package org.bouncycastle.tls;

import com.xdja.pki.gmssl.core.utils.GMSSLByteArrayUtils;
import com.xdja.pki.gmssl.crypto.sdf.SdfPrivateKey;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsCryptoParameters;
import org.bouncycastle.tls.crypto.TlsStreamSigner;
import org.bouncycastle.tls.crypto.TlsVerifier;
import org.bouncycastle.tls.crypto.impl.AbstractTlsCrypto;
import org.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedECCSM2;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCryptoSdf;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/bouncycastle/tls/GMSSLUtils.class */
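/**
 * Static helpers for the dual-certificate (signature + encryption) SM2 TLS handshake
 * implemented by this Bouncy Castle fork.
 *
 * <p>Covers three areas: selecting the signature/encryption key-store entries and turning
 * them into a credential, building the two-leaf {@link Certificate} message, and producing
 * or checking the ServerKeyExchange and CertificateVerify signatures.
 *
 * <p>This source is decompiler output. Methods noted as "originally package-private" were
 * widened to {@code public} by the decompiler and are kept {@code public} here so existing
 * callers keep compiling.
 */
public class GMSSLUtils {
    private static final Logger logger = LoggerFactory.getLogger(GMSSLUtils.class.getName());

    /**
     * KeyUsage bits (first octet) that must ALL be set for a certificate to be selected as the
     * signature certificate. Value 0xC0; the decompiled source spelled this as the unrelated
     * constant {@code CipherSuite.TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256}, which has the same value.
     */
    private static final int SIGNATURE_KEY_USAGE = KeyUsage.digitalSignature | KeyUsage.nonRepudiation;

    /**
     * KeyUsage bits (first octet) that must ALL be set for a certificate to be selected as the
     * encryption certificate. Value 0x38 (56 in the decompiled source).
     */
    private static final int ENCRYPTION_KEY_USAGE = KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement;

    // NOTE(review): 7 and 4 are not named anywhere in this file; presumably the fork's SM3 hash
    // and SM2 signature identifiers — confirm against HashAlgorithm / SignatureAlgorithm.
    private static final short HANDSHAKE_HASH_ALGORITHM = (short) 7;
    private static final short HANDSHAKE_SIGNATURE_ALGORITHM = (short) 4;

    /**
     * Builds the server credential from the signature and encryption entries of a key manager.
     *
     * <p>Alias resolution: first by KeyUsage (see {@link #getAliasWithKeyUsage}); if that yields
     * nothing, by the literal alias names {@code "sign"} / {@code "enc"}; and finally by position
     * (first alias signs, second alias encrypts).
     *
     * <p>NOTE(review): the name-based and positional fallbacks never look at KeyUsage, and a key
     * store with a single alias ends up using one key pair for both signing and encryption.
     * Deployments that require separated key usage should reject such stores before calling this.
     *
     * @param str key type passed to {@link X509KeyManager#getServerAliases}
     * @param abstractTlsCrypto crypto backend; cast to {@code BcTlsCryptoSdf} when both keys are
     *     {@code SdfPrivateKey}, otherwise to {@code BcTlsCrypto}
     * @param x509KeyManager source of aliases, private keys and certificate chains
     * @param x509TrustManager its accepted issuers are appended to the certificate message
     * @param signatureAndHashAlgorithm forwarded unchanged to the credential
     * @param tlsContext used to create the {@code TlsCryptoParameters}
     * @param logger2 logger to use; the class logger is used when {@code null}
     * @return the credential, or {@code null} when aliases, keys or leaf certificates cannot be
     *     resolved from the key manager
     * @throws IOException if a certificate cannot be encoded or parsed
     */
    public static DefaultTlsCredentialedSigner generateCredentials(String str, AbstractTlsCrypto abstractTlsCrypto, X509KeyManager x509KeyManager, X509TrustManager x509TrustManager, SignatureAndHashAlgorithm signatureAndHashAlgorithm, TlsContext tlsContext, Logger logger2) throws IOException {
        Logger log = logger2 != null ? logger2 : logger;

        // getServerAliases may legitimately return null; the decompiled code dereferenced it.
        String[] serverAliases = x509KeyManager.getServerAliases(str, null);
        if (serverAliases == null || serverAliases.length == 0) {
            log.warn("generate Credentials: key manager returned no server alias for key type {}", str);
            return null;
        }
        List<String> aliases = Arrays.asList(serverAliases);

        String signatureAlias = getSignatureAlias(str, x509KeyManager, abstractTlsCrypto);
        String encryptioneAlias = getEncryptioneAlias(str, x509KeyManager, abstractTlsCrypto);
        if (signatureAlias == null) {
            signatureAlias = aliases.contains("sign") ? "sign" : aliases.get(0);
        }
        if (encryptioneAlias == null) {
            if (aliases.contains("enc")) {
                encryptioneAlias = "enc";
            } else if (aliases.size() > 1) {
                // Bounds-checked: the decompiled code called get(1) unconditionally.
                encryptioneAlias = aliases.get(1);
            }
        }
        log.debug("generate Credentials signatureAlias: {} encryptionAlias: {}", signatureAlias, encryptioneAlias);
        if (signatureAlias == null || encryptioneAlias == null) {
            return null;
        }

        // X509KeyManager.getPrivateKey is declared to return PrivateKey; the SdfPrivateKey
        // local type in the decompiled code was a decompiler artifact.
        PrivateKey signatureKey = x509KeyManager.getPrivateKey(signatureAlias);
        PrivateKey encryptionKey = x509KeyManager.getPrivateKey(encryptioneAlias);
        Certificate signatureChain = getCertificateMessage(abstractTlsCrypto, x509KeyManager.getCertificateChain(signatureAlias));
        Certificate encryptionChain = getCertificateMessage(abstractTlsCrypto, x509KeyManager.getCertificateChain(encryptioneAlias));
        if (signatureKey == null || encryptionKey == null || signatureChain.getLength() == 0 || encryptionChain.getLength() == 0) {
            // Without this check an unknown alias surfaces later as an index or null-pointer failure.
            log.warn("generate Credentials: missing private key or certificate chain for alias {} / {}", signatureAlias, encryptioneAlias);
            return null;
        }

        Certificate trustedIssuers = getCertificateMessage(abstractTlsCrypto, x509TrustManager.getAcceptedIssuers());
        Certificate gmsslCertificate = makeGMSSLCertificate(signatureChain, encryptionChain, trustedIssuers);
        TlsCryptoParameters cryptoParameters = new TlsCryptoParameters(tlsContext);

        if (signatureKey instanceof SdfPrivateKey && encryptionKey instanceof SdfPrivateKey) {
            // Both keys are SdfPrivateKey: use the SDF-backed crypto implementation.
            return new BcDefaultTlsCredentialedECCSM2(cryptoParameters, (BcTlsCryptoSdf) abstractTlsCrypto, gmsslCertificate, (SdfPrivateKey) signatureKey, (SdfPrivateKey) encryptionKey, signatureAndHashAlgorithm);
        }
        return new BcDefaultTlsCredentialedECCSM2(cryptoParameters, (BcTlsCrypto) abstractTlsCrypto, gmsslCertificate, signatureKey, encryptionKey, signatureAndHashAlgorithm);
    }

    /**
     * Assembles the certificate message: signature leaf, encryption leaf, then every entry of
     * {@code certificate3}.
     *
     * <p>Only index 0 of the first two arguments is used, so any intermediates they carry are
     * dropped. Both must be non-empty; this method does not check that itself.
     *
     * <p>NOTE(review): {@link #generateCredentials} passes the trust manager's accepted issuers
     * as {@code certificate3}, so the whole trust list is sent to the peer and need not be the
     * issuing chain of the two leaves — confirm this is intended.
     *
     * @param certificate chain whose first entry is the signature certificate
     * @param certificate2 chain whose first entry is the encryption certificate
     * @param certificate3 certificates appended after the two leaves
     * @return a new {@link Certificate} in the order described above
     */
    public static Certificate makeGMSSLCertificate(Certificate certificate, Certificate certificate2, Certificate certificate3) {
        List<TlsCertificate> ordered = new ArrayList<TlsCertificate>();
        ordered.add(certificate.getCertificateAt(0));
        ordered.add(certificate2.getCertificateAt(0));
        for (int i = 0; i < certificate3.getLength(); i++) {
            ordered.add(certificate3.getCertificateAt(i));
        }
        return new Certificate(ordered.toArray(new TlsCertificate[ordered.size()]));
    }

    /** Returns entry 0 of the message, where {@link #makeGMSSLCertificate} puts the signature certificate. */
    public static TlsCertificate getSignatureCertificate(Certificate certificate) {
        return certificate.getCertificateAt(0);
    }

    /** Returns entry 1 of the message, where {@link #makeGMSSLCertificate} puts the encryption certificate. */
    public static TlsCertificate getEncryptionCertificate(Certificate certificate) {
        return certificate.getCertificateAt(1);
    }

    /**
     * Finds the alias whose leaf certificate carries both digitalSignature and nonRepudiation.
     *
     * @return the alias, or {@code null} if none matches; see {@link #getAliasWithKeyUsage}
     */
    public static String getSignatureAlias(String str, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto) throws IOException {
        return getAliasWithKeyUsage(str, SIGNATURE_KEY_USAGE, x509KeyManager, tlsCrypto);
    }

    /**
     * Finds the alias whose leaf certificate carries keyEncipherment, dataEncipherment and
     * keyAgreement.
     *
     * @return the alias, or {@code null} if none matches; see {@link #getAliasWithKeyUsage}
     */
    public static String getEncryptioneAlias(String str, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto) throws IOException {
        return getAliasWithKeyUsage(str, ENCRYPTION_KEY_USAGE, x509KeyManager, tlsCrypto);
    }

    /**
     * Selects a server alias by the KeyUsage extension of its leaf certificate.
     *
     * <p>Behaviour by number of aliases for the key type:
     * <ul>
     *   <li>one alias: it is returned WITHOUT checking KeyUsage;</li>
     *   <li>two aliases: the first whose KeyUsage has every bit of {@code i} set;</li>
     *   <li>anything else (including none): {@code null}.</li>
     * </ul>
     *
     * <p>Only the first octet of the KeyUsage bit string is compared, so {@code i} can express
     * the bits digitalSignature through encipherOnly but not decipherOnly.
     *
     * @param str key type passed to {@link X509KeyManager#getServerAliases}
     * @param i mask of {@link KeyUsage} bits that must all be present
     * @return the matching alias or {@code null}
     * @throws IOException if a certificate cannot be encoded or parsed
     */
    public static String getAliasWithKeyUsage(String str, int i, X509KeyManager x509KeyManager, TlsCrypto tlsCrypto) throws IOException {
        String[] serverAliases = x509KeyManager.getServerAliases(str, null);
        if (serverAliases == null) {
            return null;
        }
        if (serverAliases.length == 1) {
            return serverAliases[0];
        }
        if (serverAliases.length != 2) {
            return null;
        }
        for (String alias : serverAliases) {
            Certificate chain = getCertificateMessage(tlsCrypto, x509KeyManager.getCertificateChain(alias));
            if (chain.getLength() == 0) {
                // Alias without a certificate chain cannot match any usage.
                continue;
            }
            Extensions extensions = org.bouncycastle.asn1.x509.Certificate.getInstance(chain.getCertificateAt(0).getEncoded()).getTBSCertificate().getExtensions();
            if (extensions == null) {
                continue;
            }
            KeyUsage keyUsage = KeyUsage.fromExtensions(extensions);
            if (keyUsage == null) {
                continue;
            }
            byte[] usageBits = keyUsage.getBytes();
            if (usageBits.length > 0 && (usageBits[0] & 0xFF & i) == i) {
                return alias;
            }
        }
        return null;
    }

    /**
     * Converts a JCA certificate array into a TLS {@link Certificate} message.
     *
     * @param tlsCrypto factory for the {@link TlsCertificate} instances
     * @param x509CertificateArr certificates to convert; may be {@code null} or empty
     * @return {@code Certificate.EMPTY_CHAIN} for {@code null}/empty input, otherwise a message
     *     holding the certificates in the given order
     * @throws IOException a {@link TlsFatalAlert} (internal_error) if a certificate cannot be encoded
     */
    public static Certificate getCertificateMessage(TlsCrypto tlsCrypto, X509Certificate[] x509CertificateArr) throws IOException {
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            return Certificate.EMPTY_CHAIN;
        }
        TlsCertificate[] converted = new TlsCertificate[x509CertificateArr.length];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                converted[i] = tlsCrypto.createCertificate(x509CertificateArr[i].getEncoded());
            } catch (CertificateEncodingException e) {
                throw new TlsFatalAlert(AlertDescription.internal_error, e);
            }
        }
        return new Certificate(converted);
    }

    /**
     * Signs the ServerKeyExchange input built by {@link #calculateSignatureECCSM2}.
     *
     * <p>Originally package-private. The signed input and the signature are written to the class
     * logger through {@code GMSSLByteArrayUtils.printHexBinary}; the level used is decided there.
     *
     * @param tlsCertificate certificate bound into the signed input
     * @return the raw signature from {@code tlsCredentialedSigner}
     */
    public static byte[] generateECCSM2ServerKeyExchangeSignature(TlsContext tlsContext, TlsCredentialedSigner tlsCredentialedSigner, TlsCertificate tlsCertificate) throws IOException {
        byte[] signedInput = calculateSignatureECCSM2(tlsContext, tlsCertificate);
        GMSSLByteArrayUtils.printHexBinary(logger, "generateECCSM2ServerKeyExchangeSignature m", signedInput);
        byte[] signature = tlsCredentialedSigner.generateRawSignature(signedInput);
        GMSSLByteArrayUtils.printHexBinary(logger, "generateECCSM2ServerKeyExchangeSignature signature", signature);
        return signature;
    }

    /**
     * Verifies the ServerKeyExchange signature over the input built by
     * {@link #calculateSignatureECCSM2}. Originally package-private.
     *
     * @throws IOException a {@link TlsFatalAlert} (decrypt_error) if the signature does not verify
     */
    public static void verifyECCSM2ServerKeyExchangeSignature(TlsContext tlsContext, TlsVerifier tlsVerifier, DigitallySigned digitallySigned, TlsCertificate tlsCertificate) throws IOException {
        byte[] signedInput = calculateSignatureECCSM2(tlsContext, tlsCertificate);
        GMSSLByteArrayUtils.printHexBinary(logger, "verifyECCSM2ServerKeyExchangeSignature m", signedInput);
        if (!tlsVerifier.verifyRawSignature(digitallySigned, signedInput)) {
            throw new TlsFatalAlert(AlertDescription.decrypt_error);
        }
    }

    /**
     * Builds the ServerKeyExchange signature input:
     * {@code clientRandom || serverRandom || opaque24(encoded certificate)}.
     *
     * <p>Including both randoms ties the signature to this handshake, so a signature captured
     * from one session does not verify in another.
     */
    static byte[] calculateSignatureECCSM2(TlsContext tlsContext, TlsCertificate tlsCertificate) throws IOException {
        SecurityParameters securityParameters = tlsContext.getSecurityParameters();
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        buffer.write(securityParameters.clientRandom);
        buffer.write(securityParameters.serverRandom);
        TlsUtils.writeOpaque24(tlsCertificate.getEncoded(), buffer);
        return buffer.toByteArray();
    }

    /**
     * Signs the final handshake hash for the CertificateVerify message.
     *
     * <p>Originally package-private. {@code tlsContext} and {@code tlsStreamSigner} are not used.
     * The log labels say "verify" although this is the generating side; they are left unchanged
     * in case log consumers match on them.
     *
     * @return the raw signature over the handshake hash
     */
    public static byte[] generateCertificateVerify(TlsContext tlsContext, TlsCredentialedSigner tlsCredentialedSigner, TlsStreamSigner tlsStreamSigner, TlsHandshakeHash tlsHandshakeHash) throws IOException {
        byte[] handshakeHash = tlsHandshakeHash.getFinalHash(HANDSHAKE_HASH_ALGORITHM);
        GMSSLByteArrayUtils.printHexBinary(logger, "verify certificate verify hash", handshakeHash);
        byte[] signature = tlsCredentialedSigner.generateRawSignature(handshakeHash);
        GMSSLByteArrayUtils.printHexBinary(logger, "verify certificate verify", signature);
        return signature;
    }

    /**
     * Verifies the peer's CertificateVerify signature against the final handshake hash, using
     * the first certificate of {@code certificate}.
     *
     * <p>Originally package-private. {@code tlsContext} and {@code certificateRequest} are not
     * used: the signature/hash algorithm pair is fixed rather than checked against what the
     * request offered.
     *
     * @param certificate the peer's certificate message; entry 0 supplies the verification key
     * @param byteArrayInputStream positioned at the opaque16-encoded signature
     * @throws IOException a {@link TlsFatalAlert}: unexpected_message if the peer supplied no
     *     certificate, decrypt_error if the signature does not verify
     */
    public static void verifyCertificateVerify(TlsContext tlsContext, CertificateRequest certificateRequest, Certificate certificate, ByteArrayInputStream byteArrayInputStream, TlsHandshakeHash tlsHandshakeHash) throws IOException {
        // A CertificateVerify without a peer certificate must abort the handshake with an alert
        // instead of failing on the index access below.
        if (certificate == null || certificate.getLength() == 0) {
            throw new TlsFatalAlert(AlertDescription.unexpected_message);
        }
        byte[] signature = TlsUtils.readOpaque16(byteArrayInputStream);
        GMSSLByteArrayUtils.printHexBinary(logger, "certificate verify", signature);
        byte[] handshakeHash = tlsHandshakeHash.getFinalHash(HANDSHAKE_HASH_ALGORITHM);
        GMSSLByteArrayUtils.printHexBinary(logger, "verify certificate verify hash", handshakeHash);
        DigitallySigned digitallySigned = new DigitallySigned(new SignatureAndHashAlgorithm(HANDSHAKE_HASH_ALGORITHM, HANDSHAKE_SIGNATURE_ALGORITHM), signature);
        TlsVerifier verifier = certificate.getCertificateAt(0).createVerifier(HANDSHAKE_SIGNATURE_ALGORITHM);
        boolean verified = verifier.verifyRawSignature(digitallySigned, handshakeHash);
        logger.info("verify certificate verified: {}", verified);
        if (!verified) {
            throw new TlsFatalAlert(AlertDescription.decrypt_error);
        }
    }
}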
