package cfca.sadk.tls.sun.security.ssl.message;

import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.ssl.HandshakeInStream;
import cfca.sadk.tls.sun.security.ssl.HandshakeOutStream;
import cfca.sadk.tls.sun.security.ssl.ProtocolVersion;
import cfca.sadk.tls.sun.security.ssl.sec.HandshakeHash;
import cfca.sadk.tls.sun.security.ssl.sec.JSSEJCE;
import cfca.sadk.tls.sun.security.ssl.sec.SM2Signature;
import cfca.sadk.tls.sun.security.ssl.sec.SignatureAndHashAlgorithm;
import cfca.sadk.tls.util.Hexifys;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.util.List;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLHandshakeException;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/message/CertificateVerify.class */
public final class CertificateVerify extends HandshakeMessage {
    private byte[] signatureBytes;
    private ProtocolVersion protocolVersion;
    private SignatureAndHashAlgorithm signatureAlgorithm;
    private HandshakeHash handshakeHash;
    private Signature signature;

    public CertificateVerify(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, PrivateKey privateKey, SecretKey secretKey, SignatureAndHashAlgorithm signatureAndHashAlgorithm, SecureRandom secureRandom) throws GeneralSecurityException {
        this.signature = null;
        this.protocolVersion = protocolVersion;
        this.signatureAlgorithm = signatureAndHashAlgorithm;
        this.handshakeHash = handshakeHash;
        this.signature = signatureFrom(protocolVersion, handshakeHash, privateKey);
        this.signature.initSign(privateKey, secureRandom);
        signatureUpdate(protocolVersion, handshakeHash, secretKey);
        this.signatureBytes = this.signature.sign();
    }

    public CertificateVerify(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, HandshakeInStream handshakeInStream, List<SignatureAndHashAlgorithm> list) throws IOException {
        this.signature = null;
        this.protocolVersion = protocolVersion;
        this.handshakeHash = handshakeHash;
        if (this.protocolVersion.isStandardTLS12()) {
            this.signatureAlgorithm = SignatureAndHashAlgorithm.valueOf(handshakeInStream.getInt8(), handshakeInStream.getInt8(), 0);
            if (this.signatureAlgorithm == null) {
                throw new SSLHandshakeException("Illegal CertificateVerify message");
            }
            String hashAlgorithmName = SignatureAndHashAlgorithm.getHashAlgorithmName(this.signatureAlgorithm);
            if (hashAlgorithmName == null || hashAlgorithmName.length() == 0) {
                throw new SSLHandshakeException("No supported hash algorithm");
            }
            if (!list.contains(this.signatureAlgorithm)) {
                throw new SSLHandshakeException("Unsupported SignatureAndHashAlgorithm in ServerKeyExchange message");
            }
        }
        this.signatureBytes = handshakeInStream.getBytes16();
    }

    public boolean verify(PublicKey publicKey, SecretKey secretKey) throws GeneralSecurityException {
        this.signature = signatureFrom(this.protocolVersion, this.handshakeHash, publicKey);
        this.signature.initVerify(publicKey);
        signatureUpdate(this.protocolVersion, this.handshakeHash, secretKey);
        return this.signature.verify(this.signatureBytes);
    }

    private final Signature signatureFrom(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, Key key) throws GeneralSecurityException {
        Signature signature;
        String upperCase = key.getAlgorithm().toUpperCase();
        if (protocolVersion.isStandardTLS12()) {
            signature = JSSEJCE.getSignature(this.signatureAlgorithm.getAlgorithmName());
        } else if ("SM2".equals(upperCase)) {
            signature = SM2Signature.newSignature();
        } else if ("RSA".equals(upperCase)) {
            signature = JSSEJCE.getSignature(JSSEJCE.SIGNATURE_RAWRSA);
        } else {
            if (!"EC".equals(upperCase)) {
                throw new SignatureException("Unrecognized algorithm: " + upperCase);
            }
            signature = JSSEJCE.getSignature(JSSEJCE.SIGNATURE_RAWECDSA);
        }
        return signature;
    }

    final void signatureUpdate(ProtocolVersion protocolVersion, HandshakeHash handshakeHash, SecretKey secretKey) throws GeneralSecurityException {
        if (!protocolVersion.isChinaTLS11()) {
            throw new GeneralSecurityException("Only SMTLS 1.1 supported");
        }
        byte[] finishedHash = handshakeHash.getFinishedHash();
        if (Debugger.handshaker.isDebugEnabled()) {
            Debugger.handshaker.debug("handshakeHash: 0x{}", Hexifys.hexify(finishedHash));
        }
        this.signature.update(finishedHash);
    }

    @Override // cfca.sadk.tls.sun.security.ssl.message.HandshakeMessage
    public final int messageType() {
        return 15;
    }

    @Override // cfca.sadk.tls.sun.security.ssl.message.HandshakeMessage
    final int messageLength() {
        int i = 2;
        if (this.protocolVersion.isStandardTLS12()) {
            i = 2 + SignatureAndHashAlgorithm.sizeInRecord();
        }
        return i + this.signatureBytes.length;
    }

    @Override // cfca.sadk.tls.sun.security.ssl.message.HandshakeMessage
    final void send(HandshakeOutStream handshakeOutStream) throws IOException {
        if (this.protocolVersion.isStandardTLS12()) {
            handshakeOutStream.putInt8(this.signatureAlgorithm.getHashValue());
            handshakeOutStream.putInt8(this.signatureAlgorithm.getSignatureValue());
        }
        handshakeOutStream.putBytes16(this.signatureBytes);
    }

    public final String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append('\n');
        sb.append("*** CertificateVerify");
        if (this.protocolVersion.isStandardTLS12()) {
            sb.append("Signature Algorithm ");
            if (this.signatureAlgorithm != null) {
                sb.append(this.signatureAlgorithm.getAlgorithmName());
            }
        }
        sb.append("\n***");
        return sb.toString();
    }
}
