package com.tencent.kona.sun.security.ssl;

import com.tencent.kona.crypto.CryptoInsts;
import com.tencent.kona.sun.security.internal.spec.TlsPrfParameterSpec;
import com.tencent.kona.sun.security.ssl.CipherSuite;
import com.tencent.kona.sun.security.ssl.SSLHandshake;
import com.tencent.kona.sun.security.util.HexDumpEncoder;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.ProviderException;
import java.text.MessageFormat;
import java.util.Locale;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished.class */
final class TLCPFinished {
    // Shared consumer instance that handles an incoming TLCP Finished handshake message.
    static final SSLConsumer tlcpHandshakeConsumer = new TLCPFinishedConsumer();
    // Shared producer instance that emits the local TLCP Finished handshake message.
    static final HandshakeProducer tlcpHandshakeProducer = new TLCPFinishedProducer();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$FinishedMessage.class */
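    /**
     * The TLCP Finished handshake message, whose only payload is the verify_data value.
     *
     * <p>One constructor builds the local message; the other parses the peer's message and
     * verifies it against a locally computed value before the object becomes usable.
     */
    public static final class FinishedMessage extends SSLHandshake.HandshakeMessage {
        // verify_data carried by this message: generated locally or read from the peer.
        private final byte[] verifyData;

        /**
         * Builds the Finished message this endpoint is about to send.
         *
         * @param handshakeContext the handshake in progress
         * @throws IOException if verify_data cannot be generated (raised as a fatal alert)
         */
        FinishedMessage(HandshakeContext handshakeContext) throws IOException {
            super(handshakeContext);
            this.verifyData = computeVerifyData(handshakeContext, false);
        }

        /**
         * Parses the peer's Finished message and verifies its verify_data.
         *
         * @param handshakeContext the handshake in progress
         * @param byteBuffer the message body; must hold exactly the expected verify_data bytes
         * @throws IOException as a fatal alert: DECODE_ERROR for a wrong length,
         *         ILLEGAL_PARAMETER if the expected value cannot be generated,
         *         DECRYPT_ERROR if the received value does not match
         */
        FinishedMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);

            // 12 bytes by default. The SSL30 and TLS 1.3+ branches only change the expected
            // length; VerifyDataScheme in this file maps TLCP11 only, so any other version is
            // rejected when the expected value is computed below.
            int expectedLength = 12;
            if (handshakeContext.negotiatedProtocol == ProtocolVersion.SSL30) {
                expectedLength = 36;
            } else if (handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
                expectedLength = handshakeContext.negotiatedCipherSuite.hashAlg.hashLength;
            }

            // Reject truncated or padded bodies before reading anything from the buffer.
            if (byteBuffer.remaining() != expectedLength) {
                throw handshakeContext.conContext.fatal(Alert.DECODE_ERROR, "Inappropriate finished message: need " + expectedLength + " but remaining " + byteBuffer.remaining() + " bytes verify_data");
            }
            this.verifyData = new byte[expectedLength];
            byteBuffer.get(this.verifyData);

            byte[] expectedVerifyData = computeVerifyData(handshakeContext, true);

            // Compared outside any try block so that a mismatch is reported as DECRYPT_ERROR and
            // is never routed through the "Failed to generate verify_data" handler.
            // MessageDigest.isEqual is used so the comparison does not stop at the first
            // differing byte.
            if (!MessageDigest.isEqual(expectedVerifyData, this.verifyData)) {
                throw handshakeContext.conContext.fatal(Alert.DECRYPT_ERROR, "The Finished message cannot be verified.");
            }
        }

        /**
         * Computes verify_data with the scheme registered for the negotiated protocol.
         *
         * @param handshakeContext the handshake in progress
         * @param z forwarded unchanged to the generator; {@code false} for the local message,
         *        {@code true} when computing the value expected from the peer
         * @return the generated verify_data
         * @throws IOException as a fatal ILLEGAL_PARAMETER alert when no scheme exists for the
         *         negotiated protocol or the generator fails with an IOException
         */
        private static byte[] computeVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            VerifyDataScheme scheme = VerifyDataScheme.valueOf(handshakeContext.negotiatedProtocol);
            if (scheme == null) {
                // valueOf returns null for every protocol other than TLCP11; fail the handshake
                // with an alert instead of dereferencing null.
                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Failed to generate verify_data: no scheme for " + handshakeContext.negotiatedProtocol);
            }
            try {
                return scheme.createVerifyData(handshakeContext, z);
            } catch (IOException e) {
                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Failed to generate verify_data", e);
            }
        }

        /** Returns the handshake type of this message, {@code SSLHandshake.FINISHED}. */
        @Override
        public SSLHandshake handshakeType() {
            return SSLHandshake.FINISHED;
        }

        /** Returns the body length, which is the verify_data length. */
        @Override
        public int messageLength() {
            return this.verifyData.length;
        }

        /** Writes the verify_data bytes to the handshake output stream. */
        @Override
        public void send(HandshakeOutStream handshakeOutStream) throws IOException {
            handshakeOutStream.write(this.verifyData);
        }

        /** Renders the message as an indented hex dump; the output contains verify_data. */
        @Override
        public String toString() {
            MessageFormat format = new MessageFormat("\"Finished\": '{'\n  \"verify data\": '{'\n{0}\n  '}'\n'}'", Locale.ENGLISH);
            String hexDump = new HexDumpEncoder().encode(this.verifyData);
            return format.format(new Object[]{Utilities.indent(hexDump, "    ")});
        }
    }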

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$TLCP11VerifyDataGenerator.class */
    /** Generates TLCP 1.1 verify_data by running the "TlcpPrf" key generator with SM3. */
    private static final class TLCP11VerifyDataGenerator implements VerifyDataGenerator {
        private TLCP11VerifyDataGenerator() {
        }

        /**
         * Derives verify_data from the master secret and the current handshake hash.
         *
         * @param handshakeContext supplies the handshake hash, the session master secret and
         *        the client/server mode
         * @param z when {@code false} the label of this endpoint's own role is used; when
         *        {@code true} the label of the opposite role is used
         * @return the encoded PRF output
         * @throws ProviderException if the PRF output is not in RAW format
         * @throws RuntimeException if the PRF fails with a GeneralSecurityException
         */
        @Override
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            HandshakeHash transcript = handshakeContext.handshakeHash;
            SecretKey master = handshakeContext.handshakeSession.getMasterSecret();

            // Client label when exactly one of (client mode, z) holds: a client building its own
            // message, or a server computing the value it expects from the client.
            boolean useClientLabel = handshakeContext.sslConfig.isClientMode != z;
            String label = useClientLabel ? "client finished" : "server finished";

            try {
                byte[] transcriptHash = transcript.digest();
                CipherSuite.HashAlg sm3 = CipherSuite.HashAlg.H_SM3;
                // The literal 12 matches the default verify_data length FinishedMessage expects.
                TlsPrfParameterSpec prfSpec = new TlsPrfParameterSpec(master, label, transcriptHash, 12, sm3.name, sm3.hashLength, sm3.blockSize);

                KeyGenerator prf = CryptoInsts.getKeyGenerator("TlcpPrf");
                prf.init(prfSpec);
                SecretKey prfOutput = prf.generateKey();

                // Only a RAW key exposes the PRF bytes directly through getEncoded().
                if (!"RAW".equals(prfOutput.getFormat())) {
                    throw new ProviderException("Invalid PRF output, format must be RAW. Format received: " + prfOutput.getFormat());
                }
                return prfOutput.getEncoded();
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("PRF failed", e);
            }
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$TLCPFinishedConsumer.class */
    /** Consumes the peer's TLCP Finished message on either the client or the server side. */
    static final class TLCPFinishedConsumer implements SSLConsumer {
        private TLCPFinishedConsumer() {
        }

        /**
         * Entry point for an incoming Finished message.
         *
         * @param connectionContext the active handshake context
         * @param byteBuffer the Finished message body
         * @throws IOException as a fatal UNEXPECTED_MESSAGE alert when a ChangeCipherSpec
         *         consumer is still registered, or when parsing or verification fails
         */
        @Override
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            HandshakeContext hc = (HandshakeContext) connectionContext;

            // The Finished consumer is deregistered before the message is examined.
            hc.handshakeConsumers.remove(Byte.valueOf(SSLHandshake.FINISHED.id));

            // A ChangeCipherSpec consumer that is still registered presumably means that message
            // has not arrived yet, so Finished is refused at this point.
            boolean changeCipherSpecPending = hc.conContext.consumers.containsKey(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id));
            if (changeCipherSpecPending) {
                throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Missing ChangeCipherSpec message");
            }

            if (!hc.sslConfig.isClientMode) {
                onConsumeFinished((ServerHandshakeContext) connectionContext, byteBuffer);
                return;
            }
            onConsumeFinished((ClientHandshakeContext) connectionContext, byteBuffer);
        }

        /**
         * Client side: verifies the server's Finished message, then either schedules the
         * client's own Finished (resumption) or completes the handshake.
         */
        private void onConsumeFinished(ClientHandshakeContext chc, ByteBuffer byteBuffer) throws IOException {
            // Construction parses the body and verifies verify_data; it throws on failure.
            FinishedMessage serverFinished = new FinishedMessage(chc, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming server Finished handshake message", new Object[]{serverFinished});
            }

            if (chc.conContext.secureRenegotiation) {
                chc.conContext.serverVerifyData = serverFinished.verifyData;
            }

            if (!chc.isResumption) {
                // Full handshake: the server's Finished is the last message, so finish here.
                if (chc.handshakeSession.isRejoinable()) {
                    SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) chc.sslContext.engineGetClientSessionContext();
                    sessionCache.put(chc.handshakeSession);
                }
                chc.conContext.conSession = chc.handshakeSession.finish();
                chc.conContext.protocolVersion = chc.negotiatedProtocol;
                chc.handshakeFinished = true;
                if (!chc.sslContext.isDTLS()) {
                    chc.conContext.finishHandshake();
                }
            } else {
                // Resumption: the client still has to answer with its own Finished.
                chc.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            }

            // Run the Finished producer if one is registered, removing it in the process.
            HandshakeProducer pendingProducer = chc.handshakeProducers.remove(Byte.valueOf(SSLHandshake.FINISHED.id));
            if (pendingProducer != null) {
                pendingProducer.produce(chc, serverFinished);
            }
        }

        /**
         * Server side: verifies the client's Finished message, then either completes the
         * handshake (resumption) or schedules the server's own Finished.
         */
        private void onConsumeFinished(ServerHandshakeContext shc, ByteBuffer byteBuffer) throws IOException {
            // On a full handshake a CertificateVerify consumer that is still registered means
            // that message was expected first, so Finished is refused.
            boolean certificateVerifyPending = shc.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE_VERIFY.id));
            if (!shc.isResumption && certificateVerifyPending) {
                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message");
            }

            // Construction parses the body and verifies verify_data; it throws on failure.
            FinishedMessage clientFinished = new FinishedMessage(shc, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming client Finished handshake message", new Object[]{clientFinished});
            }

            if (shc.conContext.secureRenegotiation) {
                shc.conContext.clientVerifyData = clientFinished.verifyData;
            }

            if (!shc.isResumption) {
                // Full handshake: the server still has to answer with its own Finished.
                shc.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            } else {
                // Resumption: the client's Finished is the last message, so finish here.
                if (shc.handshakeSession.isRejoinable() && !shc.statelessResumption) {
                    SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext();
                    sessionCache.put(shc.handshakeSession);
                }
                shc.conContext.conSession = shc.handshakeSession.finish();
                shc.conContext.protocolVersion = shc.negotiatedProtocol;
                shc.handshakeFinished = true;
                if (!shc.sslContext.isDTLS()) {
                    shc.conContext.finishHandshake();
                }
            }

            // Run the Finished producer if one is registered, removing it in the process.
            HandshakeProducer pendingProducer = shc.handshakeProducers.remove(Byte.valueOf(SSLHandshake.FINISHED.id));
            if (pendingProducer != null) {
                pendingProducer.produce(shc, clientFinished);
            }
        }
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$TLCPFinishedProducer.class */
    /** Produces the local TLCP Finished message on either the client or the server side. */
    static final class TLCPFinishedProducer implements HandshakeProducer {
        private TLCPFinishedProducer() {
        }

        /**
         * Entry point for producing the local Finished message.
         *
         * @param connectionContext the active handshake context
         * @param handshakeMessage the message that triggered production; forwarded to the
         *        ChangeCipherSpec producer (and, on the server, the session ticket producer)
         * @return always {@code null}
         * @throws IOException if verify_data generation or writing the message fails
         */
        @Override
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            HandshakeContext hc = (HandshakeContext) connectionContext;
            if (hc.sslConfig.isClientMode) {
                return onProduceFinished((ClientHandshakeContext) connectionContext, handshakeMessage);
            }
            return onProduceFinished((ServerHandshakeContext) connectionContext, handshakeMessage);
        }

        /**
         * Client side: sends ChangeCipherSpec and Finished, then either waits for the server's
         * final flight (full handshake) or completes the handshake (resumption).
         */
        private byte[] onProduceFinished(ClientHandshakeContext chc, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            // The handshake hash is updated before verify_data is derived from it.
            chc.handshakeHash.update();
            FinishedMessage clientFinished = new FinishedMessage(chc);

            // ChangeCipherSpec is produced before the Finished message is written.
            TLCPChangeCipherSpec.tlcpProducer.produce(chc, handshakeMessage);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced client Finished handshake message", new Object[]{clientFinished});
            }
            clientFinished.write(chc.handshakeOutput);
            chc.handshakeOutput.flush();

            if (chc.conContext.secureRenegotiation) {
                chc.conContext.clientVerifyData = clientFinished.verifyData;
            }
            if (chc.statelessResumption) {
                chc.handshakeConsumers.put(Byte.valueOf(SSLHandshake.NEW_SESSION_TICKET.id), SSLHandshake.NEW_SESSION_TICKET);
            }

            if (chc.isResumption) {
                // Resumption: the client's Finished is the last message, so finish here.
                if (chc.handshakeSession.isRejoinable()) {
                    SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) chc.sslContext.engineGetClientSessionContext();
                    sessionCache.put(chc.handshakeSession);
                }
                chc.conContext.conSession = chc.handshakeSession.finish();
                chc.conContext.protocolVersion = chc.negotiatedProtocol;
                chc.handshakeFinished = true;
                if (!chc.sslContext.isDTLS()) {
                    chc.conContext.finishHandshake();
                }
                return null;
            }

            // Full handshake: expect the server's ChangeCipherSpec followed by its Finished.
            chc.conContext.consumers.put(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id), TLCPChangeCipherSpec.tlcpConsumer);
            chc.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            chc.conContext.inputRecord.expectingFinishFlight();
            return null;
        }

        /**
         * Server side: optionally sends a session ticket, sends ChangeCipherSpec and Finished,
         * then either waits for the client's final flight (resumption) or completes the
         * handshake (full handshake).
         */
        private byte[] onProduceFinished(ServerHandshakeContext shc, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            // The ticket producer runs before the handshake hash is updated.
            if (shc.statelessResumption) {
                NewSessionTicket.handshake12Producer.produce(shc, handshakeMessage);
            }

            // The handshake hash is updated before verify_data is derived from it.
            shc.handshakeHash.update();
            FinishedMessage serverFinished = new FinishedMessage(shc);

            // ChangeCipherSpec is produced before the Finished message is written.
            TLCPChangeCipherSpec.tlcpProducer.produce(shc, handshakeMessage);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced server Finished handshake message", new Object[]{serverFinished});
            }
            serverFinished.write(shc.handshakeOutput);
            shc.handshakeOutput.flush();

            if (shc.conContext.secureRenegotiation) {
                shc.conContext.serverVerifyData = serverFinished.verifyData;
            }

            if (!shc.isResumption) {
                // Full handshake: the server's Finished is the last message, so finish here.
                if (shc.statelessResumption && shc.handshakeSession.isStatelessable()) {
                    shc.handshakeSession.setContext((SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext());
                } else if (shc.handshakeSession.isRejoinable()) {
                    SSLSessionContextImpl sessionCache = (SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext();
                    sessionCache.put(shc.handshakeSession);
                }
                shc.conContext.conSession = shc.handshakeSession.finish();
                shc.conContext.protocolVersion = shc.negotiatedProtocol;
                shc.handshakeFinished = true;
                if (!shc.sslContext.isDTLS()) {
                    shc.conContext.finishHandshake();
                }
                return null;
            }

            // Resumption: expect the client's ChangeCipherSpec followed by its Finished.
            shc.conContext.consumers.put(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id), TLCPChangeCipherSpec.tlcpConsumer);
            shc.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            shc.conContext.inputRecord.expectingFinishFlight();
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$VerifyDataGenerator.class */
    /** Strategy for computing the verify_data value of a Finished message. */
    public interface VerifyDataGenerator {
        /**
         * Computes verify_data for the given handshake.
         *
         * @param handshakeContext the handshake in progress
         * @param z selects whose value is computed; the TLCP11 implementation in this file uses
         *        the local role's label when {@code false} and the opposite role's label when
         *        {@code true}
         * @return the verify_data bytes
         * @throws IOException if the value cannot be generated
         */
        byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException;
    }

    /* loaded from: input_file:com/tencent/kona/sun/security/ssl/TLCPFinished$VerifyDataScheme.class */
    /** Maps a negotiated protocol version to the generator that computes its verify_data. */
    enum VerifyDataScheme {
        TLCP11("kdf_tlcp11", new TLCP11VerifyDataGenerator());

        // Scheme label.
        final String name;
        // Generator that computes verify_data for this scheme.
        final VerifyDataGenerator generator;

        VerifyDataScheme(String schemeName, VerifyDataGenerator schemeGenerator) {
            name = schemeName;
            generator = schemeGenerator;
        }

        /**
         * Looks up the scheme for a protocol version.
         *
         * @param protocolVersion the negotiated protocol version; must not be null
         * @return {@link #TLCP11} for {@code ProtocolVersion.TLCP11}, otherwise {@code null};
         *         callers must handle the {@code null} result
         */
        static VerifyDataScheme valueOf(ProtocolVersion protocolVersion) {
            // equals() dereferences the argument, so a null version still fails with a
            // NullPointerException, as switching on it would.
            return protocolVersion.equals(ProtocolVersion.TLCP11) ? VerifyDataScheme.TLCP11 : null;
        }

        /**
         * Delegates to this scheme's generator.
         *
         * @param handshakeContext the handshake in progress
         * @param z forwarded unchanged to the generator
         * @return the verify_data bytes
         * @throws IOException if the generator fails
         * @throws UnsupportedOperationException if the scheme has no generator
         */
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            if (generator == null) {
                throw new UnsupportedOperationException("Not supported yet.");
            }
            return generator.createVerifyData(handshakeContext, z);
        }
    }

    // Package-private no-argument constructor with an empty body; the members declared in this
    // class are static fields and nested types.
    TLCPFinished() {
    }
}
