package com.tongtech.client.remoting.tls;

import com.tongtech.client.common.UtilAll;
import com.tongtech.client.utils.AESUtils;
import com.tongtech.commons.io.FileUtils;
import com.tongtech.netty.handler.ssl.ApplicationProtocolConfig;
import com.tongtech.netty.handler.ssl.ApplicationProtocolNames;
import com.tongtech.netty.handler.ssl.CipherSuiteFilter;
import com.tongtech.netty.handler.ssl.ClientAuth;
import com.tongtech.netty.handler.ssl.JdkSslContext;
import com.tongtech.netty.handler.ssl.SslContext;
import com.tongtech.netty.handler.ssl.util.InsecureTrustManagerFactory;
import com.tongtech.slf4j.Logger;
import com.tongtech.slf4j.LoggerFactory;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Set;
import java.util.stream.StreamSupport;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:com/tongtech/client/remoting/tls/GmTlsHelper.class */
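/**
 * Builds a Netty {@link SslContext} for TLCP 1.1 ("GM" TLS with SM3/SM4 cipher suites) on top of the
 * Tencent Kona JCA provider.
 *
 * <p>TLCP uses a dual-certificate client identity: a signing certificate/key ({@code gmSigCertPath} /
 * {@code gmSignKeyPath}) stored under alias {@code tlcp-sign-ee} and an encryption certificate/key
 * ({@code tlsCertPath} / {@code tlsKeyPath}) stored under alias {@code tlcp-enc-ee}. All material is
 * read from the PEM files named in {@code TlsSystemConfig}.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>When {@code TlsSystemConfig.tlsAuthServer} is {@code false} the server certificate is NOT verified
 *       (an accept-all trust manager is installed), which leaves the connection open to interception. A
 *       warning is logged in that case.</li>
 *   <li>Key passwords are never written to the log; only whether they are configured.</li>
 *   <li>Only unencrypted PKCS#8 keys ({@code -----BEGIN PRIVATE KEY-----}) are accepted; the configured key
 *       password protects the in-memory keystore entry, it is not used to decrypt the PEM file.</li>
 * </ul>
 */
public class GmTlsHelper {
    private static final Logger log = LoggerFactory.getLogger(GmTlsHelper.class);

    /** Fully-qualified class name of the JCA provider that is registered in the static initializer. */
    private static final String PROVIDER_CLASS = "com.tencent.kona.KonaProvider";
    /** JCA provider name under which every algorithm in this class is requested. */
    private static final String PROV_NAME = "Kona";
    /** SSLContext / protocol name requested from the provider and advertised to Netty. */
    private static final String TLCP_PROTOCOL = "TLCPv1.1";
    /** TLCP cipher suites offered to the server, in preference order. */
    private static final List<String> TLCP_CIPHER_SUITES = Arrays.asList(
            "ECC_SM4_GCM_SM3", "ECC_SM4_CBC_SM3", "ECDHE_SM4_CBC_SM3", "ECDHE_SM4_GCM_SM3");
    private static final String PKCS8_BEGIN = "-----BEGIN PRIVATE KEY-----";
    private static final String PKCS8_END = "-----END PRIVATE KEY-----";

    /**
     * Cipher-suite filter that passes every requested suite through unchanged.
     *
     * <p>Netty's default filter drops suites that the JDK's own SSL engine does not report as supported;
     * the TLCP suite names above are provider-specific, so presumably no filtering is wanted here
     * (NOTE(review): confirm against the provider's supported-suite list).
     */
    private static class AllAllowedCipherSuiteFilter implements CipherSuiteFilter {
        private AllAllowedCipherSuiteFilter() {
        }

        @Override // com.tongtech.netty.handler.ssl.CipherSuiteFilter
        public String[] filterCipherSuites(Iterable<String> requested, List<String> defaults, Set<String> supported) {
            // Ignore 'defaults' and 'supported': return exactly what was requested, in order.
            return StreamSupport.stream(requested.spliterator(), false).toArray(String[]::new);
        }
    }

    /**
     * Creates the client-side GM (TLCP 1.1) Netty SSL context from the current {@code TlsSystemConfig}.
     *
     * @return a client {@link SslContext} offering the TLCP cipher suites, ALPN (h2, HTTP/1.1) and no
     *         client-auth requirement on the Netty side (client certificates are still presented via the
     *         key manager when the server asks)
     * @throws Exception if the provider is unavailable, a configured file cannot be read, or the
     *                   certificate/key material cannot be parsed
     */
    public static SslContext buildGmSslContext() throws Exception {
        logTheFinalUsedGmTlsConfig();
        ApplicationProtocolConfig alpn = new ApplicationProtocolConfig(
                ApplicationProtocolConfig.Protocol.ALPN,
                ApplicationProtocolConfig.SelectorFailureBehavior.FATAL_ALERT,
                ApplicationProtocolConfig.SelectedListenerFailureBehavior.FATAL_ALERT,
                ApplicationProtocolNames.HTTP_2, "HTTP/1.1");
        return new JdkSslContext(createContext(), true, TLCP_CIPHER_SUITES, new AllAllowedCipherSuiteFilter(),
                alpn, ClientAuth.NONE, new String[]{TLCP_PROTOCOL}, false);
    }

    /** Reads the whole file at {@code path} as UTF-8 text. */
    private static String readFile(String path) throws IOException {
        return FileUtils.readFileToString(new File(path), StandardCharsets.UTF_8);
    }

    /** Reads the file at {@code path}, or returns {@code null} when the path is blank/unset. */
    private static String readOptional(String path) throws IOException {
        return UtilAll.isNotBlank(path) ? readFile(path) : null;
    }

    /**
     * Builds the JCA {@link SSLContext}: key managers from the dual client certificates and trust managers
     * either from the configured CA file (server verification on) or an accept-all trust manager (off).
     */
    private static SSLContext createContext() throws Exception {
        KeyStore keyStore = createKeyStore(
                readOptional(TlsSystemConfig.gmSigCertPath),
                readOptional(TlsSystemConfig.gmSignKeyPath),
                readOptional(TlsSystemConfig.tlsCertPath),
                readOptional(TlsSystemConfig.tlsKeyPath));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509", PROV_NAME);
        // NOTE(review): the entries were stored with per-entry passwords in createKeyStore but the factory
        // is initialised with a null password — confirm the Kona provider recovers such entries.
        kmf.init(keyStore, null);

        SSLContext ctx = SSLContext.getInstance(TLCP_PROTOCOL, PROV_NAME);
        if (TlsSystemConfig.tlsAuthServer) {
            // Fail with a clear message instead of an NPE from new File(null) when the CA file is missing.
            if (!UtilAll.isNotBlank(TlsSystemConfig.tlsTrustCertPath)) {
                throw new IllegalStateException(
                        "HTP_SSL_VERIFY_SERVER is true but HTP_SSL_CA_CERTIFICATE is not configured");
            }
            KeyStore trustStore = createTrustStore(readFile(TlsSystemConfig.tlsTrustCertPath));
            TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX", PROV_NAME);
            tmf.init(trustStore);
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        } else {
            // Deliberate, configuration-driven choice, but it disables server authentication entirely.
            log.warn("HTP_SSL_VERIFY_SERVER is false: the GM TLS server certificate will NOT be verified; "
                    + "the connection is vulnerable to interception. Enable it for production use.");
            ctx.init(kmf.getKeyManagers(), InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), new SecureRandom());
        }
        return ctx;
    }

    /**
     * Builds an in-memory trust store holding every certificate found in the PEM text.
     *
     * <p>The first certificate keeps the alias {@code tlcp-trust}; further certificates in a bundle get
     * {@code tlcp-trust-1}, {@code tlcp-trust-2}, … so a CA bundle file is fully trusted.
     *
     * @throws IllegalArgumentException if the text contains no certificate
     */
    private static KeyStore createTrustStore(String pem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12", PROV_NAME);
        trustStore.load(null, null);
        CertificateFactory factory = CertificateFactory.getInstance("X.509", PROV_NAME);
        int count = 0;
        for (Certificate cert : factory.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)))) {
            String alias = count == 0 ? "tlcp-trust" : "tlcp-trust-" + count;
            trustStore.setCertificateEntry(alias, cert);
            count++;
        }
        if (count == 0) {
            throw new IllegalArgumentException("HTP_SSL_CA_CERTIFICATE contains no X.509 certificate");
        }
        return trustStore;
    }

    /**
     * Builds the in-memory client keystore with the TLCP signing ({@code tlcp-sign-ee}) and encryption
     * ({@code tlcp-enc-ee}) entries.
     *
     * @param sigCertPem signing certificate PEM text, or {@code null} if unconfigured
     * @param sigKeyPem  signing private key PEM text (unencrypted PKCS#8), or {@code null}
     * @param encCertPem encryption certificate PEM text, or {@code null}
     * @param encKeyPem  encryption private key PEM text (unencrypted PKCS#8), or {@code null}
     * @throws IllegalStateException if any of the four inputs is missing (all are required for TLCP)
     */
    private static KeyStore createKeyStore(String sigCertPem, String sigKeyPem, String encCertPem, String encKeyPem)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12", PROV_NAME);
        keyStore.load(null, null);
        keyStore.setKeyEntry("tlcp-sign-ee",
                loadPrivateKey(require(sigKeyPem, "HTP_SSL_SIGNATURE_CERTIFICATE_KEY")),
                keyPassword(TlsSystemConfig.gmSignKeyPassword),
                new Certificate[]{loadCert(require(sigCertPem, "HTP_SSL_SIGNATURE_CERTIFICATE"))});
        keyStore.setKeyEntry("tlcp-enc-ee",
                loadPrivateKey(require(encKeyPem, "HTP_SSL_CERTIFICATE_KEY")),
                keyPassword(TlsSystemConfig.tlsKeyPassword),
                new Certificate[]{loadCert(require(encCertPem, "HTP_SSL_CERTIFICATE"))});
        return keyStore;
    }

    /** Returns {@code pem} unchanged, or fails with the name of the missing setting when it is null. */
    private static String require(String pem, String settingName) {
        if (pem == null) {
            throw new IllegalStateException(settingName + " is required for GM TLS but is not configured");
        }
        return pem;
    }

    /**
     * Converts a configured (AES-protected) key password into the keystore entry password.
     *
     * @return the decrypted password, or {@code null} when no password is configured
     */
    private static char[] keyPassword(String configured) throws Exception {
        return UtilAll.isNotBlank(configured) ? AESUtils.decryptAES(configured).toCharArray() : null;
    }

    /** Parses the first X.509 certificate in the PEM text. */
    private static X509Certificate loadCert(String pem) throws Exception {
        CertificateFactory factory = CertificateFactory.getInstance("X.509", PROV_NAME);
        // PEM is ASCII; make the charset explicit rather than relying on the platform default.
        return (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Parses an unencrypted PKCS#8 PEM private key as an EC key.
     *
     * @throws IllegalArgumentException if the text lacks the PKCS#8 BEGIN/END markers (encrypted PKCS#8
     *                                  and legacy "EC PRIVATE KEY" files are rejected)
     */
    private static PrivateKey loadPrivateKey(String pem) throws Exception {
        if (!pem.contains(PKCS8_BEGIN) || !pem.contains(PKCS8_END)) {
            throw new IllegalArgumentException("The key is not PKCS#8 format");
        }
        String body = pem.replace(PKCS8_BEGIN, "").replace(PKCS8_END, "");
        // The MIME decoder skips the line breaks between the PEM markers.
        byte[] der = Base64.getMimeDecoder().decode(body);
        return KeyFactory.getInstance("EC", PROV_NAME).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Describes a secret setting for the log without revealing its value. */
    private static String describeSecret(String value) {
        return UtilAll.isNotBlank(value) ? "<set>" : "<not set>";
    }

    /** Logs the effective GM TLS settings; passwords are only reported as set / not set. */
    private static void logTheFinalUsedGmTlsConfig() {
        log.info("Log the final used gm tls related configuration");
        log.info("{} = {}", "HTP_SSL_CERTIFICATE_KEY", TlsSystemConfig.tlsKeyPath);
        log.info("{} = {}", "HTP_SSL_CERTIFICATE_PASSWORD", describeSecret(TlsSystemConfig.tlsKeyPassword));
        log.info("{} = {}", "HTP_SSL_CERTIFICATE", TlsSystemConfig.tlsCertPath);
        log.info("{} = {}", "HTP_SSL_VERIFY_SERVER", Boolean.valueOf(TlsSystemConfig.tlsAuthServer));
        log.info("{} = {}", "HTP_SSL_CA_CERTIFICATE", TlsSystemConfig.tlsTrustCertPath);
        log.info("{} = {}", "HTP_SSL_SIGNATURE_CERTIFICATE", TlsSystemConfig.gmSigCertPath);
        log.info("{} = {}", "HTP_SSL_SIGNATURE_CERTIFICATE_KEY", TlsSystemConfig.gmSignKeyPath);
        log.info("{} = {}", "HTP_SSL_SIGNATURE_CERTIFICATE_PASSWORD", describeSecret(TlsSystemConfig.gmSignKeyPassword));
    }

    // Register the Kona provider once per class load. If it is absent, every getInstance(..., PROV_NAME)
    // above fails later with NoSuchProviderException; only an error is logged here.
    static {
        try {
            Class<?> providerClass = Class.forName(PROVIDER_CLASS);
            Security.addProvider((Provider) providerClass.getConstructor().newInstance());
        } catch (ClassNotFoundException e) {
            log.error("This provider is not in the classpath: {}", PROVIDER_CLASS);
        } catch (IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            log.error("Failed to instantiate security provider {}", PROVIDER_CLASS, e);
        }
    }
}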
