package com.alipay.mychain.sdk.network.netty;

import com.alipay.mychain.sdk.api.env.ISslOption;
import com.alipay.mychain.sdk.api.logging.ILogger;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMDecryptor;
import org.bouncycastle.openssl.PEMDecryptorProvider;
import org.bouncycastle.openssl.PEMEncryptedKeyPair;
import org.bouncycastle.openssl.PEMException;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.PasswordException;
import org.bouncycastle.openssl.bc.BcPEMDecryptorProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
import org.bouncycastle.pkcs.PKCSException;

/* loaded from: input_file:com/alipay/mychain/sdk/network/netty/ClientSslContext.class */
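/**
 * Builds the Netty {@link SslContext} used by the client from the streams and passwords
 * supplied through {@link ISslOption}.
 *
 * <p>Two configurations exist, selected by {@link ISslOption#isSmTLSSupport()}: the default
 * path hands the PEM certificate/key streams straight to Netty (TLS 1.2), while the SM-TLS path
 * parses the key with BouncyCastle (including OpenSSL-style "SM4-CBC" encrypted PEM keys),
 * loads it into a BC PKCS12 key store and uses a BCJSSE trust manager (TLS 1.3/1.2).
 *
 * <p>Trust-store and key passwords are never written to the log by this class.
 */
public class ClientSslContext {
    /** SM4 in CBC mode with PKCS#5 padding; used to decrypt "SM4-CBC" encrypted PEM keys. */
    public static final String ALGORITHM_NAME_CBC_PADDING = "SM4/CBC/PKCS5Padding";
    /** SM4 in CBC mode without padding; kept for API compatibility, not used in this class. */
    public static final String ALGORITHM_NAME_CBC_NOPADDING = "SM4/CBC/NoPadding";
    /** Number of salt bytes OpenSSL's EVP_BytesToKey consumes (PKCS5_SALT_LEN). */
    private static final int EVP_SALT_LEN = 8;
    private static final BouncyCastleProvider bouncyCastleProvider = new BouncyCastleProvider();
    private static final String SSL_VER = "TLSv1.2";
    private static final String SSL_VER_V13 = "TLSv1.3";
    private static final SslProvider SSL_PROVIDER;
    private final ISslOption sslOption;
    private final ILogger logger;

    /**
     * {@link PEMDecryptorProvider} for PEM keys whose DEK-Info algorithm is "SM4-CBC", which
     * BouncyCastle's {@link BcPEMDecryptorProvider} does not handle.
     *
     * <p>The key is derived the way OpenSSL does for legacy encrypted PEM: one round of the
     * MD5-based {@link ClientSslContext#EVP_BytesToKey} over the password and the first 8 bytes
     * of the IV. That construction is fixed by the file format (interoperability, not strength);
     * the protection of the key file rests entirely on the pass phrase.
     */
    public class SM4CBCEMDecryptorProvider implements PEMDecryptorProvider {
        private final String password;

        /**
         * @param str the PEM pass phrase; {@code null} makes every decrypt attempt fail with a
         *            {@link PasswordException}
         */
        public SM4CBCEMDecryptorProvider(String str) {
            this.password = str;
        }

        /**
         * @param str the DEK algorithm name from the PEM header; ignored, because the caller only
         *            selects this provider after checking that it is SM4-CBC
         */
        @Override
        public PEMDecryptor get(String str) {
            return new PEMDecryptor() {
                /**
                 * @param bArr the encrypted key bytes
                 * @param bArr2 the IV from the DEK-Info header; also the salt for key derivation
                 */
                @Override
                public byte[] decrypt(byte[] bArr, byte[] bArr2) throws PEMException {
                    if (SM4CBCEMDecryptorProvider.this.password == null) {
                        throw new PasswordException("Password is null, but a password is required");
                    }
                    byte[] key = null;
                    try {
                        // NOTE(review): the password is encoded with the platform default charset
                        // (as in the original). That only matters for non-ASCII pass phrases, where
                        // the bytes must equal those the encrypting tool consumed — confirm before
                        // pinning a charset here.
                        key = ClientSslContext.EVP_BytesToKey(16, MessageDigest.getInstance("MD5"),
                            bArr2, SM4CBCEMDecryptorProvider.this.password.getBytes(), 1);
                        return ClientSslContext.decrypt_CBC_Padding(key, bArr2, bArr);
                    } catch (NoSuchAlgorithmException e) {
                        throw new PasswordException("No md5 algorithm" + ExceptionUtils.getStackTrace(e));
                    } finally {
                        // SecretKeySpec copied the key; drop our copy of the derived key material.
                        if (key != null) {
                            Arrays.fill(key, (byte) 0);
                        }
                    }
                }
            };
        }
    }

    /**
     * @param iSslOption source of the certificate, key and trust-store streams and passwords
     * @param iLogger logger for failures; secrets are never passed to it
     */
    public ClientSslContext(ISslOption iSslOption, ILogger iLogger) {
        this.sslOption = iSslOption;
        this.logger = iLogger;
    }

    /**
     * Creates the client {@link SslContext}.
     *
     * <p>SM-TLS: TLS 1.3/1.2, BCJSSE trust manager, key manager built from the parsed private
     * key. Otherwise: TLS 1.2 with the PEM cert/key streams handed directly to Netty.
     *
     * @return the context, or {@code null} if it could not be built (the failure is logged with
     *         its cause). Callers must treat {@code null} as a hard error and must not fall back
     *         to a plaintext or differently-configured connection.
     */
    public SslContext createSslContext() {
        try {
            TrustManagerFactory trustManagerFactory = createTrustManager(
                this.sslOption.getTrustStoreStream(), this.sslOption.getTrustStorePassword());
            SslContextBuilder builder = SslContextBuilder.forClient()
                .sslProvider(SSL_PROVIDER)
                .trustManager(trustManagerFactory);
            if (this.sslOption.isSmTLSSupport()) {
                builder.protocols(new String[]{SSL_VER_V13, SSL_VER})
                    .keyManager(getKeyManagerFactory());
            } else {
                builder.protocols(new String[]{SSL_VER})
                    .keyManager(this.sslOption.getCertStream(), this.sslOption.getKeyStream(),
                        this.sslOption.getKeyPassword());
            }
            return builder.build();
        } catch (Exception e) {
            // Log the whole exception, not only getMessage(): the cause chain (wrong password,
            // unreadable store, missing provider) is what an operator needs to diagnose this.
            this.logger.error("Init SslContext exception", (Throwable) e);
            return null;
        }
    }

    /**
     * Builds a {@link TrustManagerFactory} over the trust store read from {@code inputStream}.
     *
     * @param inputStream the trust store; {@code null} logs an error and returns {@code null}
     * @param password the trust-store password, or {@code null} for an unprotected store
     * @return the initialised factory, or {@code null} if no stream was supplied.
     *         NOTE(review): {@link #createSslContext()} passes that {@code null} on to Netty;
     *         confirm whether Netty then falls back to the JDK default trust store, because a
     *         missing custom trust store would silently widen what this client trusts.
     * @throws NoSuchAlgorithmException if the trust-manager algorithm or key-store type is unavailable
     * @throws KeyStoreException if the store cannot be created or the factory cannot be initialised
     * @throws IOException if the store cannot be read or its password is wrong
     * @throws CertificateException if a certificate in the store cannot be parsed
     * @throws NoSuchProviderException if the BCJSSE/BC provider is not registered
     */
    private TrustManagerFactory createTrustManager(InputStream inputStream, String password)
            throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException,
            NoSuchProviderException {
        if (inputStream == null) {
            this.logger.error("trustStoreStream is null.");
            return null;
        }
        try {
            TrustManagerFactory trustManagerFactory = this.sslOption.isSmTLSSupport()
                ? TrustManagerFactory.getInstance("X.509", "BCJSSE")
                : TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(createKeyStore(inputStream, password));
            return trustManagerFactory;
        } catch (IOException e) {
            // The password is deliberately not logged; the exception carries the context.
            this.logger.error("createTrustManager: load trust store failed", (Throwable) e);
            throw new IOException("load custom key store happen IOException", e);
        } catch (KeyStoreException e) {
            this.logger.error("createTrustManager: key store failed", (Throwable) e);
            throw new KeyStoreException("trust manager init failed.", e);
        } catch (NoSuchAlgorithmException e) {
            this.logger.error("createTrustManager: no such algorithm", (Throwable) e);
            throw new NoSuchAlgorithmException("Not such algorithm exception.", e);
        } catch (CertificateException e) {
            this.logger.error("createTrustManager: certificate error", (Throwable) e);
            throw new CertificateException("load custom key store happen CertificateException", e);
        } catch (NoSuchProviderException e) {
            this.logger.error("createTrustManager: no such provider", (Throwable) e);
            throw e;
        }
    }

    /**
     * Loads a key store from {@code inputStream}: BC PKCS12 for SM-TLS, the JDK default type
     * otherwise.
     *
     * @param inputStream the serialised store (not closed here; the caller owns it)
     * @param password the store password, or {@code null}. Per {@link KeyStore#load}, a
     *                 {@code null} password skips the store's integrity check, so the contents are
     *                 accepted as-is — only appropriate for stores from a trusted location.
     */
    private KeyStore createKeyStore(InputStream inputStream, String password)
            throws KeyStoreException, CertificateException, NoSuchAlgorithmException,
            NoSuchProviderException, IOException {
        KeyStore keyStore = this.sslOption.isSmTLSSupport()
            ? KeyStore.getInstance("PKCS12", "BC")
            : KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(inputStream, password == null ? null : password.toCharArray());
        return keyStore;
    }

    /**
     * Builds the client-authentication key manager for the SM-TLS path: the parsed private key
     * plus the client certificate are placed in an in-memory BC PKCS12 store protected with the
     * key password.
     *
     * @throws Exception any failure, after logging it with its cause
     */
    private KeyManagerFactory getKeyManagerFactory() throws Exception {
        try {
            // generateCertificate reads only the first certificate in the stream, and the entry
            // below stores just that one — intermediate CAs present in the file are not sent.
            X509Certificate certificate = (X509Certificate) CertificateFactory
                .getInstance("X.509", "BC")
                .generateCertificate(this.sslOption.getCertStream());
            PrivateKey privateKey = getPrivateKeyFromPKCS8();
            char[] keyPassword = requireKeyPassword().toCharArray();
            KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC");
            keyStore.load(null, keyPassword);
            keyStore.setKeyEntry("User Key", privateKey, keyPassword, new Certificate[]{certificate});
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(keyStore, keyPassword);
            return keyManagerFactory;
        } catch (Exception e) {
            this.logger.error("getKeyManagerFactor failed", (Throwable) e);
            throw e;
        }
    }

    /**
     * Parses the private key from {@link ISslOption#getKeyStream()}.
     *
     * <p>Accepts, in this order: an OpenSSL-style encrypted key pair (decrypted with
     * {@link SM4CBCEMDecryptorProvider} when DEK-Info says "SM4-CBC", otherwise with
     * BouncyCastle's standard decryptor), a PKCS#8 encrypted key, a plain PKCS#8 key, and a plain
     * key pair.
     *
     * @return the private key, converted through the BouncyCastle provider
     * @throws IOException if the stream cannot be read, holds no supported PEM object, or an
     *         encrypted key is found but no password is configured ({@link PasswordException})
     * @throws PKCSException if PKCS#8 decryption fails
     * @throws OperatorCreationException if the PKCS#8 decryptor cannot be built
     */
    private PrivateKey getPrivateKeyFromPKCS8() throws PKCSException, IOException, OperatorCreationException {
        Object pemObject;
        // PEM is ASCII, so pinning UTF-8 cannot change what is parsed; it only removes the
        // dependency on the platform charset. The parser is closed once the object is read.
        try (PEMParser pemParser = new PEMParser(
                new InputStreamReader(this.sslOption.getKeyStream(), StandardCharsets.UTF_8))) {
            pemObject = pemParser.readObject();
        }
        if (pemObject instanceof PEMEncryptedKeyPair) {
            PEMEncryptedKeyPair encryptedKeyPair = (PEMEncryptedKeyPair) pemObject;
            String keyPassword = requireKeyPassword();
            PEMKeyPair keyPair = "SM4-CBC".equalsIgnoreCase(encryptedKeyPair.getDekAlgName())
                ? encryptedKeyPair.decryptKeyPair(new SM4CBCEMDecryptorProvider(keyPassword))
                : encryptedKeyPair.decryptKeyPair(new BcPEMDecryptorProvider(keyPassword.toCharArray()));
            return toPrivateKey(keyPair.getPrivateKeyInfo());
        }
        if (pemObject instanceof PKCS8EncryptedPrivateKeyInfo) {
            // NOTE(review): the decryptor provider is built without an explicit JCA provider, as
            // in the original (its setProvider(...) calls were on discarded builder instances);
            // BC is registered globally in the static initialiser.
            PrivateKeyInfo privateKeyInfo = ((PKCS8EncryptedPrivateKeyInfo) pemObject)
                .decryptPrivateKeyInfo(new JceOpenSSLPKCS8DecryptorProviderBuilder()
                    .build(requireKeyPassword().toCharArray()));
            return toPrivateKey(privateKeyInfo);
        }
        if (pemObject instanceof PrivateKeyInfo) {
            return toPrivateKey((PrivateKeyInfo) pemObject);
        }
        if (pemObject instanceof PEMKeyPair) {
            return toPrivateKey(((PEMKeyPair) pemObject).getPrivateKeyInfo());
        }
        // Previously an unconditional cast: an empty stream or a certificate in place of a key
        // surfaced as NullPointerException/ClassCastException. Fail with a descriptive IOException.
        throw new IOException("unsupported PEM object in key stream: "
            + (pemObject == null ? "empty stream" : pemObject.getClass().getName()));
    }

    /** Converts a BouncyCastle key structure into a JCA {@link PrivateKey} via the BC provider. */
    private static PrivateKey toPrivateKey(PrivateKeyInfo privateKeyInfo) throws PEMException {
        JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
        converter.setProvider(bouncyCastleProvider);
        return converter.getPrivateKey(privateKeyInfo);
    }

    /**
     * @return the configured key password
     * @throws PasswordException if none is configured (instead of a later NullPointerException)
     */
    private String requireKeyPassword() throws PasswordException {
        String keyPassword = this.sslOption.getKeyPassword();
        if (keyPassword == null) {
            throw new PasswordException("Password is null, but a password is required");
        }
        return keyPassword;
    }

    /**
     * Creates and initialises an SM4 CBC cipher from the BC provider.
     *
     * @param transformation the cipher transformation, e.g. {@link #ALGORITHM_NAME_CBC_PADDING}
     * @param mode {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @param key the raw SM4 key
     * @param iv the initialisation vector
     */
    private static Cipher generateCBCCipher(String transformation, int mode, byte[] key, byte[] iv)
            throws InvalidKeyException, InvalidAlgorithmParameterException, NoSuchAlgorithmException,
            NoSuchProviderException, NoSuchPaddingException {
        Cipher cipher = Cipher.getInstance(transformation, "BC");
        cipher.init(mode, new SecretKeySpec(key, "SM4"), new IvParameterSpec(iv));
        return cipher;
    }

    /**
     * Decrypts {@code bArr3} with SM4/CBC/PKCS5Padding.
     *
     * @param bArr the raw SM4 key
     * @param bArr2 the IV
     * @param bArr3 the ciphertext
     * @return the plaintext
     * @throws RuntimeException wrapping any cipher failure — including the bad-padding result of
     *         a wrong password; this unchecked contract is what callers rely on
     */
    public static byte[] decrypt_CBC_Padding(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        try {
            return generateCBCCipher(ALGORITHM_NAME_CBC_PADDING, Cipher.DECRYPT_MODE, bArr, bArr2)
                .doFinal(bArr3);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * OpenSSL's legacy EVP_BytesToKey key-derivation (key output only, no IV).
     *
     * <p>D_1 = H(password || salt[0..8)), D_n = H(D_(n-1) || password || salt[0..8)); every D_n is
     * re-hashed {@code i2 - 1} additional times; the D_n are concatenated and truncated to
     * {@code i} bytes. This is a fast, low-iteration construction kept solely because the
     * OpenSSL encrypted-PEM format requires it; do not use it to derive keys for anything new.
     *
     * @param i the number of key bytes to produce
     * @param messageDigest the hash to use (MD5 for legacy PEM)
     * @param bArr the salt, or {@code null} for none; only its first 8 bytes are used
     * @param bArr2 the password bytes; {@code null} yields an all-zero key of length {@code i}
     * @param i2 the iteration count; values below 2 mean one hash per block
     * @return the derived key; the intermediate digest buffer is zeroed before returning
     * @throws IllegalArgumentException if a non-null salt is shorter than 8 bytes
     */
    public static byte[] EVP_BytesToKey(int i, MessageDigest messageDigest, byte[] bArr, byte[] bArr2, int i2) {
        byte[] key = new byte[i];
        if (bArr2 == null) {
            return key;
        }
        if (bArr != null && bArr.length < EVP_SALT_LEN) {
            // Same exception type the digest update would have thrown, with a clearer message.
            throw new IllegalArgumentException(
                "salt must be at least " + EVP_SALT_LEN + " bytes, got " + bArr.length);
        }
        int remaining = i;
        int offset = 0;
        byte[] block = null;
        do {
            messageDigest.reset();
            if (block != null) {
                // Every block after the first is chained on the previous digest.
                messageDigest.update(block);
            }
            messageDigest.update(bArr2);
            if (bArr != null) {
                messageDigest.update(bArr, 0, EVP_SALT_LEN);
            }
            block = messageDigest.digest();
            for (int round = 1; round < i2; round++) {
                messageDigest.reset();
                block = messageDigest.digest(block);
            }
            int take = Math.min(remaining, block.length);
            System.arraycopy(block, 0, key, offset, take);
            offset += take;
            remaining -= take;
        } while (remaining != 0);
        Arrays.fill(block, (byte) 0);
        return key;
    }

    static {
        Security.addProvider(bouncyCastleProvider);
        try {
            ProviderUtils.setupHighPriority(false);
        } catch (Exception ignored) {
            // Best-effort, as in the original: ProviderUtils is a same-package helper not shown
            // here and presumably only reorders provider priority — confirm before relying on it.
        }
        SSL_PROVIDER = SslProvider.OPENSSL;
    }
}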
