package cn.com.bouncycastle.jsse.provider;

import cn.com.bouncycastle.jsse.BCSNIServerName;
import cn.com.bouncycastle.tls.Certificate;
import cn.com.bouncycastle.tls.CertificateRequest;
import cn.com.bouncycastle.tls.CertificateStatusRequest;
import cn.com.bouncycastle.tls.DefaultTlsClient;
import cn.com.bouncycastle.tls.DefaultTlsKeyExchangeFactory;
import cn.com.bouncycastle.tls.ProtocolVersion;
import cn.com.bouncycastle.tls.ServerName;
import cn.com.bouncycastle.tls.SignatureAndHashAlgorithm;
import cn.com.bouncycastle.tls.TlsAuthentication;
import cn.com.bouncycastle.tls.TlsCredentials;
import cn.com.bouncycastle.tls.TlsFatalAlert;
import cn.com.bouncycastle.tls.TlsServerCertificate;
import cn.com.bouncycastle.tls.TlsSession;
import cn.com.bouncycastle.tls.TlsUtils1;
import cn.com.bouncycastle.tls.crypto.TlsCertificate;
import cn.com.bouncycastle.tls.crypto.TlsCrypto;
import cn.com.bouncycastle.tls.crypto.TlsCryptoParameters;
import cn.com.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedSigner;
import cn.com.bouncycastle.tls.crypto.impl.bc.BcExternalTlsCredentialedSigner;
import cn.com.bouncycastle.tls.crypto.impl.bc.BcSM2TlsCredentialedSignerAndDecryptor;
import cn.com.bouncycastle.tls.crypto.impl.bc.BcSM2TlsExternalSignerAndDecryptor;
import cn.com.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import cn.com.bouncycastle.tls.crypto.impl.jcajce.JcaDefaultTlsCredentialedSigner;
import cn.com.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
import cn.com.bouncycastle.tls.crypto.impl.jcajce.JceDefaultTlsCredentialedAgreement;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.Principal;
import java.security.PrivateKey;
import java.util.Hashtable;
import java.util.List;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;
import org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.IPAddress;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: classes.dex */
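/**
 * Client-side TLS peer of the JSSE provider. It feeds handshake parameters (cipher suites,
 * protocol versions, SNI, session to resume) from the owning {@link ProvTlsManager} and its
 * {@link ProvSSLParameters} into the TLS engine, and reports handshake events back to the manager.
 *
 * <p>NOTE(review): this listing is decompiler output. Numeric literals stand in for named
 * constants, and the control flow of {@code getClientCredentials} in particular should be
 * compared with the original build before it is relied on.
 */
public class ProvTlsClient extends DefaultTlsClient implements ProvTlsPeer {
    // Keys used to look up two server-extension values in processServerExtensions and to store
    // them on the session in notifyHandshakeComplete.
    // NOTE(review): these are String keys; if the extension table is keyed by Integer extension
    // type (as in upstream Bouncy Castle) the lookups can never match — confirm against the fork.
    private static final String INFOSEC_CLENTIP_IPV4 = "112";
    private static final String INFOSEC_CLENTIP_IPV6 = "113";
    private static final Logger LOG = Logger.getLogger(ProvTlsClient.class.getName());
    // SNI is on unless the system property jsse.enableSNIExtension is set to false.
    private static final boolean provEnableSNIExtension = PropertyUtils.getBooleanSystemProperty("jsse.enableSNIExtension", true);
    // Written under the instance lock in notifyHandshakeComplete; the field itself is public, so
    // direct reads bypass that lock — prefer isHandshakeComplete().
    public boolean handshakeComplete;
    // Server-supplied extension values held between processServerExtensions and handshake completion.
    private Object ipv4Value;
    private Object ipv6Value;
    public final ProvTlsManager manager;
    public final ProvSSLParameters sslParameters;
    public ProvSSLSessionImpl sslSession;

    /**
     * Creates a client bound to the given manager, using the manager's crypto implementation and
     * a snapshot reference to its SSL parameters.
     *
     * @param provTlsManager owner of the connection; supplies context data and SSL parameters
     */
    public ProvTlsClient(ProvTlsManager provTlsManager) {
        super(provTlsManager.getContextData().getCrypto(), new DefaultTlsKeyExchangeFactory(), new ProvDHConfigVerifier());
        this.sslSession = null;
        this.handshakeComplete = false;
        this.manager = provTlsManager;
        this.sslParameters = provTlsManager.getProvSSLParameters();
    }

    /**
     * Returns the authentication callbacks for this handshake: client-credential selection and
     * the server-certificate trust decision.
     */
    @Override // cn.com.bouncycastle.tls.TlsClient
    public TlsAuthentication getAuthentication() throws IOException {
        return new TlsAuthentication() { // from class: cn.com.bouncycastle.jsse.provider.ProvTlsClient.1
            /**
             * Chooses client credentials for a server CertificateRequest, or returns null to send
             * none.
             *
             * <p>The key-exchange numbers below match upstream Bouncy Castle's
             * KeyExchangeAlgorithm values (1 RSA, 3 DHE_DSS, 5 DHE_RSA, 7 DH_DSS, 9 DH_RSA,
             * 16 ECDH_ECDSA, 17 ECDHE_ECDSA, 18 ECDH_RSA, 19 ECDHE_RSA); 25 and 26 are handled
             * with the SM2 credential classes here — presumably fork-specific values, confirm.
             *
             * @param certificateRequest the server's request (certificate types and acceptable CAs)
             * @return credentials to present, or null when none are available or applicable
             * @throws IOException a TlsFatalAlert with description 80 (internal_error) for an
             *     unrecognised key exchange, or 40 (handshake_failure) when the SM2 key material
             *     cannot be converted
             */
            @Override // cn.com.bouncycastle.tls.TlsAuthentication
            public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
                short[] certificateTypes;
                Principal[] principalArr;
                int keyExchangeAlgorithm = TlsUtils1.getKeyExchangeAlgorithm(ProvTlsClient.this.selectedCipherSuite);
                // Guard as the decompiler rendered it: only 1, 3 and 5 continue to credential
                // selection; 7, 9, 16-19, 25 and 26 return null (no client credentials) and any
                // other value raises alert 80.
                // NOTE(review): this leaves the SM2 (25/26) and key-agreement branches further
                // down unreachable, and means client authentication is silently skipped for those
                // suites. It looks like a collapsed switch from decompilation — verify against the
                // original class before drawing conclusions about mutual-TLS coverage.
                if (keyExchangeAlgorithm != 1 && keyExchangeAlgorithm != 3 && keyExchangeAlgorithm != 5) {
                    if (keyExchangeAlgorithm != 7 && keyExchangeAlgorithm != 9) {
                        if (keyExchangeAlgorithm != 25 && keyExchangeAlgorithm != 26) {
                            switch (keyExchangeAlgorithm) {
                                case 16:
                                case 18:
                                    break;
                                case 17:
                                case 19:
                                    break;
                                default:
                                    throw new TlsFatalAlert((short) 80);
                            }
                        }
                    }
                    return null;
                }
                X509KeyManager keyManager = ProvTlsClient.this.manager.getContextData().getKeyManager();
                if (keyManager == null || (certificateTypes = certificateRequest.getCertificateTypes()) == null || certificateTypes.length == 0) {
                    return null;
                }
                // Translate the requested certificate types into JSSE key-type names.
                String[] strArr = new String[certificateTypes.length];
                for (int i2 = 0; i2 < certificateTypes.length; i2++) {
                    strArr[i2] = JsseUtils.getAuthTypeClient(certificateTypes[i2]);
                }
                // Acceptable issuers from the request; null means "no restriction" for the key manager.
                Vector certificateAuthorities = certificateRequest.getCertificateAuthorities();
                if (certificateAuthorities == null || certificateAuthorities.size() <= 0) {
                    principalArr = null;
                } else {
                    Set<X500Principal> x500Principals = JsseUtils.toX500Principals((X500Name[]) certificateAuthorities.toArray(new X500Name[certificateAuthorities.size()]));
                    principalArr = (Principal[]) x500Principals.toArray(new Principal[x500Principals.size()]);
                }
                String chooseClientAlias = keyManager.chooseClientAlias(strArr, principalArr, null);
                if (chooseClientAlias == null) {
                    return null;
                }
                TlsCrypto crypto = ProvTlsClient.this.getCrypto();
                PrivateKey privateKey = keyManager.getPrivateKey(chooseClientAlias);
                Certificate certificateMessage = JsseUtils.getCertificateMessage(crypto, keyManager.getCertificateChain(chooseClientAlias));
                // An external key manager keeps the private key elsewhere, so a missing key is
                // only a reason to give up for ordinary key managers.
                boolean z = keyManager instanceof ProvX509KeyManagerExternal;
                if (!z && (privateKey == null || certificateMessage.isEmpty())) {
                    return null;
                }
                if (keyExchangeAlgorithm != 1 && keyExchangeAlgorithm != 3 && keyExchangeAlgorithm != 5) {
                    if (keyExchangeAlgorithm != 7 && keyExchangeAlgorithm != 9) {
                        if (keyExchangeAlgorithm == 25 || keyExchangeAlgorithm == 26) {
                            try {
                                // Dual-certificate case: the signing certificate comes from the
                                // regular key manager, the second one from the encryption key manager.
                                X509KeyManager encKeyManager = ProvTlsClient.this.manager.getContextData().getEncKeyManager();
                                if (encKeyManager == null) {
                                    return null;
                                }
                                String chooseClientAlias2 = encKeyManager.chooseClientAlias(strArr, principalArr, null);
                                if (chooseClientAlias2 == null) {
                                    return null;
                                }
                                Certificate certificate = new Certificate(new TlsCertificate[]{certificateMessage.getCertificateAt(0), JsseUtils.getCertificateMessage(crypto, encKeyManager.getCertificateChain(chooseClientAlias2)).getCertificateAt(0)});
                                PrivateKey privateKey2 = encKeyManager.getPrivateKey(chooseClientAlias2);
                                SignatureAndHashAlgorithm chooseSignatureAndHashAlgorithm = TlsUtils1.chooseSignatureAndHashAlgorithm(ProvTlsClient.this.context, ProvTlsClient.this.supportedSignatureAlgorithms, TlsUtils1.getSignatureAlgorithm(keyExchangeAlgorithm));
                                // NOTE(review): the external/in-process choice is made on the
                                // encryption key manager only; a mixed setup (external signing
                                // key, in-process encryption key) would pass a null signing key
                                // to ECUtil below — confirm such setups cannot occur.
                                return encKeyManager instanceof ProvX509KeyManagerExternal ? new BcSM2TlsExternalSignerAndDecryptor((BcTlsCrypto) crypto, new TlsCryptoParameters(ProvTlsClient.this.context), certificate, ((ProvX509KeyManagerExternal) encKeyManager).getExternalCredentialedProvider(), chooseSignatureAndHashAlgorithm) : new BcSM2TlsCredentialedSignerAndDecryptor((BcTlsCrypto) crypto, new TlsCryptoParameters(ProvTlsClient.this.context), certificate, ECUtil.generatePrivateKeyParameter(privateKey), ECUtil.generatePrivateKeyParameter(privateKey2), chooseSignatureAndHashAlgorithm);
                            } catch (InvalidKeyException e2) {
                                // Route the failure through the provider logger instead of stderr.
                                LOG.log(Level.WARNING, "Unable to build SM2 client credentials", (Throwable) e2);
                                throw new TlsFatalAlert((short) 40);
                            }
                        }
                        switch (keyExchangeAlgorithm) {
                            case 16:
                            case 18:
                                break;
                            case 17:
                            case 19:
                                break;
                            default:
                                throw new TlsFatalAlert((short) 80);
                        }
                    }
                    // Static (EC)DH-style key exchanges use key-agreement credentials.
                    return new JceDefaultTlsCredentialedAgreement((JcaTlsCrypto) crypto, certificateMessage, privateKey);
                }
                // Signing credentials for key exchanges 1, 3 and 5; the signature algorithm is
                // chosen from the leaf certificate's client certificate type.
                SignatureAndHashAlgorithm chooseSignatureAndHashAlgorithm2 = TlsUtils1.chooseSignatureAndHashAlgorithm(ProvTlsClient.this.context, ProvTlsClient.this.supportedSignatureAlgorithms, TlsUtils1.getSignatureAlgorithmClient(certificateMessage.getCertificateAt(0).getClientCertificateType()));
                if (crypto instanceof JcaTlsCrypto) {
                    return new JcaDefaultTlsCredentialedSigner(new TlsCryptoParameters(ProvTlsClient.this.context), (JcaTlsCrypto) crypto, privateKey, certificateMessage, chooseSignatureAndHashAlgorithm2);
                }
                if (!(privateKey instanceof BCRSAPrivateCrtKey)) {
                    // NOTE(review): the (AsymmetricKeyParameter) cast on a java.security.PrivateKey
                    // is probably a decompiler type-inference artefact; as written it fails at run
                    // time for ordinary key objects — confirm against the original.
                    return z ? new BcExternalTlsCredentialedSigner(new TlsCryptoParameters(ProvTlsClient.this.context), (BcTlsCrypto) crypto, ((ProvX509KeyManagerExternal) keyManager).getExternalCredentialedProvider(), certificateMessage, chooseSignatureAndHashAlgorithm2) : new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(ProvTlsClient.this.context), (BcTlsCrypto) crypto, (AsymmetricKeyParameter) privateKey, certificateMessage, chooseSignatureAndHashAlgorithm2);
                }
                // RSA CRT key: copy its components into the lightweight-API parameter object.
                BCRSAPrivateCrtKey bCRSAPrivateCrtKey = (BCRSAPrivateCrtKey) privateKey;
                return new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(ProvTlsClient.this.context), (BcTlsCrypto) crypto, new RSAPrivateCrtKeyParameters(bCRSAPrivateCrtKey.getModulus(), bCRSAPrivateCrtKey.getPublicExponent(), bCRSAPrivateCrtKey.getPrivateExponent(), bCRSAPrivateCrtKey.getPrimeP(), bCRSAPrivateCrtKey.getPrimeQ(), bCRSAPrivateCrtKey.getPrimeExponentP(), bCRSAPrivateCrtKey.getPrimeExponentQ(), bCRSAPrivateCrtKey.getCrtCoefficient()), certificateMessage, chooseSignatureAndHashAlgorithm2);
            }

            /**
             * Validates the server's certificate chain. A missing or empty chain aborts with
             * alert 40 (handshake_failure); a chain the manager does not trust aborts with
             * alert 42 (bad_certificate).
             *
             * <p>The whole trust decision is delegated to {@code manager.isServerTrusted}.
             * Whether that call also checks the peer host name against the certificate is not
             * visible in this class — verify it there before assuming endpoint identification.
             *
             * @param tlsServerCertificate the certificate message received from the server
             * @throws IOException a TlsFatalAlert as described above
             */
            @Override // cn.com.bouncycastle.tls.TlsAuthentication
            public void notifyServerCertificate(TlsServerCertificate tlsServerCertificate) throws IOException {
                if (tlsServerCertificate == null || tlsServerCertificate.getCertificate() == null || tlsServerCertificate.getCertificate().isEmpty()) {
                    throw new TlsFatalAlert((short) 40);
                }
                if (!ProvTlsClient.this.manager.isServerTrusted(JsseUtils.getX509CertificateChain(ProvTlsClient.this.manager.getContextData().getCrypto(), tlsServerCertificate.getCertificate()), JsseUtils.getAuthTypeServer(TlsUtils1.getKeyExchangeAlgorithm(ProvTlsClient.this.selectedCipherSuite)))) {
                    throw new TlsFatalAlert((short) 42);
                }
            }
        };
    }

    /**
     * Returns null, i.e. no certificate status request is offered.
     *
     * <p>NOTE(review): presumably this means the client never asks for a stapled OCSP response,
     * so any revocation checking has to happen inside the trust manager — confirm.
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient
    public CertificateStatusRequest getCertificateStatusRequest() {
        return null;
    }

    /**
     * Returns the cipher suites to offer: the suites enabled in the SSL parameters, converted to
     * their numeric form and filtered to those the crypto implementation supports.
     */
    @Override // cn.com.bouncycastle.tls.DefaultTlsClient, cn.com.bouncycastle.tls.TlsClient
    public int[] getCipherSuites() {
        return TlsUtils1.getSupportedCipherSuites(this.manager.getContextData().getCrypto(), this.manager.getContext().convertCipherSuites(this.sslParameters.getCipherSuites()));
    }

    /** Returns the highest protocol version among the enabled protocols. */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public ProtocolVersion getClientVersion() {
        return this.manager.getContext().getMaximumVersion(this.sslParameters.getProtocols());
    }

    /**
     * Returns the compression methods to offer. In FIPS mode only method 0 (no compression) is
     * offered; otherwise the superclass decides.
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public short[] getCompressionMethods() {
        return this.manager.getContext().isFips() ? new short[]{0} : super.getCompressionMethods();
    }

    /** Returns the lowest protocol version among the enabled protocols. */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient
    public ProtocolVersion getMinimumVersion() {
        return this.manager.getContext().getMinimumVersion(this.sslParameters.getProtocols());
    }

    /**
     * Builds the server_name (SNI) entries to send.
     *
     * <p>When no names are configured, the peer host is used if it contains a dot after its first
     * character and is not an IP address literal. Configured names are used only when their type
     * is 0 (host_name), decoded as ASCII.
     *
     * @return a Vector of ServerName entries, or null when SNI is disabled or nothing qualifies
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient
    public Vector getSNIServerNames() {
        if (!provEnableSNIExtension) {
            return null;
        }
        List<BCSNIServerName> serverNames = this.manager.getProvSSLParameters().getServerNames();
        if (serverNames == null) {
            String peerHost = this.manager.getPeerHost();
            if (peerHost == null || peerHost.indexOf('.') <= 0 || IPAddress.isValid(peerHost)) {
                return null;
            }
            Vector vector = new Vector(1);
            vector.addElement(new ServerName((short) 0, peerHost));
            return vector;
        }
        Vector vector2 = new Vector(serverNames.size());
        for (BCSNIServerName bCSNIServerName : serverNames) {
            if (bCSNIServerName.getType() == 0) {
                try {
                    vector2.addElement(new ServerName((short) bCSNIServerName.getType(), new String(bCSNIServerName.getEncoded(), "ASCII")));
                } catch (UnsupportedEncodingException e2) {
                    // Best effort: skip the name that cannot be decoded and keep the others.
                    LOG.log(Level.WARNING, "Unable to include SNI server name", (Throwable) e2);
                }
            }
        }
        if (vector2.isEmpty()) {
            return null;
        }
        return vector2;
    }

    /**
     * Looks up a cached session for the peer host and port and offers it for resumption. The
     * lookup result is stored in {@link #sslSession} as a side effect.
     *
     * @return the session to resume, or null to start a full handshake
     * @throws IllegalStateException if nothing can be resumed and session creation is disabled
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public TlsSession getSessionToResume() {
        TlsSession tlsSession;
        ProvSSLSessionImpl sessionImpl = this.manager.getContextData().getClientSessionContext().getSessionImpl(this.manager.getPeerHost(), this.manager.getPeerPort());
        this.sslSession = sessionImpl;
        if (sessionImpl != null && (tlsSession = sessionImpl.getTlsSession()) != null) {
            return tlsSession;
        }
        if (this.manager.getEnableSessionCreation()) {
            return null;
        }
        throw new IllegalStateException("No resumable sessions and session creation is disabled");
    }

    /** Returns the named groups to offer, taking the context's FIPS mode into account. */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient
    public Vector getSupportedGroups(boolean z, boolean z2) {
        return SupportedGroups.getClientSupportedGroups(this.manager.getContext().isFips(), z, z2);
    }

    /** Returns the signature algorithms supported by this client's crypto implementation. */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient
    public Vector getSupportedSignatureAlgorithms() {
        return JsseUtils.getSupportedSignatureAlgorithms(getCrypto());
    }

    /** Returns whether {@link #notifyHandshakeComplete()} has run, read under the instance lock. */
    @Override // cn.com.bouncycastle.jsse.provider.ProvTlsPeer
    public synchronized boolean isHandshakeComplete() {
        return this.handshakeComplete;
    }

    /**
     * Logs an alert raised by this client. Level-1 (warning) alerts are logged at FINE,
     * description 80 (internal_error) at WARNING, everything else at INFO.
     *
     * @param s alert level
     * @param s2 alert description
     * @param str optional detail message, appended to the log line when present
     * @param th optional cause, attached to the log record
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsPeer, cn.com.bouncycastle.tls.TlsPeer
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        super.notifyAlertRaised(s, s2, str, th);
        Level level = s == 1 ? Level.FINE : s2 == 80 ? Level.WARNING : Level.INFO;
        if (LOG.isLoggable(level)) {
            String alertLogMessage = JsseUtils.getAlertLogMessage("Client raised", s, s2);
            if (str != null) {
                alertLogMessage = alertLogMessage + ": " + str;
            }
            LOG.log(level, alertLogMessage, th);
        }
    }

    /**
     * Logs an alert received from the server: level-1 (warning) alerts at FINE, others at INFO.
     *
     * @param s alert level
     * @param s2 alert description
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsPeer, cn.com.bouncycastle.tls.TlsPeer
    public void notifyAlertReceived(short s, short s2) {
        super.notifyAlertReceived(s, s2);
        Level level = s == 1 ? Level.FINE : Level.INFO;
        if (LOG.isLoggable(level)) {
            LOG.log(level, JsseUtils.getAlertLogMessage("Client received", s, s2));
        }
    }

    /**
     * Marks the handshake complete, registers the negotiated session with the client session
     * context unless it is the one that was offered for resumption, copies any pending
     * server-extension values onto the session, and notifies the manager.
     *
     * <p>The two stored values originate from the server's extensions and are kept as opaque
     * objects; consumers should treat them as server-asserted data.
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsPeer, cn.com.bouncycastle.tls.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        this.handshakeComplete = true;
        TlsSession session = this.context.getSession();
        ProvSSLSessionImpl provSSLSessionImpl = this.sslSession;
        if (provSSLSessionImpl == null || provSSLSessionImpl.getTlsSession() != session) {
            this.sslSession = this.manager.getContextData().getClientSessionContext().reportSession(session, this.manager.getPeerHost(), this.manager.getPeerPort());
        }
        Object obj = this.ipv4Value;
        if (obj != null) {
            this.sslSession.putValue(INFOSEC_CLENTIP_IPV4, obj);
            this.ipv4Value = null;
        }
        Object obj2 = this.ipv6Value;
        if (obj2 != null) {
            this.sslSession.putValue(INFOSEC_CLENTIP_IPV6, obj2);
            this.ipv6Value = null;
        }
        this.manager.notifyHandshakeComplete(new ProvSSLConnection(this.context, this.sslSession));
    }

    /**
     * Reacts to the server's secure-renegotiation indication.
     *
     * <p>A server that did not signal secure renegotiation is rejected with alert 40
     * (handshake_failure) only when the system property
     * {@code sun.security.ssl.allowLegacyHelloMessages} is false. The property defaults to true
     * here, so such servers are accepted unless a deployment sets it to false explicitly.
     *
     * @param z whether the server signalled secure renegotiation
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsPeer, cn.com.bouncycastle.tls.TlsPeer
    public void notifySecureRenegotiation(boolean z) throws IOException {
        if (!z && !PropertyUtils.getBooleanSystemProperty("sun.security.ssl.allowLegacyHelloMessages", true)) {
            throw new TlsFatalAlert((short) 40);
        }
    }

    /**
     * Validates the cipher suite chosen by the server against the context before accepting it,
     * then logs the selection at FINE.
     *
     * @param i2 the selected cipher suite
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public void notifySelectedCipherSuite(int i2) {
        this.manager.getContext().validateNegotiatedCipherSuite(i2);
        super.notifySelectedCipherSuite(i2);
        LOG.fine("Client notified of selected cipher suite: " + this.manager.getContext().getCipherSuiteString(i2));
    }

    /**
     * Accepts the server's protocol version only if its name is among the enabled protocols;
     * otherwise aborts with alert 70 (protocol_version).
     *
     * @param protocolVersion the version selected by the server
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public void notifyServerVersion(ProtocolVersion protocolVersion) throws IOException {
        String protocolString = this.manager.getContext().getProtocolString(protocolVersion);
        if (protocolString != null) {
            for (String str : this.sslParameters.getProtocols()) {
                if (protocolString.equals(str)) {
                    LOG.fine("Client notified of selected protocol version: " + protocolString);
                    return;
                }
            }
        }
        throw new TlsFatalAlert((short) 70);
    }

    /**
     * Records the session ID chosen by the server and logs whether the offered session was
     * resumed or a new one was started.
     *
     * @param bArr the session ID from the server; may be null or empty
     * @throws IllegalStateException if the server started a new session while session creation
     *     is disabled
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public void notifySessionID(byte[] bArr) {
        super.notifySessionID(bArr);
        if (bArr == null || bArr.length == 0) {
            LOG.fine("Server did not specify a session ID");
            return;
        }
        ProvSSLSessionImpl provSSLSessionImpl = this.sslSession;
        if (provSSLSessionImpl != null && Arrays.areEqual(bArr, provSSLSessionImpl.getId())) {
            LOG.fine("Server resumed session: " + Hex.toHexString(bArr));
            return;
        }
        if (!this.manager.getEnableSessionCreation()) {
            throw new IllegalStateException("Server did not resume session and session creation is disabled");
        }
        LOG.fine("Server specified new session: " + Hex.toHexString(bArr));
    }

    /**
     * Lets the superclass process the server's extensions, then remembers the two values stored
     * under the INFOSEC keys until the handshake completes.
     *
     * @param hashtable the server's extensions; may be null
     */
    @Override // cn.com.bouncycastle.tls.AbstractTlsClient, cn.com.bouncycastle.tls.TlsClient
    public void processServerExtensions(Hashtable hashtable) throws IOException {
        super.processServerExtensions(hashtable);
        if (hashtable != null) {
            this.ipv4Value = hashtable.get(INFOSEC_CLENTIP_IPV4);
            this.ipv6Value = hashtable.get(INFOSEC_CLENTIP_IPV6);
        }
    }
}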
