package org.bouncycastle.jsse.provider;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jsse.BCSNIHostName;
import org.bouncycastle.jsse.BCSNIServerName;
import org.bouncycastle.jsse.BCX509Key;
import org.bouncycastle.tls.CertificateRequest;
import org.bouncycastle.tls.CertificateStatusRequest;
import org.bouncycastle.tls.CertificateStatusRequestItemV2;
import org.bouncycastle.tls.DefaultTlsClient;
import org.bouncycastle.tls.OCSPStatusRequest;
import org.bouncycastle.tls.ProtocolName;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.SecurityParameters;
import org.bouncycastle.tls.ServerName;
import org.bouncycastle.tls.SessionParameters;
import org.bouncycastle.tls.SignatureAlgorithm;
import org.bouncycastle.tls.SignatureAndHashAlgorithm;
import org.bouncycastle.tls.TlsAuthentication;
import org.bouncycastle.tls.TlsCredentials;
import org.bouncycastle.tls.TlsDHGroupVerifier;
import org.bouncycastle.tls.TlsExtensionsUtils;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsServerCertificate;
import org.bouncycastle.tls.TlsSession;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.TrustedAuthority;
import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.IPAddress;
import org.bouncycastle.util.encoders.Hex;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
/**
 * TLS client callback implementation of the BouncyCastle JSSE provider (decompiled; identifiers
 * such as {@code hVO}, {@code hUE}, {@code hVp}, {@code y} and {@code af} are obfuscated).
 *
 * <p>As far as this file shows, the class extends {@link DefaultTlsClient} and is responsible for:
 * <ul>
 *   <li>choosing which ClientHello extensions are offered (CA list, OCSP status request,
 *       trusted_ca_keys, SNI, ALPN), gated by the system-property flags below;</li>
 *   <li>selecting client credentials for a CertificateRequest (TLS 1.3, TLS 1.2 and older);</li>
 *   <li>handing the server certificate chain to {@code hVO.checkServerTrusted};</li>
 *   <li>deciding whether a cached session may be resumed and recording the session that results
 *       from the handshake.</li>
 * </ul>
 *
 * <p>Security-relevant decisions made here are marked with {@code NOTE(review)} comments. Claims
 * about obfuscated helpers are hedged where the helper body is not visible in this file.
 */
public class bd extends DefaultTlsClient implements bg {
    // Logger named after this class; all diagnostics below go through it.
    private static final Logger hIJ = Logger.getLogger(bd.class.getName());
    // The five flags below are read once at class load. af.q presumably reads a boolean property
    // with the given default - confirm in af.
    // Gates getCertificateAuthorities(); default false.
    private static final boolean hVJ = af.q("jdk.tls.client.enableCAExtension", false);
    // Gates session resumption in getSessionToResume() and notifyHandshakeComplete(); default true.
    private static final boolean hVK = af.q("org.bouncycastle.jsse.client.enableSessionResumption", true);
    // Gates the OCSP status_request / status_request_v2 offers; default true.
    private static final boolean hVL = af.q("jdk.tls.client.enableStatusRequestExtension", true);
    // Gates getTrustedCAIndication(); default false.
    private static final boolean hVM = af.q("org.bouncycastle.jsse.client.enableTrustedCAKeysExtension", false);
    // Gates getSNIServerNames(); default true.
    private static final boolean hVN = af.q("jsse.enableSNIExtension", true);
    // Per-connection parameters: endpoint identification algorithm, ALPN protocols and SNI names
    // are read from it below.
    protected final ap hUE;
    // Owning manager: supplies the context (aUe), peer host/port, key selection and
    // checkServerTrusted.
    protected final bf hVO;
    // Session being resumed or created by this handshake; null until one is chosen.
    protected as hVP;
    // Set to true in notifyHandshakeComplete(); read through aUI().
    protected boolean hVQ;
    // Holder for per-handshake negotiated state (fields hTb, hTc, hTd, hTe, hTf, hTg).
    protected final w hVp;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the client for one connection.
     *
     * @param bfVar manager whose context provides the crypto implementation passed to the superclass
     * @param apVar connection parameters; {@code apVar.aUi()} is stored (presumably a copy - confirm)
     */
    public bd(bf bfVar, ap apVar) {
        super(bfVar.aUe().aTl());
        this.hVp = new w();
        this.hVP = null;
        this.hVQ = false;
        this.hVO = bfVar;
        this.hUE = apVar.aUi();
    }

    /**
     * Logs, at FINER, every candidate signature scheme that precedes the selected key type.
     *
     * <p>Iteration stops at the first entry whose key equals {@code str}. With {@code str == null}
     * no key matches, so every entry is logged.
     *
     * @param linkedHashMap candidate schemes keyed by key type, in insertion order
     * @param str the key type that was selected, or null when nothing was selected
     */
    private void a(LinkedHashMap<String, bt> linkedHashMap, String str) {
        for (Map.Entry<String, bt> entry : linkedHashMap.entrySet()) {
            String key = entry.getKey();
            if (key.equals(str)) {
                return;
            }
            Logger logger = hIJ;
            if (logger.isLoggable(Level.FINER)) {
                logger.finer("Client found no credentials for signature scheme '" + entry.getValue() + "' (keyType '" + key + "')");
            }
        }
    }

    /**
     * Decides whether a cached session may be offered for resumption.
     *
     * <p>Returns null (no resumption) unless the session is non-null and resumable, its exported
     * parameters are available, its negotiated version and cipher suite are still among the ones
     * this client offers, and the version is not TLS 1.3.
     *
     * @param asVar the cached session wrapper, source of the stored endpoint-ID algorithm
     * @param tlsSession the underlying TLS session
     * @return the session parameters to resume with, or null
     */
    protected SessionParameters a(as asVar, TlsSession tlsSession) {
        SessionParameters exportSessionParameters;
        if (tlsSession == null || !tlsSession.isResumable() || (exportSessionParameters = tlsSession.exportSessionParameters()) == null || !ProtocolVersion.contains(getProtocolVersions(), exportSessionParameters.getNegotiatedVersion()) || !Arrays.contains(getCipherSuites(), exportSessionParameters.getCipherSuite()) || TlsUtils.isTLSv13(exportSessionParameters.getNegotiatedVersion())) {
            return null;
        }
        // NOTE(review): a session is only resumed when it was established under the same
        // endpoint identification algorithm this connection asks for (case-insensitive). This
        // keeps a session created without that check from being reused where the check is
        // required. When the connection sets no algorithm, no comparison is made.
        String endpointIdentificationAlgorithm = this.hUE.getEndpointIdentificationAlgorithm();
        if (endpointIdentificationAlgorithm != null) {
            String aTD = asVar.aUr().aTD();
            if (!endpointIdentificationAlgorithm.equalsIgnoreCase(aTD)) {
                hIJ.finer("Session not resumable - endpoint ID algorithm mismatch; connection: " + endpointIdentificationAlgorithm + ", session: " + aTD);
                return null;
            }
        }
        return exportSessionParameters;
    }

    /**
     * Selects client credentials for a TLS 1.3 CertificateRequest.
     *
     * @param principalArr acceptable issuers taken from the CertificateRequest
     * @param bArr the certificate_request_context, passed through to the credentials
     * @return the credentials, or null when no usable scheme or key was found
     * @throws IOException a {@link TlsFatalAlert} with description 80 (internal_error) when the
     *     key manager returns a key type that was not among the offered ones
     */
    protected TlsCredentials a(Principal[] principalArr, byte[] bArr) throws IOException {
        Logger logger;
        String str;
        // Insertion order follows the peer's scheme list (hTe); the first scheme seen per key
        // type is kept.
        LinkedHashMap<String, bt> linkedHashMap = new LinkedHashMap<>();
        for (bt btVar : this.hVp.hTe) {
            // Keep only schemes that pass aTS() (presumably "usable in TLS 1.3" - confirm in bt)
            // and that are also in the local list hTc.
            if (btVar.aTS() && this.hVp.hTc.contains(btVar)) {
                String aUZ = btVar.aUZ();
                if (!linkedHashMap.containsKey(aUZ)) {
                    linkedHashMap.put(aUZ, btVar);
                }
            }
        }
        if (linkedHashMap.isEmpty()) {
            logger = hIJ;
            str = "Client (1.3) found no usable signature schemes";
        } else {
            BCX509Key a = this.hVO.a((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
            if (a != null) {
                String keyType = a.getKeyType();
                a(linkedHashMap, keyType);
                bt btVar2 = linkedHashMap.get(keyType);
                if (btVar2 == null) {
                    // The key manager answered with a key type that was never offered to it.
                    throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
                }
                Logger logger2 = hIJ;
                if (logger2.isLoggable(Level.FINE)) {
                    // The message reports the private key's algorithm (via y.c), not key material.
                    logger2.fine("Client (1.3) selected credentials for signature scheme '" + btVar2 + "' (keyType '" + keyType + "'), with private key algorithm '" + y.c(a.getPrivateKey()) + "'");
                }
                return y.a(this.context, getCrypto(), a, btVar2.getSignatureAndHashAlgorithm(), bArr);
            }
            // No key chosen: log every candidate scheme as having no credentials.
            a(linkedHashMap, (String) null);
            logger = hIJ;
            str = "Client (1.3) did not select any credentials";
        }
        logger.fine(str);
        return null;
    }

    /**
     * Selects client credentials for a TLS 1.2 CertificateRequest.
     *
     * @param principalArr acceptable issuers taken from the CertificateRequest
     * @param sArr the ClientCertificateType values the server accepts
     * @return the credentials, or null when no usable scheme or key was found
     * @throws IOException a {@link TlsFatalAlert} with description 80 (internal_error) when the
     *     key manager returns a key type that was not among the offered ones
     */
    protected TlsCredentials a(Principal[] principalArr, short[] sArr) throws IOException {
        Logger logger;
        String str;
        short clientCertificateType;
        // First scheme per key type wins, in the order of the peer's list (hTe).
        LinkedHashMap<String, bt> linkedHashMap = new LinkedHashMap<>();
        for (bt btVar : this.hVp.hTe) {
            String keyType = btVar.getKeyType();
            // A scheme qualifies when its signature algorithm maps to a certificate type the
            // server listed and the scheme is also in the local list hTc.
            if (!linkedHashMap.containsKey(keyType) && (clientCertificateType = SignatureAlgorithm.getClientCertificateType(btVar.getSignatureAlgorithm())) >= 0 && Arrays.contains(sArr, clientCertificateType) && this.hVp.hTc.contains(btVar)) {
                linkedHashMap.put(keyType, btVar);
            }
        }
        if (linkedHashMap.isEmpty()) {
            logger = hIJ;
            str = "Client (1.2) found no usable signature schemes";
        } else {
            BCX509Key a = this.hVO.a((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
            if (a != null) {
                String keyType2 = a.getKeyType();
                a(linkedHashMap, keyType2);
                bt btVar2 = linkedHashMap.get(keyType2);
                if (btVar2 == null) {
                    // The key manager answered with a key type that was never offered to it.
                    throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
                }
                Logger logger2 = hIJ;
                if (logger2.isLoggable(Level.FINE)) {
                    // The message reports the private key's algorithm (via y.c), not key material.
                    logger2.fine("Client (1.2) selected credentials for signature scheme '" + btVar2 + "' (keyType '" + keyType2 + "'), with private key algorithm '" + y.c(a.getPrivateKey()) + "'");
                }
                return y.a(this.context, getCrypto(), a, btVar2.getSignatureAndHashAlgorithm());
            }
            // No key chosen: log every candidate scheme as having no credentials.
            a(linkedHashMap, (String) null);
            logger = hIJ;
            str = "Client (1.2) did not select any credentials";
        }
        logger.fine(str);
        return null;
    }

    /** Returns the crypto implementation held by the manager's context. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    /* renamed from: aTl, reason: merged with bridge method [inline-methods] */
    public JcaTlsCrypto getCrypto() {
        return this.hVO.aUe().aTl();
    }

    /** Returns whether notifyHandshakeComplete() has run; synchronized with that method. */
    @Override // org.bouncycastle.jsse.provider.bg
    public synchronized boolean aUI() {
        return this.hVQ;
    }

    /** Delegates the legacy-resumption policy to {@code y.allowLegacyResumption()}. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean allowLegacyResumption() {
        return y.allowLegacyResumption();
    }

    /**
     * Selects client credentials when the negotiated version does not allow the
     * signature_algorithms extension (see the dispatch in getClientCredentials).
     *
     * @param principalArr acceptable issuers taken from the CertificateRequest
     * @param sArr the ClientCertificateType values the server accepts
     * @return the credentials (built with a null signature-and-hash algorithm), or null when
     *     there are no certificate types or the key manager selects no key
     */
    protected TlsCredentials b(Principal[] principalArr, short[] sArr) throws IOException {
        BCX509Key a;
        String[] c = c(sArr);
        if (c.length >= 1 && (a = this.hVO.a(c, principalArr)) != null) {
            return y.a(this.context, getCrypto(), a, null);
        }
        return null;
    }

    /**
     * Maps each ClientCertificateType value to a key type string via {@code y.d}, keeping order.
     *
     * @param sArr certificate types from the CertificateRequest
     * @return an array of the same length holding the mapped names
     */
    protected String[] c(short[] sArr) throws IOException {
        String[] strArr = new String[sArr.length];
        for (int i = 0; i < sArr.length; i++) {
            strArr[i] = y.d(sArr[i]);
        }
        return strArr;
    }

    /**
     * Returns the authentication callbacks for this handshake: client credential selection and
     * the server certificate hand-off to the manager's trust check.
     */
    @Override // org.bouncycastle.tls.TlsClient
    public TlsAuthentication getAuthentication() throws IOException {
        return new TlsAuthentication() { // from class: org.bouncycastle.jsse.provider.bd.1
            /**
             * Records the peer's signature algorithm lists and dispatches to the credential
             * selector that matches the negotiated protocol version.
             */
            @Override // org.bouncycastle.tls.TlsAuthentication
            public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
                d aUe = bd.this.hVO.aUe();
                SecurityParameters securityParametersHandshake = bd.this.context.getSecurityParametersHandshake();
                ProtocolVersion negotiatedVersion = securityParametersHandshake.getNegotiatedVersion();
                boolean isTLSv13 = TlsUtils.isTLSv13(negotiatedVersion);
                Vector serverSigAlgs = securityParametersHandshake.getServerSigAlgs();
                Vector serverSigAlgsCert = securityParametersHandshake.getServerSigAlgsCert();
                // hTe: peer signature_algorithms; hTf: peer signature_algorithms_cert. The same
                // converted list is shared when both refer to the same Vector instance.
                bd.this.hVp.hTe = aUe.e(serverSigAlgs);
                bd.this.hVp.hTf = serverSigAlgs == serverSigAlgsCert ? bd.this.hVp.hTe : aUe.e(serverSigAlgsCert);
                if (bd.hIJ.isLoggable(Level.FINEST)) {
                    bd.hIJ.finest(y.i("Peer signature_algorithms", bd.this.hVp.hTe));
                    if (bd.this.hVp.hTf != bd.this.hVp.hTe) {
                        bd.hIJ.finest(y.i("Peer signature_algorithms_cert", bd.this.hVp.hTf));
                    }
                }
                // NOTE(review): presumably g.hSQ is a "no key manager" sentinel, in which case
                // no client certificate is offered - confirm in g.
                if (g.hSQ == aUe.aTo()) {
                    return null;
                }
                X500Principal[] h = y.h(certificateRequest.getCertificateAuthorities());
                byte[] certificateRequestContext = certificateRequest.getCertificateRequestContext();
                // A request context must be present exactly when TLS 1.3 was negotiated;
                // otherwise fail with alert 80 (internal_error).
                if (isTLSv13 != (certificateRequestContext != null)) {
                    throw new TlsFatalAlert((short) 80);
                }
                short[] certificateTypes = certificateRequest.getCertificateTypes();
                // Certificate types must be absent exactly when TLS 1.3 was negotiated.
                if (isTLSv13 == (certificateTypes == null)) {
                    // TLS 1.3 -> a(Principal[], byte[]); versions that allow signature_algorithms
                    // -> a(Principal[], short[]); older versions -> b(...). The casts pick the overload.
                    return isTLSv13 ? bd.this.a((Principal[]) h, certificateRequestContext) : TlsUtils.isSignatureAlgorithmsExtensionAllowed(negotiatedVersion) ? bd.this.a(h, certificateTypes) : bd.this.b(h, certificateTypes);
                }
                throw new TlsFatalAlert((short) 80);
            }

            /**
             * Rejects a missing or empty server certificate chain and passes the chain to the
             * manager's trust check.
             */
            @Override // org.bouncycastle.tls.TlsAuthentication
            public void notifyServerCertificate(TlsServerCertificate tlsServerCertificate) throws IOException {
                // 40 = handshake_failure alert.
                if (tlsServerCertificate == null || tlsServerCertificate.getCertificate() == null || tlsServerCertificate.getCertificate().isEmpty()) {
                    throw new TlsFatalAlert((short) 40);
                }
                X509Certificate[] a = y.a(bd.this.getCrypto(), tlsServerCertificate.getCertificate());
                // Auth type string derived from the negotiated key exchange algorithm.
                String qA = y.qA(bd.this.context.getSecurityParametersHandshake().getKeyExchangeAlgorithm());
                // The certificate status from the server is stored in hTg before the trust check runs.
                bd.this.hVp.hTg = y.a(tlsServerCertificate.getCertificateStatus());
                // NOTE(review): chain validation and any endpoint identification are delegated
                // entirely to hVO.checkServerTrusted; this method only rejects an empty chain.
                bd.this.hVO.checkServerTrusted(a, qA);
            }
        };
    }

    /**
     * Returns the CA names to offer in the ClientHello, or null when
     * {@code jdk.tls.client.enableCAExtension} is off (the default).
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<X500Name> getCertificateAuthorities() {
        if (hVJ) {
            return y.a(this.hVO.aUe().aTp());
        }
        return null;
    }

    /**
     * Returns the status_request offer, or null when
     * {@code jdk.tls.client.enableStatusRequestExtension} is off.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected CertificateStatusRequest getCertificateStatusRequest() {
        if (hVL) {
            // Status type 1 = ocsp; the request carries a null responder list and null extensions.
            // NOTE(review): this only asks for a stapled response. How the status stored in hTg
            // is used is not visible in this file.
            return new CertificateStatusRequest((short) 1, new OCSPStatusRequest(null, null));
        }
        return null;
    }

    /** Returns a new {@code aj} as the verifier for server-supplied DH groups. */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public TlsDHGroupVerifier getDHGroupVerifier() {
        return new aj();
    }

    /** Delegates the certificate chain length limit to {@code y}. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxCertificateChainLength() {
        return y.getMaxCertificateChainLength();
    }

    /** Delegates the handshake message size limit to {@code y}. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxHandshakeMessageSize() {
        return y.getMaxHandshakeMessageSize();
    }

    /**
     * Returns the status_request_v2 offer, or null when
     * {@code jdk.tls.client.enableStatusRequestExtension} is off.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<CertificateStatusRequestItemV2> getMultiCertStatusRequest() {
        if (!hVL) {
            return null;
        }
        OCSPStatusRequest oCSPStatusRequest = new OCSPStatusRequest(null, null);
        Vector<CertificateStatusRequestItemV2> vector = new Vector<>(2);
        // Status type 2 = ocsp_multi is offered first, then 1 = ocsp; both share one empty request.
        vector.add(new CertificateStatusRequestItemV2((short) 2, oCSPStatusRequest));
        vector.add(new CertificateStatusRequestItemV2((short) 1, oCSPStatusRequest));
        return vector;
    }

    /** Returns the ALPN protocol names built from the connection's application protocols. */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<ProtocolName> getProtocolNames() {
        return y.r(this.hUE.getApplicationProtocols());
    }

    /**
     * Returns the SNI names to send, or null when {@code jsse.enableSNIExtension} is off or no
     * name is available.
     *
     * <p>Names configured on the connection take precedence. Otherwise the value of
     * {@code hVO.aUf()} is used as a default host_name, but only when it contains a '.' after
     * its first character and is not an IP address literal.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<ServerName> getSNIServerNames() {
        String aUf;
        if (!hVN) {
            return null;
        }
        List<BCSNIServerName> serverNames = this.hUE.getServerNames();
        // 46 is '.'; indexOf(46) > 0 rejects names without a dot or with a leading dot.
        if (serverNames == null && (aUf = this.hVO.aUf()) != null && aUf.indexOf(46) > 0 && !IPAddress.isValid(aUf)) {
            try {
                serverNames = Collections.singletonList(new BCSNIHostName(aUf));
            } catch (RuntimeException unused) {
                // Best effort: a host name the BCSNIHostName constructor rejects is logged and
                // the handshake proceeds without SNI.
                hIJ.fine("Failed to add peer host as default SNI host_name: " + aUf);
            }
        }
        if (serverNames == null || serverNames.isEmpty()) {
            return null;
        }
        Vector<ServerName> vector = new Vector<>(serverNames.size());
        for (BCSNIServerName bCSNIServerName : serverNames) {
            vector.add(new ServerName((short) bCSNIServerName.getType(), bCSNIServerName.getEncoded()));
        }
        return vector;
    }

    /**
     * Picks a cached session to offer for resumption, or returns null.
     *
     * <p>Resumption is attempted only when
     * {@code org.bouncycastle.jsse.client.enableSessionResumption} is on. The candidate comes
     * from the connection parameters first, otherwise from a lookup by peer host and port.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public TlsSession getSessionToResume() {
        TlsSession aUv;
        SessionParameters a;
        if (hVK) {
            as aUn = this.hUE.aUn();
            if (aUn == null) {
                aUn = this.hVO.aUe().aTm().S(this.hVO.getPeerHost(), this.hVO.getPeerPort());
            }
            // a(as, TlsSession) applies the version, cipher suite and endpoint-ID checks.
            if (aUn != null && (a = a(aUn, (aUv = aUn.aUv()))) != null) {
                this.hVP = aUn;
                if (!this.hVO.getEnableSessionCreation()) {
                    // With session creation disabled, only the resumed session's cipher suite
                    // is offered.
                    this.cipherSuites = new int[]{a.getCipherSuite()};
                }
                return aUv;
            }
        }
        // NOTE(review): presumably y.a(hVO) enforces the "session creation enabled" setting when
        // a fresh session would be needed - confirm in y.
        y.a(this.hVO);
        return null;
    }

    /** Returns the cipher suites derived from the connection parameters and protocol versions. */
    @Override // org.bouncycastle.tls.DefaultTlsClient, org.bouncycastle.tls.AbstractTlsPeer
    protected int[] getSupportedCipherSuites() {
        return this.hVO.aUe().aTk().a(getCrypto(), this.hUE, getProtocolVersions());
    }

    /**
     * Returns the supported groups built from {@code hVp.hTb}; the {@code vector} argument is
     * not used.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<Integer> getSupportedGroups(Vector vector) {
        return ad.c(this.hVp.hTb);
    }

    /**
     * Computes the local signature scheme list, stores it in both {@code hTc} and {@code hTd},
     * and returns it in the form used for the signature_algorithms extension.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<SignatureAndHashAlgorithm> getSupportedSignatureAlgorithms() {
        List<bt> a = this.hVO.aUe().a(false, this.hUE, getProtocolVersions(), this.hVp.hTb);
        this.hVp.hTc = a;
        this.hVp.hTd = a;
        return bt.cr(this.hVp.hTc);
    }

    /** Returns null: no separate signature_algorithms_cert list is offered. */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<SignatureAndHashAlgorithm> getSupportedSignatureAlgorithmsCert() {
        return null;
    }

    /** Returns the protocol versions derived from the connection parameters. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer
    protected ProtocolVersion[] getSupportedVersions() {
        return this.hVO.aUe().aTk().a(this.hUE);
    }

    /**
     * Returns the trusted_ca_keys entries, or null when
     * {@code org.bouncycastle.jsse.client.enableTrustedCAKeysExtension} is off (the default) or
     * no CA names are available.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient
    protected Vector<TrustedAuthority> getTrustedCAIndication() {
        Vector<X500Name> a;
        if (!hVM || (a = y.a(this.hVO.aUe().aTp())) == null) {
            return null;
        }
        Vector<TrustedAuthority> vector = new Vector<>(a.size());
        Iterator<X500Name> it = a.iterator();
        while (it.hasNext()) {
            // Identifier type 2 = x509_name: each CA is identified by its distinguished name.
            vector.add(new TrustedAuthority((short) 2, it.next()));
        }
        return vector;
    }

    /**
     * Logs an alert this client raised.
     *
     * <p>Alert level 1 (warning) is logged at FINE; description 80 (internal_error) at WARNING;
     * everything else at INFO.
     */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        super.notifyAlertRaised(s, s2, str, th);
        Level level = s == 1 ? Level.FINE : s2 == 80 ? Level.WARNING : Level.INFO;
        Logger logger = hIJ;
        if (logger.isLoggable(level)) {
            String a = y.a("Client raised", s, s2);
            if (str != null) {
                a = a + ": " + str;
            }
            logger.log(level, a, th);
        }
    }

    /** Logs an alert received from the server: level 1 (warning) at FINE, otherwise INFO. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertReceived(short s, short s2) {
        super.notifyAlertReceived(s, s2);
        Level level = s == 1 ? Level.FINE : Level.INFO;
        Logger logger = hIJ;
        if (logger.isLoggable(level)) {
            logger.log(level, y.a("Client received", s, s2));
        }
    }

    /**
     * Computes {@code hVp.hTb} from the connection parameters and protocol versions at the start
     * of the handshake; getSupportedGroups() and getSupportedSignatureAlgorithms() read it.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyHandshakeBeginning() throws IOException {
        super.notifyHandshakeBeginning();
        d aUe = this.hVO.aUe();
        ProtocolVersion[] protocolVersions = getProtocolVersions();
        this.hVp.hTb = aUe.a(this.hUE, protocolVersions);
    }

    /**
     * Marks the handshake complete, records the resulting session and reports the connection to
     * the manager.
     */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        boolean z = true;
        this.hVQ = true;
        TlsSession session = this.context.getSession();
        as asVar = this.hVP;
        // A new session record is created unless the handshake resumed the one already in hVP.
        if (asVar == null || asVar.aUv() != session) {
            au aTm = this.hVO.aUe().aTm();
            String peerHost = this.hVO.getPeerHost();
            int peerPort = this.hVO.getPeerPort();
            // The endpoint identification algorithm in force is stored with the session; the
            // resumption check in a(as, TlsSession) compares against it later.
            x xVar = new x(this.hUE.getEndpointIdentificationAlgorithm(), null);
            // The final flag is false when resumption is disabled or TLS 1.3 was negotiated
            // (presumably it controls whether the session is added to the cache - confirm in au).
            if (!hVK || TlsUtils.isTLSv13(this.context)) {
                z = false;
            }
            this.hVP = aTm.a(peerHost, peerPort, session, xVar, z);
        }
        this.hVO.a(new al(this.context, this.hVP));
    }

    /**
     * Enforces the secure renegotiation policy.
     *
     * <p>NOTE(review): {@code z} reports whether the server signalled secure renegotiation
     * support (RFC 5746). A server that did not is rejected with alert 40 (handshake_failure)
     * only when {@code sun.security.ssl.allowLegacyHelloMessages} is false. The default used
     * here is true, so such servers are accepted unless the property is set to false.
     */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifySecureRenegotiation(boolean z) throws IOException {
        if (!z && !af.q("sun.security.ssl.allowLegacyHelloMessages", true)) {
            throw new TlsFatalAlert((short) 40);
        }
    }

    /** Logs the cipher suite the server selected, then forwards to the superclass. */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public void notifySelectedCipherSuite(int i) {
        hIJ.fine("Client notified of selected cipher suite: " + this.hVO.aUe().aTk().a(this.hUE, i));
        super.notifySelectedCipherSuite(i);
    }

    /** Logs the protocol version the server selected, then forwards to the superclass. */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public void notifyServerVersion(ProtocolVersion protocolVersion) throws IOException {
        hIJ.fine("Client notified of selected protocol version: " + this.hVO.aUe().aTk().a(this.hUE, protocolVersion));
        super.notifyServerVersion(protocolVersion);
    }

    /**
     * Handles the session ID from the ServerHello.
     *
     * <p>The session counts as resumed only when the ID is non-empty and equals the ID of the
     * session offered in {@code hVP}. Otherwise {@code hVP} is cleared and a new session is
     * expected. The session ID is written to the log in hex at FINE.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public void notifySessionID(byte[] bArr) {
        as asVar;
        if ((TlsUtils.isNullOrEmpty(bArr) || (asVar = this.hVP) == null || !Arrays.areEqual(bArr, asVar.getId())) ? false : true) {
            hIJ.fine("Server resumed session: " + Hex.toHexString(bArr));
        } else {
            this.hVP = null;
            if (TlsUtils.isNullOrEmpty(bArr)) {
                hIJ.fine("Server did not specify a session ID");
            } else {
                hIJ.fine("Server specified new session: " + Hex.toHexString(bArr));
            }
            // NOTE(review): same helper as in getSessionToResume(); presumably rejects the
            // handshake when session creation is disabled - confirm in y.
            y.a(this.hVO);
        }
        // Hands the handshake security parameters, the negotiated state and the (possibly null)
        // resumed session to the manager.
        bf bfVar = this.hVO;
        bfVar.a(bfVar.aUe().aTm(), this.context.getSecurityParametersHandshake(), this.hVp, this.hVP);
    }

    /**
     * Forwards the resumption decision to the superclass; when no session is being resumed,
     * {@code y.a(hVO)} runs first.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public void notifySessionToResume(TlsSession tlsSession) {
        if (tlsSession == null) {
            y.a(this.hVO);
        }
        super.notifySessionToResume(tlsSession);
    }

    /**
     * Processes the server's extensions via the superclass and, when this client sent server
     * names, logs at FINER whether the server returned the server_name extension.
     */
    @Override // org.bouncycastle.tls.AbstractTlsClient, org.bouncycastle.tls.TlsClient
    public void processServerExtensions(Hashtable hashtable) throws IOException {
        super.processServerExtensions(hashtable);
        if (this.context.getSecurityParametersHandshake().getClientServerNames() != null) {
            hIJ.finer("Server accepted SNI?: " + TlsExtensionsUtils.hasServerNameExtensionServer(hashtable));
        }
    }

    /** Delegates the close_notify requirement to {@code y.aTG()}. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresCloseNotify() {
        return y.aTG();
    }

    /**
     * Returns the negation of {@code y.aTF()}.
     *
     * <p>NOTE(review): presumably aTF() is an "allow legacy master secret" setting, so extended
     * master secret is required unless that setting is enabled - confirm in y.
     */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresExtendedMasterSecret() {
        return !y.aTF();
    }

    /** Delegates to {@code y.aTH()} whether the extended_master_secret extension is offered. */
    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean shouldUseExtendedMasterSecret() {
        return y.aTH();
    }
}
