package ru.CryptoPro.ssl;

import com.google.android.material.internal.ViewUtils;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AlgorithmConstraints;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import ru.CryptoPro.ssl.util.KeyUtil;
import ru.CryptoPro.ssl.util.LegacyAlgorithmConstraints;
import ru.CryptoPro.ssl.util.ParamUtil;
import ru.CryptoPro.ssl.util.cpSSLConfig;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
public final class cl_99 extends cl_64 {
    // Ephemeral DH sizing settings, all derived once from the "jdk.tls.ephemeralDHKeySize"
    // system property in the static initializer and consumed by a(boolean, Key).
    // ae: set to true only in the initializer's "matched" branch.
    private static final boolean ae;
    // af: set to true only in the initializer's "legacy" branch.
    private static final boolean af;
    // ag: DH key size in bits parsed from the property (1024..2048), or -1 when not customised.
    private static final int ag;
    // Constraints built from LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS. b(cl_52) uses
    // them to defer (not discard) cipher suites for which permits(...) returns false.
    private static final AlgorithmConstraints ah = new LegacyAlgorithmConstraints(LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, new cl_92());
    // Not referenced by any method body that decompiled successfully in this listing.
    cl_109 R;
    // Client-authentication mode. 0: a client certificate chain is treated as unsolicited;
    // 1: an empty chain and alert 41 are tolerated; 2: anonymous key exchanges are skipped.
    // NOTE(review): presumably none / requested / required - confirm against the callers.
    private byte S;
    // Server certificate chain selected by a(String, boolean).
    private X509Certificate[] T;
    // Server private key selected by a(String, boolean).
    private PrivateKey U;
    // Public key of the first certificate in the client's chain, set in a(cl_49).
    private PublicKey V;
    // Kerberos credentials object obtained lazily by E().
    private Object W;
    // Set once a client chain has been accepted and cleared by a(cl_51); a(cl_56) raises a
    // handshake failure if it is still set when the client's Finished arrives.
    private boolean X;
    // Ephemeral key pair fetched by c(boolean): Y private half, Z public half.
    private PrivateKey Y;
    private PublicKey Z;
    // Built by a(boolean, Key) from the selected DH key size; used by a(cl_20).
    private cl_21 aa;
    // Built by C() or D(); used by a(cl_24).
    private cl_25 ab;
    // Passed to the key-exchange message constructors and to a(SecretKey, cl_84) in
    // a(byte, int); never assigned in the code visible here.
    private cl_84 ac;
    // Read by C() and a(String, boolean) to restrict elliptic-curve choice; null means
    // "no restriction from this object". Never assigned in the code visible here.
    private cl_26 ad;

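    // Reads "jdk.tls.ephemeralDHKeySize" once at class initialisation and derives the three
    // DH sizing settings from it:
    //   unset or empty -> af = false, ae = false, ag = -1
    //   "matched"      -> ae = true
    //   "legacy"       -> af = true
    //   anything else  -> ag = parsed value, which must lie within 1024..2048
    // An unparsable or out-of-range value throws IllegalArgumentException, which makes class
    // initialisation fail.
    //
    // NOTE(review): the decompiler output let the "matched" branch fall through to a trailing
    // `ae = false; ag = -1;`, assigning the final fields twice (which javac rejects) and
    // cancelling the mode it had just selected. Each final is now assigned exactly once.
    // Presumably this matches the original bytecode - confirm against the instruction dump.
    static {
        String str = (String) AccessController.doPrivileged(new ru.CryptoPro.ssl.pc_0.cl_1("jdk.tls.ephemeralDHKeySize"));
        boolean matched = false;
        boolean legacy = false;
        int customBits = -1;
        if (str == null || str.length() == 0) {
            // Property absent: keep the defaults above.
        } else if ("matched".equals(str)) {
            matched = true;
        } else if ("legacy".equals(str)) {
            legacy = true;
        } else {
            try {
                customBits = ParamUtil.parseUnsignedInt(str);
            } catch (NumberFormatException e) {
                // Keep the parse failure as the cause so the offending value can be diagnosed.
                throw new IllegalArgumentException("Invalid system property jdk.tls.ephemeralDHKeySize", e);
            }
            if (customBits < 1024 || customBits > 2048) {
                throw new IllegalArgumentException("Customized DH key size should be positive integer between 1024 and 2048 bits, inclusive");
            }
        }
        af = legacy;
        ae = matched;
        ag = customBits;
    }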

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the handshaker for an {@code SSLEngineImpl}.
     *
     * <p>The superclass receives {@code b != 0} as a boolean; the raw byte is kept in
     * {@code S} as the client-authentication mode.
     *
     * @param b client-authentication mode stored in {@code S}
     */
    public cl_99(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, cl_83 cl_83Var, byte b, cl_84 cl_84Var, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, cl_83Var, b != 0, false, cl_84Var, z, z2, bArr, bArr2);
        // No client key seen and no CertificateVerify pending at construction time.
        this.S = b;
        this.X = false;
        this.V = null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the handshaker for an {@code SSLSocketImpl}.
     *
     * <p>The superclass receives {@code b != 0} as a boolean; the raw byte is kept in
     * {@code S} as the client-authentication mode.
     *
     * @param b client-authentication mode stored in {@code S}
     */
    public cl_99(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, cl_83 cl_83Var, byte b, cl_84 cl_84Var, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, cl_83Var, b != 0, false, cl_84Var, z, z2, bArr, bArr2);
        // No client key seen and no CertificateVerify pending at construction time.
        this.S = b;
        this.X = false;
        this.V = null;
    }

    /**
     * Picks a curve identifier and builds {@code ab} from it.
     *
     * <p>When {@code ad} is set, the first of its identifiers accepted by
     * {@code cl_26.b(int)} is used; when {@code ad} is null, the first entry of
     * {@code cl_26.a.a()} is used.
     *
     * @return {@code false} when {@code ad} offers no accepted identifier (then {@code ab}
     *     is left untouched), {@code true} otherwise
     */
    private boolean C() {
        cl_26 offered = this.ad;
        int chosen;
        if (offered == null) {
            chosen = cl_26.a.a()[0];
        } else {
            chosen = -1;
            for (int candidate : offered.a()) {
                if (cl_26.b(candidate)) {
                    chosen = candidate;
                    break;
                }
            }
            if (chosen < 0) {
                return false;
            }
        }
        this.ab = new cl_25(cl_26.c(chosen), this.x.b());
        return true;
    }

    /**
     * Builds {@code ab} from the selected server private key {@code U} and the public key
     * of the first certificate in the selected chain {@code T}.
     */
    private void D() {
        PublicKey leafKey = this.T[0].getPublicKey();
        this.ab = new cl_25(this.U, leafKey);
    }

    /**
     * Lazily obtains the Kerberos credentials object {@code W}.
     *
     * <p>The credentials come from a privileged {@code cl_101} action. When a name can be
     * derived from them and a {@code SecurityManager} is installed, the "accept" permission
     * built by {@code cl_77.a(String, String)} is checked against the handshaker's access
     * control context; a denial discards the credentials.
     *
     * @return {@code true} when credentials are available afterwards, {@code false} when
     *     none were found, access was denied, or the privileged action failed
     */
    private boolean E() {
        if (this.W != null) {
            return true;
        }
        try {
            AccessControlContext context = f();
            this.W = AccessController.doPrivileged(new cl_101(this, context));
            if (this.W == null) {
                return false;
            }
            SSLLogger.fine("Using Kerberos creds");
            String name = cl_77.a(this.W);
            // The security manager is only consulted when a name was derived.
            SecurityManager manager = (name == null) ? null : System.getSecurityManager();
            if (manager != null) {
                try {
                    manager.checkPermission(cl_77.a(name, "accept"), context);
                } catch (SecurityException denied) {
                    // Drop the credentials so a later call starts from scratch.
                    this.W = null;
                    SSLLogger.subThrown("Permission to access Kerberos secret key denied", denied);
                    return false;
                }
            }
            return true;
        } catch (PrivilegedActionException failure) {
            SSLLogger.subThrown("Attempt to obtain Kerberos key failed: " + failure.toString(), failure);
            return false;
        }
    }

    /**
     * Processes a {@code cl_20} client key exchange message using {@code aa}.
     *
     * <p>The value carried by the message is first passed to {@code aa.a(h, value)} and then
     * to {@code aa.a(value, false)}, whose result is returned.
     * NOTE(review): the first call presumably validates the peer value against the
     * constraints in {@code h} - confirm in cl_21.
     *
     * @return the secret produced by {@code aa}
     * @throws IOException if message processing fails
     */
    private SecretKey a(cl_20 cl_20Var) throws IOException {
        cl_20Var.f();
        BigInteger peerValue = cl_20Var.b();
        this.aa.a(this.h, peerValue);
        SecretKey agreed = this.aa.a(peerValue, false);
        return agreed;
    }

    /**
     * Processes a {@code cl_24} client key exchange message using {@code ab}.
     *
     * <p>The encoded value carried by the message is first passed to {@code ab.a(h, bytes)}
     * and then to {@code ab.a(bytes)}, whose result is returned.
     * NOTE(review): the first call presumably validates the peer value against the
     * constraints in {@code h} - confirm in cl_25.
     *
     * @return the secret produced by {@code ab}
     * @throws IOException if message processing fails
     */
    private SecretKey a(cl_24 cl_24Var) throws IOException {
        cl_24Var.f();
        byte[] peerEncoded = cl_24Var.b();
        this.ab.a(this.h, peerEncoded);
        SecretKey agreed = this.ab.a(peerEncoded);
        return agreed;
    }

    /**
     * Processes a {@code cl_75} client key exchange message (the dispatcher builds it with
     * the Kerberos credentials {@code W}).
     *
     * <p>Two values from the message are recorded on the session {@code A}, then the
     * message's bytes are wrapped as a "TlsPremasterSecret" key.
     * NOTE(review): e() and g() are presumably the two principals - confirm in cl_75.
     *
     * @return the premaster secret wrapped in a {@code SecretKeySpec}
     * @throws IOException if message processing fails
     */
    private SecretKey a(cl_75 cl_75Var) throws IOException {
        cl_75Var.f();
        this.A.a(cl_75Var.e());
        this.A.b(cl_75Var.g());
        byte[] premaster = cl_75Var.b();
        return new SecretKeySpec(premaster, "TlsPremasterSecret");
    }

    /**
     * Processes a {@code cl_85} client key exchange message and returns the secret stored
     * in its {@code q} field.
     *
     * @return the value of {@code cl_85Var.q}, read after {@code f()} has run
     * @throws IOException if message processing fails
     */
    private SecretKey a(cl_85 cl_85Var) throws IOException {
        cl_85Var.f();
        SecretKey premaster = cl_85Var.q;
        return premaster;
    }

    /**
     * Handles the client's certificate chain message (handshake type 11 in a(byte, int)):
     * records the client's public key in {@code V}, derives an authentication-type string
     * from the key algorithm, and asks the trust manager to validate the chain.
     *
     * <p>NOTE(review): this body does not compile as shown ({@code CertificateException} is
     * thrown outside any handler although the method only declares {@code IOException}), so
     * the decompiler has misplaced at least the try region. Treat the control flow below as
     * approximate and check the bytecode before relying on it for an audit.
     *
     * @throws IOException if message processing or chain validation fails
     */
    private void a(cl_49 cl_49Var) throws IOException {
        // Default authentication type; replaced below according to the key algorithm.
        String str = "EC";
        cl_49Var.f();
        X509Certificate[] b = cl_49Var.b();
        if (b.length == 0) {
            // An empty chain is tolerated only in client-auth mode 1; no key is recorded and
            // X stays unset, so no CertificateVerify is expected afterwards.
            if (this.S == 1) {
                return;
            } else {
                // NOTE(review): b[0] is dereferenced below, so a(...) presumably raises the
                // alert by throwing - confirm in cl_64.
                a(Alerts.alert_bad_certificate, "null cert chain");
            }
        }
        X509TrustManager d = this.x.d();
        try {
            PublicKey publicKey = b[0].getPublicKey();
            this.V = publicKey;
            String algorithm = publicKey.getAlgorithm();
            if (algorithm.equals("RSA")) {
                str = "RSA";
            } else if (algorithm.equals("DSA")) {
                str = "DSA";
            } else if (!algorithm.equals("EC")) {
                if (this.C != cl_11.K_GR3410 && this.C != cl_11.K_GR3410_2012_256 && this.C != cl_11.K_GR3410_2012_256_IANA && this.C != cl_11.K_GR3410_2012_256_KUZN && this.C != cl_11.K_GR3410_2012_256_MAGMA) {
                    str = "UNKNOWN";
                }
                // NOTE(review): as written, "UNKNOWN" is always overwritten here; an else
                // branch was presumably lost by the decompiler.
                str = this.C.v;
            }
        } catch (CertificateException e) {
            // NOTE(review): nothing inside the try visibly throws CertificateException; the
            // trust-manager calls below are the likely intended contents of this region.
            a(Alerts.alert_certificate_unknown, e);
        }
        // Only extended trust managers are accepted, since the calls below pass the
        // connection object as a third argument.
        if (!(d instanceof X509ExtendedTrustManager)) {
            throw new CertificateException("Improper X509TrustManager implementation");
        }
        // Validation runs on a copy of the chain, so the trust manager cannot alter the
        // array stored on the session afterwards. The third argument is this.r when it is
        // set, otherwise this.s.
        if (this.r != null) {
            ((X509ExtendedTrustManager) d).checkClientTrusted((X509Certificate[]) b.clone(), str, this.r);
        } else {
            ((X509ExtendedTrustManager) d).checkClientTrusted((X509Certificate[]) b.clone(), str, this.s);
        }
        // A CertificateVerify is now owed by the client; a(cl_51) clears the flag and
        // a(cl_56) fails the handshake if it is still set.
        this.X = true;
        this.A.a(b);
    }

    /**
     * Handles the client's CertificateVerify message (handshake type 15 in a(byte, int)).
     *
     * <p>From protocol version {@code cl_84.h} upwards the message must carry a
     * {@code cl_109} value that maps to a non-empty hash algorithm name. The signature is
     * then checked against the public key of the first peer certificate on the session;
     * a mismatch or a {@code GeneralSecurityException} raises a bad_certificate alert.
     * On completion the "CertificateVerify pending" flag {@code X} is cleared.
     *
     * @throws SSLHandshakeException if the algorithm information is missing or unsupported
     * @throws IOException if message processing fails
     */
    private void a(cl_51 cl_51Var) throws IOException {
        cl_51Var.f();
        boolean carriesAlgorithm = this.a.n >= cl_84.h.n;
        if (carriesAlgorithm) {
            cl_109 declared = cl_51Var.b();
            if (declared == null) {
                throw new SSLHandshakeException("Illegal CertificateVerify message");
            }
            String hashName = cl_109.a(declared);
            if (hashName == null || hashName.isEmpty()) {
                throw new SSLHandshakeException("No supported hash algorithm");
            }
        }
        try {
            boolean signatureOk = cl_51Var.a(this.a, this.t, this.A.getPeerCertificates()[0].getPublicKey(), this.A.a());
            if (!signatureOk) {
                a(Alerts.alert_bad_certificate, "certificate verify message signature error");
            }
        } catch (GeneralSecurityException e) {
            a(Alerts.alert_bad_certificate, "certificate verify format error", e);
        }
        this.X = false;
    }

    /* JADX WARN: Code restructure failed: missing block: B:110:0x020e, code lost:
    
        if (r5.isEmpty() == false) goto L139;
     */
    /* JADX WARN: Code restructure failed: missing block: B:97:0x01f4, code lost:
    
        if (ru.CryptoPro.ssl.cl_99.L == false) goto L122;
     */
    /* JADX WARN: Failed to find 'out' block for switch in B:271:0x0564. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:276:0x05fd  */
    /* JADX WARN: Removed duplicated region for block: B:279:0x0609  */
    /* JADX WARN: Removed duplicated region for block: B:289:0x062b  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Handler that a(byte, int) invokes for handshake type 1.
     *
     * <p>The decompiler did not recover this body (1742 instructions skipped); the statement
     * below is its placeholder and always throws {@code UnsupportedOperationException}.
     * NOTE(review): none of the logic for this message can be reviewed from this listing;
     * recover it from the instruction dump before drawing conclusions about it.
     */
    private void a(ru.CryptoPro.ssl.cl_52 r26) throws java.io.IOException {
        /*
            Method dump skipped, instructions count: 1742
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.ssl.cl_99.a(ru.CryptoPro.ssl.cl_52):void");
    }

    /**
     * Handles the client's Finished message (handshake type 20 in a(byte, int)).
     *
     * <p>Checks, in order: in client-auth mode 2 the peer principal is requested from the
     * session (NOTE(review): presumably this throws when the client is unauthenticated -
     * confirm); a still-pending CertificateVerify ({@code X}) is a handshake failure; the
     * Finished verify data must check out. Afterwards the server's own Finished is sent
     * unless {@code D} is set, the session timestamp is updated, and the session is cached
     * when {@code A.d()} allows it.
     *
     * @throws IOException if verification fails or the reply cannot be sent
     */
    private void a(cl_56 cl_56Var) throws IOException {
        cl_56Var.f();
        if (this.S == 2) {
            this.A.getPeerPrincipal();
        }
        if (this.X) {
            a(Alerts.alert_handshake_failure, "client did not send certificate verify message");
        }
        boolean verified = cl_56Var.a(this.t, 1, this.A.a());
        if (!verified) {
            a(Alerts.alert_handshake_failure, "client 'finished' message doesn't verify");
        }
        if (this.c) {
            this.d = cl_56Var.b();
        }
        if (!this.D) {
            this.u.a();
            d(true);
        }
        this.A.a(System.currentTimeMillis());
        if (this.D) {
            // Nothing is cached or logged on this path.
            return;
        }
        if (this.A.d()) {
            ((SSLSessionContextImpl) this.x.engineGetServerSessionContext()).a(this.A);
            SSLLogger.fine("%% Cached server session:", this.A);
        } else {
            SSLLogger.fine("%% Didn't cache non-resumable server session:", this.A);
        }
    }

    /**
     * Chooses the ephemeral DH key size and builds {@code aa} with it.
     *
     * <ul>
     *   <li>{@code z} true: 512 bits, regardless of configuration.</li>
     *   <li>{@code af} ("legacy" property value): {@code ViewUtils.EDGE_TO_EDGE_FLAGS}.</li>
     *   <li>{@code ae} ("matched" property value): 2048 when {@code key} is larger than
     *       1024 bits, otherwise 1024 (also when {@code key} is null).</li>
     *   <li>otherwise: the customised size {@code ag} when positive, else 1024.</li>
     * </ul>
     *
     * <p>NOTE(review): {@code ViewUtils.EDGE_TO_EDGE_FLAGS} is an Android UI constant; its
     * use here is presumably the decompiler substituting a named constant for an equal
     * integer literal (likely 768) - confirm against the bytecode.
     * NOTE(review): the 512-bit path and the legacy value are far below sizes considered
     * adequate for finite-field DH; confirm that the enabled cipher suites and property
     * settings keep both paths unreachable in deployments.
     *
     * @param z selects the fixed 512-bit size when true
     * @param key key whose size drives the "matched" mode; may be null
     */
    private void a(boolean z, Key key) {
        int bits;
        if (z) {
            bits = 512;
        } else if (af) {
            bits = ViewUtils.EDGE_TO_EDGE_FLAGS;
        } else if (ae) {
            bits = (key != null && KeyUtil.getKeySize(key) > 1024) ? 2048 : 1024;
        } else {
            bits = (ag > 0) ? ag : 1024;
        }
        this.aa = new cl_21(bits, this.x.b());
    }

    /**
     * Searches the key manager's server aliases for a private key and certificate chain
     * usable with the given algorithm and, on success, stores them in {@code U} and
     * {@code T}.
     *
     * <p>NOTE(review): this body is damaged decompiler output. {@code sb}, {@code str2} and
     * {@code str3} are not definitely assigned on several paths, and the branches that log a
     * failed check (curve, certificate match, DH availability, key test) fall through to the
     * "Chosen server alias" assignment instead of moving on to the next alias. The listing
     * therefore cannot be used to decide which keys are actually rejected; check the
     * bytecode.
     *
     * @param str algorithm name; the part before the first "_" is compared with the key
     *     algorithms
     * @param z when true the algorithm-name comparison is bypassed and the
     *     ParamUtil / cl_42 checks are run instead
     * @return {@code true} when a key and chain were selected, {@code false} otherwise
     */
    private boolean a(String str, boolean z) {
        StringBuilder sb;
        String str2;
        String str3;
        SSLLogger.fine("Search for server containers with algorithm: " + str);
        X509ExtendedKeyManager c = this.x.c();
        // Unused local left behind by the decompiler.
        SSLSocketImpl sSLSocketImpl = this.r;
        String[] serverAliases = c.getServerAliases(str, null);
        if (serverAliases == null) {
            SSLLogger.fine("Server container not found.");
            return false;
        }
        for (String str4 : serverAliases) {
            // Aliases are written to the log at fine and info level throughout this loop.
            SSLLogger.fine("Check private key: " + str4);
            PrivateKey privateKey = c.getPrivateKey(str4);
            if (privateKey == null) {
                sb = new StringBuilder("Private key ");
            } else {
                X509Certificate[] certificateChain = c.getCertificateChain(str4);
                if (certificateChain == null || certificateChain.length == 0) {
                    sb = new StringBuilder("Certificate chain ");
                } else {
                    String str5 = str.split("_")[0];
                    PublicKey publicKey = certificateChain[0].getPublicKey();
                    if (z || (privateKey.getAlgorithm().equals(str5) && publicKey.getAlgorithm().equals(str5))) {
                        if (str5.equals("EC")) {
                            // EC keys must use a curve accepted by cl_26.b and, when ad is
                            // set, contained in ad.
                            if (publicKey instanceof ECPublicKey) {
                                int a = cl_26.a(((ECPublicKey) publicKey).getParams());
                                if (cl_26.b(a)) {
                                    cl_26 cl_26Var = this.ad;
                                    if (cl_26Var != null && !cl_26Var.a(a)) {
                                        str3 = "Unsupported elliptic curve extension [2]";
                                    }
                                } else {
                                    str3 = "Unsupported elliptic curve extension [1]";
                                }
                            } else {
                                str3 = "Public key does not match to ECPublicKey";
                            }
                        }
                        if (z) {
                            // Three successive checks: certificate suitability, DH
                            // availability for the key, and a signature self-test.
                            SSLLogger.fine("Check if certificate " + str4 + " approach...");
                            if (ParamUtil.isCertApproach(certificateChain[0], str)) {
                                SSLLogger.fine("Certificate " + str4 + " matches. Check if DH available...");
                                if (cl_42.isAvailable2012DHAllowed(privateKey)) {
                                    SSLLogger.fine("Private key " + str4 + " is available. Testing key...");
                                    if (cl_42.testPrivateKey(str4, privateKey, cpSSLConfig.getDefaultDigestSignatureSSLProvider())) {
                                        SSLLogger.fine("Private key " + str4 + " is available, key test passed.");
                                    } else {
                                        sb = new StringBuilder("Signature test for key ");
                                        sb.append(str4);
                                        str2 = " not passed. Continue.";
                                    }
                                } else {
                                    sb = new StringBuilder("DH unavailable for the key ");
                                    sb.append(str4);
                                    str2 = ". Continue.";
                                }
                            } else {
                                sb = new StringBuilder("Certificate with alias ");
                                sb.append(str4);
                                str2 = " does not match. Continue.";
                            }
                            sb.append(str2);
                            str3 = sb.toString();
                        }
                        // First accepted alias wins; its key and chain become the server
                        // credentials for this handshake.
                        SSLLogger.info("%% Chosen server alias: " + str4);
                        this.U = privateKey;
                        this.T = certificateChain;
                        return true;
                    }
                    str3 = "Key algorithm doesn't match";
                    SSLLogger.fine(str3);
                }
            }
            sb.append(str4);
            sb.append(" is null.");
            str3 = sb.toString();
            SSLLogger.fine(str3);
        }
        SSLLogger.fine("Server container not found.");
        return false;
    }

    /**
     * Selects the cipher suite for the handshake.
     *
     * <p>The list that drives the order is {@code n()} when {@code F} is set and the list
     * from the message otherwise; each candidate must also pass {@code a(other, suite)}.
     * In client-auth mode 2, suites with the DH_ANON or ECDH_ANON key exchange are skipped.
     * Suites for which {@code ah.permits(...)} returns false are not discarded: they are
     * set aside and tried only after every other candidate has been refused by
     * {@code c(cl_8)}. If nothing is accepted, a handshake_failure alert is raised.
     *
     * @throws IOException if no common cipher suite can be established
     */
    private void b(cl_52 cl_52Var) throws IOException {
        cl_14 ordering;
        cl_14 other;
        if (this.F) {
            ordering = n();
            other = cl_52Var.b();
        } else {
            ordering = cl_52Var.b();
            other = n();
        }
        ArrayList<cl_8> deferred = new ArrayList<>();
        for (cl_8 suite : ordering.c()) {
            if (!a(other, suite)) {
                continue;
            }
            SSLLogger.fine("Try to set cipher suite:", suite);
            boolean anonymous = suite.g == cl_11.K_DH_ANON || suite.g == cl_11.K_ECDH_ANON;
            if (this.S == 2 && anonymous) {
                continue;
            }
            if (!ah.permits(null, suite.d, null)) {
                // Fallback candidate, tried after the main pass.
                deferred.add(suite);
                continue;
            }
            if (c(suite)) {
                return;
            }
        }
        for (cl_8 suite : deferred) {
            if (c(suite)) {
                return;
            }
        }
        a(Alerts.alert_handshake_failure, "no cipher suites in common");
    }

    /**
     * Shorthand for {@code a(str, false)}: looks up server credentials for the algorithm
     * with the key-algorithm comparison enabled.
     *
     * @param str algorithm name
     * @return {@code true} when a key and chain were selected
     */
    private boolean b(String str) {
        boolean found = a(str, false);
        return found;
    }

    /**
     * Fetches an ephemeral key pair from {@code x.e()} and stores its halves in {@code Y}
     * (private) and {@code Z} (public).
     *
     * @param z forwarded unchanged to the key pair source
     * @return {@code false} when no key pair was supplied (fields untouched), else
     *     {@code true}
     */
    private boolean c(boolean z) {
        KeyPair pair = this.x.e().a(z, this.x.b());
        if (pair != null) {
            this.Y = pair.getPrivate();
            this.Z = pair.getPublic();
            return true;
        }
        return false;
    }

    /**
     * Flushes pending output and sends the server's Finished message.
     *
     * <p>When {@code c} is set the message's verify data is kept in {@code e}. When
     * {@code z} is true the handshake state {@code w} is moved to 20.
     *
     * @param z passed on to the send call and, when true, advances the state
     * @throws IOException if flushing or sending fails
     */
    private void d(boolean z) throws IOException {
        this.v.flush();
        cl_56 finished = new cl_56(this.a, this.t, 2, this.A.a(), this.B);
        a(finished, z);
        if (this.c) {
            this.e = finished.b();
        }
        if (!z) {
            return;
        }
        this.w = 20;
    }

    /**
     * Returns a fresh {@code cl_57} message. Its role in the handshake is not visible in
     * this listing.
     */
    @Override // ru.CryptoPro.ssl.cl_64
    cl_48 a() {
        cl_48 message = new cl_57();
        return message;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reacts to an alert received during the handshake.
     *
     * <p>Alert 41 (no_certificate in SSL 3.0) is ignored in client-auth mode 1; every other
     * combination aborts the handshake.
     *
     * @param b alert code
     * @throws SSLProtocolException for every alert that is not tolerated
     */
    @Override // ru.CryptoPro.ssl.cl_64
    public void a(byte b) throws SSLProtocolException {
        String description = Alerts.alertDescription(b);
        SSLLogger.fine("SSL -- handshake alert:", description);
        boolean tolerated = b == 41 && this.S == 1;
        if (!tolerated) {
            throw new SSLProtocolException("handshake alert: " + description);
        }
    }

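    /**
     * Dispatches one incoming handshake message by its TLS handshake type and advances the
     * handshake state {@code w}.
     *
     * <p>Types handled: 1 (client hello), 11 (certificate), 15 (certificate verify),
     * 16 (client key exchange) and 20 (finished). A message whose type does not move the
     * state forward is rejected, except while the state is 16 or when the type is 15.
     * For type 16 the premaster secret is produced by the handler matching the negotiated
     * key exchange {@code C} and handed to {@code a(SecretKey, cl_84)}.
     *
     * <p>Fix relative to the decompiled source: the {@code RuntimeException} wrapping an
     * {@code InvalidKeyException} was created with a cause and then given the same cause
     * through {@code initCause}; that second call throws {@code IllegalStateException} and
     * replaced the intended exception. The cause is now set through the constructor only.
     *
     * @param b handshake message type
     * @param i forwarded to the message constructors that take it
     * @throws SSLProtocolException on a sequence violation, an unknown message type or an
     *     unrecognised key exchange
     * @throws IOException if a handler fails
     */
    @Override // ru.CryptoPro.ssl.cl_64
    void a(byte b, int i) throws IOException {
        SecretKey a;
        int i2 = b;
        if (this.w >= i2 && this.w != 16 && i2 != 15) {
            throw new SSLProtocolException("Handshake message sequence violation, state = " + this.w + ", type = " + i2);
        }
        if (i2 == 1) {
            a(new cl_52(this.u, i));
        } else if (i2 == 11) {
            // A chain sent without having been requested gets alert 10 (unexpected_message).
            if (this.S == 0) {
                a((byte) 10, "client sent unsolicited cert chain");
            }
            a(new cl_49(this.u));
        } else if (i2 == 20) {
            // Finished is only acceptable once g() reports true; the alert text names
            // ChangeCipherSpec as the precondition.
            if (!g()) {
                a(Alerts.alert_handshake_failure, "Received Finished message before ChangeCipherSpec");
            }
            a(new cl_56(this.a, this.u, this.B));
        } else if (i2 == 15) {
            // The GOST key exchanges take the value from j() or k(); all others use i().
            a((this.C == cl_11.K_GR3410 || this.C == cl_11.K_GR3410_2012_256) ? new cl_51(this.u, i, true, j(), this.a) : (this.C == cl_11.K_GR3410_2012_256_IANA || this.C == cl_11.K_GR3410_2012_256_KUZN || this.C == cl_11.K_GR3410_2012_256_MAGMA) ? new cl_51(this.u, i, true, k(), this.a) : new cl_51(this.u, i, false, i(), this.a));
        } else {
            if (i2 != 16) {
                throw new SSLProtocolException("Illegal server handshake msg, " + i2);
            }
            // cl_102.a maps the key-exchange enum to the case labels below; the mapping
            // itself is not part of this listing.
            switch (cl_102.a[this.C.ordinal()]) {
                case 1:
                case 2:
                    a = a(new cl_85(this.a, this.ac, this.x.b(), this.u, i, this.U));
                    break;
                case 3:
                case 4:
                    a = a(new cl_75(this.a, this.ac, this.x.b(), this.u, f(), this.W));
                    break;
                case 5:
                case 6:
                case 7:
                    a = a(new cl_20(this.u));
                    break;
                case 8:
                case 9:
                case 10:
                case 11:
                case 12:
                    a = a(new cl_24(this.u));
                    break;
                case 13:
                case 14:
                case 15:
                case 16:
                case 17:
                    cl_37 cl_37Var = new cl_37(this.u, i);
                    cl_37Var.a(this.B, this.y.a, this.z.a, this.U, this.V);
                    a = cl_37Var.e();
                    // NOTE(review): this overwrites the "CertificateVerify pending" flag
                    // with a value computed by the message - confirm what cl_37.b() reports.
                    this.X = cl_37Var.b();
                    break;
                default:
                    throw new SSLProtocolException("Unrecognized key exchange: " + this.C);
            }
            if (this.A.b()) {
                this.u.a();
            }
            try {
                a(a, this.ac);
            } catch (InvalidKeyException e) {
                // The cause goes in through the constructor only: initCause() on a
                // throwable that already has a cause throws IllegalStateException.
                throw new RuntimeException("Invalid key exchange", e);
            }
        }
        if (this.w < i2) {
            // After certificate verify (15) the recorded state is 17.
            if (i2 == 15) {
                i2 += 2;
            }
            this.w = i2;
        }
    }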

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Replaces the client-authentication mode {@code S}.
     *
     * <p>Only the field is updated; the boolean derived from the mode that the constructors
     * passed to the superclass is not touched here.
     *
     * @param b new client-authentication mode
     */
    public void c(byte b) {
        this.S = b;
    }

    /* JADX WARN: Code restructure failed: missing block: B:105:0x01ba, code lost:
    
        if (c(r9.k) == false) goto L116;
     */
    /* JADX WARN: Failed to find 'out' block for switch in B:20:0x009d. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:125:0x0077  */
    /* JADX WARN: Removed duplicated region for block: B:127:0x007c  */
    /* JADX WARN: Removed duplicated region for block: B:31:0x01d1  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Called by b(cl_52) for each candidate cipher suite; a {@code true} result ends the
     * selection there.
     *
     * <p>The decompiler did not recover this body (524 instructions skipped); the statement
     * below is its placeholder and always throws {@code UnsupportedOperationException}.
     * NOTE(review): how a suite is accepted, including any key or credential setup done
     * here, cannot be reviewed from this listing; recover it from the instruction dump.
     */
    boolean c(ru.CryptoPro.ssl.cl_8 r9) {
        /*
            Method dump skipped, instructions count: 524
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.ssl.cl_99.c(ru.CryptoPro.ssl.cl_8):boolean");
    }
}
