package org.spongycastle.jsse.provider;

import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.jsse.BCSNIMatcher;
import org.spongycastle.jsse.BCSNIServerName;
import org.spongycastle.tls.Certificate;
import org.spongycastle.tls.CertificateRequest;
import org.spongycastle.tls.DefaultTlsServer;
import org.spongycastle.tls.NamedGroup;
import org.spongycastle.tls.ProtocolVersion;
import org.spongycastle.tls.ServerNameList;
import org.spongycastle.tls.TlsCredentials;
import org.spongycastle.tls.TlsExtensionsUtils;
import org.spongycastle.tls.TlsFatalAlert;
import org.spongycastle.tls.TlsUtils;
import org.spongycastle.tls.crypto.DHGroup;
import org.spongycastle.tls.crypto.DHStandardGroups;
import org.spongycastle.tls.crypto.TlsCrypto;
import org.spongycastle.tls.crypto.TlsCryptoParameters;
import org.spongycastle.tls.crypto.impl.jcajce.JcaDefaultTlsCredentialedSigner;
import org.spongycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
import org.spongycastle.tls.crypto.impl.jcajce.JceDefaultTlsCredentialedAgreement;
import org.spongycastle.tls.crypto.impl.jcajce.JceDefaultTlsCredentialedDecryptor;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
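/**
 * Server-side TLS peer used by the JSSE provider: it adapts the settings held by a
 * {@link ProvTlsManager} (enabled protocols and cipher suites, client-auth mode, SNI matchers,
 * key and trust managers) to the callbacks of {@link DefaultTlsServer}.
 *
 * <p>This listing is decompiler output. Numeric literals stand for protocol code points; the
 * comments name the code point each one appears to denote, and should be confirmed against the
 * library's constant classes before being relied on.
 */
public class ProvTlsServer extends DefaultTlsServer implements ProvTlsPeer {
    // Decompiler residue of the compiler-generated assertion flag; kept so the class shape is unchanged.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final Logger LOG = Logger.getLogger(ProvTlsServer.class.getName());
    // Ephemeral DH size from the "jdk.tls.ephemeralDHKeySize" system property.
    // NOTE(review): the arguments look like (name, default 2048, min 1024, max 8192) - confirm
    // against PropertyUtils.
    private static final int provEphemeralDHKeySize = PropertyUtils.getIntegerSystemProperty("jdk.tls.ephemeralDHKeySize", 2048, 1024, 8192);
    // Credentials chosen by selectCredentials for the cipher suite currently being considered.
    protected TlsCredentials credentials;
    protected boolean handshakeComplete;
    // Auth types the key manager could not serve; non-null only while getSelectedCipherSuite runs.
    protected Set<String> keyManagerMissCache;
    protected final ProvTlsManager manager;
    // SNI name accepted by one of the configured matchers, or null when none was matched.
    protected BCSNIServerName matchedSNIServerName;
    protected final ProvSSLParameters sslParameters;

    /**
     * Creates a server peer bound to the given manager.
     *
     * @param provTlsManager source of the crypto implementation, context data and SSL parameters
     */
    public ProvTlsServer(ProvTlsManager provTlsManager) {
        super(provTlsManager.getContextData().getCrypto());
        this.matchedSNIServerName = null;
        this.keyManagerMissCache = null;
        this.credentials = null;
        this.handshakeComplete = false;
        this.manager = provTlsManager;
        this.sslParameters = provTlsManager.getProvSSLParameters();
    }

    /**
     * Builds the CertificateRequest sent when client authentication is needed or wanted.
     *
     * @return the request, or {@code null} when client authentication is neither needed nor wanted
     * @throws IOException declared by the overridden method
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public CertificateRequest getCertificateRequest() throws IOException {
        if (!this.sslParameters.getNeedClientAuth() && !this.sslParameters.getWantClientAuth()) {
            return null;
        }
        // TLS ClientCertificateType code points: 1 = rsa_sign, 2 = dss_sign, 64 = ecdsa_sign.
        short[] certificateTypes = {1, 2, 64};
        Vector supportedSignatureAlgorithms = null;
        if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(this.serverVersion)) {
            supportedSignatureAlgorithms = JsseUtils.getSupportedSignatureAlgorithms(getCrypto());
        }
        // Advertise the subject name of every issuer the trust manager accepts.
        Vector<X500Name> certificateAuthorities = new Vector<X500Name>();
        X509TrustManager trustManager = this.manager.getContextData().getTrustManager();
        if (trustManager != null) {
            for (X509Certificate issuer : trustManager.getAcceptedIssuers()) {
                certificateAuthorities.addElement(X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded()));
            }
        }
        return new CertificateRequest(certificateTypes, supportedSignatureAlgorithms, certificateAuthorities);
    }

    /**
     * Returns the cipher suites enabled in the SSL parameters that the crypto implementation
     * supports.
     */
    @Override // org.spongycastle.tls.DefaultTlsServer, org.spongycastle.tls.AbstractTlsServer
    public int[] getCipherSuites() {
        return TlsUtils.getSupportedCipherSuites(this.manager.getContextData().getCrypto(), this.manager.getContext().convertCipherSuites(this.sslParameters.getCipherSuites()));
    }

    /**
     * Returns the offered compression methods: only method 0 (the TLS null compression code
     * point) in FIPS mode, otherwise whatever the superclass offers.
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected short[] getCompressionMethods() {
        if (this.manager.getContext().isFips()) {
            return new short[]{0};
        }
        return super.getCompressionMethods();
    }

    /**
     * Returns the credentials chosen by the last successful {@link #selectCredentials(int)} call;
     * {@code null} when none were chosen (for example for an anonymous key exchange).
     */
    @Override // org.spongycastle.tls.DefaultTlsServer, org.spongycastle.tls.TlsServer
    public TlsCredentials getCredentials() throws IOException {
        return this.credentials;
    }

    /**
     * Maps the configured ephemeral DH key size to the smallest standard group that covers it.
     *
     * <p>Sizes of 1536 bits or less select the 1024- and 1536-bit groups. Those are below the
     * 2048-bit minimum that current guidance gives for finite-field DH, so the property should
     * not be lowered under its 2048 default unless a legacy peer requires it.
     *
     * @throws IllegalStateException if the configured size exceeds 8192 bits
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected DHGroup getDHParameters() {
        final int bits = provEphemeralDHKeySize;
        if (bits <= 1024) {
            return DHStandardGroups.rfc2409_1024;
        }
        if (bits <= 1536) {
            return DHStandardGroups.rfc3526_1536;
        }
        if (bits <= 2048) {
            return DHStandardGroups.rfc7919_ffdhe2048;
        }
        if (bits <= 3072) {
            return DHStandardGroups.rfc7919_ffdhe3072;
        }
        if (bits <= 4096) {
            return DHStandardGroups.rfc7919_ffdhe4096;
        }
        if (bits <= 6144) {
            return DHStandardGroups.rfc7919_ffdhe6144;
        }
        if (bits <= 8192) {
            return DHStandardGroups.rfc7919_ffdhe8192;
        }
        throw new IllegalStateException("Ephemeral DH key size has unexpected value: " + provEphemeralDHKeySize);
    }

    /**
     * Returns the largest curve size that can be negotiated. Without a client group list this is
     * the library (or FIPS) maximum; otherwise it is the largest size among the client's groups,
     * counting only FIPS curves in FIPS mode, and 0 when none qualifies.
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected int getMaximumNegotiableCurveBits() {
        final boolean isFips = this.manager.getContext().isFips();
        if (this.clientSupportedGroups == null) {
            return isFips ? FipsUtils.getFipsMaximumCurveBits() : NamedGroup.getMaximumCurveBits();
        }
        int maxBits = 0;
        for (int index = 0; index < this.clientSupportedGroups.length; index++) {
            int group = this.clientSupportedGroups[index];
            if (!isFips || FipsUtils.isFipsCurve(group)) {
                maxBits = Math.max(maxBits, NamedGroup.getCurveBits(group));
            }
        }
        return maxBits;
    }

    /**
     * Runs the superclass cipher-suite selection with a fresh key-manager miss cache, so that an
     * auth type the key manager cannot serve is queried only once per selection.
     *
     * @return the selected cipher suite
     * @throws IOException if the superclass selection fails
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public int getSelectedCipherSuite() throws IOException {
        this.keyManagerMissCache = new HashSet<String>();
        try {
            int selectedCipherSuite = super.getSelectedCipherSuite();
            LOG.fine("Server selected cipher suite: " + this.manager.getContext().getCipherSuiteString(selectedCipherSuite));
            return selectedCipherSuite;
        } finally {
            // Drop the cache on failure too, so a failed selection leaves no stale cache behind.
            this.keyManagerMissCache = null;
        }
    }

    /**
     * Returns the server extensions, adding an empty server_name extension when one of the
     * configured SNI matchers accepted the client's name.
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public Hashtable getServerExtensions() throws IOException {
        // The return value is ignored; the result is read from this.serverExtensions below.
        super.getServerExtensions();
        if (this.matchedSNIServerName != null) {
            checkServerExtensions().put(TlsExtensionsUtils.EXT_server_name, TlsExtensionsUtils.createEmptyExtensionData());
        }
        return this.serverExtensions;
    }

    /**
     * Picks the protocol version: starting at the client's version and stepping to each previous
     * version, the first one present in the enabled protocol list wins.
     *
     * <p>The enabled list is the only floor applied here; any older version left in it can be
     * negotiated by a client that offers it.
     *
     * @return the selected version, also stored in {@code serverVersion}
     * @throws TlsFatalAlert with description 70 (protocol_version) when no enabled version matches
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public ProtocolVersion getServerVersion() throws IOException {
        String[] protocols = this.sslParameters.getProtocols();
        if (protocols != null && protocols.length > 0) {
            ProtocolVersion candidate = this.clientVersion;
            while (candidate != null) {
                String protocolString = this.manager.getContext().getProtocolString(candidate);
                if (protocolString != null && JsseUtils.contains(protocols, protocolString)) {
                    LOG.fine("Server selected protocol version: " + candidate);
                    this.serverVersion = candidate;
                    return candidate;
                }
                candidate = candidate.getPreviousVersion();
            }
        }
        throw new TlsFatalAlert((short) 70);
    }

    /** Returns whether {@link #notifyHandshakeComplete()} has run. */
    @Override // org.spongycastle.jsse.provider.ProvTlsPeer
    public synchronized boolean isHandshakeComplete() {
        return this.handshakeComplete;
    }

    /**
     * Logs an alert raised by this server. Alerts with level 1 (warning) are logged at FINE;
     * other alerts at WARNING when the description is 80 (internal_error), else at INFO.
     *
     * @param s   alert level
     * @param s2  alert description
     * @param str optional detail appended to the log message, may be {@code null}
     * @param th  optional cause passed to the logger, may be {@code null}
     */
    @Override // org.spongycastle.tls.AbstractTlsPeer, org.spongycastle.tls.TlsPeer
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        Level level;
        if (s == 1) {
            level = Level.FINE;
        } else if (s2 == 80) {
            level = Level.WARNING;
        } else {
            level = Level.INFO;
        }
        if (LOG.isLoggable(level)) {
            String alertLogMessage = JsseUtils.getAlertLogMessage("Server raised", s, s2);
            if (str != null) {
                alertLogMessage = alertLogMessage + ": " + str;
            }
            LOG.log(level, alertLogMessage, th);
        }
    }

    /**
     * Logs an alert received from the client: FINE for level 1 (warning), INFO otherwise.
     *
     * @param s  alert level
     * @param s2 alert description
     */
    @Override // org.spongycastle.tls.AbstractTlsPeer, org.spongycastle.tls.TlsPeer
    public void notifyAlertReceived(short s, short s2) {
        super.notifyAlertReceived(s, s2);
        Level level = (s == 1) ? Level.FINE : Level.INFO;
        if (LOG.isLoggable(level)) {
            LOG.log(level, JsseUtils.getAlertLogMessage("Server received", s, s2));
        }
    }

    /**
     * Validates the client certificate chain against the manager's trust decision.
     *
     * <p>When client authentication is only wanted (not needed), a missing or empty chain is
     * accepted and the handshake continues with an unauthenticated client; code that authorizes
     * on client identity must check that a peer certificate is actually present.
     *
     * @param certificate the chain sent by the client, possibly {@code null} or empty
     * @throws TlsFatalAlert with description 40 (handshake_failure) when a required certificate is
     *         missing, or 42 (bad_certificate) when the chain is not trusted
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public void notifyClientCertificate(Certificate certificate) throws IOException {
        if (certificate == null || certificate.isEmpty()) {
            if (this.sslParameters.getNeedClientAuth()) {
                throw new TlsFatalAlert((short) 40);
            }
            return;
        }
        X509Certificate[] chain = JsseUtils.getX509CertificateChain(this.manager.getContextData().getCrypto(), certificate);
        String authType = JsseUtils.getAuthTypeClient(certificate.getCertificateAt(0).getClientCertificateType());
        if (!this.manager.isClientTrusted(chain, authType)) {
            throw new TlsFatalAlert((short) 42);
        }
    }

    /**
     * Marks the handshake complete, reports the session to the server session context and hands
     * the resulting connection to the manager.
     */
    @Override // org.spongycastle.tls.AbstractTlsPeer, org.spongycastle.tls.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        this.handshakeComplete = true;
        this.manager.notifyHandshakeComplete(new ProvSSLConnection(this.context, this.manager.getContextData().getServerSessionContext().reportSession(this.context.getSession())));
    }

    /**
     * Processes the client extensions and, when SNI matchers are configured and the client sent a
     * server_name extension, records the matching name.
     *
     * @param hashtable the client extensions, may be {@code null}
     * @throws TlsFatalAlert with description 112 (unrecognized_name) when no matcher accepts the
     *         name the client sent
     */
    @Override // org.spongycastle.tls.AbstractTlsServer, org.spongycastle.tls.TlsServer
    public void processClientExtensions(Hashtable hashtable) throws IOException {
        super.processClientExtensions(hashtable);
        if (hashtable == null) {
            return;
        }
        Collection<BCSNIMatcher> sniMatchers = this.manager.getProvSSLParameters().getSNIMatchers();
        if (sniMatchers == null || sniMatchers.isEmpty()) {
            return;
        }
        ServerNameList serverNameExtension = TlsExtensionsUtils.getServerNameExtension(hashtable);
        if (serverNameExtension == null) {
            // No SNI from the client: the matchers are not consulted and the handshake proceeds.
            return;
        }
        BCSNIServerName matched = JsseUtils.findMatchingSNIServerName(serverNameExtension, sniMatchers);
        this.matchedSNIServerName = matched;
        if (matched == null) {
            throw new TlsFatalAlert((short) 112);
        }
    }

    /**
     * Accepts a cipher suite only when credentials are available for it and the context
     * validates it, then defers to the superclass.
     *
     * @param i the cipher suite under consideration
     * @return {@code true} if the suite was selected
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected boolean selectCipherSuite(int i) throws IOException {
        if (!selectCredentials(i)) {
            return false;
        }
        this.manager.getContext().validateNegotiatedCipherSuite(i);
        return super.selectCipherSuite(i);
    }

    /**
     * Chooses the server credentials for a cipher suite from the configured key manager.
     *
     * <p>As decompiled, this method returned {@code true} for key exchanges 16-19 without building
     * any credentials and left its own handling of those values unreachable; it also sent 17 and
     * 19 to the agreement credentials. The dispatch below restores what the separate case groups
     * indicate: static (EC)DH certificates get agreement credentials, ephemeral signed exchanges
     * get signer credentials, RSA gets a decryptor.
     *
     * @param i the cipher suite under consideration
     * @return {@code true} if the suite can be served; {@link #getCredentials()} then returns the
     *         chosen credentials, or {@code null} for an anonymous key exchange
     * @throws UnsupportedOperationException if the crypto implementation is not a JcaTlsCrypto
     */
    protected boolean selectCredentials(int i) throws IOException {
        this.credentials = null;
        final int keyExchangeAlgorithm = TlsUtils.getKeyExchangeAlgorithm(i);
        // Key-exchange code points as named in the TLS specifications - confirm against the
        // library's KeyExchangeAlgorithm constants.
        switch (keyExchangeAlgorithm) {
            case 11: // DH_anon
            case 20: // ECDH_anon
                // Anonymous exchange: the server is not authenticated and no credentials are
                // used. Whether such a suite can get here depends on the enabled cipher suites.
                return true;
            case 1: // RSA
            case 3: // DHE_DSS
            case 5: // DHE_RSA
            case 7: // DH_DSS
            case 9: // DH_RSA
            case 16: // ECDH_ECDSA
            case 17: // ECDHE_ECDSA
            case 18: // ECDH_RSA
            case 19: // ECDHE_RSA
                break;
            default:
                return false;
        }
        X509KeyManager keyManager = this.manager.getContextData().getKeyManager();
        if (keyManager == null) {
            return false;
        }
        String authTypeServer = JsseUtils.getAuthTypeServer(keyExchangeAlgorithm);
        // The cache exists only during getSelectedCipherSuite; tolerate calls made outside it.
        Set<String> missCache = this.keyManagerMissCache;
        if (missCache != null && missCache.contains(authTypeServer)) {
            return false;
        }
        // No issuer filter and no socket are passed, so the key manager chooses on auth type alone.
        String alias = keyManager.chooseServerAlias(authTypeServer, null, null);
        if (alias == null) {
            recordKeyManagerMiss(authTypeServer);
            return false;
        }
        TlsCrypto crypto = getCrypto();
        if (!(crypto instanceof JcaTlsCrypto)) {
            throw new UnsupportedOperationException();
        }
        JcaTlsCrypto jcaCrypto = (JcaTlsCrypto) crypto;
        PrivateKey privateKey = keyManager.getPrivateKey(alias);
        Certificate certificateMessage = JsseUtils.getCertificateMessage(crypto, keyManager.getCertificateChain(alias));
        if (privateKey == null || !JsseUtils.isUsableKeyForServer(keyExchangeAlgorithm, privateKey) || certificateMessage.isEmpty()) {
            recordKeyManagerMiss(authTypeServer);
            return false;
        }
        switch (keyExchangeAlgorithm) {
            case 1: // RSA key transport
                this.credentials = new JceDefaultTlsCredentialedDecryptor(jcaCrypto, certificateMessage, privateKey);
                return true;
            case 7: // DH_DSS
            case 9: // DH_RSA
            case 16: // ECDH_ECDSA
            case 18: // ECDH_RSA
                this.credentials = new JceDefaultTlsCredentialedAgreement(jcaCrypto, certificateMessage, privateKey);
                return true;
            case 3: // DHE_DSS
            case 5: // DHE_RSA
            case 17: // ECDHE_ECDSA
            case 19: // ECDHE_RSA
                this.credentials = new JcaDefaultTlsCredentialedSigner(new TlsCryptoParameters(this.context), jcaCrypto, privateKey, certificateMessage, TlsUtils.chooseSignatureAndHashAlgorithm(this.context, this.supportedSignatureAlgorithms, TlsUtils.getSignatureAlgorithm(keyExchangeAlgorithm)));
                return true;
            default:
                return false;
        }
    }

    /** Remembers that the key manager has nothing usable for the given auth type. */
    private void recordKeyManagerMiss(String authTypeServer) {
        Set<String> missCache = this.keyManagerMissCache;
        if (missCache != null) {
            missCache.add(authTypeServer);
        }
    }

    /**
     * Returns the first group in the client's list that has at least {@code i} bits and, in FIPS
     * mode, is a FIPS curve; without a client list the default curve is used.
     *
     * @param i minimum curve size in bits
     * @return the selected named group, or -1 when none qualifies
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected int selectCurve(int i) {
        if (this.clientSupportedGroups == null) {
            return selectDefaultCurve(i);
        }
        final boolean isFips = this.manager.getContext().isFips();
        for (int index = 0; index < this.clientSupportedGroups.length; index++) {
            int group = this.clientSupportedGroups[index];
            boolean largeEnough = NamedGroup.getCurveBits(group) >= i;
            if (largeEnough && (!isFips || FipsUtils.isFipsCurve(group))) {
                return group;
            }
        }
        return -1;
    }

    /**
     * Returns the default group for a minimum size: 23 (secp256r1) up to 256 bits, 24 (secp384r1)
     * up to 384 bits, and -1 above that.
     *
     * @param i minimum curve size in bits
     */
    @Override // org.spongycastle.tls.AbstractTlsServer
    protected int selectDefaultCurve(int i) {
        if (i <= 256) {
            return 23;
        }
        if (i <= 384) {
            return 24;
        }
        return -1;
    }
}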
