package org.apache.hc.client5.http.ssl;

import java.io.IOException;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.hc.client5.http.config.TlsConfig;
import org.apache.hc.core5.http.URIScheme;
import org.apache.hc.core5.http.protocol.HttpContext;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.http.ssl.TlsCiphers;
import org.apache.hc.core5.io.Closer;
import org.apache.hc.core5.reactor.ssl.SSLBufferMode;
import org.apache.hc.core5.util.Args;
import org.apache.hc.core5.util.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes.dex */
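/**
 * Base client-side TLS strategy: layers an {@link SSLSocket} over an existing plain socket,
 * applies protocol / cipher-suite restrictions, runs the handshake and then checks the peer's
 * identity according to the configured {@link HostnameVerificationPolicy}.
 *
 * <p>Hostname checking is split across two places, selected by the policy:
 * <ul>
 *   <li>{@code BUILTIN} - only the JSSE endpoint identification algorithm set in
 *       {@link #executeHandshake} is used; the stored {@link HostnameVerifier} is never consulted.</li>
 *   <li>{@code CLIENT} - only the stored {@link HostnameVerifier} is consulted after the handshake;
 *       no endpoint identification algorithm is set on the socket.</li>
 *   <li>{@code BOTH} (the default) - both checks are applied.</li>
 * </ul>
 * Consequently, under {@code CLIENT} the verifier passed to the constructor is the only hostname
 * check: a permissive verifier there leaves the peer name unchecked.
 */
abstract class AbstractClientTlsStrategy implements TlsSocketStrategy {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractClientTlsStrategy.class);
    private final HostnameVerificationPolicy hostnameVerificationPolicy;
    private final HostnameVerifier hostnameVerifier;
    private final SSLBufferMode sslBufferManagement;
    private final SSLContext sslContext;
    private final String[] supportedCipherSuites;
    private final String[] supportedProtocols;

    /**
     * Creates the strategy.
     *
     * @param sSLContext SSL context used to create the TLS sockets; must not be {@code null}.
     * @param strArr protocols to enable verbatim, or {@code null} to use the socket's enabled
     *     protocols filtered through {@code TLS.excludeWeak}. The array is stored by reference.
     * @param strArr2 cipher suites to enable verbatim, or {@code null} to use the socket's enabled
     *     suites filtered through {@code TlsCiphers.excludeWeak}. The array is stored by reference.
     * @param sSLBufferMode buffer mode; {@code null} selects {@code SSLBufferMode.STATIC}.
     * @param hostnameVerificationPolicy where hostname checking happens; {@code null} selects
     *     {@code HostnameVerificationPolicy.BOTH}.
     * @param hostnameVerifier verifier consulted for {@code CLIENT} and {@code BOTH}; when
     *     {@code null}, the default verifier from {@code HttpsSupport} is used, except under
     *     {@code BUILTIN} where a no-op verifier is stored.
     */
    public AbstractClientTlsStrategy(SSLContext sSLContext, String[] strArr, String[] strArr2, SSLBufferMode sSLBufferMode, HostnameVerificationPolicy hostnameVerificationPolicy, HostnameVerifier hostnameVerifier) {
        this.sslContext = (SSLContext) Args.notNull(sSLContext, "SSL context");
        this.supportedProtocols = strArr;
        this.supportedCipherSuites = strArr2;
        this.sslBufferManagement = sSLBufferMode == null ? SSLBufferMode.STATIC : sSLBufferMode;
        HostnameVerificationPolicy effectivePolicy =
                hostnameVerificationPolicy == null ? HostnameVerificationPolicy.BOTH : hostnameVerificationPolicy;
        this.hostnameVerificationPolicy = effectivePolicy;
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        } else if (effectivePolicy == HostnameVerificationPolicy.BUILTIN) {
            // The no-op verifier is only a placeholder: verifySession(String, SSLSession) passes
            // no verifier at all under BUILTIN, so the peer name is checked solely by the JSSE
            // endpoint identification configured in executeHandshake.
            this.hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        } else {
            this.hostnameVerifier = HttpsSupport.getDefaultHostnameVerifier();
        }
    }

    /**
     * Configures the TLS socket, performs the handshake and verifies the resulting session.
     *
     * @param upgradedSocket TLS socket layered over the original connection.
     * @param target host name the peer certificate is verified against.
     * @param attachment a {@link TlsConfig}; any other value (including {@code null}) falls back
     *     to {@code TlsConfig.DEFAULT}.
     * @throws IOException if configuring the socket, the handshake or the session verification fails.
     */
    private void executeHandshake(SSLSocket upgradedSocket, String target, Object attachment) throws IOException {
        TlsConfig tlsConfig = attachment instanceof TlsConfig ? (TlsConfig) attachment : TlsConfig.DEFAULT;
        SSLParameters sslParameters = upgradedSocket.getSSLParameters();

        // Explicitly configured protocols / suites are applied as given and are NOT passed
        // through the weak-algorithm filters; only the defaults are filtered.
        if (this.supportedProtocols != null) {
            sslParameters.setProtocols(this.supportedProtocols);
        } else {
            sslParameters.setProtocols(TLS.excludeWeak(upgradedSocket.getEnabledProtocols()));
        }
        if (this.supportedCipherSuites != null) {
            sslParameters.setCipherSuites(this.supportedCipherSuites);
        } else {
            sslParameters.setCipherSuites(TlsCiphers.excludeWeak(upgradedSocket.getEnabledCipherSuites()));
        }

        // JSSE-level hostname check, performed during the handshake itself.
        boolean builtinCheck = this.hostnameVerificationPolicy == HostnameVerificationPolicy.BUILTIN
                || this.hostnameVerificationPolicy == HostnameVerificationPolicy.BOTH;
        if (builtinCheck) {
            sslParameters.setEndpointIdentificationAlgorithm(URIScheme.HTTPS.id);
        }
        upgradedSocket.setSSLParameters(sslParameters);

        // The handshake timeout is installed as the socket's SO_TIMEOUT and is not reset in this
        // method; presumably the caller restores the regular socket timeout afterwards.
        Timeout handshakeTimeout = tlsConfig.getHandshakeTimeout();
        if (handshakeTimeout != null) {
            upgradedSocket.setSoTimeout(handshakeTimeout.toMillisecondsIntBound());
        }

        initializeSocket(upgradedSocket);

        if (LOG.isDebugEnabled()) {
            // The (Object) casts keep each array a single log argument instead of varargs.
            LOG.debug("Enabled protocols: {}", (Object) upgradedSocket.getEnabledProtocols());
            LOG.debug("Enabled cipher suites: {}", (Object) upgradedSocket.getEnabledCipherSuites());
            LOG.debug("Starting handshake ({})", handshakeTimeout);
        }
        upgradedSocket.startHandshake();
        verifySession(target, upgradedSocket.getSession());
    }

    /**
     * Hook for subclasses to customise the socket before the handshake starts. It runs after the
     * SSL parameters (protocols, cipher suites, endpoint identification) have been applied, so an
     * override that replaces the socket's {@link SSLParameters} must carry the endpoint
     * identification algorithm over, or the built-in hostname check is lost.
     *
     * @param sSLSocket the socket about to be handshaken.
     */
    public void initializeSocket(SSLSocket sSLSocket) {
    }

    /**
     * Layers TLS over the given connected socket and completes the handshake.
     *
     * @param socket the connected plain socket.
     * @param str target host name, also used for peer verification.
     * @param i target port.
     * @param obj optional {@link TlsConfig} attachment.
     * @param httpContext execution context; not used by this implementation.
     * @return the handshaken and verified TLS socket.
     * @throws IOException if socket creation, the handshake or peer verification fails; the TLS
     *     socket is closed before the exception is rethrown.
     */
    @Override
    public SSLSocket upgrade(Socket socket, String str, int i, Object obj, HttpContext httpContext) throws IOException {
        // autoClose=false: closing the TLS socket does not close the underlying socket, so on
        // failure the plain socket is left for the caller to dispose of.
        SSLSocket tlsSocket = (SSLSocket) this.sslContext.getSocketFactory().createSocket(socket, str, i, false);
        try {
            executeHandshake(tlsSocket, str, obj);
            return tlsSocket;
        } catch (IOException | RuntimeException e) {
            Closer.closeQuietly(tlsSocket);
            throw e;
        }
    }

    /**
     * Verifies the session using the configured verifier when the policy is {@code CLIENT} or
     * {@code BOTH}; under {@code BUILTIN} no verifier is passed and only session details are logged.
     *
     * @param str host name the peer certificate must match.
     * @param sSLSession the established session.
     * @throws SSLException if the peer could not be verified.
     */
    public void verifySession(String str, SSLSession sSLSession) throws SSLException {
        boolean clientCheck = this.hostnameVerificationPolicy == HostnameVerificationPolicy.CLIENT
                || this.hostnameVerificationPolicy == HostnameVerificationPolicy.BOTH;
        verifySession(str, sSLSession, clientCheck ? this.hostnameVerifier : null);
    }

    /**
     * Logs session details at debug level and, if a verifier is given, checks the leaf
     * certificate of the peer against the host name.
     *
     * @param str host name the peer certificate must match.
     * @param sSLSession the established session.
     * @param hostnameVerifier verifier to apply, or {@code null} to skip the check entirely.
     * @throws SSLException if the certificate chain is empty, the leaf is not an X.509
     *     certificate, or the verifier rejects the peer.
     */
    public void verifySession(String str, SSLSession sSLSession, HostnameVerifier hostnameVerifier) throws SSLException {
        if (LOG.isDebugEnabled()) {
            logSessionDetails(sSLSession);
        }
        if (hostnameVerifier == null) {
            return;
        }
        Certificate[] peerCertificates = sSLSession.getPeerCertificates();
        if (peerCertificates.length < 1) {
            throw new SSLPeerUnverifiedException("Peer certificate chain is empty");
        }
        Certificate leaf = peerCertificates[0];
        if (!(leaf instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException("Unexpected certificate type: " + leaf.getType());
        }
        X509Certificate x509Leaf = (X509Certificate) leaf;
        if (hostnameVerifier instanceof HttpClientHostnameVerifier) {
            // No result is inspected here: this verifier type is expected to signal a mismatch
            // by throwing.
            ((HttpClientHostnameVerifier) hostnameVerifier).verify(str, x509Leaf);
            return;
        }
        if (!hostnameVerifier.verify(str, sSLSession)) {
            throw new SSLPeerUnverifiedException("Certificate for <" + str + "> doesn't match any of the subject alternative names: " + DefaultHostnameVerifier.getSubjectAltNames(x509Leaf));
        }
    }

    /**
     * Writes the negotiated protocol, cipher suite and leaf-certificate names to the debug log.
     * Purely diagnostic: any failure while reading the certificate is ignored so that logging
     * can never change the outcome of the verification that follows.
     */
    private static void logSessionDetails(SSLSession session) {
        LOG.debug("Secure session established");
        LOG.debug(" negotiated protocol: {}", session.getProtocol());
        LOG.debug(" negotiated cipher suite: {}", session.getCipherSuite());
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            if (leaf instanceof X509Certificate) {
                X509Certificate x509Leaf = (X509Certificate) leaf;
                LOG.debug(" peer principal: {}", x509Leaf.getSubjectX500Principal());
                Collection<List<?>> subjectAltNames = x509Leaf.getSubjectAlternativeNames();
                if (subjectAltNames != null) {
                    LOG.debug(" peer alternative names: {}", altNameValues(subjectAltNames));
                }
                LOG.debug(" issuer principal: {}", x509Leaf.getIssuerX500Principal());
                Collection<List<?>> issuerAltNames = x509Leaf.getIssuerAlternativeNames();
                if (issuerAltNames != null) {
                    LOG.debug(" issuer alternative names: {}", altNameValues(issuerAltNames));
                }
            }
        } catch (Exception ignored) {
            // Best-effort diagnostics only; the real checks run in verifySession.
        }
    }

    /** Collects the value (second element) of every non-empty alternative-name entry. */
    private static List<String> altNameValues(Collection<List<?>> altNames) {
        List<String> values = new ArrayList<>();
        for (List<?> entry : altNames) {
            if (!entry.isEmpty()) {
                values.add(Objects.toString(entry.get(1), null));
            }
        }
        return values;
    }
}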
