package org.conscrypt;

import java.io.IOException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHKey;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.crypto.tls.ExporterLabel;

/* loaded from: classes5.dex */
public class ClientHandshakeImpl extends HandshakeProtocol {

    /* loaded from: classes5.dex */
    public class a implements Runnable {
        public a() {
        }

        @Override // java.lang.Runnable
        public void run() {
            ClientHandshakeImpl.this.processServerHelloDone();
        }
    }

    public ClientHandshakeImpl(Object obj) {
        super(obj);
    }

    private SSLSessionImpl findSessionToResume() {
        String peerHostName;
        int peerPort;
        SSLEngineImpl sSLEngineImpl = this.engineOwner;
        if (sSLEngineImpl != null) {
            peerHostName = sSLEngineImpl.getPeerHost();
            peerPort = this.engineOwner.getPeerPort();
        } else {
            peerHostName = this.socketOwner.getPeerHostName();
            peerPort = this.socketOwner.getPeerPort();
        }
        if (peerHostName == null || peerPort == -1) {
            return null;
        }
        SSLSessionImpl sSLSessionImpl = (SSLSessionImpl) this.parameters.getClientSessionContext().getSession(peerHostName, peerPort);
        return sSLSessionImpl != null ? (SSLSessionImpl) sSLSessionImpl.clone() : sSLSessionImpl;
    }

    private void renegotiateNewSession() {
        if (!this.parameters.getEnableSessionCreation()) {
            this.status = 2;
            sendWarningAlert((byte) 100);
            return;
        }
        this.isResuming = false;
        SSLSessionImpl sSLSessionImpl = new SSLSessionImpl(this.parameters.getSecureRandom());
        this.session = sSLSessionImpl;
        SSLEngineImpl sSLEngineImpl = this.engineOwner;
        if (sSLEngineImpl != null) {
            sSLSessionImpl.setPeer(sSLEngineImpl.getPeerHost(), this.engineOwner.getPeerPort());
        } else {
            sSLSessionImpl.setPeer(this.socketOwner.getPeerHostName(), this.socketOwner.getPeerPort());
        }
        this.session.protocol = ProtocolVersion.getLatestVersion(this.parameters.getEnabledProtocols());
        this.recordProtocol.setVersion(this.session.protocol.version);
        startSession();
    }

    private void startSession() {
        CipherSuite[] enabledCipherSuitesMember = this.isResuming ? new CipherSuite[]{this.session.cipherSuite} : this.parameters.getEnabledCipherSuitesMember();
        SecureRandom secureRandom = this.parameters.getSecureRandom();
        SSLSessionImpl sSLSessionImpl = this.session;
        ClientHello clientHello = new ClientHello(secureRandom, sSLSessionImpl.protocol.version, sSLSessionImpl.f39617id, enabledCipherSuitesMember);
        this.clientHello = clientHello;
        this.session.clientRandom = clientHello.random;
        send(clientHello);
        this.status = 1;
    }

    private void verifyServerCert() {
        String authType = this.session.cipherSuite.getAuthType(this.serverKeyExchange != null);
        if (authType == null) {
            return;
        }
        SSLEngineImpl sSLEngineImpl = this.engineOwner;
        String peerHost = sSLEngineImpl != null ? sSLEngineImpl.getPeerHost() : this.socketOwner.getWrappedHostName();
        try {
            X509TrustManager trustManager = this.parameters.getTrustManager();
            if (trustManager instanceof TrustManagerImpl) {
                ((TrustManagerImpl) trustManager).checkServerTrusted(this.serverCert.certs, authType, peerHost);
            } else {
                trustManager.checkServerTrusted(this.serverCert.certs, authType);
            }
            this.session.peerCertificates = this.serverCert.certs;
        } catch (CertificateException e10) {
            fatalAlert((byte) 42, "Not trusted server certificate", e10);
        }
    }

    @Override // org.conscrypt.HandshakeProtocol
    public void makeFinished() {
        byte[] bArr;
        if (this.serverHello.server_version[1] == 1) {
            bArr = new byte[12];
            computerVerifyDataTLS(ExporterLabel.client_finished, bArr);
        } else {
            bArr = new byte[36];
            computerVerifyDataSSLv3(SSLv3Constants.client, bArr);
        }
        Finished finished = new Finished(bArr);
        this.clientFinished = finished;
        send(finished);
        if (this.isResuming) {
            this.session.lastAccessedTime = System.currentTimeMillis();
            this.status = 3;
        } else {
            if (this.serverHello.server_version[1] == 1) {
                computerReferenceVerifyDataTLS(ExporterLabel.server_finished);
            } else {
                computerReferenceVerifyDataSSLv3(SSLv3Constants.server);
            }
            this.status = 1;
        }
    }

    public void processServerHelloDone() {
        PublicKey publicKey;
        DHParameterSpec params;
        int i10;
        String chooseClientAlias;
        if (this.serverCert != null) {
            if (this.session.cipherSuite.isAnonymous()) {
                unexpectedMessage();
                return;
            }
            verifyServerCert();
        } else if (!this.session.cipherSuite.isAnonymous()) {
            unexpectedMessage();
            return;
        }
        CertificateRequest certificateRequest = this.certificateRequest;
        PrivateKey privateKey = null;
        r2 = null;
        X509Certificate[] certificateChain = null;
        if (certificateRequest != null) {
            String[] typesAsString = certificateRequest.getTypesAsString();
            X500Principal[] x500PrincipalArr = this.certificateRequest.certificate_authorities;
            X509KeyManager keyManager = this.parameters.getKeyManager();
            if (keyManager instanceof X509ExtendedKeyManager) {
                X509ExtendedKeyManager x509ExtendedKeyManager = (X509ExtendedKeyManager) keyManager;
                SSLSocketImpl sSLSocketImpl = this.socketOwner;
                chooseClientAlias = sSLSocketImpl != null ? x509ExtendedKeyManager.chooseClientAlias(typesAsString, x500PrincipalArr, sSLSocketImpl) : x509ExtendedKeyManager.chooseEngineClientAlias(typesAsString, x500PrincipalArr, this.engineOwner);
                if (chooseClientAlias != null) {
                    certificateChain = x509ExtendedKeyManager.getCertificateChain(chooseClientAlias);
                }
            } else {
                chooseClientAlias = keyManager.chooseClientAlias(typesAsString, x500PrincipalArr, this.socketOwner);
                if (chooseClientAlias != null) {
                    certificateChain = keyManager.getCertificateChain(chooseClientAlias);
                }
            }
            this.session.localCertificates = certificateChain;
            this.clientCert = new CertificateMessage(certificateChain);
            privateKey = keyManager.getPrivateKey(chooseClientAlias);
            send(this.clientCert);
        }
        int i11 = this.session.cipherSuite.keyExchange;
        boolean z10 = true;
        if (i11 == 1 || i11 == 2) {
            try {
                Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding");
                ServerKeyExchange serverKeyExchange = this.serverKeyExchange;
                if (serverKeyExchange != null) {
                    cipher.init(3, serverKeyExchange.getRSAPublicKey());
                } else {
                    cipher.init(3, this.serverCert.certs[0]);
                }
                this.preMasterSecret = new byte[48];
                this.parameters.getSecureRandom().nextBytes(this.preMasterSecret);
                System.arraycopy(this.clientHello.client_version, 0, this.preMasterSecret, 0, 2);
                try {
                    byte[] wrap = cipher.wrap(new SecretKeySpec(this.preMasterSecret, "preMasterSecret"));
                    if (this.serverHello.server_version[1] != 1) {
                        z10 = false;
                    }
                    this.clientKeyExchange = new ClientKeyExchange(wrap, z10);
                } catch (Exception e10) {
                    fatalAlert((byte) 80, "Unexpected exception", e10);
                    return;
                }
            } catch (Exception e11) {
                fatalAlert((byte) 80, "Unexpected exception", e11);
                return;
            }
        } else {
            try {
                KeyFactory keyFactory = KeyFactory.getInstance("DH");
                KeyAgreement keyAgreement = KeyAgreement.getInstance("DH");
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("DH");
                if (this.serverKeyExchange != null) {
                    ServerKeyExchange serverKeyExchange2 = this.serverKeyExchange;
                    publicKey = keyFactory.generatePublic(new DHPublicKeySpec(serverKeyExchange2.par3, serverKeyExchange2.par1, serverKeyExchange2.par2));
                    ServerKeyExchange serverKeyExchange3 = this.serverKeyExchange;
                    params = new DHParameterSpec(serverKeyExchange3.par1, serverKeyExchange3.par2);
                } else {
                    publicKey = this.serverCert.certs[0].getPublicKey();
                    params = ((DHPublicKey) publicKey).getParams();
                }
                keyPairGenerator.initialize(params);
                KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
                PublicKey publicKey2 = generateKeyPair.getPublic();
                CertificateMessage certificateMessage = this.clientCert;
                if (certificateMessage == null || this.serverCert == null || !((i10 = this.session.cipherSuite.keyExchange) == 5 || i10 == 3)) {
                    this.clientKeyExchange = new ClientKeyExchange(((DHPublicKey) publicKey2).getY());
                } else {
                    PublicKey publicKey3 = certificateMessage.certs[0].getPublicKey();
                    PublicKey publicKey4 = this.serverCert.certs[0].getPublicKey();
                    if ((publicKey3 instanceof DHKey) && (publicKey4 instanceof DHKey) && ((DHKey) publicKey3).getParams().getG().equals(((DHKey) publicKey4).getParams().getG()) && ((DHKey) publicKey3).getParams().getP().equals(((DHKey) publicKey4).getParams().getG())) {
                        this.clientKeyExchange = new ClientKeyExchange();
                    }
                }
                keyAgreement.init(generateKeyPair.getPrivate());
                keyAgreement.doPhase(publicKey, true);
                this.preMasterSecret = keyAgreement.generateSecret();
            } catch (Exception e12) {
                fatalAlert((byte) 80, "Unexpected exception", e12);
                return;
            }
        }
        Message message = this.clientKeyExchange;
        if (message != null) {
            send(message);
        }
        computerMasterSecret();
        CertificateMessage certificateMessage2 = this.clientCert;
        if (certificateMessage2 != null && certificateMessage2.certs.length > 0 && !this.clientKeyExchange.isEmpty()) {
            String algorithm = privateKey.getAlgorithm();
            DigitalSignature digitalSignature = new DigitalSignature(algorithm);
            digitalSignature.init(privateKey);
            if ("RSA".equals(algorithm)) {
                digitalSignature.setMD5(this.io_stream.getDigestMD5());
                digitalSignature.setSHA(this.io_stream.getDigestSHA());
            } else if (CipherSuite.KEY_TYPE_DSA.equals(algorithm)) {
                digitalSignature.setSHA(this.io_stream.getDigestSHA());
            }
            CertificateVerify certificateVerify = new CertificateVerify(digitalSignature.sign());
            this.certificateVerify = certificateVerify;
            send(certificateVerify);
        }
        sendChangeCipherSpec();
    }

    @Override // org.conscrypt.HandshakeProtocol
    public void receiveChangeCipherSpec() {
        if (this.isResuming) {
            if (this.serverHello == null) {
                unexpectedMessage();
            }
        } else if (this.clientFinished == null) {
            unexpectedMessage();
        }
        this.changeCipherSpecReceived = true;
    }

    @Override // org.conscrypt.HandshakeProtocol
    public void start() {
        SSLSessionImpl sSLSessionImpl = this.session;
        if (sSLSessionImpl == null) {
            this.session = findSessionToResume();
        } else {
            if (this.clientHello != null && this.status != 3) {
                return;
            }
            if (!sSLSessionImpl.isValid()) {
                this.session = null;
            }
        }
        if (this.session != null) {
            this.isResuming = true;
        } else if (this.parameters.getEnableSessionCreation()) {
            this.isResuming = false;
            SSLSessionImpl sSLSessionImpl2 = new SSLSessionImpl(this.parameters.getSecureRandom());
            this.session = sSLSessionImpl2;
            SSLEngineImpl sSLEngineImpl = this.engineOwner;
            if (sSLEngineImpl != null) {
                sSLSessionImpl2.setPeer(sSLEngineImpl.getPeerHost(), this.engineOwner.getPeerPort());
            } else {
                sSLSessionImpl2.setPeer(this.socketOwner.getPeerHostName(), this.socketOwner.getPeerPort());
            }
            this.session.protocol = ProtocolVersion.getLatestVersion(this.parameters.getEnabledProtocols());
            this.recordProtocol.setVersion(this.session.protocol.version);
        } else {
            fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "SSL Session may not be created ");
        }
        startSession();
    }

    @Override // org.conscrypt.HandshakeProtocol
    public void unwrap(byte[] bArr) {
        Exception exc = this.delegatedTaskErr;
        if (exc != null) {
            this.delegatedTaskErr = null;
            fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Error in delegated task", exc);
        }
        this.io_stream.append(bArr);
        while (this.io_stream.available() > 0) {
            this.io_stream.mark();
            try {
                int read = this.io_stream.read();
                int readUint24 = this.io_stream.readUint24();
                if (this.io_stream.available() < readUint24) {
                    this.io_stream.reset();
                    return;
                }
                if (read == 0) {
                    this.io_stream.removeFromMarkedPosition();
                    if (this.clientHello == null || (this.clientFinished != null && this.serverFinished != null)) {
                        if (this.session.isValid()) {
                            this.session = (SSLSessionImpl) this.session.clone();
                            this.isResuming = true;
                            startSession();
                        } else {
                            renegotiateNewSession();
                        }
                    }
                } else {
                    if (read == 2) {
                        if (this.clientHello != null && this.serverHello == null) {
                            ServerHello serverHello = new ServerHello(this.io_stream, readUint24);
                            this.serverHello = serverHello;
                            ProtocolVersion byVersion = ProtocolVersion.getByVersion(serverHello.server_version);
                            String[] enabledProtocols = this.parameters.getEnabledProtocols();
                            int i10 = 0;
                            while (true) {
                                if (i10 >= enabledProtocols.length) {
                                    fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Bad server hello protocol version");
                                } else if (!byVersion.equals(ProtocolVersion.getByName(enabledProtocols[i10]))) {
                                    i10++;
                                }
                            }
                            if (this.serverHello.compression_method != 0) {
                                fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Bad server hello compression method");
                            }
                            CipherSuite[] enabledCipherSuitesMember = this.parameters.getEnabledCipherSuitesMember();
                            int i11 = 0;
                            while (true) {
                                if (i11 >= enabledCipherSuitesMember.length) {
                                    fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Bad server hello cipher suite");
                                } else if (!this.serverHello.cipher_suite.equals(enabledCipherSuitesMember[i11])) {
                                    i11++;
                                }
                            }
                            if (this.isResuming) {
                                byte[] bArr2 = this.serverHello.session_id;
                                if (bArr2.length == 0) {
                                    this.isResuming = false;
                                } else if (!Arrays.equals(bArr2, this.clientHello.session_id)) {
                                    this.isResuming = false;
                                } else if (!this.session.protocol.equals(byVersion)) {
                                    fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Bad server hello protocol version");
                                } else if (!this.session.cipherSuite.equals(this.serverHello.cipher_suite)) {
                                    fatalAlert(AlertProtocol.HANDSHAKE_FAILURE, "Bad server hello cipher suite");
                                }
                                if (this.serverHello.server_version[1] == 1) {
                                    computerReferenceVerifyDataTLS(ExporterLabel.server_finished);
                                } else {
                                    computerReferenceVerifyDataSSLv3(SSLv3Constants.server);
                                }
                            }
                            this.session.protocol = byVersion;
                            this.recordProtocol.setVersion(byVersion.version);
                            SSLSessionImpl sSLSessionImpl = this.session;
                            ServerHello serverHello2 = this.serverHello;
                            sSLSessionImpl.cipherSuite = serverHello2.cipher_suite;
                            sSLSessionImpl.f39617id = (byte[]) serverHello2.session_id.clone();
                            this.session.serverRandom = this.serverHello.random;
                        }
                        unexpectedMessage();
                        return;
                    }
                    if (read != 20) {
                        switch (read) {
                            case 11:
                                if (this.serverHello != null && this.serverKeyExchange == null && this.serverCert == null && !this.isResuming) {
                                    this.serverCert = new CertificateMessage(this.io_stream, readUint24);
                                    break;
                                }
                                unexpectedMessage();
                                return;
                            case 12:
                                if (this.serverHello != null && this.serverKeyExchange == null && !this.isResuming) {
                                    this.serverKeyExchange = new ServerKeyExchange(this.io_stream, readUint24, this.session.cipherSuite.keyExchange);
                                    break;
                                }
                                unexpectedMessage();
                                return;
                            case 13:
                                if (this.serverCert != null && this.certificateRequest == null && !this.session.cipherSuite.isAnonymous() && !this.isResuming) {
                                    this.certificateRequest = new CertificateRequest(this.io_stream, readUint24);
                                    break;
                                }
                                unexpectedMessage();
                                return;
                            case 14:
                                if (this.serverHello != null && this.serverHelloDone == null && !this.isResuming) {
                                    this.serverHelloDone = new ServerHelloDone(this.io_stream, readUint24);
                                    if (!this.nonBlocking) {
                                        processServerHelloDone();
                                        break;
                                    } else {
                                        this.delegatedTasks.add(new DelegatedTask(new a(), this));
                                        return;
                                    }
                                }
                                unexpectedMessage();
                                return;
                            default:
                                unexpectedMessage();
                                return;
                        }
                    }
                    if (!this.changeCipherSpecReceived) {
                        unexpectedMessage();
                        return;
                    }
                    Finished finished = new Finished(this.io_stream, readUint24);
                    this.serverFinished = finished;
                    verifyFinished(finished.getData());
                    this.session.lastAccessedTime = System.currentTimeMillis();
                    this.session.context = this.parameters.getClientSessionContext();
                    this.parameters.getClientSessionContext().putSession(this.session);
                    if (this.isResuming) {
                        sendChangeCipherSpec();
                    } else {
                        this.session.lastAccessedTime = System.currentTimeMillis();
                        this.status = 3;
                    }
                }
            } catch (IOException unused) {
                this.io_stream.reset();
                return;
            }
        }
    }

    @Override // org.conscrypt.HandshakeProtocol
    public void unwrapSSLv2(byte[] bArr) {
        unexpectedMessage();
    }
}
