package ru.CryptoPro.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.Subject;
import ru.CryptoPro.JCP.Key.MasterSecretInterface;
import ru.CryptoPro.JCP.Util.GetProperty;
import ru.CryptoPro.ssl.util.IPAddressUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
public final class cl_16 extends cl_59 {
    private static final boolean K = GetProperty.getBooleanProperty("jsse.enableSNIExtension", true);
    private PublicKey C;
    private PublicKey D;
    private BigInteger E;
    private cl_21 F;
    private cl_25 G;
    private cl_45 H;
    private boolean I;
    private cl_79 J;

    /* JADX INFO: Access modifiers changed from: package-private */
    public cl_16(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, cl_78 cl_78Var, cl_79 cl_79Var, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, cl_78Var, true, true, cl_79Var, z, z2, bArr, bArr2);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public cl_16(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, cl_78 cl_78Var, cl_79 cl_79Var, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, cl_78Var, true, true, cl_79Var, z, z2, bArr, bArr2);
    }

    private void a(cl_44 cl_44Var) throws IOException {
        String str;
        cl_44Var.f();
        X509Certificate[] b = cl_44Var.b();
        if (b.length == 0) {
            a((byte) 42, "empty certificate chain");
        }
        X509TrustManager c = this.r.c();
        try {
            str = ((this.w != cl_11.K_RSA_EXPORT || this.I) ? this.w : cl_11.K_RSA).v;
        } catch (CertificateException e) {
            a((byte) 46, e);
        }
        if (!(c instanceof X509ExtendedTrustManager)) {
            throw new CertificateException("Improper X509TrustManager implementation");
        }
        if (this.l != null) {
            ((X509ExtendedTrustManager) c).checkServerTrusted((X509Certificate[]) b.clone(), str, this.l);
        } else {
            ((X509ExtendedTrustManager) c).checkServerTrusted((X509Certificate[]) b.clone(), str, this.m);
        }
        this.u.a(b);
    }

    private void a(cl_49 cl_49Var) throws IOException {
        cl_49Var.f();
        this.F = new cl_21(cl_49Var.b(), cl_49Var.e(), this.r.a());
        this.E = cl_49Var.g();
    }

    private void a(cl_51 cl_51Var) throws IOException {
        cl_51Var.f();
        ECPublicKey b = cl_51Var.b();
        this.G = new cl_25(b.getParams(), this.r.a());
        this.D = b;
    }

    private void a(cl_52 cl_52Var) throws IOException {
        SSLSessionImpl sSLSessionImpl;
        String str;
        cl_52Var.f();
        if (!cl_52Var.a(this.n, 2, this.u.a())) {
            a((byte) 47, "server 'finished' message doesn't verify");
        }
        if (this.c) {
            this.e = cl_52Var.b();
        }
        if (this.x) {
            this.o.a();
            b(true);
        }
        this.u.a(System.currentTimeMillis());
        if (this.x) {
            return;
        }
        if (this.u.b()) {
            ((SSLSessionContextImpl) this.r.engineGetClientSessionContext()).a(this.u);
            sSLSessionImpl = this.u;
            str = "%% Cached client session: ";
        } else {
            sSLSessionImpl = this.u;
            str = "%% Didn't cache non-resumable client session: ";
        }
        SSLLogger.subTrace(str, sSLSessionImpl);
    }

    private void a(cl_53 cl_53Var) throws IOException {
        cl_53Var.f();
        if (this.q < 1) {
            if (!this.c) {
                SSLLogger.subTrace("Warning: continue with insecure renegotiation");
            }
            v();
        }
    }

    private void a(cl_54 cl_54Var) throws IOException, GeneralSecurityException {
        cl_54Var.f();
        if (!cl_54Var.a(this.C, this.s, this.t)) {
            a((byte) 40, "server key exchange invalid");
        }
        this.D = cl_54Var.b();
    }

    private void a(cl_55 cl_55Var) throws IOException {
        String str;
        Subject subject;
        this.I = false;
        cl_55Var.f();
        cl_79 cl_79Var = cl_55Var.e;
        if (!c(cl_79Var)) {
            throw new SSLHandshakeException("Server chose " + cl_79Var + ", but that protocol version is not enabled or not supported by the client.");
        }
        a(cl_79Var);
        cl_84 cl_84Var = (cl_84) cl_55Var.j.a(cl_33.q);
        if (cl_84Var != null) {
            if (this.f) {
                if (!cl_84Var.a()) {
                    a((byte) 40, "The renegotiation_info field is not empty");
                }
                this.c = true;
            } else {
                if (!this.c) {
                    a((byte) 40, "Unexpected renegotiation indication extension");
                }
                byte[] bArr = new byte[this.d.length + this.e.length];
                System.arraycopy(this.d, 0, bArr, 0, this.d.length);
                System.arraycopy(this.e, 0, bArr, this.d.length, this.e.length);
                if (!Arrays.equals(bArr, cl_84Var.c())) {
                    str = "Incorrect verify data in ServerHello renegotiation_info message";
                    a((byte) 40, str);
                }
            }
        } else if (this.f) {
            if (!A) {
                a((byte) 40, "Failed to negotiate the use of secure renegotiation");
            }
            this.c = false;
            SSLLogger.subTrace("Warning: No renegotiation indication extension in ServerHello");
        } else if (this.c) {
            str = "No renegotiation indication extension";
            a((byte) 40, str);
        }
        this.t = cl_55Var.f;
        if (!b(cl_55Var.h)) {
            a((byte) 47, "Server selected improper ciphersuite " + cl_55Var.h);
        }
        a(cl_55Var.h);
        this.n.a(cl_79Var, cl_55Var.h, true);
        if (this.f1886a.k >= cl_79.f.k) {
            this.n.b(this.v.g.a());
        }
        if (cl_55Var.i != 0) {
            a((byte) 47, "compression type not supported, " + ((int) cl_55Var.i));
        }
        if (this.u != null) {
            if (this.u.d().equals(cl_55Var.g)) {
                cl_9 e = this.u.e();
                if (this.v != e) {
                    throw new SSLProtocolException("Server returned wrong cipher suite for session");
                }
                if (this.f1886a != this.u.f()) {
                    throw new SSLProtocolException("Server resumed session with wrong protocol version");
                }
                if (e.d == cl_11.K_KRB5 || e.d == cl_11.K_KRB5_EXPORT) {
                    Principal localPrincipal = this.u.getLocalPrincipal();
                    try {
                        subject = (Subject) AccessController.doPrivileged(new cl_17(this));
                    } catch (PrivilegedActionException unused) {
                        SSLLogger.error("Attempt to obtain subject failed!");
                        subject = null;
                    }
                    if (subject == null) {
                        SSLLogger.error("Kerberos credentials are not present in the current Subject; check if  javax.security.auth.useSubjectAsCreds system property has been set to false");
                        throw new SSLProtocolException("Server resumed session with no subject");
                    }
                    if (!subject.getPrincipals(Principal.class).contains(localPrincipal)) {
                        throw new SSLProtocolException("Server resumed session with wrong subject identity");
                    }
                    SSLLogger.subTrace("Subject identity is same");
                }
                this.x = true;
                this.q = 19;
                if (this.w == cl_11.K_GR3410 || this.w == cl_11.K_GR3410_2012_256 || this.w == cl_11.K_GR3410_2012_256_IANA || this.w == cl_11.K_GR3410_2012_256_KUZN || this.w == cl_11.K_GR3410_2012_256_MAGMA) {
                    try {
                        a((MasterSecretInterface) this.u.a());
                    } catch (InvalidKeyException e2) {
                        RuntimeException runtimeException = new RuntimeException("Invalid key exchange");
                        runtimeException.initCause(e2);
                        throw runtimeException;
                    }
                } else {
                    a(this.u.a());
                }
                SSLLogger.subTrace("%% Server resumed ", this.u);
            } else {
                this.u = null;
                if (!this.y) {
                    throw new SSLException("New session creation is disabled");
                }
            }
        }
        if (this.x && this.u != null) {
            if (this.f1886a.k >= cl_79.f.k) {
                this.n.c(null);
            }
            a(this.u);
            return;
        }
        Iterator it2 = cl_55Var.j.a().iterator();
        while (it2.hasNext()) {
            cl_33 cl_33Var = ((cl_62) it2.next()).b;
            if (cl_33Var != cl_33.l && cl_33Var != cl_33.m && cl_33Var != cl_33.d && cl_33Var != cl_33.q && cl_33Var != cl_33.r) {
                a((byte) 110, "Server sent an unsupported extension: " + cl_33Var);
            }
        }
        this.u = new SSLSessionImpl(this.f1886a, this.v, i(), cl_55Var.g, c(), f());
        a(this.u);
        SSLLogger.subTrace("** ", this.v);
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:117:0x040d. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:125:0x04d8  */
    /* JADX WARN: Removed duplicated region for block: B:130:0x0468 A[EXC_TOP_SPLITTER, SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private void a(ru.CryptoPro.ssl.cl_56 r23) throws java.io.IOException {
        /*
            Method dump skipped, instructions count: 1378
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.ssl.cl_16.a(ru.CryptoPro.ssl.cl_56):void");
    }

    private void b(boolean z) throws IOException {
        cl_52 cl_52Var = new cl_52(this.f1886a, this.n, 1, this.u.a(), this.v);
        a(cl_52Var, z);
        if (this.c) {
            this.d = cl_52Var.b();
        }
        this.q = 19;
    }

    @Override // ru.CryptoPro.ssl.cl_59
    cl_43 a() throws SSLException {
        String b;
        cl_106 d = SSLSessionImpl.f1823a.d();
        cl_14 l = l();
        this.J = this.f1886a;
        this.u = ((SSLSessionContextImpl) this.r.engineGetClientSessionContext()).a(c(), f());
        boolean z = false;
        if (this.u != null) {
            Object[] objArr = new Object[2];
            objArr[0] = this.u;
            objArr[1] = this.u.b() ? "" : " (not rejoinable)";
            SSLLogger.subSubTraceFormat("%% Client cached {0} {1}", objArr);
        } else {
            SSLLogger.subTrace("%% No cached client session");
        }
        if (this.u != null && !this.u.b()) {
            this.u = null;
        }
        if (this.u != null) {
            cl_9 e = this.u.e();
            cl_79 f = this.u.f();
            if (!b(e)) {
                SSLLogger.subTrace("%% can't resume, unavailable cipher");
                this.u = null;
            }
            if (this.u != null && !c(f)) {
                SSLLogger.subTrace("%% can't resume, protocol disabled");
                this.u = null;
            }
            if (this.u != null) {
                SSLLogger.subSubTraceFormat("%% Try resuming {0} from port {1}", this.u, Integer.valueOf(g()));
                d = this.u.d();
                this.J = f;
                a(f);
            }
            if (!this.y) {
                if (this.u == null) {
                    throw new SSLHandshakeException("Can't reuse existing SSL client session");
                }
                ArrayList arrayList = new ArrayList(2);
                arrayList.add(e);
                if (!this.c && l.a(cl_9.H)) {
                    arrayList.add(cl_9.H);
                }
                l = new cl_14(arrayList);
            }
        }
        if (this.u == null && !this.y) {
            throw new SSLHandshakeException("No existing session to resume");
        }
        if (this.c && l.a(cl_9.H)) {
            ArrayList arrayList2 = new ArrayList(l.c() - 1);
            for (cl_9 cl_9Var : l.b()) {
                if (cl_9Var != cl_9.H) {
                    arrayList2.add(cl_9Var);
                }
            }
            l = new cl_14(arrayList2);
        }
        Iterator it2 = l.b().iterator();
        while (true) {
            if (!it2.hasNext()) {
                break;
            }
            if (b((cl_9) it2.next())) {
                z = true;
                break;
            }
        }
        if (!z) {
            throw new SSLHandshakeException("No negotiable cipher suite");
        }
        cl_48 cl_48Var = new cl_48(this.r.a(), this.J, d, l);
        if (this.J.k >= cl_79.f.k) {
            Collection i = i();
            if (i.isEmpty()) {
                throw new SSLHandshakeException("No supported signature algorithm");
            }
            cl_48Var.a(i);
        }
        if (K && (b = b()) != null && b.indexOf(46) > 0 && !IPAddressUtil.isIPv4LiteralAddress(b) && !IPAddressUtil.isIPv6LiteralAddress(b)) {
            cl_48Var.a(b);
        }
        this.s = cl_48Var.f;
        if (this.c || !l.a(cl_9.H)) {
            cl_48Var.a(this.d);
        }
        return cl_48Var;
    }

    @Override // ru.CryptoPro.ssl.cl_59
    void a(byte b) throws SSLProtocolException {
        String a2 = cl_2.a(b);
        SSLLogger.subTrace("SSL - handshake alert: ", a2);
        throw new SSLProtocolException("handshake alert:  " + a2);
    }

    @Override // ru.CryptoPro.ssl.cl_59
    void a(byte b, int i) throws IOException {
        if (this.q >= b && b != 0) {
            throw new SSLProtocolException("Handshake message sequence violation, " + ((int) b));
        }
        if (b == 0) {
            a(new cl_53(this.o));
        } else if (b == 2) {
            a(new cl_55(this.o, i));
        } else if (b != 20) {
            switch (b) {
                case 11:
                    if (this.w == cl_11.K_DH_ANON || this.w == cl_11.K_ECDH_ANON || this.w == cl_11.K_KRB5 || this.w == cl_11.K_KRB5_EXPORT) {
                        a((byte) 10, "unexpected server cert chain");
                    }
                    a(new cl_44(this.o));
                    this.C = this.u.getPeerCertificates()[0].getPublicKey();
                    break;
                case 12:
                    this.I = true;
                    try {
                        switch (cl_18.f1859a[this.w.ordinal()]) {
                            case 1:
                                PublicKey publicKey = this.C;
                                if (publicKey == null) {
                                    throw new SSLProtocolException("Server did not send certificate message");
                                }
                                if (!(publicKey instanceof RSAPublicKey)) {
                                    throw new SSLProtocolException("Protocol violation: the certificate type must be appropriate for the selected cipher suite's key exchange algorithm");
                                }
                                if (cl_68.a(publicKey) <= 512) {
                                    throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.w + " when the public key in the server certificate is less than or equal to 512 bits in length");
                                }
                                a(new cl_54(this.o));
                                break;
                            case 2:
                                a(new cl_49(this.o, this.f1886a));
                                break;
                            case 3:
                            case 4:
                                a(new cl_49(this.o, this.C, this.s.f1902a, this.t.f1902a, i, i(), this.f1886a));
                                break;
                            case 5:
                            case 6:
                            case 7:
                                a(new cl_51(this.o, this.C, this.s.f1902a, this.t.f1902a, i(), this.f1886a));
                                break;
                            case 8:
                            case 9:
                            case 10:
                            case 11:
                            case 12:
                                throw new SSLProtocolException("Protocol violation: server sent a server key exchangemessage for key exchange " + this.w);
                            case 13:
                            case 14:
                                throw new SSLProtocolException("unexpected receipt of server key exchange algorithm");
                            default:
                                throw new SSLProtocolException("unsupported key exchange algorithm = " + this.w);
                        }
                        break;
                    } catch (GeneralSecurityException e) {
                        a("Server key", e);
                        break;
                    }
                case 13:
                    if (this.w == cl_11.K_DH_ANON || this.w == cl_11.K_ECDH_ANON) {
                        throw new SSLHandshakeException("Client authentication requested for anonymous cipher suite.");
                    }
                    if (this.w == cl_11.K_KRB5 || this.w == cl_11.K_KRB5_EXPORT) {
                        throw new SSLHandshakeException("Client certificate requested for kerberos cipher suite.");
                    }
                    cl_45 cl_45Var = new cl_45(this.o, this.f1886a);
                    this.H = cl_45Var;
                    cl_45Var.f();
                    if (this.f1886a.k >= cl_79.f.k) {
                        Collection g = this.H.g();
                        if (g == null || g.isEmpty()) {
                            throw new SSLHandshakeException("No peer supported signature algorithms");
                        }
                        Collection a2 = cl_108.a(g);
                        if (!a2.isEmpty()) {
                            a(a2);
                            this.u.a(a2);
                            break;
                        } else {
                            throw new SSLHandshakeException("No supported signature and hash algorithm in common");
                        }
                    }
                    break;
                case 14:
                    a(new cl_56(this.o));
                    break;
                default:
                    throw new SSLProtocolException("Illegal client handshake msg, " + ((int) b));
            }
        } else {
            a(new cl_52(this.f1886a, this.o, this.v));
        }
        if (this.q < b) {
            this.q = b;
        }
    }
}
