package ru.CryptoPro.ssl;

import java.math.BigInteger;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import ru.CryptoPro.JCP.Util.GetProperty;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes3.dex */
public final class cl_18 extends cl_66 {
    // GeneralName type tags as reported by X509Certificate.getSubjectAlternativeNames():
    // 2 is dNSName and 7 is iPAddress. Nothing in this listing refers to R or S by name; the
    // literals 2 and 7 appear inline where SAN entries are filtered, presumably because the
    // compiler folded these constants into the call sites.
    private static final int R = 2;
    private static final int S = 7;

    /* renamed from: ab, reason: collision with root package name */
    // Read once at class load (default true). When true, a() adds the server-name list to the
    // outgoing hello message if that list is non-empty.
    private static final boolean f19028ab = GetProperty.getBooleanProperty("jsse.enableSNIExtension", true);

    /* renamed from: ac, reason: collision with root package name */
    // Read once at class load (default false). While false, a() records the cached session's peer
    // chain in ag and applies extra conditions before offering resumption; setting the property to
    // true skips both, so the server-certificate-change restriction is never armed.
    private static final boolean f19029ac = GetProperty.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
    // Public key of the first certificate in the peer chain; assigned after handshake type 11.
    private PublicKey T;
    // Key taken from the server key exchange message (assigned in the cl_57 and cl_61 handlers).
    private PublicKey U;
    // Value returned by cl_55.g(); presumably the server's Diffie-Hellman public value - confirm.
    private BigInteger V;
    // Helper objects built from the server key exchange parameters (cl_55 and cl_57 handlers).
    private cl_23 W;
    private cl_27 X;
    // Message object created for handshake type 13.
    private cl_52 Y;
    // Set to true when handshake type 12 arrives; consulted when the auth-type string is chosen.
    private boolean Z;

    /* renamed from: aa, reason: collision with root package name */
    // Protocol version placed in the outgoing hello; replaced by the cached session's version
    // when a resumption is attempted.
    private cl_87 f19030aa;

    /* renamed from: ad, reason: collision with root package name */
    // Set to true once the f19312n string array has been added to the hello message.
    private boolean f19031ad;
    // Server names sent in the hello (from the cached session if one is resumed).
    private List ae;
    // Not read or written in the visible code apart from the constructors.
    private boolean af;
    // Peer chain of the cached session, kept so a later certificate message can be compared
    // against it; stays null when f19029ac is true or no qualifying session exists.
    private X509Certificate[] ag;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the handshaker for an {@code SSLEngineImpl} transport.
     *
     * <p>Every argument is forwarded unchanged to the {@code cl_66} constructor, with the literal
     * pair {@code true, true} inserted after {@code cl_86Var}; what those two flags select is
     * defined in {@code cl_66} and cannot be read from this class.
     */
    public cl_18(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, cl_86 cl_86Var, cl_87 cl_87Var, boolean z10, boolean z11, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, cl_86Var, true, true, cl_87Var, z10, z11, bArr, bArr2);
        // Start with no recorded peer chain, so the certificate-change check is not armed yet.
        this.ag = null;
        this.af = false;
        // No server names and no f19312n extension have been sent so far.
        this.ae = Collections.emptyList();
        this.f19031ad = false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the handshaker for an {@code SSLSocketImpl} transport.
     *
     * <p>Every argument is forwarded unchanged to the {@code cl_66} constructor, with the literal
     * pair {@code true, true} inserted after {@code cl_86Var}; what those two flags select is
     * defined in {@code cl_66} and cannot be read from this class.
     */
    public cl_18(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, cl_86 cl_86Var, cl_87 cl_87Var, boolean z10, boolean z11, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, cl_86Var, true, true, cl_87Var, z10, z11, bArr, bArr2);
        // Start with no recorded peer chain, so the certificate-change check is not armed yet.
        this.ag = null;
        this.af = false;
        // No server names and no f19312n extension have been sent so far.
        this.ae = Collections.emptyList();
        this.f19031ad = false;
    }

    /**
     * Collects the non-empty string values of one GeneralName type from a
     * subject-alternative-name listing.
     *
     * <p>Each element of {@code collection} is read as a {@code List} whose item 0 is an
     * {@code Integer} type tag and whose item 1 is the value. The value is cast to
     * {@code String} only after the tag matched, so entries of other types are never cast.
     *
     * @param collection entries in the shape returned by
     *     {@code X509Certificate.getSubjectAlternativeNames()}
     * @param i10 the GeneralName type tag to keep (the caller passes 2 or 7)
     * @return the matching values, or {@code null} (not an empty set) when nothing matched
     */
    private static Collection a(Collection collection, int i10) {
        HashSet matches = null;
        for (Object element : collection) {
            List entry = (List) element;
            if (((Integer) entry.get(0)).intValue() != i10) {
                continue;
            }
            String value = (String) entry.get(1);
            if (value == null || value.isEmpty()) {
                continue;
            }
            // Allocate lazily so that "no match" is reported as null, which callers test for.
            if (matches == null) {
                matches = new HashSet(collection.size());
            }
            matches.add(value);
        }
        return matches;
    }

    /**
     * Processes the server's certificate chain message (the dispatcher builds a {@code cl_51}
     * for handshake type 11).
     *
     * <p>Steps visible here: reject an empty chain, apply the certificate-change restriction when
     * a previous chain was recorded in {@code ag}, hand the chain to the context's trust manager,
     * and store the chain on the session.
     *
     * <p>NOTE(review): the control flow below is decompiler output and does not look like
     * compilable Java: {@code str} can be unassigned after the catch, and nothing inside the try
     * throws {@code CertificateException}. Presumably the original try block also covered the
     * trust-manager calls. Confirm against the bytecode before relying on where alert 46 is
     * raised.
     */
    private void a(cl_51 cl_51Var) {
        String str;
        String h10;
        // Effect of f() is not visible in this file; every handler calls it first.
        cl_51Var.f();
        X509Certificate[] b10 = cl_51Var.b();
        if (b10.length == 0) {
            // 42 is the TLS alert code for bad_certificate. a(byte, String) is inherited and is
            // presumably fatal (does not return) - otherwise b10[0] below would be out of bounds.
            a((byte) 42, "empty certificate chain");
        }
        // Certificate-change restriction. It applies only when all of these hold: a previous
        // chain was recorded (ag), the session's b() flag is false, and no endpoint
        // identification algorithm is configured (h() is null or empty). In that case the new
        // leaf must be identity-equivalent to the previously seen leaf.
        if (this.ag != null && !this.A.b() && (((h10 = h()) == null || h10.length() == 0) && !a(b10[0], this.ag[0]))) {
            a((byte) 42, "server certificate change is restricted during renegotiation");
        }
        X509TrustManager c10 = this.f19322x.c();
        try {
            // Choose the key-exchange value whose f19007v string is passed as authType to the
            // trust manager: f18988c is replaced by f18987b when no type-12 message was seen (Z).
            cl_13 cl_13Var = this.C;
            if (cl_13Var == cl_13.f18988c && !this.Z) {
                cl_13Var = cl_13.f18987b;
            }
            str = cl_13Var.f19007v;
        } catch (CertificateException e10) {
            // 46 is the TLS alert code for certificate_unknown.
            a((byte) 46, e10);
        }
        // Only trust managers that implement the extended interface are accepted, so the
        // transport-aware checkServerTrusted overloads below are always the ones used.
        if (!(c10 instanceof X509ExtendedTrustManager)) {
            throw new CertificateException("Improper X509TrustManager implementation");
        }
        // The trust manager receives a clone, so it cannot modify the array stored on the session.
        // f19316r / f19317s are presumably the socket and engine transports - confirm in cl_66.
        if (this.f19316r != null) {
            ((X509ExtendedTrustManager) c10).checkServerTrusted((X509Certificate[]) b10.clone(), str, this.f19316r);
        } else {
            ((X509ExtendedTrustManager) c10).checkServerTrusted((X509Certificate[]) b10.clone(), str, this.f19317s);
        }
        // Record the validated chain on the session.
        this.A.a(b10);
    }

    /**
     * Handles a {@code cl_55} server key exchange message (built by the dispatcher for handshake
     * type 12 on three of the key-exchange branches).
     *
     * <p>Builds a {@code cl_23} helper from the message's {@code b()} and {@code e()} values,
     * stores the message's {@code g()} value in {@code V}, and passes that value with the
     * algorithm constraints to the helper's {@code a(...)}. Presumably these are the
     * Diffie-Hellman modulus, generator and server public value, and the last call validates the
     * server value - confirm in {@code cl_23}.
     */
    private void a(cl_55 cl_55Var) {
        cl_55Var.f();
        cl_23 keyAgreement = new cl_23(cl_55Var.b(), cl_55Var.e(), this.f19322x.a());
        this.W = keyAgreement;
        this.V = cl_55Var.g();
        // The constraints object is consulted here, after the helper has been stored.
        keyAgreement.a(this.f19306h, this.V);
    }

    /**
     * Handles a {@code cl_57} server key exchange message carrying an elliptic-curve public key.
     *
     * <p>Stores the server key in {@code U}, builds a {@code cl_27} helper from the key's curve
     * parameters, and then requires the algorithm constraints to permit the key for
     * {@code KEY_AGREEMENT}.
     *
     * @throws SSLHandshakeException if the constraints reject the server's key
     */
    private void a(cl_57 cl_57Var) {
        cl_57Var.f();
        ECPublicKey serverKey = cl_57Var.b();
        this.X = new cl_27(serverKey.getParams(), this.f19322x.a());
        this.U = serverKey;
        // The key is already stored when the check runs; a rejection aborts via the exception.
        boolean permitted = this.f19306h.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), this.U);
        if (permitted) {
            return;
        }
        throw new SSLHandshakeException("ECDH ServerKeyExchange does not comply to algorithm constraints");
    }

    /**
     * Handles the server's Finished message (handshake type 20).
     *
     * <p>Verifies the message, keeps its {@code b()} value when {@code f19301c} is set, and then
     * either answers with the client's own Finished (when {@code D} is set) or caches the session
     * if it is resumable. {@code D} is presumably the "resuming a session" flag and
     * {@code f19301c} the secure-renegotiation flag - confirm in {@code cl_66}.
     */
    private void a(cl_58 cl_58Var) {
        cl_58Var.f();
        // 47 is the TLS alert code for illegal_parameter. The literal 2 selects which side's
        // Finished is being verified (the client's own message is built with 1 in c(boolean)).
        boolean verified = cl_58Var.a(this.f19318t, 2, this.A.a());
        if (!verified) {
            a((byte) 47, "server 'finished' message doesn't verify");
        }
        if (this.f19301c) {
            this.f19303e = cl_58Var.b();
        }
        if (!this.f19304f) {
            this.A.b(false);
        }
        if (this.D) {
            this.f19319u.a();
            c(true);
        }
        this.A.a(System.currentTimeMillis());
        if (this.D) {
            return;
        }
        // Only a session that reports itself as resumable goes into the client session cache.
        if (!this.A.d()) {
            SSLLogger.fine("%% Didn't cache non-resumable client session: ", this.A);
            return;
        }
        ((SSLSessionContextImpl) this.f19322x.engineGetClientSessionContext()).a(this.A);
        SSLLogger.fine("%% Cached client session: ", this.A);
    }

    /**
     * Handles a {@code cl_59} message (built by the dispatcher for handshake type 0, the server's
     * request to start a new handshake).
     *
     * <p>The request is acted on only while the recorded handshake state {@code f19321w} is
     * below 1; otherwise it is ignored.
     *
     * <p>NOTE(review): when {@code f19301c} is false, the only visible reaction is a log line
     * before {@code x()} is called. If {@code f19301c} is the secure-renegotiation flag, this
     * path continues a renegotiation that lacks RFC 5746 protection. Confirm whether a policy
     * check exists in {@code x()} or in {@code cl_66}.
     */
    private void a(cl_59 cl_59Var) {
        cl_59Var.f();
        if (this.f19321w >= 1) {
            return;
        }
        if (!this.f19301c) {
            SSLLogger.fine("Warning: continue with insecure renegotiation");
        }
        x();
    }

    /**
     * Handles a {@code cl_60} message (built by the dispatcher for handshake type 4, a new
     * session ticket).
     *
     * <p>A ticket is accepted only when {@code cl_66.K} is enabled and {@code P} is set. The
     * message's {@code b()} and {@code e()} values are then stored on the session and {@code P}
     * is cleared, so a second ticket in the same handshake is rejected.
     */
    private void a(cl_60 cl_60Var) {
        cl_60Var.f();
        boolean ticketExpected = cl_66.K && this.P;
        if (!ticketExpected) {
            // 47 is the TLS alert code for illegal_parameter.
            a((byte) 47, "Server sent the new_session_ticket improperly");
        }
        this.A.a(cl_60Var.b(), cl_60Var.e());
        this.P = false;
    }

    /**
     * Handles a {@code cl_61} server key exchange message (the RSA branch of handshake type 12).
     *
     * <p>The message is first checked with the certificate key {@code T} and the two values
     * {@code f19323y} / {@code f19324z} (presumably a signature check over the client and server
     * randoms - confirm in {@code cl_61}). The key it carries is then stored in {@code U} and
     * must be permitted for {@code KEY_AGREEMENT} by the algorithm constraints.
     *
     * @throws SSLHandshakeException if the constraints reject the key
     */
    private void a(cl_61 cl_61Var) {
        cl_61Var.f();
        boolean verified = cl_61Var.a(this.T, this.f19323y, this.f19324z);
        if (!verified) {
            // 40 is the TLS alert code for handshake_failure.
            a((byte) 40, "server key exchange invalid");
        }
        this.U = cl_61Var.b();
        boolean permitted = this.f19306h.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), this.U);
        if (permitted) {
            return;
        }
        throw new SSLHandshakeException("RSA ServerKeyExchange does not comply to algorithm constraints");
    }

    /* JADX WARN: Removed duplicated region for block: B:113:0x02b4  */
    /* JADX WARN: Removed duplicated region for block: B:133:0x02f0  */
    /* JADX WARN: Removed duplicated region for block: B:176:0x0348  */
    /* JADX WARN: Removed duplicated region for block: B:179:0x034b  */
    /* JADX WARN: Removed duplicated region for block: B:181:0x027e  */
    /* JADX WARN: Removed duplicated region for block: B:98:0x0255  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Handler for the {@code cl_62} message, which the dispatcher builds for handshake type 2.
     *
     * <p>The decompiler could not recover this body. The {@code throw} below is the tool's
     * placeholder, not the shipped behaviour. What this handler accepts from the server (for
     * type 2 presumably the negotiated version, cipher suite, session id and extensions) cannot
     * be reviewed from this listing and has to be read from the bytecode or an instruction dump.
     */
    private void a(ru.CryptoPro.ssl.cl_62 r19) {
        /*
            Method dump skipped, instructions count: 901
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.ssl.cl_18.a(ru.CryptoPro.ssl.cl_62):void");
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:112:0x03ef. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:105:0x0304  */
    /* JADX WARN: Removed duplicated region for block: B:122:0x0448 A[EXC_TOP_SPLITTER, SYNTHETIC] */
    /* JADX WARN: Removed duplicated region for block: B:83:0x0217  */
    /* JADX WARN: Removed duplicated region for block: B:89:0x023b  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Handler for the {@code cl_63} message, which the dispatcher builds for handshake type 14.
     *
     * <p>The decompiler could not recover this body. The {@code throw} below is the tool's
     * placeholder, not the shipped behaviour. The client's reply flight after type 14
     * (presumably client certificate, key exchange and certificate verify) cannot be reviewed
     * from this listing and has to be read from the bytecode or an instruction dump.
     */
    private void a(ru.CryptoPro.ssl.cl_63 r24) {
        /*
            Method dump skipped, instructions count: 1336
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: ru.CryptoPro.ssl.cl_18.a(ru.CryptoPro.ssl.cl_63):void");
    }

    /**
     * Decides whether two certificates may be treated as the same server identity.
     *
     * <p>The answer is {@code true} when any one of these holds, tried in order:
     * <ol>
     *   <li>the certificates are equal;</li>
     *   <li>both carry subject alternative names and share at least one type-7 (iPAddress)
     *       value, compared case-insensitively;</li>
     *   <li>both carry subject alternative names and share at least one type-2 (dNSName)
     *       value, compared case-insensitively;</li>
     *   <li>both subjects are non-empty and equal, and both issuers are equal.</li>
     * </ol>
     *
     * <p>This is an equivalence heuristic, not pinning: a single overlapping name is enough, and
     * no key or signature is compared here. A SAN extension that fails to parse is logged and
     * treated as absent.
     */
    private static boolean a(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate.equals(x509Certificate2)) {
            return true;
        }
        Collection<List<?>> firstSans = subjectAltNamesOrNull(x509Certificate);
        Collection<List<?>> secondSans = subjectAltNamesOrNull(x509Certificate2);
        if (firstSans != null && secondSans != null) {
            // IP addresses are compared first, then DNS names.
            Collection firstIps = a(firstSans, 7);
            Collection secondIps = a(secondSans, 7);
            if (firstIps != null && secondIps != null && a(firstIps, secondIps)) {
                return true;
            }
            Collection firstDns = a(firstSans, 2);
            Collection secondDns = a(secondSans, 2);
            if (firstDns != null && secondDns != null && a(firstDns, secondDns)) {
                return true;
            }
        }
        // Fallback: same non-empty subject and same issuer.
        X500Principal firstSubject = x509Certificate.getSubjectX500Principal();
        X500Principal secondSubject = x509Certificate2.getSubjectX500Principal();
        if (firstSubject.getName().isEmpty() || secondSubject.getName().isEmpty()) {
            return false;
        }
        if (!firstSubject.equals(secondSubject)) {
            return false;
        }
        return x509Certificate.getIssuerX500Principal().equals(x509Certificate2.getIssuerX500Principal());
    }

    /** Returns the certificate's subject alternative names, or {@code null} after logging a parse failure. */
    private static Collection<List<?>> subjectAltNamesOrNull(X509Certificate certificate) {
        try {
            return certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            SSLLogger.subThrown("Attempt to obtain subjectAltNames extension failed!", e);
            return null;
        }
    }

    /**
     * Reports whether the two collections share at least one string, ignoring case.
     *
     * <p>Elements of both collections are cast to {@code String}. The comparison stops at the
     * first match.
     *
     * @return {@code true} if some element of {@code collection} equals some element of
     *     {@code collection2} case-insensitively; {@code false} otherwise, including when either
     *     collection is empty
     */
    private static boolean a(Collection collection, Collection collection2) {
        for (Object left : collection) {
            String candidate = (String) left;
            for (Object right : collection2) {
                if (candidate.equalsIgnoreCase((String) right)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Builds and sends the client's own {@code cl_58} (Finished) message.
     *
     * <p>The message is created with side selector 1 (the server's message is verified with 2)
     * and handed to the inherited {@code a(message, flag)}. When {@code f19301c} is set, the
     * message's {@code b()} value is kept in {@code f19302d}, which {@code a()} later attaches to
     * the hello message.
     *
     * @param z10 passed through to the inherited send routine; its meaning is defined there
     */
    private void c(boolean z10) {
        cl_58 clientFinished = new cl_58(this.f19295a, this.f19318t, 1, this.A.a(), this.B);
        a(clientFinished, z10);
        if (this.f19301c) {
            this.f19302d = clientFinished.b();
        }
        // 19 is one below handshake type 20, so the dispatcher's sequence check still accepts
        // a type-20 message from the server after this point.
        this.f19321w = 19;
    }

    /**
     * Builds the first client handshake message ({@code cl_54}) and decides whether to offer
     * resumption of a cached session.
     *
     * <p>Order of decisions visible in the body: look up a cached session; remember its peer
     * chain for the later certificate-change check; drop the session if it is not resumable, if
     * its cipher suite or protocol is no longer enabled, or if the resumption policy flags reject
     * it; narrow the offered cipher suites; then attach the optional parts of the message
     * (signature algorithms, server names and others).
     *
     * <p>Obfuscated flags and constants are described only as far as log strings or usage in
     * this file support; anything marked "presumably" needs confirmation in {@code cl_66},
     * {@code cl_87} or {@code SSLSessionImpl}.
     *
     * @return the populated {@code cl_54} message
     * @throws SSLHandshakeException (thrown in the body) when no session can be reused although
     *     creating a new one is not allowed, when no offered cipher suite is usable, or when no
     *     signature algorithm is available
     */
    @Override // ru.CryptoPro.ssl.cl_66
    cl_50 a() {
        String str;
        SSLSessionImpl sSLSessionImpl;
        String h10;
        // Default session id for the hello; replaced by the cached session's id on resumption.
        cl_109 f10 = SSLSessionImpl.f18738a.f();
        // Cipher-suite list to offer; narrowed further down.
        cl_16 n10 = n();
        this.f19030aa = this.f19295a;
        // Look up a cached client session keyed by b() and d() (presumably peer host and port).
        SSLSessionImpl a10 = ((SSLSessionContextImpl) this.f19322x.engineGetClientSessionContext()).a(b(), d());
        this.A = a10;
        if (a10 != null) {
            StringBuilder sb2 = new StringBuilder();
            sb2.append("%% Client cached ");
            sb2.append(this.A);
            sb2.append(" ");
            sb2.append(this.A.d() ? "" : " (not rejoinable)");
            str = sb2.toString();
        } else {
            str = "%% No cached client session";
        }
        SSLLogger.finer(str);
        SSLSessionImpl sSLSessionImpl2 = this.A;
        if (sSLSessionImpl2 != null) {
            // Unless jdk.tls.allowUnsafeServerCertChange is true, keep the cached session's peer
            // chain so the certificate handler can compare the next leaf against it. j() is
            // presumably "this session was itself established by resumption" - confirm.
            if (!f19029ac && sSLSessionImpl2.j()) {
                try {
                    this.ag = (X509Certificate[]) this.A.getPeerCertificates();
                } catch (SSLPeerUnverifiedException unused) {
                    // Deliberately ignored: with no peer certificates ag stays null, which leaves
                    // the certificate-change check unarmed for this handshake.
                }
            }
            // A session that is not resumable is dropped only after its chain was recorded.
            if (!this.A.d()) {
                this.A = null;
            }
        }
        SSLSessionImpl sSLSessionImpl3 = this.A;
        boolean z10 = false;
        if (sSLSessionImpl3 != null) {
            cl_10 i10 = sSLSessionImpl3.i();
            cl_87 k10 = this.A.k();
            // The cached cipher suite and protocol must both still be enabled.
            if (!b(i10)) {
                SSLLogger.fine("%% can't resume, unavailable cipher");
                this.A = null;
            }
            if (this.A != null && !c(k10)) {
                SSLLogger.fine("%% can't resume, protocol disabled");
                this.A = null;
            }
            SSLSessionImpl sSLSessionImpl4 = this.A;
            // Resumption policy gated by cl_66.J. Presumably J is "extended master secret
            // enabled", A.b() is "session used it", L is "legacy resumption allowed" and f19395f
            // is the lowest protocol version that supports it - confirm in cl_66 / cl_87.
            if (sSLSessionImpl4 != null && cl_66.J) {
                boolean z11 = k10.f19404n >= cl_87.f19395f.f19404n;
                if (z11 && !sSLSessionImpl4.b() && !cl_66.L) {
                    this.A = null;
                }
                // With server-certificate change disallowed and no endpoint identification
                // algorithm configured, only a session with the b() flag set (and a version at or
                // above f19395f) is offered for resumption.
                if (this.A != null && !f19029ac && (((h10 = h()) == null || h10.length() == 0) && (!z11 || !this.A.b()))) {
                    this.A = null;
                }
            }
            // The endpoint identification algorithm requested now must equal the one recorded
            // on the cached session.
            String h11 = h();
            SSLSessionImpl sSLSessionImpl5 = this.A;
            if (sSLSessionImpl5 != null && h11 != null) {
                String c10 = sSLSessionImpl5.c();
                if (!h11.equals(c10)) {
                    SSLLogger.fine("%% can't resume, endpoint id algorithm does not match, requested: " + h11 + ", cached: " + c10);
                    this.A = null;
                }
            }
            if (this.A != null) {
                SSLLogger.finer("%% Try resuming " + this.A + " from port " + e());
                f10 = this.A.f();
                cl_87 cl_87Var = this.f19030aa;
                // Offer the cached session's protocol version.
                this.f19030aa = k10;
                if (cl_87Var != k10) {
                    // Version changed: keep only suites whose two version bounds (f18871m,
                    // f18872n) bracket the session's version.
                    ArrayList arrayList = new ArrayList(2);
                    for (cl_10 cl_10Var : n10.c()) {
                        int i11 = cl_10Var.f18871m;
                        int i12 = this.f19030aa.f19404n;
                        if (i11 > i12 && cl_10Var.f18872n <= i12) {
                            arrayList.add(cl_10Var);
                        }
                    }
                    n10 = new cl_16(arrayList);
                }
                a(k10);
            }
            // E false means a new session may not be created (see the exception messages), so
            // only the cached suite is offered, plus cl_10.K when f19301c is false.
            if (!this.E) {
                if (this.A == null) {
                    throw new SSLHandshakeException("Can't reuse existing SSL client session");
                }
                ArrayList arrayList2 = new ArrayList(2);
                arrayList2.add(i10);
                if (!this.f19301c) {
                    cl_10 cl_10Var2 = cl_10.K;
                    if (n10.a(cl_10Var2)) {
                        arrayList2.add(cl_10Var2);
                    }
                }
                n10 = new cl_16(arrayList2);
            }
        }
        if (this.A == null && !this.E) {
            throw new SSLHandshakeException("No existing session to resume");
        }
        // When f19301c is set, cl_10.K is removed from the offer. Presumably K is the
        // renegotiation-signalling suite and f19301c the secure-renegotiation flag - confirm.
        if (this.f19301c && n10.a(cl_10.K)) {
            ArrayList arrayList3 = new ArrayList(n10.d() - 1);
            for (cl_10 cl_10Var3 : n10.c()) {
                if (cl_10Var3 != cl_10.K) {
                    arrayList3.add(cl_10Var3);
                }
            }
            n10 = new cl_16(arrayList3);
        }
        // At least one offered suite must pass b(...); otherwise there is nothing to negotiate.
        Iterator it = n10.c().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (b((cl_10) it.next())) {
                z10 = true;
                break;
            }
        }
        if (!z10) {
            throw new SSLHandshakeException("No negotiable cipher suite");
        }
        cl_54 cl_54Var = new cl_54(this.f19322x.a(), this.f19030aa, f10, n10);
        // From version f19397h upward, the locally supported signature algorithms are attached;
        // an empty list aborts the handshake.
        if (this.f19030aa.f19404n >= cl_87.f19397h.f19404n) {
            Collection i13 = i();
            if (i13.isEmpty()) {
                throw new SSLHandshakeException("No supported signature algorithm");
            }
            cl_54Var.a(i13);
        }
        // Extension gated by cl_66.J: requested for a fresh handshake when n10.g() holds, or on
        // resumption when the cached session has the b() flag. N records that it was requested.
        if (cl_66.J && this.f19030aa.f19404n >= cl_87.f19395f.f19404n && ((this.A == null && n10.g()) || ((sSLSessionImpl = this.A) != null && sSLSessionImpl.b()))) {
            cl_54Var.g();
            this.N = true;
        }
        // Extension gated by cl_66.K (the same flag guards new_session_ticket handling): carries
        // the cached session's g() value, or null when there is no session. O records the request.
        if (cl_66.K && this.f19030aa.f19404n >= cl_87.f19395f.f19404n) {
            SSLSessionImpl sSLSessionImpl6 = this.A;
            cl_54Var.b(sSLSessionImpl6 != null ? sSLSessionImpl6.g() : null);
            this.O = true;
        }
        // Server names: taken from the cached session on resumption, else from f19310l. Skipped
        // entirely when jsse.enableSNIExtension is false.
        if (f19028ab) {
            SSLSessionImpl sSLSessionImpl7 = this.A;
            this.ae = sSLSessionImpl7 != null ? sSLSessionImpl7.getRequestedServerNames() : this.f19310l;
            if (!this.ae.isEmpty()) {
                cl_54Var.a(this.ae);
            }
        }
        // Optional string-array extension (presumably application protocols - confirm).
        String[] strArr = this.f19312n;
        if (strArr != null && strArr.length > 0) {
            cl_54Var.a(strArr);
            this.f19031ad = true;
        }
        // Keep the message's f19245r value; it is later passed to the server key exchange check.
        this.f19323y = cl_54Var.f19245r;
        // Attach f19302d (the value saved from the client's previous Finished) when f19301c is
        // set or when cl_10.K is not among the offered suites.
        if (this.f19301c || !n10.a(cl_10.K)) {
            cl_54Var.a(this.f19302d);
        }
        return cl_54Var;
    }

    /**
     * Reacts to a handshake alert: logs its description and aborts.
     *
     * @param b10 alert code, turned into text by {@code cl_3.a(byte)}
     * @throws SSLProtocolException always (thrown in the body)
     */
    @Override // ru.CryptoPro.ssl.cl_66
    void a(byte b10) {
        String description = cl_3.a(b10);
        SSLLogger.fine("SSL - handshake alert: ", description);
        StringBuilder message = new StringBuilder("handshake alert:  ");
        message.append(description);
        throw new SSLProtocolException(message.toString());
    }

    /**
     * Dispatches one incoming handshake message to its handler and advances the recorded
     * handshake state.
     *
     * <p>Message types handled (TLS handshake type numbers): 0 hello request, 2 server hello,
     * 4 new session ticket, 11 certificate, 12 server key exchange, 13 certificate request,
     * 14 server hello done, 20 finished. Any other type is a protocol error.
     *
     * <p>NOTE(review): the handlers for types 2 and 14 were not decompiled in this listing, so
     * what the dispatcher forwards to them cannot be followed here.
     *
     * @param b10 handshake message type
     * @param i10 value passed on to some message constructors (presumably the message length -
     *     confirm)
     * @throws SSLProtocolException (thrown in the body) on an out-of-order or unknown message,
     *     or on a server key exchange that the selected key exchange does not allow
     * @throws SSLHandshakeException (thrown in the body) on an unacceptable certificate request
     */
    @Override // ru.CryptoPro.ssl.cl_66
    void a(byte b10, int i10) {
        // Ordering check: a message whose type is not above the highest type processed so far
        // (f19321w) is rejected. Types 0 and 4 are exempt from this check.
        if (this.f19321w >= b10 && b10 != 0 && b10 != 4) {
            throw new SSLProtocolException("Handshake message sequence violation, " + ((int) b10));
        }
        if (b10 == 0) {
            a(new cl_59(this.f19319u));
        } else if (b10 == 2) {
            a(new cl_62(this.f19319u, i10));
        } else if (b10 == 4) {
            a(new cl_60(this.f19319u, i10));
        } else if (b10 != 20) {
            switch (b10) {
                case 11:
                    // A certificate chain is not expected for these four key exchanges (the
                    // type-13 branch names the same constants as anonymous and kerberos).
                    // 10 is the TLS alert code for unexpected_message.
                    cl_13 cl_13Var = this.C;
                    if (cl_13Var == cl_13.f18993h || cl_13Var == cl_13.f18998m || cl_13Var == cl_13.f18999n || cl_13Var == cl_13.f19000o) {
                        a((byte) 10, "unexpected server cert chain");
                    }
                    a(new cl_51(this.f19319u));
                    // The leaf certificate's key is used to check later server key exchange
                    // messages.
                    this.T = this.A.getPeerCertificates()[0].getPublicKey();
                    break;
                case 12:
                    // Remember that a server key exchange was received; the certificate handler
                    // reads Z.
                    this.Z = true;
                    try {
                        // cl_20.f19034a is a compiler-generated switch map for the cl_13 enum, so
                        // the case labels below are map indices, not protocol constants.
                        switch (cl_20.f19034a[this.C.ordinal()]) {
                            case 1:
                                // RSA branch: requires a certificate with an RSA key longer than
                                // 512 bits before the message is processed.
                                PublicKey publicKey = this.T;
                                if (publicKey == null) {
                                    throw new SSLProtocolException("Server did not send certificate message");
                                }
                                if (!(publicKey instanceof RSAPublicKey)) {
                                    throw new SSLProtocolException("Protocol violation: the certificate type must be appropriate for the selected cipher suite's key exchange algorithm");
                                }
                                if (cl_76.a(publicKey) <= 512) {
                                    throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.C + " when the public key in the server certificate is less than or equal to 512 bits in length");
                                }
                                a(new cl_61(this.f19319u));
                                break;
                            case 2:
                                // cl_55 built without the certificate key or the two f19428a
                                // values (presumably the unauthenticated variant - confirm).
                                a(new cl_55(this.f19319u, this.f19295a));
                                break;
                            case 3:
                            case 4:
                                // cl_55 built with the certificate key T, both f19428a values and
                                // the signature algorithms from i().
                                a(new cl_55(this.f19319u, this.T, this.f19323y.f19428a, this.f19324z.f19428a, i10, i(), this.f19295a));
                                break;
                            case 5:
                            case 6:
                            case 7:
                                // Elliptic-curve variant, built with the same inputs except i10.
                                a(new cl_57(this.f19319u, this.T, this.f19323y.f19428a, this.f19324z.f19428a, i(), this.f19295a));
                                break;
                            case 8:
                            case 9:
                            case 10:
                            case 11:
                            case 12:
                                // Key exchanges for which a server key exchange message is a
                                // protocol violation.
                                throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.C);
                            case 13:
                            case 14:
                                throw new SSLProtocolException("unexpected receipt of server key exchange algorithm");
                            default:
                                throw new SSLProtocolException("unsupported key exchange algorithm = " + this.C);
                        }
                        break;
                    } catch (GeneralSecurityException e10) {
                        // Passed to the inherited static a(String, Throwable), which presumably
                        // rethrows it as a handshake failure - confirm in cl_66.
                        cl_66.a("Server key", e10);
                        break;
                    }
                case 13:
                    // A certificate request is rejected for anonymous and kerberos key exchanges.
                    cl_13 cl_13Var2 = this.C;
                    if (cl_13Var2 == cl_13.f18993h || cl_13Var2 == cl_13.f18998m) {
                        throw new SSLHandshakeException("Client authentication requested for anonymous cipher suite.");
                    }
                    if (cl_13Var2 == cl_13.f18999n || cl_13Var2 == cl_13.f19000o) {
                        throw new SSLHandshakeException("Client certificate requested for kerberos cipher suite.");
                    }
                    cl_52 cl_52Var = new cl_52(this.f19319u, this.f19295a);
                    this.Y = cl_52Var;
                    cl_52Var.f();
                    // From version f19397h upward, the peer's signature algorithms are
                    // intersected with the local constraints; an empty result aborts.
                    if (this.f19295a.f19404n >= cl_87.f19397h.f19404n) {
                        Collection g10 = this.Y.g();
                        if (g10 == null || g10.isEmpty()) {
                            throw new SSLHandshakeException("No peer supported signature algorithms");
                        }
                        Collection a10 = cl_112.a(this.f19306h, g10);
                        if (!a10.isEmpty()) {
                            a(a10);
                            this.A.a(a10);
                            break;
                        } else {
                            throw new SSLHandshakeException("No supported signature and hash algorithm in common");
                        }
                    }
                    break;
                case 14:
                    a(new cl_63(this.f19319u));
                    break;
                default:
                    throw new SSLProtocolException("Illegal client handshake msg, " + ((int) b10));
            }
        } else {
            // Type 20 (finished). 40 is the TLS alert code for handshake_failure.
            // A session ticket that is still outstanding (P) is an error.
            if (cl_66.K && this.P) {
                a((byte) 40, "Server didn't send the new_session_ticket");
            }
            // The finished message is accepted only when g() is true, i.e. (per the alert text)
            // after a ChangeCipherSpec was received.
            if (!g()) {
                a((byte) 40, "Received Finished message before ChangeCipherSpec");
            }
            a(new cl_58(this.f19295a, this.f19319u, this.B));
        }
        // Record the highest message type processed, for the ordering check above.
        if (this.f19321w < b10) {
            this.f19321w = b10;
        }
    }
}
