package net.luminis.tls.handshake;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import net.luminis.tls.CertificateWithPrivateKey;
import net.luminis.tls.DefaultHostnameVerifier;
import net.luminis.tls.HostnameVerifier;
import net.luminis.tls.Logger;
import net.luminis.tls.NewSessionTicket;
import net.luminis.tls.ProtectionKeysType;
import net.luminis.tls.TlsConstants;
import net.luminis.tls.TlsProtocolException;
import net.luminis.tls.TlsState;
import net.luminis.tls.TranscriptHash;
import net.luminis.tls.alert.BadCertificateAlert;
import net.luminis.tls.alert.CertificateUnknownAlert;
import net.luminis.tls.alert.DecryptErrorAlert;
import net.luminis.tls.alert.ErrorAlert;
import net.luminis.tls.alert.HandshakeFailureAlert;
import net.luminis.tls.alert.IllegalParameterAlert;
import net.luminis.tls.alert.MissingExtensionAlert;
import net.luminis.tls.alert.UnexpectedMessageAlert;
import net.luminis.tls.alert.UnsupportedExtensionAlert;
import net.luminis.tls.extension.CertificateAuthoritiesExtension;
import net.luminis.tls.extension.ClientHelloPreSharedKeyExtension;
import net.luminis.tls.extension.Extension;
import net.luminis.tls.extension.KeyShareExtension;
import net.luminis.tls.extension.PreSharedKeyExtension;
import net.luminis.tls.extension.ServerPreSharedKeyExtension;
import net.luminis.tls.extension.SignatureAlgorithmsExtension;
import net.luminis.tls.extension.SupportedVersionsExtension;
import net.luminis.tls.extension.UnknownExtension;
import net.luminis.tls.handshake.ClientHello;

/* loaded from: input_file:net/luminis/tls/handshake/TlsClientEngine.class */
public class TlsClientEngine extends TlsEngine implements ClientMessageProcessor {
    public static final List<TlsConstants.SignatureScheme> AVAILABLE_SIGNATURES = List.of(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.rsa_pss_rsae_sha384, TlsConstants.SignatureScheme.rsa_pss_rsae_sha512, TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256);
    private static final Charset ISO_8859_1 = Charset.forName("ISO-8859-1");
    private final ClientMessageSender sender;
    private final TlsStatusEventHandler statusHandler;
    private String serverName;
    private boolean compatibilityMode;
    private TlsConstants.NamedGroup ecCurve;
    private TlsConstants.CipherSuite selectedCipher;
    private List<Extension> sentExtensions;
    private ClientHello clientHello;
    private TranscriptHash transcriptHash;
    private List<TlsConstants.SignatureScheme> supportedSignatures;
    private X509Certificate serverCertificate;
    private X509TrustManager customTrustManager;
    private NewSessionTicket newSessionTicket;
    private boolean clientAuthRequested;
    private List<X500Principal> clientCertificateAuthorities;
    private List<TlsConstants.SignatureScheme> serverSupportedSignatureSchemes;
    private Status status = Status.Start;
    private List<X509Certificate> serverCertificateChain = Collections.emptyList();
    private boolean pskAccepted = false;
    private List<TlsConstants.CipherSuite> supportedCiphers = new ArrayList();
    private List<Extension> requestedExtensions = new ArrayList();
    private HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
    private List<NewSessionTicket> obtainedNewSessionTickets = new ArrayList();
    private Function<List<X500Principal>, CertificateWithPrivateKey> clientCertificateSelector = list -> {
        return null;
    };

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:net/luminis/tls/handshake/TlsClientEngine$Status.class */
    public enum Status {
        Start,
        WaitServerHello,
        WaitEncryptedExtensions,
        WaitCertificateRequest,
        WaitCertificate,
        WaitCertificateVerify,
        WaitFinished,
        Connected
    }

    public TlsClientEngine(ClientMessageSender clientMessageSender, TlsStatusEventHandler tlsStatusEventHandler) {
        this.sender = clientMessageSender;
        this.statusHandler = tlsStatusEventHandler;
    }

    public void startHandshake() throws IOException {
        startHandshake(TlsConstants.NamedGroup.secp256r1, List.of(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256));
    }

    public void startHandshake(TlsConstants.NamedGroup namedGroup) throws IOException {
        startHandshake(namedGroup, List.of(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256));
    }

    public void startHandshake(TlsConstants.NamedGroup namedGroup, List<TlsConstants.SignatureScheme> list) throws IOException {
        List<Extension> list2;
        if (this.status != Status.Start) {
            throw new IllegalStateException("Handshake already started");
        }
        if (!KeyShareExtension.supportedCurves.contains(namedGroup)) {
            throw new IllegalArgumentException("Named group " + namedGroup + " not supported");
        }
        if (list.stream().anyMatch(signatureScheme -> {
            return !AVAILABLE_SIGNATURES.contains(signatureScheme);
        })) {
            ArrayList arrayList = new ArrayList(list);
            arrayList.removeAll(AVAILABLE_SIGNATURES);
            throw new IllegalArgumentException("Unsupported signature scheme(s): " + arrayList);
        }
        if (this.newSessionTicket != null && !this.supportedCiphers.contains(this.newSessionTicket.getCipher())) {
            throw new IllegalStateException("For session resumption, support ciphers should contain the cipher used with the session-to-resume (" + this.newSessionTicket.getCipher().toString() + ")");
        }
        this.supportedSignatures = list;
        this.ecCurve = namedGroup;
        generateKeys(namedGroup);
        if (this.serverName == null || this.supportedCiphers.isEmpty()) {
            throw new IllegalStateException("not all mandatory properties are set");
        }
        if (this.newSessionTicket != null) {
            list2 = new ArrayList();
            list2.addAll(this.requestedExtensions);
            list2.add(new ClientHelloPreSharedKeyExtension(this.newSessionTicket));
            TlsConstants.CipherSuite cipher = this.newSessionTicket.getCipher();
            this.transcriptHash = new TranscriptHash(hashLength(cipher));
            this.state = new TlsState(this.transcriptHash, this.newSessionTicket.getPSK(), keyLength(cipher), hashLength(cipher));
        } else {
            list2 = this.requestedExtensions;
        }
        this.clientHello = new ClientHello(this.serverName, this.publicKey, this.compatibilityMode, this.supportedCiphers, this.supportedSignatures, namedGroup, list2, this.state, ClientHello.PskKeyEstablishmentMode.PSKwithDHE);
        this.sentExtensions = this.clientHello.getExtensions();
        if (this.state != null) {
            this.transcriptHash.record(this.clientHello);
            this.state.computeEarlyTrafficSecret();
            this.statusHandler.earlySecretsKnown();
        }
        this.sender.send(this.clientHello);
        this.status = Status.WaitServerHello;
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(ServerHello serverHello, ProtectionKeysType protectionKeysType) throws MissingExtensionAlert, IllegalParameterAlert {
        if (this.status != Status.WaitServerHello) {
            return;
        }
        boolean anyMatch = serverHello.getExtensions().stream().anyMatch(extension -> {
            return extension instanceof SupportedVersionsExtension;
        });
        boolean anyMatch2 = serverHello.getExtensions().stream().anyMatch(extension2 -> {
            return (extension2 instanceof PreSharedKeyExtension) || (extension2 instanceof KeyShareExtension);
        });
        if (!anyMatch || !anyMatch2) {
            throw new MissingExtensionAlert();
        }
        if (((Short) serverHello.getExtensions().stream().filter(extension3 -> {
            return extension3 instanceof SupportedVersionsExtension;
        }).map(extension4 -> {
            return Short.valueOf(((SupportedVersionsExtension) extension4).getTlsVersion());
        }).findFirst().get()).shortValue() != 772) {
            throw new IllegalParameterAlert("invalid tls version");
        }
        if (serverHello.getExtensions().stream().filter(this::recognizedExtension).anyMatch(extension5 -> {
            return ((extension5 instanceof SupportedVersionsExtension) || (extension5 instanceof PreSharedKeyExtension) || (extension5 instanceof KeyShareExtension)) ? false : true;
        })) {
            throw new IllegalParameterAlert("illegal extension in server hello");
        }
        Optional<Extension> findFirst = serverHello.getExtensions().stream().filter(extension6 -> {
            return extension6 instanceof KeyShareExtension;
        }).findFirst();
        Optional empty = Optional.empty();
        if (findFirst.isPresent()) {
            empty = Optional.of((KeyShareExtension.KeyShareEntry) findFirst.filter(extension7 -> {
                return !((KeyShareExtension) extension7).getKeyShareEntries().isEmpty();
            }).map(extension8 -> {
                return ((KeyShareExtension) extension8).getKeyShareEntries().get(0);
            }).orElseThrow(() -> {
                return new IllegalParameterAlert("");
            }));
            if (((KeyShareExtension.KeyShareEntry) empty.get()).getNamedGroup() != this.ecCurve) {
                throw new IllegalParameterAlert("server supplied key share does not match client supported named group");
            }
        }
        Optional<Extension> findFirst2 = serverHello.getExtensions().stream().filter(extension9 -> {
            return extension9 instanceof ServerPreSharedKeyExtension;
        }).findFirst();
        if (empty.isEmpty() && findFirst2.isEmpty()) {
            throw new MissingExtensionAlert(" either the pre_shared_key extension or the key_share extension must be present");
        }
        if (findFirst2.isPresent()) {
            this.pskAccepted = true;
        }
        if (!this.supportedCiphers.contains(serverHello.getCipherSuite())) {
            throw new IllegalParameterAlert("cipher suite does not match");
        }
        this.selectedCipher = serverHello.getCipherSuite();
        if (this.state == null) {
            this.transcriptHash = new TranscriptHash(hashLength(this.selectedCipher));
            this.state = new TlsState(this.transcriptHash, keyLength(this.selectedCipher), hashLength(this.selectedCipher));
            this.transcriptHash.record(this.clientHello);
            this.state.computeEarlyTrafficSecret();
            this.statusHandler.earlySecretsKnown();
        }
        if (findFirst2.isPresent()) {
            this.state.setPskSelected(((ServerPreSharedKeyExtension) findFirst2.get()).getSelectedIdentity());
            Logger.debug("Server has accepted PSK key establishment");
        } else {
            this.state.setNoPskSelected();
        }
        if (empty.isPresent()) {
            this.state.setOwnKey(this.privateKey);
            this.state.setPeerKey(((KeyShareExtension.KeyShareEntry) empty.get()).getKey());
            this.state.computeSharedSecret();
        }
        this.transcriptHash.record(serverHello);
        this.state.computeHandshakeSecrets();
        this.status = Status.WaitEncryptedExtensions;
        this.statusHandler.handshakeSecretsKnown();
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(EncryptedExtensions encryptedExtensions, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitEncryptedExtensions) {
            throw new UnexpectedMessageAlert("unexpected encrypted extensions message");
        }
        List list = (List) this.sentExtensions.stream().map(extension -> {
            return extension.getClass();
        }).collect(Collectors.toList());
        if (!encryptedExtensions.getExtensions().stream().filter(extension2 -> {
            return !(extension2 instanceof UnknownExtension);
        }).allMatch(extension3 -> {
            return list.contains(extension3.getClass());
        })) {
            throw new UnsupportedExtensionAlert("extension response to missing request");
        }
        if (((Set) encryptedExtensions.getExtensions().stream().map(extension4 -> {
            return extension4.getClass();
        }).collect(Collectors.toSet())).size() != encryptedExtensions.getExtensions().size()) {
            throw new UnsupportedExtensionAlert("duplicate extensions not allowed");
        }
        this.transcriptHash.record(encryptedExtensions);
        this.status = this.pskAccepted ? Status.WaitFinished : Status.WaitCertificateRequest;
        this.statusHandler.extensionsReceived(encryptedExtensions.getExtensions());
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateMessage certificateMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitCertificate && this.status != Status.WaitCertificateRequest) {
            throw new UnexpectedMessageAlert("unexpected certificate message");
        }
        if (certificateMessage.getRequestContext().length > 0) {
            throw new IllegalParameterAlert("certificate request context should be zero length");
        }
        if (certificateMessage.getEndEntityCertificate() == null) {
            throw new IllegalParameterAlert("missing certificate");
        }
        this.serverCertificate = certificateMessage.getEndEntityCertificate();
        this.serverCertificateChain = certificateMessage.getCertificateChain();
        this.transcriptHash.recordServer(certificateMessage);
        this.status = Status.WaitCertificateVerify;
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitCertificateVerify) {
            throw new UnexpectedMessageAlert("unexpected certificate verify message");
        }
        TlsConstants.SignatureScheme signatureScheme = certificateVerifyMessage.getSignatureScheme();
        if (signatureScheme == null || !this.supportedSignatures.contains(signatureScheme)) {
            throw new IllegalParameterAlert("signature scheme does not match");
        }
        if (!verifySignature(certificateVerifyMessage.getSignature(), signatureScheme, this.serverCertificate, this.transcriptHash.getServerHash(TlsConstants.HandshakeType.certificate))) {
            throw new DecryptErrorAlert("signature verification fails");
        }
        checkCertificateValidity(this.serverCertificateChain);
        if (!this.hostnameVerifier.verify(this.serverName, this.serverCertificate)) {
            throw new CertificateUnknownAlert("servername does not match");
        }
        this.transcriptHash.recordServer(certificateVerifyMessage);
        this.status = Status.WaitFinished;
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(FinishedMessage finishedMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitFinished) {
            throw new UnexpectedMessageAlert("unexpected finished message");
        }
        this.transcriptHash.recordServer(finishedMessage);
        if (!Arrays.equals(finishedMessage.getVerifyData(), computeFinishedVerifyData(this.transcriptHash.getServerHash(TlsConstants.HandshakeType.certificate_verify), this.state.getServerHandshakeTrafficSecret()))) {
            throw new DecryptErrorAlert("incorrect finished message");
        }
        if (this.clientAuthRequested) {
            sendClientAuth();
        }
        FinishedMessage finishedMessage2 = new FinishedMessage(computeFinishedVerifyData(this.transcriptHash.getClientHash(TlsConstants.HandshakeType.certificate_verify), this.state.getClientHandshakeTrafficSecret()));
        this.sender.send(finishedMessage2);
        this.transcriptHash.recordClient(finishedMessage2);
        this.state.computeApplicationSecrets();
        this.state.computeResumptionMasterSecret();
        this.status = Status.Connected;
        this.statusHandler.handshakeFinished();
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(NewSessionTicketMessage newSessionTicketMessage, ProtectionKeysType protectionKeysType) throws UnexpectedMessageAlert {
        if (protectionKeysType != ProtectionKeysType.Application) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        NewSessionTicket newSessionTicket = new NewSessionTicket(this.state, newSessionTicketMessage, this.selectedCipher);
        this.obtainedNewSessionTickets.add(newSessionTicket);
        this.statusHandler.newSessionTicketReceived(newSessionTicket);
    }

    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateRequestMessage certificateRequestMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitCertificateRequest) {
            throw new UnexpectedMessageAlert("unexpected certificate request message");
        }
        this.serverSupportedSignatureSchemes = (List) certificateRequestMessage.getExtensions().stream().filter(extension -> {
            return extension instanceof SignatureAlgorithmsExtension;
        }).findFirst().map(extension2 -> {
            return ((SignatureAlgorithmsExtension) extension2).getSignatureAlgorithms();
        }).orElseThrow(() -> {
            return new MissingExtensionAlert();
        });
        this.transcriptHash.record(certificateRequestMessage);
        this.clientCertificateAuthorities = (List) certificateRequestMessage.getExtensions().stream().filter(extension3 -> {
            return extension3 instanceof CertificateAuthoritiesExtension;
        }).findFirst().map(extension4 -> {
            return ((CertificateAuthoritiesExtension) extension4).getAuthorities();
        }).orElse(Collections.emptyList());
        this.clientAuthRequested = true;
        this.status = Status.WaitCertificate;
    }

    protected boolean verifySignature(byte[] bArr, TlsConstants.SignatureScheme signatureScheme, Certificate certificate, byte[] bArr2) throws HandshakeFailureAlert {
        ByteBuffer allocate = ByteBuffer.allocate(64 + "TLS 1.3, server CertificateVerify".getBytes(ISO_8859_1).length + 1 + bArr2.length);
        for (int i = 0; i < 64; i++) {
            allocate.put((byte) 32);
        }
        allocate.put("TLS 1.3, server CertificateVerify".getBytes(ISO_8859_1));
        allocate.put((byte) 0);
        allocate.put(bArr2);
        boolean z = false;
        try {
            Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
            signatureAlgorithm.initVerify(certificate);
            signatureAlgorithm.update(allocate.array());
            z = signatureAlgorithm.verify(bArr);
        } catch (InvalidKeyException e) {
            Logger.debug("Certificate verify: invalid key.");
        } catch (SignatureException e2) {
            Logger.debug("Certificate verify: invalid signature.");
        }
        return z;
    }

    protected void checkCertificateValidity(List<X509Certificate> list) throws BadCertificateAlert {
        try {
            if (this.customTrustManager != null) {
                this.customTrustManager.checkServerTrusted((X509Certificate[]) list.toArray(new X509Certificate[list.size()]), "RSA");
            } else {
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
                trustManagerFactory.init((KeyStore) null);
                ((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).checkServerTrusted((X509Certificate[]) list.toArray(new X509Certificate[list.size()]), "UNKNOWN");
            }
        } catch (KeyStoreException e) {
            throw new RuntimeException("keystore exception");
        } catch (NoSuchAlgorithmException e2) {
            throw new RuntimeException("unsupported trust manager algorithm");
        } catch (CertificateException e3) {
            throw new BadCertificateAlert(extractReason(e3).orElse("certificate validation failed"));
        }
    }

    private void sendClientAuth() throws IOException, ErrorAlert {
        CertificateWithPrivateKey apply = this.clientCertificateSelector.apply(this.clientCertificateAuthorities);
        CertificateMessage certificateMessage = new CertificateMessage(apply != null ? apply.getCertificate() : null);
        this.sender.send(certificateMessage);
        this.transcriptHash.recordClient(certificateMessage);
        if (apply != null) {
            Stream<TlsConstants.SignatureScheme> stream = this.serverSupportedSignatureSchemes.stream();
            List<TlsConstants.SignatureScheme> list = this.supportedSignatures;
            Objects.requireNonNull(list);
            TlsConstants.SignatureScheme orElseThrow = stream.filter((v1) -> {
                return r1.contains(v1);
            }).filter(signatureScheme -> {
                return certificateSupportsSignature(apply.getCertificate(), signatureScheme);
            }).findFirst().orElseThrow(() -> {
                return new HandshakeFailureAlert("failed to negotiate signature scheme");
            });
            CertificateVerifyMessage certificateVerifyMessage = new CertificateVerifyMessage(orElseThrow, computeSignature(this.transcriptHash.getClientHash(TlsConstants.HandshakeType.certificate), apply.getPrivateKey(), orElseThrow, true));
            this.sender.send(certificateVerifyMessage);
            this.transcriptHash.recordClient(certificateVerifyMessage);
        }
    }

    private boolean certificateSupportsSignature(X509Certificate x509Certificate, TlsConstants.SignatureScheme signatureScheme) {
        String sigAlgName = x509Certificate.getSigAlgName();
        if (sigAlgName.toLowerCase().contains("withrsa")) {
            return List.of(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.rsa_pss_rsae_sha384).contains(signatureScheme);
        }
        if (sigAlgName.toLowerCase().contains("withecdsa")) {
            return List.of(TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256).contains(signatureScheme);
        }
        return false;
    }

    private Optional<String> extractReason(CertificateException certificateException) {
        Throwable cause = certificateException.getCause();
        return cause instanceof CertPathValidatorException ? Optional.of(cause.getMessage() + ": " + ((CertPathValidatorException) cause).getReason()) : cause instanceof CertPathBuilderException ? Optional.of(cause.getMessage()) : Optional.empty();
    }

    public void setServerName(String str) {
        this.serverName = str;
    }

    public void setCompatibilityMode(boolean z) {
        this.compatibilityMode = z;
    }

    public void addSupportedCiphers(List<TlsConstants.CipherSuite> list) {
        this.supportedCiphers.addAll(list);
    }

    public void addExtensions(List<Extension> list) {
        this.requestedExtensions.addAll(list);
    }

    public void add(Extension extension) {
        this.requestedExtensions.add(extension);
    }

    public void setTrustManager(X509TrustManager x509TrustManager) {
        this.customTrustManager = x509TrustManager;
    }

    public void setNewSessionTicket(NewSessionTicket newSessionTicket) {
        this.newSessionTicket = newSessionTicket;
    }

    @Override // net.luminis.tls.handshake.TlsEngine
    public TlsConstants.CipherSuite getSelectedCipher() {
        if (this.selectedCipher != null) {
            return this.selectedCipher;
        }
        throw new IllegalStateException("No (valid) server hello received yet");
    }

    public List<NewSessionTicket> getNewSessionTickets() {
        return this.obtainedNewSessionTickets;
    }

    public List<X509Certificate> getServerCertificateChain() {
        return this.serverCertificateChain;
    }

    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        }
    }

    public boolean handshakeFinished() {
        return this.status == Status.Connected;
    }

    public void setClientCertificateCallback(Function<List<X500Principal>, CertificateWithPrivateKey> function) {
        this.clientCertificateSelector = function;
    }
}
