package sun.security.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.net.Socket;
import java.security.AccessController;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;
import org.glassfish.grizzly.npn.AlpnClientNegotiator;
import org.glassfish.grizzly.npn.ClientSideNegotiator;
import org.glassfish.grizzly.npn.NegotiationSupport;
import sun.security.ssl.CipherSuite;
import sun.security.ssl.HandshakeMessage;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sun/security/ssl/ClientHandshaker.class */
public final class ClientHandshaker extends Handshaker {
    private static final int ALTNAME_DNS = 2;
    private static final int ALTNAME_IP = 7;
    private PublicKey serverKey;
    private PublicKey ephemeralServerKey;
    private BigInteger serverDH;
    private DHCrypt dh;
    private ECDHCrypt ecdh;
    private HandshakeMessage.CertificateRequest certRequest;
    private boolean serverKeyExchangeReceived;
    private ProtocolVersion maxProtocolVersion;
    private static final boolean enableSNIExtension = Debug.getBooleanProperty("jsse.enableSNIExtension", true);
    private static final boolean allowUnsafeServerCertChange = Debug.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
    private List<SNIServerName> requestedServerNames;
    private boolean serverNamesAccepted;
    private X509Certificate[] reservedServerCerts;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: sun.security.ssl.ClientHandshaker$2, reason: invalid class name */
    /* loaded from: input_file:sun/security/ssl/ClientHandshaker$2.class */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange = new int[CipherSuite.KeyExchange.values().length];

        static {
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_RSA_EXPORT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_ANON.ordinal()] = ClientHandshaker.ALTNAME_DNS;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DHE_DSS.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DHE_RSA.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_ECDSA.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_RSA.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_ANON.ordinal()] = ClientHandshaker.ALTNAME_IP;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_RSA.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_RSA.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_DSS.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_ECDSA.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_RSA.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_KRB5.ordinal()] = 13;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_KRB5_EXPORT.ordinal()] = 14;
            } catch (NoSuchFieldError e14) {
            }
        }
    }

    ClientHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, true, true, protocolVersion, z, z2, bArr, bArr2);
        this.requestedServerNames = Collections.emptyList();
        this.serverNamesAccepted = false;
        this.reservedServerCerts = null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, true, true, protocolVersion, z, z2, bArr, bArr2);
        this.requestedServerNames = Collections.emptyList();
        this.serverNamesAccepted = false;
        this.reservedServerCerts = null;
    }

    @Override // sun.security.ssl.Handshaker
    void processMessage(byte b, int i) throws IOException {
        if (this.state >= b && b != 0) {
            throw new SSLProtocolException("Handshake message sequence violation, " + ((int) b));
        }
        switch (b) {
            case 0:
                serverHelloRequest(new HandshakeMessage.HelloRequest(this.input));
                break;
            case 1:
            case 3:
            case 4:
            case 5:
            case 6:
            case ALTNAME_IP /* 7 */:
            case 8:
            case 9:
            case 10:
            case 15:
            case 16:
            case 17:
            case 18:
            case 19:
            default:
                throw new SSLProtocolException("Illegal client handshake msg, " + ((int) b));
            case ALTNAME_DNS /* 2 */:
                serverHello(new HandshakeMessage.ServerHello(this.input, i));
                break;
            case 11:
                if (this.keyExchange == CipherSuite.KeyExchange.K_DH_ANON || this.keyExchange == CipherSuite.KeyExchange.K_ECDH_ANON || this.keyExchange == CipherSuite.KeyExchange.K_KRB5 || this.keyExchange == CipherSuite.KeyExchange.K_KRB5_EXPORT) {
                    fatalSE((byte) 10, "unexpected server cert chain");
                }
                serverCertificate(new HandshakeMessage.CertificateMsg(this.input));
                this.serverKey = this.session.getPeerCertificates()[0].getPublicKey();
                break;
            case 12:
                this.serverKeyExchangeReceived = true;
                switch (AnonymousClass2.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[this.keyExchange.ordinal()]) {
                    case 1:
                        if (this.serverKey != null) {
                            if (!(this.serverKey instanceof RSAPublicKey)) {
                                throw new SSLProtocolException("Protocol violation: the certificate type must be appropriate for the selected cipher suite's key exchange algorithm");
                            }
                            if (JsseJce.getRSAKeyLength(this.serverKey) > 512) {
                                try {
                                    serverKeyExchange(new HandshakeMessage.RSA_ServerKeyExchange(this.input));
                                    break;
                                } catch (GeneralSecurityException e) {
                                    throwSSLException("Server key", e);
                                    break;
                                }
                            } else {
                                throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.keyExchange + " when the public key in the server certificate is less than or equal to 512 bits in length");
                            }
                        } else {
                            throw new SSLProtocolException("Server did not send certificate message");
                        }
                    case ALTNAME_DNS /* 2 */:
                        try {
                            serverKeyExchange(new HandshakeMessage.DH_ServerKeyExchange(this.input, this.protocolVersion));
                            break;
                        } catch (GeneralSecurityException e2) {
                            throwSSLException("Server key", e2);
                            break;
                        }
                    case 3:
                    case 4:
                        try {
                            serverKeyExchange(new HandshakeMessage.DH_ServerKeyExchange(this.input, this.serverKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, i, getLocalSupportedSignAlgs(), this.protocolVersion));
                            break;
                        } catch (GeneralSecurityException e3) {
                            throwSSLException("Server key", e3);
                            break;
                        }
                    case 5:
                    case 6:
                    case ALTNAME_IP /* 7 */:
                        try {
                            serverKeyExchange(new HandshakeMessage.ECDH_ServerKeyExchange(this.input, this.serverKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, getLocalSupportedSignAlgs(), this.protocolVersion));
                            break;
                        } catch (GeneralSecurityException e4) {
                            throwSSLException("Server key", e4);
                            break;
                        }
                    case 8:
                    case 9:
                    case 10:
                    case 11:
                    case 12:
                        throw new SSLProtocolException("Protocol violation: server sent a server key exchange message for key exchange " + this.keyExchange);
                    case 13:
                    case 14:
                        throw new SSLProtocolException("unexpected receipt of server key exchange algorithm");
                    default:
                        throw new SSLProtocolException("unsupported key exchange algorithm = " + this.keyExchange);
                }
            case 13:
                if (this.keyExchange != CipherSuite.KeyExchange.K_DH_ANON && this.keyExchange != CipherSuite.KeyExchange.K_ECDH_ANON) {
                    if (this.keyExchange != CipherSuite.KeyExchange.K_KRB5 && this.keyExchange != CipherSuite.KeyExchange.K_KRB5_EXPORT) {
                        this.certRequest = new HandshakeMessage.CertificateRequest(this.input, this.protocolVersion);
                        if (debug != null && Debug.isOn("handshake")) {
                            this.certRequest.print(System.out);
                        }
                        if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                            Collection<SignatureAndHashAlgorithm> signAlgorithms = this.certRequest.getSignAlgorithms();
                            if (signAlgorithms != null && !signAlgorithms.isEmpty()) {
                                Collection<SignatureAndHashAlgorithm> supportedAlgorithms = SignatureAndHashAlgorithm.getSupportedAlgorithms(this.algorithmConstraints, signAlgorithms);
                                if (!supportedAlgorithms.isEmpty()) {
                                    setPeerSupportedSignAlgs(supportedAlgorithms);
                                    this.session.setPeerSupportedSignatureAlgorithms(supportedAlgorithms);
                                    break;
                                } else {
                                    throw new SSLHandshakeException("No supported signature and hash algorithm in common");
                                }
                            } else {
                                throw new SSLHandshakeException("No peer supported signature algorithms");
                            }
                        }
                    } else {
                        throw new SSLHandshakeException("Client certificate requested for kerberos cipher suite.");
                    }
                } else {
                    throw new SSLHandshakeException("Client authentication requested for anonymous cipher suite.");
                }
                break;
            case 14:
                serverHelloDone(new HandshakeMessage.ServerHelloDone(this.input));
                break;
            case 20:
                if (!receivedChangeCipherSpec()) {
                    fatalSE((byte) 40, "Received Finished message before ChangeCipherSpec");
                }
                serverFinished(new HandshakeMessage.Finished(this.protocolVersion, this.input, this.cipherSuite));
                break;
        }
        if (this.state < b) {
            this.state = b;
        }
    }

    private void serverHelloRequest(HandshakeMessage.HelloRequest helloRequest) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            helloRequest.print(System.out);
        }
        if (this.state < 1) {
            if (this.secureRenegotiation || allowUnsafeRenegotiation) {
                if (!this.secureRenegotiation && debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: continue with insecure renegotiation");
                }
                kickstart();
                return;
            }
            if (this.activeProtocolVersion.v < ProtocolVersion.TLS10.v) {
                fatalSE((byte) 40, "Renegotiation is not allowed");
            } else {
                warningSE((byte) 100);
                this.invalidated = true;
            }
        }
    }

    private void serverHello(HandshakeMessage.ServerHello serverHello) throws IOException {
        NextProtocolNegotiationExtension nextProtocolNegotiationExtension;
        ClientSideNegotiator clientSideNegotiator;
        Subject subject;
        AlpnClientNegotiator alpnClientNegotiator;
        AlpnExtension alpnExtension;
        this.serverKeyExchangeReceived = false;
        if (debug != null && Debug.isOn("handshake")) {
            serverHello.print(System.out);
        }
        ProtocolVersion protocolVersion = serverHello.protocolVersion;
        if (!isNegotiable(protocolVersion)) {
            throw new SSLHandshakeException("Server chose " + protocolVersion + ", but that protocol version is not enabled or not supported by the client.");
        }
        this.handshakeHash.protocolDetermined(protocolVersion);
        setVersion(protocolVersion);
        RenegotiationInfoExtension renegotiationInfoExtension = serverHello.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
        if (renegotiationInfoExtension != null) {
            if (this.isInitialHandshake) {
                if (!renegotiationInfoExtension.isEmpty()) {
                    fatalSE((byte) 40, "The renegotiation_info field is not empty");
                }
                this.secureRenegotiation = true;
            } else {
                if (!this.secureRenegotiation) {
                    fatalSE((byte) 40, "Unexpected renegotiation indication extension");
                }
                byte[] bArr = new byte[this.clientVerifyData.length + this.serverVerifyData.length];
                System.arraycopy(this.clientVerifyData, 0, bArr, 0, this.clientVerifyData.length);
                System.arraycopy(this.serverVerifyData, 0, bArr, this.clientVerifyData.length, this.serverVerifyData.length);
                if (!MessageDigest.isEqual(bArr, renegotiationInfoExtension.getRenegotiatedConnection())) {
                    fatalSE((byte) 40, "Incorrect verify data in ServerHello renegotiation_info message");
                }
            }
        } else if (this.isInitialHandshake) {
            if (!allowLegacyHelloMessages) {
                fatalSE((byte) 40, "Failed to negotiate the use of secure renegotiation");
            }
            this.secureRenegotiation = false;
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println("Warning: No renegotiation indication extension in ServerHello");
            }
        } else if (this.secureRenegotiation) {
            fatalSE((byte) 40, "No renegotiation indication extension");
        }
        this.svr_random = serverHello.svr_random;
        if (!isNegotiable(serverHello.cipherSuite)) {
            fatalSE((byte) 47, "Server selected improper ciphersuite " + serverHello.cipherSuite);
        }
        setCipherSuite(serverHello.cipherSuite);
        if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
            this.handshakeHash.setFinishedAlg(this.cipherSuite.prfAlg.getPRFHashAlg());
            if (this.engine != null && (alpnClientNegotiator = NegotiationSupport.getAlpnClientNegotiator(this.engine)) != null && (alpnExtension = (AlpnExtension) serverHello.extensions.get(ExtensionType.EXT_APPLICATION_LEVEL_PROTOCOL_NEGOTIATION)) != null) {
                alpnClientNegotiator.protocolSelected(this.engine, alpnExtension.protocols[0]);
            }
        }
        if (serverHello.compression_method != 0) {
            fatalSE((byte) 47, "compression type not supported, " + ((int) serverHello.compression_method));
        }
        if (this.session != null) {
            if (this.session.getSessionId().equals(serverHello.sessionId)) {
                CipherSuite suite = this.session.getSuite();
                if (this.cipherSuite != suite) {
                    throw new SSLProtocolException("Server returned wrong cipher suite for session");
                }
                if (this.protocolVersion != this.session.getProtocolVersion()) {
                    throw new SSLProtocolException("Server resumed session with wrong protocol version");
                }
                if (suite.keyExchange == CipherSuite.KeyExchange.K_KRB5 || suite.keyExchange == CipherSuite.KeyExchange.K_KRB5_EXPORT) {
                    Principal localPrincipal = this.session.getLocalPrincipal();
                    try {
                        subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() { // from class: sun.security.ssl.ClientHandshaker.1
                            /* JADX WARN: Can't rename method to resolve collision */
                            @Override // java.security.PrivilegedExceptionAction
                            public Subject run() throws Exception {
                                return Krb5Helper.getClientSubject(ClientHandshaker.this.getAccSE());
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        subject = null;
                        if (debug != null && Debug.isOn("session")) {
                            System.out.println("Attempt to obtain subject failed!");
                        }
                    }
                    if (subject == null) {
                        if (debug != null && Debug.isOn("session")) {
                            System.out.println("Kerberos credentials are not present in the current Subject; check if  javax.security.auth.useSubjectAsCreds system property has been set to false");
                        }
                        throw new SSLProtocolException("Server resumed session with no subject");
                    }
                    if (!subject.getPrincipals(Principal.class).contains(localPrincipal)) {
                        throw new SSLProtocolException("Server resumed session with wrong subject identity");
                    }
                    if (debug != null && Debug.isOn("session")) {
                        System.out.println("Subject identity is same");
                    }
                }
                this.resumingSession = true;
                this.state = 19;
                calculateConnectionKeys(this.session.getMasterSecret());
                if (debug != null && Debug.isOn("session")) {
                    System.out.println("%% Server resumed " + this.session);
                }
            } else {
                this.session.invalidate();
                this.session = null;
                if (!this.enableNewSession) {
                    throw new SSLException("New session creation is disabled");
                }
            }
        }
        if (this.resumingSession && this.session != null) {
            setHandshakeSessionSE(this.session);
            if (this.isInitialHandshake) {
                this.session.setAsSessionResumption(true);
                return;
            }
            return;
        }
        Iterator<HelloExtension> it = serverHello.extensions.list().iterator();
        while (it.hasNext()) {
            ExtensionType extensionType = it.next().type;
            if (extensionType == ExtensionType.EXT_SERVER_NAME) {
                this.serverNamesAccepted = true;
            } else if (extensionType != ExtensionType.EXT_ELLIPTIC_CURVES && extensionType != ExtensionType.EXT_EC_POINT_FORMATS && extensionType != ExtensionType.EXT_SERVER_NAME && extensionType != ExtensionType.EXT_RENEGOTIATION_INFO && extensionType != ExtensionType.EXT_NEXT_PROTOCOL_NEGOTIATION && extensionType != ExtensionType.EXT_APPLICATION_LEVEL_PROTOCOL_NEGOTIATION) {
                fatalSE((byte) 110, "Server sent an unsupported extension: " + extensionType);
            }
        }
        if (this.isInitialHandshake && (nextProtocolNegotiationExtension = (NextProtocolNegotiationExtension) serverHello.extensions.get(ExtensionType.EXT_NEXT_PROTOCOL_NEGOTIATION)) != null && this.engine != null && (clientSideNegotiator = NegotiationSupport.getClientSideNegotiator(this.engine)) != null) {
            if (nextProtocolNegotiationExtension.protocols.isEmpty()) {
                clientSideNegotiator.onNoDeal(this.engine);
            }
            this.selectedProtocol = clientSideNegotiator.selectProtocol(this.engine, nextProtocolNegotiationExtension.protocols);
            if (this.selectedProtocol == null) {
                clientSideNegotiator.onNoDeal(this.engine);
            }
        }
        this.session = new SSLSessionImpl(this.protocolVersion, this.cipherSuite, getLocalSupportedSignAlgs(), serverHello.sessionId, getHostSE(), getPortSE());
        this.session.setRequestedServerNames(this.requestedServerNames);
        setHandshakeSessionSE(this.session);
        if (debug == null || !Debug.isOn("handshake")) {
            return;
        }
        System.out.println("** " + this.cipherSuite);
    }

    private void serverKeyExchange(HandshakeMessage.RSA_ServerKeyExchange rSA_ServerKeyExchange) throws IOException, GeneralSecurityException {
        if (debug != null && Debug.isOn("handshake")) {
            rSA_ServerKeyExchange.print(System.out);
        }
        if (!rSA_ServerKeyExchange.verify(this.serverKey, this.clnt_random, this.svr_random)) {
            fatalSE((byte) 40, "server key exchange invalid");
        }
        this.ephemeralServerKey = rSA_ServerKeyExchange.getPublicKey();
        if (!this.algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), this.ephemeralServerKey)) {
            throw new SSLHandshakeException("RSA ServerKeyExchange does not comply to algorithm constraints");
        }
    }

    private void serverKeyExchange(HandshakeMessage.DH_ServerKeyExchange dH_ServerKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            dH_ServerKeyExchange.print(System.out);
        }
        this.dh = new DHCrypt(dH_ServerKeyExchange.getModulus(), dH_ServerKeyExchange.getBase(), this.sslContext.getSecureRandom());
        this.serverDH = dH_ServerKeyExchange.getServerPublicKey();
        this.dh.checkConstraints(this.algorithmConstraints, this.serverDH);
    }

    private void serverKeyExchange(HandshakeMessage.ECDH_ServerKeyExchange eCDH_ServerKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            eCDH_ServerKeyExchange.print(System.out);
        }
        ECPublicKey publicKey = eCDH_ServerKeyExchange.getPublicKey();
        this.ecdh = new ECDHCrypt(publicKey.getParams(), this.sslContext.getSecureRandom());
        this.ephemeralServerKey = publicKey;
        if (!this.algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), this.ephemeralServerKey)) {
            throw new SSLHandshakeException("ECDH ServerKeyExchange does not comply to algorithm constraints");
        }
    }

    private void serverHelloDone(HandshakeMessage.ServerHelloDone serverHelloDone) throws IOException {
        RSAClientKeyExchange rSAClientKeyExchange;
        SecretKey agreedSecret;
        HandshakeMessage.CertificateVerify certificateVerify;
        PublicKey publicKey;
        X509Certificate[] certificateChain;
        String str;
        if (debug != null && Debug.isOn("handshake")) {
            serverHelloDone.print(System.out);
        }
        this.input.digestNow();
        PrivateKey privateKey = null;
        if (this.certRequest != null) {
            X509ExtendedKeyManager x509KeyManager = this.sslContext.getX509KeyManager();
            ArrayList arrayList = new ArrayList(4);
            for (int i = 0; i < this.certRequest.types.length; i++) {
                switch (this.certRequest.types[i]) {
                    case 1:
                        str = "RSA";
                        break;
                    case ALTNAME_DNS /* 2 */:
                        str = "DSA";
                        break;
                    case 3:
                    case 4:
                    case 5:
                    case 6:
                    case 65:
                    case 66:
                    default:
                        str = null;
                        break;
                    case 64:
                        str = JsseJce.isEcAvailable() ? "EC" : null;
                        break;
                }
                if (str != null && !arrayList.contains(str)) {
                    arrayList.add(str);
                }
            }
            String str2 = null;
            int size = arrayList.size();
            if (size != 0) {
                String[] strArr = (String[]) arrayList.toArray(new String[size]);
                str2 = this.conn != null ? x509KeyManager.chooseClientAlias(strArr, this.certRequest.getAuthorities(), this.conn) : x509KeyManager.chooseEngineClientAlias(strArr, this.certRequest.getAuthorities(), this.engine);
            }
            HandshakeMessage.CertificateMsg certificateMsg = null;
            if (str2 != null && (certificateChain = x509KeyManager.getCertificateChain(str2)) != null && certificateChain.length != 0) {
                PublicKey publicKey2 = certificateChain[0].getPublicKey();
                if ((publicKey2 instanceof ECPublicKey) && !SupportedEllipticCurvesExtension.isSupported(SupportedEllipticCurvesExtension.getCurveIndex(((ECPublicKey) publicKey2).getParams()))) {
                    publicKey2 = null;
                }
                if (publicKey2 != null) {
                    certificateMsg = new HandshakeMessage.CertificateMsg(certificateChain);
                    privateKey = x509KeyManager.getPrivateKey(str2);
                    this.session.setLocalPrivateKey(privateKey);
                    this.session.setLocalCertificates(certificateChain);
                }
            }
            if (certificateMsg == null) {
                if (this.protocolVersion.v >= ProtocolVersion.TLS10.v) {
                    certificateMsg = new HandshakeMessage.CertificateMsg(new X509Certificate[0]);
                } else {
                    warningSE((byte) 41);
                }
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: no suitable certificate found - continuing without client authentication");
                }
            }
            if (certificateMsg != null) {
                if (debug != null && Debug.isOn("handshake")) {
                    certificateMsg.print(System.out);
                }
                certificateMsg.write(this.output);
            }
        }
        switch (AnonymousClass2.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[this.keyExchange.ordinal()]) {
            case 1:
            case 8:
                if (this.serverKey == null) {
                    throw new SSLProtocolException("Server did not send certificate message");
                }
                if (!(this.serverKey instanceof RSAPublicKey)) {
                    throw new SSLProtocolException("Server certificate does not include an RSA key");
                }
                if (this.keyExchange == CipherSuite.KeyExchange.K_RSA) {
                    publicKey = this.serverKey;
                } else if (JsseJce.getRSAKeyLength(this.serverKey) <= 512) {
                    publicKey = this.serverKey;
                } else {
                    if (this.ephemeralServerKey == null) {
                        throw new SSLProtocolException("Server did not send a RSA_EXPORT Server Key Exchange message");
                    }
                    publicKey = this.ephemeralServerKey;
                }
                rSAClientKeyExchange = new RSAClientKeyExchange(this.protocolVersion, this.maxProtocolVersion, this.sslContext.getSecureRandom(), publicKey);
                break;
            case ALTNAME_DNS /* 2 */:
            case 3:
            case 4:
                if (this.dh == null) {
                    throw new SSLProtocolException("Server did not send a DH Server Key Exchange message");
                }
                rSAClientKeyExchange = new DHClientKeyExchange(this.dh.getPublicKey());
                break;
            case 5:
            case 6:
            case ALTNAME_IP /* 7 */:
                if (this.ecdh == null) {
                    throw new SSLProtocolException("Server did not send a ECDH Server Key Exchange message");
                }
                rSAClientKeyExchange = new ECDHClientKeyExchange(this.ecdh.getPublicKey());
                break;
            case 9:
            case 10:
                rSAClientKeyExchange = new DHClientKeyExchange();
                break;
            case 11:
            case 12:
                if (this.serverKey == null) {
                    throw new SSLProtocolException("Server did not send certificate message");
                }
                if (!(this.serverKey instanceof ECPublicKey)) {
                    throw new SSLProtocolException("Server certificate does not include an EC key");
                }
                this.ecdh = new ECDHCrypt(((ECPublicKey) this.serverKey).getParams(), this.sslContext.getSecureRandom());
                rSAClientKeyExchange = new ECDHClientKeyExchange(this.ecdh.getPublicKey());
                break;
            case 13:
            case 14:
                String str3 = null;
                Iterator<SNIServerName> it = this.requestedServerNames.iterator();
                while (true) {
                    if (it.hasNext()) {
                        SNIServerName next = it.next();
                        if (next instanceof SNIHostName) {
                            str3 = ((SNIHostName) next).getAsciiName();
                        }
                    }
                }
                RSAClientKeyExchange rSAClientKeyExchange2 = null;
                if (str3 != null) {
                    try {
                        rSAClientKeyExchange2 = new KerberosClientKeyExchange(str3, getAccSE(), this.protocolVersion, this.sslContext.getSecureRandom());
                    } catch (IOException e) {
                        if (this.serverNamesAccepted) {
                            throw e;
                        }
                        if (debug != null && Debug.isOn("handshake")) {
                            System.out.println("Warning, cannot use Server Name Indication: " + e.getMessage());
                        }
                    }
                }
                if (rSAClientKeyExchange2 == null) {
                    String hostSE = getHostSE();
                    if (hostSE == null) {
                        throw new IOException("Hostname is required to use Kerberos cipher suites");
                    }
                    rSAClientKeyExchange2 = new KerberosClientKeyExchange(hostSE, getAccSE(), this.protocolVersion, this.sslContext.getSecureRandom());
                }
                this.session.setPeerPrincipal(rSAClientKeyExchange2.getPeerPrincipal());
                this.session.setLocalPrincipal(rSAClientKeyExchange2.getLocalPrincipal());
                rSAClientKeyExchange = rSAClientKeyExchange2;
                break;
            default:
                throw new RuntimeException("Unsupported key exchange: " + this.keyExchange);
        }
        if (debug != null && Debug.isOn("handshake")) {
            rSAClientKeyExchange.print(System.out);
        }
        rSAClientKeyExchange.write(this.output);
        this.output.doHashes();
        this.output.flush();
        switch (AnonymousClass2.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[this.keyExchange.ordinal()]) {
            case 1:
            case 8:
                agreedSecret = rSAClientKeyExchange.preMaster;
                break;
            case ALTNAME_DNS /* 2 */:
            case 3:
            case 4:
                agreedSecret = this.dh.getAgreedSecret(this.serverDH, true);
                break;
            case 5:
            case 6:
            case ALTNAME_IP /* 7 */:
                agreedSecret = this.ecdh.getAgreedSecret(this.ephemeralServerKey);
                break;
            case 9:
            case 10:
            default:
                throw new IOException("Internal error: unknown key exchange " + this.keyExchange);
            case 11:
            case 12:
                agreedSecret = this.ecdh.getAgreedSecret(this.serverKey);
                break;
            case 13:
            case 14:
                agreedSecret = new SecretKeySpec(((KerberosClientKeyExchange) rSAClientKeyExchange).getUnencryptedPreMasterSecret(), "TlsPremasterSecret");
                break;
        }
        calculateKeys(agreedSecret, null);
        if (privateKey != null) {
            try {
                SignatureAndHashAlgorithm signatureAndHashAlgorithm = null;
                if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    signatureAndHashAlgorithm = SignatureAndHashAlgorithm.getPreferableAlgorithm(getPeerSupportedSignAlgs(), privateKey.getAlgorithm(), privateKey);
                    if (signatureAndHashAlgorithm == null) {
                        throw new SSLHandshakeException("No supported signature algorithm");
                    }
                    String hashAlgorithmName = SignatureAndHashAlgorithm.getHashAlgorithmName(signatureAndHashAlgorithm);
                    if (hashAlgorithmName == null || hashAlgorithmName.length() == 0) {
                        throw new SSLHandshakeException("No supported hash algorithm");
                    }
                }
                certificateVerify = new HandshakeMessage.CertificateVerify(this.protocolVersion, this.handshakeHash, privateKey, this.session.getMasterSecret(), this.sslContext.getSecureRandom(), signatureAndHashAlgorithm);
            } catch (GeneralSecurityException e2) {
                fatalSE((byte) 40, "Error signing certificate verify", e2);
                certificateVerify = null;
            }
            if (debug != null && Debug.isOn("handshake")) {
                certificateVerify.print(System.out);
            }
            certificateVerify.write(this.output);
            this.output.doHashes();
        }
        sendChangeCipherAndFinish(false);
    }

    private void serverFinished(HandshakeMessage.Finished finished) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            finished.print(System.out);
        }
        if (!finished.verify(this.handshakeHash, ALTNAME_DNS, this.session.getMasterSecret())) {
            fatalSE((byte) 47, "server 'finished' message doesn't verify");
        }
        if (this.secureRenegotiation) {
            this.serverVerifyData = finished.getVerifyData();
        }
        if (!this.isInitialHandshake) {
            this.session.setAsSessionResumption(false);
        }
        if (this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(true);
        }
        this.session.setLastAccessedTime(System.currentTimeMillis());
        if (this.resumingSession) {
            return;
        }
        if (!this.session.isRejoinable()) {
            if (debug == null || !Debug.isOn("session")) {
                return;
            }
            System.out.println("%% Didn't cache non-resumable client session: " + this.session);
            return;
        }
        this.sslContext.engineGetClientSessionContext().put(this.session);
        if (debug == null || !Debug.isOn("session")) {
            return;
        }
        System.out.println("%% Cached client session: " + this.session);
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        HandshakeMessage.Finished finished = new HandshakeMessage.Finished(this.protocolVersion, this.handshakeHash, 1, this.session.getMasterSecret(), this.cipherSuite);
        sendChangeCipherSpec(finished, z);
        if (this.secureRenegotiation) {
            this.clientVerifyData = finished.getVerifyData();
        }
        this.state = 19;
    }

    @Override // sun.security.ssl.Handshaker
    HandshakeMessage getKickstartMessage() throws SSLException {
        SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
        CipherSuiteList activeCipherSuites = getActiveCipherSuites();
        this.maxProtocolVersion = this.protocolVersion;
        this.session = this.sslContext.engineGetClientSessionContext().get(getHostSE(), getPortSE());
        if (debug != null && Debug.isOn("session")) {
            if (this.session != null) {
                System.out.println("%% Client cached " + this.session + (this.session.isRejoinable() ? "" : " (not rejoinable)"));
            } else {
                System.out.println("%% No cached client session");
            }
        }
        if (this.session != null) {
            if (!allowUnsafeServerCertChange && this.session.isSessionResumption()) {
                try {
                    this.reservedServerCerts = (X509Certificate[]) this.session.getPeerCertificates();
                } catch (SSLPeerUnverifiedException e) {
                }
            }
            if (!this.session.isRejoinable()) {
                this.session = null;
            }
        }
        if (this.session != null) {
            CipherSuite suite = this.session.getSuite();
            ProtocolVersion protocolVersion = this.session.getProtocolVersion();
            if (!isNegotiable(suite)) {
                if (debug != null && Debug.isOn("session")) {
                    System.out.println("%% can't resume, unavailable cipher");
                }
                this.session = null;
            }
            if (this.session != null && !isNegotiable(protocolVersion)) {
                if (debug != null && Debug.isOn("session")) {
                    System.out.println("%% can't resume, protocol disabled");
                }
                this.session = null;
            }
            if (this.session != null) {
                if (debug != null && (Debug.isOn("handshake") || Debug.isOn("session"))) {
                    System.out.println("%% Try resuming " + this.session + " from port " + getLocalPortSE());
                }
                sessionId = this.session.getSessionId();
                this.maxProtocolVersion = protocolVersion;
                setVersion(protocolVersion);
            }
            if (!this.enableNewSession) {
                if (this.session == null) {
                    throw new SSLHandshakeException("Can't reuse existing SSL client session");
                }
                ArrayList arrayList = new ArrayList(ALTNAME_DNS);
                arrayList.add(suite);
                if (!this.secureRenegotiation && activeCipherSuites.contains(CipherSuite.C_SCSV)) {
                    arrayList.add(CipherSuite.C_SCSV);
                }
                activeCipherSuites = new CipherSuiteList(arrayList);
            }
        }
        if (this.session == null && !this.enableNewSession) {
            throw new SSLHandshakeException("No existing session to resume");
        }
        if (this.secureRenegotiation && activeCipherSuites.contains(CipherSuite.C_SCSV)) {
            ArrayList arrayList2 = new ArrayList(activeCipherSuites.size() - 1);
            for (CipherSuite cipherSuite : activeCipherSuites.collection()) {
                if (cipherSuite != CipherSuite.C_SCSV) {
                    arrayList2.add(cipherSuite);
                }
            }
            activeCipherSuites = new CipherSuiteList(arrayList2);
        }
        boolean z = false;
        Iterator it = activeCipherSuites.collection().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (isNegotiable((CipherSuite) it.next())) {
                z = true;
                break;
            }
        }
        if (!z) {
            throw new SSLHandshakeException("No negotiable cipher suite");
        }
        HandshakeMessage.ClientHello clientHello = new HandshakeMessage.ClientHello(this.sslContext.getSecureRandom(), this.maxProtocolVersion, sessionId, activeCipherSuites);
        if (this.maxProtocolVersion.v >= ProtocolVersion.TLS12.v) {
            Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs = getLocalSupportedSignAlgs();
            if (localSupportedSignAlgs.isEmpty()) {
                throw new SSLHandshakeException("No supported signature algorithm");
            }
            clientHello.addSignatureAlgorithmsExtension(localSupportedSignAlgs);
        }
        if (enableSNIExtension) {
            if (this.session != null) {
                this.requestedServerNames = this.session.getRequestedServerNames();
            } else {
                this.requestedServerNames = this.serverNames;
            }
            if (!this.requestedServerNames.isEmpty()) {
                clientHello.addSNIExtension(this.requestedServerNames);
            }
        }
        this.clnt_random = clientHello.clnt_random;
        if (this.secureRenegotiation || !activeCipherSuites.contains(CipherSuite.C_SCSV)) {
            clientHello.addRenegotiationInfoExtension(this.clientVerifyData);
        }
        if (this.engine != null) {
            clientHello.addNextProtocolNegotiationExtension(this.engine);
            clientHello.addAlpnExtension(this.engine);
        }
        return clientHello;
    }

    @Override // sun.security.ssl.Handshaker
    void handshakeAlert(byte b) throws SSLProtocolException {
        String alertDescription = Alerts.alertDescription(b);
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("SSL - handshake alert: " + alertDescription);
        }
        throw new SSLProtocolException("handshake alert:  " + alertDescription);
    }

    private void serverCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        String str;
        String endpointIdentificationAlgorithmSE;
        if (debug != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        X509Certificate[] certificateChain = certificateMsg.getCertificateChain();
        if (certificateChain.length == 0) {
            fatalSE((byte) 42, "empty certificate chain");
        }
        if (this.reservedServerCerts != null && (((endpointIdentificationAlgorithmSE = getEndpointIdentificationAlgorithmSE()) == null || endpointIdentificationAlgorithmSE.length() == 0) && !isIdentityEquivalent(certificateChain[0], this.reservedServerCerts[0]))) {
            fatalSE((byte) 42, "server certificate change is restricted during renegotiation");
        }
        X509TrustManager x509TrustManager = this.sslContext.getX509TrustManager();
        try {
            str = (this.keyExchange != CipherSuite.KeyExchange.K_RSA_EXPORT || this.serverKeyExchangeReceived) ? this.keyExchange.name : CipherSuite.KeyExchange.K_RSA.name;
        } catch (CertificateException e) {
            fatalSE((byte) 46, e);
        }
        if (!(x509TrustManager instanceof X509ExtendedTrustManager)) {
            throw new CertificateException("Improper X509TrustManager implementation");
        }
        if (this.conn != null) {
            ((X509ExtendedTrustManager) x509TrustManager).checkServerTrusted((X509Certificate[]) certificateChain.clone(), str, (Socket) this.conn);
        } else {
            ((X509ExtendedTrustManager) x509TrustManager).checkServerTrusted((X509Certificate[]) certificateChain.clone(), str, this.engine);
        }
        this.session.setPeerCertificates(certificateChain);
    }

    private static boolean isIdentityEquivalent(X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        if (x509Certificate.equals(x509Certificate2)) {
            return true;
        }
        Collection<List<?>> collection = null;
        try {
            collection = x509Certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println("Attempt to obtain subjectAltNames extension failed!");
            }
        }
        Collection<List<?>> collection2 = null;
        try {
            collection2 = x509Certificate2.getSubjectAlternativeNames();
        } catch (CertificateParsingException e2) {
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println("Attempt to obtain subjectAltNames extension failed!");
            }
        }
        if (collection != null && collection2 != null) {
            Collection<String> subjectAltNames = getSubjectAltNames(collection, ALTNAME_IP);
            Collection<String> subjectAltNames2 = getSubjectAltNames(collection2, ALTNAME_IP);
            if (subjectAltNames != null && subjectAltNames2 != null && isEquivalent(subjectAltNames, subjectAltNames2)) {
                return true;
            }
            Collection<String> subjectAltNames3 = getSubjectAltNames(collection, ALTNAME_DNS);
            Collection<String> subjectAltNames4 = getSubjectAltNames(collection2, ALTNAME_DNS);
            if (subjectAltNames3 != null && subjectAltNames4 != null && isEquivalent(subjectAltNames3, subjectAltNames4)) {
                return true;
            }
        }
        X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
        X500Principal subjectX500Principal2 = x509Certificate2.getSubjectX500Principal();
        return !subjectX500Principal.getName().isEmpty() && !subjectX500Principal2.getName().isEmpty() && subjectX500Principal.equals(subjectX500Principal2) && x509Certificate.getIssuerX500Principal().equals(x509Certificate2.getIssuerX500Principal());
    }

    private static Collection<String> getSubjectAltNames(Collection<List<?>> collection, int i) {
        String str;
        HashSet hashSet = null;
        for (List<?> list : collection) {
            if (((Integer) list.get(0)).intValue() == i && (str = (String) list.get(1)) != null && !str.isEmpty()) {
                if (hashSet == null) {
                    hashSet = new HashSet(collection.size());
                }
                hashSet.add(str);
            }
        }
        return hashSet;
    }

    private static boolean isEquivalent(Collection<String> collection, Collection<String> collection2) {
        for (String str : collection) {
            Iterator<String> it = collection2.iterator();
            while (it.hasNext()) {
                if (str.equalsIgnoreCase(it.next())) {
                    return true;
                }
            }
        }
        return false;
    }
}
