package kl.ssl.jsse.provider;

import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Logger;
import javax.net.ssl.SSLException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;
import kl.ssl.gmvpn.Certificate;
import kl.ssl.gmvpn.CertificateRequest;
import kl.ssl.gmvpn.DefaultTlsServer;
import kl.ssl.gmvpn.TlsCredentials;
import kl.ssl.gmvpn.TlsFatalAlert;
import kl.ssl.gmvpn.TlsSession;
import kl.ssl.gmvpn.TlsUtils;
import kl.ssl.gmvpn.crypto.TlsCertificate;
import kl.ssl.gmvpn.crypto.TlsCrypto;
import kl.ssl.gmvpn.crypto.TlsCryptoParameters;
import kl.ssl.gmvpn.crypto.impl.jcajce.JcaDefaultTlsCredentialedSignerAndDecryptor;
import kl.ssl.gmvpn.crypto.impl.jcajce.JcaTlsCrypto;
import org.bouncycastle.asn1.x500.X500Name;

/* loaded from: classes2.dex */
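/**
 * Server-side TLS peer used by the JSSE provider.
 *
 * <p>It builds the server's credentials (a signing and an encryption certificate with their private keys,
 * as this GMVPN profile requires both), decides whether and how to request a client certificate from the
 * configured {@link ProvSSLParameters}, verifies a presented client chain against the manager's trust
 * manager, and reports the finished handshake back to the {@link ProvTlsManager}.
 *
 * <p>{@link #isHandshakeComplete()} and {@link #notifyHandshakeComplete()} are both {@code synchronized},
 * so the completion flag is published safely across threads; no other state in this class is guarded.
 */
public class ProvTlsServer extends DefaultTlsServer implements ProvTlsPeer {
    public static final Logger LOG = Logger.getLogger(ProvTlsServer.class.getName());
    // Read from the jdk.tls.ephemeralDHKeySize system property; the three numbers are presumably
    // default / minimum / maximum (2048 / 1024 / 8192) -- confirm against PropertyUtils.
    public static final int provEphemeralDHKeySize = PropertyUtils.getIntegerSystemProperty("jdk.tls.ephemeralDHKeySize", 2048, 1024, 8192);

    // ClientCertificateType code point sent in CertificateRequest. 64 is ecdsa_sign in the IANA
    // registry; presumably the GMVPN profile reuses it for SM2 -- confirm against the spec.
    private static final short CLIENT_CERTIFICATE_TYPE = 64;
    // TLS AlertDescription values used below (internal_error / handshake_failure).
    private static final short ALERT_INTERNAL_ERROR = 80;
    private static final short ALERT_HANDSHAKE_FAILURE = 40;

    // Credentials are created lazily by the handshake through getCredentials().
    public TlsCredentials credentials;
    // Set once, under lock, in notifyHandshakeComplete().
    public boolean handshakeComplete;
    // Not referenced in this class; presumably used by collaborators that share this object -- confirm.
    public Set<String> keyManagerMissCache;
    public final ProvTlsManager manager;
    // A private copy of the caller's parameters, so later changes by the caller do not affect this handshake.
    public final ProvSSLParameters sslParameters;
    public ProvSSLSession sslSession;

    /**
     * Creates a server peer bound to the given manager.
     *
     * @param provTlsManager   owner that supplies the crypto, key/trust managers and session context
     * @param provSSLParameters parameters to use for this handshake; copied, not retained
     * @throws SSLException if session creation is disabled on the manager, because session resumption is
     *                      not implemented and a fresh session could not be created either
     */
    public ProvTlsServer(ProvTlsManager provTlsManager, ProvSSLParameters provSSLParameters) throws SSLException {
        super(provTlsManager.getContextData().getCrypto());
        this.sslSession = null;
        this.keyManagerMissCache = null;
        this.credentials = null;
        this.handshakeComplete = false;
        this.manager = provTlsManager;
        this.sslParameters = provSSLParameters.copy();
        if (!provTlsManager.getEnableSessionCreation()) {
            throw new SSLException("Session resumption not implemented yet and session creation is disabled");
        }
    }

    /**
     * Builds the CertificateRequest to send to the client, or {@code null} when client authentication is
     * neither wanted nor needed (no request is sent at all).
     *
     * <p>The certificate_authorities list is the set of distinct subject names of the trust manager's
     * accepted issuers, or {@code null} when there are none. signature_algorithms is only included on
     * protocol versions that allow the extension.
     *
     * @return the request to send, or {@code null} to skip client authentication
     * @throws IOException propagated from the underlying TLS layer
     */
    @Override // kl.ssl.gmvpn.AbstractTlsServer, kl.ssl.gmvpn.TlsServer
    public CertificateRequest getCertificateRequest() throws IOException {
        if (!this.sslParameters.getNeedClientAuth() && !this.sslParameters.getWantClientAuth()) {
            return null;
        }
        short[] certificateTypes = {CLIENT_CERTIFICATE_TYPE};
        Vector<?> supportedSignatureAlgorithms = TlsUtils.isSignatureAlgorithmsExtensionAllowed(this.context.getServerVersion())
                ? JsseUtils.getSupportedSignatureAlgorithms(getCrypto())
                : null;
        // A set so that issuers sharing a subject name are listed only once.
        Set<X500Principal> issuerNames = new HashSet<X500Principal>();
        for (X509Certificate issuer : this.manager.getContextData().getX509TrustManager().getAcceptedIssuers()) {
            issuerNames.add(issuer.getSubjectX500Principal());
        }
        Vector<X500Name> certificateAuthorities = null;
        if (!issuerNames.isEmpty()) {
            certificateAuthorities = new Vector<X500Name>(issuerNames.size());
            for (X500Principal issuerName : issuerNames) {
                certificateAuthorities.addElement(X500Name.getInstance(issuerName.getEncoded()));
            }
        }
        return new CertificateRequest(certificateTypes, supportedSignatureAlgorithms, certificateAuthorities);
    }

    /**
     * Assembles the server credentials: the signing and encryption leaf certificates (in that order) and
     * their private keys, looked up by the fixed aliases declared on {@link DefaultTlsServer}.
     *
     * <p>A missing key or chain is a configuration error and fails the handshake with {@code internal_error}
     * instead of handing a {@code null} into the credential object.
     *
     * @return credentials able to sign and to decrypt for this connection
     * @throws IOException if any of the required key material is unavailable, or on a TLS-layer error
     */
    @Override // kl.ssl.gmvpn.DefaultTlsServer, kl.ssl.gmvpn.TlsServer
    public TlsCredentials getCredentials() throws IOException {
        X509ExtendedKeyManager keyManager = this.manager.getContextData().getX509KeyManager();
        PrivateKey signingKey = requirePrivateKey(keyManager, DefaultTlsServer.SIGN_CERT_PRIVATE_KEY_ALIAS);
        PrivateKey encryptionKey = requirePrivateKey(keyManager, DefaultTlsServer.ENC_CERT_PRIVATE_KEY_ALIAS);
        TlsCrypto crypto = getCrypto();
        TlsCertificate signingCert = requireLeafCertificate(crypto, keyManager, DefaultTlsServer.SIGN_CERT_ALIAS);
        TlsCertificate encryptionCert = requireLeafCertificate(crypto, keyManager, DefaultTlsServer.ENC_CERT_ALIAS);
        Certificate certificateMessage = new Certificate(new TlsCertificate[]{signingCert, encryptionCert});
        return new JcaDefaultTlsCredentialedSignerAndDecryptor(
                new TlsCryptoParameters(this.context),
                (JcaTlsCrypto) this.context.getCrypto(),
                certificateMessage,
                new PrivateKey[]{signingKey, encryptionKey},
                null);
    }

    /** Looks up a private key by alias; fails the handshake with internal_error when the key manager has none. */
    private static PrivateKey requirePrivateKey(X509ExtendedKeyManager keyManager, String alias) throws IOException {
        PrivateKey key = keyManager.getPrivateKey(alias);
        if (key == null) {
            // Only the alias is logged, never key material.
            LOG.warning("No private key available for alias '" + alias + "'");
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        return key;
    }

    /** Converts the chain behind an alias and returns its leaf; fails with internal_error when there is no chain. */
    private static TlsCertificate requireLeafCertificate(TlsCrypto crypto, X509ExtendedKeyManager keyManager, String alias) throws IOException {
        X509Certificate[] chain = keyManager.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            LOG.warning("No certificate chain available for alias '" + alias + "'");
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        return JsseUtils.getCertificateMessage(crypto, chain).getCertificateAt(0);
    }

    /** @return whether {@link #notifyHandshakeComplete()} has run for this connection */
    @Override // kl.ssl.jsse.provider.ProvTlsPeer
    public synchronized boolean isHandshakeComplete() {
        return this.handshakeComplete;
    }

    /**
     * Validates the client's Certificate message against the configured client-auth policy.
     *
     * <ul>
     *   <li>A client certificate arriving when none was requested is treated as an internal error.</li>
     *   <li>An empty chain is accepted when client auth is merely wanted and rejected with
     *       {@code handshake_failure} when it is needed.</li>
     *   <li>A non-empty chain is handed to the manager's trust check, which throws if it is not trusted.</li>
     * </ul>
     *
     * @param certificate the chain presented by the client; may be {@code null} or empty
     * @throws IOException on a policy violation, or when the chain is not trusted
     */
    @Override // kl.ssl.gmvpn.AbstractTlsServer, kl.ssl.gmvpn.TlsServer
    public void notifyClientCertificate(Certificate certificate) throws IOException {
        if (!this.sslParameters.getNeedClientAuth() && !this.sslParameters.getWantClientAuth()) {
            throw new TlsFatalAlert(ALERT_INTERNAL_ERROR);
        }
        if (certificate == null || certificate.isEmpty()) {
            if (this.sslParameters.getNeedClientAuth()) {
                throw new TlsFatalAlert(ALERT_HANDSHAKE_FAILURE);
            }
            return;
        }
        // The auth-type string is derived from the leaf's signature algorithm, as the trust manager expects.
        X509Certificate[] clientChain = JsseUtils.getX509CertificateChain(getCrypto(), certificate);
        String authType = JsseUtils.getAuthStringClient(certificate.getCertificateAt(0).getLegacySignatureAlgorithm());
        this.manager.checkClientTrusted(clientChain, authType);
    }

    /**
     * Marks the handshake as complete, registers the resulting session (unless this object already wraps
     * that exact TLS session) and notifies the manager with the established connection.
     *
     * @throws IOException propagated from the superclass
     */
    @Override // kl.ssl.gmvpn.AbstractTlsPeer, kl.ssl.gmvpn.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        this.handshakeComplete = true;
        TlsSession session = this.context.getSession();
        // Identity comparison: only re-report when the underlying TLS session object actually changed.
        if (this.sslSession == null || this.sslSession.getTlsSession() != session) {
            // NOTE(review): a server-side peer reports into the *client* session context here;
            // confirm this is intended rather than a server/client context mix-up.
            this.sslSession = this.manager.getContextData().getClientSessionContext().reportSession(
                    this.manager.getPeerHost(),
                    this.manager.getPeerPort(),
                    session,
                    new JsseSessionParameters(this.sslParameters.getEndpointIdentificationAlgorithm()));
        }
        this.manager.notifyHandshakeComplete(new ProvSSLConnection(this.context, this.sslSession));
    }
}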
