package org.bouncycastle.jsse.provider;

import com.adobe.connect.android.model.util.ChatConstants;
import java.io.IOException;
import java.math.BigInteger;
import java.security.Principal;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jsse.BCSNIMatcher;
import org.bouncycastle.jsse.BCSNIServerName;
import org.bouncycastle.jsse.BCX509Key;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.AlertDescription;
import org.bouncycastle.tls.Certificate;
import org.bouncycastle.tls.CertificateRequest;
import org.bouncycastle.tls.CertificateStatus;
import org.bouncycastle.tls.DefaultTlsServer;
import org.bouncycastle.tls.KeyExchangeAlgorithm;
import org.bouncycastle.tls.ProtocolName;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.SecurityParameters;
import org.bouncycastle.tls.SessionParameters;
import org.bouncycastle.tls.SignatureAndHashAlgorithm;
import org.bouncycastle.tls.TlsCredentials;
import org.bouncycastle.tls.TlsExtensionsUtils;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsSession;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.DHGroup;
import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
public class ProvTlsServer extends DefaultTlsServer implements ProvTlsPeer {
    private static final String PROPERTY_DEFAULT_DHE_PARAMETERS = "jdk.tls.server.defaultDHEParameters";
    private static final boolean provServerEnableStatusRequest = false;
    protected TlsCredentials credentials;
    protected boolean handshakeComplete;
    protected final JsseSecurityParameters jsseSecurityParameters;
    protected Set<String> keyManagerMissCache;
    protected final ProvTlsManager manager;
    protected BCSNIServerName matchedSNIServerName;
    protected final ProvSSLParameters sslParameters;
    protected ProvSSLSession sslSession;
    private static final Logger LOG = Logger.getLogger(ProvTlsServer.class.getName());
    private static final int provEphemeralDHKeySize = PropertyUtils.getIntegerSystemProperty("jdk.tls.ephemeralDHKeySize", 2048, 1024, 8192);
    private static final DHGroup[] provServerDefaultDHEParameters = getDefaultDHEParameters();
    private static final boolean provServerEnableCA = PropertyUtils.getBooleanSystemProperty("jdk.tls.server.enableCAExtension", true);
    private static final boolean provServerEnableSessionResumption = PropertyUtils.getBooleanSystemProperty("org.bouncycastle.jsse.server.enableSessionResumption", true);
    private static final boolean provServerEnableTrustedCAKeys = PropertyUtils.getBooleanSystemProperty("org.bouncycastle.jsse.server.enableTrustedCAKeysExtension", false);

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProvTlsServer(ProvTlsManager provTlsManager, ProvSSLParameters provSSLParameters) {
        super(provTlsManager.getContextData().getCrypto());
        this.jsseSecurityParameters = new JsseSecurityParameters();
        this.sslSession = null;
        this.matchedSNIServerName = null;
        this.keyManagerMissCache = null;
        this.credentials = null;
        this.handshakeComplete = false;
        this.manager = provTlsManager;
        this.sslParameters = provSSLParameters.copyForConnection();
    }

    /* JADX WARN: Removed duplicated region for block: B:23:0x0096  */
    /* JADX WARN: Removed duplicated region for block: B:29:0x0089 A[SYNTHETIC] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private static org.bouncycastle.tls.crypto.DHGroup[] getDefaultDHEParameters() {
        /*
            java.lang.String r0 = "jdk.tls.server.defaultDHEParameters"
            java.lang.String r0 = org.bouncycastle.jsse.provider.PropertyUtils.getStringSecurityProperty(r0)
            r1 = 0
            if (r0 != 0) goto La
            return r1
        La:
            java.lang.String r0 = org.bouncycastle.jsse.provider.JsseUtils.removeAllWhitespace(r0)
            java.lang.String r0 = org.bouncycastle.jsse.provider.JsseUtils.stripDoubleQuotes(r0)
            int r2 = r0.length()
            r3 = 1
            if (r2 >= r3) goto L1a
            return r1
        L1a:
            java.util.ArrayList r4 = new java.util.ArrayList
            r4.<init>()
            r5 = -1
        L20:
            int r5 = r5 + r3
            if (r5 >= r2) goto L9c
            r6 = 123(0x7b, float:1.72E-43)
            char r7 = r0.charAt(r5)
            if (r6 == r7) goto L2d
            goto L9c
        L2d:
            int r5 = r5 + 1
            r6 = 44
            int r7 = r0.indexOf(r6, r5)
            if (r7 > r5) goto L38
            goto L9c
        L38:
            int r8 = r7 + 1
            r9 = 125(0x7d, float:1.75E-43)
            int r9 = r0.indexOf(r9, r8)
            if (r9 > r8) goto L43
            goto L9c
        L43:
            java.math.BigInteger r5 = parseDHParameter(r0, r5, r7)     // Catch: java.lang.Exception -> L9c
            java.math.BigInteger r7 = parseDHParameter(r0, r8, r9)     // Catch: java.lang.Exception -> L9c
            org.bouncycastle.tls.crypto.DHGroup r8 = org.bouncycastle.tls.TlsDHUtils.getStandardGroupForDHParameters(r5, r7)     // Catch: java.lang.Exception -> L9c
            if (r8 == 0) goto L55
        L51:
            r4.add(r8)     // Catch: java.lang.Exception -> L9c
            goto L85
        L55:
            r8 = 120(0x78, float:1.68E-43)
            boolean r8 = r5.isProbablePrime(r8)     // Catch: java.lang.Exception -> L9c
            if (r8 != 0) goto L7e
            java.util.logging.Logger r7 = org.bouncycastle.jsse.provider.ProvTlsServer.LOG     // Catch: java.lang.Exception -> L9c
            java.util.logging.Level r8 = java.util.logging.Level.WARNING     // Catch: java.lang.Exception -> L9c
            java.lang.StringBuilder r10 = new java.lang.StringBuilder     // Catch: java.lang.Exception -> L9c
            r10.<init>()     // Catch: java.lang.Exception -> L9c
            java.lang.String r11 = "Non-prime modulus ignored in security property [jdk.tls.server.defaultDHEParameters]: "
            java.lang.StringBuilder r10 = r10.append(r11)     // Catch: java.lang.Exception -> L9c
            r11 = 16
            java.lang.String r5 = r5.toString(r11)     // Catch: java.lang.Exception -> L9c
            java.lang.StringBuilder r5 = r10.append(r5)     // Catch: java.lang.Exception -> L9c
            java.lang.String r5 = r5.toString()     // Catch: java.lang.Exception -> L9c
            r7.log(r8, r5)     // Catch: java.lang.Exception -> L9c
            goto L85
        L7e:
            org.bouncycastle.tls.crypto.DHGroup r8 = new org.bouncycastle.tls.crypto.DHGroup     // Catch: java.lang.Exception -> L9c
            r10 = 0
            r8.<init>(r5, r1, r7, r10)     // Catch: java.lang.Exception -> L9c
            goto L51
        L85:
            int r5 = r9 + 1
            if (r5 < r2) goto L96
            int r0 = r4.size()
            org.bouncycastle.tls.crypto.DHGroup[] r0 = new org.bouncycastle.tls.crypto.DHGroup[r0]
            java.lang.Object[] r0 = r4.toArray(r0)
            org.bouncycastle.tls.crypto.DHGroup[] r0 = (org.bouncycastle.tls.crypto.DHGroup[]) r0
            return r0
        L96:
            char r7 = r0.charAt(r5)
            if (r6 == r7) goto L20
        L9c:
            java.util.logging.Logger r0 = org.bouncycastle.jsse.provider.ProvTlsServer.LOG
            java.util.logging.Level r2 = java.util.logging.Level.WARNING
            java.lang.String r3 = "Invalid syntax for security property [jdk.tls.server.defaultDHEParameters]"
            r0.log(r2, r3)
            return r1
        */
        throw new UnsupportedOperationException("Method not decompiled: org.bouncycastle.jsse.provider.ProvTlsServer.getDefaultDHEParameters():org.bouncycastle.tls.crypto.DHGroup[]");
    }

    private void handleKeyManagerMisses(LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap, String str) {
        for (Map.Entry<String, SignatureSchemeInfo> entry : linkedHashMap.entrySet()) {
            String key = entry.getKey();
            if (key.equals(str)) {
                return;
            }
            this.keyManagerMissCache.add(key);
            Logger logger = LOG;
            if (logger.isLoggable(Level.FINER)) {
                logger.finer("Server found no credentials for signature scheme '" + entry.getValue() + "' (keyType '" + key + "')");
            }
        }
    }

    private static BigInteger parseDHParameter(String str, int i, int i2) {
        return new BigInteger(str.substring(i, i2), 16);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowCertificateStatus() {
        return false;
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean allowLegacyResumption() {
        return JsseUtils.allowLegacyResumption();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowMultiCertStatus() {
        return false;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowTrustedCAIndication() {
        return this.jsseSecurityParameters.trustedIssuers != null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public CertificateRequest getCertificateRequest() throws IOException {
        if (!isClientAuthEnabled()) {
            return null;
        }
        ContextData contextData = this.manager.getContextData();
        ProtocolVersion serverVersion = this.context.getServerVersion();
        List<SignatureSchemeInfo> activeCertsSignatureSchemes = contextData.getActiveCertsSignatureSchemes(true, this.sslParameters, new ProtocolVersion[]{serverVersion}, this.jsseSecurityParameters.namedGroups);
        this.jsseSecurityParameters.localSigSchemes = activeCertsSignatureSchemes;
        this.jsseSecurityParameters.localSigSchemesCert = activeCertsSignatureSchemes;
        Vector<SignatureAndHashAlgorithm> signatureAndHashAlgorithms = SignatureSchemeInfo.getSignatureAndHashAlgorithms(this.jsseSecurityParameters.localSigSchemes);
        Vector<X500Name> certificateAuthorities = provServerEnableCA ? JsseUtils.getCertificateAuthorities(contextData.getX509TrustManager()) : null;
        if (TlsUtils.isTLSv13(serverVersion)) {
            return new CertificateRequest(TlsUtils.EMPTY_BYTES, signatureAndHashAlgorithms, this.jsseSecurityParameters.localSigSchemes != this.jsseSecurityParameters.localSigSchemesCert ? SignatureSchemeInfo.getSignatureAndHashAlgorithms(this.jsseSecurityParameters.localSigSchemesCert) : null, certificateAuthorities);
        }
        return new CertificateRequest(new short[]{64, 1, 2}, signatureAndHashAlgorithms, certificateAuthorities);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public CertificateStatus getCertificateStatus() throws IOException {
        return null;
    }

    @Override // org.bouncycastle.tls.DefaultTlsServer, org.bouncycastle.tls.TlsServer
    public TlsCredentials getCredentials() throws IOException {
        TlsCredentials tlsCredentials = this.credentials;
        if (tlsCredentials != null) {
            return tlsCredentials;
        }
        throw new TlsFatalAlert((short) 80);
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public JcaTlsCrypto getCrypto() {
        return this.manager.getContextData().getCrypto();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxCertificateChainLength() {
        return JsseUtils.getMaxCertificateChainLength();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxHandshakeMessageSize() {
        return JsseUtils.getMaxHandshakeMessageSize();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int getMaximumNegotiableCurveBits() {
        return NamedGroupInfo.getMaximumBitsServerECDH(this.jsseSecurityParameters.namedGroups);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int getMaximumNegotiableFiniteFieldBits() {
        int maximumBitsServerFFDHE = NamedGroupInfo.getMaximumBitsServerFFDHE(this.jsseSecurityParameters.namedGroups);
        if (maximumBitsServerFFDHE >= provEphemeralDHKeySize) {
            return maximumBitsServerFFDHE;
        }
        return 0;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public byte[] getNewSessionID() {
        if (!provServerEnableSessionResumption || TlsUtils.isTLSv13(this.context)) {
            return null;
        }
        return this.context.getNonceGenerator().generateNonce(32);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected Vector<ProtocolName> getProtocolNames() {
        return JsseUtils.getProtocolNames(this.sslParameters.getApplicationProtocols());
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public int getSelectedCipherSuite() throws IOException {
        ContextData contextData = this.manager.getContextData();
        SecurityParameters securityParametersHandshake = this.context.getSecurityParametersHandshake();
        NamedGroupInfo.notifyPeer(this.jsseSecurityParameters.namedGroups, securityParametersHandshake.getClientSupportedGroups());
        Vector clientSigAlgs = securityParametersHandshake.getClientSigAlgs();
        Vector clientSigAlgsCert = securityParametersHandshake.getClientSigAlgsCert();
        this.jsseSecurityParameters.peerSigSchemes = contextData.getSignatureSchemes(clientSigAlgs);
        JsseSecurityParameters jsseSecurityParameters = this.jsseSecurityParameters;
        jsseSecurityParameters.peerSigSchemesCert = clientSigAlgs == clientSigAlgsCert ? jsseSecurityParameters.peerSigSchemes : contextData.getSignatureSchemes(clientSigAlgsCert);
        Logger logger = LOG;
        if (logger.isLoggable(Level.FINEST)) {
            logger.finest(JsseUtils.getSignatureAlgorithmsReport("Peer signature_algorithms", this.jsseSecurityParameters.peerSigSchemes));
            if (this.jsseSecurityParameters.peerSigSchemesCert != this.jsseSecurityParameters.peerSigSchemes) {
                logger.finest(JsseUtils.getSignatureAlgorithmsReport("Peer signature_algorithms_cert", this.jsseSecurityParameters.peerSigSchemesCert));
            }
        }
        if (DummyX509KeyManager.INSTANCE == contextData.getX509KeyManager()) {
            throw new TlsFatalAlert((short) 40);
        }
        this.keyManagerMissCache = new HashSet();
        int selectedCipherSuite = super.getSelectedCipherSuite();
        this.keyManagerMissCache = null;
        logger.fine("Server selected cipher suite: " + this.manager.getContextData().getContext().validateNegotiatedCipherSuite(this.sslParameters, selectedCipherSuite));
        return selectedCipherSuite;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public Hashtable<Integer, byte[]> getServerExtensions() throws IOException {
        super.getServerExtensions();
        if (this.matchedSNIServerName != null) {
            TlsExtensionsUtils.addServerNameExtensionServer(this.serverExtensions);
        }
        return this.serverExtensions;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public ProtocolVersion getServerVersion() throws IOException {
        ProtocolVersion serverVersion = super.getServerVersion();
        LOG.fine("Server selected protocol version: " + this.manager.getContextData().getContext().validateNegotiatedProtocol(this.sslParameters, serverVersion));
        return serverVersion;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public TlsSession getSessionToResume(byte[] bArr) {
        ProvSSLSession sessionImpl;
        ProvSSLSessionContext serverSessionContext = this.manager.getContextData().getServerSessionContext();
        if (provServerEnableSessionResumption && (sessionImpl = serverSessionContext.getSessionImpl(bArr)) != null) {
            TlsSession tlsSession = sessionImpl.getTlsSession();
            if (isResumable(sessionImpl, tlsSession)) {
                this.sslSession = sessionImpl;
                return tlsSession;
            }
        }
        JsseUtils.checkSessionCreationEnabled(this.manager);
        return null;
    }

    @Override // org.bouncycastle.tls.DefaultTlsServer, org.bouncycastle.tls.AbstractTlsPeer
    protected int[] getSupportedCipherSuites() {
        return this.manager.getContextData().getContext().getActiveCipherSuites(getCrypto(), this.sslParameters, getProtocolVersions());
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public int[] getSupportedGroups() throws IOException {
        this.jsseSecurityParameters.namedGroups = this.manager.getContextData().getNamedGroups(this.sslParameters, new ProtocolVersion[]{this.context.getServerVersion()});
        return NamedGroupInfo.getSupportedGroupsLocalServer(this.jsseSecurityParameters.namedGroups);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.bouncycastle.tls.AbstractTlsPeer
    public ProtocolVersion[] getSupportedVersions() {
        return this.manager.getContextData().getContext().getActiveProtocolVersions(this.sslParameters);
    }

    protected boolean isClientAuthEnabled() {
        return this.sslParameters.getNeedClientAuth() || this.sslParameters.getWantClientAuth();
    }

    @Override // org.bouncycastle.jsse.provider.ProvTlsPeer
    public synchronized boolean isHandshakeComplete() {
        return this.handshakeComplete;
    }

    protected boolean isResumable(ProvSSLSession provSSLSession, TlsSession tlsSession) {
        SessionParameters exportSessionParameters;
        if (tlsSession != null && tlsSession.isResumable()) {
            ProtocolVersion negotiatedVersion = this.context.getSecurityParametersHandshake().getNegotiatedVersion();
            if (TlsUtils.isTLSv13(negotiatedVersion) || (exportSessionParameters = tlsSession.exportSessionParameters()) == null || !negotiatedVersion.equals(exportSessionParameters.getNegotiatedVersion()) || !Arrays.contains(getCipherSuites(), exportSessionParameters.getCipherSuite()) || !Arrays.contains(this.offeredCipherSuites, exportSessionParameters.getCipherSuite()) || !exportSessionParameters.isExtendedMasterSecret()) {
                return false;
            }
            JsseSessionParameters jsseSessionParameters = provSSLSession.getJsseSessionParameters();
            BCSNIServerName bCSNIServerName = this.matchedSNIServerName;
            BCSNIServerName matchedSNIServerName = jsseSessionParameters.getMatchedSNIServerName();
            if (JsseUtils.equals(bCSNIServerName, matchedSNIServerName)) {
                return true;
            }
            LOG.finest("Session not resumable - SNI mismatch; connection: " + bCSNIServerName + ", session: " + matchedSNIServerName);
            return false;
        }
        return false;
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        Level level = s == 1 ? Level.FINE : s2 == 80 ? Level.WARNING : Level.INFO;
        Logger logger = LOG;
        if (logger.isLoggable(level)) {
            String alertLogMessage = JsseUtils.getAlertLogMessage("Server raised", s, s2);
            if (str != null) {
                alertLogMessage = alertLogMessage + ": " + str;
            }
            logger.log(level, alertLogMessage, th);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertReceived(short s, short s2) {
        super.notifyAlertReceived(s, s2);
        Level level = s == 1 ? Level.FINE : Level.INFO;
        Logger logger = LOG;
        if (logger.isLoggable(level)) {
            logger.log(level, JsseUtils.getAlertLogMessage("Server received", s, s2));
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void notifyClientCertificate(Certificate certificate) throws IOException {
        if (!isClientAuthEnabled()) {
            throw new TlsFatalAlert((short) 80);
        }
        if (certificate != null && !certificate.isEmpty()) {
            this.manager.checkClientTrusted(JsseUtils.getX509CertificateChain(getCrypto(), certificate), "TLS-client-auth");
        } else if (this.sslParameters.getNeedClientAuth()) {
            throw new TlsFatalAlert(TlsUtils.isTLSv13(this.context) ? AlertDescription.certificate_required : (short) 40);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        boolean z = true;
        this.handshakeComplete = true;
        TlsSession session = this.context.getSession();
        ProvSSLSession provSSLSession = this.sslSession;
        if (provSSLSession == null || provSSLSession.getTlsSession() != session) {
            ProvSSLSessionContext serverSessionContext = this.manager.getContextData().getServerSessionContext();
            String peerHost = this.manager.getPeerHost();
            int peerPort = this.manager.getPeerPort();
            JsseSessionParameters jsseSessionParameters = new JsseSessionParameters(null, this.matchedSNIServerName);
            if (!provServerEnableSessionResumption || TlsUtils.isTLSv13(this.context) || !this.context.getSecurityParametersConnection().isExtendedMasterSecret()) {
                z = false;
            }
            this.sslSession = serverSessionContext.reportSession(peerHost, peerPort, session, jsseSessionParameters, z);
        }
        this.manager.notifyHandshakeComplete(new ProvSSLConnection(this.context, this.sslSession));
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifySecureRenegotiation(boolean z) throws IOException {
        if (!z && !PropertyUtils.getBooleanSystemProperty("sun.security.ssl.allowLegacyHelloMessages", true)) {
            throw new TlsFatalAlert((short) 40);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void notifySession(TlsSession tlsSession) {
        Logger logger;
        String str;
        byte[] sessionID = tlsSession.getSessionID();
        ProvSSLSession provSSLSession = this.sslSession;
        if (provSSLSession != null && provSSLSession.getTlsSession() == tlsSession) {
            LOG.fine("Server resumed session: " + Hex.toHexString(sessionID));
        } else {
            this.sslSession = null;
            if (TlsUtils.isNullOrEmpty(sessionID)) {
                logger = LOG;
                str = "Server did not specify a session ID";
            } else {
                logger = LOG;
                str = "Server specified new session: " + Hex.toHexString(sessionID);
            }
            logger.fine(str);
            JsseUtils.checkSessionCreationEnabled(this.manager);
        }
        ProvTlsManager provTlsManager = this.manager;
        provTlsManager.notifyHandshakeSession(provTlsManager.getContextData().getServerSessionContext(), this.context.getSecurityParametersHandshake(), this.jsseSecurityParameters, this.sslSession);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean preferLocalCipherSuites() {
        return this.sslParameters.getUseCipherSuitesOrder();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void processClientExtensions(Hashtable hashtable) throws IOException {
        Logger logger;
        String str;
        super.processClientExtensions(hashtable);
        Vector clientServerNames = this.context.getSecurityParametersHandshake().getClientServerNames();
        if (clientServerNames != null) {
            Collection<BCSNIMatcher> sNIMatchers = this.sslParameters.getSNIMatchers();
            if (sNIMatchers == null || sNIMatchers.isEmpty()) {
                logger = LOG;
                str = "Server ignored SNI (no matchers specified)";
            } else {
                BCSNIServerName findMatchingSNIServerName = JsseUtils.findMatchingSNIServerName(clientServerNames, sNIMatchers);
                this.matchedSNIServerName = findMatchingSNIServerName;
                if (findMatchingSNIServerName == null) {
                    throw new TlsFatalAlert(AlertDescription.unrecognized_name);
                }
                logger = LOG;
                str = "Server accepted SNI: " + this.matchedSNIServerName;
            }
            logger.fine(str);
        }
        if (TlsUtils.isTLSv13(this.context)) {
            this.jsseSecurityParameters.trustedIssuers = JsseUtils.toX500Principals(TlsExtensionsUtils.getCertificateAuthoritiesExtension(hashtable));
        } else if (provServerEnableTrustedCAKeys) {
            this.jsseSecurityParameters.trustedIssuers = JsseUtils.getTrustedIssuers(this.trustedCAKeys);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresCloseNotify() {
        return JsseUtils.requireCloseNotify();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresExtendedMasterSecret() {
        return !JsseUtils.allowLegacyMasterSecret();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean selectCipherSuite(int i) throws IOException {
        TlsCredentials tlsCredentials;
        int keyExchangeAlgorithm = TlsUtils.getKeyExchangeAlgorithm(i);
        if (KeyExchangeAlgorithm.isAnonymous(keyExchangeAlgorithm)) {
            tlsCredentials = null;
        } else {
            tlsCredentials = selectCredentials(this.jsseSecurityParameters.trustedIssuers, keyExchangeAlgorithm);
            if (tlsCredentials == null) {
                LOG.finer("Server found no credentials for cipher suite: " + ProvSSLContextSpi.getCipherSuiteName(i));
                return false;
            }
        }
        boolean selectCipherSuite = super.selectCipherSuite(i);
        if (selectCipherSuite) {
            this.credentials = tlsCredentials;
        }
        return selectCipherSuite;
    }

    protected TlsCredentials selectCredentials(Principal[] principalArr, int i) throws IOException {
        if (i == 0) {
            return selectServerCredentials13(principalArr, TlsUtils.EMPTY_BYTES);
        }
        if (i == 1 || i == 3 || i == 5 || i == 17 || i == 19) {
            return (1 == i || !TlsUtils.isSignatureAlgorithmsExtensionAllowed(this.context.getServerVersion())) ? selectServerCredentialsLegacy(principalArr, i) : selectServerCredentials12(principalArr, i);
        }
        return null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectDH(int i) {
        return NamedGroupInfo.selectServerFFDHE(this.jsseSecurityParameters.namedGroups, Math.max(i, provEphemeralDHKeySize));
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectDHDefault(int i) {
        throw new UnsupportedOperationException();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectECDH(int i) {
        return NamedGroupInfo.selectServerECDH(this.jsseSecurityParameters.namedGroups, i);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectECDHDefault(int i) {
        throw new UnsupportedOperationException();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected ProtocolName selectProtocolName() throws IOException {
        if (this.sslParameters.getEngineAPSelector() == null && this.sslParameters.getSocketAPSelector() == null) {
            return super.selectProtocolName();
        }
        List<String> protocolNames = JsseUtils.getProtocolNames((Vector<ProtocolName>) this.clientProtocolNames);
        String selectApplicationProtocol = this.manager.selectApplicationProtocol(Collections.unmodifiableList(protocolNames));
        if (selectApplicationProtocol == null) {
            throw new TlsFatalAlert(AlertDescription.no_application_protocol);
        }
        if (selectApplicationProtocol.length() < 1) {
            return null;
        }
        if (protocolNames.contains(selectApplicationProtocol)) {
            return ProtocolName.asUtf8Encoding(selectApplicationProtocol);
        }
        throw new TlsFatalAlert(AlertDescription.no_application_protocol);
    }

    protected TlsCredentials selectServerCredentials12(Principal[] principalArr, int i) throws IOException {
        Logger logger;
        StringBuilder sb;
        String str;
        BCAlgorithmConstraints algorithmConstraints = this.sslParameters.getAlgorithmConstraints();
        short legacySignatureAlgorithmServer = TlsUtils.getLegacySignatureAlgorithmServer(i);
        LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap = new LinkedHashMap<>();
        for (SignatureSchemeInfo signatureSchemeInfo : this.jsseSecurityParameters.peerSigSchemes) {
            if (TlsUtils.isValidSignatureSchemeForServerKeyExchange(signatureSchemeInfo.getSignatureScheme(), i)) {
                String keyTypeLegacyServer = legacySignatureAlgorithmServer == signatureSchemeInfo.getSignatureAlgorithm() ? JsseUtils.getKeyTypeLegacyServer(i) : signatureSchemeInfo.getKeyType();
                if (!this.keyManagerMissCache.contains(keyTypeLegacyServer) && !linkedHashMap.containsKey(keyTypeLegacyServer) && signatureSchemeInfo.isActive(algorithmConstraints, false, true, this.jsseSecurityParameters.namedGroups)) {
                    linkedHashMap.put(keyTypeLegacyServer, signatureSchemeInfo);
                }
            }
        }
        if (linkedHashMap.isEmpty()) {
            logger = LOG;
            sb = new StringBuilder();
            str = "Server (1.2) has no key types to try for KeyExchangeAlgorithm ";
        } else {
            BCX509Key chooseServerKey = this.manager.chooseServerKey((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
            if (chooseServerKey != null) {
                String keyType = chooseServerKey.getKeyType();
                handleKeyManagerMisses(linkedHashMap, keyType);
                SignatureSchemeInfo signatureSchemeInfo2 = linkedHashMap.get(keyType);
                if (signatureSchemeInfo2 == null) {
                    throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
                }
                Logger logger2 = LOG;
                if (logger2.isLoggable(Level.FINE)) {
                    logger2.fine("Server (1.2) selected credentials for signature scheme '" + signatureSchemeInfo2 + "' (keyType '" + keyType + "'), with private key algorithm '" + JsseUtils.getPrivateKeyAlgorithm(chooseServerKey.getPrivateKey()) + ChatConstants.SINGLEQUOT);
                }
                return JsseUtils.createCredentialedSigner(this.context, getCrypto(), chooseServerKey, signatureSchemeInfo2.getSignatureAndHashAlgorithm());
            }
            handleKeyManagerMisses(linkedHashMap, null);
            logger = LOG;
            sb = new StringBuilder();
            str = "Server (1.2) did not select any credentials for KeyExchangeAlgorithm ";
        }
        logger.fine(sb.append(str).append(i).toString());
        return null;
    }

    protected TlsCredentials selectServerCredentials13(Principal[] principalArr, byte[] bArr) throws IOException {
        Logger logger;
        String str;
        BCAlgorithmConstraints algorithmConstraints = this.sslParameters.getAlgorithmConstraints();
        LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap = new LinkedHashMap<>();
        for (SignatureSchemeInfo signatureSchemeInfo : this.jsseSecurityParameters.peerSigSchemes) {
            String keyType13 = signatureSchemeInfo.getKeyType13();
            if (!this.keyManagerMissCache.contains(keyType13) && !linkedHashMap.containsKey(keyType13) && signatureSchemeInfo.isActive(algorithmConstraints, true, false, this.jsseSecurityParameters.namedGroups)) {
                linkedHashMap.put(keyType13, signatureSchemeInfo);
            }
        }
        if (linkedHashMap.isEmpty()) {
            logger = LOG;
            str = "Server (1.3) found no usable signature schemes";
        } else {
            BCX509Key chooseServerKey = this.manager.chooseServerKey((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
            if (chooseServerKey != null) {
                String keyType = chooseServerKey.getKeyType();
                handleKeyManagerMisses(linkedHashMap, keyType);
                SignatureSchemeInfo signatureSchemeInfo2 = linkedHashMap.get(keyType);
                if (signatureSchemeInfo2 == null) {
                    throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
                }
                Logger logger2 = LOG;
                if (logger2.isLoggable(Level.FINE)) {
                    logger2.fine("Server (1.3) selected credentials for signature scheme '" + signatureSchemeInfo2 + "' (keyType '" + keyType + "'), with private key algorithm '" + JsseUtils.getPrivateKeyAlgorithm(chooseServerKey.getPrivateKey()) + ChatConstants.SINGLEQUOT);
                }
                return JsseUtils.createCredentialedSigner13(this.context, getCrypto(), chooseServerKey, signatureSchemeInfo2.getSignatureAndHashAlgorithm(), bArr);
            }
            handleKeyManagerMisses(linkedHashMap, null);
            logger = LOG;
            str = "Server (1.3) did not select any credentials";
        }
        logger.fine(str);
        return null;
    }

    protected TlsCredentials selectServerCredentialsLegacy(Principal[] principalArr, int i) throws IOException {
        String keyTypeLegacyServer = JsseUtils.getKeyTypeLegacyServer(i);
        if (this.keyManagerMissCache.contains(keyTypeLegacyServer)) {
            return null;
        }
        BCX509Key chooseServerKey = this.manager.chooseServerKey(new String[]{keyTypeLegacyServer}, principalArr);
        if (chooseServerKey != null) {
            return 1 == i ? JsseUtils.createCredentialedDecryptor(getCrypto(), chooseServerKey) : JsseUtils.createCredentialedSigner(this.context, getCrypto(), chooseServerKey, null);
        }
        this.keyManagerMissCache.add(keyTypeLegacyServer);
        return null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean shouldSelectProtocolNameEarly() {
        return this.sslParameters.getEngineAPSelector() == null && this.sslParameters.getSocketAPSelector() == null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean shouldUseExtendedMasterSecret() {
        return JsseUtils.useExtendedMasterSecret();
    }
}
