package sun.security.ssl;

import java.lang.ref.Reference;
import java.lang.ref.SoftReference;
import java.net.Socket;
import java.security.AlgorithmConstraints;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
import sun.tools.java.RuntimeConstants;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl.class */
public final class X509KeyManagerImpl extends X509ExtendedKeyManager implements X509KeyManager {
    // Date handed to CheckType.check() by the per-builder getAliases(); when it is null the
    // current time (new Date()) is used instead. Nothing in this file assigns it.
    private static Date verificationDate;
    // Key store builders. An entry's position in this list is the builder index that
    // makeAlias() embeds in an alias and getEntry() parses back out.
    private final List<KeyStore.Builder> builders;
    // Source of the numeric prefix that makeAlias() puts in front of every alias it returns.
    private final AtomicLong uidCounter;
    // Alias -> softly referenced private key entry. The constructor backs this with a
    // synchronized SizedMap, which drops its eldest entry once it holds more than 10.
    private final Map<String, Reference<KeyStore.PrivateKeyEntry>> entryCacheMap;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl$CheckResult.class */
    /**
     * Outcome of checking a key store entry's end-entity certificate.
     *
     * <p>Declaration order is load-bearing: {@code EntryStatus.compareTo} sorts candidates by
     * this enum's natural order, so a constant declared earlier is preferred over a later one.
     */
    public enum CheckResult {
        /** Every check passed. */
        OK,

        /** A requested SNI host name was illegal or did not match the certificate. */
        INSENSITIVE,

        /** {@code checkValidity} rejected the certificate for the verification date. */
        EXPIRED,

        /** Key usage or extended key usage does not fit the intended use, or could not be read. */
        EXTENSION_MISMATCH;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl$CheckType.class */
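    /**
     * Intended use of a key store entry together with the certificate checks for that use.
     *
     * <p>The decompiled original of {@link #check} did not compile (a {@code boolean} assigned
     * {@code -1}, repeated {@code case true} labels) and its SNI loop had no exit. Both are
     * restored here as a plain string switch and a bounded iteration.
     */
    public enum CheckType {
        /** No checks at all; {@link #check} always reports {@code OK}. */
        NONE(Collections.<String>emptySet()),

        /** Client authentication: anyExtendedKeyUsage or id-kp-clientAuth. */
        CLIENT(new HashSet<String>(Arrays.asList("2.5.29.37.0", "1.3.6.1.5.5.7.3.2"))),

        /**
         * Server authentication: anyExtendedKeyUsage, id-kp-serverAuth, and the Netscape and
         * Microsoft server-gated-crypto OIDs.
         */
        SERVER(new HashSet<String>(Arrays.asList("2.5.29.37.0", "1.3.6.1.5.5.7.3.1", "2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3")));

        // Positions in the array returned by X509Certificate.getKeyUsage().
        private static final int KU_DIGITAL_SIGNATURE = 0;
        private static final int KU_KEY_ENCIPHERMENT = 2;
        private static final int KU_KEY_AGREEMENT = 4;

        // SNI name type of a host_name entry (the value of StandardConstants.SNI_HOST_NAME).
        private static final int SNI_HOST_NAME_TYPE = 0;

        /** Extended key usage OIDs, any one of which makes a certificate acceptable for this use. */
        final Set<String> validEku;

        CheckType(Set<String> set) {
            this.validEku = set;
        }

        /** Reads a key usage bit, treating positions beyond the end of the array as unset. */
        private static boolean getBit(boolean[] zArr, int i) {
            return i < zArr.length && zArr[i];
        }

        /**
         * Checks an end-entity certificate for this use.
         *
         * <p>Checks run in this order and the first failure decides the result: extended key
         * usage, key usage, validity period, then identity against the requested SNI host names.
         *
         * @param x509Certificate the end-entity certificate
         * @param date the date to check the validity period against
         * @param list requested server names, or {@code null}/empty to skip the SNI check
         * @param str identification algorithm name handed to
         *            {@code X509TrustManagerImpl.checkIdentity}
         * @return {@code OK}, or the result describing the first failed check
         */
        CheckResult check(X509Certificate x509Certificate, Date date, List<SNIServerName> list, String str) {
            if (this == NONE) {
                return CheckResult.OK;
            }

            try {
                // An absent EKU extension (null) places no restriction on the use.
                List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
                if (extendedKeyUsage != null && Collections.disjoint(this.validEku, extendedKeyUsage)) {
                    return CheckResult.EXTENSION_MISMATCH;
                }
            } catch (CertificateException e) {
                // An extension that cannot be parsed is treated like one that does not match.
                return CheckResult.EXTENSION_MISMATCH;
            }

            // An absent key usage extension (null) places no restriction on the use either.
            boolean[] keyUsage = x509Certificate.getKeyUsage();
            if (keyUsage != null && !keyUsagePermits(keyUsage, x509Certificate.getPublicKey().getAlgorithm())) {
                return CheckResult.EXTENSION_MISMATCH;
            }

            try {
                x509Certificate.checkValidity(date);
            } catch (CertificateException e) {
                return CheckResult.EXPIRED;
            }

            if (list != null) {
                // The decompiled loop shape does not show whether the original stopped after the
                // first host_name entry; checking every entry is at least as strict.
                for (SNIServerName serverName : list) {
                    if (serverName.getType() != SNI_HOST_NAME_TYPE) {
                        continue;
                    }
                    SNIHostName hostName;
                    if (serverName instanceof SNIHostName) {
                        hostName = (SNIHostName) serverName;
                    } else {
                        try {
                            hostName = new SNIHostName(serverName.getEncoded());
                        } catch (IllegalArgumentException e) {
                            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                                SSLLogger.fine("Illegal server name: " + serverName);
                            }
                            return CheckResult.INSENSITIVE;
                        }
                    }
                    String asciiName = hostName.getAsciiName();
                    try {
                        X509TrustManagerImpl.checkIdentity(asciiName, x509Certificate, str);
                    } catch (CertificateException e) {
                        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                            SSLLogger.fine("Certificate identity does not match Server Name Inidication (SNI): " + asciiName);
                        }
                        return CheckResult.INSENSITIVE;
                    }
                }
            }
            return CheckResult.OK;
        }

        /**
         * Decides whether the key usage bits allow this use for the given public key algorithm.
         * Algorithms other than the five listed are not restricted.
         */
        private boolean keyUsagePermits(boolean[] keyUsage, String algorithm) {
            boolean digitalSignature = getBit(keyUsage, KU_DIGITAL_SIGNATURE);
            switch (algorithm) {
                case "RSA":
                    // Without digitalSignature only a non-client use with keyEncipherment passes.
                    return digitalSignature || (this != CLIENT && getBit(keyUsage, KU_KEY_ENCIPHERMENT));
                case "RSASSA-PSS":
                    // digitalSignature is only demanded of server certificates.
                    return digitalSignature || this != SERVER;
                case "DSA":
                    return digitalSignature;
                case "DH":
                    return getBit(keyUsage, KU_KEY_AGREEMENT);
                case "EC":
                    // Servers additionally need keyAgreement.
                    return digitalSignature && (this != SERVER || getBit(keyUsage, KU_KEY_AGREEMENT));
                default:
                    return true;
            }
        }

        /** Returns the {@code Validator} variant name that goes with this use. */
        public String getValidator() {
            if (this == CLIENT) {
                return Validator.VAR_TLS_CLIENT;
            }
            return this == SERVER ? Validator.VAR_TLS_SERVER : Validator.VAR_GENERIC;
        }
    }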

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl$EntryStatus.class */
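    /**
     * A candidate key store entry with the result of its certificate check.
     *
     * <p>Candidates sort by check result first and by key type preference second, so the best
     * candidate is the smallest element.
     */
    public static class EntryStatus implements Comparable<EntryStatus> {
        /** Index of the builder, within the key manager's builder list, that holds the entry. */
        final int builderIndex;
        /** Index of the first requested key type the entry matched; lower is preferred. */
        final int keyIndex;
        /** Alias of the entry inside its key store. */
        final String alias;
        /** Result of the certificate check for the entry. */
        final CheckResult checkResult;

        /**
         * @param i builder index
         * @param i2 key type index
         * @param str key store alias
         * @param certificateArr the entry's certificate chain; accepted but not stored
         * @param checkResult result of the certificate check
         */
        EntryStatus(int i, int i2, String str, Certificate[] certificateArr, CheckResult checkResult) {
            this.builderIndex = i;
            this.keyIndex = i2;
            this.alias = str;
            this.checkResult = checkResult;
        }

        @Override
        public int compareTo(EntryStatus entryStatus) {
            int byResult = this.checkResult.compareTo(entryStatus.checkResult);
            if (byResult != 0) {
                return byResult;
            }
            // Integer.compare cannot overflow the way a subtraction of two ints can.
            return Integer.compare(this.keyIndex, entryStatus.keyIndex);
        }

        @Override
        public String toString() {
            // The decompiler had replaced the ")" literal with a reference to a constant of the
            // same value in sun.tools.java.RuntimeConstants, which is not part of this package.
            String described = this.alias + " (verified: " + this.checkResult + ")";
            if (this.builderIndex == 0) {
                return described;
            }
            return "Builder #" + this.builderIndex + ", alias: " + described;
        }
    }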

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl$KeyType.class */
    /**
     * A requested key type: a key algorithm, optionally followed by {@code _} and the
     * algorithm of the key that signed the certificate (for example {@code "EC_RSA"}).
     */
    public static class KeyType {
        /** Algorithm the end-entity public key must have. */
        final String keyAlgorithm;
        /** Algorithm of the signing key, or {@code null} when the type names none. */
        final String sigKeyAlgorithm;

        /** Splits the type name at its first underscore, if it has one. */
        KeyType(String str) {
            final int separator = str.indexOf('_');
            final boolean namesSigner = separator != -1;
            this.keyAlgorithm = namesSigner ? str.substring(0, separator) : str;
            this.sigKeyAlgorithm = namesSigner ? str.substring(separator + 1) : null;
        }

        /**
         * Tells whether a certificate chain fits this key type.
         *
         * @param certificateArr the chain, end-entity certificate first; must not be empty
         * @return {@code true} if the end-entity key algorithm matches and, when a signing
         *         algorithm is named, the signer matches as well
         */
        boolean matches(Certificate[] certificateArr) {
            String leafKeyAlgorithm = certificateArr[0].getPublicKey().getAlgorithm();
            if (!leafKeyAlgorithm.equals(this.keyAlgorithm)) {
                return false;
            }
            if (this.sigKeyAlgorithm == null) {
                return true;
            }
            if (certificateArr.length > 1) {
                // With an issuer certificate in the chain, compare against its key algorithm.
                String issuerKeyAlgorithm = certificateArr[1].getPublicKey().getAlgorithm();
                return this.sigKeyAlgorithm.equals(issuerKeyAlgorithm);
            }
            // Only the end-entity certificate is available: look for "WITH<alg>" in the name of
            // its signature algorithm instead.
            X509Certificate leaf = (X509Certificate) certificateArr[0];
            String signatureName = leaf.getSigAlgName().toUpperCase(Locale.ENGLISH);
            String wanted = "WITH" + this.sigKeyAlgorithm.toUpperCase(Locale.ENGLISH);
            return signatureName.contains(wanted);
        }
    }

    /* loaded from: input_file:win/1.8.0_292/jre/lib/jsse.jar:sun/security/ssl/X509KeyManagerImpl$SizedMap.class */
    /**
     * A {@link LinkedHashMap} that drops its eldest entry whenever an insertion leaves it with
     * more than {@value #MAX_ENTRIES} entries.
     */
    private static class SizedMap<K, V> extends LinkedHashMap<K, V> {
        private static final long serialVersionUID = -8211222668790986062L;

        /** Largest number of entries the map keeps. */
        private static final int MAX_ENTRIES = 10;

        private SizedMap() {
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<K, V> entry) {
            return MAX_ENTRIES < size();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a key manager backed by a single key store builder.
     *
     * @param builder the only builder to draw keys from
     */
    public X509KeyManagerImpl(KeyStore.Builder builder) {
        this(Collections.<KeyStore.Builder>singletonList(builder));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a key manager backed by the given key store builders.
     *
     * @param list the builders; the list is kept by reference, not copied, so later changes
     *             by the caller change which builder an index in an alias resolves to
     */
    public X509KeyManagerImpl(List<KeyStore.Builder> list) {
        Map<String, Reference<KeyStore.PrivateKeyEntry>> boundedCache = new SizedMap<>();
        this.entryCacheMap = Collections.synchronizedMap(boundedCache);
        this.uidCounter = new AtomicLong();
        this.builders = list;
    }

    /**
     * Returns the certificate chain of the entry an alias refers to.
     *
     * @param str an alias previously returned by this key manager
     * @return the chain, or {@code null} if the alias does not resolve to a private key entry
     * @throws ClassCastException if the entry's chain is not an {@code X509Certificate[]}
     */
    @Override
    public X509Certificate[] getCertificateChain(String str) {
        final KeyStore.PrivateKeyEntry keyEntry = getEntry(str);
        return keyEntry != null ? (X509Certificate[]) keyEntry.getCertificateChain() : null;
    }

    /**
     * Returns the private key of the entry an alias refers to.
     *
     * @param str an alias previously returned by this key manager
     * @return the key, or {@code null} if the alias does not resolve to a private key entry
     */
    @Override
    public PrivateKey getPrivateKey(String str) {
        final KeyStore.PrivateKeyEntry keyEntry = getEntry(str);
        return keyEntry != null ? keyEntry.getPrivateKey() : null;
    }

    /**
     * Picks a client key for a socket-based handshake.
     *
     * @param strArr acceptable key types, most preferred first
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param socket the handshaking socket, used to derive algorithm constraints
     * @return an alias for the chosen entry, or {@code null} if none is available
     */
    @Override
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        List<KeyType> requestedTypes = getKeyTypes(strArr);
        AlgorithmConstraints constraints = getAlgorithmConstraints(socket);
        return chooseAlias(requestedTypes, principalArr, CheckType.CLIENT, constraints);
    }

    /**
     * Picks a client key for an engine-based handshake.
     *
     * @param strArr acceptable key types, most preferred first
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param sSLEngine the handshaking engine, used to derive algorithm constraints
     * @return an alias for the chosen entry, or {@code null} if none is available
     */
    @Override
    public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<KeyType> requestedTypes = getKeyTypes(strArr);
        AlgorithmConstraints constraints = getAlgorithmConstraints(sSLEngine);
        return chooseAlias(requestedTypes, principalArr, CheckType.CLIENT, constraints);
    }

    /**
     * Picks a server key for a socket-based handshake. Candidates are also checked against
     * the server names the peer requested, using the {@code "HTTPS"} identification algorithm.
     *
     * @param str the key type required
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param socket the handshaking socket
     * @return an alias for the chosen entry, or {@code null} if none is available
     */
    @Override
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        List<KeyType> requestedTypes = getKeyTypes(str);
        AlgorithmConstraints constraints = getAlgorithmConstraints(socket);
        List<SNIServerName> requestedNames = X509TrustManagerImpl.getRequestedServerNames(socket);
        return chooseAlias(requestedTypes, principalArr, CheckType.SERVER, constraints, requestedNames, "HTTPS");
    }

    /**
     * Picks a server key for an engine-based handshake. Candidates are also checked against
     * the server names the peer requested, using the {@code "HTTPS"} identification algorithm.
     *
     * @param str the key type required
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param sSLEngine the handshaking engine
     * @return an alias for the chosen entry, or {@code null} if none is available
     */
    @Override
    public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        List<KeyType> requestedTypes = getKeyTypes(str);
        AlgorithmConstraints constraints = getAlgorithmConstraints(sSLEngine);
        List<SNIServerName> requestedNames = X509TrustManagerImpl.getRequestedServerNames(sSLEngine);
        return chooseAlias(requestedTypes, principalArr, CheckType.SERVER, constraints, requestedNames, "HTTPS");
    }

    /**
     * Lists every alias usable for client authentication with the given key type.
     * No algorithm constraints are passed on, so candidates are not filtered by them.
     *
     * @param str the key type
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @return the aliases, best candidate first, or {@code null} if there are none
     */
    @Override
    public String[] getClientAliases(String str, Principal[] principalArr) {
        final AlgorithmConstraints noConstraints = null;
        return getAliases(str, principalArr, CheckType.CLIENT, noConstraints);
    }

    /**
     * Lists every alias usable for server authentication with the given key type.
     * No algorithm constraints are passed on, so candidates are not filtered by them.
     *
     * @param str the key type
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @return the aliases, best candidate first, or {@code null} if there are none
     */
    @Override
    public String[] getServerAliases(String str, Principal[] principalArr) {
        final AlgorithmConstraints noConstraints = null;
        return getAliases(str, principalArr, CheckType.SERVER, noConstraints);
    }

    /**
     * Builds the algorithm constraints that apply to a socket-based handshake.
     *
     * <p>The peer's supported signature algorithms are only taken into account when a
     * handshake session exists and {@code ProtocolVersion.useTLS12PlusSpec} accepts its
     * protocol. A socket that is null, unconnected or not an {@link SSLSocket} yields
     * constraints that are not bound to any socket.
     */
    private AlgorithmConstraints getAlgorithmConstraints(Socket socket) {
        boolean tlsSocket = socket != null && socket.isConnected() && socket instanceof SSLSocket;
        if (!tlsSocket) {
            return new SSLAlgorithmConstraints((SSLSocket) null, true);
        }

        SSLSocket tls = (SSLSocket) socket;
        SSLSession handshake = tls.getHandshakeSession();
        boolean negotiatesSigAlgs = handshake != null && ProtocolVersion.useTLS12PlusSpec(handshake.getProtocol());
        if (!negotiatesSigAlgs) {
            return new SSLAlgorithmConstraints(tls, true);
        }

        String[] peerSigAlgs = handshake instanceof ExtendedSSLSession
                ? ((ExtendedSSLSession) handshake).getPeerSupportedSignatureAlgorithms()
                : null;
        return new SSLAlgorithmConstraints(tls, peerSigAlgs, true);
    }

    /**
     * Builds the algorithm constraints that apply to an engine-based handshake.
     *
     * <p>The peer's supported signature algorithms are only taken into account when a
     * handshake session exists and {@code ProtocolVersion.useTLS12PlusSpec} accepts its
     * protocol.
     */
    private AlgorithmConstraints getAlgorithmConstraints(SSLEngine sSLEngine) {
        SSLSession handshake = sSLEngine == null ? null : sSLEngine.getHandshakeSession();
        boolean negotiatesSigAlgs = handshake != null && ProtocolVersion.useTLS12PlusSpec(handshake.getProtocol());
        if (!negotiatesSigAlgs) {
            return new SSLAlgorithmConstraints(sSLEngine, true);
        }

        String[] peerSigAlgs = handshake instanceof ExtendedSSLSession
                ? ((ExtendedSSLSession) handshake).getPeerSupportedSignatureAlgorithms()
                : null;
        return new SSLAlgorithmConstraints(sSLEngine, peerSigAlgs, true);
    }

    /**
     * Builds the externally visible alias for a candidate:
     * {@code <uid>.<builderIndex>.<keyStoreAlias>}. Each call consumes a fresh uid, so the
     * same entry gets a different alias every time.
     */
    private String makeAlias(EntryStatus entryStatus) {
        long uid = this.uidCounter.incrementAndGet();
        StringBuilder alias = new StringBuilder();
        alias.append(uid).append(".");
        alias.append(entryStatus.builderIndex).append(".");
        alias.append(entryStatus.alias);
        return alias.toString();
    }

    /**
     * Resolves an alias of the form {@code <uid>.<builderIndex>.<keyStoreAlias>} to its
     * private key entry, consulting the cache first.
     *
     * <p>Any failure while parsing the alias or reading the key store is swallowed and
     * reported as {@code null}, so callers cannot tell a missing entry from a key store that
     * could not be opened.
     *
     * @param str the alias, possibly {@code null}
     * @return the entry, or {@code null} if the alias is malformed, does not name a private
     *         key entry, or the lookup failed
     */
    private KeyStore.PrivateKeyEntry getEntry(String str) {
        if (str == null) {
            return null;
        }

        Reference<KeyStore.PrivateKeyEntry> cachedRef = this.entryCacheMap.get(str);
        if (cachedRef != null) {
            // The soft reference may have been cleared; only a live referent counts as a hit.
            KeyStore.PrivateKeyEntry cached = cachedRef.get();
            if (cached != null) {
                return cached;
            }
        }

        int firstDot = str.indexOf('.');
        int secondDot = str.indexOf('.', firstDot + 1);
        if (firstDot == -1 || secondDot == firstDot) {
            return null;
        }
        try {
            // An alias with a single dot reaches substring() with an end of -1; the resulting
            // exception is caught below and turns into null as well.
            int builderIndex = Integer.parseInt(str.substring(firstDot + 1, secondDot));
            String keyStoreAlias = str.substring(secondDot + 1);
            KeyStore.Builder builder = this.builders.get(builderIndex);
            KeyStore keyStore = builder.getKeyStore();
            // The protection parameter is requested with the full alias, not the key store alias.
            KeyStore.ProtectionParameter protection = builder.getProtectionParameter(str);
            KeyStore.Entry loaded = keyStore.getEntry(keyStoreAlias, protection);
            if (loaded instanceof KeyStore.PrivateKeyEntry) {
                KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) loaded;
                this.entryCacheMap.put(str, new SoftReference<>(keyEntry));
                return keyEntry;
            }
            return null;
        } catch (Exception e) {
            return null;
        }
    }

    /**
     * Parses key type names into {@code KeyType} objects, keeping their order.
     *
     * @param strArr the key type names
     * @return the parsed types, or {@code null} if the array is null, empty, or starts with
     *         a null element
     */
    private static List<KeyType> getKeyTypes(String... strArr) {
        boolean nothingRequested = strArr == null || strArr.length == 0 || strArr[0] == null;
        if (nothingRequested) {
            return null;
        }
        List<KeyType> parsed = new ArrayList<>(strArr.length);
        for (int idx = 0; idx < strArr.length; idx++) {
            parsed.add(new KeyType(strArr[idx]));
        }
        return parsed;
    }

    /**
     * Chooses an alias without a server name check: delegates to the six-argument overload
     * with no requested server names and no identification algorithm.
     */
    private String chooseAlias(List<KeyType> list, Principal[] principalArr, CheckType checkType, AlgorithmConstraints algorithmConstraints) {
        final List<SNIServerName> noServerNames = null;
        final String noIdAlgorithm = null;
        return chooseAlias(list, principalArr, checkType, algorithmConstraints, noServerNames, noIdAlgorithm);
    }

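    /**
     * Chooses the best entry across all builders for the requested key types.
     *
     * <p>The first builder that offers a candidate whose check result is {@code OK} wins.
     * If no builder does, the candidates that failed a check are sorted and the best of them
     * is returned anyway, so the result may name a certificate that is expired or whose
     * extensions or SNI identity did not match.
     *
     * <p>A builder whose key store cannot be read is skipped. The failure is now reported on
     * the {@code keymanager} debug channel instead of being dropped silently, so an
     * unreadable key store can be told apart from one that holds no suitable key.
     *
     * @param list requested key types, most preferred first; {@code null}/empty yields null
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param checkType the intended use
     * @param algorithmConstraints constraints the chain must conform to, or {@code null}
     * @param list2 requested server names, or {@code null}
     * @param str identification algorithm name for the server name check, or {@code null}
     * @return an alias for the chosen entry, or {@code null} if no candidate exists
     */
    private String chooseAlias(List<KeyType> list, Principal[] principalArr, CheckType checkType, AlgorithmConstraints algorithmConstraints, List<SNIServerName> list2, String str) {
        if (list == null || list.isEmpty()) {
            return null;
        }
        Set<Principal> issuerSet = getIssuerSet(principalArr);
        List<EntryStatus> fallbacks = null;
        int size = this.builders.size();
        for (int i = 0; i < size; i++) {
            try {
                List<EntryStatus> aliases = getAliases(i, list, issuerSet, false, checkType, algorithmConstraints, list2, str);
                if (aliases == null) {
                    continue;
                }
                EntryStatus best = aliases.get(0);
                if (best.checkResult == CheckResult.OK) {
                    if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                        SSLLogger.fine("KeyMgr: choosing key: " + best);
                    }
                    return makeAlias(best);
                }
                if (fallbacks == null) {
                    fallbacks = new ArrayList<>();
                }
                fallbacks.addAll(aliases);
            } catch (Exception e) {
                // Best effort: keep going with the remaining builders.
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("KeyMgr: skipping key store builder #" + i + ", its entries could not be read", e);
                }
            }
        }
        if (fallbacks == null) {
            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                SSLLogger.fine("KeyMgr: no matching key found");
            }
            return null;
        }
        Collections.sort(fallbacks);
        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
            SSLLogger.fine("KeyMgr: no good matching key found, returning best match out of", fallbacks);
        }
        return makeAlias(fallbacks.get(0));
    }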

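    /**
     * Lists the aliases of every entry that fits a key type, best candidate first.
     *
     * <p>Entries that failed a certificate check are included; they merely sort after the
     * ones that passed. No server name check is made.
     *
     * <p>A builder whose key store cannot be read is skipped. The failure is now reported on
     * the {@code keymanager} debug channel instead of being dropped silently.
     *
     * @param str the key type; {@code null} yields null
     * @param principalArr acceptable issuers, or {@code null}/empty for any
     * @param checkType the intended use
     * @param algorithmConstraints constraints the chain must conform to, or {@code null}
     * @return the aliases, or {@code null} if there are none
     */
    public String[] getAliases(String str, Principal[] principalArr, CheckType checkType, AlgorithmConstraints algorithmConstraints) {
        if (str == null) {
            return null;
        }
        Set<Principal> issuerSet = getIssuerSet(principalArr);
        List<KeyType> keyTypes = getKeyTypes(str);
        List<EntryStatus> collected = null;
        int size = this.builders.size();
        for (int i = 0; i < size; i++) {
            try {
                List<EntryStatus> aliases = getAliases(i, keyTypes, issuerSet, true, checkType, algorithmConstraints, null, null);
                if (aliases != null) {
                    if (collected == null) {
                        collected = new ArrayList<>();
                    }
                    collected.addAll(aliases);
                }
            } catch (Exception e) {
                // Best effort: keep going with the remaining builders.
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("KeyMgr: skipping key store builder #" + i + ", its entries could not be read", e);
                }
            }
        }
        if (collected == null || collected.isEmpty()) {
            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                SSLLogger.fine("KeyMgr: no matching alias found");
            }
            return null;
        }
        Collections.sort(collected);
        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
            SSLLogger.fine("KeyMgr: getting aliases", collected);
        }
        return toAliases(collected);
    }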

    /** Converts candidates to externally visible aliases, keeping their order. */
    private String[] toAliases(List<EntryStatus> list) {
        String[] result = new String[list.size()];
        int position = 0;
        for (EntryStatus status : list) {
            result[position] = makeAlias(status);
            position++;
        }
        return result;
    }

    /**
     * Turns the acceptable issuers into a set for lookup.
     *
     * @return the set, or {@code null} when no issuers were given, which callers treat as
     *         "any issuer is acceptable"
     */
    private Set<Principal> getIssuerSet(Principal[] principalArr) {
        boolean unrestricted = principalArr == null || principalArr.length == 0;
        return unrestricted ? null : new HashSet<Principal>(Arrays.asList(principalArr));
    }

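    /**
     * Collects the candidate entries of one builder's key store.
     *
     * <p>An entry is a candidate when it is a key entry with a non-empty chain made only of
     * X.509 certificates, its chain fits one of the requested key types, one of its
     * certificates was issued by an acceptable issuer (if issuers were given), and its chain
     * conforms to the algorithm constraints (if given). Each candidate then gets the
     * certificate check for {@code checkType}; a failed check does not remove it from the
     * result, it only affects the ordering done by the callers.
     *
     * <p>Two decompilation defects are repaired here. The enumeration is read with
     * {@code nextElement()}; the decompiled {@code nextElement2()} does not exist. An entry
     * whose issuers do not match is now skipped, as its log message says; the decompiled
     * code logged "Ignore alias" and then went on to evaluate the entry, which left the
     * issuer restriction without effect.
     *
     * @param i index of the builder to read
     * @param list requested key types, most preferred first
     * @param set acceptable issuers, or {@code null} for any
     * @param z {@code true} to collect every candidate; {@code false} to return as soon as a
     *          candidate passes its check with the most preferred key type
     * @param checkType the intended use
     * @param algorithmConstraints constraints the chain must conform to, or {@code null}
     * @param list2 requested server names, or {@code null}
     * @param str identification algorithm name for the server name check, or {@code null}
     * @return the candidates, or {@code null} if there are none
     * @throws Exception if the key store cannot be obtained or read
     */
    private List<EntryStatus> getAliases(int i, List<KeyType> list, Set<Principal> set, boolean z, CheckType checkType, AlgorithmConstraints algorithmConstraints, List<SNIServerName> list2, String str) throws Exception {
        KeyStore keyStore = this.builders.get(i).getKeyStore();
        List<EntryStatus> results = null;
        Date date = verificationDate;
        boolean preferred = false;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !isX509Chain(chain)) {
                continue;
            }

            int keyIndex = indexOfMatchingKeyType(list, chain);
            if (keyIndex == -1) {
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("Ignore alias " + alias + ": key algorithm does not match");
                }
                continue;
            }
            if (set != null && !hasAcceptableIssuer(chain, set)) {
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("Ignore alias " + alias + ": issuers do not match");
                }
                continue;
            }
            if (algorithmConstraints != null && !conformsToAlgorithmConstraints(algorithmConstraints, chain, checkType.getValidator())) {
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("Ignore alias " + alias + ": certificate list does not conform to algorithm constraints");
                }
                continue;
            }

            if (date == null) {
                // One timestamp is shared by all entries of this call.
                date = new Date();
            }
            CheckResult check = checkType.check((X509Certificate) chain[0], date, list2, str);
            EntryStatus status = new EntryStatus(i, keyIndex, alias, chain, check);
            if (!preferred && check == CheckResult.OK && keyIndex == 0) {
                preferred = true;
            }
            if (preferred && !z) {
                // A good match exists and the caller does not want the full list.
                return Collections.singletonList(status);
            }
            if (results == null) {
                results = new ArrayList<>();
            }
            results.add(status);
        }
        return results;
    }

    /** Tells whether every certificate in the chain is an X.509 certificate. */
    private static boolean isX509Chain(Certificate[] chain) {
        for (Certificate certificate : chain) {
            if (!(certificate instanceof X509Certificate)) {
                return false;
            }
        }
        return true;
    }

    /** Returns the index of the first key type the chain matches, or -1 if it matches none. */
    private static int indexOfMatchingKeyType(List<KeyType> keyTypes, Certificate[] chain) {
        int index = 0;
        for (KeyType keyType : keyTypes) {
            if (keyType.matches(chain)) {
                return index;
            }
            index++;
        }
        return -1;
    }

    /** Tells whether any certificate in an all-X.509 chain was issued by one of the issuers. */
    private static boolean hasAcceptableIssuer(Certificate[] chain, Set<Principal> issuers) {
        for (Certificate certificate : chain) {
            if (issuers.contains(((X509Certificate) certificate).getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }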

    /**
     * Tells whether every certificate in a chain passes an {@code AlgorithmChecker} built
     * from the given constraints and validator variant.
     *
     * <p>The chain is walked from its last element down to index 0. A checker that cannot be
     * initialised counts as non-conformance, so the entry is rejected rather than accepted
     * unchecked.
     *
     * @param algorithmConstraints the constraints to enforce
     * @param certificateArr the chain to check
     * @param str the validator variant name
     * @return {@code true} only if the checker accepted every certificate
     */
    private static boolean conformsToAlgorithmConstraints(AlgorithmConstraints algorithmConstraints, Certificate[] certificateArr, String str) {
        AlgorithmChecker checker = new AlgorithmChecker(algorithmConstraints, str);
        try {
            checker.init(false);
        } catch (CertPathValidatorException initFailure) {
            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                SSLLogger.fine("Cannot initialize algorithm constraints checker", initFailure);
            }
            return false;
        }

        int index = certificateArr.length;
        while (--index >= 0) {
            Certificate current = certificateArr[index];
            try {
                checker.check(current, Collections.<String>emptySet());
            } catch (CertPathValidatorException rejected) {
                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
                    SSLLogger.fine("Certificate does not conform to algorithm constraints", current, rejected);
                }
                return false;
            }
        }
        return true;
    }
}
