package sun.security.ssl;

import java.lang.ref.Reference;
import java.lang.ref.SoftReference;
import java.net.Socket;
import java.security.AlgorithmConstraints;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
import sun.security.provider.certpath.AlgorithmChecker;

/* loaded from: classes.dex */
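/**
 * X.509 key manager that selects key entries from one or more
 * {@link KeyStore.Builder} instances.
 *
 * <p>Aliases handed out by this class are composite strings of the form
 * {@code <uid>.<builderIndex>.<keyStoreAlias>} (see {@link #makeAlias} and
 * {@link #getEntry}); they are not the raw key store aliases.
 *
 * <p>Selection filters candidates by key type, by the issuer list supplied by
 * the peer, by the algorithm constraints of the connection, and finally ranks
 * them by certificate validity and key usage / extended key usage.
 */
final class X509KeyManagerImpl extends X509ExtendedKeyManager implements X509KeyManager {
    private static final Debug debug = Debug.getInstance("ssl");
    private static final boolean useDebug;

    // Never assigned anywhere in this file; when it is null the current time is
    // used for validity checks. NOTE(review): presumably a test hook, confirm.
    private static Date verificationDate;

    private final List<KeyStore.Builder> builders;

    // Bounded cache (see SizedMap) of softly referenced private key entries,
    // keyed by the composite alias returned to the caller.
    private final Map<String, Reference<KeyStore.PrivateKeyEntry>> entryCacheMap;

    // Source of the unique prefix of every alias produced by makeAlias().
    private final AtomicLong uidCounter;

    /**
     * Outcome of {@link CheckType#check}. The declaration order is the ranking
     * order used by {@link EntryStatus#compareTo}: {@code OK} sorts first.
     */
    public enum CheckResult {
        OK,
        EXPIRED,
        EXTENSION_MISMATCH
    }

    /**
     * The role a certificate is being selected for, together with the extended
     * key usage OIDs accepted for that role.
     */
    public enum CheckType {
        /** No usage or validity check at all. */
        NONE(Collections.<String>emptySet()),
        /** anyExtendedKeyUsage or id-kp-clientAuth. */
        CLIENT(new HashSet<String>(Arrays.asList("2.5.29.37.0", "1.3.6.1.5.5.7.3.2"))),
        /** anyExtendedKeyUsage, id-kp-serverAuth, Netscape SGC or Microsoft SGC. */
        SERVER(new HashSet<String>(Arrays.asList("2.5.29.37.0", "1.3.6.1.5.5.7.3.1", "2.16.840.1.113730.4.1", "1.3.6.1.4.1.311.10.3.3")));

        final Set<String> validEku;

        CheckType(Set<String> validEku) {
            // The OID sets are policy; expose them read-only so no caller can widen them.
            this.validEku = Collections.unmodifiableSet(validEku);
        }

        /** Returns the key usage bit at {@code index}, treating a short array as "bit not set". */
        private static boolean getBit(boolean[] keyUsage, int index) {
            return index < keyUsage.length && keyUsage[index];
        }

        /**
         * Checks that {@code cert} is usable for this role at {@code date}.
         *
         * @param cert the end-entity certificate to check
         * @param date the instant at which the certificate must be valid
         * @return {@code OK}; {@code EXTENSION_MISMATCH} if the extended key usage or key usage
         *         extension rules the certificate out (or the extension cannot be read); or
         *         {@code EXPIRED} if {@code checkValidity} rejects the date, which covers both
         *         expired and not-yet-valid certificates
         */
        CheckResult check(X509Certificate cert, Date date) {
            if (this == NONE) {
                return CheckResult.OK;
            }
            try {
                // An absent EKU extension places no restriction on the certificate.
                List<String> certEku = cert.getExtendedKeyUsage();
                if (certEku != null && Collections.disjoint(this.validEku, certEku)) {
                    return CheckResult.EXTENSION_MISMATCH;
                }
                boolean[] keyUsage = cert.getKeyUsage();
                if (keyUsage != null) {
                    String algorithm = cert.getPublicKey().getAlgorithm();
                    // Key usage bits: 0 = digitalSignature, 2 = keyEncipherment, 4 = keyAgreement.
                    boolean digitalSignature = getBit(keyUsage, 0);
                    if (algorithm.equals("RSA")) {
                        // Clients must be able to sign; servers may instead offer key encipherment.
                        if (!digitalSignature && (this == CLIENT || !getBit(keyUsage, 2))) {
                            return CheckResult.EXTENSION_MISMATCH;
                        }
                    } else if (algorithm.equals("DSA")) {
                        if (!digitalSignature) {
                            return CheckResult.EXTENSION_MISMATCH;
                        }
                    } else if (algorithm.equals("DH")) {
                        if (!getBit(keyUsage, 4)) {
                            return CheckResult.EXTENSION_MISMATCH;
                        }
                    } else if (algorithm.equals("EC")) {
                        if (!digitalSignature) {
                            return CheckResult.EXTENSION_MISMATCH;
                        }
                        if (this == SERVER && !getBit(keyUsage, 4)) {
                            return CheckResult.EXTENSION_MISMATCH;
                        }
                    }
                    // Any other key algorithm is accepted without a key usage restriction.
                }
                try {
                    cert.checkValidity(date);
                    return CheckResult.OK;
                } catch (CertificateException e) {
                    return CheckResult.EXPIRED;
                }
            } catch (CertificateException e) {
                // The extended key usage extension could not be read: treat as unusable.
                return CheckResult.EXTENSION_MISMATCH;
            }
        }
    }

    /**
     * A candidate key entry together with the result of its usage check.
     * Natural order: better {@link CheckResult} first, then lower key type index.
     */
    public static class EntryStatus implements Comparable<EntryStatus> {
        final String alias;
        final int builderIndex;
        final CheckResult checkResult;
        final int keyIndex;

        /**
         * @param builderIndex index of the builder the entry was found in
         * @param keyIndex index of the matching key type in the requested list
         * @param alias the key store alias of the entry
         * @param chain the certificate chain of the entry (not retained)
         * @param checkResult outcome of the usage check
         */
        EntryStatus(int builderIndex, int keyIndex, String alias, Certificate[] chain, CheckResult checkResult) {
            this.builderIndex = builderIndex;
            this.keyIndex = keyIndex;
            this.alias = alias;
            this.checkResult = checkResult;
        }

        @Override
        public int compareTo(EntryStatus other) {
            int byResult = this.checkResult.compareTo(other.checkResult);
            // keyIndex values are non-negative list positions, so the subtraction cannot overflow.
            return byResult == 0 ? this.keyIndex - other.keyIndex : byResult;
        }

        @Override
        public String toString() {
            String text = this.alias + " (verified: " + this.checkResult + ")";
            return this.builderIndex == 0 ? text : "Builder #" + this.builderIndex + ", alias: " + text;
        }
    }

    /**
     * A requested key type, either {@code "<keyAlgorithm>"} or
     * {@code "<keyAlgorithm>_<sigKeyAlgorithm>"}.
     */
    public static class KeyType {
        final String keyAlgorithm;
        final String sigKeyAlgorithm;

        KeyType(String str) {
            int separator = str.indexOf("_");
            if (separator == -1) {
                this.keyAlgorithm = str;
                this.sigKeyAlgorithm = null;
            } else {
                this.keyAlgorithm = str.substring(0, separator);
                this.sigKeyAlgorithm = str.substring(separator + 1);
            }
        }

        /**
         * Tells whether {@code chain} matches this key type.
         *
         * @param chain a non-empty certificate chain; when a signature key algorithm is set and
         *        the chain has a single element, that element must be an {@link X509Certificate}
         * @return {@code true} if the leaf key algorithm matches and, when a signature key
         *         algorithm is set, the issuer key (or the leaf signature algorithm name for a
         *         single-element chain) matches it as well
         */
        boolean matches(Certificate[] chain) {
            if (!chain[0].getPublicKey().getAlgorithm().equals(this.keyAlgorithm)) {
                return false;
            }
            if (this.sigKeyAlgorithm == null) {
                return true;
            }
            if (chain.length > 1) {
                // The issuer certificate is present: compare against its public key algorithm.
                return this.sigKeyAlgorithm.equals(chain[1].getPublicKey().getAlgorithm());
            }
            // Only the leaf is available: fall back to its signature algorithm name.
            String sigAlgName = ((X509Certificate) chain[0]).getSigAlgName().toUpperCase(Locale.ENGLISH);
            return sigAlgName.contains("WITH" + this.sigKeyAlgorithm.toUpperCase(Locale.ENGLISH));
        }
    }

    /** Insertion-ordered map that drops its eldest entry once it holds more than 10. */
    private static class SizedMap<K, V> extends LinkedHashMap<K, V> {
        private SizedMap() {
        }

        @Override
        protected boolean removeEldestEntry(Map.Entry<K, V> entry) {
            return size() > 10;
        }
    }

    static {
        useDebug = debug != null && Debug.isOn("keymanager");
    }

    /** Creates a key manager backed by a single builder. */
    public X509KeyManagerImpl(KeyStore.Builder builder) {
        this((List<KeyStore.Builder>) Collections.singletonList(builder));
    }

    /** Creates a key manager backed by {@code list}; the list is stored as given, not copied. */
    public X509KeyManagerImpl(List<KeyStore.Builder> list) {
        this.builders = list;
        this.uidCounter = new AtomicLong();
        this.entryCacheMap = Collections.synchronizedMap(new SizedMap<String, Reference<KeyStore.PrivateKeyEntry>>());
    }

    /**
     * Picks one alias for the given key types.
     *
     * <p>The first entry whose check result is {@code OK} wins. If no builder yields such an
     * entry, the best-ranked remaining candidate is returned, so the result may refer to a
     * certificate that is expired or whose usage extensions do not fit the role.
     *
     * @return a composite alias, or {@code null} if nothing matches
     */
    private String chooseAlias(List<KeyType> keyTypes, Principal[] issuers, CheckType checkType, AlgorithmConstraints algorithmConstraints) {
        if (keyTypes == null || keyTypes.size() == 0) {
            return null;
        }
        Set<Principal> issuerSet = getIssuerSet(issuers);
        List<EntryStatus> fallback = null;
        for (int index = 0, count = this.builders.size(); index < count; index++) {
            try {
                List<EntryStatus> candidates = getAliases(index, keyTypes, issuerSet, false, checkType, algorithmConstraints);
                if (candidates == null) {
                    continue;
                }
                EntryStatus best = candidates.get(0);
                if (best.checkResult == CheckResult.OK) {
                    if (useDebug) {
                        debug.println("KeyMgr: choosing key: " + best);
                    }
                    return makeAlias(best);
                }
                if (fallback == null) {
                    fallback = new ArrayList<EntryStatus>();
                }
                fallback.addAll(candidates);
            } catch (Exception ignored) {
                // Best effort: a builder whose key store cannot be read is skipped.
            }
        }
        if (fallback == null) {
            if (useDebug) {
                debug.println("KeyMgr: no matching key found");
            }
            return null;
        }
        Collections.sort(fallback);
        if (useDebug) {
            debug.println("KeyMgr: no good matching key found, returning best match out of:");
            debug.println(fallback.toString());
        }
        return makeAlias(fallback.get(0));
    }

    /**
     * Runs every certificate of {@code chain}, from the last element down to the leaf at
     * index 0, through an {@link AlgorithmChecker} built from {@code algorithmConstraints}.
     *
     * @return {@code false} as soon as the checker rejects a certificate or fails to initialise
     */
    private static boolean conformsToAlgorithmConstraints(AlgorithmConstraints algorithmConstraints, Certificate[] chain) {
        AlgorithmChecker checker = new AlgorithmChecker(algorithmConstraints);
        try {
            checker.init(false);
        } catch (CertPathValidatorException e) {
            return false;
        }
        for (int index = chain.length - 1; index >= 0; index--) {
            try {
                checker.check(chain[index], Collections.emptySet());
            } catch (CertPathValidatorException e) {
                return false;
            }
        }
        return true;
    }

    /**
     * Builds the algorithm constraints for a socket based handshake. The peer's supported
     * signature algorithms are only taken into account when a handshake session exists and
     * its protocol is at least TLS 1.2.
     */
    private AlgorithmConstraints getAlgorithmConstraints(Socket socket) {
        if (socket == null || !socket.isConnected() || !(socket instanceof SSLSocket)) {
            return new SSLAlgorithmConstraints((SSLSocket) null, true);
        }
        SSLSocket sslSocket = (SSLSocket) socket;
        SSLSession session = sslSocket.getHandshakeSession();
        if (session == null || ProtocolVersion.valueOf(session.getProtocol()).v < ProtocolVersion.TLS12.v) {
            return new SSLAlgorithmConstraints(sslSocket, true);
        }
        String[] peerSigAlgs = session instanceof ExtendedSSLSession
                ? ((ExtendedSSLSession) session).getPeerSupportedSignatureAlgorithms()
                : null;
        return new SSLAlgorithmConstraints(sslSocket, peerSigAlgs, true);
    }

    /**
     * Builds the algorithm constraints for an engine based handshake; same rules as the
     * socket variant.
     */
    private AlgorithmConstraints getAlgorithmConstraints(SSLEngine sslEngine) {
        SSLSession session = sslEngine == null ? null : sslEngine.getHandshakeSession();
        if (session == null || ProtocolVersion.valueOf(session.getProtocol()).v < ProtocolVersion.TLS12.v) {
            return new SSLAlgorithmConstraints(sslEngine, true);
        }
        String[] peerSigAlgs = session instanceof ExtendedSSLSession
                ? ((ExtendedSSLSession) session).getPeerSupportedSignatureAlgorithms()
                : null;
        return new SSLAlgorithmConstraints(sslEngine, peerSigAlgs, true);
    }

    /**
     * Collects the usable key entries of one builder.
     *
     * @param builderIndex index into {@link #builders}
     * @param keyTypes requested key types, most preferred first
     * @param issuerSet acceptable issuers, or {@code null} for no issuer restriction
     * @param findAll when {@code false}, return immediately once an {@code OK} entry of the
     *        most preferred key type has been seen
     * @param checkType the role to check certificates for
     * @param algorithmConstraints constraints the whole chain must satisfy, or {@code null}
     * @return the candidates in key store iteration order, or {@code null} if there are none
     * @throws Exception if the key store cannot be obtained or read
     */
    private List<EntryStatus> getAliases(int builderIndex, List<KeyType> keyTypes, Set<Principal> issuerSet, boolean findAll, CheckType checkType, AlgorithmConstraints algorithmConstraints) throws Exception {
        KeyStore keyStore = this.builders.get(builderIndex).getKeyStore();
        List<EntryStatus> results = null;
        Date date = verificationDate;
        boolean preferred = false;
        for (Enumeration<String> e = keyStore.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                continue;
            }

            // Every element is cast to X509Certificate below, so reject mixed chains up front.
            boolean incompatible = false;
            for (Certificate cert : chain) {
                if (!(cert instanceof X509Certificate)) {
                    incompatible = true;
                    break;
                }
            }
            if (incompatible) {
                continue;
            }

            // Position of the first requested key type this chain satisfies.
            int keyIndex = -1;
            int position = 0;
            for (KeyType keyType : keyTypes) {
                if (keyType.matches(chain)) {
                    keyIndex = position;
                    break;
                }
                position++;
            }
            if (keyIndex == -1) {
                if (useDebug) {
                    debug.println("Ignoring alias " + alias + ": key algorithm does not match");
                }
                continue;
            }

            if (issuerSet != null) {
                boolean found = false;
                for (Certificate cert : chain) {
                    if (issuerSet.contains(((X509Certificate) cert).getIssuerX500Principal())) {
                        found = true;
                        break;
                    }
                }
                if (!found) {
                    if (useDebug) {
                        debug.println("Ignoring alias " + alias + ": issuers do not match");
                    }
                    // Actually skip the entry. Falling through here would leave the issuer
                    // list without any effect beyond the debug message above.
                    continue;
                }
            }

            if (algorithmConstraints != null && !conformsToAlgorithmConstraints(algorithmConstraints, chain)) {
                if (useDebug) {
                    debug.println("Ignoring alias " + alias + ": certificate list does not conform to algorithm constraints");
                }
                continue;
            }

            // Fix the verification time once so that all entries are judged at the same instant.
            if (date == null) {
                date = new Date();
            }
            CheckResult checkResult = checkType.check((X509Certificate) chain[0], date);
            EntryStatus status = new EntryStatus(builderIndex, keyIndex, alias, chain, checkResult);
            if (!preferred && checkResult == CheckResult.OK && keyIndex == 0) {
                preferred = true;
            }
            if (preferred && !findAll) {
                return Collections.singletonList(status);
            }
            if (results == null) {
                results = new ArrayList<EntryStatus>();
            }
            results.add(status);
        }
        return results;
    }

    /**
     * Resolves a composite alias ({@code <uid>.<builderIndex>.<keyStoreAlias>}) to its private
     * key entry, consulting the cache first.
     *
     * @return the entry, or {@code null} if the alias is {@code null}, malformed, refers to
     *         something other than a private key entry, or the key store lookup fails
     */
    private KeyStore.PrivateKeyEntry getEntry(String alias) {
        if (alias == null) {
            return null;
        }
        Reference<KeyStore.PrivateKeyEntry> ref = this.entryCacheMap.get(alias);
        KeyStore.PrivateKeyEntry cached = ref != null ? ref.get() : null;
        if (cached != null) {
            return cached;
        }
        int firstDot = alias.indexOf('.');
        int secondDot = alias.indexOf('.', firstDot + 1);
        if (firstDot == -1 || secondDot == -1) {
            // Not an alias produced by makeAlias().
            return null;
        }
        try {
            int builderIndex = Integer.parseInt(alias.substring(firstDot + 1, secondDot));
            String keyStoreAlias = alias.substring(secondDot + 1);
            KeyStore.Builder builder = this.builders.get(builderIndex);
            // NOTE(review): the composite alias, not keyStoreAlias, is what is passed to
            // getProtectionParameter; confirm that this is what the builders expect.
            KeyStore.Entry entry = builder.getKeyStore().getEntry(keyStoreAlias, builder.getProtectionParameter(alias));
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                return null;
            }
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            this.entryCacheMap.put(alias, new SoftReference<KeyStore.PrivateKeyEntry>(privateKeyEntry));
            return privateKeyEntry;
        } catch (Exception ignored) {
            // Bad builder index, unreadable key store or unrecoverable key: report "no entry".
            return null;
        }
    }

    /** Returns the issuers as a set, or {@code null} when no issuer restriction was given. */
    private Set<Principal> getIssuerSet(Principal[] issuers) {
        if (issuers == null || issuers.length == 0) {
            return null;
        }
        return new HashSet<Principal>(Arrays.asList(issuers));
    }

    /**
     * Parses key type names into {@link KeyType}s, preserving order.
     *
     * @return the parsed list, or {@code null} if the array is {@code null}, empty, or its
     *         first element is {@code null}
     */
    private static List<KeyType> getKeyTypes(String... names) {
        if (names == null || names.length == 0 || names[0] == null) {
            return null;
        }
        List<KeyType> keyTypes = new ArrayList<KeyType>(names.length);
        for (String name : names) {
            keyTypes.add(new KeyType(name));
        }
        return keyTypes;
    }

    /** Builds a fresh composite alias {@code <uid>.<builderIndex>.<keyStoreAlias>}. */
    private String makeAlias(EntryStatus entryStatus) {
        return this.uidCounter.incrementAndGet() + "." + entryStatus.builderIndex + "." + entryStatus.alias;
    }

    /** Converts every status into a composite alias, keeping the list order. */
    private String[] toAliases(List<EntryStatus> statuses) {
        String[] aliases = new String[statuses.size()];
        for (int index = 0; index < aliases.length; index++) {
            aliases[index] = makeAlias(statuses.get(index));
        }
        return aliases;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return chooseAlias(getKeyTypes(keyTypes), issuers, CheckType.CLIENT, getAlgorithmConstraints(socket));
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine sslEngine) {
        return chooseAlias(getKeyTypes(keyTypes), issuers, CheckType.CLIENT, getAlgorithmConstraints(sslEngine));
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine sslEngine) {
        return chooseAlias(getKeyTypes(keyType), issuers, CheckType.SERVER, getAlgorithmConstraints(sslEngine));
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return chooseAlias(getKeyTypes(keyType), issuers, CheckType.SERVER, getAlgorithmConstraints(socket));
    }

    /**
     * Lists all aliases matching one key type across every builder, best candidates first.
     * Unlike {@link #chooseAlias}, entries that are expired or fail the usage check are
     * included in the result; they merely sort after the {@code OK} ones.
     *
     * @param keyType the requested key type
     * @param issuers acceptable issuers, or {@code null} / empty for no restriction
     * @param checkType the role to check certificates for
     * @param algorithmConstraints constraints for the chain, or {@code null} to skip that check
     * @return composite aliases, or {@code null} if {@code keyType} is {@code null} or nothing matches
     */
    public String[] getAliases(String keyType, Principal[] issuers, CheckType checkType, AlgorithmConstraints algorithmConstraints) {
        if (keyType == null) {
            return null;
        }
        Set<Principal> issuerSet = getIssuerSet(issuers);
        List<KeyType> keyTypes = getKeyTypes(keyType);
        List<EntryStatus> all = null;
        for (int index = 0, count = this.builders.size(); index < count; index++) {
            try {
                List<EntryStatus> candidates = getAliases(index, keyTypes, issuerSet, true, checkType, algorithmConstraints);
                if (candidates != null) {
                    if (all == null) {
                        all = new ArrayList<EntryStatus>();
                    }
                    all.addAll(candidates);
                }
            } catch (Exception ignored) {
                // Best effort: a builder whose key store cannot be read is skipped.
            }
        }
        if (all == null || all.size() == 0) {
            if (useDebug) {
                debug.println("KeyMgr: no matching alias found");
            }
            return null;
        }
        Collections.sort(all);
        if (useDebug) {
            debug.println("KeyMgr: getting aliases: " + all);
        }
        return toAliases(all);
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        KeyStore.PrivateKeyEntry entry = getEntry(alias);
        if (entry == null) {
            return null;
        }
        return (X509Certificate[]) entry.getCertificateChain();
    }

    /** Lists client aliases; no algorithm constraints are applied on this path. */
    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return getAliases(keyType, issuers, CheckType.CLIENT, null);
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        KeyStore.PrivateKeyEntry entry = getEntry(alias);
        if (entry == null) {
            return null;
        }
        return entry.getPrivateKey();
    }

    /** Lists server aliases; no algorithm constraints are applied on this path. */
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return getAliases(keyType, issuers, CheckType.SERVER, null);
    }
}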
