package org.bouncycastle.jsse.provider;

import a.a.a.b.f;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.DSAPublicKey;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x9.ECNamedCurveTable;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCExtendedSSLSession;
import org.bouncycastle.jsse.BCSNIHostName;
import org.bouncycastle.jsse.BCX509ExtendedKeyManager;
import org.bouncycastle.jsse.BCX509Key;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.NamedGroup;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.TlsUtils;

/* loaded from: classes5.dex */
class ProvX509KeyManagerSimple extends BCX509ExtendedKeyManager {
    public static final Logger d = Logger.getLogger(ProvX509KeyManagerSimple.class.getName());
    public static final Map<String, PublicKeyFilter> e;
    public static final Map<String, PublicKeyFilter> f;

    /* renamed from: a, reason: collision with root package name */
    public final boolean f41554a;

    /* renamed from: b, reason: collision with root package name */
    public final JcaJceHelper f41555b;

    /* renamed from: c, reason: collision with root package name */
    public final Map<String, Credential> f41556c;

    /* loaded from: classes5.dex */
    /**
     * One usable key-store entry: the alias it was stored under, its private key and its
     * certificate chain. Instances are created by the enclosing key manager's constructor.
     */
    public static class Credential {

        /** Key-store alias this credential was loaded under. */
        public final String f41557a;

        /** Private key for the alias; kept by reference for as long as the credential is reachable. */
        public final PrivateKey f41558b;

        /** Certificate chain for the alias; the array passed in is stored as-is, not copied. */
        public final X509Certificate[] f41559c;

        public Credential(String str, PrivateKey privateKey, X509Certificate[] x509CertificateArr) {
            this.f41559c = x509CertificateArr;
            this.f41558b = privateKey;
            this.f41557a = str;
        }
    }

    /* loaded from: classes5.dex */
    /**
     * Filter that recognises a public key either by its algorithm name or by its Java type, and then
     * requires {@code ProvAlgorithmChecker.i} to approve it for the configured key-usage index.
     */
    public static final class DefaultPublicKeyFilter implements PublicKeyFilter {

        /** Algorithm name to match case-insensitively, or {@code null} to skip the name test. */
        public final String f41560a;

        /** Key class to match with {@code isInstance}, or {@code null} to skip the type test. */
        public final Class<? extends PublicKey> f41561b;

        /** Key-usage index handed to {@code ProvAlgorithmChecker.i}. */
        public final int f41562c;

        public DefaultPublicKeyFilter(String str, int i, Class cls) {
            this.f41562c = i;
            this.f41561b = cls;
            this.f41560a = str;
        }

        /**
         * Returns {@code true} when the key matches by name or by type and the usage/constraints
         * check passes. The usage check is only reached for keys that matched.
         */
        @Override
        public final boolean a(PublicKey publicKey, boolean[] zArr, BCAlgorithmConstraints bCAlgorithmConstraints) {
            String wantedAlgorithm = this.f41560a;
            boolean matched = wantedAlgorithm != null && wantedAlgorithm.equalsIgnoreCase(JsseUtils.o(publicKey));
            if (!matched) {
                // Fall back to the type test only when the name test did not match.
                Class<? extends PublicKey> wantedType = this.f41561b;
                matched = wantedType != null && wantedType.isInstance(publicKey);
            }
            if (!matched) {
                return false;
            }
            return ProvAlgorithmChecker.i(publicKey, zArr, this.f41562c, bCAlgorithmConstraints);
        }
    }

    /* loaded from: classes5.dex */
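    /**
     * Filter for the TLS 1.3 EC key types: accepts an EC public key only when it lies on one
     * specific curve and {@code ProvAlgorithmChecker.i} approves it for key-usage index 0.
     *
     * <p>NOTE(review): the decompiled body of {@link #a} did not compile (a path without a return)
     * and negated the curve test, so a key on the right curve could never be accepted. It is
     * rewritten here to mirror {@code DefaultPublicKeyFilter}; confirm against the upstream
     * Bouncy Castle source.
     */
    public static final class ECPublicKeyFilter13 implements PublicKeyFilter {

        /** Identifier of the only curve this filter accepts. */
        public final ASN1ObjectIdentifier f41563a;

        public ECPublicKeyFilter13(ASN1ObjectIdentifier aSN1ObjectIdentifier) {
            this.f41563a = aSN1ObjectIdentifier;
        }

        /**
         * Returns {@code true} only for an EC key on the configured curve that also passes the
         * usage/constraints check.
         *
         * @param publicKey              key taken from the end-entity certificate
         * @param zArr                   key-usage flags of that certificate
         * @param bCAlgorithmConstraints constraints forwarded to the usage check
         */
        @Override
        public final boolean a(PublicKey publicKey, boolean[] zArr, BCAlgorithmConstraints bCAlgorithmConstraints) {
            boolean isEcKey = "EC".equalsIgnoreCase(JsseUtils.o(publicKey)) || ECPublicKey.class.isInstance(publicKey);
            if (!isEcKey) {
                return false;
            }
            // JsseUtils.l presumably yields the key's named-curve identifier and s() compares
            // identifiers - TODO confirm. A key on any other curve is rejected here.
            if (!this.f41563a.s(JsseUtils.l(publicKey))) {
                return false;
            }
            return ProvAlgorithmChecker.i(publicKey, zArr, 0, bCAlgorithmConstraints);
        }
    }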

    /* loaded from: classes5.dex */
    /**
     * Outcome of testing one credential against a key-type request. Matches sort so that the most
     * preferable one compares lowest.
     */
    public static final class Match implements Comparable<Match> {
        /** Threshold quality: compareTo and the search loop treat qualities ordered before it as one group. */
        public static final Quality x = Quality.MISMATCH_SNI;

        /** Sentinel for "no match": quality NONE, largest possible key-type index, no credential. */
        public static final Match f41564y = new Match(Quality.NONE, Integer.MAX_VALUE, null);

        /** Quality assigned to the credential's end-entity certificate. */
        public final Quality f41565a;

        /** Index into the requested key-type list at which the credential matched. */
        public final int f41566b;

        /** Matched credential; {@code null} only for the sentinel above. */
        public final Credential f41567s;

        /** Declaration order is significant: compareTo relies on it, best first. */
        public enum Quality {
            OK,
            RSA_MULTI_USE,
            MISMATCH_SNI,
            EXPIRED,
            NONE
        }

        public Match(Quality quality, int i, Credential credential) {
            this.f41567s = credential;
            this.f41566b = i;
            this.f41565a = quality;
        }

        /**
         * Orders first by whether the quality is below the {@link #x} threshold (below sorts
         * first), then by lower key-type index, then by quality.
         */
        @Override
        public final int compareTo(Match match) {
            boolean otherBelowThreshold = match.f41565a.compareTo(x) < 0;
            boolean thisBelowThreshold = this.f41565a.compareTo(x) < 0;
            if (otherBelowThreshold != thisBelowThreshold) {
                return Boolean.compare(otherBelowThreshold, thisBelowThreshold);
            }
            if (this.f41566b != match.f41566b) {
                return Integer.compare(this.f41566b, match.f41566b);
            }
            return this.f41565a.compareTo(match.f41565a);
        }
    }

    /* loaded from: classes5.dex */
    /**
     * Decides whether a certificate's public key is acceptable for one requested key type.
     * Implementations in this file are DefaultPublicKeyFilter and ECPublicKeyFilter13.
     */
    public interface PublicKeyFilter {
        /**
         * @param publicKey              public key of the end-entity certificate
         * @param zArr                   key-usage flags; callers in this file pass
         *                               {@code X509Certificate.getKeyUsage()}, which may be {@code null}
         * @param bCAlgorithmConstraints algorithm constraints to apply to the key
         * @return {@code true} if the key may be used for the key type this filter is registered under
         */
        boolean a(PublicKey publicKey, boolean[] zArr, BCAlgorithmConstraints bCAlgorithmConstraints);
    }

    // Builds the two key-type -> filter tables. The matching code picks table f when its
    // server flag is true and table e otherwise. Every registration helper throws
    // IllegalStateException on a duplicate key, so each key type maps to exactly one filter.
    static {
        HashMap clientFilters = new HashMap();
        g("Ed25519", clientFilters);
        g("Ed448", clientFilters);
        // Numeric arguments to f(...) are named-group codes; f(...) rejects any code that is not
        // valid for the protocol version it checks against.
        f(31, clientFilters);
        f(32, clientFilters);
        f(33, clientFilters);
        f(23, clientFilters);
        f(24, clientFilters);
        f(25, clientFilters);
        g("RSA", clientFilters);
        g("RSASSA-PSS", clientFilters);
        h(clientFilters, 0, null, DSAPublicKey.class, "DSA");
        h(clientFilters, 0, null, ECPublicKey.class, "EC");
        e = Collections.unmodifiableMap(clientFilters);

        HashMap serverFilters = new HashMap();
        g("Ed25519", serverFilters);
        g("Ed448", serverFilters);
        f(31, serverFilters);
        f(32, serverFilters);
        f(33, serverFilters);
        f(23, serverFilters);
        f(24, serverFilters);
        f(25, serverFilters);
        g("RSA", serverFilters);
        g("RSASSA-PSS", serverFilters);
        // The trailing ints are turned into key-type names by JsseUtils.g inside i(...);
        // presumably legacy key-exchange codes - TODO confirm. The second argument is the
        // key-usage index the filter requires (2 only for the last registration).
        i(serverFilters, 0, null, DSAPublicKey.class, 3, 22);
        i(serverFilters, 0, null, ECPublicKey.class, 17);
        i(serverFilters, 0, "RSA", null, 5, 19, 23);
        i(serverFilters, 2, "RSA", null, 1);
        f = Collections.unmodifiableMap(serverFilters);
    }

    /**
     * Loads every private-key entry of the key store into an immutable alias -> credential map.
     * Entries are skipped when they are not private-key entries, when the key cannot be obtained
     * with the given password (null result), or when {@code TlsUtils.U} rejects the converted chain
     * (presumably a null-or-empty test - TODO confirm).
     *
     * <p>The password array is only passed through to {@code KeyStore.getKey}; it is not stored.
     * The loaded private keys stay referenced for the lifetime of this key manager.
     *
     * @param z            stored and later forwarded to the chain check
     * @param jcaJceHelper stored and later forwarded to the chain check
     * @param keyStore     source of credentials; {@code null} yields an empty manager
     * @param cArr         password used for every key entry
     */
    public ProvX509KeyManagerSimple(boolean z, JcaJceHelper jcaJceHelper, KeyStore keyStore, char[] cArr) {
        this.f41554a = z;
        this.f41555b = jcaJceHelper;
        HashMap<String, Credential> credentialsByAlias = new HashMap<String, Credential>(4);
        if (keyStore != null) {
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements(); ) {
                String alias = aliases.nextElement();
                if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                    continue;
                }
                PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, cArr);
                if (privateKey == null) {
                    continue;
                }
                X509Certificate[] chain = JsseUtils.t(keyStore.getCertificateChain(alias));
                if (TlsUtils.U(chain)) {
                    continue;
                }
                credentialsByAlias.put(alias, new Credential(alias, privateKey, chain));
            }
        }
        this.f41556c = Collections.unmodifiableMap(credentialsByAlias);
    }

    /**
     * Registers an ECPublicKeyFilter13 for named group {@code i} under the key produced by
     * {@code JsseUtils.k(i, "EC")}. If no curve name or curve identifier can be resolved for the
     * group, nothing is registered and a warning is logged.
     *
     * @throws IllegalStateException if the group is rejected by {@code NamedGroup.a} for the
     *                               checked protocol version, or the key is already registered
     */
    public static void f(int i, HashMap hashMap) {
        if (!NamedGroup.a(i, ProtocolVersion.f42542g)) {
            throw new IllegalStateException("Invalid named group for TLS 1.3 EC filter");
        }
        String curveName = NamedGroup.c(i);
        ASN1ObjectIdentifier curveId = curveName == null ? null : ECNamedCurveTable.e(curveName);
        if (curveId == null) {
            d.warning("Failed to register public key filter for EC with " + NamedGroup.g(i));
            return;
        }
        Object previous = hashMap.put(JsseUtils.k(i, "EC"), new ECPublicKeyFilter13(curveId));
        if (previous != null) {
            throw new IllegalStateException("Duplicate keys in filters");
        }
    }

    /**
     * Registers a name-based filter for algorithm {@code str} under the key type of the same
     * name, requiring key-usage index 0.
     */
    public static void g(String str, HashMap hashMap) {
        String[] keyTypes = {str};
        h(hashMap, 0, str, null, keyTypes);
    }

    /**
     * Creates one DefaultPublicKeyFilter and registers it under every key type in {@code strArr}.
     *
     * @param i   key-usage index the filter requires
     * @param str algorithm name to match, or {@code null}
     * @param cls key class to match, or {@code null}
     * @throws IllegalStateException if any of the key types is already present in the map
     */
    public static void h(HashMap hashMap, int i, String str, Class cls, String... strArr) {
        PublicKeyFilter sharedFilter = new DefaultPublicKeyFilter(str, i, cls);
        for (int idx = 0; idx < strArr.length; idx++) {
            Object previous = hashMap.put(strArr[idx], sharedFilter);
            if (previous != null) {
                throw new IllegalStateException("Duplicate keys in filters");
            }
        }
    }

    /**
     * Same as {@code h}, but the key types are given as numeric codes that {@code JsseUtils.g}
     * converts to key-type names first.
     */
    public static void i(HashMap hashMap, int i, String str, Class cls, int... iArr) {
        String[] keyTypes = new String[iArr.length];
        int pos = 0;
        for (int code : iArr) {
            keyTypes[pos++] = JsseUtils.g(code);
        }
        h(hashMap, i, str, cls, keyTypes);
    }

    /**
     * Normalises a key-type request: removes duplicates while keeping first-seen order and
     * returns an unmodifiable list.
     *
     * @param strArr requested key types; {@code null} or empty yields an empty list
     * @return unmodifiable list of distinct key types in request order
     * @throws IllegalArgumentException if any element is {@code null}
     */
    public static List<String> n(String... strArr) {
        boolean nothingRequested = strArr == null || strArr.length <= 0;
        if (nothingRequested) {
            return Collections.emptyList();
        }
        List<String> distinct = new ArrayList<String>(strArr.length);
        for (int idx = 0; idx < strArr.length; idx++) {
            String keyType = strArr[idx];
            if (keyType == null) {
                throw new IllegalArgumentException("Key types cannot be null");
            }
            // Requests are short, so a linear duplicate scan keeps the order without a second set.
            if (distinct.indexOf(keyType) < 0) {
                distinct.add(keyType);
            }
        }
        return Collections.unmodifiableList(distinct);
    }

    /**
     * Converts the acceptable-issuer array into a set, dropping {@code null} elements.
     *
     * @param principalArr acceptable issuers as passed to the key manager, may be {@code null}
     * @return {@code null} if the array is {@code null}; an empty set if it holds no non-null
     *         element; otherwise an unmodifiable set of the non-null issuers
     */
    public static Set<Principal> p(Principal[] principalArr) {
        if (principalArr == null) {
            return null;
        }
        Set<Principal> issuers = new HashSet<Principal>();
        for (int idx = 0; idx < principalArr.length; idx++) {
            Principal issuer = principalArr[idx];
            if (issuer != null) {
                issuers.add(issuer);
            }
        }
        if (issuers.isEmpty()) {
            return Collections.emptySet();
        }
        return Collections.unmodifiableSet(issuers);
    }

    /** Selects a key for a socket-based connection with the server flag off (client side). */
    @Override
    public final BCX509Key a(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.a(socket);
        return k(keyTypes, principalArr, transport, false);
    }

    /** Selects a key for an engine-based connection with the server flag off (client side). */
    @Override
    public final BCX509Key b(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.b(sSLEngine);
        return k(keyTypes, principalArr, transport, false);
    }

    /** Selects a key for an engine-based connection with the server flag on. */
    @Override
    public final BCX509Key c(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.b(sSLEngine);
        return k(keyTypes, principalArr, transport, true);
    }

    /**
     * Returns the alias of the best client credential for the requested key types and issuers,
     * or {@code null} if none matches.
     */
    @Override
    public final String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.a(socket);
        return j(keyTypes, principalArr, transport, false);
    }

    /**
     * Engine variant of {@code chooseClientAlias}: returns the best client alias, or
     * {@code null} if none matches.
     */
    @Override
    public final String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.b(sSLEngine);
        return j(keyTypes, principalArr, transport, false);
    }

    /**
     * Engine variant of {@code chooseServerAlias}: returns the best server alias for the single
     * key type, or {@code null} if none matches. A {@code null} key type is rejected by {@code n}.
     */
    @Override
    public final String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = n(str);
        TransportData transport = TransportData.b(sSLEngine);
        return j(keyTypes, principalArr, transport, true);
    }

    /**
     * Returns the alias of the best server credential for the single key type, or {@code null}
     * if none matches. A {@code null} key type is rejected by {@code n}.
     */
    @Override
    public final String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = n(str);
        TransportData transport = TransportData.a(socket);
        return j(keyTypes, principalArr, transport, true);
    }

    /** Selects a key for a socket-based connection with the server flag on. */
    @Override
    public final BCX509Key d(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = n(strArr);
        TransportData transport = TransportData.a(socket);
        return k(keyTypes, principalArr, transport, true);
    }

    /**
     * Looks up the credential stored under alias {@code str2} and wraps it as a key labelled
     * with key type {@code str}. No check is made here that the credential suits that key type.
     *
     * @return the wrapped key, or {@code null} if the alias is {@code null} or unknown
     */
    @Override
    public final BCX509Key e(String str, String str2) {
        if (str2 == null) {
            return null;
        }
        Credential credential = this.f41556c.get(str2);
        if (credential == null) {
            return null;
        }
        return new ProvX509Key(str, credential.f41558b, credential.f41559c);
    }

    /**
     * Returns a copy of the certificate chain stored under the alias, so callers cannot modify
     * the array held by this key manager.
     *
     * @return cloned chain, or {@code null} if the alias is {@code null} or unknown
     */
    @Override
    public final X509Certificate[] getCertificateChain(String str) {
        if (str == null) {
            return null;
        }
        Credential credential = this.f41556c.get(str);
        if (credential == null) {
            return null;
        }
        return (X509Certificate[]) credential.f41559c.clone();
    }

    /**
     * Lists the aliases of all credentials matching the key type and issuers for client use,
     * best first, or {@code null} if there are none.
     */
    @Override
    public final String[] getClientAliases(String str, Principal[] principalArr) {
        List<String> keyTypes = n(str);
        return l(keyTypes, principalArr, false);
    }

    /**
     * Returns the private key stored under the alias. The stored key object itself is handed
     * out, so anything able to call this method with a valid alias obtains the key.
     *
     * @return the private key, or {@code null} if the alias is {@code null} or unknown
     */
    @Override
    public final PrivateKey getPrivateKey(String str) {
        if (str == null) {
            return null;
        }
        Credential credential = this.f41556c.get(str);
        if (credential == null) {
            return null;
        }
        return credential.f41558b;
    }

    /**
     * Lists the aliases of all credentials matching the key type and issuers for server use,
     * best first, or {@code null} if there are none.
     */
    @Override
    public final String[] getServerAliases(String str, Principal[] principalArr) {
        List<String> keyTypes = n(str);
        return l(keyTypes, principalArr, true);
    }

    /**
     * Finds the best match and returns its alias.
     *
     * @param z server flag forwarded to the search
     * @return alias of the best matching credential, or {@code null} when the search only
     *         produced the "no match" sentinel
     */
    public final String j(List<String> list, Principal[] principalArr, TransportData transportData, boolean z) {
        Match best = m(list, principalArr, transportData, z);
        if (best.compareTo(Match.f41564y) >= 0) {
            d.fine("No matching key found");
            return null;
        }
        String keyType = list.get(best.f41566b);
        String alias = best.f41567s.f41557a;
        // Only the key type and alias are logged, never key material.
        if (d.isLoggable(Level.FINE)) {
            d.fine("Found matching key of type: " + keyType + ", returning alias: " + alias);
        }
        return alias;
    }

    /**
     * Finds the best match and returns it as a key object carrying the matched key type, the
     * private key and the certificate chain.
     *
     * @param z server flag forwarded to the search
     * @return the key for the best matching credential, or {@code null} if nothing matched
     */
    public final BCX509Key k(List<String> list, Principal[] principalArr, TransportData transportData, boolean z) {
        Match best = m(list, principalArr, transportData, z);
        if (best.compareTo(Match.f41564y) < 0) {
            String keyType = list.get(best.f41566b);
            Credential credential = best.f41567s;
            if (credential != null) {
                ProvX509Key key = new ProvX509Key(keyType, credential.f41558b, credential.f41559c);
                if (d.isLoggable(Level.FINE)) {
                    // f.x is an obfuscated helper; presumably it returns a builder holding the
                    // three strings concatenated - TODO confirm.
                    StringBuilder message = f.x("Found matching key of type: ", keyType, ", from alias: ");
                    message.append(credential.f41557a);
                    d.fine(message.toString());
                }
                return key;
            }
        }
        d.fine("No matching key found");
        return null;
    }

    /**
     * Lists the aliases of every credential that matches, ordered best first.
     *
     * <p>Unlike the single-alias search, this evaluates each credential without transport data
     * ({@code TransportData.c(null, true)}) and without a requested host name.
     *
     * @param list         normalised key types
     * @param principalArr acceptable issuers, may be {@code null}
     * @param z            server flag forwarded to the per-credential check
     * @return matching aliases, or {@code null} if there are none
     */
    public final String[] l(List list, Principal[] principalArr, boolean z) {
        Map<String, Credential> credentials = this.f41556c;
        if (credentials.isEmpty() || list.isEmpty()) {
            return null;
        }
        int keyTypeCount = list.size();
        Set<Principal> issuers = p(principalArr);
        BCAlgorithmConstraints constraints = TransportData.c(null, true);
        Date now = new Date();
        ArrayList<Match> matches = new ArrayList<Match>();
        for (Credential credential : credentials.values()) {
            Match candidate = o(credential, list, keyTypeCount, issuers, constraints, z, now, null);
            if (candidate.compareTo(Match.f41564y) < 0) {
                matches.add(candidate);
            }
        }
        if (matches.isEmpty()) {
            return null;
        }
        Collections.sort(matches);
        String[] aliases = new String[matches.size()];
        for (int idx = 0; idx < aliases.length; idx++) {
            aliases[idx] = matches.get(idx).f41567s.f41557a;
        }
        return aliases;
    }

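    /**
     * Searches all credentials for the best match against the requested key types.
     *
     * <p>The requested host name is taken from the session in {@code transportData} only when
     * the server flag is set; client-side searches never apply a host-name check.
     *
     * <p>Fix over the decompiled form: the key-type limit computed after a below-threshold match
     * was overwritten at the end of every iteration, so the search never narrowed. It is now
     * kept. The selected match is unchanged, because a candidate at a higher key-type index
     * never compares below the current best; the narrowing only skips chain checks that cannot
     * win.
     *
     * @param list          normalised key types, most preferred first
     * @param principalArr  acceptable issuers, may be {@code null}
     * @param transportData connection data, may be {@code null}
     * @param z             server flag
     * @return the best match, or the sentinel {@code Match.f41564y} if nothing matched
     */
    public final Match m(List<String> list, Principal[] principalArr, TransportData transportData, boolean z) {
        Match best = Match.f41564y;
        Map<String, Credential> credentials = this.f41556c;
        if (credentials.isEmpty() || list.isEmpty()) {
            return best;
        }
        int keyTypeLimit = list.size();
        Set<Principal> issuers = p(principalArr);
        BCAlgorithmConstraints constraints = TransportData.c(transportData, true);
        Date now = new Date();

        String requestedHostName = null;
        if (transportData != null && z) {
            BCExtendedSSLSession session = transportData.f41609b;
            if (session != null) {
                BCSNIHostName sniHostName = JsseUtils.p(session.g());
                if (sniHostName != null) {
                    requestedHostName = sniHostName.f41354c;
                }
            }
        }

        for (Credential credential : credentials.values()) {
            Match candidate = o(credential, list, keyTypeLimit, issuers, constraints, z, now, requestedHostName);
            if (candidate.compareTo(best) >= 0) {
                continue;
            }
            best = candidate;
            // Quality OK at the most preferred key type cannot be beaten; stop early.
            if (Match.Quality.OK == candidate.f41565a && candidate.f41566b == 0) {
                return candidate;
            }
            // After a below-threshold match, later credentials only matter at the same or a
            // more preferred key type.
            if (candidate.f41565a.compareTo(Match.x) < 0) {
                keyTypeLimit = Math.min(keyTypeLimit, candidate.f41566b + 1);
            }
        }
        return best;
    }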

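    /**
     * Evaluates one credential against the request and rates it.
     *
     * <p>Steps: the chain must be acceptable to {@code TlsUtils.U} and to the issuer set; the
     * end-entity key must pass the filter of one of the first {@code i} key types; the chain
     * must pass {@code ProvAlgorithmChecker.a}; finally the end-entity certificate is rated.
     *
     * <p>Fixes over the decompiled form, which had lost its early exits: a failed validity check
     * now yields EXPIRED and a failed host-name check yields MISMATCH_SNI (both were overwritten
     * with OK or RSA_MULTI_USE), and a chain matching no acceptable issuer is now rejected
     * instead of the issuer loop running on. NOTE(review): reconstructed from decompiler output;
     * confirm against the upstream Bouncy Castle source.
     *
     * @param credential             credential to test
     * @param list                   normalised key types, most preferred first
     * @param i                      number of leading key types to consider
     * @param set                    acceptable issuers; {@code null} or empty accepts any chain
     * @param bCAlgorithmConstraints constraints for the key filter and the chain check
     * @param z                      server flag: selects the filter table and the key purpose
     * @param date                   instant at which certificate validity is checked
     * @param str                    requested host name, or {@code null} to skip that check
     * @return a rated match, or the sentinel {@code Match.f41564y} if the credential is unusable
     */
    public final Match o(Credential credential, List<String> list, int i, Set<Principal> set, BCAlgorithmConstraints bCAlgorithmConstraints, boolean z, Date date, String str) {
        X509Certificate[] chain = credential.f41559c;
        if (TlsUtils.U(chain) || !chainMatchesIssuers(chain, set)) {
            return Match.f41564y;
        }
        int keyTypeIndex = firstAcceptedKeyType(chain[0], list, i, bCAlgorithmConstraints, z);
        if (keyTypeIndex < 0) {
            return Match.f41564y;
        }
        String keyType = list.get(keyTypeIndex);
        // f.n is an obfuscated helper; presumably plain concatenation - TODO confirm.
        String message = f.n("EE cert potentially usable for key type: ", keyType);
        d.finer(message);
        if (!chainPassesAlgorithmCheck(chain, bCAlgorithmConstraints, z)) {
            d.finer("Unsuitable chain for key type: " + keyType);
            return Match.f41564y;
        }
        return new Match(rateEndEntity(chain[0], date, str), keyTypeIndex, credential);
    }

    /** Returns true if no issuers were requested or the chain leads to one of them. */
    private static boolean chainMatchesIssuers(X509Certificate[] chain, Set<Principal> issuers) {
        if (issuers == null || issuers.isEmpty()) {
            return true;
        }
        for (int pos = chain.length - 1; pos >= 0; pos--) {
            if (issuers.contains(chain[pos].getIssuerX500Principal())) {
                return true;
            }
        }
        // No issuer in the chain matched: accept only an end-entity certificate that carries
        // CA basic constraints and whose own subject is an acceptable issuer.
        X509Certificate endEntity = chain[0];
        return endEntity.getBasicConstraints() >= 0 && issuers.contains(endEntity.getSubjectX500Principal());
    }

    /** Returns the index of the first key type (below limit) whose filter accepts the key, else -1. */
    private static int firstAcceptedKeyType(X509Certificate endEntity, List<String> keyTypes, int limit, BCAlgorithmConstraints constraints, boolean forServer) {
        Map<String, PublicKeyFilter> filters = forServer ? f : e;
        PublicKey publicKey = endEntity.getPublicKey();
        boolean[] keyUsage = endEntity.getKeyUsage();
        for (int idx = 0; idx < limit; idx++) {
            PublicKeyFilter filter = filters.get(keyTypes.get(idx));
            if (filter != null && filter.a(publicKey, keyUsage, constraints)) {
                return idx;
            }
        }
        return -1;
    }

    /** Runs the chain check; a failure is logged at FINEST only and reported as false. */
    private boolean chainPassesAlgorithmCheck(X509Certificate[] chain, BCAlgorithmConstraints constraints, boolean forServer) {
        try {
            ProvAlgorithmChecker.a(this.f41554a, this.f41555b, constraints, Collections.emptySet(), chain, !ProvX509KeyManager.f41541g ? null : forServer ? KeyPurposeId.f39657s : KeyPurposeId.x, -1);
            return true;
        } catch (CertPathValidatorException ex) {
            d.log(Level.FINEST, "Certificate chain check failed", (Throwable) ex);
            return false;
        }
    }

    /** Rates the end-entity certificate: validity first, then host name, then RSA dual use. */
    private static Match.Quality rateEndEntity(X509Certificate endEntity, Date atDate, String requestedHostName) {
        try {
            endEntity.checkValidity(atDate);
        } catch (CertificateException ignored) {
            // Not valid at atDate; the rating carries that information.
            return Match.Quality.EXPIRED;
        }
        if (requestedHostName != null) {
            try {
                ProvX509TrustManager.g(requestedHostName, endEntity, "HTTPS");
            } catch (CertificateException ignored) {
                // Certificate does not cover the requested host name.
                return Match.Quality.MISMATCH_SNI;
            }
        }
        if ("RSA".equalsIgnoreCase(JsseUtils.o(endEntity.getPublicKey()))) {
            boolean[] keyUsage = endEntity.getKeyUsage();
            // An RSA key permitted for both usage index 0 and index 2 is ranked below OK.
            if (ProvAlgorithmChecker.j(keyUsage, 0) && ProvAlgorithmChecker.j(keyUsage, 2)) {
                return Match.Quality.RSA_MULTI_USE;
            }
        }
        return Match.Quality.OK;
    }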
}
