package net.luminis.tls.engine.impl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.function.Function;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import net.luminis.tls.NewSessionTicket;
import net.luminis.tls.ProtectionKeysType;
import net.luminis.tls.TlsConstants;
import net.luminis.tls.TlsProtocolException;
import net.luminis.tls.alert.BadCertificateAlert;
import net.luminis.tls.alert.CertificateUnknownAlert;
import net.luminis.tls.alert.DecryptErrorAlert;
import net.luminis.tls.alert.ErrorAlert;
import net.luminis.tls.alert.HandshakeFailureAlert;
import net.luminis.tls.alert.IllegalParameterAlert;
import net.luminis.tls.alert.MissingExtensionAlert;
import net.luminis.tls.alert.UnexpectedMessageAlert;
import net.luminis.tls.alert.UnsupportedExtensionAlert;
import net.luminis.tls.engine.CertificateWithPrivateKey;
import net.luminis.tls.engine.ClientMessageProcessor;
import net.luminis.tls.engine.ClientMessageSender;
import net.luminis.tls.engine.DefaultHostnameVerifier;
import net.luminis.tls.engine.HostnameVerifier;
import net.luminis.tls.engine.TlsClientEngine;
import net.luminis.tls.engine.TlsStatusEventHandler;
import net.luminis.tls.extension.CertificateAuthoritiesExtension;
import net.luminis.tls.extension.ClientHelloPreSharedKeyExtension;
import net.luminis.tls.extension.Extension;
import net.luminis.tls.extension.KeyShareExtension;
import net.luminis.tls.extension.PreSharedKeyExtension;
import net.luminis.tls.extension.ServerPreSharedKeyExtension;
import net.luminis.tls.extension.SignatureAlgorithmsExtension;
import net.luminis.tls.extension.SupportedVersionsExtension;
import net.luminis.tls.extension.UnknownExtension;
import net.luminis.tls.handshake.CertificateMessage;
import net.luminis.tls.handshake.CertificateRequestMessage;
import net.luminis.tls.handshake.CertificateVerifyMessage;
import net.luminis.tls.handshake.ClientHello;
import net.luminis.tls.handshake.EncryptedExtensions;
import net.luminis.tls.handshake.FinishedMessage;
import net.luminis.tls.handshake.NewSessionTicketMessage;
import net.luminis.tls.handshake.ServerHello;
import net.luminis.tls.log.Logger;

/* loaded from: classes3.dex */
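/**
 * Client side of a TLS 1.3 handshake, driven as a state machine over {@link Status}.
 *
 * <p>The engine sends a ClientHello from {@code startHandshake}, then consumes the server's
 * handshake messages through the overloaded {@code received(...)} callbacks. Each callback checks
 * the protection level and the expected state before touching the transcript hash or key schedule,
 * and signals failure by throwing an alert.
 *
 * <p>Server authentication happens in {@link #received(CertificateVerifyMessage, ProtectionKeysType)}:
 * the CertificateVerify signature is checked first, then the certificate chain is validated, then
 * the host name is verified. Key-schedule helpers ({@code state}, {@code computeSignature},
 * {@code computeFinishedVerifyData}, {@code generateKeys}, ...) are inherited from
 * {@code TlsEngineImpl}, which is not part of this file.
 */
public class TlsClientEngineImpl extends TlsEngineImpl implements TlsClientEngine, ClientMessageProcessor {
    /**
     * Signature schemes a caller may offer in {@code startHandshake}.
     *
     * <p>NOTE(review): this is a public, mutable list; any code holding a reference can widen or
     * narrow the set of schemes accepted by the argument check in {@code startHandshake}. Consider
     * exposing an unmodifiable view once it is confirmed that no caller mutates it.
     */
    public static final List<TlsConstants.SignatureScheme> AVAILABLE_SIGNATURES;
    private static final Charset ISO_8859_1;
    private boolean clientAuthRequested;
    private List<X500Principal> clientCertificateAuthorities;
    private ClientHello clientHello;
    private boolean compatibilityMode;
    // When non-null, replaces the platform default trust manager for server chain validation.
    private X509TrustManager customTrustManager;
    private TlsConstants.NamedGroup ecCurve;
    private NewSessionTicket newSessionTicket;
    private TlsConstants.CipherSuite selectedCipher;
    private final ClientMessageSender sender;
    private List<Extension> sentExtensions;
    private X509Certificate serverCertificate;
    private String serverName;
    private List<TlsConstants.SignatureScheme> serverSupportedSignatureSchemes;
    private final TlsStatusEventHandler statusHandler;
    private List<TlsConstants.SignatureScheme> supportedSignatures;
    private TranscriptHash transcriptHash;
    private Status status = Status.Start;
    private List<X509Certificate> serverCertificateChain = Collections.emptyList();
    private boolean pskAccepted = false;
    private List<TlsConstants.CipherSuite> supportedCiphers = new ArrayList<>();
    private List<Extension> requestedExtensions = new ArrayList<>();
    private HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
    private List<NewSessionTicket> obtainedNewSessionTickets = new ArrayList<>();
    // Default selector: offers no client certificate, whatever authorities the server names.
    private Function<List<X500Principal>, CertificateWithPrivateKey> clientCertificateSelector =
            new Function<List<X500Principal>, CertificateWithPrivateKey>() {
                @Override
                public CertificateWithPrivateKey apply(List<X500Principal> authorities) {
                    return TlsClientEngineImpl.lambda$new$0(authorities);
                }
            };

    /** Handshake states, in the order a full (non-PSK) handshake passes through them. */
    public enum Status {
        Start,
        WaitServerHello,
        WaitEncryptedExtensions,
        WaitCertificateRequest,
        WaitCertificate,
        WaitCertificateVerify,
        WaitFinished,
        Connected
    }

    static {
        List<TlsConstants.SignatureScheme> available = new ArrayList<>();
        available.add(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256);
        available.add(TlsConstants.SignatureScheme.rsa_pss_rsae_sha384);
        available.add(TlsConstants.SignatureScheme.rsa_pss_rsae_sha512);
        available.add(TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256);
        available.add(TlsConstants.SignatureScheme.ecdsa_secp384r1_sha384);
        available.add(TlsConstants.SignatureScheme.ecdsa_secp521r1_sha512);
        AVAILABLE_SIGNATURES = available;
        ISO_8859_1 = Charset.forName("ISO-8859-1");
    }

    /**
     * Creates an engine in state {@link Status#Start}.
     *
     * @param clientMessageSender   sink for outgoing handshake messages
     * @param tlsStatusEventHandler receiver of handshake progress events
     */
    public TlsClientEngineImpl(ClientMessageSender clientMessageSender, TlsStatusEventHandler tlsStatusEventHandler) {
        this.sender = clientMessageSender;
        this.statusHandler = tlsStatusEventHandler;
    }

    /**
     * Decides whether the client certificate can be used with the given signature scheme.
     *
     * <p>NOTE(review): the decision is based on {@code getSigAlgName()}, i.e. the algorithm the
     * issuer used to sign the certificate, not on the type of the key the certificate carries.
     * For a certificate whose key type differs from its issuer's, this picks the wrong family;
     * confirm whether the public key algorithm should be used instead.
     *
     * @param x509Certificate the client certificate
     * @param signatureScheme the candidate scheme
     * @return true when the scheme is in the fixed set accepted for the certificate's algorithm family
     */
    private boolean certificateSupportsSignature(X509Certificate x509Certificate, TlsConstants.SignatureScheme signatureScheme) {
        // Locale.ROOT: with the default locale, an upper-case "WITH" lower-cases to a dotless i
        // under e.g. a Turkish locale and the substring match silently fails.
        String sigAlgName = x509Certificate.getSigAlgName().toLowerCase(Locale.ROOT);
        if (sigAlgName.contains("withrsa")) {
            return Arrays.asList(
                    TlsConstants.SignatureScheme.rsa_pss_rsae_sha256,
                    TlsConstants.SignatureScheme.rsa_pss_rsae_sha384).contains(signatureScheme);
        }
        if (sigAlgName.contains("withecdsa")) {
            return Arrays.asList(TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256).contains(signatureScheme);
        }
        return false;
    }

    /**
     * Builds a human-readable failure reason from the cause of a certificate exception.
     *
     * @param certificateException the exception thrown by the trust manager
     * @return message plus validator reason for a {@link CertPathValidatorException}, the message
     *         for a {@link CertPathBuilderException}, otherwise {@code null}
     */
    private String extractReason(CertificateException certificateException) {
        Throwable cause = certificateException.getCause();
        if (cause instanceof CertPathValidatorException) {
            CertPathValidatorException.Reason reason = ((CertPathValidatorException) cause).getReason();
            return cause.getMessage() + ": " + reason;
        }
        if (cause instanceof CertPathBuilderException) {
            return cause.getMessage();
        }
        return null;
    }

    /** Body of the default client-certificate selector: never offers a certificate. */
    public static /* synthetic */ CertificateWithPrivateKey lambda$new$0(List<X500Principal> list) {
        return null;
    }

    /**
     * Answers a CertificateRequest: sends a Certificate message and, when a certificate was
     * selected, a CertificateVerify message signed with the selected private key.
     *
     * <p>The Certificate message is sent even when the selector returns {@code null}; in that case
     * it is built from a {@code null} certificate and no CertificateVerify follows.
     *
     * @throws IOException            if sending fails
     * @throws HandshakeFailureAlert  if no signature scheme is acceptable to both sides and
     *                                compatible with the certificate
     */
    private void sendClientAuth() throws IOException, ErrorAlert {
        CertificateWithPrivateKey selected = this.clientCertificateSelector.apply(this.clientCertificateAuthorities);
        CertificateMessage certificateMessage = new CertificateMessage(selected != null ? selected.getCertificate() : null);
        this.sender.send(certificateMessage);
        this.transcriptHash.recordClient(certificateMessage);
        if (selected == null) {
            return;
        }

        // First scheme in the server's order that the client offered and the certificate supports.
        TlsConstants.SignatureScheme negotiated = null;
        for (TlsConstants.SignatureScheme candidate : this.serverSupportedSignatureSchemes) {
            if (this.supportedSignatures.contains(candidate) && certificateSupportsSignature(selected.getCertificate(), candidate)) {
                negotiated = candidate;
                break;
            }
        }
        if (negotiated == null) {
            throw new HandshakeFailureAlert("failed to negotiate signature scheme");
        }

        // The trailing 'true' is passed through to the inherited computeSignature; presumably it
        // selects the client-side signing context - confirm in TlsEngineImpl.
        byte[] signature = computeSignature(
                this.transcriptHash.getClientHash(TlsConstants.HandshakeType.certificate),
                selected.getPrivateKey(), negotiated, true);
        CertificateVerifyMessage certificateVerifyMessage = new CertificateVerifyMessage(negotiated, signature);
        this.sender.send(certificateVerifyMessage);
        this.transcriptHash.recordClient(certificateVerifyMessage);
    }

    /** Adds one extension to be included in the ClientHello. */
    @Override
    public void add(Extension extension) {
        this.requestedExtensions.add(extension);
    }

    /** Adds extensions to be included in the ClientHello. */
    @Override
    public void addExtensions(List<Extension> list) {
        this.requestedExtensions.addAll(list);
    }

    /** Adds cipher suites to the set offered to, and accepted from, the server. */
    @Override
    public void addSupportedCiphers(List<TlsConstants.CipherSuite> list) {
        this.supportedCiphers.addAll(list);
    }

    /**
     * Validates the server certificate chain against the custom trust manager when one is set,
     * otherwise against the platform default PKIX trust manager.
     *
     * <p>The {@code authType} argument is a fixed string ("RSA" for the custom manager, "UNKNOWN"
     * for the default one); it is not derived from the negotiated parameters.
     *
     * @param list the chain as received from the server, end-entity certificate first
     * @throws BadCertificateAlert if the trust manager rejects the chain
     */
    protected void checkCertificateValidity(List<X509Certificate> list) throws BadCertificateAlert {
        try {
            X509Certificate[] chain = list.toArray(new X509Certificate[0]);
            X509TrustManager trustManager = this.customTrustManager;
            if (trustManager != null) {
                trustManager.checkServerTrusted(chain, "RSA");
                return;
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            // A null key store makes the factory fall back to the platform default trust anchors.
            trustManagerFactory.init((KeyStore) null);
            ((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).checkServerTrusted(chain, "UNKNOWN");
        } catch (KeyStoreException e) {
            // Keep the cause: a broken trust store must be diagnosable from the stack trace.
            throw new RuntimeException("keystore exception", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("unsupported trust manager algorithm", e);
        } catch (CertificateException e) {
            String reason = extractReason(e);
            if (reason == null) {
                reason = "certificate validation failed";
            }
            throw new BadCertificateAlert(reason);
        }
    }

    /**
     * Returns the session tickets received so far.
     *
     * @return the engine's internal list (not a copy)
     */
    @Override
    public List<NewSessionTicket> getNewSessionTickets() {
        return this.obtainedNewSessionTickets;
    }

    /**
     * Returns the cipher suite selected by the server.
     *
     * @throws IllegalStateException if no ServerHello has been accepted yet
     */
    @Override
    public TlsConstants.CipherSuite getSelectedCipher() {
        if (this.selectedCipher == null) {
            throw new IllegalStateException("No (valid) server hello received yet");
        }
        return this.selectedCipher;
    }

    /**
     * Returns the certificate chain taken from the server's Certificate message; empty until one
     * is received. The chain is stored on receipt and is only validated later, when the
     * CertificateVerify message is processed.
     */
    @Override
    public List<X509Certificate> getServerCertificateChain() {
        return this.serverCertificateChain;
    }

    /** Returns true once the state machine has reached {@link Status#Connected}. */
    @Override
    public boolean handshakeFinished() {
        return this.status == Status.Connected;
    }

    /**
     * Handles the server's Certificate message: stores the end-entity certificate and chain and
     * moves to {@link Status#WaitCertificateVerify}. No trust decision is made here.
     *
     * @throws UnexpectedMessageAlert if the protection level or handshake state is wrong
     * @throws IllegalParameterAlert  if the request context is non-empty or no certificate is present
     */
    @Override
    public void received(CertificateMessage certificateMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        // CertificateRequest is optional, so a Certificate may arrive while still waiting for it.
        if (this.status != Status.WaitCertificate && this.status != Status.WaitCertificateRequest) {
            throw new UnexpectedMessageAlert("unexpected certificate message");
        }
        if (certificateMessage.getRequestContext().length > 0) {
            throw new IllegalParameterAlert("certificate request context should be zero length");
        }
        if (certificateMessage.getEndEntityCertificate() == null) {
            throw new IllegalParameterAlert("missing certificate");
        }
        this.serverCertificate = certificateMessage.getEndEntityCertificate();
        this.serverCertificateChain = certificateMessage.getCertificateChain();
        this.transcriptHash.recordServer(certificateMessage);
        this.status = Status.WaitCertificateVerify;
    }

    /**
     * Handles a CertificateRequest: records the server's accepted signature schemes and
     * certificate authorities, and marks client authentication as requested.
     *
     * @throws UnexpectedMessageAlert if the protection level or handshake state is wrong
     * @throws MissingExtensionAlert  if the request carries no signature_algorithms extension
     */
    @Override
    public void received(CertificateRequestMessage certificateRequestMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitCertificateRequest) {
            throw new UnexpectedMessageAlert("unexpected certificate request message");
        }

        List<TlsConstants.SignatureScheme> serverSchemes = null;
        for (Extension extension : certificateRequestMessage.getExtensions()) {
            if (extension instanceof SignatureAlgorithmsExtension) {
                serverSchemes = ((SignatureAlgorithmsExtension) extension).getSignatureAlgorithms();
                break;
            }
        }
        if (serverSchemes == null) {
            throw new MissingExtensionAlert();
        }
        this.serverSupportedSignatureSchemes = serverSchemes;
        this.transcriptHash.record(certificateRequestMessage);

        // Authorities are optional; default to an empty list when the extension is absent.
        this.clientCertificateAuthorities = new ArrayList<>();
        for (Extension extension : certificateRequestMessage.getExtensions()) {
            if (extension instanceof CertificateAuthoritiesExtension) {
                this.clientCertificateAuthorities = ((CertificateAuthoritiesExtension) extension).getAuthorities();
                break;
            }
        }
        this.clientAuthRequested = true;
        this.status = Status.WaitCertificate;
    }

    /**
     * Handles the server's CertificateVerify: this is where the server is authenticated.
     *
     * <p>Checks, in order: the signature scheme was offered by the client; the signature over the
     * transcript verifies against the server certificate; the certificate chain is trusted; the
     * configured host name verifier accepts the certificate for {@code serverName}.
     *
     * @throws UnexpectedMessageAlert  if the protection level or handshake state is wrong
     * @throws IllegalParameterAlert   if the scheme is missing or was not offered
     * @throws DecryptErrorAlert       if the signature does not verify
     * @throws BadCertificateAlert     if the chain is not trusted
     * @throws CertificateUnknownAlert if the host name does not match
     */
    @Override
    public void received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitCertificateVerify) {
            throw new UnexpectedMessageAlert("unexpected certificate verify message");
        }
        TlsConstants.SignatureScheme signatureScheme = certificateVerifyMessage.getSignatureScheme();
        if (signatureScheme == null || !this.supportedSignatures.contains(signatureScheme)) {
            throw new IllegalParameterAlert("signature scheme does not match");
        }
        byte[] transcript = this.transcriptHash.getServerHash(TlsConstants.HandshakeType.certificate);
        if (!verifySignature(certificateVerifyMessage.getSignature(), signatureScheme, this.serverCertificate, transcript)) {
            throw new DecryptErrorAlert("signature verification fails");
        }
        checkCertificateValidity(this.serverCertificateChain);
        if (!this.hostnameVerifier.verify(this.serverName, this.serverCertificate)) {
            throw new CertificateUnknownAlert("servername does not match");
        }
        this.transcriptHash.recordServer(certificateVerifyMessage);
        this.status = Status.WaitFinished;
    }

    /** A client never expects a ClientHello; always rejects it. */
    @Override
    public void received(ClientHello clientHello, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        throw new UnexpectedMessageAlert("no client hello expected");
    }

    /**
     * Handles EncryptedExtensions: rejects responses to extensions that were never sent and
     * duplicate extensions, then advances the state (straight to WaitFinished when a PSK was
     * accepted, otherwise to WaitCertificateRequest).
     *
     * @throws UnexpectedMessageAlert    if the protection level or handshake state is wrong
     * @throws UnsupportedExtensionAlert if an extension is unsolicited or duplicated
     */
    @Override
    public void received(EncryptedExtensions encryptedExtensions, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitEncryptedExtensions) {
            throw new UnexpectedMessageAlert("unexpected encrypted extensions message");
        }

        List<Class<? extends Extension>> sentTypes = new ArrayList<>();
        for (Extension sent : this.sentExtensions) {
            sentTypes.add(sent.getClass());
        }
        for (Extension extension : encryptedExtensions.getExtensions()) {
            if (!(extension instanceof UnknownExtension) && !sentTypes.contains(extension.getClass())) {
                throw new UnsupportedExtensionAlert("extension response to missing request");
            }
        }

        // Duplicates are detected by Java class, not by extension type code.
        // NOTE(review): if the parser maps several distinct unrecognised extension types to
        // UnknownExtension, two of them are reported as duplicates here - confirm.
        HashSet<Class<? extends Extension>> receivedTypes = new HashSet<>();
        for (Extension extension : encryptedExtensions.getExtensions()) {
            receivedTypes.add(extension.getClass());
        }
        if (receivedTypes.size() != encryptedExtensions.getExtensions().size()) {
            throw new UnsupportedExtensionAlert("duplicate extensions not allowed");
        }

        this.transcriptHash.record(encryptedExtensions);
        this.status = this.pskAccepted ? Status.WaitFinished : Status.WaitCertificateRequest;
        this.statusHandler.extensionsReceived(encryptedExtensions.getExtensions());
    }

    /**
     * Handles the server's Finished message: verifies its MAC, optionally sends client
     * authentication, sends the client Finished and derives the application secrets.
     *
     * @throws UnexpectedMessageAlert if the protection level or handshake state is wrong
     * @throws DecryptErrorAlert      if the verify data does not match the expected value
     * @throws IOException            if sending fails
     */
    @Override
    public void received(FinishedMessage finishedMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.WaitFinished) {
            throw new UnexpectedMessageAlert("unexpected finished message");
        }
        this.transcriptHash.recordServer(finishedMessage);

        byte[] receivedVerifyData = finishedMessage.getVerifyData();
        byte[] expectedVerifyData = computeFinishedVerifyData(
                this.transcriptHash.getServerHash(TlsConstants.HandshakeType.certificate_verify),
                this.state.getServerHandshakeTrafficSecret());
        // The verify data is a MAC over the transcript. MessageDigest.isEqual is the JDK's
        // time-constant comparison, so the check does not stop at the first differing byte the
        // way Arrays.equals does.
        if (!MessageDigest.isEqual(expectedVerifyData, receivedVerifyData)) {
            throw new DecryptErrorAlert("incorrect finished message");
        }

        if (this.clientAuthRequested) {
            sendClientAuth();
        }
        FinishedMessage clientFinished = new FinishedMessage(computeFinishedVerifyData(
                this.transcriptHash.getClientHash(TlsConstants.HandshakeType.certificate_verify),
                this.state.getClientHandshakeTrafficSecret()));
        this.sender.send(clientFinished);
        this.transcriptHash.recordClient(clientFinished);
        this.state.computeApplicationSecrets();
        this.state.computeResumptionMasterSecret();
        this.status = Status.Connected;
        this.statusHandler.handshakeFinished();
    }

    /**
     * Handles a NewSessionTicket: derives the PSK for the ticket, stores it and notifies the
     * status handler.
     *
     * <p>NOTE(review): only the protection level is checked; the handshake state is not. Confirm
     * that Application-level messages cannot be delivered before the state is Connected.
     *
     * @throws UnexpectedMessageAlert if the message was not protected with application keys
     */
    @Override
    public void received(NewSessionTicketMessage newSessionTicketMessage, ProtectionKeysType protectionKeysType) throws UnexpectedMessageAlert {
        if (protectionKeysType != ProtectionKeysType.Application) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        NewSessionTicket ticket = new NewSessionTicket(
                this.state.computePSK(newSessionTicketMessage.getTicketNonce()), newSessionTicketMessage, this.selectedCipher);
        this.obtainedNewSessionTickets.add(ticket);
        this.statusHandler.newSessionTicketReceived(ticket);
    }

    /**
     * Handles the ServerHello: validates its extensions, version, key share and cipher suite,
     * then derives the handshake secrets and moves to {@link Status#WaitEncryptedExtensions}.
     *
     * <p>NOTE(review): unlike the other handlers, this one does not check
     * {@code protectionKeysType}, and a ServerHello arriving in any state other than
     * WaitServerHello is silently ignored rather than rejected - confirm both are intended.
     *
     * @throws MissingExtensionAlert if supported_versions is absent, or neither pre_shared_key
     *                               nor key_share is present
     * @throws IllegalParameterAlert if the version is not TLS 1.3, an extension is not allowed in
     *                               a ServerHello, the key share is empty or for the wrong group,
     *                               or the cipher suite was not offered
     */
    @Override
    public void received(ServerHello serverHello, ProtectionKeysType protectionKeysType) throws MissingExtensionAlert, IllegalParameterAlert {
        if (this.status != Status.WaitServerHello) {
            return;
        }

        boolean hasSupportedVersions = false;
        boolean hasKeyEstablishment = false;
        for (Extension extension : serverHello.getExtensions()) {
            if (extension instanceof SupportedVersionsExtension) {
                hasSupportedVersions = true;
            }
            if ((extension instanceof PreSharedKeyExtension) || (extension instanceof KeyShareExtension)) {
                hasKeyEstablishment = true;
            }
        }
        if (!hasSupportedVersions || !hasKeyEstablishment) {
            throw new MissingExtensionAlert();
        }

        // When several supported_versions extensions are present, the last one wins.
        short tlsVersion = -1;
        for (Extension extension : serverHello.getExtensions()) {
            if (extension instanceof SupportedVersionsExtension) {
                tlsVersion = ((SupportedVersionsExtension) extension).getTlsVersion();
            }
        }
        if (tlsVersion != 0x0304) { // 0x0304 == 772, the TLS 1.3 version code
            throw new IllegalParameterAlert("invalid tls version");
        }

        // Only supported_versions, pre_shared_key and key_share may appear among the extensions
        // the engine recognises; unrecognised ones are tolerated.
        for (Extension extension : serverHello.getExtensions()) {
            if (recognizedExtension(extension)
                    && !(extension instanceof SupportedVersionsExtension)
                    && !(extension instanceof PreSharedKeyExtension)
                    && !(extension instanceof KeyShareExtension)) {
                throw new IllegalParameterAlert("illegal extension in server hello");
            }
        }

        KeyShareExtension keyShareExtension = null;
        for (Extension extension : serverHello.getExtensions()) {
            if (extension instanceof KeyShareExtension) {
                keyShareExtension = (KeyShareExtension) extension;
                break;
            }
        }
        KeyShareExtension.KeyShareEntry keyShareEntry = null;
        if (keyShareExtension != null) {
            if (!keyShareExtension.getKeyShareEntries().isEmpty()) {
                keyShareEntry = keyShareExtension.getKeyShareEntries().get(0);
            }
            if (keyShareEntry == null) {
                // The original alert carried an empty message, which made this failure
                // indistinguishable in logs.
                throw new IllegalParameterAlert("key share extension contains no key share entry");
            }
            if (keyShareEntry.getNamedGroup() != this.ecCurve) {
                throw new IllegalParameterAlert("server supplied key share does not match client supported named group");
            }
        }

        ServerPreSharedKeyExtension serverPreSharedKeyExtension = null;
        for (Extension extension : serverHello.getExtensions()) {
            if (extension instanceof ServerPreSharedKeyExtension) {
                serverPreSharedKeyExtension = (ServerPreSharedKeyExtension) extension;
                break;
            }
        }
        if (keyShareEntry == null && serverPreSharedKeyExtension == null) {
            throw new MissingExtensionAlert(" either the pre_shared_key extension or the key_share extension must be present");
        }
        if (serverPreSharedKeyExtension != null) {
            this.pskAccepted = true;
        }

        // The server must pick one of the suites the client offered.
        if (!this.supportedCiphers.contains(serverHello.getCipherSuite())) {
            throw new IllegalParameterAlert("cipher suite does not match");
        }
        this.selectedCipher = serverHello.getCipherSuite();

        // No state yet means no session ticket was offered, so the key schedule starts here.
        if (this.state == null) {
            this.transcriptHash = new TranscriptHash(hashLength(this.selectedCipher));
            this.state = new TlsState(this.transcriptHash, keyLength(this.selectedCipher), hashLength(this.selectedCipher));
            this.transcriptHash.record(this.clientHello);
            this.state.computeEarlyTrafficSecret();
            this.statusHandler.earlySecretsKnown();
        }
        if (serverPreSharedKeyExtension != null) {
            this.state.setPskSelected(serverPreSharedKeyExtension.getSelectedIdentity());
            Logger.debug("Server has accepted PSK key establishment");
        } else {
            this.state.setNoPskSelected();
        }
        if (keyShareEntry != null) {
            this.state.setOwnKey(this.privateKey);
            this.state.setPeerKey(keyShareEntry.getKey());
            this.state.computeSharedSecret();
        }
        this.transcriptHash.record(serverHello);
        this.state.computeHandshakeSecrets();
        this.status = Status.WaitEncryptedExtensions;
        this.statusHandler.handshakeSecretsKnown();
    }

    /**
     * Sets the callback that picks a client certificate for the authorities named by the server.
     * The callback may return {@code null} to offer no certificate.
     */
    @Override
    public void setClientCertificateCallback(Function<List<X500Principal>, CertificateWithPrivateKey> function) {
        this.clientCertificateSelector = function;
    }

    /** Sets the compatibility-mode flag passed to the ClientHello. */
    @Override
    public void setCompatibilityMode(boolean z) {
        this.compatibilityMode = z;
    }

    /**
     * Replaces the host name verifier. A {@code null} argument is ignored, so host name
     * verification cannot be switched off by passing {@code null}.
     */
    @Override
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        }
    }

    /** Sets the session ticket to resume with; must be set before the handshake starts. */
    @Override
    public void setNewSessionTicket(NewSessionTicket newSessionTicket) {
        this.newSessionTicket = newSessionTicket;
    }

    /** Sets the server name used in the ClientHello and for host name verification. */
    @Override
    public void setServerName(String str) {
        this.serverName = str;
    }

    /**
     * Sets the trust manager used to validate the server chain. The supplied manager fully
     * replaces the platform default; passing {@code null} restores the default.
     */
    @Override
    public void setTrustManager(X509TrustManager x509TrustManager) {
        this.customTrustManager = x509TrustManager;
    }

    /** Starts the handshake with secp256r1 and the RSA-PSS/ECDSA SHA-256 signature schemes. */
    @Override
    public void startHandshake() throws IOException {
        List<TlsConstants.SignatureScheme> schemes = new ArrayList<>(2);
        schemes.add(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256);
        schemes.add(TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256);
        startHandshake(TlsConstants.NamedGroup.secp256r1, schemes);
    }

    /** Starts the handshake with the given group and only the rsa_pss_rsae_sha256 scheme. */
    @Override
    public void startHandshake(TlsConstants.NamedGroup namedGroup) throws IOException {
        List<TlsConstants.SignatureScheme> schemes = new ArrayList<>(1);
        schemes.add(TlsConstants.SignatureScheme.rsa_pss_rsae_sha256);
        startHandshake(namedGroup, schemes);
    }

    /**
     * Validates the configuration, builds and sends the ClientHello, and moves to
     * {@link Status#WaitServerHello}. When a session ticket is set, a pre-shared-key extension is
     * added and the key schedule is initialised from the ticket's PSK.
     *
     * @param namedGroup the group for the client key share
     * @param list       the signature schemes to offer; the list is stored by reference, so it
     *                   should not be modified afterwards
     * @throws IllegalStateException    if the handshake was already started, the session ticket's
     *                                  cipher is not among the supported ciphers, or the server
     *                                  name or supported ciphers are not set
     * @throws IllegalArgumentException if the group or any signature scheme is not supported
     * @throws IOException              if sending fails
     */
    @Override
    public void startHandshake(TlsConstants.NamedGroup namedGroup, List<TlsConstants.SignatureScheme> list) throws IOException {
        if (this.status != Status.Start) {
            throw new IllegalStateException("Handshake already started");
        }
        if (!KeyShareExtension.supportedCurves.contains(namedGroup)) {
            throw new IllegalArgumentException("Named group " + namedGroup + " not supported");
        }
        List<TlsConstants.SignatureScheme> unsupported = new ArrayList<>(list);
        unsupported.removeAll(AVAILABLE_SIGNATURES);
        if (!unsupported.isEmpty()) {
            throw new IllegalArgumentException("Unsupported signature scheme(s): " + unsupported);
        }
        if (this.newSessionTicket != null && !this.supportedCiphers.contains(this.newSessionTicket.getCipher())) {
            throw new IllegalStateException("For session resumption, support ciphers should contain the cipher used with the session-to-resume (" + this.newSessionTicket.getCipher().toString() + ")");
        }

        this.supportedSignatures = list;
        this.ecCurve = namedGroup;
        generateKeys(namedGroup);
        if (this.serverName == null || this.supportedCiphers.isEmpty()) {
            throw new IllegalStateException("not all mandatory properties are set");
        }

        List<Extension> extensions;
        if (this.newSessionTicket != null) {
            // Copy so that the PSK extension does not leak into the caller-configured list.
            extensions = new ArrayList<>(this.requestedExtensions);
            extensions.add(new ClientHelloPreSharedKeyExtension(this.newSessionTicket));
            TlsConstants.CipherSuite cipher = this.newSessionTicket.getCipher();
            this.transcriptHash = new TranscriptHash(hashLength(cipher));
            this.state = new TlsState(this.transcriptHash, this.newSessionTicket.getPSK(), keyLength(cipher), hashLength(cipher));
        } else {
            extensions = this.requestedExtensions;
        }

        this.clientHello = new ClientHello(this.serverName, this.publicKey, this.compatibilityMode, this.supportedCiphers, this.supportedSignatures, namedGroup, extensions, this.state, ClientHello.PskKeyEstablishmentMode.PSKwithDHE);
        this.sentExtensions = this.clientHello.getExtensions();
        if (this.state != null) {
            this.transcriptHash.record(this.clientHello);
            this.state.computeEarlyTrafficSecret();
            this.statusHandler.earlySecretsKnown();
        }
        this.sender.send(this.clientHello);
        this.status = Status.WaitServerHello;
    }

    /**
     * Verifies the server's CertificateVerify signature.
     *
     * <p>The signed content is 64 space bytes, the context string
     * "TLS 1.3, server CertificateVerify", a single zero byte and the transcript hash.
     *
     * @param bArr            the signature from the CertificateVerify message
     * @param signatureScheme the scheme the server claims to have used
     * @param certificate     the server's end-entity certificate
     * @param bArr2           the transcript hash to verify against
     * @return true when the signature is valid; false when it is invalid, malformed, or the
     *         certificate's key cannot be used with the scheme
     * @throws HandshakeFailureAlert declared for the inherited {@code getSignatureAlgorithm}
     */
    protected boolean verifySignature(byte[] bArr, TlsConstants.SignatureScheme signatureScheme, Certificate certificate, byte[] bArr2) throws HandshakeFailureAlert {
        byte[] contextString = "TLS 1.3, server CertificateVerify".getBytes(ISO_8859_1);
        byte[] padding = new byte[64];
        Arrays.fill(padding, (byte) 32);

        // 64 padding bytes + context string + 1 separator byte + transcript hash.
        ByteBuffer content = ByteBuffer.allocate(contextString.length + 65 + bArr2.length);
        content.put(padding);
        content.put(contextString);
        content.put((byte) 0);
        content.put(bArr2);
        try {
            Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
            signatureAlgorithm.initVerify(certificate);
            signatureAlgorithm.update(content.array());
            return signatureAlgorithm.verify(bArr);
        } catch (InvalidKeyException unused) {
            // Deliberately fails closed: a key that does not fit the scheme means "not verified".
            Logger.debug("Certificate verify: invalid key.");
            return false;
        } catch (SignatureException unused2) {
            Logger.debug("Certificate verify: invalid signature.");
            return false;
        }
    }
}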
