package org.bouncycastle.jsse.provider;

import java.io.IOException;
import java.math.BigInteger;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.jsse.BCSNIMatcher;
import org.bouncycastle.jsse.BCSNIServerName;
import org.bouncycastle.jsse.BCX509Key;
import org.bouncycastle.jsse.provider.NamedGroupInfo;
import org.bouncycastle.jsse.provider.SignatureSchemeInfo;
import org.bouncycastle.tls.AlertDescription;
import org.bouncycastle.tls.Certificate;
import org.bouncycastle.tls.CertificateRequest;
import org.bouncycastle.tls.CertificateStatus;
import org.bouncycastle.tls.DefaultTlsDHGroupVerifier;
import org.bouncycastle.tls.DefaultTlsServer;
import org.bouncycastle.tls.KeyExchangeAlgorithm;
import org.bouncycastle.tls.NamedGroup;
import org.bouncycastle.tls.ProtocolName;
import org.bouncycastle.tls.ProtocolVersion;
import org.bouncycastle.tls.SecurityParameters;
import org.bouncycastle.tls.SessionParameters;
import org.bouncycastle.tls.SignatureAndHashAlgorithm;
import org.bouncycastle.tls.TlsContext;
import org.bouncycastle.tls.TlsCredentials;
import org.bouncycastle.tls.TlsDHUtils;
import org.bouncycastle.tls.TlsExtensionsUtils;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsSession;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.DHGroup;
import org.bouncycastle.tls.crypto.TlsDHConfig;
import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
import org.bouncycastle.util.encoders.Hex;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/bouncycastle/jsse/provider/ProvTlsServer.class */
public class ProvTlsServer extends DefaultTlsServer implements ProvTlsPeer {
    private static final String PROPERTY_DEFAULT_DHE_PARAMETERS = "jdk.tls.server.defaultDHEParameters";
    private static final boolean provServerEnableStatusRequest = false;
    protected final String serverID;
    protected final ProvTlsManager manager;
    protected final ProvSSLParameters sslParameters;
    protected final JsseSecurityParameters jsseSecurityParameters;
    protected ProvSSLSession sslSession;
    protected BCSNIServerName matchedSNIServerName;
    protected Set<String> keyManagerMissCache;
    protected TlsCredentials credentials;
    protected boolean handshakeComplete;
    private static final Logger LOG = Logger.getLogger(ProvTlsServer.class.getName());
    private static final int provEphemeralDHKeySize = PropertyUtils.getIntegerSystemProperty("jdk.tls.ephemeralDHKeySize", DefaultTlsDHGroupVerifier.DEFAULT_MINIMUM_PRIME_BITS, 1024, 8192);
    private static final DHGroup[] provServerDefaultDHEParameters = getDefaultDHEParameters();
    private static final boolean provServerEnableCA = PropertyUtils.getBooleanSystemProperty("jdk.tls.server.enableCAExtension", true);
    private static final boolean provServerEnableSessionResumption = PropertyUtils.getBooleanSystemProperty("org.bouncycastle.jsse.server.enableSessionResumption", true);
    private static final boolean provServerEnableTrustedCAKeys = PropertyUtils.getBooleanSystemProperty("org.bouncycastle.jsse.server.enableTrustedCAKeysExtension", false);
    private static final boolean provServerOmitSigAlgsCert = PropertyUtils.getBooleanSystemProperty("org.bouncycastle.jsse.server.omitSigAlgsCertExtension", true);

    private static DHGroup[] getDefaultDHEParameters() {
        String stripDoubleQuotes;
        int length;
        int i;
        int indexOf;
        int i2;
        int indexOf2;
        String stringSecurityProperty = PropertyUtils.getStringSecurityProperty(PROPERTY_DEFAULT_DHE_PARAMETERS);
        if (null == stringSecurityProperty || (length = (stripDoubleQuotes = JsseUtils.stripDoubleQuotes(JsseUtils.removeAllWhitespace(stringSecurityProperty))).length()) < 1) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        int i3 = -1;
        do {
            int i4 = i3 + 1;
            if (i4 >= length || '{' != stripDoubleQuotes.charAt(i4) || (indexOf = stripDoubleQuotes.indexOf(44, (i = i4 + 1))) <= i || (indexOf2 = stripDoubleQuotes.indexOf(125, (i2 = indexOf + 1))) <= i2) {
                break;
            }
            try {
                BigInteger parseDHParameter = parseDHParameter(stripDoubleQuotes, i, indexOf);
                BigInteger parseDHParameter2 = parseDHParameter(stripDoubleQuotes, i2, indexOf2);
                DHGroup standardGroupForDHParameters = TlsDHUtils.getStandardGroupForDHParameters(parseDHParameter, parseDHParameter2);
                if (null != standardGroupForDHParameters) {
                    arrayList.add(standardGroupForDHParameters);
                } else if (parseDHParameter.isProbablePrime(AlertDescription.no_application_protocol)) {
                    arrayList.add(new DHGroup(parseDHParameter, null, parseDHParameter2, 0));
                } else {
                    LOG.log(Level.WARNING, "Non-prime modulus ignored in security property [jdk.tls.server.defaultDHEParameters]: " + parseDHParameter.toString(16));
                }
                i3 = indexOf2 + 1;
                if (i3 >= length) {
                    DHGroup[] dHGroupArr = (DHGroup[]) arrayList.toArray(new DHGroup[arrayList.size()]);
                    Arrays.sort(dHGroupArr, new Comparator<DHGroup>() { // from class: org.bouncycastle.jsse.provider.ProvTlsServer.1
                        @Override // java.util.Comparator
                        public int compare(DHGroup dHGroup, DHGroup dHGroup2) {
                            return dHGroup.getP().bitLength() - dHGroup2.getP().bitLength();
                        }
                    });
                    return dHGroupArr;
                }
            } catch (Exception e) {
            }
        } while (',' == stripDoubleQuotes.charAt(i3));
        LOG.log(Level.WARNING, "Invalid syntax for security property [jdk.tls.server.defaultDHEParameters]");
        return null;
    }

    private static BigInteger parseDHParameter(String str, int i, int i2) {
        return new BigInteger(str.substring(i, i2), 16);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ProvTlsServer(ProvTlsManager provTlsManager, ProvSSLParameters provSSLParameters) {
        super(provTlsManager.getContextData().getCrypto());
        this.jsseSecurityParameters = new JsseSecurityParameters();
        this.sslSession = null;
        this.matchedSNIServerName = null;
        this.keyManagerMissCache = null;
        this.credentials = null;
        this.handshakeComplete = false;
        this.serverID = JsseUtils.getPeerID("server", provTlsManager);
        this.manager = provTlsManager;
        this.sslParameters = provSSLParameters.copyForConnection();
    }

    @Override // org.bouncycastle.jsse.provider.ProvTlsPeer
    public String getID() {
        return this.serverID;
    }

    @Override // org.bouncycastle.jsse.provider.ProvTlsPeer
    public ProvSSLSession getSession() {
        return this.sslSession;
    }

    @Override // org.bouncycastle.jsse.provider.ProvTlsPeer
    public TlsContext getTlsContext() {
        return this.context;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowCertificateStatus() {
        return false;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowMultiCertStatus() {
        return false;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean allowTrustedCAIndication() {
        return null != this.jsseSecurityParameters.trustedIssuers;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected String getDetailMessageNoCipherSuite() {
        StringBuilder sb = new StringBuilder(this.serverID);
        int[] iArr = this.offeredCipherSuites;
        if (TlsUtils.isNullOrEmpty(iArr)) {
            sb.append(" found no selectable cipher suite because none were offered.");
        } else {
            sb.append(" found no selectable cipher suite among the ");
            sb.append(iArr.length);
            sb.append(" offered: ");
            sb.append('[');
            JsseUtils.appendCipherSuiteDetail(sb, iArr[0]);
            for (int i = 1; i < iArr.length; i++) {
                sb.append(", ");
                JsseUtils.appendCipherSuiteDetail(sb, iArr[i]);
            }
            sb.append(']');
        }
        return sb.toString();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int getMaximumNegotiableCurveBits() {
        return NamedGroupInfo.getMaximumBitsServerECDH(this.jsseSecurityParameters.namedGroups).getResult();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int getMaximumNegotiableFiniteFieldBits() {
        NamedGroupInfo.DefaultedResult maximumBitsServerFFDHE = NamedGroupInfo.getMaximumBitsServerFFDHE(this.jsseSecurityParameters.namedGroups);
        int result = maximumBitsServerFFDHE.getResult();
        if (maximumBitsServerFFDHE.isDefaulted() && !TlsUtils.isNullOrEmpty(provServerDefaultDHEParameters) && !this.manager.getContextData().isFipsMode()) {
            result = Math.max(result, provServerDefaultDHEParameters[provServerDefaultDHEParameters.length - 1].getP().bitLength());
        }
        if (result >= provEphemeralDHKeySize) {
            return result;
        }
        return 0;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected Vector<ProtocolName> getProtocolNames() {
        return JsseUtils.getProtocolNames(this.sslParameters.getApplicationProtocols());
    }

    @Override // org.bouncycastle.tls.DefaultTlsServer, org.bouncycastle.tls.AbstractTlsPeer
    protected int[] getSupportedCipherSuites() {
        return this.manager.getContextData().getActiveCipherSuites(getCrypto(), this.sslParameters, getProtocolVersions());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.bouncycastle.tls.AbstractTlsPeer
    public ProtocolVersion[] getSupportedVersions() {
        return this.manager.getContextData().getActiveProtocolVersions(this.sslParameters);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean preferLocalCipherSuites() {
        return this.sslParameters.getUseCipherSuitesOrder();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public boolean preferLocalSupportedGroups() {
        return this.sslParameters.getUseNamedGroupsOrder();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean selectCipherSuite(int i) throws IOException {
        TlsCredentials tlsCredentials = null;
        int keyExchangeAlgorithm = TlsUtils.getKeyExchangeAlgorithm(i);
        if (!KeyExchangeAlgorithm.isAnonymous(keyExchangeAlgorithm)) {
            tlsCredentials = selectCredentials(this.jsseSecurityParameters.trustedIssuers, keyExchangeAlgorithm);
            if (null == tlsCredentials) {
                String cipherSuiteName = ProvSSLContextSpi.getCipherSuiteName(i);
                if (!LOG.isLoggable(Level.FINER)) {
                    return false;
                }
                LOG.finer(this.serverID + " found no credentials for cipher suite: " + cipherSuiteName);
                return false;
            }
        }
        boolean selectCipherSuite = super.selectCipherSuite(i);
        if (selectCipherSuite) {
            this.credentials = tlsCredentials;
        }
        return selectCipherSuite;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public TlsDHConfig getDHConfig() throws IOException {
        int max = Math.max(TlsDHUtils.getMinimumFiniteFieldBits(this.selectedCipherSuite), provEphemeralDHKeySize);
        NamedGroupInfo.DefaultedResult selectServerFFDHE = NamedGroupInfo.selectServerFFDHE(this.jsseSecurityParameters.namedGroups, max);
        int result = selectServerFFDHE.getResult();
        if (selectServerFFDHE.isDefaulted() && !TlsUtils.isNullOrEmpty(provServerDefaultDHEParameters) && !this.manager.getContextData().isFipsMode()) {
            DHGroup[] dHGroupArr = provServerDefaultDHEParameters;
            int length = dHGroupArr.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                DHGroup dHGroup = dHGroupArr[i];
                int bitLength = dHGroup.getP().bitLength();
                if (bitLength < max) {
                    i++;
                } else if (result < 0 || bitLength <= NamedGroup.getFiniteFieldBits(result)) {
                    return new TlsDHConfig(dHGroup);
                }
            }
        }
        return TlsDHUtils.createNamedDHConfig(this.context, result);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectDH(int i) {
        throw new UnsupportedOperationException();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectDHDefault(int i) {
        throw new UnsupportedOperationException();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectECDH(int i) {
        return NamedGroupInfo.selectServerECDH(this.jsseSecurityParameters.namedGroups, i).getResult();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected int selectECDHDefault(int i) {
        throw new UnsupportedOperationException();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected ProtocolName selectProtocolName() throws IOException {
        if (null == this.sslParameters.getEngineAPSelector() && null == this.sslParameters.getSocketAPSelector()) {
            return super.selectProtocolName();
        }
        List<String> protocolNames = JsseUtils.getProtocolNames((Vector<ProtocolName>) this.clientProtocolNames);
        String selectApplicationProtocol = this.manager.selectApplicationProtocol(Collections.unmodifiableList(protocolNames));
        if (null == selectApplicationProtocol) {
            throw new TlsFatalAlert((short) 120);
        }
        if (selectApplicationProtocol.length() < 1) {
            return null;
        }
        if (protocolNames.contains(selectApplicationProtocol)) {
            return ProtocolName.asUtf8Encoding(selectApplicationProtocol);
        }
        throw new TlsFatalAlert((short) 120);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer
    protected boolean shouldSelectProtocolNameEarly() {
        return null == this.sslParameters.getEngineAPSelector() && null == this.sslParameters.getSocketAPSelector();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean allowLegacyResumption() {
        return JsseUtils.allowLegacyResumption();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxCertificateChainLength() {
        return JsseUtils.getMaxCertificateChainLength();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public int getMaxHandshakeMessageSize() {
        return JsseUtils.getMaxHandshakeMessageSize();
    }

    @Override // org.bouncycastle.jsse.provider.ProvTlsPeer
    public synchronized boolean isHandshakeComplete() {
        return this.handshakeComplete;
    }

    @Override // org.bouncycastle.tls.DefaultTlsServer, org.bouncycastle.tls.TlsServer
    public TlsCredentials getCredentials() throws IOException {
        if (this.credentials == null) {
            throw new TlsFatalAlert((short) 80);
        }
        return this.credentials;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public CertificateRequest getCertificateRequest() throws IOException {
        if (!isClientAuthEnabled()) {
            return null;
        }
        ContextData contextData = this.manager.getContextData();
        ProtocolVersion serverVersion = this.context.getServerVersion();
        Vector<SignatureAndHashAlgorithm> localSignatureAndHashAlgorithms = this.jsseSecurityParameters.signatureSchemes.getLocalSignatureAndHashAlgorithms();
        Vector<X500Name> vector = null;
        if (provServerEnableCA) {
            vector = JsseUtils.getCertificateAuthorities(contextData.getX509TrustManager());
        }
        if (!TlsUtils.isTLSv13(serverVersion)) {
            return new CertificateRequest(new short[]{64, 1, 2}, localSignatureAndHashAlgorithms, vector);
        }
        byte[] bArr = TlsUtils.EMPTY_BYTES;
        Vector<SignatureAndHashAlgorithm> localSignatureAndHashAlgorithmsCert = this.jsseSecurityParameters.signatureSchemes.getLocalSignatureAndHashAlgorithmsCert();
        if (localSignatureAndHashAlgorithmsCert == null && !provServerOmitSigAlgsCert) {
            localSignatureAndHashAlgorithmsCert = this.jsseSecurityParameters.signatureSchemes.getLocalSignatureAndHashAlgorithms();
        }
        return new CertificateRequest(bArr, localSignatureAndHashAlgorithms, localSignatureAndHashAlgorithmsCert, vector);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public CertificateStatus getCertificateStatus() throws IOException {
        return null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public JcaTlsCrypto getCrypto() {
        return this.manager.getContextData().getCrypto();
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public int[] getSupportedGroups() throws IOException {
        ContextData contextData = this.manager.getContextData();
        ProtocolVersion serverVersion = this.context.getServerVersion();
        this.jsseSecurityParameters.namedGroups = contextData.getNamedGroupsServer(this.sslParameters, serverVersion);
        return NamedGroupInfo.getSupportedGroupsLocalServer(this.jsseSecurityParameters.namedGroups);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public int getSelectedCipherSuite() throws IOException {
        ContextData contextData = this.manager.getContextData();
        SecurityParameters securityParametersHandshake = this.context.getSecurityParametersHandshake();
        this.jsseSecurityParameters.namedGroups.notifyPeerData(securityParametersHandshake.getClientSupportedGroups());
        this.jsseSecurityParameters.signatureSchemes = contextData.getSignatureSchemesServer(this.sslParameters, this.context.getServerVersion(), this.jsseSecurityParameters.namedGroups);
        Vector clientSigAlgs = securityParametersHandshake.getClientSigAlgs();
        Vector clientSigAlgsCert = securityParametersHandshake.getClientSigAlgsCert();
        List<SignatureSchemeInfo> signatureSchemes = contextData.getSignatureSchemes(clientSigAlgs);
        List<SignatureSchemeInfo> list = null;
        if (clientSigAlgsCert != clientSigAlgs) {
            list = contextData.getSignatureSchemes(clientSigAlgsCert);
        }
        this.jsseSecurityParameters.signatureSchemes.notifyPeerData(signatureSchemes, list);
        if (LOG.isLoggable(Level.FINEST)) {
            LOG.finest(JsseUtils.getSignatureAlgorithmsReport(this.serverID + " peer signature_algorithms", signatureSchemes));
            if (list != null) {
                LOG.finest(JsseUtils.getSignatureAlgorithmsReport(this.serverID + " peer signature_algorithms_cert", list));
            }
        }
        if (DummyX509KeyManager.INSTANCE == contextData.getX509KeyManager()) {
            throw new TlsFatalAlert((short) 40);
        }
        this.keyManagerMissCache = new HashSet();
        int selectedCipherSuite = super.getSelectedCipherSuite();
        this.keyManagerMissCache = null;
        String validateNegotiatedCipherSuite = contextData.validateNegotiatedCipherSuite(this.sslParameters, selectedCipherSuite);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(this.serverID + " selected cipher suite: " + validateNegotiatedCipherSuite);
        }
        return selectedCipherSuite;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public Hashtable<Integer, byte[]> getServerExtensions() throws IOException {
        super.getServerExtensions();
        if (null != this.matchedSNIServerName) {
            TlsExtensionsUtils.addServerNameExtensionServer(this.serverExtensions);
        }
        return this.serverExtensions;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public TlsSession getSessionToResume(byte[] bArr) {
        ProvSSLSession sessionImpl;
        ProvSSLSessionContext serverSessionContext = this.manager.getContextData().getServerSessionContext();
        if (provServerEnableSessionResumption && null != (sessionImpl = serverSessionContext.getSessionImpl(bArr))) {
            TlsSession tlsSession = sessionImpl.getTlsSession();
            if (isResumable(sessionImpl, tlsSession)) {
                this.sslSession = sessionImpl;
                return tlsSession;
            }
        }
        JsseUtils.checkSessionCreationEnabled(this.manager);
        return null;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public byte[] getNewSessionID() {
        if (!provServerEnableSessionResumption || TlsUtils.isTLSv13(this.context)) {
            return null;
        }
        return this.context.getNonceGenerator().generateNonce(32);
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void notifySession(TlsSession tlsSession) {
        byte[] sessionID = tlsSession.getSessionID();
        if (!(null != this.sslSession && this.sslSession.getTlsSession() == tlsSession)) {
            this.sslSession = null;
            if (LOG.isLoggable(Level.FINE)) {
                if (TlsUtils.isNullOrEmpty(sessionID)) {
                    LOG.fine(this.serverID + " did not specify a session ID");
                } else {
                    LOG.fine(this.serverID + " specified new session: " + Hex.toHexString(sessionID));
                }
            }
            JsseUtils.checkSessionCreationEnabled(this.manager);
        } else if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(this.serverID + " resumed session: " + Hex.toHexString(sessionID));
        }
        this.manager.notifyHandshakeSession(this.manager.getContextData().getServerSessionContext(), this.context.getSecurityParametersHandshake(), this.jsseSecurityParameters, this.sslSession);
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertRaised(short s, short s2, String str, Throwable th) {
        Level level = s == 1 ? Level.FINE : s2 == 80 ? Level.WARNING : Level.INFO;
        if (LOG.isLoggable(level)) {
            String alertRaisedLogMessage = JsseUtils.getAlertRaisedLogMessage(this.serverID, s, s2);
            if (str != null) {
                alertRaisedLogMessage = alertRaisedLogMessage + ": " + str;
            }
            LOG.log(level, alertRaisedLogMessage, th);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyAlertReceived(short s, short s2) {
        super.notifyAlertReceived(s, s2);
        Level level = s == 1 ? Level.FINE : Level.INFO;
        if (LOG.isLoggable(level)) {
            LOG.log(level, JsseUtils.getAlertReceivedLogMessage(this.serverID, s, s2));
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public ProtocolVersion getServerVersion() throws IOException {
        ProtocolVersion serverVersion = super.getServerVersion();
        String validateNegotiatedProtocol = this.manager.getContextData().validateNegotiatedProtocol(this.sslParameters, serverVersion);
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(this.serverID + " selected protocol version: " + validateNegotiatedProtocol);
        }
        return serverVersion;
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void notifyClientCertificate(Certificate certificate) throws IOException {
        if (!isClientAuthEnabled()) {
            throw new TlsFatalAlert((short) 80);
        }
        if (null != certificate && !certificate.isEmpty()) {
            this.manager.checkClientTrusted(JsseUtils.getX509CertificateChain(getCrypto(), certificate), "TLS-client-auth");
        } else if (this.sslParameters.getNeedClientAuth()) {
            throw new TlsFatalAlert(TlsUtils.isTLSv13(this.context) ? (short) 116 : (short) 40);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyConnectionClosed() {
        super.notifyConnectionClosed();
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info(this.serverID + " disconnected from " + JsseUtils.getPeerReport(this.manager));
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifyHandshakeBeginning() throws IOException {
        super.notifyHandshakeBeginning();
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info(this.serverID + " accepting connection from " + JsseUtils.getPeerReport(this.manager));
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public synchronized void notifyHandshakeComplete() throws IOException {
        super.notifyHandshakeComplete();
        this.handshakeComplete = true;
        if (LOG.isLoggable(Level.INFO)) {
            LOG.info(this.serverID + " established connection with " + JsseUtils.getPeerReport(this.manager));
        }
        TlsSession session = this.context.getSession();
        if (null == this.sslSession || this.sslSession.getTlsSession() != session) {
            this.sslSession = this.manager.getContextData().getServerSessionContext().reportSession(this.manager.getPeerHost(), this.manager.getPeerPort(), session, new JsseSessionParameters(this.sslParameters.getEndpointIdentificationAlgorithm(), this.matchedSNIServerName), provServerEnableSessionResumption && !TlsUtils.isTLSv13(this.context));
        }
        this.manager.notifyHandshakeComplete(new ProvSSLConnection(this));
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public void notifySecureRenegotiation(boolean z) throws IOException {
        if (!z && !PropertyUtils.getBooleanSystemProperty("sun.security.ssl.allowLegacyHelloMessages", true)) {
            throw new TlsFatalAlert((short) 40);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsServer, org.bouncycastle.tls.TlsServer
    public void processClientExtensions(Hashtable hashtable) throws IOException {
        super.processClientExtensions(hashtable);
        Vector clientServerNames = this.context.getSecurityParametersHandshake().getClientServerNames();
        if (null != clientServerNames) {
            Collection<BCSNIMatcher> sNIMatchers = this.sslParameters.getSNIMatchers();
            if (null != sNIMatchers && !sNIMatchers.isEmpty()) {
                this.matchedSNIServerName = JsseUtils.findMatchingSNIServerName(clientServerNames, sNIMatchers);
                if (null == this.matchedSNIServerName) {
                    throw new TlsFatalAlert((short) 112);
                }
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine(this.serverID + " accepted SNI: " + this.matchedSNIServerName);
                }
            } else if (LOG.isLoggable(Level.FINE)) {
                LOG.fine(this.serverID + " ignored SNI (no matchers specified)");
            }
        }
        if (TlsUtils.isTLSv13(this.context)) {
            this.jsseSecurityParameters.trustedIssuers = JsseUtils.toX500Principals(TlsExtensionsUtils.getCertificateAuthoritiesExtension(hashtable));
        } else if (provServerEnableTrustedCAKeys) {
            this.jsseSecurityParameters.trustedIssuers = JsseUtils.getTrustedIssuers(this.trustedCAKeys);
        }
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresCloseNotify() {
        return JsseUtils.requireCloseNotify();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean requiresExtendedMasterSecret() {
        return !JsseUtils.allowLegacyMasterSecret();
    }

    @Override // org.bouncycastle.tls.AbstractTlsPeer, org.bouncycastle.tls.TlsPeer
    public boolean shouldUseExtendedMasterSecret() {
        return JsseUtils.useExtendedMasterSecret();
    }

    protected boolean isClientAuthEnabled() {
        return this.sslParameters.getNeedClientAuth() || this.sslParameters.getWantClientAuth();
    }

    protected boolean isResumable(ProvSSLSession provSSLSession, TlsSession tlsSession) {
        SessionParameters exportSessionParameters;
        if (null == tlsSession || !tlsSession.isResumable()) {
            return false;
        }
        ProtocolVersion negotiatedVersion = this.context.getSecurityParametersHandshake().getNegotiatedVersion();
        if (TlsUtils.isTLSv13(negotiatedVersion) || null == (exportSessionParameters = tlsSession.exportSessionParameters()) || !negotiatedVersion.equals(exportSessionParameters.getNegotiatedVersion()) || !org.bouncycastle.util.Arrays.contains(getCipherSuites(), exportSessionParameters.getCipherSuite()) || !org.bouncycastle.util.Arrays.contains(this.offeredCipherSuites, exportSessionParameters.getCipherSuite())) {
            return false;
        }
        if (this.sslParameters.getNeedClientAuth() && exportSessionParameters.getPeerCertificate() == null) {
            return false;
        }
        String endpointIdentificationAlgorithm = this.sslParameters.getEndpointIdentificationAlgorithm();
        if (null != endpointIdentificationAlgorithm) {
            String endpointIDAlgorithm = provSSLSession.getJsseSessionParameters().getEndpointIDAlgorithm();
            if (!endpointIdentificationAlgorithm.equalsIgnoreCase(endpointIDAlgorithm)) {
                if (!LOG.isLoggable(Level.FINER)) {
                    return false;
                }
                LOG.finer(this.serverID + ": Session not resumable - endpoint ID algorithm mismatch; connection: " + endpointIdentificationAlgorithm + ", session: " + endpointIDAlgorithm);
                return false;
            }
        }
        JsseSessionParameters jsseSessionParameters = provSSLSession.getJsseSessionParameters();
        BCSNIServerName bCSNIServerName = this.matchedSNIServerName;
        BCSNIServerName matchedSNIServerName = jsseSessionParameters.getMatchedSNIServerName();
        if (JsseUtils.equals(bCSNIServerName, matchedSNIServerName)) {
            return true;
        }
        if (!LOG.isLoggable(Level.FINEST)) {
            return false;
        }
        LOG.finest(this.serverID + ": Session not resumable - SNI mismatch; connection: " + bCSNIServerName + ", session: " + matchedSNIServerName);
        return false;
    }

    protected TlsCredentials selectCredentials(Principal[] principalArr, int i) throws IOException {
        switch (i) {
            case 0:
                return selectServerCredentials13(principalArr, TlsUtils.EMPTY_BYTES);
            case 1:
            case 3:
            case 5:
            case 17:
            case 19:
                return (1 == i || !TlsUtils.isSignatureAlgorithmsExtensionAllowed(this.context.getServerVersion())) ? selectServerCredentialsLegacy(principalArr, i) : selectServerCredentials12(principalArr, i);
            case 2:
            case 4:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 11:
            case 12:
            case 13:
            case 14:
            case 15:
            case 16:
            case 18:
            default:
                return null;
        }
    }

    protected TlsCredentials selectServerCredentials12(Principal[] principalArr, int i) throws IOException {
        short legacySignatureAlgorithmServer = TlsUtils.getLegacySignatureAlgorithmServer(i);
        SignatureSchemeInfo.PerConnection perConnection = this.jsseSecurityParameters.signatureSchemes;
        LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap = new LinkedHashMap<>();
        for (SignatureSchemeInfo signatureSchemeInfo : perConnection.getPeerSigSchemes()) {
            if (TlsUtils.isValidSignatureSchemeForServerKeyExchange(signatureSchemeInfo.getSignatureScheme(), i)) {
                String keyTypeLegacyServer = legacySignatureAlgorithmServer == signatureSchemeInfo.getSignatureAlgorithm() ? JsseUtils.getKeyTypeLegacyServer(i) : signatureSchemeInfo.getKeyType();
                if (!this.keyManagerMissCache.contains(keyTypeLegacyServer) && !linkedHashMap.containsKey(keyTypeLegacyServer) && signatureSchemeInfo.isSupportedPre13() && perConnection.hasLocalSignatureScheme(signatureSchemeInfo)) {
                    linkedHashMap.put(keyTypeLegacyServer, signatureSchemeInfo);
                }
            }
        }
        if (linkedHashMap.isEmpty()) {
            if (!LOG.isLoggable(Level.FINE)) {
                return null;
            }
            LOG.fine(this.serverID + " (1.2) has no key types to try for KeyExchangeAlgorithm " + i);
            return null;
        }
        BCX509Key chooseServerKey = this.manager.chooseServerKey((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
        if (null == chooseServerKey) {
            handleKeyManagerMisses(linkedHashMap, null);
            if (!LOG.isLoggable(Level.FINE)) {
                return null;
            }
            LOG.fine(this.serverID + " (1.2) did not select any credentials for KeyExchangeAlgorithm " + i);
            return null;
        }
        String keyType = chooseServerKey.getKeyType();
        handleKeyManagerMisses(linkedHashMap, keyType);
        SignatureSchemeInfo signatureSchemeInfo2 = linkedHashMap.get(keyType);
        if (null == signatureSchemeInfo2) {
            throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(this.serverID + " (1.2) selected credentials for signature scheme '" + signatureSchemeInfo2 + "' (keyType '" + keyType + "'), with private key algorithm '" + JsseUtils.getPrivateKeyAlgorithm(chooseServerKey.getPrivateKey()) + "'");
        }
        return JsseUtils.createCredentialedSigner(this.context, getCrypto(), chooseServerKey, signatureSchemeInfo2.getSignatureAndHashAlgorithm());
    }

    protected TlsCredentials selectServerCredentials13(Principal[] principalArr, byte[] bArr) throws IOException {
        SignatureSchemeInfo.PerConnection perConnection = this.jsseSecurityParameters.signatureSchemes;
        LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap = new LinkedHashMap<>();
        for (SignatureSchemeInfo signatureSchemeInfo : perConnection.getPeerSigSchemes()) {
            String keyType13 = signatureSchemeInfo.getKeyType13();
            if (!this.keyManagerMissCache.contains(keyType13) && !linkedHashMap.containsKey(keyType13) && signatureSchemeInfo.isSupportedPost13() && perConnection.hasLocalSignatureScheme(signatureSchemeInfo)) {
                linkedHashMap.put(keyType13, signatureSchemeInfo);
            }
        }
        if (linkedHashMap.isEmpty()) {
            if (!LOG.isLoggable(Level.FINE)) {
                return null;
            }
            LOG.fine(this.serverID + " (1.3) found no usable signature schemes");
            return null;
        }
        BCX509Key chooseServerKey = this.manager.chooseServerKey((String[]) linkedHashMap.keySet().toArray(TlsUtils.EMPTY_STRINGS), principalArr);
        if (null == chooseServerKey) {
            handleKeyManagerMisses(linkedHashMap, null);
            if (!LOG.isLoggable(Level.FINE)) {
                return null;
            }
            LOG.fine(this.serverID + " (1.3) did not select any credentials");
            return null;
        }
        String keyType = chooseServerKey.getKeyType();
        handleKeyManagerMisses(linkedHashMap, keyType);
        SignatureSchemeInfo signatureSchemeInfo2 = linkedHashMap.get(keyType);
        if (null == signatureSchemeInfo2) {
            throw new TlsFatalAlert((short) 80, "Key manager returned invalid key type");
        }
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(this.serverID + " (1.3) selected credentials for signature scheme '" + signatureSchemeInfo2 + "' (keyType '" + keyType + "'), with private key algorithm '" + JsseUtils.getPrivateKeyAlgorithm(chooseServerKey.getPrivateKey()) + "'");
        }
        return JsseUtils.createCredentialedSigner13(this.context, getCrypto(), chooseServerKey, signatureSchemeInfo2.getSignatureAndHashAlgorithm(), bArr);
    }

    protected TlsCredentials selectServerCredentialsLegacy(Principal[] principalArr, int i) throws IOException {
        String keyTypeLegacyServer = JsseUtils.getKeyTypeLegacyServer(i);
        if (this.keyManagerMissCache.contains(keyTypeLegacyServer)) {
            return null;
        }
        BCX509Key chooseServerKey = this.manager.chooseServerKey(new String[]{keyTypeLegacyServer}, principalArr);
        if (null != chooseServerKey) {
            return 1 == i ? JsseUtils.createCredentialedDecryptor(getCrypto(), chooseServerKey) : JsseUtils.createCredentialedSigner(this.context, getCrypto(), chooseServerKey, null);
        }
        this.keyManagerMissCache.add(keyTypeLegacyServer);
        return null;
    }

    private void handleKeyManagerMisses(LinkedHashMap<String, SignatureSchemeInfo> linkedHashMap, String str) {
        for (Map.Entry<String, SignatureSchemeInfo> entry : linkedHashMap.entrySet()) {
            String key = entry.getKey();
            if (key.equals(str)) {
                return;
            }
            this.keyManagerMissCache.add(key);
            if (LOG.isLoggable(Level.FINER)) {
                LOG.finer(this.serverID + " found no credentials for signature scheme '" + entry.getValue() + "' (keyType '" + key + "')");
            }
        }
    }
}
