package by.avest.net.tls;

import by.avest.net.tls.CertificateRequest;
import by.avest.net.tls.Handshake;
import by.avest.net.tls.SSLSession;
import by.avest.net.tls.SSLSocket;
import by.avest.net.tls.ServerNameExtension;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.security.auth.x500.X500Principal;
import sun.net.util.IPAddressUtil;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:by/avest/net/tls/ClientHandshakeExecutor.class */
public class ClientHandshakeExecutor extends HandshakeExecutor {
    private X500Principal[] certificateAuthorities;
    private CertificateRequest.ClientCertificateType[] clientCertificateTypes;
    private SignatureAndHashAlgorithm[] signatureAndHashAlgorithms;
    private String clientAlias;
    private List<Extension> extensionsSent;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshakeExecutor(SSLSocket sSLSocket, RecordInputStream recordInputStream, RecordOutputStream recordOutputStream) {
        super(sSLSocket, recordInputStream, recordOutputStream);
        this.extensionsSent = new ArrayList();
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    public void doHandshake() throws IOException {
        if (Util.isDebug()) {
            Util.log("Start handshake.");
        }
        init();
        String socketHost = getSocketHost();
        int socketPort = getSocketPort();
        this.session = this.socket.getSessionContext().getSession(socketHost, socketPort);
        if (this.session == null || !this.session.isValid()) {
            if (Util.isDebug()) {
                Util.log("No valid session cache match found.");
            }
            if (this.session != null && !this.session.isValid()) {
                if (Util.isDebug()) {
                    Util.log("Found session is not valid. Remove session from context.");
                }
                this.socket.getSessionContext().removeSession(this.session);
            }
            if (!this.socket.getEnableSessionCreation()) {
                if (Util.isDebug()) {
                    Util.log("Session creation disabled.");
                }
                throw new SSLHandshakeException("Session creation disabled. No existing session to resume found.");
            }
            if (Util.isDebug()) {
                Util.log("Do full handshake.");
            }
            this.session = new SSLSession(socketHost, socketPort);
            this.session.notifyClientStarted(this.socket);
            doFullHandshake();
            this.session.setSessionContext(this.socket.getSessionContext());
            this.socket.getSessionContext().putSession(this.session);
        } else {
            if (Util.isDebug()) {
                Util.log("Valid session cache match found.");
                Util.log("Do abbreviated handshake.");
            }
            try {
                this.session.notifyClientStarted(this.socket);
                doAbbreviatedHandshake();
            } catch (IOException e) {
                this.session.invalidate();
                this.socket.getSessionContext().removeSession(this.session);
                throw e;
            }
        }
        fin();
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    public void renewHandshake(TLSText tLSText) throws IOException {
        if (Util.isDebug()) {
            Util.log("Renew handshake.");
        }
        if (this.socket.getChosenProtocolVersion() == ProtocolVersion.TLS_1) {
            this.socket.setConnectionState(SSLSocket.ConnectionState.PENDING);
        }
        this.socket.setRenewHandshake(true);
        init();
        String socketHost = getSocketHost();
        int socketPort = getSocketPort();
        this.session = this.socket.getSessionContext().getSession(socketHost, socketPort);
        if (this.session == null || !this.session.isValid()) {
            if (Util.isDebug()) {
                Util.log("No valid session cache match found.");
            }
            if (this.session != null && !this.session.isValid()) {
                if (Util.isDebug()) {
                    Util.log("Found session is not valid. Remove session from context.");
                }
                this.socket.getSessionContext().removeSession(this.session);
            }
            if (!this.socket.getEnableSessionCreation()) {
                if (Util.isDebug()) {
                    Util.log("Session creation disabled.");
                }
                throw new SSLHandshakeException("Session creation disabled. No existing session to resume found.");
            }
            if (Util.isDebug()) {
                Util.log("Do full handshake.");
            }
            this.session = new SSLSession(socketHost, socketPort);
            this.socket.setSession(this.session);
            doRenewHandshake(tLSText);
            this.session.setSessionContext(this.socket.getSessionContext());
            this.socket.getSessionContext().putSession(this.session);
        } else {
            if (Util.isDebug()) {
                Util.log("Valid session cache match found.");
                Util.log("Do renew handshake.");
            }
            try {
                this.socket.setSession(this.session);
                cleanUpBeforeRenew();
                doRenewHandshake(tLSText);
            } catch (IOException e) {
                this.session.invalidate();
                this.socket.getSessionContext().removeSession(this.session);
                throw e;
            }
        }
        fin();
    }

    private void doRenewHandshake(TLSText tLSText) throws IOException {
        receiveHelloRequest(tLSText);
        doFullHandshake();
    }

    protected Handshake receiveHelloRequest(TLSText tLSText) throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive HelloRequest start.");
        }
        Handshake read = Handshake.read(new ByteArrayInputStream(tLSText.fragment), this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (read.getType().equals(Handshake.Type.HELLO_REQUEST)) {
            if (Util.isDebug()) {
                Util.log("HelloRequest received.");
            }
            return read;
        }
        if (Util.isDebug()) {
            Util.log("Handshake message HelloRequest expected. Received message: " + read.getType());
        }
        throw new AlertException(Alert.fatal("unexpected_message"), true);
    }

    protected void doAbbreviatedHandshake() throws IOException {
        sendAbbreviatedClientHello();
        flushOutBuffer();
        ServerHello receiveServerHello = receiveServerHello();
        if (isServerWilling2ResumeSession(receiveServerHello)) {
            if (Util.isDebug()) {
                Util.log("Server is willing to resume session.");
                Util.log("Do abbreviated handshake.");
            }
            continueAbbreviatedHandshake(receiveServerHello);
            return;
        }
        if (Util.isDebug()) {
            Util.log("Server is not willing to resume session. Remove session from context.");
        }
        this.socket.getSessionContext().removeSession(this.session);
        if (!this.socket.getEnableSessionCreation()) {
            if (Util.isDebug()) {
                Util.log("Session creation disabled.");
            }
            throw new SSLHandshakeException("Session creation disabled. No existing session to resume found.");
        }
        if (Util.isDebug()) {
            Util.log("Do full handshake.");
        }
        this.session = new SSLSession(getSocketHost(), getSocketPort());
        continueFullHandshake(receiveServerHello);
        this.session.setSessionContext(this.socket.getSessionContext());
        this.socket.getSessionContext().putSession(this.session);
    }

    private int getSocketPort() {
        return this.socket.getPort();
    }

    private String getSocketHost() {
        return this.socket.getInetAddress().getHostAddress();
    }

    private void cleanUpBeforeRenew() {
        this.session.destroyMasterSecret();
        this.socket.cleanUp();
        this.session.setMasterSecret(null);
        this.session.setPreMasterSecret(null);
    }

    protected void doFullHandshake() throws IOException {
        sendClientHello();
        flushOutBuffer();
        continueFullHandshake(receiveServerHello());
    }

    protected void continueAbbreviatedHandshake(ServerHello serverHello) throws IOException {
        processServerHello(serverHello, true);
        receiveChangeCipherSpec();
        receiveFinished(true);
        sendChangeCipherSpec();
        sendFinished(true);
        flushOutBuffer();
    }

    protected void continueFullHandshake(ServerHello serverHello) throws IOException {
        processServerHello(serverHello, false);
        receiveCertificate();
        receiveServerKeyExchange();
        Handshake read = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (read.getType().equals(Handshake.Type.SERVER_HELLO_DONE)) {
            if (Util.isDebug()) {
                Util.log("ServerHelloDone received.");
                Util.log("Do plain handshake.");
            }
            doPlainHandshake();
        } else {
            if (!read.getType().equals(Handshake.Type.CERTIFICATE_REQUEST)) {
                if (Util.isDebug()) {
                    Util.log("Handshake message ServerHelloDone or CertificateRequest expected.");
                }
                throw new AlertException(Alert.fatal("unexpected_message"), true);
            }
            if (Util.isDebug()) {
                Util.log("CertificateRequest received.");
                Util.log("Do client auth handshake.");
            }
            doClientAuthHandshake(read);
        }
        sendChangeCipherSpec();
        sendFinished(false);
        flushOutBuffer();
        receiveChangeCipherSpec();
        receiveFinished(false);
    }

    private void sendAbbreviatedClientHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send abbreviated ClientHello start.");
        }
        ProtocolVersion protocolVersion = this.session.getProtocolVersion();
        try {
            this.clientRandom = new Random(Util.unixTime(), SecureRandom.getInstance("BelPrd").generateSeed(28));
            ArrayList arrayList = new ArrayList();
            arrayList.add(this.session.getCipherSuiteInt());
            if (!this.socket.isRenewHandshake() && protocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                arrayList.add(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
            }
            String rawHostname = this.socket.getRawHostname();
            if (rawHostname != null && !IPAddressUtil.isIPv4LiteralAddress(rawHostname) && !IPAddressUtil.isIPv6LiteralAddress(rawHostname)) {
                HashMap hashMap = new HashMap();
                hashMap.put(ServerNameExtension.NameType.HOSTNAME, new ServerNameExtension.HostName(rawHostname));
                this.extensionsSent.add(new ServerNameExtension(hashMap));
            }
            if (protocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                this.extensionsSent.add(new SignatureAlgorithmsExtension(Collections.singletonList(SignatureAndHashAlgorithm.BELT_WITH_BIGN)));
            }
            if (protocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0 && this.socket.isRenewHandshake()) {
                this.extensionsSent.add(new RenegotiationInfoExtension(this.socket.getOwnVerify(), new byte[0]));
            }
            ClientHello clientHello = new ClientHello(protocolVersion, this.clientRandom, this.session.getIdInt(), arrayList, this.session.getCompressionMethod(), this.extensionsSent);
            new Handshake(Handshake.Type.CLIENT_HELLO, clientHello).write(this.handshakeOut);
            this.handshakeOut.flush();
            if (Util.isDebug()) {
                Util.log("Abbreviated ClientHello sent.");
                Util.log(clientHello.toString());
            }
            if (Util.isDebug()) {
                Util.log("MasterSecret client random set.");
            }
        } catch (NoSuchAlgorithmException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        }
    }

    private boolean isServerWilling2ResumeSession(ServerHello serverHello) {
        return this.session.getIdInt().equals(serverHello.getSessionID()) && this.session.getProtocolVersion().equals(serverHello.getProtocolVersion()) && this.session.getCipherSuiteInt().equals(serverHello.getCipherSuite()) && this.session.getCompressionMethod().equals(serverHello.getCompressionMethod());
    }

    private void sendClientHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send ClientHello start.");
        }
        ProtocolVersion chooseProtocolVersion = this.socket.chooseProtocolVersion();
        try {
            this.clientRandom = new Random(Util.unixTime(), SecureRandom.getInstance("BelPrd").generateSeed(28));
            SSLSession.ID id = new SSLSession.ID();
            ArrayList arrayList = new ArrayList(this.socket.getEnabledCipherSuitesList());
            if (!this.socket.isRenewHandshake() && chooseProtocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                arrayList.add(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
            }
            String rawHostname = this.socket.getRawHostname();
            if (rawHostname != null && !IPAddressUtil.isIPv4LiteralAddress(rawHostname) && !IPAddressUtil.isIPv6LiteralAddress(rawHostname)) {
                HashMap hashMap = new HashMap();
                hashMap.put(ServerNameExtension.NameType.HOSTNAME, new ServerNameExtension.HostName(rawHostname));
                this.extensionsSent.add(new ServerNameExtension(hashMap));
            }
            if (chooseProtocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                this.extensionsSent.add(new SignatureAlgorithmsExtension(Collections.singletonList(SignatureAndHashAlgorithm.BELT_WITH_BIGN)));
            }
            if (chooseProtocolVersion.compareTo(ProtocolVersion.TLS_1_2) >= 0 && this.socket.isRenewHandshake()) {
                this.extensionsSent.add(new RenegotiationInfoExtension(this.socket.getOwnVerify(), new byte[0]));
            }
            ClientHello clientHello = new ClientHello(chooseProtocolVersion, this.clientRandom, id, arrayList, this.socket.getEnabledCompressionMethodsList(), this.extensionsSent);
            new Handshake(Handshake.Type.CLIENT_HELLO, clientHello).write(this.handshakeOut);
            this.handshakeOut.flush();
            if (Util.isDebug()) {
                Util.log("ClientHello sent.");
                Util.log(clientHello.toString());
            }
            if (Util.isDebug()) {
                Util.log("MasterSecret initialized.");
            }
        } catch (NoSuchAlgorithmException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        }
    }

    private ServerHello receiveServerHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive ServerHello start.");
        }
        Handshake.Body body = Handshake.read(this.handshakeIn, null, null).getBody();
        if (!(body instanceof ServerHello)) {
            if (Util.isDebug()) {
                Util.log("Handshake message ServerHello expected. Received message: " + (body == null ? null : body.getClass().getName()));
            }
            throw new AlertException(Alert.fatal("unexpected_message"), true);
        }
        ServerHello serverHello = (ServerHello) body;
        if (Util.isDebug()) {
            Util.log("ServerHello received.");
            Util.log(serverHello.toString());
        }
        return serverHello;
    }

    private void processServerHello(ServerHello serverHello, boolean z) throws IOException {
        if (!this.socket.isProtocolEnabled(serverHello.getProtocolVersion())) {
            if (Util.isDebug()) {
                Util.log("Server choosed " + serverHello.getProtocolVersion() + " protocol version but client does not support it - sending PV alert");
            }
            throw new AlertException(Alert.fatal("protocol_version"), true);
        }
        this.socket.setChosenProtocolVersion(serverHello.getProtocolVersion());
        if (!this.socket.isCipherSuiteEnabled(serverHello.getCipherSuite())) {
            if (Util.isDebug()) {
                Util.log("Server choosed " + serverHello.getCipherSuite() + " cipher suite but client does not support it - sending HF alert");
            }
            throw new AlertException(Alert.fatal("handshake_failure"), true);
        }
        if (!this.socket.isCompressionMethodEnabled(serverHello.getCompressionMethod())) {
            if (Util.isDebug()) {
                Util.log("Server choosed " + serverHello.getCipherSuite() + " compression method but client does not support it - sending HF alert");
            }
            throw new AlertException(Alert.fatal("handshake_failure"), true);
        }
        if (serverHello.getSessionID().getId().length == 0) {
            throw new SSLHandshakeException("Received session ID is empty.");
        }
        if (!z) {
            this.session.setProtocolVersion(serverHello.getProtocolVersion());
            this.session.setCipherSuite(serverHello.getCipherSuite());
            this.session.setCompressionMethod(serverHello.getCompressionMethod());
            this.session.setId(serverHello.getSessionID());
        }
        if (this.socket.getChosenProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0) {
            this.signatureAndHashAlgorithm = SignatureAndHashAlgorithm.BELT_WITH_BIGN;
        }
        if (serverHello.getExtensions() != null) {
            if (serverHello.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                RenegotiationInfoExtension renegotiationInfoExtension = (RenegotiationInfoExtension) serverHello.getExtensionById(65281);
                if (renegotiationInfoExtension != null) {
                    if (this.socket.isRenewHandshake()) {
                        if (!this.socket.isSecureRenegotiation()) {
                            if (Util.isDebug()) {
                                Util.log("Unexpected RenegotiationInfoExtension in legacy renegotiation - sending HF alert");
                            }
                            throw new AlertException(Alert.fatal("handshake_failure"), true);
                        }
                        byte[] ownVerify = this.socket.getOwnVerify();
                        byte[] peerVerify = this.socket.getPeerVerify();
                        byte[] bArr = new byte[ownVerify.length + peerVerify.length];
                        System.arraycopy(ownVerify, 0, bArr, 0, ownVerify.length);
                        System.arraycopy(peerVerify, 0, bArr, ownVerify.length, peerVerify.length);
                        if (Util.isDebug()) {
                            Util.log("Checking client_verify and server_verify: " + Util.toHexString(bArr, ' '));
                        }
                        boolean equals = Arrays.equals(bArr, renegotiationInfoExtension.getRenegotiatedConnection());
                        if (!equals) {
                            if (Util.isDebug()) {
                                Util.log("renegotiated_connection field matches: " + equals + " - sending HF alert");
                            }
                            throw new AlertException(Alert.fatal("handshake_failure"), true);
                        }
                        if (Util.isDebug()) {
                            Util.log("renegotiated_connection field matches: " + equals);
                        }
                    } else {
                        if (renegotiationInfoExtension.getRenegotiatedConnection().length > 0) {
                            if (Util.isDebug()) {
                                Util.log("Non-zero renegotiated_connection length met - sending HF alert");
                            }
                            throw new AlertException(Alert.fatal("handshake_failure"), true);
                        }
                        this.socket.setSecureRenegotiation(true);
                    }
                } else if (!this.socket.isRenewHandshake()) {
                    if (!allowLegacyHelloMessages) {
                        if (Util.isDebug()) {
                            Util.log("Legacy hello messages disallowed - sending HF alert");
                        }
                        throw new AlertException(Alert.fatal("handshake_failure"), true);
                    }
                    this.socket.setSecureRenegotiation(false);
                    if (Util.isDebug()) {
                        Util.log("WARNING: no RenegotiationInfoExtension in ServerHello");
                    }
                } else if (this.socket.isSecureRenegotiation()) {
                    if (Util.isDebug()) {
                        Util.log("Expected RenegotiationInfoExtension not found in secure renegotiation - sending HF alert");
                    }
                    throw new AlertException(Alert.fatal("handshake_failure"), true);
                }
            }
            for (Extension extension : serverHello.getExtensions()) {
                if (extension.getId() != 65281 && !isExtensionSent(extension)) {
                    if (Util.isDebug()) {
                        Util.log("Found extension which wasnt present in ClientHello, id=" + extension.getId() + " - sending UE alert");
                    }
                    throw new AlertException(Alert.fatal("unsupported_extension"), true);
                }
            }
        }
        this.serverRandom = serverHello.getRandom();
        getMasterSecretGenerator().setClientRandom(this.clientRandom.getEncoded());
        getMasterSecretGenerator().setServerRandom(this.serverRandom.getEncoded());
        if (Util.isDebug()) {
            Util.log("ServerHello processed.");
        }
    }

    private boolean isExtensionSent(Extension extension) {
        Iterator<Extension> it = this.extensionsSent.iterator();
        while (it.hasNext()) {
            if (it.next().getId() == extension.getId()) {
                return true;
            }
        }
        return false;
    }

    private void receiveCertificate() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive Certificate start.");
        }
        Handshake.Body body = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt()).getBody();
        if (!(body instanceof Certificate)) {
            if (Util.isDebug()) {
                Util.log("Handshake message Certificate expected. Received message: " + (body == null ? null : body.getClass().getName()));
            }
            throw new AlertException(Alert.fatal("unexpected_message"), true);
        }
        Certificate certificate = (Certificate) body;
        if (Util.isDebug()) {
            Util.log("Certificate received.");
            Util.log(certificate.toString());
        }
        X509Certificate[] certificates = certificate.getCertificates();
        if (certificates == null || certificates.length == 0) {
            if (Util.isDebug()) {
                Util.log("Server certificate chain is empty.");
            }
            throw new AlertException(Alert.fatal("handshake_failure"), true);
        }
        try {
            getTrustManager().checkServerTrusted(certificates, "UNKNOWN");
            this.session.setPeerCertificates(certificates);
            if (Util.isDebug()) {
                Util.log("Peer certificates successfully checked.");
            }
            if (Util.isDebug()) {
                Util.log("Certificate processed.");
                Util.log(certificate.toString());
            }
            if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
                ((ClientPreMasterSecretDHT) getMasterSecretGenerator()).setServerParams(new ServerDHTParams(certificates[0].getPublicKey()));
            }
        } catch (CertificateException e) {
            if (Util.isDebug()) {
                Util.log("Peer certificates check failed.");
                e.printStackTrace();
            }
            throw new AlertException(Alert.fatal("bad_certificate"), true);
        }
    }

    private void receiveServerKeyExchange() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive ServerKeyExchange start.");
        }
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            if (Util.isDebug()) {
                Util.log("Skip ServerKeyExchange receive.");
                return;
            }
            return;
        }
        Handshake.Body body = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt()).getBody();
        if (!(body instanceof ServerKeyExchange)) {
            if (Util.isDebug()) {
                Util.log("Handshake message ServerKeyExchange expected. Received message: " + (body == null ? null : body.getClass().getName()));
            }
            throw new AlertException(Alert.fatal("unexpected_message"), true);
        }
        ServerKeyExchange serverKeyExchange = (ServerKeyExchange) body;
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange received.");
            Util.log(serverKeyExchange.toString());
        }
        verifyParams(serverKeyExchange.getParams(), serverKeyExchange.getSignature());
        ((ClientPreMasterSecret) getMasterSecretGenerator()).setServerParams(serverKeyExchange.getParams());
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange processed.");
        }
    }

    private void verifyParams(ServerBDHParams serverBDHParams, byte[] bArr) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(serverBDHParams.getParamP());
        byteArrayOutputStream.write(serverBDHParams.getParamG());
        byteArrayOutputStream.write(serverBDHParams.getParamVa());
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange TBS: " + Util.toHexString(byteArray, ' '));
        }
        byte[] bArr2 = (byte[]) bArr.clone();
        Util.reverse(bArr2);
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange signature: " + Util.toHexString(bArr, ' '));
            Util.log("ServerKeyExchange signature reversed: " + Util.toHexString(bArr2, ' '));
        }
        X509Certificate x509Certificate = (X509Certificate) this.session.getPeerCertificates()[0];
        try {
            String algorithm = x509Certificate.getPublicKey().getAlgorithm();
            Signature signature = Signature.getInstance((algorithm.equalsIgnoreCase("Bign") || algorithm.equalsIgnoreCase("1.2.112.0.2.0.34.101.45.2.1")) ? "AvBhfWithBign" : "AvBhfWithAvBds");
            signature.initVerify(x509Certificate);
            signature.update(byteArray);
            if (!signature.verify(bArr2)) {
                throw new SSLHandshakeException("ServerKeyExchange parameters signature is not valid.");
            }
            if (Util.isDebug()) {
                Util.log("ServerKeyExchange parameters signature verified.");
            }
        } catch (InvalidKeyException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        } catch (NoSuchAlgorithmException e2) {
            SSLHandshakeException sSLHandshakeException2 = new SSLHandshakeException(e2.getMessage());
            sSLHandshakeException2.initCause(e2);
            throw sSLHandshakeException2;
        } catch (SignatureException e3) {
            SSLHandshakeException sSLHandshakeException3 = new SSLHandshakeException(e3.getMessage());
            sSLHandshakeException3.initCause(e3);
            throw sSLHandshakeException3;
        }
    }

    private void doPlainHandshake() throws IOException {
        initMasterSecret();
        sendClientKeyExchange();
    }

    private void doClientAuthHandshake(Handshake handshake) throws IOException {
        parseCertificateRequest(handshake);
        receiveServerHelloDone();
        sendCertificate();
        initMasterSecret();
        sendClientKeyExchange();
        sendCertificateVerify();
    }

    private void initMasterSecret() {
        if (this.session.getMasterSecret() == null) {
            this.session.setMasterSecret(getMasterSecretGenerator().generate());
            if (Util.isDebug()) {
                Util.log("MasterSecret generated.");
            }
        }
    }

    private void parseCertificateRequest(Handshake handshake) throws IOException {
        if (Util.isDebug()) {
            Util.log("Process CertificateRequest.");
        }
        CertificateRequest certificateRequest = (CertificateRequest) handshake.getBody();
        if (Util.isDebug()) {
            Util.log("CertificateRequest parsed.");
            Util.log(certificateRequest.toString());
        }
        this.certificateAuthorities = certificateRequest.getCertificateAuthorities();
        this.clientCertificateTypes = certificateRequest.getCertificateTypes();
        this.signatureAndHashAlgorithms = certificateRequest.getSupportedSignatureAlgorithms();
    }

    private void receiveServerHelloDone() throws IOException {
        Handshake read = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (read.getType() != Handshake.Type.SERVER_HELLO_DONE) {
            if (Util.isDebug()) {
                Util.log("Handshake message ServerHelloDone expected. Received message: " + read.getType());
            }
            throw new AlertException(Alert.fatal("unexpected_message"), true);
        }
    }

    private void sendCertificate() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send Certificate start.");
        }
        X509Certificate[] clientCertificates = getClientCertificates();
        this.session.setLocalCertificates(clientCertificates);
        Certificate certificate = new Certificate(clientCertificates);
        new Handshake(Handshake.Type.CERTIFICATE, certificate).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("Certificate sent.");
            Util.log(certificate.toString());
        }
    }

    private X509Certificate[] getClientCertificates() throws SSLHandshakeException {
        String[] strArr;
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
            strArr = (String[]) DEFAULT_KEY_TYPES.clone();
        } else {
            strArr = new String[this.clientCertificateTypes.length];
            for (int i = 0; i < strArr.length; i++) {
                strArr[i] = this.clientCertificateTypes[i].getAlgorithm();
            }
        }
        this.clientAlias = getKeyManager().chooseClientAlias(strArr, this.certificateAuthorities, this.socket);
        if (Util.isDebug()) {
            Util.log("Client alias = " + this.clientAlias + ".");
        }
        X509Certificate[] certificateChain = this.clientAlias != null ? getKeyManager().getCertificateChain(this.clientAlias) : null;
        if (certificateChain == null) {
            certificateChain = new X509Certificate[0];
        }
        if (Util.isDebug()) {
            Util.log("Client certificates:");
            if (certificateChain.length == 0) {
                Util.log("Empty certificate chain.");
            }
            for (int i2 = 0; i2 < certificateChain.length; i2++) {
                Util.log("#" + i2 + ":\r\nSubjectDN = " + certificateChain[i2].getSubjectDN() + "\r\nIssuerDN = " + certificateChain[i2].getIssuerDN() + "\r\nSN = " + certificateChain[i2].getSerialNumber());
            }
        }
        return certificateChain;
    }

    private void sendClientKeyExchange() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send ClientKeyExchange.");
        }
        ClientKeyExchange clientKeyExchange = new ClientKeyExchange(getMasterSecretGenerator().getClientParams());
        new Handshake(Handshake.Type.CLIENT_KEY_EXCHANGE, clientKeyExchange).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("ClientKeyExchange sent.");
            Util.log(clientKeyExchange.toString());
        }
    }

    private void sendCertificateVerify() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send CertificateVerify.");
        }
        CertificateVerify certificateVerify = new CertificateVerify(signHandshakeMsgsBuffer(), this.signatureAndHashAlgorithm);
        new Handshake(Handshake.Type.CERTIFICATE_VERIFY, certificateVerify).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("CertificateVerify sent.");
            Util.log(certificateVerify.toString());
        }
    }

    private byte[] signHandshakeMsgsBuffer() throws SSLHandshakeException {
        if (Util.isDebug()) {
            Util.log("Sign sent/received handshake data.");
        }
        byte[] handshakeMsgsBuffer = getHandshakeMsgsBuffer();
        if (Util.isDebugData()) {
            Util.log("Handshake messages TBS: " + Util.toHexString(handshakeMsgsBuffer, ' ', 16));
        }
        PrivateKey privateKey = getKeyManager().getPrivateKey(this.clientAlias);
        if (privateKey == null) {
            throw new SSLHandshakeException("could not find client private key");
        }
        try {
            String str = null;
            if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
                str = privateKey.getAlgorithm().equalsIgnoreCase("Bign") ? "AvBhfWithBign" : "AvBhfWithAvBds";
            } else if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
                str = this.signatureAndHashAlgorithm.getAlgorithm();
            }
            Signature signature = Signature.getInstance(str);
            signature.initSign(privateKey);
            signature.update(handshakeMsgsBuffer);
            byte[] sign = signature.sign();
            if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
                Util.reverse(sign);
            }
            if (Util.isDebug()) {
                Util.log("Sent/received handshake data is signed.");
            }
            return sign;
        } catch (InvalidKeyException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        } catch (NoSuchAlgorithmException e2) {
            SSLHandshakeException sSLHandshakeException2 = new SSLHandshakeException(e2.getMessage());
            sSLHandshakeException2.initCause(e2);
            throw sSLHandshakeException2;
        } catch (SignatureException e3) {
            SSLHandshakeException sSLHandshakeException3 = new SSLHandshakeException(e3.getMessage());
            sSLHandshakeException3.initCause(e3);
            throw sSLHandshakeException3;
        }
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    protected PreMasterSecret createMasterSecretGenerator() {
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
            return new ClientPreMasterSecret();
        }
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            return new ClientPreMasterSecretDHT();
        }
        throw new IllegalStateException("dont know how to create master secret generator");
    }
}
