package by.avest.net.tls;

import by.avest.net.tls.CertificateRequest;
import by.avest.net.tls.Handshake;
import by.avest.net.tls.SSLSession;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.WeakHashMap;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.x500.X500Principal;
import javax.security.cert.X509Certificate;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:by/avest/net/tls/ServerHandshakeExecutor.class */
public class ServerHandshakeExecutor extends HandshakeExecutor {
    private static final int SESSION_ID_LENGTH = 32;
    private static final String KEY_ALG = "1.3.6.1.4.1.12656.1.37";
    private static final boolean DESTROY_OUTDATED_SOCKETS = false;
    private static final boolean allowInvalidServerCertificate;
    private static final String[] LEGACY_CIPHER_SUITE_KEY_ALGS;
    private static Map<X509Certificate, SSLSocket> clientSocketsMap;
    private SecureRandom sessionIDGenerator;
    private String serverAlias;
    private PrivateKey serverPrivateKey;
    private java.security.cert.X509Certificate[] serverCertificateChain;
    private boolean onlyLegacyCipherSuiteAllowed;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServerHandshakeExecutor(SSLSocket sSLSocket, RecordInputStream recordInputStream, RecordOutputStream recordOutputStream) throws SSLHandshakeException {
        super(sSLSocket, recordInputStream, recordOutputStream);
        this.onlyLegacyCipherSuiteAllowed = false;
        this.serverAlias = getKeyManager().chooseServerAlias(KEY_ALG, null, sSLSocket);
        if (Util.isDebug()) {
            Util.log("ServerHandshakeExecutor, alias: " + this.serverAlias);
        }
        this.serverPrivateKey = getKeyManager().getPrivateKey(this.serverAlias);
        if (this.serverPrivateKey == null) {
            throw new SSLHandshakeException("could not find server private key for chosen alias: " + this.serverAlias);
        }
        this.serverCertificateChain = getKeyManager().getCertificateChain(this.serverAlias);
        if (this.serverCertificateChain == null || this.serverCertificateChain.length == 0) {
            throw new SSLHandshakeException("could not find server certificate chain for chosen alias: " + this.serverAlias);
        }
        checkOnlyLegacyCipherSuiteAllowed();
        try {
            this.serverCertificateChain[0].checkValidity();
        } catch (CertificateException e) {
            if (!allowInvalidServerCertificate) {
                SSLHandshakeException sSLHandshakeException = new SSLHandshakeException("server certificate validity check failed");
                sSLHandshakeException.initCause(e);
                throw sSLHandshakeException;
            }
            System.err.println("WARNING: server certificate validity check failed: " + e.getMessage());
        }
        try {
            this.sessionIDGenerator = SecureRandom.getInstance("BelPrd");
        } catch (NoSuchAlgorithmException e2) {
            SSLHandshakeException sSLHandshakeException2 = new SSLHandshakeException(e2.getMessage());
            sSLHandshakeException2.initCause(e2);
            throw sSLHandshakeException2;
        }
    }

    private void checkOnlyLegacyCipherSuiteAllowed() throws SSLHandshakeException {
        String algorithm = this.serverPrivateKey.getAlgorithm();
        String[] strArr = LEGACY_CIPHER_SUITE_KEY_ALGS;
        int length = strArr.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            if (strArr[i].equalsIgnoreCase(algorithm)) {
                this.onlyLegacyCipherSuiteAllowed = true;
                break;
            }
            i++;
        }
        if (this.onlyLegacyCipherSuiteAllowed && !this.socket.isCipherSuiteEnabled(CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF)) {
            throw new SSLHandshakeException("Invalid server configuration: server private key (algorithm: " + this.serverPrivateKey.getAlgorithm() + ") restricts supported cipher suite list to the only TLS_BDH_BDS_WITH_GOST28147_CFB_BHF cipher suite which is disabled in current socket configuration");
        }
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    public void doHandshake() throws IOException {
        Util.log("Start handshake.");
        init();
        ClientHello receiveClientHello = receiveClientHello();
        if (!receiveClientHello.getSessionID().isEmpty()) {
            if (Util.isDebug()) {
                Util.log("Client wants to resume session. Session ID: " + Util.toHexString(receiveClientHello.getSessionID().getId(), ' ') + ".");
            }
            this.session = (SSLSession) this.socket.getSessionContext().getSession(receiveClientHello.getSessionID().getId());
        }
        if (this.session == null || !this.session.isValid()) {
            if (Util.isDebug()) {
                Util.log("No valid session cache match found.");
            }
            if (this.session != null && !this.session.isValid()) {
                if (Util.isDebug()) {
                    Util.log("Found session is not valid. Remove session from context.");
                }
                this.socket.getSessionContext().removeSession(this.session);
            }
            startNewSessionFullHandshake(receiveClientHello);
        } else {
            try {
                if (Util.isDebug()) {
                    Util.log("Valid session cache match found.");
                }
                this.session.notifyClientStarted(this.socket);
                if (isSessionResumable(receiveClientHello)) {
                    if (Util.isDebug()) {
                        Util.log("Session is resumable.");
                        Util.log("Do abbreaviated handshake.");
                    }
                    continueAbbreviatedHandshake(receiveClientHello);
                } else {
                    if (Util.isDebug()) {
                        Util.log("Session is not resumable. Continue full handshake.");
                    }
                    startNewSessionFullHandshake(receiveClientHello);
                }
            } catch (IOException e) {
                if (Util.isDebug()) {
                    Util.log("Exception occured during handshake. Invalidate session and remove it from context.");
                    e.printStackTrace();
                }
                this.session.invalidate();
                this.socket.getSessionContext().removeSession(this.session);
                throw e;
            }
        }
        fin();
        destroyOutdatedSockets();
    }

    private void startNewSessionFullHandshake(ClientHello clientHello) throws SSLHandshakeException, IOException {
        if (!this.socket.getEnableSessionCreation()) {
            if (Util.isDebug()) {
                Util.log("Session creation disabled.");
            }
            throw new SSLHandshakeException("Session creation disabled. No existing session to resume found.");
        }
        if (Util.isDebug()) {
            Util.log("Do full handshake.");
        }
        this.session = new SSLSession(this.socket.getInetAddress().getHostAddress(), this.socket.getPort());
        this.session.notifyClientStarted(this.socket);
        continueFullHandshake(clientHello);
        this.session.setSessionContext(this.socket.getSessionContext());
        this.socket.getSessionContext().putSession(this.session);
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    public void renewHandshake(TLSText tLSText) throws IOException {
        if (Util.isDebug()) {
            Util.log("???? renewHandshake on server ignore ????");
        }
    }

    protected void continueAbbreviatedHandshake(ClientHello clientHello) throws IOException {
        processClientHello(clientHello, true);
        sendAbbreviatedServerHello();
        sendChangeCipherSpec();
        sendFinished(true);
        flushOutBuffer();
        receiveChangeCipherSpec();
        receiveFinished(true);
    }

    protected void continueFullHandshake(ClientHello clientHello) throws IOException {
        processClientHello(clientHello, false);
        if (this.socket.getNeedClientAuth() || this.socket.getWantClientAuth()) {
            if (Util.isDebug()) {
                Util.log("Do client auth handshake.");
            }
            doClientAuthHandshake();
        } else {
            if (Util.isDebug()) {
                Util.log("Do plain handshake.");
            }
            doPlainHandshake();
        }
        receiveChangeCipherSpec();
        receiveFinished(false);
        sendChangeCipherSpec();
        sendFinished(false);
        flushOutBuffer();
    }

    private boolean isSessionResumable(ClientHello clientHello) throws SSLHandshakeException {
        if (!this.session.getProtocolVersion().equals(clientHello.getProtocolVersion()) || clientHello.getCipherSuites().isEmpty() || !clientHello.getCipherSuites().contains(this.session.getCipherSuiteInt())) {
            return false;
        }
        if (!clientHello.getCompressionMethods().isEmpty() || this.session.getCompressionMethod().equals(CompressionMethod.NULL)) {
            return clientHello.getCompressionMethods().isEmpty() || clientHello.getCompressionMethods().contains(this.session.getCompressionMethod());
        }
        return false;
    }

    private void processClientHello(ClientHello clientHello, boolean z) throws IOException {
        chooseProcotolAndCipherSuite(clientHello, z);
        boolean z2 = false;
        if (clientHello.getCipherSuites().contains(CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
            if (Util.isDebug()) {
                Util.log("Received TLS_EMPTY_RENEGOTIATION_INFO_SCSV.");
            }
            z2 = true;
            if (this.socket.isRenewHandshake()) {
                if (Util.isDebug()) {
                    Util.log("Received RENEGOTIATION SCSV during renegotiation.");
                }
                throw new AlertException(Alert.fatal("handshake_failure"), true);
            }
            this.socket.setSecureRenegotiation(true);
        }
        if (Util.isDebug()) {
            Util.log("Choosen protocol version: " + this.session.getProtocolVersion() + ".");
            Util.log("Choosen cipher suite: " + this.session.getCipherSuiteInt() + ".");
            Util.log("Choosen compression method: " + this.session.getCompressionMethod() + ".");
        }
        RenegotiationInfoExtension renegotiationInfoExtension = (RenegotiationInfoExtension) clientHello.getExtensionById(65281);
        if (renegotiationInfoExtension != null) {
            z2 = true;
            if (this.socket.isRenewHandshake()) {
                if (!this.socket.isSecureRenegotiation()) {
                    if (Util.isDebug()) {
                        Util.log("RenegotiationInfoExtension present in an insecure renegotiation");
                    }
                    throw new AlertException(Alert.fatal("handshake_failure"), true);
                }
                byte[] peerVerify = this.socket.getPeerVerify();
                if (Util.isDebug()) {
                    Util.log("Previous verify data: " + Util.toHexString(peerVerify, ' '));
                }
                if (!Arrays.equals(peerVerify, renegotiationInfoExtension.getRenegotiatedConnection())) {
                    if (Util.isDebug()) {
                        Util.log("Wrong verify_data in RenegotiationInfoExtension");
                    }
                    throw new AlertException(Alert.fatal("handshake_failure"), true);
                }
            } else {
                if (renegotiationInfoExtension.getRenegotiatedConnection().length != 0) {
                    if (Util.isDebug()) {
                        Util.log("Renegotiated connection is not empty in initial handshake");
                    }
                    throw new AlertException(Alert.fatal("handshake_failure"), true);
                }
                this.socket.setSecureRenegotiation(true);
            }
        } else if (this.socket.isRenewHandshake() && this.socket.isSecureRenegotiation()) {
            if (Util.isDebug()) {
                Util.log("Got no RenegotiationInfoExtension when renewing handshake with secure renegotiation");
            }
            throw new AlertException(Alert.fatal("handshake_failure"), true);
        }
        if (!z2 || !this.socket.isSecureRenegotiation()) {
            if (this.socket.isRenewHandshake()) {
                if (allowUnsafeRenegotiation) {
                    if (Util.isDebug()) {
                        Util.log("WARNING: continue with insecure renegotiation");
                    }
                } else if (clientHello.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0) {
                    throw new AlertException(Alert.warn("no_renegotiation"), true);
                }
            } else {
                if (!allowLegacyHelloMessages) {
                    throw new AlertException(Alert.fatal("handshake_failure"), true);
                }
                if (Util.isDebug()) {
                    Util.log("WARNING: no SCSV or RenegotiationInfoExtension found in ClientHello, allow legacy ClientHello");
                }
            }
        }
        if (!this.socket.isRenewHandshake() && this.session.getCipherSuiteInt().equals(CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT)) {
            SignatureAlgorithmsExtension signatureAlgorithmsExtension = (SignatureAlgorithmsExtension) clientHello.getExtensionById(13);
            if (signatureAlgorithmsExtension == null) {
                this.signatureAndHashAlgorithm = SignatureAndHashAlgorithm.BELT_WITH_BIGN;
            } else if (signatureAlgorithmsExtension.getSupportedSignatureAlgorithms().contains(SignatureAndHashAlgorithm.BELT_WITH_BIGN)) {
                this.signatureAndHashAlgorithm = SignatureAndHashAlgorithm.BELT_WITH_BIGN;
            }
        }
        this.clientRandom = clientHello.getRandom();
        getMasterSecretGenerator().setClientRandom(this.clientRandom.getEncoded());
        if (Util.isDebug()) {
            Util.log("MasterSecret initialized.");
        }
    }

    private void sendAbbreviatedServerHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send abbreviated ServerHello start.");
        }
        try {
            this.serverRandom = new Random(Util.unixTime(), SecureRandom.getInstance("BelPrd").generateSeed(28));
            getMasterSecretGenerator().setServerRandom(this.serverRandom.getEncoded());
            ArrayList arrayList = null;
            if (this.session.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0 && this.socket.isSecureRenegotiation()) {
                arrayList = new ArrayList();
                arrayList.add(new RenegotiationInfoExtension(this.socket.getPeerVerify(), this.socket.getOwnVerify()));
            }
            ServerHello serverHello = new ServerHello(this.session.getProtocolVersion(), this.serverRandom, this.session.getIdInt(), this.session.getCipherSuiteInt(), this.session.getCompressionMethod(), arrayList);
            new Handshake(Handshake.Type.SERVER_HELLO, serverHello).write(this.handshakeOut);
            this.handshakeOut.flush();
            if (Util.isDebug()) {
                Util.log("Abbreviated ServerHello sent.");
                Util.log(serverHello.toString());
            }
        } catch (NoSuchAlgorithmException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.toString());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        }
    }

    private ClientHello receiveClientHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive ClientHello start.");
        }
        Handshake read = Handshake.read(this.handshakeIn, null, null);
        if (!(read.getBody() instanceof ClientHello)) {
            throw new SSLHandshakeException("Handshake message ClientHello expected.");
        }
        ClientHello clientHello = (ClientHello) read.getBody();
        clientHello.setRecordProtocolVersion(getLastRecordProtocolVersion());
        if (Util.isDebug()) {
            Util.log("ClientHello received.");
            Util.log(clientHello.toString());
        }
        return clientHello;
    }

    private void chooseProcotolAndCipherSuite(ClientHello clientHello, boolean z) throws SSLHandshakeException, AlertException {
        if (Util.isDebug()) {
            Util.log("Choosing protocol version and cipher suite.");
        }
        if (z) {
            if (Util.isDebug()) {
                Util.log("No choosing needed when session is resumed");
            }
            this.socket.setChosenProtocolVersion(this.session.getProtocolVersion());
            return;
        }
        ProtocolVersion protocolVersion = null;
        CipherSuite cipherSuite = null;
        List<CipherSuite> cipherSuites = clientHello.getCipherSuites();
        boolean isProtocolEnabled = this.socket.isProtocolEnabled(ProtocolVersion.TLS_1);
        boolean isProtocolEnabled2 = this.socket.isProtocolEnabled(ProtocolVersion.TLS_1_1);
        boolean z2 = isProtocolEnabled || isProtocolEnabled2;
        boolean isProtocolEnabled3 = this.socket.isProtocolEnabled(ProtocolVersion.TLS_1_2);
        if (this.onlyLegacyCipherSuiteAllowed) {
            if (Util.isDebug()) {
                Util.log("Server certificate allows only TLS_BDH_BDS_WITH_GOST28147_CFB_BHF");
            }
            protocolVersion = ProtocolVersion.TLS_1;
            cipherSuite = CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF;
        } else if (clientHello.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0) {
            if (areBothClientAndServerSupport(cipherSuites, CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) && isProtocolEnabled3) {
                if (Util.isDebug()) {
                    Util.log("Both client and server support TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT over >= TLSv1.2 - ok");
                }
                protocolVersion = ProtocolVersion.TLS_1_2;
                cipherSuite = CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT;
            } else if (areBothClientAndServerSupport(cipherSuites, CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF)) {
                if (!z2) {
                    if (Util.isDebug()) {
                        Util.log("Client supports TLS_BDH_BDS_WITH_GOST28147_CFB_BHF but server does not support TLSv1.1 neither TLSv1 - sending PV alert");
                    }
                    throw new AlertException(Alert.fatal("protocol_version"), true);
                }
                if (clientHello.getRecordProtocolVersion().compareTo(ProtocolVersion.TLS_1_1) != 0) {
                    if (Util.isDebug()) {
                        Util.log("Both client and server support TLS_BDH_BDS_WITH_GOST28147_CFB_BHF and record protocol version is <> TLSv1.1 - downgrading protocol to TLSv1/TLSv1.1");
                    }
                    protocolVersion = isProtocolEnabled ? ProtocolVersion.TLS_1 : ProtocolVersion.TLS_1_1;
                    cipherSuite = CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF;
                } else {
                    if (!isProtocolEnabled2) {
                        if (Util.isDebug()) {
                            Util.log("Client supports TLS_BDH_BDS_WITH_GOST28147_CFB_BHF and record protocol version is TLSv1.1 but server does not support TLSv1.1 - sending PV alert");
                        }
                        throw new AlertException(Alert.fatal("protocol_version"), true);
                    }
                    if (Util.isDebug()) {
                        Util.log("Both client and server support TLS_BDH_BDS_WITH_GOST28147_CFB_BHF and record protocol version is TLSv1.1 - downgrading protocol to TLSv1.1");
                    }
                    protocolVersion = ProtocolVersion.TLS_1_1;
                    cipherSuite = CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF;
                }
            } else if (clientHasNoCipherSuites(cipherSuites, CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT, CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) && this.socket.isCipherSuiteEnabled(CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) && isProtocolEnabled3) {
                if (Util.isDebug()) {
                    Util.log("Client support nothing, but server does TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT over >= TLSv1.2 - ok");
                }
                protocolVersion = ProtocolVersion.TLS_1_2;
                cipherSuite = CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT;
            }
        } else if (areBothClientAndServerSupport(cipherSuites, CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) && z2) {
            if (Util.isDebug()) {
                Util.log("Both client and server support TLS_BDH_BDS_WITH_GOST28147_CFB_BHF over < TLSv1.2 - ok");
            }
            protocolVersion = isProtocolEnabled ? ProtocolVersion.TLS_1 : ProtocolVersion.TLS_1_1;
            cipherSuite = CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF;
        } else {
            if (areBothClientAndServerSupport(cipherSuites, CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT)) {
                if (Util.isDebug()) {
                    Util.log("Both client and server support TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT but protocol version is < TLSv1.2 - sending PV alert");
                }
                throw new AlertException(Alert.fatal("protocol_version"), true);
            }
            if (clientHasNoCipherSuites(cipherSuites, CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) && this.socket.isCipherSuiteEnabled(CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) && z2) {
                if (Util.isDebug()) {
                    Util.log("Client support nothing, but server does TLS_BDH_BDS_WITH_GOST28147_CFB_BHF over < TLSv1.2 - ok");
                }
                protocolVersion = isProtocolEnabled ? ProtocolVersion.TLS_1 : ProtocolVersion.TLS_1_1;
                cipherSuite = CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF;
            }
        }
        if (protocolVersion == null || cipherSuite == null) {
            if (Util.isDebug()) {
                Util.log("Could not find any protocol cipher suite match (supported protocols: " + Arrays.toString(this.socket.getEnabledProtocols()) + ", cipher suites: " + Arrays.toString(this.socket.getEnabledCipherSuites()) + ") - sending HF alert");
            }
            throw new AlertException(Alert.fatal("handshake_failure"), true);
        }
        this.session.setProtocolVersion(protocolVersion);
        this.session.setCipherSuite(cipherSuite);
        this.socket.setChosenProtocolVersion(protocolVersion);
        this.session.setCompressionMethod(chooseCompressionMethod(clientHello.getCompressionMethods()));
    }

    private boolean areBothClientAndServerSupport(List<CipherSuite> list, CipherSuite cipherSuite) {
        return list.contains(cipherSuite) && this.socket.isCipherSuiteEnabled(cipherSuite);
    }

    private boolean clientHasNoCipherSuites(List<CipherSuite> list, CipherSuite... cipherSuiteArr) {
        for (CipherSuite cipherSuite : cipherSuiteArr) {
            if (list.contains(cipherSuite)) {
                return false;
            }
        }
        return true;
    }

    private CompressionMethod chooseCompressionMethod(List<CompressionMethod> list) throws SSLHandshakeException {
        for (CompressionMethod compressionMethod : list) {
            if (this.socket.isCompressionMethodEnabled(compressionMethod)) {
                return compressionMethod;
            }
        }
        return this.socket.getEnabledCompressionMethodsList().get(0);
    }

    private void sendServerHello() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send ServerHello start.");
        }
        try {
            this.serverRandom = new Random(Util.unixTime(), SecureRandom.getInstance("BelPrd").generateSeed(28));
            getMasterSecretGenerator().setServerRandom(this.serverRandom.getEncoded());
            SSLSession.ID id = new SSLSession.ID(generateSessionID());
            this.session.setId(id);
            ArrayList arrayList = null;
            if (this.session.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0 && this.socket.isSecureRenegotiation()) {
                arrayList = new ArrayList();
                arrayList.add(new RenegotiationInfoExtension(this.socket.getPeerVerify(), this.socket.getOwnVerify()));
            }
            ServerHello serverHello = new ServerHello(this.session.getProtocolVersion(), this.serverRandom, id, this.session.getCipherSuiteInt(), this.session.getCompressionMethod(), arrayList);
            new Handshake(Handshake.Type.SERVER_HELLO, serverHello).write(this.handshakeOut);
            this.handshakeOut.flush();
            if (Util.isDebug()) {
                Util.log("ServerHello sent.");
                Util.log(serverHello.toString());
            }
        } catch (NoSuchAlgorithmException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.toString());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        }
    }

    private byte[] generateSessionID() {
        byte[] bArr = new byte[32];
        this.sessionIDGenerator.nextBytes(bArr);
        return bArr;
    }

    private void sendCertificate() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send Certificate start.");
        }
        Certificate certificate = new Certificate(this.serverCertificateChain);
        new Handshake(Handshake.Type.CERTIFICATE, certificate).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("Certificate sent.");
            Util.log(certificate.toString());
        }
        this.session.setLocalCertificates(this.serverCertificateChain);
    }

    private void sendServerKeyExchange() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send ServerKeyExchange start.");
        }
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            if (Util.isDebug()) {
                Util.log("Skip ServerKeyExchange send.");
                return;
            }
            return;
        }
        ServerBDHParams serverParams = ((ServerPreMasterSecret) getMasterSecretGenerator()).getServerParams();
        ServerKeyExchange serverKeyExchange = new ServerKeyExchange(serverParams, signParams(serverParams));
        new Handshake(Handshake.Type.SERVER_KEY_EXCHANGE, serverKeyExchange).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange sent.");
            Util.log(serverKeyExchange.toString());
        }
    }

    private void doPlainHandshake() throws IOException {
        sendServerHello();
        sendCertificate();
        sendServerKeyExchange();
        sendServerHelloDone();
        flushOutBuffer();
        receiveClientKeyExchange();
        initMasterSecret();
        if (Util.isDebug()) {
            Util.log("MasterSecret is generated.");
        }
    }

    private void initMasterSecret() {
        if (this.session.getMasterSecret() == null) {
            this.session.setMasterSecret(getMasterSecretGenerator().generate());
        }
    }

    private void doClientAuthHandshake() throws IOException {
        sendServerHello();
        sendCertificate();
        sendServerKeyExchange();
        sendCertificateRequest();
        sendServerHelloDone();
        flushOutBuffer();
        receiveCertificate();
        receiveClientKeyExchange();
        initMasterSecret();
        if (Util.isDebug()) {
            Util.log("MasterSecret is generated.");
        }
        receiveCertificateVerify();
    }

    private void destroyOutdatedSockets() throws SSLPeerUnverifiedException, IOException {
        if (Util.isDebug()) {
            Util.log("Destroying outdated client sockets");
        }
        if (Util.isDebug()) {
            Util.log("Destroying outdated client sockets DISABLED");
        }
    }

    private byte[] signParams(ServerBDHParams serverBDHParams) throws IOException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(serverBDHParams.getParamP());
        byteArrayOutputStream.write(serverBDHParams.getParamG());
        byteArrayOutputStream.write(serverBDHParams.getParamVa());
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        if (Util.isDebug()) {
            Util.log("ServerKeyExchange TBS: " + Util.toHexString(byteArray, ' '));
        }
        try {
            String algorithm = this.serverPrivateKey.getAlgorithm();
            Signature signature = Signature.getInstance((algorithm.equalsIgnoreCase("Bign") || algorithm.equalsIgnoreCase("1.2.112.0.2.0.34.101.45.2.1")) ? "AvBhfWithBign" : "AvBhfWithAvBds");
            signature.initSign(this.serverPrivateKey);
            signature.update(byteArray);
            byte[] sign = signature.sign();
            if (Util.isDebug()) {
                Util.log("ServerKeyExchange signature: " + Util.toHexString(sign, ' '));
            }
            Util.reverse(sign);
            if (Util.isDebug()) {
                Util.log("ServerKeyExchange signature reversed: " + Util.toHexString(sign, ' '));
                Util.log("ServerKeyExchange parameters signature generated.");
            }
            return sign;
        } catch (InvalidKeyException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        } catch (NoSuchAlgorithmException e2) {
            SSLHandshakeException sSLHandshakeException2 = new SSLHandshakeException(e2.getMessage());
            sSLHandshakeException2.initCause(e2);
            throw sSLHandshakeException2;
        } catch (SignatureException e3) {
            SSLHandshakeException sSLHandshakeException3 = new SSLHandshakeException(e3.getMessage());
            sSLHandshakeException3.initCause(e3);
            throw sSLHandshakeException3;
        }
    }

    private void sendCertificateRequest() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send CertificateRequest start.");
        }
        CertificateRequest certificateRequest = new CertificateRequest(getCertificateTypes(), getSignatureAndHashAlgorithms(), getCertificateAuthorities());
        new Handshake(Handshake.Type.CERTIFICATE_REQUEST, certificateRequest).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("CertificateRequest sent.");
            Util.log(certificateRequest.toString());
        }
    }

    private SignatureAndHashAlgorithm[] getSignatureAndHashAlgorithms() {
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            return new SignatureAndHashAlgorithm[]{SignatureAndHashAlgorithm.BELT_WITH_BIGN};
        }
        if (this.session.getProtocolVersion().compareTo(ProtocolVersion.TLS_1_2) >= 0) {
            return new SignatureAndHashAlgorithm[0];
        }
        return null;
    }

    private CertificateRequest.ClientCertificateType[] getCertificateTypes() {
        return this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT ? new CertificateRequest.ClientCertificateType[]{CertificateRequest.ClientCertificateType.BIGN128_SIGN} : new CertificateRequest.ClientCertificateType[]{CertificateRequest.ClientCertificateType.RSA_SIGN, CertificateRequest.ClientCertificateType.DSS_SIGN, CertificateRequest.ClientCertificateType.RSA_FIXED_DH, CertificateRequest.ClientCertificateType.DSS_FIXED_DH};
    }

    private X500Principal[] getCertificateAuthorities() throws IOException {
        java.security.cert.X509Certificate[] acceptedIssuers = getTrustManager().getAcceptedIssuers();
        if (acceptedIssuers == null || acceptedIssuers.length == 0) {
            throw new SSLHandshakeException("No accepted issuers available.");
        }
        X500Principal[] x500PrincipalArr = new X500Principal[acceptedIssuers.length];
        for (int i = 0; i < acceptedIssuers.length; i++) {
            x500PrincipalArr[i] = acceptedIssuers[i].getSubjectX500Principal();
        }
        return x500PrincipalArr;
    }

    private void sendServerHelloDone() throws IOException {
        if (Util.isDebug()) {
            Util.log("Send ServerHelloDone start.");
        }
        new Handshake(Handshake.Type.SERVER_HELLO_DONE, null).write(this.handshakeOut);
        this.handshakeOut.flush();
        if (Util.isDebug()) {
            Util.log("ServerHelloDone sent.");
        }
    }

    private void receiveCertificate() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive Certificate start.");
        }
        Handshake read = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (!(read.getBody() instanceof Certificate)) {
            throw new SSLHandshakeException("Handshake message Certificate expected.");
        }
        Certificate certificate = (Certificate) read.getBody();
        if (Util.isDebug()) {
            Util.log("Certificate received.");
            Util.log(certificate.toString());
        }
        if (certificate.getCertificates().length == 0) {
            if (Util.isDebug()) {
                Util.log("Client certificate message is empty (no certificate chain provided).");
            }
            if (this.socket.getNeedClientAuth()) {
                if (Util.isDebug()) {
                    Util.log("Server needs client auth. Throw an exception.");
                }
                throw new AlertException(Alert.fatal("handshake_failure"), true);
            }
            if (this.socket.getWantClientAuth() && Util.isDebug()) {
                Util.log("Server wants client auth. Client certificate is not compulsory. Continue.");
            }
        } else {
            try {
                getTrustManager().checkClientTrusted(certificate.getCertificates(), "UNKNOWN");
                this.session.setPeerCertificates(certificate.getCertificates());
            } catch (CertificateException e) {
                SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.toString());
                sSLHandshakeException.initCause(e);
                throw sSLHandshakeException;
            }
        }
        if (Util.isDebug()) {
            Util.log("Client certificate successfully processed.");
        }
    }

    private void receiveClientKeyExchange() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive ClientKeyExchange start.");
        }
        Handshake read = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (!(read.getBody() instanceof ClientKeyExchange)) {
            throw new SSLHandshakeException("Handshake message ClientKeyExchange expected.");
        }
        ClientKeyExchange clientKeyExchange = (ClientKeyExchange) read.getBody();
        if (Util.isDebug()) {
            Util.log("ClientKeyExchange received.");
            Util.log(clientKeyExchange.toString());
        }
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
            ((ServerPreMasterSecret) getMasterSecretGenerator()).setClientParams((ClientBDHParams) clientKeyExchange.getParams());
        } else if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            ((ServerPreMasterSecretDHT) getMasterSecretGenerator()).setClientParams((ClientDHTParams) clientKeyExchange.getParams());
        }
    }

    private void receiveCertificateVerify() throws IOException {
        if (Util.isDebug()) {
            Util.log("Receive CertificateVerify start.");
        }
        byte[] handshakeMsgsBuffer = getHandshakeMsgsBuffer();
        Handshake read = Handshake.read(this.handshakeIn, this.session.getProtocolVersion(), this.session.getCipherSuiteInt());
        if (!(read.getBody() instanceof CertificateVerify)) {
            throw new SSLHandshakeException("Handshake message CertificateVerify expected.");
        }
        CertificateVerify certificateVerify = (CertificateVerify) read.getBody();
        if (Util.isDebug()) {
            Util.log("CertificateVerify received.");
            Util.log(certificateVerify.toString());
        }
        verifyHandshakeMsgsBuffer(handshakeMsgsBuffer, certificateVerify.getSignature());
    }

    private void verifyHandshakeMsgsBuffer(byte[] bArr, byte[] bArr2) throws SSLHandshakeException {
        if (Util.isDebug()) {
            Util.log("Verify sent/received handshake data signature.");
        }
        try {
            java.security.cert.X509Certificate x509Certificate = (java.security.cert.X509Certificate) this.session.getPeerCertificates()[0];
            String algorithm = x509Certificate.getPublicKey().getAlgorithm();
            String str = null;
            if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
                str = (algorithm.equalsIgnoreCase("Bign") || algorithm.equalsIgnoreCase("1.2.112.0.2.0.34.101.45.2.1")) ? "AvBhfWithBign" : "AvBhfWithAvBds";
            } else if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
                str = this.signatureAndHashAlgorithm.getAlgorithm();
            }
            Signature signature = Signature.getInstance(str);
            signature.initVerify(x509Certificate);
            signature.update(bArr);
            byte[] bArr3 = (byte[]) bArr2.clone();
            if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
                Util.reverse(bArr3);
            }
            if (!signature.verify(bArr3)) {
                throw new SSLHandshakeException("Client CertificateVerify message is not valid.");
            }
            if (Util.isDebug()) {
                Util.log("Sent/received handshake data signature is valid.");
            }
        } catch (InvalidKeyException e) {
            SSLHandshakeException sSLHandshakeException = new SSLHandshakeException(e.getMessage());
            sSLHandshakeException.initCause(e);
            throw sSLHandshakeException;
        } catch (NoSuchAlgorithmException e2) {
            SSLHandshakeException sSLHandshakeException2 = new SSLHandshakeException(e2.getMessage());
            sSLHandshakeException2.initCause(e2);
            throw sSLHandshakeException2;
        } catch (SignatureException e3) {
            SSLHandshakeException sSLHandshakeException3 = new SSLHandshakeException(e3.getMessage());
            sSLHandshakeException3.initCause(e3);
            throw sSLHandshakeException3;
        } catch (SSLPeerUnverifiedException e4) {
            SSLHandshakeException sSLHandshakeException4 = new SSLHandshakeException(e4.getMessage());
            sSLHandshakeException4.initCause(e4);
            throw sSLHandshakeException4;
        }
    }

    @Override // by.avest.net.tls.HandshakeExecutor
    protected PreMasterSecret createMasterSecretGenerator() {
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_BDH_BDS_WITH_GOST28147_CFB_BHF) {
            return new ServerPreMasterSecret();
        }
        if (this.session.getCipherSuiteInt() == CipherSuite.TLS_DHT_BIGN_WITH_BELT_CTR_MAC_HBELT) {
            return new ServerPreMasterSecretDHT(this.serverPrivateKey, this.serverCertificateChain[0].getPublicKey());
        }
        throw new IllegalStateException("dont know how to create master secret generator");
    }

    static {
        allowInvalidServerCertificate = System.getProperty("by.avest.net.tls.allowInvalidServerCertificate") != null;
        LEGACY_CIPHER_SUITE_KEY_ALGS = new String[]{"Bds", "BdsPro", "BdsProBdh", "BdsBdh", "AvBds", "AvBdsHash", "AvCompoundBds", "AvCompoundBdsHash", "BdsHash", "CompoundBds", "CompoundBdsHash"};
        clientSocketsMap = new WeakHashMap();
    }
}
