package tech.lp2p.tls;

import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.X509TrustManager;
import tech.lp2p.tls.KeyShareExtension;
import tech.lp2p.tls.TlsEngine;

/* loaded from: classes3.dex */
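/**
 * Server side of the handshake state machine (decompiled source; TLS 1.3-style message flow).
 *
 * <p>On a ClientHello the engine negotiates a cipher suite and key-share group, then sends the
 * whole server flight in one go: ServerHello, EncryptedExtensions, CertificateRequest,
 * Certificate, CertificateVerify, Finished. It then expects the client's Certificate,
 * CertificateVerify and Finished, in that order, each gated on {@link #status}.
 *
 * <p>A client certificate is mandatory here: a CertificateRequest is always sent and a
 * Certificate message without an end-entity certificate is rejected.
 *
 * <p>Several members used below ({@code state}, {@code privateKey}, {@code publicKey},
 * {@code remoteCertificate}, {@code remoteCertificateChain}, {@code verifySignature},
 * {@code checkCertificateValidity}, {@code generateKeys}, {@code computeSignature},
 * {@code computeFinishedVerifyData}) are not declared in this file; they presumably come from
 * {@link TlsEngine} - confirm their contracts there.
 */
public final class TlsServerEngine extends TlsEngine implements ServerMessageProcessor {
    // Schemes advertised in the CertificateRequest and accepted in the client's CertificateVerify.
    private static final SignatureScheme[] SUPPORTED_SIGNATURES = {
        SignatureScheme.rsa_pss_rsae_sha256,
        SignatureScheme.rsa_pss_rsae_sha384,
        SignatureScheme.rsa_pss_rsae_sha512,
        SignatureScheme.ecdsa_secp256r1_sha256
    };

    private final PrivateKey certificatePrivateKey;
    private CipherSuite selectedCipher;
    private final X509Certificate[] serverCertificateChain;
    private final List<Extension> serverExtensions;
    private final ServerMessageSender serverMessageSender;
    private TlsEngine.Status status;
    private final TlsStatusEventHandler statusHandler;
    private final List<CipherSuite> supportedCiphers;
    private final TranscriptHash transcriptHash;

    /**
     * Creates an engine in {@code Status.Initial} that offers TLS_AES_128_GCM_SHA256 only.
     *
     * <p>The decompiler widened this constructor from package-private to public.
     *
     * @param x509TrustManager trust manager handed to {@link TlsEngine}
     * @param x509CertificateArr certificate chain sent in the server Certificate message;
     *     stored as given, without a defensive copy
     * @param privateKey key used to sign the server CertificateVerify
     * @param serverMessageSender sink for outgoing handshake messages
     * @param tlsStatusEventHandler receives handshake progress callbacks
     */
    public TlsServerEngine(X509TrustManager x509TrustManager, X509Certificate[] x509CertificateArr, PrivateKey privateKey, ServerMessageSender serverMessageSender, TlsStatusEventHandler tlsStatusEventHandler) {
        super(x509TrustManager);
        this.supportedCiphers = new ArrayList<>();
        this.serverExtensions = new ArrayList<>();
        this.status = TlsEngine.Status.Initial;
        this.serverCertificateChain = x509CertificateArr;
        this.certificatePrivateKey = privateKey;
        this.serverMessageSender = serverMessageSender;
        this.statusHandler = tlsStatusEventHandler;
        // NOTE(review): 32 is presumably the SHA-256 digest length; addSupportedCiphers() can add
        // suites with another hash while this value stays fixed - confirm against TranscriptHash.
        this.transcriptHash = new TranscriptHash(32);
        this.supportedCiphers.add(CipherSuite.TLS_AES_128_GCM_SHA256);
    }

    /** Builds the alert raised when the client offers none of the server's cipher suites. */
    private HandshakeFailureAlert noCommonCipher() {
        String offered = this.supportedCiphers.stream()
                .map(Object::toString)
                .collect(Collectors.joining(", "));
        return new HandshakeFailureAlert("Failed to negotiate a cipher (server only supports " + offered + ")");
    }

    /**
     * Returns the first extension of the given type, or raises a missing-extension alert.
     *
     * @param extensions extensions carried by the ClientHello
     * @param type extension class to look for
     * @param missingMessage alert text used when no such extension is present
     * @throws MissingExtensionAlert if no element of {@code extensions} is an instance of {@code type}
     */
    private static <T extends Extension> T requireExtension(Extension[] extensions, Class<T> type, String missingMessage) throws MissingExtensionAlert {
        for (Extension candidate : extensions) {
            if (type.isInstance(candidate)) {
                return type.cast(candidate);
            }
        }
        throw new MissingExtensionAlert(missingMessage);
    }

    /**
     * Validates that a protocol name was supplied; in this decompiled form nothing is stored.
     *
     * @throws IllegalArgumentException if {@code str} is null
     */
    public static void setSelectedApplicationLayerProtocol(String str) {
        if (str == null) {
            throw new IllegalArgumentException();
        }
    }

    /** Queues an extension for the EncryptedExtensions message of the server flight. */
    public void addServerExtensions(Extension extension) {
        this.serverExtensions.add(extension);
    }

    /**
     * Appends cipher suites to the set the server is willing to select.
     *
     * <p>The decompiler widened this method from package-private to public.
     */
    public void addSupportedCiphers(List<CipherSuite> list) {
        this.supportedCiphers.addAll(list);
    }

    /** Returns the negotiated cipher suite, or null before a ClientHello has been accepted. */
    public CipherSuite getSelectedCipher() {
        return this.selectedCipher;
    }

    /**
     * Handles the client's Certificate message.
     *
     * <p>Only stores the end-entity certificate and chain; chain validation happens later, in the
     * CertificateVerify handler.
     *
     * @throws ErrorAlert if the message is protected with the wrong keys, arrives out of order,
     *     carries a non-empty request context, or has no end-entity certificate
     */
    @Override // tech.lp2p.tls.MessageProcessor
    public void received(CertificateMessage certificateMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.FinishedSent) {
            throw new UnexpectedMessageAlert("unexpected certificate message");
        }
        if (certificateMessage.requestContext().length > 0) {
            throw new IllegalParameterAlert("certificate request context should be zero length");
        }
        if (certificateMessage.getEndEntityCertificate() == null) {
            throw new IllegalParameterAlert("missing certificate");
        }
        this.remoteCertificate = certificateMessage.getEndEntityCertificate();
        this.remoteCertificateChain = certificateMessage.certificateChain();
        this.transcriptHash.recordClient(certificateMessage);
        this.status = TlsEngine.Status.CertificateReceived;
    }

    /**
     * Handles the client's CertificateVerify: checks the signature over the transcript and then
     * validates the certificate chain received earlier.
     *
     * <p>The status only advances when both checks pass, so Finished cannot be accepted from a
     * client whose proof of possession or chain was rejected.
     *
     * @throws ErrorAlert if the message is protected with the wrong keys, arrives out of order,
     *     uses a scheme outside {@code SUPPORTED_SIGNATURES}, or fails verification
     */
    @Override // tech.lp2p.tls.MessageProcessor
    public void received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.CertificateReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate verify message");
        }
        SignatureScheme signatureScheme = certificateVerifyMessage.signatureScheme();
        if (!Arrays.asList(SUPPORTED_SIGNATURES).contains(signatureScheme)) {
            throw new IllegalParameterAlert("signature scheme does not match");
        }
        // NOTE(review): the trailing boolean flags of verifySignature and checkCertificateValidity
        // are opaque here (presumably client/server context selectors) - confirm in TlsEngine.
        byte[] signedTranscript = this.transcriptHash.getClientHash(HandshakeType.certificate);
        if (!verifySignature(certificateVerifyMessage.signature(), signatureScheme, this.remoteCertificate, signedTranscript, true)) {
            throw new DecryptErrorAlert("signature verification fails");
        }
        checkCertificateValidity(this.remoteCertificateChain, false);
        this.transcriptHash.recordClient(certificateVerifyMessage);
        this.status = TlsEngine.Status.CertificateVerifyReceived;
    }

    /**
     * Handles the ClientHello: negotiates parameters, derives the handshake and application
     * secrets, and sends the complete server flight.
     *
     * <p>Application secrets are computed at the end of this method, before the client's
     * Certificate, CertificateVerify and Finished have arrived. Callers should treat the peer as
     * authenticated only once {@code statusHandler.handshakeFinished()} has fired.
     *
     * @throws ErrorAlert if a ClientHello arrives after the handshake has started, if no common
     *     cipher suite, group or key share is found, or if a required extension is missing
     */
    @Override // tech.lp2p.tls.MessageProcessor
    public void received(ClientHello clientHello) throws ErrorAlert {
        // Every other handler in this class gates on status. Without this guard a second
        // ClientHello would re-run the flight on an already-used transcript and key state.
        if (this.status != TlsEngine.Status.Initial) {
            throw new UnexpectedMessageAlert("unexpected client hello message");
        }
        this.status = TlsEngine.Status.ClientHelloReceived;

        // Client preference order decides: the first offered suite the server also supports wins.
        this.selectedCipher = Arrays.stream(clientHello.cipherSuites())
                .filter(this.supportedCiphers::contains)
                .findFirst()
                .orElseThrow(this::noCommonCipher);

        SupportedGroupsExtension supportedGroups = requireExtension(
                clientHello.extensions(),
                SupportedGroupsExtension.class,
                "supported groups extension is required in Client Hello");
        final List<NamedGroup> serverGroups = List.of(NamedGroup.secp256r1, NamedGroup.x25519, NamedGroup.x448);
        if (Arrays.stream(supportedGroups.namedGroups()).noneMatch(serverGroups::contains)) {
            throw new HandshakeFailureAlert(String.format("Failed to negotiate supported group (server only supports %s)", serverGroups));
        }

        KeyShareExtension keyShare = requireExtension(
                clientHello.extensions(),
                KeyShareExtension.class,
                "key share extension is required in Client Hello");
        // No HelloRetryRequest support: the client must already have sent a usable key share.
        KeyShareExtension.KeyShareEntry keyShareEntry = Arrays.stream(keyShare.keyShareEntries())
                .filter(entry -> serverGroups.contains(entry.namedGroup()))
                .findFirst()
                .orElseThrow(() -> new IllegalParameterAlert("key share named group not supported (and no HelloRetryRequest support)"));

        SignatureAlgorithmsExtension signatureAlgorithms = requireExtension(
                clientHello.extensions(),
                SignatureAlgorithmsExtension.class,
                "signature algorithms extension is required in Client Hello");
        // NOTE(review): this requires the client to offer rsa_pss_rsae_sha256, but the server's
        // CertificateVerify below is signed with ecdsa_secp256r1_sha256. A client that did not
        // offer the ECDSA scheme still gets an ECDSA signature, and an ECDSA-only client is
        // rejected here. Confirm which scheme the check should name.
        if (!Arrays.asList(signatureAlgorithms.algorithms()).contains(SignatureScheme.rsa_pss_rsae_sha256)) {
            throw new HandshakeFailureAlert("Failed to negotiate signature algorithm (server only supports rsa_pss_rsae_sha256");
        }

        this.statusHandler.extensionsReceived(clientHello.extensions());
        if (this.state == null) {
            this.state = new TlsState(this.transcriptHash);
        }
        this.transcriptHash.record(clientHello);
        generateKeys(keyShareEntry.namedGroup());
        this.state.setOwnKey(this.privateKey);
        this.state.computeEarlyTrafficSecret();

        // ServerHello
        Extension[] serverHelloExtensions = {
            SupportedVersionsExtension.createSupportedVersionsExtension(HandshakeType.server_hello),
            KeyShareExtension.create(this.publicKey, keyShareEntry.namedGroup(), HandshakeType.server_hello)
        };
        ServerHello serverHello = ServerHello.createServerHello(this.selectedCipher, serverHelloExtensions);
        this.serverMessageSender.send(serverHello);
        this.status = TlsEngine.Status.ServerHelloSent;
        this.transcriptHash.record(serverHello);

        // Handshake secrets become available once the peer's key share is known.
        this.state.setPeerKey(keyShareEntry.key());
        this.state.computeSharedSecret();
        this.state.computeHandshakeSecrets();
        this.statusHandler.handshakeSecretsKnown();

        // EncryptedExtensions
        EncryptedExtensions encryptedExtensions =
                EncryptedExtensions.createEncryptedExtensions(this.serverExtensions.toArray(new Extension[0]));
        this.serverMessageSender.send(encryptedExtensions);
        this.transcriptHash.record(encryptedExtensions);
        this.status = TlsEngine.Status.EncryptedExtensionsSent;

        // CertificateRequest: always sent, so client authentication is mandatory.
        CertificateRequestMessage certificateRequest =
                CertificateRequestMessage.createCertificateRequestMessage(new SignatureAlgorithmsExtension(SUPPORTED_SIGNATURES));
        this.serverMessageSender.send(certificateRequest);
        this.transcriptHash.record(certificateRequest);
        this.status = TlsEngine.Status.CertificateRequestSent;

        // Certificate
        CertificateMessage certificate = CertificateMessage.createCertificateMessage(this.serverCertificateChain);
        this.serverMessageSender.send(certificate);
        this.transcriptHash.recordServer(certificate);
        this.status = TlsEngine.Status.CertificateSent;

        // CertificateVerify: signature over the transcript up to and including Certificate.
        byte[] signature = computeSignature(
                this.transcriptHash.getServerHash(HandshakeType.certificate),
                this.certificatePrivateKey,
                SignatureScheme.ecdsa_secp256r1_sha256,
                false);
        CertificateVerifyMessage certificateVerify =
                CertificateVerifyMessage.createCertificateVerifyMessage(SignatureScheme.ecdsa_secp256r1_sha256, signature);
        this.serverMessageSender.send(certificateVerify);
        this.transcriptHash.recordServer(certificateVerify);
        this.status = TlsEngine.Status.CertificateVerifySent;

        // Finished
        FinishedMessage finished = FinishedMessage.createFinishedMessage(
                computeFinishedVerifyData(
                        this.transcriptHash.getServerHash(HandshakeType.certificate_verify),
                        this.state.getServerHandshakeTrafficSecret()));
        this.serverMessageSender.send(finished);
        this.transcriptHash.recordServer(finished);
        this.state.computeApplicationSecrets();
        this.status = TlsEngine.Status.FinishedSent;
    }

    /**
     * Handles the client's Finished message and, if its verify data matches, reports the
     * handshake as finished.
     *
     * @throws ErrorAlert if the message is protected with the wrong keys, arrives out of order,
     *     or carries verify data that does not match the locally computed value
     */
    @Override // tech.lp2p.tls.MessageProcessor
    public void received(FinishedMessage finishedMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.CertificateVerifyReceived) {
            // The original text said "certificate message", copied from the Certificate handler.
            throw new UnexpectedMessageAlert("unexpected finished message");
        }
        // Status advances before the check on purpose: after a failed Finished no handler in this
        // class accepts another handshake message, so the check cannot be retried on this engine.
        this.status = TlsEngine.Status.FinishedReceived;
        this.transcriptHash.recordClient(finishedMessage);
        byte[] expectedVerifyData = computeFinishedVerifyData(
                this.transcriptHash.getClientHash(HandshakeType.certificate_verify),
                this.state.getClientHandshakeTrafficSecret());
        // MessageDigest.isEqual compares without stopping at the first differing byte, unlike
        // Arrays.equals, so timing does not reveal how much of the verify data was correct.
        if (!MessageDigest.isEqual(finishedMessage.verifyData(), expectedVerifyData)) {
            throw new DecryptErrorAlert("incorrect finished message");
        }
        this.statusHandler.handshakeFinished();
    }
}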
