package tech.lp2p.tls;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import tech.lp2p.tls.ClientHello;
import tech.lp2p.tls.KeyShareExtension;
import tech.lp2p.tls.TlsEngine;

/* loaded from: classes3.dex */
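/**
 * Client side of the TLS 1.3 handshake state machine.
 *
 * <p>{@link #startHandshake()} sends the ClientHello; the {@code received(...)} handlers then
 * consume the server's handshake messages in order (ServerHello, EncryptedExtensions, optional
 * CertificateRequest, Certificate, CertificateVerify, Finished), each one checking the protection
 * level and the current {@link TlsEngine.Status} before advancing it. Only protocol version
 * {@code 0x0304} (TLS 1.3) is accepted from the server.
 *
 * <p>No synchronization is performed; the handlers mutate plain fields and are expected to be
 * driven sequentially from a single thread — TODO confirm with the record layer that calls them.
 */
public final class TlsClientEngine extends TlsEngine implements ClientMessageProcessor {
    /** The only protocol version accepted in the server's supported_versions extension (TLS 1.3). */
    private static final short TLS_1_3_VERSION = 0x0304;
    private static final X500Principal[] PRINCIPALS_EMPTY = new X500Principal[0];
    /**
     * Signature schemes this engine can offer in the ClientHello;
     * {@link #startHandshake(SignatureScheme[])} rejects anything outside this list.
     */
    private static final List<SignatureScheme> AVAILABLE_SIGNATURES = List.of(
            SignatureScheme.rsa_pss_rsae_sha256,
            SignatureScheme.rsa_pss_rsae_sha384,
            SignatureScheme.rsa_pss_rsae_sha512,
            SignatureScheme.ecdsa_secp256r1_sha256);

    // Handshake state, written by the received(...) handlers as the server's messages arrive.
    private boolean clientAuthRequested;
    private X500Principal[] clientCertificateAuthorities;
    private Function<X500Principal[], CertificateWithPrivateKey> clientCertificateSelector;
    private HostnameVerifier hostnameVerifier;
    private boolean pskAccepted;
    private final List<Extension> requestedExtensions;
    private CipherSuite selectedCipher;
    private final ClientMessageSender sender;
    private Extension[] sentExtensions;
    private final String serverName;
    private SignatureScheme[] serverSupportedSignatureSchemes;
    private TlsEngine.Status status;
    private final TlsStatusEventHandler statusHandler;
    private final List<CipherSuite> supportedCiphers;
    private SignatureScheme[] supportedSignatures;
    private TranscriptHash transcriptHash;

    /**
     * Creates an engine in status {@code Initial}; nothing is sent until {@link #startHandshake()}.
     *
     * @param str                   server name sent in the ClientHello and checked against the
     *                              server certificate; must be non-null by the time the handshake starts
     * @param x509TrustManager      trust manager handed to {@link TlsEngine}
     * @param list                  cipher suites offered to the server; must be non-empty by the time
     *                              the handshake starts
     * @param list2                 extensions requested in the ClientHello
     * @param clientMessageSender   sink for outgoing handshake messages
     * @param tlsStatusEventHandler receives progress callbacks (secrets known, extensions, finished)
     */
    public TlsClientEngine(String str, X509TrustManager x509TrustManager, List<CipherSuite> list, List<Extension> list2, ClientMessageSender clientMessageSender, TlsStatusEventHandler tlsStatusEventHandler) {
        super(x509TrustManager);
        this.status = TlsEngine.Status.Initial;
        this.pskAccepted = false;
        this.serverName = str;
        this.sender = clientMessageSender;
        this.statusHandler = tlsStatusEventHandler;
        this.supportedCiphers = list;
        this.requestedExtensions = list2;
        this.hostnameVerifier = new DefaultHostnameVerifier();
        // Default: offer no client certificate (sendClientAuth then sends an empty Certificate message).
        this.clientCertificateSelector = authorities -> null;
    }

    /**
     * Whether a certificate signed with the given algorithm can be used with {@code scheme}
     * for the CertificateVerify signature. Matching is done on the JCA signature algorithm name.
     *
     * <p>NOTE(review): {@code rsa_pss_rsae_sha512} is offered in {@link #AVAILABLE_SIGNATURES} but
     * is never accepted here for an RSA certificate — confirm whether that is intentional.
     *
     * @param certificate client certificate to sign with
     * @param scheme      candidate signature scheme
     * @return true when the scheme is usable with the certificate's key type
     */
    private static boolean certificateSupportsSignature(X509Certificate certificate, SignatureScheme scheme) {
        // Locale.ROOT: the algorithm name is ASCII; avoid locale-dependent case folding.
        String sigAlg = certificate.getSigAlgName().toLowerCase(Locale.ROOT);
        if (sigAlg.contains("withrsa")) {
            return scheme == SignatureScheme.rsa_pss_rsae_sha256
                    || scheme == SignatureScheme.rsa_pss_rsae_sha384;
        }
        return sigAlg.contains("withecdsa") && scheme == SignatureScheme.ecdsa_secp256r1_sha256;
    }

    /**
     * Sends the client Certificate message and, when a certificate was supplied by the selector,
     * the CertificateVerify message signed with a scheme that is offered by us, accepted by the
     * server and usable with the certificate's key.
     *
     * <p>NOTE(review): the certificate_request_context received in the CertificateRequest is not
     * retained, so it cannot be echoed here — confirm that createCertificateMessage handles it.
     *
     * @throws ErrorAlert {@code HandshakeFailureAlert} when no common signature scheme exists
     */
    private void sendClientAuth() throws ErrorAlert {
        CertificateWithPrivateKey clientCert = this.clientCertificateSelector.apply(this.clientCertificateAuthorities);
        CertificateMessage certificateMessage = CertificateMessage.createCertificateMessage(clientCert != null ? clientCert.certificate() : null);
        this.sender.send(certificateMessage);
        this.transcriptHash.recordClient(certificateMessage);
        if (clientCert == null) {
            // Empty Certificate message: the server decides whether to continue without client auth.
            return;
        }
        List<SignatureScheme> offered = Arrays.asList(this.supportedSignatures);
        SignatureScheme scheme = Arrays.stream(this.serverSupportedSignatureSchemes)
                .filter(offered::contains)
                .filter(candidate -> certificateSupportsSignature(clientCert.certificate(), candidate))
                .findFirst()
                .orElseThrow(() -> new HandshakeFailureAlert("failed to negotiate signature scheme"));
        // The signature covers the client transcript up to and including the Certificate message.
        CertificateVerifyMessage verifyMessage = CertificateVerifyMessage.createCertificateVerifyMessage(
                scheme,
                computeSignature(this.transcriptHash.getClientHash(HandshakeType.certificate), clientCert.privateKey(), scheme, true));
        this.sender.send(verifyMessage);
        this.transcriptHash.recordClient(verifyMessage);
    }

    /**
     * Generates the key share, builds and sends the ClientHello, and derives the early traffic secret.
     *
     * @param schemes signature schemes to offer; every entry must be in {@link #AVAILABLE_SIGNATURES}
     * @throws IllegalArgumentException when a scheme is not available
     * @throws IllegalStateException    when the server name is unset or no cipher suite is configured
     * @throws BadRecordMacAlert        propagated from the sender
     */
    private void startHandshake(SignatureScheme[] schemes) throws BadRecordMacAlert {
        // Collect into a fresh list: Arrays.asList(..) is a fixed-size view and its removeAll()
        // would fail with UnsupportedOperationException instead of producing the message.
        List<SignatureScheme> unsupported = Arrays.stream(schemes)
                .filter(scheme -> !AVAILABLE_SIGNATURES.contains(scheme))
                .collect(Collectors.toList());
        if (!unsupported.isEmpty()) {
            throw new IllegalArgumentException("Unsupported signature scheme(s): " + unsupported);
        }
        this.supportedSignatures = schemes;
        generateKeys(NamedGroup.secp256r1);
        if (this.serverName == null || this.supportedCiphers.isEmpty()) {
            throw new IllegalStateException("not all mandatory properties are set");
        }
        this.transcriptHash = new TranscriptHash(32);
        this.state = new TlsState(this.transcriptHash);
        ClientHello clientHello = ClientHello.createClientHello(
                this.serverName,
                this.publicKey,
                false,
                this.supportedCiphers,
                this.supportedSignatures,
                NamedGroup.secp256r1,
                this.requestedExtensions,
                ClientHello.PskKeyEstablishmentMode.PSKwithDHE);
        // Remembered so that EncryptedExtensions can be checked against what was actually requested.
        this.sentExtensions = clientHello.extensions();
        this.sender.send(clientHello);
        this.status = TlsEngine.Status.ClientHelloSent;
        this.transcriptHash.record(clientHello);
        this.state.setOwnKey(this.privateKey);
        this.state.computeEarlyTrafficSecret();
    }

    /**
     * Returns the cipher suite selected by the server.
     *
     * @return the negotiated cipher suite
     * @throws IllegalStateException before a valid ServerHello has been processed
     */
    public CipherSuite getSelectedCipher() {
        if (this.selectedCipher == null) {
            throw new IllegalStateException("No (valid) server hello received yet");
        }
        return this.selectedCipher;
    }

    /**
     * Handles the server Certificate message: stores the end-entity certificate and chain for the
     * CertificateVerify step. Validity of the chain is checked later, once the signature has been verified.
     *
     * @param certificateMessage the server's Certificate message
     * @param protectionKeysType protection level the message arrived under; must be Handshake
     * @throws ErrorAlert on wrong protection level, wrong state, non-empty request context or missing certificate
     */
    @Override
    public void received(CertificateMessage certificateMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        // Valid either directly after EncryptedExtensions or after a CertificateRequest.
        if (this.status != TlsEngine.Status.EncryptedExtensionsReceived && this.status != TlsEngine.Status.CertificateRequestReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate message");
        }
        // The context is only non-empty for post-handshake authentication, which is not supported here.
        if (certificateMessage.requestContext().length > 0) {
            throw new IllegalParameterAlert("certificate request context should be zero length");
        }
        if (certificateMessage.getEndEntityCertificate() == null) {
            throw new IllegalParameterAlert("missing certificate");
        }
        this.remoteCertificate = certificateMessage.getEndEntityCertificate();
        this.remoteCertificateChain = certificateMessage.certificateChain();
        this.transcriptHash.recordServer(certificateMessage);
        this.status = TlsEngine.Status.CertificateReceived;
    }

    /**
     * Handles a CertificateRequest: records which signature schemes the server accepts and which
     * certificate authorities it lists, and arms client authentication for the Finished step.
     *
     * @param certificateRequestMessage the server's CertificateRequest message
     * @param protectionKeysType        protection level the message arrived under; must be Handshake
     * @throws ErrorAlert on wrong protection level, wrong state or a missing signature_algorithms extension
     */
    @Override
    public void received(CertificateRequestMessage certificateRequestMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.EncryptedExtensionsReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate request message");
        }
        Extension[] extensions = certificateRequestMessage.extensions();
        // signature_algorithms is mandatory in a CertificateRequest.
        this.serverSupportedSignatureSchemes = Arrays.stream(extensions)
                .filter(extension -> extension instanceof SignatureAlgorithmsExtension)
                .map(extension -> ((SignatureAlgorithmsExtension) extension).algorithms())
                .findFirst()
                .orElseThrow(MissingExtensionAlert::new);
        this.transcriptHash.record(certificateRequestMessage);
        // certificate_authorities is optional; an empty list means "any issuer".
        this.clientCertificateAuthorities = Arrays.stream(extensions)
                .filter(extension -> extension instanceof CertificateAuthoritiesExtension)
                .map(extension -> ((CertificateAuthoritiesExtension) extension).authorities())
                .findFirst()
                .orElse(PRINCIPALS_EMPTY);
        this.clientAuthRequested = true;
        this.status = TlsEngine.Status.CertificateRequestReceived;
    }

    /**
     * Handles the server CertificateVerify: checks the signature scheme was one we offered, verifies
     * the signature over the server transcript, then validates the chain and the host name.
     *
     * @param certificateVerifyMessage the server's CertificateVerify message
     * @param protectionKeysType       protection level the message arrived under; must be Handshake
     * @throws ErrorAlert on wrong protection level or state, an unoffered scheme, a bad signature,
     *                    an invalid chain, or a host name mismatch
     */
    @Override
    public void received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.CertificateReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate verify message");
        }
        SignatureScheme scheme = certificateVerifyMessage.signatureScheme();
        // The server may only sign with a scheme we advertised in the ClientHello.
        if (!Arrays.asList(this.supportedSignatures).contains(scheme)) {
            throw new IllegalParameterAlert("signature scheme does not match");
        }
        if (!verifySignature(certificateVerifyMessage.signature(), scheme, this.remoteCertificate, this.transcriptHash.getServerHash(HandshakeType.certificate), false)) {
            throw new DecryptErrorAlert("signature verification fails");
        }
        // Chain validation and host name binding happen only after proof of possession succeeded.
        checkCertificateValidity(this.remoteCertificateChain, true);
        if (!this.hostnameVerifier.verify(this.serverName, this.remoteCertificate)) {
            throw new CertificateUnknownAlert("servername does not match");
        }
        this.transcriptHash.recordServer(certificateVerifyMessage);
        this.status = TlsEngine.Status.CertificateVerifyReceived;
    }

    /**
     * Handles EncryptedExtensions: every known extension the server returns must answer one we sent,
     * and no extension type may appear twice.
     *
     * @param encryptedExtensions the server's EncryptedExtensions message
     * @param protectionKeysType  protection level the message arrived under; must be Handshake
     * @throws ErrorAlert on wrong protection level or state, an unrequested extension, or duplicates
     */
    @Override
    public void received(EncryptedExtensions encryptedExtensions, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != TlsEngine.Status.ServerHelloReceived) {
            throw new UnexpectedMessageAlert("unexpected encrypted extensions message");
        }
        // Matching is by extension class, so a Set gives the same answer as the list lookup.
        Set<Class<? extends Extension>> requested = Arrays.stream(this.sentExtensions)
                .map(Extension::getClass)
                .collect(Collectors.toSet());
        Extension[] received = encryptedExtensions.extensions();
        // Unknown extensions are ignored here; everything else must have been requested by us.
        boolean allRequested = Arrays.stream(received)
                .filter(extension -> !(extension instanceof UnknownExtension))
                .allMatch(extension -> requested.contains(extension.getClass()));
        if (!allRequested) {
            throw new UnsupportedExtensionAlert("extension response to missing request");
        }
        long distinctTypes = Arrays.stream(received).map(Extension::getClass).distinct().count();
        if (distinctTypes != received.length) {
            throw new UnsupportedExtensionAlert("duplicate extensions not allowed");
        }
        this.transcriptHash.record(encryptedExtensions);
        this.status = TlsEngine.Status.EncryptedExtensionsReceived;
        this.statusHandler.extensionsReceived(received);
    }

    /**
     * Handles the server Finished: verifies its verify_data, sends client authentication when it
     * was requested, sends our own Finished and switches to application traffic secrets.
     *
     * @param finishedMessage    the server's Finished message
     * @param protectionKeysType protection level the message arrived under; must be Handshake
     * @throws ErrorAlert on wrong protection level or state, or a verify_data mismatch
     */
    @Override
    public void received(FinishedMessage finishedMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        // With a PSK there is no server certificate flight, so Finished follows EncryptedExtensions.
        TlsEngine.Status expected = this.pskAccepted
                ? TlsEngine.Status.EncryptedExtensionsReceived
                : TlsEngine.Status.CertificateVerifyReceived;
        if (this.status != expected) {
            throw new UnexpectedMessageAlert("unexpected finished message");
        }
        this.transcriptHash.recordServer(finishedMessage);
        byte[] expectedVerifyData = computeFinishedVerifyData(
                this.transcriptHash.getServerHash(HandshakeType.certificate_verify),
                this.state.getServerHandshakeTrafficSecret());
        // Constant-time comparison: the MAC check must not leak how many leading bytes matched.
        if (!MessageDigest.isEqual(finishedMessage.verifyData(), expectedVerifyData)) {
            throw new DecryptErrorAlert("incorrect finished message");
        }
        if (this.clientAuthRequested) {
            sendClientAuth();
        }
        FinishedMessage clientFinished = FinishedMessage.createFinishedMessage(computeFinishedVerifyData(
                this.transcriptHash.getClientHash(HandshakeType.certificate_verify),
                this.state.getClientHandshakeTrafficSecret()));
        this.sender.send(clientFinished);
        this.transcriptHash.recordClient(clientFinished);
        this.state.computeApplicationSecrets();
        this.status = TlsEngine.Status.Finished;
        this.statusHandler.handshakeFinished();
    }

    /**
     * Handles the ServerHello: checks the negotiated version, the extension set, the cipher suite,
     * and feeds the server key share (and/or PSK selection) into the key schedule.
     *
     * <p>NOTE(review): unlike the other handlers this method does not check {@link #status}; a
     * ServerHello arriving in any other state would be processed and reset the handshake secrets.
     * Confirm the record layer enforces message order, otherwise guard on {@code Status.ClientHelloSent}.
     *
     * @param serverHello the server's ServerHello message
     * @throws MissingExtensionAlert  when supported_versions, or both key_share and pre_shared_key, are absent
     * @throws IllegalParameterAlert  on a version other than TLS 1.3, an illegal extension, an empty
     *                                key_share, or a cipher suite we did not offer
     * @throws BadRecordMacAlert      propagated from the key schedule
     */
    @Override
    public void received(ServerHello serverHello) throws MissingExtensionAlert, IllegalParameterAlert, BadRecordMacAlert {
        Extension[] extensions = serverHello.extensions();
        boolean hasSupportedVersions = Arrays.stream(extensions)
                .anyMatch(extension -> extension instanceof SupportedVersionsExtension);
        boolean hasKeyExchange = Arrays.stream(extensions)
                .anyMatch(extension -> extension instanceof PreSharedKeyExtension || extension instanceof KeyShareExtension);
        if (!hasSupportedVersions || !hasKeyExchange) {
            throw new MissingExtensionAlert();
        }
        Optional<Short> negotiatedVersion = Arrays.stream(extensions)
                .filter(extension -> extension instanceof SupportedVersionsExtension)
                .map(extension -> ((SupportedVersionsExtension) extension).tlsVersion())
                .findFirst();
        if (!negotiatedVersion.isPresent() || negotiatedVersion.get().shortValue() != TLS_1_3_VERSION) {
            throw new IllegalParameterAlert("invalid tls version");
        }
        // A TLS 1.3 ServerHello may only carry supported_versions, pre_shared_key and key_share.
        boolean hasIllegalExtension = Arrays.stream(extensions)
                .anyMatch(extension -> !(extension instanceof SupportedVersionsExtension
                        || extension instanceof PreSharedKeyExtension
                        || extension instanceof KeyShareExtension));
        if (hasIllegalExtension) {
            throw new IllegalParameterAlert("illegal extension in server hello");
        }
        Optional<KeyShareExtension> keyShare = Arrays.stream(extensions)
                .filter(extension -> extension instanceof KeyShareExtension)
                .map(extension -> (KeyShareExtension) extension)
                .findFirst();
        boolean pskSelected = Arrays.stream(extensions)
                .anyMatch(extension -> extension instanceof ServerPreSharedKeyExtension);
        if (!keyShare.isPresent() && !pskSelected) {
            throw new MissingExtensionAlert(" either the pre_shared_key extension or the key_share extension must be present");
        }
        if (pskSelected) {
            this.pskAccepted = true;
        }
        if (!this.supportedCiphers.contains(serverHello.cipherSuite())) {
            throw new IllegalParameterAlert("cipher suite does not match");
        }
        this.selectedCipher = serverHello.cipherSuite();
        if (pskSelected) {
            this.state.setPskSelected();
        } else {
            this.state.setNoPskSelected();
        }
        if (keyShare.isPresent()) {
            KeyShareExtension.KeyShareEntry[] entries = keyShare.get().keyShareEntries();
            // An empty key_share is malformed; reject it with an alert instead of failing on the index.
            if (entries.length == 0) {
                throw new IllegalParameterAlert("key_share extension without key share entry");
            }
            // NOTE(review): the entry's group is not compared with the offered secp256r1 here;
            // confirm setPeerKey/computeSharedSecret reject a key for a different group.
            this.state.setPeerKey(entries[0].key());
            this.state.computeSharedSecret();
        }
        this.transcriptHash.record(serverHello);
        this.state.computeHandshakeSecrets();
        this.status = TlsEngine.Status.ServerHelloReceived;
        this.statusHandler.handshakeSecretsKnown();
    }

    /**
     * Installs the callback that picks the client certificate when the server requests one. The
     * callback receives the certificate authorities from the CertificateRequest (empty array when
     * none were listed) and may return {@code null} to send an empty Certificate message.
     *
     * @param function certificate selector; passing {@code null} fails later in client authentication
     */
    public void setClientCertificateCallback(Function<X500Principal[], CertificateWithPrivateKey> function) {
        this.clientCertificateSelector = function;
    }

    /**
     * Replaces the host name verifier used on the server certificate; {@code null} keeps the current one.
     *
     * @param hostnameVerifier verifier to use, or {@code null} for no change
     */
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        }
    }

    /**
     * Starts the handshake offering {@code rsa_pss_rsae_sha256} and {@code ecdsa_secp256r1_sha256}.
     *
     * @throws BadRecordMacAlert propagated from sending the ClientHello
     */
    public void startHandshake() throws BadRecordMacAlert {
        startHandshake(new SignatureScheme[]{SignatureScheme.rsa_pss_rsae_sha256, SignatureScheme.ecdsa_secp256r1_sha256});
    }
}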
