package cfca.sadk.tls.sun.security.ssl.manager;

import cfca.sadk.tls.javax.net.ssl.GMSSLEngine;
import cfca.sadk.tls.javax.net.ssl.GMSSLSocket;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.ssl.Record;
import cfca.sadk.tls.sun.security.ssl.sec.SSLAlgorithmConstraints;
import cfca.sadk.tls.sun.security.util.GMSSLConstants;
import cfca.sadk.tls.sun.security.validator.GMAlgorithmChecker;
import cfca.sadk.tls.sun.security.validator.GMAlgorithmConstraints;
import cfca.sadk.tls.sun.security.validator.GMCertificateException;
import cfca.sadk.tls.sun.security.validator.GMCertificateExpiredException;
import cfca.sadk.tls.sun.security.validator.GMCertificateNotYetValidException;
import cfca.sadk.tls.util.ECCurveType;
import cfca.sadk.tls.util.Loggings;
import java.lang.ref.Reference;
import java.lang.ref.SoftReference;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/manager/GMX509KeyManager.class */
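/**
 * X.509 key manager that serves certificate chains and private keys from one or more
 * {@link KeyStore.Builder} instances.
 *
 * <p>Aliases handed out by this manager are composite strings of the form
 * {@code <uid>.<builderIndex>.<keystoreAlias>} (see {@link #makeAlias}). The {@code uid} prefix
 * comes from a counter that is incremented for every alias produced, so two selections of the
 * same keystore entry yield two different alias strings.
 *
 * <p>Resolved {@link KeyStore.PrivateKeyEntry} objects are cached behind {@link SoftReference}s
 * in a synchronized map, keyed by the full composite alias. Eviction is delegated to
 * {@code LRULinkedHashMap} (not shown in this file) and to the garbage collector clearing soft
 * references.
 *
 * <p>NOTE(review): this listing is JADX decompiler output. The six-argument {@code findAliases}
 * could not be decompiled and is only a stub here, so the candidate selection and ranking that
 * every {@code choose*Alias} / {@code get*Aliases} call depends on cannot be reviewed from this
 * file. Constructors are shown as {@code public} because JADX widened them; the decompiler notes
 * say they were package-private in the class file.
 */
final class GMX509KeyManager extends X509ExtendedKeyManager implements X509KeyManager {
    // Key store sources, addressed by position: the middle field of a composite alias is an index into this list.
    private final List<KeyStore.Builder> builders;
    // Source of the unique prefix placed in front of every alias this manager hands out.
    private final AtomicLong uidCounter;
    // Composite alias -> softly referenced private key entry.
    private final Map<String, Reference<KeyStore.PrivateKeyEntry>> entryCacheMap;

    /**
     * Creates a key manager backed by a single key store builder.
     *
     * @param builder the only key store source
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public GMX509KeyManager(KeyStore.Builder builder) {
        this((List<KeyStore.Builder>) Collections.singletonList(builder));
    }

    /**
     * Creates a key manager backed by the given key store builders.
     *
     * <p>The list is stored as passed (no defensive copy), so later changes made by the caller
     * are visible to this manager and change what a builder index resolves to.
     *
     * @param list key store sources, addressed by index in composite aliases
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public GMX509KeyManager(List<KeyStore.Builder> list) {
        this.builders = list;
        this.uidCounter = new AtomicLong();
        this.entryCacheMap = Collections.synchronizedMap(new LRULinkedHashMap(GMSSLConstants.cacheSizeOfPrivateKeys));
    }

    /**
     * Returns the certificate chain stored under a composite alias.
     *
     * @param str composite alias previously returned by this manager
     * @return the chain, or {@code null} if the alias does not resolve to a private key entry
     * @throws SecurityException if the key store entry cannot be loaded (see {@link #getEntry})
     */
    @Override // javax.net.ssl.X509KeyManager
    public final X509Certificate[] getCertificateChain(String str) {
        KeyStore.PrivateKeyEntry entry = getEntry(str);
        return entry == null ? null : (X509Certificate[]) entry.getCertificateChain();
    }

    /**
     * Returns the private key stored under a composite alias.
     *
     * @param str composite alias previously returned by this manager
     * @return the private key, or {@code null} if the alias does not resolve to a private key entry
     * @throws SecurityException if the key store entry cannot be loaded (see {@link #getEntry})
     */
    @Override // javax.net.ssl.X509KeyManager
    public final PrivateKey getPrivateKey(String str) {
        KeyStore.PrivateKeyEntry entry = getEntry(str);
        return entry == null ? null : entry.getPrivateKey();
    }

    /** Picks the first client alias found for the key types and issuers, using constraints derived from the socket. */
    @Override // javax.net.ssl.X509KeyManager
    public final String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        return chooseBestAlias(strArr, principalArr, CertCheckType.CLIENT, getAlgorithmConstraints(socket));
    }

    /** Picks the first client alias found for the key types and issuers, using constraints derived from the engine. */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public final String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        return chooseBestAlias(strArr, principalArr, CertCheckType.CLIENT, getAlgorithmConstraints(sSLEngine));
    }

    /** Picks the first server alias found for the key type and issuers, using constraints derived from the socket. */
    @Override // javax.net.ssl.X509KeyManager
    public final String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        return chooseBestAlias(new String[]{str}, principalArr, CertCheckType.SERVER, getAlgorithmConstraints(socket));
    }

    /** Picks the first server alias found for the key type and issuers, using constraints derived from the engine. */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public final String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        return chooseBestAlias(new String[]{str}, principalArr, CertCheckType.SERVER, getAlgorithmConstraints(sSLEngine));
    }

    /**
     * Lists client aliases for a key type and set of issuers.
     *
     * <p>No algorithm constraints are passed ({@code null}), so
     * {@link #conformsToAlgorithmConstraints} accepts every chain on this path.
     */
    @Override // javax.net.ssl.X509KeyManager
    public final String[] getClientAliases(String str, Principal[] principalArr) {
        return findAliases(new String[]{str}, principalArr, CertCheckType.CLIENT, null);
    }

    /**
     * Lists server aliases for a key type and set of issuers.
     *
     * <p>No algorithm constraints are passed ({@code null}), so
     * {@link #conformsToAlgorithmConstraints} accepts every chain on this path.
     */
    @Override // javax.net.ssl.X509KeyManager
    public final String[] getServerAliases(String str, Principal[] principalArr) {
        return findAliases(new String[]{str}, principalArr, CertCheckType.SERVER, null);
    }

    /**
     * Builds algorithm constraints for a socket-based handshake.
     *
     * <p>The socket is only handed to {@code SSLAlgorithmConstraints} when it is non-null,
     * connected and a {@code GMSSLSocket}; otherwise {@code null} is passed in its place.
     */
    private final GMAlgorithmConstraints getAlgorithmConstraints(Socket socket) {
        GMSSLSocket gmSocket = null;
        if (socket != null && socket.isConnected() && (socket instanceof GMSSLSocket)) {
            gmSocket = (GMSSLSocket) socket;
        }
        return new SSLAlgorithmConstraints(gmSocket, true);
    }

    /**
     * Builds algorithm constraints for an engine-based handshake.
     *
     * <p>The engine is only handed to {@code SSLAlgorithmConstraints} when it is a
     * {@code GMSSLEngine}; otherwise {@code null} is passed in its place.
     */
    private final GMAlgorithmConstraints getAlgorithmConstraints(SSLEngine sSLEngine) {
        GMSSLEngine gmEngine = null;
        if (sSLEngine instanceof GMSSLEngine) {
            gmEngine = (GMSSLEngine) sSLEngine;
        }
        return new SSLAlgorithmConstraints(gmEngine, true);
    }

    /**
     * Builds the composite alias {@code <uid>.<builderIndex>.<keystoreAlias>} for an entry.
     *
     * <p>Each call consumes a new value from {@code uidCounter}, so the result is unique per call.
     */
    private final String makeAlias(CertKeyEntryStatus certKeyEntryStatus) {
        return this.uidCounter.incrementAndGet() + "." + certKeyEntryStatus.builderIndex + "." + certKeyEntryStatus.alias;
    }

    /**
     * Resolves a composite alias to its private key entry, consulting the cache first.
     *
     * <p>A successfully loaded entry is cached under the full composite alias. Checked key store
     * failures are logged at warn level (with the exception attached) and rethrown as
     * {@link SecurityException} with the original exception as cause.
     *
     * @param str composite alias, may be {@code null}
     * @return the entry, or {@code null} if the alias is {@code null}, malformed, or does not
     *         name a private key entry
     * @throws SecurityException if the key store cannot be opened or the entry cannot be recovered
     */
    private final KeyStore.PrivateKeyEntry getEntry(String str) {
        if (str == null) {
            return null;
        }
        KeyStore.PrivateKeyEntry cached = findPrivateKeyEntryFromCache(str);
        if (cached != null) {
            return cached;
        }
        Debugger.handshaker.debug("Find the PrivateKeyEntry({}) from builders running...", str);
        try {
            KeyStore.PrivateKeyEntry loaded = findPrivateKeyEntryFromBuilders(this.builders, str);
            Debugger.handshaker.debug("Find the PrivateKeyEntry({}) from builders Finished.", str);
            if (loaded != null) {
                this.entryCacheMap.put(str, new SoftReference<KeyStore.PrivateKeyEntry>(loaded));
                if (Debugger.handshaker.isDebugEnabled()) {
                    Debugger.handshaker.debug("Find the PrivateKeyEntry({}) from builders, and current caches is {}", str, Integer.valueOf(this.entryCacheMap.size()));
                }
            }
            return loaded;
        } catch (KeyStoreException e) {
            Debugger.handshaker.warn("Find the PrivateKeyEntry({}) from builders failure: {}", new Object[]{str, e.getMessage(), e});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with KeyStoreException", e);
        } catch (NoSuchAlgorithmException e2) {
            Debugger.handshaker.warn("Find the PrivateKeyEntry({}) from builders failure: {}", new Object[]{str, e2.getMessage(), e2});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with NoSuchAlgorithmException", e2);
        } catch (UnrecoverableEntryException e3) {
            Debugger.handshaker.warn("Find the PrivateKeyEntry({}) from builders failure: {} (password invalid/jce-policy: illegal-key-size)", new Object[]{str, e3.getMessage(), e3});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with UnrecoverableEntryException(password invalid/jce-policy: illegal-key-size)", e3);
        }
    }

    /**
     * Looks up a composite alias in the soft-reference cache.
     *
     * <p>A start and a finish debug line are always written; the finish line reports whether a
     * live entry was found (a cleared soft reference counts as a miss).
     *
     * @param str composite alias, may be {@code null}
     * @return the cached entry, or {@code null} on a miss
     */
    private final KeyStore.PrivateKeyEntry findPrivateKeyEntryFromCache(String str) {
        Debugger.handshaker.debug("Find the PrivateKeyEntry({}) from cache running...", str);
        boolean found = false;
        try {
            if (str == null) {
                return null;
            }
            Reference<KeyStore.PrivateKeyEntry> reference = this.entryCacheMap.get(str);
            KeyStore.PrivateKeyEntry entry = reference != null ? reference.get() : null;
            found = entry != null;
            return entry;
        } finally {
            // Written on every exit path, including an exception, where found is still false.
            Debugger.handshaker.debug("Find the PrivateKeyEntry({}) from cache Finished findFlag={}", str, Boolean.valueOf(found));
        }
    }

    /**
     * Parses a composite alias and loads the private key entry it names.
     *
     * <p>The alias reaches this method from {@link #getPrivateKey} and
     * {@link #getCertificateChain}, whose argument is caller-supplied, so it is validated before
     * use: an alias without two dots, with a non-numeric builder index, or with an index outside
     * {@code list} yields {@code null} ("no such alias") instead of an unchecked exception.
     *
     * <p>NOTE(review): the protection parameter is requested with the full composite alias
     * ({@code str}), not the bare key store alias; builders supplied to this manager presumably
     * have to cope with that form — confirm against the builder implementations in use.
     *
     * @param list key store sources to index into
     * @param str  composite alias {@code <uid>.<builderIndex>.<keystoreAlias>}
     * @return the entry, or {@code null} if the alias is malformed or names something other than
     *         a private key entry
     */
    private final KeyStore.PrivateKeyEntry findPrivateKeyEntryFromBuilders(List<KeyStore.Builder> list, String str) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        if (list == null || str == null) {
            return null;
        }
        int firstDot = str.indexOf('.');
        int secondDot = firstDot == -1 ? -1 : str.indexOf('.', firstDot + 1);
        // The decompiled check compared secondDot with firstDot, which can never be equal once a
        // first dot exists; a missing second dot therefore slipped through to substring().
        if (firstDot == -1 || secondDot == -1) {
            return null;
        }
        int builderIndex;
        try {
            builderIndex = Integer.parseInt(str.substring(firstDot + 1, secondDot));
        } catch (NumberFormatException ignored) {
            // Not an alias produced by makeAlias(); treat it as unknown.
            return null;
        }
        if (builderIndex < 0 || builderIndex >= list.size()) {
            return null;
        }
        String keyStoreAlias = str.substring(secondDot + 1);
        KeyStore.Builder builder = list.get(builderIndex);
        KeyStore.Entry entry = builder.getKeyStore().getEntry(keyStoreAlias, builder.getProtectionParameter(str));
        return entry instanceof KeyStore.PrivateKeyEntry ? (KeyStore.PrivateKeyEntry) entry : null;
    }

    /**
     * Returns the first alias reported by the six-argument {@code findAliases}, or {@code null}
     * if it reports none.
     */
    private final String chooseBestAlias(String[] strArr, Principal[] principalArr, CertCheckType certCheckType, GMAlgorithmConstraints gMAlgorithmConstraints) {
        String[] candidates = findAliases(strArr, principalArr, certCheckType, gMAlgorithmConstraints, false, true);
        return (candidates != null && candidates.length > 0) ? candidates[0] : null;
    }

    /** Delegates to the six-argument {@code findAliases} with the flag pair {@code (true, false)}. */
    private final String[] findAliases(String[] strArr, Principal[] principalArr, CertCheckType certCheckType, GMAlgorithmConstraints gMAlgorithmConstraints) {
        return findAliases(strArr, principalArr, certCheckType, gMAlgorithmConstraints, true, false);
    }

    // NOTE(review): the body below is a decompiler stub, not the library's behaviour. Every
    // choose*Alias / get*Aliases call in this listing ends here and throws; the real selection
    // logic has to be read from the bytecode. The meaning of the two boolean flags is not
    // recoverable from this file.
    /* JADX WARN: Code restructure failed: missing block: B:54:0x0108, code lost:
    
        cfca.sadk.tls.sun.security.ssl.Debugger.handshaker.debug("KeyManager Find the best alias={}", r0);
        r0.clear();
        r0.add(r0);
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private final java.lang.String[] findAliases(java.lang.String[] r9, java.security.Principal[] r10, cfca.sadk.tls.sun.security.ssl.manager.CertCheckType r11, cfca.sadk.tls.sun.security.validator.GMAlgorithmConstraints r12, boolean r13, boolean r14) {
        /*
            Method dump skipped, instructions count: 469
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: cfca.sadk.tls.sun.security.ssl.manager.GMX509KeyManager.findAliases(java.lang.String[], java.security.Principal[], cfca.sadk.tls.sun.security.ssl.manager.CertCheckType, cfca.sadk.tls.sun.security.validator.GMAlgorithmConstraints, boolean, boolean):java.lang.String[]");
    }

    /**
     * Converts entry descriptors to composite aliases, in list order.
     *
     * @param list entries to convert, may be {@code null}
     * @return one alias per entry; an empty array for {@code null}
     */
    private final String[] toAliases(List<CertKeyEntryStatus> list) {
        if (list == null) {
            return new String[0];
        }
        String[] result = new String[list.size()];
        int next = 0;
        for (CertKeyEntryStatus status : list) {
            result[next++] = makeAlias(status);
        }
        return result;
    }

    /**
     * Enumerates the usable key entries of one builder's key store.
     *
     * <p>An alias is skipped (with a debug line) when it is not a key entry, has no chain, has a
     * non-X.509 chain, matches none of the requested key types, matches none of the requested
     * issuers, or fails the algorithm constraints. The leaf certificate of every remaining entry
     * is then checked with {@code certCheckType.check} against the current time.
     *
     * <p>NOTE(review): a leaf that is not yet valid or expired does not merely skip that alias.
     * Although the log line says "Ignoring alias", the method throws and the enumeration of this
     * key store stops, so one stale entry can hide every later entry of the same builder. How the
     * (non-decompiled) caller handles the exception is not visible here.
     *
     * <p>Aliases ending in {@code @signer} and {@code @cipher} are tracked and a warning is logged
     * when either kind is missing — presumably the signing and encryption certificates of a GM
     * dual-certificate setup; confirm against the library documentation.
     *
     * @param i                      index of the builder in {@code builders}
     * @param list                   acceptable key types; the index of the first match is recorded
     * @param set                    acceptable issuers, {@code null} or empty for any
     * @param z                      not read by this method in the decompiled code
     * @param certCheckType          client or server leaf check
     * @param gMAlgorithmConstraints constraints for the chain, {@code null} to skip the check
     * @return the accepted entries, in key store enumeration order
     * @throws GMCertificateNotYetValidException if an otherwise matching leaf is not yet valid
     * @throws GMCertificateExpiredException     if an otherwise matching leaf has expired
     */
    private List<CertKeyEntryStatus> getAliases(int i, List<CertKeyType> list, Set<Principal> set, boolean z, CertCheckType certCheckType, GMAlgorithmConstraints gMAlgorithmConstraints) throws GMCertificateException, Exception {
        List<CertKeyEntryStatus> accepted = new ArrayList<CertKeyEntryStatus>(2);
        Date now = new Date();
        KeyStore.Builder builder = this.builders.get(i);
        Loggings.datashaker.debug("GetAliases builder->{}", builder);
        KeyStore keyStore = builder.getKeyStore();
        Enumeration<String> aliases = keyStore.aliases();
        Loggings.datashaker.debug("GetAliases keystore->{}->{}", keyStore, Integer.valueOf(keyStore.size()));
        boolean signerSeen = false;
        boolean cipherSeen = false;
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Loggings.datashaker.debug("Find alias {}", alias);
            if (!keyStore.isKeyEntry(alias)) {
                Loggings.datashaker.debug("Ignoring alias {}: not KeyEntry", alias);
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                Loggings.datashaker.debug("Ignoring alias {}: chain==null", alias);
                continue;
            }
            if (!conformsToX509Format(chain)) {
                Loggings.datashaker.debug("Ignoring alias {}: chain does not match", alias);
                continue;
            }
            int keyTypeIndex = conformsToKeyType(chain, list);
            if (keyTypeIndex == -1) {
                Loggings.datashaker.debug("Ignoring alias {}: key algorithm does not match", alias);
                continue;
            }
            if (!conformsToIssuers(chain, set)) {
                Loggings.datashaker.debug("Ignoring alias {}: issuers does not match", alias);
                continue;
            }
            if (!conformsToAlgorithmConstraints(chain, gMAlgorithmConstraints)) {
                Loggings.datashaker.debug("Ignoring alias {}: ertificate list does not conform to algorithm constraints", alias);
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            CertCheckResult check = certCheckType.check(leaf, now);
            // The decompiler emitted a synthetic ordinal switch map here and labelled two of its
            // cases with unrelated constants that merely share the values 3 and 5. Only
            // NOTYETVALID and EXPIRED were rejected; every other result fell through to "accept".
            if (check == CertCheckResult.NOTYETVALID) {
                SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ssZ");
                String reason = String.format("NotYetValid SN=%s,NotBefore=%s,servTime=%s", leaf.getSerialNumber().toString(16), fmt.format(leaf.getNotBefore()), fmt.format(now));
                Loggings.datashaker.error("Ignoring alias {}: {}", alias, reason);
                throw new GMCertificateNotYetValidException(reason);
            }
            if (check == CertCheckResult.EXPIRED) {
                SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd HH:mm:ssZ");
                String reason = String.format("Expired SN=%s,NotAfter=%s,servTime=%s", leaf.getSerialNumber().toString(16), fmt.format(leaf.getNotAfter()), fmt.format(now));
                Loggings.datashaker.error("Ignoring alias {}: {}", alias, reason);
                throw new GMCertificateExpiredException(reason);
            }
            if (alias.endsWith("@signer")) {
                Loggings.datashaker.debug("find signer alias {}", alias);
                signerSeen = true;
            } else if (alias.endsWith("@cipher")) {
                Loggings.datashaker.debug("find cipher alias {}", alias);
                cipherSeen = true;
            }
            accepted.add(new CertKeyEntryStatus(i, keyTypeIndex, alias, chain, check));
        }
        if (!signerSeen) {
            Loggings.datashaker.warn("missing signer cert for issuers={}", set);
        }
        if (!cipherSeen) {
            Loggings.datashaker.warn("missing cipher cert for issuers={}", set);
        }
        return accepted;
    }

    /**
     * Tells whether a chain is non-empty and consists solely of {@link X509Certificate}s.
     *
     * @param certificateArr chain to inspect, may be {@code null}
     * @return {@code false} for a {@code null} or empty chain or any non-X.509 (or null) element
     */
    private final boolean conformsToX509Format(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return false;
        }
        for (Certificate certificate : certificateArr) {
            // instanceof is false for null, so null elements are rejected as well.
            if (!(certificate instanceof X509Certificate)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Finds the first requested key type that the chain matches.
     *
     * @param certificateArr chain to test
     * @param list           key types in preference order
     * @return position of the first matching key type in {@code list}, or {@code -1} if none matches
     */
    private final int conformsToKeyType(Certificate[] certificateArr, List<CertKeyType> list) {
        int position = 0;
        for (CertKeyType keyType : list) {
            if (keyType.matches(certificateArr)) {
                return position;
            }
            position++;
        }
        return -1;
    }

    /**
     * Tells whether any certificate in the chain was issued by one of the given principals.
     *
     * <p>Elements are cast to {@link X509Certificate} without a type check; the visible caller
     * runs {@link #conformsToX509Format} first.
     *
     * @param certificateArr chain to test
     * @param set            acceptable issuers; {@code null} or empty accepts every chain
     * @return {@code true} if no issuers were requested or at least one element's issuer is in {@code set}
     */
    private final boolean conformsToIssuers(Certificate[] certificateArr, Set<Principal> set) {
        if (set == null || set.size() == 0) {
            return true;
        }
        for (Certificate certificate : certificateArr) {
            if (certificate != null && set.contains(((X509Certificate) certificate).getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs the chain through a {@code GMAlgorithmChecker} built from the given constraints.
     *
     * <p>Certificates are checked from the last array element to the first. The check stops at
     * the first rejection; the checker is local to this call, so skipping the remaining
     * certificates does not change the result.
     *
     * @param certificateArr         chain to test
     * @param gMAlgorithmConstraints constraints to enforce; {@code null} accepts every chain
     * @return {@code false} if the checker fails to initialise or rejects any certificate
     */
    private boolean conformsToAlgorithmConstraints(Certificate[] certificateArr, GMAlgorithmConstraints gMAlgorithmConstraints) {
        if (gMAlgorithmConstraints == null) {
            return true;
        }
        GMAlgorithmChecker checker = new GMAlgorithmChecker(gMAlgorithmConstraints);
        try {
            checker.init(false);
        } catch (CertPathValidatorException e) {
            return false;
        }
        for (int index = certificateArr.length - 1; index >= 0; index--) {
            try {
                checker.check(certificateArr[index], Collections.emptySet());
            } catch (CertPathValidatorException e) {
                return false;
            }
        }
        return true;
    }
}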
