package cfca.sadk.tls.sun.security.ssl.manager;

import cfca.sadk.tls.java.security.CFCAAlgorithmConstraints;
import cfca.sadk.tls.javax.net.ssl.CFCASNIServerName;
import cfca.sadk.tls.javax.net.ssl.CFCASSLEngine;
import cfca.sadk.tls.javax.net.ssl.CFCASSLSocket;
import cfca.sadk.tls.sun.security.provider.certpath.CFCAAlgorithmChecker;
import cfca.sadk.tls.sun.security.ssl.Debugger;
import cfca.sadk.tls.sun.security.util.CFCAAlgorithmConstraintsHelper;
import cfca.sadk.tls.sun.security.util.CFCASSLHelper;
import java.lang.ref.Reference;
import java.lang.ref.SoftReference;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/* loaded from: input_file:cfca/sadk/tls/sun/security/ssl/manager/CFCAX509KeyManager.class */
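/**
 * X.509 key manager that selects and serves key material from one or more
 * {@link KeyStore.Builder}s.
 *
 * <p>Aliases handed out by this class have the form
 * {@code <uid>.<builderIndex>.<keyStoreAlias>} (see {@link #makeAlias}). On lookup only the
 * builder index and the keystore alias are parsed; the {@code uid} prefix is never checked.
 * The alias is therefore not a capability: any code holding a reference to this key manager
 * can request any private key by building an alias string itself. Restrict access to the
 * instance, not to the alias values.
 *
 * <p>Resolved {@link KeyStore.PrivateKeyEntry} objects are cached behind
 * {@link SoftReference}s, keyed by the full alias string, so private-key objects stay
 * reachable on the heap until the cache evicts them or the collector clears the reference.
 */
final class CFCAX509KeyManager extends X509ExtendedKeyManager implements X509KeyManager {
    /** Keystore sources; the position in this list is the {@code builderIndex} used in aliases. */
    private final List<KeyStore.Builder> builders;
    /** Source of the numeric prefix that makes every alias handed out unique. */
    private final AtomicLong uidCounter;
    /** Full alias -> softly referenced key entry. NOTE(review): size bound is defined by CertKeyCacheSizedMap, not visible here. */
    private final Map<String, Reference<KeyStore.PrivateKeyEntry>> entryCacheMap;

    /**
     * Creates a key manager backed by a single keystore builder.
     * (The decompiler reports this constructor as package-private in the original class.)
     *
     * @param builder the only keystore source
     */
    public CFCAX509KeyManager(KeyStore.Builder builder) {
        this(Collections.<KeyStore.Builder>singletonList(builder));
    }

    /**
     * Creates a key manager backed by the given keystore builders.
     * (The decompiler reports this constructor as package-private in the original class.)
     *
     * @param list keystore sources; the list is stored as-is, not copied, so later changes by
     *             the caller shift the builder indexes embedded in already issued aliases
     */
    public CFCAX509KeyManager(List<KeyStore.Builder> list) {
        this.builders = list;
        this.uidCounter = new AtomicLong();
        this.entryCacheMap = Collections.synchronizedMap(new CertKeyCacheSizedMap());
    }

    /**
     * Returns the certificate chain stored under the given alias.
     *
     * @param str alias in the {@code uid.builderIndex.keyStoreAlias} form
     * @return the chain, or {@code null} when the alias does not resolve to a private-key entry
     *         with an X.509 chain
     * @throws SecurityException when the keystore entry cannot be recovered (see {@link #getEntry})
     */
    @Override
    public final X509Certificate[] getCertificateChain(String str) {
        KeyStore.PrivateKeyEntry entry = getEntry(str);
        if (entry == null) {
            return null;
        }
        // A directly supplied alias may point at an entry whose chain is not X.509; report it
        // as "not found" instead of failing with a ClassCastException.
        Certificate[] chain = entry.getCertificateChain();
        return chain instanceof X509Certificate[] ? (X509Certificate[]) chain : null;
    }

    /**
     * Returns the private key stored under the given alias.
     *
     * @param str alias in the {@code uid.builderIndex.keyStoreAlias} form
     * @return the key, or {@code null} when the alias does not resolve to a private-key entry
     * @throws SecurityException when the keystore entry cannot be recovered (see {@link #getEntry})
     */
    @Override
    public final PrivateKey getPrivateKey(String str) {
        KeyStore.PrivateKeyEntry entry = getEntry(str);
        return entry == null ? null : entry.getPrivateKey();
    }

    /** Picks a client alias for a socket-based handshake; no SNI names or endpoint algorithm are applied. */
    @Override
    public final String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        return chooseBestAlias(strArr, principalArr, CertCheckType.CLIENT, getAlgorithmConstraints(socket), null, null);
    }

    /** Picks a client alias for an engine-based handshake; no SNI names or endpoint algorithm are applied. */
    @Override
    public final String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        return chooseBestAlias(strArr, principalArr, CertCheckType.CLIENT, getAlgorithmConstraints(sSLEngine), null, null);
    }

    /** Picks a server alias for a socket, passing the requested server names and the "HTTPS" identification algorithm to the check. */
    @Override
    public final String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        return chooseBestAlias(new String[]{str}, principalArr, CertCheckType.SERVER, getAlgorithmConstraints(socket), CFCASSLHelper.getRequestedServerNames(socket), "HTTPS");
    }

    /** Picks a server alias for an engine, passing the requested server names and the "HTTPS" identification algorithm to the check. */
    @Override
    public final String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        return chooseBestAlias(new String[]{str}, principalArr, CertCheckType.SERVER, getAlgorithmConstraints(sSLEngine), CFCASSLHelper.getRequestedServerNames(sSLEngine), "HTTPS");
    }

    /** Lists every client alias matching the key type and issuers; no algorithm constraints are applied here. */
    @Override
    public final String[] getClientAliases(String str, Principal[] principalArr) {
        return findAliases(new String[]{str}, principalArr, CertCheckType.CLIENT, null);
    }

    /** Lists every server alias matching the key type and issuers; no algorithm constraints are applied here. */
    @Override
    public final String[] getServerAliases(String str, Principal[] principalArr) {
        return findAliases(new String[]{str}, principalArr, CertCheckType.SERVER, null);
    }

    /**
     * Builds the algorithm constraints for a socket. Only a connected {@link CFCASSLSocket}
     * is forwarded; for anything else the helper receives {@code null}.
     */
    private final CFCAAlgorithmConstraints getAlgorithmConstraints(Socket socket) {
        // The local stays typed so the helper's CFCASSLSocket overload is selected for null too.
        CFCASSLSocket sslSocket = null;
        if (socket instanceof CFCASSLSocket && socket.isConnected()) {
            sslSocket = (CFCASSLSocket) socket;
        }
        return CFCAAlgorithmConstraintsHelper.createAlgorithmConstraintsKeyManager(sslSocket);
    }

    /**
     * Builds the algorithm constraints for an engine. Only a {@link CFCASSLEngine} is
     * forwarded; for anything else the helper receives {@code null}.
     */
    private final CFCAAlgorithmConstraints getAlgorithmConstraints(SSLEngine sSLEngine) {
        // The local stays typed so the helper's CFCASSLEngine overload is selected for null too.
        CFCASSLEngine engine = null;
        if (sSLEngine instanceof CFCASSLEngine) {
            engine = (CFCASSLEngine) sSLEngine;
        }
        return CFCAAlgorithmConstraintsHelper.createAlgorithmConstraintsKeyManager(engine);
    }

    /** Formats an external alias as {@code uid.builderIndex.keyStoreAlias}, with a fresh uid on every call. */
    private final String makeAlias(CertKeyEntryStatus certKeyEntryStatus) {
        return this.uidCounter.incrementAndGet() + "." + certKeyEntryStatus.builderIndex + "." + certKeyEntryStatus.alias;
    }

    /**
     * Resolves an alias to its private-key entry, consulting the cache first.
     *
     * @param str alias in the {@code uid.builderIndex.keyStoreAlias} form, may be {@code null}
     * @return the entry, or {@code null} when the alias is {@code null}, malformed or unknown
     * @throws SecurityException wrapping the keystore failure when the entry exists but cannot
     *         be read (keystore error, missing algorithm, wrong password or key-size policy)
     */
    private final KeyStore.PrivateKeyEntry getEntry(String str) {
        if (str == null) {
            return null;
        }
        KeyStore.PrivateKeyEntry cached = findPrivateKeyEntryFromCache(str);
        if (cached != null) {
            return cached;
        }
        Debugger.check.debug("Find the PrivateKeyEntry({}) from builders running...", str);
        try {
            KeyStore.PrivateKeyEntry loaded = findPrivateKeyEntryFromBuilders(this.builders, str);
            Debugger.check.debug("Find the PrivateKeyEntry({}) from builders Finished.", str);
            if (loaded != null) {
                // The cache key is the full alias, uid prefix included, so the same keystore
                // entry reached through two different uids occupies two cache slots.
                this.entryCacheMap.put(str, new SoftReference<KeyStore.PrivateKeyEntry>(loaded));
                if (Debugger.check.isDebugEnabled()) {
                    Debugger.check.debug("Find the PrivateKeyEntry({}) from builders, and current caches is {}", str, Integer.valueOf(this.entryCacheMap.size()));
                }
            }
            return loaded;
        } catch (KeyStoreException e) {
            Debugger.check.warn("Find the PrivateKeyEntry({}) from builders failure: {}", new Object[]{str, e.getMessage(), e});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with KeyStoreException", e);
        } catch (NoSuchAlgorithmException e2) {
            Debugger.check.warn("Find the PrivateKeyEntry({}) from builders failure: {}", new Object[]{str, e2.getMessage(), e2});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with NoSuchAlgorithmException", e2);
        } catch (UnrecoverableEntryException e3) {
            Debugger.check.warn("Find the PrivateKeyEntry({}) from builders failure: {} (password invalid/jce-policy: illegal-key-size)", new Object[]{str, e3.getMessage(), e3});
            throw new SecurityException("UnrecoverablePrivatekeyEntry with UnrecoverableEntryException(password invalid/jce-policy: illegal-key-size)", e3);
        }
    }

    /**
     * Looks the alias up in the soft-reference cache.
     *
     * @return the cached entry, or {@code null} when absent or already cleared by the collector
     */
    private final KeyStore.PrivateKeyEntry findPrivateKeyEntryFromCache(String str) {
        Debugger.check.debug("Find the PrivateKeyEntry({}) from cache running...", str);
        boolean found = false;
        try {
            if (str == null) {
                return null;
            }
            Reference<KeyStore.PrivateKeyEntry> ref = this.entryCacheMap.get(str);
            KeyStore.PrivateKeyEntry entry = ref != null ? ref.get() : null;
            found = entry != null;
            return entry;
        } finally {
            // Logged on every exit path, including an exception thrown by the map.
            Debugger.check.debug("Find the PrivateKeyEntry({}) from cache Finished findFlag={}", str, Boolean.valueOf(found));
        }
    }

    /**
     * Parses {@code uid.builderIndex.keyStoreAlias} and loads the entry from the named builder.
     *
     * <p>The alias reaches this method from {@code getPrivateKey}/{@code getCertificateChain}
     * callers, so it is treated as untrusted input: an alias with fewer than two dots, a
     * non-numeric or out-of-range builder index, or a missing builder yields {@code null}
     * instead of an unchecked exception.
     *
     * @return the private-key entry, or {@code null} when the alias is malformed, unknown, or
     *         names an entry that is not a private-key entry
     */
    private final KeyStore.PrivateKeyEntry findPrivateKeyEntryFromBuilders(List<KeyStore.Builder> list, String str) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        if (list == null || str == null) {
            return null;
        }
        int firstDot = str.indexOf('.');
        int secondDot = str.indexOf('.', firstDot + 1);
        if (firstDot == -1 || secondDot == -1) {
            // Fewer than two dots: not an alias produced by makeAlias.
            return null;
        }
        int builderIndex;
        try {
            builderIndex = Integer.parseInt(str.substring(firstDot + 1, secondDot));
        } catch (NumberFormatException ignored) {
            // Malformed index: same outcome as an unknown alias.
            return null;
        }
        if (builderIndex < 0 || builderIndex >= list.size()) {
            return null;
        }
        KeyStore.Builder builder = list.get(builderIndex);
        if (builder == null) {
            return null;
        }
        String keyStoreAlias = str.substring(secondDot + 1);
        // getKeyStore() is called before getProtectionParameter(), as in the original expression.
        KeyStore keyStore = builder.getKeyStore();
        KeyStore.Entry entry = keyStore.getEntry(keyStoreAlias, builder.getProtectionParameter(str));
        return entry instanceof KeyStore.PrivateKeyEntry ? (KeyStore.PrivateKeyEntry) entry : null;
    }

    /**
     * Returns the first alias of the sorted candidate list, or {@code null} when nothing matches.
     *
     * <p>The returned alias is not guaranteed to have passed the certificate check: when no
     * candidate has {@link CertCheckResult#OK}, the best remaining candidate is still returned.
     */
    private final String chooseBestAlias(String[] strArr, Principal[] principalArr, CertCheckType certCheckType, CFCAAlgorithmConstraints cFCAAlgorithmConstraints, List<CFCASNIServerName> list, String str) {
        String[] aliases = findAliases(strArr, principalArr, certCheckType, cFCAAlgorithmConstraints, false, list, str, true);
        return (aliases != null && aliases.length > 0) ? aliases[0] : null;
    }

    /** Lists all matching aliases across every builder, without SNI names or an identification algorithm. */
    private final String[] findAliases(String[] strArr, Principal[] principalArr, CertCheckType certCheckType, CFCAAlgorithmConstraints cFCAAlgorithmConstraints) {
        return findAliases(strArr, principalArr, certCheckType, cFCAAlgorithmConstraints, true, null, null, false);
    }

    /**
     * Collects candidate aliases from every builder and returns them sorted.
     *
     * @param strArr       requested key types; {@code null} elements are skipped
     * @param principalArr acceptable issuers; {@code null} or empty means any issuer
     * @param z            {@code true} to collect every match per builder, {@code false} to let a
     *                     builder stop at its first preferred match
     * @param list         requested SNI server names handed to the certificate check, may be {@code null}
     * @param str          identification algorithm handed to the certificate check, may be {@code null}
     * @param z2           {@code true} to stop at the first builder whose leading candidate
     *                     checks out as {@link CertCheckResult#OK}
     * @return freshly numbered aliases, or {@code null} when no key type was given or nothing matched
     */
    private final String[] findAliases(String[] strArr, Principal[] principalArr, CertCheckType certCheckType, CFCAAlgorithmConstraints cFCAAlgorithmConstraints, boolean z, List<CFCASNIServerName> list, String str, boolean z2) {
        if (strArr == null || strArr.length == 0) {
            return null;
        }
        List<CertKeyType> keyTypes = new ArrayList<>();
        for (String keyType : strArr) {
            if (keyType != null) {
                keyTypes.add(new CertKeyType(keyType));
            }
        }
        if (keyTypes.isEmpty()) {
            return null;
        }
        Set<Principal> issuers = new HashSet<>();
        if (principalArr != null) {
            for (Principal principal : principalArr) {
                if (principal != null) {
                    issuers.add(principal);
                }
            }
        }
        List<CertKeyEntryStatus> candidates = new ArrayList<>();
        int size = this.builders.size();
        for (int i = 0; i < size; i++) {
            List<CertKeyEntryStatus> aliases;
            try {
                aliases = getAliases(i, keyTypes, issuers, z, certCheckType, cFCAAlgorithmConstraints, list, str);
            } catch (Exception e) {
                // A builder that fails (for example a keystore that cannot be opened) is skipped,
                // and the failure is visible only with debug logging enabled.
                if (Debugger.check.isDebugEnabled()) {
                    Debugger.check.debug("KeyManager getAliases failure from build{}: {}", Integer.valueOf(i), e.getMessage());
                }
                continue;
            }
            if (aliases == null || aliases.isEmpty()) {
                continue;
            }
            if (z2) {
                CertKeyEntryStatus first = aliases.get(0);
                if (first != null && first.checkResult == CertCheckResult.OK) {
                    Debugger.check.debug("KeyManager Find the best alias={}", first);
                    candidates.clear();
                    candidates.add(first);
                    break;
                }
            }
            candidates.addAll(aliases);
        }
        if (candidates.isEmpty()) {
            Debugger.check.debug("KeyManager no matching alias found");
            return null;
        }
        // NOTE(review): ordering comes from CertKeyEntryStatus's natural order, defined outside this file.
        Collections.sort(candidates);
        // This message is also emitted when the loop above stopped on a perfect match.
        Debugger.check.debug("KeyManager: no good matching key found, returning best match out of: {}", candidates);
        return toAliases(candidates);
    }

    /** Converts candidates to external aliases; a {@code null} list gives an empty array. */
    private final String[] toAliases(List<CertKeyEntryStatus> list) {
        if (list == null) {
            return new String[0];
        }
        String[] aliases = new String[list.size()];
        int next = 0;
        for (CertKeyEntryStatus status : list) {
            aliases[next++] = makeAlias(status);
        }
        return aliases;
    }

    /**
     * Scans one builder's keystore for key entries usable for the requested handshake.
     *
     * <p>An entry is kept when its chain is all X.509, matches one of the key types, matches the
     * issuers and satisfies the algorithm constraints. The result of the certificate check is
     * recorded on the candidate but does not filter it, so candidates whose check result is not
     * {@link CertCheckResult#OK} are returned as well.
     *
     * @param i builder index
     * @param z {@code true} to return every candidate; {@code false} to return as soon as a
     *          candidate is {@code OK} and matches the first requested key type
     * @return a single preferred candidate, all candidates found, or {@code null} when none
     * @throws Exception when the keystore cannot be obtained or read
     */
    private List<CertKeyEntryStatus> getAliases(int i, List<CertKeyType> list, Set<Principal> set, boolean z, CertCheckType certCheckType, CFCAAlgorithmConstraints cFCAAlgorithmConstraints, List<CFCASNIServerName> list2, String str) throws Exception {
        Date now = new Date();
        KeyStore keyStore = this.builders.get(i).getKeyStore();
        List<CertKeyEntryStatus> found = null;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                continue;
            }
            if (!conformsToX509Format(chain)) {
                Debugger.check.debug("Ignoring alias {}: chain does not match", alias);
                continue;
            }
            int keyTypeIndex = conformsToKeyType(chain, list);
            if (keyTypeIndex == -1) {
                Debugger.check.debug("Ignoring alias {}: key algorithm does not match", alias);
                continue;
            }
            if (!conformsToIssuers(chain, set)) {
                Debugger.check.debug("Ignoring alias {}: issuers does not match", alias);
                continue;
            }
            if (!conformsToAlgorithmConstraints(chain, cFCAAlgorithmConstraints)) {
                Debugger.check.debug("Ignoring alias {}: ertificate list does not conform to algorithm constraints", alias);
                continue;
            }
            CertCheckResult check = certCheckType.check((X509Certificate) chain[0], now, list2, str);
            CertKeyEntryStatus status = new CertKeyEntryStatus(i, keyTypeIndex, alias, chain, check);
            // Preferred match: the check passed and the key type is the first one requested.
            if (!z && check == CertCheckResult.OK && keyTypeIndex == 0) {
                return Collections.singletonList(status);
            }
            if (found == null) {
                found = new ArrayList<>();
            }
            found.add(status);
        }
        return found;
    }

    /** Returns {@code true} only when the chain is non-empty and every element is an {@link X509Certificate}. */
    private final boolean conformsToX509Format(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length == 0) {
            return false;
        }
        for (Certificate certificate : certificateArr) {
            // instanceof is false for null, so null elements are rejected as well.
            if (!(certificate instanceof X509Certificate)) {
                return false;
            }
        }
        return true;
    }

    /** Returns the index of the first requested key type the chain matches, or {@code -1} when none does. */
    private final int conformsToKeyType(Certificate[] certificateArr, List<CertKeyType> list) {
        int index = 0;
        for (CertKeyType keyType : list) {
            if (keyType.matches(certificateArr)) {
                return index;
            }
            index++;
        }
        return -1;
    }

    /**
     * Returns {@code true} when no issuers were requested, or when any certificate in the chain
     * was issued by one of them. Callers must have verified the chain with
     * {@link #conformsToX509Format} first; elements are cast without a type check.
     */
    private final boolean conformsToIssuers(Certificate[] certificateArr, Set<Principal> set) {
        if (set == null || set.isEmpty()) {
            return true;
        }
        for (Certificate certificate : certificateArr) {
            if (certificate != null && set.contains(((X509Certificate) certificate).getIssuerX500Principal())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs every certificate of the chain, last element first, through the algorithm checker.
     *
     * @return {@code true} when no constraints were supplied or every certificate passes;
     *         {@code false} when the checker cannot be initialised or rejects a certificate
     */
    private boolean conformsToAlgorithmConstraints(Certificate[] certificateArr, CFCAAlgorithmConstraints cFCAAlgorithmConstraints) {
        if (cFCAAlgorithmConstraints == null) {
            // No constraints supplied (for example from getClientAliases/getServerAliases): accept.
            return true;
        }
        CFCAAlgorithmChecker checker = new CFCAAlgorithmChecker(cFCAAlgorithmConstraints);
        try {
            checker.init(false);
        } catch (CertPathValidatorException e) {
            return false;
        }
        for (int idx = certificateArr.length - 1; idx >= 0; idx--) {
            try {
                checker.check(certificateArr[idx], Collections.emptySet());
            } catch (CertPathValidatorException e2) {
                // The first rejection decides the outcome; the rest of the chain is not checked.
                return false;
            }
        }
        return true;
    }
}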
