package com.sun.net.ssl.internal.ssl;

import com.sun.net.ssl.internal.ssl.HandshakeMessage;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import sun.security.jgss.LoginUtility;
import sun.security.jgss.krb5.Krb5Util;

/* loaded from: input_file:118668-02/SUNWj5rt/reloc/jdk/instances/jdk1.5.0/jre/lib/jsse.jar:com/sun/net/ssl/internal/ssl/ClientHandshaker.class */
final class ClientHandshaker extends Handshaker {
    private PublicKey serverKey;
    private BigInteger serverDH;
    private DHKeyExchange dh;
    private HandshakeMessage.CertificateRequest certRequest;
    private boolean serverKeyExchangeReceived;
    private ProtocolVersion maxProtocolVersion;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, true, true);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ClientHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, true, true);
    }

    @Override // com.sun.net.ssl.internal.ssl.Handshaker
    void processMessage(byte b, int i) throws IOException {
        if (this.state > b && b != 0 && this.state != 1) {
            throw new SSLProtocolException("Handshake message sequence violation, " + ((int) b));
        }
        switch (b) {
            case 0:
                serverHelloRequest(new HandshakeMessage.HelloRequest(this.input));
                break;
            case 1:
            case 3:
            case 4:
            case 5:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 15:
            case 16:
            case 17:
            case 18:
            case 19:
            default:
                throw new SSLProtocolException("Illegal client handshake msg, " + ((int) b));
            case 2:
                serverHello(new HandshakeMessage.ServerHello(this.input));
                break;
            case 11:
                if (this.keyExchange == K_DH_ANON || this.keyExchange == K_KRB5 || this.keyExchange == K_KRB5_EXPORT) {
                    fatalSE((byte) 10, "unexpected server cert chain");
                }
                serverCertificate(new HandshakeMessage.CertificateMsg(this.input));
                this.serverKey = this.session.getPeerCertificates()[0].getPublicKey();
                break;
            case 12:
                this.serverKeyExchangeReceived = true;
                if (this.keyExchange == K_RSA || this.keyExchange == K_RSA_EXPORT) {
                    try {
                        serverKeyExchange(new HandshakeMessage.RSA_ServerKeyExchange(this.input, i));
                        break;
                    } catch (GeneralSecurityException e) {
                        throwSSLException("Server key", e);
                        break;
                    }
                } else if (this.keyExchange == K_DH_ANON) {
                    serverKeyExchange(new HandshakeMessage.DH_ServerKeyExchange(this.input));
                    break;
                } else {
                    if (this.keyExchange != K_DHE_DSS && this.keyExchange != K_DHE_RSA) {
                        if (this.keyExchange != K_KRB5 && this.keyExchange != K_KRB5_EXPORT) {
                            throw new SSLProtocolException("unsupported key exchange algorithm = " + ((Object) this.keyExchange));
                        }
                        throw new SSLProtocolException("unexpected receipt of server key exchange algorithm");
                    }
                    try {
                        serverKeyExchange(new HandshakeMessage.DH_ServerKeyExchange(this.input, this.serverKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, i));
                        break;
                    } catch (GeneralSecurityException e2) {
                        throwSSLException("Server key", e2);
                        break;
                    }
                }
                break;
            case 13:
                if (this.keyExchange != K_DH_ANON) {
                    if (this.keyExchange != K_KRB5 && this.keyExchange != K_KRB5_EXPORT) {
                        this.certRequest = new HandshakeMessage.CertificateRequest(this.input);
                        if (debug != null && Debug.isOn("handshake")) {
                            this.certRequest.print(System.out);
                            break;
                        }
                    } else {
                        throw new SSLHandshakeException("Client certificate requested for kerberos cipher suite.");
                    }
                } else {
                    throw new SSLHandshakeException("Client authentication requested for anonymous cipher suite.");
                }
                break;
            case 14:
                serverHelloDone(new HandshakeMessage.ServerHelloDone(this.input));
                break;
            case 20:
                serverFinished(new HandshakeMessage.Finished(this.protocolVersion, this.input));
                break;
        }
        if (this.state < b) {
            this.state = b;
        }
    }

    private void serverHelloRequest(HandshakeMessage.HelloRequest helloRequest) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            helloRequest.print(System.out);
        }
        if (this.state < 1) {
            kickstart();
        }
    }

    private void serverHello(HandshakeMessage.ServerHello serverHello) throws IOException {
        Subject subject;
        this.serverKeyExchangeReceived = false;
        if (debug != null && Debug.isOn("handshake")) {
            serverHello.print(System.out);
        }
        ProtocolVersion protocolVersion = serverHello.protocolVersion;
        if (!this.enabledProtocols.contains(protocolVersion)) {
            throw new SSLHandshakeException("Server chose unsupported or disabled protocol: " + ((Object) protocolVersion));
        }
        setVersion(protocolVersion);
        this.svr_random = serverHello.svr_random;
        if (!isEnabled(serverHello.cipherSuite)) {
            fatalSE((byte) 47, "Server selected disabled ciphersuite " + ((Object) this.cipherSuite));
        }
        setCipherSuite(serverHello.cipherSuite);
        if (serverHello.compression_method != 0) {
            fatalSE((byte) 47, "compression type not supported, " + ((int) serverHello.compression_method));
        }
        if (this.session != null) {
            if (this.session.getSessionId().equals(serverHello.sessionId)) {
                CipherSuite suite = this.session.getSuite();
                if (this.cipherSuite != suite) {
                    throw new SSLProtocolException("Server returned wrong cipher suite for session");
                }
                if (this.protocolVersion != this.session.getProtocolVersion()) {
                    throw new SSLProtocolException("Server resumed session with wrong protocol version");
                }
                if (suite.keyExchange == K_KRB5 || suite.keyExchange == K_KRB5_EXPORT) {
                    Principal localPrincipal = this.session.getLocalPrincipal();
                    try {
                        subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction() { // from class: com.sun.net.ssl.internal.ssl.ClientHandshaker.1
                            @Override // java.security.PrivilegedExceptionAction
                            public Object run() throws Exception {
                                return Krb5Util.getSubject(LoginUtility.JSSE_CLIENT_ENTRY, ClientHandshaker.this.getAccSE());
                            }
                        });
                    } catch (PrivilegedActionException e) {
                        subject = null;
                        if (debug != null && Debug.isOn("session")) {
                            System.out.println("Attempt to obtain subject failed!");
                        }
                    }
                    if (subject == null) {
                        if (debug != null && Debug.isOn("session")) {
                            System.out.println("Kerberos credentials are not present in the current Subject; check if  javax.security.auth.useSubjectAsCreds system property has been set to false");
                        }
                        throw new SSLProtocolException("Server resumed session with no subject");
                    }
                    if (!subject.getPrincipals(KerberosPrincipal.class).contains(localPrincipal)) {
                        throw new SSLProtocolException("Server resumed session with wrong subject identity");
                    }
                    if (debug != null && Debug.isOn("session")) {
                        System.out.println("Subject identity is same");
                    }
                }
                this.resumingSession = true;
                this.state = 19;
                calculateConnectionKeys(this.session.getMasterSecret());
                if (debug == null || !Debug.isOn("session")) {
                    return;
                }
                System.out.println("%% Server resumed " + ((Object) this.session));
                return;
            }
            this.session = null;
            if (!this.enableNewSession) {
                throw new SSLException("New session creation is disabled");
            }
        }
        this.session = new SSLSessionImpl(this.protocolVersion, this.cipherSuite, serverHello.sessionId, getHostSE(), getPortSE());
        if (debug == null || !Debug.isOn("handshake")) {
            return;
        }
        System.out.println("** " + ((Object) this.cipherSuite));
    }

    private void serverKeyExchange(HandshakeMessage.RSA_ServerKeyExchange rSA_ServerKeyExchange) throws IOException, GeneralSecurityException {
        if (debug != null && Debug.isOn("handshake")) {
            rSA_ServerKeyExchange.print(System.out);
        }
        if (!rSA_ServerKeyExchange.verify(this.serverKey, this.clnt_random, this.svr_random)) {
            fatalSE((byte) 40, "server key exchange invalid");
        }
        this.serverKey = rSA_ServerKeyExchange.getPublicKey();
    }

    private void getDHephemeral(BigInteger bigInteger, BigInteger bigInteger2) {
        this.dh = new DHKeyExchange(bigInteger, bigInteger2);
        this.dh.generateKeyPair(this.sslContext.getSecureRandom(), !this.cipherSuite.exportable ? 768 : 512);
    }

    private void serverKeyExchange(HandshakeMessage.DH_ServerKeyExchange dH_ServerKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            dH_ServerKeyExchange.print(System.out);
        }
        getDHephemeral(dH_ServerKeyExchange.getModulus(), dH_ServerKeyExchange.getBase());
        this.serverDH = dH_ServerKeyExchange.getServerPublicKey();
    }

    private void serverHelloDone(HandshakeMessage.ServerHelloDone serverHelloDone) throws IOException {
        HandshakeMessage preMasterSecret;
        HandshakeMessage.CertificateVerify certificateVerify;
        Object obj;
        if (debug != null && Debug.isOn("handshake")) {
            serverHelloDone.print(System.out);
        }
        this.input.digestNow();
        PrivateKey privateKey = null;
        if (this.certRequest != null) {
            X509ExtendedKeyManager x509KeyManager = this.sslContext.getX509KeyManager();
            String str = null;
            HandshakeMessage.CertificateMsg certificateMsg = null;
            X509Certificate[] x509CertificateArr = null;
            ArrayList arrayList = new ArrayList(4);
            for (int i = 0; i < this.certRequest.types.length; i++) {
                switch (this.certRequest.types[i]) {
                    case 1:
                        obj = "RSA";
                        break;
                    case 2:
                        obj = "DSA";
                        break;
                    case 3:
                        obj = "DH_RSA";
                        break;
                    case 4:
                        obj = "DH_DSA";
                        break;
                    case 5:
                    case 6:
                    default:
                        obj = null;
                        break;
                }
                if (obj != null && !arrayList.contains(obj)) {
                    arrayList.add(obj);
                }
            }
            int size = arrayList.size();
            if (size != 0) {
                String[] strArr = (String[]) arrayList.toArray(new String[size]);
                str = this.conn != null ? x509KeyManager.chooseClientAlias(strArr, this.certRequest.getAuthorities(), this.conn) : x509KeyManager.chooseEngineClientAlias(strArr, this.certRequest.getAuthorities(), this.engine);
            }
            if (str != null) {
                x509CertificateArr = x509KeyManager.getCertificateChain(str);
                certificateMsg = new HandshakeMessage.CertificateMsg(x509CertificateArr);
                privateKey = x509KeyManager.getPrivateKey(str);
                this.session.setLocalPrivateKey(privateKey);
            } else if (this.protocolVersion.v >= ProtocolVersion.TLS10.v) {
                certificateMsg = new HandshakeMessage.CertificateMsg(new X509Certificate[0]);
            } else {
                warningSE((byte) 41);
            }
            if (certificateMsg != null) {
                this.session.setLocalCertificates(x509CertificateArr);
                if (debug != null && Debug.isOn("handshake")) {
                    certificateMsg.print(System.out);
                }
                certificateMsg.write(this.output);
            }
        }
        if (this.keyExchange == K_RSA || this.keyExchange == K_RSA_EXPORT) {
            preMasterSecret = new PreMasterSecret(this.protocolVersion, this.maxProtocolVersion, this.sslContext.getSecureRandom(), this.serverKey);
        } else if (this.keyExchange == K_DH_RSA || this.keyExchange == K_DH_DSS) {
            preMasterSecret = new ClientDiffieHellmanPublic();
        } else if (this.keyExchange == K_DHE_RSA || this.keyExchange == K_DHE_DSS || this.keyExchange == K_DH_ANON) {
            preMasterSecret = new ClientDiffieHellmanPublic(this.dh.getPublicKey());
        } else {
            if (this.keyExchange != K_KRB5 && this.keyExchange != K_KRB5_EXPORT) {
                throw new RuntimeException("Unsupported key exchange: " + ((Object) this.keyExchange));
            }
            String hostSE = getHostSE();
            if (hostSE == null) {
                throw new IOException("Hostname is required to use Kerberos cipher suites");
            }
            KerberosWrapper kerberosWrapper = new KerberosWrapper(hostSE, isLoopbackSE(), getAccSE(), this.protocolVersion, this.sslContext.getSecureRandom());
            this.session.setPeerPrincipal(kerberosWrapper.getPeerPrincipal());
            this.session.setLocalPrincipal(kerberosWrapper.getLocalPrincipal());
            preMasterSecret = kerberosWrapper;
        }
        if (debug != null && Debug.isOn("handshake")) {
            preMasterSecret.print(System.out);
        }
        preMasterSecret.write(this.output);
        this.output.doHashes();
        this.output.flush();
        byte[] unencrypted = (this.keyExchange == K_RSA || this.keyExchange == K_RSA_EXPORT) ? ((PreMasterSecret) preMasterSecret).preMaster : (this.keyExchange == K_KRB5 || this.keyExchange == K_KRB5_EXPORT) ? ((KerberosWrapper) preMasterSecret).getPreMasterSecret().getUnencrypted() : this.dh.getAgreedSecret(this.serverDH);
        calculateKeys(unencrypted);
        Arrays.fill(unencrypted, (byte) 0);
        if (privateKey != null) {
            try {
                certificateVerify = new HandshakeMessage.CertificateVerify(this.protocolVersion, this.handshakeHash, privateKey, this.session.getMasterSecret(), this.sslContext.getSecureRandom());
            } catch (GeneralSecurityException e) {
                fatalSE((byte) 40, "Error signing certificate verify", e);
                certificateVerify = null;
            }
            if (debug != null && Debug.isOn("handshake")) {
                certificateVerify.print(System.out);
            }
            certificateVerify.write(this.output);
            this.output.doHashes();
        }
        sendChangeCipherAndFinish(false);
    }

    private void serverFinished(HandshakeMessage.Finished finished) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            finished.print(System.out);
        }
        if (!finished.verify(this.protocolVersion, this.handshakeHash, 2, this.session.getMasterSecret())) {
            fatalSE((byte) 47, "server 'finished' message doesn't verify");
        }
        if (this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(true);
        }
        this.session.setLastAccessedTime(System.currentTimeMillis());
        if (this.resumingSession) {
            return;
        }
        if (!this.session.isRejoinable()) {
            if (debug == null || !Debug.isOn("session")) {
                return;
            }
            System.out.println("%% Didn't cache non-resumable client session: " + ((Object) this.session));
            return;
        }
        ((SSLSessionContextImpl) this.sslContext.engineGetClientSessionContext()).put(this.session);
        if (debug == null || !Debug.isOn("session")) {
            return;
        }
        System.out.println("%% Cached client session: " + ((Object) this.session));
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        sendChangeCipherSpec(new HandshakeMessage.Finished(this.protocolVersion, this.handshakeHash, 1, this.session.getMasterSecret()), z);
        this.state = 19;
    }

    @Override // com.sun.net.ssl.internal.ssl.Handshaker
    HandshakeMessage getKickstartMessage() throws SSLException {
        HandshakeMessage.ClientHello clientHello = new HandshakeMessage.ClientHello(this.sslContext.getSecureRandom(), this.protocolVersion);
        this.maxProtocolVersion = this.protocolVersion;
        this.clnt_random = clientHello.clnt_random;
        this.session = ((SSLSessionContextImpl) this.sslContext.engineGetClientSessionContext()).get(getHostSE(), getPortSE());
        if (debug != null && Debug.isOn("session")) {
            if (this.session != null) {
                System.out.println("%% Client cached " + ((Object) this.session) + (this.session.isRejoinable() ? "" : " (not rejoinable)"));
            } else {
                System.out.println("%% No cached client session");
            }
        }
        if (this.session != null && !this.session.isRejoinable()) {
            this.session = null;
        }
        if (this.session != null) {
            CipherSuite suite = this.session.getSuite();
            ProtocolVersion protocolVersion = this.session.getProtocolVersion();
            if (!isEnabled(suite)) {
                if (debug != null && Debug.isOn("session")) {
                    System.out.println("%% can't resume, cipher disabled");
                }
                this.session = null;
            }
            if (this.session != null && !this.enabledProtocols.contains(protocolVersion)) {
                if (debug != null && Debug.isOn("session")) {
                    System.out.println("%% can't resume, protocol disabled");
                }
                this.session = null;
            }
            if (this.session != null) {
                if (debug != null && (Debug.isOn("handshake") || Debug.isOn("session"))) {
                    System.out.println("%% Try resuming " + ((Object) this.session) + " from port " + getLocalPortSE());
                }
                clientHello.sessionId = this.session.getSessionId();
                clientHello.protocolVersion = protocolVersion;
                this.maxProtocolVersion = protocolVersion;
                setVersion(protocolVersion);
            }
            if (!this.enableNewSession) {
                if (this.session == null) {
                    throw new SSLException("Can't reuse existing SSL client session");
                }
                clientHello.cipherSuites = new CipherSuiteList(suite);
                return clientHello;
            }
        }
        if (this.session == null) {
            if (!this.enableNewSession) {
                throw new SSLException("No existing session to resume.");
            }
            clientHello.sessionId = SSLSessionImpl.nullSession.getSessionId();
        }
        clientHello.cipherSuites = this.enabledCipherSuites;
        return clientHello;
    }

    @Override // com.sun.net.ssl.internal.ssl.Handshaker
    void handshakeAlert(byte b) throws SSLProtocolException {
        String alertDescription = Alerts.alertDescription(b);
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("SSL - handshake alert: " + alertDescription);
        }
        throw new SSLProtocolException("handshake alert:  " + alertDescription);
    }

    private void serverCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        X509Certificate[] certificateChain = certificateMsg.getCertificateChain();
        if (certificateChain.length == 0) {
            fatalSE((byte) 42, "empty certificate chain");
        }
        try {
            this.sslContext.getX509TrustManager().checkServerTrusted(certificateChain != null ? (X509Certificate[]) certificateChain.clone() : certificateChain, (this.keyExchange != K_RSA_EXPORT || this.serverKeyExchangeReceived) ? this.keyExchange.name : K_RSA.name);
        } catch (CertificateException e) {
            fatalSE((byte) 46, e);
        }
        this.session.setPeerCertificates(certificateChain);
    }
}
