package org.bouncycastle.crypto.tls;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.SecureRandom;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Vector;
import org.bouncycastle.crypto.tls.ee;

/* loaded from: classes2.dex */
/**
 * Client-side TLS handshake state machine (decompiled; identifiers are obfuscated).
 *
 * <p>The decompiler inlined the numeric constants. The values used below match the
 * TLS registries as follows:
 * <ul>
 *   <li>Alerts: 10 unexpected_message, 40 handshake_failure, 47 illegal_parameter,
 *       80 internal_error.</li>
 *   <li>Handshake types: 0 hello_request, 1 client_hello, 2 server_hello,
 *       4 new_session_ticket, 11 certificate, 12 server_key_exchange,
 *       13 certificate_request, 14 server_hello_done, 15 certificate_verify,
 *       16 client_key_exchange, 20 finished, 22 certificate_status,
 *       23 supplemental_data.</li>
 * </ul>
 *
 * <p>{@code connection_state} values, as far as their meaning can be read from where this
 * class assigns them: 1 ClientHello sent, 2 ServerHello processed, 3 server supplemental
 * data stage passed, 4 server certificate processed, 5 certificate status received,
 * 6 server key exchange processed, 7 certificate request processed, 8 ServerHelloDone
 * received, 9/10/11/12 client supplemental data / certificate / key exchange /
 * certificate verify stages, 13 client side finished (presumably after l() and m() send
 * ChangeCipherSpec and Finished), 14 session ticket received, 15 server Finished
 * processed, 16 handshake complete.
 *
 * <p>Review notes for anyone auditing an app that embeds this class:
 * <ul>
 *   <li>No certificate chain or host name validation is visible here. The server
 *       certificate is handed to {@code authentication.notifyServerCertificate}; whether
 *       it is actually verified depends entirely on that implementation.</li>
 *   <li>A stapled certificate status (message 22) is parsed and stored, but nothing in
 *       this class inspects it afterwards.</li>
 *   <li>The extended master secret flag is only recorded; processing of the ServerHello
 *       does not reject a server that omits it.</li>
 * </ul>
 */
public class de extends ee {
    // Client context; created in connect() and returned by b() and getContext().
    dd a;
    // Set from tlsClient.getAuthentication() once a server certificate arrives; set to
    // null on the paths where the server sent no certificate.
    protected cx authentication;
    // Parsed CertificateRequest (message 13), or null if the server did not send one.
    protected u certificateRequest;
    // Parsed CertificateStatus (message 22); only ever assigned in this class, never read.
    protected v certificateStatus;
    // Key exchange object obtained from tlsClient.getKeyExchange() in a(Vector).
    protected dv keyExchange;
    // Session id echoed by the server in its ServerHello.
    protected byte[] selectedSessionID;
    // Application-supplied client callbacks; non-null once connect() has been called.
    protected db tlsClient;

    /**
     * Creates a protocol instance over the given streams; all handshake state starts null.
     */
    public de(InputStream inputStream, OutputStream outputStream, SecureRandom secureRandom) {
        super(inputStream, outputStream, secureRandom);
        this.tlsClient = null;
        this.a = null;
        this.selectedSessionID = null;
        this.keyExchange = null;
        this.authentication = null;
        this.certificateStatus = null;
        this.certificateRequest = null;
    }

    /**
     * Creates a protocol instance without streams (the superclass constructor taking only
     * a SecureRandom); all handshake state starts null.
     */
    public de(SecureRandom secureRandom) {
        super(secureRandom);
        this.tlsClient = null;
        this.a = null;
        this.selectedSessionID = null;
        this.keyExchange = null;
        this.authentication = null;
        this.certificateStatus = null;
        this.certificateRequest = null;
    }

    /**
     * Runs the superclass hook {@code a()} and then drops the per-handshake references
     * held by this class (session id, key exchange, authentication, certificate status
     * and certificate request). The context and tlsClient are kept.
     * NOTE(review): presumably the post-handshake cleanup hook -- confirm in ee.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.bouncycastle.crypto.tls.ee
    public void a() {
        super.a();
        this.selectedSessionID = null;
        this.keyExchange = null;
        this.authentication = null;
        this.certificateStatus = null;
        this.certificateRequest = null;
    }

    /**
     * Parses a NewSessionTicket body and passes it to the client callbacks.
     *
     * @param byteArrayInputStream body of the handshake message
     * @throws IOException if parsing fails or the inherited check d(...) rejects the stream
     */
    protected void a(ByteArrayInputStream byteArrayInputStream) throws IOException {
        bx parse = bx.parse(byteArrayInputStream);
        // NOTE(review): d(...) is inherited; it is called after every parse in this class,
        // presumably to reject trailing bytes -- confirm in ee.
        d(byteArrayInputStream);
        this.tlsClient.notifyNewSessionTicket(parse);
    }

    /**
     * Hands the server's supplemental data (may be null) to the client callbacks, moves to
     * state 3, then obtains the key exchange from the client and initialises it.
     *
     * @param vector supplemental data entries, or null when the server sent none
     * @throws IOException propagated from the client callbacks
     */
    protected void a(Vector vector) throws IOException {
        this.tlsClient.processServerSupplementalData(vector);
        this.connection_state = (short) 3;
        this.keyExchange = this.tlsClient.getKeyExchange();
        this.keyExchange.init(getContext());
    }

    /**
     * Writes the given object as a handshake message of type 15 (certificate_verify).
     *
     * @param beVar message body; it encodes itself into the handshake output stream
     * @throws IOException if encoding or sending fails
     */
    protected void a(be beVar) throws IOException {
        ee.a aVar = new ee.a(this, (short) 15);
        beVar.encode(aVar);
        // ee.a.a() is called after every message built in this class, presumably to flush
        // the buffered message to the record layer -- confirm in ee.
        aVar.a();
    }

    /** Returns the client context created in connect() (null before connect()). */
    @Override // org.bouncycastle.crypto.tls.ee
    d b() {
        return this.a;
    }

    /**
     * Processes a ServerHello: validates version, session id, cipher suite, compression
     * method and extensions against what the client offered, decides whether the session
     * is being resumed, and records the negotiated parameters.
     *
     * <p>Every validation failure below is a fatal alert; 47 is illegal_parameter and 40 is
     * handshake_failure.
     *
     * @param byteArrayInputStream body of the ServerHello message
     * @throws IOException (TlsFatalAlert) if any field is unacceptable
     */
    protected void b(ByteArrayInputStream byteArrayInputStream) throws IOException {
        cc readVersion = ex.readVersion(byteArrayInputStream);
        // This class is TLS only; a DTLS version in the ServerHello is rejected.
        if (readVersion.isDTLS()) {
            throw new TlsFatalAlert((short) 47);
        }
        // NOTE(review): this.b is inherited (it looks like the record layer); the hello
        // version must equal whatever this.b.b() returns -- confirm semantics in ee.
        if (!readVersion.equals(this.b.b())) {
            throw new TlsFatalAlert((short) 47);
        }
        // The server may not select a version later than the one the client offered.
        if (!readVersion.isEqualOrEarlierVersionOf(getContext().getClientVersion())) {
            throw new TlsFatalAlert((short) 47);
        }
        this.b.b(readVersion);
        b().b(readVersion);
        this.tlsClient.notifyServerVersion(readVersion);
        // 32-byte random field of the ServerHello.
        this.securityParameters.h = ex.readFully(32, byteArrayInputStream);
        this.selectedSessionID = ex.readOpaque8(byteArrayInputStream);
        // Session ids longer than 32 bytes are rejected.
        if (this.selectedSessionID.length > 32) {
            throw new TlsFatalAlert((short) 47);
        }
        this.tlsClient.notifySessionID(this.selectedSessionID);
        // Resumption requires a non-empty id that matches the session offered in connect().
        this.resumedSession = this.selectedSessionID.length > 0 && this.tlsSession != null && org.bouncycastle.util.a.areEqual(this.selectedSessionID, this.tlsSession.getSessionID());
        int readUint16 = ex.readUint16(byteArrayInputStream);
        // The selected cipher suite must be one the client offered, must not be suite 0,
        // must not be a signalling value (SCSV), and must be valid for the server version.
        if (!org.bouncycastle.util.a.contains(this.offeredCipherSuites, readUint16) || readUint16 == 0 || ac.isSCSV(readUint16) || !ex.isValidCipherSuiteForVersion(readUint16, getContext().getServerVersion())) {
            throw new TlsFatalAlert((short) 47);
        }
        this.tlsClient.notifySelectedCipherSuite(readUint16);
        short readUint8 = ex.readUint8(byteArrayInputStream);
        // Likewise the compression method must be one the client offered.
        if (!org.bouncycastle.util.a.contains(this.offeredCompressionMethods, readUint8)) {
            throw new TlsFatalAlert((short) 47);
        }
        this.tlsClient.notifySelectedCompressionMethod(readUint8);
        // e(...) is inherited; it yields the server extension table (null if none).
        this.serverExtensions = e(byteArrayInputStream);
        if (this.serverExtensions != null) {
            Enumeration keys = this.serverExtensions.keys();
            while (keys.hasMoreElements()) {
                Integer num = (Integer) keys.nextElement();
                // renegotiation_info is exempt from the "must have been offered" rule
                // because the client may have signalled it through cipher suite 255.
                if (!num.equals(EXT_RenegotiationInfo)) {
                    // Any other extension the client did not send is rejected.
                    if (ex.getExtensionData(this.clientExtensions, num) == null) {
                        throw new TlsFatalAlert(l.unsupported_extension);
                    }
                    // Empty branch in the decompiled output: on a resumed session no
                    // further restriction on server extensions is enforced here.
                    if (this.resumedSession) {
                    }
                }
            }
        }
        byte[] extensionData = ex.getExtensionData(this.serverExtensions, EXT_RenegotiationInfo);
        if (extensionData != null) {
            this.secure_renegotiation = true;
            // The extension body must equal a(EMPTY_BYTES) (inherited helper; presumably
            // the encoding of an empty renegotiated_connection). Compared in constant time.
            if (!org.bouncycastle.util.a.constantTimeAreEqual(extensionData, a(ex.EMPTY_BYTES))) {
                throw new TlsFatalAlert((short) 40);
            }
        }
        // When the extension is absent nothing is rejected here; whether to continue
        // without secure renegotiation is left to the client callback.
        this.tlsClient.notifySecureRenegotiation(this.secure_renegotiation);
        Hashtable hashtable = this.clientExtensions;
        Hashtable hashtable2 = this.serverExtensions;
        if (this.resumedSession) {
            // A resumed session must keep the cipher suite and compression it was
            // established with.
            if (readUint16 != this.sessionParameters.getCipherSuite() || readUint8 != this.sessionParameters.getCompressionAlgorithm()) {
                throw new TlsFatalAlert((short) 47);
            }
            // On resumption the stored server extensions replace the ones just received,
            // and the client extension table is treated as absent for the steps below.
            hashtable = null;
            hashtable2 = this.sessionParameters.readServerExtensions();
        }
        this.securityParameters.b = readUint16;
        this.securityParameters.c = readUint8;
        if (hashtable2 != null) {
            boolean hasEncryptThenMACExtension = ds.hasEncryptThenMACExtension(hashtable2);
            // encrypt_then_mac is only acceptable together with a block cipher suite.
            if (hasEncryptThenMACExtension && !ex.isBlockCipherSuite(readUint16)) {
                throw new TlsFatalAlert((short) 47);
            }
            this.securityParameters.n = hasEncryptThenMACExtension;
            // Recorded only: a server that omits extended_master_secret is not rejected here.
            this.securityParameters.o = ds.hasExtendedMasterSecretExtension(hashtable2);
            // NOTE(review): a(Hashtable, Hashtable, short) is inherited; purpose not
            // visible in this file (possibly max fragment length negotiation).
            this.securityParameters.l = a(hashtable, hashtable2, (short) 47);
            this.securityParameters.m = ds.hasTruncatedHMacExtension(hashtable2);
            // CertificateStatus and NewSessionTicket messages are only accepted later if
            // this is a full handshake and the server echoed the extension with empty data.
            this.allowCertificateStatus = !this.resumedSession && ex.hasExpectedEmptyExtensionData(hashtable2, ds.EXT_status_request, (short) 47);
            this.expectSessionTicket = !this.resumedSession && ex.hasExpectedEmptyExtensionData(hashtable2, ee.EXT_SessionTicket, (short) 47);
        }
        // Skipped on resumption (hashtable was nulled above) and when the client sent no
        // extensions at all.
        if (hashtable != null) {
            this.tlsClient.processServerExtensions(hashtable2);
        }
        // NOTE(review): fields d and e are obfuscated; d is derived from the context and
        // the cipher suite, e is the constant 12 (possibly PRF algorithm and verify_data
        // length) -- confirm in ci.
        this.securityParameters.d = a(getContext(), this.securityParameters.getCipherSuite());
        this.securityParameters.e = 12;
    }

    /**
     * Builds and sends the ClientHello (handshake type 1).
     *
     * <p>Offers the stored session id when one is usable, and appends cipher suite 255
     * (0x00FF, the empty renegotiation info signalling value) and the fallback signalling
     * value where applicable.
     *
     * @throws IOException (TlsFatalAlert 80) if the client asks for a DTLS version, or on
     *         write failure
     */
    protected void c() throws IOException {
        this.b.b(this.tlsClient.getClientHelloRecordLayerVersion());
        cc clientVersion = this.tlsClient.getClientVersion();
        // A DTLS version from the application is a local configuration error.
        if (clientVersion.isDTLS()) {
            throw new TlsFatalAlert((short) 80);
        }
        b().a(clientVersion);
        // Session id to offer: empty unless a session is being resumed and its id is
        // non-null and at most 32 bytes.
        byte[] bArr = ex.EMPTY_BYTES;
        if (this.tlsSession != null && ((bArr = this.tlsSession.getSessionID()) == null || bArr.length > 32)) {
            bArr = ex.EMPTY_BYTES;
        }
        boolean isFallback = this.tlsClient.isFallback();
        this.offeredCipherSuites = this.tlsClient.getCipherSuites();
        this.offeredCompressionMethods = this.tlsClient.getCompressionMethods();
        // Do not offer resumption if the stored session's cipher suite or compression
        // method is no longer among the values being offered.
        if (bArr.length > 0 && this.sessionParameters != null && (!org.bouncycastle.util.a.contains(this.offeredCipherSuites, this.sessionParameters.getCipherSuite()) || !org.bouncycastle.util.a.contains(this.offeredCompressionMethods, this.sessionParameters.getCompressionAlgorithm()))) {
            bArr = ex.EMPTY_BYTES;
        }
        this.clientExtensions = this.tlsClient.getClientExtensions();
        ee.a aVar = new ee.a(this, (short) 1);
        ex.writeVersion(clientVersion, aVar);
        aVar.write(this.securityParameters.getClientRandom());
        ex.writeOpaque8(bArr, aVar);
        // z: the client did not supply a renegotiation_info extension.
        boolean z = ex.getExtensionData(this.clientExtensions, EXT_RenegotiationInfo) == null;
        // z2: suite 255 is not already in the offered list.
        boolean z2 = org.bouncycastle.util.a.contains(this.offeredCipherSuites, 255) ? false : true;
        // Signal renegotiation_info support through suite 255 when the extension is absent.
        if (z && z2) {
            this.offeredCipherSuites = org.bouncycastle.util.a.append(this.offeredCipherSuites, 255);
        }
        // On a fallback (downgraded retry) connection, add the fallback signalling value so
        // the server can detect the downgrade.
        if (isFallback && !org.bouncycastle.util.a.contains(this.offeredCipherSuites, ac.TLS_FALLBACK_SCSV)) {
            this.offeredCipherSuites = org.bouncycastle.util.a.append(this.offeredCipherSuites, ac.TLS_FALLBACK_SCSV);
        }
        ex.writeUint16ArrayWithUint16Length(this.offeredCipherSuites, aVar);
        ex.writeUint8ArrayWithUint8Length(this.offeredCompressionMethods, aVar);
        if (this.clientExtensions != null) {
            a(aVar, this.clientExtensions);
        }
        aVar.a();
    }

    /**
     * Starts the handshake with the given client callbacks. May be called only once per
     * instance.
     *
     * @param dbVar client callbacks; must not be null
     * @throws IllegalArgumentException if {@code dbVar} is null
     * @throws IllegalStateException if connect has already been called
     * @throws IOException on handshake failure
     */
    public void connect(db dbVar) throws IOException {
        co exportSessionParameters;
        if (dbVar == null) {
            throw new IllegalArgumentException("'tlsClient' cannot be null");
        }
        if (this.tlsClient != null) {
            throw new IllegalStateException("'connect' can only be called once");
        }
        this.tlsClient = dbVar;
        this.securityParameters = new ci();
        // NOTE(review): field a of ci is obfuscated; 1 presumably marks the client role.
        this.securityParameters.a = 1;
        this.a = new dd(this.secureRandom, this.securityParameters);
        // Client random, built by an inherited helper from the context's nonce generator;
        // the flag says whether the client wants a GMT Unix time in it.
        this.securityParameters.g = a(dbVar.shouldUseGMTUnixTime(), this.a.getNonceRandomGenerator());
        this.tlsClient.init(this.a);
        this.b.a(this.a);
        // Offer resumption only if the session is resumable and its parameters can be
        // exported.
        es sessionToResume = dbVar.getSessionToResume();
        if (sessionToResume != null && sessionToResume.isResumable() && (exportSessionParameters = sessionToResume.exportSessionParameters()) != null) {
            this.tlsSession = sessionToResume;
            this.sessionParameters = exportSessionParameters;
        }
        c();
        this.connection_state = (short) 1;
        // NOTE(review): g() is inherited; presumably drives the rest of the handshake.
        g();
    }

    /**
     * Sends the ClientKeyExchange (handshake type 16); the body is produced by the
     * negotiated key exchange.
     *
     * @throws IOException on write failure
     */
    protected void d() throws IOException {
        ee.a aVar = new ee.a(this, (short) 16);
        this.keyExchange.generateClientKeyExchange(aVar);
        aVar.a();
    }

    /** Returns the client context (same object as b()). */
    @Override // org.bouncycastle.crypto.tls.ee
    protected dg getContext() {
        return this.a;
    }

    /** Returns the client callbacks passed to connect(). */
    @Override // org.bouncycastle.crypto.tls.ee
    protected ed getPeer() {
        return this.tlsClient;
    }

    /**
     * Dispatches one received handshake message according to its type and the current
     * connection state. A message that is not allowed in the current state ends the
     * handshake with a fatal alert (10 unexpected_message, except where noted).
     *
     * <p>Several inner switches rely on deliberate case fall-through: arriving in an
     * earlier state means the server skipped optional messages, so the "skip" steps for
     * those messages run before the handler for the message that did arrive.
     *
     * <p>The two JADX warnings below mean the decompiler could not fully reconstruct the
     * switch exits; treat the exact control flow as approximate.
     *
     * @param s handshake message type
     * @param bArr handshake message body
     * @throws IOException (TlsFatalAlert) on an unexpected or invalid message
     */
    /* JADX WARN: Failed to find 'out' block for switch in B:67:0x012c. Please report as an issue. */
    /* JADX WARN: Failed to find 'out' block for switch in B:95:0x0208. Please report as an issue. */
    @Override // org.bouncycastle.crypto.tls.ee
    protected void handleHandshakeMessage(short s, byte[] bArr) throws IOException {
        dh clientCredentials;
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        // Abbreviated handshake: once the ServerHello has confirmed resumption, the only
        // acceptable next message is the server's Finished (type 20) in state 2.
        if (this.resumedSession) {
            if (s != 20 || this.connection_state != 2) {
                throw new TlsFatalAlert((short) 10);
            }
            // c(...) is inherited; it processes the server's Finished message.
            c(byteArrayInputStream);
            this.connection_state = (short) 15;
            // m() is inherited; presumably sends the client's Finished message.
            m();
            this.connection_state = (short) 13;
            this.connection_state = (short) 16;
            // h() is inherited; presumably completes the handshake.
            h();
            return;
        }
        switch (s) {
            case 0:
                // hello_request: only acted upon once the handshake is complete (state 16).
                d(byteArrayInputStream);
                if (this.connection_state == 16) {
                    // NOTE(review): o() is inherited; presumably declines renegotiation.
                    o();
                    return;
                }
                return;
            // Message types a client must never receive, plus anything unknown.
            case 1:
            case 3:
            case 5:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 15:
            case 16:
            case 17:
            case 18:
            case 19:
            case 21:
            default:
                throw new TlsFatalAlert((short) 10);
            case 2:
                // server_hello: only valid directly after the ClientHello.
                switch (this.connection_state) {
                    case 1:
                        b(byteArrayInputStream);
                        this.connection_state = (short) 2;
                        // Inherited helpers; their purpose is not visible in this file.
                        this.b.g();
                        f();
                        if (this.resumedSession) {
                            // Reuse a copy of the stored master secret, install the pending
                            // cipher state, then call l() (presumably ChangeCipherSpec).
                            this.securityParameters.f = org.bouncycastle.util.a.clone(this.sessionParameters.getMasterSecret());
                            this.b.a(getPeer().getCompression(), getPeer().getCipher());
                            l();
                            return;
                        } else {
                            // Full handshake: k() is inherited (presumably discards the
                            // session that was offered); start a fresh session record if the
                            // server assigned an id.
                            k();
                            if (this.selectedSessionID.length > 0) {
                                this.tlsSession = new et(this.selectedSessionID, null);
                                return;
                            }
                            return;
                        }
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
            case 4:
                // new_session_ticket: only after the client is finished (state 13) and only
                // if the server announced a ticket in its ServerHello.
                switch (this.connection_state) {
                    case 13:
                        if (!this.expectSessionTicket) {
                            throw new TlsFatalAlert((short) 10);
                        }
                        k();
                        a(byteArrayInputStream);
                        this.connection_state = (short) 14;
                        return;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
            case 11:
                // certificate (server certificate chain).
                switch (this.connection_state) {
                    case 2:
                        // No supplemental data was sent; run that stage with null first.
                        a((Vector) null);
                        break;
                    case 3:
                        break;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
                this.peerCertificate = t.parse(byteArrayInputStream);
                d(byteArrayInputStream);
                // An empty chain cannot be followed by a CertificateStatus message.
                if (this.peerCertificate == null || this.peerCertificate.isEmpty()) {
                    this.allowCertificateStatus = false;
                }
                this.keyExchange.processServerCertificate(this.peerCertificate);
                this.authentication = this.tlsClient.getAuthentication();
                // Trust decision point: this class does no chain or host name validation
                // itself. The certificate is accepted unless this callback throws.
                this.authentication.notifyServerCertificate(this.peerCertificate);
                this.connection_state = (short) 4;
                return;
            case 12:
                // server_key_exchange. Fall-through is intentional: states 2 and 3 mean the
                // server sent no certificate, so the skip steps run before processing.
                switch (this.connection_state) {
                    case 2:
                        a((Vector) null);
                    case 3:
                        this.keyExchange.skipServerCredentials();
                        this.authentication = null;
                    case 4:
                    case 5:
                        this.keyExchange.processServerKeyExchange(byteArrayInputStream);
                        d(byteArrayInputStream);
                        this.connection_state = (short) 6;
                        return;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
            case 13:
                // certificate_request.
                switch (this.connection_state) {
                    case 4:
                    case 5:
                        // No ServerKeyExchange was sent for this key exchange.
                        this.keyExchange.skipServerKeyExchange();
                        break;
                    case 6:
                        break;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
                // authentication is only set when a server certificate was processed; a
                // server that sent none may not ask for a client certificate.
                if (this.authentication == null) {
                    throw new TlsFatalAlert((short) 40);
                }
                this.certificateRequest = u.parse(getContext(), byteArrayInputStream);
                d(byteArrayInputStream);
                this.keyExchange.validateCertificateRequest(this.certificateRequest);
                // Inherited helper fed with the handshake hash object and the signature
                // algorithms the server listed (presumably so the needed hashes are tracked).
                ex.a(this.b.h(), this.certificateRequest.getSupportedSignatureAlgorithms());
                this.connection_state = (short) 7;
                return;
            case 14:
                // server_hello_done: the server's flight is over, so the whole client
                // flight is produced here. Fall-through is intentional, running the skip
                // step for each optional server message that never arrived.
                switch (this.connection_state) {
                    case 2:
                        a((Vector) null);
                    case 3:
                        this.keyExchange.skipServerCredentials();
                        this.authentication = null;
                    case 4:
                    case 5:
                        this.keyExchange.skipServerKeyExchange();
                    case 6:
                    case 7:
                        d(byteArrayInputStream);
                        this.connection_state = (short) 8;
                        this.b.h().sealHashAlgorithms();
                        Vector clientSupplementalData = this.tlsClient.getClientSupplementalData();
                        if (clientSupplementalData != null) {
                            b(clientSupplementalData);
                        }
                        this.connection_state = (short) 9;
                        // Client certificate: sent only when the server requested one. An
                        // empty chain is sent if the application has no credentials.
                        if (this.certificateRequest == null) {
                            this.keyExchange.skipClientCredentials();
                            clientCredentials = null;
                        } else {
                            clientCredentials = this.authentication.getClientCredentials(this.certificateRequest);
                            if (clientCredentials == null) {
                                this.keyExchange.skipClientCredentials();
                                a(t.EMPTY_CHAIN);
                            } else {
                                this.keyExchange.processClientCredentials(clientCredentials);
                                a(clientCredentials.getCertificate());
                            }
                        }
                        this.connection_state = (short) 10;
                        // ClientKeyExchange.
                        d();
                        this.connection_state = (short) 11;
                        // Handshake hash state as of this point; the value stored in field i
                        // is what getSessionHash() is used for below.
                        dt i = this.b.i();
                        this.securityParameters.i = a(getContext(), i, (byte[]) null);
                        // Inherited helper taking the key exchange (presumably establishes
                        // the master secret), then the pending cipher state is installed.
                        a(getContext(), this.keyExchange);
                        this.b.a(getPeer().getCompression(), getPeer().getCipher());
                        // CertificateVerify: only for credentials able to sign (type ev).
                        if (clientCredentials != null && (clientCredentials instanceof ev)) {
                            ev evVar = (ev) clientCredentials;
                            cq signatureAndHashAlgorithm = ex.getSignatureAndHashAlgorithm(getContext(), evVar);
                            // Without a negotiated signature/hash pair the session hash is
                            // signed; otherwise the final hash for the selected algorithm.
                            a(new be(signatureAndHashAlgorithm, evVar.generateCertificateSignature(signatureAndHashAlgorithm == null ? this.securityParameters.getSessionHash() : i.getFinalHash(signatureAndHashAlgorithm.getHash()))));
                            this.connection_state = (short) 12;
                        }
                        // Presumably ChangeCipherSpec followed by the client's Finished.
                        l();
                        m();
                        this.connection_state = (short) 13;
                        return;
                    default:
                        // Note: alert 40 here, not the 10 used by the other state checks.
                        throw new TlsFatalAlert((short) 40);
                }
                break;
            case 20:
                // finished (server): valid after the client is finished, and after the
                // session ticket if (and only if) one was announced.
                switch (this.connection_state) {
                    case 13:
                        if (this.expectSessionTicket) {
                            throw new TlsFatalAlert((short) 10);
                        }
                        break;
                    case 14:
                        break;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
                c(byteArrayInputStream);
                this.connection_state = (short) 15;
                this.connection_state = (short) 16;
                h();
                return;
            case 22:
                // certificate_status: only directly after the server certificate and only
                // if negotiated. The parsed value is stored but not checked in this class.
                switch (this.connection_state) {
                    case 4:
                        if (!this.allowCertificateStatus) {
                            throw new TlsFatalAlert((short) 10);
                        }
                        this.certificateStatus = v.parse(byteArrayInputStream);
                        d(byteArrayInputStream);
                        this.connection_state = (short) 5;
                        return;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
            case 23:
                // supplemental_data: only directly after the ServerHello. f(...) is an
                // inherited parser for the message body.
                switch (this.connection_state) {
                    case 2:
                        a(f(byteArrayInputStream));
                        return;
                    default:
                        throw new TlsFatalAlert((short) 10);
                }
        }
    }
}
