package org.bouncycastle.jsse.provider;

import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCX509ExtendedKeyManager;
import org.bouncycastle.jsse.BCX509Key;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.jsse.provider.ProvX509KeyManager;
import org.bouncycastle.tls.TlsUtils;

/* loaded from: input_file:BOOT-INF/lib/bctls-jdk18on-1.78.1.jar:org/bouncycastle/jsse/provider/ProvX509KeyManagerSimple.class */
/**
 * Key manager that selects TLS credentials from an in-memory snapshot of a {@link KeyStore}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>All private keys are extracted from the key store once, in the constructor, and are then
 *       held by this instance for its whole lifetime. Later changes to the key store are not
 *       picked up.</li>
 *   <li>One password is used for every alias when the keys are extracted.</li>
 *   <li>The credential map is wrapped with {@link Collections#unmodifiableMap(Map)}, so the set of
 *       usable aliases cannot change after construction.</li>
 *   <li>Selection is logged at {@link Level#FINE} with the key type and alias only; no key
 *       material is written to the log.</li>
 * </ul>
 */
class ProvX509KeyManagerSimple extends BCX509ExtendedKeyManager {
    private static final Logger LOG = Logger.getLogger(ProvX509KeyManagerSimple.class.getName());
    private final boolean isInFipsMode;
    private final JcaJceHelper helper;
    private final Map<String, Credential> credentials;

    /**
     * One usable key store entry: alias, private key and its X.509 chain.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from
     * {@code private}. The certificate chain array is stored as passed in (no defensive copy is
     * taken here); callers outside this class only receive a clone via
     * {@link ProvX509KeyManagerSimple#getCertificateChain(String)}.
     */
    public static class Credential {
        private final String alias;
        private final PrivateKey privateKey;
        private final X509Certificate[] certificateChain;

        Credential(String str, PrivateKey privateKey, X509Certificate[] x509CertificateArr) {
            this.alias = str;
            this.privateKey = privateKey;
            this.certificateChain = x509CertificateArr;
        }
    }

    /**
     * Result of evaluating one credential against a request, ordered from best to worst.
     *
     * <p>The decompiler reports that the access modifier of this class was changed from
     * {@code private}.
     */
    public static final class Match implements Comparable<Match> {
        /** First quality level that is treated as not valid; see {@link #isValid()}. */
        static final ProvX509KeyManager.MatchQuality INVALID = ProvX509KeyManager.MatchQuality.MISMATCH_SNI;
        /** Sentinel meaning "no credential matched"; it carries no credential. */
        static final Match NOTHING = new Match(ProvX509KeyManager.MatchQuality.NONE, Integer.MAX_VALUE, null);
        final ProvX509KeyManager.MatchQuality quality;
        final int keyTypeIndex;
        final Credential credential;

        Match(ProvX509KeyManager.MatchQuality matchQuality, int i, Credential credential) {
            this.quality = matchQuality;
            this.keyTypeIndex = i;
            this.credential = credential;
        }

        /**
         * Orders matches so that the preferred one sorts first: valid before invalid, then the
         * lower key type index, then the natural order of the quality enum.
         */
        @Override // java.lang.Comparable
        public int compareTo(Match match) {
            boolean thisValid = isValid();
            if (thisValid != match.isValid()) {
                return thisValid ? -1 : 1;
            }
            if (this.keyTypeIndex != match.keyTypeIndex) {
                return this.keyTypeIndex < match.keyTypeIndex ? -1 : 1;
            }
            return this.quality.compareTo(match.quality);
        }

        /** Returns true when the quality is OK and the match is for the first requested key type. */
        boolean isIdeal() {
            return 0 == this.keyTypeIndex && ProvX509KeyManager.MatchQuality.OK == this.quality;
        }

        /** Returns true when the quality orders strictly before {@link #INVALID}. */
        boolean isValid() {
            return this.quality.compareTo(INVALID) < 0;
        }
    }

    /**
     * Builds the alias-to-credential snapshot from the key store.
     *
     * <p>Only entries that are private key entries, yield a non-null key and have a non-empty
     * X.509 chain are kept; every other entry is skipped silently. The same password is passed to
     * {@link KeyStore#getKey(String, char[])} for every alias, and any exception it throws is
     * propagated, so loading stops at the first entry that fails.
     *
     * @param keyStore source key store, may be null (an empty map is returned)
     * @param password password handed to {@code getKey} for each alias
     * @return unmodifiable map from alias to credential
     */
    private static Map<String, Credential> loadCredentials(KeyStore keyStore, char[] password) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        Map<String, Credential> loaded = new HashMap<>(4);
        if (null == keyStore) {
            return Collections.unmodifiableMap(loaded);
        }
        for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!keyStore.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                continue;
            }
            PrivateKey key = (PrivateKey) keyStore.getKey(alias, password);
            if (null == key) {
                continue;
            }
            X509Certificate[] chain = JsseUtils.getX509CertificateChain(keyStore.getCertificateChain(alias));
            if (TlsUtils.isNullOrEmpty(chain)) {
                continue;
            }
            loaded.put(alias, new Credential(alias, key, chain));
        }
        return Collections.unmodifiableMap(loaded);
    }

    /**
     * Creates the key manager and immediately extracts every usable credential from the key store.
     * The decompiler reports that the access modifier was changed from package-private.
     *
     * @param z stored as the FIPS-mode flag and forwarded to the match quality check
     * @param jcaJceHelper helper forwarded to the match quality check
     * @param keyStore key store to read, may be null
     * @param cArr password used for every key entry
     */
    public ProvX509KeyManagerSimple(boolean z, JcaJceHelper jcaJceHelper, KeyStore keyStore, char[] cArr) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        this.isInFipsMode = z;
        this.helper = jcaJceHelper;
        this.credentials = loadCredentials(keyStore, cArr);
    }

    /** Chooses a client-side alias for a socket connection; returns null when nothing matches. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(socket);
        return chooseAlias(keyTypes, principalArr, transport, false);
    }

    /** Chooses a client-side key for a socket connection; returns null when nothing matches. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedKeyManager
    public BCX509Key chooseClientKeyBC(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(socket);
        return chooseKeyBC(keyTypes, principalArr, transport, false);
    }

    /** Chooses a client-side alias for an engine; returns null when nothing matches. */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(sSLEngine);
        return chooseAlias(keyTypes, principalArr, transport, false);
    }

    /** Chooses a client-side key for an engine; returns null when nothing matches. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedKeyManager
    public BCX509Key chooseEngineClientKeyBC(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(sSLEngine);
        return chooseKeyBC(keyTypes, principalArr, transport, false);
    }

    /** Chooses a server-side alias for an engine; returns null when nothing matches. */
    @Override // javax.net.ssl.X509ExtendedKeyManager
    public String chooseEngineServerAlias(String str, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(str);
        TransportData transport = TransportData.from(sSLEngine);
        return chooseAlias(keyTypes, principalArr, transport, true);
    }

    /** Chooses a server-side key for an engine; returns null when nothing matches. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedKeyManager
    public BCX509Key chooseEngineServerKeyBC(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(sSLEngine);
        return chooseKeyBC(keyTypes, principalArr, transport, true);
    }

    /** Chooses a server-side alias for a socket connection; returns null when nothing matches. */
    @Override // javax.net.ssl.X509KeyManager
    public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(str);
        TransportData transport = TransportData.from(socket);
        return chooseAlias(keyTypes, principalArr, transport, true);
    }

    /** Chooses a server-side key for a socket connection; returns null when nothing matches. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedKeyManager
    public BCX509Key chooseServerKeyBC(String[] strArr, Principal[] principalArr, Socket socket) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(strArr);
        TransportData transport = TransportData.from(socket);
        return chooseKeyBC(keyTypes, principalArr, transport, true);
    }

    /**
     * Returns a copy of the certificate chain stored for the alias, or null when the alias is
     * null or unknown. The array is cloned so callers cannot replace entries of the stored chain.
     */
    @Override // javax.net.ssl.X509KeyManager
    public X509Certificate[] getCertificateChain(String str) {
        Credential found = getCredential(str);
        return null == found ? null : found.certificateChain.clone();
    }

    /**
     * Lists client-side aliases for the key type, best match first, or null when none match.
     * No transport data is available here, so null is passed for it.
     */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getClientAliases(String str, Principal[] principalArr) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(str);
        return getAliases(keyTypes, principalArr, null, false);
    }

    /**
     * Returns the private key stored for the alias, or null when the alias is null or unknown.
     * The stored key object itself is returned, with no check on who is asking for it.
     */
    @Override // javax.net.ssl.X509KeyManager
    public PrivateKey getPrivateKey(String str) {
        Credential found = getCredential(str);
        return null == found ? null : found.privateKey;
    }

    /**
     * Lists server-side aliases for the key type, best match first, or null when none match.
     * No transport data is available here, so null is passed for it.
     */
    @Override // javax.net.ssl.X509KeyManager
    public String[] getServerAliases(String str, Principal[] principalArr) {
        List<String> keyTypes = ProvX509KeyManager.getKeyTypes(str);
        return getAliases(keyTypes, principalArr, null, true);
    }

    /**
     * Builds a key object of type {@code str} from the credential stored under alias
     * {@code str2}; returns null when the alias is null or unknown.
     */
    @Override // org.bouncycastle.jsse.BCX509ExtendedKeyManager
    protected BCX509Key getKeyBC(String str, String str2) {
        Credential found = getCredential(str2);
        return createKeyBC(str, found);
    }

    /**
     * Picks the best credential and returns its alias, or null when no credential orders before
     * {@link Match#NOTHING}.
     *
     * @param forServer true on the server-side entry points, false on the client-side ones
     */
    private String chooseAlias(List<String> keyTypes, Principal[] principals, TransportData transportData, boolean forServer) {
        Match best = getBestMatch(keyTypes, principals, transportData, forServer);
        if (best.compareTo(Match.NOTHING) < 0) {
            String keyType = keyTypes.get(best.keyTypeIndex);
            String alias = getAlias(best);
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Found matching key of type: " + keyType + ", returning alias: " + alias);
            }
            return alias;
        }
        LOG.fine("No matching key found");
        return null;
    }

    /**
     * Picks the best credential and returns it as a key object, or null when no credential orders
     * before {@link Match#NOTHING}.
     *
     * @param forServer true on the server-side entry points, false on the client-side ones
     */
    private BCX509Key chooseKeyBC(List<String> keyTypes, Principal[] principals, TransportData transportData, boolean forServer) {
        Match best = getBestMatch(keyTypes, principals, transportData, forServer);
        if (best.compareTo(Match.NOTHING) < 0) {
            String keyType = keyTypes.get(best.keyTypeIndex);
            BCX509Key key = createKeyBC(keyType, best.credential);
            if (null != key) {
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.fine("Found matching key of type: " + keyType + ", from alias: " + getAlias(best));
                }
                return key;
            }
        }
        LOG.fine("No matching key found");
        return null;
    }

    /**
     * Wraps a credential as a {@code ProvX509Key}, or returns null for a null credential.
     * NOTE(review): the stored chain array is handed over without cloning; whether ProvX509Key
     * copies it is not visible here - confirm before exposing the result to untrusted callers.
     */
    private BCX509Key createKeyBC(String keyType, Credential credential) {
        return null == credential
            ? null
            : new ProvX509Key(keyType, credential.privateKey, credential.certificateChain);
    }

    /**
     * Collects every credential that orders before {@link Match#NOTHING}, sorts the matches and
     * returns their aliases; returns null when there are no credentials, no key types or no match.
     */
    private String[] getAliases(List<String> keyTypes, Principal[] principals, TransportData transportData, boolean forServer) {
        if (this.credentials.isEmpty() || keyTypes.isEmpty()) {
            return null;
        }
        int keyTypeLimit = keyTypes.size();
        Set<Principal> uniquePrincipals = ProvX509KeyManager.getUniquePrincipals(principals);
        BCAlgorithmConstraints algorithmConstraints = TransportData.getAlgorithmConstraints(transportData, true);
        // One timestamp is taken per call and shared by every candidate evaluated in it.
        Date atDate = new Date();
        String requestedHostName = ProvX509KeyManager.getRequestedHostName(transportData, forServer);
        List<Match> matches = null;
        for (Credential candidate : this.credentials.values()) {
            Match evaluated = getPotentialMatch(candidate, keyTypes, keyTypeLimit, uniquePrincipals, algorithmConstraints, forServer, atDate, requestedHostName);
            if (evaluated.compareTo(Match.NOTHING) < 0) {
                matches = addToMatches(matches, evaluated);
            }
        }
        if (null == matches || matches.isEmpty()) {
            return null;
        }
        Collections.sort(matches);
        return getAliases(matches);
    }

    /**
     * Scans the credentials and returns the one that orders first, or {@link Match#NOTHING}.
     * The scan stops as soon as an ideal match is seen.
     */
    private Match getBestMatch(List<String> keyTypes, Principal[] principals, TransportData transportData, boolean forServer) {
        Match best = Match.NOTHING;
        if (this.credentials.isEmpty() || keyTypes.isEmpty()) {
            return best;
        }
        int keyTypeLimit = keyTypes.size();
        Set<Principal> uniquePrincipals = ProvX509KeyManager.getUniquePrincipals(principals);
        BCAlgorithmConstraints algorithmConstraints = TransportData.getAlgorithmConstraints(transportData, true);
        // One timestamp is taken per call and shared by every candidate evaluated in it.
        Date atDate = new Date();
        String requestedHostName = ProvX509KeyManager.getRequestedHostName(transportData, forServer);
        for (Credential candidate : this.credentials.values()) {
            Match evaluated = getPotentialMatch(candidate, keyTypes, keyTypeLimit, uniquePrincipals, algorithmConstraints, forServer, atDate, requestedHostName);
            if (evaluated.compareTo(best) >= 0) {
                continue;
            }
            best = evaluated;
            if (best.isIdeal()) {
                return best;
            }
            if (best.isValid()) {
                // A valid match at index k shrinks the limit passed for later candidates to k + 1.
                keyTypeLimit = Math.min(keyTypeLimit, best.keyTypeIndex + 1);
            }
        }
        return best;
    }

    /**
     * Evaluates one credential: finds a candidate key type index for its chain, then asks for
     * the quality of that pairing. Returns {@link Match#NOTHING} when the index is negative or
     * the quality is NONE.
     */
    private Match getPotentialMatch(Credential credential, List<String> keyTypes, int keyTypeLimit, Set<Principal> uniquePrincipals, BCAlgorithmConstraints algorithmConstraints, boolean forServer, Date atDate, String requestedHostName) {
        X509Certificate[] chain = credential.certificateChain;
        int keyTypeIndex = ProvX509KeyManager.getPotentialKeyType(keyTypes, keyTypeLimit, uniquePrincipals, algorithmConstraints, forServer, chain);
        if (keyTypeIndex < 0) {
            return Match.NOTHING;
        }
        ProvX509KeyManager.MatchQuality quality = ProvX509KeyManager.getKeyTypeQuality(this.isInFipsMode, this.helper, keyTypes, algorithmConstraints, forServer, atDate, requestedHostName, chain, keyTypeIndex);
        if (ProvX509KeyManager.MatchQuality.NONE == quality) {
            return Match.NOTHING;
        }
        return new Match(quality, keyTypeIndex, credential);
    }

    /** Looks up the credential stored under the alias; null alias or unknown alias yields null. */
    private Credential getCredential(String alias) {
        return null == alias ? null : this.credentials.get(alias);
    }

    /** Appends a match to the list, creating the list on first use, and returns the list. */
    private static List<Match> addToMatches(List<Match> matches, Match match) {
        List<Match> target = matches;
        if (null == target) {
            target = new ArrayList<>();
        }
        target.add(match);
        return target;
    }

    /** Returns the alias of the credential carried by the match. */
    private static String getAlias(Match match) {
        return match.credential.alias;
    }

    /** Returns the aliases of the given matches, in list order. */
    private static String[] getAliases(List<Match> matches) {
        String[] aliases = new String[matches.size()];
        int next = 0;
        for (Match match : matches) {
            aliases[next++] = getAlias(match);
        }
        return aliases;
    }
}
