package net.luminis.tls.handshake;

import j$.util.Collection;
import j$.util.Objects;
import j$.util.Optional;
import j$.util.function.Predicate$CC;
import j$.util.stream.Collectors;
import j$.util.stream.Stream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import net.luminis.tls.CertificateWithPrivateKey;
import net.luminis.tls.DefaultHostnameVerifier;
import net.luminis.tls.HostnameVerifier;
import net.luminis.tls.Logger;
import net.luminis.tls.NewSessionTicket;
import net.luminis.tls.ProtectionKeysType;
import net.luminis.tls.TlsConstants;
import net.luminis.tls.TlsProtocolException;
import net.luminis.tls.TlsState;
import net.luminis.tls.TranscriptHash;
import net.luminis.tls.alert.BadCertificateAlert;
import net.luminis.tls.alert.DecryptErrorAlert;
import net.luminis.tls.alert.ErrorAlert;
import net.luminis.tls.alert.HandshakeFailureAlert;
import net.luminis.tls.alert.IllegalParameterAlert;
import net.luminis.tls.alert.MissingExtensionAlert;
import net.luminis.tls.alert.UnexpectedMessageAlert;
import net.luminis.tls.alert.UnsupportedExtensionAlert;
import net.luminis.tls.extension.CertificateAuthoritiesExtension;
import net.luminis.tls.extension.ClientHelloPreSharedKeyExtension;
import net.luminis.tls.extension.Extension;
import net.luminis.tls.extension.KeyShareExtension;
import net.luminis.tls.extension.PreSharedKeyExtension;
import net.luminis.tls.extension.ServerPreSharedKeyExtension;
import net.luminis.tls.extension.SignatureAlgorithmsExtension;
import net.luminis.tls.extension.SupportedVersionsExtension;
import net.luminis.tls.extension.UnknownExtension;
import net.luminis.tls.handshake.ClientHello;

/* loaded from: classes2.dex */
/**
 * Client side of a TLS 1.3 handshake, as recovered by a decompiler.
 *
 * <p>The engine sends a ClientHello from {@code startHandshake} and then advances {@link Status}
 * one step per server message handled by the {@code received(...)} overloads. Each handled message
 * is added to the transcript hash, and the {@code statusHandler} is notified when secrets become
 * available.
 *
 * <p>Decompiler artifacts: every {@code new Object()} passed where a predicate, function or supplier
 * is expected replaces a lambda the decompiler could not reconstruct. The lambda bodies survive as
 * the {@code lambda$...} synthetic methods, but which one belongs to which call site is inferred
 * from the numbering, not shown. Names such as {@code OooOo00} or {@code o00Oo0} are obfuscated.
 *
 * <p>NOTE(review): {@code hostnameVerifier} is assigned but never invoked anywhere in this listing,
 * and {@code serverName} is only used to build the ClientHello. As shown, the server certificate is
 * chain-validated but not compared with the requested server name. Confirm that the name check
 * happens in the superclass or the caller; without it, any certificate that chains to a trusted
 * root is accepted for any host.
 */
public class TlsClientEngine extends TlsEngine implements ClientMessageProcessor {
    // Signature schemes this implementation can be configured with; filled in the static initializer.
    public static final List<TlsConstants.SignatureScheme> AVAILABLE_SIGNATURES;
    // Charset used to encode the CertificateVerify context string in verifySignature.
    private static final Charset ISO_8859_1;
    // Set once a CertificateRequest has been received; triggers sendClientAuth() after server Finished.
    private boolean clientAuthRequested;
    // Authorities named in the server's CertificateRequest (empty list when the extension is absent).
    private List<X500Principal> clientCertificateAuthorities;
    private ClientHello clientHello;
    private boolean compatibilityMode;
    // Optional caller-supplied trust manager; when null the platform default PKIX trust manager is used.
    private X509TrustManager customTrustManager;
    // Ticket from an earlier session; when set, startHandshake offers its PSK.
    private NewSessionTicket newSessionTicket;
    private TlsConstants.CipherSuite selectedCipher;
    private final ClientMessageSender sender;
    // Extensions actually sent in the ClientHello; server responses are checked against these.
    private List<Extension> sentExtensions;
    private X509Certificate serverCertificate;
    private String serverName;
    private List<TlsConstants.SignatureScheme> serverSupportedSignatureSchemes;
    private final TlsStatusEventHandler statusHandler;
    // Schemes offered to the server; a server CertificateVerify must use one of them.
    private List<TlsConstants.SignatureScheme> supportedSignatures;
    private TranscriptHash transcriptHash;
    private Status status = Status.Initial;
    private List<X509Certificate> serverCertificateChain = Collections.emptyList();
    // True when the ServerHello carried a pre_shared_key extension; the server then sends no certificate.
    private boolean pskAccepted = false;
    private List<TlsConstants.CipherSuite> supportedCiphers = new ArrayList();
    private List<Extension> requestedExtensions = new ArrayList();
    // NOTE(review): never read in this listing; see the class comment.
    private HostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
    private List<NewSessionTicket> obtainedNewSessionTickets = new ArrayList();
    // Decompiler artifact: `new Object()` replaces a lambda, presumably lambda$new$0 below,
    // which returns null (no client certificate).
    private Function<List<X500Principal>, CertificateWithPrivateKey> clientCertificateSelector = new Object();

    /* loaded from: classes2.dex */
    /** Handshake progress; each {@code received(...)} handler checks the value it expects before advancing. */
    public enum Status {
        Initial,
        ClientHelloSent,
        ServerHelloReceived,
        EncryptedExtensionsReceived,
        CertificateRequestReceived,
        CertificateReceived,
        CertificateVerifyReceived,
        Finished
    }

    // Builds the unmodifiable AVAILABLE_SIGNATURES list (three RSA-PSS schemes and one ECDSA scheme)
    // and resolves the ISO-8859-1 charset. The array/loop shape is how the decompiler renders an
    // immutable-list factory call.
    static {
        Object[] objArr = {TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.rsa_pss_rsae_sha384, TlsConstants.SignatureScheme.rsa_pss_rsae_sha512, TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256};
        ArrayList arrayList = new ArrayList(4);
        for (int i = 0; i < 4; i++) {
            Object obj = objArr[i];
            Objects.requireNonNull(obj);
            arrayList.add(obj);
        }
        AVAILABLE_SIGNATURES = Collections.unmodifiableList(arrayList);
        ISO_8859_1 = Charset.forName("ISO-8859-1");
    }

    /* JADX WARN: Type inference failed for: r2v5, types: [java.util.function.Function<java.util.List<javax.security.auth.x500.X500Principal>, net.luminis.tls.CertificateWithPrivateKey>, java.lang.Object] */
    /**
     * Creates an engine that sends handshake messages through {@code clientMessageSender} and
     * reports handshake events to {@code tlsStatusEventHandler}. Neither argument is null-checked.
     */
    public TlsClientEngine(ClientMessageSender clientMessageSender, TlsStatusEventHandler tlsStatusEventHandler) {
        this.sender = clientMessageSender;
        this.statusHandler = tlsStatusEventHandler;
    }

    /**
     * Decides whether a client certificate can be used with the given signature scheme.
     *
     * <p>Returns true for rsa_pss_rsae_sha256/sha384 when the certificate's signature algorithm name
     * contains "withrsa", true for ecdsa_secp256r1_sha256 when it contains "withecdsa", and false
     * otherwise.
     *
     * <p>NOTE(review): {@code getSigAlgName()} names the algorithm the issuer used to sign this
     * certificate, not the type of the subject's own key. An EC key certified by an RSA CA would be
     * classified as RSA here; confirm this is intended. {@code toLowerCase()} without a locale is
     * also locale-sensitive (a name containing an upper-case "I" lower-cases differently under a
     * Turkish default locale). rsa_pss_rsae_sha512 is in AVAILABLE_SIGNATURES but not accepted here.
     */
    private boolean certificateSupportsSignature(X509Certificate x509Certificate, TlsConstants.SignatureScheme signatureScheme) {
        String sigAlgName = x509Certificate.getSigAlgName();
        if (sigAlgName.toLowerCase().contains("withrsa")) {
            Object[] objArr = {TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.rsa_pss_rsae_sha384};
            ArrayList arrayList = new ArrayList(2);
            for (int i = 0; i < 2; i++) {
                Object obj = objArr[i];
                Objects.requireNonNull(obj);
                arrayList.add(obj);
            }
            return Collections.unmodifiableList(arrayList).contains(signatureScheme);
        }
        if (!sigAlgName.toLowerCase().contains("withecdsa")) {
            return false;
        }
        Object[] objArr2 = {TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256};
        ArrayList arrayList2 = new ArrayList(1);
        Object obj2 = objArr2[0];
        Objects.requireNonNull(obj2);
        arrayList2.add(obj2);
        return Collections.unmodifiableList(arrayList2).contains(signatureScheme);
    }

    /**
     * Extracts a human-readable reason from the cause of a certificate validation failure.
     *
     * @return "message: reason" for a CertPathValidatorException cause, the cause's message for a
     *     CertPathBuilderException cause, and empty for any other (or missing) cause
     */
    private Optional<String> extractReason(CertificateException certificateException) {
        CertPathValidatorException.Reason reason;
        Throwable cause = certificateException.getCause();
        if (!(cause instanceof CertPathValidatorException)) {
            // NOTE(review): Optional.of throws if the builder exception carries a null message.
            return cause instanceof CertPathBuilderException ? Optional.of(cause.getMessage()) : Optional.empty();
        }
        String message = cause.getMessage();
        reason = ((CertPathValidatorException) cause).getReason();
        return Optional.of(message + ": " + reason);
    }

    // ---- Synthetic lambda bodies. The call sites were decompiled as `new Object()` or as
    // ---- obfuscated helper classes, so the pairing with call sites is inferred from the numbering.

    // Always returns null, i.e. "no client certificate"; presumably the default clientCertificateSelector.
    public static /* synthetic */ CertificateWithPrivateKey lambda$new$0(List list) {
        return null;
    }

    // True for every extension that was parsed into a known type.
    public static /* synthetic */ boolean lambda$received$11(Extension extension) {
        return !(extension instanceof UnknownExtension);
    }

    // True when the extension's class is in the given list of classes.
    public static /* synthetic */ boolean lambda$received$12(List list, Extension extension) {
        return list.contains(extension.getClass());
    }

    // Selects the signature_algorithms extension.
    public static /* synthetic */ boolean lambda$received$14(Extension extension) {
        return extension instanceof SignatureAlgorithmsExtension;
    }

    // Reads the scheme list out of a signature_algorithms extension.
    public static /* synthetic */ List lambda$received$15(Extension extension) {
        return ((SignatureAlgorithmsExtension) extension).getSignatureAlgorithms();
    }

    // Supplier of the alert raised when a required extension is absent.
    public static /* synthetic */ MissingExtensionAlert lambda$received$16() {
        return new MissingExtensionAlert();
    }

    // Selects the certificate_authorities extension.
    public static /* synthetic */ boolean lambda$received$17(Extension extension) {
        return extension instanceof CertificateAuthoritiesExtension;
    }

    // Reads the authority list out of a certificate_authorities extension.
    public static /* synthetic */ List lambda$received$18(Extension extension) {
        return ((CertificateAuthoritiesExtension) extension).getAuthorities();
    }

    // Selects the supported_versions extension.
    public static /* synthetic */ boolean lambda$received$2(Extension extension) {
        return extension instanceof SupportedVersionsExtension;
    }

    // True for a pre_shared_key or key_share extension.
    public static /* synthetic */ boolean lambda$received$3(Extension extension) {
        return (extension instanceof PreSharedKeyExtension) || (extension instanceof KeyShareExtension);
    }

    // Selects the supported_versions extension (duplicate of lambda$received$2).
    public static /* synthetic */ boolean lambda$received$4(Extension extension) {
        return extension instanceof SupportedVersionsExtension;
    }

    // Reads the negotiated version out of a supported_versions extension.
    public static /* synthetic */ Short lambda$received$5(Extension extension) {
        return Short.valueOf(((SupportedVersionsExtension) extension).getTlsVersion());
    }

    // True for any extension other than supported_versions, pre_shared_key and key_share.
    public static /* synthetic */ boolean lambda$received$6(Extension extension) {
        return ((extension instanceof SupportedVersionsExtension) || (extension instanceof PreSharedKeyExtension) || (extension instanceof KeyShareExtension)) ? false : true;
    }

    // Selects the key_share extension.
    public static /* synthetic */ boolean lambda$received$7(Extension extension) {
        return extension instanceof KeyShareExtension;
    }

    // Takes the first key share entry; throws if the extension carries no entries.
    public static /* synthetic */ KeyShareExtension.KeyShareEntry lambda$received$8(Extension extension) {
        return ((KeyShareExtension) extension).getKeyShareEntries().get(0);
    }

    // Selects the server's pre_shared_key extension.
    public static /* synthetic */ boolean lambda$received$9(Extension extension) {
        return extension instanceof ServerPreSharedKeyExtension;
    }

    // Filter used by sendClientAuth: can the selected client certificate sign with this scheme?
    public /* synthetic */ boolean lambda$sendClientAuth$19(CertificateWithPrivateKey certificateWithPrivateKey, TlsConstants.SignatureScheme signatureScheme) {
        return certificateSupportsSignature(certificateWithPrivateKey.getCertificate(), signatureScheme);
    }

    // Supplier of the alert raised when no common signature scheme is found for client auth.
    public static /* synthetic */ HandshakeFailureAlert lambda$sendClientAuth$20() {
        return new HandshakeFailureAlert("failed to negotiate signature scheme");
    }

    // True for a scheme that is NOT in AVAILABLE_SIGNATURES; used to reject unsupported requests.
    public static /* synthetic */ boolean lambda$startHandshake$1(TlsConstants.SignatureScheme signatureScheme) {
        return !AVAILABLE_SIGNATURES.contains(signatureScheme);
    }

    /**
     * Answers a server CertificateRequest.
     *
     * <p>Always sends a Certificate message, built from the certificate chosen by
     * {@code clientCertificateSelector} or from null when none was chosen. When a certificate was
     * chosen, it also sends a CertificateVerify signed with the first scheme that the server
     * offered, that this client offered, and that the certificate supports.
     *
     * @throws ErrorAlert presumably a HandshakeFailureAlert (lambda$sendClientAuth$20) when no
     *     scheme qualifies; the supplier was decompiled as {@code new Object()}
     */
    private void sendClientAuth() throws IOException, ErrorAlert {
        // NOTE(review): setClientCertificateCallback accepts null, which would make this call throw.
        final CertificateWithPrivateKey apply = this.clientCertificateSelector.apply(this.clientCertificateAuthorities);
        CertificateMessage certificateMessage = new CertificateMessage(apply != null ? apply.getCertificate() : null);
        this.sender.send(certificateMessage);
        this.transcriptHash.recordClient(certificateMessage);
        if (apply != null) {
            // Server preference order decides: iterate the server's list and keep the first match.
            Stream stream = Collection.EL.stream(this.serverSupportedSignatureSchemes);
            final List<TlsConstants.SignatureScheme> list = this.supportedSignatures;
            Objects.requireNonNull(list);
            TlsConstants.SignatureScheme signatureScheme = (TlsConstants.SignatureScheme) stream.filter(new Predicate() { // from class: net.luminis.tls.handshake.o00000O
                public final /* synthetic */ Predicate and(Predicate predicate) {
                    return Predicate$CC.$default$and(this, predicate);
                }

                public final /* synthetic */ Predicate negate() {
                    return Predicate$CC.$default$negate(this);
                }

                public final /* synthetic */ Predicate or(Predicate predicate) {
                    return Predicate$CC.$default$or(this, predicate);
                }

                @Override // java.util.function.Predicate
                public final boolean test(Object obj) {
                    return list.contains((TlsConstants.SignatureScheme) obj);
                }
            }).filter(new Predicate() { // from class: net.luminis.tls.handshake.o00000OO
                public final /* synthetic */ Predicate and(Predicate predicate) {
                    return Predicate$CC.$default$and(this, predicate);
                }

                public final /* synthetic */ Predicate negate() {
                    return Predicate$CC.$default$negate(this);
                }

                public final /* synthetic */ Predicate or(Predicate predicate) {
                    return Predicate$CC.$default$or(this, predicate);
                }

                @Override // java.util.function.Predicate
                public final boolean test(Object obj) {
                    boolean lambda$sendClientAuth$19;
                    lambda$sendClientAuth$19 = TlsClientEngine.this.lambda$sendClientAuth$19(apply, (TlsConstants.SignatureScheme) obj);
                    return lambda$sendClientAuth$19;
                }
            }).findFirst().orElseThrow(new Object());
            // computeSignature is not defined in this class (presumably inherited from TlsEngine);
            // the meaning of the trailing `true` is not visible here.
            CertificateVerifyMessage certificateVerifyMessage = new CertificateVerifyMessage(signatureScheme, computeSignature(this.transcriptHash.getClientHash(TlsConstants.HandshakeType.certificate), apply.getPrivateKey(), signatureScheme, true));
            this.sender.send(certificateVerifyMessage);
            this.transcriptHash.recordClient(certificateVerifyMessage);
        }
    }

    /** Adds one extension to the set that startHandshake will request in the ClientHello. */
    public void add(Extension extension) {
        this.requestedExtensions.add(extension);
    }

    /** Adds several extensions to the set that startHandshake will request in the ClientHello. */
    public void addExtensions(List<Extension> list) {
        this.requestedExtensions.addAll(list);
    }

    /** Adds cipher suites to offer; startHandshake refuses to run while this list is empty. */
    public void addSupportedCiphers(List<TlsConstants.CipherSuite> list) {
        this.supportedCiphers.addAll(list);
    }

    /**
     * Validates the server certificate chain against trust anchors.
     *
     * <p>Uses the custom trust manager when one was set (auth type "RSA"); otherwise uses the first
     * trust manager of a PKIX factory initialised with a null key store, i.e. the platform default
     * trust store (auth type "UNKNOWN").
     *
     * <p>This checks chain trust only; nothing here compares the certificate with the server name.
     *
     * @throws BadCertificateAlert when the trust manager rejects the chain; the message carries the
     *     reason extracted from the underlying exception when one is available
     */
    public void checkCertificateValidity(List<X509Certificate> list) throws BadCertificateAlert {
        try {
            X509TrustManager x509TrustManager = this.customTrustManager;
            if (x509TrustManager != null) {
                // A custom trust manager fully replaces the default check; a permissive
                // implementation supplied by the caller disables chain validation.
                x509TrustManager.checkServerTrusted((X509Certificate[]) list.toArray(new X509Certificate[list.size()]), "RSA");
                return;
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            trustManagerFactory.init((KeyStore) null);
            // Assumes the first trust manager is an X509TrustManager; the cast fails otherwise.
            ((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).checkServerTrusted((X509Certificate[]) list.toArray(new X509Certificate[list.size()]), "UNKNOWN");
        } catch (KeyStoreException unused) {
            // NOTE(review): the original exception is dropped, so the cause is lost for diagnosis.
            throw new RuntimeException("keystore exception");
        } catch (NoSuchAlgorithmException unused2) {
            // NOTE(review): the original exception is dropped here as well.
            throw new RuntimeException("unsupported trust manager algorithm");
        } catch (CertificateException e) {
            throw new BadCertificateAlert(extractReason(e).orElse("certificate validation failed"));
        }
    }

    /**
     * Returns the session tickets received so far.
     * NOTE(review): this is the live internal list, not a copy; callers can modify it.
     */
    public List<NewSessionTicket> getNewSessionTickets() {
        return this.obtainedNewSessionTickets;
    }

    /**
     * Returns the cipher suite chosen by the server.
     *
     * @throws IllegalStateException when no ServerHello has been accepted yet
     */
    @Override // net.luminis.tls.handshake.TlsEngine
    public TlsConstants.CipherSuite getSelectedCipher() {
        TlsConstants.CipherSuite cipherSuite = this.selectedCipher;
        if (cipherSuite != null) {
            return cipherSuite;
        }
        throw new IllegalStateException("No (valid) server hello received yet");
    }

    /**
     * Returns the chain from the server's Certificate message (empty until one is received).
     * The chain is stored when the message arrives, before it has been validated.
     */
    public List<X509Certificate> getServerCertificateChain() {
        return this.serverCertificateChain;
    }

    /** Returns true once the server Finished has been verified and the client Finished sent. */
    public boolean handshakeFinished() {
        return this.status == Status.Finished;
    }

    /**
     * Handles the server Certificate message.
     *
     * <p>Accepted only under handshake keys and only after EncryptedExtensions or
     * CertificateRequest. Stores the end-entity certificate and chain; validation happens later,
     * when CertificateVerify arrives.
     *
     * @throws TlsProtocolException on wrong protection level, wrong state, a non-empty request
     *     context, or a missing end-entity certificate
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateMessage certificateMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        Status status = this.status;
        if (status != Status.EncryptedExtensionsReceived && status != Status.CertificateRequestReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate message");
        }
        // A server certificate must carry an empty request context.
        if (certificateMessage.getRequestContext().length > 0) {
            throw new IllegalParameterAlert("certificate request context should be zero length");
        }
        if (certificateMessage.getEndEntityCertificate() == null) {
            throw new IllegalParameterAlert("missing certificate");
        }
        this.serverCertificate = certificateMessage.getEndEntityCertificate();
        this.serverCertificateChain = certificateMessage.getCertificateChain();
        this.transcriptHash.recordServer(certificateMessage);
        this.status = Status.CertificateReceived;
    }

    /**
     * Handles the server CertificateRequest message.
     *
     * <p>Accepted only under handshake keys and only directly after EncryptedExtensions. Records
     * the server's signature schemes and the optional authority list, and marks client
     * authentication as requested.
     *
     * <p>The five {@code new Object()} arguments replace lambdas; presumably lambda$received$14..18
     * (signature_algorithms filter/map/missing-extension supplier, then certificate_authorities
     * filter/map).
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateRequestMessage certificateRequestMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.EncryptedExtensionsReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate request message");
        }
        // The first lookup throws when absent; the authorities lookup below falls back to empty.
        this.serverSupportedSignatureSchemes = (List) Collection.EL.stream(certificateRequestMessage.getExtensions()).filter(new Object()).findFirst().map(new Object()).orElseThrow(new Object());
        this.transcriptHash.record(certificateRequestMessage);
        this.clientCertificateAuthorities = (List) Collection.EL.stream(certificateRequestMessage.getExtensions()).filter(new Object()).findFirst().map(new Object()).orElse(Collections.emptyList());
        this.clientAuthRequested = true;
        this.status = Status.CertificateRequestReceived;
    }

    /**
     * Handles the server CertificateVerify message.
     *
     * <p>Checks, in order: protection level, state, that the scheme is one this client offered,
     * the signature over the transcript using the stored server certificate, and finally the trust
     * of the certificate chain.
     *
     * <p>NOTE(review): no hostname check follows the chain validation; {@code hostnameVerifier} and
     * {@code serverName} are not consulted here. Confirm where the certificate is bound to the
     * requested host.
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(CertificateVerifyMessage certificateVerifyMessage, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.CertificateReceived) {
            throw new UnexpectedMessageAlert("unexpected certificate verify message");
        }
        TlsConstants.SignatureScheme signatureScheme = certificateVerifyMessage.getSignatureScheme();
        // Refuse a scheme that was not offered, so the server cannot pick one outside the offer.
        if (!this.supportedSignatures.contains(signatureScheme)) {
            throw new IllegalParameterAlert("signature scheme does not match");
        }
        if (!verifySignature(certificateVerifyMessage.getSignature(), signatureScheme, this.serverCertificate, this.transcriptHash.getServerHash(TlsConstants.HandshakeType.certificate))) {
            throw new DecryptErrorAlert("signature verification fails");
        }
        // Proof of key possession is established above; now check that the chain is trusted.
        checkCertificateValidity(this.serverCertificateChain);
        this.transcriptHash.recordServer(certificateVerifyMessage);
        this.status = Status.CertificateVerifyReceived;
    }

    // Delegates to an obfuscated helper; presumably the interface's default handling of a message
    // a client should not receive. The behaviour is not visible in this listing.
    @Override // net.luminis.tls.handshake.MessageProcessor
    public final /* synthetic */ void received(ClientHello clientHello, ProtectionKeysType protectionKeysType) {
        OooOo00.OooO00o(this, clientHello, protectionKeysType);
    }

    /**
     * Handles the server EncryptedExtensions message.
     *
     * <p>Accepted only under handshake keys and only directly after ServerHello. Rejects the
     * message when a filtered extension has no counterpart among the sent extensions, or when the
     * message holds duplicates.
     *
     * <p>The filter and match predicates are obfuscated classes from another package; presumably
     * lambda$received$11 (skip unknown extensions) and lambda$received$12 (class was sent). The two
     * {@code new Object()} mappers presumably map each extension to its class.
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(EncryptedExtensions encryptedExtensions, ProtectionKeysType protectionKeysType) throws TlsProtocolException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != Status.ServerHelloReceived) {
            throw new UnexpectedMessageAlert("unexpected encrypted extensions message");
        }
        if (!Collection.EL.stream(encryptedExtensions.getExtensions()).filter(new net.luminis.quic.cid.o00Oo0(1)).allMatch(new net.luminis.quic.cid.o00Ooo((List) Collection.EL.stream(this.sentExtensions).map(new Object()).collect(Collectors.toList()), 1))) {
            throw new UnsupportedExtensionAlert("extension response to missing request");
        }
        // Duplicate detection: the set of mapped values must be as large as the extension list.
        if (((Set) Collection.EL.stream(encryptedExtensions.getExtensions()).map(new Object()).collect(Collectors.toSet())).size() != encryptedExtensions.getExtensions().size()) {
            throw new UnsupportedExtensionAlert("duplicate extensions not allowed");
        }
        this.transcriptHash.record(encryptedExtensions);
        this.status = Status.EncryptedExtensionsReceived;
        this.statusHandler.extensionsReceived(encryptedExtensions.getExtensions());
    }

    /**
     * Handles the server Finished message and completes the client side of the handshake.
     *
     * <p>Accepted only under handshake keys. The expected state is EncryptedExtensionsReceived when
     * a PSK was accepted (no certificate messages), otherwise CertificateVerifyReceived, so a server
     * cannot skip certificate authentication outside PSK mode. After verifying the server's verify
     * data it sends client authentication when requested, sends the client Finished, derives
     * application and resumption secrets, and reports completion.
     *
     * @throws ErrorAlert on wrong protection level, wrong state, or mismatching verify data
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(FinishedMessage finishedMessage, ProtectionKeysType protectionKeysType) throws ErrorAlert, IOException {
        if (protectionKeysType != ProtectionKeysType.Handshake) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        if (this.status != (this.pskAccepted ? Status.EncryptedExtensionsReceived : Status.CertificateVerifyReceived)) {
            throw new UnexpectedMessageAlert("unexpected finished message");
        }
        // NOTE(review): the message is recorded before its verify data is checked; confirm that
        // getServerHash(certificate_verify) below is unaffected by this record.
        this.transcriptHash.recordServer(finishedMessage);
        TranscriptHash transcriptHash = this.transcriptHash;
        TlsConstants.HandshakeType handshakeType = TlsConstants.HandshakeType.certificate_verify;
        // NOTE(review): Arrays.equals is not a constant-time comparison; MessageDigest.isEqual is
        // the usual choice for comparing MAC-like values.
        if (!Arrays.equals(finishedMessage.getVerifyData(), computeFinishedVerifyData(transcriptHash.getServerHash(handshakeType), this.state.getServerHandshakeTrafficSecret()))) {
            throw new DecryptErrorAlert("incorrect finished message");
        }
        if (this.clientAuthRequested) {
            sendClientAuth();
        }
        FinishedMessage finishedMessage2 = new FinishedMessage(computeFinishedVerifyData(this.transcriptHash.getClientHash(handshakeType), this.state.getClientHandshakeTrafficSecret()));
        this.sender.send(finishedMessage2);
        this.transcriptHash.recordClient(finishedMessage2);
        this.state.computeApplicationSecrets();
        this.state.computeResumptionMasterSecret();
        this.status = Status.Finished;
        this.statusHandler.handshakeFinished();
    }

    /**
     * Handles a NewSessionTicket message: stores the ticket and reports it to the status handler.
     *
     * <p>Accepted only under application keys. The handshake status is not checked here, and the
     * number of stored tickets is not limited.
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(NewSessionTicketMessage newSessionTicketMessage, ProtectionKeysType protectionKeysType) throws UnexpectedMessageAlert {
        if (protectionKeysType != ProtectionKeysType.Application) {
            throw new UnexpectedMessageAlert("incorrect protection level");
        }
        NewSessionTicket newSessionTicket = new NewSessionTicket(this.state, newSessionTicketMessage);
        this.obtainedNewSessionTickets.add(newSessionTicket);
        this.statusHandler.newSessionTicketReceived(newSessionTicket);
    }

    /**
     * Handles the ServerHello message.
     *
     * <p>Requires a supported_versions extension announcing TLS 1.3 and at least one of key_share or
     * pre_shared_key, rejects any other extension, and requires the chosen cipher suite to be one
     * that was offered. It then records the PSK choice and the peer key share, derives the
     * handshake secrets and advances to ServerHelloReceived.
     *
     * <p>NOTE(review): unlike the other handlers, this one checks neither {@code protectionKeysType}
     * nor the current {@code status}, so a ServerHello arriving in any state is processed. Confirm
     * whether the caller guarantees ordering.
     *
     * <p>Most predicates here were decompiled as {@code new Object()}; presumably
     * lambda$received$2..9 in order.
     */
    @Override // net.luminis.tls.handshake.MessageProcessor
    public void received(ServerHello serverHello, ProtectionKeysType protectionKeysType) throws MissingExtensionAlert, IllegalParameterAlert {
        boolean anyMatch = Collection.EL.stream(serverHello.getExtensions()).anyMatch(new Object());
        boolean anyMatch2 = Collection.EL.stream(serverHello.getExtensions()).anyMatch(new Object());
        if (!anyMatch || !anyMatch2) {
            throw new MissingExtensionAlert();
        }
        // 772 == 0x0304, the TLS 1.3 version number; presumably the get() is safe because the
        // supported_versions presence check above already passed.
        if (((Short) Collection.EL.stream(serverHello.getExtensions()).filter(new Object()).map(new Object()).findFirst().get()).shortValue() != 772) {
            throw new IllegalParameterAlert("invalid tls version");
        }
        if (Collection.EL.stream(serverHello.getExtensions()).anyMatch(new net.luminis.quic.send.OooOO0(1))) {
            throw new IllegalParameterAlert("illegal extension in server hello");
        }
        // findFirst: the server's key share entry; findFirst2: the server's pre_shared_key
        // extension (both types follow from the casts further down).
        Optional findFirst = Collection.EL.stream(serverHello.getExtensions()).filter(new Object()).map(new Object()).findFirst();
        Optional findFirst2 = Collection.EL.stream(serverHello.getExtensions()).filter(new Object()).findFirst();
        if (!findFirst.isPresent() && !findFirst2.isPresent()) {
            throw new MissingExtensionAlert(" either the pre_shared_key extension or the key_share extension must be present");
        }
        if (findFirst2.isPresent()) {
            this.pskAccepted = true;
            // NOTE(review): leftover debug output written straight to stdout, bypassing Logger.
            System.out.println("JOH! PSK accepted!");
        }
        // The server may only select a cipher suite that this client offered.
        if (!this.supportedCiphers.contains(serverHello.getCipherSuite())) {
            throw new IllegalParameterAlert("cipher suite does not match");
        }
        this.selectedCipher = serverHello.getCipherSuite();
        if (findFirst2.isPresent()) {
            // NOTE(review): the selected identity is passed on without a visible check that it
            // refers to the PSK this client offered; confirm TlsState validates it.
            this.state.setPskSelected(((ServerPreSharedKeyExtension) findFirst2.get()).getSelectedIdentity());
            Logger.debug("Server has accepted PSK key establishment");
        } else {
            this.state.setNoPskSelected();
        }
        if (findFirst.isPresent()) {
            this.state.setPeerKey(((KeyShareExtension.KeyShareEntry) findFirst.get()).getKey());
            this.state.computeSharedSecret();
        }
        this.transcriptHash.record(serverHello);
        this.state.computeHandshakeSecrets();
        this.status = Status.ServerHelloReceived;
        this.statusHandler.handshakeSecretsKnown();
    }

    /**
     * Sets the function that picks a client certificate from the authorities the server named.
     * Returning null from the function means "send no client certificate". The argument itself is
     * not null-checked.
     */
    public void setClientCertificateCallback(Function<List<X500Principal>, CertificateWithPrivateKey> function) {
        this.clientCertificateSelector = function;
    }

    /** Sets the compatibility-mode flag that is passed to the ClientHello constructor. */
    public void setCompatibilityMode(boolean z) {
        this.compatibilityMode = z;
    }

    /**
     * Replaces the hostname verifier; a null argument is ignored and the current one is kept.
     * NOTE(review): the stored verifier is never called in this listing.
     */
    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
        if (hostnameVerifier != null) {
            this.hostnameVerifier = hostnameVerifier;
        }
    }

    /** Sets a ticket from an earlier session so that startHandshake offers its PSK. */
    public void setNewSessionTicket(NewSessionTicket newSessionTicket) {
        this.newSessionTicket = newSessionTicket;
    }

    /** Sets the server name used in the ClientHello; mandatory before startHandshake. */
    public void setServerName(String str) {
        this.serverName = str;
    }

    /**
     * Sets a trust manager that replaces the platform default for server certificate validation.
     * Passing null restores the default.
     */
    public void setTrustManager(X509TrustManager x509TrustManager) {
        this.customTrustManager = x509TrustManager;
    }

    /**
     * Starts the handshake with group secp256r1, offering rsa_pss_rsae_sha256 and
     * ecdsa_secp256r1_sha256.
     */
    public void startHandshake() throws IOException {
        TlsConstants.NamedGroup namedGroup = TlsConstants.NamedGroup.secp256r1;
        Object[] objArr = {TlsConstants.SignatureScheme.rsa_pss_rsae_sha256, TlsConstants.SignatureScheme.ecdsa_secp256r1_sha256};
        ArrayList arrayList = new ArrayList(2);
        for (int i = 0; i < 2; i++) {
            Object obj = objArr[i];
            Objects.requireNonNull(obj);
            arrayList.add(obj);
        }
        startHandshake(namedGroup, Collections.unmodifiableList(arrayList));
    }

    /**
     * Starts the handshake with the given group, offering only rsa_pss_rsae_sha256. Note that this
     * differs from the no-argument overload, which also offers an ECDSA scheme.
     */
    public void startHandshake(TlsConstants.NamedGroup namedGroup) throws IOException {
        Object[] objArr = {TlsConstants.SignatureScheme.rsa_pss_rsae_sha256};
        ArrayList arrayList = new ArrayList(1);
        Object obj = objArr[0];
        Objects.requireNonNull(obj);
        arrayList.add(obj);
        startHandshake(namedGroup, Collections.unmodifiableList(arrayList));
    }

    /**
     * Starts the handshake: generates the key pair, builds and sends the ClientHello, and derives
     * the early traffic secret.
     *
     * @param namedGroup key exchange group for the key share
     * @param list signature schemes to offer; each must be in AVAILABLE_SIGNATURES
     * @throws IllegalArgumentException when {@code list} holds an unsupported scheme
     * @throws IllegalStateException when the server name or the cipher suite list is missing
     */
    public void startHandshake(TlsConstants.NamedGroup namedGroup, List<TlsConstants.SignatureScheme> list) throws IOException {
        List<Extension> list2;
        // Presumably lambda$startHandshake$1: true when a scheme is not in AVAILABLE_SIGNATURES.
        if (Collection.EL.stream(list).anyMatch(new Object())) {
            ArrayList arrayList = new ArrayList(list);
            arrayList.removeAll(AVAILABLE_SIGNATURES);
            throw new IllegalArgumentException("Unsupported signature scheme(s): " + arrayList);
        }
        // The caller's list is stored by reference; later changes by the caller would alter which
        // schemes received(CertificateVerifyMessage) accepts.
        this.supportedSignatures = list;
        // Keys are generated before the mandatory-property check below.
        generateKeys(namedGroup);
        if (this.serverName == null || this.supportedCiphers.isEmpty()) {
            throw new IllegalStateException("not all mandatory properties are set");
        }
        // 32 is presumably the hash length in bytes (SHA-256); TODO confirm against TranscriptHash.
        this.transcriptHash = new TranscriptHash(32);
        List<Extension> list3 = this.requestedExtensions;
        if (this.newSessionTicket != null) {
            // Resumption: copy the requested extensions and append the pre_shared_key extension.
            ArrayList arrayList2 = new ArrayList();
            arrayList2.addAll(this.requestedExtensions);
            this.state = new TlsState(this.transcriptHash, this.newSessionTicket.getPSK());
            arrayList2.add(new ClientHelloPreSharedKeyExtension(this.newSessionTicket));
            list2 = arrayList2;
        } else {
            this.state = new TlsState(this.transcriptHash);
            list2 = list3;
        }
        ClientHello clientHello = new ClientHello(this.serverName, this.publicKey, this.compatibilityMode, this.supportedCiphers, this.supportedSignatures, namedGroup, list2, this.state, ClientHello.PskKeyEstablishmentMode.PSKwithDHE);
        this.clientHello = clientHello;
        this.sentExtensions = clientHello.getExtensions();
        this.sender.send(this.clientHello);
        this.status = Status.ClientHelloSent;
        this.transcriptHash.record(this.clientHello);
        this.state.setOwnKey(this.privateKey);
        this.state.computeEarlyTrafficSecret();
        this.statusHandler.earlySecretsKnown();
    }

    /**
     * Verifies the server's CertificateVerify signature.
     *
     * <p>The signed content is built as 64 space bytes (0x20), the context string
     * "TLS 1.3, server CertificateVerify", a single zero byte, and the transcript hash.
     *
     * @param bArr the signature from the CertificateVerify message
     * @param signatureScheme the scheme the server signed with
     * @param certificate the server certificate whose public key verifies the signature
     * @param bArr2 the transcript hash covered by the signature
     * @return true when the signature is valid; false when it is invalid or the key cannot be used
     *     with the scheme (both cases are only logged at debug level)
     */
    public boolean verifySignature(byte[] bArr, TlsConstants.SignatureScheme signatureScheme, Certificate certificate, byte[] bArr2) throws HandshakeFailureAlert {
        // Capacity: context string + 64 pad bytes + 1 separator byte + hash.
        ByteBuffer allocate = ByteBuffer.allocate("TLS 1.3, server CertificateVerify".getBytes(ISO_8859_1).length + 65 + bArr2.length);
        for (int i = 0; i < 64; i++) {
            allocate.put((byte) 32);
        }
        allocate.put("TLS 1.3, server CertificateVerify".getBytes(ISO_8859_1));
        allocate.put((byte) 0);
        allocate.put(bArr2);
        try {
            // getSignatureAlgorithm is not defined in this class (presumably inherited from TlsEngine).
            Signature signatureAlgorithm = getSignatureAlgorithm(signatureScheme);
            signatureAlgorithm.initVerify(certificate);
            signatureAlgorithm.update(allocate.array());
            return signatureAlgorithm.verify(bArr);
        } catch (InvalidKeyException unused) {
            // Fail closed: a key that does not fit the scheme counts as a failed verification.
            Logger.debug("Certificate verify: invalid key.");
            return false;
        } catch (SignatureException unused2) {
            // Fail closed: a malformed signature counts as a failed verification.
            Logger.debug("Certificate verify: invalid signature.");
            return false;
        }
    }
}
