package io.netty.incubator.codec.quic;

import io.netty.util.CharsetUtil;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:essential-6bc87794c50ef8bd707bfe06f2383ef0.jar:gg/essential/sps/quic/jvm/netty.jar:io/netty/incubator/codec/quic/BoringSSLCertificateCallback.class */
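/**
 * Selects the local certificate chain and private key for a QUIC/TLS handshake by consulting an
 * {@link X509ExtendedKeyManager} and handing the result to BoringSSL as two native handles.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>Unless the key manager returns {@link BoringSSLKeylessPrivateKey#INSTANCE}, the private key
 *       is exported with {@link PrivateKey#getEncoded()} and copied onto the Java heap as PEM
 *       before being passed to {@code BoringSSL.EVP_PKEY_parse}. Keys that cannot be exported
 *       (encoding is {@code null}) make the selection fail instead of throwing.</li>
 *   <li>The key password is held as an immutable {@link String} for the lifetime of this object,
 *       so it cannot be wiped from memory by this class.</li>
 *   <li>Any failure removes the engine mapping for the connection, so a half-configured engine is
 *       not left registered.</li>
 * </ul>
 */
public final class BoringSSLCertificateCallback {
    // TLS ClientCertificateType identifiers (IANA "TLS ClientCertificateType Identifiers" registry).
    private static final byte TLS_CT_RSA_SIGN = 1;
    private static final byte TLS_CT_DSS_SIGN = 2;
    private static final byte TLS_CT_RSA_FIXED_DH = 3;
    private static final byte TLS_CT_DSS_FIXED_DH = 4;
    private static final byte TLS_CT_ECDSA_SIGN = 64;
    private static final byte TLS_CT_RSA_FIXED_ECDH = 65;
    private static final byte TLS_CT_ECDSA_FIXED_ECDH = 66;

    // Key-type names handed to the key manager when asking it for an alias.
    static final String KEY_TYPE_RSA = "RSA";
    static final String KEY_TYPE_DH_RSA = "DH_RSA";
    static final String KEY_TYPE_EC = "EC";
    static final String KEY_TYPE_EC_EC = "EC_EC";
    static final String KEY_TYPE_EC_RSA = "EC_RSA";

    /** Key types offered to the key manager when the peer sent no certificate-type list. */
    private static final Set<String> SUPPORTED_KEY_TYPES;

    /** Client-side result meaning "continue without key material": both handles are 0. */
    private static final long[] NO_KEY_MATERIAL_CLIENT_SIDE;

    private final QuicheQuicSslEngineMap engineMap;
    private final X509ExtendedKeyManager keyManager;
    private final String password;

    private static final byte[] BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\n".getBytes(CharsetUtil.US_ASCII);
    private static final byte[] END_PRIVATE_KEY = "\n-----END PRIVATE KEY-----\n".getBytes(CharsetUtil.US_ASCII);

    /** Maps an authentication-method name to the key-type name used for the server alias lookup. */
    private static final Map<String, String> KEY_TYPES = new HashMap<>();

    /**
     * Creates the callback.
     *
     * @param quicheQuicSslEngineMap lookup from connection handle to its SSL engine
     * @param x509ExtendedKeyManager source of aliases, certificate chains and private keys;
     *                               may be {@code null}, in which case no key material is selected
     * @param str                    password passed to {@code BoringSSL.EVP_PKEY_parse} together
     *                               with the PEM-encoded key
     */
    public BoringSSLCertificateCallback(QuicheQuicSslEngineMap quicheQuicSslEngineMap, X509ExtendedKeyManager x509ExtendedKeyManager, String str) {
        this.engineMap = quicheQuicSslEngineMap;
        this.keyManager = x509ExtendedKeyManager;
        this.password = str;
    }

    /**
     * Chooses key material for the connection identified by {@code j}.
     *
     * @param j      connection handle used as the key into the engine map
     * @param bArr   client certificate types (TLS ClientCertificateType bytes), or {@code null} to
     *               consider every supported key type; only used in client mode
     * @param bArr2  acceptable issuer names, each converted with {@link X500Principal#X500Principal(byte[])},
     *               or {@code null}; only used in client mode
     * @param strArr authentication-method names; only used in server mode
     * @return {@code {keyHandle, certificateChainHandle}}; {@code {0, 0}} in client mode when no
     *         key material is available; {@code null} when the engine is unknown or selection failed
     */
    public long[] handle(long j, byte[] bArr, byte[][] bArr2, String[] strArr) {
        QuicheQuicSslEngine engine = this.engineMap.get(j);
        if (engine == null) {
            return null;
        }
        try {
            if (this.keyManager == null) {
                // Without a key manager a client may still proceed unauthenticated; a server cannot.
                return engine.getUseClientMode() ? NO_KEY_MATERIAL_CLIENT_SIDE : null;
            }
            if (!engine.getUseClientMode()) {
                return removeMappingIfNeeded(j, selectKeyMaterialServerSide(j, engine, strArr));
            }
            String[] keyTypes = supportedClientKeyTypes(bArr).toArray(new String[0]);
            final X500Principal[] issuers;
            if (bArr2 == null) {
                issuers = null;
            } else {
                // These bytes are taken as-is from the argument; X500Principal throws
                // IllegalArgumentException on malformed input, which the Throwable handler
                // below turns into "remove the mapping and rethrow".
                issuers = new X500Principal[bArr2.length];
                for (int i = 0; i < bArr2.length; i++) {
                    issuers[i] = new X500Principal(bArr2[i]);
                }
            }
            return removeMappingIfNeeded(j, selectKeyMaterialClientSide(j, engine, keyTypes, issuers));
        } catch (SSLException e) {
            // Handshake-level failure: drop the mapping and report "no material".
            this.engineMap.remove(j);
            return null;
        } catch (Throwable th) {
            // Anything unexpected: never leave the engine registered, then propagate.
            this.engineMap.remove(j);
            throw th;
        }
    }

    /** Removes the engine mapping when {@code result} is {@code null}; returns {@code result} unchanged. */
    private long[] removeMappingIfNeeded(long ssl, long[] result) {
        if (result == null) {
            this.engineMap.remove(ssl);
        }
        return result;
    }

    /**
     * Walks the authentication methods in order and returns material for the first one the key
     * manager has a server alias for.
     *
     * @throws SSLException if {@code authMethods} is empty or no alias matches any of them
     */
    private long[] selectKeyMaterialServerSide(long ssl, QuicheQuicSslEngine engine, String[] authMethods) throws SSLException {
        if (authMethods.length == 0) {
            throw new SSLHandshakeException("Unable to find key material");
        }
        // Several auth methods map to the same key type; ask the key manager only once per type.
        Set<String> typesTried = new HashSet<>(KEY_TYPES.size());
        for (String authMethod : authMethods) {
            String keyType = KEY_TYPES.get(authMethod);
            if (keyType == null || !typesTried.add(keyType)) {
                continue;
            }
            String alias = chooseServerAlias(engine, keyType);
            if (alias != null) {
                return selectMaterial(ssl, engine, alias);
            }
        }
        throw new SSLHandshakeException("Unable to find key material for auth method(s): " + Arrays.toString(authMethods));
    }

    /** Returns material for the client alias chosen by the key manager, or {@code {0, 0}} if none. */
    private long[] selectKeyMaterialClientSide(long ssl, QuicheQuicSslEngine engine, String[] keyTypes, X500Principal[] issuers) {
        String alias = chooseClientAlias(engine, keyTypes, issuers);
        return alias != null ? selectMaterial(ssl, engine, alias) : NO_KEY_MATERIAL_CLIENT_SIDE;
    }

    /**
     * Loads the certificate chain and private key for {@code alias} and converts them to native
     * handles.
     *
     * @return {@code {keyHandle, chainHandle}} (key handle is 0 for the keyless private key), or
     *         {@code null} if the chain is missing, a certificate cannot be encoded, or the
     *         private key is absent or cannot be exported
     */
    private long[] selectMaterial(long ssl, QuicheQuicSslEngine engine, String alias) {
        X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return null;
        }
        byte[][] encodedChain = new byte[chain.length][];
        for (int i = 0; i < chain.length; i++) {
            try {
                encodedChain[i] = chain[i].getEncoded();
            } catch (CertificateEncodingException e) {
                return null;
            }
        }

        final long keyHandle;
        PrivateKey privateKey = this.keyManager.getPrivateKey(alias);
        if (privateKey == BoringSSLKeylessPrivateKey.INSTANCE) {
            // Keyless mode: no key bytes are exported, so no key handle is produced.
            keyHandle = 0;
        } else {
            byte[] pem = toPemEncoded(privateKey);
            if (pem == null) {
                return null;
            }
            // NOTE(review): `pem` is a plaintext copy of the private key and stays on the heap
            // until collected. If EVP_PKEY_parse does not retain the array (to be confirmed
            // against the native implementation), wipe it with Arrays.fill right after this call.
            // NOTE(review): the return value is not checked here; confirm how a failed parse is
            // reported, since 0 is also the value used for the keyless case above.
            keyHandle = BoringSSL.EVP_PKEY_parse(pem, this.password);
        }
        long chainHandle = BoringSSL.CRYPTO_BUFFER_stack_new(ssl, encodedChain);
        engine.setLocalCertificateChain(chain);
        return new long[]{keyHandle, chainHandle};
    }

    /**
     * Wraps the key's encoded form in a {@code PRIVATE KEY} PEM envelope.
     *
     * @return the PEM bytes, or {@code null} if {@code privateKey} is {@code null} or does not
     *         support encoding (for example a key that cannot be exported)
     */
    private static byte[] toPemEncoded(PrivateKey privateKey) {
        if (privateKey == null) {
            return null;
        }
        // Not wiped: a provider may hand back its internal array rather than a copy.
        byte[] der = privateKey.getEncoded();
        if (der == null) {
            return null;
        }
        byte[] base64 = Base64.getEncoder().encode(der);
        try {
            // Assemble into one exact-size array so no extra buffer copy of the key is left behind.
            byte[] pem = new byte[BEGIN_PRIVATE_KEY.length + base64.length + END_PRIVATE_KEY.length];
            int offset = 0;
            System.arraycopy(BEGIN_PRIVATE_KEY, 0, pem, offset, BEGIN_PRIVATE_KEY.length);
            offset += BEGIN_PRIVATE_KEY.length;
            System.arraycopy(base64, 0, pem, offset, base64.length);
            offset += base64.length;
            System.arraycopy(END_PRIVATE_KEY, 0, pem, offset, END_PRIVATE_KEY.length);
            return pem;
        } finally {
            // The intermediate Base64 form is owned by this method; clear it once copied.
            Arrays.fill(base64, (byte) 0);
        }
    }

    /** Asks the key manager for a client alias matching the key types and issuers. */
    private String chooseClientAlias(QuicheQuicSslEngine engine, String[] keyTypes, X500Principal[] issuers) {
        return this.keyManager.chooseEngineClientAlias(keyTypes, issuers, engine);
    }

    /** Asks the key manager for a server alias of the given key type; no issuer filter is applied. */
    private String chooseServerAlias(QuicheQuicSslEngine engine, String keyType) {
        return this.keyManager.chooseEngineServerAlias(keyType, null, engine);
    }

    /**
     * Translates certificate-type bytes into key-type names, dropping unrecognised types.
     *
     * @return {@link #SUPPORTED_KEY_TYPES} when {@code certificateTypes} is {@code null},
     *         otherwise a new set holding the recognised types
     */
    private static Set<String> supportedClientKeyTypes(byte[] certificateTypes) {
        if (certificateTypes == null) {
            return SUPPORTED_KEY_TYPES;
        }
        Set<String> keyTypes = new HashSet<>(certificateTypes.length);
        for (byte certificateType : certificateTypes) {
            String keyType = clientKeyType(certificateType);
            if (keyType != null) {
                keyTypes.add(keyType);
            }
        }
        return keyTypes;
    }

    /** Maps one ClientCertificateType byte to a key-type name, or {@code null} if unsupported. */
    private static String clientKeyType(byte certificateType) {
        switch (certificateType) {
            case TLS_CT_RSA_SIGN:
                return KEY_TYPE_RSA;
            case TLS_CT_RSA_FIXED_DH:
                return KEY_TYPE_DH_RSA;
            case TLS_CT_ECDSA_SIGN:
                return KEY_TYPE_EC;
            case TLS_CT_RSA_FIXED_ECDH:
                return KEY_TYPE_EC_RSA;
            case TLS_CT_ECDSA_FIXED_ECDH:
                return KEY_TYPE_EC_EC;
            default:
                // Includes the DSS types, which have no mapping here.
                return null;
        }
    }

    static {
        KEY_TYPES.put(KEY_TYPE_RSA, KEY_TYPE_RSA);
        KEY_TYPES.put("DHE_RSA", KEY_TYPE_RSA);
        KEY_TYPES.put("ECDHE_RSA", KEY_TYPE_RSA);
        KEY_TYPES.put("ECDHE_ECDSA", KEY_TYPE_EC);
        KEY_TYPES.put("ECDH_RSA", KEY_TYPE_EC_RSA);
        KEY_TYPES.put("ECDH_ECDSA", KEY_TYPE_EC_EC);
        KEY_TYPES.put(KEY_TYPE_DH_RSA, KEY_TYPE_DH_RSA);
        // LinkedHashSet keeps the iteration order of the list below.
        SUPPORTED_KEY_TYPES = Collections.unmodifiableSet(new LinkedHashSet<>(Arrays.asList(KEY_TYPE_RSA, KEY_TYPE_DH_RSA, KEY_TYPE_EC, KEY_TYPE_EC_RSA, KEY_TYPE_EC_EC)));
        NO_KEY_MATERIAL_CLIENT_SIDE = new long[]{0, 0};
    }
}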
