package sun.security.ssl;

import java.io.IOException;
import java.nio.BufferOverflowException;
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Queue;
import javax.crypto.SecretKey;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLHandshakeException;
import javax.security.auth.x500.X500Principal;
import sun.security.ssl.NamedGroup;
import sun.security.ssl.SSLExtension;
import sun.security.ssl.SupportedGroupsExtension;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:META-INF/modules/java.base/classes/sun/security/ssl/HandshakeContext.class */
/**
 * Mutable state for one TLS handshake: the protocol versions and cipher suites that may be
 * negotiated, the registered message consumers and producers, the queue of delegated
 * handshake messages, and the parameters agreed so far.
 *
 * <p>This is a decompiled listing. Per the decompiler notes, the class and the members
 * marked "package-private in the class file" below are shown as {@code public} only as a
 * decompilation artifact; do not read the modifiers as the real API surface.
 */
public abstract class HandshakeContext implements ConnectionContext {
    // Property-backed switches, read once at class initialization via
    // Utilities.getBooleanProperty. Unsafe renegotiation defaults to off; legacy hello
    // messages default to on. Neither flag is consulted inside this class.
    static final boolean allowUnsafeRenegotiation = Utilities.getBooleanProperty("sun.security.ssl.allowUnsafeRenegotiation", false);
    static final boolean allowLegacyHelloMessages = Utilities.getBooleanProperty("sun.security.ssl.allowLegacyHelloMessages", true);

    // Handshake message routing, keyed by the one-byte handshake type.
    // handshakeConsumers is assigned only by the two-argument constructor.
    LinkedHashMap<Byte, SSLConsumer> handshakeConsumers;
    final HashMap<Byte, HandshakeProducer> handshakeProducers;

    // Connection-level collaborators and the configuration in force for this handshake.
    final SSLContextImpl sslContext;
    final TransportContext conContext;
    final SSLConfiguration sslConfig;

    // Negotiation candidates computed by the two-argument constructor.
    final List<ProtocolVersion> activeProtocols;
    final List<CipherSuite> activeCipherSuites;
    final AlgorithmConstraints algorithmConstraints;
    final ProtocolVersion maximumActiveProtocol;

    final HandshakeOutStream handshakeOutput;
    final HandshakeHash handshakeHash;
    SSLSessionImpl handshakeSession;
    boolean handshakeFinished;
    boolean kickstartMessageDelivered;
    boolean isResumption;
    SSLSessionImpl resumingSession;
    boolean statelessResumption = false;

    // Messages queued by dispatch(byte, Plaintext) when delegated tasks are in use.
    final Queue<Map.Entry<Byte, ByteBuffer>> delegatedActions;
    volatile boolean taskDelegated = false;
    volatile Exception delegatedThrown = null;

    ProtocolVersion negotiatedProtocol;
    CipherSuite negotiatedCipherSuite;
    final List<SSLPossession> handshakePossessions;
    final List<SSLCredentials> handshakeCredentials;
    SSLKeyDerivation handshakeKeyDerivation;
    SSLKeyExchange handshakeKeyExchange;
    SecretKey baseReadSecret;
    SecretKey baseWriteSecret;
    int clientHelloVersion;
    String applicationProtocol;
    RandomCookie clientHelloRandom;
    RandomCookie serverHelloRandom;
    byte[] certRequestContext;
    final Map<SSLExtension, SSLExtension.SSLExtensionSpec> handshakeExtensions;
    int maxFragmentLength;
    List<SignatureScheme> localSupportedSignAlgs;
    List<SignatureScheme> peerRequestedSignatureSchemes;
    List<SignatureScheme> peerRequestedCertSignSchemes;
    X500Principal[] peerSupportedAuthorities = null;
    List<NamedGroup> clientRequestedNamedGroups;
    NamedGroup serverSelectedNamedGroup;
    List<SNIServerName> requestedServerNames;
    SNIServerName negotiatedServerName;
    boolean staplingActive = false;

    /**
     * Builds the context for a full handshake (protected in the class file).
     *
     * <p>Works on a clone of the transport's {@code sslConfig}, derives the active protocol
     * versions and cipher suites from it, and finally primes the record layer versions via
     * {@link #initialize()}.
     *
     * @param sSLContextImpl the owning SSL context
     * @param transportContext the connection this handshake runs on
     * @throws SSLHandshakeException if no enabled protocol version, or no enabled cipher
     *         suite, survives the availability and algorithm-constraint filtering
     * @throws IOException declared by the signature
     */
    public HandshakeContext(SSLContextImpl sSLContextImpl, TransportContext transportContext) throws IOException {
        this.sslContext = sSLContextImpl;
        this.conContext = transportContext;
        // A private copy, so later changes made through this context do not touch the
        // configuration object held by the transport.
        this.sslConfig = (SSLConfiguration) transportContext.sslConfig.clone();

        this.activeProtocols = getActiveProtocols(this.sslConfig.enabledProtocols, this.sslConfig.enabledCipherSuites, this.sslConfig.algorithmConstraints);
        if (this.activeProtocols.isEmpty()) {
            throw new SSLHandshakeException("No appropriate protocol (protocol is disabled or cipher suites are inappropriate)");
        }

        // Highest active version according to ProtocolVersion.compare.
        ProtocolVersion highest = ProtocolVersion.NONE;
        for (ProtocolVersion candidate : this.activeProtocols) {
            if (highest == ProtocolVersion.NONE || candidate.compare(highest) > 0) {
                highest = candidate;
            }
        }
        this.maximumActiveProtocol = highest;

        this.activeCipherSuites = getActiveCipherSuites(this.activeProtocols, this.sslConfig.enabledCipherSuites, this.sslConfig.algorithmConstraints);
        if (this.activeCipherSuites.isEmpty()) {
            throw new SSLHandshakeException("No appropriate cipher suite");
        }

        this.algorithmConstraints = new SSLAlgorithmConstraints(this.sslConfig.algorithmConstraints);
        this.handshakeConsumers = new LinkedHashMap<>();
        this.handshakeProducers = new HashMap<>();
        this.handshakeHash = transportContext.inputRecord.handshakeHash;
        this.handshakeOutput = new HandshakeOutStream(transportContext.outputRecord);
        this.handshakeFinished = false;
        this.kickstartMessageDelivered = false;
        this.delegatedActions = new LinkedList<>();
        this.handshakeExtensions = new HashMap<>();
        this.handshakePossessions = new LinkedList<>();
        this.handshakeCredentials = new LinkedList<>();
        this.requestedServerNames = null;
        this.negotiatedServerName = null;
        this.negotiatedCipherSuite = transportContext.cipherSuite;
        initialize();
    }

    /**
     * Builds a reduced context on top of an existing connection (package-private in the
     * class file).
     *
     * <p>Unlike the two-argument constructor this one shares the transport's
     * {@code sslConfig} by reference, copies the already negotiated protocol version and
     * cipher suite, and leaves the negotiation-only members ({@code handshakeProducers},
     * {@code handshakeHash}, {@code activeProtocols}, {@code activeCipherSuites},
     * {@code algorithmConstraints}, {@code maximumActiveProtocol},
     * {@code handshakePossessions}, {@code handshakeCredentials}) set to {@code null}.
     * {@code handshakeConsumers} is not assigned here at all.
     *
     * @param transportContext the connection to attach to
     */
    public HandshakeContext(TransportContext transportContext) {
        this.conContext = transportContext;
        this.sslContext = transportContext.sslContext;
        this.sslConfig = transportContext.sslConfig;
        this.negotiatedProtocol = transportContext.protocolVersion;
        this.negotiatedCipherSuite = transportContext.cipherSuite;
        this.handshakeOutput = new HandshakeOutStream(transportContext.outputRecord);
        this.delegatedActions = new LinkedList<>();
        this.handshakeExtensions = Collections.emptyMap();

        // Members that only make sense while negotiating are deliberately absent.
        this.handshakeProducers = null;
        this.handshakeHash = null;
        this.activeProtocols = null;
        this.activeCipherSuites = null;
        this.algorithmConstraints = null;
        this.maximumActiveProtocol = null;
        this.handshakePossessions = null;
        this.handshakeCredentials = null;
    }

    /**
     * Sets the hello versions on the input and output records and the version on the
     * output record.
     *
     * <p>On an already negotiated connection the connection's version is used throughout.
     * Otherwise the maximum active version is used, except that when SSL20Hello is active
     * the inbound hello version is SSL20Hello and the outbound one stays SSL20Hello unless
     * the maximum active version reports {@code useTLS13PlusSpec()}.
     */
    private void initialize() {
        final ProtocolVersion inboundHello;
        final ProtocolVersion outboundHello;
        if (this.conContext.isNegotiated) {
            inboundHello = this.conContext.protocolVersion;
            outboundHello = this.conContext.protocolVersion;
        } else if (this.activeProtocols.contains(ProtocolVersion.SSL20Hello)) {
            inboundHello = ProtocolVersion.SSL20Hello;
            if (this.maximumActiveProtocol.useTLS13PlusSpec()) {
                outboundHello = this.maximumActiveProtocol;
            } else {
                outboundHello = ProtocolVersion.SSL20Hello;
            }
        } else {
            inboundHello = this.maximumActiveProtocol;
            outboundHello = this.maximumActiveProtocol;
        }

        this.conContext.inputRecord.setHelloVersion(inboundHello);
        this.conContext.outputRecord.setHelloVersion(outboundHello);
        if (!this.conContext.isNegotiated) {
            this.conContext.protocolVersion = this.maximumActiveProtocol;
        }
        this.conContext.outputRecord.setVersion(this.conContext.protocolVersion);
    }

    /**
     * Filters the enabled protocol versions down to those that can actually be offered.
     *
     * <p>A version is kept when the algorithm constraints permit its name for key agreement
     * and at least one enabled cipher suite is available, supports the version and passes
     * {@link #isActivatable}. The first SSL20Hello entry is not checked on its own; it is
     * appended only when some other version was kept.
     *
     * @param list enabled protocol versions
     * @param list2 enabled cipher suites
     * @param algorithmConstraints constraints consulted for versions, suites and groups
     * @return an unmodifiable, sorted list of usable versions, possibly empty
     */
    private static List<ProtocolVersion> getActiveProtocols(List<ProtocolVersion> list, List<CipherSuite> list2, AlgorithmConstraints algorithmConstraints) {
        List<ProtocolVersion> usable = new ArrayList<>(4);
        boolean sawSsl20Hello = false;

        for (ProtocolVersion candidate : list) {
            if (!sawSsl20Hello && candidate == ProtocolVersion.SSL20Hello) {
                sawSsl20Hello = true;
                continue;
            }
            if (!algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), candidate.name, null)) {
                continue;
            }

            // Named-group verdicts are cached per protocol version.
            Map<NamedGroup.NamedGroupSpec, Boolean> groupVerdicts = new EnumMap<>(NamedGroup.NamedGroupSpec.class);
            boolean hasSuite = false;
            for (CipherSuite suite : list2) {
                if (!suite.isAvailable() || !suite.supports(candidate)) {
                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                        SSLLogger.fine("Ignore unsupported cipher suite: " + suite + " for " + candidate);
                    }
                    continue;
                }
                if (isActivatable(suite, algorithmConstraints, groupVerdicts)) {
                    // One usable suite is enough to keep the version.
                    usable.add(candidate);
                    hasSuite = true;
                    break;
                }
            }
            if (!hasSuite && SSLLogger.isOn && SSLLogger.isOn("handshake")) {
                SSLLogger.fine("No available cipher suite for " + candidate);
            }
        }

        if (!usable.isEmpty()) {
            if (sawSsl20Hello) {
                usable.add(ProtocolVersion.SSL20Hello);
            }
            Collections.sort(usable);
        }
        return Collections.unmodifiableList(usable);
    }

    /**
     * Filters the enabled cipher suites down to those usable with at least one active
     * protocol version.
     *
     * @param list active protocol versions; {@code null} or empty yields an empty result
     * @param list2 enabled cipher suites, whose order is preserved in the result
     * @param algorithmConstraints constraints consulted for suites and named groups
     * @return an unmodifiable list of usable cipher suites, possibly empty
     */
    private static List<CipherSuite> getActiveCipherSuites(List<ProtocolVersion> list, List<CipherSuite> list2, AlgorithmConstraints algorithmConstraints) {
        List<CipherSuite> usable = new LinkedList<>();
        if (list == null || list.isEmpty()) {
            return Collections.unmodifiableList(usable);
        }

        Map<NamedGroup.NamedGroupSpec, Boolean> groupVerdicts = new EnumMap<>(NamedGroup.NamedGroupSpec.class);
        for (CipherSuite suite : list2) {
            if (!suite.isAvailable()) {
                continue;
            }
            boolean accepted = false;
            for (ProtocolVersion version : list) {
                if (suite.supports(version) && isActivatable(suite, algorithmConstraints, groupVerdicts)) {
                    usable.add(suite);
                    accepted = true;
                    break;
                }
            }
            if (!accepted && SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                SSLLogger.finest("Ignore unsupported cipher suite: " + suite);
            }
        }
        return Collections.unmodifiableList(usable);
    }

    /**
     * Reads and validates the four-byte handshake header of a record (package-private in
     * the class file).
     *
     * <p>The record must be a handshake record, must hold at least four bytes, and the
     * 24-bit length read after the type byte must equal the number of bytes then remaining.
     * A shorter or longer body is rejected rather than truncated or padded. The length
     * check relies on {@code Record.getInt8}/{@code getInt24} advancing the buffer
     * (presumed from their use here; confirm in {@code Record}).
     *
     * @param transportContext connection used to raise the fatal alert
     * @param plaintext the decoded record
     * @return the handshake message type
     * @throws IOException the exception returned by {@code transportContext.fatal}:
     *         INTERNAL_ERROR for a non-handshake record, UNEXPECTED_MESSAGE for a missing,
     *         short or length-mismatched fragment
     */
    public static byte getHandshakeType(TransportContext transportContext, Plaintext plaintext) throws IOException {
        if (plaintext.contentType != ContentType.HANDSHAKE.id) {
            throw transportContext.fatal(Alert.INTERNAL_ERROR, "Unexpected operation for record: " + ((int) plaintext.contentType));
        }

        ByteBuffer fragment = plaintext.fragment;
        if (fragment == null || fragment.remaining() < 4) {
            throw transportContext.fatal(Alert.UNEXPECTED_MESSAGE, "Invalid handshake message: insufficient data");
        }

        byte handshakeType = (byte) Record.getInt8(plaintext.fragment);
        int declaredLength = Record.getInt24(plaintext.fragment);
        if (declaredLength != plaintext.fragment.remaining()) {
            throw transportContext.fatal(Alert.UNEXPECTED_MESSAGE, "Invalid handshake message: insufficient handshake body");
        }
        return handshakeType;
    }

    /**
     * Routes a handshake message either to immediate processing or to the delegated-action
     * queue (package-private in the class file).
     *
     * <p>The message is processed inline when the transport does not use delegated tasks,
     * or when the queue is empty and the type is FINISHED, KEY_UPDATE or
     * NEW_SESSION_TICKET. In every other case the remaining fragment bytes are copied into
     * a fresh buffer and queued, so the queued entry does not alias
     * {@code plaintext.fragment}.
     *
     * @param b handshake message type
     * @param plaintext record holding the message body
     * @throws IOException if inline processing fails
     */
    public void dispatch(byte b, Plaintext plaintext) throws IOException {
        if (!this.conContext.transport.useDelegatedTask()) {
            dispatch(b, plaintext.fragment);
            return;
        }

        if (this.delegatedActions.isEmpty()) {
            boolean handledInline = b == SSLHandshake.FINISHED.id
                    || b == SSLHandshake.KEY_UPDATE.id
                    || b == SSLHandshake.NEW_SESSION_TICKET.id;
            if (handledInline) {
                dispatch(b, plaintext.fragment);
                return;
            }
            // First entry of a new batch: clear the outcome of the previous one.
            this.taskDelegated = false;
            this.delegatedThrown = null;
        }

        ByteBuffer copy = ByteBuffer.wrap(new byte[plaintext.fragment.remaining()]);
        copy.put(plaintext.fragment);
        copy.rewind();
        this.delegatedActions.add(new AbstractMap.SimpleImmutableEntry<>(Byte.valueOf(b), copy));
    }

    /**
     * Hands one handshake message to its consumer and then updates the handshake hash
     * (package-private in the class file).
     *
     * <p>HELLO_REQUEST always goes to {@code SSLHandshake.HELLO_REQUEST}; any other type
     * must have a consumer registered in {@code handshakeConsumers}, otherwise the
     * connection is failed with UNEXPECTED_MESSAGE. Parsing errors surfacing as buffer
     * overflow or underflow are converted into a DECODE_ERROR alert.
     *
     * <p>NOTE(review): the one-argument constructor leaves {@code handshakeConsumers}
     * unassigned and {@code handshakeHash} null, so this body would fail with a
     * NullPointerException on such a context; presumably subclasses built that way
     * override this method. Confirm against the subclasses.
     *
     * @param b handshake message type
     * @param byteBuffer message body
     * @throws IOException the exception returned by {@code conContext.fatal}, or whatever
     *         the consumer throws
     */
    public void dispatch(byte b, ByteBuffer byteBuffer) throws IOException {
        final SSLConsumer consumer;
        if (b == SSLHandshake.HELLO_REQUEST.id) {
            consumer = SSLHandshake.HELLO_REQUEST;
        } else {
            consumer = this.handshakeConsumers.get(Byte.valueOf(b));
        }
        if (consumer == null) {
            throw this.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected handshake message: " + SSLHandshake.nameOf(b));
        }

        try {
            consumer.consume(this, byteBuffer);
            this.handshakeHash.consume();
        } catch (UnsupportedOperationException unsupported) {
            throw this.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unsupported handshake message: " + SSLHandshake.nameOf(b), unsupported);
        } catch (BufferOverflowException | BufferUnderflowException malformed) {
            throw this.conContext.fatal(Alert.DECODE_ERROR, "Illegal handshake message: " + SSLHandshake.nameOf(b), malformed);
        }
    }

    /**
     * Starts the handshake; implemented by subclasses (package-private in the class file).
     *
     * @throws IOException if the handshake cannot be started
     */
    public abstract void kickstart() throws IOException;

    /**
     * Tells whether the suite is among this context's active cipher suites and reports
     * itself negotiable (package-private in the class file).
     *
     * @param cipherSuite suite to test
     * @return {@code true} if the suite may be negotiated
     */
    public boolean isNegotiable(CipherSuite cipherSuite) {
        return isNegotiable(this.activeCipherSuites, cipherSuite);
    }

    /**
     * Tells whether the suite is contained in {@code list} and reports itself negotiable.
     *
     * @param list candidate cipher suites
     * @param cipherSuite suite to test
     * @return {@code true} if both conditions hold
     */
    static final boolean isNegotiable(List<CipherSuite> list, CipherSuite cipherSuite) {
        if (!list.contains(cipherSuite)) {
            return false;
        }
        return cipherSuite.isNegotiable();
    }

    /**
     * Tells whether the suite is contained in {@code list}, reports itself negotiable and
     * supports the given protocol version (package-private in the class file).
     *
     * @param list candidate cipher suites
     * @param protocolVersion version the suite must support
     * @param cipherSuite suite to test
     * @return {@code true} if all three conditions hold
     */
    public static final boolean isNegotiable(List<CipherSuite> list, ProtocolVersion protocolVersion, CipherSuite cipherSuite) {
        if (!list.contains(cipherSuite)) {
            return false;
        }
        if (!cipherSuite.isNegotiable()) {
            return false;
        }
        return cipherSuite.supports(protocolVersion);
    }

    /**
     * Tells whether the protocol version is among the active ones (package-private in the
     * class file).
     *
     * @param protocolVersion version to test
     * @return {@code true} if {@code activeProtocols} contains it
     */
    public boolean isNegotiable(ProtocolVersion protocolVersion) {
        return this.activeProtocols.contains(protocolVersion);
    }

    /**
     * Stores the protocol version on the connection context (package-private in the class
     * file).
     *
     * @param protocolVersion version to record
     */
    public void setVersion(ProtocolVersion protocolVersion) {
        this.conContext.protocolVersion = protocolVersion;
    }

    /**
     * Decides whether a cipher suite may be used under the given constraints.
     *
     * <p>The suite name must be permitted for key agreement. A suite without a key exchange
     * is then accepted outright; otherwise at least one of the key exchange's group types
     * must be NAMED_GROUP_NONE or be reported activatable by
     * {@code SupportedGroupsExtension.SupportedGroups}. Every group type is evaluated, with
     * no early exit, and verdicts are stored in {@code map} for reuse by later calls.
     *
     * @param cipherSuite suite to test
     * @param algorithmConstraints constraints to consult
     * @param map cache of named-group verdicts, updated in place
     * @return {@code true} if the suite can be activated
     */
    private static boolean isActivatable(CipherSuite cipherSuite, AlgorithmConstraints algorithmConstraints, Map<NamedGroup.NamedGroupSpec, Boolean> map) {
        if (!algorithmConstraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), cipherSuite.name, null)) {
            if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                SSLLogger.fine("Ignore disabled cipher suite: " + cipherSuite);
            }
            return false;
        }
        if (cipherSuite.keyExchange == null) {
            return true;
        }

        boolean anyGroupUsable = false;
        for (NamedGroup.NamedGroupSpec groupType : cipherSuite.keyExchange.groupTypes) {
            if (groupType == NamedGroup.NamedGroupSpec.NAMED_GROUP_NONE) {
                anyGroupUsable = true;
                continue;
            }

            Boolean cached = map.get(groupType);
            if (cached != null) {
                anyGroupUsable |= cached.booleanValue();
                continue;
            }

            boolean verdict = SupportedGroupsExtension.SupportedGroups.isActivatable(algorithmConstraints, groupType);
            map.put(groupType, Boolean.valueOf(verdict));
            if (!verdict && SSLLogger.isOn && SSLLogger.isOn("verbose")) {
                SSLLogger.fine("No activated named group in " + groupType);
            }
            anyGroupUsable |= verdict;
        }

        if (!anyGroupUsable && SSLLogger.isOn && SSLLogger.isOn("verbose")) {
            SSLLogger.fine("No active named group(s), ignore " + cipherSuite);
        }
        return anyGroupUsable;
    }

    /**
     * Returns the server names requested for this handshake (package-private in the class
     * file).
     *
     * @return the stored list, or an empty list when none has been recorded; never
     *         {@code null}
     */
    public List<SNIServerName> getRequestedServerNames() {
        if (this.requestedServerNames == null) {
            return Collections.emptyList();
        }
        return this.requestedServerNames;
    }
}
