package io.netty.handler.ssl;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.Unpooled;
import io.netty.handler.codec.base64.Base64;
import io.netty.handler.codec.compression.Lz4Constants;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.util.CharsetUtil;
import io.netty.util.internal.ObjectUtil;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.SystemPropertyUtil;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import java.nio.charset.Charset;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateRevokedException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSL;
import org.apache.tomcat.jni.SSLContext;

/* loaded from: classes2.dex */
public abstract class OpenSslContext extends SslContext {
    // PEM armor lines as US-ASCII bytes; assigned in the static initializer.
    private static final byte[] BEGIN_CERT;
    private static final byte[] BEGIN_PRIVATE_KEY;
    // Fallback cipher list handed to CipherSuiteFilter.filterCipherSuites() by the constructor.
    private static final List<String> DEFAULT_CIPHERS;
    private static final byte[] END_CERT;
    private static final byte[] END_PRIVATE_KEY;
    // Value of the "jdk.tls.rejectClientInitiatedRenegotiation" system property (false when unset).
    private static final boolean JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
    // Negotiator used when no application protocol is configured (its protocol() is NONE).
    public static final OpenSslApplicationProtocolNegotiator NONE_PROTOCOL_NEGOTIATOR;
    // Not referenced in the visible code of this class.
    // NOTE(review): presumably the chain depth subclasses hand to OpenSSL — confirm.
    public static final int VERIFY_DEPTH = 10;
    private static final InternalLogger logger;
    private final OpenSslApplicationProtocolNegotiator apn;
    // Raw APR pool handle returned by Pool.create(); reset to 0 by destroy().
    // NOTE(review): public and non-final here (possibly widened by the decompiler), so any
    // writer can change which native handle destroy() later frees.
    public long aprPool;
    // Not referenced in the visible code of this class.
    private volatile int aprPoolDestroyed;
    // ClientAuth.NONE unless isServer() is true (see the constructor).
    private final ClientAuth clientAuth;
    // Raw native SSL context handle returned by SSLContext.make(); reset to 0 by destroy().
    // NOTE(review): public and writable here; a stale copy of this value is a dangling
    // pointer once destroy() has run.
    public volatile long ctx;
    // Maps native SSL pointers to their OpenSslEngine for the certificate-verify callback.
    private final OpenSslEngineMap engineMap;
    // Defensive clone of the certificate chain passed to the constructor (may be null).
    private final Certificate[] keyCertChain;
    // 0 or 1; isClient() reports true for 0.
    private final int mode;
    // Copied by value into every engine created by newEngine().
    private volatile boolean rejectRemoteInitiatedRenegotiation;
    private final long sessionCacheSize;
    private final long sessionTimeout;
    // NOTE(review): assigned from Arrays.asList(...) in the constructor, which is fixed-size
    // but still allows set(); the name overstates the guarantee.
    private final List<String> unmodifiableCiphers;

    /* renamed from: io.netty.handler.ssl.OpenSslContext$2, reason: invalid class name */
    /* loaded from: classes2.dex */
    // Compiler-generated lookup tables backing `switch` statements over the
    // ApplicationProtocolConfig enums. Each table is indexed by ordinal() and holds the
    // small case number the switch code compares against; slots not assigned below stay 0.
    //   SelectedListenerFailureBehavior: CHOOSE_MY_LAST_PROTOCOL -> 1, ACCEPT -> 2
    //   SelectorFailureBehavior:         NO_ADVERTISE -> 1, CHOOSE_MY_LAST_PROTOCOL -> 2
    //   Protocol:                        NPN -> 1, ALPN -> 2, NPN_AND_ALPN -> 3, NONE -> 4
    public static /* synthetic */ class AnonymousClass2 {
        public static final /* synthetic */ int[] $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol;
        public static final /* synthetic */ int[] $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectedListenerFailureBehavior;
        public static final /* synthetic */ int[] $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior;

        static {
            // Each assignment is guarded separately: a NoSuchFieldError for one enum constant
            // leaves that slot at 0 and does not stop the remaining slots from being filled.
            int[] iArr = new int[ApplicationProtocolConfig.SelectedListenerFailureBehavior.values().length];
            $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectedListenerFailureBehavior = iArr;
            try {
                iArr[ApplicationProtocolConfig.SelectedListenerFailureBehavior.CHOOSE_MY_LAST_PROTOCOL.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectedListenerFailureBehavior[ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            int[] iArr2 = new int[ApplicationProtocolConfig.SelectorFailureBehavior.values().length];
            $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior = iArr2;
            try {
                iArr2[ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE.ordinal()] = 1;
            } catch (NoSuchFieldError unused3) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior[ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL.ordinal()] = 2;
            } catch (NoSuchFieldError unused4) {
            }
            int[] iArr3 = new int[ApplicationProtocolConfig.Protocol.values().length];
            $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol = iArr3;
            try {
                iArr3[ApplicationProtocolConfig.Protocol.NPN.ordinal()] = 1;
            } catch (NoSuchFieldError unused5) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[ApplicationProtocolConfig.Protocol.ALPN.ordinal()] = 2;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[ApplicationProtocolConfig.Protocol.NPN_AND_ALPN.ordinal()] = 3;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                $SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[ApplicationProtocolConfig.Protocol.NONE.ordinal()] = 4;
            } catch (NoSuchFieldError unused8) {
            }
        }
    }

    /* loaded from: classes2.dex */
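    /**
     * Bridges the native certificate-verification callback to a Java-level check.
     *
     * <p>Subclasses implement {@link #verify(OpenSslEngine, X509Certificate[], String)}; any
     * {@code Throwable} it raises is translated into a non-zero verification result, so a
     * failing or crashing check rejects the peer rather than accepting it.
     */
    public abstract class AbstractCertificateVerifier implements CertificateVerifier {
        public AbstractCertificateVerifier() {
        }

        /**
         * Callback entry point for certificate verification.
         *
         * @param j8   native SSL pointer, used as the key into the engine map
         * @param bArr peer certificate chain, one encoded certificate per element
         * @param str  authentication-type string forwarded unchanged to the Java-level check
         * @return {@code 0} when the check passes, otherwise a non-zero error code
         */
        public final int verify(long j8, byte[][] bArr, String str) {
            X509Certificate[] certificates = OpenSslContext.certificates(bArr);
            // The engine is removed from the map here, so the mapping is single-use.
            OpenSslEngine engine = OpenSslContext.this.engineMap.remove(j8);
            try {
                verify(engine, certificates, str);
                return 0; // matches OpenSSL's X509_V_OK
            } catch (Throwable th) {
                // Failures are logged at debug level only; they are otherwise visible solely
                // through the handshake exception stored on the engine.
                OpenSslContext.logger.debug("verification of certificate failed", (Throwable) th);
                SSLHandshakeException handshakeFailure = new SSLHandshakeException("General OpenSslEngine problem");
                handshakeFailure.initCause(th);
                // engineMap.remove() yields null for an unknown pointer. Without this guard
                // the assignment would throw out of the callback instead of returning a
                // failure code; with it the peer is still rejected below.
                if (engine != null) {
                    engine.handshakeException = handshakeFailure;
                }
                if (th instanceof OpenSslCertificateException) {
                    // The cast is required: Throwable itself has no errorCode().
                    return ((OpenSslCertificateException) th).errorCode();
                }
                if (th instanceof CertificateExpiredException) {
                    return 10; // matches OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED
                }
                if (th instanceof CertificateNotYetValidException) {
                    return 9; // matches OpenSSL's X509_V_ERR_CERT_NOT_YET_VALID
                }
                // CertificateRevokedException is only tested on Java 7 and later.
                if (PlatformDependent.javaVersion() >= 7 && th instanceof CertificateRevokedException) {
                    return 23; // matches OpenSSL's X509_V_ERR_CERT_REVOKED
                }
                return 1; // matches OpenSSL's X509_V_ERR_UNSPECIFIED
            }
        }

        /**
         * Performs the actual trust decision.
         *
         * @param openSslEngine        engine registered for this handshake
         * @param x509CertificateArr   peer chain wrapped as {@link X509Certificate}s
         * @param str                  authentication-type string from the native callback
         * @throws Exception to reject the chain; returning normally accepts it
         */
        public abstract void verify(OpenSslEngine openSslEngine, X509Certificate[] x509CertificateArr, String str) throws Exception;
    }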

    /* loaded from: classes2.dex */
    /**
     * Concurrent registry of live engines keyed by their native SSL pointer. The
     * certificate-verify callback uses it to find the engine a handshake belongs to.
     */
    public static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
        private final Map<Long, OpenSslEngine> engines = PlatformDependent.newConcurrentHashMap();

        private DefaultOpenSslEngineMap() {
        }

        /** Registers {@code openSslEngine} under its own native SSL pointer. */
        @Override
        public void add(OpenSslEngine openSslEngine) {
            final Long key = Long.valueOf(openSslEngine.sslPointer());
            engines.put(key, openSslEngine);
        }

        /** Removes and returns the engine stored for {@code j8}, or {@code null} if none is. */
        @Override
        public OpenSslEngine remove(long j8) {
            final Long key = Long.valueOf(j8);
            return engines.remove(key);
        }
    }

    static {
        // PEM armor lines, kept as raw ASCII bytes for the toBIO() helpers.
        final Charset ascii = CharsetUtil.US_ASCII;
        BEGIN_CERT = "-----BEGIN CERTIFICATE-----\n".getBytes(ascii);
        END_CERT = "\n-----END CERTIFICATE-----\n".getBytes(ascii);
        BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\n".getBytes(ascii);
        END_PRIVATE_KEY = "\n-----END PRIVATE KEY-----\n".getBytes(ascii);

        final InternalLogger log = InternalLoggerFactory.getInstance(OpenSslContext.class);
        logger = log;

        // Server contexts start with the same renegotiation policy the JDK property selects.
        JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION =
                SystemPropertyUtil.getBoolean("jdk.tls.rejectClientInitiatedRenegotiation", false);

        // Placeholder negotiator: advertises no protocols at all.
        NONE_PROTOCOL_NEGOTIATOR = new OpenSslApplicationProtocolNegotiator() {
            @Override
            public ApplicationProtocolConfig.Protocol protocol() {
                return ApplicationProtocolConfig.Protocol.NONE;
            }

            @Override
            public List<String> protocols() {
                return Collections.emptyList();
            }

            @Override
            public ApplicationProtocolConfig.SelectedListenerFailureBehavior selectedListenerFailureBehavior() {
                return ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT;
            }

            @Override
            public ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior() {
                return ApplicationProtocolConfig.SelectorFailureBehavior.CHOOSE_MY_LAST_PROTOCOL;
            }
        };

        // Default cipher list, in preference order.
        // NOTE(review): this set is dated. It includes DES-CBC3-SHA (3DES, 64-bit block
        // cipher) and several static-RSA suites (AES128-GCM-SHA256, AES128-SHA, AES256-SHA)
        // that provide no forward secrecy. Deployments that need a stricter policy should
        // pass an explicit cipher list and filter to the constructor rather than rely on it.
        final List<String> defaults = new ArrayList<String>(Arrays.asList(
                "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES128-SHA",
                "ECDHE-RSA-AES256-SHA",
                "AES128-GCM-SHA256",
                "AES128-SHA",
                "AES256-SHA",
                "DES-CBC3-SHA"));
        DEFAULT_CIPHERS = Collections.unmodifiableList(defaults);

        if (log.isDebugEnabled()) {
            log.debug("Default cipher suite (OpenSSL): " + defaults);
        }
    }

    /**
     * Convenience constructor: converts {@code applicationProtocolConfig} with
     * {@link #toNegotiator(ApplicationProtocolConfig)} and delegates to the negotiator-based
     * constructor. A {@code null} config yields {@link #NONE_PROTOCOL_NEGOTIATOR}.
     *
     * @throws SSLException if the native context cannot be created or configured
     * @throws UnsupportedOperationException if the config requests a failure behavior that
     *         {@code toNegotiator} rejects
     */
    public OpenSslContext(Iterable<String> iterable, CipherSuiteFilter cipherSuiteFilter, ApplicationProtocolConfig applicationProtocolConfig, long j8, long j9, int i8, Certificate[] certificateArr, ClientAuth clientAuth) throws SSLException {
        this(iterable, cipherSuiteFilter, toNegotiator(applicationProtocolConfig), j8, j9, i8, certificateArr, clientAuth);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Creates the native SSL context and applies protocol options, cipher list, NPN/ALPN
     * protocols and session-cache settings. On any failure the native resources allocated
     * so far are released through {@link #destroy()} before the exception propagates.
     *
     * @param iterable              requested cipher names, or {@code null} to let the filter
     *                              work from the defaults only
     * @param cipherSuiteFilter     filter that picks the effective ciphers; must not be null
     * @param openSslApplicationProtocolNegotiator NPN/ALPN settings; must not be null
     * @param j8                    session cache size; a value {@code <= 0} selects the default path
     * @param j9                    session timeout; a value {@code <= 0} selects the default path
     * @param i8                    mode, must be {@code 0} or {@code 1}
     * @param certificateArr        key certificate chain, cloned defensively; may be null
     * @param clientAuth            required (non-null) only when {@code isServer()} is true
     * @throws SSLException if the native context cannot be created or configured
     * @throws IllegalArgumentException if {@code i8} is neither 0 nor 1
     */
    public OpenSslContext(Iterable<String> iterable, CipherSuiteFilter cipherSuiteFilter, OpenSslApplicationProtocolNegotiator openSslApplicationProtocolNegotiator, long j8, long j9, int i8, Certificate[] certificateArr, ClientAuth clientAuth) throws SSLException {
        String next;
        ArrayList arrayList = null;
        this.engineMap = new DefaultOpenSslEngineMap();
        OpenSsl.ensureAvailability();
        // Only the two mode values are accepted; isClient() treats 0 as client mode.
        if (i8 != 1 && i8 != 0) {
            throw new IllegalArgumentException("mode most be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
        }
        this.mode = i8;
        // The clientAuth argument is ignored unless isServer() is true.
        this.clientAuth = isServer() ? (ClientAuth) ObjectUtil.checkNotNull(clientAuth, "clientAuth") : ClientAuth.NONE;
        if (i8 == 1) {
            // Mode 1 inherits the JDK renegotiation system property as its starting policy.
            this.rejectRemoteInitiatedRenegotiation = JDK_REJECT_CLIENT_INITIATED_RENEGOTIATION;
        }
        this.keyCertChain = certificateArr == null ? null : (Certificate[]) certificateArr.clone();
        if (iterable != null) {
            arrayList = new ArrayList();
            Iterator<String> it = iterable.iterator();
            // The loop ends at the first null element: every cipher listed after a null
            // entry is silently dropped.
            while (it.hasNext() && (next = it.next()) != null) {
                // Names the converter does not recognise are passed through unchanged.
                String openSsl = CipherSuiteConverter.toOpenSsl(next);
                if (openSsl != null) {
                    next = openSsl;
                }
                arrayList.add(next);
            }
        }
        // Arrays.asList gives a fixed-size list whose elements can still be replaced with
        // set(); it is not an unmodifiable list despite the field name.
        List<String> asList = Arrays.asList(((CipherSuiteFilter) ObjectUtil.checkNotNull(cipherSuiteFilter, "cipherFilter")).filterCipherSuites(arrayList, DEFAULT_CIPHERS, OpenSsl.availableCipherSuites()));
        this.unmodifiableCiphers = asList;
        this.apn = (OpenSslApplicationProtocolNegotiator) ObjectUtil.checkNotNull(openSslApplicationProtocolNegotiator, "apn");
        this.aprPool = Pool.create(0L);
        try {
            // Native context creation is serialised on the class lock, as destroy() is.
            synchronized (OpenSslContext.class) {
                try {
                    try {
                        // NOTE(review): 31 has the five low bits set; presumably the
                        // "all protocols" mask of this tcnative build, in which case protocol
                        // restriction relies entirely on the option bits below — confirm.
                        this.ctx = SSLContext.make(this.aprPool, 31, i8);
                        // 4095 = 0x00000FFF; matches OpenSSL's SSL_OP_ALL.
                        SSLContext.setOptions(this.ctx, 4095);
                        // 16777216 = 0x01000000; matches OpenSSL's SSL_OP_NO_SSLv2.
                        SSLContext.setOptions(this.ctx, 16777216);
                        // NOTE(review): an Lz4 compression constant has no meaning as a TLS
                        // option. The decompiler presumably substituted a constant of equal
                        // value for the literal 0x02000000 (OpenSSL's SSL_OP_NO_SSLv3) —
                        // confirm the value, since SSLv3 stays enabled if it differs.
                        SSLContext.setOptions(this.ctx, Lz4Constants.MAX_BLOCK_SIZE);
                        // 4194304 = 0x00400000; matches SSL_OP_CIPHER_SERVER_PREFERENCE.
                        SSLContext.setOptions(this.ctx, 4194304);
                        // 524288 = 0x00080000; matches SSL_OP_SINGLE_ECDH_USE.
                        SSLContext.setOptions(this.ctx, 524288);
                        // 1048576 = 0x00100000; matches SSL_OP_SINGLE_DH_USE.
                        SSLContext.setOptions(this.ctx, 1048576);
                        // 65536 = 0x00010000; matches SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
                        SSLContext.setOptions(this.ctx, 65536);
                        // Mode bit 2 matches OpenSSL's SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER.
                        SSLContext.setMode(this.ctx, SSLContext.getMode(this.ctx) | 2);
                        try {
                            SSLContext.setCipherSuite(this.ctx, CipherSuiteConverter.toOpenSsl(asList));
                            List<String> protocols = openSslApplicationProtocolNegotiator.protocols();
                            if (!protocols.isEmpty()) {
                                String[] strArr = (String[]) protocols.toArray(new String[protocols.size()]);
                                int opensslSelectorFailureBehavior = opensslSelectorFailureBehavior(openSslApplicationProtocolNegotiator.selectorFailureBehavior());
                                // Switch-map values: 1 = NPN, 2 = ALPN, 3 = NPN_AND_ALPN.
                                int i9 = AnonymousClass2.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[openSslApplicationProtocolNegotiator.protocol().ordinal()];
                                if (i9 == 1) {
                                    SSLContext.setNpnProtos(this.ctx, strArr, opensslSelectorFailureBehavior);
                                } else if (i9 == 2) {
                                    SSLContext.setAlpnProtos(this.ctx, strArr, opensslSelectorFailureBehavior);
                                } else {
                                    if (i9 != 3) {
                                        throw new Error();
                                    }
                                    SSLContext.setNpnProtos(this.ctx, strArr, opensslSelectorFailureBehavior);
                                    SSLContext.setAlpnProtos(this.ctx, strArr, opensslSelectorFailureBehavior);
                                }
                            }
                            if (j8 > 0) {
                                this.sessionCacheSize = j8;
                                SSLContext.setSessionCacheSize(this.ctx, j8);
                            } else {
                                // Sets 20480, keeps whatever the native call returns, then
                                // writes that returned value back.
                                // NOTE(review): presumably the call returns the previous
                                // (native default) size, so this reads the default — confirm.
                                long sessionCacheSize = SSLContext.setSessionCacheSize(this.ctx, 20480L);
                                this.sessionCacheSize = sessionCacheSize;
                                SSLContext.setSessionCacheSize(this.ctx, sessionCacheSize);
                            }
                            if (j9 > 0) {
                                this.sessionTimeout = j9;
                                SSLContext.setSessionCacheTimeout(this.ctx, j9);
                            } else {
                                // Same set / capture / write-back sequence as for the cache size.
                                long sessionCacheTimeout = SSLContext.setSessionCacheTimeout(this.ctx, 300L);
                                this.sessionTimeout = sessionCacheTimeout;
                                SSLContext.setSessionCacheTimeout(this.ctx, sessionCacheTimeout);
                            }
                        } catch (SSLException e8) {
                            throw e8;
                        } catch (Exception e9) {
                            // As written, this handler also covers the NPN/ALPN and session
                            // cache calls above, so the message can name the cipher list for
                            // a failure that happened elsewhere; check the cause.
                            throw new SSLException("failed to set cipher suite: " + this.unmodifiableCiphers, e9);
                        }
                    } catch (Exception e10) {
                        throw new SSLException("failed to create an SSL_CTX", e10);
                    }
                } catch (Throwable th) {
                    throw th;
                }
            }
        } catch (Throwable th2) {
            // Release the APR pool (and the context, if it was created) before rethrowing.
            destroy();
            throw th2;
        }
    }

    /**
     * Wraps each encoded certificate of a peer chain in an {@code OpenSslX509Certificate}.
     *
     * @param bArr chain as delivered by the native callback, one element per certificate
     * @return array of the same length and order as {@code bArr}
     */
    public static X509Certificate[] certificates(byte[][] bArr) {
        final X509Certificate[] peerCerts = new X509Certificate[bArr.length];
        int slot = 0;
        for (byte[] encoded : bArr) {
            // The bytes come from the remote peer and are only wrapped here, not validated.
            peerCerts[slot++] = new OpenSslX509Certificate(encoded);
        }
        return peerCerts;
    }

    /**
     * Rejects any non-null {@link KeyManagerFactory}: this context type cannot use one.
     *
     * @throws IllegalArgumentException if {@code keyManagerFactory} is not {@code null}
     */
    public static void checkKeyManagerFactory(KeyManagerFactory keyManagerFactory) {
        if (keyManagerFactory == null) {
            return;
        }
        throw new IllegalArgumentException("KeyManagerFactory is currently not supported with OpenSslContext");
    }

    /**
     * Returns the first {@link X509TrustManager} found in {@code trustManagerArr}.
     *
     * <p>Only that first match is used; any further X509 trust managers in the array take
     * no part in the trust decision.
     *
     * @throws IllegalStateException if the array holds no {@code X509TrustManager}
     */
    public static X509TrustManager chooseTrustManager(TrustManager[] trustManagerArr) {
        for (int idx = 0; idx < trustManagerArr.length; idx++) {
            final TrustManager candidate = trustManagerArr[idx];
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("no X509TrustManager found");
    }

    /**
     * Allocates a native memory BIO and fills it with the readable bytes of {@code byteBuf}.
     *
     * @return the BIO handle; NOTE(review): presumably the caller must free it — confirm
     * @throws IllegalStateException if the BIO accepted fewer bytes than offered (the BIO is
     *         freed before throwing)
     */
    private static long newBIO(ByteBuf byteBuf) throws Exception {
        final long bio = SSL.newMemBIO();
        final int expected = byteBuf.readableBytes();
        if (SSL.writeToBIO(bio, OpenSsl.memoryAddress(byteBuf), expected) != expected) {
            // Short write: release the half-filled BIO instead of handing it out.
            SSL.freeBIO(bio);
            throw new IllegalStateException("Could not write data to memory BIO");
        }
        return bio;
    }

    /**
     * Maps a {@code SelectorFailureBehavior} to the integer passed to the native
     * NPN/ALPN setters.
     *
     * @throws Error for any behavior other than NO_ADVERTISE or CHOOSE_MY_LAST_PROTOCOL
     */
    private static int opensslSelectorFailureBehavior(ApplicationProtocolConfig.SelectorFailureBehavior selectorFailureBehavior) {
        switch (AnonymousClass2.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior[selectorFailureBehavior.ordinal()]) {
            case 1: // NO_ADVERTISE
                return 0;
            case 2: // CHOOSE_MY_LAST_PROTOCOL
                return 1;
            default:
                throw new Error();
        }
    }

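    /**
     * Encodes {@code privateKey} as a PEM block and copies it into a new native memory BIO.
     *
     * <p>The temporary buffers that held the PEM text are overwritten with zeros before
     * they are released, so the key does not linger in freed buffer memory. This is best
     * effort: it cannot reach copies made when the direct buffer grew, nor the array
     * returned by {@code getEncoded()}.
     *
     * @param privateKey key to export, or {@code null}
     * @return the BIO handle, or {@code 0} when {@code privateKey} is {@code null}
     * @throws IllegalArgumentException if the key has no encoded form
     * @throws Exception if the BIO cannot be created or filled
     */
    public static long toBIO(PrivateKey privateKey) throws Exception {
        if (privateKey == null) {
            return 0L;
        }
        // Key.getEncoded() returns null for keys that do not support encoding
        // (for example keys held in hardware); fail with a clear message.
        byte[] encoded = privateKey.getEncoded();
        if (encoded == null) {
            throw new IllegalArgumentException("private key does not support encoding");
        }
        ByteBuf pem = Unpooled.directBuffer();
        try {
            pem.writeBytes(BEGIN_PRIVATE_KEY);
            ByteBuf der = Unpooled.wrappedBuffer(encoded);
            try {
                ByteBuf base64 = Base64.encode(der, true);
                try {
                    pem.writeBytes(base64);
                } finally {
                    // Wipe the Base64 copy of the key before giving the buffer back.
                    base64.setZero(0, base64.capacity());
                    base64.release();
                }
            } finally {
                // Released exactly once. The previous shape released it a second time when
                // a later step failed, which replaced the real error with a
                // reference-count exception.
                der.release();
            }
            pem.writeBytes(END_PRIVATE_KEY);
            return newBIO(pem);
        } finally {
            // newBIO() has copied the bytes into the BIO by now; wipe our PEM copy.
            pem.setZero(0, pem.capacity());
            pem.release();
        }
    }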

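    /**
     * Encodes a certificate chain as consecutive PEM blocks and copies the result into a
     * new native memory BIO.
     *
     * @param x509CertificateArr chain to export, or {@code null}
     * @return the BIO handle, or {@code 0} when the chain is {@code null}
     * @throws Exception if a certificate cannot be encoded or the BIO cannot be filled
     */
    public static long toBIO(X509Certificate[] x509CertificateArr) throws Exception {
        if (x509CertificateArr == null) {
            return 0L;
        }
        ByteBuf pem = Unpooled.directBuffer();
        try {
            for (X509Certificate cert : x509CertificateArr) {
                pem.writeBytes(BEGIN_CERT);
                ByteBuf der = Unpooled.wrappedBuffer(cert.getEncoded());
                try {
                    ByteBuf base64 = Base64.encode(der, true);
                    try {
                        pem.writeBytes(base64);
                    } finally {
                        // The Base64 buffer was never released before: one leak per
                        // certificate on every call.
                        base64.release();
                    }
                } finally {
                    // Released exactly once; the earlier shape could release it twice when
                    // writing the END line failed.
                    der.release();
                }
                pem.writeBytes(END_CERT);
            }
            return newBIO(pem);
        } finally {
            pem.release();
        }
    }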

    /**
     * Converts an {@code ApplicationProtocolConfig} into the negotiator this provider uses.
     *
     * @param applicationProtocolConfig configuration, or {@code null}
     * @return {@link #NONE_PROTOCOL_NEGOTIATOR} for {@code null} or protocol NONE, otherwise
     *         a new {@code OpenSslDefaultApplicationProtocolNegotiator}
     * @throws UnsupportedOperationException if either failure behavior is not one of the
     *         two values handled below
     * @throws Error if the protocol value is not one of the four known ones
     */
    public static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig applicationProtocolConfig) {
        if (applicationProtocolConfig == null) {
            return NONE_PROTOCOL_NEGOTIATOR;
        }

        switch (AnonymousClass2.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$Protocol[applicationProtocolConfig.protocol().ordinal()]) {
            case 1: // NPN
            case 2: // ALPN
            case 3: // NPN_AND_ALPN
                break;
            case 4: // NONE
                return NONE_PROTOCOL_NEGOTIATOR;
            default:
                throw new Error();
        }

        // Listener side: only CHOOSE_MY_LAST_PROTOCOL (1) and ACCEPT (2) are supported.
        switch (AnonymousClass2.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectedListenerFailureBehavior[applicationProtocolConfig.selectedListenerFailureBehavior().ordinal()]) {
            case 1:
            case 2:
                break;
            default:
                throw new UnsupportedOperationException("OpenSSL provider does not support " + applicationProtocolConfig.selectedListenerFailureBehavior() + " behavior");
        }

        // Selector side: only NO_ADVERTISE (1) and CHOOSE_MY_LAST_PROTOCOL (2) are supported.
        switch (AnonymousClass2.$SwitchMap$io$netty$handler$ssl$ApplicationProtocolConfig$SelectorFailureBehavior[applicationProtocolConfig.selectorFailureBehavior().ordinal()]) {
            case 1:
            case 2:
                return new OpenSslDefaultApplicationProtocolNegotiator(applicationProtocolConfig);
            default:
                throw new UnsupportedOperationException("OpenSSL provider does not support " + applicationProtocolConfig.selectorFailureBehavior() + " behavior");
        }
    }

    /**
     * Reports whether {@code x509TrustManager} can be used as an
     * {@link X509ExtendedTrustManager}: the runtime must be Java 7 or later and the
     * instance must implement that type.
     */
    public static boolean useExtendedTrustManager(X509TrustManager x509TrustManager) {
        if (PlatformDependent.javaVersion() < 7) {
            return false;
        }
        return x509TrustManager instanceof X509ExtendedTrustManager;
    }

    /** Returns the NPN/ALPN negotiator this context was constructed with. */
    @Override // io.netty.handler.ssl.SslContext
    public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
        return this.apn;
    }

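    /**
     * Returns the cipher suites selected for this context at construction time.
     *
     * @return a read-only view of the effective cipher list
     */
    @Override // io.netty.handler.ssl.SslContext
    public final List<String> cipherSuites() {
        // The backing list is built with Arrays.asList, which still permits set(). Returning
        // a read-only view keeps callers from changing what this context reports; the
        // native context received its cipher string once, during construction.
        return Collections.unmodifiableList(this.unmodifiableCiphers);
    }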

    /**
     * Returns the raw native SSL context handle; same value as {@link #sslCtxPointer()}.
     * The value is {@code 0} after {@link #destroy()}, and a copy taken earlier must not be
     * used once the context has been destroyed.
     */
    @Deprecated
    public final long context() {
        return this.ctx;
    }

    /**
     * Frees the native SSL context and then the APR pool, zeroing each handle so that a
     * repeated call does nothing. Serialised on the class lock.
     */
    public final void destroy() {
        synchronized (OpenSslContext.class) {
            final long nativeCtx = this.ctx;
            if (nativeCtx != 0) {
                SSLContext.free(nativeCtx);
                this.ctx = 0L;
            }
            final long pool = this.aprPool;
            if (pool != 0) {
                Pool.destroy(pool);
                this.aprPool = 0L;
            }
        }
    }

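    /**
     * Last-resort release of the native handles when the context is garbage collected.
     * Callers should not rely on it; finalization timing is not predictable.
     */
    public final void finalize() throws Throwable {
        try {
            super.finalize();
        } finally {
            // Free the native context and pool even if the superclass finalizer throws.
            destroy();
        }
    }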

    /** Returns {@code true} when this context was created with mode {@code 0}. */
    @Override // io.netty.handler.ssl.SslContext
    public final boolean isClient() {
        return this.mode == 0;
    }

    /**
     * Creates an engine without peer information; delegates to the three-argument overload
     * with a {@code null} string and {@code -1}.
     */
    @Override // io.netty.handler.ssl.SslContext
    public final SSLEngine newEngine(ByteBufAllocator byteBufAllocator) {
        return newEngine(byteBufAllocator, null, -1);
    }

    /**
     * Creates an {@code OpenSslEngine} bound to this context's native handle.
     *
     * <p>The engine receives the current value of {@code rejectRemoteInitiatedRenegotiation}
     * by value, so later changes to that setting do not reach engines that already exist.
     *
     * @param str presumably the advisory peer host — confirm against {@code SslContext}
     * @param i8  presumably the advisory peer port — confirm against {@code SslContext}
     */
    // NOTE(review): nothing in this method enables endpoint identification; confirm where
    // hostname verification is configured for client engines.
    // NOTE(review): this.ctx is 0 after destroy(); there is no guard here against creating
    // an engine from a destroyed context.
    @Override // io.netty.handler.ssl.SslContext
    public final SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String str, int i8) {
        return new OpenSslEngine(this.ctx, byteBufAllocator, isClient(), sessionContext(), this.apn, this.engineMap, this.rejectRemoteInitiatedRenegotiation, str, i8, this.keyCertChain, this.clientAuth);
    }

    /** Returns the session cache size recorded by the constructor. */
    @Override // io.netty.handler.ssl.SslContext
    public final long sessionCacheSize() {
        return this.sessionCacheSize;
    }

    /**
     * Returns the session context for this SSL context. Implemented by subclasses; used by
     * {@code newEngine}, {@code setTicketKeys} and {@code stats}.
     */
    @Override // io.netty.handler.ssl.SslContext
    public abstract OpenSslSessionContext sessionContext();

    /** Returns the session timeout recorded by the constructor. */
    @Override // io.netty.handler.ssl.SslContext
    public final long sessionTimeout() {
        return this.sessionTimeout;
    }

    /**
     * Sets whether engines created from now on reject renegotiation started by the remote
     * peer. Engines that already exist keep the value they were constructed with, because
     * {@code newEngine} passes the flag by value.
     */
    public void setRejectRemoteInitiatedRenegotiation(boolean z8) {
        this.rejectRemoteInitiatedRenegotiation = z8;
    }

    /**
     * Forwards session ticket keys to {@code sessionContext().setTicketKeys(bArr)}.
     * NOTE(review): {@code bArr} is presumably secret key material; this method keeps no
     * copy, but the caller's array is not cleared here.
     */
    @Deprecated
    public final void setTicketKeys(byte[] bArr) {
        sessionContext().setTicketKeys(bArr);
    }

    /**
     * Returns the raw native SSL context handle. The value is {@code 0} after
     * {@link #destroy()}, and a copy taken earlier must not be used once the context has
     * been destroyed.
     */
    public final long sslCtxPointer() {
        return this.ctx;
    }

    /** Returns the session statistics; shorthand for {@code sessionContext().stats()}. */
    @Deprecated
    public final OpenSslSessionStats stats() {
        return sessionContext().stats();
    }
}
