package sun.security.ssl;

import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;
import sun.security.AuthContext;
import sun.security.TrustDecider;
import sun.security.jsafe.Provider;
import sun.security.jsafe.RSAKey;
import sun.security.jsafe.RSAPublicKey;
import sun.security.ssl.HandshakeMessage;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sun/security/ssl/ServerHandshaker.class */
public final class ServerHandshaker extends Handshaker {
    private boolean requireClientCert;
    private X509Certificate[] certs;
    private PrivateKey privateKey;
    private PrivateKey tempPrivateKey;
    private RSAPublicKey tempPublicKey;
    private DHKeyExchange dh;

    private boolean getEphemeralRSAKeys(boolean z) {
        if (!Provider.isAvailable()) {
            return false;
        }
        int i = !z ? 1024 : 512;
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(i, CipherSpec.generator);
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            this.tempPublicKey = (RSAPublicKey) generateKeyPair.getPublic();
            this.tempPrivateKey = generateKeyPair.getPrivate();
            return true;
        } catch (Exception unused) {
            return false;
        }
    }

    private void getEphemeralDHKeys(boolean z) {
        if (z) {
            this.dh = new DHKeyExchange(DHKeyExchange.export512Modulus, DHKeyExchange.export512Base);
            this.dh.generateKeyPair(CipherSpec.generator, 512);
        } else {
            this.dh = new DHKeyExchange();
            this.dh.generateKeyPair(CipherSpec.generator, 768);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServerHandshaker(SSLSocketImpl sSLSocketImpl, AuthContext authContext, boolean z) throws NoSuchAlgorithmException {
        super(sSLSocketImpl, authContext, z);
        this.requireClientCert = z;
    }

    @Override // sun.security.ssl.Handshaker
    protected boolean canExchange(int i, boolean z) {
        if (i != 1 && i != 2 && i != 5) {
            if (i != 6) {
                if (i != 7) {
                    return false;
                }
                getEphemeralDHKeys(z);
                return true;
            }
            this.certs = (X509Certificate[]) this.authContext.get(AuthKeys.chainDSS);
            this.privateKey = (PrivateKey) this.authContext.get(AuthKeys.privateDSS);
            if (this.certs == null) {
                return false;
            }
            getEphemeralDHKeys(z);
            return this.privateKey != null;
        }
        this.certs = (X509Certificate[]) this.authContext.get(AuthKeys.chainRSA);
        this.privateKey = (PrivateKey) this.authContext.get(AuthKeys.privateRSA);
        if (this.certs == null) {
            return false;
        }
        RSAPublicKey rSAPublicKey = (RSAPublicKey) this.certs[0].getPublicKey();
        if (i == 2 && ((rSAPublicKey.getModulusLen() > 512 || rSAPublicKey.isSigningOnly()) && !getEphemeralRSAKeys(z))) {
            return false;
        }
        if (i == 5) {
            getEphemeralDHKeys(z);
        }
        return this.privateKey != null && (this.privateKey instanceof RSAKey);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // sun.security.ssl.Handshaker
    public boolean canUseCipherSuite(String str) {
        if (str.startsWith("SSL_RSA_")) {
            return canExchange(1, false);
        }
        if (str.startsWith("SSL_DH_anon_")) {
            return canExchange(7, false);
        }
        if (str.startsWith("SSL_DHE_DSS_")) {
            return canExchange(6, false);
        }
        return false;
    }

    @Override // sun.security.ssl.Handshaker
    protected void processMessage(byte b, int i) throws IOException, NoSuchAlgorithmException {
        byte[] clientKeyExchange;
        if (this.state > b && this.state != 16 && b != 15) {
            throw new SSLProtocolException(new StringBuffer("Handshake message sequence violation, state = ").append(this.state).append(", type = ").append((int) b).toString());
        }
        switch (b) {
            case 1:
                clientHello(new HandshakeMessage.ClientHello(this.input));
                break;
            case 11:
                if (!this.requireClientCert) {
                    this.conn.fatal((byte) 10, "client sent unsolicited cert chain");
                }
                peerCertificate(new HandshakeMessage.CertificateMsg(this.input));
                break;
            case 15:
                clientCertificateVerify(new HandshakeMessage.CertificateVerify(this.input));
                break;
            case 16:
                switch (this.key_exchange_algorithm) {
                    case 1:
                    case 2:
                        clientKeyExchange = clientKeyExchange(new PreMasterSecret(this.input, i, this.privateKey));
                        break;
                    case 3:
                    case 4:
                    case Record.headerSize /* 5 */:
                    case 6:
                    case 7:
                        clientKeyExchange = clientKeyExchange(new ClientDiffieHellmanPublic(this.input));
                        break;
                    default:
                        throw new SSLProtocolException(new StringBuffer("unsupported key exchange algorithm = ").append(this.key_exchange_algorithm).toString());
                }
                calculateKeys(clientKeyExchange);
                for (int i2 = 0; i2 < clientKeyExchange.length; i2++) {
                    clientKeyExchange[i2] = 0;
                }
                break;
            case 20:
                clientFinished(new HandshakeMessage.Finished(this.input));
                break;
            default:
                throw new SSLProtocolException(new StringBuffer("Illegal server handshake msg, ").append((int) b).toString());
        }
        if (this.state >= b || b == 15) {
            return;
        }
        this.state = b;
    }

    private void clientHello(HandshakeMessage.ClientHello clientHello) throws IOException {
        HandshakeMessage dH_ServerKeyExchange;
        SSLSessionImpl serverSession;
        this.input.digestNow();
        HandshakeMessage.ServerHello serverHello = new HandshakeMessage.ServerHello();
        if (clientHello.v_major != 3) {
            throw new SSLProtocolException(new StringBuffer("version mismatch, client is v").append((int) clientHello.v_major).append(".").append((int) clientHello.v_minor).toString());
        }
        serverHello.v_major = (byte) 3;
        this.v_major = clientHello.v_major;
        if (clientHello.v_minor > 0) {
            serverHello.v_minor = (byte) 0;
        } else {
            serverHello.v_minor = clientHello.v_minor;
        }
        this.v_minor = serverHello.v_minor;
        this.clnt_random = clientHello.clnt_random;
        this.svr_random = new RandomCookie(CipherSpec.generator);
        serverHello.svr_random = this.svr_random;
        this.session = null;
        if (clientHello.sessionId.length() != 0 && (serverSession = SSLSessionImpl.getServerSession(clientHello.sessionId, this.authContext)) != null) {
            byte[] cipherSuite = serverSession.getCipherSpec().getCipherSuite();
            this.resumingSession = serverSession.isRejoinable();
            if (this.resumingSession) {
                this.resumingSession = checkCipherSuite(clientHello, cipherSuite);
            }
            if (this.resumingSession && this.requireClientCert) {
                try {
                    serverSession.getPeerCertificateChain();
                } catch (SSLPeerUnverifiedException unused) {
                    this.resumingSession = false;
                }
            }
            if (this.resumingSession) {
                this.session = serverSession;
            }
        }
        if (this.session == null) {
            if (!this.enableNewSession) {
                throw new SSLException("Client did not resume a session");
            }
            this.session = new SSLSessionImpl(this);
            chooseCipherSuite(clientHello);
        }
        serverHello.cipher_suite = this.session.getCipherSpec().getCipherSuite();
        serverHello.sessionId = this.session.getSessionId();
        serverHello.compression_method = this.session.getCompression();
        serverHello.write(this.output);
        if (this.resumingSession) {
            try {
                calculateConnectionKeys(this.session.getMasterSecret());
                sendChangeCipherAndFinish(true);
                return;
            } catch (NoSuchAlgorithmException e) {
                throw new SSLException(new StringBuffer("Missing algorithm: ").append(e.getMessage()).toString());
            }
        }
        if (this.key_exchange_algorithm != 7) {
            if (this.certs == null) {
                throw new SSLException("internal error, no certs!");
            }
            new HandshakeMessage.CertificateMsg(this.certs).write(this.output);
        }
        boolean z = false;
        if (this.certs == null) {
            z = true;
        } else {
            switch (this.key_exchange_algorithm) {
                case 1:
                case 2:
                    try {
                        if (!((RSAKey) this.privateKey).isSigningOnly()) {
                            if (this.key_exchange_algorithm == 2) {
                                if (((RSAKey) this.privateKey).getModulusLen() > 512) {
                                    z = true;
                                    break;
                                }
                            }
                        } else {
                            z = true;
                            break;
                        }
                    } catch (InvalidKeyException e2) {
                        throw new SSLException(new StringBuffer("RSA Private Key error:  ").append(e2).toString());
                    }
                    break;
                case 3:
                case 4:
                    break;
                case Record.headerSize /* 5 */:
                case 6:
                case 7:
                    z = true;
                    break;
                default:
                    throw new SSLException(new StringBuffer("unsupported server key exchange ").append(this.key_exchange_algorithm).toString());
            }
        }
        if (z) {
            switch (this.key_exchange_algorithm) {
                case 1:
                case 2:
                    try {
                        if (this.certs != null) {
                            dH_ServerKeyExchange = new HandshakeMessage.RSA_ServerKeyExchange(this.tempPublicKey, this.privateKey, this.clnt_random, this.svr_random);
                            this.privateKey = this.tempPrivateKey;
                            break;
                        } else {
                            throw new SSLException("Anonymous RSA not supported");
                        }
                    } catch (InvalidKeyException e3) {
                        throw new SSLException(new StringBuffer("Bad RSA key, ").append(e3).toString());
                    } catch (NoSuchAlgorithmException e4) {
                        throw new SSLException(new StringBuffer("Algorithm missing, ").append(e4).toString());
                    }
                case 3:
                case 4:
                default:
                    throw new SSLException(new StringBuffer("unsupported server key exchange ").append(this.key_exchange_algorithm).toString());
                case Record.headerSize /* 5 */:
                case 6:
                    try {
                        dH_ServerKeyExchange = new HandshakeMessage.DH_ServerKeyExchange(this.dh, this.privateKey, this.clnt_random.random_bytes, this.svr_random.random_bytes);
                        break;
                    } catch (InvalidKeyException e5) {
                        throw new SSLException(new StringBuffer("Bad RSA or DSS key, ").append(e5).toString());
                    } catch (NoSuchAlgorithmException e6) {
                        throw new SSLException(new StringBuffer("Algorithm missing, ").append(e6).toString());
                    } catch (SignatureException e7) {
                        throw new SSLException(new StringBuffer("Internal error, ").append(e7).toString());
                    }
                case 7:
                    dH_ServerKeyExchange = new HandshakeMessage.DH_ServerKeyExchange(this.dh);
                    break;
            }
            dH_ServerKeyExchange.write(this.output);
        }
        if (this.requireClientCert) {
            TrustDecider trustDecider = this.authContext.getTrustDecider();
            if (trustDecider == null) {
                throw new SSLException("require client certs, but no trust decider is available");
            }
            new HandshakeMessage.CertificateRequest(trustDecider.getAcceptedCAs("channel"), this.key_exchange_algorithm).write(this.output);
        }
        new HandshakeMessage.ServerHelloDone().write(this.output);
        this.output.flush();
    }

    private boolean checkCipherSuite(HandshakeMessage.ClientHello clientHello, byte[] bArr) {
        boolean z = false;
        int i = 0;
        while (i < clientHello.cipher_suites.length && (bArr[0] != clientHello.cipher_suites[i] || bArr[1] != clientHello.cipher_suites[i + 1])) {
            i += 2;
        }
        if (i < clientHello.cipher_suites.length) {
            z = maybeSetCipherSuite(bArr[0], bArr[1]);
        }
        return z;
    }

    private void chooseCipherSuite(HandshakeMessage.ClientHello clientHello) throws IOException {
        int i = 0;
        while (i < clientHello.cipher_suites.length && (!maybeSetCipherSuite(clientHello.cipher_suites[i], clientHello.cipher_suites[i + 1]) || (this.requireClientCert && this.key_exchange_algorithm == 7))) {
            i += 2;
        }
        if (i >= clientHello.cipher_suites.length) {
            this.conn.fatal((byte) 40, "no cipher suites in common");
        }
    }

    private byte[] clientKeyExchange(PreMasterSecret preMasterSecret) throws IOException, NoSuchAlgorithmException {
        if (preMasterSecret.v_major == this.v_major && preMasterSecret.v_minor == this.v_minor) {
            return preMasterSecret.preMaster;
        }
        throw new SSLProtocolException("Incorrect RSA Key Exchange");
    }

    private byte[] clientKeyExchange(ClientDiffieHellmanPublic clientDiffieHellmanPublic) throws IOException, NoSuchAlgorithmException {
        return this.dh.getAgreedSecret(clientDiffieHellmanPublic.getClientPublicKey());
    }

    private void clientCertificateVerify(HandshakeMessage.CertificateVerify certificateVerify) throws IOException {
        boolean z = false;
        try {
            PublicKey publicKey = this.session.getPeerCertificateChain()[0].getPublicKey();
            try {
                z = certificateVerify.verify(publicKey, (MessageDigest) this.md5[0].clone(), (MessageDigest) this.sha1[0].clone(), this.session.getMasterSecret());
            } catch (CloneNotSupportedException unused) {
                z = certificateVerify.verify(publicKey, this.md5[2], this.sha1[2], this.session.getMasterSecret());
                this.md5[2] = null;
                this.sha1[2] = null;
            }
        } catch (InvalidKeyException unused2) {
        } catch (NoSuchAlgorithmException unused3) {
            this.conn.fatal((byte) 43, "client cert type is unsupported");
        } catch (SignatureException unused4) {
        }
        if (z) {
            return;
        }
        this.conn.fatal((byte) 42, "client cert didn't verify");
    }

    private void clientFinished(HandshakeMessage.Finished finished) throws IOException {
        try {
            if (!finished.verify((MessageDigest) this.md5[0].clone(), (MessageDigest) this.sha1[0].clone(), HandshakeMessage.Finished.client, this.session.getMasterSecret())) {
                this.conn.fatal((byte) 47, "client 'finished' message doesn't verify");
            }
        } catch (CloneNotSupportedException unused) {
            if (!finished.verify(this.md5[1], this.sha1[1], HandshakeMessage.Finished.client, this.session.getMasterSecret())) {
                this.conn.fatal((byte) 47, "client 'finished' message doesn't verify");
            }
            this.md5[1] = null;
            this.sha1[1] = null;
        }
        if (!this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(false);
        }
        SSLSessionImpl.cacheServerSession(this.session, this.authContext);
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        HandshakeMessage.Finished finished;
        this.output.flush();
        try {
            finished = new HandshakeMessage.Finished((MessageDigest) this.md5[0].clone(), (MessageDigest) this.sha1[0].clone(), HandshakeMessage.Finished.server, this.session.getMasterSecret());
        } catch (CloneNotSupportedException unused) {
            finished = new HandshakeMessage.Finished(this.md5[0], this.sha1[0], HandshakeMessage.Finished.server, this.session.getMasterSecret());
            if (!z || !this.resumingSession) {
                this.md5[0] = null;
                this.sha1[0] = null;
            }
        }
        sendChangeCipherSpec(finished);
        if (z && this.resumingSession) {
            return;
        }
        this.state = 20;
    }

    @Override // sun.security.ssl.Handshaker
    protected HandshakeMessage getKickstartMessage() {
        return new HandshakeMessage.HelloRequest();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // sun.security.ssl.Handshaker
    public void handshakeAlert(byte b) throws SSLProtocolException {
        throw new SSLProtocolException(new StringBuffer("handshake alert not dealt with:  ").append((int) b).toString());
    }
}
