package sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.MessageFormat;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.net.ssl.SSLProtocolException;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.SSLExtension;
import sun.security.ssl.SSLHandshake;
import sun.security.ssl.SupportedGroupsExtension;
import sun.security.util.HexDumpEncoder;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension.class */
public final class SessionTicketExtension {
    // Default lifetime of a ticket-encryption key, in milliseconds (one hour).
    // The static initializer falls back to this value when the
    // jdk.tls.server.statelessKeyTimeout property is absent or rejected.
    private static final int TIMEOUT_DEFAULT = 3600000;
    // Effective key lifetime in milliseconds; StatelessKey adds it to
    // System.currentTimeMillis() to compute each key's expiry instant.
    private static final int keyTimeout;
    // AES key size in bits; StatelessKey initialises its KeyGenerator with the same value.
    private static final int KEYLEN = 256;
    // Producers/consumers for the session_ticket extension in the ClientHello (ch*)
    // and ServerHello (sh*), plus the stringizer used when rendering the extension.
    static final HandshakeProducer chNetworkProducer = new T12CHSessionTicketProducer();
    static final SSLExtension.ExtensionConsumer chOnLoadConsumer = new T12CHSessionTicketConsumer();
    static final HandshakeProducer shNetworkProducer = new T12SHSessionTicketProducer();
    static final SSLExtension.ExtensionConsumer shOnLoadConsumer = new T12SHSessionTicketConsumer();
    static final SSLStringizer steStringizer = new SessionTicketStringizer();
    // Identifier of the key currently used to encrypt new tickets. It starts at a
    // random value and is advanced by KeyState.nextKey() while holding the
    // keyHashMap monitor.
    // NOTE(review): the field is not volatile and KeyState.getCurrentKey() reads it
    // without that monitor; confirm the visibility guarantees are acceptable.
    private static int currentKeyID = new SecureRandom().nextInt();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$KeyState.class */
    /**
     * Static helpers that manage the ticket-encryption keys stored in
     * {@code sslContext.keyHashMap}: lookup by key id, rotation of the current
     * key, and removal of keys that can no longer decrypt a live ticket.
     */
    public static final class KeyState {
        private KeyState() {
            // Static helpers only.
        }

        /**
         * Returns the key registered under id {@code i}, or {@code null} when no
         * such key exists or the key is past its lifetime plus the server
         * session timeout.
         */
        static StatelessKey getKey(HandshakeContext handshakeContext, int i) {
            StatelessKey candidate = handshakeContext.sslContext.keyHashMap.get(Integer.valueOf(i));
            if (candidate != null && !candidate.isInvalid(getSessionTimeout(handshakeContext))) {
                return candidate;
            }
            return null;
        }

        /**
         * Returns the key used to encrypt new tickets, rotating to a fresh key
         * when the current one is missing or expired.
         */
        static StatelessKey getCurrentKey(HandshakeContext handshakeContext) {
            // Fast path: no monitor is taken when the current key is still usable.
            StatelessKey current = handshakeContext.sslContext.keyHashMap.get(Integer.valueOf(SessionTicketExtension.currentKeyID));
            if (current != null && !current.isExpired()) {
                return current;
            }
            return nextKey(handshakeContext);
        }

        /**
         * Creates and publishes the next key while holding the key map's
         * monitor, then prunes keys that are no longer valid.
         */
        private static StatelessKey nextKey(HandshakeContext handshakeContext) {
            synchronized (handshakeContext.sslContext.keyHashMap) {
                // Re-check under the monitor: another thread may have rotated already.
                StatelessKey existing = handshakeContext.sslContext.keyHashMap.get(Integer.valueOf(SessionTicketExtension.currentKeyID));
                if (existing == null || existing.isExpired()) {
                    // The id wraps from Integer.MAX_VALUE to 0 instead of overflowing.
                    int nextId;
                    if (SessionTicketExtension.currentKeyID == Integer.MAX_VALUE) {
                        nextId = 0;
                    } else {
                        nextId = SessionTicketExtension.currentKeyID + 1;
                    }
                    // The StatelessKey constructor registers the new key in keyHashMap.
                    StatelessKey fresh = new StatelessKey(handshakeContext, nextId);
                    SessionTicketExtension.currentKeyID = nextId;
                    cleanup(handshakeContext);
                    return fresh;
                }
                return existing;
            }
        }

        /**
         * Destroys and removes every key whose lifetime plus the server session
         * timeout has elapsed, so retired key material is not kept in the map.
         */
        static void cleanup(HandshakeContext handshakeContext) {
            int retentionMillis = getSessionTimeout(handshakeContext);
            // Iterate over a snapshot of the ids so entries can be removed while walking.
            Object[] keyIds = handshakeContext.sslContext.keyHashMap.keySet().toArray();
            for (int idx = 0; idx < keyIds.length; idx++) {
                Integer keyId = (Integer) keyIds[idx];
                StatelessKey entry = handshakeContext.sslContext.keyHashMap.get(keyId);
                if (!entry.isInvalid(retentionMillis)) {
                    continue;
                }
                try {
                    entry.key.destroy();
                } catch (Exception ignored) {
                    // Best effort: destroy() may fail, and key is null when the
                    // StatelessKey constructor could not generate one. The entry
                    // is removed from the map either way.
                }
                handshakeContext.sslContext.keyHashMap.remove(keyId);
            }
        }

        /**
         * Returns the server session context's timeout multiplied by 1000
         * (presumably seconds converted to milliseconds; confirm against
         * SSLSessionContext).
         */
        static int getSessionTimeout(HandshakeContext handshakeContext) {
            int configuredTimeout = handshakeContext.sslContext.engineGetServerSessionContext().getSessionTimeout();
            return configuredTimeout * 1000;
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$SessionTicketSpec.class */
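    /**
     * Payload of the session_ticket extension.
     *
     * <p>A ticket produced by {@link #encrypt} is laid out as
     * {@code key id (4 bytes) || IV (16 bytes) || AES/GCM ciphertext and tag}.
     * The key id is also fed to the cipher as additional authenticated data, so a
     * ticket whose key id was altered fails tag verification in {@link #decrypt}.
     */
    static final class SessionTicketSpec implements SSLExtension.SSLExtensionSpec {
        // GCM authentication tag length in bits.
        private static final int GCM_TAG_LEN = 128;
        // Length in bytes of the random IV stored in every ticket.
        private static final int IV_LEN = 16;
        // Length in bytes of the big-endian key id that prefixes every ticket.
        private static final int KEY_ID_LEN = 4;
        ByteBuffer data;
        static final ByteBuffer zero = ByteBuffer.wrap(new byte[0]);

        /** Creates an empty extension body. */
        /* JADX INFO: Access modifiers changed from: package-private */
        public SessionTicketSpec() {
            this.data = zero;
        }

        /**
         * Wraps {@code bArr} as the ticket bytes.
         *
         * @throws IOException if the array is longer than the accepted maximum
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public SessionTicketSpec(byte[] bArr) throws IOException {
            this(ByteBuffer.wrap(bArr));
        }

        /**
         * Uses {@code byteBuffer} as the ticket bytes without copying it.
         *
         * @throws SSLProtocolException if the buffer is null or holds more than
         *         65536 remaining bytes
         */
        SessionTicketSpec(ByteBuffer byteBuffer) throws IOException {
            if (byteBuffer == null) {
                throw new SSLProtocolException("SessionTicket buffer too small");
            }
            // Bound the size before anything is parsed or allocated from peer data.
            if (byteBuffer.remaining() > 65536) {
                throw new SSLProtocolException("SessionTicket buffer too large. " + byteBuffer.remaining());
            }
            this.data = byteBuffer;
        }

        /** Encodes a key id as four big-endian bytes (ticket prefix and GCM AAD). */
        private static byte[] keyIdBytes(int keyId) {
            return new byte[]{(byte) (keyId >>> 24), (byte) (keyId >>> 16), (byte) (keyId >>> 8), (byte) keyId};
        }

        /**
         * Serialises {@code sSLSessionImpl} and encrypts it under the current
         * ticket key.
         *
         * @return the ticket bytes, or an empty array when the handshake session
         *         is not statelessable, the session serialises to nothing, or any
         *         step fails (failures are only logged)
         */
        public byte[] encrypt(HandshakeContext handshakeContext, SSLSessionImpl sSLSessionImpl) {
            if (!handshakeContext.handshakeSession.isStatelessable(handshakeContext)) {
                return new byte[0];
            }
            try {
                StatelessKey currentKey = KeyState.getCurrentKey(handshakeContext);
                // A fresh random IV per ticket: a GCM IV must never repeat under one key.
                byte[] iv = new byte[IV_LEN];
                handshakeContext.sslContext.getSecureRandom().nextBytes(iv);
                byte[] keyId = keyIdBytes(currentKey.num);
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(Cipher.ENCRYPT_MODE, currentKey.key, new GCMParameterSpec(GCM_TAG_LEN, iv));
                // Authenticate the key id so it cannot be swapped without detection.
                cipher.updateAAD(keyId);
                byte[] sessionBytes = sSLSessionImpl.write();
                if (sessionBytes.length == 0) {
                    return sessionBytes;
                }
                byte[] sealed = cipher.doFinal(sessionBytes);
                byte[] ticket = new byte[KEY_ID_LEN + iv.length + sealed.length];
                System.arraycopy(keyId, 0, ticket, 0, KEY_ID_LEN);
                System.arraycopy(iv, 0, ticket, KEY_ID_LEN, iv.length);
                System.arraycopy(sealed, 0, ticket, KEY_ID_LEN + iv.length, sealed.length);
                return ticket;
            } catch (Exception e) {
                // Deliberate best effort: no ticket is issued rather than failing the handshake.
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Encryption failed." + e, new Object[0]);
                }
                return new byte[0];
            }
        }

        /**
         * Decrypts and authenticates the ticket held in {@link #data}. Reading
         * advances the position of {@code data}, so the ticket can be decrypted
         * only once per instance.
         *
         * @return the decrypted session bytes, or {@code null} when the key id is
         *         unknown or no longer valid, the ticket is truncated, or tag
         *         verification fails
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        public ByteBuffer decrypt(HandshakeContext handshakeContext) {
            try {
                int keyId = this.data.getInt();
                StatelessKey key = KeyState.getKey(handshakeContext, keyId);
                if (key == null) {
                    return null;
                }
                byte[] iv = new byte[IV_LEN];
                this.data.get(iv);
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(Cipher.DECRYPT_MODE, key.key, new GCMParameterSpec(GCM_TAG_LEN, iv));
                cipher.updateAAD(keyIdBytes(keyId));
                // The plaintext is the remaining input minus the tag. A ticket too
                // short to hold a tag makes allocate() throw, which is reported
                // as a failed decryption below.
                ByteBuffer plaintext = ByteBuffer.allocate(this.data.remaining() - GCM_TAG_LEN / Byte.SIZE);
                cipher.doFinal(this.data, plaintext);
                plaintext.flip();
                return plaintext;
            } catch (Exception e) {
                // Every failure is treated alike: the caller falls back to a full handshake.
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Decryption failed." + e.getMessage(), new Object[0]);
                }
                return null;
            }
        }

        /**
         * Returns a copy of the bytes between the position and limit of
         * {@link #data}, leaving the buffer's own position untouched.
         */
        byte[] getEncoded() {
            // Size the copy from the readable bytes rather than capacity(): a
            // capacity-sized read throws BufferUnderflowException for any buffer
            // whose position is non-zero or whose limit is below its capacity.
            ByteBuffer view = this.data.duplicate();
            byte[] encoded = new byte[view.remaining()];
            view.get(encoded);
            return encoded;
        }

        /** Renders the ticket as an indented hex dump for debug logging. */
        @Override
        public String toString() {
            if (this.data == null) {
                return "<null>";
            }
            if (this.data.capacity() == 0) {
                return "<empty>";
            }
            MessageFormat messageFormat = new MessageFormat("  \"ticket\" : '{'\n{0}\n  '}'", Locale.ENGLISH);
            String hexDump = new HexDumpEncoder().encode(this.data.duplicate());
            return messageFormat.format(new Object[]{Utilities.indent(hexDump, "    ")});
        }
    }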

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$SessionTicketStringizer.class */
    /** Renders a raw session_ticket extension body as text for logging. */
    static final class SessionTicketStringizer implements SSLStringizer {
        SessionTicketStringizer() {
        }

        /**
         * Returns the textual form of the ticket in {@code byteBuffer}, or the
         * exception message when the buffer is rejected by SessionTicketSpec.
         */
        @Override // sun.security.ssl.SSLStringizer
        public String toString(ByteBuffer byteBuffer) {
            String rendered;
            try {
                SessionTicketSpec spec = new SessionTicketSpec(byteBuffer);
                rendered = spec.toString();
            } catch (IOException ioe) {
                rendered = ioe.getMessage();
            }
            return rendered;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$StatelessKey.class */
    /**
     * One ticket-encryption key together with its numeric id and the instant
     * (milliseconds since the epoch) after which it stops being used to encrypt
     * new tickets.
     */
    public static final class StatelessKey {
        final long timeout;
        final SecretKey key;
        final int num;

        /**
         * Generates a 256-bit AES key from the context's SecureRandom and
         * registers the new instance in {@code sslContext.keyHashMap} under id
         * {@code i}.
         */
        StatelessKey(HandshakeContext handshakeContext, int i) {
            SecretKey generated;
            try {
                KeyGenerator aesGenerator = KeyGenerator.getInstance("AES");
                aesGenerator.init(256, handshakeContext.sslContext.getSecureRandom());
                generated = aesGenerator.generateKey();
            } catch (NoSuchAlgorithmException ignored) {
                // No AES provider: key stays null and the instance is still
                // registered below. NOTE(review): callers then see a key that
                // cannot encrypt or decrypt; confirm this silent path is intended.
                generated = null;
            }
            this.num = i;
            this.timeout = System.currentTimeMillis() + SessionTicketExtension.keyTimeout;
            this.key = generated;
            handshakeContext.sslContext.keyHashMap.put(Integer.valueOf(this.num), this);
        }

        /** Returns true once the key's own lifetime has elapsed. */
        boolean isExpired() {
            long now = System.currentTimeMillis();
            return now > this.timeout;
        }

        /**
         * Returns true once the key's lifetime plus a grace period of {@code j}
         * milliseconds has elapsed.
         */
        boolean isInvalid(long j) {
            long deadline = this.timeout + j;
            return System.currentTimeMillis() > deadline;
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$T12CHSessionTicketConsumer.class */
    /** Server-side consumer of the session_ticket extension in a ClientHello. */
    private static final class T12CHSessionTicketConsumer implements SSLExtension.ExtensionConsumer {
        T12CHSessionTicketConsumer() {
        }

        /**
         * Records that the client accepts tickets when the extension is empty;
         * otherwise tries to decrypt the presented ticket and resume from it.
         * A ticket that cannot be decrypted or parsed is not fatal: the
         * handshake continues as a full handshake.
         */
        @Override // sun.security.ssl.SSLExtension.ExtensionConsumer
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage, ByteBuffer byteBuffer) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            if (!shc.sslConfig.isAvailable(SSLExtension.CH_SESSION_TICKET)) {
                return;
            }
            if (shc.statelessResumption) {
                return;
            }
            SSLSessionContextImpl serverCache = (SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext();
            if (!serverCache.statelessEnabled()) {
                return;
            }

            // An empty extension only signals that the client supports tickets.
            if (byteBuffer.remaining() == 0) {
                shc.statelessResumption = true;
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Client accepts session tickets.", new Object[0]);
                }
                return;
            }

            try {
                // decrypt() returns null unless the ticket authenticates under a
                // known, still-valid key; session state is rebuilt only after that.
                ByteBuffer sessionBytes = new SessionTicketSpec(byteBuffer).decrypt(shc);
                if (sessionBytes == null) {
                    return;
                }
                shc.resumingSession = new SSLSessionImpl(shc, sessionBytes);
                shc.isResumption = true;
                shc.statelessResumption = true;
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Valid stateless session ticket found", new Object[0]);
                }
            } catch (IOException | RuntimeException e) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("SessionTicket data invalid. Doing full handshake.", new Object[0]);
                }
            }
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$T12CHSessionTicketProducer.class */
    /** Client-side producer of the session_ticket extension in a ClientHello. */
    private static final class T12CHSessionTicketProducer extends SupportedGroupsExtension.SupportedGroups implements HandshakeProducer {
        T12CHSessionTicketProducer() {
        }

        /**
         * Returns the extension body: {@code null} when stateless resumption is
         * disabled for the client session context, the resuming session's PSK
         * identity when a resumption is in progress, and an empty body otherwise.
         */
        @Override // sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            SSLSessionContextImpl clientCache = (SSLSessionContextImpl) chc.sslContext.engineGetClientSessionContext();
            if (!clientCache.statelessEnabled()) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Stateless resumption not supported", new Object[0]);
                }
                return null;
            }

            chc.statelessResumption = true;
            boolean resuming = chc.isResumption && chc.resumingSession != null;
            if (!resuming) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Stateless resumption supported", new Object[0]);
                }
                // No ticket to present: send an empty extension to advertise support.
                return new SessionTicketSpec().getEncoded();
            }

            // Populate the supported signature algorithms if nothing has set them yet.
            if (chc.localSupportedSignAlgs == null) {
                chc.localSupportedSignAlgs = SignatureScheme.getSupportedAlgorithms(chc.algorithmConstraints, chc.activeProtocols);
            }
            return chc.resumingSession.getPskIdentity();
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$T12SHSessionTicketConsumer.class */
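    /** Client-side consumer of the session_ticket extension in a ServerHello. */
    private static final class T12SHSessionTicketConsumer implements SSLExtension.ExtensionConsumer {
        T12SHSessionTicketConsumer() {
        }

        /**
         * Enables stateless resumption for this handshake when the extension is
         * available locally, the client session context allows it, and the
         * extension body passes SessionTicketSpec's size validation.
         *
         * @throws IOException the exception produced by
         *         {@code conContext.fatal(Alert.UNEXPECTED_MESSAGE, ...)} when the
         *         extension body is rejected
         */
        @Override // sun.security.ssl.SSLExtension.ExtensionConsumer
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage, ByteBuffer byteBuffer) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            if (!chc.sslConfig.isAvailable(SSLExtension.SH_SESSION_TICKET)) {
                chc.statelessResumption = false;
                return;
            }
            if (!((SSLSessionContextImpl) chc.sslContext.engineGetClientSessionContext()).statelessEnabled()) {
                chc.statelessResumption = false;
                return;
            }
            try {
                // Constructed only for its validation side effect. The previous
                // "new ... == null" test could never be true and has been dropped.
                // Only the size of the body is checked here, not its content.
                new SessionTicketSpec(byteBuffer);
            } catch (IOException e) {
                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
            }
            chc.statelessResumption = true;
        }
    }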

    /* loaded from: input_file:BOOT-INF/lib/java.base-2020-09-25.jar:META-INF/modules/java.base/classes/sun/security/ssl/SessionTicketExtension$T12SHSessionTicketProducer.class */
    /** Server-side producer of the session_ticket extension in a ServerHello. */
    private static final class T12SHSessionTicketProducer extends SupportedGroupsExtension.SupportedGroups implements HandshakeProducer {
        T12SHSessionTicketProducer() {
        }

        /**
         * Returns an empty extension body when stateless resumption was
         * negotiated and is enabled for the server session context; otherwise
         * returns {@code null}, clearing the negotiated flag if the context has
         * stateless resumption disabled.
         */
        @Override // sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            if (shc.statelessResumption) {
                SSLSessionContextImpl serverCache = (SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext();
                if (serverCache.statelessEnabled()) {
                    return new byte[0];
                }
                // Negotiated earlier in the handshake but disabled on the context.
                shc.statelessResumption = false;
            }
            return null;
        }
    }

    /** No instance state: every member of this class is static. */
    SessionTicketExtension() {
        // Intentionally empty.
    }

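    /*
     * Resolves the ticket-key lifetime once, at class initialisation, from the
     * jdk.tls.server.statelessKeyTimeout system property, given in seconds.
     * keyTimeout itself is kept in milliseconds.
     *
     * The value is range-checked in seconds before it is converted. The earlier
     * code multiplied by 1000 first and then compared the millisecond result
     * with 604800 (the number of seconds in seven days), so any setting above
     * 604 seconds was rejected and silently replaced by the one-hour default,
     * and a large value could overflow int before the check ran. An operator
     * asking for, say, a 30-minute key rotation got one hour instead.
     */
    static {
        // Same value as TIMEOUT_DEFAULT: one hour, in milliseconds.
        final int defaultTimeoutMillis = 3600000;
        // Largest accepted property value, in seconds (seven days).
        final int maxTimeoutSeconds = 604800;

        int timeoutMillis = defaultTimeoutMillis;
        String configured = GetPropertyAction.privilegedGetProperty("jdk.tls.server.statelessKeyTimeout");
        if (configured != null) {
            boolean accepted = false;
            try {
                int seconds = Integer.parseInt(configured);
                if (seconds >= 0 && seconds <= maxTimeoutSeconds) {
                    // At most 604800 * 1000, which fits in an int.
                    timeoutMillis = seconds * 1000;
                    accepted = true;
                }
            } catch (NumberFormatException e) {
                // Not a number: reported below, the default stays in place.
            }
            if (!accepted && SSLLogger.isOn && SSLLogger.isOn("ssl")) {
                // Report the value as configured and state the default's real unit.
                SSLLogger.warning("Invalid timeout for jdk.tls.server.statelessKeyTimeout: " + configured + ".  Set to default value " + defaultTimeoutMillis + "ms", new Object[0]);
            }
        }
        keyTimeout = timeoutMillis;
    }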
}
