package org.openjsse.sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import javax.security.auth.x500.X500Principal;
import org.openjsse.sun.security.ssl.SSLExtension;
import org.openjsse.sun.security.ssl.SSLHandshake;

/* loaded from: input_file:jre/lib/ext/openjsse.jar:org/openjsse/sun/security/ssl/CertificateAuthorityExtension.class */
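/**
 * Producers, consumers and printer for the TLS {@code certificate_authorities}
 * extension (RFC 8446, section 4.2.4), in both directions: the ClientHello
 * form ("CH") and the CertificateRequest form ("CR").
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The extension body is peer-controlled. Parsing is confined to
 *       {@link CertificateAuthoritiesSpec#CertificateAuthoritiesSpec(ByteBuffer)},
 *       which reports every malformed input as an {@link IOException} so the
 *       consumers can turn it into a fatal alert.</li>
 *   <li>Sending the extension discloses the subject names of the local trust
 *       anchors to the peer. The client side is off unless
 *       {@code org.openjsse.client.enableCAExtension} is set; the server side
 *       is on unless {@code org.openjsse.server.enableCAExtension} is cleared.</li>
 * </ul>
 */
final class CertificateAuthorityExtension {
    /**
     * Largest authorities list, in bytes, that still fits in an extension:
     * extension_data is limited to 2^16-1 bytes and two of them are used by
     * the list's own length prefix.
     */
    private static final int MAX_AUTHORITIES_LENGTH = 0xFFFF - 2;

    static final HandshakeProducer chNetworkProducer = new CHCertificateAuthoritiesProducer();
    static final SSLExtension.ExtensionConsumer chOnLoadConsumer = new CHCertificateAuthoritiesConsumer();
    static final HandshakeConsumer chOnTradeConsumer = new CHCertificateAuthoritiesUpdate();
    static final HandshakeProducer crNetworkProducer = new CRCertificateAuthoritiesProducer();
    static final SSLExtension.ExtensionConsumer crOnLoadConsumer = new CRCertificateAuthoritiesConsumer();
    static final HandshakeConsumer crOnTradeConsumer = new CRCertificateAuthoritiesUpdate();
    static final SSLStringizer ssStringizer = new CertificateAuthoritiesStringizer();

    /** Collects the subject distinguished names of the given issuer certificates, in order. */
    private static List<X500Principal> subjectsOf(X509Certificate[] issuers) {
        List<X500Principal> subjects = new ArrayList<>(issuers.length);
        for (X509Certificate issuer : issuers) {
            subjects.add(issuer.getSubjectX500Principal());
        }
        return subjects;
    }

    /**
     * Serializes authorities as a 16-bit length followed by 16-bit
     * length-prefixed DER names, skipping every name that would push the list
     * past {@code maxSize} bytes.
     *
     * @return the extension body, or {@code null} when no name fits; the list
     *         is declared with a minimum length of 3 bytes, so an empty list
     *         must not be sent
     */
    private static byte[] encodeAuthorities(List<X500Principal> authorities, int maxSize) throws IOException {
        // A configured limit above what the 16-bit length prefix can express
        // would otherwise produce a length field that disagrees with the body.
        int limit = Math.min(maxSize, MAX_AUTHORITIES_LENGTH);
        int total = 0;
        List<byte[]> accepted = new ArrayList<>();
        for (X500Principal authority : authorities) {
            byte[] encoded = authority.getEncoded();
            int entryLength = encoded.length + 2;   // 2-byte length prefix per name
            if (total + entryLength <= limit) {
                total += entryLength;
                accepted.add(encoded);
            }
        }
        if (accepted.isEmpty()) {
            return null;
        }
        byte[] extData = new byte[total + 2];
        ByteBuffer out = ByteBuffer.wrap(extData);
        Record.putInt16(out, total);
        for (byte[] encoded : accepted) {
            Record.putBytes16(out, encoded);
        }
        return extData;
    }

    /** Server side: parses the extension received in a ClientHello. */
    private static final class CHCertificateAuthoritiesConsumer implements SSLExtension.ExtensionConsumer {
        private CHCertificateAuthoritiesConsumer() {
        }

        /**
         * Stores the parsed extension in the handshake context, or ignores it
         * when the extension is not available in the configuration.
         *
         * @throws IOException as a fatal {@code unexpected_message} alert when
         *         the peer-supplied body cannot be parsed
         */
        @Override
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage, ByteBuffer byteBuffer) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            if (!shc.sslConfig.isAvailable(SSLExtension.CH_CERTIFICATE_AUTHORITIES)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore unavailable certificate_authorities extension", new Object[0]);
                }
                return;
            }
            CertificateAuthoritiesSpec spec;
            try {
                spec = new CertificateAuthoritiesSpec(byteBuffer);
            } catch (IOException e) {
                throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
            }
            shc.handshakeExtensions.put(SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec);
        }
    }

    /** Client side: builds the extension for the ClientHello. */
    private static final class CHCertificateAuthoritiesProducer implements HandshakeProducer {
        // Off by default: a client that sends this extension reveals its trust
        // anchor names to every server it contacts.
        private final boolean enableCAExtension;
        private final int maxCAExtensionSize;

        private CHCertificateAuthoritiesProducer() {
            this.enableCAExtension = Utilities.getBooleanProperty("org.openjsse.client.enableCAExtension", false);
            this.maxCAExtensionSize = Utilities.getUIntProperty("org.openjsse.client.maxCAExtensionSize", 8192);
        }

        /**
         * Encodes the subject names of the trust manager's accepted issuers.
         *
         * @return the extension body, or {@code null} when the extension is
         *         unavailable, disabled, or there is no authority to send
         */
        @Override
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            if (!chc.sslConfig.isAvailable(SSLExtension.CH_CERTIFICATE_AUTHORITIES)) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore unavailable certificate_authorities extension", new Object[0]);
                }
                return null;
            }
            if (!this.enableCAExtension) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore disabled certificate_authorities extension", new Object[0]);
                }
                return null;
            }
            if (chc.localSupportedAuthorities == null) {
                List<X500Principal> subjects = subjectsOf(chc.sslContext.getX509TrustManager().getAcceptedIssuers());
                if (!subjects.isEmpty()) {
                    chc.localSupportedAuthorities = subjects;
                }
            }
            if (chc.localSupportedAuthorities == null) {
                return null;
            }
            byte[] extData = encodeAuthorities(chc.localSupportedAuthorities, this.maxCAExtensionSize);
            if (extData == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore certificate_authorities extension: no authority fits the size limit", new Object[0]);
                }
                return null;
            }
            // NOTE(review): the recorded spec holds the full local list even
            // when the size limit dropped some names from the wire encoding.
            chc.handshakeExtensions.put(SSLExtension.CH_CERTIFICATE_AUTHORITIES, new CertificateAuthoritiesSpec(chc.localSupportedAuthorities));
            return extData;
        }
    }

    /** Server side: publishes the client's authorities once the ClientHello extensions are loaded. */
    private static final class CHCertificateAuthoritiesUpdate implements HandshakeConsumer {
        private CHCertificateAuthoritiesUpdate() {
        }

        /** Copies the parsed authorities to {@code peerSupportedAuthorities}; does nothing when the extension was absent. */
        @Override
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            CertificateAuthoritiesSpec spec = (CertificateAuthoritiesSpec) shc.handshakeExtensions.get(SSLExtension.CH_CERTIFICATE_AUTHORITIES);
            if (spec != null) {
                shc.peerSupportedAuthorities = spec.getAuthorities();
            }
        }
    }

    /** Client side: parses the extension received in a CertificateRequest. */
    private static final class CRCertificateAuthoritiesConsumer implements SSLExtension.ExtensionConsumer {
        private CRCertificateAuthoritiesConsumer() {
        }

        /**
         * Stores the parsed extension in the handshake context.
         *
         * @throws IOException as a fatal {@code handshake_failure} alert when
         *         the extension is not available in the configuration, or as
         *         {@code unexpected_message} when the body cannot be parsed
         */
        @Override
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage, ByteBuffer byteBuffer) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            if (!chc.sslConfig.isAvailable(SSLExtension.CR_CERTIFICATE_AUTHORITIES)) {
                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "No available certificate_authority extension for client certificate authentication");
            }
            CertificateAuthoritiesSpec spec;
            try {
                spec = new CertificateAuthoritiesSpec(byteBuffer);
            } catch (IOException e) {
                throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
            }
            chc.handshakeExtensions.put(SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec);
        }
    }

    /** Server side: builds the extension for the CertificateRequest. */
    private static final class CRCertificateAuthoritiesProducer implements HandshakeProducer {
        private final boolean enableCAExtension;
        private final int maxCAExtensionSize;

        private CRCertificateAuthoritiesProducer() {
            this.enableCAExtension = Utilities.getBooleanProperty("org.openjsse.server.enableCAExtension", true);
            this.maxCAExtensionSize = Utilities.getUIntProperty("org.openjsse.server.maxCAExtensionSize", 8192);
        }

        /**
         * Encodes the subject names of the trust manager's accepted issuers.
         *
         * @return the extension body, or {@code null} when the extension is
         *         disabled or there is no authority to send
         * @throws IOException as a fatal {@code missing_extension} alert when
         *         the extension is not available in the configuration
         */
        @Override
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ServerHandshakeContext shc = (ServerHandshakeContext) connectionContext;
            if (!shc.sslConfig.isAvailable(SSLExtension.CR_CERTIFICATE_AUTHORITIES)) {
                throw shc.conContext.fatal(Alert.MISSING_EXTENSION, "No available certificate_authority extension for client certificate authentication");
            }
            if (!this.enableCAExtension) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore disabled certificate_authorities extension", new Object[0]);
                }
                return null;
            }
            if (shc.localSupportedAuthorities == null) {
                List<X500Principal> subjects = subjectsOf(shc.sslContext.getX509TrustManager().getAcceptedIssuers());
                if (!subjects.isEmpty()) {
                    shc.localSupportedAuthorities = subjects;
                }
            }
            if (shc.localSupportedAuthorities == null) {
                return null;
            }
            byte[] extData = encodeAuthorities(shc.localSupportedAuthorities, this.maxCAExtensionSize);
            if (extData == null) {
                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.fine("Ignore certificate_authorities extension: no authority fits the size limit", new Object[0]);
                }
                return null;
            }
            // NOTE(review): the recorded spec holds the full local list even
            // when the size limit dropped some names from the wire encoding.
            shc.handshakeExtensions.put(SSLExtension.CR_CERTIFICATE_AUTHORITIES, new CertificateAuthoritiesSpec(shc.localSupportedAuthorities));
            return extData;
        }
    }

    /** Client side: publishes the server's authorities once the CertificateRequest extensions are loaded. */
    private static final class CRCertificateAuthoritiesUpdate implements HandshakeConsumer {
        private CRCertificateAuthoritiesUpdate() {
        }

        /** Copies the parsed authorities to {@code peerSupportedAuthorities}; does nothing when the extension was absent. */
        @Override
        public void consume(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            ClientHandshakeContext chc = (ClientHandshakeContext) connectionContext;
            CertificateAuthoritiesSpec spec = (CertificateAuthoritiesSpec) chc.handshakeExtensions.get(SSLExtension.CR_CERTIFICATE_AUTHORITIES);
            if (spec != null) {
                chc.peerSupportedAuthorities = spec.getAuthorities();
            }
        }
    }

    /** The decoded list of authority distinguished names carried by the extension. */
    static final class CertificateAuthoritiesSpec implements SSLExtension.SSLExtensionSpec {
        final X500Principal[] authorities;

        /** Builds a spec from a local list; {@code null} is treated as an empty list. */
        CertificateAuthoritiesSpec(List<X500Principal> list) {
            this.authorities = (list == null)
                    ? new X500Principal[0]
                    : list.toArray(new X500Principal[0]);
        }

        /**
         * Parses a peer-supplied extension body.
         *
         * @throws IOException if the body is shorter than its length prefix,
         *         the prefix disagrees with the remaining data, or an entry is
         *         not a well-formed distinguished name
         */
        CertificateAuthoritiesSpec(ByteBuffer byteBuffer) throws IOException {
            if (byteBuffer.remaining() < 2) {
                throw new SSLProtocolException("Invalid certificate_authorities: insufficient data");
            }
            // getInt16 consumes the prefix first, so remaining() is the list body.
            int listLength = Record.getInt16(byteBuffer);
            if (byteBuffer.remaining() != listLength) {
                throw new SSLProtocolException("Invalid certificate_authorities: incorrect data size");
            }
            List<X500Principal> parsed = new ArrayList<>();
            while (byteBuffer.hasRemaining()) {
                byte[] encoded = Record.getBytes16(byteBuffer);
                try {
                    parsed.add(new X500Principal(encoded));
                } catch (IllegalArgumentException e) {
                    // X500Principal rejects malformed DER with an unchecked
                    // exception; the consumers only map IOException to an
                    // alert, so convert it here instead of letting it escape.
                    SSLProtocolException malformed = new SSLProtocolException("Invalid certificate_authorities: malformed distinguished name");
                    malformed.initCause(e);
                    throw malformed;
                }
            }
            this.authorities = parsed.toArray(new X500Principal[0]);
        }

        /** Returns the internal array without copying; callers must treat it as read-only. */
        X500Principal[] getAuthorities() {
            return this.authorities;
        }

        /** Renders the authorities for handshake debug logging. */
        @Override
        public String toString() {
            MessageFormat messageFormat = new MessageFormat("\"certificate authorities\": '['{0}']'", Locale.ENGLISH);
            if (this.authorities == null || this.authorities.length == 0) {
                return messageFormat.format(new Object[]{"<no supported certificate authorities specified>"});
            }
            StringBuilder sb = new StringBuilder(512);
            for (int idx = 0; idx < this.authorities.length; idx++) {
                if (idx > 0) {
                    sb.append("]; [");
                }
                sb.append(this.authorities[idx]);
            }
            return messageFormat.format(new Object[]{sb.toString()});
        }
    }

    /** Formats a raw extension body for logging; parse failures are rendered as their message. */
    private static final class CertificateAuthoritiesStringizer implements SSLStringizer {
        private CertificateAuthoritiesStringizer() {
        }

        @Override
        public String toString(ByteBuffer byteBuffer) {
            try {
                return new CertificateAuthoritiesSpec(byteBuffer).toString();
            } catch (IOException e) {
                // Logging must not fail the handshake: show why the body could not be decoded.
                return e.getMessage();
            }
        }
    }

    CertificateAuthorityExtension() {
    }
}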
