package io.apigee.trireme.kernel.tls;

import io.apigee.trireme.kernel.BiCallback;
import io.apigee.trireme.kernel.Callback;
import io.apigee.trireme.kernel.GenericNodeRuntime;
import io.apigee.trireme.kernel.TriCallback;
import io.apigee.trireme.kernel.util.BufferUtils;
import java.nio.ByteBuffer;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayDeque;
import java.util.Iterator;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/apigee/trireme/kernel/tls/TLSConnection.class */
public class TLSConnection {
    private static final Logger log = LoggerFactory.getLogger(TLSConnection.class.getName());
    private static final ByteBuffer EMPTY = ByteBuffer.allocate(0);
    private final ArrayDeque<TLSChunk> outgoing = new ArrayDeque<>();
    private final ArrayDeque<TLSChunk> incoming = new ArrayDeque<>();
    private final GenericNodeRuntime runtime;
    private final boolean isServer;
    private final String serverName;
    private final int serverPort;
    private boolean requestCert;
    private boolean rejectUnauthorized;
    private TriCallback<ByteBuffer, Boolean, Object> writeCallback;
    private BiCallback<ByteBuffer, Integer> readCallback;
    private Callback<Void> onHandshakeStart;
    private Callback<Void> onHandshakeDone;
    private Callback<Throwable> onError;
    private SSLEngine engine;
    private X509TrustManager trustManager;
    private ByteBuffer writeBuf;
    private ByteBuffer readBuf;
    private boolean handshaking;
    private boolean initFinished;
    private boolean sentShutdown;
    private boolean receivedShutdown;
    private SSLException error;
    private SSLException verifyError;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.apigee.trireme.kernel.tls.TLSConnection$2, reason: invalid class name */
    /* loaded from: input_file:io/apigee/trireme/kernel/tls/TLSConnection$2.class */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];

        static {
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.FINISHED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    public TLSConnection(GenericNodeRuntime genericNodeRuntime, boolean z, String str, int i) {
        this.runtime = genericNodeRuntime;
        this.isServer = z;
        this.serverName = str;
        this.serverPort = i;
    }

    public void init(SSLContext sSLContext, String[] strArr, X509TrustManager x509TrustManager) {
        this.trustManager = x509TrustManager;
        if (this.isServer || this.serverName == null) {
            this.engine = sSLContext.createSSLEngine();
        } else {
            this.engine = sSLContext.createSSLEngine(this.serverName, this.serverPort);
        }
        this.engine.setUseClientMode(!this.isServer);
        if (log.isDebugEnabled()) {
            log.debug("Created SSLEngine {}", this.engine);
        }
        if (log.isDebugEnabled()) {
            log.debug("Allocating read and write buffers of size {}", Integer.valueOf(this.engine.getSession().getPacketBufferSize()));
        }
        this.readBuf = ByteBuffer.allocate(this.engine.getSession().getPacketBufferSize());
        this.writeBuf = ByteBuffer.allocate(this.engine.getSession().getPacketBufferSize());
        if (strArr != null) {
            try {
                this.engine.setEnabledCipherSuites(strArr);
            } catch (IllegalArgumentException e) {
                handleError(new SSLException(e));
            }
        }
    }

    public void setVerificationMode(boolean z, boolean z2) {
        this.requestCert = z;
        this.rejectUnauthorized = z2;
        if (z) {
            if (z2) {
                this.engine.setNeedClientAuth(true);
            } else {
                this.engine.setWantClientAuth(true);
            }
        }
    }

    public void setWriteCallback(TriCallback<ByteBuffer, Boolean, Object> triCallback) {
        this.writeCallback = triCallback;
    }

    public void setReadCallback(BiCallback<ByteBuffer, Integer> biCallback) {
        this.readCallback = biCallback;
    }

    public void setHandshakeStartCallback(Callback<Void> callback) {
        this.onHandshakeStart = callback;
    }

    public void setHandshakeDoneCallback(Callback<Void> callback) {
        this.onHandshakeDone = callback;
    }

    public void setErrorCallback(Callback<Throwable> callback) {
        this.onError = callback;
    }

    public SSLException getVerifyError() {
        return this.verifyError;
    }

    public SSLException getError() {
        return this.error;
    }

    public boolean isInitFinished() {
        return this.initFinished;
    }

    public boolean isSentShutdown() {
        return this.sentShutdown;
    }

    public boolean isReceivedShutdown() {
        return this.receivedShutdown;
    }

    public int getWriteQueueLength() {
        int i = 0;
        Iterator<TLSChunk> it = this.outgoing.iterator();
        while (it.hasNext()) {
            TLSChunk next = it.next();
            if (next.getBuf() != null) {
                i += next.getBuf().remaining();
            }
        }
        return i;
    }

    public void wrap(ByteBuffer byteBuffer, Callback<Object> callback) {
        this.outgoing.add(new TLSChunk(byteBuffer, false, callback));
        encodeLoop();
    }

    public void shutdown(Callback<Object> callback) {
        this.outgoing.add(new TLSChunk(null, true, callback));
        encodeLoop();
    }

    public void shutdownInbound(Callback<Object> callback) {
        try {
            this.engine.closeInbound();
        } catch (SSLException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error closing inbound SSLEngine: {}", e);
            }
        }
        if (callback != null) {
            callback.call(null);
        }
        doUnwrap();
        encodeLoop();
    }

    public void unwrap(ByteBuffer byteBuffer, Callback<Object> callback) {
        this.incoming.add(new TLSChunk(byteBuffer, false, callback));
        encodeLoop();
    }

    public void inboundError(int i) {
        TLSChunk tLSChunk = new TLSChunk(null, false, null);
        tLSChunk.setInboundErr(i);
        this.incoming.add(tLSChunk);
        encodeLoop();
    }

    public void start() {
        if (this.isServer) {
            return;
        }
        wrap(null, null);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void encodeLoop() {
        while (true) {
            if (log.isTraceEnabled()) {
                log.trace("engine status: {} incoming: {} outgoing: {}", new Object[]{this.engine.getHandshakeStatus(), Integer.valueOf(this.incoming.size()), Integer.valueOf(this.outgoing.size())});
            }
            switch (AnonymousClass2.$SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[this.engine.getHandshakeStatus().ordinal()]) {
                case 1:
                    processHandshaking();
                    if (doWrap()) {
                        break;
                    } else {
                        return;
                    }
                case 2:
                    processHandshaking();
                    if (doUnwrap()) {
                        break;
                    } else {
                        return;
                    }
                case 3:
                    processTasks();
                    return;
                case 4:
                case 5:
                    if (this.outgoing.isEmpty() && this.incoming.isEmpty()) {
                        return;
                    }
                    if (!this.outgoing.isEmpty() && !doWrap()) {
                        return;
                    }
                    if (!this.incoming.isEmpty() && !doUnwrap()) {
                        return;
                    }
                    break;
            }
        }
    }

    private boolean doWrap() {
        SSLEngineResult wrap;
        TLSChunk peek = this.outgoing.peek();
        ByteBuffer buf = peek == null ? EMPTY : peek.getBuf();
        if (buf == null) {
            buf = EMPTY;
        }
        boolean z = false;
        do {
            if (peek != null && peek.isShutdown()) {
                log.trace("Sending closeOutbound");
                this.engine.closeOutbound();
                this.sentShutdown = true;
                z = true;
            }
            if (log.isTraceEnabled()) {
                log.trace("Wrapping {}", buf);
            }
            try {
                wrap = this.engine.wrap(buf, this.writeBuf);
                if (log.isTraceEnabled()) {
                    log.trace("wrap result: {}", wrap);
                }
                if (wrap.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                    this.writeBuf = BufferUtils.doubleBuffer(this.writeBuf);
                }
            } catch (SSLException e) {
                handleEncodingError(peek, e);
                if (peek == null) {
                    return false;
                }
                this.outgoing.remove();
                return false;
            }
        } while (wrap.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW);
        Callback<Object> callback = null;
        if (peek != null && !buf.hasRemaining() && this.initFinished) {
            this.outgoing.remove();
            callback = peek.removeCallback();
        }
        if (wrap.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.FINISHED) {
            processNotHandshaking();
        }
        if (wrap.bytesProduced() > 0) {
            deliverWriteBuffer(z, callback);
        } else if (callback != null) {
            callback.call(null);
        }
        return wrap.getStatus() == SSLEngineResult.Status.OK;
    }

    private boolean doUnwrap() {
        TLSChunk peek = this.incoming.peek();
        ByteBuffer buf = peek == null ? EMPTY : peek.getBuf();
        SSLEngineResult sSLEngineResult = null;
        while (true) {
            if (buf == null) {
                break;
            }
            do {
                if (log.isTraceEnabled()) {
                    log.trace("Unwrapping {}", buf);
                }
                try {
                    sSLEngineResult = this.engine.unwrap(buf, this.readBuf);
                    if (log.isTraceEnabled()) {
                        log.trace("unwrap result: {}", sSLEngineResult);
                    }
                    if (sSLEngineResult.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW) {
                        this.readBuf = BufferUtils.doubleBuffer(this.readBuf);
                    }
                } catch (SSLException e) {
                    handleEncodingError(peek, e);
                    return false;
                }
            } while (sSLEngineResult.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW);
            if (sSLEngineResult.getStatus() != SSLEngineResult.Status.BUFFER_UNDERFLOW || peek == null) {
                break;
            }
            Callback<Object> removeCallback = peek.removeCallback();
            if (removeCallback != null) {
                removeCallback.call(null);
            }
            if (this.incoming.size() < 2) {
                peek = this.incoming.peek();
                break;
            }
            TLSChunk poll = this.incoming.poll();
            peek = this.incoming.peek();
            peek.setBuf(BufferUtils.catBuffers(poll.getBuf(), peek.getBuf()));
            buf = peek.getBuf();
        }
        int inboundErr = peek == null ? 0 : peek.getInboundErr();
        if (inboundErr != 0) {
            try {
                this.engine.closeInbound();
            } catch (SSLException e2) {
            }
        }
        if (sSLEngineResult != null && sSLEngineResult.getStatus() == SSLEngineResult.Status.CLOSED && !this.receivedShutdown) {
            this.receivedShutdown = true;
            inboundErr = -99;
        }
        if (peek != null && (peek.getBuf() == null || !peek.getBuf().hasRemaining())) {
            this.incoming.poll();
            Callback<Object> removeCallback2 = peek.removeCallback();
            if (removeCallback2 != null) {
                removeCallback2.call(null);
            }
        }
        if (sSLEngineResult != null && sSLEngineResult.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.FINISHED) {
            processNotHandshaking();
        }
        if ((sSLEngineResult != null && sSLEngineResult.bytesProduced() > 0) || inboundErr != 0) {
            deliverReadBuffer(inboundErr);
        }
        return sSLEngineResult == null || sSLEngineResult.getStatus() == SSLEngineResult.Status.OK;
    }

    private void deliverWriteBuffer(boolean z, Callback<Object> callback) {
        ByteBuffer byteBuffer;
        if (this.writeCallback == null) {
            this.writeBuf.clear();
            if (callback != null) {
                callback.call(null);
                return;
            }
            return;
        }
        if (this.writeBuf.position() > 0) {
            this.writeBuf.flip();
            byteBuffer = ByteBuffer.allocate(this.writeBuf.remaining());
            byteBuffer.put(this.writeBuf);
            this.writeBuf.clear();
            byteBuffer.flip();
            if (log.isTraceEnabled()) {
                log.trace("Delivering {} bytes to the onwrap callback. shutdown = {}", Integer.valueOf(byteBuffer.remaining()), Boolean.valueOf(z));
            }
        } else {
            byteBuffer = null;
        }
        this.writeCallback.call(byteBuffer, Boolean.valueOf(z), callback);
    }

    private void deliverReadBuffer(int i) {
        ByteBuffer byteBuffer;
        if (this.readCallback == null) {
            this.readBuf.clear();
            return;
        }
        if (this.readBuf.position() > 0) {
            this.readBuf.flip();
            byteBuffer = ByteBuffer.allocate(this.readBuf.remaining());
            byteBuffer.put(this.readBuf);
            byteBuffer.flip();
            this.readBuf.clear();
            if (log.isTraceEnabled()) {
                log.trace("Delivering {} bytes to the onunwrap callback. err = {}", Integer.valueOf(byteBuffer.remaining()), Integer.valueOf(i));
            }
        } else {
            byteBuffer = null;
        }
        this.readCallback.call(byteBuffer, Integer.valueOf(i));
    }

    private void processHandshaking() {
        if (this.handshaking || this.sentShutdown || this.receivedShutdown) {
            return;
        }
        this.handshaking = true;
        if (this.onHandshakeStart != null) {
            this.onHandshakeStart.call(null);
        }
    }

    private void processNotHandshaking() {
        if (this.handshaking) {
            checkPeerAuthorization();
            this.handshaking = false;
            this.initFinished = true;
            if (this.onHandshakeDone != null) {
                this.onHandshakeDone.call(null);
            }
        }
    }

    private void processTasks() {
        this.runtime.getAsyncPool().submit(new Runnable() { // from class: io.apigee.trireme.kernel.tls.TLSConnection.1
            @Override // java.lang.Runnable
            public void run() {
                Runnable delegatedTask = TLSConnection.this.engine.getDelegatedTask();
                while (true) {
                    Runnable runnable = delegatedTask;
                    if (runnable == null) {
                        TLSConnection.this.runtime.executeScriptTask(new Runnable() { // from class: io.apigee.trireme.kernel.tls.TLSConnection.1.1
                            @Override // java.lang.Runnable
                            public void run() {
                                TLSConnection.this.encodeLoop();
                            }
                        }, TLSConnection.this.runtime.getDomain());
                        return;
                    } else {
                        if (TLSConnection.log.isTraceEnabled()) {
                            TLSConnection.log.trace("Running SSLEngine task {}", runnable);
                        }
                        runnable.run();
                        delegatedTask = TLSConnection.this.engine.getDelegatedTask();
                    }
                }
            }
        });
    }

    private void handleError(SSLException sSLException) {
        if (log.isDebugEnabled()) {
            log.debug("SSL exception: handshaking = {}: {}", new Object[]{Boolean.valueOf(this.handshaking), sSLException, sSLException});
        }
        Throwable th = sSLException;
        while (true) {
            Throwable th2 = th;
            if (th2.getCause() == null) {
                break;
            } else {
                th = th2.getCause();
            }
        }
        if (this.handshaking) {
            this.verifyError = sSLException;
        } else {
            this.error = sSLException;
        }
    }

    private void handleEncodingError(TLSChunk tLSChunk, SSLException sSLException) {
        Throwable th;
        if (log.isDebugEnabled()) {
            log.debug("SSL exception: {}", sSLException, sSLException);
        }
        Throwable th2 = sSLException;
        while (true) {
            th = th2;
            if (th.getCause() == null) {
                break;
            } else {
                th2 = th.getCause();
            }
        }
        this.error = sSLException;
        if (!this.initFinished) {
            this.verifyError = sSLException;
            if (this.onError != null) {
                this.onError.call(th);
                return;
            }
            return;
        }
        if (tLSChunk == null) {
            if (this.onError != null) {
                this.onError.call(th);
            }
        } else {
            Callback<Object> removeCallback = tLSChunk.removeCallback();
            if (removeCallback != null) {
                removeCallback.call(sSLException.toString());
            }
        }
    }

    private void checkPeerAuthorization() {
        try {
            Certificate[] peerCertificates = this.engine.getSession().getPeerCertificates();
            if (peerCertificates == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Peer has no client- or server-side certs");
                }
                if (!this.isServer || this.requestCert) {
                    handleError(new SSLException("Peer has no certificates"));
                    return;
                }
                return;
            }
            if (this.trustManager == null) {
                handleError(new SSLException("No trusted CAs"));
                return;
            }
            try {
                String figureTrustAlgorithm = figureTrustAlgorithm();
                if (this.isServer) {
                    this.trustManager.checkClientTrusted((X509Certificate[]) peerCertificates, figureTrustAlgorithm);
                } else {
                    this.trustManager.checkServerTrusted((X509Certificate[]) peerCertificates, figureTrustAlgorithm);
                }
                if (log.isDebugEnabled()) {
                    log.debug("SSL peer {} is valid", this.engine.getSession());
                }
            } catch (CertificateException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Error verifying SSL peer {}: {}", this.engine.getSession(), e);
                }
                handleError(new SSLException(e));
            }
        } catch (SSLPeerUnverifiedException e2) {
            if (log.isDebugEnabled()) {
                log.debug("Peer is unverified");
            }
            if (!this.isServer || this.requestCert) {
                handleError(e2);
            }
        }
    }

    private String figureTrustAlgorithm() {
        String cipherSuite = this.engine.getSession().getCipherSuite();
        String protocol = this.engine.getSession().getProtocol();
        String str = cipherSuite.startsWith("TLS_ECDHE_ECDSA") ? "ECDHE_ECDSA" : cipherSuite.startsWith("TLS_ECDHE_RSA") ? "ECDHE_RSA" : cipherSuite.startsWith("TLS_ECDH_ECDSA") ? "ECDH_ECDSA" : cipherSuite.startsWith("TLS_DHE_DSS") ? "DHE_DSS" : cipherSuite.startsWith("TLS_DHE_RSA") ? "DHE_RSA" : cipherSuite.startsWith("TLS_ECDH_RSA") ? "ECDH_RSA" : cipherSuite.startsWith("SSL_RSA_EXPORT") ? "RSA_EXPORT" : (cipherSuite.startsWith("TLS_RSA") || cipherSuite.startsWith("SSL_RSA")) ? "RSA" : "UNKNOWN";
        if (log.isDebugEnabled()) {
            log.debug("Protocol = {}: suite = {}. Checking trust using {}", new Object[]{protocol, cipherSuite, str});
        }
        return str;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [java.security.cert.Certificate[]] */
    /* JADX WARN: Type inference failed for: r0v17 */
    public X509Certificate getPeerCertificate() {
        X509Certificate x509Certificate;
        if (this.engine.getSession() == null) {
            return null;
        }
        try {
            x509Certificate = this.engine.getSession().getPeerCertificates()[0];
        } catch (SSLPeerUnverifiedException e) {
            if (log.isDebugEnabled()) {
                log.debug("getPeerCertificates threw {}", e);
            }
            x509Certificate = null;
        }
        if (x509Certificate instanceof X509Certificate) {
            return x509Certificate;
        }
        log.debug("Peer certificate is not an X.509 cert");
        return null;
    }

    public String getCipherSuite() {
        if (this.engine.getSession() == null) {
            return null;
        }
        return this.engine.getSession().getCipherSuite();
    }

    public String getProtocol() {
        if (this.engine.getSession() == null) {
            return null;
        }
        return this.engine.getSession().getProtocol();
    }
}
