package org.glassfish.grizzly.ssl;

import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.CancellationException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.glassfish.grizzly.Buffer;
import org.glassfish.grizzly.CompletionHandler;
import org.glassfish.grizzly.Connection;
import org.glassfish.grizzly.EmptyCompletionHandler;
import org.glassfish.grizzly.Grizzly;
import org.glassfish.grizzly.PendingWriteQueueLimitExceededException;
import org.glassfish.grizzly.WriteResult;
import org.glassfish.grizzly.attributes.Attribute;
import org.glassfish.grizzly.attributes.AttributeStorage;
import org.glassfish.grizzly.filterchain.AbstractCodecFilter;
import org.glassfish.grizzly.filterchain.FilterChainContext;
import org.glassfish.grizzly.filterchain.FilterChainEvent;
import org.glassfish.grizzly.filterchain.NextAction;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/grizzly-core-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter.class
 */
/* loaded from: input_file:WEB-INF/lib/grizzly-framework-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter.class */
public class SSLFilter extends AbstractCodecFilter<Buffer, Buffer> {
    private static final Logger LOGGER = Grizzly.logger(SSLFilter.class);
    private final Attribute<CompletionHandler<SSLEngine>> handshakeCompletionHandlerAttr;
    private final Attribute<FilterChainContext> initiatingContextAttr;
    private final SSLEngineConfigurator serverSSLEngineConfigurator;
    private final SSLEngineConfigurator clientSSLEngineConfigurator;
    private final boolean renegotiateOnClientAuthWant;
    private final ConnectionCloseListener closeListener;
    protected volatile int maxPendingBytes;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/grizzly-core-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$1.class
     */
    /* renamed from: org.glassfish.grizzly.ssl.SSLFilter$1, reason: invalid class name */
    /* loaded from: input_file:WEB-INF/lib/grizzly-framework-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];

        static {
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.FINISHED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/grizzly-core-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$CertificateEvent.class
     */
    /* loaded from: input_file:WEB-INF/lib/grizzly-framework-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$CertificateEvent.class */
    public static class CertificateEvent implements FilterChainEvent {
        private static final String TYPE = "CERT_EVENT";
        private Object[] certs;
        private final boolean needClientAuth;

        public CertificateEvent(boolean z) {
            this.needClientAuth = z;
        }

        @Override // org.glassfish.grizzly.filterchain.FilterChainEvent
        public final Object type() {
            return TYPE;
        }

        public Object[] getCertificates() {
            return this.certs;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/grizzly-core-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$ConnectionCloseListener.class
     */
    /* loaded from: input_file:WEB-INF/lib/grizzly-framework-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$ConnectionCloseListener.class */
    public final class ConnectionCloseListener implements Connection.CloseListener {
        private ConnectionCloseListener() {
        }

        @Override // org.glassfish.grizzly.Connection.CloseListener
        public void onClosed(Connection connection) throws IOException {
            CompletionHandler completionHandler = (CompletionHandler) SSLFilter.this.handshakeCompletionHandlerAttr.remove(connection);
            if (completionHandler != null) {
                completionHandler.failed(new EOFException());
            }
        }

        /* synthetic */ ConnectionCloseListener(SSLFilter sSLFilter, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/grizzly-core-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$PendingWriteCompletionHandler.class
     */
    /* loaded from: input_file:WEB-INF/lib/grizzly-framework-2.1.4.jar:org/glassfish/grizzly/ssl/SSLFilter$PendingWriteCompletionHandler.class */
    public final class PendingWriteCompletionHandler extends EmptyCompletionHandler<SSLEngine> {
        private final Connection connection;
        private IOException error;
        private boolean isComplete;
        private int sizeInBytes = 0;
        private final List<FilterChainContext> pendingWriteContexts = new LinkedList();

        public PendingWriteCompletionHandler(Connection connection) {
            this.connection = connection;
        }

        public boolean add(FilterChainContext filterChainContext) throws IOException {
            synchronized (this.connection) {
                if (this.error != null) {
                    throw this.error;
                }
                if (this.isComplete) {
                    return false;
                }
                int remaining = this.sizeInBytes + ((Buffer) filterChainContext.getMessage()).remaining();
                if (remaining > SSLFilter.this.maxPendingBytes) {
                    throw new PendingWriteQueueLimitExceededException("Max queued data limit exceeded: " + remaining + '>' + SSLFilter.this.maxPendingBytes);
                }
                this.sizeInBytes = remaining;
                this.pendingWriteContexts.add(filterChainContext);
                return true;
            }
        }

        @Override // org.glassfish.grizzly.EmptyCompletionHandler, org.glassfish.grizzly.CompletionHandler
        public void completed(SSLEngine sSLEngine) {
            try {
                synchronized (this.connection) {
                    this.isComplete = true;
                    Iterator<FilterChainContext> it = this.pendingWriteContexts.iterator();
                    while (it.hasNext()) {
                        it.next().resume();
                    }
                    this.pendingWriteContexts.clear();
                    this.sizeInBytes = 0;
                }
            } catch (Exception e) {
                failed(e);
            }
        }

        @Override // org.glassfish.grizzly.EmptyCompletionHandler, org.glassfish.grizzly.CompletionHandler
        public void cancelled() {
            failed(new CancellationException());
        }

        @Override // org.glassfish.grizzly.EmptyCompletionHandler, org.glassfish.grizzly.CompletionHandler
        public void failed(Throwable th) {
            synchronized (this.connection) {
                if (th instanceof IOException) {
                    this.error = (IOException) th;
                } else {
                    this.error = new IOException(th);
                }
            }
            try {
                this.connection.close();
            } catch (IOException e) {
            }
        }
    }

    public SSLFilter() {
        this(null, null);
    }

    public SSLFilter(SSLEngineConfigurator sSLEngineConfigurator, SSLEngineConfigurator sSLEngineConfigurator2) {
        this(sSLEngineConfigurator, sSLEngineConfigurator2, true);
    }

    public SSLFilter(SSLEngineConfigurator sSLEngineConfigurator, SSLEngineConfigurator sSLEngineConfigurator2, boolean z) {
        super(new SSLDecoderTransformer(), new SSLEncoderTransformer());
        this.closeListener = new ConnectionCloseListener(this, null);
        this.maxPendingBytes = Integer.MAX_VALUE;
        this.renegotiateOnClientAuthWant = z;
        if (sSLEngineConfigurator == null) {
            this.serverSSLEngineConfigurator = new SSLEngineConfigurator(SSLContextConfigurator.DEFAULT_CONFIG.createSSLContext(), false, false, false);
        } else {
            this.serverSSLEngineConfigurator = sSLEngineConfigurator;
        }
        if (sSLEngineConfigurator2 == null) {
            this.clientSSLEngineConfigurator = new SSLEngineConfigurator(SSLContextConfigurator.DEFAULT_CONFIG.createSSLContext(), true, false, false);
        } else {
            this.clientSSLEngineConfigurator = sSLEngineConfigurator2;
        }
        this.handshakeCompletionHandlerAttr = Grizzly.DEFAULT_ATTRIBUTE_BUILDER.createAttribute("SSLFilter-HandshakeCompletionHandlerAttr");
        this.initiatingContextAttr = Grizzly.DEFAULT_ATTRIBUTE_BUILDER.createAttribute("SSLFilter-HandshakingInitiatingContextAttr");
    }

    @Override // org.glassfish.grizzly.filterchain.BaseFilter, org.glassfish.grizzly.filterchain.Filter
    public NextAction handleEvent(FilterChainContext filterChainContext, FilterChainEvent filterChainEvent) throws IOException {
        if (filterChainEvent.type() != "CERT_EVENT") {
            return filterChainContext.getInvokeAction();
        }
        CertificateEvent certificateEvent = (CertificateEvent) filterChainEvent;
        certificateEvent.certs = getPeerCertificateChain(SSLUtils.getSSLEngine(filterChainContext.getConnection()), filterChainContext, certificateEvent.needClientAuth);
        return filterChainContext.getStopAction();
    }

    @Override // org.glassfish.grizzly.filterchain.AbstractCodecFilter, org.glassfish.grizzly.filterchain.BaseFilter, org.glassfish.grizzly.filterchain.Filter
    public NextAction handleRead(FilterChainContext filterChainContext) throws IOException {
        Connection connection = filterChainContext.getConnection();
        SSLEngine sSLEngine = SSLUtils.getSSLEngine(connection);
        if (sSLEngine != null && !SSLUtils.isHandshaking(sSLEngine)) {
            return super.handleRead(filterChainContext);
        }
        if (sSLEngine == null) {
            sSLEngine = this.serverSSLEngineConfigurator.createSSLEngine();
            sSLEngine.beginHandshake();
            SSLUtils.setSSLEngine(connection, sSLEngine);
        }
        Buffer doHandshakeStep = doHandshakeStep(sSLEngine, filterChainContext);
        boolean hasRemaining = doHandshakeStep.hasRemaining();
        if (!SSLUtils.isHandshaking(sSLEngine)) {
            notifyHandshakeCompleted(connection, sSLEngine);
            if (hasRemaining) {
                filterChainContext.setMessage(doHandshakeStep);
                return super.handleRead(filterChainContext);
            }
        }
        return filterChainContext.getStopAction(hasRemaining ? doHandshakeStep : null);
    }

    @Override // org.glassfish.grizzly.filterchain.AbstractCodecFilter, org.glassfish.grizzly.filterchain.BaseFilter, org.glassfish.grizzly.filterchain.Filter
    public NextAction handleWrite(FilterChainContext filterChainContext) throws IOException {
        NextAction accurateWrite;
        Connection connection = filterChainContext.getConnection();
        SSLEngine sSLEngine = SSLUtils.getSSLEngine(connection);
        if (sSLEngine != null && !SSLUtils.isHandshaking(sSLEngine)) {
            return accurateWrite(filterChainContext, true);
        }
        synchronized (connection) {
            if (SSLUtils.getSSLEngine(connection) == null) {
                this.initiatingContextAttr.set((AttributeStorage) filterChainContext.getConnection(), (Connection) filterChainContext);
                handshake(connection, new PendingWriteCompletionHandler(connection), null, this.clientSSLEngineConfigurator);
            }
            accurateWrite = accurateWrite(filterChainContext, false);
        }
        return accurateWrite;
    }

    public int getMaxPendingBytesPerConnection() {
        return this.maxPendingBytes;
    }

    public void setMaxPendingBytesPerConnection(int i) {
        this.maxPendingBytes = i;
    }

    public void handshake(Connection connection, CompletionHandler<SSLEngine> completionHandler) throws IOException {
        handshake(connection, completionHandler, null, this.clientSSLEngineConfigurator);
    }

    public void handshake(Connection connection, CompletionHandler<SSLEngine> completionHandler, Object obj) throws IOException {
        handshake(connection, completionHandler, obj, this.clientSSLEngineConfigurator);
    }

    public void handshake(Connection connection, CompletionHandler<SSLEngine> completionHandler, Object obj, SSLEngineConfigurator sSLEngineConfigurator) throws IOException {
        SSLEngine sSLEngine = SSLUtils.getSSLEngine(connection);
        if (sSLEngine == null) {
            sSLEngine = sSLEngineConfigurator.createSSLEngine();
            sSLEngine.beginHandshake();
            SSLUtils.setSSLEngine(connection, sSLEngine);
        } else {
            sSLEngineConfigurator.configure(sSLEngine);
            sSLEngine.beginHandshake();
        }
        if (completionHandler != null) {
            this.handshakeCompletionHandlerAttr.set((AttributeStorage) connection, (Connection) completionHandler);
            connection.addCloseListener(this.closeListener);
        }
        doHandshakeStep(sSLEngine, createContext(connection, FilterChainContext.Operation.WRITE));
    }

    /* JADX WARN: Can't fix incorrect switch cases order, some code will duplicate */
    /* JADX WARN: Failed to find 'out' block for switch in B:11:0x0052. Please report as an issue. */
    protected Buffer doHandshakeStep(SSLEngine sSLEngine, FilterChainContext filterChainContext) throws IOException {
        Connection connection = filterChainContext.getConnection();
        Object address = filterChainContext.getAddress();
        Buffer buffer = (Buffer) filterChainContext.getMessage();
        boolean isLoggable = LOGGER.isLoggable(Level.FINEST);
        try {
            synchronized (connection) {
                SSLEngineResult.HandshakeStatus handshakeStatus = sSLEngine.getHandshakeStatus();
                do {
                    if (isLoggable) {
                        LOGGER.log(Level.FINEST, "Loop Engine: {0} handshakeStatus={1}", new Object[]{sSLEngine, sSLEngine.getHandshakeStatus()});
                    }
                    switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[handshakeStatus.ordinal()]) {
                        case 1:
                            if (isLoggable) {
                                LOGGER.log(Level.FINEST, "NEED_UNWRAP Engine: {0}", sSLEngine);
                            }
                            if (buffer != null && buffer.hasRemaining()) {
                                SSLEngineResult handshakeUnwrap = SSLUtils.handshakeUnwrap(connection, sSLEngine, buffer);
                                if (handshakeUnwrap != null) {
                                    SSLEngineResult.Status status = handshakeUnwrap.getStatus();
                                    if (status != SSLEngineResult.Status.BUFFER_UNDERFLOW) {
                                        if (status != SSLEngineResult.Status.BUFFER_OVERFLOW) {
                                            handshakeStatus = sSLEngine.getHandshakeStatus();
                                            break;
                                        } else {
                                            throw new SSLException("Buffer overflow");
                                        }
                                    } else {
                                        return buffer;
                                    }
                                } else {
                                    return buffer;
                                }
                            } else {
                                return buffer;
                            }
                            break;
                        case 2:
                            if (isLoggable) {
                                LOGGER.log(Level.FINEST, "NEED_WRAP Engine: {0}", sSLEngine);
                            }
                            Buffer handshakeWrap = SSLUtils.handshakeWrap(connection, sSLEngine);
                            try {
                                filterChainContext.write(address, handshakeWrap, (CompletionHandler<WriteResult>) null);
                                handshakeStatus = sSLEngine.getHandshakeStatus();
                                break;
                            } catch (IOException e) {
                                handshakeWrap.dispose();
                                throw e;
                            } catch (Exception e2) {
                                handshakeWrap.dispose();
                                throw new IOException("Unexpected exception", e2);
                            }
                        case 3:
                            if (isLoggable) {
                                LOGGER.log(Level.FINEST, "NEED_TASK Engine: {0}", sSLEngine);
                            }
                            SSLUtils.executeDelegatedTask(sSLEngine);
                            handshakeStatus = sSLEngine.getHandshakeStatus();
                            break;
                        case 4:
                        case 5:
                            return buffer;
                    }
                } while (handshakeStatus != SSLEngineResult.HandshakeStatus.FINISHED);
                return buffer;
            }
        } catch (IOException e3) {
            FilterChainContext filterChainContext2 = this.initiatingContextAttr.get(connection);
            if (filterChainContext2 != null) {
                try {
                    filterChainContext2.getFilterChain().fail(filterChainContext2, e3);
                } finally {
                    this.initiatingContextAttr.remove(connection);
                }
            }
            this.initiatingContextAttr.remove(connection);
            throw e3;
        }
    }

    protected void renegotiate(SSLEngine sSLEngine, FilterChainContext filterChainContext) throws IOException {
        if (!sSLEngine.getWantClientAuth() || this.renegotiateOnClientAuthWant) {
            boolean z = sSLEngine.getWantClientAuth() || sSLEngine.getNeedClientAuth();
            if (!z) {
                sSLEngine.setNeedClientAuth(true);
            }
            Connection connection = filterChainContext.getConnection();
            sSLEngine.getSession().invalidate();
            try {
                sSLEngine.beginHandshake();
                try {
                    try {
                        Buffer handshakeWrap = SSLUtils.handshakeWrap(connection, sSLEngine);
                        try {
                            filterChainContext.write(filterChainContext.getAddress(), handshakeWrap, (CompletionHandler<WriteResult>) null);
                            Buffer buffer = (Buffer) filterChainContext.read().getMessage();
                            filterChainContext.setMessage(buffer);
                            while (SSLUtils.isHandshaking(sSLEngine)) {
                                doHandshakeStep(sSLEngine, filterChainContext);
                                if (!buffer.hasRemaining() && SSLUtils.isHandshaking(sSLEngine)) {
                                    buffer = (Buffer) filterChainContext.read().getMessage();
                                    filterChainContext.setMessage(buffer);
                                }
                            }
                            if (z) {
                                return;
                            }
                            sSLEngine.setNeedClientAuth(false);
                        } catch (IOException e) {
                            handshakeWrap.dispose();
                            throw e;
                        } catch (Exception e2) {
                            handshakeWrap.dispose();
                            throw new IOException("Unexpected exception", e2);
                        }
                    } catch (Throwable th) {
                        if (LOGGER.isLoggable(Level.FINE)) {
                            LOGGER.log(Level.FINE, "Error during handshake", th);
                        }
                        if (z) {
                            return;
                        }
                        sSLEngine.setNeedClientAuth(false);
                    }
                } catch (Throwable th2) {
                    if (!z) {
                        sSLEngine.setNeedClientAuth(false);
                    }
                    throw th2;
                }
            } catch (SSLHandshakeException e3) {
                if (e3.toString().toLowerCase().contains("insecure renegotiation") && LOGGER.isLoggable(Level.SEVERE)) {
                    LOGGER.severe("Secure SSL/TLS renegotiation is not supported by the peer.  This is most likely due to the peer using an older SSL/TLS implementation that does not implement RFC 5746.");
                }
                throw e3;
            }
        }
    }

    protected Object[] getPeerCertificateChain(SSLEngine sSLEngine, FilterChainContext filterChainContext, boolean z) throws IOException {
        X509Certificate[] extractX509Certs;
        Certificate[] peerCertificates = getPeerCertificates(sSLEngine);
        if (peerCertificates != null) {
            return peerCertificates;
        }
        if (z) {
            renegotiate(sSLEngine, filterChainContext);
        }
        Certificate[] peerCertificates2 = getPeerCertificates(sSLEngine);
        if (peerCertificates2 == null || (extractX509Certs = extractX509Certs(peerCertificates2)) == null || extractX509Certs.length < 1) {
            return null;
        }
        return extractX509Certs;
    }

    private NextAction accurateWrite(FilterChainContext filterChainContext, boolean z) throws IOException {
        Connection connection = filterChainContext.getConnection();
        CompletionHandler<SSLEngine> completionHandler = this.handshakeCompletionHandlerAttr.get(connection);
        boolean z2 = completionHandler instanceof PendingWriteCompletionHandler;
        if (z && !z2) {
            return super.handleWrite(filterChainContext);
        }
        if (z2) {
            return !((PendingWriteCompletionHandler) completionHandler).add(filterChainContext) ? super.handleWrite(filterChainContext) : filterChainContext.getSuspendAction();
        }
        SSLEngine sSLEngine = SSLUtils.getSSLEngine(connection);
        if (sSLEngine == null || SSLUtils.isHandshaking(sSLEngine)) {
            throw new IllegalStateException("Handshake is not completed!");
        }
        return super.handleWrite(filterChainContext);
    }

    private X509Certificate[] extractX509Certs(Certificate[] certificateArr) {
        X509Certificate[] x509CertificateArr = new X509Certificate[certificateArr.length];
        int length = certificateArr.length;
        for (int i = 0; i < length; i++) {
            if (certificateArr[i] instanceof X509Certificate) {
                x509CertificateArr[i] = (X509Certificate) certificateArr[i];
            } else {
                try {
                    x509CertificateArr[i] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(certificateArr[i].getEncoded()));
                } catch (Exception e) {
                    LOGGER.log(Level.INFO, "Error translating cert " + certificateArr[i], (Throwable) e);
                    return null;
                }
            }
            if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Cert #{0} = {1}", new Object[]{Integer.valueOf(i), x509CertificateArr[i]});
            }
        }
        return x509CertificateArr;
    }

    private Certificate[] getPeerCertificates(SSLEngine sSLEngine) {
        try {
            return sSLEngine.getSession().getPeerCertificates();
        } catch (Throwable th) {
            if (!LOGGER.isLoggable(Level.FINE)) {
                return null;
            }
            LOGGER.log(Level.FINE, "Error getting client certs", th);
            return null;
        }
    }

    private void notifyHandshakeCompleted(Connection connection, SSLEngine sSLEngine) {
        CompletionHandler<SSLEngine> completionHandler = this.handshakeCompletionHandlerAttr.get(connection);
        if (completionHandler != null) {
            connection.removeCloseListener(this.closeListener);
            completionHandler.completed(sSLEngine);
            this.handshakeCompletionHandlerAttr.remove(connection);
        }
    }
}
