package io.netty.handler.ssl;

import com.alibaba.com.caucho.hessian.io.Hessian2Constants;
import io.netty.buffer.ByteBufAllocator;
import io.netty.util.internal.ObjectUtil;
import io.netty.util.internal.PlatformDependent;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicIntegerFieldUpdater;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.transaction.xa.XAResource;
import org.apache.tomcat.jni.CertificateVerifier;
import org.apache.tomcat.jni.Pool;
import org.apache.tomcat.jni.SSLContext;

/* loaded from: input_file:lib/netty-handler-4.0.27.Final.jar:io/netty/handler/ssl/OpenSslContext.class */
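/**
 * Base class for {@link SslContext} implementations backed by a native OpenSSL context that is
 * created and configured through the {@code org.apache.tomcat.jni} bindings.
 *
 * <p>This listing is JADX decompiler output. Numeric flags appear as raw literals or as unrelated
 * constants that happen to share the same value, and several members carry wider access
 * modifiers than the decompiler found in the class file (noted on each member).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When no cipher list is supplied, {@code DEFAULT_CIPHERS} is used. It includes
 *       {@code RC4-SHA} and {@code DES-CBC3-SHA}; callers that need a modern policy should pass
 *       an explicit list.</li>
 *   <li>{@link #newEngine(ByteBufAllocator, String, int)} is unsupported, so engines created
 *       here carry no peer host or port.</li>
 *   <li>The native context is released from {@link #finalize()}, so its lifetime depends on
 *       garbage collection.</li>
 * </ul>
 */
public abstract class OpenSslContext extends SslContext {
    private static final InternalLogger logger = InternalLoggerFactory.getInstance(OpenSslContext.class);

    /** Cipher suites used when the caller passes {@code null}; filled in by the static initializer. */
    private static final List<String> DEFAULT_CIPHERS;

    /** CAS handle on {@code aprPoolDestroyed}, used so the APR pool is destroyed at most once. */
    private static final AtomicIntegerFieldUpdater<OpenSslContext> DESTROY_UPDATER;

    // Not referenced in this class; presumably the chain depth subclasses hand to the native
    // verifier -- confirm against the subclasses.
    protected static final int VERIFY_DEPTH = 10;

    /** Handle of the APR memory pool that owns the native context. */
    private final long aprPool;

    /** 0 until {@link #destroyPools()} wins the CAS, then 1. Accessed only via DESTROY_UPDATER. */
    private volatile int aprPoolDestroyed;

    private final List<String> ciphers;
    private final List<String> unmodifiableCiphers;
    private final long sessionCacheSize;
    private final long sessionTimeout;
    private final OpenSslApplicationProtocolNegotiator apn;

    /** Native context handle returned by {@code SSLContext.make}. */
    protected final long ctx;

    /** 0 for client mode, 1 for server mode (see the constructor check and {@link #isClient()}). */
    private final int mode;

    /**
     * Adapter from the native verification callback, which receives the chain as raw byte
     * arrays, to a callback that receives {@link X509Certificate} objects.
     *
     * <p>Verification fails closed: any exception from the delegate, or from building the
     * certificate array, is turned into {@code false}. The cause is logged at debug level only,
     * so rejected handshakes are not visible at default log levels.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static abstract class AbstractCertificateVerifier implements CertificateVerifier {
        /**
         * Native entry point.
         *
         * @param j    passed through unchanged to the delegate (presumably the native SSL
         *             handle -- confirm against {@code CertificateVerifier})
         * @param bArr peer certificate chain, one encoded certificate per element
         * @param str  passed through unchanged to the delegate (presumably the authentication
         *             algorithm -- confirm)
         * @return {@code true} if the delegate returned normally, {@code false} if anything threw
         */
        public final boolean verify(long j, byte[][] bArr, String str) {
            try {
                verify(j, OpenSslContext.certificates(bArr), str);
                return true;
            } catch (Exception e) {
                // Fail closed; the reason is only recorded at debug level.
                OpenSslContext.logger.debug("verification of certificate failed", e);
                return false;
            }
        }

        /**
         * Performs the actual chain validation; implementations signal rejection by throwing.
         *
         * @throws Exception if the chain is not acceptable
         */
        abstract void verify(long j, X509Certificate[] x509CertificateArr, String str) throws Exception;
    }

    /**
     * {@link OpenSslEngineMap} backed by a concurrent map keyed by the value of
     * {@link OpenSslEngine#ssl()}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static final class DefaultOpenSslEngineMap implements OpenSslEngineMap {
        private final Map<Long, OpenSslEngine> engines;

        private DefaultOpenSslEngineMap() {
            this.engines = PlatformDependent.newConcurrentHashMap();
        }

        /** Removes and returns the engine registered under {@code j}, or {@code null} if absent. */
        @Override // io.netty.handler.ssl.OpenSslEngineMap
        public OpenSslEngine remove(long j) {
            return this.engines.remove(j);
        }

        /** Registers {@code openSslEngine} under its {@code ssl()} value. */
        @Override // io.netty.handler.ssl.OpenSslEngineMap
        public void add(OpenSslEngine openSslEngine) {
            this.engines.put(openSslEngine.ssl(), openSslEngine);
        }
    }

    /**
     * Creates a context from an {@link ApplicationProtocolConfig}; the config is converted with
     * {@link #toNegotiator(ApplicationProtocolConfig, boolean)} before delegating.
     *
     * @param iterable                  cipher suites, or {@code null} for the defaults
     * @param applicationProtocolConfig protocol negotiation settings, may be {@code null}
     * @param j                         session cache size; values {@code <= 0} keep the native default
     * @param j2                        session timeout; values {@code <= 0} keep the native default
     * @param i                         0 for client mode, 1 for server mode
     * @throws SSLException if the native context cannot be created or configured
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OpenSslContext(Iterable<String> iterable, ApplicationProtocolConfig applicationProtocolConfig, long j, long j2, int i) throws SSLException {
        this(iterable, toNegotiator(applicationProtocolConfig, i == 1), j, j2, i);
    }

    /**
     * Creates and configures the native context.
     *
     * @param iterable                             cipher suites, or {@code null} for the
     *                                             defaults; iteration stops at the first
     *                                             {@code null} element
     * @param openSslApplicationProtocolNegotiator negotiator, must not be {@code null}
     * @param j                                    session cache size; values {@code <= 0} keep
     *                                             the native default
     * @param j2                                   session timeout; values {@code <= 0} keep the
     *                                             native default
     * @param i                                    0 for client mode, 1 for server mode
     * @throws SSLException             if the native context cannot be created or configured
     * @throws IllegalArgumentException if {@code i} is neither 0 nor 1
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public OpenSslContext(Iterable<String> iterable, OpenSslApplicationProtocolNegotiator openSslApplicationProtocolNegotiator, long j, long j2, int i) throws SSLException {
        this.ciphers = new ArrayList<String>();
        this.unmodifiableCiphers = Collections.unmodifiableList(this.ciphers);
        OpenSsl.ensureAvailability();
        if (i != 1 && i != 0) {
            throw new IllegalArgumentException("mode must be either SSL.SSL_MODE_SERVER or SSL.SSL_MODE_CLIENT");
        }
        this.mode = i;
        for (String cipher : iterable == null ? DEFAULT_CIPHERS : iterable) {
            if (cipher == null) {
                // NOTE(review): a null element silently truncates the list, so every suite
                // after it is dropped without an error.
                break;
            }
            // Names the converter does not recognise are passed through unchanged.
            String converted = CipherSuiteConverter.toOpenSsl(cipher);
            this.ciphers.add(converted != null ? converted : cipher);
        }
        this.apn = ObjectUtil.checkNotNull(openSslApplicationProtocolNegotiator, "apn");
        this.aprPool = Pool.create(0L);
        try {
            // All native context creation and configuration is serialised on the class lock.
            synchronized (OpenSslContext.class) {
                try {
                    // NOTE(review): 28 is the protocol mask. It is presumably the binding's
                    // "all TLS versions" value; confirm against the bundled native library.
                    this.ctx = SSLContext.make(this.aprPool, 28, i);

                    // The decompiler replaced the option literals below with unrelated constants
                    // of equal value. Going by the numeric values, they appear to match these
                    // OpenSSL 1.0.x flags (confirm against the binding's SSL constants):
                    //   PACKET_SHORT_MAX        -> SSL_OP_ALL (if the constant is 0xFFF)
                    //   TMSTARTRSCAN 0x01000000 -> SSL_OP_NO_SSLv2
                    //   TMSUSPEND    0x02000000 -> SSL_OP_NO_SSLv3
                    //   4194304      0x00400000 -> SSL_OP_CIPHER_SERVER_PREFERENCE
                    //   524288       0x00080000 -> SSL_OP_SINGLE_ECDH_USE
                    //   1048576      0x00100000 -> SSL_OP_SINGLE_DH_USE
                    //   65536        0x00010000 -> SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
                    SSLContext.setOptions(this.ctx, Hessian2Constants.PACKET_SHORT_MAX);
                    SSLContext.setOptions(this.ctx, XAResource.TMSTARTRSCAN);
                    SSLContext.setOptions(this.ctx, XAResource.TMSUSPEND);
                    SSLContext.setOptions(this.ctx, 4194304);
                    SSLContext.setOptions(this.ctx, 524288);
                    SSLContext.setOptions(this.ctx, 1048576);
                    SSLContext.setOptions(this.ctx, 65536);
                    try {
                        SSLContext.setCipherSuite(this.ctx, CipherSuiteConverter.toOpenSsl(this.ciphers));

                        // Advertise the negotiator's protocols as one comma-separated string.
                        List<String> protocols = openSslApplicationProtocolNegotiator.protocols();
                        if (!protocols.isEmpty()) {
                            StringBuilder joined = new StringBuilder();
                            for (String protocol : protocols) {
                                joined.append(protocol);
                                joined.append(',');
                            }
                            joined.setLength(joined.length() - 1);
                            SSLContext.setNextProtos(this.ctx, joined.toString());
                        }

                        if (j > 0) {
                            this.sessionCacheSize = j;
                            SSLContext.setSessionCacheSize(this.ctx, j);
                        } else {
                            // Read the native default: set a temporary value, keep what the call
                            // returns (presumably the previous setting), then restore it. The
                            // decompiler emitted 'this' as the second argument of the restore.
                            this.sessionCacheSize = SSLContext.setSessionCacheSize(this.ctx, 20480L);
                            SSLContext.setSessionCacheSize(this.ctx, this.sessionCacheSize);
                        }
                        if (j2 > 0) {
                            this.sessionTimeout = j2;
                            SSLContext.setSessionCacheTimeout(this.ctx, j2);
                        } else {
                            // Same read-then-restore pattern as for the cache size.
                            this.sessionTimeout = SSLContext.setSessionCacheTimeout(this.ctx, 300L);
                            SSLContext.setSessionCacheTimeout(this.ctx, this.sessionTimeout);
                        }
                    } catch (SSLException e) {
                        throw e;
                    } catch (Exception e2) {
                        throw new SSLException("failed to set cipher suite: " + this.ciphers, e2);
                    }
                } catch (Exception e3) {
                    // NOTE(review): as decompiled, this handler also catches the SSLException
                    // rethrown above and reports it as a context-creation failure. That is
                    // probably a try/catch nesting artifact; confirm before relying on the
                    // message when triaging handshake-setup errors.
                    throw new SSLException("failed to create an SSL_CTX", e3);
                }
            }
        } catch (Throwable th) {
            // Release the APR pool if construction fails part-way. The decompiler rendered the
            // original success flag as constant conditions; this is the equivalent form.
            destroyPools();
            throw th;
        }
    }

    /** Returns a read-only view of the configured cipher suites. */
    @Override // io.netty.handler.ssl.SslContext
    public final List<String> cipherSuites() {
        return this.unmodifiableCiphers;
    }

    /** Returns the session cache size recorded at construction time. */
    @Override // io.netty.handler.ssl.SslContext
    public final long sessionCacheSize() {
        return this.sessionCacheSize;
    }

    /** Returns the session timeout recorded at construction time. */
    @Override // io.netty.handler.ssl.SslContext
    public final long sessionTimeout() {
        return this.sessionTimeout;
    }

    /** Returns the negotiator supplied to, or derived by, the constructor. */
    @Override // io.netty.handler.ssl.SslContext
    public ApplicationProtocolNegotiator applicationProtocolNegotiator() {
        return this.apn;
    }

    /** Returns {@code true} when this context was created with mode 0 (client). */
    @Override // io.netty.handler.ssl.SslContext
    public final boolean isClient() {
        return this.mode == 0;
    }

    /**
     * Not supported by this provider.
     *
     * <p>Because the peer host and port cannot be supplied, engines from this context have no
     * peer identity attached; any hostname check has to be done by the caller.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // io.netty.handler.ssl.SslContext
    public final SSLEngine newEngine(ByteBufAllocator byteBufAllocator, String str, int i) {
        throw new UnsupportedOperationException();
    }

    /**
     * Creates an engine on the shared native context and registers it in {@link #engineMap()}.
     *
     * <p>If the negotiator lists any protocols, the last one is handed to the engine. This is
     * presumably the fallback for the {@code CHOOSE_MY_LAST_PROTOCOL} behaviour accepted by
     * {@link #toNegotiator(ApplicationProtocolConfig, boolean)} -- confirm in
     * {@code OpenSslEngine}.
     */
    @Override // io.netty.handler.ssl.SslContext
    public final SSLEngine newEngine(ByteBufAllocator byteBufAllocator) {
        List<String> protocols = applicationProtocolNegotiator().protocols();
        OpenSslEngineMap engineMap = engineMap();
        String fallbackProtocol = protocols.isEmpty() ? null : protocols.get(protocols.size() - 1);
        OpenSslEngine openSslEngine = new OpenSslEngine(this.ctx, byteBufAllocator, fallbackProtocol, isClient(), sessionContext(), engineMap);
        engineMap.add(openSslEngine);
        return openSslEngine;
    }

    /** Returns the map in which engines created by this context are registered. */
    abstract OpenSslEngineMap engineMap();

    /** Returns the raw native context handle. */
    public final long context() {
        return this.ctx;
    }

    /** Returns the session statistics of {@link #sessionContext()}. */
    @Deprecated
    public final OpenSslSessionStats stats() {
        return sessionContext().stats();
    }

    /**
     * Frees the native context under the class lock and then destroys the APR pool.
     *
     * <p>NOTE(review): native cleanup depends on finalization, so the timing of the free is
     * decided by the garbage collector. Nothing here checks whether engines created from
     * {@code ctx} are still in use.
     */
    protected final void finalize() throws Throwable {
        super.finalize();
        synchronized (OpenSslContext.class) {
            if (this.ctx != 0) {
                SSLContext.free(this.ctx);
            }
        }
        destroyPools();
    }

    /** Forwards the session ticket keys to {@link #sessionContext()}. */
    @Deprecated
    public final void setTicketKeys(byte[] bArr) {
        sessionContext().setTicketKeys(bArr);
    }

    @Override // io.netty.handler.ssl.SslContext
    public abstract OpenSslSessionContext sessionContext();

    /**
     * Destroys the APR pool once. The compare-and-set on {@code aprPoolDestroyed} makes repeated
     * or concurrent calls harmless, which guards against a double free of the native pool.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public final void destroyPools() {
        if (this.aprPool == 0 || !DESTROY_UPDATER.compareAndSet(this, 0, 1)) {
            return;
        }
        Pool.destroy(this.aprPool);
    }

    /**
     * Wraps each encoded certificate of a chain in an {@link OpenSslX509Certificate}.
     *
     * @param bArr chain as received from the native layer; a {@code null} array throws
     *             {@link NullPointerException}, which the verifier adapter treats as a failed
     *             verification
     * @return array of the same length and order as {@code bArr}
     */
    protected static X509Certificate[] certificates(byte[][] bArr) {
        X509Certificate[] chain = new X509Certificate[bArr.length];
        for (int idx = 0; idx < chain.length; idx++) {
            chain[idx] = new OpenSslX509Certificate(bArr[idx]);
        }
        return chain;
    }

    /**
     * Returns the first {@link X509TrustManager} in the array; later entries are ignored.
     *
     * @throws IllegalStateException if the array contains no {@link X509TrustManager}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static X509TrustManager chooseTrustManager(TrustManager[] trustManagerArr) {
        for (TrustManager trustManager : trustManagerArr) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new IllegalStateException("no X509TrustManager found");
    }

    /**
     * Translates an {@link ApplicationProtocolConfig} into an OpenSSL negotiator.
     *
     * <p>Only {@code NONE}, or {@code NPN} in server mode with
     * {@code CHOOSE_MY_LAST_PROTOCOL}, is accepted.
     *
     * @param applicationProtocolConfig configuration, or {@code null} for the default negotiator
     * @param z                         {@code true} when the context is in server mode
     * @throws UnsupportedOperationException for any other protocol, behaviour or mode
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static OpenSslApplicationProtocolNegotiator toNegotiator(ApplicationProtocolConfig applicationProtocolConfig, boolean z) {
        if (applicationProtocolConfig == null) {
            return OpenSslDefaultApplicationProtocolNegotiator.INSTANCE;
        }
        switch (applicationProtocolConfig.protocol()) {
            case NONE:
                return OpenSslDefaultApplicationProtocolNegotiator.INSTANCE;
            case NPN:
                if (!z) {
                    throw new UnsupportedOperationException("OpenSSL provider does not support client mode");
                }
                switch (applicationProtocolConfig.selectedListenerFailureBehavior()) {
                    case CHOOSE_MY_LAST_PROTOCOL:
                        return new OpenSslNpnApplicationProtocolNegotiator(applicationProtocolConfig.supportedProtocols());
                    default:
                        throw new UnsupportedOperationException("OpenSSL provider does not support " + applicationProtocolConfig.selectedListenerFailureBehavior() + " behavior");
                }
            default:
                throw new UnsupportedOperationException("OpenSSL provider does not support " + applicationProtocolConfig.protocol() + " protocol");
        }
    }

    /**
     * Returns a tracking engine map when the trust manager is an extended one, otherwise the
     * shared {@code OpenSslEngineMap.EMPTY}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static OpenSslEngineMap newEngineMap(X509TrustManager x509TrustManager) {
        return useExtendedTrustManager(x509TrustManager) ? new DefaultOpenSslEngineMap() : OpenSslEngineMap.EMPTY;
    }

    /**
     * Returns {@code true} when running on Java 7 or later and the trust manager is an
     * {@link X509ExtendedTrustManager}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean useExtendedTrustManager(X509TrustManager x509TrustManager) {
        return PlatformDependent.javaVersion() >= 7 && (x509TrustManager instanceof X509ExtendedTrustManager);
    }

    static {
        // NOTE(review): the fallback list ends with DES-CBC3-SHA (3DES) and RC4-SHA, and half of
        // it uses static-RSA key exchange without forward secrecy. It is left unchanged here
        // because callers may depend on it; deployments should pass an explicit cipher list.
        List<String> defaults = new ArrayList<String>();
        Collections.addAll(defaults, "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA", "AES128-GCM-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-SHA");
        DEFAULT_CIPHERS = Collections.unmodifiableList(defaults);
        if (logger.isDebugEnabled()) {
            logger.debug("Default cipher suite (OpenSSL): " + defaults);
        }

        // Prefer the platform-specific updater; fall back to the JDK one when it is unavailable.
        AtomicIntegerFieldUpdater<OpenSslContext> updater = PlatformDependent.newAtomicIntegerFieldUpdater(OpenSslContext.class, "aprPoolDestroyed");
        if (updater == null) {
            updater = AtomicIntegerFieldUpdater.newUpdater(OpenSslContext.class, "aprPoolDestroyed");
        }
        DESTROY_UPDATER = updater;
    }
}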
