package sun.security.ssl;

import java.io.IOException;
import java.math.BigInteger;
import java.net.Socket;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AlgorithmConstraints;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.Subject;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import org.glassfish.ejb.deployment.EjbTagNames;
import org.glassfish.grizzly.npn.AlpnServerNegotiator;
import org.glassfish.grizzly.npn.NegotiationSupport;
import org.glassfish.grizzly.npn.ServerSideNegotiator;
import org.h2.security.CipherFactory;
import sun.security.action.GetPropertyAction;
import sun.security.ssl.CipherSuite;
import sun.security.ssl.HandshakeMessage;
import sun.security.ssl.SignatureAndHashAlgorithm;
import sun.security.util.KeyUtil;
import sun.security.util.LegacyAlgorithmConstraints;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:sun/security/ssl/ServerHandshaker.class */
public final class ServerHandshaker extends Handshaker {
    private byte doClientAuth;
    private X509Certificate[] certs;
    private PrivateKey privateKey;
    private Object serviceCreds;
    private boolean needClientVerify;
    private PrivateKey tempPrivateKey;
    private PublicKey tempPublicKey;
    private DHCrypt dh;
    private ECDHCrypt ecdh;
    private ProtocolVersion clientRequestedVersion;
    private SupportedEllipticCurvesExtension supportedCurves;
    SignatureAndHashAlgorithm preferableSignatureAlgorithm;
    private static final boolean useSmartEphemeralDHKeys;
    private static final boolean useLegacyEphemeralDHKeys;
    private static final int customizedDHKeySize;
    private static final AlgorithmConstraints legacyAlgorithmConstraints = new LegacyAlgorithmConstraints(CipherFactory.LEGACY_ALGORITHMS_SECURITY_KEY, new SSLAlgorithmDecomposer());

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: sun.security.ssl.ServerHandshaker$3, reason: invalid class name */
    /* loaded from: input_file:sun/security/ssl/ServerHandshaker$3.class */
    public static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange = new int[CipherSuite.KeyExchange.values().length];

        static {
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_RSA.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_RSA_EXPORT.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_KRB5.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_KRB5_EXPORT.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DHE_RSA.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DHE_DSS.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_ANON.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_RSA.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_ECDSA.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_RSA.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDHE_ECDSA.ordinal()] = 11;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_ECDH_ANON.ordinal()] = 12;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_RSA.ordinal()] = 13;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[CipherSuite.KeyExchange.K_DH_DSS.ordinal()] = 14;
            } catch (NoSuchFieldError e14) {
            }
        }
    }

    ServerHandshaker(SSLSocketImpl sSLSocketImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLSocketImpl, sSLContextImpl, protocolList, b != 0, false, protocolVersion, z, z2, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ServerHandshaker(SSLEngineImpl sSLEngineImpl, SSLContextImpl sSLContextImpl, ProtocolList protocolList, byte b, ProtocolVersion protocolVersion, boolean z, boolean z2, byte[] bArr, byte[] bArr2) {
        super(sSLEngineImpl, sSLContextImpl, protocolList, b != 0, false, protocolVersion, z, z2, bArr, bArr2);
        this.needClientVerify = false;
        this.doClientAuth = b;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void setClientAuth(byte b) {
        this.doClientAuth = b;
    }

    @Override // sun.security.ssl.Handshaker
    void processMessage(byte b, int i) throws IOException {
        SecretKey clientKeyExchange;
        if (this.state >= b && this.state != 16 && b != 15) {
            throw new SSLProtocolException("Handshake message sequence violation, state = " + this.state + ", type = " + ((int) b));
        }
        switch (b) {
            case 1:
                clientHello(new HandshakeMessage.ClientHello(this.input, i));
                break;
            case 11:
                if (this.doClientAuth == 0) {
                    fatalSE((byte) 10, "client sent unsolicited cert chain");
                }
                clientCertificate(new HandshakeMessage.CertificateMsg(this.input));
                break;
            case 15:
                clientCertificateVerify(new HandshakeMessage.CertificateVerify(this.input, getLocalSupportedSignAlgs(), this.protocolVersion));
                break;
            case 16:
                switch (AnonymousClass3.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[this.keyExchange.ordinal()]) {
                    case 1:
                    case 2:
                        clientKeyExchange = clientKeyExchange(new RSAClientKeyExchange(this.protocolVersion, this.clientRequestedVersion, this.sslContext.getSecureRandom(), this.input, i, this.privateKey));
                        break;
                    case 3:
                    case 4:
                        clientKeyExchange = clientKeyExchange(new KerberosClientKeyExchange(this.protocolVersion, this.clientRequestedVersion, this.sslContext.getSecureRandom(), this.input, getAccSE(), this.serviceCreds));
                        break;
                    case 5:
                    case 6:
                    case 7:
                        clientKeyExchange = clientKeyExchange(new DHClientKeyExchange(this.input));
                        break;
                    case 8:
                    case 9:
                    case 10:
                    case 11:
                    case 12:
                        clientKeyExchange = clientKeyExchange(new ECDHClientKeyExchange(this.input));
                        break;
                    default:
                        throw new SSLProtocolException("Unrecognized key exchange: " + this.keyExchange);
                }
                calculateKeys(clientKeyExchange, this.clientRequestedVersion);
                break;
            case 20:
                if (!receivedChangeCipherSpec()) {
                    fatalSE((byte) 40, "Received Finished message before ChangeCipherSpec");
                }
                clientFinished(new HandshakeMessage.Finished(this.protocolVersion, this.input, this.cipherSuite));
                break;
            case 67:
                protocolSelected(this.input);
                break;
            default:
                throw new SSLProtocolException("Illegal server handshake msg, " + ((int) b));
        }
        if (this.state >= b || b == 67) {
            return;
        }
        if (b == 15) {
            this.state = b + 2;
        } else {
            this.state = b;
        }
    }

    private void protocolSelected(HandshakeInStream handshakeInStream) throws IOException {
        ServerSideNegotiator serverSideNegotiator = NegotiationSupport.getServerSideNegotiator(this.engine);
        if (serverSideNegotiator != null) {
            HandshakeMessage.NextProtocol build = HandshakeMessage.NextProtocol.builder().handshakeIn(handshakeInStream).build();
            if (build.protocolBytes.length == 0) {
                serverSideNegotiator.onNoDeal(this.engine);
                return;
            }
            String str = new String(build.protocolBytes, "ISO-8859-1");
            if (debug != null && Debug.isOn("handshake")) {
                System.out.println("NPN selected protocol is: " + str);
            }
            serverSideNegotiator.onSuccess(this.engine, str);
        }
    }

    private void clientHello(HandshakeMessage.ClientHello clientHello) throws IOException {
        HandshakeMessage handshakeMessage;
        SignatureAlgorithmsExtension signatureAlgorithmsExtension;
        SSLSessionImpl sSLSessionImpl;
        Subject subject;
        AlpnServerNegotiator alpnServerNegotiator;
        ServerSideNegotiator serverSideNegotiator;
        if (debug != null && Debug.isOn("handshake")) {
            clientHello.print(System.out);
        }
        if (rejectClientInitiatedRenego && !this.isInitialHandshake && this.state != 0) {
            fatalSE((byte) 40, "Client initiated renegotiation is not allowed");
        }
        ServerNameExtension serverNameExtension = clientHello.extensions.get(ExtensionType.EXT_SERVER_NAME);
        if (!this.sniMatchers.isEmpty() && serverNameExtension != null && !serverNameExtension.isMatched(this.sniMatchers)) {
            fatalSE((byte) 112, "Unrecognized server name indication");
        }
        boolean z = false;
        if (clientHello.getCipherSuites().contains(CipherSuite.C_SCSV)) {
            z = true;
            if (this.isInitialHandshake) {
                this.secureRenegotiation = true;
            } else if (this.secureRenegotiation) {
                fatalSE((byte) 40, "The SCSV is present in a secure renegotiation");
            } else {
                fatalSE((byte) 40, "The SCSV is present in a insecure renegotiation");
            }
        }
        RenegotiationInfoExtension renegotiationInfoExtension = clientHello.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
        if (renegotiationInfoExtension != null) {
            z = true;
            if (this.isInitialHandshake) {
                if (!renegotiationInfoExtension.isEmpty()) {
                    fatalSE((byte) 40, "The renegotiation_info field is not empty");
                }
                this.secureRenegotiation = true;
            } else {
                if (!this.secureRenegotiation) {
                    fatalSE((byte) 40, "The renegotiation_info is present in a insecure renegotiation");
                }
                if (!MessageDigest.isEqual(this.clientVerifyData, renegotiationInfoExtension.getRenegotiatedConnection())) {
                    fatalSE((byte) 40, "Incorrect verify data in ClientHello renegotiation_info message");
                }
            }
        } else if (!this.isInitialHandshake && this.secureRenegotiation) {
            fatalSE((byte) 40, "Inconsistent secure renegotiation indication");
        }
        if (!z || !this.secureRenegotiation) {
            if (this.isInitialHandshake) {
                if (!allowLegacyHelloMessages) {
                    fatalSE((byte) 40, "Failed to negotiate the use of secure renegotiation");
                }
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: No renegotiation indication in ClientHello, allow legacy ClientHello");
                }
            } else if (allowUnsafeRenegotiation) {
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Warning: continue with insecure renegotiation");
                }
            } else {
                if (this.activeProtocolVersion.v >= ProtocolVersion.TLS10.v) {
                    warningSE((byte) 100);
                    this.invalidated = true;
                    if (this.input.available() > 0) {
                        fatalSE((byte) 10, "ClientHello followed by an unexpected  handshake message");
                        return;
                    }
                    return;
                }
                fatalSE((byte) 40, "Renegotiation is not allowed");
            }
        }
        NextProtocolNegotiationExtension nextProtocolNegotiationExtension = null;
        if (this.isInitialHandshake && ((NextProtocolNegotiationExtension) clientHello.extensions.get(ExtensionType.EXT_NEXT_PROTOCOL_NEGOTIATION)) != null && (serverSideNegotiator = NegotiationSupport.getServerSideNegotiator(this.engine)) != null) {
            nextProtocolNegotiationExtension = NextProtocolNegotiationExtension.builder().protocols(serverSideNegotiator.supportedProtocols(this.engine)).build();
        }
        String str = null;
        AlpnExtension alpnExtension = (AlpnExtension) clientHello.extensions.get(ExtensionType.EXT_APPLICATION_LEVEL_PROTOCOL_NEGOTIATION);
        if (alpnExtension != null && (alpnServerNegotiator = NegotiationSupport.getAlpnServerNegotiator(this.engine)) != null) {
            str = alpnServerNegotiator.selectProtocol(this.engine, alpnExtension.protocols);
            if (str == null || str.isEmpty()) {
                fatalSE((byte) 120, "No matching application protocol found.");
            }
        }
        this.input.digestNow();
        HandshakeMessage.ServerHello serverHello = new HandshakeMessage.ServerHello();
        this.clientRequestedVersion = clientHello.protocolVersion;
        ProtocolVersion selectProtocolVersion = selectProtocolVersion(this.clientRequestedVersion);
        if (selectProtocolVersion == null || selectProtocolVersion.v == ProtocolVersion.SSL20Hello.v) {
            fatalSE((byte) 40, "Client requested protocol " + this.clientRequestedVersion + " not enabled or not supported");
        }
        this.handshakeHash.protocolDetermined(selectProtocolVersion);
        setVersion(selectProtocolVersion);
        serverHello.protocolVersion = this.protocolVersion;
        this.clnt_random = clientHello.clnt_random;
        this.svr_random = new RandomCookie(this.sslContext.getSecureRandom());
        serverHello.svr_random = this.svr_random;
        this.session = null;
        if (clientHello.sessionId.length() != 0 && (sSLSessionImpl = this.sslContext.engineGetServerSessionContext().get(clientHello.sessionId.getId())) != null) {
            this.resumingSession = sSLSessionImpl.isRejoinable();
            if (this.resumingSession && sSLSessionImpl.getProtocolVersion() != this.protocolVersion) {
                this.resumingSession = false;
            }
            if (this.resumingSession) {
                List requestedServerNames = sSLSessionImpl.getRequestedServerNames();
                if (serverNameExtension != null) {
                    if (!serverNameExtension.isIdentical(requestedServerNames)) {
                        this.resumingSession = false;
                    }
                } else if (!requestedServerNames.isEmpty()) {
                    this.resumingSession = false;
                }
                if (!this.resumingSession && debug != null && Debug.isOn("handshake")) {
                    System.out.println("The requested server name indication is not identical to the previous one");
                }
            }
            if (this.resumingSession && this.doClientAuth == 2) {
                try {
                    sSLSessionImpl.getPeerPrincipal();
                } catch (SSLPeerUnverifiedException e) {
                    this.resumingSession = false;
                }
            }
            if (this.resumingSession) {
                CipherSuite suite = sSLSessionImpl.getSuite();
                if (suite.keyExchange == CipherSuite.KeyExchange.K_KRB5 || suite.keyExchange == CipherSuite.KeyExchange.K_KRB5_EXPORT) {
                    Principal localPrincipal = sSLSessionImpl.getLocalPrincipal();
                    try {
                        subject = (Subject) AccessController.doPrivileged(new PrivilegedExceptionAction<Subject>() { // from class: sun.security.ssl.ServerHandshaker.1
                            /* JADX WARN: Can't rename method to resolve collision */
                            @Override // java.security.PrivilegedExceptionAction
                            public Subject run() throws Exception {
                                return Krb5Helper.getServerSubject(ServerHandshaker.this.getAccSE());
                            }
                        });
                    } catch (PrivilegedActionException e2) {
                        subject = null;
                        if (debug != null && Debug.isOn(EjbTagNames.SESSION)) {
                            System.out.println("Attempt to obtain subject failed!");
                        }
                    }
                    if (subject == null) {
                        this.resumingSession = false;
                        if (debug != null && Debug.isOn(EjbTagNames.SESSION)) {
                            System.out.println("Kerberos credentials are not present in the current Subject; check if  javax.security.auth.useSubjectAsCreds system property has been set to false");
                        }
                    } else if (!Krb5Helper.isRelated(subject, localPrincipal)) {
                        this.resumingSession = false;
                        if (debug != null && Debug.isOn(EjbTagNames.SESSION)) {
                            System.out.println("Subject cannot provide creds for princ");
                        }
                    } else if (debug != null && Debug.isOn(EjbTagNames.SESSION)) {
                        System.out.println("Subject can provide creds for princ");
                    }
                }
            }
            if (this.resumingSession) {
                CipherSuite suite2 = sSLSessionImpl.getSuite();
                if (isNegotiable(suite2) && clientHello.getCipherSuites().contains(suite2)) {
                    setCipherSuite(suite2);
                } else {
                    this.resumingSession = false;
                }
            }
            if (this.resumingSession) {
                this.session = sSLSessionImpl;
                if (debug != null && (Debug.isOn("handshake") || Debug.isOn(EjbTagNames.SESSION))) {
                    System.out.println("%% Resuming " + this.session);
                }
            }
        }
        if (this.session != null) {
            setHandshakeSessionSE(this.session);
        } else {
            if (!this.enableNewSession) {
                throw new SSLException("Client did not resume a session");
            }
            this.supportedCurves = clientHello.extensions.get(ExtensionType.EXT_ELLIPTIC_CURVES);
            if (this.protocolVersion.v >= ProtocolVersion.TLS12.v && (signatureAlgorithmsExtension = clientHello.extensions.get(ExtensionType.EXT_SIGNATURE_ALGORITHMS)) != null) {
                Collection signAlgorithms = signatureAlgorithmsExtension.getSignAlgorithms();
                if (signAlgorithms == null || signAlgorithms.isEmpty()) {
                    throw new SSLHandshakeException("No peer supported signature algorithms");
                }
                Collection<SignatureAndHashAlgorithm> supportedAlgorithms = SignatureAndHashAlgorithm.getSupportedAlgorithms(this.algorithmConstraints, signAlgorithms);
                if (supportedAlgorithms.isEmpty()) {
                    throw new SSLHandshakeException("No signature and hash algorithm in common");
                }
                setPeerSupportedSignAlgs(supportedAlgorithms);
            }
            this.session = new SSLSessionImpl(this.protocolVersion, CipherSuite.C_NULL, getLocalSupportedSignAlgs(), this.sslContext.getSecureRandom(), getHostAddressSE(), getPortSE());
            if (this.protocolVersion.v >= ProtocolVersion.TLS12.v && this.peerSupportedSignAlgs != null) {
                this.session.setPeerSupportedSignatureAlgorithms(this.peerSupportedSignAlgs);
            }
            List emptyList = Collections.emptyList();
            if (serverNameExtension != null) {
                emptyList = serverNameExtension.getServerNames();
            }
            this.session.setRequestedServerNames(emptyList);
            setHandshakeSessionSE(this.session);
            chooseCipherSuite(clientHello);
            this.session.setSuite(this.cipherSuite);
            this.session.setLocalPrivateKey(this.privateKey);
        }
        if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
            this.handshakeHash.setFinishedAlg(this.cipherSuite.prfAlg.getPRFHashAlg());
        }
        serverHello.cipherSuite = this.cipherSuite;
        serverHello.sessionId = this.session.getSessionId();
        serverHello.compression_method = this.session.getCompression();
        if (this.secureRenegotiation) {
            serverHello.extensions.add(new RenegotiationInfoExtension(this.clientVerifyData, this.serverVerifyData));
        }
        if (!this.sniMatchers.isEmpty() && serverNameExtension != null && !this.resumingSession) {
            serverHello.extensions.add(new ServerNameExtension());
        }
        if (nextProtocolNegotiationExtension != null) {
            serverHello.extensions.add(nextProtocolNegotiationExtension);
        }
        if (this.isInitialHandshake && str != null) {
            serverHello.extensions.add(AlpnExtension.builder().selectedProtocol(str).build());
        }
        if (debug != null && Debug.isOn("handshake")) {
            serverHello.print(System.out);
            System.out.println("Cipher suite:  " + this.session.getSuite());
        }
        serverHello.write(this.output);
        if (this.resumingSession) {
            calculateConnectionKeys(this.session.getMasterSecret());
            sendChangeCipherAndFinish(false);
            return;
        }
        if (this.keyExchange != CipherSuite.KeyExchange.K_KRB5 && this.keyExchange != CipherSuite.KeyExchange.K_KRB5_EXPORT) {
            if (this.keyExchange == CipherSuite.KeyExchange.K_DH_ANON || this.keyExchange == CipherSuite.KeyExchange.K_ECDH_ANON) {
                if (this.certs != null) {
                    throw new RuntimeException("anonymous keyexchange with certs");
                }
            } else {
                if (this.certs == null) {
                    throw new RuntimeException("no certificates");
                }
                HandshakeMessage.CertificateMsg certificateMsg = new HandshakeMessage.CertificateMsg(this.certs);
                this.session.setLocalCertificates(this.certs);
                if (debug != null && Debug.isOn("handshake")) {
                    certificateMsg.print(System.out);
                }
                certificateMsg.write(this.output);
            }
        }
        switch (AnonymousClass3.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[this.keyExchange.ordinal()]) {
            case 1:
            case 3:
            case 4:
                handshakeMessage = null;
                break;
            case 2:
                if (JsseJce.getRSAKeyLength(this.certs[0].getPublicKey()) <= 512) {
                    handshakeMessage = null;
                    break;
                } else {
                    try {
                        handshakeMessage = new HandshakeMessage.RSA_ServerKeyExchange(this.tempPublicKey, this.privateKey, this.clnt_random, this.svr_random, this.sslContext.getSecureRandom());
                        this.privateKey = this.tempPrivateKey;
                        break;
                    } catch (GeneralSecurityException e3) {
                        throwSSLException("Error generating RSA server key exchange", e3);
                        handshakeMessage = null;
                        break;
                    }
                }
            case 5:
            case 6:
                try {
                    handshakeMessage = new HandshakeMessage.DH_ServerKeyExchange(this.dh, this.privateKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, this.sslContext.getSecureRandom(), this.preferableSignatureAlgorithm, this.protocolVersion);
                    break;
                } catch (GeneralSecurityException e4) {
                    throwSSLException("Error generating DH server key exchange", e4);
                    handshakeMessage = null;
                    break;
                }
            case 7:
                handshakeMessage = new HandshakeMessage.DH_ServerKeyExchange(this.dh, this.protocolVersion);
                break;
            case 8:
            case 9:
                handshakeMessage = null;
                break;
            case 10:
            case 11:
            case 12:
                try {
                    handshakeMessage = new HandshakeMessage.ECDH_ServerKeyExchange(this.ecdh, this.privateKey, this.clnt_random.random_bytes, this.svr_random.random_bytes, this.sslContext.getSecureRandom(), this.preferableSignatureAlgorithm, this.protocolVersion);
                    break;
                } catch (GeneralSecurityException e5) {
                    throwSSLException("Error generating ECDH server key exchange", e5);
                    handshakeMessage = null;
                    break;
                }
            default:
                throw new RuntimeException("internal error: " + this.keyExchange);
        }
        if (handshakeMessage != null) {
            if (debug != null && Debug.isOn("handshake")) {
                handshakeMessage.print(System.out);
            }
            handshakeMessage.write(this.output);
        }
        if (this.doClientAuth != 0 && this.keyExchange != CipherSuite.KeyExchange.K_DH_ANON && this.keyExchange != CipherSuite.KeyExchange.K_ECDH_ANON && this.keyExchange != CipherSuite.KeyExchange.K_KRB5 && this.keyExchange != CipherSuite.KeyExchange.K_KRB5_EXPORT) {
            Collection<SignatureAndHashAlgorithm> collection = null;
            if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                collection = getLocalSupportedSignAlgs();
                if (collection.isEmpty()) {
                    throw new SSLHandshakeException("No supported signature algorithm");
                }
                if (SignatureAndHashAlgorithm.getHashAlgorithmNames(collection).isEmpty()) {
                    throw new SSLHandshakeException("No supported signature algorithm");
                }
            }
            HandshakeMessage.CertificateRequest certificateRequest = new HandshakeMessage.CertificateRequest(this.sslContext.getX509TrustManager().getAcceptedIssuers(), this.keyExchange, collection, this.protocolVersion);
            if (debug != null && Debug.isOn("handshake")) {
                certificateRequest.print(System.out);
            }
            certificateRequest.write(this.output);
        }
        HandshakeMessage.ServerHelloDone serverHelloDone = new HandshakeMessage.ServerHelloDone();
        if (debug != null && Debug.isOn("handshake")) {
            serverHelloDone.print(System.out);
        }
        serverHelloDone.write(this.output);
        this.output.flush();
    }

    private void chooseCipherSuite(HandshakeMessage.ClientHello clientHello) throws IOException {
        CipherSuiteList cipherSuites;
        CipherSuiteList activeCipherSuites;
        if (this.preferLocalCipherSuites) {
            cipherSuites = getActiveCipherSuites();
            activeCipherSuites = clientHello.getCipherSuites();
        } else {
            cipherSuites = clientHello.getCipherSuites();
            activeCipherSuites = getActiveCipherSuites();
        }
        ArrayList arrayList = new ArrayList();
        for (CipherSuite cipherSuite : cipherSuites.collection()) {
            if (isNegotiable(activeCipherSuites, cipherSuite) && (this.doClientAuth != 2 || (cipherSuite.keyExchange != CipherSuite.KeyExchange.K_DH_ANON && cipherSuite.keyExchange != CipherSuite.KeyExchange.K_ECDH_ANON))) {
                if (!legacyAlgorithmConstraints.permits(null, cipherSuite.name, null)) {
                    arrayList.add(cipherSuite);
                } else if (trySetCipherSuite(cipherSuite)) {
                    return;
                }
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            if (trySetCipherSuite((CipherSuite) it.next())) {
                return;
            }
        }
        fatalSE((byte) 40, "no cipher suites in common");
    }

    boolean trySetCipherSuite(CipherSuite cipherSuite) {
        if (this.resumingSession) {
            return true;
        }
        if (!cipherSuite.isNegotiable() || this.protocolVersion.v >= cipherSuite.obsoleted || this.protocolVersion.v < cipherSuite.supported) {
            return false;
        }
        CipherSuite.KeyExchange keyExchange = cipherSuite.keyExchange;
        this.privateKey = null;
        this.certs = null;
        this.dh = null;
        this.tempPrivateKey = null;
        this.tempPublicKey = null;
        Collection<SignatureAndHashAlgorithm> collection = null;
        if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
            if (this.peerSupportedSignAlgs != null) {
                collection = this.peerSupportedSignAlgs;
            } else {
                SignatureAndHashAlgorithm signatureAndHashAlgorithm = null;
                switch (AnonymousClass3.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[keyExchange.ordinal()]) {
                    case 1:
                    case 5:
                    case 8:
                    case 10:
                    case 13:
                        signatureAndHashAlgorithm = SignatureAndHashAlgorithm.valueOf(SignatureAndHashAlgorithm.HashAlgorithm.SHA1.value, SignatureAndHashAlgorithm.SignatureAlgorithm.RSA.value, 0);
                        break;
                    case 6:
                    case 14:
                        signatureAndHashAlgorithm = SignatureAndHashAlgorithm.valueOf(SignatureAndHashAlgorithm.HashAlgorithm.SHA1.value, SignatureAndHashAlgorithm.SignatureAlgorithm.DSA.value, 0);
                        break;
                    case 9:
                    case 11:
                        signatureAndHashAlgorithm = SignatureAndHashAlgorithm.valueOf(SignatureAndHashAlgorithm.HashAlgorithm.SHA1.value, SignatureAndHashAlgorithm.SignatureAlgorithm.ECDSA.value, 0);
                        break;
                }
                if (signatureAndHashAlgorithm == null) {
                    collection = Collections.emptySet();
                } else {
                    ArrayList arrayList = new ArrayList(1);
                    arrayList.add(signatureAndHashAlgorithm);
                    collection = SignatureAndHashAlgorithm.getSupportedAlgorithms(this.algorithmConstraints, arrayList);
                }
                this.session.setPeerSupportedSignatureAlgorithms(collection);
            }
        }
        switch (AnonymousClass3.$SwitchMap$sun$security$ssl$CipherSuite$KeyExchange[keyExchange.ordinal()]) {
            case 1:
                if (!setupPrivateKeyAndChain("RSA")) {
                    return false;
                }
                break;
            case 2:
                if (!setupPrivateKeyAndChain("RSA")) {
                    return false;
                }
                try {
                    if (JsseJce.getRSAKeyLength(this.certs[0].getPublicKey()) > 512) {
                        if (!setupEphemeralRSAKeys(cipherSuite.exportable)) {
                            return false;
                        }
                    }
                } catch (RuntimeException e) {
                    return false;
                }
                break;
            case 3:
            case 4:
                if (!setupKerberosKeys()) {
                    return false;
                }
                break;
            case 5:
                if (!setupPrivateKeyAndChain("RSA")) {
                    return false;
                }
                if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    this.preferableSignatureAlgorithm = SignatureAndHashAlgorithm.getPreferableAlgorithm(collection, "RSA", this.privateKey);
                    if (this.preferableSignatureAlgorithm == null) {
                        if (debug == null || !Debug.isOn("handshake")) {
                            return false;
                        }
                        System.out.println("No signature and hash algorithm for cipher " + cipherSuite);
                        return false;
                    }
                }
                setupEphemeralDHKeys(cipherSuite.exportable, this.privateKey);
                break;
                break;
            case 6:
                if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    this.preferableSignatureAlgorithm = SignatureAndHashAlgorithm.getPreferableAlgorithm(collection, "DSA");
                    if (this.preferableSignatureAlgorithm == null) {
                        if (debug == null || !Debug.isOn("handshake")) {
                            return false;
                        }
                        System.out.println("No signature and hash algorithm for cipher " + cipherSuite);
                        return false;
                    }
                }
                if (!setupPrivateKeyAndChain("DSA")) {
                    return false;
                }
                setupEphemeralDHKeys(cipherSuite.exportable, this.privateKey);
                break;
                break;
            case 7:
                setupEphemeralDHKeys(cipherSuite.exportable, null);
                break;
            case 8:
                if (!setupPrivateKeyAndChain("EC")) {
                    return false;
                }
                setupStaticECDHKeys();
                break;
            case 9:
                if (!setupPrivateKeyAndChain("EC")) {
                    return false;
                }
                setupStaticECDHKeys();
                break;
            case 10:
                if (!setupPrivateKeyAndChain("RSA")) {
                    return false;
                }
                if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    this.preferableSignatureAlgorithm = SignatureAndHashAlgorithm.getPreferableAlgorithm(collection, "RSA", this.privateKey);
                    if (this.preferableSignatureAlgorithm == null) {
                        if (debug == null || !Debug.isOn("handshake")) {
                            return false;
                        }
                        System.out.println("No signature and hash algorithm for cipher " + cipherSuite);
                        return false;
                    }
                }
                if (!setupEphemeralECDHKeys()) {
                    return false;
                }
                break;
            case 11:
                if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
                    this.preferableSignatureAlgorithm = SignatureAndHashAlgorithm.getPreferableAlgorithm(collection, "ECDSA");
                    if (this.preferableSignatureAlgorithm == null) {
                        if (debug == null || !Debug.isOn("handshake")) {
                            return false;
                        }
                        System.out.println("No signature and hash algorithm for cipher " + cipherSuite);
                        return false;
                    }
                }
                if (!setupPrivateKeyAndChain("EC") || !setupEphemeralECDHKeys()) {
                    return false;
                }
                break;
            case 12:
                if (!setupEphemeralECDHKeys()) {
                    return false;
                }
                break;
            default:
                throw new RuntimeException("Unrecognized cipherSuite: " + cipherSuite);
        }
        setCipherSuite(cipherSuite);
        if (this.protocolVersion.v < ProtocolVersion.TLS12.v || this.peerSupportedSignAlgs != null) {
            return true;
        }
        setPeerSupportedSignAlgs(collection);
        return true;
    }

    private boolean setupEphemeralRSAKeys(boolean z) {
        KeyPair rSAKeyPair = this.sslContext.getEphemeralKeyManager().getRSAKeyPair(z, this.sslContext.getSecureRandom());
        if (rSAKeyPair == null) {
            return false;
        }
        this.tempPublicKey = rSAKeyPair.getPublic();
        this.tempPrivateKey = rSAKeyPair.getPrivate();
        return true;
    }

    private void setupEphemeralDHKeys(boolean z, Key key) {
        int i = z ? 512 : 1024;
        if (!z) {
            if (useLegacyEphemeralDHKeys) {
                i = 768;
            } else if (useSmartEphemeralDHKeys) {
                if (key != null) {
                    i = KeyUtil.getKeySize(key) <= 1024 ? 1024 : 2048;
                }
            } else if (customizedDHKeySize > 0) {
                i = customizedDHKeySize;
            }
        }
        this.dh = new DHCrypt(i, this.sslContext.getSecureRandom());
    }

    private boolean setupEphemeralECDHKeys() {
        int i = -1;
        if (this.supportedCurves != null) {
            int[] curveIds = this.supportedCurves.curveIds();
            int length = curveIds.length;
            int i2 = 0;
            while (true) {
                if (i2 >= length) {
                    break;
                }
                int i3 = curveIds[i2];
                if (SupportedEllipticCurvesExtension.isSupported(i3)) {
                    i = i3;
                    break;
                }
                i2++;
            }
            if (i < 0) {
                return false;
            }
        } else {
            i = SupportedEllipticCurvesExtension.DEFAULT.curveIds()[0];
        }
        this.ecdh = new ECDHCrypt(SupportedEllipticCurvesExtension.getCurveOid(i), this.sslContext.getSecureRandom());
        return true;
    }

    private void setupStaticECDHKeys() {
        this.ecdh = new ECDHCrypt(this.privateKey, this.certs[0].getPublicKey());
    }

    private boolean setupPrivateKeyAndChain(String str) {
        PrivateKey privateKey;
        X509Certificate[] certificateChain;
        X509ExtendedKeyManager x509KeyManager = this.sslContext.getX509KeyManager();
        String chooseServerAlias = this.conn != null ? x509KeyManager.chooseServerAlias(str, null, this.conn) : x509KeyManager.chooseEngineServerAlias(str, null, this.engine);
        if (chooseServerAlias == null || (privateKey = x509KeyManager.getPrivateKey(chooseServerAlias)) == null || (certificateChain = x509KeyManager.getCertificateChain(chooseServerAlias)) == null || certificateChain.length == 0) {
            return false;
        }
        String str2 = str.split("_")[0];
        PublicKey publicKey = certificateChain[0].getPublicKey();
        if (!privateKey.getAlgorithm().equals(str2) || !publicKey.getAlgorithm().equals(str2)) {
            return false;
        }
        if (str2.equals("EC")) {
            if (!(publicKey instanceof ECPublicKey)) {
                return false;
            }
            int curveIndex = SupportedEllipticCurvesExtension.getCurveIndex(((ECPublicKey) publicKey).getParams());
            if (!SupportedEllipticCurvesExtension.isSupported(curveIndex)) {
                return false;
            }
            if (this.supportedCurves != null && !this.supportedCurves.contains(curveIndex)) {
                return false;
            }
        }
        this.privateKey = privateKey;
        this.certs = certificateChain;
        return true;
    }

    private boolean setupKerberosKeys() {
        if (this.serviceCreds != null) {
            return true;
        }
        try {
            final AccessControlContext accSE = getAccSE();
            this.serviceCreds = AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() { // from class: sun.security.ssl.ServerHandshaker.2
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws Exception {
                    return Krb5Helper.getServiceCreds(accSE);
                }
            });
            if (this.serviceCreds != null) {
                if (debug != null && Debug.isOn("handshake")) {
                    System.out.println("Using Kerberos creds");
                }
                String serverPrincipalName = Krb5Helper.getServerPrincipalName(this.serviceCreds);
                if (serverPrincipalName != null) {
                    SecurityManager securityManager = System.getSecurityManager();
                    if (securityManager != null) {
                        try {
                            securityManager.checkPermission(Krb5Helper.getServicePermission(serverPrincipalName, "accept"), accSE);
                        } catch (SecurityException e) {
                            this.serviceCreds = null;
                            if (debug == null || !Debug.isOn("handshake")) {
                                return false;
                            }
                            System.out.println("Permission to access Kerberos secret key denied");
                            return false;
                        }
                    }
                }
            }
            return this.serviceCreds != null;
        } catch (PrivilegedActionException e2) {
            if (debug == null || !Debug.isOn("handshake")) {
                return false;
            }
            System.out.println("Attempt to obtain Kerberos key failed: " + e2.toString());
            return false;
        }
    }

    private SecretKey clientKeyExchange(KerberosClientKeyExchange kerberosClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            kerberosClientKeyExchange.print(System.out);
        }
        this.session.setPeerPrincipal(kerberosClientKeyExchange.getPeerPrincipal());
        this.session.setLocalPrincipal(kerberosClientKeyExchange.getLocalPrincipal());
        return new SecretKeySpec(kerberosClientKeyExchange.getUnencryptedPreMasterSecret(), "TlsPremasterSecret");
    }

    private SecretKey clientKeyExchange(DHClientKeyExchange dHClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            dHClientKeyExchange.print(System.out);
        }
        BigInteger clientPublicKey = dHClientKeyExchange.getClientPublicKey();
        this.dh.checkConstraints(this.algorithmConstraints, clientPublicKey);
        return this.dh.getAgreedSecret(clientPublicKey, false);
    }

    private SecretKey clientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            eCDHClientKeyExchange.print(System.out);
        }
        byte[] encodedPoint = eCDHClientKeyExchange.getEncodedPoint();
        this.ecdh.checkConstraints(this.algorithmConstraints, encodedPoint);
        return this.ecdh.getAgreedSecret(encodedPoint);
    }

    private void clientCertificateVerify(HandshakeMessage.CertificateVerify certificateVerify) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            certificateVerify.print(System.out);
        }
        if (this.protocolVersion.v >= ProtocolVersion.TLS12.v) {
            SignatureAndHashAlgorithm preferableSignatureAlgorithm = certificateVerify.getPreferableSignatureAlgorithm();
            if (preferableSignatureAlgorithm == null) {
                throw new SSLHandshakeException("Illegal CertificateVerify message");
            }
            String hashAlgorithmName = SignatureAndHashAlgorithm.getHashAlgorithmName(preferableSignatureAlgorithm);
            if (hashAlgorithmName == null || hashAlgorithmName.length() == 0) {
                throw new SSLHandshakeException("No supported hash algorithm");
            }
        }
        try {
            if (!certificateVerify.verify(this.protocolVersion, this.handshakeHash, this.session.getPeerCertificates()[0].getPublicKey(), this.session.getMasterSecret())) {
                fatalSE((byte) 42, "certificate verify message signature error");
            }
        } catch (GeneralSecurityException e) {
            fatalSE((byte) 42, "certificate verify format error", e);
        }
        this.needClientVerify = false;
    }

    private void clientFinished(HandshakeMessage.Finished finished) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            finished.print(System.out);
        }
        if (this.doClientAuth == 2) {
            this.session.getPeerPrincipal();
        }
        if (this.needClientVerify) {
            fatalSE((byte) 40, "client did not send certificate verify message");
        }
        if (!finished.verify(this.handshakeHash, 1, this.session.getMasterSecret())) {
            fatalSE((byte) 40, "client 'finished' message doesn't verify");
        }
        if (this.secureRenegotiation) {
            this.clientVerifyData = finished.getVerifyData();
        }
        if (!this.resumingSession) {
            this.input.digestNow();
            sendChangeCipherAndFinish(true);
        }
        this.session.setLastAccessedTime(System.currentTimeMillis());
        if (this.resumingSession || !this.session.isRejoinable()) {
            if (this.resumingSession || debug == null || !Debug.isOn(EjbTagNames.SESSION)) {
                return;
            }
            System.out.println("%% Didn't cache non-resumable server session: " + this.session);
            return;
        }
        this.sslContext.engineGetServerSessionContext().put(this.session);
        if (debug == null || !Debug.isOn(EjbTagNames.SESSION)) {
            return;
        }
        System.out.println("%% Cached server session: " + this.session);
    }

    private void sendChangeCipherAndFinish(boolean z) throws IOException {
        this.output.flush();
        HandshakeMessage.Finished finished = new HandshakeMessage.Finished(this.protocolVersion, this.handshakeHash, 2, this.session.getMasterSecret(), this.cipherSuite);
        sendChangeCipherSpec(finished, z);
        if (this.secureRenegotiation) {
            this.serverVerifyData = finished.getVerifyData();
        }
        if (z) {
            this.state = 20;
        }
    }

    @Override // sun.security.ssl.Handshaker
    HandshakeMessage getKickstartMessage() {
        return new HandshakeMessage.HelloRequest();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // sun.security.ssl.Handshaker
    public void handshakeAlert(byte b) throws SSLProtocolException {
        String alertDescription = Alerts.alertDescription(b);
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("SSL -- handshake alert:  " + alertDescription);
        }
        if (b != 41 || this.doClientAuth != 1) {
            throw new SSLProtocolException("handshake alert: " + alertDescription);
        }
    }

    private SecretKey clientKeyExchange(RSAClientKeyExchange rSAClientKeyExchange) throws IOException {
        if (debug != null && Debug.isOn("handshake")) {
            rSAClientKeyExchange.print(System.out);
        }
        return rSAClientKeyExchange.preMaster;
    }

    private void clientCertificate(HandshakeMessage.CertificateMsg certificateMsg) throws IOException {
        String str;
        if (debug != null && Debug.isOn("handshake")) {
            certificateMsg.print(System.out);
        }
        X509Certificate[] certificateChain = certificateMsg.getCertificateChain();
        if (certificateChain.length == 0) {
            if (this.doClientAuth == 1) {
                return;
            } else {
                fatalSE((byte) 42, "null cert chain");
            }
        }
        X509TrustManager x509TrustManager = this.sslContext.getX509TrustManager();
        try {
            String algorithm = certificateChain[0].getPublicKey().getAlgorithm();
            str = algorithm.equals("RSA") ? "RSA" : algorithm.equals("DSA") ? "DSA" : algorithm.equals("EC") ? "EC" : Expression.UNKNOWN;
        } catch (CertificateException e) {
            fatalSE((byte) 46, e);
        }
        if (!(x509TrustManager instanceof X509ExtendedTrustManager)) {
            throw new CertificateException("Improper X509TrustManager implementation");
        }
        if (this.conn != null) {
            ((X509ExtendedTrustManager) x509TrustManager).checkClientTrusted((X509Certificate[]) certificateChain.clone(), str, (Socket) this.conn);
        } else {
            ((X509ExtendedTrustManager) x509TrustManager).checkClientTrusted((X509Certificate[]) certificateChain.clone(), str, this.engine);
        }
        this.needClientVerify = true;
        this.session.setPeerCertificates(certificateChain);
    }

    static {
        String str = (String) AccessController.doPrivileged((PrivilegedAction) new GetPropertyAction("jdk.tls.ephemeralDHKeySize"));
        if (str == null || str.length() == 0) {
            useLegacyEphemeralDHKeys = false;
            useSmartEphemeralDHKeys = false;
            customizedDHKeySize = -1;
            return;
        }
        if ("matched".equals(str)) {
            useLegacyEphemeralDHKeys = false;
            useSmartEphemeralDHKeys = true;
            customizedDHKeySize = -1;
        } else {
            if ("legacy".equals(str)) {
                useLegacyEphemeralDHKeys = true;
                useSmartEphemeralDHKeys = false;
                customizedDHKeySize = -1;
                return;
            }
            useLegacyEphemeralDHKeys = false;
            useSmartEphemeralDHKeys = false;
            try {
                customizedDHKeySize = Integer.parseUnsignedInt(str);
                if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
                    throw new IllegalArgumentException("Unsupported customized DH key size: " + customizedDHKeySize + ". The key size can only range from 1024 to 2048 (inclusive)");
                }
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("Invalid system property jdk.tls.ephemeralDHKeySize");
            }
        }
    }
}
