package sun.security.ssl;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.text.MessageFormat;
import java.util.Locale;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLPeerUnverifiedException;
import jdk.internal.event.EventHelper;
import jdk.internal.event.TLSHandshakeEvent;
import sun.security.internal.spec.TlsPrfParameterSpec;
import sun.security.ssl.CipherSuite;
import sun.security.ssl.SSLBasicKeyDerivation;
import sun.security.ssl.SSLCipher;
import sun.security.ssl.SSLHandshake;
import sun.security.util.HexDumpEncoder;
import sun.util.locale.LanguageTag;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished.class */
public final class Finished {
    // Shared handler singletons for the Finished handshake message.
    // The t12* pair is backed by T12FinishedConsumer/T12FinishedProducer, which gate on
    // ChangeCipherSpec; the t13* pair is backed by T13FinishedConsumer/T13FinishedProducer,
    // which install the application traffic keys.
    // NOTE(review): the "t12" handlers presumably also serve SSL 3.0 and TLS 1.0/1.1, since
    // FinishedMessage picks the verify_data scheme from negotiatedProtocol; confirm against
    // the handler table in SSLHandshake.
    static final SSLConsumer t12HandshakeConsumer = new T12FinishedConsumer();
    static final HandshakeProducer t12HandshakeProducer = new T12FinishedProducer();
    static final SSLConsumer t13HandshakeConsumer = new T13FinishedConsumer();
    static final HandshakeProducer t13HandshakeProducer = new T13FinishedProducer();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$FinishedMessage.class */
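    /**
     * The Finished handshake message: a single {@code verify_data} field that
     * authenticates the handshake transcript.
     *
     * <p>One constructor computes the local value for sending; the other parses the
     * peer's value and verifies it against the locally computed expectation before the
     * object is handed to any caller.
     */
    public static final class FinishedMessage extends SSLHandshake.HandshakeMessage {
        // verify_data to send (outbound) or the peer's value after it passed verification (inbound).
        private final byte[] verifyData;

        /**
         * Builds the Finished message this endpoint is about to send.
         *
         * @param handshakeContext the handshake whose transcript and secrets are used
         * @throws IOException if verify_data cannot be generated (reported as a fatal
         *         ILLEGAL_PARAMETER alert)
         */
        FinishedMessage(HandshakeContext handshakeContext) throws IOException {
            super(handshakeContext);
            try {
                // The 'false' flag asks the generator for this endpoint's own verify_data.
                this.verifyData = VerifyDataScheme.valueOf(handshakeContext.negotiatedProtocol).createVerifyData(handshakeContext, false);
            } catch (IOException e) {
                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Failed to generate verify_data", e);
            }
        }

        /**
         * Parses and verifies a Finished message received from the peer.
         *
         * @param handshakeContext the handshake whose transcript and secrets are used
         * @param byteBuffer the message body; it must hold exactly the verify_data bytes
         * @throws IOException on a length mismatch (DECODE_ERROR), on a failure to compute
         *         the expected value (ILLEGAL_PARAMETER), or when the received value does
         *         not match (DECRYPT_ERROR)
         */
        FinishedMessage(HandshakeContext handshakeContext, ByteBuffer byteBuffer) throws IOException {
            super(handshakeContext);
            // Expected verify_data size: 12 bytes by default, 36 for SSL 3.0 (MD5 plus
            // SHA-1 digests per the SSLv3 specification), and the negotiated hash length
            // for TLS 1.3 and later.
            int expectedLength = 12;
            if (handshakeContext.negotiatedProtocol == ProtocolVersion.SSL30) {
                expectedLength = 36;
            } else if (handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
                expectedLength = handshakeContext.negotiatedCipherSuite.hashAlg.hashLength;
            }
            // Reject short or over-long bodies before reading, so a truncated value is
            // never compared and trailing bytes are never silently ignored.
            if (byteBuffer.remaining() != expectedLength) {
                throw handshakeContext.conContext.fatal(Alert.DECODE_ERROR, "Inappropriate finished message: need " + expectedLength + " but remaining " + byteBuffer.remaining() + " bytes verify_data");
            }
            this.verifyData = new byte[expectedLength];
            byteBuffer.get(this.verifyData);

            // The 'true' flag asks the generator for the value the peer should have sent.
            byte[] expectedVerifyData;
            try {
                expectedVerifyData = VerifyDataScheme.valueOf(handshakeContext.negotiatedProtocol).createVerifyData(handshakeContext, true);
            } catch (IOException e) {
                throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Failed to generate verify_data", e);
            }

            // The comparison stays outside the try block above: a mismatch must surface as
            // DECRYPT_ERROR and must not be caught and re-reported as a verify_data
            // generation failure. MessageDigest.isEqual is used so the comparison time does
            // not depend on where the first differing byte is.
            if (!MessageDigest.isEqual(expectedVerifyData, this.verifyData)) {
                throw handshakeContext.conContext.fatal(Alert.DECRYPT_ERROR, "The Finished message cannot be verified.");
            }
        }

        /** Returns the handshake type of this message, {@code FINISHED}. */
        @Override // sun.security.ssl.SSLHandshake.HandshakeMessage
        public SSLHandshake handshakeType() {
            return SSLHandshake.FINISHED;
        }

        /** Returns the body length, which is the length of verify_data. */
        @Override // sun.security.ssl.SSLHandshake.HandshakeMessage
        public int messageLength() {
            return this.verifyData.length;
        }

        /** Writes the raw verify_data bytes; the body carries no length prefix of its own. */
        @Override // sun.security.ssl.SSLHandshake.HandshakeMessage
        public void send(HandshakeOutStream handshakeOutStream) throws IOException {
            handshakeOutStream.write(this.verifyData);
        }

        /**
         * Renders the message with a hex dump of verify_data. Callers in this file pass the
         * message to SSLLogger only when the "ssl,handshake" debug category is enabled.
         */
        @Override
        public String toString() {
            return new MessageFormat("\"Finished\": '{'\n  \"verify data\": '{'\n{0}\n  '}'\n'}'", Locale.ENGLISH).format(new Object[]{Utilities.indent(new HexDumpEncoder().encode(this.verifyData), "    ")});
        }
    }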

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$S30VerifyDataGenerator.class */
    /** verify_data generator that delegates to the two-argument HandshakeHash digest. */
    private static final class S30VerifyDataGenerator implements VerifyDataGenerator {
        private S30VerifyDataGenerator() {
        }

        /**
         * Computes verify_data from the handshake hash and the session master secret.
         *
         * @param handshakeContext the handshake supplying the transcript hash and session
         * @param z {@code false} for this endpoint's own Finished, {@code true} for the
         *        value expected from the peer
         * @return the digest returned by the handshake hash
         * @throws IOException if the handshake hash reports a failure
         */
        @Override // sun.security.ssl.Finished.VerifyDataGenerator
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            // True when the value belongs to the client side: either we are the client and
            // want our own value, or we are the server and want the peer's.
            boolean clientSide = handshakeContext.sslConfig.isClientMode != z;
            SecretKey masterSecret = handshakeContext.handshakeSession.getMasterSecret();
            return handshakeContext.handshakeHash.digest(clientSide, masterSecret);
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T10VerifyDataGenerator.class */
    /** verify_data generator that runs the "SunTlsPrf" key generator over the transcript digest. */
    private static final class T10VerifyDataGenerator implements VerifyDataGenerator {
        private T10VerifyDataGenerator() {
        }

        /**
         * Derives a 12-byte verify_data from the master secret, a role label and the
         * handshake transcript digest.
         *
         * @param handshakeContext the handshake supplying the transcript hash and session
         * @param z {@code false} for this endpoint's own Finished, {@code true} for the
         *        value expected from the peer
         * @return the raw PRF output
         * @throws IOException declared by the interface
         * @throws ProviderException if the PRF output is not in RAW format
         * @throws RuntimeException wrapping any GeneralSecurityException from the PRF
         */
        @Override // sun.security.ssl.Finished.VerifyDataGenerator
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            HandshakeHash transcript = handshakeContext.handshakeHash;
            SecretKey masterSecret = handshakeContext.handshakeSession.getMasterSecret();

            // The label names the sender of the Finished being computed: our own role when
            // z is false, the peer's role when z is true.
            String label;
            if (handshakeContext.sslConfig.isClientMode != z) {
                label = "client finished";
            } else {
                label = "server finished";
            }

            try {
                byte[] transcriptDigest = transcript.digest();
                // H_NONE: no cipher-suite hash is handed to the PRF here.
                // NOTE(review): presumably because the TLS 1.0/1.1 PRF fixes its own hash
                // combination; confirm against the SunTlsPrf provider.
                CipherSuite.HashAlg prfHash = CipherSuite.HashAlg.H_NONE;
                TlsPrfParameterSpec prfParams = new TlsPrfParameterSpec(masterSecret, label, transcriptDigest, 12, prfHash.name, prfHash.hashLength, prfHash.blockSize);
                KeyGenerator prf = KeyGenerator.getInstance("SunTlsPrf");
                prf.init(prfParams);
                SecretKey prfOutput = prf.generateKey();
                // Only a RAW-format key exposes the derived bytes through getEncoded().
                if (!"RAW".equals(prfOutput.getFormat())) {
                    throw new ProviderException("Invalid PRF output, format must be RAW. Format received: " + prfOutput.getFormat());
                }
                return prfOutput.getEncoded();
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("PRF failed", e);
            }
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T12FinishedConsumer.class */
    /**
     * Consumer for the peer's Finished message in the ChangeCipherSpec-based handshake.
     * It checks message ordering, lets FinishedMessage verify verify_data, and then either
     * completes the handshake or triggers this endpoint's own Finished.
     */
    private static final class T12FinishedConsumer implements SSLConsumer {
        private T12FinishedConsumer() {
        }

        /**
         * Entry point: validates ordering against ChangeCipherSpec and dispatches on role.
         *
         * @param connectionContext the handshake context (cast to HandshakeContext)
         * @param byteBuffer the Finished message body
         * @throws IOException if the message is out of order or fails verification
         */
        @Override // sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            HandshakeContext handshakeContext = (HandshakeContext) connectionContext;
            // Deregister the FINISHED consumer up front so this handler is used at most once
            // per registration.
            handshakeContext.handshakeConsumers.remove(Byte.valueOf(SSLHandshake.FINISHED.id));
            // A ChangeCipherSpec consumer that is still registered means the peer's
            // ChangeCipherSpec has not been processed, so this Finished arrived out of
            // order; accepting it would skip the cipher switch it is supposed to follow.
            // NOTE(review): presumably ChangeCipherSpec.t10Consumer removes that entry when
            // it runs - confirm in ChangeCipherSpec.
            if (handshakeContext.conContext.consumers.containsKey(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id))) {
                throw handshakeContext.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Missing ChangeCipherSpec message");
            }
            if (handshakeContext.sslConfig.isClientMode) {
                onConsumeFinished((ClientHandshakeContext) connectionContext, byteBuffer);
            } else {
                onConsumeFinished((ServerHandshakeContext) connectionContext, byteBuffer);
            }
        }

        /**
         * Client side: handles the server's Finished.
         *
         * @throws IOException if verification fails or a triggered producer fails
         */
        private void onConsumeFinished(ClientHandshakeContext clientHandshakeContext, ByteBuffer byteBuffer) throws IOException {
            // Parsing also verifies: the constructor raises a fatal alert on a length or
            // verify_data mismatch, so everything below runs only for a verified message.
            FinishedMessage finishedMessage = new FinishedMessage(clientHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming server Finished handshake message", finishedMessage);
            }
            // Keep the server's verify_data on the connection.
            // NOTE(review): presumably consumed by the renegotiation_info handling on a later
            // renegotiation (RFC 5746) - confirm at the use site.
            if (clientHandshakeContext.conContext.secureRenegotiation) {
                clientHandshakeContext.conContext.serverVerifyData = finishedMessage.verifyData;
            }
            if (clientHandshakeContext.isResumption) {
                // Resumed session: the client still has to send its own Finished, so queue
                // the producer that the loop below will run.
                clientHandshakeContext.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            } else {
                // Full handshake: the server's Finished is the last message. Cache the
                // session only now, after the peer's Finished has been verified.
                if (clientHandshakeContext.handshakeSession.isRejoinable()) {
                    ((SSLSessionContextImpl) clientHandshakeContext.sslContext.engineGetClientSessionContext()).put(clientHandshakeContext.handshakeSession);
                }
                clientHandshakeContext.conContext.conSession = clientHandshakeContext.handshakeSession.finish();
                clientHandshakeContext.conContext.protocolVersion = clientHandshakeContext.negotiatedProtocol;
                clientHandshakeContext.handshakeFinished = true;
                Finished.recordEvent(clientHandshakeContext.conContext.conSession);
                // For DTLS the handshake is not finished here.
                // NOTE(review): presumably so the last flight can still be retransmitted - confirm.
                if (!clientHandshakeContext.sslContext.isDTLS()) {
                    clientHandshakeContext.conContext.finishHandshake();
                }
            }
            // Single-element loop (decompiler rendering of a constant array): run the
            // FINISHED producer if one is queued, removing it so it fires once.
            for (SSLHandshake sSLHandshake : new SSLHandshake[]{SSLHandshake.FINISHED}) {
                HandshakeProducer remove = clientHandshakeContext.handshakeProducers.remove(Byte.valueOf(sSLHandshake.id));
                if (remove != null) {
                    remove.produce(clientHandshakeContext, finishedMessage);
                }
            }
        }

        /**
         * Server side: handles the client's Finished.
         *
         * @throws IOException if the message is unexpected, fails verification, or a
         *         triggered producer fails
         */
        private void onConsumeFinished(ServerHandshakeContext serverHandshakeContext, ByteBuffer byteBuffer) throws IOException {
            // On a full handshake, a CERTIFICATE_VERIFY consumer that is still registered
            // means the client has not sent the CertificateVerify the server is waiting
            // for. Accepting Finished here would let the client skip proving possession of
            // its certificate key, so the handshake is aborted.
            if (!serverHandshakeContext.isResumption && serverHandshakeContext.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE_VERIFY.id))) {
                throw serverHandshakeContext.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message");
            }
            // Parsing also verifies verify_data (fatal alert on mismatch).
            FinishedMessage finishedMessage = new FinishedMessage(serverHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming client Finished handshake message", finishedMessage);
            }
            // Keep the client's verify_data on the connection (see the RFC 5746 note on the
            // client-side handler; same assumption applies).
            if (serverHandshakeContext.conContext.secureRenegotiation) {
                serverHandshakeContext.conContext.clientVerifyData = finishedMessage.verifyData;
            }
            if (serverHandshakeContext.isResumption) {
                // Resumed session: the client's Finished is the last message. The session is
                // put back into the server cache unless stateless resumption is in use.
                if (serverHandshakeContext.handshakeSession.isRejoinable() && !serverHandshakeContext.statelessResumption) {
                    ((SSLSessionContextImpl) serverHandshakeContext.sslContext.engineGetServerSessionContext()).put(serverHandshakeContext.handshakeSession);
                }
                serverHandshakeContext.conContext.conSession = serverHandshakeContext.handshakeSession.finish();
                serverHandshakeContext.conContext.protocolVersion = serverHandshakeContext.negotiatedProtocol;
                serverHandshakeContext.handshakeFinished = true;
                Finished.recordEvent(serverHandshakeContext.conContext.conSession);
                if (!serverHandshakeContext.sslContext.isDTLS()) {
                    serverHandshakeContext.conContext.finishHandshake();
                }
            } else {
                // Full handshake: the server still has to send its own Finished.
                serverHandshakeContext.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
            }
            // Single-element loop (decompiler rendering): run the queued FINISHED producer, if any.
            for (SSLHandshake sSLHandshake : new SSLHandshake[]{SSLHandshake.FINISHED}) {
                HandshakeProducer remove = serverHandshakeContext.handshakeProducers.remove(Byte.valueOf(sSLHandshake.id));
                if (remove != null) {
                    remove.produce(serverHandshakeContext, finishedMessage);
                }
            }
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T12FinishedProducer.class */
    /**
     * Producer for this endpoint's Finished message in the ChangeCipherSpec-based
     * handshake. It emits ChangeCipherSpec followed by Finished, then either waits for the
     * peer's closing flight or completes the handshake.
     */
    private static final class T12FinishedProducer implements HandshakeProducer {
        private T12FinishedProducer() {
        }

        /**
         * Dispatches to the client or server implementation based on the configured role.
         *
         * @return always {@code null} (both implementations return null)
         * @throws IOException if producing or writing the message fails
         */
        @Override // sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            return ((HandshakeContext) connectionContext).sslConfig.isClientMode ? onProduceFinished((ClientHandshakeContext) connectionContext, handshakeMessage) : onProduceFinished((ServerHandshakeContext) connectionContext, handshakeMessage);
        }

        /**
         * Client side: sends ChangeCipherSpec and Finished.
         *
         * @return always {@code null}
         * @throws IOException if verify_data generation or output fails
         */
        private byte[] onProduceFinished(ClientHandshakeContext clientHandshakeContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            // NOTE(review): update() presumably folds the buffered handshake messages into
            // the transcript before verify_data is computed - confirm in HandshakeHash.
            clientHandshakeContext.handshakeHash.update();
            // verify_data is computed before ChangeCipherSpec is produced; the message itself
            // is written only afterwards.
            FinishedMessage finishedMessage = new FinishedMessage(clientHandshakeContext);
            ChangeCipherSpec.t10Producer.produce(clientHandshakeContext, handshakeMessage);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced client Finished handshake message", finishedMessage);
            }
            finishedMessage.write(clientHandshakeContext.handshakeOutput);
            clientHandshakeContext.handshakeOutput.flush();
            // Keep our verify_data on the connection.
            // NOTE(review): presumably for renegotiation_info on a later renegotiation
            // (RFC 5746) - confirm at the use site.
            if (clientHandshakeContext.conContext.secureRenegotiation) {
                clientHandshakeContext.conContext.clientVerifyData = finishedMessage.verifyData;
            }
            // With stateless resumption the server may send a NewSessionTicket; accept it.
            if (clientHandshakeContext.statelessResumption) {
                clientHandshakeContext.handshakeConsumers.put(Byte.valueOf(SSLHandshake.NEW_SESSION_TICKET.id), SSLHandshake.NEW_SESSION_TICKET);
            }
            if (!clientHandshakeContext.isResumption) {
                // Full handshake: the server's ChangeCipherSpec and Finished are still to
                // come, so register both consumers. The ChangeCipherSpec entry is what
                // T12FinishedConsumer checks to detect a Finished that arrives too early.
                clientHandshakeContext.conContext.consumers.put(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id), ChangeCipherSpec.t10Consumer);
                clientHandshakeContext.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
                clientHandshakeContext.conContext.inputRecord.expectingFinishFlight();
                return null;
            }
            // Resumed session: our Finished is the last message, so complete the handshake.
            if (clientHandshakeContext.handshakeSession.isRejoinable()) {
                ((SSLSessionContextImpl) clientHandshakeContext.sslContext.engineGetClientSessionContext()).put(clientHandshakeContext.handshakeSession);
            }
            clientHandshakeContext.conContext.conSession = clientHandshakeContext.handshakeSession.finish();
            clientHandshakeContext.conContext.protocolVersion = clientHandshakeContext.negotiatedProtocol;
            clientHandshakeContext.handshakeFinished = true;
            // DTLS skips finishHandshake() here.
            if (clientHandshakeContext.sslContext.isDTLS()) {
                return null;
            }
            clientHandshakeContext.conContext.finishHandshake();
            return null;
        }

        /**
         * Server side: optionally sends NewSessionTicket, then ChangeCipherSpec and Finished.
         *
         * @return always {@code null}
         * @throws IOException if verify_data generation or output fails
         */
        private byte[] onProduceFinished(ServerHandshakeContext serverHandshakeContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            // The ticket is produced before the transcript update and before Finished is
            // computed, so it is ordered ahead of the server's Finished.
            if (serverHandshakeContext.statelessResumption) {
                NewSessionTicket.handshake12Producer.produce(serverHandshakeContext, handshakeMessage);
            }
            serverHandshakeContext.handshakeHash.update();
            FinishedMessage finishedMessage = new FinishedMessage(serverHandshakeContext);
            ChangeCipherSpec.t10Producer.produce(serverHandshakeContext, handshakeMessage);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced server Finished handshake message", finishedMessage);
            }
            finishedMessage.write(serverHandshakeContext.handshakeOutput);
            serverHandshakeContext.handshakeOutput.flush();
            // Keep our verify_data on the connection (same RFC 5746 assumption as on the client side).
            if (serverHandshakeContext.conContext.secureRenegotiation) {
                serverHandshakeContext.conContext.serverVerifyData = finishedMessage.verifyData;
            }
            if (serverHandshakeContext.isResumption) {
                // Resumed session: the client's ChangeCipherSpec and Finished are still to
                // come, so register both consumers and wait.
                serverHandshakeContext.conContext.consumers.put(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id), ChangeCipherSpec.t10Consumer);
                serverHandshakeContext.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
                serverHandshakeContext.conContext.inputRecord.expectingFinishFlight();
                return null;
            }
            // Full handshake: our Finished is the last message. A stateless-capable session
            // is only attached to the server session context; otherwise a rejoinable session
            // is stored in the server cache.
            if (serverHandshakeContext.statelessResumption && serverHandshakeContext.handshakeSession.isStatelessable()) {
                serverHandshakeContext.handshakeSession.setContext((SSLSessionContextImpl) serverHandshakeContext.sslContext.engineGetServerSessionContext());
            } else if (serverHandshakeContext.handshakeSession.isRejoinable()) {
                ((SSLSessionContextImpl) serverHandshakeContext.sslContext.engineGetServerSessionContext()).put(serverHandshakeContext.handshakeSession);
            }
            serverHandshakeContext.conContext.conSession = serverHandshakeContext.handshakeSession.finish();
            serverHandshakeContext.conContext.protocolVersion = serverHandshakeContext.negotiatedProtocol;
            serverHandshakeContext.handshakeFinished = true;
            // DTLS skips finishHandshake() here.
            if (serverHandshakeContext.sslContext.isDTLS()) {
                return null;
            }
            serverHandshakeContext.conContext.finishHandshake();
            return null;
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T12VerifyDataGenerator.class */
    /** verify_data generator that runs the "SunTls12Prf" key generator with the cipher suite's hash. */
    private static final class T12VerifyDataGenerator implements VerifyDataGenerator {
        private T12VerifyDataGenerator() {
        }

        /**
         * Derives a 12-byte verify_data from the master secret, a role label and the
         * handshake transcript digest, using the negotiated cipher suite's hash parameters.
         *
         * @param handshakeContext the handshake supplying the suite, transcript hash and session
         * @param z {@code false} for this endpoint's own Finished, {@code true} for the
         *        value expected from the peer
         * @return the raw PRF output
         * @throws IOException declared by the interface
         * @throws ProviderException if the PRF output is not in RAW format
         * @throws RuntimeException wrapping any GeneralSecurityException from the PRF
         */
        @Override // sun.security.ssl.Finished.VerifyDataGenerator
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            CipherSuite negotiatedSuite = handshakeContext.negotiatedCipherSuite;
            HandshakeHash transcript = handshakeContext.handshakeHash;
            SecretKey masterSecret = handshakeContext.handshakeSession.getMasterSecret();

            // The label names the sender of the Finished being computed: our own role when
            // z is false, the peer's role when z is true.
            String label;
            if (handshakeContext.sslConfig.isClientMode != z) {
                label = "client finished";
            } else {
                label = "server finished";
            }

            try {
                byte[] transcriptDigest = transcript.digest();
                // The PRF hash follows the negotiated cipher suite.
                CipherSuite.HashAlg prfHash = negotiatedSuite.hashAlg;
                TlsPrfParameterSpec prfParams = new TlsPrfParameterSpec(masterSecret, label, transcriptDigest, 12, prfHash.name, prfHash.hashLength, prfHash.blockSize);
                KeyGenerator prf = KeyGenerator.getInstance("SunTls12Prf");
                prf.init(prfParams);
                SecretKey prfOutput = prf.generateKey();
                // Only a RAW-format key exposes the derived bytes through getEncoded().
                if (!"RAW".equals(prfOutput.getFormat())) {
                    throw new ProviderException("Invalid PRF output, format must be RAW. Format received: " + prfOutput.getFormat());
                }
                return prfOutput.getEncoded();
            } catch (GeneralSecurityException e) {
                throw new RuntimeException("PRF failed", e);
            }
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T13FinishedConsumer.class */
    /**
     * Consumer for the peer's Finished message in the TLS 1.3 style handshake. After the
     * message is verified, it derives the peer's application traffic secret and installs
     * the matching read cipher.
     */
    private static final class T13FinishedConsumer implements SSLConsumer {
        private T13FinishedConsumer() {
        }

        /**
         * Dispatches to the client or server implementation based on the configured role.
         *
         * @throws IOException if the message is unexpected, fails verification, or key
         *         derivation fails
         */
        @Override // sun.security.ssl.SSLConsumer
        public void consume(ConnectionContext connectionContext, ByteBuffer byteBuffer) throws IOException {
            if (((HandshakeContext) connectionContext).sslConfig.isClientMode) {
                onConsumeFinished((ClientHandshakeContext) connectionContext, byteBuffer);
            } else {
                onConsumeFinished((ServerHandshakeContext) connectionContext, byteBuffer);
            }
        }

        /**
         * Client side: handles the server's Finished, switches the read side to the server
         * application traffic keys, and triggers the client's closing flight.
         *
         * @throws IOException on an out-of-order message, verification failure, missing key
         *         derivation, or a derivation error (INTERNAL_ERROR)
         */
        private void onConsumeFinished(ClientHandshakeContext clientHandshakeContext, ByteBuffer byteBuffer) throws IOException {
            // On a full handshake, CERTIFICATE or CERTIFICATE_VERIFY consumers that are still
            // registered mean the server has not sent the authentication messages the
            // client is waiting for. Accepting Finished here would let an unauthenticated
            // server complete the handshake, so it is rejected.
            if (!clientHandshakeContext.isResumption && (clientHandshakeContext.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE.id)) || clientHandshakeContext.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE_VERIFY.id)))) {
                throw clientHandshakeContext.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message");
            }
            // Parsing also verifies verify_data (fatal alert on mismatch).
            FinishedMessage finishedMessage = new FinishedMessage(clientHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming server Finished handshake message", finishedMessage);
            }
            if (clientHandshakeContext.conContext.secureRenegotiation) {
                clientHandshakeContext.conContext.serverVerifyData = finishedMessage.verifyData;
            }
            // Deregister the record-level ChangeCipherSpec consumer from this point on.
            clientHandshakeContext.conContext.consumers.remove(Byte.valueOf(ContentType.CHANGE_CIPHER_SPEC.id));
            clientHandshakeContext.handshakeHash.update();
            SSLKeyDerivation sSLKeyDerivation = clientHandshakeContext.handshakeKeyDerivation;
            if (sSLKeyDerivation == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
            }
            SSLTrafficKeyDerivation valueOf = SSLTrafficKeyDerivation.valueOf(clientHandshakeContext.negotiatedProtocol);
            if (valueOf == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + ((Object) clientHandshakeContext.negotiatedProtocol));
            }
            // Cache the session only after the server's Finished has been verified.
            if (!clientHandshakeContext.isResumption && clientHandshakeContext.handshakeSession.isRejoinable()) {
                ((SSLSessionContextImpl) clientHandshakeContext.sslContext.engineGetClientSessionContext()).put(clientHandshakeContext.handshakeSession);
            }
            try {
                // Key schedule step: take the "TlsSaltSecret" from the handshake derivation
                // and HKDF-extract it with an all-zero key of hash length to obtain the
                // master secret ("TlsMasterSecret").
                SecretKey deriveKey = sSLKeyDerivation.deriveKey("TlsSaltSecret", null);
                CipherSuite.HashAlg hashAlg = clientHandshakeContext.negotiatedCipherSuite.hashAlg;
                SSLSecretDerivation sSLSecretDerivation = new SSLSecretDerivation(clientHandshakeContext, new HKDF(hashAlg.name).extract(deriveKey, new SecretKeySpec(new byte[hashAlg.hashLength], "TlsZeroSecret"), "TlsMasterSecret"));
                // From the master secret: the server application traffic secret, then the
                // record key and IV for reading server application data.
                SecretKey deriveKey2 = sSLSecretDerivation.deriveKey("TlsServerAppTrafficSecret", null);
                SSLKeyDerivation createKeyDerivation = valueOf.createKeyDerivation(clientHandshakeContext, deriveKey2);
                SSLCipher.SSLReadCipher createReadCipher = clientHandshakeContext.negotiatedCipherSuite.bulkCipher.createReadCipher(Authenticator.valueOf(clientHandshakeContext.negotiatedProtocol), clientHandshakeContext.negotiatedProtocol, createKeyDerivation.deriveKey("TlsKey", null), new IvParameterSpec(createKeyDerivation.deriveKey("TlsIv", null).getEncoded()), clientHandshakeContext.sslContext.getSecureRandom());
                // A null cipher means the suite/protocol pair is not usable; fail closed
                // instead of continuing without a read cipher.
                if (createReadCipher == null) {
                    throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Illegal cipher suite (" + ((Object) clientHandshakeContext.negotiatedCipherSuite) + ") and protocol version (" + ((Object) clientHandshakeContext.negotiatedProtocol) + ")");
                }
                clientHandshakeContext.baseReadSecret = deriveKey2;
                clientHandshakeContext.conContext.inputRecord.changeReadCiphers(createReadCipher);
                // Later derivations (the client's own Finished producer reads this field)
                // start from the master-secret derivation.
                clientHandshakeContext.handshakeKeyDerivation = sSLSecretDerivation;
                // Queue our own Finished, then run whichever of Certificate,
                // CertificateVerify and Finished producers are registered, in that order.
                clientHandshakeContext.handshakeProducers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
                for (SSLHandshake sSLHandshake : new SSLHandshake[]{SSLHandshake.CERTIFICATE, SSLHandshake.CERTIFICATE_VERIFY, SSLHandshake.FINISHED}) {
                    HandshakeProducer remove = clientHandshakeContext.handshakeProducers.remove(Byte.valueOf(sSLHandshake.id));
                    if (remove != null) {
                        remove.produce(clientHandshakeContext, null);
                    }
                }
            } catch (GeneralSecurityException e) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failure to derive application secrets", e);
            }
        }

        /**
         * Server side: handles the client's Finished, switches the read side to the client
         * application traffic keys, and completes the handshake.
         *
         * @throws IOException on an out-of-order message, verification failure, missing key
         *         derivation, or a derivation error (INTERNAL_ERROR)
         */
        private void onConsumeFinished(ServerHandshakeContext serverHandshakeContext, ByteBuffer byteBuffer) throws IOException {
            // On a full handshake, CERTIFICATE or CERTIFICATE_VERIFY consumers that are still
            // registered mean the client has not sent the authentication messages the
            // server is waiting for; accepting Finished would skip client authentication.
            if (!serverHandshakeContext.isResumption && (serverHandshakeContext.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE.id)) || serverHandshakeContext.handshakeConsumers.containsKey(Byte.valueOf(SSLHandshake.CERTIFICATE_VERIFY.id)))) {
                throw serverHandshakeContext.conContext.fatal(Alert.UNEXPECTED_MESSAGE, "Unexpected Finished handshake message");
            }
            // Parsing also verifies verify_data (fatal alert on mismatch).
            FinishedMessage finishedMessage = new FinishedMessage(serverHandshakeContext, byteBuffer);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Consuming client Finished handshake message", finishedMessage);
            }
            if (serverHandshakeContext.conContext.secureRenegotiation) {
                serverHandshakeContext.conContext.clientVerifyData = finishedMessage.verifyData;
            }
            SSLKeyDerivation sSLKeyDerivation = serverHandshakeContext.handshakeKeyDerivation;
            if (sSLKeyDerivation == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
            }
            SSLTrafficKeyDerivation valueOf = SSLTrafficKeyDerivation.valueOf(serverHandshakeContext.negotiatedProtocol);
            if (valueOf == null) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + ((Object) serverHandshakeContext.negotiatedProtocol));
            }
            try {
                // Client application traffic secret, then the record key and IV for reading
                // client application data.
                SecretKey deriveKey = sSLKeyDerivation.deriveKey("TlsClientAppTrafficSecret", null);
                SSLKeyDerivation createKeyDerivation = valueOf.createKeyDerivation(serverHandshakeContext, deriveKey);
                SSLCipher.SSLReadCipher createReadCipher = serverHandshakeContext.negotiatedCipherSuite.bulkCipher.createReadCipher(Authenticator.valueOf(serverHandshakeContext.negotiatedProtocol), serverHandshakeContext.negotiatedProtocol, createKeyDerivation.deriveKey("TlsKey", null), new IvParameterSpec(createKeyDerivation.deriveKey("TlsIv", null).getEncoded()), serverHandshakeContext.sslContext.getSecureRandom());
                // A null cipher means the suite/protocol pair is not usable; fail closed.
                if (createReadCipher == null) {
                    throw serverHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Illegal cipher suite (" + ((Object) serverHandshakeContext.negotiatedCipherSuite) + ") and protocol version (" + ((Object) serverHandshakeContext.negotiatedProtocol) + ")");
                }
                serverHandshakeContext.baseReadSecret = deriveKey;
                serverHandshakeContext.conContext.inputRecord.changeReadCiphers(createReadCipher);
                // The transcript is updated before the resumption master secret is derived.
                // NOTE(review): presumably so the client's Finished is covered by that
                // derivation - confirm in HandshakeHash/SSLSecretDerivation.
                serverHandshakeContext.handshakeHash.update();
                // NOTE(review): the cast assumes handshakeKeyDerivation is an
                // SSLSecretDerivation at this point; any other type fails with ClassCastException.
                serverHandshakeContext.handshakeSession.setResumptionMasterSecret(((SSLSecretDerivation) sSLKeyDerivation).forContext(serverHandshakeContext).deriveKey("TlsResumptionMasterSecret", null));
                serverHandshakeContext.conContext.conSession = serverHandshakeContext.handshakeSession.finish();
                serverHandshakeContext.conContext.protocolVersion = serverHandshakeContext.negotiatedProtocol;
                serverHandshakeContext.handshakeFinished = true;
                if (!serverHandshakeContext.sslContext.isDTLS()) {
                    serverHandshakeContext.conContext.finishHandshake();
                }
                Finished.recordEvent(serverHandshakeContext.conContext.conSession);
                // With the handshake complete, issue the post-handshake NewSessionTicket.
                NewSessionTicket.t13PosthandshakeProducer.produce(serverHandshakeContext);
            } catch (GeneralSecurityException e) {
                throw serverHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failure to derive application secrets", e);
            }
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T13FinishedProducer.class */
    private static final class T13FinishedProducer implements HandshakeProducer {
        // Private: the only instantiation visible in this file is the
        // Finished.t13HandshakeProducer field initializer.
        private T13FinishedProducer() {
        }

        /**
         * Dispatches to the client or server implementation based on the configured role.
         *
         * @param connectionContext the handshake context (cast to HandshakeContext)
         * @param handshakeMessage passed through to the role-specific implementation
         * @return whatever the role-specific implementation returns
         * @throws IOException if producing or writing the message fails
         */
        @Override // sun.security.ssl.HandshakeProducer
        public byte[] produce(ConnectionContext connectionContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            HandshakeContext handshakeContext = (HandshakeContext) connectionContext;
            if (handshakeContext.sslConfig.isClientMode) {
                return onProduceFinished((ClientHandshakeContext) connectionContext, handshakeMessage);
            }
            return onProduceFinished((ServerHandshakeContext) connectionContext, handshakeMessage);
        }

        /**
         * Client side: sends the client's Finished, switches the write side to the client
         * application traffic keys, and completes the handshake.
         *
         * @param clientHandshakeContext the client handshake state
         * @param handshakeMessage not read by this method
         * @return always {@code null}
         * @throws IOException if verify_data generation or output fails, the key derivation
         *         is missing or unsupported, or deriving the application secrets fails
         */
        private byte[] onProduceFinished(ClientHandshakeContext clientHandshakeContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            // NOTE(review): update() presumably folds the buffered handshake messages into
            // the transcript before verify_data is computed - confirm in HandshakeHash.
            clientHandshakeContext.handshakeHash.update();
            FinishedMessage finishedMessage = new FinishedMessage(clientHandshakeContext);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced client Finished handshake message", finishedMessage);
            }
            // Finished is written and flushed before the write cipher is changed below, so
            // it goes out under the keys in place at this point.
            finishedMessage.write(clientHandshakeContext.handshakeOutput);
            clientHandshakeContext.handshakeOutput.flush();
            if (clientHandshakeContext.conContext.secureRenegotiation) {
                clientHandshakeContext.conContext.clientVerifyData = finishedMessage.verifyData;
            }
            SSLKeyDerivation sSLKeyDerivation = clientHandshakeContext.handshakeKeyDerivation;
            if (sSLKeyDerivation == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
            }
            SSLTrafficKeyDerivation valueOf = SSLTrafficKeyDerivation.valueOf(clientHandshakeContext.negotiatedProtocol);
            if (valueOf == null) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + ((Object) clientHandshakeContext.negotiatedProtocol));
            }
            try {
                // Client application traffic secret, then the record key and IV for writing
                // client application data.
                SecretKey deriveKey = sSLKeyDerivation.deriveKey("TlsClientAppTrafficSecret", null);
                SSLKeyDerivation createKeyDerivation = valueOf.createKeyDerivation(clientHandshakeContext, deriveKey);
                SSLCipher.SSLWriteCipher createWriteCipher = clientHandshakeContext.negotiatedCipherSuite.bulkCipher.createWriteCipher(Authenticator.valueOf(clientHandshakeContext.negotiatedProtocol), clientHandshakeContext.negotiatedProtocol, createKeyDerivation.deriveKey("TlsKey", null), new IvParameterSpec(createKeyDerivation.deriveKey("TlsIv", null).getEncoded()), clientHandshakeContext.sslContext.getSecureRandom());
                // A null cipher means the suite/protocol pair is not usable; fail closed
                // instead of continuing without a write cipher.
                if (createWriteCipher == null) {
                    throw clientHandshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Illegal cipher suite (" + ((Object) clientHandshakeContext.negotiatedCipherSuite) + ") and protocol version (" + ((Object) clientHandshakeContext.negotiatedProtocol) + ")");
                }
                clientHandshakeContext.baseWriteSecret = deriveKey;
                clientHandshakeContext.conContext.outputRecord.changeWriteCiphers(createWriteCipher, false);
                // NOTE(review): the cast assumes handshakeKeyDerivation is an
                // SSLSecretDerivation at this point; any other type fails with ClassCastException.
                clientHandshakeContext.handshakeSession.setResumptionMasterSecret(((SSLSecretDerivation) sSLKeyDerivation).forContext(clientHandshakeContext).deriveKey("TlsResumptionMasterSecret", null));
                clientHandshakeContext.conContext.conSession = clientHandshakeContext.handshakeSession.finish();
                clientHandshakeContext.conContext.protocolVersion = clientHandshakeContext.negotiatedProtocol;
                clientHandshakeContext.handshakeFinished = true;
                // Unlike the other completion paths in this file, there is no isDTLS() check here.
                clientHandshakeContext.conContext.finishHandshake();
                Finished.recordEvent(clientHandshakeContext.conContext.conSession);
                return null;
            } catch (GeneralSecurityException e) {
                throw clientHandshakeContext.conContext.fatal(Alert.INTERNAL_ERROR, "Failure to derive application secrets", e);
            }
        }

        /**
         * Emits the server's Finished message and moves the outbound record layer
         * onto the server application traffic keys.
         *
         * <p>Judging by the {@code "TlsServerAppTrafficSecret"} label and the HKDF
         * extract step, this is the TLS 1.3 server path; the enclosing class is
         * not visible from here. The steps, in order:
         * <ol>
         *   <li>fold pending handshake messages into the transcript hash, then
         *       build, write and flush the Finished message;</li>
         *   <li>derive the master secret with HKDF-Extract over an all-zero input
         *       key. The zero input is what the TLS 1.3 key schedule (RFC 8446,
         *       section 7.1) prescribes for this stage; it is not a placeholder
         *       key;</li>
         *   <li>derive the server application traffic secret, the write key and the
         *       write IV, and install the resulting write cipher;</li>
         *   <li>finish the session and register a consumer for the peer's
         *       Finished message.</li>
         * </ol>
         *
         * <p>Review note: when this method returns, outbound records are already
         * protected with application keys, but the client's Finished has not been
         * consumed yet (its consumer is only registered on the last step).
         *
         * @param serverHandshakeContext the server-side handshake state to update
         * @param handshakeMessage not read by this method
         * @return always {@code null}
         * @throws IOException for I/O failures and for the fatal alerts raised when
         *         key derivation is unavailable, unsupported, or fails
         */
        private byte[] onProduceFinished(ServerHandshakeContext serverHandshakeContext, SSLHandshake.HandshakeMessage handshakeMessage) throws IOException {
            final ServerHandshakeContext shc = serverHandshakeContext;

            // The transcript hash must be current before verify_data is computed
            // inside the FinishedMessage constructor.
            shc.handshakeHash.update();
            FinishedMessage finished = new FinishedMessage(shc);
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.fine("Produced server Finished handshake message", finished);
            }
            finished.write(shc.handshakeOutput);
            shc.handshakeOutput.flush();

            SSLKeyDerivation handshakeKd = shc.handshakeKeyDerivation;
            if (handshakeKd == null) {
                throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
            }

            SSLTrafficKeyDerivation trafficKdFactory = SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
            if (trafficKdFactory == null) {
                throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Not supported key derivation: " + shc.negotiatedProtocol);
            }

            try {
                // Master secret = HKDF-Extract(salt = derived salt secret, IKM = zeros).
                SecretKey saltSecret = handshakeKd.deriveKey("TlsSaltSecret", null);
                CipherSuite.HashAlg hashAlg = shc.negotiatedCipherSuite.hashAlg;
                HKDF hkdf = new HKDF(hashAlg.name);
                SecretKeySpec zeroInputKey = new SecretKeySpec(new byte[hashAlg.hashLength], "TlsZeroSecret");
                SecretKey masterSecret = hkdf.extract(saltSecret, zeroInputKey, "TlsMasterSecret");
                SSLSecretDerivation appSecretKd = new SSLSecretDerivation(shc, masterSecret);

                // Server application traffic secret -> write key and IV -> write cipher.
                SecretKey serverAppSecret = appSecretKd.deriveKey("TlsServerAppTrafficSecret", null);
                SSLKeyDerivation writeKd = trafficKdFactory.createKeyDerivation(shc, serverAppSecret);
                SSLCipher bulkCipher = shc.negotiatedCipherSuite.bulkCipher;
                Authenticator authenticator = Authenticator.valueOf(shc.negotiatedProtocol);
                SecretKey writeKey = writeKd.deriveKey("TlsKey", null);
                IvParameterSpec writeIv = new IvParameterSpec(writeKd.deriveKey("TlsIv", null).getEncoded());
                SSLCipher.SSLWriteCipher writeCipher = bulkCipher.createWriteCipher(authenticator, shc.negotiatedProtocol, writeKey, writeIv, shc.sslContext.getSecureRandom());
                if (writeCipher == null) {
                    throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, "Illegal cipher suite (" + shc.negotiatedCipherSuite + ") and protocol version (" + shc.negotiatedProtocol + ")");
                }

                // From here on, outbound records use the application traffic keys.
                shc.baseWriteSecret = serverAppSecret;
                shc.conContext.outputRecord.changeWriteCiphers(writeCipher, false);

                // Later derivations start from the master-secret derivation.
                shc.handshakeKeyDerivation = appSecretKd;

                if (shc.conContext.secureRenegotiation) {
                    shc.conContext.serverVerifyData = finished.verifyData;
                }

                SSLSessionContextImpl serverSessions = (SSLSessionContextImpl) shc.sslContext.engineGetServerSessionContext();
                shc.handshakeSession.setContext(serverSessions);
                shc.conContext.conSession = shc.handshakeSession.finish();

                // Expect the peer's Finished next.
                shc.handshakeConsumers.put(Byte.valueOf(SSLHandshake.FINISHED.id), SSLHandshake.FINISHED);
                return null;
            } catch (GeneralSecurityException gse) {
                throw shc.conContext.fatal(Alert.INTERNAL_ERROR, "Failure to derive application secrets", gse);
            }
        }
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$T13VerifyDataGenerator.class */
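    /**
     * Produces the Finished {@code verify_data} for the {@code TLS13} scheme.
     *
     * <p>A finished key is derived from one of the context's base traffic secrets
     * with the label {@code "tls13 finished"} and an empty context, and is then
     * used as the HMAC key over the current transcript hash. This matches the
     * Finished computation in RFC 8446, section 4.4.4.
     *
     * <p>This class only generates the value. Whoever compares it with
     * peer-supplied bytes should use a constant-time comparison such as
     * {@code MessageDigest.isEqual}; that comparison is not part of this class.
     */
    private static final class T13VerifyDataGenerator implements VerifyDataGenerator {
        // The label is a wire-level protocol constant, so its bytes must not depend
        // on the platform default charset (a bare getBytes() does on JDKs where the
        // default is not fixed to UTF-8). Encoding it explicitly keeps the derived
        // finished key identical on every platform.
        private static final byte[] hkdfLabel = "tls13 finished".getBytes(java.nio.charset.StandardCharsets.US_ASCII);
        private static final byte[] hkdfContext = new byte[0];

        private T13VerifyDataGenerator() {
        }

        /**
         * Computes {@code HMAC(finished_key, transcript_hash)}.
         *
         * @param handshakeContext supplies the negotiated cipher suite, the base
         *        read/write secrets and the handshake transcript hash
         * @param z {@code true} to key the MAC from {@code baseReadSecret} (the
         *        value expected from the peer), {@code false} to key it from
         *        {@code baseWriteSecret} (the value this side sends)
         * @return the MAC output
         * @throws IOException if deriving the finished key fails
         * @throws ProviderException if the HMAC algorithm is unavailable or
         *         rejects the derived key
         */
        @Override // sun.security.ssl.Finished.VerifyDataGenerator
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            CipherSuite.HashAlg hashAlg = handshakeContext.negotiatedCipherSuite.hashAlg;

            // The finished key has the length of the hash output.
            SSLBasicKeyDerivation finishedKd = new SSLBasicKeyDerivation(z ? handshakeContext.baseReadSecret : handshakeContext.baseWriteSecret, hashAlg.name, hkdfLabel, hkdfContext, hashAlg.hashLength);
            SecretKey finishedKey = finishedKd.deriveKey("TlsFinishedSecret", new SSLBasicKeyDerivation.SecretSizeSpec(hashAlg.hashLength));
            try {
                // Builds the JCA name from the hash name, e.g. "Hmac" + name with the
                // separator removed. NOTE(review): LanguageTag.SEP looks like a
                // decompiler substitution for a literal separator such as "-"; confirm.
                Mac mac = Mac.getInstance("Hmac" + hashAlg.name.replace(LanguageTag.SEP, ""));
                mac.init(finishedKey);
                return mac.doFinal(handshakeContext.handshakeHash.digest());
            } catch (InvalidKeyException | NoSuchAlgorithmException e) {
                throw new ProviderException("Failed to generate verify_data", e);
            }
        }
    }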

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$VerifyDataGenerator.class */
    /**
     * Strategy for computing the {@code verify_data} carried in a Finished
     * handshake message. {@code VerifyDataScheme} holds one implementation per
     * protocol family.
     */
    public interface VerifyDataGenerator {
        /**
         * Computes the verify data for the handshake described by the context.
         *
         * @param handshakeContext the handshake state to compute over
         * @param z selects which side's value is computed. In the TLS 1.3
         *        generator in this file, {@code true} keys the computation from
         *        {@code baseReadSecret} and {@code false} from
         *        {@code baseWriteSecret}; {@code FinishedMessage} passes
         *        {@code false} when it builds an outgoing message.
         * @return the verify data bytes
         * @throws IOException if the value cannot be computed
         */
        byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException;
    }

    /* loaded from: input_file:com/kohlschutter/jdk/home/modules/java.base/sun/security/ssl/Finished$VerifyDataScheme.class */
    /**
     * Maps each protocol family to the generator that computes its Finished
     * {@code verify_data}.
     *
     * <p>The table still carries entries for SSL 3.0 and TLS 1.0/1.1 (which also
     * serves DTLS 1.0). Whether those versions can actually be negotiated is
     * decided elsewhere; this enum only selects the computation.
     */
    enum VerifyDataScheme {
        SSL30("kdf_ssl30", new S30VerifyDataGenerator()),
        TLS10("kdf_tls10", new T10VerifyDataGenerator()),
        TLS12("kdf_tls12", new T12VerifyDataGenerator()),
        TLS13("kdf_tls13", new T13VerifyDataGenerator());

        /** Scheme label, e.g. {@code "kdf_tls13"}. */
        final String name;

        /** Generator used for this scheme. */
        final VerifyDataGenerator generator;

        VerifyDataScheme(String schemeName, VerifyDataGenerator schemeGenerator) {
            name = schemeName;
            generator = schemeGenerator;
        }

        /**
         * Looks up the scheme for a protocol version.
         *
         * @param protocolVersion the negotiated version; must not be {@code null}
         *        (the {@code switch} would throw {@code NullPointerException})
         * @return the matching scheme, or {@code null} for a version with no
         *         entry, so callers must handle {@code null} before dereferencing
         */
        static VerifyDataScheme valueOf(ProtocolVersion protocolVersion) {
            final VerifyDataScheme scheme;
            switch (protocolVersion) {
                case SSL30:
                    scheme = VerifyDataScheme.SSL30;
                    break;
                case TLS10:
                case TLS11:
                case DTLS10:
                    scheme = VerifyDataScheme.TLS10;
                    break;
                case TLS12:
                case DTLS12:
                    scheme = VerifyDataScheme.TLS12;
                    break;
                case TLS13:
                    scheme = VerifyDataScheme.TLS13;
                    break;
                default:
                    scheme = null;
                    break;
            }
            return scheme;
        }

        /**
         * Delegates to this scheme's generator.
         *
         * @param handshakeContext the handshake state to compute over
         * @param z passed through unchanged to the generator
         * @return the verify data bytes
         * @throws IOException if the generator fails
         * @throws UnsupportedOperationException if the scheme has no generator
         */
        public byte[] createVerifyData(HandshakeContext handshakeContext, boolean z) throws IOException {
            if (generator == null) {
                throw new UnsupportedOperationException("Not supported yet.");
            }
            return generator.createVerifyData(handshakeContext, z);
        }
    }

    /** Package-private constructor with an empty body; it performs no initialisation. */
    Finished() {
    }

    /**
     * Reports a completed handshake to the event recorder and/or the security
     * logger, whichever is enabled.
     *
     * <p>The certificate id is the Java {@code hashCode()} of the first
     * certificate in the session's chain, widened to an unsigned {@code long}.
     * It is a 32-bit correlation value, not a cryptographic fingerprint:
     * collisions are possible, so it should not be used on its own to identify
     * or trust a certificate. When no verified chain is available the id is 0.
     *
     * @param sSLSessionImpl the session whose peer host, port, cipher suite,
     *        protocol and certificate id are reported
     */
    private static void recordEvent(SSLSessionImpl sSLSessionImpl) {
        TLSHandshakeEvent event = new TLSHandshakeEvent();
        if (!event.shouldCommit() && !EventHelper.isLoggingSecurity()) {
            // Neither sink is active, so there is nothing to report.
            return;
        }

        int certHash = 0;
        try {
            certHash = sSLSessionImpl.getCertificateChain()[0].hashCode();
        } catch (SSLPeerUnverifiedException ignored) {
            // Best effort: with no verified chain the id stays 0.
        }
        long certificateId = Integer.toUnsignedLong(certHash);

        if (event.shouldCommit()) {
            event.peerHost = sSLSessionImpl.getPeerHost();
            event.peerPort = sSLSessionImpl.getPeerPort();
            event.cipherSuite = sSLSessionImpl.getCipherSuite();
            event.protocolVersion = sSLSessionImpl.getProtocol();
            event.certificateId = certificateId;
            event.commit();
        }

        if (EventHelper.isLoggingSecurity()) {
            EventHelper.logTLSHandshakeEvent(null, sSLSessionImpl.getPeerHost(), sSLSessionImpl.getPeerPort(), sSLSessionImpl.getCipherSuite(), sSLSessionImpl.getProtocol(), certificateId);
        }
    }
}
