package com.android.internal.net.eap.crypto;

import android.net.ssl.SSLEngines;
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.net.eap.EapAuthenticator;
import com.android.internal.net.eap.EapResult;
import com.android.internal.net.eap.exceptions.EapInvalidRequestException;
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.BufferOverflowException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/android/internal/net/eap/crypto/TlsSession.class */
/**
 * Client-side TLS 1.2 session built on a non-blocking {@link SSLEngine}, used to run the TLS
 * tunnel for EAP-TTLS and to export the tunnel's keying material.
 *
 * <p>This listing is decompiler output (see the "loaded from" / "JADX INFO" markers), so some
 * structure is damaged: status constants appear as bare integers, the enum switch goes through a
 * synthetic lookup table, and the loop in {@link #processHandshakeData} has lost its exits.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>Only "TLSv1.2" is enabled on the engine.
 *   <li>Server trust comes from the trust managers built in {@code initTrustManagers}: either a
 *       single caller-supplied certificate or, when none is supplied, whatever the provider uses
 *       for a null key store.
 *   <li>No {@code SSLParameters} / endpoint-identification setting is applied to the engine here,
 *       so peer authentication rests on certificate-path validation alone as far as this file
 *       shows.
 *   <li>Exported MSK/EMSK bytes are handed out in plain {@code byte[]} fields and are never
 *       cleared by this class.
 * </ul>
 *
 * <p>No synchronization is visible; the buffers and handshake state are plain mutable fields.
 */
public class TlsSession {
    // Status codes carried in TlsResult.status. The methods below use the literals 0-3 directly
    // (the decompiler inlined these constants), so read 0/1/2/3 as the names given here.
    public static final int TLS_STATUS_TUNNEL_ESTABLISHED = 0;
    public static final int TLS_STATUS_SUCCESS = 1;
    public static final int TLS_STATUS_FAILURE = 2;
    public static final int TLS_STATUS_CLOSED = 3;
    private static final String CERT_PATH_ALGO_PKIX = "PKIX";
    private static final String KEY_STORE_TYPE_PKCS12 = "PKCS12";
    // Label and total length passed to the TLS exporter in generateKeyingMaterial(); the length
    // appears there as the literal 128.
    private static final String TTLS_EXPORTER_LABEL = "ttls keying material";
    private static final int TTLS_KEYING_MATERIAL_LEN = 128;
    private final SSLContext mSslContext;
    private final SSLSession mSslSession;
    private final SSLEngine mSslEngine;
    // Stored by both constructors; no method in this listing reads the field afterwards.
    private final SecureRandom mSecureRandom;

    // Last handshake status reported by the engine; drives the switch in processHandshakeData().
    @VisibleForTesting
    SSLEngineResult.HandshakeStatus mHandshakeStatus;

    // Set once a wrap reports FINISHED; gates generateKeyingMaterial().
    @VisibleForTesting
    boolean mHandshakeComplete = false;
    private TrustManager[] mTrustManagers;
    // Plaintext side of the engine (wrap source / unwrap destination).
    private ByteBuffer mApplicationData;
    // TLS record side of the engine (wrap destination / unwrap source).
    private ByteBuffer mPacketData;
    private static final String TAG = TlsSession.class.getSimpleName();
    private static final String[] ENABLED_TLS_PROTOCOLS = {"TLSv1.2"};
    // NOTE(review): Security.getProvider returns null when the named provider is not installed.
    // That value is passed straight to TrustManagerFactory.getInstance in initTrustManagers(),
    // which is documented to reject a null provider with IllegalArgumentException, so a missing
    // provider fails session construction there rather than at class load.
    private static final Provider TRUST_MANAGER_PROVIDER = Security.getProvider("HarmonyJSSE");

    // Synthetic lookup table the compiler emits for a switch over an enum, surfaced by the
    // decompiler. It maps NEED_UNWRAP -> 1, NEED_TASK -> 2, NEED_WRAP -> 3; every other
    // HandshakeStatus keeps the array default of 0 and therefore matches no case in
    // processHandshakeData().
    /* renamed from: com.android.internal.net.eap.crypto.TlsSession$1, reason: invalid class name */
    /* loaded from: input_file:com/android/internal/net/eap/crypto/TlsSession$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus = new int[SSLEngineResult.HandshakeStatus.values().length];

        static {
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_UNWRAP.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_TASK.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[SSLEngineResult.HandshakeStatus.NEED_WRAP.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /**
     * Result of {@link #generateKeyingMaterial()}: either the MSK/EMSK pair or an error, never
     * both.
     *
     * <p>The key arrays are stored by reference in public fields, without copying, and nothing in
     * this class clears them; the caller owns the lifetime of these secret bytes.
     */
    /* loaded from: input_file:com/android/internal/net/eap/crypto/TlsSession$EapTtlsKeyingMaterial.class */
    public class EapTtlsKeyingMaterial {
        // Null when eapError is set.
        public final byte[] msk;
        // Null when eapError is set.
        public final byte[] emsk;
        // Null on success.
        public final EapResult.EapError eapError;

        /** Success case: {@code bArr} becomes the MSK and {@code bArr2} the EMSK. */
        public EapTtlsKeyingMaterial(byte[] bArr, byte[] bArr2) {
            this.msk = bArr;
            this.emsk = bArr2;
            this.eapError = null;
        }

        /** Failure case: carries only the error; both key fields are null. */
        public EapTtlsKeyingMaterial(EapResult.EapError eapError) {
            this.msk = null;
            this.emsk = null;
            this.eapError = eapError;
        }

        /** Returns true when no error was recorded, i.e. the key fields are populated. */
        public boolean isSuccessful() {
            return this.eapError == null;
        }
    }

    /**
     * Outcome of one TLS operation: the bytes produced (possibly empty) and one of the
     * {@code TLS_STATUS_*} codes.
     */
    /* loaded from: input_file:com/android/internal/net/eap/crypto/TlsSession$TlsResult.class */
    public class TlsResult {
        public final byte[] data;
        public final int status;

        /** Creates a result carrying {@code bArr} and status code {@code i}. */
        public TlsResult(byte[] bArr, int i) {
            this.data = bArr;
            this.status = i;
        }

        /**
         * Creates a result with an empty data array and status code {@code i}.
         *
         * <p>The {@code tlsSession} argument is unused; presumably it is the decompiler's
         * rendering of the implicit outer-instance parameter of a status-only constructor.
         */
        public TlsResult(TlsSession tlsSession, int i) {
            this(new byte[0], i);
        }
    }

    // Source-retention marker annotation for status-code ints. It is empty as decompiled;
    // presumably the original carried the list of allowed values - confirm against upstream.
    @Retention(RetentionPolicy.SOURCE)
    /* loaded from: input_file:com/android/internal/net/eap/crypto/TlsSession$TlsStatus.class */
    public @interface TlsStatus {
    }

    /**
     * Builds a client-mode TLS 1.2 engine whose trust decisions come from
     * {@code initTrustManagers(x509Certificate)}.
     *
     * <p>No KeyManager is supplied to {@code SSLContext.init}, and the engine is created without a
     * peer host or any endpoint-identification setting, so this class performs no hostname check
     * of its own.
     *
     * @param x509Certificate certificate to use as the only trust anchor, or null (see
     *     {@code initTrustManagers} for what null means)
     * @param secureRandom randomness source handed to {@code SSLContext.init}
     * @throws GeneralSecurityException if the key store, trust manager factory or SSL context
     *     cannot be set up
     * @throws IOException if loading the empty key store fails
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public TlsSession(X509Certificate x509Certificate, SecureRandom secureRandom) throws GeneralSecurityException, IOException {
        this.mSecureRandom = secureRandom;
        initTrustManagers(x509Certificate);
        this.mSslContext = SSLContext.getInstance("TLSv1.2");
        this.mSslContext.init(null, this.mTrustManagers, secureRandom);
        this.mSslEngine = this.mSslContext.createSSLEngine();
        this.mSslEngine.setEnabledProtocols(ENABLED_TLS_PROTOCOLS);
        this.mSslEngine.setUseClientMode(true);
        this.mSslSession = this.mSslEngine.getSession();
        // Size both buffers from the session's own recommendations.
        this.mApplicationData = ByteBuffer.allocate(this.mSslSession.getApplicationBufferSize());
        this.mPacketData = ByteBuffer.allocate(this.mSslSession.getPacketBufferSize());
    }

    /**
     * Test constructor: takes pre-built TLS objects as-is and only allocates the buffers.
     *
     * <p>Nothing is configured here: no trust managers are created (mTrustManagers stays null),
     * and the protocol list and client mode are whatever the supplied engine already has.
     */
    @VisibleForTesting
    public TlsSession(SSLContext sSLContext, SSLEngine sSLEngine, SSLSession sSLSession, SecureRandom secureRandom) {
        this.mSslContext = sSLContext;
        this.mSslEngine = sSLEngine;
        this.mSecureRandom = secureRandom;
        this.mSslSession = sSLSession;
        this.mApplicationData = ByteBuffer.allocate(this.mSslSession.getApplicationBufferSize());
        this.mPacketData = ByteBuffer.allocate(this.mSslSession.getPacketBufferSize());
    }

    /**
     * Creates the PKIX trust managers used to validate the server certificate chain.
     *
     * <p>With a non-null certificate, a fresh empty PKCS12 key store is created and that
     * certificate is its only entry, so it is the sole trust anchor. With a null certificate the
     * factory is initialized with a null key store.
     *
     * <p>NOTE(review): by JSSE convention a null key store selects the provider's default trust
     * anchors; confirm what the "HarmonyJSSE" provider uses, since that set decides which servers
     * are accepted when the caller pins nothing.
     *
     * @throws ProviderException if the factory returns no {@link X509TrustManager}
     */
    private void initTrustManagers(X509Certificate x509Certificate) throws GeneralSecurityException, IOException {
        KeyStore keyStore = null;
        if (x509Certificate != null) {
            keyStore = KeyStore.getInstance(KEY_STORE_TYPE_PKCS12);
            // load(null) initializes an empty in-memory store.
            keyStore.load(null);
            // Alias is the subject DN concatenated with the certificate's hashCode.
            keyStore.setCertificateEntry(x509Certificate.getSubjectX500Principal().getName() + x509Certificate.hashCode(), x509Certificate);
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERT_PATH_ALGO_PKIX, TRUST_MANAGER_PROVIDER);
        trustManagerFactory.init(keyStore);
        this.mTrustManagers = trustManagerFactory.getTrustManagers();
        // Accept the result as soon as one X509TrustManager is present.
        for (TrustManager trustManager : this.mTrustManagers) {
            if (trustManager instanceof X509TrustManager) {
                return;
            }
        }
        throw new ProviderException("X509TrustManager is not supported by provider " + TRUST_MANAGER_PROVIDER);
    }

    /**
     * Produces the first outbound handshake bytes by wrapping with cleared buffers.
     *
     * <p>Only the handshake status of the wrap result is recorded; its
     * {@code SSLEngineResult.Status} is not inspected here.
     *
     * @return the packet bytes with status 1 (TLS_STATUS_SUCCESS), or an empty result with
     *     status 2 (TLS_STATUS_FAILURE) if the engine throws
     */
    public TlsResult startHandshake() {
        clearAndGrowApplicationBufferIfNeeded();
        clearAndGrowPacketBufferIfNeeded();
        try {
            this.mHandshakeStatus = this.mSslEngine.wrap(this.mApplicationData, this.mPacketData).getHandshakeStatus();
            return new TlsResult(getByteArrayFromBuffer(this.mPacketData), 1);
        } catch (SSLException e) {
            EapAuthenticator.LOG.e(TAG, "Failed to initiate handshake", e);
            return new TlsResult(this, 2);
        }
    }

    /**
     * Feeds received handshake bytes to the engine and steps the handshake state machine.
     *
     * @param bArr bytes copied into the packet (TLS record) buffer
     * @param bArr2 bytes copied into the application (plaintext) buffer; presumably data to send
     *     once the tunnel is up - confirm against the caller
     * @return the result of the last wrap/unwrap step, or the result of
     *     {@link #closeConnection()} if either input does not fit its buffer
     */
    public TlsResult processHandshakeData(byte[] bArr, byte[] bArr2) {
        clearAndGrowApplicationBufferIfNeeded();
        clearAndGrowPacketBufferIfNeeded();
        try {
            // put() throws BufferOverflowException when the input exceeds the remaining buffer
            // space; that is the only size check applied to these inputs in this method.
            this.mApplicationData.put(bArr2);
            this.mPacketData.put(bArr);
            // Switch both buffers from filling to draining.
            this.mApplicationData.flip();
            this.mPacketData.flip();
            // Default result is status 2 (TLS_STATUS_FAILURE) with empty data.
            TlsResult tlsResult = new TlsResult(this, 2);
            // NOTE(review): as decompiled, every `break` below leaves only the switch, so this
            // `while (true)` has no exit and the `return tlsResult` after it is unreachable.
            // Handshake statuses outside the three mapped ones match no case and would spin as
            // well. This looks like labeled-break / default-case structure lost in
            // decompilation; recover the real exit conditions from the bytecode or the upstream
            // source before relying on this method's termination or on which result it returns.
            while (true) {
                switch (AnonymousClass1.$SwitchMap$javax$net$ssl$SSLEngineResult$HandshakeStatus[this.mHandshakeStatus.ordinal()]) {
                    // NEED_UNWRAP: consume received records.
                    case 1:
                        tlsResult = doUnwrap();
                        break;
                    // NEED_TASK: run one delegated task inline on the calling thread, then
                    // re-read the status.
                    case 2:
                        this.mSslEngine.getDelegatedTask().run();
                        this.mHandshakeStatus = this.mSslEngine.getHandshakeStatus();
                        break;
                    // NEED_WRAP: discard the consumed input records and produce outbound ones.
                    case 3:
                        this.mPacketData.clear();
                        tlsResult = doWrap();
                        if (this.mHandshakeStatus == SSLEngineResult.HandshakeStatus.FINISHED) {
                            // Handshake done: unlock key export and refresh the status.
                            this.mHandshakeComplete = true;
                            this.mHandshakeStatus = this.mSslEngine.getHandshakeStatus();
                            break;
                        }
                        break;
                }
            }
            return tlsResult;
        } catch (BufferOverflowException e) {
            EapAuthenticator.LOG.e(TAG, "Buffer overflow while attempting to process handshake message. Attempting to close connection.", e);
            return closeConnection();
        }
    }

    /**
     * Decrypts received tunnel data.
     *
     * <p>The packet buffer is replaced by a wrapper around {@code bArr} (no copy), then unwrapped
     * into the cleared application buffer.
     *
     * @return see {@code doUnwrap()}
     */
    public TlsResult processIncomingData(byte[] bArr) {
        clearAndGrowApplicationBufferIfNeeded();
        this.mPacketData = ByteBuffer.wrap(bArr);
        return doUnwrap();
    }

    /**
     * Encrypts data for the tunnel.
     *
     * <p>The application buffer is replaced by a wrapper around {@code bArr} (no copy), then
     * wrapped into the cleared packet buffer.
     *
     * @return see {@code doWrap()}
     */
    public TlsResult processOutgoingData(byte[] bArr) {
        clearAndGrowPacketBufferIfNeeded();
        this.mApplicationData = ByteBuffer.wrap(bArr);
        return doWrap();
    }

    /**
     * Unwraps the packet buffer into the application buffer and records the handshake status.
     *
     * <p>Any engine status other than OK, including BUFFER_UNDERFLOW and BUFFER_OVERFLOW, is
     * handled by closing the connection; no retry with more data or a larger buffer happens here.
     *
     * @return the application bytes written so far with status 1 (TLS_STATUS_SUCCESS), or the
     *     result of {@link #closeConnection()} on a non-OK status or an SSLException
     */
    private TlsResult doUnwrap() {
        try {
            SSLEngineResult unwrap = this.mSslEngine.unwrap(this.mPacketData, this.mApplicationData);
            this.mHandshakeStatus = unwrap.getHandshakeStatus();
            return unwrap.getStatus() != SSLEngineResult.Status.OK ? closeConnection() : new TlsResult(getByteArrayFromBuffer(this.mApplicationData), 1);
        } catch (SSLException e) {
            EapAuthenticator.LOG.e(TAG, "Encountered an issue while unwrapping data. Connection will be closed.", e);
            return closeConnection();
        }
    }

    /**
     * Wraps the application buffer into the packet buffer and records the handshake status.
     *
     * @return the packet bytes with status 0 (TLS_STATUS_TUNNEL_ESTABLISHED) when this wrap
     *     reports FINISHED, otherwise status 1 (TLS_STATUS_SUCCESS); or the result of
     *     {@link #closeConnection()} on a non-OK status or an SSLException
     */
    private TlsResult doWrap() {
        try {
            SSLEngineResult wrap = this.mSslEngine.wrap(this.mApplicationData, this.mPacketData);
            this.mHandshakeStatus = wrap.getHandshakeStatus();
            if (wrap.getStatus() != SSLEngineResult.Status.OK) {
                return closeConnection();
            }
            return new TlsResult(getByteArrayFromBuffer(this.mPacketData), this.mHandshakeStatus == SSLEngineResult.HandshakeStatus.FINISHED ? 0 : 1);
        } catch (SSLException e) {
            EapAuthenticator.LOG.e(TAG, "Encountered an issue while wrapping data. Connection will be closed.", e);
            return closeConnection();
        }
    }

    /**
     * Closes both directions of the engine and flushes any closing records it wants to send.
     *
     * @return status 3 (TLS_STATUS_CLOSED) with the flushed packet bytes (empty when the engine
     *     has nothing to wrap), or status 2 (TLS_STATUS_FAILURE) with empty data if flushing hits
     *     a buffer overflow/underflow or an SSLException
     */
    public TlsResult closeConnection() {
        try {
            this.mSslEngine.closeInbound();
        } catch (SSLException e) {
            // Best effort: a failed inbound close is logged and the outbound close still runs.
            EapAuthenticator.LOG.e(TAG, "Error occurred when trying to close inbound.", e);
        }
        this.mSslEngine.closeOutbound();
        this.mHandshakeStatus = this.mSslEngine.getHandshakeStatus();
        if (this.mHandshakeStatus != SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            // Nothing to flush.
            return new TlsResult(this, 3);
        }
        clearAndGrowPacketBufferIfNeeded();
        clearAndGrowApplicationBufferIfNeeded();
        // Keep wrapping while the engine asks for it. Only overflow/underflow is treated as an
        // error; other result statuses (such as CLOSED) let the loop continue on the handshake
        // status alone.
        while (this.mHandshakeStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            try {
                SSLEngineResult wrap = this.mSslEngine.wrap(this.mApplicationData, this.mPacketData);
                this.mHandshakeStatus = wrap.getHandshakeStatus();
                if (wrap.getStatus() == SSLEngineResult.Status.BUFFER_OVERFLOW || wrap.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW) {
                    EapAuthenticator.LOG.e(TAG, "Experienced an overflow or underflow while trying to close the TLS connection.");
                    return new TlsResult(this, 2);
                }
            } catch (SSLException e2) {
                EapAuthenticator.LOG.e(TAG, "Wrap operation failed whilst attempting to flush out data during a close.", e2);
                return new TlsResult(this, 2);
            }
        }
        return new TlsResult(getByteArrayFromBuffer(this.mPacketData), 3);
    }

    /**
     * Exports 128 bytes from the TLS exporter with the label "ttls keying material" and no
     * context, and splits them into MSK (first 64 bytes) and EMSK (next 64 bytes).
     *
     * <p>Refuses to run until the handshake has been marked complete. The 64/64 split appears to
     * follow the EAP-TTLS key derivation (RFC 5281) - confirm.
     *
     * <p>NOTE(review): the exporter's return value is wrapped without a null check; if
     * {@code SSLEngines.exportKeyingMaterial} can return null, {@code ByteBuffer.wrap} would
     * throw NullPointerException, which is not caught here - confirm against the API contract.
     * The returned arrays hold secret key material and are not cleared by this class.
     *
     * @return the key pair on success, or an error-carrying result if the handshake is incomplete
     *     or the export throws SSLException
     */
    public EapTtlsKeyingMaterial generateKeyingMaterial() {
        if (!this.mHandshakeComplete) {
            return new EapTtlsKeyingMaterial(new EapResult.EapError(new EapInvalidRequestException("Keying material can only be generated once the handshake is complete.")));
        }
        try {
            // 128 is TTLS_KEYING_MATERIAL_LEN, inlined by the decompiler.
            ByteBuffer wrap = ByteBuffer.wrap(SSLEngines.exportKeyingMaterial(this.mSslEngine, TTLS_EXPORTER_LABEL, null, 128));
            byte[] bArr = new byte[64];
            byte[] bArr2 = new byte[64];
            // Sequential reads: bytes 0-63 become the MSK, bytes 64-127 the EMSK.
            wrap.get(bArr);
            wrap.get(bArr2);
            return new EapTtlsKeyingMaterial(bArr, bArr2);
        } catch (SSLException e) {
            EapAuthenticator.LOG.e(TAG, "Failed to generate EAP-TTLS keying material", e);
            return new EapTtlsKeyingMaterial(new EapResult.EapError(e));
        }
    }

    /**
     * Resets the packet buffer for reuse and reallocates it if it is smaller than the size the
     * session currently recommends.
     *
     * <p>{@code clear()} only resets position and limit; the previous bytes stay in the backing
     * array until overwritten.
     */
    private void clearAndGrowPacketBufferIfNeeded() {
        this.mPacketData.clear();
        if (this.mPacketData.capacity() < this.mSslSession.getPacketBufferSize()) {
            this.mPacketData = ByteBuffer.allocate(this.mSslSession.getPacketBufferSize());
        }
    }

    /**
     * Resets the application buffer for reuse and reallocates it if it is smaller than the size
     * the session currently recommends.
     *
     * <p>{@code clear()} only resets position and limit; previously held plaintext stays in the
     * backing array until overwritten.
     */
    private void clearAndGrowApplicationBufferIfNeeded() {
        this.mApplicationData.clear();
        if (this.mApplicationData.capacity() < this.mSslSession.getApplicationBufferSize()) {
            this.mApplicationData = ByteBuffer.allocate(this.mSslSession.getApplicationBufferSize());
        }
    }

    /**
     * Copies the bytes from index 0 up to the buffer's current position out of its backing array.
     *
     * <p>Requires a buffer with an accessible backing array (heap-allocated or wrapped, as all
     * buffers in this class are). The copy starts at array index 0 and does not account for
     * {@code arrayOffset()}.
     *
     * @param byteBuffer buffer that has just been written to (position marks the end of data)
     * @return a new array holding the written bytes
     */
    @VisibleForTesting
    public static byte[] getByteArrayFromBuffer(ByteBuffer byteBuffer) {
        return Arrays.copyOfRange(byteBuffer.array(), 0, byteBuffer.position());
    }
}
