package org.eclipse.californium.scandium.dtls.x509;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.elements.util.SslContextUtil;
import org.eclipse.californium.elements.util.StringUtil;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.CertificateVerificationResult;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.util.ServerName;
import org.eclipse.californium.scandium.util.ServerNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/californium/scandium/dtls/x509/StaticNewAdvancedCertificateVerifier.class */
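/**
 * Certificate verifier backed by a static set of trusted X.509 certificates
 * and/or trusted raw public keys (RPKs).
 * <p>
 * Trust semantics as implemented here:
 * <ul>
 * <li>A {@code null} trust store disables the corresponding certificate type;
 * {@link #verifyCertificate} then fails with {@code UNSUPPORTED_CERTIFICATE}.</li>
 * <li>An empty trust store is the "trust all" marker ({@link #X509_TRUST_ALL},
 * {@link #RPK_TRUST_ALL}). For RPKs this class skips the membership check when
 * the set is empty. For x509 the empty array is handed to
 * {@link CertPathUtil#validateCertificatePathWithIssuer}; how that helper
 * treats an empty issuer array is defined there, not here.</li>
 * </ul>
 * Instances are immutable once constructed: trusted certificates, trusted RPKs
 * and the list of supported certificate types are copied on construction.
 */
public class StaticNewAdvancedCertificateVerifier implements NewAdvancedCertificateVerifier, ConfigurationHelperSetup {
    /** "Trust all x509" marker: an empty (non-null) trusted certificate array. */
    private static final X509Certificate[] X509_TRUST_ALL = new X509Certificate[0];
    /** "Trust all RPK" marker: an empty (non-null) trusted RPK array. */
    private static final RawPublicKeyIdentity[] RPK_TRUST_ALL = new RawPublicKeyIdentity[0];

    /** Per-instance logger, kept for subclasses that still reference it. */
    @Deprecated
    protected final Logger LOGGER;
    /** Trusted x509 certificates; {@code null} disables x509, empty means trust all. */
    private final X509Certificate[] trustedCertificates;
    /** Trusted raw public keys; {@code null} disables RPK, empty means trust all. */
    private final Set<RawPublicKeyIdentity> trustedRPKs;
    /** Unmodifiable list of certificate types this verifier handles. */
    private final List<CertificateType> supportedCertificateTypes;
    /** If {@code true}, {@link #getAcceptedIssuers()} advertises no issuers. */
    private final boolean useEmptyAcceptedIssuers;

    /**
     * Fluent builder for {@link StaticNewAdvancedCertificateVerifier}.
     * <p>
     * At least one of the two trust stores must be set before {@link #build()},
     * otherwise the constructor rejects the configuration.
     */
    public static class Builder {
        /** Trusted x509 certificates; {@code null} = x509 disabled, empty = trust all. */
        protected X509Certificate[] trustedCertificates;
        /** Trusted RPKs; {@code null} = RPK disabled, empty = trust all. */
        protected RawPublicKeyIdentity[] trustedRPKs;
        /** Supported certificate types; {@code null} derives them from the trust stores. */
        protected List<CertificateType> supportedCertificateTypes;
        /** See {@link StaticNewAdvancedCertificateVerifier#getAcceptedIssuers()}. */
        protected boolean useEmptyAcceptedIssuers;

        /**
         * Sets the trusted x509 certificates.
         * <p>
         * Note the varargs form: calling this with no arguments is equivalent to
         * {@link #setTrustAllCertificates()}.
         *
         * @param certificateArr trusted certificates; {@code null} disables x509,
         *            an empty array trusts all certificates
         * @return this builder
         * @throws IllegalArgumentException if a certificate is not an
         *             {@link X509Certificate} or the array contains duplicates
         *             (as raised by {@link SslContextUtil})
         */
        public Builder setTrustedCertificates(Certificate... certificateArr) {
            if (certificateArr == null) {
                this.trustedCertificates = null;
            } else if (certificateArr.length == 0) {
                this.trustedCertificates = X509_TRUST_ALL;
            } else {
                X509Certificate[] certificates = SslContextUtil.asX509Certificates(certificateArr);
                SslContextUtil.ensureUniqueCertificates(certificates);
                this.trustedCertificates = certificates;
            }
            return this;
        }

        /**
         * Trusts every x509 certificate (empty trust store marker).
         *
         * @return this builder
         */
        public Builder setTrustAllCertificates() {
            this.trustedCertificates = X509_TRUST_ALL;
            return this;
        }

        /**
         * Sets the trusted raw public keys.
         * <p>
         * Note the varargs form: calling this with no arguments is equivalent to
         * {@link #setTrustAllRPKs()}.
         *
         * @param rawPublicKeyIdentityArr trusted raw public key identities; an
         *            empty array trusts all raw public keys
         * @return this builder
         * @throws NullPointerException if the array is {@code null}
         * @throws IllegalArgumentException if the array contains duplicates
         */
        public Builder setTrustedRPKs(RawPublicKeyIdentity... rawPublicKeyIdentityArr) {
            if (rawPublicKeyIdentityArr == null) {
                throw new NullPointerException("trusted RPKs must not be null!");
            }
            Set<RawPublicKeyIdentity> seen = new HashSet<>(rawPublicKeyIdentityArr.length);
            for (RawPublicKeyIdentity identity : rawPublicKeyIdentityArr) {
                if (!seen.add(identity)) {
                    throw new IllegalArgumentException("Truststore contains raw public key certificates duplicates: " + identity.getName());
                }
            }
            this.trustedRPKs = rawPublicKeyIdentityArr;
            return this;
        }

        /**
         * Trusts every raw public key (empty trust store marker).
         *
         * @return this builder
         */
        public Builder setTrustAllRPKs() {
            this.trustedRPKs = RPK_TRUST_ALL;
            return this;
        }

        /**
         * Sets the supported certificate types.
         *
         * @param list supported types; {@code null} lets the constructor derive
         *            them from the configured trust stores
         * @return this builder
         */
        public Builder setSupportedCertificateTypes(List<CertificateType> list) {
            this.supportedCertificateTypes = list;
            return this;
        }

        /**
         * Controls whether {@link #getAcceptedIssuers()} advertises no issuers.
         *
         * @param z {@code true} to advertise an empty issuer list
         * @return this builder
         */
        public Builder setUseEmptyAcceptedIssuers(boolean z) {
            this.useEmptyAcceptedIssuers = z;
            return this;
        }

        /**
         * Checks whether at least one trust store has been configured.
         *
         * @return {@code true} if x509 or RPK trusts are set
         */
        public boolean hasTrusts() {
            return this.trustedCertificates != null || this.trustedRPKs != null;
        }

        /**
         * Builds the verifier.
         *
         * @return the verifier
         * @throws IllegalArgumentException if the configuration is inconsistent,
         *             see the constructor
         */
        public NewAdvancedCertificateVerifier build() {
            return new StaticNewAdvancedCertificateVerifier(this.trustedCertificates, this.trustedRPKs,
                    this.supportedCertificateTypes, this.useEmptyAcceptedIssuers);
        }
    }

    /**
     * Creates a verifier that advertises the subjects of its trusted
     * certificates as accepted issuers.
     *
     * @param x509CertificateArr trusted x509 certificates, or {@code null}
     * @param rawPublicKeyIdentityArr trusted raw public keys, or {@code null}
     * @param list supported certificate types, or {@code null} to derive them
     * @throws IllegalArgumentException see the four-argument constructor
     */
    public StaticNewAdvancedCertificateVerifier(X509Certificate[] x509CertificateArr,
            RawPublicKeyIdentity[] rawPublicKeyIdentityArr, List<CertificateType> list) {
        this(x509CertificateArr, rawPublicKeyIdentityArr, list, false);
    }

    /**
     * Creates a verifier.
     * <p>
     * All inputs are copied, so later modification of the passed arrays or
     * list by the caller does not affect this verifier.
     *
     * @param x509CertificateArr trusted x509 certificates; {@code null}
     *            disables x509, an empty array means trust all
     * @param rawPublicKeyIdentityArr trusted raw public keys; {@code null}
     *            disables RPK, an empty array means trust all
     * @param list supported certificate types; {@code null} derives them from
     *            the provided trust stores (RPK first, then x509)
     * @param z {@code true} to advertise no accepted issuers
     * @throws IllegalArgumentException if both trust stores are {@code null},
     *             if {@code list} is empty, or if {@code list} names a
     *             certificate type without a matching trust store
     */
    public StaticNewAdvancedCertificateVerifier(X509Certificate[] x509CertificateArr,
            RawPublicKeyIdentity[] rawPublicKeyIdentityArr, List<CertificateType> list, boolean z) {
        this.LOGGER = LoggerFactory.getLogger(getClass());
        if (x509CertificateArr == null && rawPublicKeyIdentityArr == null) {
            throw new IllegalArgumentException("no trusts provided!");
        }
        List<CertificateType> types;
        if (list == null) {
            // Derive the supported types from whatever trust stores are present.
            types = new ArrayList<>(2);
            if (rawPublicKeyIdentityArr != null) {
                types.add(CertificateType.RAW_PUBLIC_KEY);
            }
            if (x509CertificateArr != null) {
                types.add(CertificateType.X_509);
            }
        } else {
            if (list.isEmpty()) {
                throw new IllegalArgumentException("list of supported certificate types must not be empty!");
            }
            if (list.contains(CertificateType.RAW_PUBLIC_KEY) && rawPublicKeyIdentityArr == null) {
                throw new IllegalArgumentException("RPK support requires RPK trusts!");
            }
            if (list.contains(CertificateType.X_509) && x509CertificateArr == null) {
                throw new IllegalArgumentException("x509support requires x509 trusts!");
            }
            // Defensive copy: the caller keeps a reference to its own list.
            types = new ArrayList<>(list);
        }
        this.trustedCertificates = x509CertificateArr == null ? null
                : Arrays.copyOf(x509CertificateArr, x509CertificateArr.length);
        this.trustedRPKs = rawPublicKeyIdentityArr == null ? null
                : new HashSet<>(Arrays.asList(rawPublicKeyIdentityArr));
        this.supportedCertificateTypes = Collections.unmodifiableList(types);
        this.useEmptyAcceptedIssuers = z;
    }

    /**
     * Registers the trusted certificates and the keys of the trusted RPKs as
     * configuration defaults.
     * <p>
     * The trusted certificate array is passed even when it is {@code null};
     * handling of {@code null} is up to the helper.
     *
     * @param certificateConfigurationHelper helper to populate
     */
    @Override
    public void setupConfigurationHelper(CertificateConfigurationHelper certificateConfigurationHelper) {
        certificateConfigurationHelper.addConfigurationDefaultsForTrusts(this.trustedCertificates);
        if (this.trustedRPKs != null) {
            for (RawPublicKeyIdentity identity : this.trustedRPKs) {
                certificateConfigurationHelper.addConfigurationDefaultsForTrusts(identity.getKey());
            }
        }
    }

    /**
     * Gets the supported certificate types.
     *
     * @return unmodifiable list of supported certificate types
     */
    @Override
    public List<CertificateType> getSupportedCertificateTypes() {
        return this.supportedCertificateTypes;
    }

    /**
     * Verifies the peer's certificate message.
     * <p>
     * A message without a certificate chain is treated as a raw public key; a
     * message with a chain is validated as x509. Any {@link HandshakeException}
     * raised during verification is not propagated but returned inside the
     * {@link CertificateVerificationResult}.
     *
     * @param connectionId connection the result belongs to
     * @param serverNames server names (SNI) used for subject matching; may be {@code null}
     * @param inetSocketAddress remote peer's address used for subject matching; may be {@code null}
     * @param z passed to {@link CertPathUtil#canBeUsedForAuthentication};
     *            presumably selects the client- vs. server-side key usage check
     *            — confirm against the interface documentation
     * @param z2 {@code true} to verify the leaf certificate's subject against
     *            {@code serverNames}/{@code inetSocketAddress}
     * @param z3 passed through to {@link CertPathUtil#validateCertificatePathWithIssuer};
     *            its meaning is defined there
     * @param certificateMessage the received certificate message
     * @return verification result holding either the verified public key /
     *         certificate path or the {@link HandshakeException} describing the failure
     */
    @Override
    public CertificateVerificationResult verifyCertificate(ConnectionId connectionId, ServerNames serverNames,
            InetSocketAddress inetSocketAddress, boolean z, boolean z2, boolean z3,
            CertificateMessage certificateMessage) {
        this.LOGGER.debug("Verify for SNI: {}, IP: {}", serverNames, StringUtil.toLog(inetSocketAddress));
        try {
            CertPath certificateChain = certificateMessage.getCertificateChain();
            if (certificateChain == null) {
                return verifyRawPublicKey(connectionId, certificateMessage);
            }
            return verifyCertificateChain(connectionId, serverNames, inetSocketAddress, z, z2, z3,
                    certificateMessage, certificateChain);
        } catch (HandshakeException e) {
            this.LOGGER.debug("Certificate validation failed!", e);
            return new CertificateVerificationResult(connectionId, e, (Object) null);
        }
    }

    /**
     * Verifies a raw public key against the trusted RPK set.
     *
     * @param connectionId connection the result belongs to
     * @param certificateMessage message carrying the raw public key
     * @return result holding the peer's public key
     * @throws HandshakeException if RPK is not enabled
     *             ({@code UNSUPPORTED_CERTIFICATE}) or the key is not trusted
     *             ({@code BAD_CERTIFICATE})
     */
    private CertificateVerificationResult verifyRawPublicKey(ConnectionId connectionId,
            CertificateMessage certificateMessage) throws HandshakeException {
        if (this.trustedRPKs == null) {
            throw new HandshakeException("RPK verification not enabled!",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNSUPPORTED_CERTIFICATE));
        }
        PublicKey publicKey = certificateMessage.getPublicKey();
        // An empty set is the "trust all" marker: no membership check at all.
        if (!this.trustedRPKs.isEmpty() && !this.trustedRPKs.contains(new RawPublicKeyIdentity(publicKey))) {
            this.LOGGER.debug("Certificate validation failed: Raw public key is not trusted");
            throw new HandshakeException("Raw public key is not trusted!",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
        return new CertificateVerificationResult(connectionId, publicKey, (Object) null);
    }

    /**
     * Verifies an x509 certificate chain against the trusted certificates.
     * <p>
     * An empty certificate message skips key-usage, subject and path checks and
     * is returned as-is; whether a missing peer certificate is acceptable is
     * left to the caller (NOTE(review): confirm with the handshaker).
     *
     * @param connectionId connection the result belongs to
     * @param serverNames server names for subject matching; may be {@code null}
     * @param inetSocketAddress peer address for subject matching; may be {@code null}
     * @param z key-usage flag, see {@link #verifyCertificate}
     * @param z2 {@code true} to verify the leaf certificate's subject
     * @param z3 passed through to {@link CertPathUtil#validateCertificatePathWithIssuer}
     * @param certificateMessage the received certificate message
     * @param certificateChain the message's (non-null) certificate chain
     * @return result holding the validated certificate path
     * @throws HandshakeException if x509 is not enabled, the key usage or
     *             subject does not match, the certificate is expired, or the
     *             path cannot be validated
     */
    private CertificateVerificationResult verifyCertificateChain(ConnectionId connectionId, ServerNames serverNames,
            InetSocketAddress inetSocketAddress, boolean z, boolean z2, boolean z3,
            CertificateMessage certificateMessage, CertPath certificateChain) throws HandshakeException {
        if (this.trustedCertificates == null) {
            throw new HandshakeException("x509 verification not enabled!",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNSUPPORTED_CERTIFICATE));
        }
        try {
            CertPath validatedChain = certificateChain;
            if (!certificateMessage.isEmpty()) {
                Certificate leaf = certificateChain.getCertificates().get(0);
                if (leaf instanceof X509Certificate) {
                    X509Certificate x509Leaf = (X509Certificate) leaf;
                    if (!CertPathUtil.canBeUsedForAuthentication(x509Leaf, z)) {
                        this.LOGGER.debug("Certificate validation failed: key usage doesn't match");
                        throw new HandshakeException("Key Usage doesn't match!",
                                new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
                    }
                    if (z2) {
                        verifyCertificatesSubject(serverNames, inetSocketAddress, x509Leaf);
                    }
                }
                // With the "trust all" marker this is an empty issuer array; the
                // helper defines what that means for path validation.
                validatedChain = CertPathUtil.validateCertificatePathWithIssuer(z3, certificateChain,
                        this.trustedCertificates);
            }
            return new CertificateVerificationResult(connectionId, validatedChain, (Object) null);
        } catch (CertPathValidatorException e) {
            Throwable cause = e.getCause();
            if (cause instanceof CertificateExpiredException) {
                this.LOGGER.debug("Certificate expired: {}", cause.getMessage());
                throw new HandshakeException("Certificate expired",
                        new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.CERTIFICATE_EXPIRED));
            }
            if (cause != null) {
                this.LOGGER.debug("Certificate validation failed: {}/{}", e.getMessage(), cause.getMessage());
            } else {
                this.LOGGER.debug("Certificate validation failed: {}", e.getMessage());
            }
            throw new HandshakeException("Certificate chain could not be validated",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE), e);
        } catch (GeneralSecurityException e) {
            // Broader than CertPathValidatorException; must stay the second catch.
            if (this.LOGGER.isTraceEnabled()) {
                this.LOGGER.trace("Certificate validation failed", e);
            } else if (this.LOGGER.isDebugEnabled()) {
                this.LOGGER.debug("Certificate validation failed due to {}", e.getMessage());
            }
            throw new HandshakeException("Certificate chain could not be validated",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.DECRYPT_ERROR), e);
        }
    }

    /**
     * Verifies that the certificate's subject matches the destination.
     * <p>
     * The host name is taken from the SNI {@code HOST_NAME} entry if present,
     * otherwise from the socket address. If the host name equals the literal
     * IP, the literal-IP check is used instead. When neither a host name nor a
     * literal IP can be determined (server names without a {@code HOST_NAME}
     * entry and no resolved address), {@link CertPathUtil#matchLiteralIP} is
     * called with {@code null}; its behavior for {@code null} is defined there.
     *
     * @param serverNames server names (SNI); may be {@code null}
     * @param inetSocketAddress peer address; may be {@code null}
     * @param x509Certificate certificate to check
     * @throws NullPointerException if the certificate is {@code null}
     * @throws HandshakeException ({@code BAD_CERTIFICATE}) if neither the host
     *             name nor the literal IP matches the certificate
     */
    public void verifyCertificatesSubject(ServerNames serverNames, InetSocketAddress inetSocketAddress,
            X509Certificate x509Certificate) throws HandshakeException {
        if (x509Certificate == null) {
            throw new NullPointerException("Certficate must not be null!");
        }
        if (serverNames == null && inetSocketAddress == null) {
            // Nothing to match against.
            return;
        }
        String literalIp = null;
        String hostname = null;
        if (inetSocketAddress != null) {
            hostname = StringUtil.toHostString(inetSocketAddress);
            InetAddress address = inetSocketAddress.getAddress();
            if (address != null) {
                literalIp = address.getHostAddress();
            }
        }
        if (serverNames != null) {
            ServerName sni = serverNames.getServerName(ServerName.NameType.HOST_NAME);
            if (sni != null) {
                hostname = sni.getNameAsString();
            }
        }
        if (hostname != null && hostname.equals(literalIp)) {
            // "Host name" is really the IP: fall through to the literal-IP check.
            hostname = null;
        }
        if (hostname != null) {
            if (!CertPathUtil.matchDestination(x509Certificate, hostname)) {
                String subjectCn = CertPathUtil.getSubjectsCn(x509Certificate);
                this.LOGGER.debug("Certificate {} validation failed: destination doesn't match", subjectCn);
                throw new HandshakeException("Certificate " + subjectCn + ": Destination '" + hostname + "' doesn't match!",
                        new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
            }
        } else if (!CertPathUtil.matchLiteralIP(x509Certificate, literalIp)) {
            String subjectCn = CertPathUtil.getSubjectsCn(x509Certificate);
            this.LOGGER.debug("Certificate {} validation failed: literal IP doesn't match", subjectCn);
            throw new HandshakeException("Certificate " + subjectCn + ": Literal IP " + literalIp + " doesn't match!",
                    new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
    }

    /**
     * Gets the issuers to advertise in a certificate request.
     *
     * @return subjects of the trusted certificates, or the result of
     *         {@code CertPathUtil.toSubjects(null)} (presumably an empty list;
     *         confirm) if empty issuers were requested or x509 is disabled
     */
    @Override
    public List<X500Principal> getAcceptedIssuers() {
        if (this.useEmptyAcceptedIssuers || this.trustedCertificates == null) {
            return CertPathUtil.toSubjects(null);
        }
        return CertPathUtil.toSubjects(Arrays.asList(this.trustedCertificates));
    }

    /**
     * No-op: this verifier answers synchronously and never reports results
     * through a handler.
     *
     * @param handshakeResultHandler ignored
     */
    @Override
    public void setResultHandler(HandshakeResultHandler handshakeResultHandler) {
    }

    /**
     * Creates a new builder.
     *
     * @return builder
     */
    public static Builder builder() {
        return new Builder();
    }
}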
