package org.eclipse.californium.scandium.dtls.x509;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.elements.util.Asn1DerDecoder;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.elements.util.JceProviderUtil;
import org.eclipse.californium.scandium.dtls.CertificateIdentityResult;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.dtls.SignatureAndHashAlgorithm;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.util.ListUtils;
import org.eclipse.californium.scandium.util.ServerName;
import org.eclipse.californium.scandium.util.ServerNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/californium/scandium/dtls/x509/KeyManagerCertificateProvider.class */
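/**
 * Certificate identity provider backed by a {@link X509KeyManager}.
 * <p>
 * On each handshake the provider asks the key manager for the aliases that
 * match the requested key types and issuers, then narrows them down by the
 * server name indication, the peer's signature and hash algorithms (node
 * certificate and, for x509, the whole chain), and the supported curves.
 * When more than one alias survives, the signature and hash algorithm order
 * of the peer decides first, and the configured default alias is preferred
 * among the remaining candidates.
 * <p>
 * During {@link #setupConfigurationHelper(CertificateConfigurationHelper)}
 * every alias is checked for a private key that actually belongs to the
 * certificate's public key. This check is fatal by default; see
 * {@link #setVerifyKeyPairs(boolean)} for the relaxed mode.
 * <p>
 * Note: the decompiled original contained type-inference residue in
 * {@link #requestCertificateIdentity}; the selection logic has been
 * rewritten as plain Java with the same decisions.
 */
public class KeyManagerCertificateProvider implements CertificateProvider, ConfigurationHelperSetup {

    private static final Logger LOGGER = LoggerFactory.getLogger(KeyManagerCertificateProvider.class);
    /** Source of the per-instance id used to correlate log lines. */
    private static final AtomicInteger ID = new AtomicInteger();
    /**
     * Maps generic key types to the server key types BouncyCastle's key
     * manager expects, used only when the plain key type yields no aliases.
     */
    private static final Map<String, String> BC_SERVER_KEY_TYPES_MAP = new HashMap<>();
    /** All key types queried when enumerating the key manager's aliases. */
    private static final List<String> ALL_KEY_TYPES;

    /** Preferred alias when several aliases match; may be {@code null}. */
    private final String defaultAlias;
    private final X509KeyManager keyManager;
    /** Instance id, only used in log messages. */
    private final int id;
    private final List<CertificateType> supportedCertificateTypes;
    private final List<CipherSuite.CertificateKeyAlgorithm> supportedCertificateKeyAlgorithms;
    /** {@code true} to fail setup on a mismatching key pair, {@code false} to only warn. */
    private boolean verifyKeyPairs = true;

    /**
     * Creates a provider without default alias, supporting the given
     * certificate types.
     *
     * @param keyManager key manager providing the credentials
     * @param certificateTypes supported certificate types; empty or
     *            {@code null} defaults to {@link CertificateType#X_509}
     * @throws NullPointerException if the key manager is {@code null}
     * @throws IllegalArgumentException if a certificate type is not supported
     */
    public KeyManagerCertificateProvider(X509KeyManager keyManager, CertificateType... certificateTypes) {
        this((String) null, keyManager, asList(certificateTypes));
    }

    /**
     * Creates a provider without default alias, supporting the given
     * certificate types.
     *
     * @param keyManager key manager providing the credentials
     * @param certificateTypes supported certificate types; {@code null}
     *            defaults to {@link CertificateType#X_509}
     * @throws NullPointerException if the key manager is {@code null}
     * @throws IllegalArgumentException if the list is empty or a certificate
     *             type is not supported
     */
    public KeyManagerCertificateProvider(X509KeyManager keyManager, List<CertificateType> certificateTypes) {
        this((String) null, keyManager, certificateTypes);
    }

    /**
     * Creates a provider with a default alias, supporting the given
     * certificate types.
     *
     * @param defaultAlias alias preferred when several aliases match; may be
     *            {@code null}
     * @param keyManager key manager providing the credentials
     * @param certificateTypes supported certificate types; empty or
     *            {@code null} defaults to {@link CertificateType#X_509}
     * @throws NullPointerException if the key manager is {@code null}
     * @throws IllegalArgumentException if a certificate type is not supported
     */
    public KeyManagerCertificateProvider(String defaultAlias, X509KeyManager keyManager, CertificateType... certificateTypes) {
        this(defaultAlias, keyManager, asList(certificateTypes));
    }

    /**
     * Creates a provider with a default alias, supporting the given
     * certificate types.
     *
     * @param defaultAlias alias preferred when several aliases match; may be
     *            {@code null}
     * @param keyManager key manager providing the credentials
     * @param certificateTypes supported certificate types; {@code null}
     *            defaults to {@link CertificateType#X_509}
     * @throws NullPointerException if the key manager is {@code null}
     * @throws IllegalArgumentException if the list is empty or a certificate
     *             type is not supported
     */
    public KeyManagerCertificateProvider(String defaultAlias, X509KeyManager keyManager, List<CertificateType> certificateTypes) {
        if (keyManager == null) {
            throw new NullPointerException("KeyManager must not be null!");
        }
        if (certificateTypes != null) {
            if (certificateTypes.isEmpty()) {
                throw new IllegalArgumentException("Certificate types must not be empty!");
            }
            for (CertificateType type : certificateTypes) {
                if (!type.isSupported()) {
                    throw new IllegalArgumentException("Certificate type " + type + " is not supported!");
                }
            }
        }
        this.id = ID.incrementAndGet();
        this.defaultAlias = defaultAlias;
        this.keyManager = keyManager;
        List<CertificateType> types = new ArrayList<>(1);
        if (certificateTypes == null) {
            types.add(CertificateType.X_509);
        } else {
            // defensive copy: the exposed list must not follow later caller mutations
            types.addAll(certificateTypes);
        }
        this.supportedCertificateTypes = Collections.unmodifiableList(types);
        // the supported key algorithms are derived from the node certificates
        // of all aliases, server and client ones
        List<CipherSuite.CertificateKeyAlgorithm> keyAlgorithms = new ArrayList<>();
        for (String alias : getAliases(false, ALL_KEY_TYPES, null)) {
            addCertificateKeyAlgorithm(alias, keyAlgorithms);
        }
        for (String alias : getAliases(true, ALL_KEY_TYPES, null)) {
            addCertificateKeyAlgorithm(alias, keyAlgorithms);
        }
        this.supportedCertificateKeyAlgorithms = Collections.unmodifiableList(keyAlgorithms);
    }

    /**
     * Sets whether a mismatching key pair fails the configuration setup.
     * <p>
     * With {@code false}, a mismatch is only logged as warning during
     * {@link #setupConfigurationHelper(CertificateConfigurationHelper)} and
     * the handshake using that alias will fail instead.
     *
     * @param verifyKeyPairs {@code true} to fail setup (default),
     *            {@code false} to only warn
     * @return this provider, for chaining
     */
    public KeyManagerCertificateProvider setVerifyKeyPairs(boolean verifyKeyPairs) {
        this.verifyKeyPairs = verifyKeyPairs;
        return this;
    }

    /**
     * Adds the certificate key algorithm of the alias' node certificate, if
     * the key manager provides a chain for it.
     *
     * @param alias alias to inspect
     * @param keyAlgorithms list to add the algorithm to, if absent
     */
    private void addCertificateKeyAlgorithm(String alias, List<CipherSuite.CertificateKeyAlgorithm> keyAlgorithms) {
        X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return;
        }
        ListUtils.addIfAbsent(keyAlgorithms, CipherSuite.CertificateKeyAlgorithm.getAlgorithm(chain[0].getPublicKey()));
    }

    /**
     * Verifies all key pairs of the key manager and feeds the certificate
     * defaults into the configuration helper.
     *
     * @param helper configuration helper to set up
     * @throws NullPointerException if the helper is {@code null}
     * @throws IllegalStateException if a private key does not match its
     *             certificate and {@link #setVerifyKeyPairs(boolean)} is on
     */
    @Override
    public void setupConfigurationHelper(CertificateConfigurationHelper helper) {
        if (helper == null) {
            throw new NullPointerException("Certificate configuration helper must not be null!");
        }
        for (String alias : getAliases(false, ALL_KEY_TYPES, null)) {
            setupConfigurationHelperForAlias(helper, alias);
        }
        for (String alias : getAliases(true, ALL_KEY_TYPES, null)) {
            setupConfigurationHelperForAlias(helper, alias);
        }
    }

    /**
     * Verifies the key pair of one alias and registers its certificate
     * defaults.
     *
     * @param helper configuration helper to set up
     * @param alias alias to process; skipped when it has no certificate chain
     * @throws IllegalStateException if the key pair mismatches and key pair
     *             verification is on
     */
    private void setupConfigurationHelperForAlias(CertificateConfigurationHelper helper, String alias) {
        X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return;
        }
        try {
            helper.verifyKeyPair(this.keyManager.getPrivateKey(alias), chain[0].getPublicKey());
        } catch (IllegalArgumentException e) {
            if (this.verifyKeyPairs) {
                // keep the cause so the mismatch can still be diagnosed
                throw new IllegalStateException(e.getMessage(), e);
            }
            LOGGER.warn("Mismatching key-pair, causing failure when used!", e);
        }
        if (this.supportedCertificateTypes.contains(CertificateType.X_509)) {
            helper.addConfigurationDefaultsFor(Arrays.asList(chain));
        } else if (this.supportedCertificateTypes.contains(CertificateType.RAW_PUBLIC_KEY)) {
            helper.addConfigurationDefaultsFor(chain[0].getPublicKey());
        }
    }

    /**
     * Returns the key algorithms of the node certificates found in the key
     * manager.
     *
     * @return unmodifiable list of supported certificate key algorithms
     */
    @Override
    public List<CipherSuite.CertificateKeyAlgorithm> getSupportedCertificateKeyAlgorithms() {
        return this.supportedCertificateKeyAlgorithms;
    }

    /**
     * Returns the certificate types this provider offers.
     *
     * @return unmodifiable list of supported certificate types
     */
    @Override
    public List<CertificateType> getSupportedCertificateTypes() {
        return this.supportedCertificateTypes;
    }

    /**
     * Selects the credentials for a handshake.
     * <p>
     * Selection order: aliases by key type and issuer, then (if provided)
     * server name, node signature algorithm, chain signature algorithms
     * (falling back to the node-only match when raw public keys are
     * supported too), curves, peer's signature algorithm priority, and
     * finally the default alias.
     *
     * @param cid connection id of the handshake
     * @param client {@code true} for a client certificate, {@code false}
     *            for a server certificate
     * @param issuers accepted issuers, or {@code null}
     * @param serverNames server name indication, or {@code null}
     * @param certificateKeyAlgorithms requested key algorithms, or
     *            {@code null}
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms
     *            in priority order, or {@code null}
     * @param curves peer's supported groups, or {@code null}
     * @return the result; without credentials if nothing matched
     */
    @Override
    public CertificateIdentityResult requestCertificateIdentity(ConnectionId cid, boolean client, List<X500Principal> issuers, ServerNames serverNames, List<CipherSuite.CertificateKeyAlgorithm> certificateKeyAlgorithms, List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms, List<XECDHECryptography.SupportedGroup> curves) {
        String role = client ? "Client" : "Server";
        LOGGER.debug("[{}]: {} certificate for {}", this.id, role, serverNames == null ? "<n.a.>" : serverNames);
        if (issuers != null && !issuers.isEmpty()) {
            LOGGER.debug("[{}]: {} certificate issued by {}", this.id, role, issuers);
        }
        Principal[] issuerPrincipals = issuers == null ? null : issuers.toArray(new Principal[issuers.size()]);
        List<String> keyTypes = determineKeyTypes(certificateKeyAlgorithms, signatureAndHashAlgorithms);
        LOGGER.debug("[{}]: {} certificate public key types {}", this.id, role, keyTypes);
        if (signatureAndHashAlgorithms != null && !signatureAndHashAlgorithms.isEmpty()) {
            LOGGER.debug("[{}]: {} certificate signed with {}", this.id, role, signatureAndHashAlgorithms);
        }
        if (curves != null && !curves.isEmpty()) {
            LOGGER.debug("[{}]: {} certificate using {}", this.id, role, curves);
        }
        List<String> aliases = getAliases(client, keyTypes, issuerPrincipals);
        if (aliases.isEmpty()) {
            LOGGER.debug("[{}]: no matching credentials", this.id);
        } else {
            String alias = selectAlias(role, aliases, serverNames, signatureAndHashAlgorithms, curves);
            if (alias != null) {
                return new CertificateIdentityResult(cid, this.keyManager.getPrivateKey(alias), Arrays.asList(this.keyManager.getCertificateChain(alias)), alias);
            }
            LOGGER.debug("[{}]: {} no matching credentials left!", this.id, role);
        }
        return new CertificateIdentityResult(cid, null);
    }

    /**
     * Determines the key manager key types to query.
     * <p>
     * Explicit key algorithms (except {@code NONE}) win. Without them the
     * types are derived from the signature algorithms, defaulting to
     * {@code "EC"} when none are given. EdDSA types are added when the
     * signature algorithms contain the intrinsic Ed25519/Ed448 entries.
     *
     * @param certificateKeyAlgorithms requested key algorithms, or
     *            {@code null}
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms,
     *            or {@code null}
     * @return mutable list of key type names, never empty unless explicit
     *         algorithms and signature algorithms leave nothing
     */
    private static List<String> determineKeyTypes(List<CipherSuite.CertificateKeyAlgorithm> certificateKeyAlgorithms, List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms) {
        List<String> keyTypes = new ArrayList<>();
        if (certificateKeyAlgorithms != null) {
            for (CipherSuite.CertificateKeyAlgorithm algorithm : certificateKeyAlgorithms) {
                if (algorithm != CipherSuite.CertificateKeyAlgorithm.NONE) {
                    ListUtils.addIfAbsent(keyTypes, algorithm.name());
                }
            }
        }
        if (signatureAndHashAlgorithms == null || signatureAndHashAlgorithms.isEmpty()) {
            if (keyTypes.isEmpty()) {
                keyTypes.add("EC");
            }
        } else if (keyTypes.isEmpty()) {
            if (SignatureAndHashAlgorithm.isSupportedAlgorithm(signatureAndHashAlgorithms, "EC")) {
                ListUtils.addIfAbsent(keyTypes, "EC");
            }
            if (SignatureAndHashAlgorithm.isSupportedAlgorithm(signatureAndHashAlgorithms, "RSA")) {
                ListUtils.addIfAbsent(keyTypes, "RSA");
            }
            addEdDsaSupport(keyTypes, signatureAndHashAlgorithms);
        } else if (keyTypes.contains("EC")) {
            addEdDsaSupport(keyTypes, signatureAndHashAlgorithms);
        }
        return keyTypes;
    }

    /**
     * Narrows the candidate aliases down to one.
     *
     * @param role "Client" or "Server", for logging
     * @param aliases candidate aliases; mutated by the selection
     * @param serverNames server name indication, or {@code null}
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms,
     *            or {@code null}
     * @param curves peer's supported groups, or {@code null}
     * @return the selected alias, or {@code null} if none is left
     */
    private String selectAlias(String role, List<String> aliases, ServerNames serverNames, List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms, List<XECDHECryptography.SupportedGroup> curves) {
        List<String> byServerName = new ArrayList<>();
        List<String> byNodeSignature = new ArrayList<>();
        List<String> byChainSignature = new ArrayList<>();
        List<String> byCurves = new ArrayList<>();
        int total = aliases.size();
        int index = 1;
        for (Iterator<String> it = aliases.iterator(); it.hasNext(); ++index) {
            String alias = it.next();
            LOGGER.debug("[{}]: {} apply select {} - {} of {}", this.id, role, alias, index, total);
            X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                // an alias without chain can never be used for the handshake;
                // drop it instead of failing on chain[0]
                LOGGER.debug("[{}]: {} alias {} has no certificate chain, skipped", this.id, role, alias);
                it.remove();
                continue;
            }
            X509Certificate node = chain[0];
            List<X509Certificate> certificates = Arrays.asList(chain);
            if (serverNames != null && matchServerNames(serverNames, node)) {
                byServerName.add(alias);
            }
            if (signatureAndHashAlgorithms != null && matchNodeSignatureAndHashAlgorithms(signatureAndHashAlgorithms, node)) {
                byNodeSignature.add(alias);
            }
            if (signatureAndHashAlgorithms != null && matchChainSignatureAndHashAlgorithms(signatureAndHashAlgorithms, certificates)) {
                byChainSignature.add(alias);
            }
            if (curves != null && matchCurves(curves, certificates)) {
                byCurves.add(alias);
            }
        }
        if (!byServerName.isEmpty()) {
            // server names only narrow the selection when at least one alias matches
            LOGGER.debug("[{}]: {} selected {} by {}", this.id, role, byServerName.size(), serverNames);
            aliases.retainAll(byServerName);
        }
        List<String> selected = aliases;
        if (signatureAndHashAlgorithms != null) {
            LOGGER.debug("[{}]: {} selected {} by the node's signature and hash algorithms", this.id, role, byNodeSignature.size());
            LOGGER.debug("[{}]: {} selected {} by the chain signature and hash algorithms", this.id, role, byChainSignature.size());
            aliases.retainAll(byNodeSignature);
            if (this.supportedCertificateTypes.contains(CertificateType.X_509)) {
                // a raw public key needs only the node's key, so the node-only
                // match is kept as fallback when no whole chain matches
                List<String> rawPublicKeyFallback = this.supportedCertificateTypes.contains(CertificateType.RAW_PUBLIC_KEY) ? new ArrayList<>(aliases) : null;
                aliases.retainAll(byChainSignature);
                if (aliases.isEmpty() && rawPublicKeyFallback != null) {
                    selected = rawPublicKeyFallback;
                }
            }
        }
        if (curves != null) {
            LOGGER.debug("[{}]: {} selected {} by curves", this.id, role, byCurves.size());
            selected.retainAll(byCurves);
        }
        if (selected.isEmpty()) {
            return null;
        }
        List<String> candidates = selected;
        if (selected.size() > 1 && signatureAndHashAlgorithms != null && signatureAndHashAlgorithms.size() > 1) {
            List<String> prioritized = selectPriorized(selected, signatureAndHashAlgorithms);
            // guard against an empty priority result, which would leave nothing to pick
            if (!prioritized.isEmpty()) {
                candidates = prioritized;
            }
        }
        if (candidates.size() > 1 && this.defaultAlias != null && candidates.contains(this.defaultAlias)) {
            return this.defaultAlias;
        }
        return candidates.get(0);
    }

    /**
     * No-op: this provider answers synchronously and never uses a handler.
     *
     * @param handler ignored
     */
    @Override
    public void setResultHandler(HandshakeResultHandler handler) {
    }

    /**
     * Collects the key manager's aliases for the given key types.
     * <p>
     * For server aliases under BouncyCastle, a key type yielding no aliases
     * is retried with its mapped cipher-suite style key type.
     *
     * @param client {@code true} for client aliases, {@code false} for server
     *            aliases
     * @param keyTypes key types to query
     * @param issuers accepted issuers, or {@code null}
     * @return mutable list of distinct aliases, in query order
     */
    private List<String> getAliases(boolean client, List<String> keyTypes, Principal[] issuers) {
        List<String> aliases = new ArrayList<>();
        String role = client ? "client" : "server";
        for (String keyType : keyTypes) {
            String usedKeyType = keyType;
            String[] found;
            if (client) {
                found = this.keyManager.getClientAliases(keyType, issuers);
            } else {
                found = this.keyManager.getServerAliases(keyType, issuers);
                if (found == null && JceProviderUtil.usesBouncyCastle()) {
                    String bcKeyType = BC_SERVER_KEY_TYPES_MAP.get(keyType);
                    if (bcKeyType != null) {
                        found = this.keyManager.getServerAliases(bcKeyType, issuers);
                        if (found != null) {
                            usedKeyType = bcKeyType;
                        }
                    }
                }
            }
            if (found != null) {
                LOGGER.debug("[{}]: {} found {} {} keys", this.id, role, found.length, usedKeyType);
                ListUtils.addIfAbsent(aliases, Arrays.asList(found));
            } else {
                LOGGER.debug("[{}]: {} found no {} keys", this.id, role, usedKeyType);
            }
        }
        return aliases;
    }

    /**
     * Checks whether the certificate matches the indicated host name.
     *
     * @param serverNames server name indication
     * @param certificate node certificate
     * @return {@code true} if a host name is indicated and the certificate
     *         matches it, {@code false} otherwise
     */
    private boolean matchServerNames(ServerNames serverNames, X509Certificate certificate) {
        ServerName hostName = serverNames.getServerName(ServerName.NameType.HOST_NAME);
        return hostName != null && CertPathUtil.matchDestination(certificate, hostName.getNameAsString());
    }

    /**
     * Checks whether the whole chain is signed with supported algorithms.
     *
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms
     * @param chain certificate chain
     * @return {@code true} if the chain is signed with supported algorithms
     */
    private boolean matchChainSignatureAndHashAlgorithms(List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms, List<X509Certificate> chain) {
        return SignatureAndHashAlgorithm.isSignedWithSupportedAlgorithms(signatureAndHashAlgorithms, chain);
    }

    /**
     * Checks whether the node's public key can sign with one of the
     * algorithms.
     *
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms
     * @param certificate node certificate
     * @return {@code true} if a supported signature algorithm exists
     */
    private boolean matchNodeSignatureAndHashAlgorithms(List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms, X509Certificate certificate) {
        return SignatureAndHashAlgorithm.getSupportedSignatureAlgorithm(signatureAndHashAlgorithms, certificate.getPublicKey()) != null;
    }

    /**
     * Checks whether every EC based public key in the chain uses one of the
     * supported groups. Non-EC keys are ignored.
     *
     * @param supportedGroups peer's supported groups
     * @param chain certificate chain
     * @return {@code false} if an EC based key uses an unknown or
     *         unsupported group, {@code true} otherwise
     */
    private boolean matchCurves(List<XECDHECryptography.SupportedGroup> supportedGroups, List<X509Certificate> chain) {
        for (X509Certificate certificate : chain) {
            PublicKey publicKey = certificate.getPublicKey();
            if (!Asn1DerDecoder.isEcBased(publicKey.getAlgorithm())) {
                continue;
            }
            XECDHECryptography.SupportedGroup group = XECDHECryptography.SupportedGroup.fromPublicKey(publicKey);
            if (group == null || !supportedGroups.contains(group)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Selects the aliases matching the highest prioritized signature
     * algorithm.
     * <p>
     * The signature algorithms are taken in order; the first one matched by
     * at least one alias' node key decides.
     *
     * @param aliases candidate aliases
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms
     *            in priority order
     * @return aliases matching the first applicable algorithm; empty if none
     *         applies
     */
    private List<String> selectPriorized(List<String> aliases, List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms) {
        List<String> selected = new ArrayList<>();
        for (SignatureAndHashAlgorithm algorithm : signatureAndHashAlgorithms) {
            for (String alias : aliases) {
                X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    continue;
                }
                String keyAlgorithm = chain[0].getPublicKey().getAlgorithm();
                if (algorithm.isSupported(keyAlgorithm)) {
                    selected.add(alias);
                    LOGGER.debug("Select by signature {} - {} == {}", alias, algorithm.getJcaName(), keyAlgorithm);
                } else {
                    LOGGER.debug("Signature doesn't match {} - {} != {}", alias, algorithm.getJcaName(), keyAlgorithm);
                }
            }
            if (!selected.isEmpty()) {
                break;
            }
        }
        return selected;
    }

    /**
     * Adds the EdDSA key types implied by the intrinsic Ed25519/Ed448
     * signature algorithms.
     *
     * @param keyTypes key types to extend
     * @param signatureAndHashAlgorithms peer's signature and hash algorithms
     */
    private static void addEdDsaSupport(List<String> keyTypes, List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms) {
        if (signatureAndHashAlgorithms.contains(SignatureAndHashAlgorithm.INTRINSIC_WITH_ED25519)) {
            ListUtils.addIfAbsent(keyTypes, "EdDSA");
            ListUtils.addIfAbsent(keyTypes, "Ed25519");
        }
        if (signatureAndHashAlgorithms.contains(SignatureAndHashAlgorithm.INTRINSIC_WITH_ED448)) {
            ListUtils.addIfAbsent(keyTypes, "EdDSA");
            ListUtils.addIfAbsent(keyTypes, "Ed448");
        }
    }

    /**
     * Converts varargs certificate types to a list.
     *
     * @param certificateTypes certificate types, or {@code null}
     * @return list of the types, or {@code null} if none were given (so the
     *         constructor applies its default)
     */
    private static List<CertificateType> asList(CertificateType[] certificateTypes) {
        if (certificateTypes == null || certificateTypes.length == 0) {
            return null;
        }
        return Arrays.asList(certificateTypes);
    }

    static {
        BC_SERVER_KEY_TYPES_MAP.put("EC", "ECDHE_ECDSA");
        BC_SERVER_KEY_TYPES_MAP.put("RSA", "ECDHE_RSA");
        ALL_KEY_TYPES = Arrays.asList("EC", "RSA", "EdDSA", "Ed25519", "Ed448");
    }
}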
