package org.eclipse.milo.opcua.sdk.server.identity;

import com.google.common.primitives.Bytes;
import java.security.cert.X509Certificate;
import java.util.function.Predicate;
import org.eclipse.milo.opcua.sdk.server.Session;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.channel.SecureChannel;
import org.eclipse.milo.opcua.stack.core.channel.ServerSecureChannel;
import org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.types.structured.SignatureData;
import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;
import org.eclipse.milo.opcua.stack.core.types.structured.X509IdentityToken;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.eclipse.milo.opcua.stack.core.util.SignatureUtil;

/* loaded from: input_file:org/eclipse/milo/opcua/sdk/server/identity/X509IdentityValidator.class */
/**
 * Identity validator for X.509 certificate user identity tokens.
 *
 * <p>A token is accepted only after (1) the algorithm named in the token
 * signature matches the one implied by the user token policy (or, when the
 * policy names no security policy, the one implied by the secure channel),
 * (2) the token signature is verified against the presented certificate
 * (skipped when the resolved algorithm is {@link SecurityAlgorithm#None}), and
 * (3) the caller-supplied certificate predicate accepts the certificate.
 *
 * <p>NOTE(review): when the resolved algorithm is {@code None} no signature is
 * verified, so possession of the certificate's private key is not
 * demonstrated and acceptance rests on the predicate alone — confirm that is
 * intended for deployments that allow a {@code None} token/channel policy.
 */
public class X509IdentityValidator extends AbstractIdentityValidator {

    /** Decides whether a (signature-checked) certificate is granted access. */
    private final Predicate<X509Certificate> predicate;

    /**
     * Creates a validator that delegates the final access decision to {@code predicate}.
     *
     * @param predicate returns {@code true} for certificates that may establish an identity.
     */
    public X509IdentityValidator(Predicate<X509Certificate> predicate) {
        this.predicate = predicate;
    }

    /**
     * Validates an X.509 identity token and returns the decoded certificate as the identity.
     *
     * @param serverSecureChannel channel the activating session runs on; supplies the
     *     fallback security policy and the server certificate the signature covers.
     * @param session session being activated; supplies the last server nonce.
     * @param x509IdentityToken token carrying the DER-encoded client certificate.
     * @param userTokenPolicy policy the token was presented under.
     * @param signatureData signature over server certificate + session nonce, with its algorithm URI.
     * @return the decoded {@link X509Certificate} when accepted.
     * @throws UaException {@code Bad_SecurityChecksFailed} when the signature algorithm does
     *     not match the policy/channel, {@code Bad_UserAccessDenied} when the predicate
     *     rejects the certificate, or whatever certificate decoding / signature
     *     verification raises.
     */
    @Override
    public Object validateX509Token(ServerSecureChannel serverSecureChannel, Session session, X509IdentityToken x509IdentityToken, UserTokenPolicy userTokenPolicy, SignatureData signatureData) throws UaException {
        X509Certificate certificate = CertificateUtil.decodeCertificate(x509IdentityToken.getCertificateData().bytesOrEmpty());

        // Resolve which asymmetric signature algorithm the token MUST have used:
        // the token policy's own security policy wins; otherwise fall back to the channel's.
        String tokenPolicyUri = userTokenPolicy.getSecurityPolicyUri();
        String expectedAlgorithmUri;
        String mismatchMessage;
        if (tokenPolicyUri != null) {
            // presumably SecurityPolicy.fromUri throws for an unknown URI — confirm
            expectedAlgorithmUri = SecurityPolicy.fromUri(tokenPolicyUri).getAsymmetricSignatureAlgorithm().getUri();
            mismatchMessage = "algorithm in token signature did not match algorithm specified by token policy";
        } else {
            expectedAlgorithmUri = serverSecureChannel.getSecurityPolicy().getAsymmetricSignatureAlgorithm().getUri();
            mismatchMessage = "algorithm in token signature did not match algorithm specified by secure channel";
        }
        if (!expectedAlgorithmUri.equals(signatureData.getAlgorithm())) {
            throw new UaException(StatusCodes.Bad_SecurityChecksFailed, mismatchMessage);
        }

        // Proof of possession: only performed when a real algorithm is in play.
        SecurityAlgorithm algorithm = SecurityAlgorithm.fromUri(signatureData.getAlgorithm());
        if (algorithm != SecurityAlgorithm.None) {
            verifySignature(serverSecureChannel, session, signatureData, certificate, algorithm);
        }

        if (!this.predicate.test(certificate)) {
            throw new UaException(StatusCodes.Bad_UserAccessDenied);
        }
        return certificate;
    }

    /**
     * Verifies that {@code signatureData} is a valid signature, under {@code securityAlgorithm}
     * and the given certificate's public key, over the server certificate bytes followed by
     * the session's last nonce.
     *
     * @throws UaException when verification fails (propagated from {@link SignatureUtil#verify}).
     */
    private void verifySignature(SecureChannel secureChannel, Session session, SignatureData signatureData, X509Certificate x509Certificate, SecurityAlgorithm securityAlgorithm) throws UaException {
        byte[] serverCertificateBytes = secureChannel.getLocalCertificateBytes().bytesOrEmpty();
        byte[] sessionNonce = session.getLastNonce().bytesOrEmpty();
        byte[] signedData = Bytes.concat(serverCertificateBytes, sessionNonce);
        SignatureUtil.verify(securityAlgorithm, x509Certificate, signedData, signatureData.getSignature().bytesOrEmpty());
    }
}
