package org.eclipse.californium.scandium.dtls;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ScheduledExecutorService;
import javax.crypto.SecretKey;
import javax.security.auth.DestroyFailedException;
import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
import org.eclipse.californium.elements.auth.X509CertPath;
import org.eclipse.californium.elements.util.NoPublicAPI;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateRequest;
import org.eclipse.californium.scandium.dtls.SupportedPointFormatsExtension;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuiteParameters;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuiteSelector;
import org.eclipse.californium.scandium.dtls.cipher.PseudoRandomFunction;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.util.SecretUtil;

@NoPublicAPI
/* loaded from: input_file:org/eclipse/californium/scandium/dtls/ServerHandshaker.class */
public class ServerHandshaker extends Handshaker {
    // Expected client messages, in order, after the server has sent a CertificateRequest
    // (selected in receivedClientHello when createCertificateRequest returns true).
    // NOTE(review): the three tables are compared by reference (this.states == ...) to decide
    // whether client authentication completed, but none of them is declared final; confirm
    // whether the decompiler dropped the modifier.
    private static HandshakeState[] CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CERTIFICATE), new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(HandshakeType.CERTIFICATE_VERIFY), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    // Expected client messages when the client's CERTIFICATE message carried no public key
    // (selected in receivedClientCertificate); no CERTIFICATE_VERIFY is part of this sequence.
    private static HandshakeState[] EMPTY_CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CERTIFICATE), new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    // Expected client messages when no CertificateRequest was sent.
    protected static HandshakeState[] NO_CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    // Taken from DtlsConnectorConfig.useNoServerSessionId(); when set, the ServerHello carries an empty session id.
    private boolean useNoSessionId;
    // Client authentication policy, taken from DtlsConnectorConfig.isClientAuthenticationWanted()
    // and isClientAuthenticationRequired().
    private boolean clientAuthenticationWanted;
    private boolean clientAuthenticationRequired;
    // Public key taken from the client's CERTIFICATE message; stays null when that message carried none.
    private PublicKey clientPublicKey;
    // Selection strategy and the locally configured offers it chooses from.
    private CipherSuiteSelector cipherSuiteSelector;
    private List<CipherSuite> supportedCipherSuites;
    protected final List<XECDHECryptography.SupportedGroup> supportedGroups;
    // Certificate types accepted from the client (config: trust certificate types).
    private final List<CertificateType> supportedClientCertificateTypes;
    // Certificate types this server can present (config: identity certificate types).
    private final List<CertificateType> supportedServerCertificateTypes;
    private final List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms;
    // Outcome of negotiateCipherSuite; null until a CLIENT_HELLO has been negotiated successfully.
    private CipherSuiteParameters selectedCipherSuiteParameters;
    // The client's CERTIFICATE_VERIFY message, once received.
    private CertificateVerify certificateVerifyMessage;
    // PSK identity announced by the client in its key exchange message (client-supplied value).
    private PskPublicInformation preSharedKeyIdentity;
    // Ephemeral ECDH key agreement state for this handshake; wiped and cleared in destroy().
    private XECDHECryptography ecdhe;

    /**
     * Creates the server side of a DTLS handshake and caches the negotiation-relevant
     * settings of the connector configuration.
     *
     * <p>All constructor arguments are forwarded unchanged to the {@code Handshaker}
     * superclass, together with a leading {@code false} (presumably the "is client"
     * flag; confirm against {@code Handshaker}).
     *
     * @param i forwarded to the superclass constructor
     * @param dTLSSession session this handshake negotiates
     * @param recordLayer forwarded to the superclass constructor
     * @param scheduledExecutorService forwarded to the superclass constructor
     * @param connection forwarded to the superclass constructor
     * @param dtlsConnectorConfig source of the cipher suite, group, certificate type,
     *        signature algorithm and client authentication settings
     */
    public ServerHandshaker(int i, DTLSSession dTLSSession, RecordLayer recordLayer, ScheduledExecutorService scheduledExecutorService, Connection connection, DtlsConnectorConfig dtlsConnectorConfig) {
        super(false, i, dTLSSession, recordLayer, scheduledExecutorService, connection, dtlsConnectorConfig);
        this.certificateVerifyMessage = null;

        // What this server is willing to negotiate.
        this.cipherSuiteSelector = dtlsConnectorConfig.getCipherSuiteSelector();
        this.supportedCipherSuites = dtlsConnectorConfig.getSupportedCipherSuites();
        this.supportedGroups = dtlsConnectorConfig.getSupportedGroups();

        // Client authentication policy and session id handling. The config returns boxed
        // values, so a null setting fails here with a NullPointerException.
        this.clientAuthenticationWanted = dtlsConnectorConfig.isClientAuthenticationWanted();
        this.clientAuthenticationRequired = dtlsConnectorConfig.isClientAuthenticationRequired();
        this.useNoSessionId = dtlsConnectorConfig.useNoServerSessionId();

        // Certificate types accepted from the client, types this server can present,
        // and the signature algorithms offered.
        this.supportedClientCertificateTypes = dtlsConnectorConfig.getTrustCertificateTypes();
        this.supportedServerCertificateTypes = dtlsConnectorConfig.getIdentityCertificateTypes();
        this.supportedSignatureAndHashAlgorithms = dtlsConnectorConfig.getSupportedSignatureAlgorithms();
    }

    /**
     * Returns the PSK identity the client announced in its key exchange message.
     *
     * <p>The value is stored as soon as the message is received, before the matching
     * secret has been requested, so it is a client-supplied claim rather than an
     * authenticated identity.
     *
     * @return the announced identity, or {@code null} if no PSK key exchange message
     *         has been processed
     */
    public PskPublicInformation getPreSharedKeyIdentity() {
        return preSharedKeyIdentity;
    }

    /**
     * Dispatches a handshake message received from the client to its handler.
     *
     * <p>Overrides {@code Handshaker.doProcessMessage}. Message types without a handler
     * end the handshake with a fatal UNEXPECTED_MESSAGE alert, and a key exchange
     * algorithm other than PSK, ECDHE_PSK or EC_DIFFIE_HELLMAN ends it with a fatal
     * HANDSHAKE_FAILURE alert.
     *
     * @param handshakeMessage the message to process
     * @throws HandshakeException if the message is unexpected or a handler rejects it
     * @throws GeneralSecurityException if a cryptographic operation in a handler fails
     */
    @Override
    protected void doProcessMessage(HandshakeMessage handshakeMessage) throws HandshakeException, GeneralSecurityException {
        switch (handshakeMessage.getMessageType()) {
            case CLIENT_HELLO:
                receivedClientHello((ClientHello) handshakeMessage);
                break;
            case CERTIFICATE:
                receivedClientCertificate((CertificateMessage) handshakeMessage);
                break;
            case CLIENT_KEY_EXCHANGE: {
                PskSecretResult pskResult;
                switch (this.session.getKeyExchange()) {
                    case PSK:
                        pskResult = receivedClientKeyExchange((PSKClientKeyExchange) handshakeMessage);
                        // A null result is skipped here; presumably the secret is delivered later (confirm).
                        if (pskResult != null) {
                            processPskSecretResult(pskResult);
                        }
                        break;
                    case ECDHE_PSK:
                        pskResult = receivedClientKeyExchange((EcdhPskClientKeyExchange) handshakeMessage);
                        if (pskResult != null) {
                            processPskSecretResult(pskResult);
                        }
                        break;
                    case EC_DIFFIE_HELLMAN:
                        processMasterSecret(receivedClientKeyExchange((ECDHClientKeyExchange) handshakeMessage));
                        break;
                    default:
                        throw new HandshakeException(String.format("Unsupported key exchange algorithm %s", this.session.getKeyExchange().name()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, handshakeMessage.getPeer()));
                }
                break;
            }
            case CERTIFICATE_VERIFY:
                receivedCertificateVerify((CertificateVerify) handshakeMessage);
                // ChangeCipherSpec is only expected once both the master secret and the
                // certificate verification result are available.
                if (this.masterSecret != null && this.certificateVerfied) {
                    expectChangeCipherSpecMessage();
                }
                break;
            case FINISHED:
                receivedClientFinished((Finished) handshakeMessage);
                break;
            default:
                throw new HandshakeException(String.format("Received unexpected %s message from peer %s", handshakeMessage.getMessageType(), handshakeMessage.getPeer()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNEXPECTED_MESSAGE, handshakeMessage.getPeer()));
        }
    }

    /**
     * Applies the master secret to the handshake and wipes the passed key.
     *
     * <p>Overrides {@code Handshaker.processMasterSecret}. ChangeCipherSpec becomes the
     * next expected message when no client certificate is part of the handshake, or
     * when the client sent an empty certificate and the certificate step has already
     * been marked as verified.
     *
     * @param secretKey the master secret; destroyed before this method returns normally
     */
    @Override
    protected void processMasterSecret(SecretKey secretKey) {
        applyMasterSecret(secretKey);
        // The caller's key object is wiped right after it has been applied.
        SecretUtil.destroy(secretKey);

        boolean noCertificateExpected = this.states == NO_CLIENT_CERTIFICATE;
        boolean emptyCertificateDone = this.states == EMPTY_CLIENT_CERTIFICATE && this.certificateVerfied;
        if (noCertificateExpected || emptyCertificateDone) {
            expectChangeCipherSpecMessage();
        }
    }

    /**
     * Continues the handshake after the client's certificate has been verified.
     *
     * <p>Overrides {@code Handshaker.processCertificateVerified}. The peer identity is
     * assigned to the session only when a CERTIFICATE_VERIFY message has been received:
     * an X.509 path if one is available, otherwise the client's raw public key.
     */
    @Override
    protected void processCertificateVerified() {
        boolean verifyReceived = this.certificateVerifyMessage != null;
        if (verifyReceived) {
            if (this.peerCertPath == null) {
                this.session.setPeerIdentity(new RawPublicKeyIdentity(this.clientPublicKey));
            } else {
                this.session.setPeerIdentity(new X509CertPath(this.peerCertPath));
            }
        }
        // With an empty client certificate no CERTIFICATE_VERIFY follows, so the master
        // secret alone decides whether ChangeCipherSpec is expected next.
        if (this.masterSecret != null && (verifyReceived || this.states == EMPTY_CLIENT_CERTIFICATE)) {
            expectChangeCipherSpecMessage();
        }
    }

    /**
     * Handles the client's CERTIFICATE message.
     *
     * <p>A message without a public key is rejected with a fatal HANDSHAKE_FAILURE alert
     * when client authentication is required. When authentication is only wanted, the
     * expected message sequence switches to {@code EMPTY_CLIENT_CERTIFICATE}. In both
     * accepted cases the message is handed to {@code verifyCertificate}.
     *
     * @param certificateMessage the client's certificate message
     * @throws HandshakeException if a required client certificate is missing, or if
     *         {@code verifyCertificate} rejects the message
     */
    private void receivedClientCertificate(CertificateMessage certificateMessage) throws HandshakeException {
        PublicKey presentedKey = certificateMessage.getPublicKey();
        this.clientPublicKey = presentedKey;
        if (presentedKey == null) {
            if (this.clientAuthenticationRequired) {
                this.LOGGER.debug("Client authentication failed: missing certificate!");
                throw new HandshakeException("Client Certificate required!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
            }
            // Anonymous client accepted: no CERTIFICATE_VERIFY is expected from here on.
            this.states = EMPTY_CLIENT_CERTIFICATE;
        }
        verifyCertificate(certificateMessage);
    }

    /**
     * Checks the client's CERTIFICATE_VERIFY signature against the recorded handshake messages.
     *
     * <p>The last recorded handshake message is taken out of the list before the
     * signature is verified and the CERTIFICATE_VERIFY message is appended afterwards;
     * presumably that last entry is this message itself, which is not part of the data
     * it signs (confirm against {@code Handshaker}).
     *
     * <p>NOTE(review): if {@code verifySignature} throws, the list is left without that
     * entry. The signature is checked with {@code clientPublicKey}, which is null after
     * an empty client certificate; the {@code EMPTY_CLIENT_CERTIFICATE} sequence holds no
     * CERTIFICATE_VERIFY entry, but the check that enforces the sequence is not in this
     * method.
     *
     * @param certificateVerify the client's message
     * @throws HandshakeException if the signature does not verify
     */
    private void receivedCertificateVerify(CertificateVerify certificateVerify) throws HandshakeException {
        this.certificateVerifyMessage = certificateVerify;

        int lastIndex = this.handshakeMessages.size() - 1;
        this.handshakeMessages.remove(lastIndex);
        certificateVerify.verifySignature(this.clientPublicKey, this.handshakeMessages);
        this.handshakeMessages.add(certificateVerify);

        // The peer identity is only assigned once the certificate itself has been
        // verified; otherwise processCertificateVerified assigns it later.
        if (!this.certificateVerfied) {
            return;
        }
        if (this.peerCertPath == null) {
            this.session.setPeerIdentity(new RawPublicKeyIdentity(this.clientPublicKey));
        } else {
            this.session.setPeerIdentity(new X509CertPath(this.peerCertPath));
        }
    }

    /**
     * Verifies the client's FINISHED message and answers with ChangeCipherSpec and the
     * server's FINISHED message, which completes the handshake.
     *
     * <p>A client that sent an empty certificate although client authentication is
     * required is rejected here with a fatal HANDSHAKE_FAILURE alert.
     *
     * @param finished the client's FINISHED message
     * @throws HandshakeException if authentication is missing, the verify data does not
     *         match, or the handshake digest cannot be cloned
     */
    private void receivedClientFinished(Finished finished) throws HandshakeException {
        boolean anonymousClient = this.states == EMPTY_CLIENT_CERTIFICATE;
        if (anonymousClient && this.clientAuthenticationRequired) {
            throw new HandshakeException("Client did not send required authentication messages.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
        }
        this.flightNumber += 2;
        DTLSFlight flight = createFlight();
        MessageDigest transcript = getHandshakeMessageDigest();
        MessageDigest transcriptForServerFinished;
        try {
            // digest() completes and resets the digest, so a copy is taken first; the copy
            // is continued with the client's FINISHED for the server's own verify data.
            transcriptForServerFinished = (MessageDigest) transcript.clone();
        } catch (CloneNotSupportedException e) {
            throw new HandshakeException("Cannot create FINISHED message hash", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR, finished.getPeer()));
        }
        // Nothing is sent and the write state is not switched unless the client's verify data matches.
        finished.verifyData(this.session.getCipherSuite().getThreadLocalPseudoRandomFunctionMac(), this.masterSecret, true, transcript.digest());
        wrapMessage(flight, new ChangeCipherSpecMessage(this.session.getPeer()));
        setCurrentWriteState();
        transcriptForServerFinished.update(finished.toByteArray());
        wrapMessage(flight, new Finished(this.session.getCipherSuite().getThreadLocalPseudoRandomFunctionMac(), this.masterSecret, this.isClient, transcriptForServerFinished.digest(), this.session.getPeer()));
        sendLastFlight(flight);
        sessionEstablished();
    }

    /**
     * Answers a CLIENT_HELLO with the server's flight: ServerHello, the optional
     * Certificate, ServerKeyExchange and CertificateRequest messages, and ServerHelloDone.
     *
     * <p>The flight number is 4 when the CLIENT_HELLO carries a non-empty cookie and 2
     * otherwise. Whether a CertificateRequest was sent decides which client message
     * sequence is expected afterwards.
     *
     * @param clientHello the client's hello message
     * @throws HandshakeException if negotiation fails
     */
    private void receivedClientHello(ClientHello clientHello) throws HandshakeException {
        handshakeStarted();
        byte[] cookie = clientHello.getCookie();
        boolean hasCookie = cookie != null && cookie.length > 0;
        this.flightNumber = hasCookie ? 4 : 2;

        DTLSFlight flight = createFlight();
        createServerHello(clientHello, flight);
        createCertificateMessage(clientHello, flight);
        createServerKeyExchange(clientHello, flight);
        this.states = createCertificateRequest(clientHello, flight) ? CLIENT_CERTIFICATE : NO_CLIENT_CERTIFICATE;
        // Restart the position within the newly chosen message sequence.
        this.statesIndex = -1;

        wrapMessage(flight, new ServerHelloDone(this.session.getPeer()));
        sendFlight(flight);
    }

    /**
     * Builds the ServerHello and adds it to the flight.
     *
     * <p>Negotiates the protocol version, records the client random, creates the server
     * random, assigns the session id, insists on the NULL compression method and then
     * negotiates the cipher suite and the hello extensions.
     *
     * <p>{@code Random} is not {@code java.util.Random}: the file imports no such class,
     * so the name resolves within this DTLS package.
     *
     * @param clientHello the client's hello message
     * @param dTLSFlight the flight the ServerHello is added to
     * @throws HandshakeException if the version, compression method or cipher suite
     *         cannot be negotiated
     */
    private void createServerHello(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        ProtocolVersion serverVersion = negotiateProtocolVersion(clientHello.getClientVersion());
        this.clientRandom = clientHello.getRandom();
        this.serverRandom = new Random();

        SessionId sessionId;
        if (this.useNoSessionId) {
            sessionId = SessionId.emptySessionId();
        } else {
            sessionId = new SessionId();
        }
        this.session.setSessionIdentifier(sessionId);

        // Only the NULL compression method is accepted.
        boolean clientOffersNullCompression = clientHello.getCompressionMethods().contains(CompressionMethod.NULL);
        if (!clientOffersNullCompression) {
            throw new HandshakeException("Client does not support NULL compression method", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, clientHello.getPeer()));
        }
        this.session.setCompressionMethod(CompressionMethod.NULL);

        HelloExtensions serverExtensions = new HelloExtensions();
        negotiateCipherSuite(clientHello, serverExtensions);
        processHelloExtensions(clientHello, serverExtensions);
        wrapMessage(dTLSFlight, new ServerHello(serverVersion, this.serverRandom, sessionId, this.session.getCipherSuite(), this.session.getCompressionMethod(), serverExtensions, this.session.getPeer()));
    }

    /**
     * Adds the server's CERTIFICATE message to the flight when the negotiated cipher
     * suite requires one.
     *
     * <p>Depending on the negotiated certificate type the message carries either the raw
     * public key or the X.509 certificate chain.
     *
     * @param clientHello the client's hello message (not used by this method)
     * @param dTLSFlight the flight the message is added to
     * @throws HandshakeException declared by the flight handling
     * @throws IllegalArgumentException if the negotiated certificate type is neither
     *         RAW_PUBLIC_KEY nor X_509
     */
    private void createCertificateMessage(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        if (!this.session.getCipherSuite().requiresServerCertificateMessage()) {
            return;
        }
        CertificateType typeToSend = this.session.sendCertificateType();
        CertificateMessage serverCertificate;
        if (typeToSend == CertificateType.RAW_PUBLIC_KEY) {
            serverCertificate = new CertificateMessage(this.publicKey, this.session.getPeer());
        } else if (typeToSend == CertificateType.X_509) {
            serverCertificate = new CertificateMessage(this.certificateChain, this.session.getPeer());
        } else {
            throw new IllegalArgumentException("Certificate type " + typeToSend + " not supported!");
        }
        wrapMessage(dTLSFlight, serverCertificate);
    }

    /**
     * Adds the ServerKeyExchange message for the ECDHE based key exchanges to the flight.
     *
     * <p>For ECDHE_PSK and EC_DIFFIE_HELLMAN fresh key agreement state is created for the
     * negotiated group. Other key exchange algorithms send no ServerKeyExchange.
     *
     * <p>NOTE(review): the fatal INTERNAL_ERROR exception embeds the message of the
     * underlying security exception but does not keep it as the cause.
     *
     * @param clientHello the client's hello message (not used by this method)
     * @param dTLSFlight the flight the message is added to
     * @throws HandshakeException if the key agreement state or the message cannot be created
     */
    private void createServerKeyExchange(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        DTLSMessage keyExchangeMessage = null;
        try {
            switch (this.session.getKeyExchange()) {
                case ECDHE_PSK:
                    this.ecdhe = new XECDHECryptography(this.selectedCipherSuiteParameters.getSelectedSupportedGroup());
                    // This message is built with an empty PSK identity hint and without the server's private key.
                    keyExchangeMessage = new EcdhPskServerKeyExchange(PskPublicInformation.EMPTY, this.ecdhe, this.session.getPeer());
                    break;
                case EC_DIFFIE_HELLMAN:
                    this.ecdhe = new XECDHECryptography(this.selectedCipherSuiteParameters.getSelectedSupportedGroup());
                    // Built with the server's private key and both hello randoms.
                    keyExchangeMessage = new EcdhEcdsaServerKeyExchange(this.session.getSignatureAndHashAlgorithm(), this.ecdhe, this.privateKey, this.clientRandom, this.serverRandom, this.session.getPeer());
                    break;
                default:
                    break;
            }
        } catch (GeneralSecurityException e) {
            throw new HandshakeException(String.format("Error performing EC Diffie Hellman key exchange: %s", e.getMessage()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR, getPeerAddress()));
        }
        if (keyExchangeMessage != null) {
            wrapMessage(dTLSFlight, keyExchangeMessage);
        }
    }

    /**
     * Adds a CertificateRequest to the flight when client authentication applies.
     *
     * <p>No request is sent when client authentication is neither wanted nor required,
     * when the cipher suite uses no server certificate, or when no client certificate
     * type was negotiated.
     *
     * @param clientHello the client's hello message (not used by this method)
     * @param dTLSFlight the flight the request is added to
     * @return {@code true} if a CertificateRequest was added
     * @throws HandshakeException declared by the flight handling
     */
    private boolean createCertificateRequest(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        if (!this.clientAuthenticationWanted && !this.clientAuthenticationRequired) {
            return false;
        }
        if (!this.session.getCipherSuite().requiresServerCertificateMessage()) {
            return false;
        }
        if (this.selectedCipherSuiteParameters.getSelectedClientCertificateType() == null) {
            return false;
        }

        CertificateRequest request = new CertificateRequest(this.session.getPeer());
        request.addCertificateType(CertificateRequest.ClientCertificateType.ECDSA_SIGN);
        CertificateType expectedType = this.session.receiveCertificateType();
        if (expectedType == CertificateType.X_509) {
            request.addSignatureAlgorithms(this.supportedSignatureAndHashAlgorithms);
            // Issuers are only announced when a certificate verifier is configured.
            if (this.certificateVerifier != null) {
                request.addCerticiateAuthorities(this.certificateVerifier.getAcceptedIssuers());
            }
        } else if (expectedType == CertificateType.RAW_PUBLIC_KEY) {
            // Raw public keys: the offer is narrowed to the ECDSA compatible algorithms.
            request.addSignatureAlgorithms(SignatureAndHashAlgorithm.getEcdsaCompatibleSignatureAlgorithms(this.supportedSignatureAndHashAlgorithms));
        }
        wrapMessage(dTLSFlight, request);
        return true;
    }

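    /**
     * Derives the master secret from the client's ECDH key exchange message.
     *
     * <p>The premaster secret is computed from the client's encoded point and wiped
     * before this method returns, including when the master secret derivation throws,
     * so the key material does not stay in memory on the failure path.
     *
     * @param eCDHClientKeyExchange the client's key exchange message
     * @return the master secret; the caller is responsible for destroying it
     * @throws GeneralSecurityException if the key agreement or the derivation fails
     */
    private SecretKey receivedClientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) throws GeneralSecurityException {
        SecretKey premasterSecret = this.ecdhe.generateSecret(eCDHClientKeyExchange.getEncodedPoint());
        try {
            return PseudoRandomFunction.generateMasterSecret(this.session.getCipherSuite().getThreadLocalPseudoRandomFunctionMac(), premasterSecret, generateRandomSeed());
        } finally {
            // Runs on success and on failure alike.
            SecretUtil.destroy(premasterSecret);
        }
    }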

    /**
     * Records the PSK identity announced by the client and requests the matching secret.
     *
     * <p>The identity is client-supplied and is stored before any secret has been
     * resolved for it.
     *
     * @param pSKClientKeyExchange the client's key exchange message
     * @return the result of {@code requestPskSecretResult}; the caller skips further
     *         processing when it is {@code null}
     * @throws HandshakeException if the request fails
     */
    private PskSecretResult receivedClientKeyExchange(PSKClientKeyExchange pSKClientKeyExchange) throws HandshakeException {
        PskPublicInformation announcedIdentity = pSKClientKeyExchange.getIdentity();
        this.preSharedKeyIdentity = announcedIdentity;
        // Plain PSK: there is no additional ECDH secret to mix in.
        return requestPskSecretResult(announcedIdentity, null);
    }

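    /**
     * Records the PSK identity announced by the client, computes the ECDH secret and
     * requests the PSK based secret for both.
     *
     * <p>The ECDH secret is wiped before this method returns, including when the request
     * throws, so the key material does not stay in memory on the failure path.
     * NOTE(review): the secret is destroyed as soon as {@code requestPskSecretResult}
     * returns, so that call must not keep a reference to the passed key for later use;
     * confirm against {@code Handshaker}.
     *
     * @param ecdhPskClientKeyExchange the client's key exchange message
     * @return the result of {@code requestPskSecretResult}; the caller skips further
     *         processing when it is {@code null}
     * @throws HandshakeException if the request fails
     * @throws GeneralSecurityException if the ECDH key agreement fails
     */
    private PskSecretResult receivedClientKeyExchange(EcdhPskClientKeyExchange ecdhPskClientKeyExchange) throws HandshakeException, GeneralSecurityException {
        this.preSharedKeyIdentity = ecdhPskClientKeyExchange.getIdentity();
        SecretKey ecdhSecret = this.ecdhe.generateSecret(ecdhPskClientKeyExchange.getEncodedPoint());
        try {
            return requestPskSecretResult(this.preSharedKeyIdentity, ecdhSecret);
        } finally {
            // Runs on success and on failure alike.
            SecretUtil.destroy(ecdhSecret);
        }
    }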

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Evaluates the extensions of the CLIENT_HELLO and adds the server's answers.
     *
     * <p>Handled extensions: record size limit (takes precedence over max. fragment
     * length), max. fragment length, server name indication and connection id. Server
     * names sent by the client are only stored when SNI support is enabled, and a
     * connection id is only negotiated when a connection id generator is configured.
     *
     * <p>NOTE(review): the "Received record size limit" debug message logs the limit this
     * server answers with, not the value received from the peer.
     *
     * @param clientHello the client's hello message
     * @param helloExtensions the server hello extensions to add the answers to
     */
    public void processHelloExtensions(ClientHello clientHello, HelloExtensions helloExtensions) {
        RecordSizeLimitExtension clientRecordSizeLimit = clientHello.getRecordSizeLimitExtension();
        if (clientRecordSizeLimit != null) {
            this.session.setRecordSizeLimit(clientRecordSizeLimit.getRecordSizeLimit());
            int ownLimit;
            if (this.recordSizeLimit == null) {
                ownLimit = this.session.getMaxFragmentLength();
            } else {
                ownLimit = this.recordSizeLimit.intValue();
            }
            helloExtensions.addExtension(new RecordSizeLimitExtension(ownLimit));
            this.LOGGER.debug("Received record size limit [{} bytes] from peer [{}]", ownLimit, clientHello.getPeer());
        } else {
            // Max. fragment length is only considered without a record size limit extension.
            MaxFragmentLengthExtension clientMaxFragmentLength = clientHello.getMaxFragmentLengthExtension();
            if (clientMaxFragmentLength != null) {
                this.session.setMaxFragmentLength(clientMaxFragmentLength.getFragmentLength().length());
                helloExtensions.addExtension(clientMaxFragmentLength);
                this.LOGGER.debug("Negotiated max. fragment length [{} bytes] with peer [{}]", clientMaxFragmentLength.getFragmentLength().length(), clientHello.getPeer());
            }
        }

        ServerNameExtension clientServerNames = clientHello.getServerNameExtension();
        if (clientServerNames != null) {
            if (!this.sniEnabled) {
                this.LOGGER.debug("client [{}] included SNI in HELLO but SNI support is disabled", clientHello.getPeer());
            } else {
                this.session.setServerNames(clientServerNames.getServerNames());
                helloExtensions.addExtension(ServerNameExtension.emptyServerNameIndication());
                this.session.setSniSupported(true);
                this.LOGGER.debug("using server name indication received from peer [{}]", clientHello.getPeer());
            }
        }

        if (this.connectionIdGenerator != null) {
            ConnectionIdExtension clientConnectionId = clientHello.getConnectionIdExtension();
            if (clientConnectionId != null) {
                // The client's id is used for writing; the id read by this server comes from getReadConnectionId().
                this.session.setWriteConnectionId(clientConnectionId.getConnectionId());
                ConnectionId ownConnectionId = getReadConnectionId();
                this.session.setReadConnectionId(ownConnectionId);
                helloExtensions.addExtension(ConnectionIdExtension.fromConnectionId(ownConnectionId));
            }
        }
    }

    /**
     * Always fails: a server handshaker only reacts to a CLIENT_HELLO and cannot start a
     * handshake itself.
     *
     * <p>Overrides {@code Handshaker.startHandshake}. The exception carries no alert
     * message ({@code null}).
     *
     * @throws HandshakeException always
     */
    @Override
    public void startHandshake() throws HandshakeException {
        String reason = "starting an handshake is not supported for server handshaker!";
        throw new HandshakeException(reason, null);
    }

    /**
     * Accepts only clients whose offered version compares as DTLS 1.2 or higher and
     * always answers with DTLS 1.2.
     *
     * <p>Any lower offer ends the handshake with a fatal PROTOCOL_VERSION alert. The
     * version attached to that alert is the client's offer, raised to DTLS 1.0 if the
     * offer compares lower than that.
     *
     * @param protocolVersion the version offered by the client
     * @return {@code ProtocolVersion.VERSION_DTLS_1_2}
     * @throws HandshakeException if the client offers less than DTLS 1.2
     */
    private ProtocolVersion negotiateProtocolVersion(ProtocolVersion protocolVersion) throws HandshakeException {
        boolean clientSupportsDtls12 = protocolVersion.compareTo(ProtocolVersion.VERSION_DTLS_1_2) >= 0;
        if (!clientSupportsDtls12) {
            ProtocolVersion alertVersion = protocolVersion.compareTo(ProtocolVersion.VERSION_DTLS_1_0) < 0 ? ProtocolVersion.VERSION_DTLS_1_0 : protocolVersion;
            throw new HandshakeException("The server only supports DTLS v1.2, not " + protocolVersion + "!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.PROTOCOL_VERSION, alertVersion, this.session.getPeer()));
        }
        return ProtocolVersion.VERSION_DTLS_1_2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Selects the cipher suite and the related parameters from what client and server
     * have in common, and stores the outcome in the session.
     *
     * <p>The candidate sets are the intersections of the client's offers with the local
     * configuration. The configured {@code CipherSuiteSelector} makes the choice; if it
     * selects nothing, the handshake ends with a fatal HANDSHAKE_FAILURE alert.
     *
     * @param clientHello the client's hello message
     * @param helloExtensions the server hello extensions to add the answers to
     * @throws HandshakeException if no common cipher suite can be selected
     */
    public void negotiateCipherSuite(ClientHello clientHello, HelloExtensions helloExtensions) throws HandshakeException {
        List<CipherSuite> commonCipherSuites = getCommonCipherSuites(clientHello);
        List<CertificateType> commonServerCertificateTypes = getCommonServerCertificateTypes(clientHello);
        List<CertificateType> commonClientCertificateTypes = getCommonClientCertificateTypes(clientHello);
        List<XECDHECryptography.SupportedGroup> commonGroups = getCommonSupportedGroups(clientHello);
        List<SignatureAndHashAlgorithm> commonSignatures = getCommonSignatureAndHashAlgorithms(clientHello);
        SupportedPointFormatsExtension.ECPointFormat pointFormat = negotiateECPointFormat(clientHello);

        CipherSuiteParameters candidate = new CipherSuiteParameters(this.publicKey, this.certificateChain, this.clientAuthenticationRequired, this.clientAuthenticationWanted, commonCipherSuites, commonServerCertificateTypes, commonClientCertificateTypes, commonGroups, commonSignatures, pointFormat);
        boolean selected = this.cipherSuiteSelector.select(candidate);
        if (!selected) {
            throw new HandshakeException("Client proposed unsupported cipher suites only", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
        }
        this.selectedCipherSuiteParameters = candidate;

        CipherSuite negotiatedSuite = candidate.getSelectedCipherSuite();
        this.session.setCipherSuite(negotiatedSuite);
        if (negotiatedSuite.requiresServerCertificateMessage()) {
            this.session.setSignatureAndHashAlgorithm(candidate.getSelectedSignature());
            this.session.setSendCertificateType(candidate.getSelectedServerCertificateType());
            CertificateType clientCertificateType = candidate.getSelectedClientCertificateType();
            // When client authentication is required the type is stored even if it is null;
            // when it is only wanted, it is stored only if one was selected.
            boolean storeClientType = this.clientAuthenticationRequired || (this.clientAuthenticationWanted && clientCertificateType != null);
            if (storeClientType) {
                this.session.setReceiveCertificateType(candidate.getSelectedClientCertificateType());
            }
        }
        addServerHelloExtensions(negotiatedSuite, clientHello, helloExtensions);
        this.session.setParameterAvailable();
        this.LOGGER.debug("Negotiated cipher suite [{}] with peer [{}]", negotiatedSuite.name(), getPeerAddress());
    }

    /**
     * Adds the certificate type and point format extensions to the ServerHello.
     *
     * <p>A certificate type extension is only echoed when the client sent the
     * corresponding extension and it contains the negotiated type. The point format
     * extension is only added for ECC based cipher suites and when the client sent one.
     *
     * @param cipherSuite the negotiated cipher suite
     * @param clientHello the client's hello message
     * @param helloExtensions the server hello extensions to add to
     */
    private void addServerHelloExtensions(CipherSuite cipherSuite, ClientHello clientHello, HelloExtensions helloExtensions) {
        if (cipherSuite.requiresServerCertificateMessage()) {
            if (this.clientAuthenticationRequired || this.clientAuthenticationWanted) {
                CertificateType clientType = this.session.receiveCertificateType();
                if (clientType != null) {
                    ClientCertificateTypeExtension offeredClientTypes = clientHello.getClientCertificateTypeExtension();
                    if (offeredClientTypes != null && offeredClientTypes.getCertificateTypes().contains(clientType)) {
                        helloExtensions.addExtension(new ClientCertificateTypeExtension(clientType));
                    }
                }
            }
            CertificateType serverType = this.session.sendCertificateType();
            if (serverType != null) {
                ServerCertificateTypeExtension offeredServerTypes = clientHello.getServerCertificateTypeExtension();
                if (offeredServerTypes != null && offeredServerTypes.getCertificateTypes().contains(serverType)) {
                    helloExtensions.addExtension(new ServerCertificateTypeExtension(serverType));
                }
            }
        }
        if (cipherSuite.isEccBased() && clientHello.getSupportedPointFormatsExtension() != null) {
            helloExtensions.addExtension(SupportedPointFormatsExtension.DEFAULT_POINT_FORMATS_EXTENSION);
        }
    }

    /**
     * Determines the groups supported by both the client and this server.
     *
     * <p>Without a supported elliptic curves extension in the CLIENT_HELLO all locally
     * supported groups are candidates. Otherwise the result keeps the client's order and
     * contains only groups that are also configured locally.
     *
     * @param clientHello the client's hello message
     * @return a new, modifiable list of common groups; possibly empty
     */
    private List<XECDHECryptography.SupportedGroup> getCommonSupportedGroups(ClientHello clientHello) {
        SupportedEllipticCurvesExtension clientCurves = clientHello.getSupportedEllipticCurvesExtension();
        if (clientCurves == null) {
            return new ArrayList<>(this.supportedGroups);
        }
        List<XECDHECryptography.SupportedGroup> common = new ArrayList<>();
        for (XECDHECryptography.SupportedGroup offered : clientCurves.getSupportedGroups()) {
            if (this.supportedGroups.contains(offered)) {
                common.add(offered);
            }
        }
        return common;
    }

    /**
     * Negotiates the EC point format; only UNCOMPRESSED is ever selected.
     *
     * @param clientHello the client's hello message
     * @return {@code UNCOMPRESSED} if the client sent no point formats extension or its
     *         extension contains that format, otherwise {@code null}
     */
    private SupportedPointFormatsExtension.ECPointFormat negotiateECPointFormat(ClientHello clientHello) {
        SupportedPointFormatsExtension clientFormats = clientHello.getSupportedPointFormatsExtension();
        boolean clientExcludesUncompressed = clientFormats != null && !clientFormats.contains(SupportedPointFormatsExtension.ECPointFormat.UNCOMPRESSED);
        return clientExcludesUncompressed ? null : SupportedPointFormatsExtension.ECPointFormat.UNCOMPRESSED;
    }

    /**
     * Determines the signature and hash algorithms supported by both sides.
     *
     * <p>Without a signature algorithms extension in the CLIENT_HELLO a copy of the
     * locally supported algorithms is returned.
     *
     * @param clientHello the client's hello message
     * @return the common algorithms
     */
    private List<SignatureAndHashAlgorithm> getCommonSignatureAndHashAlgorithms(ClientHello clientHello) {
        SignatureAlgorithmsExtension clientAlgorithms = clientHello.getSupportedSignatureAlgorithms();
        if (clientAlgorithms == null) {
            return new ArrayList<>(this.supportedSignatureAndHashAlgorithms);
        }
        return SignatureAndHashAlgorithm.getCommonSignatureAlgorithms(clientAlgorithms.getSupportedSignatureAndHashAlgorithms(), this.supportedSignatureAndHashAlgorithms);
    }

    /**
     * Determines the cipher suites offered by the client that this server accepts.
     *
     * <p>If the session already carries a cipher suite other than
     * {@code TLS_NULL_WITH_NULL_NULL}, only that suite is acceptable. The null cipher
     * suite itself is never part of the result, and the result keeps the client's order.
     *
     * @param clientHello the client's hello message
     * @return a new list of acceptable cipher suites; possibly empty
     */
    private List<CipherSuite> getCommonCipherSuites(ClientHello clientHello) {
        CipherSuite sessionSuite = this.session.getCipherSuite();
        List<CipherSuite> acceptable;
        if (sessionSuite.equals(CipherSuite.TLS_NULL_WITH_NULL_NULL)) {
            acceptable = this.supportedCipherSuites;
        } else {
            // The session is already bound to a suite: do not negotiate a different one.
            acceptable = Arrays.asList(sessionSuite);
        }
        List<CipherSuite> common = new ArrayList<>();
        for (CipherSuite offered : clientHello.getCipherSuites()) {
            if (offered == CipherSuite.TLS_NULL_WITH_NULL_NULL) {
                continue;
            }
            if (acceptable.contains(offered)) {
                common.add(offered);
            }
        }
        return common;
    }

    /**
     * Determines the client certificate types acceptable for this handshake.
     *
     * <p>If the session already has a peer identity, only the certificate type matching
     * that identity is acceptable (none for other identity kinds). Otherwise the
     * configured client certificate types apply.
     *
     * @param clientHello the client's hello message
     * @return the acceptable types the client also supports
     */
    private List<CertificateType> getCommonClientCertificateTypes(ClientHello clientHello) {
        Principal knownIdentity = this.session.getPeerIdentity();
        List<CertificateType> acceptable;
        if (knownIdentity == null) {
            acceptable = this.supportedClientCertificateTypes;
        } else {
            acceptable = new ArrayList<>();
            if (knownIdentity instanceof RawPublicKeyIdentity) {
                acceptable.add(CertificateType.RAW_PUBLIC_KEY);
            } else if (knownIdentity instanceof X509CertPath) {
                acceptable.add(CertificateType.X_509);
            }
        }
        return getCommonCertificateTypes(clientHello.getClientCertificateTypeExtension(), acceptable);
    }

    /**
     * Determines the server certificate types that the client accepts and this server
     * is configured to present.
     *
     * @param clientHello the client's hello message
     * @return the common server certificate types
     */
    private List<CertificateType> getCommonServerCertificateTypes(ClientHello clientHello) {
        CertificateTypeExtension clientAccepted = clientHello.getServerCertificateTypeExtension();
        return getCommonCertificateTypes(clientAccepted, this.supportedServerCertificateTypes);
    }

    /**
     * Intersects the certificate types of a client extension with the supported types.
     *
     * <p>The result follows the order of the client's extension. Without an extension
     * only X.509 is considered, and only if it is among the supported types.
     *
     * @param certificateTypeExtension the client's extension, may be {@code null}
     * @param list the locally supported types, may be {@code null}
     * @return a new list of common types; empty if {@code list} is {@code null} or
     *         nothing matches
     */
    private static List<CertificateType> getCommonCertificateTypes(CertificateTypeExtension certificateTypeExtension, List<CertificateType> list) {
        List<CertificateType> common = new ArrayList<>();
        if (list == null) {
            return common;
        }
        if (certificateTypeExtension == null) {
            // No extension sent: fall back to X.509, provided it is supported locally.
            if (list.contains(CertificateType.X_509)) {
                common.add(CertificateType.X_509);
            }
            return common;
        }
        for (CertificateType offered : certificateTypeExtension.getCertificateTypes()) {
            if (list.contains(offered)) {
                common.add(offered);
            }
        }
        return common;
    }

    /**
     * Returns the client certificate type selected during cipher suite negotiation.
     *
     * @return the selected type, or {@code null} if nothing has been negotiated yet
     */
    final CertificateType getNegotiatedClientCertificateType() {
        CipherSuiteParameters negotiated = this.selectedCipherSuiteParameters;
        return negotiated == null ? null : negotiated.getSelectedClientCertificateType();
    }

    /**
     * Returns the server certificate type selected during cipher suite negotiation.
     *
     * @return the selected type, or {@code null} if nothing has been negotiated yet
     */
    final CertificateType getNegotiatedServerCertificateType() {
        CipherSuiteParameters negotiated = this.selectedCipherSuiteParameters;
        return negotiated == null ? null : negotiated.getSelectedServerCertificateType();
    }

    /**
     * Returns the group selected during cipher suite negotiation.
     *
     * @return the selected group, or {@code null} if nothing has been negotiated yet
     */
    final XECDHECryptography.SupportedGroup getNegotiatedSupportedGroup() {
        CipherSuiteParameters negotiated = this.selectedCipherSuiteParameters;
        return negotiated == null ? null : negotiated.getSelectedSupportedGroup();
    }

    /**
     * Wipes the ephemeral ECDH key agreement state of this handshake and drops the
     * reference to it.
     *
     * <p>Overrides {@code Handshaker.destroy} and implements
     * {@code javax.security.auth.Destroyable}. The reference is cleared only after the
     * wipe returned normally.
     *
     * @throws DestroyFailedException if the key material cannot be destroyed
     */
    @Override
    public void destroy() throws DestroyFailedException {
        SecretUtil.destroy(ecdhe);
        ecdhe = null;
    }
}
