package org.eclipse.californium.scandium.dtls;

import java.io.ByteArrayInputStream;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.util.DatagramReader;
import org.eclipse.californium.scandium.util.DatagramWriter;

/* loaded from: classes16.dex */
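/**
 * DTLS handshake CERTIFICATE message.
 * <p>
 * An instance carries either an X.509 certificate chain (the default TLS form) or
 * a raw public key (RFC 7250 style, {@code SubjectPublicKeyInfo} bytes), never
 * both. Which form is in use is determined by whether {@link #rawPublicKeyBytes}
 * is {@code null}.
 * <p>
 * Note on the X.509 form: {@link #setCertificateChain(Certificate[])} drops
 * self-signed certificates (issuer equals subject) from {@link #certificateChain},
 * while {@link #calculateLength(Certificate[])} encodes and counts every
 * certificate that was passed in. The wire encoding therefore includes a trailing
 * root certificate if the caller supplied one, but {@link #getCertificateChain()}
 * and {@link #verifyCertificate(Certificate[])} do not see it.
 * <p>
 * Security: {@link #verifyCertificate(Certificate[])} performs PKIX path
 * validation with revocation checking disabled, and performs no validation at all
 * for the raw-public-key form; trust in a raw public key must be established by
 * the caller out of band.
 */
public final class CertificateMessage extends HandshakeMessage {
    /** Width in bits of the per-certificate length prefix. */
    private static final int CERTIFICATE_LENGTH_BITS = 24;
    /** Width in bits of the certificate-list length prefix. */
    private static final int CERTIFICATE_LIST_LENGTH = 24;
    /** Size in bytes of a 24-bit length prefix. */
    private static final int CERTIFICATE_LENGTH_BYTES = CERTIFICATE_LENGTH_BITS / 8;
    private static final String CERTIFICATE_TYPE_X509 = "X.509";
    private static final Logger LOGGER = Logger.getLogger(CertificateMessage.class.getCanonicalName());
    /** Non-self-signed certificates of the chain, leaf first; {@code null} for the raw-public-key form. */
    private X509Certificate[] certificateChain;
    /** DER encodings of every certificate passed to the constructor; {@code null} if encoding failed. */
    private List<byte[]> encodedChain;
    /** Length of the message fragment in bytes, including the 3-byte list/key length prefix. */
    private int length;
    /** Encoded public key; {@code null} for the X.509 form. */
    private byte[] rawPublicKeyBytes;

    /**
     * Creates a raw-public-key CERTIFICATE message.
     *
     * @param bArr encoded public key (expected to be X.509 {@code SubjectPublicKeyInfo}); copied defensively
     * @param inetSocketAddress address of the peer this message belongs to
     * @throws NullPointerException if {@code bArr} is {@code null}
     */
    public CertificateMessage(byte[] bArr, InetSocketAddress inetSocketAddress) {
        super(inetSocketAddress);
        if (bArr == null) {
            throw new NullPointerException("Raw public key byte array must not be null");
        }
        this.rawPublicKeyBytes = Arrays.copyOf(bArr, bArr.length);
        // 3-byte length prefix plus the key bytes.
        this.length = CERTIFICATE_LENGTH_BYTES + this.rawPublicKeyBytes.length;
    }

    /**
     * Creates an X.509 CERTIFICATE message.
     *
     * @param certificateArr certificate chain, leaf first; every element must be an {@link X509Certificate}
     * @param inetSocketAddress address of the peer this message belongs to
     * @throws NullPointerException if {@code certificateArr} is {@code null}
     * @throws IllegalArgumentException if an element is not an X.509 certificate or the
     *         subject/issuer names do not link up into a chain
     */
    public CertificateMessage(Certificate[] certificateArr, InetSocketAddress inetSocketAddress) {
        super(inetSocketAddress);
        // 3-byte certificate-list length prefix; each entry adds its own prefix and DER bytes.
        this.length = CERTIFICATE_LENGTH_BYTES;
        if (certificateArr == null) {
            throw new NullPointerException("Certificate chain must not be null");
        }
        setCertificateChain(certificateArr);
        calculateLength(certificateArr);
    }

    /**
     * DER-encodes every certificate and accumulates the fragment length.
     * On an encoding failure {@link #encodedChain} is reset to {@code null} and the
     * error is logged; {@link #fragmentToByteArray()} then refuses to serialize.
     *
     * @param certificateArr certificates to encode; ignored if {@code null} or already encoded
     */
    private void calculateLength(Certificate[] certificateArr) {
        if (certificateArr == null || this.encodedChain != null) {
            return;
        }
        List<byte[]> encodings = new ArrayList<>(certificateArr.length);
        try {
            for (Certificate certificate : certificateArr) {
                byte[] encoded = certificate.getEncoded();
                encodings.add(encoded);
                this.length += encoded.length + CERTIFICATE_LENGTH_BYTES;
            }
            this.encodedChain = encodings;
        } catch (CertificateEncodingException e) {
            this.encodedChain = null;
            LOGGER.log(Level.SEVERE, "Could not encode certificate chain", (Throwable) e);
        }
    }

    /**
     * Parses a CERTIFICATE message fragment received from the peer.
     *
     * @param bArr the message fragment
     * @param z {@code true} to parse the raw-public-key form, {@code false} for the X.509 form
     * @param inetSocketAddress address of the peer
     * @return the parsed message
     * @throws HandshakeException if the X.509 chain cannot be decoded
     */
    public static CertificateMessage fromByteArray(byte[] bArr, boolean z, InetSocketAddress inetSocketAddress) throws HandshakeException {
        DatagramReader reader = new DatagramReader(bArr);
        if (!z) {
            return readX509CertificateMessage(reader, inetSocketAddress);
        }
        LOGGER.log(Level.FINER, "Parsing RawPublicKey CERTIFICATE message");
        int keyLength = reader.read(CERTIFICATE_LENGTH_BITS);
        return new CertificateMessage(reader.readBytes(keyLength), inetSocketAddress);
    }

    /**
     * Wraps the X.509 members of the given certificates as PKIX trust anchors.
     * Non-X.509 entries are logged and skipped.
     *
     * @param certificateArr trusted CA certificates, may be {@code null}
     * @return the trust anchors, possibly empty
     */
    private static Set<TrustAnchor> getTrustAnchors(Certificate[] certificateArr) {
        Set<TrustAnchor> anchors = new HashSet<>();
        if (certificateArr == null) {
            return anchors;
        }
        for (Certificate certificate : certificateArr) {
            if (CERTIFICATE_TYPE_X509.equals(certificate.getType())) {
                anchors.add(new TrustAnchor((X509Certificate) certificate, null));
            } else {
                LOGGER.log(Level.INFO, "List of trusted CA certificates contains non-X.509 certificate of type [{0}]", certificate.getType());
            }
        }
        return anchors;
    }

    /**
     * Decodes the X.509 form: a 24-bit list length followed by entries, each a
     * 24-bit length and DER certificate bytes.
     * <p>
     * The input is peer-controlled. An entry whose announced length does not fit in
     * the remaining list length is rejected with a fatal DECODE_ERROR alert instead
     * of being read past the list boundary; an undecodable certificate is rejected
     * with a fatal BAD_CERTIFICATE alert.
     *
     * @param datagramReader reader positioned at the start of the fragment
     * @param inetSocketAddress address of the peer
     * @return the parsed message
     * @throws HandshakeException if the list structure is inconsistent or a certificate cannot be parsed
     */
    private static CertificateMessage readX509CertificateMessage(DatagramReader datagramReader, InetSocketAddress inetSocketAddress) throws HandshakeException {
        LOGGER.log(Level.FINER, "Parsing X.509 CERTIFICATE message");
        int remaining = datagramReader.read(CERTIFICATE_LIST_LENGTH);
        List<Certificate> certs = new ArrayList<>();
        CertificateFactory factory = null;
        while (remaining > 0) {
            int certLength = datagramReader.read(CERTIFICATE_LENGTH_BITS);
            // certLength is at most 2^24-1, so this sum cannot overflow.
            if (certLength + CERTIFICATE_LENGTH_BYTES > remaining) {
                throw new HandshakeException("Certificate list length does not match certificate entries", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.DECODE_ERROR, inetSocketAddress));
            }
            byte[] der = datagramReader.readBytes(certLength);
            remaining -= certLength + CERTIFICATE_LENGTH_BYTES;
            try {
                if (factory == null) {
                    factory = CertificateFactory.getInstance(CERTIFICATE_TYPE_X509);
                }
                // generateCertificate throws the checked CertificateException and must stay inside the try.
                certs.add(factory.generateCertificate(new ByteArrayInputStream(der)));
            } catch (CertificateException e) {
                throw new HandshakeException("Cannot parse X.509 certificate chain provided by peer", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE, inetSocketAddress), e);
            }
        }
        return new CertificateMessage(certs.toArray(new Certificate[0]), inetSocketAddress);
    }

    /**
     * Validates that the certificates link up (each certificate's issuer is the
     * next certificate's subject) and stores the non-self-signed ones.
     * Self-signed certificates are skipped, so a trailing root CA is not retained.
     *
     * @param certificateArr certificates, leaf first
     * @throws IllegalArgumentException on a non-X.509 entry or a broken issuer/subject link
     */
    private void setCertificateChain(Certificate[] certificateArr) {
        List<X509Certificate> chain = new ArrayList<>();
        X500Principal expectedIssuer = null;
        for (Certificate certificate : certificateArr) {
            if (!(certificate instanceof X509Certificate)) {
                throw new IllegalArgumentException("Certificate chain must consist of X.509 certificates only");
            }
            X509Certificate x509 = (X509Certificate) certificate;
            X500Principal subject = x509.getSubjectX500Principal();
            X500Principal issuer = x509.getIssuerX500Principal();
            LOGGER.log(Level.FINER, "Current Subject DN: {0}", subject.getName());
            if (expectedIssuer != null && !expectedIssuer.equals(subject)) {
                LOGGER.log(Level.FINER, "Actual Issuer DN: {0}", subject.getName());
                throw new IllegalArgumentException("Given certificates do not form a chain");
            }
            if (!issuer.equals(subject)) {
                chain.add(x509);
                expectedIssuer = issuer;
                LOGGER.log(Level.FINER, "Expected Issuer DN: {0}", expectedIssuer.getName());
            }
        }
        this.certificateChain = chain.toArray(new X509Certificate[0]);
    }

    /**
     * Serializes the message body: for X.509, a 24-bit list length followed by
     * length-prefixed DER certificates; for a raw public key, a 24-bit length and
     * the key bytes.
     *
     * @return the encoded fragment
     * @throws IllegalStateException if the certificate chain could not be DER-encoded at construction time
     */
    @Override
    public byte[] fragmentToByteArray() {
        DatagramWriter writer = new DatagramWriter();
        if (this.rawPublicKeyBytes != null) {
            writer.write(this.rawPublicKeyBytes.length, CERTIFICATE_LENGTH_BITS);
            writer.writeBytes(this.rawPublicKeyBytes);
            return writer.toByteArray();
        }
        if (this.encodedChain == null) {
            // calculateLength() logged the encoding failure; there is nothing valid to send.
            throw new IllegalStateException("Certificate chain could not be encoded");
        }
        writer.write(getMessageLength() - CERTIFICATE_LENGTH_BYTES, CERTIFICATE_LIST_LENGTH);
        for (byte[] der : this.encodedChain) {
            writer.write(der.length, CERTIFICATE_LENGTH_BITS);
            writer.writeBytes(der);
        }
        return writer.toByteArray();
    }

    /**
     * @return a copy of the non-self-signed certificate chain, leaf first, or
     *         {@code null} for the raw-public-key form
     */
    public X509Certificate[] getCertificateChain() {
        if (this.certificateChain == null) {
            return null;
        }
        return Arrays.copyOf(this.certificateChain, this.certificateChain.length);
    }

    /** @return the fragment length in bytes, including the 3-byte length prefix */
    @Override
    public int getMessageLength() {
        return this.length;
    }

    @Override
    public HandshakeType getMessageType() {
        return HandshakeType.CERTIFICATE;
    }

    /**
     * Returns the peer's public key: the leaf certificate's key for the X.509 form,
     * or the key reconstructed from the raw bytes (decoded with the "EC" key factory
     * only, so non-EC raw keys are not supported).
     *
     * @return the public key, or {@code null} if the chain is empty or the raw bytes
     *         cannot be decoded as an EC key
     */
    public PublicKey getPublicKey() {
        if (this.rawPublicKeyBytes == null) {
            if (this.certificateChain == null || this.certificateChain.length == 0) {
                return null;
            }
            return this.certificateChain[0].getPublicKey();
        }
        try {
            return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(this.rawPublicKeyBytes));
        } catch (GeneralSecurityException e) {
            LOGGER.log(Level.SEVERE, "Could not reconstruct the peer's public key", (Throwable) e);
            return null;
        }
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder(super.toString());
        if (this.rawPublicKeyBytes == null && this.certificateChain != null) {
            sb.append("\t\tCertificate chain length: ").append(getMessageLength() - CERTIFICATE_LENGTH_BYTES).append("\n");
            for (int i = 0; i < this.certificateChain.length; i++) {
                // encodedChain may be null if DER encoding failed, or shorter than expected; print only what exists.
                if (this.encodedChain != null && i < this.encodedChain.size()) {
                    sb.append("\t\t\tCertificate Length: ").append(this.encodedChain.get(i).length).append("\n");
                }
                sb.append("\t\t\tCertificate: ").append(this.certificateChain[i]).append("\n");
            }
        } else if (this.rawPublicKeyBytes != null && this.certificateChain == null) {
            // getPublicKey() returns null for an undecodable key; avoid an NPE in diagnostics.
            sb.append("\t\tRaw Public Key: ").append(String.valueOf(getPublicKey())).append("\n");
        }
        return sb.toString();
    }

    /**
     * Validates the X.509 chain against the given trusted CA certificates using a
     * PKIX path validator.
     * <p>
     * Revocation checking is explicitly disabled, so revoked certificates are
     * accepted as long as the path is otherwise valid. For the raw-public-key form
     * this method does nothing; the caller is responsible for deciding whether the
     * key returned by {@link #getPublicKey()} is trusted.
     *
     * @param certificateArr trusted CA certificates used as trust anchors
     * @throws HandshakeException with a fatal BAD_CERTIFICATE alert if the chain does not validate
     */
    public void verifyCertificate(Certificate[] certificateArr) throws HandshakeException {
        if (this.rawPublicKeyBytes != null) {
            return;
        }
        Set<TrustAnchor> trustAnchors = getTrustAnchors(certificateArr);
        try {
            CertPath certPath = CertificateFactory.getInstance(CERTIFICATE_TYPE_X509).generateCertPath(Arrays.asList(this.certificateChain));
            PKIXParameters params = new PKIXParameters(trustAnchors);
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (GeneralSecurityException e) {
            if (LOGGER.isLoggable(Level.FINEST)) {
                LOGGER.log(Level.FINEST, "Certificate validation failed", (Throwable) e);
            } else if (LOGGER.isLoggable(Level.FINE)) {
                LOGGER.log(Level.FINE, "Certificate validation failed due to {0}", e.getMessage());
            }
            throw new HandshakeException("Certificate chain could not be validated", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE, getPeer()));
        }
    }
}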
