package org.eclipse.californium.scandium.dtls.x509;

import j$.util.DesugarCollections;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.elements.util.SslContextUtil;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.CertificateVerificationResult;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.DTLSSession;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.dtls.rpkstore.TrustedRpkStore;
import org.eclipse.californium.scandium.util.ServerNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

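/* loaded from: classes.dex */
/**
 * Adapts a legacy {@link CertificateVerifier} to the {@link NewAdvancedCertificateVerifier} API.
 *
 * <p>Only x509 certificate chains are handled. The constructor accepts a {@link TrustedRpkStore},
 * but this class does not keep it: a certificate message without a certificate chain is always
 * rejected with "RPK verification not enabled!".
 *
 * <p>Verification runs synchronously inside
 * {@link #verifyCertificate(ConnectionId, ServerNames, Boolean, boolean, CertificateMessage, DTLSSession)}.
 * A failed verification is reported through the returned {@link CertificateVerificationResult}
 * and is logged at debug level only.
 */
public class BridgeCertificateVerifier implements NewAdvancedCertificateVerifier {
    protected final Logger LOGGER = LoggerFactory.getLogger(getClass());
    private final List<CertificateType> supportedCertificateTypes;
    private final CertificateVerifier x509verifier;

    /* loaded from: classes.dex */
    /** Collects the x509 verifier (or trust anchors) and builds the bridge. */
    public static class Builder {
        protected List<CertificateType> supportedCertificateTypes;
        protected CertificateVerifier x509verifier;

        /**
         * Builds the verifier from the current settings.
         *
         * @return the new verifier
         * @throws IllegalArgumentException if no x509 verifier has been configured (the RPK store
         *         passed to the constructor is always {@code null} here)
         */
        public NewAdvancedCertificateVerifier build() {
            init();
            return new BridgeCertificateVerifier(this.x509verifier, null, this.supportedCertificateTypes);
        }

        /**
         * Derives the supported certificate types: {@link CertificateType#X_509} is listed only
         * when an x509 verifier is set. The resulting list is unmodifiable.
         */
        protected void init() {
            List<CertificateType> types = new ArrayList<>();
            if (this.x509verifier != null) {
                types.add(CertificateType.X_509);
            }
            this.supportedCertificateTypes = DesugarCollections.unmodifiableList(types);
        }

        /**
         * Sets the legacy verifier to delegate to.
         *
         * @param certificateVerifier verifier for x509 chains, or {@code null} to disable x509
         * @return this builder
         */
        public Builder setCertificateVerifier(CertificateVerifier certificateVerifier) {
            this.x509verifier = certificateVerifier;
            return this;
        }

        /**
         * Replaces the verifier with a {@link StaticCertificateVerifier} over the given certificates.
         *
         * <p>NOTE(review): a zero-length array is passed on as an empty trust-anchor set. Upstream
         * Californium documents an empty set as accepting any otherwise valid chain; confirm how
         * the bundled StaticCertificateVerifier treats it before relying on an empty array, and
         * make sure callers cannot end up with one by accident (e.g. an empty key store).
         *
         * @param certificateArr trusted certificates; {@code null} disables x509 verification
         * @return this builder
         */
        public Builder setTrustedCertificates(Certificate[] certificateArr) {
            if (certificateArr == null) {
                this.x509verifier = null;
                return this;
            }
            if (certificateArr.length == 0) {
                this.x509verifier = new StaticCertificateVerifier(new X509Certificate[0]);
                return this;
            }
            X509Certificate[] trustAnchors = SslContextUtil.asX509Certificates(certificateArr);
            // Checked before the verifier is replaced, so a rejected array leaves the builder unchanged.
            SslContextUtil.ensureUniqueCertificates(trustAnchors);
            this.x509verifier = new StaticCertificateVerifier(trustAnchors);
            return this;
        }
    }

    /**
     * Creates the bridge.
     *
     * @param certificateVerifier legacy x509 verifier, may be {@code null} if an RPK store is given
     * @param trustedRpkStore only checked for presence; it is not stored and never consulted
     * @param list supported certificate types, kept by reference
     * @throws IllegalArgumentException if both verifier and RPK store are {@code null}
     * @throws NullPointerException if {@code list} is {@code null}
     */
    protected BridgeCertificateVerifier(CertificateVerifier certificateVerifier, TrustedRpkStore trustedRpkStore, List<CertificateType> list) {
        if (certificateVerifier == null && trustedRpkStore == null) {
            throw new IllegalArgumentException("no verifier provided!");
        }
        if (list == null) {
            throw new NullPointerException("list of supported certificate types must not be null!");
        }
        this.x509verifier = certificateVerifier;
        this.supportedCertificateTypes = list;
    }

    /** @return a new, empty {@link Builder} */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Returns the subjects of the issuers accepted by the x509 verifier.
     *
     * @return the result of {@code CertPathUtil.toSubjects} for the accepted issuers, or for
     *         {@code null} when there is no x509 verifier or it reports no issuers
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier
    public List<X500Principal> getAcceptedIssuers() {
        // The constructor allows a null x509 verifier when an RPK store is supplied, and
        // verifyCertificate already guards against it; do the same here instead of throwing an NPE.
        X509Certificate[] acceptedIssuers = this.x509verifier != null ? this.x509verifier.getAcceptedIssuers() : null;
        return CertPathUtil.toSubjects(acceptedIssuers != null ? Arrays.asList(acceptedIssuers) : null);
    }

    /** @return the list handed to the constructor (unmodifiable when created through the builder) */
    @Override // org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier
    public List<CertificateType> getSupportedCertificateType() {
        return this.supportedCertificateTypes;
    }

    /** Ignored: results are returned directly by {@code verifyCertificate}, never via a handler. */
    @Override // org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier
    public void setResultHandler(HandshakeResultHandler handshakeResultHandler) {
    }

    /**
     * Verifies the peer's certificate message with the configured x509 verifier.
     *
     * <p>An {@link AdvancedCertificateVerifier} receives {@code bool} and {@code z2} and supplies
     * the certificate path for the result. For any other verifier this method checks the key usage
     * of the first certificate itself and then delegates. On that legacy path {@code z2} is not
     * used, and the result carries the chain exactly as sent by the peer. The key-usage check is
     * skipped when {@code bool} is {@code null}, when the message is empty, or when the first
     * certificate is not an {@link X509Certificate}.
     *
     * @param connectionId connection id copied into the result
     * @param serverNames not used by this implementation
     * @param bool passed to {@code CertPathUtil.canBeUsedForAuthentication}; presumably the
     *        client/server usage flag of the upstream API (decompiled name, confirm)
     * @param z2 forwarded only to an {@link AdvancedCertificateVerifier}; presumably the
     *        truncate-certificate-path flag of the upstream API (decompiled name, confirm)
     * @param certificateMessage the peer's certificate message
     * @param dTLSSession session whose peer address is put into generated alerts
     * @return a result holding the certificate path on success, or the {@link HandshakeException}
     *         on failure; only {@link HandshakeException} is converted, other exceptions propagate
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier
    public CertificateVerificationResult verifyCertificate(ConnectionId connectionId, ServerNames serverNames, Boolean bool, boolean z2, CertificateMessage certificateMessage, DTLSSession dTLSSession) {
        try {
            CertPath certificateChain = certificateMessage.getCertificateChain();
            if (certificateChain == null) {
                // No chain in the message: not an x509 message, and RPK is not handled here.
                throw fatal("RPK verification not enabled!", AlertMessage.AlertDescription.INTERNAL_ERROR, dTLSSession);
            }
            CertificateVerifier verifier = this.x509verifier;
            if (verifier == null) {
                throw fatal("x509 verification not enabled!", AlertMessage.AlertDescription.INTERNAL_ERROR, dTLSSession);
            }
            if (verifier instanceof AdvancedCertificateVerifier) {
                certificateChain = ((AdvancedCertificateVerifier) verifier).verifyCertificate(bool, z2, certificateMessage, dTLSSession);
            } else {
                if (bool != null && !certificateMessage.isEmpty()) {
                    Certificate first = certificateChain.getCertificates().get(0);
                    if ((first instanceof X509Certificate) && !CertPathUtil.canBeUsedForAuthentication((X509Certificate) first, bool.booleanValue())) {
                        throw fatal("Key Usage doesn't match!", AlertMessage.AlertDescription.BAD_CERTIFICATE, dTLSSession);
                    }
                }
                // The legacy verifier returns nothing; it must reject by throwing HandshakeException.
                verifier.verifyCertificate(certificateMessage, dTLSSession);
            }
            return new CertificateVerificationResult(connectionId, certificateChain, (Object) null);
        } catch (HandshakeException e2) {
            this.LOGGER.debug("Certificate validation failed!", e2);
            return new CertificateVerificationResult(connectionId, e2, (Object) null);
        }
    }

    /** Builds a handshake failure carrying a fatal alert addressed to the session's peer. */
    private static HandshakeException fatal(String message, AlertMessage.AlertDescription description, DTLSSession session) {
        return new HandshakeException(message, new AlertMessage(AlertMessage.AlertLevel.FATAL, description, session.getPeer()));
    }
}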
