package org.eclipse.californium.scandium.dtls;

import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.util.DatagramReader;
import org.eclipse.californium.scandium.util.DatagramWriter;

/* loaded from: input_file:org/eclipse/californium/scandium/dtls/CertificateMessage.class */
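/**
 * DTLS handshake message of type {@link HandshakeType#CERTIFICATE}.
 *
 * <p>The message carries either a chain of certificates or, alternatively, a single raw public
 * key. As written by {@link #fragmentToByteArray()}, both forms start with a 24-bit payload length
 * followed by entries that are each prefixed with their own 24-bit length.
 *
 * <p>Security notes for maintainers:
 * <ul>
 * <li>{@link #verifyCertificate(Certificate[])} walks the issuer relationships by hand. It checks
 * signatures, the validity period and the CA flag of every certificate used as an intermediate,
 * but it does not check revocation, key usage, name constraints or path-length constraints.
 * NOTE(review): consider replacing the walk with the JDK's PKIX {@code CertPathValidator}.</li>
 * <li>Nothing in this class checks a raw public key against a set of trusted keys; a caller that
 * accepts raw public keys has to authenticate the key itself.</li>
 * </ul>
 */
public class CertificateMessage extends HandshakeMessage {
    private static final Logger LOGGER = Logger.getLogger(CertificateMessage.class.getCanonicalName());

    /** Width in bits of the length field that precedes each certificate (or the raw key). */
    private static final int CERTIFICATE_LENGTH_BITS = 24;

    /** Width in bits of the length field that precedes the whole certificate list. */
    private static final int CERTIFICATE_LIST_LENGTH = 24;

    /** Size in bytes of one 24-bit length field. */
    private static final int LENGTH_FIELD_BYTES = 3;

    // Certificate chain carried by this message; stays null when a raw public key is used.
    private Certificate[] certificateChain;
    // Encoded form of each chain element, filled lazily by getMessageLength().
    private List<byte[]> encodedChain;
    private int messageLength;
    // Encoded raw public key; stays null when a certificate chain is used.
    private byte[] rawPublicKeyBytes;

    /**
     * Creates a message that carries a certificate chain.
     *
     * @param certificateArr the chain; element 0 is treated as the sender's own certificate
     */
    public CertificateMessage(Certificate[] certificateArr) {
        this.certificateChain = certificateArr;
    }

    /**
     * Creates a message that carries a raw public key instead of a certificate chain.
     *
     * @param bArr the encoded public key
     */
    public CertificateMessage(byte[] bArr) {
        this.rawPublicKeyBytes = bArr;
    }

    @Override
    public HandshakeType getMessageType() {
        return HandshakeType.CERTIFICATE;
    }

    /**
     * Returns the length in bytes of the message body and, for a certificate chain, encodes the
     * chain on first use.
     *
     * <p>If any certificate cannot be encoded, the failure is logged and the message is treated
     * as carrying an empty certificate list, so that the object stays in a consistent state
     * instead of failing later with a {@code NullPointerException}.
     *
     * @return the body length in bytes
     */
    @Override
    public int getMessageLength() {
        if (this.rawPublicKeyBytes != null) {
            // list length field + key length field + key bytes
            this.messageLength = 2 * LENGTH_FIELD_BYTES + this.rawPublicKeyBytes.length;
        } else if (this.encodedChain == null) {
            List<byte[]> encoded = new ArrayList<byte[]>(this.certificateChain.length);
            int length = LENGTH_FIELD_BYTES;
            try {
                for (Certificate certificate : this.certificateChain) {
                    byte[] der = certificate.getEncoded();
                    encoded.add(der);
                    length += der.length + LENGTH_FIELD_BYTES;
                }
            } catch (CertificateEncodingException e) {
                LOGGER.log(Level.SEVERE, "Could not encode the certificate.", e);
                // A chain with a hole in it is useless to the peer; fall back to an empty list.
                encoded = new ArrayList<byte[]>(0);
                length = LENGTH_FIELD_BYTES;
            }
            this.encodedChain = encoded;
            this.messageLength = length;
        }
        return this.messageLength;
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append(super.toString());
        if (this.rawPublicKeyBytes == null) {
            sb.append("\t\tCertificates Length: ").append(getMessageLength() - LENGTH_FIELD_BYTES).append("\n");
            int index = 0;
            for (Certificate certificate : this.certificateChain) {
                // encodedChain is shorter than the chain when encoding failed.
                if (index < this.encodedChain.size()) {
                    sb.append("\t\t\tCertificate Length: ").append(this.encodedChain.get(index).length).append("\n");
                }
                sb.append("\t\t\tCertificate: ").append(certificate).append("\n");
                index++;
            }
        } else {
            sb.append("\t\tRaw Public Key: ");
            // getPublicKey() returns null for a key that cannot be decoded; append() prints "null".
            sb.append(getPublicKey());
            sb.append("\n");
        }
        return sb.toString();
    }

    /**
     * Returns the certificate chain of this message.
     *
     * @return the internal array (not a copy), or {@code null} for a raw public key message
     */
    public Certificate[] getCertificateChain() {
        return this.certificateChain;
    }

    /**
     * Verifies the certificate chain of this message against a set of trusted certificates.
     *
     * <p>The first certificate of the chain must be an X.509 certificate within its validity
     * period, and {@link #validateKeyChain} must be able to connect it to a self-signed
     * certificate from {@code certificateArr}. A self-signed peer certificate gets no special
     * treatment: it is accepted only if the trusted set vouches for it, because anyone can create
     * a self-signed certificate. A raw public key message is not verified here at all.
     *
     * @param certificateArr the trusted certificates; {@code null} is treated as empty
     * @throws HandshakeException with alert {@code CERTIFICATE_EXPIRED} if the peer's certificate
     *         is outside its validity period, or with {@code BAD_CERTIFICATE} if the chain is
     *         empty, not X.509, or cannot be connected to a trusted certificate
     */
    public void verifyCertificate(Certificate[] certificateArr) throws HandshakeException {
        if (this.rawPublicKeyBytes != null) {
            return;
        }
        // A peer may send an empty list; reject it with an alert instead of an index error.
        if (this.certificateChain == null || this.certificateChain.length == 0
                || !(this.certificateChain[0] instanceof X509Certificate)) {
            throw new HandshakeException("Certificate could not be verified.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
        X509Certificate peerCertificate = (X509Certificate) this.certificateChain[0];

        // Only the validity check maps to CERTIFICATE_EXPIRED; keeping it in its own try block
        // prevents the BAD_CERTIFICATE alert below from being caught and reported as "expired".
        try {
            peerCertificate.checkValidity();
        } catch (CertificateException e) {
            LOGGER.log(Level.FINE, "Peer certificate is outside its validity period.", e);
            throw new HandshakeException("Certificate not valid.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.CERTIFICATE_EXPIRED));
        }

        if (isSelfSigned(peerCertificate)) {
            LOGGER.info("Peer used self-signed certificate.");
        }

        boolean verified = false;
        try {
            verified = validateKeyChain(peerCertificate, this.certificateChain, certificateArr);
        } catch (Exception e) {
            LOGGER.log(Level.WARNING, "Unexpected error while validating the peer's certificate chain.", e);
        }
        if (!verified) {
            throw new HandshakeException("Certificate could not be verified.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
    }

    /**
     * Checks whether a certificate can be connected to a self-signed trusted certificate.
     *
     * <p>Issuers are looked up by subject name, first in the peer's chain and then in the trusted
     * set, and each link is confirmed by verifying the signature. The walk follows the first
     * candidate whose signature check succeeds and is bounded by the number of certificates
     * available, so issuer relationships that form a cycle end in {@code false} rather than in
     * unbounded recursion.
     *
     * @param x509Certificate the certificate to validate
     * @param certificateArr the peer's chain; {@code null} is treated as empty
     * @param certificateArr2 the trusted certificates; {@code null} is treated as empty
     * @return {@code true} if the walk ends at a self-signed certificate from the trusted set
     */
    public boolean validateKeyChain(X509Certificate x509Certificate, Certificate[] certificateArr, Certificate[] certificateArr2) {
        Certificate[] chain = certificateArr != null ? certificateArr : new Certificate[0];
        Certificate[] trusted = certificateArr2 != null ? certificateArr2 : new Certificate[0];
        // A path without repetition can never be longer than the number of known certificates.
        return validateKeyChain(x509Certificate, chain, trusted, chain.length + trusted.length);
    }

    /** Performs the issuer walk of the public overload with a limit on the remaining hops. */
    private boolean validateKeyChain(X509Certificate subject, Certificate[] chain, Certificate[] trusted, int remainingHops) {
        if (remainingHops < 0) {
            LOGGER.warning("Certificate chain validation stopped: issuer walk exceeded the number of available certificates.");
            return false;
        }
        for (Certificate candidate : chain) {
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate issuer = (X509Certificate) candidate;
            if (subject.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                try {
                    subject.verify(issuer.getPublicKey());
                    if (!isSelfSigned(issuer) && !subject.equals(issuer)) {
                        // An issuer supplied by the peer must itself be a valid CA certificate;
                        // otherwise the holder of any end-entity certificate could act as issuer.
                        if (!isValidCa(issuer)) {
                            continue;
                        }
                        return validateKeyChain(issuer, chain, trusted, remainingHops - 1);
                    }
                } catch (Exception e) {
                    // The name matched but the signature did not: try the next candidate.
                    LOGGER.log(Level.FINE, "Issuer candidate from the peer's chain rejected.", e);
                }
            }
        }
        for (Certificate candidate : trusted) {
            if (!(candidate instanceof X509Certificate)) {
                continue;
            }
            X509Certificate anchor = (X509Certificate) candidate;
            if (subject.getIssuerX500Principal().equals(anchor.getSubjectX500Principal())) {
                try {
                    subject.verify(anchor.getPublicKey());
                    if (isSelfSigned(anchor)) {
                        return true;
                    }
                    if (!subject.equals(anchor) && isValidCa(anchor)) {
                        return validateKeyChain(anchor, chain, trusted, remainingHops - 1);
                    }
                } catch (Exception e) {
                    // The name matched but the signature did not: try the next candidate.
                    LOGGER.log(Level.FINE, "Issuer candidate from the trusted set rejected.", e);
                }
            }
        }
        return false;
    }

    /** Returns whether the certificate's signature verifies under its own public key. */
    private boolean isSelfSigned(X509Certificate x509Certificate) {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /** Returns whether the certificate is marked as a CA and is within its validity period. */
    private static boolean isValidCa(X509Certificate certificate) {
        // getBasicConstraints() is -1 for a certificate that is not a CA.
        if (certificate.getBasicConstraints() < 0) {
            return false;
        }
        try {
            certificate.checkValidity();
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /**
     * Serializes the message body: the payload length followed by the length-prefixed
     * certificates, or by the length-prefixed raw public key.
     *
     * @return the encoded message body
     */
    @Override
    public byte[] fragmentToByteArray() {
        DatagramWriter datagramWriter = new DatagramWriter();
        // getMessageLength() also fills encodedChain, so it has to run before the loop below.
        datagramWriter.write(getMessageLength() - LENGTH_FIELD_BYTES, CERTIFICATE_LIST_LENGTH);
        if (this.rawPublicKeyBytes == null) {
            for (byte[] encoded : this.encodedChain) {
                datagramWriter.write(encoded.length, CERTIFICATE_LENGTH_BITS);
                datagramWriter.writeBytes(encoded);
            }
        } else {
            datagramWriter.write(this.rawPublicKeyBytes.length, CERTIFICATE_LENGTH_BITS);
            datagramWriter.writeBytes(this.rawPublicKeyBytes);
        }
        return datagramWriter.toByteArray();
    }

    /**
     * Parses a message body received from the peer.
     *
     * <p>All length fields come from the peer, so each one is checked against the size of
     * {@code bArr} before it is used to read data. NOTE(review): how {@code DatagramReader}
     * behaves when asked for more bytes than it holds is not visible here; the checks make sure
     * it is never asked. A certificate list that is inconsistent or contains an entry that cannot
     * be parsed is discarded as a whole and yields a message with an empty chain, which
     * {@link #verifyCertificate(Certificate[])} rejects. Dropping only the broken entry would
     * shift the peer's identity to the next certificate in the list.
     *
     * @param bArr the message body, starting with the 24-bit payload length
     * @param z {@code true} if the body carries a raw public key, {@code false} for a chain
     * @return the parsed message
     */
    public static HandshakeMessage fromByteArray(byte[] bArr, boolean z) {
        DatagramReader datagramReader = new DatagramReader(bArr);
        int listLength = datagramReader.read(CERTIFICATE_LIST_LENGTH);
        int available = bArr.length - LENGTH_FIELD_BYTES;

        if (z) {
            int keyLength = datagramReader.read(CERTIFICATE_LENGTH_BITS);
            if (keyLength < 0 || keyLength > available - LENGTH_FIELD_BYTES) {
                LOGGER.warning("Raw public key length exceeds the received message; key discarded.");
                // An empty key cannot be decoded, so getPublicKey() will report it and return null.
                return new CertificateMessage(new byte[0]);
            }
            return new CertificateMessage(datagramReader.readBytes(keyLength));
        }

        List<Certificate> certificates = new ArrayList<Certificate>();
        boolean malformed = listLength < 0 || listLength > available;
        int remaining = listLength;
        CertificateFactory certificateFactory = null;
        while (!malformed && remaining > 0) {
            if (remaining < LENGTH_FIELD_BYTES) {
                malformed = true;
                break;
            }
            int certificateLength = datagramReader.read(CERTIFICATE_LENGTH_BITS);
            remaining -= LENGTH_FIELD_BYTES;
            if (certificateLength < 0 || certificateLength > remaining) {
                malformed = true;
                break;
            }
            byte[] encoded = datagramReader.readBytes(certificateLength);
            remaining -= certificateLength;
            try {
                if (certificateFactory == null) {
                    certificateFactory = CertificateFactory.getInstance("X.509");
                }
                certificates.add(certificateFactory.generateCertificate(new ByteArrayInputStream(encoded)));
            } catch (CertificateException e) {
                LOGGER.log(Level.SEVERE, "Could not generate the certificate.", e);
                malformed = true;
            }
        }
        if (malformed) {
            LOGGER.warning("Malformed certificate list received; the whole list is discarded.");
            certificates.clear();
        }
        return new CertificateMessage(certificates.toArray(new X509Certificate[certificates.size()]));
    }

    /**
     * Returns the sender's public key: the key of the first certificate in the chain, or the
     * decoded raw public key.
     *
     * @return the public key, or {@code null} if the chain is empty or the raw key cannot be
     *         decoded as an EC key
     */
    public PublicKey getPublicKey() {
        PublicKey publicKey = null;
        if (this.rawPublicKeyBytes == null) {
            if (this.certificateChain == null || this.certificateChain.length == 0) {
                LOGGER.log(Level.SEVERE, "Certificate message carries no certificate to take a public key from.");
            } else {
                publicKey = this.certificateChain[0].getPublicKey();
            }
        } else {
            try {
                publicKey = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(this.rawPublicKeyBytes));
            } catch (Exception e) {
                LOGGER.log(Level.SEVERE, "Could not reconstruct the server's public key.", e);
            }
        }
        return publicKey;
    }
}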
