package org.eclipse.californium.scandium.dtls.x509;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.eclipse.californium.elements.util.Asn1DerDecoder;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.scandium.dtls.SignatureAndHashAlgorithm;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.util.ListUtils;

/* loaded from: classes17.dex */
public class CertificateConfigurationHelper {
    private boolean clientUsage;
    private boolean serverUsage;
    private final List<PublicKey> keys = new ArrayList();
    private final List<List<X509Certificate>> chains = new ArrayList();
    private final List<X509Certificate> trusts = new ArrayList();
    private final List<String> supportedKeyAlgorithms = new ArrayList();
    private final List<SignatureAndHashAlgorithm> defaultSignatureAndHashAlgorithms = new ArrayList();
    private final List<XECDHECryptography.SupportedGroup> defaultSupportedGroups = new ArrayList();

    public void addConfigurationDefaultsFor(PublicKey publicKey) {
        String algorithm = publicKey.getAlgorithm();
        if (!Asn1DerDecoder.isSupported(algorithm)) {
            StringBuilder sb = new StringBuilder("Public key algorithm ");
            sb.append(algorithm);
            sb.append(" is not supported!");
            throw new IllegalArgumentException(sb.toString());
        }
        XECDHECryptography.SupportedGroup fromPublicKey = XECDHECryptography.SupportedGroup.fromPublicKey(publicKey);
        if (fromPublicKey == null) {
            throw new IllegalArgumentException("Public key's ec-group must be supported!");
        }
        ListUtils.addIfAbsent(this.supportedKeyAlgorithms, Asn1DerDecoder.EC);
        ListUtils.addIfAbsent(this.defaultSupportedGroups, fromPublicKey);
        SignatureAndHashAlgorithm.ensureSignatureAlgorithm(this.defaultSignatureAndHashAlgorithms, publicKey);
        ListUtils.addIfAbsent(this.keys, publicKey);
    }

    public void addConfigurationDefaultsFor(List<X509Certificate> list) {
        if (list.isEmpty()) {
            return;
        }
        X509Certificate x509Certificate = list.get(0);
        addConfigurationDefaultsFor(x509Certificate.getPublicKey());
        if (CertPathUtil.canBeUsedForAuthentication(x509Certificate, false)) {
            this.serverUsage = true;
        }
        if (CertPathUtil.canBeUsedForAuthentication(x509Certificate, true)) {
            this.clientUsage = true;
        }
        ListUtils.addIfAbsent((List) this.defaultSignatureAndHashAlgorithms, (List) SignatureAndHashAlgorithm.getSignatureAlgorithms(list));
        for (int i = 1; i < list.size(); i++) {
            PublicKey publicKey = list.get(i).getPublicKey();
            if (Asn1DerDecoder.isSupported(publicKey.getAlgorithm())) {
                XECDHECryptography.SupportedGroup fromPublicKey = XECDHECryptography.SupportedGroup.fromPublicKey(publicKey);
                if (fromPublicKey == null) {
                    throw new IllegalArgumentException("CA's public key ec-group must be supported!");
                }
                ListUtils.addIfAbsent(this.defaultSupportedGroups, fromPublicKey);
            }
        }
        this.chains.add(list);
    }

    public void addConfigurationDefaultsForTrusts(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr != null) {
            for (X509Certificate x509Certificate : x509CertificateArr) {
                PublicKey publicKey = x509Certificate.getPublicKey();
                SignatureAndHashAlgorithm.ensureSignatureAlgorithm(this.defaultSignatureAndHashAlgorithms, publicKey);
                if (Asn1DerDecoder.isSupported(publicKey.getAlgorithm())) {
                    XECDHECryptography.SupportedGroup fromPublicKey = XECDHECryptography.SupportedGroup.fromPublicKey(publicKey);
                    if (fromPublicKey == null) {
                        throw new IllegalArgumentException("CA's public key ec-group must be supported!");
                    }
                    ListUtils.addIfAbsent(this.defaultSupportedGroups, fromPublicKey);
                }
                this.trusts.add(x509Certificate);
            }
        }
    }

    public boolean canBeUsedForAuthentication(boolean z) {
        if (this.chains.isEmpty()) {
            return true;
        }
        return z ? this.clientUsage : this.serverUsage;
    }

    public List<SignatureAndHashAlgorithm> getDefaultSignatureAndHashAlgorithms() {
        return this.defaultSignatureAndHashAlgorithms;
    }

    public List<XECDHECryptography.SupportedGroup> getDefaultSupportedGroups() {
        return this.defaultSupportedGroups;
    }

    public List<String> getSupportedKeyAlgorithms() {
        return this.supportedKeyAlgorithms;
    }

    public void verifySignatureAndHashAlgorithmsConfiguration(List<SignatureAndHashAlgorithm> list) {
        Iterator<PublicKey> it = this.keys.iterator();
        while (it.hasNext()) {
            if (SignatureAndHashAlgorithm.getSupportedSignatureAlgorithm(list, it.next()) == null) {
                throw new IllegalStateException("supported signature and hash algorithms doesn't match the public key!");
            }
        }
        Iterator<List<X509Certificate>> it2 = this.chains.iterator();
        while (it2.hasNext()) {
            if (!SignatureAndHashAlgorithm.isSignedWithSupportedAlgorithms(list, it2.next())) {
                throw new IllegalStateException("supported signature and hash algorithms doesn't match the certificate chain!");
            }
        }
        Iterator<X509Certificate> it3 = this.trusts.iterator();
        while (it3.hasNext()) {
            PublicKey publicKey = it3.next().getPublicKey();
            if (SignatureAndHashAlgorithm.getSupportedSignatureAlgorithm(list, publicKey) == null) {
                StringBuilder sb = new StringBuilder("supported signature and hash algorithms doesn't match the trust's public key ");
                sb.append(publicKey.getAlgorithm());
                sb.append("!");
                throw new IllegalStateException(sb.toString());
            }
        }
    }

    public void verifySupportedGroupsConfiguration(List<XECDHECryptography.SupportedGroup> list) {
        for (XECDHECryptography.SupportedGroup supportedGroup : this.defaultSupportedGroups) {
            if (!supportedGroup.isUsable()) {
                StringBuilder sb = new StringBuilder("public key used with unsupported group (curve) ");
                sb.append(supportedGroup.name());
                sb.append("!");
                throw new IllegalStateException(sb.toString());
            }
            if (!list.contains(supportedGroup)) {
                StringBuilder sb2 = new StringBuilder("public key used with not configured group (curve) ");
                sb2.append(supportedGroup.name());
                sb2.append("!");
                throw new IllegalStateException(sb2.toString());
            }
        }
    }
}
