package org.eclipse.californium.scandium.dtls.x509;

import java.security.Principal;
import java.security.PublicKey;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.elements.util.Asn1DerDecoder;
import org.eclipse.californium.scandium.dtls.CertificateIdentityResult;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.dtls.SignatureAndHashAlgorithm;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.util.ListUtils;
import org.eclipse.californium.scandium.util.ServerName;
import org.eclipse.californium.scandium.util.ServerNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes17.dex */
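/**
 * Certificate provider that picks one of the local credentials held by a
 * {@link X509ExtendedKeyManager} for a DTLS handshake.
 *
 * <p>Candidate aliases are looked up by key type (EC, and EdDSA when the peer
 * advertises an Ed25519/Ed448 signature algorithm) and then narrowed by the
 * requested server name, the peer's signature and hash algorithms and the
 * peer's supported curves.
 *
 * <p>The name comparison in this class only chooses which local certificate
 * to present. It is not a hostname verification of a peer certificate and
 * should not be reused as one.
 */
public class KeyManagerCertificateProvider implements CertificateProvider, ConfigurationHelperSetup {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeyManagerCertificateProvider.class);
    private static final String[] KEY_TYPE_EC = {Asn1DerDecoder.EC};
    private static final String[] KEY_TYPE_EC_EDDSA = {Asn1DerDecoder.EC, Asn1DerDecoder.EDDSA};

    /** GeneralName tag of a dNSName subject alternative name (RFC 5280). */
    private static final int SAN_DNS_NAME = 2;
    /** GeneralName tag of an iPAddress subject alternative name (RFC 5280). */
    private static final int SAN_IP_ADDRESS = 7;

    private final String defaultAlias;
    private final X509ExtendedKeyManager keyManager;
    private final List<CertificateType> supportedCertificateTypes;

    /**
     * Creates a provider with an optional default alias.
     *
     * @param str default alias, preferred when several credentials remain
     *        after filtering; may be {@code null}
     * @param x509ExtendedKeyManager key manager holding the credentials
     * @param list supported certificate types; {@code null} selects X.509 only
     * @throws NullPointerException if the key manager is {@code null}
     * @throws IllegalArgumentException if the list is empty or contains a
     *         type that is not supported
     */
    public KeyManagerCertificateProvider(String str, X509ExtendedKeyManager x509ExtendedKeyManager, List<CertificateType> list) {
        if (x509ExtendedKeyManager == null) {
            throw new NullPointerException("KeyManager must not be null!");
        }
        List<CertificateType> types;
        if (list == null) {
            types = new ArrayList<>(1);
            types.add(CertificateType.X_509);
        } else {
            if (list.isEmpty()) {
                throw new IllegalArgumentException("Certificate types must not be empty!");
            }
            for (CertificateType type : list) {
                if (!type.isSupported()) {
                    throw new IllegalArgumentException("Certificate type " + type + " is not supported!");
                }
            }
            // Copy, so that later changes to the caller's list (or to a varargs
            // array wrapped by Arrays.asList) cannot alter the validated types.
            types = new ArrayList<>(list);
        }
        this.defaultAlias = str;
        this.keyManager = x509ExtendedKeyManager;
        this.supportedCertificateTypes = Collections.unmodifiableList(types);
    }

    /**
     * Creates a provider with an optional default alias.
     *
     * @param str default alias; may be {@code null}
     * @param x509ExtendedKeyManager key manager holding the credentials
     * @param certificateTypeArr supported certificate types; none selects X.509 only
     */
    public KeyManagerCertificateProvider(String str, X509ExtendedKeyManager x509ExtendedKeyManager, CertificateType... certificateTypeArr) {
        this(str, x509ExtendedKeyManager, asList(certificateTypeArr));
    }

    /**
     * Creates a provider without a default alias.
     *
     * @param x509ExtendedKeyManager key manager holding the credentials
     * @param list supported certificate types; {@code null} selects X.509 only
     */
    public KeyManagerCertificateProvider(X509ExtendedKeyManager x509ExtendedKeyManager, List<CertificateType> list) {
        this((String) null, x509ExtendedKeyManager, list);
    }

    /**
     * Creates a provider without a default alias.
     *
     * @param x509ExtendedKeyManager key manager holding the credentials
     * @param certificateTypeArr supported certificate types; none selects X.509 only
     */
    public KeyManagerCertificateProvider(X509ExtendedKeyManager x509ExtendedKeyManager, CertificateType... certificateTypeArr) {
        this((String) null, x509ExtendedKeyManager, asList(certificateTypeArr));
    }

    /** Wraps the varargs array; {@code null} or empty maps to {@code null} (the X.509 default). */
    private static List<CertificateType> asList(CertificateType[] certificateTypeArr) {
        if (certificateTypeArr == null || certificateTypeArr.length == 0) {
            return null;
        }
        return Arrays.asList(certificateTypeArr);
    }

    /**
     * Collects the client or server aliases of the key manager for the given key types.
     *
     * @param client {@code true} for client aliases, {@code false} for server aliases
     * @param keyTypes key types to query
     * @param issuers accepted issuers, or {@code null} for any
     * @return aliases without duplicates, in the order they were found
     */
    private List<String> getAliases(boolean client, String[] keyTypes, Principal[] issuers) {
        List<String> aliases = new ArrayList<>();
        for (String keyType : keyTypes) {
            String[] found = client
                    ? this.keyManager.getClientAliases(keyType, issuers)
                    : this.keyManager.getServerAliases(keyType, issuers);
            if (found != null) {
                LOGGER.debug("found {} {} keys", found.length, keyType);
                ListUtils.addIfAbsent(aliases, Arrays.asList(found));
            }
        }
        return aliases;
    }

    /**
     * Reads the certificate chain of an alias.
     *
     * @return the chain, or {@code null} if the key manager has no (or an
     *         empty) chain for the alias
     */
    private List<X509Certificate> getUsableChain(String alias) {
        X509Certificate[] chain = this.keyManager.getCertificateChain(alias);
        // X509KeyManager.getCertificateChain returns null for an unknown alias.
        if (chain == null || chain.length == 0) {
            LOGGER.debug("no certificate chain for alias {}", alias);
            return null;
        }
        return Arrays.asList(chain);
    }

    /**
     * Checks that every certificate of the chain whose key algorithm is
     * supported by {@link Asn1DerDecoder} uses one of the given curves.
     */
    private boolean matchCurves(List<XECDHECryptography.SupportedGroup> curves, List<X509Certificate> chain) {
        for (X509Certificate certificate : chain) {
            PublicKey publicKey = certificate.getPublicKey();
            if (Asn1DerDecoder.isSupported(publicKey.getAlgorithm())) {
                XECDHECryptography.SupportedGroup group = XECDHECryptography.SupportedGroup.fromPublicKey(publicKey);
                if (group == null || !curves.contains(group)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks whether a local certificate names the requested host.
     *
     * <p>dNSName and iPAddress subject alternative names are compared with the
     * host name, ignoring case. The comparison is exact, so a wildcard entry
     * never matches. If no alternative name matches, the subject DN is
     * checked for a trailing {@code CN=<name>}.
     */
    private boolean matchServerNames(ServerNames serverNames, X509Certificate certificate) {
        ServerName hostName = serverNames.getServerName(ServerName.NameType.HOST_NAME);
        if (hostName == null) {
            // No HOST_NAME entry to compare with.
            return false;
        }
        String name = hostName.getNameAsString();
        try {
            Collection<List<?>> alternativeNames = certificate.getSubjectAlternativeNames();
            if (alternativeNames != null) {
                for (List<?> entry : alternativeNames) {
                    if (entry == null || entry.size() < 2 || !(entry.get(0) instanceof Integer)) {
                        continue;
                    }
                    int type = (Integer) entry.get(0);
                    if (type != SAN_DNS_NAME && type != SAN_IP_ADDRESS) {
                        // Other name types may carry a byte[] value. Casting them to
                        // String used to throw and end the scan before later
                        // dNSName/iPAddress entries were compared.
                        continue;
                    }
                    Object value = entry.get(1);
                    if (value instanceof String && name.equalsIgnoreCase((String) value)) {
                        return true;
                    }
                }
            }
        } catch (CertificateParsingException e) {
            // Unreadable extension: fall through to the subject CN comparison.
            LOGGER.debug("cannot read subject alternative names", e);
        }
        // NOTE(review): endsWith() is a plain suffix match on the RFC 2253 DN string.
        // It does not require the CN to start at an RDN boundary and only matches
        // when the CN is the last RDN of that string - confirm this is intended.
        return !name.contains("CN=") && certificate.getSubjectX500Principal().getName().endsWith("CN=" + name);
    }

    /**
     * Checks that the leaf key can be used with one of the given algorithms
     * and that the chain is signed with supported algorithms.
     *
     * @param algorithms signature and hash algorithms of the peer
     * @param chain non-empty certificate chain
     */
    private boolean matchSignatureAndHashAlgorithms(List<SignatureAndHashAlgorithm> algorithms, List<X509Certificate> chain) {
        return SignatureAndHashAlgorithm.getSupportedSignatureAlgorithm(algorithms, chain.get(0).getPublicKey()) != null
                && SignatureAndHashAlgorithm.isSignedWithSupportedAlgorithms(algorithms, chain);
    }

    /**
     * Selects the aliases matching the first algorithm, in the order of the
     * given list, that supports the leaf key of at least one alias.
     *
     * @return the selected aliases; empty if no algorithm supports any alias
     */
    private List<String> selectPriorized(List<String> aliases, List<SignatureAndHashAlgorithm> algorithms) {
        List<String> selected = new ArrayList<>();
        for (SignatureAndHashAlgorithm algorithm : algorithms) {
            for (String alias : aliases) {
                LOGGER.debug("select sign {} - {}", alias, algorithm.getJcaName());
                List<X509Certificate> chain = getUsableChain(alias);
                if (chain != null && algorithm.isSupported(chain.get(0).getPublicKey())) {
                    selected.add(alias);
                }
            }
            if (!selected.isEmpty()) {
                break;
            }
        }
        return selected;
    }

    /**
     * Returns the certificate types this provider was configured with.
     *
     * @return unmodifiable list of supported certificate types
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.CertificateProvider
    public List<CertificateType> getSupportedCertificateTypes() {
        return this.supportedCertificateTypes;
    }

    /**
     * Selects the credential to present in a handshake.
     *
     * <p>The server name acts as a preference: it narrows the candidates only
     * if at least one certificate matches it. Signature and hash algorithms
     * and curves are requirements whenever they are provided.
     *
     * @param connectionId connection id passed on to the result
     * @param z {@code true} to select a client credential, {@code false} for a server credential
     * @param list accepted issuers, or {@code null} for any
     * @param serverNames requested server names, or {@code null}
     * @param list2 signature and hash algorithms of the peer, or {@code null}
     * @param list3 supported curves of the peer, or {@code null}
     * @return result with private key, certificate chain and alias, or a
     *         result without credentials if none matches
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.CertificateProvider
    public CertificateIdentityResult requestCertificateIdentity(ConnectionId connectionId, boolean z, List<X500Principal> list, ServerNames serverNames, List<SignatureAndHashAlgorithm> list2, List<XECDHECryptography.SupportedGroup> list3) {
        Principal[] issuers = list == null ? null : list.toArray(new Principal[0]);
        // list2 is treated as optional further down, so it must not be dereferenced
        // unguarded here. EdDSA keys are only considered when the peer advertises them.
        boolean edDsa = list2 != null
                && (list2.contains(SignatureAndHashAlgorithm.INTRINSIC_WITH_ED25519)
                        || list2.contains(SignatureAndHashAlgorithm.INTRINSIC_WITH_ED448));
        List<String> aliases = getAliases(z, edDsa ? KEY_TYPE_EC_EDDSA : KEY_TYPE_EC, issuers);
        if (aliases.isEmpty()) {
            LOGGER.debug("no matching credentials");
            return new CertificateIdentityResult(connectionId, null);
        }

        List<String> usable = new ArrayList<>();
        List<String> byServerName = new ArrayList<>();
        List<String> bySignature = new ArrayList<>();
        List<String> byCurves = new ArrayList<>();
        for (String alias : aliases) {
            LOGGER.debug("try {} of {}", alias, aliases.size());
            List<X509Certificate> chain = getUsableChain(alias);
            if (chain == null) {
                continue;
            }
            usable.add(alias);
            if (serverNames != null && matchServerNames(serverNames, chain.get(0))) {
                byServerName.add(alias);
            }
            if (list2 != null && matchSignatureAndHashAlgorithms(list2, chain)) {
                bySignature.add(alias);
            }
            if (list3 != null && matchCurves(list3, chain)) {
                byCurves.add(alias);
            }
        }
        // Drop aliases without a certificate chain, they cannot be presented.
        aliases.retainAll(usable);
        if (!byServerName.isEmpty()) {
            LOGGER.debug("{} selected by {}", byServerName.size(), serverNames);
            aliases.retainAll(byServerName);
        }
        if (list2 != null) {
            LOGGER.debug("{} selected by signature and hash algorithms", bySignature.size());
            aliases.retainAll(bySignature);
        }
        if (list3 != null) {
            LOGGER.debug("{} selected by curves", byCurves.size());
            aliases.retainAll(byCurves);
        }
        if (aliases.isEmpty()) {
            return new CertificateIdentityResult(connectionId, null);
        }

        if (aliases.size() > 1 && list2 != null && list2.size() > 1) {
            List<String> prioritized = selectPriorized(aliases, list2);
            // Keep the filtered candidates if the prioritization yields nothing.
            if (!prioritized.isEmpty()) {
                aliases = prioritized;
            }
        }
        String alias = aliases.get(0);
        if (aliases.size() > 1 && this.defaultAlias != null && aliases.contains(this.defaultAlias)) {
            alias = this.defaultAlias;
        }

        List<X509Certificate> chain = getUsableChain(alias);
        // X509KeyManager.getPrivateKey returns null for an unknown alias.
        java.security.PrivateKey privateKey = this.keyManager.getPrivateKey(alias);
        if (chain == null || privateKey == null) {
            LOGGER.debug("credentials for alias {} are not available", alias);
            return new CertificateIdentityResult(connectionId, null);
        }
        return new CertificateIdentityResult(connectionId, privateKey, chain, alias);
    }

    /**
     * Ignores the handler; {@link #requestCertificateIdentity} returns its
     * result directly.
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.CertificateProvider
    public void setResultHandler(HandshakeResultHandler handshakeResultHandler) {
    }

    /**
     * Adds configuration defaults for the certificate chains of all server
     * aliases, followed by those of all client aliases.
     *
     * @param certificateConfigurationHelper helper to add the defaults to
     */
    @Override // org.eclipse.californium.scandium.dtls.x509.ConfigurationHelperSetup
    public void setupConfigurationHelper(CertificateConfigurationHelper certificateConfigurationHelper) {
        for (boolean client : new boolean[] {false, true}) {
            for (String alias : getAliases(client, KEY_TYPE_EC_EDDSA, null)) {
                List<X509Certificate> chain = getUsableChain(alias);
                if (chain != null) {
                    certificateConfigurationHelper.addConfigurationDefaultsFor(chain);
                }
            }
        }
    }
}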
