package tigase.extras.bcstarttls;

import java.io.IOException;
import java.util.Collection;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Vector;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.crypto.params.ECKeyParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.tls.Certificate;
import org.bouncycastle.tls.CertificateRequest;
import org.bouncycastle.tls.DefaultTlsServer;
import org.bouncycastle.tls.KeyExchangeAlgorithm;
import org.bouncycastle.tls.SignatureAndHashAlgorithm;
import org.bouncycastle.tls.SignatureScheme;
import org.bouncycastle.tls.TlsCredentialedDecryptor;
import org.bouncycastle.tls.TlsCredentialedSigner;
import org.bouncycastle.tls.TlsCredentials;
import org.bouncycastle.tls.TlsExtensionsUtils;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.TlsUtils;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.TlsCryptoParameters;
import org.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedDecryptor;
import org.bouncycastle.tls.crypto.impl.bc.BcDefaultTlsCredentialedSigner;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCertificate;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;

/* loaded from: input_file:tigase/extras/bcstarttls/DefaultTls13Server.class */
public class DefaultTls13Server extends DefaultTlsServer {
    private static final Logger log = Logger.getLogger(DefaultTls13Server.class.getName());
    private final Collection<X500Name> acceptedIssuers;
    private final CredentialsProvider credentialsProvider;
    private final BcTlsCrypto crypto;
    private final HandshakeCompletedListener handshakeCompletedListener;
    private final boolean needClientAuth;
    private final boolean wantClientAuth;
    private List<X500Name> m_clientTrustedIssuers;
    private List<Integer> m_peerSigSchemes;
    private TlsCredentials m_selectedCredentials;
    private Certificate peerCertificate;

    private static boolean matchesIssuers(List<X500Name> list, X500Name x500Name) {
        Iterator<X500Name> it = list.iterator();
        while (it.hasNext()) {
            if (x500Name.equals(it.next())) {
                return true;
            }
        }
        return false;
    }

    public DefaultTls13Server(BcTlsCrypto bcTlsCrypto, boolean z, boolean z2, Collection<X500Name> collection, CredentialsProvider credentialsProvider, HandshakeCompletedListener handshakeCompletedListener) {
        super(bcTlsCrypto);
        this.m_clientTrustedIssuers = null;
        this.m_peerSigSchemes = null;
        this.m_selectedCredentials = null;
        this.crypto = bcTlsCrypto;
        this.handshakeCompletedListener = handshakeCompletedListener;
        this.credentialsProvider = credentialsProvider;
        this.needClientAuth = z;
        this.wantClientAuth = z2;
        this.acceptedIssuers = collection;
    }

    public CertificateRequest getCertificateRequest() throws IOException {
        if (!this.needClientAuth && !this.wantClientAuth) {
            return null;
        }
        short[] sArr = {1, 2, 64};
        Vector vector = null;
        if (TlsUtils.isSignatureAlgorithmsExtensionAllowed(this.context.getServerVersion())) {
            vector = TlsUtils.getDefaultSupportedSignatureAlgorithms(this.context);
        }
        Vector vector2 = new Vector();
        if (this.acceptedIssuers != null) {
            vector2.addAll(this.acceptedIssuers);
        }
        return new CertificateRequest(sArr, vector, vector2);
    }

    public TlsCredentials getCredentials() throws IOException {
        if (this.m_selectedCredentials != null) {
            return this.m_selectedCredentials;
        }
        throw new TlsFatalAlert((short) 80);
    }

    public Certificate getLocalCertificates() {
        return this.credentialsProvider.getCredentials(this.context).getCertificate();
    }

    public int getSelectedCipherSuite() throws IOException {
        this.m_peerSigSchemes = (List) this.context.getSecurityParameters().getClientSigAlgs().stream().map(SignatureScheme::from).collect(Collectors.toList());
        return super.getSelectedCipherSuite();
    }

    public void notifyClientCertificate(Certificate certificate) throws IOException {
        this.peerCertificate = certificate;
    }

    public void notifyHandshakeComplete() throws IOException {
        byte[] bArr;
        byte[] bArr2;
        super.notifyHandshakeComplete();
        try {
            bArr = this.context.exportChannelBinding(1);
        } catch (Exception e) {
            bArr = null;
        }
        try {
            bArr2 = this.context.exportChannelBinding(3);
        } catch (Exception e2) {
            bArr2 = null;
        }
        try {
            log.log(Level.SEVERE, "Handshake complete. tlsUnique=" + (bArr != null) + "; tlsExporter=" + (bArr2 != null) + "; peerCertificate=" + (this.peerCertificate != null));
            this.handshakeCompletedListener.onHandshakeComplete(this.peerCertificate, bArr, bArr2);
        } catch (Exception e3) {
            log.log(Level.WARNING, "Cannot handle handshakeCompleted handler", (Throwable) e3);
            throw new TlsFatalAlert((short) 80);
        }
    }

    public void processClientExtensions(Hashtable hashtable) throws IOException {
        super.processClientExtensions(hashtable);
        Vector certificateAuthoritiesExtension = TlsExtensionsUtils.getCertificateAuthoritiesExtension(hashtable);
        if (certificateAuthoritiesExtension == null) {
            return;
        }
        this.m_clientTrustedIssuers = certificateAuthoritiesExtension.stream().toList();
    }

    protected TlsCredentialedDecryptor getRSAEncryptionCredentials() {
        Credentials credentials = this.credentialsProvider.getCredentials(this.context);
        return new BcDefaultTlsCredentialedDecryptor(this.crypto, credentials.getCertificate(), credentials.getPrivateKey());
    }

    protected TlsCredentialedSigner getRSASignerCredentials() {
        TlsCryptoParameters tlsCryptoParameters = new TlsCryptoParameters(this.context);
        SignatureAndHashAlgorithm signatureAndHashAlgorithm = new SignatureAndHashAlgorithm((short) 2, (short) 1);
        Credentials credentials = this.credentialsProvider.getCredentials(this.context);
        return new BcDefaultTlsCredentialedSigner(tlsCryptoParameters, this.crypto, credentials.getPrivateKey(), credentials.getCertificate(), signatureAndHashAlgorithm);
    }

    protected boolean selectCipherSuite(int i) throws IOException {
        TlsCredentials tlsCredentials = null;
        int keyExchangeAlgorithm = TlsUtils.getKeyExchangeAlgorithm(i);
        if (!KeyExchangeAlgorithm.isAnonymous(keyExchangeAlgorithm)) {
            tlsCredentials = selectCredentials(keyExchangeAlgorithm);
            if (null == tlsCredentials) {
                return false;
            }
        }
        boolean selectCipherSuite = super.selectCipherSuite(i);
        if (selectCipherSuite) {
            this.m_selectedCredentials = tlsCredentials;
        }
        return selectCipherSuite;
    }

    private TlsCredentials createCredentialedSigner13(SignatureAndHashAlgorithm signatureAndHashAlgorithm) {
        if (this.crypto == null) {
            throw new RuntimeException("Crypto in not BcTlsCrypto");
        }
        log.finest(() -> {
            return "selected peer sig schema " + signatureAndHashAlgorithm;
        });
        Credentials credentials = this.credentialsProvider.getCredentials(this.context);
        return new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(this.context), this.crypto, credentials.getPrivateKey(), credentials.getCertificate(), signatureAndHashAlgorithm);
    }

    private boolean isSuitableCredentials(SignatureAndHashAlgorithm signatureAndHashAlgorithm) throws IOException {
        Credentials credentials = this.credentialsProvider.getCredentials(this.context);
        Certificate certificate = credentials.getCertificate();
        if (certificate.isEmpty()) {
            return false;
        }
        int from = SignatureScheme.from(signatureAndHashAlgorithm);
        if (((!SignatureScheme.isRSAPSS(from) || !(credentials.getPrivateKey() instanceof RSAKeyParameters)) && (!SignatureScheme.isECDSA(from) || !(credentials.getPrivateKey() instanceof ECKeyParameters))) || !certificate.getCertificateAt(0).supportsSignatureAlgorithm(SignatureScheme.getSignatureAlgorithm(from))) {
            return false;
        }
        if (this.m_clientTrustedIssuers == null || this.m_clientTrustedIssuers.isEmpty()) {
            return true;
        }
        TlsCertificate[] certificateList = certificate.getCertificateList();
        int length = certificateList.length;
        do {
            length--;
            if (length < 0) {
                BcTlsCertificate convert = BcTlsCertificate.convert(this.crypto, certificateList[0]);
                BasicConstraints basicConstraints = BasicConstraints.getInstance(convert);
                return basicConstraints != null && basicConstraints.getPathLenConstraint().longValue() > 0 && matchesIssuers(this.m_clientTrustedIssuers, convert.getCertificate().getSubject());
            }
        } while (!matchesIssuers(this.m_clientTrustedIssuers, BcTlsCertificate.convert(this.crypto, certificateList[length]).getCertificate().getIssuer()));
        return true;
    }

    private TlsCredentials selectCredentials(int i) throws IOException {
        switch (i) {
            case 0:
                return selectServerCredentials13();
            case 1:
                return getRSAEncryptionCredentials();
            case 2:
            case 4:
            case 6:
            case 7:
            case 8:
            case 9:
            case 10:
            case 11:
            case 12:
            case 13:
            case 14:
            case 15:
            case 16:
            case 18:
            default:
                return null;
            case 3:
                return getDSASignerCredentials();
            case 5:
            case 19:
                return getRSASignerCredentials();
            case 17:
                return getECDSASignerCredentials();
        }
    }

    private TlsCredentials selectServerCredentials13() throws IOException {
        if (log.isLoggable(Level.FINEST)) {
            log.finest(() -> {
                return "selecting peer sig schema from " + this.m_peerSigSchemes.stream().map((v0) -> {
                    return SignatureScheme.getSignatureAndHashAlgorithm(v0);
                }).toList();
            });
        }
        SignatureAndHashAlgorithm signatureAndHashAlgorithm = null;
        Iterator<Integer> it = this.m_peerSigSchemes.iterator();
        while (it.hasNext()) {
            SignatureAndHashAlgorithm signatureAndHashAlgorithm2 = SignatureScheme.getSignatureAndHashAlgorithm(it.next().intValue());
            if (signatureAndHashAlgorithm2 != null && isSuitableCredentials(signatureAndHashAlgorithm2)) {
                signatureAndHashAlgorithm = signatureAndHashAlgorithm2;
            }
        }
        if (signatureAndHashAlgorithm != null) {
            return createCredentialedSigner13(signatureAndHashAlgorithm);
        }
        return null;
    }
}
