package org.eclipse.californium.scandium.dtls;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.CertPath;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.eclipse.californium.scandium.auth.PreSharedKeyIdentity;
import org.eclipse.californium.scandium.auth.RawPublicKeyIdentity;
import org.eclipse.californium.scandium.auth.X509CertPath;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateRequest;
import org.eclipse.californium.scandium.dtls.CertificateTypeExtension;
import org.eclipse.californium.scandium.dtls.SupportedPointFormatsExtension;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.cipher.ECDHECryptography;
import org.eclipse.californium.scandium.dtls.pskstore.PskStore;
import org.eclipse.californium.scandium.util.ByteArrayUtils;
import org.eclipse.californium.scandium.util.ServerNames;

/* loaded from: input_file:org/eclipse/californium/scandium/dtls/ServerHandshaker.class */
public class ServerHandshaker extends Handshaker {
    private static final Logger LOGGER = Logger.getLogger(ServerHandshaker.class.getName());
    private DTLSFlight lastFlight;
    private boolean clientAuthenticationRequired;
    private PublicKey clientPublicKey;
    private CertPath peerCertPath;
    private List<CipherSuite> supportedCipherSuites;
    private List<CertificateTypeExtension.CertificateType> supportedClientCertificateTypes;
    private List<CertificateTypeExtension.CertificateType> supportedServerCertificateTypes;
    private CertificateTypeExtension.CertificateType negotiatedClientCertificateType;
    private CertificateTypeExtension.CertificateType negotiatedServerCertificateType;
    private ECDHECryptography.SupportedGroup negotiatedSupportedGroup;
    private SignatureAndHashAlgorithm signatureAndHashAlgorithm;
    private ServerNames indicatedServerNames;
    protected CertificateMessage clientCertificate;
    protected ClientKeyExchange clientKeyExchange;
    protected CertificateVerify certificateVerify;
    protected final PskStore pskStore;

    public ServerHandshaker(DTLSSession dTLSSession, RecordLayer recordLayer, SessionListener sessionListener, DtlsConnectorConfig dtlsConnectorConfig, int i) throws HandshakeException {
        this(0, dTLSSession, recordLayer, sessionListener, dtlsConnectorConfig, i);
    }

    public ServerHandshaker(int i, DTLSSession dTLSSession, RecordLayer recordLayer, SessionListener sessionListener, DtlsConnectorConfig dtlsConnectorConfig, int i2) {
        super(false, i, dTLSSession, recordLayer, sessionListener, dtlsConnectorConfig.getTrustStore(), i2);
        this.clientAuthenticationRequired = false;
        this.clientCertificate = null;
        this.certificateVerify = null;
        this.supportedCipherSuites = Arrays.asList(dtlsConnectorConfig.getSupportedCipherSuites());
        this.pskStore = dtlsConnectorConfig.getPskStore();
        this.privateKey = dtlsConnectorConfig.getPrivateKey();
        this.certificateChain = dtlsConnectorConfig.getCertificateChain();
        this.publicKey = dtlsConnectorConfig.getPublicKey();
        this.clientAuthenticationRequired = dtlsConnectorConfig.isClientAuthenticationRequired();
        this.supportedClientCertificateTypes = new ArrayList();
        this.supportedClientCertificateTypes.add(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY);
        if (this.rootCertificates != null && this.rootCertificates.length > 0) {
            this.supportedClientCertificateTypes.add(CertificateTypeExtension.CertificateType.X_509);
        }
        this.supportedServerCertificateTypes = new ArrayList();
        if (this.privateKey == null || this.publicKey == null) {
            return;
        }
        if (this.certificateChain == null || this.certificateChain.length == 0) {
            this.supportedServerCertificateTypes.add(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY);
        } else if (dtlsConnectorConfig.isSendRawKey()) {
            this.supportedServerCertificateTypes.add(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY);
            this.supportedServerCertificateTypes.add(CertificateTypeExtension.CertificateType.X_509);
        } else {
            this.supportedServerCertificateTypes.add(CertificateTypeExtension.CertificateType.X_509);
            this.supportedServerCertificateTypes.add(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY);
        }
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected synchronized void doProcessMessage(DTLSMessage dTLSMessage) throws HandshakeException, GeneralSecurityException {
        if (this.lastFlight != null) {
            LOGGER.log(Level.FINER, "Received client's ({0}) FINISHED message again, retransmitting last flight...", getPeerAddress());
            this.recordLayer.sendFlight(this.lastFlight);
            return;
        }
        if (LOGGER.isLoggable(Level.FINE)) {
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append(String.format("Processing %s message from peer [%s]", dTLSMessage.getContentType(), dTLSMessage.getPeer()));
            if (LOGGER.isLoggable(Level.FINEST)) {
                stringBuffer.append(":").append(System.lineSeparator()).append(dTLSMessage);
            }
            LOGGER.fine(stringBuffer.toString());
        }
        switch (dTLSMessage.getContentType()) {
            case CHANGE_CIPHER_SPEC:
                setCurrentReadState();
                LOGGER.log(Level.FINE, "Processed {1} message from peer [{0}]", new Object[]{dTLSMessage.getPeer(), dTLSMessage.getContentType()});
                return;
            case HANDSHAKE:
                HandshakeMessage handshakeMessage = (HandshakeMessage) dTLSMessage;
                switch (handshakeMessage.getMessageType()) {
                    case CLIENT_HELLO:
                        receivedClientHello((ClientHello) handshakeMessage);
                        break;
                    case CERTIFICATE:
                        receivedClientCertificate((CertificateMessage) handshakeMessage);
                        break;
                    case CLIENT_KEY_EXCHANGE:
                        switch (getKeyExchangeAlgorithm()) {
                            case PSK:
                                generateKeys(receivedClientKeyExchange((PSKClientKeyExchange) handshakeMessage));
                                break;
                            case EC_DIFFIE_HELLMAN:
                                generateKeys(receivedClientKeyExchange((ECDHClientKeyExchange) handshakeMessage));
                                break;
                            case NULL:
                                generateKeys(receivedClientKeyExchange((NULLClientKeyExchange) handshakeMessage));
                                break;
                            default:
                                throw new HandshakeException(String.format("Unsupported key exchange algorithm %s", getKeyExchangeAlgorithm().name()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, handshakeMessage.getPeer()));
                        }
                        this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, this.clientKeyExchange.getRawMessage());
                        if (!this.clientAuthenticationRequired || getKeyExchangeAlgorithm() != CipherSuite.KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN) {
                            expectChangeCipherSpecMessage();
                            break;
                        }
                        break;
                    case CERTIFICATE_VERIFY:
                        receivedCertificateVerify((CertificateVerify) handshakeMessage);
                        expectChangeCipherSpecMessage();
                        break;
                    case FINISHED:
                        receivedClientFinished((Finished) handshakeMessage);
                        break;
                    default:
                        throw new HandshakeException(String.format("Received unexpected %s message from peer %s", handshakeMessage.getMessageType(), handshakeMessage.getPeer()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNEXPECTED_MESSAGE, handshakeMessage.getPeer()));
                }
                incrementNextReceiveSeq();
                LOGGER.log(Level.FINE, "Processed {1} message with message sequence no [{2}] from peer [{0}]", new Object[]{dTLSMessage.getPeer(), handshakeMessage.getMessageType(), Integer.valueOf(handshakeMessage.getMessageSeq())});
                return;
            default:
                throw new HandshakeException(String.format("Received unexpected %s message from peer %s", dTLSMessage.getContentType(), dTLSMessage.getPeer()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, dTLSMessage.getPeer()));
        }
    }

    private void receivedClientCertificate(CertificateMessage certificateMessage) throws HandshakeException {
        if (this.clientCertificate == null || this.clientCertificate.getMessageSeq() != certificateMessage.getMessageSeq()) {
            this.clientCertificate = certificateMessage;
            this.clientCertificate.verifyCertificate(this.rootCertificates);
            this.clientPublicKey = this.clientCertificate.getPublicKey();
            this.peerCertPath = certificateMessage.getCertificateChain();
            this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, this.clientCertificate.getRawMessage());
        }
    }

    private void receivedCertificateVerify(CertificateVerify certificateVerify) throws HandshakeException {
        this.certificateVerify = certificateVerify;
        certificateVerify.verifySignature(this.clientPublicKey, this.handshakeMessages);
        if (this.peerCertPath != null) {
            this.session.setPeerIdentity(new X509CertPath(this.peerCertPath));
        } else {
            this.session.setPeerIdentity(new RawPublicKeyIdentity(this.clientPublicKey));
        }
    }

    private void receivedClientFinished(Finished finished) throws HandshakeException {
        if (this.lastFlight != null) {
            return;
        }
        if (CipherSuite.KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN.equals(getKeyExchangeAlgorithm()) && this.clientAuthenticationRequired && (this.clientCertificate == null || this.certificateVerify == null)) {
            throw new HandshakeException("Client did not send required authentication messages.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
        }
        DTLSFlight dTLSFlight = new DTLSFlight(getSession());
        if (this.clientCertificate != null) {
            this.md.update(this.clientCertificate.getRawMessage());
        }
        this.md.update(this.clientKeyExchange.getRawMessage());
        if (this.certificateVerify != null) {
            this.md.update(this.certificateVerify.getRawMessage());
        }
        MessageDigest messageDigest = null;
        try {
            messageDigest = (MessageDigest) this.md.clone();
            messageDigest.update(finished.toByteArray());
        } catch (CloneNotSupportedException e) {
            LOGGER.log(Level.SEVERE, "Cannot compute digest for server's Finish handshake message", (Throwable) e);
        }
        finished.verifyData(getMasterSecret(), true, this.md.digest());
        dTLSFlight.addMessage(wrapMessage(new ChangeCipherSpecMessage(this.session.getPeer())));
        setCurrentWriteState();
        dTLSFlight.addMessage(wrapMessage(new Finished(getMasterSecret(), this.isClient, messageDigest.digest(), this.session.getPeer())));
        this.state = HandshakeType.FINISHED.getCode();
        dTLSFlight.setRetransmissionNeeded(false);
        this.lastFlight = dTLSFlight;
        this.recordLayer.sendFlight(dTLSFlight);
        sessionEstablished();
    }

    private void receivedClientHello(ClientHello clientHello) throws HandshakeException {
        handshakeStarted();
        DTLSFlight dTLSFlight = new DTLSFlight(getSession());
        this.md.update(clientHello.getRawMessage());
        this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, clientHello.getRawMessage());
        createServerHello(clientHello, dTLSFlight);
        createCertificateMessage(clientHello, dTLSFlight);
        createServerKeyExchange(clientHello, dTLSFlight);
        createCertificateRequest(clientHello, dTLSFlight);
        ServerHelloDone serverHelloDone = new ServerHelloDone(this.session.getPeer());
        dTLSFlight.addMessage(wrapMessage(serverHelloDone));
        this.md.update(serverHelloDone.toByteArray());
        this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, serverHelloDone.toByteArray());
        this.recordLayer.sendFlight(dTLSFlight);
    }

    private void createServerHello(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        ProtocolVersion negotiateProtocolVersion = negotiateProtocolVersion(clientHello.getClientVersion());
        this.clientRandom = clientHello.getRandom();
        this.serverRandom = new Random();
        SessionId sessionId = new SessionId();
        this.session.setSessionIdentifier(sessionId);
        if (!clientHello.getCompressionMethods().contains(CompressionMethod.NULL)) {
            throw new HandshakeException("Client does not support NULL compression method", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, clientHello.getPeer()));
        }
        this.session.setCompressionMethod(CompressionMethod.NULL);
        HelloExtensions helloExtensions = new HelloExtensions();
        negotiateCipherSuite(clientHello, helloExtensions);
        MaxFragmentLengthExtension maxFragmentLengthExtension = clientHello.getMaxFragmentLengthExtension();
        if (maxFragmentLengthExtension != null) {
            this.session.setMaxFragmentLength(maxFragmentLengthExtension.getFragmentLength().length());
            helloExtensions.addExtension(maxFragmentLengthExtension);
            LOGGER.log(Level.FINE, "Negotiated max. fragment length [{0} bytes] with peer [{1}]", new Object[]{Integer.valueOf(maxFragmentLengthExtension.getFragmentLength().length()), clientHello.getPeer()});
        }
        ServerNameExtension serverNameExtension = clientHello.getServerNameExtension();
        if (serverNameExtension != null) {
            this.indicatedServerNames = serverNameExtension.getServerNames();
            helloExtensions.addExtension(ServerNameExtension.emptyServerNameIndication());
            LOGGER.log(Level.FINE, "Using server name indication received from peer [{1}]", clientHello.getPeer());
        }
        ServerHello serverHello = new ServerHello(negotiateProtocolVersion, this.serverRandom, sessionId, this.session.getCipherSuite(), this.session.getCompressionMethod(), helloExtensions, this.session.getPeer());
        dTLSFlight.addMessage(wrapMessage(serverHello));
        this.md.update(serverHello.toByteArray());
        this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, serverHello.toByteArray());
    }

    private void createCertificateMessage(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        if (this.session.getCipherSuite().requiresServerCertificateMessage()) {
            CertificateMessage certificateMessage = this.session.sendRawPublicKey() ? new CertificateMessage(this.publicKey.getEncoded(), this.session.getPeer()) : new CertificateMessage(this.certificateChain, this.session.getPeer());
            dTLSFlight.addMessage(wrapMessage(certificateMessage));
            this.md.update(certificateMessage.toByteArray());
            this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, certificateMessage.toByteArray());
        }
    }

    private void createServerKeyExchange(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        ECDHServerKeyExchange eCDHServerKeyExchange = null;
        switch (getKeyExchangeAlgorithm()) {
            case EC_DIFFIE_HELLMAN:
                this.signatureAndHashAlgorithm = new SignatureAndHashAlgorithm(CertificateRequest.HashAlgorithm.SHA256, CertificateRequest.SignatureAlgorithm.ECDSA);
                try {
                    this.ecdhe = new ECDHECryptography(this.negotiatedSupportedGroup.getEcParams());
                    eCDHServerKeyExchange = new ECDHServerKeyExchange(this.signatureAndHashAlgorithm, this.ecdhe, this.privateKey, this.clientRandom, this.serverRandom, this.negotiatedSupportedGroup.getId(), this.session.getPeer());
                    break;
                } catch (GeneralSecurityException e) {
                    throw new HandshakeException(String.format("Error performing EC Diffie Hellman key exchange: %s", e.getMessage()), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR, getPeerAddress()));
                }
        }
        if (eCDHServerKeyExchange != null) {
            dTLSFlight.addMessage(wrapMessage(eCDHServerKeyExchange));
            this.md.update(eCDHServerKeyExchange.toByteArray());
            this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, eCDHServerKeyExchange.toByteArray());
        }
    }

    private void createCertificateRequest(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        if (!this.clientAuthenticationRequired || this.signatureAndHashAlgorithm == null) {
            return;
        }
        CertificateRequest certificateRequest = new CertificateRequest(this.session.getPeer());
        certificateRequest.addCertificateType(CertificateRequest.ClientCertificateType.ECDSA_SIGN);
        certificateRequest.addSignatureAlgorithm(new SignatureAndHashAlgorithm(this.signatureAndHashAlgorithm.getHash(), this.signatureAndHashAlgorithm.getSignature()));
        certificateRequest.addCertificateAuthorities(this.rootCertificates);
        dTLSFlight.addMessage(wrapMessage(certificateRequest));
        this.md.update(certificateRequest.toByteArray());
        this.handshakeMessages = ByteArrayUtils.concatenate(this.handshakeMessages, certificateRequest.toByteArray());
    }

    private byte[] receivedClientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) {
        this.clientKeyExchange = eCDHClientKeyExchange;
        return this.ecdhe.getSecret(eCDHClientKeyExchange.getEncodedPoint()).getEncoded();
    }

    private byte[] receivedClientKeyExchange(PSKClientKeyExchange pSKClientKeyExchange) throws HandshakeException {
        this.clientKeyExchange = pSKClientKeyExchange;
        String identity = pSKClientKeyExchange.getIdentity();
        LOGGER.log(Level.FINER, "Client [{0}] uses PSK identity [{1}]", new Object[]{getPeerAddress(), identity});
        byte[] key = getIndicatedServerNames() == null ? this.pskStore.getKey(identity) : this.pskStore.getKey(getIndicatedServerNames(), identity);
        if (key == null) {
            throw new HandshakeException(String.format("Cannot authenticate client, identity [%s] is unknown", identity), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
        }
        this.session.setPeerIdentity(new PreSharedKeyIdentity(identity));
        return generatePremasterSecretFromPSK(key);
    }

    private byte[] receivedClientKeyExchange(NULLClientKeyExchange nULLClientKeyExchange) {
        this.clientKeyExchange = nULLClientKeyExchange;
        return new byte[0];
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    public void startHandshake() throws HandshakeException {
        HelloRequest helloRequest = new HelloRequest(this.session.getPeer());
        DTLSFlight dTLSFlight = new DTLSFlight(getSession());
        dTLSFlight.addMessage(wrapMessage(helloRequest));
        this.recordLayer.sendFlight(dTLSFlight);
    }

    private ProtocolVersion negotiateProtocolVersion(ProtocolVersion protocolVersion) throws HandshakeException {
        if (protocolVersion.compareTo(new ProtocolVersion()) >= 0) {
            return new ProtocolVersion();
        }
        throw new HandshakeException("The server only supports DTLS v1.2", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.PROTOCOL_VERSION, this.session.getPeer()));
    }

    private void negotiateCipherSuite(ClientHello clientHello, HelloExtensions helloExtensions) throws HandshakeException {
        CertificateTypeExtension.CertificateType supportedServerCertificateType = getSupportedServerCertificateType(clientHello);
        CertificateTypeExtension.CertificateType supportedClientCertificateType = getSupportedClientCertificateType(clientHello);
        ECDHECryptography.SupportedGroup negotiateNamedCurve = negotiateNamedCurve(clientHello);
        for (CipherSuite cipherSuite : clientHello.getCipherSuites()) {
            if (cipherSuite != CipherSuite.TLS_NULL_WITH_NULL_NULL && this.supportedCipherSuites.contains(cipherSuite) && isEligible(cipherSuite, supportedServerCertificateType, supportedClientCertificateType, negotiateNamedCurve)) {
                this.negotiatedServerCertificateType = supportedServerCertificateType;
                this.negotiatedClientCertificateType = supportedClientCertificateType;
                this.negotiatedSupportedGroup = negotiateNamedCurve;
                this.session.setCipherSuite(cipherSuite);
                addServerHelloExtensions(cipherSuite, helloExtensions);
                LOGGER.log(Level.FINER, "Negotiated cipher suite [{0}] with peer [{1}]", new Object[]{cipherSuite.name(), getPeerAddress()});
                return;
            }
        }
        throw new HandshakeException("Client proposed unsupported cipher suites only", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE, this.session.getPeer()));
    }

    private boolean isEligible(CipherSuite cipherSuite, CertificateTypeExtension.CertificateType certificateType, CertificateTypeExtension.CertificateType certificateType2, ECDHECryptography.SupportedGroup supportedGroup) {
        boolean z = true;
        if (cipherSuite.isEccBased()) {
            z = true & (supportedGroup != null);
        }
        if (cipherSuite.requiresServerCertificateMessage()) {
            z &= certificateType != null;
            if (this.clientAuthenticationRequired) {
                z &= certificateType2 != null;
            }
        }
        return z;
    }

    private void addServerHelloExtensions(CipherSuite cipherSuite, HelloExtensions helloExtensions) {
        if (this.negotiatedClientCertificateType != null) {
            this.session.setReceiveRawPublicKey(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY.equals(this.negotiatedClientCertificateType));
            ClientCertificateTypeExtension clientCertificateTypeExtension = new ClientCertificateTypeExtension(false);
            clientCertificateTypeExtension.addCertificateType(this.negotiatedClientCertificateType);
            helloExtensions.addExtension(clientCertificateTypeExtension);
        }
        if (this.negotiatedServerCertificateType != null) {
            this.session.setSendRawPublicKey(CertificateTypeExtension.CertificateType.RAW_PUBLIC_KEY.equals(this.negotiatedServerCertificateType));
            ServerCertificateTypeExtension serverCertificateTypeExtension = new ServerCertificateTypeExtension(false);
            serverCertificateTypeExtension.addCertificateType(this.negotiatedServerCertificateType);
            helloExtensions.addExtension(serverCertificateTypeExtension);
        }
        if (cipherSuite.isEccBased()) {
            helloExtensions.addExtension(new SupportedPointFormatsExtension(Arrays.asList(SupportedPointFormatsExtension.ECPointFormat.UNCOMPRESSED)));
        }
    }

    private static ECDHECryptography.SupportedGroup negotiateNamedCurve(ClientHello clientHello) {
        ECDHECryptography.SupportedGroup supportedGroup = null;
        List<ECDHECryptography.SupportedGroup> preferredGroups = ECDHECryptography.SupportedGroup.getPreferredGroups();
        SupportedEllipticCurvesExtension supportedEllipticCurvesExtension = clientHello.getSupportedEllipticCurvesExtension();
        if (supportedEllipticCurvesExtension != null) {
            Iterator<Integer> it = supportedEllipticCurvesExtension.getSupportedGroupIds().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ECDHECryptography.SupportedGroup fromId = ECDHECryptography.SupportedGroup.fromId(it.next().intValue());
                if (fromId != null && fromId.isUsable() && preferredGroups.contains(fromId)) {
                    supportedGroup = fromId;
                    break;
                }
            }
        } else if (!preferredGroups.isEmpty()) {
            supportedGroup = preferredGroups.get(0);
        }
        return supportedGroup;
    }

    private CertificateTypeExtension.CertificateType getSupportedClientCertificateType(ClientHello clientHello) throws HandshakeException {
        ClientCertificateTypeExtension clientCertificateTypeExtension = clientHello.getClientCertificateTypeExtension();
        if (clientCertificateTypeExtension == null) {
            if (this.supportedClientCertificateTypes.contains(CertificateTypeExtension.CertificateType.X_509)) {
                return CertificateTypeExtension.CertificateType.X_509;
            }
            return null;
        }
        for (CertificateTypeExtension.CertificateType certificateType : clientCertificateTypeExtension.getCertificateTypes()) {
            if (this.supportedClientCertificateTypes.contains(certificateType)) {
                return certificateType;
            }
        }
        return null;
    }

    private CertificateTypeExtension.CertificateType getSupportedServerCertificateType(ClientHello clientHello) throws HandshakeException {
        ServerCertificateTypeExtension serverCertificateTypeExtension = clientHello.getServerCertificateTypeExtension();
        if (serverCertificateTypeExtension == null) {
            if (this.supportedServerCertificateTypes.contains(CertificateTypeExtension.CertificateType.X_509)) {
                return CertificateTypeExtension.CertificateType.X_509;
            }
            return null;
        }
        for (CertificateTypeExtension.CertificateType certificateType : serverCertificateTypeExtension.getCertificateTypes()) {
            if (this.supportedServerCertificateTypes.contains(certificateType)) {
                return certificateType;
            }
        }
        return null;
    }

    final CertificateTypeExtension.CertificateType getNegotiatedClientCertificateType() {
        return this.negotiatedClientCertificateType;
    }

    final CertificateTypeExtension.CertificateType getNegotiatedServerCertificateType() {
        return this.negotiatedServerCertificateType;
    }

    final ECDHECryptography.SupportedGroup getNegotiatedSupportedGroup() {
        return this.negotiatedSupportedGroup;
    }

    final ServerNames getIndicatedServerNames() {
        return this.indicatedServerNames;
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected boolean isFirstMessageReceived(HandshakeMessage handshakeMessage) {
        if (!HandshakeType.CLIENT_HELLO.equals(handshakeMessage.getMessageType())) {
            return false;
        }
        return Arrays.equals(this.clientRandom.getRandomBytes(), ((ClientHello) handshakeMessage).getRandom().getRandomBytes());
    }
}
