package org.eclipse.leshan.client.californium;

import java.net.InetSocketAddress;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.CertificateVerificationResult;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.DTLSSession;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier;
import org.eclipse.californium.scandium.util.ServerNames;
import org.eclipse.leshan.core.util.X509CertUtil;

/* loaded from: input_file:org/eclipse/leshan/client/californium/BaseCertificateVerifier.class */
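/**
 * Base class for DTLS certificate verifiers in the Leshan client that accept only X.509
 * certificates.
 *
 * <p>It adapts the {@link NewAdvancedCertificateVerifier} callback to the simpler abstract
 * {@link #verifyCertificate(Boolean, CertificateMessage, DTLSSession)} hook and offers small
 * validation helpers that subclasses can combine. Nothing in this class builds or validates a
 * trust chain; that is left entirely to the subclass hook.
 */
public abstract class BaseCertificateVerifier implements NewAdvancedCertificateVerifier {
    private final List<CertificateType> supportedCertificateType = Arrays.asList(CertificateType.X_509);

    /**
     * Returns the certificate types this verifier accepts.
     *
     * @return a list containing only {@link CertificateType#X_509}
     */
    @Override
    public List<CertificateType> getSupportedCertificateType() {
        return this.supportedCertificateType;
    }

    /**
     * Ignores the handler: this class always returns its result directly from
     * {@code verifyCertificate} and never reports it through a callback.
     *
     * @param handshakeResultHandler handler offered by the DTLS stack; not stored
     */
    @Override
    public void setResultHandler(HandshakeResultHandler handshakeResultHandler) {
        // Intentionally empty, see Javadoc.
    }

    /**
     * Returns the accepted issuers advertised by this verifier.
     *
     * @return always {@code null}
     */
    @Override
    public List<X500Principal> getAcceptedIssuers() {
        // NOTE(review): null rather than an empty list. Confirm that the Californium contract
        // allows null here and that no caller dereferences the result.
        return null;
    }

    /**
     * Verifies the peer certificate by delegating to the abstract three-argument overload and
     * wrapping its outcome.
     *
     * <p>{@code serverNames} and {@code z} are not used by this implementation, so the requested
     * server name plays no part in the check. Any identity check depends on what the subclass
     * does, for example by calling {@link #validateSubject}.
     *
     * @param connectionId connection id copied into the result
     * @param serverNames ignored
     * @param bool forwarded unchanged to the abstract overload
     * @param z ignored
     * @param certificateMessage certificate message received from the peer
     * @param dTLSSession session the handshake belongs to
     * @return a result carrying either the verified {@link CertPath} or the
     *     {@link HandshakeException} that rejected it
     */
    @Override
    public CertificateVerificationResult verifyCertificate(ConnectionId connectionId, ServerNames serverNames, Boolean bool, boolean z, CertificateMessage certificateMessage, DTLSSession dTLSSession) {
        try {
            CertPath verifiedPath = verifyCertificate(bool, certificateMessage, dTLSSession);
            return new CertificateVerificationResult(connectionId, verifiedPath, (Object) null);
        } catch (HandshakeException e) {
            // Only HandshakeException is converted into a failed result; any unchecked exception
            // thrown by the subclass propagates to the caller.
            return new CertificateVerificationResult(connectionId, e, (Object) null);
        }
    }

    /**
     * Performs the actual certificate verification.
     *
     * @param bool value received by the six-argument overload, passed through unchanged
     * @param certificateMessage certificate message received from the peer
     * @param dTLSSession session the handshake belongs to
     * @return the certificate path to report as verified
     * @throws HandshakeException if the certificate must be rejected
     */
    protected abstract CertPath verifyCertificate(Boolean bool, CertificateMessage certificateMessage, DTLSSession dTLSSession) throws HandshakeException;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Rejects an empty certificate chain.
     *
     * @param certPath chain received from the peer
     * @param inetSocketAddress peer address attached to the alert
     * @throws HandshakeException with a fatal {@code BAD_CERTIFICATE} alert if the chain holds no
     *     certificate
     */
    public void validateCertificateChainNotEmpty(CertPath certPath, InetSocketAddress inetSocketAddress) throws HandshakeException {
        if (certPath.getCertificates().isEmpty()) {
            throw new HandshakeException("Certificate chain could not be validated : server cert chain is empty", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE, inetSocketAddress));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the first certificate of the chain as an {@link X509Certificate}.
     *
     * @param certPath chain received from the peer
     * @param inetSocketAddress peer address attached to the alert
     * @return the first certificate of the chain
     * @throws HandshakeException with a fatal {@code BAD_CERTIFICATE} alert if the chain is empty,
     *     or a fatal {@code UNSUPPORTED_CERTIFICATE} alert if the first certificate is not X.509
     */
    public X509Certificate validateReceivedCertificateIsSupported(CertPath certPath, InetSocketAddress inetSocketAddress) throws HandshakeException {
        // Guard get(0): an empty chain would otherwise raise IndexOutOfBoundsException, which the
        // six-argument verifyCertificate does not convert into a handshake failure.
        validateCertificateChainNotEmpty(certPath, inetSocketAddress);

        Certificate certificate = certPath.getCertificates().get(0);
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        throw new HandshakeException("Certificate chain could not be validated - unknown certificate type", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNSUPPORTED_CERTIFICATE, inetSocketAddress));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks that the certificate identifies the peer of the session, by DNS name or by IP
     * address.
     *
     * @param dTLSSession session whose peer address is the expected identity
     * @param x509Certificate certificate presented by the peer
     * @throws HandshakeException with a fatal {@code BAD_CERTIFICATE} alert if neither the host
     *     name nor the address of the peer matches the certificate
     */
    public void validateSubject(DTLSSession dTLSSession, X509Certificate x509Certificate) throws HandshakeException {
        InetSocketAddress peer = dTLSSession.getPeer();

        // NOTE(review): InetSocketAddress.getHostName() may trigger a reverse name lookup when
        // the address was created from a literal IP. The name compared with the certificate would
        // then come from the resolver, not from the configured server endpoint. Confirm how the
        // session peer is built; getHostString() or the configured host name avoids the lookup.
        if (X509CertUtil.matchSubjectDnsName(x509Certificate, peer.getHostName())) {
            return;
        }
        if (X509CertUtil.matchSubjectInetAddress(x509Certificate, peer.getAddress())) {
            return;
        }
        throw new HandshakeException("Certificate chain could not be validated - server identity does not match certificate", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE, peer));
    }
}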
