package org.eclipse.leshan.client.californium;

import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.DTLSSession;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.leshan.core.util.Validate;

/* loaded from: input_file:org/eclipse/leshan/client/californium/ServiceCertificateConstraintCertificateVerifier.class */
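/**
 * Certificate verifier that accepts a peer only when two independent conditions hold:
 * the received chain passes PKIX validation against the configured trusted certificates,
 * and the certificate selected from that chain is equal to the expected service certificate.
 *
 * <p>NOTE(review): the class name suggests this implements the LwM2M "service certificate
 * constraint" certificate usage; confirm against the caller that selects the verifier.
 *
 * <p>Both inputs are security-critical configuration. The trusted-certificate array is copied
 * at construction time so that later changes to the caller's array cannot alter the trust
 * anchors used by this instance.
 */
public class ServiceCertificateConstraintCertificateVerifier extends BaseCertificateVerifier {
    /** The exact certificate the peer is required to present. */
    private final Certificate serviceCertificate;
    /** Private snapshot of the trust anchors handed to PKIX validation. */
    private final X509Certificate[] trustedCertificates;

    /**
     * Creates a verifier pinned to one service certificate and a set of trust anchors.
     *
     * @param certificate the service certificate the peer must present; must not be null
     * @param x509CertificateArr the trusted certificates for PKIX validation; must be neither
     *     null nor empty
     */
    public ServiceCertificateConstraintCertificateVerifier(Certificate certificate, X509Certificate[] x509CertificateArr) {
        Validate.notNull(certificate);
        Validate.notNull(x509CertificateArr);
        Validate.notEmpty(x509CertificateArr);
        this.serviceCertificate = certificate;
        // Defensive copy: arrays are mutable, and storing the caller's reference would let any
        // code holding it replace trust anchors after this verifier has been constructed.
        this.trustedCertificates = x509CertificateArr.clone();
    }

    /**
     * Validates the certificate chain received in the handshake.
     *
     * <p>The chain must be non-empty and of a supported type, must pass PKIX validation against
     * the trusted certificates, and the certificate returned by
     * {@code validateReceivedCertificateIsSupported} must equal the configured service
     * certificate. The subject check is then delegated to {@code validateSubject}.
     *
     * @param bool not read by this implementation
     * @param certificateMessage the handshake message carrying the peer's certificate chain
     * @param dTLSSession the session being established; its peer is reported in any alert raised
     * @return the certificate path produced by PKIX validation
     * @throws HandshakeException with a fatal {@code BAD_CERTIFICATE} alert when any check fails
     */
    @Override // org.eclipse.leshan.client.californium.BaseCertificateVerifier
    public CertPath verifyCertificate(Boolean bool, CertificateMessage certificateMessage, DTLSSession dTLSSession) throws HandshakeException {
        CertPath receivedChain = certificateMessage.getCertificateChain();
        validateCertificateChainNotEmpty(receivedChain, dTLSSession.getPeer());
        X509Certificate peerCertificate = validateReceivedCertificateIsSupported(receivedChain, dTLSSession.getPeer());
        try {
            CertPath validatedPath = X509Util.applyPKIXValidation(receivedChain, this.trustedCertificates);
            // A chain that validates is not sufficient: the presented certificate must also be
            // the pinned one. The failure is reported with the same message and alert as a PKIX
            // failure, so the peer cannot tell which of the two checks rejected it.
            if (!this.serviceCertificate.equals(peerCertificate)) {
                throw new HandshakeException("Certificate chain could not be validated", badCertificateAlert(dTLSSession));
            }
            validateSubject(dTLSSession, peerCertificate);
            return validatedPath;
        } catch (GeneralSecurityException e) {
            // Keep the cause attached so the local log shows why validation failed.
            throw new HandshakeException("Certificate chain could not be validated", badCertificateAlert(dTLSSession), e);
        }
    }

    /** Builds the fatal BAD_CERTIFICATE alert addressed to the session's peer. */
    private static AlertMessage badCertificateAlert(DTLSSession session) {
        return new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE, session.getPeer());
    }
}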
