package org.eclipse.californium.scandium.dtls;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ScheduledExecutorService;
import javax.crypto.SecretKey;
import javax.security.auth.DestroyFailedException;
import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
import org.eclipse.californium.elements.auth.X509CertPath;
import org.eclipse.californium.elements.config.CertificateAuthenticationMode;
import org.eclipse.californium.elements.util.NoPublicAPI;
import org.eclipse.californium.scandium.config.DtlsConfig;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.SupportedPointFormatsExtension;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuiteParameters;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuiteSelector;
import org.eclipse.californium.scandium.dtls.cipher.PseudoRandomFunction;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.util.SecretUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@NoPublicAPI
/* loaded from: input_file:org/eclipse/californium/scandium/dtls/ServerHandshaker.class */
public class ServerHandshaker extends Handshaker {
    private static final HandshakeState[] CLIENT_HELLO = {new HandshakeState(HandshakeType.CLIENT_HELLO)};
    private static final HandshakeState[] CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CERTIFICATE), new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(HandshakeType.CERTIFICATE_VERIFY), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    private static final HandshakeState[] EMPTY_CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    protected static final HandshakeState[] NO_CLIENT_CERTIFICATE = {new HandshakeState(HandshakeType.CLIENT_KEY_EXCHANGE), new HandshakeState(ContentType.CHANGE_CIPHER_SPEC), new HandshakeState(HandshakeType.FINISHED)};
    private final Logger LOGGER_NEGOTIATION;
    private final boolean useSessionId;
    private final CertificateAuthenticationMode clientAuthenticationMode;
    private final boolean useHelloVerifyRequest;
    private final boolean useHelloVerifyRequestForPsk;
    private final CipherSuiteSelector cipherSuiteSelector;
    private final List<CipherSuite> supportedCipherSuites;
    private final List<XECDHECryptography.SupportedGroup> supportedGroups;
    private final List<CertificateType> supportedClientCertificateTypes;
    private final List<CertificateType> supportedServerCertificateTypes;
    private final List<SignatureAndHashAlgorithm> supportedSignatureAndHashAlgorithms;
    private final List<CipherSuite.CertificateKeyAlgorithm> supportedCertificateKeyAlgorithms;
    private final boolean supportDeprecatedCid;
    private CipherSuiteParameters cipherSuiteParameters;
    private ClientHello pendingClientHello;
    private CertificateVerify certificateVerifyMessage;
    private PskPublicInformation preSharedKeyIdentity;
    private XECDHECryptography ecdhe;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.eclipse.californium.scandium.dtls.ServerHandshaker$1, reason: invalid class name */
    /* loaded from: input_file:org/eclipse/californium/scandium/dtls/ServerHandshaker$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType = new int[HandshakeType.values().length];

        static {
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[HandshakeType.CLIENT_HELLO.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[HandshakeType.CERTIFICATE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[HandshakeType.CLIENT_KEY_EXCHANGE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[HandshakeType.CERTIFICATE_VERIFY.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[HandshakeType.FINISHED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$org$eclipse$californium$scandium$dtls$cipher$CipherSuite$KeyExchangeAlgorithm = new int[CipherSuite.KeyExchangeAlgorithm.values().length];
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$cipher$CipherSuite$KeyExchangeAlgorithm[CipherSuite.KeyExchangeAlgorithm.PSK.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$cipher$CipherSuite$KeyExchangeAlgorithm[CipherSuite.KeyExchangeAlgorithm.ECDHE_PSK.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$eclipse$californium$scandium$dtls$cipher$CipherSuite$KeyExchangeAlgorithm[CipherSuite.KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    public ServerHandshaker(long j, int i, RecordLayer recordLayer, ScheduledExecutorService scheduledExecutorService, Connection connection, DtlsConnectorConfig dtlsConnectorConfig) {
        super(j, i, recordLayer, scheduledExecutorService, connection, dtlsConnectorConfig);
        this.LOGGER_NEGOTIATION = LoggerFactory.getLogger(this.LOGGER.getName() + ".negotiation");
        this.cipherSuiteSelector = dtlsConnectorConfig.getCipherSuiteSelector();
        this.supportedCipherSuites = dtlsConnectorConfig.getSupportedCipherSuites();
        this.supportedGroups = dtlsConnectorConfig.getSupportedGroups();
        this.clientAuthenticationMode = (CertificateAuthenticationMode) dtlsConnectorConfig.get(DtlsConfig.DTLS_CLIENT_AUTHENTICATION_MODE);
        this.useSessionId = ((Boolean) dtlsConnectorConfig.get(DtlsConfig.DTLS_SERVER_USE_SESSION_ID)).booleanValue();
        this.useHelloVerifyRequest = ((Boolean) dtlsConnectorConfig.get(DtlsConfig.DTLS_USE_HELLO_VERIFY_REQUEST)).booleanValue();
        this.useHelloVerifyRequestForPsk = this.useHelloVerifyRequest && ((Boolean) dtlsConnectorConfig.get(DtlsConfig.DTLS_USE_HELLO_VERIFY_REQUEST_FOR_PSK)).booleanValue();
        this.supportedClientCertificateTypes = dtlsConnectorConfig.getTrustCertificateTypes();
        this.supportedServerCertificateTypes = dtlsConnectorConfig.getIdentityCertificateTypes();
        this.supportedSignatureAndHashAlgorithms = dtlsConnectorConfig.getSupportedSignatureAlgorithms();
        this.supportedCertificateKeyAlgorithms = dtlsConnectorConfig.getSupportedCertificateKeyAlgorithm();
        this.supportDeprecatedCid = ((Boolean) dtlsConnectorConfig.get(DtlsConfig.DTLS_SUPPORT_DEPRECATED_CID)).booleanValue();
        setExpectedStates(CLIENT_HELLO);
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected boolean isClient() {
        return false;
    }

    public PskPublicInformation getPreSharedKeyIdentity() {
        return this.preSharedKeyIdentity;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    public void doProcessMessage(HandshakeMessage handshakeMessage) throws HandshakeException {
        switch (AnonymousClass1.$SwitchMap$org$eclipse$californium$scandium$dtls$HandshakeType[handshakeMessage.getMessageType().ordinal()]) {
            case 1:
                handshakeStarted();
                receivedClientHello((ClientHello) handshakeMessage);
                return;
            case 2:
                receivedClientCertificate((CertificateMessage) handshakeMessage);
                return;
            case 3:
                switch (getSession().getKeyExchange()) {
                    case PSK:
                        receivedClientKeyExchange((PSKClientKeyExchange) handshakeMessage);
                        return;
                    case ECDHE_PSK:
                        receivedClientKeyExchange((EcdhPskClientKeyExchange) handshakeMessage);
                        return;
                    case EC_DIFFIE_HELLMAN:
                        SecretKey receivedClientKeyExchange = receivedClientKeyExchange((ECDHClientKeyExchange) handshakeMessage);
                        applyMasterSecret(receivedClientKeyExchange);
                        SecretUtil.destroy(receivedClientKeyExchange);
                        processMasterSecret();
                        return;
                    default:
                        return;
                }
            case DtlsConfig.DEFAULT_MAX_RETRANSMISSIONS /* 4 */:
                receivedCertificateVerify((CertificateVerify) handshakeMessage);
                if (hasMasterSecret() && this.otherPeersCertificateVerified) {
                    expectChangeCipherSpecMessage();
                    return;
                }
                return;
            case 5:
                receivedClientFinished((Finished) handshakeMessage);
                return;
            default:
                throw new HandshakeException(String.format("Received unexpected %s message from peer %s", handshakeMessage.getMessageType(), this.peerToLog), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNEXPECTED_MESSAGE));
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void startInitialTimeout() {
        DTLSFlight createFlight = createFlight();
        createFlight.setResponseStarted();
        sendFlight(createFlight);
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected void processMasterSecret() {
        if (isExpectedStates(NO_CLIENT_CERTIFICATE) || isExpectedStates(EMPTY_CLIENT_CERTIFICATE) || (isExpectedStates(CLIENT_CERTIFICATE) && this.otherPeersCertificateVerified && this.certificateVerifyMessage != null)) {
            expectChangeCipherSpecMessage();
        }
    }

    private void receivedClientCertificate(CertificateMessage certificateMessage) throws HandshakeException {
        if (!certificateMessage.isEmpty()) {
            verifyCertificate(certificateMessage, false);
        } else {
            if (this.clientAuthenticationMode == CertificateAuthenticationMode.NEEDED) {
                this.LOGGER.debug("Client authentication failed: missing certificate!");
                throw new HandshakeException("Client Certificate required!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
            }
            setExpectedStates(EMPTY_CLIENT_CERTIFICATE);
        }
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected void processCertificateVerified() {
        if (!hasMasterSecret() || this.certificateVerifyMessage == null) {
            return;
        }
        expectChangeCipherSpecMessage();
    }

    private void receivedCertificateVerify(CertificateVerify certificateVerify) throws HandshakeException {
        this.certificateVerifyMessage = certificateVerify;
        this.handshakeMessages.remove(this.handshakeMessages.size() - 1);
        certificateVerify.verifySignature(this.otherPeersPublicKey, this.handshakeMessages);
        this.handshakeMessages.add(certificateVerify);
        if (setOtherPeersSignatureVerified() && hasMasterSecret()) {
            expectChangeCipherSpecMessage();
        }
    }

    private void receivedClientFinished(Finished finished) throws HandshakeException {
        if (this.clientAuthenticationMode == CertificateAuthenticationMode.NEEDED && isExpectedStates(EMPTY_CLIENT_CERTIFICATE)) {
            throw new HandshakeException("Client did not send required authentication messages.", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
        this.flightNumber += 2;
        DTLSFlight createFlight = createFlight();
        MessageDigest handshakeMessageDigest = getHandshakeMessageDigest();
        MessageDigest cloneMessageDigest = cloneMessageDigest(handshakeMessageDigest);
        verifyFinished(finished, handshakeMessageDigest.digest());
        wrapMessage(createFlight, new ChangeCipherSpecMessage());
        setCurrentWriteState();
        cloneMessageDigest.update(finished.toByteArray());
        wrapMessage(createFlight, createFinishedMessage(cloneMessageDigest.digest()));
        sendLastFlight(createFlight);
        contextEstablished();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void receivedClientHello(ClientHello clientHello) throws HandshakeException {
        negotiateProtocolVersion(clientHello.getProtocolVersion());
        if (!clientHello.getCompressionMethods().contains(CompressionMethod.NULL)) {
            throw new HandshakeException("Client does not support NULL compression method", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE));
        }
        List<CipherSuite> commonCipherSuites = getCommonCipherSuites(clientHello);
        if (commonCipherSuites.isEmpty()) {
            this.LOGGER.trace("Server cipher suites: {}", this.supportedCipherSuites);
            throw new HandshakeException("Client does not propose a common cipher suite", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE));
        }
        if (this.useHelloVerifyRequest && !this.useHelloVerifyRequestForPsk && !clientHello.hasCookie()) {
            SessionId sessionIdentifier = getSession().getSessionIdentifier();
            if (sessionIdentifier.isEmpty() || !sessionIdentifier.equals(clientHello.getSessionId())) {
                ArrayList arrayList = new ArrayList();
                for (CipherSuite cipherSuite : commonCipherSuites) {
                    if (cipherSuite.isPskBased()) {
                        arrayList.add(cipherSuite);
                    }
                }
                commonCipherSuites = arrayList;
            }
        }
        List<CertificateType> commonServerCertificateTypes = getCommonServerCertificateTypes(clientHello.getServerCertificateTypeExtension());
        List<CertificateType> commonClientCertificateTypes = getCommonClientCertificateTypes(clientHello.getClientCertificateTypeExtension());
        List<XECDHECryptography.SupportedGroup> commonSupportedGroups = getCommonSupportedGroups(clientHello.getSupportedEllipticCurvesExtension());
        List<SignatureAndHashAlgorithm> commonSignatureAndHashAlgorithms = getCommonSignatureAndHashAlgorithms(clientHello.getSupportedSignatureAlgorithmsExtension());
        SupportedPointFormatsExtension.ECPointFormat negotiateECPointFormat = negotiateECPointFormat(clientHello.getSupportedPointFormatsExtension());
        ServerNameExtension serverNameExtension = clientHello.getServerNameExtension();
        if (serverNameExtension != null) {
            if (this.sniEnabled) {
                DTLSSession session = getSession();
                session.setServerNames(serverNameExtension.getServerNames());
                session.setSniSupported(true);
                this.LOGGER.debug("using server name indication received from peer [{}]", this.peerToLog);
            } else {
                this.LOGGER.debug("client [{}] included SNI in HELLO but SNI support is disabled", this.peerToLog);
            }
        }
        this.cipherSuiteParameters = new CipherSuiteParameters(null, null, this.clientAuthenticationMode, commonCipherSuites, commonServerCertificateTypes, commonClientCertificateTypes, commonSupportedGroups, commonSignatureAndHashAlgorithms, negotiateECPointFormat);
        if (!CipherSuite.containsCipherSuiteRequiringCertExchange(commonCipherSuites)) {
            processClientHello(clientHello);
            return;
        }
        this.pendingClientHello = clientHello;
        if (requestCertificateIdentity(null, getServerNames(), CipherSuite.getCertificateKeyAlgorithms(commonCipherSuites), commonSignatureAndHashAlgorithms, commonSupportedGroups)) {
            startInitialTimeout();
        }
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker
    protected void processCertificateIdentityAvailable() throws HandshakeException {
        this.cipherSuiteParameters = new CipherSuiteParameters(this.publicKey, this.certificateChain, this.cipherSuiteParameters);
        ClientHello clientHello = this.pendingClientHello;
        this.pendingClientHello = null;
        processClientHello(clientHello);
    }

    protected void processClientHello(ClientHello clientHello) throws HandshakeException {
        negotiateCipherSuite(clientHello);
        this.flightNumber = clientHello.hasCookie() ? 4 : 2;
        DTLSFlight createFlight = createFlight();
        createServerHello(clientHello, createFlight);
        createCertificateMessage(createFlight);
        createServerKeyExchange(createFlight);
        setExpectedStates(createCertificateRequest(createFlight) ? CLIENT_CERTIFICATE : NO_CLIENT_CERTIFICATE);
        wrapMessage(createFlight, new ServerHelloDone());
        sendFlight(createFlight);
    }

    private void createServerHello(ClientHello clientHello, DTLSFlight dTLSFlight) throws HandshakeException {
        ProtocolVersion negotiateProtocolVersion = negotiateProtocolVersion(clientHello.getProtocolVersion());
        this.clientRandom = clientHello.getRandom();
        DTLSSession session = getSession();
        boolean z = this.useSessionId;
        if (this.extendedMasterSecretMode.is(ExtendedMasterSecretMode.ENABLED) && !clientHello.hasExtendedMasterSecretExtension()) {
            z = false;
        }
        SessionId sessionId = z ? new SessionId() : SessionId.emptySessionId();
        session.setSessionIdentifier(sessionId);
        session.setProtocolVersion(negotiateProtocolVersion);
        session.setCompressionMethod(CompressionMethod.NULL);
        ServerHello serverHello = new ServerHello(negotiateProtocolVersion, sessionId, session.getCipherSuite(), session.getCompressionMethod());
        addHelloExtensions(clientHello, serverHello);
        if (serverHello.getCipherSuite().isEccBased()) {
            expectEcc();
        }
        wrapMessage(dTLSFlight, serverHello);
        this.serverRandom = serverHello.getRandom();
    }

    private void createCertificateMessage(DTLSFlight dTLSFlight) {
        CertificateMessage certificateMessage;
        DTLSSession session = getSession();
        if (session.getCipherSuite().requiresServerCertificateMessage()) {
            CertificateType sendCertificateType = session.sendCertificateType();
            if (CertificateType.RAW_PUBLIC_KEY == sendCertificateType) {
                certificateMessage = new CertificateMessage(this.cipherSuiteParameters.getPublicKey());
            } else {
                if (CertificateType.X_509 != sendCertificateType) {
                    throw new IllegalArgumentException("Certificate type " + sendCertificateType + " not supported!");
                }
                certificateMessage = new CertificateMessage(this.cipherSuiteParameters.getCertificateChain());
            }
            wrapMessage(dTLSFlight, certificateMessage);
        }
    }

    private void createServerKeyExchange(DTLSFlight dTLSFlight) throws HandshakeException {
        DTLSSession session = getSession();
        CipherSuite.KeyExchangeAlgorithm keyExchange = session.getKeyExchange();
        if (CipherSuite.KeyExchangeAlgorithm.ECDHE_PSK == keyExchange || CipherSuite.KeyExchangeAlgorithm.EC_DIFFIE_HELLMAN == keyExchange) {
            try {
                XECDHECryptography.SupportedGroup selectedSupportedGroup = this.cipherSuiteParameters.getSelectedSupportedGroup();
                this.ecdhe = new XECDHECryptography(selectedSupportedGroup);
                session.setEcGroup(selectedSupportedGroup);
            } catch (GeneralSecurityException e) {
                throw new HandshakeException("Cannot process handshake message, caused by " + e.getMessage(), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.ILLEGAL_PARAMETER), e);
            }
        }
        HandshakeMessage handshakeMessage = null;
        switch (keyExchange) {
            case ECDHE_PSK:
                handshakeMessage = new EcdhPskServerKeyExchange(PskPublicInformation.EMPTY, this.ecdhe);
                break;
            case EC_DIFFIE_HELLMAN:
                handshakeMessage = new EcdhSignedServerKeyExchange(session.getSignatureAndHashAlgorithm(), this.ecdhe, this.privateKey, this.clientRandom, this.serverRandom);
                break;
        }
        if (handshakeMessage != null) {
            wrapMessage(dTLSFlight, handshakeMessage);
        }
    }

    private boolean createCertificateRequest(DTLSFlight dTLSFlight) {
        DTLSSession session = getSession();
        CertificateType receiveCertificateType = session.receiveCertificateType();
        if (!this.clientAuthenticationMode.useCertificateRequest() || !session.getCipherSuite().requiresServerCertificateMessage() || receiveCertificateType == null) {
            return false;
        }
        CertificateRequest certificateRequest = new CertificateRequest();
        List<SignatureAndHashAlgorithm> list = this.supportedSignatureAndHashAlgorithms;
        List<CipherSuite.CertificateKeyAlgorithm> list2 = this.supportedCertificateKeyAlgorithms;
        if (CertificateType.X_509 == receiveCertificateType) {
            certificateRequest.addSignatureAlgorithms(list);
            if (this.certificateVerifier != null) {
                certificateRequest.addCerticiateAuthorities(this.certificateVerifier.getAcceptedIssuers());
            }
        } else if (CertificateType.RAW_PUBLIC_KEY == receiveCertificateType) {
            CipherSuite.CertificateKeyAlgorithm algorithm = CipherSuite.CertificateKeyAlgorithm.getAlgorithm(this.publicKey);
            if (list2.get(0) != algorithm && list2.contains(algorithm)) {
                list2 = new ArrayList(list2);
                list2.remove(algorithm);
                list2.add(0, algorithm);
            }
            list = SignatureAndHashAlgorithm.getCompatibleSignatureAlgorithms(list, list2);
            certificateRequest.addSignatureAlgorithms(list);
        }
        this.LOGGER.trace("Certificate Type: {}", receiveCertificateType);
        this.LOGGER.trace("Signature and hash algorithms {}/{}", list, this.supportedSignatureAndHashAlgorithms);
        this.LOGGER.trace("Certificate key algorithms {}/{}", list2, this.supportedCertificateKeyAlgorithms);
        for (CipherSuite.CertificateKeyAlgorithm certificateKeyAlgorithm : list2) {
            if (SignatureAndHashAlgorithm.isSupportedAlgorithm(list, certificateKeyAlgorithm)) {
                certificateRequest.addCertificateType(certificateKeyAlgorithm);
            }
        }
        wrapMessage(dTLSFlight, certificateRequest);
        return true;
    }

    private SecretKey receivedClientKeyExchange(ECDHClientKeyExchange eCDHClientKeyExchange) throws HandshakeException {
        try {
            DTLSSession session = getSession();
            SecretKey generateSecret = this.ecdhe.generateSecret(eCDHClientKeyExchange.getEncodedPoint());
            SecretKey generateMasterSecret = PseudoRandomFunction.generateMasterSecret(session.getCipherSuite().getThreadLocalPseudoRandomFunctionMac(), generateSecret, generateMasterSecretSeed(), session.useExtendedMasterSecret());
            SecretUtil.destroy(generateSecret);
            return generateMasterSecret;
        } catch (GeneralSecurityException e) {
            throw new HandshakeException("Cannot process handshake message, caused by " + e.getMessage(), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.ILLEGAL_PARAMETER), e);
        }
    }

    private void receivedClientKeyExchange(PSKClientKeyExchange pSKClientKeyExchange) throws HandshakeException {
        this.preSharedKeyIdentity = pSKClientKeyExchange.getIdentity();
        requestPskSecretResult(this.preSharedKeyIdentity, null, generateMasterSecretSeed());
    }

    private void receivedClientKeyExchange(EcdhPskClientKeyExchange ecdhPskClientKeyExchange) throws HandshakeException {
        SecretKey secretKey = null;
        try {
            try {
                this.preSharedKeyIdentity = ecdhPskClientKeyExchange.getIdentity();
                secretKey = this.ecdhe.generateSecret(ecdhPskClientKeyExchange.getEncodedPoint());
                requestPskSecretResult(this.preSharedKeyIdentity, secretKey, generateMasterSecretSeed());
                SecretUtil.destroy(secretKey);
            } catch (GeneralSecurityException e) {
                throw new HandshakeException("Cannot process handshake message, caused by " + e.getMessage(), new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.ILLEGAL_PARAMETER), e);
            }
        } catch (Throwable th) {
            SecretUtil.destroy(secretKey);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void addHelloExtensions(ClientHello clientHello, ServerHello serverHello) throws HandshakeException {
        ConnectionIdExtension connectionIdExtension;
        MaxFragmentLengthExtension maxFragmentLengthExtension;
        ServerCertificateTypeExtension serverCertificateTypeExtension;
        CertificateType receiveCertificateType;
        ClientCertificateTypeExtension clientCertificateTypeExtension;
        DTLSSession session = getSession();
        if (clientHello.hasExtendedMasterSecretExtension()) {
            if (this.extendedMasterSecretMode != ExtendedMasterSecretMode.NONE) {
                session.setExtendedMasterSecret(true);
                serverHello.addExtension(ExtendedMasterSecretExtension.INSTANCE);
            }
        } else if (this.extendedMasterSecretMode == ExtendedMasterSecretMode.REQUIRED) {
            throw new HandshakeException("Extended Master Secret required!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE));
        }
        if (session.getCipherSuite().requiresServerCertificateMessage()) {
            if (this.clientAuthenticationMode.useCertificateRequest() && (receiveCertificateType = session.receiveCertificateType()) != null && (clientCertificateTypeExtension = clientHello.getClientCertificateTypeExtension()) != null && clientCertificateTypeExtension.contains(receiveCertificateType)) {
                serverHello.addExtension(new ClientCertificateTypeExtension(receiveCertificateType));
            }
            CertificateType sendCertificateType = session.sendCertificateType();
            if (sendCertificateType != null && (serverCertificateTypeExtension = clientHello.getServerCertificateTypeExtension()) != null && serverCertificateTypeExtension.contains(sendCertificateType)) {
                serverHello.addExtension(new ServerCertificateTypeExtension(sendCertificateType));
            }
        }
        if (session.getCipherSuite().isEccBased() && clientHello.getSupportedPointFormatsExtension() != null) {
            serverHello.addExtension(SupportedPointFormatsExtension.DEFAULT_POINT_FORMATS_EXTENSION);
        }
        RecordSizeLimitExtension recordSizeLimitExtension = clientHello.getRecordSizeLimitExtension();
        if (recordSizeLimitExtension != null) {
            session.setRecordSizeLimit(recordSizeLimitExtension.getRecordSizeLimit());
            int maxFragmentLength = this.recordSizeLimit == null ? session.getMaxFragmentLength() : this.recordSizeLimit.intValue();
            serverHello.addExtension(new RecordSizeLimitExtension(maxFragmentLength));
            this.LOGGER.debug("Received record size limit [{} bytes] from peer [{}]", Integer.valueOf(maxFragmentLength), this.peerToLog);
        }
        if (recordSizeLimitExtension == null && (maxFragmentLengthExtension = clientHello.getMaxFragmentLengthExtension()) != null) {
            session.setMaxFragmentLength(maxFragmentLengthExtension.getFragmentLength().length());
            serverHello.addExtension(maxFragmentLengthExtension);
            this.LOGGER.debug("Negotiated max. fragment length [{} bytes] with peer [{}]", Integer.valueOf(maxFragmentLengthExtension.getFragmentLength().length()), this.peerToLog);
        }
        if (clientHello.getServerNameExtension() != null && this.sniEnabled) {
            serverHello.addExtension(ServerNameExtension.emptyServerNameIndication());
        }
        if (!supportsConnectionId() || (connectionIdExtension = clientHello.getConnectionIdExtension()) == null) {
            return;
        }
        boolean useDeprecatedCid = connectionIdExtension.useDeprecatedCid();
        if (!useDeprecatedCid || this.supportDeprecatedCid) {
            ConnectionId readConnectionId = getReadConnectionId();
            serverHello.addExtension(ConnectionIdExtension.fromConnectionId(readConnectionId, connectionIdExtension.getType()));
            DTLSContext dtlsContext = getDtlsContext();
            dtlsContext.setWriteConnectionId(connectionIdExtension.getConnectionId());
            dtlsContext.setReadConnectionId(readConnectionId);
            dtlsContext.setDeprecatedCid(useDeprecatedCid);
        }
    }

    private ProtocolVersion negotiateProtocolVersion(ProtocolVersion protocolVersion) throws HandshakeException {
        if (protocolVersion.compareTo(ProtocolVersion.VERSION_DTLS_1_2) >= 0) {
            return ProtocolVersion.VERSION_DTLS_1_2;
        }
        ProtocolVersion protocolVersion2 = protocolVersion;
        if (protocolVersion2.compareTo(ProtocolVersion.VERSION_DTLS_1_0) < 0) {
            protocolVersion2 = ProtocolVersion.VERSION_DTLS_1_0;
        }
        throw new HandshakeException("The server only supports DTLS v1.2, not " + protocolVersion + "!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.PROTOCOL_VERSION, protocolVersion2));
    }

    private void negotiateCipherSuite(ClientHello clientHello) throws HandshakeException {
        this.LOGGER.trace("Negotiate on: {}", this.cipherSuiteParameters);
        if (!this.cipherSuiteSelector.select(this.cipherSuiteParameters)) {
            if (this.LOGGER_NEGOTIATION.isDebugEnabled()) {
                this.LOGGER_NEGOTIATION.debug("{}", clientHello);
                this.LOGGER_NEGOTIATION.debug("{}", this.cipherSuiteParameters.getMismatchDescription());
                this.LOGGER_NEGOTIATION.trace("Parameters: {}", this.cipherSuiteParameters);
            }
            String mismatchSummary = this.cipherSuiteParameters.getMismatchSummary();
            if (mismatchSummary == null) {
                mismatchSummary = "Client proposed unsupported cipher suites or parameters only";
            }
            this.cipherSuiteParameters = null;
            throw new HandshakeException(mismatchSummary, new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.HANDSHAKE_FAILURE));
        }
        this.LOGGER.debug("Negotiated: {}", this.cipherSuiteParameters);
        DTLSSession session = getSession();
        CipherSuite selectedCipherSuite = this.cipherSuiteParameters.getSelectedCipherSuite();
        session.setCipherSuite(selectedCipherSuite);
        if (selectedCipherSuite.requiresServerCertificateMessage()) {
            session.setSignatureAndHashAlgorithm(this.cipherSuiteParameters.getSelectedSignature());
            CertificateType selectedServerCertificateType = this.cipherSuiteParameters.getSelectedServerCertificateType();
            if (selectedServerCertificateType == null) {
                throw new HandshakeException("No common server certificate type!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNSUPPORTED_CERTIFICATE));
            }
            session.setSendCertificateType(selectedServerCertificateType);
            CertificateType selectedClientCertificateType = this.cipherSuiteParameters.getSelectedClientCertificateType();
            if (this.clientAuthenticationMode == CertificateAuthenticationMode.NEEDED) {
                if (selectedClientCertificateType == null) {
                    throw new HandshakeException("No common client certificate type!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.UNSUPPORTED_CERTIFICATE));
                }
                session.setReceiveCertificateType(selectedClientCertificateType);
            } else if (this.clientAuthenticationMode == CertificateAuthenticationMode.WANTED && selectedClientCertificateType != null) {
                session.setReceiveCertificateType(selectedClientCertificateType);
            }
        }
        this.LOGGER.debug("Negotiated cipher suite [{}] with peer [{}]", selectedCipherSuite.name(), this.peerToLog);
    }

    private List<XECDHECryptography.SupportedGroup> getCommonSupportedGroups(SupportedEllipticCurvesExtension supportedEllipticCurvesExtension) {
        ArrayList arrayList = new ArrayList();
        if (supportedEllipticCurvesExtension == null) {
            arrayList.addAll(this.supportedGroups);
        } else {
            for (XECDHECryptography.SupportedGroup supportedGroup : supportedEllipticCurvesExtension.getSupportedGroups()) {
                if (this.supportedGroups.contains(supportedGroup)) {
                    arrayList.add(supportedGroup);
                }
            }
        }
        return arrayList;
    }

    private SupportedPointFormatsExtension.ECPointFormat negotiateECPointFormat(SupportedPointFormatsExtension supportedPointFormatsExtension) {
        if (supportedPointFormatsExtension == null || supportedPointFormatsExtension.contains(SupportedPointFormatsExtension.ECPointFormat.UNCOMPRESSED)) {
            return SupportedPointFormatsExtension.ECPointFormat.UNCOMPRESSED;
        }
        return null;
    }

    private List<SignatureAndHashAlgorithm> getCommonSignatureAndHashAlgorithms(SignatureAlgorithmsExtension signatureAlgorithmsExtension) {
        return signatureAlgorithmsExtension == null ? new ArrayList(this.supportedSignatureAndHashAlgorithms) : SignatureAndHashAlgorithm.getCommonSignatureAlgorithms(signatureAlgorithmsExtension.getSupportedSignatureAndHashAlgorithms(), this.supportedSignatureAndHashAlgorithms);
    }

    private List<CipherSuite> getCommonCipherSuites(ClientHello clientHello) {
        List<CipherSuite> list = this.supportedCipherSuites;
        CipherSuite cipherSuite = getSession().getCipherSuite();
        if (cipherSuite.isValidForNegotiation()) {
            list = Arrays.asList(cipherSuite);
        }
        return clientHello.getCommonCipherSuites(list);
    }

    private List<CertificateType> getCommonClientCertificateTypes(ClientCertificateTypeExtension clientCertificateTypeExtension) {
        List<CertificateType> list = this.supportedClientCertificateTypes;
        Principal peerIdentity = getSession().getPeerIdentity();
        if (peerIdentity != null) {
            list = new ArrayList();
            if (peerIdentity instanceof RawPublicKeyIdentity) {
                list.add(CertificateType.RAW_PUBLIC_KEY);
            } else if (peerIdentity instanceof X509CertPath) {
                list.add(CertificateType.X_509);
            }
        }
        return getCommonCertificateTypes(clientCertificateTypeExtension, list);
    }

    private List<CertificateType> getCommonServerCertificateTypes(ServerCertificateTypeExtension serverCertificateTypeExtension) {
        return getCommonCertificateTypes(serverCertificateTypeExtension, this.supportedServerCertificateTypes);
    }

    private static List<CertificateType> getCommonCertificateTypes(CertificateTypeExtension certificateTypeExtension, List<CertificateType> list) {
        if (list != null) {
            if (certificateTypeExtension != null) {
                return certificateTypeExtension.getCommonCertificateTypes(list);
            }
            if (list.contains(CertificateType.X_509)) {
                return CertificateTypeExtension.DEFAULT_X509;
            }
        }
        return CertificateTypeExtension.EMPTY;
    }

    final CipherSuiteParameters getNegotiatedCipherSuiteParameters() {
        return this.cipherSuiteParameters;
    }

    @Override // org.eclipse.californium.scandium.dtls.Handshaker, javax.security.auth.Destroyable
    public void destroy() throws DestroyFailedException {
        SecretUtil.destroy(this.ecdhe);
        this.ecdhe = null;
    }
}
