package org.eclipse.leshan.client.californium.endpoint.coaps;

import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
import java.security.Principal;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.core.coap.Message;
import org.eclipse.californium.core.coap.Request;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.network.Endpoint;
import org.eclipse.californium.elements.AddressEndpointContext;
import org.eclipse.californium.elements.Connector;
import org.eclipse.californium.elements.DtlsEndpointContext;
import org.eclipse.californium.elements.EndpointContext;
import org.eclipse.californium.elements.EndpointContextMatcher;
import org.eclipse.californium.elements.MapBasedEndpointContext;
import org.eclipse.californium.elements.PrincipalEndpointContextMatcher;
import org.eclipse.californium.elements.auth.PreSharedKeyIdentity;
import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
import org.eclipse.californium.elements.auth.X509CertPath;
import org.eclipse.californium.elements.config.Configuration;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConfig;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.DtlsHandshakeTimeoutException;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.pskstore.AdvancedSinglePskStore;
import org.eclipse.californium.scandium.dtls.x509.SingleCertificateProvider;
import org.eclipse.californium.scandium.dtls.x509.StaticNewAdvancedCertificateVerifier;
import org.eclipse.leshan.client.californium.CaliforniumConnectionController;
import org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory;
import org.eclipse.leshan.client.endpoint.ClientEndpointToolbox;
import org.eclipse.leshan.client.security.CertificateVerifierFactory;
import org.eclipse.leshan.client.servers.LwM2mServer;
import org.eclipse.leshan.client.servers.ServerInfo;
import org.eclipse.leshan.core.SecurityMode;
import org.eclipse.leshan.core.californium.DefaultExceptionTranslator;
import org.eclipse.leshan.core.californium.ExceptionTranslator;
import org.eclipse.leshan.core.californium.identity.IdentityHandler;
import org.eclipse.leshan.core.californium.security.LwM2mCertificateVerifier;
import org.eclipse.leshan.core.endpoint.EndpointUriUtil;
import org.eclipse.leshan.core.endpoint.Protocol;
import org.eclipse.leshan.core.peer.IpPeer;
import org.eclipse.leshan.core.peer.LwM2mPeer;
import org.eclipse.leshan.core.peer.PskIdentity;
import org.eclipse.leshan.core.peer.RpkIdentity;
import org.eclipse.leshan.core.peer.X509Identity;
import org.eclipse.leshan.core.request.exception.TimeoutException;
import org.eclipse.leshan.core.security.certificate.util.X509CertUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/leshan/client/californium/endpoint/coaps/CoapsClientEndpointFactory.class */
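/**
 * Factory for the client-side "coaps" endpoint: CoAP carried over DTLS (Scandium).
 * <p>
 * One endpoint is created per secure {@link ServerInfo}; the DTLS credentials (PSK, RPK or X.509)
 * configured for that server are turned into a {@link DtlsConnectorConfig}, and the cipher-suite
 * list is narrowed to the suites that are consistent with the credential type.
 * <p>
 * Note on the listing: this file looks decompiled. The peer-identity and connector variables were
 * given over-specific static types by the decompiler (e.g. a {@code PreSharedKeyIdentity} local
 * holding a {@code RawPublicKeyIdentity}); they are restored here to the {@link Principal} /
 * {@link Connector} supertypes with explicit casts, which is the only way the {@code instanceof}
 * chains can compile.
 */
public class CoapsClientEndpointFactory extends CoapClientEndpointFactory {
    private static final Logger LOG = LoggerFactory.getLogger(CoapsClientEndpointFactory.class);

    /** Prefix put in front of the endpoint URI in log tags; may be {@code null}. */
    protected final String loggingTagPrefix;
    /** Builds the X.509 verifier for servers configured in {@link SecurityMode#X509}. */
    protected final CertificateVerifierFactory certificateVerifierFactory;

    /** Creates a factory whose log tags are prefixed with {@code "LWM2M Client"}. */
    public CoapsClientEndpointFactory() {
        this("LWM2M Client");
    }

    /**
     * @param loggingTagPrefix prefix used in log tags, or {@code null} for URI-only tags
     */
    public CoapsClientEndpointFactory(String loggingTagPrefix) {
        this.certificateVerifierFactory = new CertificateVerifierFactory();
        this.loggingTagPrefix = loggingTagPrefix;
    }

    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public String getEndpointDescription() {
        return "CoAP over DTLS endpoint based on Californium/Scandium library";
    }

    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public Protocol getProtocol() {
        return Protocol.COAPS;
    }

    /** Log tag of the form {@code [prefix-uri]}, or {@code [uri]} when no prefix is configured. */
    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory
    protected String getLoggingTag(URI uri) {
        if (this.loggingTagPrefix == null) {
            return String.format("[%s]", uri);
        }
        return String.format("[%s-%s]", this.loggingTagPrefix, uri);
    }

    /**
     * Creates the DTLS-secured CoAP endpoint for {@code serverInfo}.
     *
     * @param inetAddress local address to bind (an ephemeral port is used)
     * @param configuration Californium/Scandium configuration used as the root DTLS settings
     * @param serverInfo the server to connect to; must be secure, otherwise {@code null} is returned
     * @param clientInitiatedOnly when {@code true} the DTLS role defaults to {@code CLIENT_ONLY}, i.e. the
     *        connector will not accept a handshake initiated by the server
     * @param certificates certificates handed to the X.509 verifier factory (presumably the trust store;
     *        only used in X509 mode)
     * @param clientEndpointToolbox unused by this implementation
     * @return the endpoint, or {@code null} if the server is not secure or the DTLS config cannot be built
     * @throws RuntimeException if {@code serverInfo.secureMode} is not PSK, RPK or X509 (not caught here)
     */
    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public CoapEndpoint createCoapEndpoint(InetAddress inetAddress, Configuration configuration, ServerInfo serverInfo,
            boolean clientInitiatedOnly, List<Certificate> certificates, ClientEndpointToolbox clientEndpointToolbox) {
        if (!serverInfo.isSecure()) {
            return null;
        }
        try {
            InetSocketAddress localAddress = new InetSocketAddress(inetAddress, 0);
            DtlsConnectorConfig.Builder rootBuilder = createRootDtlsConnectorConfigBuilder(configuration);
            DtlsConnectorConfig dtlsConfig = createEffectiveDtlsConnectorConfigBuilder(localAddress, serverInfo,
                    rootBuilder, configuration, clientInitiatedOnly, certificates).build();
            return createEndpointBuilder(dtlsConfig, configuration).build();
        } catch (IllegalStateException e) {
            // Only Scandium's build-time validation failures are turned into "no endpoint";
            // every other failure propagates to the caller.
            LOG.warn("Unable to create DTLS config to create endpont to connect to {}.", serverInfo.getFullUri(), e);
            return null;
        }
    }

    /** Root builder carrying the user-supplied DTLS settings; subclasses may pre-configure it. */
    protected DtlsConnectorConfig.Builder createRootDtlsConnectorConfigBuilder(Configuration configuration) {
        return new DtlsConnectorConfig.Builder(configuration);
    }

    /**
     * Derives the per-server DTLS configuration from the root builder: credentials, trust anchors,
     * cipher-suite filtering, SNI and DTLS role.
     *
     * @param inetSocketAddress local bind address
     * @param serverInfo server credentials and security mode
     * @param builder root builder (see {@link #createRootDtlsConnectorConfigBuilder(Configuration)})
     * @param configuration unused here; kept for subclasses
     * @param clientInitiatedOnly forces the {@code CLIENT_ONLY} role when the user did not set one
     * @param certificates passed through to the X.509 verifier factory
     * @return the effective builder, or {@code null} if the server is not secure
     * @throws RuntimeException for an unsupported {@link SecurityMode}
     */
    protected DtlsConnectorConfig.Builder createEffectiveDtlsConnectorConfigBuilder(InetSocketAddress inetSocketAddress,
            ServerInfo serverInfo, DtlsConnectorConfig.Builder builder, Configuration configuration,
            boolean clientInitiatedOnly, List<Certificate> certificates) {
        if (!serverInfo.isSecure()) {
            return null;
        }
        DtlsConnectorConfig rootConfig = builder.getIncompleteConfig();
        DtlsConnectorConfig.Builder effective = DtlsConnectorConfig.builder(rootConfig);
        effective.setAddress(inetSocketAddress);
        List<CipherSuite> rootSuites = rootConfig.getSupportedCipherSuites();

        if (serverInfo.secureMode == SecurityMode.PSK) {
            // Exactly one identity/key pair is known, so only PSK suites can ever complete a handshake.
            effective.setAdvancedPskStore(new AdvancedSinglePskStore(serverInfo.pskId, serverInfo.pskKey));
            filterCipherSuites(effective, rootSuites, true, false);
        } else if (serverInfo.secureMode == SecurityMode.RPK) {
            SingleCertificateProvider identity = new SingleCertificateProvider(serverInfo.privateKey,
                    serverInfo.publicKey);
            // Skips the private/public key consistency check at construction time; a mismatched pair
            // would then only show up as a failed handshake. NOTE(review): presumably done to avoid a
            // signing operation on constrained devices — confirm.
            identity.setVerifyKeyPair(false);
            effective.setCertificateIdentityProvider(identity);
            // The server is pinned: only the raw public key configured for this server is trusted.
            effective.setAdvancedCertificateVerifier(new StaticNewAdvancedCertificateVerifier.Builder()
                    .setTrustedRPKs(new RawPublicKeyIdentity[] { new RawPublicKeyIdentity(serverInfo.serverPublicKey) })
                    .build());
            filterCipherSuites(effective, rootSuites, false, true);
        } else if (serverInfo.secureMode == SecurityMode.X509) {
            SingleCertificateProvider identity = new SingleCertificateProvider(serverInfo.privateKey,
                    new Certificate[] { serverInfo.clientCertificate }, new CertificateType[0]);
            identity.setVerifyKeyPair(false); // same trade-off as in RPK mode
            effective.setCertificateIdentityProvider(identity);
            // How the server certificate is validated (trust anchors, pinning, name checks) is decided
            // by the verifier factory, not here.
            effective.setAdvancedCertificateVerifier(
                    new LwM2mCertificateVerifier(this.certificateVerifierFactory.create(serverInfo, certificates)));
            filterCipherSuites(effective, rootSuites, false, true);
        } else {
            throw new RuntimeException("Unable to create connector : unsupported security mode");
        }

        if (serverInfo.sni != null) {
            // Caveat: the SNI extension is sent in the clear in the ClientHello.
            effective.set(DtlsConfig.DTLS_USE_SERVER_NAME_INDICATION, true);
        }

        // DTLS role: honour an explicit user setting, otherwise default it. The role actually in
        // effect is tracked locally so the X.509 fallback below does not depend on the root and
        // effective builders sharing one Configuration instance.
        DtlsConfig.DtlsRole effectiveRole = rootConfig.getConfiguration().get(DtlsConfig.DTLS_ROLE);
        if (effectiveRole == null) {
            // Bootstrap and client-initiated-only setups never accept a server-initiated handshake.
            effectiveRole = (serverInfo.bootstrap || clientInitiatedOnly) ? DtlsConfig.DtlsRole.CLIENT_ONLY
                    : DtlsConfig.DtlsRole.BOTH;
            effective.set(DtlsConfig.DTLS_ROLE, effectiveRole);
        }

        if (effectiveRole == DtlsConfig.DtlsRole.BOTH && serverInfo.secureMode == SecurityMode.X509) {
            // Acting as DTLS server requires a certificate usable for server authentication; if the
            // client certificate only allows client authentication, fall back to CLIENT_ONLY.
            X509Certificate clientCert = (X509Certificate) serverInfo.clientCertificate;
            if (CertPathUtil.canBeUsedForAuthentication(clientCert, true)
                    && !CertPathUtil.canBeUsedForAuthentication(clientCert, false)) {
                effective.set(DtlsConfig.DTLS_ROLE, DtlsConfig.DtlsRole.CLIENT_ONLY);
                LOG.warn("Client certificate does not allow Server Authentication usage.\nThis will prevent a LWM2M server to initiate DTLS connection to this client.\nSee : https://github.com/eclipse/leshan/wiki/Server-Failover#about-connections");
            }
        }
        return effective;
    }

    /**
     * Restricts the builder's cipher suites to those matching the credential type in use.
     *
     * @param candidates the root configuration's suites; {@code null} leaves the builder untouched
     * @param keepPsk keep suites that are PSK based
     * @param keepCertificate keep suites that require a server Certificate message (RPK/X.509)
     */
    private void filterCipherSuites(DtlsConnectorConfig.Builder builder, List<CipherSuite> candidates,
            boolean keepPsk, boolean keepCertificate) {
        if (candidates == null) {
            return;
        }
        List<CipherSuite> selected = new ArrayList<>();
        for (CipherSuite suite : candidates) {
            if ((keepPsk && suite.isPskBased())
                    || (keepCertificate && suite.requiresServerCertificateMessage())) {
                selected.add(suite);
            }
        }
        // NOTE(review): an empty selection is handed to the builder as is; presumably rejected at
        // build() and then caught in createCoapEndpoint — confirm.
        builder.set(DtlsConfig.DTLS_CIPHER_SUITES, selected);
    }

    /** Wires the DTLS connector, configuration, log tag and context matcher into a CoAP endpoint builder. */
    protected CoapEndpoint.Builder createEndpointBuilder(DtlsConnectorConfig dtlsConnectorConfig,
            Configuration configuration) {
        CoapEndpoint.Builder endpointBuilder = new CoapEndpoint.Builder();
        endpointBuilder.setConnector(createSecuredConnector(dtlsConnectorConfig));
        endpointBuilder.setConfiguration(configuration);
        URI endpointUri = EndpointUriUtil.createUri(getProtocol().getUriScheme(), dtlsConnectorConfig.getAddress());
        endpointBuilder.setLoggingTag(getLoggingTag(endpointUri));
        endpointBuilder.setEndpointContextMatcher(createSecuredContextMatcher());
        return endpointBuilder;
    }

    /**
     * Context matcher that accepts any pair of principals.
     * <p>
     * The CoAP-level principal re-check is switched off; peer authentication is relied upon at the
     * DTLS layer, where this connector is configured with a single PSK / single trusted RPK / the
     * per-server X.509 verifier. NOTE(review): this holds as long as one connector serves exactly one
     * server — revisit if a connector is ever shared between servers.
     */
    protected EndpointContextMatcher createSecuredContextMatcher() {
        return new PrincipalEndpointContextMatcher() { // from class: org.eclipse.leshan.client.californium.endpoint.coaps.CoapsClientEndpointFactory.1
            protected boolean matchPrincipals(Principal principal, Principal principal2) {
                return true;
            }
        };
    }

    /** Creates the Scandium DTLS connector for the given configuration. */
    protected Connector createSecuredConnector(DtlsConnectorConfig dtlsConnectorConfig) {
        return new DTLSConnector(dtlsConnectorConfig);
    }

    /**
     * Maps between Scandium principals and Leshan peer identities.
     * <p>
     * X.509 identities are reduced to the CN of the distinguished name in both directions.
     */
    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public IdentityHandler createIdentityHandler() {
        return new IdentityHandler() { // from class: org.eclipse.leshan.client.californium.endpoint.coaps.CoapsClientEndpointFactory.2
            /**
             * @return the authenticated sender, or {@code null} when the source context carries no principal
             * @throws IllegalStateException for a principal type this handler does not understand
             */
            public LwM2mPeer getIdentity(Message message) {
                EndpointContext sourceContext = message.getSourceContext();
                InetSocketAddress peerAddress = sourceContext.getPeerAddress();
                Principal senderIdentity = sourceContext.getPeerIdentity();
                if (senderIdentity == null) {
                    return null;
                }
                if (senderIdentity instanceof PreSharedKeyIdentity) {
                    String pskId = ((PreSharedKeyIdentity) senderIdentity).getIdentity();
                    return new IpPeer(peerAddress, new PskIdentity(pskId));
                }
                if (senderIdentity instanceof RawPublicKeyIdentity) {
                    return new IpPeer(peerAddress,
                            new RpkIdentity(((RawPublicKeyIdentity) senderIdentity).getKey()));
                }
                if (senderIdentity instanceof X500Principal || senderIdentity instanceof X509CertPath) {
                    // Only the CN is kept; the rest of the DN is dropped.
                    String commonName = X509CertUtil.extractCN(senderIdentity.getName());
                    return new IpPeer(peerAddress, new X509Identity(commonName));
                }
                throw new IllegalStateException(String.format(
                        "Unable to extract sender identity : unexpected type of Principal %s [%s]",
                        senderIdentity.getClass(), senderIdentity.toString()));
            }

            /**
             * @param allowConnectionInitiation when {@code true} the context carries the "auto" handshake
             *        mode attribute, when {@code false} a plain address context is returned
             * @throws IllegalStateException for an unsupported identity or a non-IP peer
             */
            public EndpointContext createEndpointContext(LwM2mPeer lwM2mPeer, boolean allowConnectionInitiation) {
                Principal expectedPrincipal;
                if (lwM2mPeer.getIdentity() instanceof PskIdentity) {
                    expectedPrincipal = new PreSharedKeyIdentity(
                            ((PskIdentity) lwM2mPeer.getIdentity()).getPskIdentity());
                } else if (lwM2mPeer.getIdentity() instanceof RpkIdentity) {
                    expectedPrincipal = new RawPublicKeyIdentity(
                            ((RpkIdentity) lwM2mPeer.getIdentity()).getPublicKey());
                } else if (lwM2mPeer.getIdentity() instanceof X509Identity) {
                    // Distinguished name simplified to its CN part.
                    expectedPrincipal = new X500Principal(
                            "CN=" + ((X509Identity) lwM2mPeer.getIdentity()).getX509CommonName());
                } else {
                    throw new IllegalStateException(String.format("Unsupported Identity : %s", lwM2mPeer.getIdentity()));
                }
                if (!(lwM2mPeer instanceof IpPeer)) {
                    throw new IllegalStateException(String.format("Unsupported peer : %s", lwM2mPeer));
                }
                IpPeer ipPeer = (IpPeer) lwM2mPeer;
                // expectedPrincipal is non-null on every path that reaches this point.
                if (allowConnectionInitiation) {
                    return new MapBasedEndpointContext(ipPeer.getSocketAddress(), ipPeer.getVirtualHost(),
                            expectedPrincipal,
                            new MapBasedEndpointContext.Attributes().add(DtlsEndpointContext.KEY_HANDSHAKE_MODE, "auto"));
                }
                return new AddressEndpointContext(ipPeer.getSocketAddress(), ipPeer.getVirtualHost(), expectedPrincipal);
            }
        };
    }

    /**
     * Connection controller that drops DTLS state on the endpoint's connector.
     * <p>
     * With {@code resume == true} sessions are kept for resumption ({@code forceResumeAllSessions}),
     * otherwise all connection state is cleared ({@code clearConnectionState}). Non-DTLS connectors
     * are ignored.
     */
    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public CaliforniumConnectionController createConnectionController() {
        return new CaliforniumConnectionController() { // from class: org.eclipse.leshan.client.californium.endpoint.coaps.CoapsClientEndpointFactory.3
            @Override // org.eclipse.leshan.client.californium.CaliforniumConnectionController
            public void forceReconnection(Endpoint endpoint, LwM2mServer lwM2mServer, boolean resume) {
                Connector connector = ((CoapEndpoint) endpoint).getConnector();
                if (!(connector instanceof DTLSConnector)) {
                    return;
                }
                DTLSConnector dtlsConnector = (DTLSConnector) connector;
                if (resume) {
                    LOG.info("Clear DTLS session for resumption for server {}", lwM2mServer.getUri());
                    dtlsConnector.forceResumeAllSessions();
                } else {
                    LOG.info("Clear DTLS session for server {}", lwM2mServer.getUri());
                    dtlsConnector.clearConnectionState();
                }
            }
        };
    }

    /** Translates a DTLS handshake timeout into a Leshan {@link TimeoutException}; everything else is delegated. */
    @Override // org.eclipse.leshan.client.californium.endpoint.coap.CoapClientEndpointFactory, org.eclipse.leshan.client.californium.endpoint.CaliforniumClientEndpointFactory
    public ExceptionTranslator createExceptionTranslator() {
        return new DefaultExceptionTranslator() { // from class: org.eclipse.leshan.client.californium.endpoint.coaps.CoapsClientEndpointFactory.4
            public Exception translate(Request request, Throwable th) {
                if (th instanceof DtlsHandshakeTimeoutException) {
                    return new TimeoutException(TimeoutException.Type.DTLS_HANDSHAKE_TIMEOUT, th,
                            "Request %s timeout : dtls handshake timeout", new Object[] { request.getURI() });
                }
                return super.translate(request, th);
            }
        };
    }
}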
