package org.thingsboard.server.transport.lwm2m.secure;

import jakarta.annotation.PostConstruct;
import java.beans.ConstructorProperties;
import java.net.InetSocketAddress;
import java.security.cert.CertPath;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import org.eclipse.californium.elements.auth.RawPublicKeyIdentity;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.CertificateVerificationResult;
import org.eclipse.californium.scandium.dtls.ConnectionId;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.californium.scandium.dtls.HandshakeResultHandler;
import org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier;
import org.eclipse.californium.scandium.dtls.x509.StaticNewAdvancedCertificateVerifier;
import org.eclipse.californium.scandium.util.ServerNames;
import org.eclipse.leshan.server.security.NonUniqueSecurityInfoException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.thingsboard.common.util.JacksonUtil;
import org.thingsboard.server.common.data.DeviceProfile;
import org.thingsboard.server.common.data.StringUtils;
import org.thingsboard.server.common.data.device.credentials.lwm2m.LwM2MSecurityMode;
import org.thingsboard.server.common.data.device.credentials.lwm2m.X509ClientCredential;
import org.thingsboard.server.common.msg.EncryptionUtil;
import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
import org.thingsboard.server.common.transport.util.SslUtil;
import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportServerConfig;
import org.thingsboard.server.transport.lwm2m.secure.credentials.LwM2MClientCredentials;
import org.thingsboard.server.transport.lwm2m.server.client.LwM2MAuthException;
import org.thingsboard.server.transport.lwm2m.server.store.TbLwM2MDtlsSessionStore;
import org.thingsboard.server.transport.lwm2m.server.store.TbMainSecurityStore;
import org.thingsboard.server.transport.lwm2m.server.uplink.LwM2mTypeServer;

@TbLwM2mTransportComponent
@Component
/* loaded from: input_file:org/thingsboard/server/transport/lwm2m/secure/TbLwM2MDtlsCertificateVerifier.class */
public class TbLwM2MDtlsCertificateVerifier implements NewAdvancedCertificateVerifier {
    private static final Logger log = LoggerFactory.getLogger(TbLwM2MDtlsCertificateVerifier.class);
    private final TbLwM2MDtlsSessionStore sessionStorage;
    private final LwM2MTransportServerConfig config;
    private final LwM2mCredentialsSecurityInfoValidator securityInfoValidator;
    private final TbMainSecurityStore securityStore;
    private StaticNewAdvancedCertificateVerifier staticCertificateVerifier;

    @Value("${transport.lwm2m.server.security.skip_validity_check_for_client_cert:false}")
    private boolean skipValidityCheckForClientCert;

    public List<CertificateType> getSupportedCertificateTypes() {
        return Arrays.asList(CertificateType.X_509, CertificateType.RAW_PUBLIC_KEY);
    }

    @PostConstruct
    public void init() {
        try {
            if (this.config.getTrustSslCredentials() != null) {
                this.staticCertificateVerifier = new StaticNewAdvancedCertificateVerifier(this.config.getTrustSslCredentials().getTrustedCertificates(), new RawPublicKeyIdentity[0], (List) null);
            }
        } catch (Exception e) {
            log.warn("Failed to initialize the LwM2M certificate verifier", e);
        }
    }

    public CertificateVerificationResult verifyCertificate(ConnectionId connectionId, ServerNames serverNames, InetSocketAddress inetSocketAddress, boolean z, boolean z2, boolean z3, CertificateMessage certificateMessage) {
        TbLwM2MSecurityInfo tbLwM2MSecurityInfo;
        String certificateString;
        String sha3Hash;
        ValidateDeviceCredentialsResponse msg;
        CertPath certificateChain = certificateMessage.getCertificateChain();
        if (certificateChain == null) {
            return new CertificateVerificationResult(connectionId, certificateMessage.getPublicKey(), (Object) null);
        }
        try {
            boolean z4 = false;
            X509Certificate[] x509CertificateArr = (X509Certificate[]) certificateChain.getCertificates().toArray(new X509Certificate[0]);
            int length = x509CertificateArr.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                X509Certificate x509Certificate = x509CertificateArr[i];
                try {
                    if (!this.skipValidityCheckForClientCert) {
                        x509Certificate.checkValidity();
                    }
                    tbLwM2MSecurityInfo = null;
                    if (this.staticCertificateVerifier != null) {
                        HandshakeException exception = this.staticCertificateVerifier.verifyCertificate(connectionId, serverNames, inetSocketAddress, z, z2, z3, certificateMessage).getException();
                        if (exception == null) {
                            try {
                                String valueFromSubjectNameByKey = this.config.getTrustSslCredentials().getValueFromSubjectNameByKey(x509Certificate.getSubjectX500Principal().getName(), "CN");
                                if (StringUtils.isNotEmpty(valueFromSubjectNameByKey)) {
                                    tbLwM2MSecurityInfo = this.securityInfoValidator.getEndpointSecurityInfoByCredentialsId(valueFromSubjectNameByKey, LwM2mTypeServer.CLIENT);
                                }
                            } catch (LwM2MAuthException e) {
                                log.trace("Certificate trust validation failed.", e);
                            }
                        } else {
                            log.trace("Certificate trust validation failed.", exception);
                        }
                    }
                    certificateString = SslUtil.getCertificateString(x509Certificate);
                    sha3Hash = EncryptionUtil.getSha3Hash(certificateString);
                    if (tbLwM2MSecurityInfo == null || tbLwM2MSecurityInfo.getMsg() == null) {
                        try {
                            tbLwM2MSecurityInfo = this.securityInfoValidator.getEndpointSecurityInfoByCredentialsId(sha3Hash, LwM2mTypeServer.CLIENT);
                        } catch (LwM2MAuthException e2) {
                            log.trace("Failed find security info: {}", sha3Hash, e2);
                        }
                    }
                    msg = tbLwM2MSecurityInfo != null ? tbLwM2MSecurityInfo.getMsg() : null;
                } catch (CertificateEncodingException | CertificateExpiredException | CertificateNotYetValidException e3) {
                    log.error(e3.getMessage(), e3);
                }
                if (msg != null && StringUtils.isNotEmpty(msg.getCredentials())) {
                    LwM2MClientCredentials lwM2MClientCredentials = (LwM2MClientCredentials) JacksonUtil.fromString(msg.getCredentials(), LwM2MClientCredentials.class);
                    if (lwM2MClientCredentials.getClient().getSecurityConfigClientMode().equals(LwM2MSecurityMode.X509)) {
                        X509ClientCredential client = lwM2MClientCredentials.getClient();
                        String cert = client.getCert();
                        String endpoint = client.getEndpoint();
                        if (StringUtils.isBlank(cert) || certificateString.equals(cert)) {
                            z4 = true;
                            DeviceProfile deviceProfile = msg.getDeviceProfile();
                            if (msg.hasDeviceInfo() && deviceProfile != null) {
                                this.sessionStorage.put(endpoint, new TbX509DtlsSessionInfo(x509Certificate.getSubjectX500Principal().getName(), msg));
                                try {
                                    this.securityStore.putX509(tbLwM2MSecurityInfo);
                                } catch (NonUniqueSecurityInfoException e4) {
                                    log.trace("Failed to add security info: {}", tbLwM2MSecurityInfo, e4);
                                }
                                break;
                            }
                        } else {
                            log.trace("[{}][{}] Certificate mismatch. Expected: {}, Actual: {}", new Object[]{endpoint, sha3Hash, certificateString, cert});
                        }
                    } else {
                        i++;
                    }
                }
                i++;
            }
            if (z4) {
                return new CertificateVerificationResult(connectionId, certificateChain, (Object) null);
            }
            throw new HandshakeException("x509 verification not enabled!", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.INTERNAL_ERROR));
        } catch (HandshakeException e5) {
            log.trace("Certificate validation failed!", e5);
            return new CertificateVerificationResult(connectionId, e5, (Object) null);
        }
    }

    public List<X500Principal> getAcceptedIssuers() {
        return CertPathUtil.toSubjects((List) null);
    }

    public void setResultHandler(HandshakeResultHandler handshakeResultHandler) {
    }

    @ConstructorProperties({"sessionStorage", "config", "securityInfoValidator", "securityStore"})
    public TbLwM2MDtlsCertificateVerifier(TbLwM2MDtlsSessionStore tbLwM2MDtlsSessionStore, LwM2MTransportServerConfig lwM2MTransportServerConfig, LwM2mCredentialsSecurityInfoValidator lwM2mCredentialsSecurityInfoValidator, TbMainSecurityStore tbMainSecurityStore) {
        this.sessionStorage = tbLwM2MDtlsSessionStore;
        this.config = lwM2MTransportServerConfig;
        this.securityInfoValidator = lwM2mCredentialsSecurityInfoValidator;
        this.securityStore = tbMainSecurityStore;
    }
}
