package org.eclipse.leshan.server.security;

import java.security.PublicKey;
import java.util.Iterator;
import java.util.List;
import org.eclipse.leshan.core.request.Identity;
import org.eclipse.leshan.core.util.Hex;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/leshan/server/security/SecurityChecker.class */
/**
 * Decides whether a connecting client's transport identity is acceptable given
 * the security information registered for it.
 *
 * <p>The policy implemented here fails closed:
 * <ul>
 *   <li>an identity that is not secure is accepted only when no security
 *       information is registered for the client;</li>
 *   <li>a secure identity is accepted only when registered security information
 *       of the same kind (PSK, RPK or X.509) matches it;</li>
 *   <li>a secure identity that is neither PSK, RPK nor X.509 is rejected.</li>
 * </ul>
 *
 * <p>Every rejection is logged at debug level and every successful secure
 * authentication at trace level. The rejection messages include the presented
 * and the expected identity values.
 * NOTE(review): the presented values presumably originate from the connecting
 * peer; confirm that the log layout neutralises line breaks and control
 * characters.
 */
public class SecurityChecker {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityChecker.class);

    /**
     * Checks an identity against every registered security info and accepts it
     * as soon as one of them matches.
     *
     * @param str the client name used in log messages and, for X.509, as the
     *        expected certificate common name
     * @param identity the transport identity the client connected with
     * @param list the security infos registered for the client; may be
     *        {@code null} or empty
     * @return {@code true} if the identity is not secure and {@code list} is
     *         {@code null} or empty, or if the identity is secure and at least
     *         one entry matches; {@code false} otherwise
     */
    public boolean checkSecurityInfos(String str, Identity identity, List<SecurityInfo> list) {
        final boolean secure = identity.isSecure();
        final boolean nothingRegistered = list == null || list.isEmpty();

        if (!secure) {
            // A client with registered credentials must not fall back to an unsecured connection.
            if (!nothingRegistered) {
                LOG.debug("Client '{}' must connect using DTLS", str);
            }
            return nothingRegistered;
        }

        if (nothingRegistered) {
            LOG.debug("Client '{}' without security info try to connect through the secure endpoint", str);
            return false;
        }

        for (SecurityInfo candidate : list) {
            if (checkSecurityInfo(str, identity, candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks an identity against a single registered security info.
     *
     * @param str the client name used in log messages and, for X.509, as the
     *        expected certificate common name
     * @param identity the transport identity the client connected with
     * @param securityInfo the security info registered for the client; may be
     *        {@code null}
     * @return {@code true} if the identity is not secure and
     *         {@code securityInfo} is {@code null}, or if the identity is secure
     *         and matches {@code securityInfo}; {@code false} otherwise,
     *         including when the identity's authentication mode is not
     *         recognised
     */
    public boolean checkSecurityInfo(String str, Identity identity, SecurityInfo securityInfo) {
        final boolean secure = identity.isSecure();
        final boolean nothingRegistered = securityInfo == null;

        if (!secure) {
            // A client with registered credentials must not fall back to an unsecured connection.
            if (!nothingRegistered) {
                LOG.debug("Client '{}' must connect using DTLS", str);
            }
            return nothingRegistered;
        }

        if (nothingRegistered) {
            LOG.debug("Client '{}' without security info try to connect through the secure endpoint", str);
            return false;
        }

        // Dispatch on the mode the identity reports; anything else is rejected.
        if (identity.isPSK()) {
            return checkPskIdentity(str, identity, securityInfo);
        } else if (identity.isRPK()) {
            return checkRpkIdentity(str, identity, securityInfo);
        } else if (identity.isX509()) {
            return checkX509Identity(str, identity, securityInfo);
        }

        LOG.debug("Unable to authenticate client '{}': unknown authentication mode", str);
        return false;
    }

    /**
     * Accepts a PSK identity only if the registered security info uses PSK and
     * its identity equals the one presented.
     *
     * @param str the client name used in log messages
     * @param identity the PSK identity the client connected with
     * @param securityInfo the registered security info, not {@code null}
     * @return {@code true} if the client is authenticated
     */
    protected boolean checkPskIdentity(String str, Identity identity, SecurityInfo securityInfo) {
        if (securityInfo.usePSK()) {
            final boolean authenticated =
                    matchPskIdentity(str, identity.getPskIdentity(), securityInfo.getIdentity());
            if (authenticated) {
                LOG.trace("Authenticated client '{}' using DTLS PSK", str);
            }
            return authenticated;
        }

        LOG.debug("Client '{}' is not supposed to use PSK to authenticate", str);
        return false;
    }

    /**
     * Compares the presented PSK identity with the expected one using
     * {@link String#equals(Object)}.
     *
     * @param str the client name used in log messages
     * @param str2 the PSK identity that was presented; a {@code null} value
     *        raises {@link NullPointerException} rather than matching
     * @param str3 the PSK identity that was expected
     * @return {@code true} if both identities are equal
     */
    protected boolean matchPskIdentity(String str, String str2, String str3) {
        final boolean same = str2.equals(str3);
        if (!same) {
            LOG.debug("Invalid identity for client '{}': expected '{}' but was '{}'", str, str3, str2);
        }
        return same;
    }

    /**
     * Accepts an RPK identity only if the registered security info uses RPK and
     * its public key equals the one presented.
     *
     * @param str the client name used in log messages
     * @param identity the RPK identity the client connected with
     * @param securityInfo the registered security info, not {@code null}
     * @return {@code true} if the client is authenticated
     */
    protected boolean checkRpkIdentity(String str, Identity identity, SecurityInfo securityInfo) {
        if (securityInfo.useRPK()) {
            final boolean authenticated =
                    matchRpkIdenity(str, identity.getRawPublicKey(), securityInfo.getRawPublicKey());
            if (authenticated) {
                LOG.trace("authenticated client '{}' using DTLS RPK", str);
            }
            return authenticated;
        }

        LOG.debug("Client '{}' is not supposed to use RPK to authenticate", str);
        return false;
    }

    /**
     * Compares the presented raw public key with the expected one using
     * {@link Object#equals(Object)} on the presented key.
     *
     * @param str the client name used in log messages
     * @param publicKey the public key that was presented; a {@code null} value
     *        raises {@link NullPointerException} rather than matching
     * @param publicKey2 the public key that was expected
     * @return {@code true} if both keys are equal
     */
    protected boolean matchRpkIdenity(String str, PublicKey publicKey, PublicKey publicKey2) {
        final boolean same = publicKey.equals(publicKey2);
        // Hex-encoding both keys is only worth doing when the message will be written.
        if (!same && LOG.isDebugEnabled()) {
            final String expectedHex = Hex.encodeHexString(publicKey2.getEncoded());
            final String presentedHex = Hex.encodeHexString(publicKey.getEncoded());
            LOG.debug("Invalid rpk for client {}: expected \n'{}'\n but was \n'{}'", str, expectedHex, presentedHex);
        }
        return same;
    }

    /**
     * Accepts an X.509 identity only if the registered security info uses X.509
     * certificates and the certificate common name equals {@code str}.
     *
     * <p>Only names are compared here; this method does not validate a
     * certificate.
     * NOTE(review): chain and validity checks are presumably done by the DTLS
     * layer before the {@code Identity} is built; confirm.
     *
     * @param str the client name, which is also the expected common name
     * @param identity the X.509 identity the client connected with
     * @param securityInfo the registered security info, not {@code null}
     * @return {@code true} if the client is authenticated
     */
    protected boolean checkX509Identity(String str, Identity identity, SecurityInfo securityInfo) {
        if (securityInfo.useX509Cert()) {
            final boolean authenticated = matchX509Identity(str, identity.getX509CommonName(), str);
            if (authenticated) {
                LOG.trace("authenticated client '{}' using DTLS X509 certificates", str);
            }
            return authenticated;
        }

        LOG.debug("Client '{}' is not supposed to use X509 certificate to authenticate", str);
        return false;
    }

    /**
     * Compares the presented certificate common name with the expected one
     * using {@link String#equals(Object)}.
     *
     * @param str the client name used in log messages
     * @param str2 the common name that was presented; a {@code null} value
     *        raises {@link NullPointerException} rather than matching
     * @param str3 the common name that was expected
     * @return {@code true} if both names are equal
     */
    protected boolean matchX509Identity(String str, String str2, String str3) {
        final boolean same = str2.equals(str3);
        if (!same) {
            LOG.debug("Invalid certificate common name for client '{}': expected \n'{}'\n but was \n'{}'", str, str3, str2);
        }
        return same;
    }
}
