package org.eclipse.californium.elements.tcp.netty;

import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.concurrent.CancellationException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.eclipse.californium.elements.EndpointContext;
import org.eclipse.californium.elements.EndpointContextMatcher;
import org.eclipse.californium.elements.RawData;
import org.eclipse.californium.elements.TlsEndpointContext;
import org.eclipse.californium.elements.auth.X509CertPath;
import org.eclipse.californium.elements.config.CertificateAuthenticationMode;
import org.eclipse.californium.elements.config.Configuration;
import org.eclipse.californium.elements.config.TcpConfig;
import org.eclipse.californium.elements.util.CertPathUtil;
import org.eclipse.californium.elements.util.JceProviderUtil;
import org.eclipse.californium.elements.util.SslContextUtil;
import org.eclipse.californium.elements.util.StringUtil;

/* loaded from: input_file:org/eclipse/californium/elements/tcp/netty/TlsClientConnector.class */
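/**
 * TCP client connector that wraps every new channel in a TLS {@link SslHandler}.
 * <p>
 * Data is only handed to the TCP layer once the TLS handshake has completed and a
 * {@link TlsEndpointContext} with a session id is available. If
 * {@link TcpConfig#TLS_VERIFY_SERVER_CERTIFICATES_SUBJECT} is enabled, the server's
 * certificate subject is additionally matched against the destination (virtual host
 * or literal IP) before the first send; a mismatch is reported to the caller as an
 * {@link SSLPeerUnverifiedException} via {@link RawData#onError(Throwable)}.
 * <p>
 * Note (decompiled listing): {@code send} and {@code verifyCertificatesSubject} were
 * originally {@code protected}/{@code private}; their visibility is kept as shown here
 * so existing callers are not broken.
 */
public class TlsClientConnector extends TcpClientConnector {
    private final SSLContext sslContext;
    /**
     * Restricted cipher-suite list, set only when the JCE provider reports no strong
     * encryption; {@code null} means the engine's defaults are left untouched.
     */
    private final String[] weakCipherSuites;
    private final int handshakeTimeoutMillis;
    /** Whether the server certificate's subject must match the destination before data is sent. */
    private final boolean verifyServerSubject;

    /**
     * Creates a TLS client connector.
     *
     * @param sSLContext SSL context used to create one {@link SSLEngine} per channel
     * @param configuration configuration providing {@link TcpConfig#TLS_HANDSHAKE_TIMEOUT}
     *            and {@link TcpConfig#TLS_VERIFY_SERVER_CERTIFICATES_SUBJECT}
     */
    public TlsClientConnector(SSLContext sSLContext, Configuration configuration) {
        // Client side: the peer (server) certificate is marked as NEEDED for the endpoint context.
        super(configuration, new TlsContextUtil(CertificateAuthenticationMode.NEEDED));
        this.sslContext = sSLContext;
        this.handshakeTimeoutMillis = configuration.getTimeAsInt(TcpConfig.TLS_HANDSHAKE_TIMEOUT, TimeUnit.MILLISECONDS);
        this.verifyServerSubject = ((Boolean) configuration.get(TcpConfig.TLS_VERIFY_SERVER_CERTIFICATES_SUBJECT)).booleanValue();
        // Deliberate downgrade path: only when the provider lacks strong encryption do we
        // narrow the enabled suites to the weak ones the context util reports.
        this.weakCipherSuites = JceProviderUtil.hasStrongEncryption() ? null : SslContextUtil.getWeakCipherSuites(sSLContext);
    }

    /**
     * Sends {@code rawData} once the channel's TLS handshake has completed.
     * <p>
     * Failures are reported through {@link RawData#onError(Throwable)}: a missing
     * {@link SslHandler}, a failed or cancelled handshake, a missing TLS endpoint
     * context / session id, or (when enabled) a server subject that does not match
     * the destination.
     *
     * @param channel channel to send on; must carry an {@link SslHandler}
     * @param endpointContextMatcher matcher passed through to the TCP layer
     * @param rawData data to send
     */
    @Override // org.eclipse.californium.elements.tcp.netty.TcpClientConnector
    public void send(final Channel channel, final EndpointContextMatcher endpointContextMatcher, final RawData rawData) {
        SslHandler sslHandler = channel.pipeline().get(SslHandler.class);
        if (sslHandler == null) {
            rawData.onError(new IllegalStateException("Missing SslHandler"));
            return;
        }
        // Netty invokes the listener immediately if the handshake already completed.
        sslHandler.handshakeFuture().addListener(new GenericFutureListener<Future<Channel>>() { // from class: org.eclipse.californium.elements.tcp.netty.TlsClientConnector.1
            @Override
            public void operationComplete(Future<Channel> future) throws Exception {
                if (!future.isSuccess()) {
                    rawData.onError(future.isCancelled() ? new CancellationException() : future.cause());
                    return;
                }
                EndpointContext context = TlsClientConnector.this.contextUtil.buildEndpointContext(channel);
                if (context == null || context.get(TlsEndpointContext.KEY_SESSION_ID) == null) {
                    rawData.onError(new IllegalStateException("Missing TlsEndpointContext " + context));
                    return;
                }
                if (TlsClientConnector.this.verifyServerSubject) {
                    try {
                        TlsClientConnector.this.checkServerSubject(context);
                    } catch (SSLPeerUnverifiedException e) {
                        rawData.onError(e);
                        return;
                    }
                }
                TlsClientConnector.super.send((Channel) future.getNow(), endpointContextMatcher, rawData);
            }
        });
    }

    /**
     * Matches the peer's certificate subject against the destination of a completed handshake.
     * <p>
     * Only an {@link X509CertPath} identity is checked here; any other identity passes this
     * method unchanged. NOTE(review): presumably a missing certificate is already rejected by
     * {@code TlsContextUtil(NEEDED)} when the context is built — confirm, since this method
     * itself does not fail closed for a non-X.509 identity.
     *
     * @param context endpoint context built after the handshake
     * @throws SSLPeerUnverifiedException if the certificate does not match the destination
     */
    private void checkServerSubject(EndpointContext context) throws SSLPeerUnverifiedException {
        Principal peerIdentity = context.getPeerIdentity();
        if (peerIdentity instanceof X509CertPath) {
            X509Certificate serverCertificate = ((X509CertPath) peerIdentity).getTarget();
            verifyCertificatesSubject(context.getVirtualHost(), context.getPeerAddress(), serverCertificate);
        }
    }

    /**
     * Installs a client-mode {@link SslHandler} as the first handler of a freshly created channel.
     *
     * @param socketAddress remote address the channel was created for
     * @param channel the new channel
     */
    @Override // org.eclipse.californium.elements.tcp.netty.TcpClientConnector
    protected void onNewChannelCreated(SocketAddress socketAddress, Channel channel) {
        SSLEngine engine = createSslEngine(socketAddress);
        engine.setUseClientMode(true);
        if (this.weakCipherSuites != null) {
            // Explicit downgrade, taken only when the JCE provider lacks strong encryption.
            engine.setEnabledCipherSuites(this.weakCipherSuites);
        }
        // Must be typed as SslHandler: the handshake-timeout setter is not on ChannelHandler.
        SslHandler sslHandler = new SslHandler(engine);
        sslHandler.setHandshakeTimeoutMillis(this.handshakeTimeoutMillis);
        // First in the pipeline so every byte in either direction passes through TLS.
        channel.pipeline().addFirst(sslHandler);
    }

    @Override // org.eclipse.californium.elements.tcp.netty.TcpClientConnector
    public String getProtocol() {
        return "TLS";
    }

    /**
     * Creates the {@link SSLEngine} for a remote address.
     * <p>
     * For a resolved {@link InetSocketAddress} the engine is created with the IP literal and
     * port as peer hint; a host name is not passed, so host-name matching relies on
     * {@link #verifyCertificatesSubject} rather than on the engine's endpoint identification.
     * Non-inet or unresolved addresses get an engine without a peer hint instead of a
     * {@link NullPointerException} on the missing {@link InetAddress}.
     *
     * @param socketAddress remote address
     * @return new engine (client mode is set by the caller)
     */
    private SSLEngine createSslEngine(SocketAddress socketAddress) {
        if (!(socketAddress instanceof InetSocketAddress)) {
            this.LOGGER.info("Connection to {}", StringUtil.toLog(socketAddress));
            return this.sslContext.createSSLEngine();
        }
        this.LOGGER.info("Connection to inet {}", StringUtil.toLog(socketAddress));
        InetSocketAddress inetSocketAddress = (InetSocketAddress) socketAddress;
        InetAddress address = inetSocketAddress.getAddress();
        if (address == null) {
            // Unresolved address: no IP literal to hint with; behave like the non-inet branch.
            return this.sslContext.createSSLEngine();
        }
        return this.sslContext.createSSLEngine(address.getHostAddress(), inetSocketAddress.getPort());
    }

    /**
     * Verifies that a server certificate matches the destination it was presented for.
     * <p>
     * The destination name is the virtual host, falling back to the host string of the peer
     * address. When that name is just the peer's IP literal, the literal-IP match is used
     * instead. With neither a virtual host nor a peer address the check is skipped (no-op).
     *
     * @param str virtual host name, may be {@code null}
     * @param inetSocketAddress peer address, may be {@code null}
     * @param x509Certificate server certificate, must not be {@code null}
     * @throws SSLPeerUnverifiedException if the certificate matches neither the destination
     *             name nor the literal IP
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     */
    public void verifyCertificatesSubject(String str, InetSocketAddress inetSocketAddress, X509Certificate x509Certificate) throws SSLPeerUnverifiedException {
        if (x509Certificate == null) {
            throw new NullPointerException("Certficate must not be null!");
        }
        if (str == null && inetSocketAddress == null) {
            // Nothing to match against: deliberately a no-op, not a failure.
            return;
        }
        String literalIp = null;
        String destination = str;
        if (inetSocketAddress != null) {
            InetAddress address = inetSocketAddress.getAddress();
            if (address != null) {
                literalIp = address.getHostAddress();
            }
            if (destination == null) {
                destination = StringUtil.toHostString(inetSocketAddress);
            }
        }
        if (destination != null && destination.equals(literalIp)) {
            // The "name" is only the IP literal; route it to the literal-IP match below.
            destination = null;
        }
        if (destination != null) {
            if (!CertPathUtil.matchDestination(x509Certificate, destination)) {
                String subjectsCn = CertPathUtil.getSubjectsCn(x509Certificate);
                this.LOGGER.debug("Certificate {} validation failed: destination doesn't match", subjectsCn);
                throw new SSLPeerUnverifiedException("Certificate " + subjectsCn + ": Destination '" + destination + "' doesn't match!");
            }
            return;
        }
        if (!CertPathUtil.matchLiteralIP(x509Certificate, literalIp)) {
            String subjectsCn = CertPathUtil.getSubjectsCn(x509Certificate);
            this.LOGGER.debug("Certificate {} validation failed: literal IP doesn't match", subjectsCn);
            throw new SSLPeerUnverifiedException("Certificate " + subjectsCn + ": Literal IP " + literalIp + " doesn't match!");
        }
    }
}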
