package org.eclipse.leshan.server.bootstrap;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.eclipse.leshan.core.SecurityMode;
import org.eclipse.leshan.core.node.InvalidLwM2mPathException;
import org.eclipse.leshan.core.node.LwM2mPath;
import org.eclipse.leshan.core.oscore.InvalidOscoreSettingException;
import org.eclipse.leshan.core.oscore.OscoreSetting;
import org.eclipse.leshan.core.oscore.OscoreValidator;
import org.eclipse.leshan.core.util.SecurityUtil;
import org.eclipse.leshan.core.util.StringUtils;
import org.eclipse.leshan.server.bootstrap.BootstrapConfig;

/* loaded from: input_file:org/eclipse/leshan/server/bootstrap/ConfigurationChecker.class */
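/**
 * Checks that a {@link BootstrapConfig} is internally consistent before it is used.
 *
 * <p>For every security entry the checker verifies the mandatory fields, the credentials required
 * by the entry's {@link SecurityMode}, and that a referenced OSCORE object exists. It then
 * validates every OSCORE object and checks that each server entry has a matching, non-bootstrap
 * security entry. Any violation is reported as an {@link InvalidConfigurationException}.
 *
 * <p>The {@code check*}, {@code validate*} and {@code decode*} methods are {@code protected} so
 * that a subclass can adjust an individual rule.
 */
public class ConfigurationChecker {
    private OscoreValidator oscoreValidator = new OscoreValidator();

    /**
     * Validates the whole bootstrap configuration.
     *
     * @param bootstrapConfig the configuration to check
     * @throws InvalidConfigurationException if any path, security entry, OSCORE object or server
     *     entry is invalid
     */
    public void verify(BootstrapConfig bootstrapConfig) throws InvalidConfigurationException {
        validatePath(bootstrapConfig.toDelete);
        for (Map.Entry<Integer, BootstrapConfig.ServerSecurity> entry : bootstrapConfig.security.entrySet()) {
            BootstrapConfig.ServerSecurity security = entry.getValue();
            // Mandatory fields are checked before the switch: a missing security mode must be
            // reported as an invalid configuration, not surface as a NullPointerException from
            // switching on null.
            validateMandatoryField(security);
            switch (security.securityMode) {
                case NO_SEC:
                    checkNoSec(security);
                    break;
                case PSK:
                    checkPSK(security);
                    break;
                case RPK:
                    checkRPK(security);
                    break;
                case X509:
                    checkX509(security);
                    break;
                case EST:
                    // The entry is passed as an extra argument although the message has no
                    // format specifier; kept as is so the exception is built the same way.
                    throw new InvalidConfigurationException("EST is not currently supported.", entry);
                default:
                    // NOTE(review): any other mode passes without a credential check. Confirm
                    // SecurityMode has no further values, or reject unknown modes here.
                    break;
            }
            validateOscoreObjectExist(security, bootstrapConfig);
        }
        for (BootstrapConfig.OscoreObject oscoreObject : bootstrapConfig.oscore.values()) {
            checkOscore(oscoreObject);
        }
        validateOneSecurityByServer(bootstrapConfig);
    }

    /**
     * NO-SEC mode: none of the three credential fields may carry data.
     *
     * @param serverSecurity the security entry to check
     * @throws InvalidConfigurationException if a credential field is not empty
     */
    protected void checkNoSec(BootstrapConfig.ServerSecurity serverSecurity) throws InvalidConfigurationException {
        assertIf(!isEmpty(serverSecurity.secretKey), "NO-SEC mode, secret key must be empty");
        assertIf(!isEmpty(serverSecurity.publicKeyOrId), "NO-SEC mode, public key or ID must be empty");
        assertIf(!isEmpty(serverSecurity.serverPublicKey), "NO-SEC mode, server public key must be empty");
    }

    /**
     * Pre-shared-key mode: the secret key and the identity must be present, and the identity
     * bytes must survive a decode/encode round trip through UTF-8.
     *
     * @param serverSecurity the security entry to check
     * @throws InvalidConfigurationException if a field is missing or the identity is not UTF-8
     */
    protected void checkPSK(BootstrapConfig.ServerSecurity serverSecurity) throws InvalidConfigurationException {
        assertIf(isEmpty(serverSecurity.secretKey), "pre-shared-key mode, secret key must not be empty");
        assertIf(isEmpty(serverSecurity.publicKeyOrId), "pre-shared-key mode, public key or id must not be empty");
        // Encode with an explicit charset: the no-argument getBytes() uses the platform default,
        // which would reject valid non-ASCII identities wherever that default is not UTF-8.
        byte[] roundTripped = new String(serverSecurity.publicKeyOrId, StandardCharsets.UTF_8)
                .getBytes(StandardCharsets.UTF_8);
        // This fires when the identity is NOT valid UTF-8, so the message states the requirement.
        assertIf(!Arrays.equals(serverSecurity.publicKeyOrId, roundTripped),
                "pre-shared-key mode, public key or id must be an utf8 string");
    }

    /**
     * Raw-public-key mode: the private key, the client public key and the server public key
     * must all be present and decodable.
     *
     * @param serverSecurity the security entry to check
     * @throws InvalidConfigurationException if a field is missing or cannot be decoded
     */
    protected void checkRPK(BootstrapConfig.ServerSecurity serverSecurity) throws InvalidConfigurationException {
        assertIf(isEmpty(serverSecurity.secretKey), "raw-public-key mode, secret key must not be empty");
        assertIf(decodeRfc5958PrivateKey(serverSecurity.secretKey) == null, "raw-public-key mode, secret key must be RFC5958 encoded private key");
        assertIf(isEmpty(serverSecurity.publicKeyOrId), "raw-public-key mode, public key or id must not be empty");
        assertIf(decodeRfc7250PublicKey(serverSecurity.publicKeyOrId) == null, "raw-public-key mode, public key or id must be RFC7250 encoded public key");
        assertIf(isEmpty(serverSecurity.serverPublicKey), "raw-public-key mode, server public key must not be empty");
        assertIf(decodeRfc7250PublicKey(serverSecurity.serverPublicKey) == null, "raw-public-key mode, server public key must be RFC7250 encoded public key");
    }

    /**
     * X.509 mode: the private key, the client certificate and the server certificate must all
     * be present and decodable. Only decoding is checked here; nothing in this method validates
     * a certificate chain, validity period or key/certificate match.
     *
     * @param serverSecurity the security entry to check
     * @throws InvalidConfigurationException if a field is missing or cannot be decoded
     */
    protected void checkX509(BootstrapConfig.ServerSecurity serverSecurity) throws InvalidConfigurationException {
        assertIf(isEmpty(serverSecurity.secretKey), "x509 mode, secret key must not be empty");
        assertIf(decodeRfc5958PrivateKey(serverSecurity.secretKey) == null, "x509 mode, secret key must be RFC5958 encoded private key");
        assertIf(isEmpty(serverSecurity.publicKeyOrId), "x509 mode, public key or id must not be empty");
        assertIf(decodeCertificate(serverSecurity.publicKeyOrId) == null, "x509 mode, public key or id must be DER encoded X.509 certificate");
        assertIf(isEmpty(serverSecurity.serverPublicKey), "x509 mode, server public key must not be empty");
        assertIf(decodeCertificate(serverSecurity.serverPublicKey) == null, "x509 mode, server public key must be DER encoded X.509 certificate");
    }

    /**
     * Builds an {@link OscoreSetting} from the given OSCORE object and runs it through the
     * {@link OscoreValidator}.
     *
     * @param oscoreObject the OSCORE object to check
     * @throws InvalidConfigurationException if the validator rejects the setting
     */
    protected void checkOscore(BootstrapConfig.OscoreObject oscoreObject) throws InvalidConfigurationException {
        OscoreSetting setting = new OscoreSetting(oscoreObject.oscoreSenderId, oscoreObject.oscoreRecipientId, oscoreObject.oscoreMasterSecret, oscoreObject.oscoreAeadAlgorithm, oscoreObject.oscoreHmacAlgorithm, oscoreObject.oscoreMasterSalt);
        try {
            this.oscoreValidator.validateOscoreSetting(setting);
        } catch (InvalidOscoreSettingException e) {
            // NOTE(review): the setting is rendered into the exception message with %s. If
            // OscoreSetting.toString() prints the master secret or salt, they end up in logs
            // and error responses; confirm that toString() redacts them.
            throw new InvalidConfigurationException(e, "oscore mode, invalid %s : %s", setting, e.getMessage());
        }
    }

    /**
     * Checks that the OSCORE object referenced by a security entry is present in the
     * configuration. Entries without an OSCORE reference are accepted.
     *
     * @param serverSecurity the security entry holding the optional OSCORE reference
     * @param bootstrapConfig the configuration holding the OSCORE objects
     * @throws InvalidConfigurationException if the referenced OSCORE object is missing
     */
    protected void validateOscoreObjectExist(BootstrapConfig.ServerSecurity serverSecurity, BootstrapConfig bootstrapConfig) throws InvalidConfigurationException {
        if (serverSecurity.oscoreSecurityMode == null) {
            return;
        }
        assertIf(isNull(bootstrapConfig.oscore.get(serverSecurity.oscoreSecurityMode)), "oscore mode, no oscore Object with instance " + serverSecurity.oscoreSecurityMode);
    }

    /**
     * Checks that every string in the list parses as a {@link LwM2mPath}.
     *
     * @param list the paths to check
     * @throws InvalidConfigurationException on the first path that does not parse
     */
    protected void validatePath(List<String> list) throws InvalidConfigurationException {
        for (String path : list) {
            try {
                // Constructed only for its parsing side effect; the instance is discarded.
                new LwM2mPath(path);
            } catch (InvalidLwM2mPathException e) {
                throw new InvalidConfigurationException(String.format(" %s is not a valid path", path), (Throwable) e);
            }
        }
    }

    /**
     * Checks the fields every security entry must carry: a server URI and a security mode.
     *
     * @param serverSecurity the security entry to check
     * @throws InvalidConfigurationException if the URI is empty or the security mode is null
     */
    protected void validateMandatoryField(BootstrapConfig.ServerSecurity serverSecurity) throws InvalidConfigurationException {
        if (StringUtils.isEmpty(serverSecurity.uri)) {
            throw new InvalidConfigurationException("LwM2M Server URI is mandatory");
        }
        if (serverSecurity.securityMode == null) {
            throw new InvalidConfigurationException("Security Mode is mandatory");
        }
    }

    /**
     * Checks that each server entry has a non-zero short ID and a security entry with the
     * same server ID.
     *
     * @param bootstrapConfig the configuration to check
     * @throws InvalidConfigurationException if a short ID is 0 or no security entry matches
     */
    protected void validateOneSecurityByServer(BootstrapConfig bootstrapConfig) throws InvalidConfigurationException {
        for (Map.Entry<Integer, BootstrapConfig.ServerConfig> entry : bootstrapConfig.servers.entrySet()) {
            BootstrapConfig.ServerConfig server = entry.getValue();
            if (server.shortId == 0) {
                throw new InvalidConfigurationException("short ID must not be 0");
            }
            BootstrapConfig.ServerSecurity match = getSecurityEntry(bootstrapConfig, server.shortId);
            if (match == null) {
                throw new InvalidConfigurationException("no security entry for server instance: " + entry.getKey());
            }
            // getSecurityEntry already skips bootstrap-server entries, so this cannot fire
            // today; it is kept as a second guard in case that lookup changes.
            if (match.bootstrapServer) {
                throw new InvalidConfigurationException("the security entry for server  " + entry.getKey() + " should not be a bootstrap server");
            }
        }
    }

    /**
     * Decodes a private key with {@code SecurityUtil.privateKey}.
     *
     * @param bArr the encoded private key
     * @return the decoded key
     * @throws InvalidConfigurationException if decoding fails; the message does not include
     *     the key bytes, the decoder's exception is attached as the cause
     */
    protected PrivateKey decodeRfc5958PrivateKey(byte[] bArr) throws InvalidConfigurationException {
        try {
            return (PrivateKey) SecurityUtil.privateKey.decode(bArr);
        } catch (IOException | GeneralSecurityException e) {
            throw new InvalidConfigurationException("Failed to decode RFC5958 private key", e);
        }
    }

    /**
     * Decodes a public key with {@code SecurityUtil.publicKey}.
     *
     * @param bArr the encoded public key
     * @return the decoded key
     * @throws InvalidConfigurationException if decoding fails
     */
    protected PublicKey decodeRfc7250PublicKey(byte[] bArr) throws InvalidConfigurationException {
        try {
            return (PublicKey) SecurityUtil.publicKey.decode(bArr);
        } catch (IOException | GeneralSecurityException e) {
            throw new InvalidConfigurationException("Failed to decode RFC7250 public key", e);
        }
    }

    /**
     * Decodes a certificate with {@code SecurityUtil.certificate}.
     *
     * @param bArr the encoded certificate
     * @return the decoded certificate
     * @throws InvalidConfigurationException if decoding fails
     */
    protected Certificate decodeCertificate(byte[] bArr) throws InvalidConfigurationException {
        try {
            return (Certificate) SecurityUtil.certificate.decode(bArr);
        } catch (IOException | GeneralSecurityException e) {
            throw new InvalidConfigurationException("Failed to decode X.509 certificate", e);
        }
    }

    /**
     * Throws when the given condition holds. Note the polarity: the argument is the
     * <em>failure</em> condition, not the condition that is expected to be true.
     *
     * @param z the failure condition
     * @param str the exception message
     * @throws InvalidConfigurationException if {@code z} is true
     */
    protected static void assertIf(boolean z, String str) throws InvalidConfigurationException {
        if (z) {
            throw new InvalidConfigurationException(str);
        }
    }

    /**
     * @param bArr the array to test
     * @return true if the array is null or has length 0
     */
    protected static boolean isEmpty(byte[] bArr) {
        return bArr == null || bArr.length == 0;
    }

    /**
     * @param obj the reference to test
     * @return true if the reference is null
     */
    protected static boolean isNull(Object obj) {
        return obj == null;
    }

    /**
     * Finds the first non-bootstrap security entry whose server ID equals the given short ID.
     *
     * @param bootstrapConfig the configuration to search
     * @param i the server short ID to look for
     * @return the matching security entry, or null if there is none
     */
    protected static BootstrapConfig.ServerSecurity getSecurityEntry(BootstrapConfig bootstrapConfig, int i) {
        for (BootstrapConfig.ServerSecurity candidate : bootstrapConfig.security.values()) {
            // An entry without a server ID cannot match; skipping it avoids a
            // NullPointerException from unboxing while validating an incomplete configuration.
            if (!candidate.bootstrapServer && candidate.serverId != null && candidate.serverId.intValue() == i) {
                return candidate;
            }
        }
        return null;
    }
}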
