package org.eclipse.californium.scandium.dtls;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.ScheduledExecutorService;
import org.eclipse.californium.elements.category.Medium;
import org.eclipse.californium.elements.rule.ThreadsRule;
import org.eclipse.californium.elements.util.ClockUtil;
import org.eclipse.californium.elements.util.DatagramWriter;
import org.eclipse.californium.elements.util.TestScheduledExecutorService;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.cipher.CipherSuite;
import org.eclipse.californium.scandium.dtls.cipher.XECDHECryptography;
import org.eclipse.californium.scandium.dtls.pskstore.AdvancedSinglePskStore;
import org.eclipse.californium.scandium.dtls.x509.StaticNewAdvancedCertificateVerifier;
import org.eclipse.californium.scandium.util.ServerName;
import org.eclipse.californium.scandium.util.ServerNames;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;

@Category({Medium.class})
/* loaded from: input_file:org/eclipse/californium/scandium/dtls/ServerHandshakerTest.class */
public class ServerHandshakerTest {
    static final CipherSuite SERVER_CIPHER_SUITE = CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8;
    static final int ETHERNET_MTU = 1500;
    static PrivateKey privateKey;
    static X509Certificate[] certificateChain;
    static X509Certificate[] trustedCertificates;
    DtlsConnectorConfig config;
    ServerHandshaker handshaker;
    DTLSSession session;
    InetSocketAddress endpoint;
    byte[] supportedClientCiphers;
    byte[] random;
    byte[] clientHelloMsg;
    SimpleRecordLayer recordLayer;
    ScheduledExecutorService timer;

    @Rule
    public ThreadsRule cleanup = new ThreadsRule(new String[0]);
    byte[] sessionId = {10, 11, 12, 13, 14, 15};

    @BeforeClass
    public static void loadKeys() throws IOException, GeneralSecurityException {
        privateKey = DtlsTestTools.getPrivateKey();
        certificateChain = DtlsTestTools.getServerCertificateChain();
        trustedCertificates = DtlsTestTools.getTrustedCertificates();
    }

    @Before
    public void setup() throws Exception {
        this.timer = new TestScheduledExecutorService();
        this.endpoint = new InetSocketAddress(InetAddress.getLoopbackAddress(), 0);
        this.session = new DTLSSession(this.endpoint);
        this.recordLayer = new SimpleRecordLayer();
        this.config = DtlsConnectorConfig.builder().setAddress(this.endpoint).setSniEnabled(true).setIdentity(privateKey, certificateChain, new CertificateType[]{CertificateType.X_509}).setAdvancedCertificateVerifier(StaticNewAdvancedCertificateVerifier.builder().setTrustedCertificates(trustedCertificates).build()).setSupportedCipherSuites(new CipherSuite[]{SERVER_CIPHER_SUITE}).build();
        this.handshaker = newHandshaker(this.config, this.session);
        DatagramWriter datagramWriter = new DatagramWriter();
        datagramWriter.writeLong(Math.round((float) (new Date().getTime() / 1000)), 32);
        for (int i = 0; i < 28; i++) {
            datagramWriter.write(i, 8);
        }
        this.random = datagramWriter.toByteArray();
        this.supportedClientCiphers = new byte[]{-1, -88, -64, -88, -64, -82, -64, 35};
    }

    @After
    public void tearDown() {
        this.timer.shutdown();
        this.timer = null;
    }

    @Test
    public void testReceiveClientHelloProcessesMaxFragmentLengthExtension() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newMaxFragmentLengthExtension(1));
        processClientHello(0, linkedList);
        Assert.assertTrue(this.session.getMaxFragmentLength() <= 512);
        Assert.assertThat(this.recordLayer.getSentFlight(), CoreMatchers.is(CoreMatchers.notNullValue()));
        MaxFragmentLengthExtension maxFragmentLength = this.recordLayer.getSentFlight().get(0).getFragment().getMaxFragmentLength();
        Assert.assertThat(maxFragmentLength, CoreMatchers.is(CoreMatchers.notNullValue()));
        Assert.assertThat(Integer.valueOf(maxFragmentLength.getFragmentLength().length()), CoreMatchers.is(512));
    }

    @Test
    public void testReceiveClientHelloProcessesServerNameExtension() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newServerNameExtension("iot.eclipse.org"));
        processClientHello(0, linkedList);
        ServerNames serverNames = this.handshaker.getSession().getServerNames();
        Assert.assertNotNull(serverNames);
        Assert.assertThat(new String(serverNames.get(ServerName.NameType.HOST_NAME)), CoreMatchers.is("iot.eclipse.org"));
    }

    @Test
    public void testReceiveClientHelloIncludesUnknownCiphersInHandshakeHashGeneration() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newSupportedEllipticCurvesExtension(getArbitrarySupportedGroup().getId()));
        processClientHello(0, linkedList);
        Assert.assertArrayEquals(this.clientHelloMsg, ((HandshakeMessage) this.handshaker.handshakeMessages.get(0)).toByteArray());
    }

    @Test
    public void testReceiveClientHelloDoesNotNegotiateNullCipher() throws Exception {
        this.supportedClientCiphers = new byte[]{0, 0};
        try {
            processClientHello(0, null);
            Assert.fail("Server should have aborted cipher negotiation");
        } catch (HandshakeException e) {
            Assert.assertEquals(AlertMessage.AlertLevel.FATAL, e.getAlert().getLevel());
            Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_NULL_WITH_NULL_NULL));
        }
    }

    @Test
    public void testNegotiateCipherSuiteConsidersSupportedCertType() throws Exception {
        this.config = DtlsConnectorConfig.builder().setAddress(this.endpoint).setIdentity(privateKey, DtlsTestTools.getPublicKey()).setSupportedCipherSuites(new CipherSuite[]{CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, CipherSuite.TLS_PSK_WITH_AES_128_CCM_8}).setAdvancedPskStore(new AdvancedSinglePskStore("client", "secret".getBytes())).setAdvancedCertificateVerifier(StaticNewAdvancedCertificateVerifier.builder().setTrustAllRPKs().build()).build();
        this.handshaker = newHandshaker(this.config, this.session);
        this.supportedClientCiphers = new byte[]{-64, -82, -64, -88};
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newSupportedEllipticCurvesExtension(getArbitrarySupportedGroup().getId()));
        processClientHello(0, linkedList);
        Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_PSK_WITH_AES_128_CCM_8));
        Assert.assertThat(this.handshaker.getNegotiatedServerCertificateType(), CoreMatchers.is(CoreMatchers.nullValue()));
    }

    @Test
    public void testReceiveClientHelloAbortsOnUnknownClientCertificateType() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newClientCertificateTypesExtension(5));
        try {
            processClientHello(0, linkedList);
            Assert.fail("Should have thrown " + HandshakeException.class.getSimpleName());
        } catch (HandshakeException e) {
            Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_NULL_WITH_NULL_NULL));
            Assert.assertThat(this.handshaker.getNegotiatedClientCertificateType(), CoreMatchers.is(CoreMatchers.nullValue()));
        }
    }

    @Test
    public void testReceiveClientHelloAbortsOnNonMatchingClientCertificateTypes() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newClientCertificateTypesExtension(CertificateType.OPEN_PGP.getCode()));
        try {
            processClientHello(0, linkedList);
            Assert.fail("Should have thrown " + HandshakeException.class.getSimpleName());
        } catch (HandshakeException e) {
            Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_NULL_WITH_NULL_NULL));
            Assert.assertThat(this.handshaker.getNegotiatedClientCertificateType(), CoreMatchers.is(CoreMatchers.nullValue()));
        }
    }

    @Test
    public void testReceiveClientHelloNegotiatesSupportedCertificateType() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newSupportedEllipticCurvesExtension(getArbitrarySupportedGroup().getId()));
        linkedList.add(DtlsTestTools.newClientCertificateTypesExtension(CertificateType.OPEN_PGP.getCode(), CertificateType.X_509.getCode()));
        processClientHello(0, linkedList);
        Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(SERVER_CIPHER_SUITE));
        Assert.assertThat(this.handshaker.getNegotiatedClientCertificateType(), CoreMatchers.is(CertificateType.X_509));
        Assert.assertThat(this.handshaker.getNegotiatedServerCertificateType(), CoreMatchers.is(CertificateType.X_509));
    }

    @Test
    public void testReceiveClientHelloAbortsOnUnknownServerCertificateType() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newServerCertificateTypesExtension(5));
        try {
            processClientHello(0, linkedList);
            Assert.fail("Should have thrown " + HandshakeException.class.getSimpleName());
        } catch (HandshakeException e) {
            Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_NULL_WITH_NULL_NULL));
            Assert.assertThat(this.handshaker.getNegotiatedServerCertificateType(), CoreMatchers.is(CoreMatchers.nullValue()));
        }
    }

    @Test
    public void testReceiveClientHelloAbortsOnUnsupportedEcCurveIds() throws Exception {
        LinkedList linkedList = new LinkedList();
        linkedList.add(DtlsTestTools.newSupportedEllipticCurvesExtension(0));
        try {
            processClientHello(0, linkedList);
            Assert.fail("Should have thrown " + HandshakeException.class.getSimpleName());
        } catch (HandshakeException e) {
            Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(CipherSuite.TLS_NULL_WITH_NULL_NULL));
            Assert.assertThat(this.handshaker.getNegotiatedSupportedGroup(), CoreMatchers.nullValue());
        }
    }

    @Test
    public void testReceiveClientHelloNegotiatesSupportedEcCurveId() throws Exception {
        LinkedList linkedList = new LinkedList();
        XECDHECryptography.SupportedGroup arbitrarySupportedGroup = getArbitrarySupportedGroup();
        linkedList.add(DtlsTestTools.newSupportedEllipticCurvesExtension(0, arbitrarySupportedGroup.getId()));
        processClientHello(0, linkedList);
        Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(SERVER_CIPHER_SUITE));
        Assert.assertThat(this.handshaker.getNegotiatedSupportedGroup(), CoreMatchers.is(arbitrarySupportedGroup));
    }

    @Test
    public void testReceiveClientHelloPicksCurveIfClientOmitsSupportedCurveExtension() throws Exception {
        processClientHello(0, null);
        Assert.assertThat(this.session.getCipherSuite(), CoreMatchers.is(SERVER_CIPHER_SUITE));
        Assert.assertThat(this.handshaker.getNegotiatedSupportedGroup(), CoreMatchers.notNullValue());
    }

    @Test
    public void testDoProcessMessageProcessesQueuedMessages() throws Exception {
        Record givenAHandshakerWithAQueuedMessage = givenAHandshakerWithAQueuedMessage();
        try {
            givenAHandshakerWithAQueuedMessage.applySession(this.handshaker.getSession());
            this.handshaker.processMessage(givenAHandshakerWithAQueuedMessage);
        } catch (HandshakeException e) {
            HandshakerTest.failedHandshake(e);
        }
        assertThatAllMessagesHaveBeenProcessedInOrder();
    }

    private ServerHandshaker newHandshaker(DtlsConnectorConfig dtlsConnectorConfig, DTLSSession dTLSSession) throws HandshakeException {
        Connection connection = new Connection(dTLSSession.getPeer(), new SyncSerialExecutor());
        connection.setConnectionId(new ConnectionId(new byte[]{1, 2, 3, 4}));
        Handshaker serverHandshaker = new ServerHandshaker(0, dTLSSession, this.recordLayer, this.timer, connection, dtlsConnectorConfig);
        this.recordLayer.setHandshaker(serverHandshaker);
        return serverHandshaker;
    }

    private Record givenAHandshakerWithAQueuedMessage() throws Exception {
        InetSocketAddress inetSocketAddress = new InetSocketAddress(5000);
        processClientHello(0, null);
        Assert.assertThat(Integer.valueOf(this.handshaker.getNextReceiveMessageSequenceNumber()), CoreMatchers.is(1));
        CertificateMessage certificateMessage = new CertificateMessage(Arrays.asList(DtlsTestTools.getClientCertificateChain()), this.endpoint);
        certificateMessage.setMessageSeq(1);
        Record recordForMessage = DtlsTestTools.getRecordForMessage(0, 1, certificateMessage, inetSocketAddress);
        ECDHClientKeyExchange eCDHClientKeyExchange = new ECDHClientKeyExchange(new XECDHECryptography((XECDHECryptography.SupportedGroup) XECDHECryptography.SupportedGroup.getPreferredGroups().get(0)).getEncodedPoint(), this.endpoint);
        eCDHClientKeyExchange.setMessageSeq(2);
        Record recordForMessage2 = DtlsTestTools.getRecordForMessage(0, 2, eCDHClientKeyExchange, inetSocketAddress);
        recordForMessage2.applySession(this.handshaker.getSession());
        this.handshaker.processMessage(recordForMessage2);
        Assert.assertThat(Integer.valueOf(this.handshaker.handshakeMessages.size()), CoreMatchers.is(6));
        Assert.assertFalse("Client's KEY_EXCHANGE message should have been queued", this.handshaker.isInboundMessageProcessed());
        return recordForMessage;
    }

    private void assertThatAllMessagesHaveBeenProcessedInOrder() {
        Assert.assertThat(Integer.valueOf(this.handshaker.getNextReceiveMessageSequenceNumber()), CoreMatchers.is(3));
        Assert.assertThat("Client's CERTIFICATE message should have been processed", getHandshakeMessage(6, HandshakeType.CERTIFICATE), CoreMatchers.notNullValue());
        Assert.assertThat("Client's KEY_EXCHANGE message should have been processed", getHandshakeMessage(7, HandshakeType.CLIENT_KEY_EXCHANGE), CoreMatchers.notNullValue());
        Assert.assertTrue("All (processed) messages should have been removed from inbound messages queue", this.handshaker.isInboundMessageProcessed());
    }

    private void processClientHello(int i, List<byte[]> list) throws Exception {
        processClientHello(0, 0L, i, null, this.supportedClientCiphers, list);
    }

    private void processClientHello(int i, long j, int i2, byte[] bArr, byte[] bArr2, List<byte[]> list) throws Exception {
        this.clientHelloMsg = newHandshakeMessage(HandshakeType.CLIENT_HELLO, i2, newClientHelloFragment(bArr, bArr2, list));
        List<Record> fromByteArray = DtlsTestTools.fromByteArray(DtlsTestTools.newDTLSRecord(ContentType.HANDSHAKE.getCode(), i, j, this.clientHelloMsg), this.endpoint, null, ClockUtil.nanoRealtime());
        Assert.assertFalse("Should be able to deserialize DTLS Record from byte array", fromByteArray.isEmpty());
        Record record = fromByteArray.get(0);
        record.applySession(this.handshaker.getSession());
        this.handshaker.processMessage(record);
    }

    private static byte[] newHandshakeMessage(HandshakeType handshakeType, int i, byte[] bArr) {
        DatagramWriter datagramWriter = new DatagramWriter();
        datagramWriter.write(handshakeType.getCode(), 8);
        datagramWriter.write(bArr.length, 24);
        datagramWriter.write(i, 16);
        datagramWriter.write(0, 24);
        datagramWriter.write(bArr.length, 24);
        datagramWriter.writeBytes(bArr);
        return datagramWriter.toByteArray();
    }

    private byte[] newClientHelloFragment(byte[] bArr, byte[] bArr2, List<byte[]> list) {
        DatagramWriter datagramWriter = new DatagramWriter();
        datagramWriter.write(254, 8);
        datagramWriter.write(253, 8);
        datagramWriter.writeBytes(this.random);
        datagramWriter.write(this.sessionId.length, 8);
        datagramWriter.writeBytes(this.sessionId);
        if (bArr == null) {
            datagramWriter.write(0, 8);
        } else {
            datagramWriter.write(bArr.length, 8);
            datagramWriter.writeBytes(bArr);
        }
        datagramWriter.write(bArr2.length, 16);
        datagramWriter.writeBytes(bArr2);
        datagramWriter.write(1, 8);
        datagramWriter.writeByte((byte) 0);
        if (list != null && !list.isEmpty()) {
            DatagramWriter datagramWriter2 = new DatagramWriter();
            Iterator<byte[]> it = list.iterator();
            while (it.hasNext()) {
                datagramWriter2.writeBytes(it.next());
            }
            byte[] byteArray = datagramWriter2.toByteArray();
            datagramWriter.write(byteArray.length, 16);
            datagramWriter.writeBytes(byteArray);
        }
        return datagramWriter.toByteArray();
    }

    public HandshakeMessage getHandshakeMessage(int i, HandshakeType handshakeType) {
        HandshakeMessage handshakeMessage = (HandshakeMessage) this.handshaker.handshakeMessages.get(i);
        if (handshakeMessage.getMessageType() == handshakeType) {
            return handshakeMessage;
        }
        return null;
    }

    private static XECDHECryptography.SupportedGroup getArbitrarySupportedGroup() {
        List preferredGroups = XECDHECryptography.SupportedGroup.getPreferredGroups();
        return !preferredGroups.isEmpty() ? (XECDHECryptography.SupportedGroup) preferredGroups.get(0) : XECDHECryptography.SupportedGroup.secp256r1;
    }
}
