package org.atalk.impl.neomedia.transform.dtls;

import android.text.TextUtils;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Date;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import org.atalk.android.R;
import org.atalk.android.aTalkApp;
import org.atalk.impl.neomedia.AbstractRTPConnector;
import org.atalk.service.libjitsi.LibJitsi;
import org.atalk.service.neomedia.AbstractSrtpControl;
import org.atalk.service.neomedia.DtlsControl;
import org.atalk.service.neomedia.SrtpControlType;
import org.atalk.service.neomedia.event.SrtpListener;
import org.atalk.util.ConfigUtils;
import org.atalk.util.MediaType;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.Certificate;
import org.bouncycastle.cert.bc.BcX509v3CertificateBuilder;
import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.ExtendedDigest;
import org.bouncycastle.crypto.generators.ECKeyPairGenerator;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.ECDomainParameters;
import org.bouncycastle.crypto.params.ECKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.bc.BcDefaultDigestProvider;
import org.bouncycastle.operator.bc.BcECContentSignerBuilder;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.bouncycastle.tls.AlertDescription;
import org.bouncycastle.tls.TlsPeer;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCertificate;
import org.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.jivesoftware.smackx.jingle_rtp.element.SrtpFingerprint;
import timber.log.Timber;

/* loaded from: classes3.dex */
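/**
 * DTLS-SRTP implementation of {@link DtlsControl}.
 *
 * <p>The class generates a self-signed X.509 certificate (RSA or ECDSA, chosen through
 * {@link #setTlsCertificateSA(String)}), caches it process-wide for {@code CERT_CACHE_EXPIRE_TIME}
 * milliseconds, and exposes its fingerprint for the signaling path. The certificate chain a
 * peer presents on the media path is accepted only if its fingerprint equals one declared
 * through {@link #setRemoteFingerprints(Map)}. No CA validation is performed in this class,
 * so the fingerprint comparison is the only peer authentication visible here; that is why
 * {@link #requiresSecureSignalingTransport()} returns {@code true}.
 *
 * <p>NOTE(review): this listing is decompiler output; several methods carry a JADX remark that
 * their access modifier was widened from the original.
 */
public class DtlsControlImpl extends AbstractSrtpControl<DtlsTransformEngine> implements DtlsControl {
    // Lifetime of the cached certificate in milliseconds, read from configuration.
    private static final long CERT_CACHE_EXPIRE_TIME;
    public static final String CERT_CACHE_EXPIRE_TIME_PNAME = "neomedia.transform.dtls.CERT_CACHE_EXPIRE_TIME";
    public static final String CERT_TLS_SIGNATURE_ALGORITHM = "neomedia.transform.dtls.SIGNATURE_ALGORITHM";
    private static final long DEFAULT_CERT_CACHE_EXPIRE_TIME = 86400000;
    public static final int DEFAULT_RSA_KEY_SIZE = 2048;
    public static final int DEFAULT_RSA_KEY_SIZE_CERTAINTY = 80;
    public static final String DEFAULT_SIGNATURE_AND_HASH_ALGORITHM = "SHA256withECDSA";
    // Maps a hash function to the stronger ones that may be used in its place when the
    // signaling path declared no fingerprint for it.
    private static final Map<String, String[]> HASH_FUNCTION_UPGRADES;
    private static final char[] HEX_ENCODE_TABLE;
    private static final long ONE_DAY = 86400000;
    public static final BigInteger RSA_KEY_PUBLIC_EXPONENT;
    // NOTE(review): the configured RSA key size is used as read; no lower bound is enforced
    // in this class, so a small configured value yields a weak key.
    public static final int RSA_KEY_SIZE;
    public static final int RSA_KEY_SIZE_CERTAINTY;
    public static final String RSA_KEY_SIZE_CERTAINTY_PNAME = "neomedia.transform.dtls.RSA_KEY_SIZE_CERTAINTY";
    public static final String RSA_KEY_SIZE_PNAME = "neomedia.transform.dtls.RSA_KEY_SIZE";
    static final int[] SRTP_PROTECTION_PROFILES;
    // When false, a fingerprint mismatch is logged and NOT propagated; see
    // verifyAndValidateCertificate(org.bouncycastle.tls.Certificate).
    private static final boolean VERIFY_AND_VALIDATE_CERTIFICATE;
    private static final String VERIFY_AND_VALIDATE_CERTIFICATE_PNAME = "neomedia.transform.dtls.verifyAndValidateCertificate";
    // Process-wide certificate cache; guarded by the DtlsControlImpl.class monitor.
    private static CertificateInfo certificateInfoCache;
    // NOTE(review): stays null until setTlsCertificateSA() is called; generateKeyPair()
    // dereferences it unconditionally. Confirm callers always set it first.
    private static String mSignatureAlgorithm;
    private boolean disposed;
    private final CertificateInfo mCertificateInfo;
    private final Properties mProperties;
    private boolean mSecurityState;
    // Hash function name (lower case) -> fingerprint declared over the signaling path.
    private Map<String, String> remoteFingerprints;

    static {
        Map<String, String[]> upgrades = new HashMap<>();
        HASH_FUNCTION_UPGRADES = upgrades;
        HEX_ENCODE_TABLE = new char[]{'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};
        // 0x10001 = 65537, the customary RSA public exponent.
        RSA_KEY_PUBLIC_EXPONENT = new BigInteger("10001", 16);
        // RFC 5764 profile ids: 0x0001 SRTP_AES128_CM_HMAC_SHA1_80, 0x0002 SRTP_AES128_CM_HMAC_SHA1_32.
        SRTP_PROTECTION_PROFILES = new int[]{1, 2};
        VERIFY_AND_VALIDATE_CERTIFICATE = ConfigUtils.getBoolean(LibJitsi.getConfigurationService(), VERIFY_AND_VALIDATE_CERTIFICATE_PNAME, true);
        RSA_KEY_SIZE = ConfigUtils.getInt(LibJitsi.getConfigurationService(), RSA_KEY_SIZE_PNAME, DEFAULT_RSA_KEY_SIZE);
        RSA_KEY_SIZE_CERTAINTY = ConfigUtils.getInt(LibJitsi.getConfigurationService(), RSA_KEY_SIZE_CERTAINTY_PNAME, DEFAULT_RSA_KEY_SIZE_CERTAINTY);
        CERT_CACHE_EXPIRE_TIME = ConfigUtils.getLong(LibJitsi.getConfigurationService(), CERT_CACHE_EXPIRE_TIME_PNAME, DEFAULT_CERT_CACHE_EXPIRE_TIME);
        upgrades.put("sha-1", new String[]{"sha-224", "sha-256", "sha-384", "sha-512"});
    }

    /** Creates an instance, passing {@code false} to the {@link Properties} constructor. */
    public DtlsControlImpl() {
        this(false);
    }

    /**
     * Creates an instance that shares the process-wide cached certificate, generating a new one
     * when the cache is empty or older than {@code CERT_CACHE_EXPIRE_TIME}.
     *
     * @param z forwarded unchanged to the {@link Properties} constructor
     */
    public DtlsControlImpl(boolean z) {
        super(SrtpControlType.DTLS_SRTP);
        CertificateInfo certificateInfo;
        this.mSecurityState = false;
        this.disposed = false;
        // Key and certificate generation run under the class lock so that concurrent
        // constructors do not each generate a certificate.
        synchronized (DtlsControlImpl.class) {
            certificateInfo = certificateInfoCache;
            if (certificateInfo == null || certificateInfo.timestamp + CERT_CACHE_EXPIRE_TIME < System.currentTimeMillis()) {
                certificateInfo = generateCertificateInfo();
                certificateInfoCache = certificateInfo;
            }
        }
        this.mCertificateInfo = certificateInfo;
        this.mProperties = new Properties(z);
    }

    /**
     * Picks the first entry of {@code iArr} that also appears in {@link #SRTP_PROTECTION_PROFILES}.
     * The outer loop runs over the argument, so the argument's order decides the preference.
     *
     * @param iArr candidate SRTP protection profile ids; may be {@code null}
     * @return the chosen profile id, or {@code 0} when there is no common profile
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static int chooseSRTPProtectionProfile(int... iArr) {
        if (iArr == null) {
            return 0;
        }
        for (int offered : iArr) {
            for (int supported : SRTP_PROTECTION_PROFILES) {
                if (offered == supported) {
                    return offered;
                }
            }
        }
        return 0;
    }

    /**
     * Hashes the DER encoding of {@code certificate} with the named hash function.
     *
     * @param certificate the certificate to fingerprint
     * @param str the hash function name, e.g. {@code "sha-256"}
     * @return the digest as colon-separated upper-case hex (see {@link #toHex(byte[])})
     * @throws RuntimeException if the digest cannot be resolved or computed
     */
    private static String computeFingerprint(Certificate certificate, String str) {
        try {
            // Locale.ROOT keeps the algorithm lookup independent of the device locale.
            AlgorithmIdentifier digestId = new DefaultDigestAlgorithmIdentifierFinder().find(str.toUpperCase(Locale.ROOT));
            ExtendedDigest digest = BcDefaultDigestProvider.INSTANCE.get(digestId);
            byte[] der = certificate.getEncoded(ASN1Encoding.DER);
            byte[] hash = new byte[digest.getDigestSize()];
            digest.update(der, 0, der.length);
            digest.doFinal(hash, 0);
            return toHex(hash);
        } catch (Throwable t) {
            if (t instanceof ThreadDeath) {
                throw (ThreadDeath) t;
            }
            Timber.e(t, "Failed to generate certificate fingerprint!");
            throw (t instanceof RuntimeException) ? (RuntimeException) t : new RuntimeException(t);
        }
    }

    /**
     * Returns the lower-case name of the digest used by the signature algorithm of
     * {@code certificate}.
     *
     * @throws RuntimeException if the digest cannot be determined
     */
    private static String findHashFunction(Certificate certificate) {
        try {
            AlgorithmIdentifier digestId = new DefaultDigestAlgorithmIdentifierFinder().find(certificate.getSignatureAlgorithm());
            return BcDefaultDigestProvider.INSTANCE.get(digestId).getAlgorithmName().toLowerCase(Locale.ROOT);
        } catch (Throwable t) {
            if (t instanceof ThreadDeath) {
                throw (ThreadDeath) t;
            }
            Timber.w(t, "Failed to find the hash function of the signature algorithm of a certificate!");
            throw (t instanceof RuntimeException) ? (RuntimeException) t : new RuntimeException(t);
        }
    }

    /**
     * Finds a stronger replacement for hash function {@code str} for which {@code map} holds a
     * fingerprint.
     *
     * @param str the hash function to upgrade
     * @param map the declared fingerprints, keyed by hash function name
     * @return the first listed upgrade present in {@code map}, or {@code null} if none applies
     */
    private static String findHashFunctionUpgrade(String str, Map<String, String> map) {
        String[] candidates = HASH_FUNCTION_UPGRADES.get(str);
        if (candidates == null) {
            return null;
        }
        for (String candidate : candidates) {
            if (map.get(candidate) != null) {
                return candidate.toLowerCase(Locale.ROOT);
            }
        }
        return null;
    }

    /**
     * Builds an X.500 name whose only RDN is a CN of 32 lower-case hex characters drawn from
     * 16 {@link SecureRandom} bytes, so the certificate subject carries no identifying data.
     */
    private static X500Name generateCN() {
        X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE);
        byte[] random = new byte[16];
        new SecureRandom().nextBytes(random);
        StringBuilder cn = new StringBuilder(random.length * 2);
        for (byte b : random) {
            cn.append(HEX_ENCODE_TABLE[(b & 0xFF) >>> 4]).append(HEX_ENCODE_TABLE[b & 0x0F]);
        }
        builder.addRDN(BCStyle.CN, cn.toString().toLowerCase(Locale.ROOT));
        return builder.build();
    }

    /**
     * Generates a key pair and a self-signed certificate for it, and bundles them with the
     * certificate's hash function, fingerprint and creation time.
     */
    private static CertificateInfo generateCertificateInfo() {
        AsymmetricCipherKeyPair keyPair = generateKeyPair();
        Certificate x509 = generateX509Certificate(generateCN(), keyPair);
        org.bouncycastle.tls.Certificate tlsChain = new org.bouncycastle.tls.Certificate(
                new TlsCertificate[]{new BcTlsCertificate(new BcTlsCrypto(new SecureRandom()), x509)});
        String hashFunction = findHashFunction(x509);
        String fingerprint = computeFingerprint(x509, hashFunction);
        return new CertificateInfo(keyPair, tlsChain, hashFunction, fingerprint, System.currentTimeMillis());
    }

    /**
     * Generates an RSA key pair ({@link #RSA_KEY_SIZE} bits) or an ECDSA key pair on
     * {@code secp256r1}, depending on the suffix of the configured signature algorithm.
     *
     * @throws IllegalArgumentException if the algorithm name ends with neither RSA nor ECDSA
     */
    private static AsymmetricCipherKeyPair generateKeyPair() {
        String algorithm = mSignatureAlgorithm.toUpperCase(Locale.ROOT);
        if (algorithm.endsWith("RSA")) {
            RSAKeyPairGenerator rsaGenerator = new RSAKeyPairGenerator();
            rsaGenerator.init(new RSAKeyGenerationParameters(RSA_KEY_PUBLIC_EXPONENT, new SecureRandom(), RSA_KEY_SIZE, RSA_KEY_SIZE_CERTAINTY));
            return rsaGenerator.generateKeyPair();
        }
        if (!algorithm.endsWith("ECDSA")) {
            throw new IllegalArgumentException("Unknown signature algorithm: " + mSignatureAlgorithm);
        }
        ECNamedCurveParameterSpec curve = ECNamedCurveTable.getParameterSpec("secp256r1");
        ECDomainParameters domain = new ECDomainParameters(curve.getCurve(), curve.getG(), curve.getN(), curve.getH(), curve.getSeed());
        ECKeyPairGenerator ecGenerator = new ECKeyPairGenerator();
        ecGenerator.init(new ECKeyGenerationParameters(domain, new SecureRandom()));
        return ecGenerator.generateKeyPair();
    }

    /**
     * Creates a self-signed X.509v3 certificate: issuer and subject are both {@code x500Name},
     * the serial number is the current time in milliseconds, and the validity window runs from
     * one day in the past to six days plus {@code CERT_CACHE_EXPIRE_TIME} in the future.
     *
     * @param x500Name the subject and issuer name
     * @param asymmetricCipherKeyPair the key pair to certify and to sign with
     * @throws RuntimeException if the certificate cannot be built or signed
     */
    private static Certificate generateX509Certificate(X500Name x500Name, AsymmetricCipherKeyPair asymmetricCipherKeyPair) {
        Timber.d("Signature algorithm: %s", mSignatureAlgorithm);
        try {
            long now = System.currentTimeMillis();
            // notBefore is backdated by a day, which tolerates a peer clock that runs behind.
            Date notBefore = new Date(now - ONE_DAY);
            Date notAfter = new Date(6 * ONE_DAY + now + CERT_CACHE_EXPIRE_TIME);
            BcX509v3CertificateBuilder builder = new BcX509v3CertificateBuilder(
                    x500Name, BigInteger.valueOf(now), notBefore, notAfter, x500Name, asymmetricCipherKeyPair.getPublic());
            AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(mSignatureAlgorithm);
            AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
            return builder.build(asymmetricCipherKeyPair.getPrivate() instanceof RSAKeyParameters
                    ? new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(asymmetricCipherKeyPair.getPrivate())
                    : new BcECContentSignerBuilder(sigAlgId, digAlgId).build(asymmetricCipherKeyPair.getPrivate())).toASN1Structure();
        } catch (Throwable t) {
            if (t instanceof ThreadDeath) {
                throw (ThreadDeath) t;
            }
            Timber.e(t, "Failed to generate self-signed X.509 certificate");
            throw (t instanceof RuntimeException) ? (RuntimeException) t : new RuntimeException(t);
        }
    }

    /**
     * Sets the signature algorithm for newly generated certificates and discards the cached
     * certificate when the algorithm changes.
     *
     * <p>Synchronized on the class because the constructor reads and writes
     * {@code certificateInfoCache} under that same monitor; an unsynchronized reset could race
     * with a constructor that is refreshing the cache.
     *
     * @param str the signature algorithm name, e.g. {@code "SHA256withECDSA"}
     */
    public static synchronized void setTlsCertificateSA(String str) {
        String previous = mSignatureAlgorithm;
        if (previous != null && !previous.equals(str)) {
            certificateInfoCache = null;
        }
        mSignatureAlgorithm = str;
    }

    /**
     * Formats bytes as upper-case hex pairs separated by colons, e.g. {@code "0A:FF"}.
     *
     * @throws IllegalArgumentException if {@code bArr} is empty
     */
    private static String toHex(byte[] bArr) {
        if (bArr.length == 0) {
            throw new IllegalArgumentException(SrtpFingerprint.ELEMENT);
        }
        StringBuilder hex = new StringBuilder(bArr.length * 3 - 1);
        for (int i = 0; i < bArr.length; i++) {
            if (i > 0) {
                hex.append(':');
            }
            int octet = bArr[i] & 0xFF;
            hex.append(HEX_ENCODE_TABLE[octet >>> 4]).append(HEX_ENCODE_TABLE[octet & 0x0F]);
        }
        return hex.toString();
    }

    /**
     * Checks one certificate against the fingerprints declared over the signaling path.
     *
     * <p>The fingerprint is looked up by the hash function of the certificate's signature
     * algorithm; if none was declared for it, a declared upgrade from
     * {@code HASH_FUNCTION_UPGRADES} is used instead.
     *
     * <p>NOTE(review): the comparison is case-sensitive and {@link #toHex(byte[])} emits
     * upper-case hex, so a fingerprint signaled in lower case does not match.
     *
     * @throws IllegalStateException if this control has been disposed
     * @throws IOException if no fingerprint was declared or the fingerprint does not match
     */
    private void verifyAndValidateCertificate(Certificate certificate) throws Exception {
        String remoteFingerprint;
        String hashFunction = findHashFunction(certificate);
        synchronized (this) {
            if (this.disposed) {
                throw new IllegalStateException("disposed");
            }
            Map<String, String> declared = this.remoteFingerprints;
            if (declared == null) {
                throw new IOException("No fingerprints declared over the signaling path!");
            }
            remoteFingerprint = declared.get(hashFunction);
            if (remoteFingerprint == null) {
                String upgrade = findHashFunctionUpgrade(hashFunction, declared);
                if (upgrade != null && !upgrade.equalsIgnoreCase(hashFunction)) {
                    remoteFingerprint = declared.get(upgrade);
                    if (remoteFingerprint != null) {
                        hashFunction = upgrade;
                    }
                }
            }
        }
        if (remoteFingerprint == null) {
            throw new IOException("No fingerprint declared over the signaling path with hash function: " + hashFunction + "!");
        }
        String localComputed = computeFingerprint(certificate, hashFunction);
        if (!remoteFingerprint.equals(localComputed)) {
            throw new IOException("Fingerprint " + remoteFingerprint + " does not match the " + hashFunction + "-hashed certificate " + localComputed + "!");
        }
        Timber.log(10, "Fingerprint %s matches the %s-hashed certificate.", remoteFingerprint, hashFunction);
    }

    /** Creates the {@link DtlsTransformEngine} bound to this control. */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.atalk.service.neomedia.AbstractSrtpControl
    public DtlsTransformEngine createTransformEngine() {
        return new DtlsTransformEngine(this);
    }

    /**
     * Releases the connector and marks this control as disposed, waking any thread waiting on
     * this instance's monitor.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.atalk.service.neomedia.AbstractSrtpControl
    public void doCleanup() {
        super.doCleanup();
        setConnector(null);
        synchronized (this) {
            this.disposed = true;
            notifyAll();
        }
    }

    /** Returns the certificate, key pair and fingerprint this instance was created with. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public CertificateInfo getCertificateInfo() {
        return this.mCertificateInfo;
    }

    /** Returns the fingerprint of the local certificate. */
    @Override // org.atalk.service.neomedia.DtlsControl
    public String getLocalFingerprint() {
        return getCertificateInfo().localFingerprint;
    }

    /** Returns the hash function with which the local fingerprint was computed. */
    @Override // org.atalk.service.neomedia.DtlsControl
    public String getLocalFingerprintHashFunction() {
        return getCertificateInfo().localFingerprintHashFunction;
    }

    /** Returns the property set of this control. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public Properties getProperties() {
        return this.mProperties;
    }

    /** Returns the state last recorded by {@link #secureOnOff(boolean)}. */
    @Override // org.atalk.service.neomedia.SrtpControl
    public boolean getSecureCommunicationStatus() {
        return this.mSecurityState;
    }

    /** Returns the setup value held by the properties. */
    public DtlsControl.Setup getSetup() {
        return getProperties().getSetup();
    }

    /**
     * Reports a TLS alert to the registered {@link SrtpListener}, exactly once per alert.
     *
     * <p>The severity handed to the listener is 2 for alert level 2 (fatal in TLS), 1 for
     * alert level 1 (warning), and 0 otherwise. When {@code str} is empty, a localized text
     * is substituted: {@code close_notify} is reported as the end of encryption with severity
     * 0, every other alert as an internal protocol error. The decompiled original fell through
     * after the {@code close_notify} branch and notified the listener a second time with the
     * protocol-error text; this version notifies only once.
     *
     * @param tlsPeer the peer that raised the alert (unused)
     * @param s the TLS alert level
     * @param s2 the TLS alert description code
     * @param str an optional detail message; may be {@code null} or empty
     * @param th an optional cause (unused)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void notifyAlertRaised(TlsPeer tlsPeer, short s, short s2, String str, Throwable th) {
        SrtpListener srtpListener = getSrtpListener();
        String alertName = AlertDescription.getName(s2);
        int severity;
        if (s == 2) {
            severity = 2;
        } else if (s == 1) {
            severity = 1;
        } else {
            severity = 0;
        }
        if (TextUtils.isEmpty(str)) {
            if (s2 == AlertDescription.close_notify) {
                severity = 0;
                str = aTalkApp.getResString(R.string.media_security_encryption_ended, alertName);
            } else {
                str = aTalkApp.getResString(R.string.media_security_internal_protocol_error, alertName);
            }
        }
        srtpListener.securityMessageReceived(alertName, str, severity);
    }

    /**
     * Always {@code true}: the remote fingerprints are the only thing the peer certificate is
     * checked against, so they must not be modifiable in transit.
     */
    @Override // org.atalk.service.neomedia.SrtpControl
    public boolean requiresSecureSignalingTransport() {
        return true;
    }

    /**
     * Records the security state and notifies the listener that security was turned on or off
     * for the configured media type.
     *
     * @param z {@code true} when the media is now secured, {@code false} otherwise
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void secureOnOff(boolean z) {
        SrtpListener srtpListener = getSrtpListener();
        MediaType mediaType = (MediaType) this.mProperties.get(Properties.MEDIA_TYPE_PNAME);
        this.mSecurityState = z;
        if (!z) {
            srtpListener.securityTurnedOff(mediaType);
            return;
        }
        srtpListener.securityTurnedOn(mediaType, getSrtpControlType().toString(), this);
    }

    /** Stores the RTP connector in the properties; {@code null} clears it. */
    @Override // org.atalk.service.neomedia.SrtpControl
    public void setConnector(AbstractRTPConnector abstractRTPConnector) {
        this.mProperties.put(Properties.CONNECTOR_PNAME, abstractRTPConnector);
    }

    /**
     * Replaces the fingerprints declared by the remote peer over the signaling path.
     *
     * <p>An empty map is ignored, so previously declared fingerprints stay in effect. Entries
     * with a {@code null} key or value are dropped, and hash function names are stored in
     * lower case.
     *
     * <p>NOTE(review): the field is assigned without holding this instance's monitor, while
     * the verification path reads it under that monitor.
     *
     * @param map hash function name to fingerprint
     * @throws NullPointerException if {@code map} is {@code null}
     */
    @Override // org.atalk.service.neomedia.DtlsControl
    public void setRemoteFingerprints(Map<String, String> map) {
        if (map == null) {
            throw new NullPointerException("remoteFingerprints");
        }
        if (map.isEmpty()) {
            return;
        }
        Map<String, String> normalized = new HashMap<>(map.size());
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String hashFunction = entry.getKey();
            String fingerprint = entry.getValue();
            if (hashFunction != null && fingerprint != null) {
                normalized.put(hashFunction.toLowerCase(Locale.ROOT), fingerprint);
            }
        }
        this.remoteFingerprints = normalized;
    }

    /** Stores the rtcp-mux flag in the properties. */
    @Override // org.atalk.service.neomedia.DtlsControl
    public void setRtcpmux(boolean z) {
        this.mProperties.put(Properties.RTCPMUX_PNAME, Boolean.valueOf(z));
    }

    /** Stores the DTLS setup value in the properties. */
    @Override // org.atalk.service.neomedia.DtlsControl
    public void setSetup(DtlsControl.Setup setup) {
        this.mProperties.put(Properties.SETUP_PNAME, setup);
    }

    /** Stores the media type in the properties. */
    @Override // org.atalk.service.neomedia.SrtpControl
    public void start(MediaType mediaType) {
        this.mProperties.put(Properties.MEDIA_TYPE_PNAME, mediaType);
    }

    /**
     * Verifies every certificate in the chain offered over the media path against the
     * fingerprints declared over the signaling path. Each certificate in the list must match
     * a declared fingerprint.
     *
     * <p>Security: when {@code neomedia.transform.dtls.verifyAndValidateCertificate} is set to
     * {@code false}, a failure is only logged as a warning and this method returns normally,
     * so the caller sees an unauthenticated peer as verified. Detection relies on the warning
     * log line; the setting should stay {@code true} outside of testing.
     *
     * @param certificate the certificate chain presented by the peer
     * @throws Exception if verification fails and verification is enabled
     */
    public void verifyAndValidateCertificate(org.bouncycastle.tls.Certificate certificate) throws Exception {
        try {
            if (certificate.isEmpty()) {
                throw new IllegalArgumentException("certificate.certificateList");
            }
            for (TlsCertificate tlsCertificate : certificate.getCertificateList()) {
                verifyAndValidateCertificate(Certificate.getInstance(tlsCertificate.getEncoded()));
            }
        } catch (Exception e) {
            final String failure = "Failed to verify and/or validate a certificate offered over the media path against fingerprints declared over the signaling path!";
            String detail = e.getMessage();
            boolean hasDetail = detail != null && detail.length() != 0;
            if (VERIFY_AND_VALIDATE_CERTIFICATE) {
                if (hasDetail) {
                    Timber.e("%s %s", failure, detail);
                } else {
                    Timber.e(e, "%s", failure);
                }
                throw e;
            }
            // Verification is disabled by configuration: record the failure and carry on.
            if (hasDetail) {
                Timber.w("%s %s", failure, detail);
            } else {
                Timber.w(e, "%s", failure);
            }
        }
    }
}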
