package pt.unl.fct.di.novasys.channel.secure.auth;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.EventLoopGroup;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.GenericFutureListener;
import io.netty.util.concurrent.Promise;
import java.io.IOException;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Properties;
import java.util.Queue;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Supplier;
import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;
import pt.unl.fct.di.novasys.babel.core.BabelSecurity;
import pt.unl.fct.di.novasys.channel.secure.SecureChannelListener;
import pt.unl.fct.di.novasys.channel.secure.SecureSingleThreadedBiChannel;
import pt.unl.fct.di.novasys.channel.secure.auth.AuthSession;
import pt.unl.fct.di.novasys.channel.secure.events.SecureInConnectionDown;
import pt.unl.fct.di.novasys.channel.secure.events.SecureInConnectionUp;
import pt.unl.fct.di.novasys.channel.secure.events.SecureOutConnectionDown;
import pt.unl.fct.di.novasys.channel.secure.events.SecureOutConnectionFailed;
import pt.unl.fct.di.novasys.channel.secure.events.SecureOutConnectionUp;
import pt.unl.fct.di.novasys.channel.secure.exceptions.AuthenticationException;
import pt.unl.fct.di.novasys.channel.secure.exceptions.MessageAuthenticationException;
import pt.unl.fct.di.novasys.channel.secure.utils.ECPubKeySerializer;
import pt.unl.fct.di.novasys.channel.secure.utils.X509CertificateSerializer;
import pt.unl.fct.di.novasys.network.AttributeValidator;
import pt.unl.fct.di.novasys.network.Connection;
import pt.unl.fct.di.novasys.network.ISerializer;
import pt.unl.fct.di.novasys.network.NetworkManager;
import pt.unl.fct.di.novasys.network.data.Attributes;
import pt.unl.fct.di.novasys.network.data.Bytes;
import pt.unl.fct.di.novasys.network.data.Host;
import pt.unl.fct.di.novasys.network.exceptions.InvalidHandshakeAttributesException;
import pt.unl.fct.di.novasys.network.security.X509IKeyManager;
import pt.unl.fct.di.novasys.network.security.X509ITrustManager;

/* loaded from: classes5.dex */
public class AuthChannel<T> extends SecureSingleThreadedBiChannel<T, AuthenticatedMessage> implements AttributeValidator {
    // Compiler-generated flag that backs `assert` statements; not part of the channel's API.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    // Property key for the local bind address; the constructor rejects Properties that lack it.
    public static final String ADDRESS_KEY = "address";
    // Key type handed to the key manager when choosing the local alias (see createOutSession and
    // the second-handshake handler).
    static final String ASYM_KEY_ALG = "RSA";
    // Handshake attribute names. ATTRS_SIG_ATTR holds the signature over the serialized attribute
    // set and CERT_ATTR holds the sender's X.509 certificate.
    private static final String ATTRS_SIG_ATTR = "attrs_sig";
    private static final String CERT_ATTR = "certificate";
    public static final String CHANNELMAGIC_ATTR = "magic_number";
    // Value stored under "magic_number" in the base attributes by the constructor.
    public static final short CHANNEL_MAGIC_NUMBER = 21765;
    // Connection direction selectors; getSessionToSend maps 1 to inbound sessions and values <= 0 to
    // the outbound session.
    public static final int CONNECTION_IN = 1;
    public static final int CONNECTION_OUT = 0;
    // Property keys and their defaults. The defaults are strings because the constructor reads them
    // through Properties.getProperty and parses them with Integer.parseInt.
    public static final String CONNECT_TIMEOUT_KEY = "connect_timeout";
    public static final String DEFAULT_CONNECT_TIMEOUT = "1000";
    public static final String DEFAULT_HB_INTERVAL = "0";
    public static final String DEFAULT_HB_TOLERANCE = "0";
    // A metrics interval <= 0 disables the periodic metrics task (see the constructor).
    public static final String DEFAULT_METRICS_INTERVAL = "-1";
    public static final String DEFAULT_PORT = "9573";
    // Named curve for the ephemeral ECDH key pair (generateECKeyPair).
    // NOTE(review): prime192v1 is the 192-bit curve also known as secp192r1 / NIST P-192, which gives
    // roughly 96 bits of security. That is below the 224-bit minimum EC key size in current NIST
    // guidance. Moving to a 256-bit curve is a protocol change that both peers must make together.
    private static final String DH_EC_NAME = "prime192v1";
    private static final String DH_PUB_ATTR = "dh_pub";
    // Key agreement algorithm requested from the BouncyCastle provider in generateAESFromECKeys.
    private static final String EC_KDF_ALG = "ECCDHwithSHA256KDF";
    private static final String EXPECTED_ID_ATTR = "expected_identity";
    // Number of handshake steps; the constructor passes the same value (3) to NetworkManager.
    private static final int HANDSHAKE_STEPS = 3;
    public static final String HEARTBEAT_INTERVAL_KEY = "heartbeat_interval";
    public static final String HEARTBEAT_TOLERANCE_KEY = "heartbeat_tolerance";
    // IV_ATTR carries the sender's random value. IV_SIG_ATTR carries a signature over the peer's
    // value (see createSecondHandshakeAttributes).
    private static final String IV_ATTR = "iv";
    private static final String IV_SIG_ATTR = "iv_sig";
    public static final String LISTEN_ADDRESS_ATTR = "listen_address";
    // Message authentication algorithm and tag length. 32 bytes is the HMAC-SHA256 output size, and
    // the constructor passes the same value to AuthenticatedMessage.getSerializer.
    static final String MAC_ALG = "HmacSHA256";
    static final int MAC_BYTES = 32;
    public static final String METRICS_INTERVAL_KEY = "metrics_interval";
    public static final String NAME = "AuthChannel";
    public static final String PORT_KEY = "port";
    // Algorithm name given to KeyAgreement.generateSecret for the derived session key.
    static final String SYM_KEY_ALG = "AES";
    public static final String TRIGGER_SENT_KEY = "trigger_sent";
    public static final String WORKER_GROUP_KEY = "worker_group";
    // Every session, inbound or outbound, keyed by connection id.
    private final Map<Long, AuthSession<T>> allSessions;
    // Attributes sent in every handshake message: magic number and listen address.
    private final Attributes baseAttributes;
    // The identity used when a caller addresses a peer by Host only (see onCloseConnection(Host, int)).
    private final Map<Host, Bytes> defaultHostIds;
    // All identities currently associated with a host.
    private final Map<Host, Set<Bytes>> hostIds;
    // Inbound sessions grouped by peer identity, then by connection id.
    private final Map<Bytes, Map<Long, AuthSession<T>>> inSessions;
    private final X509IKeyManager keyManager;
    private final SecureChannelListener<T> listener;
    private final boolean metrics;
    private final ISerializer<T> msgSerializer;
    private final NetworkManager<AuthenticatedMessage> network;
    // At most one outbound session per peer identity.
    private final Map<Bytes, AuthSession<T>> outSessions;
    private final Map<Host, AuthSession<T>> pendingOutSessionsWithoutId;
    // Source of IVs and key-generation randomness; the constructor falls back to the platform
    // default SecureRandom if the provider lookup fails.
    private final SecureRandom rng;
    private final X509ITrustManager trustManager;
    private static final Logger logger = LogManager.getLogger((Class<?>) AuthChannel.class);
    // Single BouncyCastle provider instance used for every JCA lookup in this class.
    static final Provider PROVIDER = new BouncyCastleProvider();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: pt.unl.fct.di.novasys.channel.secure.auth.AuthChannel$1, reason: invalid class name */
    /* loaded from: classes5.dex */
    /**
     * Compiler-generated lookup table for a {@code switch} over {@link AuthSession.State}.
     *
     * <p>The array is indexed by {@code ordinal()} and maps CONNECTED, CONNECTING and DISCONNECTING to
     * the case labels 1, 2 and 3. Any other constant keeps the default 0.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$pt$unl$fct$di$novasys$channel$secure$auth$AuthSession$State;

        static {
            int[] iArr = new int[AuthSession.State.values().length];
            $SwitchMap$pt$unl$fct$di$novasys$channel$secure$auth$AuthSession$State = iArr;
            // Each entry is guarded separately so that an enum constant missing at run time
            // (NoSuchFieldError) only leaves its own slot at 0.
            try {
                iArr[AuthSession.State.CONNECTED.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$pt$unl$fct$di$novasys$channel$secure$auth$AuthSession$State[AuthSession.State.CONNECTING.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                $SwitchMap$pt$unl$fct$di$novasys$channel$secure$auth$AuthSession$State[AuthSession.State.DISCONNECTING.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
        }
    }

    /**
     * Creates the channel, opens its server socket and optionally schedules the metrics task.
     *
     * <p>Reads "address" (required), "port", "heartbeat_interval", "heartbeat_tolerance",
     * "connect_timeout", "metrics_interval" and "worker_group" from {@code properties}.
     *
     * @param iSerializer serializer for application messages
     * @param secureChannelListener receiver of channel events and delivered messages
     * @param properties channel configuration
     * @param x509IKeyManager source of the local certificate chain and private key
     * @param x509ITrustManager validator for peer certificates
     * @throws IOException declared by the original signature; presumably from socket creation
     * @throws IllegalArgumentException if {@code properties} has no "address" entry
     * @throws NumberFormatException if a numeric property is not a valid int
     */
    public AuthChannel(ISerializer<T> iSerializer, SecureChannelListener<T> secureChannelListener, Properties properties, X509IKeyManager x509IKeyManager, X509ITrustManager x509ITrustManager) throws IOException {
        super(NAME);
        // Prefer the provider's PRNG; the platform default SecureRandom is still a CSPRNG, so the
        // fallback is logged as a warning rather than treated as fatal.
        SecureRandom random;
        try {
            random = SecureRandom.getInstance(BabelSecurity.PRNG_ALG, PROVIDER);
        } catch (NoSuchAlgorithmException unused) {
            logger.warn("Failed to get \"DEFAULT\" secure random");
            random = new SecureRandom();
        }
        this.rng = random;
        this.msgSerializer = iSerializer;
        this.listener = secureChannelListener;
        this.keyManager = x509IKeyManager;
        this.trustManager = x509ITrustManager;
        this.hostIds = new HashMap<>();
        this.defaultHostIds = new HashMap<>();
        this.inSessions = new HashMap<>();
        this.outSessions = new HashMap<>();
        this.allSessions = new HashMap<>();
        this.pendingOutSessionsWithoutId = new HashMap<>();

        if (!properties.containsKey("address")) {
            throw new IllegalArgumentException("AuthChannel requires binding address");
        }
        final InetAddress bindAddress = InetAddress.getByName(properties.getProperty("address"));
        final int port = Integer.parseInt(properties.getProperty("port", DEFAULT_PORT));
        final int heartbeatInterval = Integer.parseInt(properties.getProperty("heartbeat_interval", "0"));
        final int heartbeatTolerance = Integer.parseInt(properties.getProperty("heartbeat_tolerance", "0"));
        final int connectTimeout = Integer.parseInt(properties.getProperty("connect_timeout", "1000"));
        final int metricsInterval = Integer.parseInt(properties.getProperty("metrics_interval", "-1"));
        this.metrics = metricsInterval > 0;

        final Host listenHost = new Host(bindAddress, port);
        // A caller may share an existing event loop group; otherwise a fresh one is created.
        final EventLoopGroup workers;
        if (properties.containsKey("worker_group")) {
            workers = (EventLoopGroup) properties.get("worker_group");
        } else {
            workers = NetworkManager.createNewWorkerGroup();
        }

        this.baseAttributes = new Attributes();
        this.baseAttributes.putShort("magic_number", CHANNEL_MAGIC_NUMBER);
        this.baseAttributes.putHost("listen_address", listenHost);

        this.network = new NetworkManager<>(3, AuthenticatedMessage.getSerializer(32), this, heartbeatInterval, heartbeatTolerance, connectTimeout, workers);
        this.network.createServerSocket(this, listenHost, this.baseAttributes, this, workers);

        if (metricsInterval > 0) {
            final long periodMillis = metricsInterval;
            this.loop.scheduleAtFixedRate(() -> triggerMetricsEvent(), periodMillis, periodMillis, TimeUnit.MILLISECONDS);
        }
    }

    /**
     * Records that {@code bytes} is an identity reachable at {@code host}.
     *
     * <p>The first identity registered for a host also becomes that host's default identity; this
     * happens inside {@code lambda$addHostId$6}, which runs only when the host has no entry yet.
     *
     * @param host peer socket address
     * @param bytes peer identity
     */
    private void addHostId(final Host host, final Bytes bytes) {
        Set<Bytes> idsForHost = this.hostIds.computeIfAbsent(host, key -> lambda$addHostId$6(host, bytes, key));
        idsForHost.add(bytes);
    }

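    /**
     * Builds and signs the attributes sent in the first handshake message of an outbound connection.
     *
     * <p>The set holds the base attributes, the local identity and certificate for {@code str}, the
     * ephemeral ECDH public key, the optional expected peer identity and the local IV, followed by a
     * signature over the serialized set.
     *
     * <p>The decompiled listing wrote the optional identity through {@code Attributes.this}, which
     * does not name the cloned attribute set; this version writes to the clone directly.
     *
     * @param eCPublicKey ephemeral ECDH public key to advertise
     * @param bArr local IV for this handshake
     * @param str key manager alias of the local identity
     * @param optional identity the peer is expected to present, if known
     * @return the signed attribute set
     * @throws CertificateEncodingException declared by the original signature
     * @throws IOException if attribute serialization fails
     * @throws InvalidKeyException if the private key is rejected by the signature algorithm
     * @throws SignatureException if signing fails
     */
    private Attributes createFirstHandshakeAttributes(ECPublicKey eCPublicKey, byte[] bArr, String str, Optional<byte[]> optional) throws CertificateEncodingException, IOException, InvalidKeyException, SignatureException {
        try {
            final Attributes attrs = this.baseAttributes.shallowClone();
            attrs.putBytes("identity", this.keyManager.getAliasId(str));
            X509Certificate ownCert = this.keyManager.getCertificateChain(str)[0];
            attrs.putObject(CERT_ATTR, ownCert, X509CertificateSerializer.INSTANCE);
            attrs.putObject(DH_PUB_ATTR, eCPublicKey, ECPubKeySerializer.INSTANCE);
            optional.ifPresent(expectedId -> attrs.putBytes("expected_identity", expectedId));
            attrs.putBytes(IV_ATTR, bArr);

            ByteBuf serialized = Unpooled.buffer();
            Attributes.serializer.serialize(attrs, serialized);
            // NOTE(review): getSigAlgName() is the algorithm the issuer used to sign the certificate.
            // It only suits the subject's key when both use the same key type — confirm for
            // certificates that are not self-signed.
            Signature signer = Signature.getInstance(ownCert.getSigAlgName(), PROVIDER);
            signer.initSign(this.keyManager.getPrivateKey(str));
            // NOTE(review): array() is the whole backing array, not just the written bytes, so any
            // unused capacity is signed too. verifyAttrSignature reads the buffer the same way, so
            // changing this means changing both sides of the protocol together.
            signer.update(serialized.array());
            attrs.putBytes(ATTRS_SIG_ATTR, signer.sign());
            return attrs;
        } catch (NoSuchAlgorithmException e) {
            // The algorithm name comes from our own certificate; the provider not knowing it is a
            // configuration error, not a recoverable condition.
            throw new RuntimeException(e);
        }
    }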

    /**
     * Opens an outbound connection to {@code host} and registers the session that tracks it.
     *
     * <p>A fresh ephemeral EC key pair and a 32-byte IV are generated for every call. The session is
     * stored in {@code allSessions} under the new connection's id.
     *
     * @param host peer to connect to
     * @param optional identity the peer is expected to present, if known
     * @return the new outbound session
     */
    private AuthSession<T> createOutSession(Host host, Optional<byte[]> optional) throws CertificateEncodingException, InvalidKeyException, SignatureException, IOException, InvalidAlgorithmParameterException {
        final String alias = this.keyManager.chooseClientAlias(new String[]{ASYM_KEY_ALG}, null, null);
        final KeyPair ephemeral = generateECKeyPair();
        final byte[] iv = generateIv(32);
        final Attributes firstAttrs = createFirstHandshakeAttributes((ECPublicKey) ephemeral.getPublic(), iv, alias, optional);
        final Connection<AuthenticatedMessage> conn = this.network.createConnection(host, firstAttrs, this, this);
        final AuthSession<T> session = AuthSession.startOutSession(host, conn, this.msgSerializer, alias, ephemeral, iv, optional);
        this.allSessions.put(Long.valueOf(conn.getConnectionId()), session);
        return session;
    }

    /**
     * Builds and signs the attributes sent in reply to a peer's first handshake message.
     *
     * <p>Besides the local identity, certificate, ephemeral ECDH public key and IV, the reply carries
     * a signature over the peer's IV ({@code bArr2}), followed by a signature over the serialized
     * attribute set.
     *
     * @param str key manager alias of the local identity
     * @param eCPublicKey local ephemeral ECDH public key
     * @param bArr local IV
     * @param bArr2 IV received from the peer, signed here as proof of key possession
     * @return the signed attribute set
     */
    private Attributes createSecondHandshakeAttributes(String str, ECPublicKey eCPublicKey, byte[] bArr, byte[] bArr2) throws CertificateEncodingException, IOException, InvalidKeyException, SignatureException {
        try {
            final Attributes reply = this.baseAttributes.shallowClone();
            reply.putBytes("identity", this.keyManager.getAliasId(str));
            final X509Certificate ownCert = this.keyManager.getCertificateChain(str)[0];
            reply.putObject(CERT_ATTR, ownCert, X509CertificateSerializer.INSTANCE);
            final byte[] peerIvSignature = signWithCert(ownCert, this.keyManager.getPrivateKey(str), bArr2);
            reply.putBytes(IV_SIG_ATTR, peerIvSignature);
            reply.putObject(DH_PUB_ATTR, eCPublicKey, ECPubKeySerializer.INSTANCE);
            reply.putBytes(IV_ATTR, bArr);

            final ByteBuf serialized = Unpooled.buffer();
            Attributes.serializer.serialize(reply, serialized);
            // The attribute-set signature uses the same algorithm and key as the IV signature above.
            final byte[] attrsSignature = signWithCert(ownCert, this.keyManager.getPrivateKey(str), serialized.array());
            reply.putBytes(ATTRS_SIG_ATTR, attrsSignature);
            return reply;
        } catch (NullPointerException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

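    /**
     * Derives the symmetric session key from the local ephemeral private key and the peer's public
     * key, using the {@code EC_KDF_ALG} key agreement from the BouncyCastle provider.
     *
     * <p>The debug log records timing only. The derived key is never written to the log: a session
     * key in a log file lets anyone with log access forge message authentication codes for that
     * session.
     *
     * @param privateKey local ephemeral ECDH private key
     * @param publicKey peer's ECDH public key
     * @return the derived key, labelled with {@code SYM_KEY_ALG}
     * @throws InvalidKeyException if either key is rejected by the key agreement
     */
    private SecretKey generateAESFromECKeys(PrivateKey privateKey, PublicKey publicKey) throws InvalidKeyException {
        try {
            // Sample the log level once so the start timestamp and the later log call always agree.
            final boolean timed = logger.isDebugEnabled();
            final Instant started = timed ? Instant.now() : null;
            KeyAgreement agreement = KeyAgreement.getInstance(EC_KDF_ALG, PROVIDER);
            agreement.init(privateKey, this.rng);
            agreement.doPhase(publicKey, true);
            SecretKey sessionKey = agreement.generateSecret(SYM_KEY_ALG);
            if (timed) {
                Instant finished = Instant.now();
                logger.debug("Generated {} secret key from ECDH in {}ms ({}ns)", SYM_KEY_ALG, Long.valueOf(ChronoUnit.MILLIS.between(started, finished)), Long.valueOf(ChronoUnit.NANOS.between(started, finished)));
            }
            return sessionKey;
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }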

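    /**
     * Generates a fresh ephemeral EC key pair on the curve named by {@code DH_EC_NAME}.
     *
     * <p>The decompiled listing referenced undefined names ({@code r0}, {@code r1}) in the timing
     * message; this version uses the two captured timestamps.
     *
     * <p>NOTE(review): {@code DH_EC_NAME} is "prime192v1" in this file, a 192-bit curve. Moving to a
     * larger curve is a protocol change that both peers must make together.
     *
     * @return the new key pair
     */
    private KeyPair generateECKeyPair() {
        try {
            final Instant started = Instant.now();
            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC", PROVIDER);
            generator.initialize(ECNamedCurveTable.getParameterSpec(DH_EC_NAME), this.rng);
            KeyPair pair = generator.generateKeyPair();
            if (logger.isDebugEnabled()) {
                final Instant finished = Instant.now();
                logger.debug((Supplier<?>) () -> "Generated EC key pair in %sms (%sns)".formatted(Long.valueOf(ChronoUnit.MILLIS.between(started, finished)), Long.valueOf(ChronoUnit.NANOS.between(started, finished))));
            }
            return pair;
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            // Curve and algorithm are compile-time constants; failure means a broken provider setup.
            throw new RuntimeException(e);
        }
    }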

    /**
     * Returns {@code i} fresh random bytes drawn from the channel's {@code SecureRandom}.
     *
     * @param i number of bytes to generate
     * @return a newly allocated array of random bytes
     */
    private byte[] generateIv(int i) {
        final byte[] fresh = new byte[i];
        this.rng.nextBytes(fresh);
        return fresh;
    }

    /**
     * Resolves the peer identity for a connection.
     *
     * <p>Uses the "identity" the peer sent if there is one. Otherwise it falls back to the
     * "expected_identity" that this side put in its own attributes.
     *
     * @param connection connection to inspect
     * @return the identity wrapped in {@code Bytes}
     */
    private Bytes getPeerId(Connection<?> connection) {
        final Attributes remote = connection.getPeerAttributes();
        byte[] id = null;
        if (remote != null) {
            id = remote.getBytes("identity");
        }
        if (id != null) {
            return Bytes.of(id);
        }
        // No identity received: use the one this side asked for.
        return Bytes.of(connection.getSelfAttributes().getBytes("expected_identity"));
    }

    /**
     * Picks the session used to send to the peer {@code bytes}.
     *
     * @param bytes peer identity
     * @param i 1 selects any inbound session; a value of 0 or less selects the outbound session
     * @return the chosen session, or {@code null} if there is none or {@code i} is greater than 1
     */
    private AuthSession<T> getSessionToSend(Bytes bytes, int i) {
        if (i == 1) {
            final Map<Long, AuthSession<T>> inbound = this.inSessions.get(bytes);
            if (inbound == null) {
                return null;
            }
            return inbound.values().stream().findAny().orElse(null);
        }
        if (i <= 0) {
            return this.outSessions.get(bytes);
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Mapping function for {@code hostIds.computeIfAbsent}: makes {@code bytes} the default identity
     * of {@code host} and supplies the empty identity set for it.
     */
    public /* synthetic */ Set lambda$addHostId$6(Host host, Bytes bytes, Host host2) {
        this.defaultHostIds.put(host, bytes);
        final Set<Bytes> emptyIds = new HashSet<>();
        return emptyIds;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Mapping function for {@code inSessions.computeIfAbsent}: supplies an empty per-peer map. */
    public static /* synthetic */ Map lambda$onGetSecondHandshakeAttributes$3(Bytes bytes) {
        final Map<Object, Object> emptySessions = new HashMap<>();
        return emptySessions;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Predicate body: reports whether an outbound session is registered for identity {@code bytes}. */
    public /* synthetic */ boolean lambda$onOpenConnection$5(Bytes bytes) {
        final boolean hasOutSession = this.outSessions.containsKey(bytes);
        return hasOutSession;
    }

    /* JADX INFO: Access modifiers changed from: private */
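    /**
     * Completion callback for a send: reports the outcome to the channel listener.
     *
     * <p>The decompiled listing re-tested {@code future.isSuccess()} inside the failure branch, where
     * it can never be true; that dead check is removed.
     *
     * @param obj the message that was sent
     * @param host destination socket address
     * @param bArr destination identity
     * @param future the completed send future
     */
    public /* synthetic */ void lambda$sendWithListener$8(Object obj, Host host, byte[] bArr, Future future) throws Exception {
        if (future.isSuccess()) {
            this.listener.messageSent(obj, host, bArr);
            return;
        }
        this.listener.messageFailed(obj, Optional.of(host), bArr, future.cause());
    }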

    /* JADX INFO: Access modifiers changed from: private */
    /* renamed from: onGetSecondHandshakeAttributes, reason: merged with bridge method [inline-methods] */
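    /**
     * Validates the first handshake message of an inbound connection and builds the reply.
     *
     * <p>The checks run in this order:
     * <ol>
     *   <li>the generic attribute check, plus presence of the peer's listen address and IV;</li>
     *   <li>the identity claimed in the attributes equals the one extracted from the certificate;</li>
     *   <li>the trust manager accepts the certificate;</li>
     *   <li>the signature over the attribute set verifies under the certificate's public key.</li>
     * </ol>
     * After that, an ephemeral key pair is generated, the session key is derived, and the inbound
     * session is registered under connection id {@code j}.
     *
     * <p>Changed from the decompiled listing: the identity-mismatch debug message now passes the
     * attribute identity first and the certificate identity second, matching its wording.
     *
     * <p>NOTE(review): the session is added to {@code allSessions} and {@code inSessions} before the
     * third handshake step has been validated. Removal on a later failure is not visible in this
     * method — confirm it happens elsewhere.
     *
     * @param j connection id
     * @param attributes attributes received from the peer (untrusted until validated here)
     * @param attributes2 not used by this method
     * @return the signed reply attributes
     * @throws InvalidHandshakeAttributesException if any check fails
     */
    public Attributes lambda$getSecondHandshakeAttributes$2(long j, Attributes attributes, Attributes attributes2) throws InvalidHandshakeAttributesException {
        logger.debug("Validating in connection attribute and creating reply attributes...");
        try {
            Host peerListenAddress = attributes.getHost("listen_address");
            byte[] peerIv = attributes.getBytes(IV_ATTR);
            if (!validateAttributes(attributes) || peerListenAddress == null || peerIv == null) {
                throw new InvalidHandshakeAttributesException(attributes, "First handshake: missing attributes");
            }

            X509Certificate peerCert = (X509Certificate) attributes.getObject(CERT_ATTR, X509CertificateSerializer.INSTANCE);
            PublicKey peerCertKey = peerCert.getPublicKey();
            byte[] certId = this.trustManager.extractIdFromCertificate(peerCert);
            byte[] claimedId = attributes.getBytes("identity");
            if (!Arrays.equals(certId, claimedId)) {
                logger.debug("In connection attribute validation failed: peer id in attributes ({}) differs from the one extracted from certificate ({})", Bytes.of(claimedId), Bytes.of(certId));
                throw new InvalidHandshakeAttributesException(attributes, 1);
            }

            // NOTE(review): only the leaf certificate is passed to the trust manager; whether
            // intermediates are needed depends on the trust manager in use.
            this.trustManager.checkClientTrusted(new X509Certificate[]{peerCert}, peerCert.getPublicKey().getAlgorithm());
            if (!verifyAttrSignature(attributes, peerCertKey, peerCert.getSigAlgName())) {
                logger.debug("In connection attribute validation failed: Invalid attributes signature");
                throw new InvalidHandshakeAttributesException(attributes, 1);
            }

            // The DH public key is read only after the attribute signature has verified.
            ECPublicKey peerDhKey = (ECPublicKey) attributes.getObject(DH_PUB_ATTR, ECPubKeySerializer.INSTANCE);

            // Answer as the identity the peer asked for when we hold it; otherwise use the default
            // server alias.
            byte[] requestedId = attributes.getBytes("expected_identity");
            String alias = requestedId == null ? null : this.keyManager.getIdAlias(requestedId);
            if (alias == null) {
                alias = this.keyManager.chooseServerAlias(ASYM_KEY_ALG, null, null);
            }

            KeyPair ephemeral = generateECKeyPair();
            SecretKey sessionKey = generateAESFromECKeys(ephemeral.getPrivate(), peerDhKey);
            byte[] localIv = generateIv(32);
            Attributes reply = createSecondHandshakeAttributes(alias, (ECPublicKey) ephemeral.getPublic(), localIv, peerIv);
            AuthSession<T> session = AuthSession.startInSession(peerListenAddress, this.msgSerializer, alias, ephemeral, sessionKey, localIv, certId, peerIv);
            this.allSessions.put(Long.valueOf(j), session);
            this.inSessions.computeIfAbsent(Bytes.of(certId), id -> new HashMap<>()).put(Long.valueOf(j), session);
            return reply;
        } catch (IOException | NullPointerException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | CertificateException e) {
            // Every failure, including a missing attribute that surfaces as a null dereference,
            // rejects the handshake.
            logger.debug("In connection attribute validation failed with exception: " + e);
            throw new InvalidHandshakeAttributesException(attributes, 1, e);
        }
    }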

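    /**
     * Drops the association between {@code host} and identity {@code bytes} once no session uses it.
     *
     * <p>Nothing happens while an outbound or inbound session for that identity still has
     * {@code host} as its peer socket. If the removed identity was the host's default, another
     * identity of the host takes over; when none remains, the host is forgotten.
     *
     * <p>The decompiled listing compared against {@code Host.this}, which does not name the
     * {@code host} parameter; this version captures the parameter in a lambda.
     *
     * @param host peer socket address
     * @param bytes peer identity
     */
    private void pruneHostId(final Host host, Bytes bytes) {
        if (this.outSessions.containsKey(bytes) && host.equals(this.outSessions.get(bytes).getPeerSocket())) {
            return;
        }
        boolean usedByInbound = this.inSessions.containsKey(bytes)
                && this.inSessions.get(bytes).values().stream().anyMatch(session -> session.getPeerSocket().equals(host));
        if (usedByInbound) {
            return;
        }
        Set<Bytes> idsForHost = this.hostIds.get(host);
        if (idsForHost == null) {
            return;
        }
        idsForHost.remove(bytes);
        if (!bytes.equals(this.defaultHostIds.get(host))) {
            return;
        }
        if (!idsForHost.isEmpty()) {
            // Promote any remaining identity to default.
            this.defaultHostIds.put(host, idsForHost.iterator().next());
        } else {
            this.defaultHostIds.remove(host);
            this.hostIds.remove(host);
        }
    }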

    /**
     * Authenticates and sends {@code t} over {@code authSession}, reporting the outcome to the
     * listener.
     *
     * <p>Delivery success or failure is reported from the promise callback. A failure while computing
     * the MAC is reported to the listener directly.
     *
     * @param authSession session to send on
     * @param t message to send
     * @param host destination socket address, passed through to the listener
     * @param bArr destination identity, passed through to the listener
     */
    private void sendWithListener(AuthSession<T> authSession, final T t, final Host host, final byte[] bArr) {
        final Promise<Void> sendDone = this.loop.newPromise();
        sendDone.addListener(outcome -> lambda$sendWithListener$8(t, host, bArr, outcome));
        try {
            authSession.macAndSend(t, sendDone);
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException e) {
            logger.warn("Message MAC failed.");
            this.listener.messageFailed(t, Optional.of(host), bArr, e);
        }
    }

    /**
     * Signs {@code bArr} with {@code privateKey}, using the signature algorithm named in
     * {@code x509Certificate}.
     *
     * <p>NOTE(review): {@code getSigAlgName()} is the algorithm the issuer used to sign the
     * certificate. It only suits {@code privateKey} when issuer and subject keys are of the same
     * type — confirm for certificates that are not self-signed.
     *
     * @param x509Certificate certificate whose signature algorithm name is used
     * @param privateKey signing key
     * @param bArr data to sign
     * @return the signature bytes
     */
    private byte[] signWithCert(X509Certificate x509Certificate, PrivateKey privateKey, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        final String algorithm = x509Certificate.getSigAlgName();
        final Signature signer = Signature.getInstance(algorithm, PROVIDER);
        signer.initSign(privateKey);
        signer.update(bArr);
        final byte[] result = signer.sign();
        return result;
    }

    /**
     * Checks the "attrs_sig" signature over a received attribute set.
     *
     * <p>The signed content is the attribute set with the signature entry removed, serialized the
     * same way the sender serialized it before signing.
     *
     * @param attributes received attributes, including the signature entry
     * @param publicKey key expected to have produced the signature
     * @param str JCA signature algorithm name
     * @return {@code true} if the signature verifies; {@code false} if it does not, or if the key or
     *     signature encoding is rejected
     */
    private boolean verifyAttrSignature(Attributes attributes, PublicKey publicKey, String str) throws NoSuchAlgorithmException, IOException {
        try {
            final Attributes unsigned = attributes.shallowClone();
            unsigned.remove(ATTRS_SIG_ATTR);
            final Signature verifier = Signature.getInstance(str, PROVIDER);
            verifier.initVerify(publicKey);
            final ByteBuf serialized = Unpooled.buffer();
            Attributes.serializer.serialize(unsigned, serialized);
            // array() is the whole backing array; the signer hashes the same bytes.
            verifier.update(serialized.array());
            final byte[] claimedSignature = attributes.getBytes(ATTRS_SIG_ATTR);
            return verifier.verify(claimedSignature);
        } catch (InvalidKeyException | SignatureException unused) {
            // A malformed key or signature counts as a failed verification.
            return false;
        }
    }

    /**
     * Verifies that {@code bArr} is a signature over {@code bArr2} made with the key in
     * {@code x509Certificate}.
     *
     * @param x509Certificate certificate supplying both the public key and the algorithm name
     * @param bArr the signature to check
     * @param bArr2 the data that was signed
     * @return {@code true} if the signature verifies
     */
    private boolean verifySignature(X509Certificate x509Certificate, byte[] bArr, byte[] bArr2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        final String algorithm = x509Certificate.getSigAlgName();
        final Signature verifier = Signature.getInstance(algorithm, PROVIDER);
        verifier.initVerify(x509Certificate);
        verifier.update(bArr2);
        final boolean valid = verifier.verify(bArr);
        return valid;
    }

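    /**
     * Runs the n-th handshake step on the channel's event loop and waits for the result.
     *
     * <p>Two fixes over the decompiled listing. An interrupt now restores the thread's interrupt
     * flag before the handshake is rejected. A task failure whose cause is not an
     * {@code InvalidHandshakeAttributesException} is wrapped in one, instead of failing with a
     * {@code ClassCastException} that hides the real cause.
     *
     * @param j connection id
     * @param i handshake step number
     * @param list attributes received from the peer so far
     * @param list2 attributes sent to the peer so far
     * @return the attributes to send for this step
     * @throws InvalidHandshakeAttributesException if validation fails or cannot complete
     */
    @Override // pt.unl.fct.di.novasys.network.AttributeValidator
    public Attributes getNthHandshakeAttributes(final long j, final int i, final List<Attributes> list, final List<Attributes> list2) throws InvalidHandshakeAttributesException {
        final Callable<Attributes> step = () -> lambda$getNthHandshakeAttributes$4(j, i, list, list2);
        try {
            return (Attributes) this.loop.submit(step).get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new InvalidHandshakeAttributesException(list.get(list.size() - 1), 1, e);
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if (cause instanceof InvalidHandshakeAttributesException) {
                throw (InvalidHandshakeAttributesException) cause;
            }
            // Unexpected failure inside the step: still reject the handshake, keeping the cause.
            throw new InvalidHandshakeAttributesException(list.get(list.size() - 1), 1, e2);
        }
    }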

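    /**
     * Validates a peer's first handshake message on the channel's event loop and returns the reply
     * attributes.
     *
     * <p>Two fixes over the decompiled listing. An interrupt now restores the thread's interrupt
     * flag before the handshake is rejected. A task failure whose cause is not an
     * {@code InvalidHandshakeAttributesException} is wrapped in one, instead of failing with a
     * {@code ClassCastException} that hides the real cause.
     *
     * @param j connection id
     * @param attributes attributes received from the peer
     * @param attributes2 passed through to the handler
     * @return the reply attributes
     * @throws InvalidHandshakeAttributesException if validation fails or cannot complete
     */
    @Override // pt.unl.fct.di.novasys.network.AttributeValidator
    public Attributes getSecondHandshakeAttributes(final long j, final Attributes attributes, final Attributes attributes2) throws InvalidHandshakeAttributesException {
        final Callable<Attributes> step = () -> lambda$getSecondHandshakeAttributes$2(j, attributes, attributes2);
        try {
            return (Attributes) this.loop.submit(step).get();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new InvalidHandshakeAttributesException(attributes, 1, e);
        } catch (ExecutionException e2) {
            Throwable cause = e2.getCause();
            if (cause instanceof InvalidHandshakeAttributesException) {
                throw (InvalidHandshakeAttributesException) cause;
            }
            // Unexpected failure inside the handler: still reject the handshake, keeping the cause.
            throw new InvalidHandshakeAttributesException(attributes, 1, e2);
        }
    }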

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Closes the connection to {@code host} by resolving the host's default identity and delegating
     * to the identity-based overload. Does nothing when the host has no default identity.
     *
     * @param host peer socket address
     * @param i connection selector, passed through unchanged
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedChannel
    /* renamed from: onCloseConnection */
    public void lambda$closeConnection$1(Host host, int i) {
        final Bytes defaultId = this.defaultHostIds.get(host);
        if (defaultId != null) {
            lambda$closeConnection$1(defaultId.array(), i);
            return;
        }
        logger.debug("onCloseConnection ignored: No open connection to {}", host);
    }

    /**
     * Closes the outbound session to the peer identified by {@code bArr} and removes its bookkeeping.
     *
     * <p>Only the outbound session is affected; {@code i} is not consulted.
     *
     * @param bArr peer identity
     * @param i connection selector (unused here)
     */
    @Override // pt.unl.fct.di.novasys.channel.secure.SecureSingleThreadedBiChannel
    /* renamed from: onCloseConnection */
    public void lambda$closeConnection$1(byte[] bArr, int i) {
        final Bytes peerId = Bytes.of(bArr);
        final AuthSession<T> outbound = this.outSessions.get(peerId);
        if (outbound != null) {
            logger.debug("onCloseConnection: {} ({})", outbound.getPeerSocket(), peerId);
            outbound.disconect();
            this.outSessions.remove(peerId);
            this.allSessions.remove(Long.valueOf(outbound.getConnectionId()));
            // Must run after the session is removed, or pruneHostId would still see it in use.
            pruneHostId(outbound.getPeerSocket(), peerId);
            return;
        }
        logger.debug("onCloseConnection ignored: No out connection to {}", peerId);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Bridge method: casts the erased arguments and forwards to the typed {@code onDeliverMessage}. */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedChannel
    /* renamed from: onDeliverMessage */
    public /* bridge */ /* synthetic */ void lambda$deliverMessage$2(Object obj, Connection connection) {
        final AuthenticatedMessage message = (AuthenticatedMessage) obj;
        final Connection<AuthenticatedMessage> typedConnection = (Connection<AuthenticatedMessage>) connection;
        onDeliverMessage(message, typedConnection);
    }

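    /**
     * Authenticates a received message against its session and hands the payload to the listener.
     *
     * <p>Messages that arrive with no identity or no session are dropped and the connection is
     * closed. Their payload is neither deserialized nor logged: it has not passed any MAC check, so
     * parsing it would run the application deserializer on unauthenticated input, and logging it
     * would copy attacker-chosen content into the log.
     *
     * <p>A failure inside {@code receiveMessage} is logged with the exception attached, using the
     * logger rather than {@code printStackTrace()}.
     *
     * <p>NOTE(review): after a MAC failure the message is dropped but the connection stays open —
     * confirm that is the intended policy.
     *
     * @param authenticatedMessage the message with its MAC
     * @param connection the connection it arrived on
     */
    protected void onDeliverMessage(AuthenticatedMessage authenticatedMessage, Connection<AuthenticatedMessage> connection) {
        Bytes peerId = Bytes.of(connection.getPeerAttributes().getBytes("identity"));
        if (peerId == null) {
            logger.error("onDeliverMessage error: No identity associated with connection to host {}", connection.getPeer());
            connection.disconnect();
            return;
        }
        AuthSession<T> session = this.allSessions.get(Long.valueOf(connection.getConnectionId()));
        if (session == null) {
            logger.error("onDeliverMessage error: No session with peer {}", connection.getPeer());
            connection.disconnect();
            return;
        }
        Host peerSocket = session.getPeerSocket();
        try {
            // receiveMessage is declared to throw MessageAuthenticationException; the payload
            // reaches the listener only if it returns normally.
            T payload = session.receiveMessage(authenticatedMessage);
            logger.debug("onDeliverMessage from: {} ({})", peerSocket, peerId);
            this.listener.deliverMessage(payload, peerSocket, peerId.array());
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | MessageAuthenticationException e) {
            logger.error("onDeliverMessage error: Exception on receiving message from {} ({})", peerSocket, peerId, e);
        }
    }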

    /* renamed from: onGetNthHandshakeAttributes, reason: merged with bridge method [inline-methods] */
    /**
     * Validates the most recently received handshake attributes and, for step {@code i == 3},
     * produces this side's reply attributes.
     *
     * <p>For {@code i == 3} the peer certificate is checked with the trust manager, the attribute
     * signature and the signature over this side's last MAC are verified, the session key is
     * derived and the outbound session setup is completed. For {@code i == 4} only the signature
     * over this side's last MAC is verified. Any other {@code i} is rejected.
     *
     * @param j     connection id used to look up the session in {@code allSessions}
     * @param i     handshake step; only 3 and 4 are accepted
     * @param list  handshake attributes; the last element is the set being validated and element
     *              0 supplies the certificate in the {@code i == 4} branch (assumed non-empty,
     *              since {@code list.get(list.size() - 1)} is evaluated before the try block)
     * @param list2 not read by this method
     * @return the reply attributes for step 3, or {@code Attributes.EMPTY} for step 4
     * @throws InvalidHandshakeAttributesException if any check fails or a listed exception occurs
     */
    public Attributes lambda$getNthHandshakeAttributes$4(long j, int i, List<Attributes> list, List<Attributes> list2) throws InvalidHandshakeAttributesException {
        int i2 = i - 1;
        // Built up front and reused by every plain rejection below (no cause attached).
        InvalidHandshakeAttributesException invalidHandshakeAttributesException = new InvalidHandshakeAttributesException(list.get(list.size() - 1), i2);
        // Format check on the newest attribute set; see validateAttributes.
        if (!validateAttributes(list.get(list.size() - 1))) {
            throw invalidHandshakeAttributesException;
        }
        try {
            if (i != 3) {
                if (i != 4) {
                    throw invalidHandshakeAttributesException;
                }
                logger.trace("Validating 3rd handshake message...");
                // The certificate comes from the first attribute set, the signature from the last.
                // NOTE(review): the trust manager is not consulted in this branch; presumably the
                // certificate was validated in an earlier handshake step — confirm.
                // A missing session surfaces as a NullPointerException, caught below.
                if (verifySignature((X509Certificate) list.get(0).getObject(CERT_ATTR, X509CertificateSerializer.INSTANCE), list.get(list.size() - 1).getBytes(IV_SIG_ATTR), this.allSessions.get(Long.valueOf(j)).getMyLastMac())) {
                    return Attributes.EMPTY;
                }
                throw invalidHandshakeAttributesException;
            }
            logger.trace("Getting 3rd handshake message...");
            AuthSession<T> authSession = this.allSessions.get(Long.valueOf(j));
            Attributes attributes = list.get(list.size() - 1);
            X509Certificate x509Certificate = (X509Certificate) attributes.getObject(CERT_ATTR, X509CertificateSerializer.INSTANCE);
            Bytes of = Bytes.of(attributes.getBytes("identity"));
            byte[] bytes = attributes.getBytes("expected_identity");
            String algorithm = x509Certificate.getPublicKey().getAlgorithm();
            if (bytes == null) {
                // No expected identity was recorded: trust check on the certificate alone.
                this.trustManager.checkServerTrusted(new X509Certificate[]{x509Certificate}, algorithm);
            } else {
                // NOTE(review): this compares a Bytes with a raw byte[]; confirm Bytes.equals
                // accepts an array, otherwise the check rejects every peer on this path.
                if (!of.equals(bytes)) {
                    throw new AuthenticationException("Expected peer id %s, but got peerId %s".formatted(Bytes.of(bytes), of));
                }
                this.trustManager.checkServerTrusted(new X509Certificate[]{x509Certificate}, bytes, algorithm);
            }
            // Both signatures are checked only after the trust decision on the certificate.
            verifyAttrSignature(attributes, x509Certificate.getPublicKey(), x509Certificate.getSigAlgName());
            if (!verifySignature(x509Certificate, attributes.getBytes(IV_SIG_ATTR), authSession.getMyLastMac())) {
                throw invalidHandshakeAttributesException;
            }
            byte[] bytes2 = attributes.getBytes(IV_ATTR);
            // Session key: own DH private key combined with the peer's DH public key attribute.
            authSession.completeOutSessionSetup(of.array(), generateAESFromECKeys(authSession.getDhKeyPair().getPrivate(), (ECPublicKey) attributes.getObject(DH_PUB_ATTR, ECPubKeySerializer.INSTANCE)), bytes2);
            Attributes shallowClone = this.baseAttributes.shallowClone();
            // Reply carries this side's signature over the received IV bytes.
            shallowClone.putBytes(IV_SIG_ATTR, signWithCert(this.keyManager.getCertificateChain(authSession.getMyIdAlias())[0], this.keyManager.getPrivateKey(authSession.getMyIdAlias()), bytes2));
            return shallowClone;
        } catch (IOException | NullPointerException | InvalidKeyException | NoSuchAlgorithmException | SignatureException | CertificateException | AuthenticationException e) {
            // Fails closed: every listed failure becomes a handshake rejection with the cause
            // attached. NOTE(review): catching NullPointerException also turns a missing session
            // or attribute into a rejection, which can hide programming errors.
            throw new InvalidHandshakeAttributesException(list.get(list.size() - 1), i2, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Cleans up after an inbound connection went down (decompiler note: renamed from
     * {@code onInboundConnectionDown}): removes the session from {@code inSessions} and
     * {@code allSessions}, prunes the host/identity mapping and notifies the listener.
     *
     * @param connection the connection that went down
     * @param th         cause passed on to the {@code SecureInConnectionDown} event
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$inboundConnectionDown$1(Connection<AuthenticatedMessage> connection, Throwable th) {
        Bytes peerId = getPeerId(connection);
        Host peerAddress;
        try {
            // Prefer the "listen_address" entry of the peer attributes.
            // NOTE(review): presumably this value is declared by the peer itself — confirm it is
            // covered by the handshake signature before relying on it as a map key.
            peerAddress = connection.getPeerAttributes().getHost("listen_address");
        } catch (IOException ignored) {
            // Attribute could not be read: fall back to the connection's own peer address.
            peerAddress = connection.getPeer();
        }
        logger.debug("Inbound connection down with {} ({})", peerAddress, peerId);
        this.inSessions.remove(peerId);
        Long connectionKey = Long.valueOf(connection.getConnectionId());
        this.allSessions.remove(connectionKey);
        pruneHostId(peerAddress, peerId);
        this.listener.deliverEvent(new SecureInConnectionDown(peerAddress, peerId, th));
    }

    /* JADX INFO: Access modifiers changed from: protected */
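    /**
     * Finishes setup of an inbound session once its connection is up (decompiler note: renamed
     * from {@code onInboundConnectionUp}): completes the session, marks it {@code CONNECTED},
     * records the host/identity mapping and notifies the listener.
     *
     * <p>A connection with no session registered under its connection id is disconnected and
     * ignored.
     *
     * @param connection the inbound connection that came up
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$inboundConnectionUp$0(Connection<AuthenticatedMessage> connection) {
        AuthSession<T> session = this.allSessions.get(Long.valueOf(connection.getConnectionId()));
        if (session == null) {
            logger.warn("InboundConnectionUp with no prepared session.");
            connection.disconnect();
            // Stop here: without this return the code below dereferenced the null session and
            // threw a NullPointerException right after disconnecting.
            return;
        }
        session.completeInSessionSetup(connection);
        session.setState(AuthSession.State.CONNECTED);
        Host peerSocket = session.getPeerSocket();
        Bytes peerId = Bytes.of(session.getPeerId());
        logger.debug("InboundConnectionUp with {} ({})", peerSocket, peerId);
        addHostId(peerSocket, peerId);
        this.listener.deliverEvent(new SecureInConnectionUp(peerSocket, session.getPeerId()));
    }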

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Opens a connection to {@code host} without naming a peer identity (decompiler note: renamed
     * from {@code onOpenConnection}). The request is ignored when a pending identity-less session
     * to the host exists, or when one of the identities known for the host satisfies
     * {@code lambda$onOpenConnection$5} (defined elsewhere in this class).
     *
     * @param host address to connect to
     * @param i    passed through unchanged to the identity-aware overload
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedChannel
    public void lambda$openConnection$3(Host host, int i) {
        Set<Bytes> knownIds = this.hostIds.get(host);
        boolean alreadyOpen = this.pendingOutSessionsWithoutId.containsKey(host);
        if (!alreadyOpen && knownIds != null) {
            // Only consulted when no pending identity-less session exists, as before.
            alreadyOpen = knownIds.stream().anyMatch(id -> AuthChannel.this.lambda$onOpenConnection$5(id));
        }
        if (alreadyOpen) {
            logger.debug("onOpenConnection ignored: A default connection for {} already exists", host);
            return;
        }
        lambda$openConnection$2(host, null, i);
    }

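    /**
     * Opens an outbound session to {@code host}, optionally pinned to an expected peer identity
     * (decompiler note: renamed from {@code onOpenConnection}).
     *
     * <p>With an identity, the session is registered in {@code outSessions} and the host/identity
     * mapping is recorded; without one it is parked in {@code pendingOutSessionsWithoutId}. A
     * request for an identity that already has an outbound session is ignored.
     *
     * <p>If creating the session fails, the listener receives a {@code SecureOutConnectionFailed}
     * event for {@code host} carrying the exception as its cause.
     *
     * @param host address to connect to
     * @param bArr expected peer identity, or {@code null} when none is known
     * @param i    not read by this method
     */
    @Override // pt.unl.fct.di.novasys.channel.secure.SecureSingleThreadedBiChannel
    public void lambda$openConnection$2(Host host, byte[] bArr, int i) {
        try {
            Bytes peerId = Bytes.of(bArr);
            if (this.outSessions.containsKey(peerId)) {
                logger.debug("onOpenConnection ignored: Repeated connection to {} ({})", host, peerId);
                return;
            }
            logger.debug("onOpenConnection opening session to: {} ({})", host, bArr);
            AuthSession<T> session = createOutSession(host, Optional.ofNullable(bArr));
            if (bArr == null) {
                this.pendingOutSessionsWithoutId.put(host, session);
            } else {
                this.outSessions.put(peerId, session);
                addHostId(host, peerId);
            }
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | SignatureException | CertificateEncodingException e) {
            // Report through the logger rather than printStackTrace().
            logger.error("onOpenConnection error: Failed to open session to {}", host, e);
            // Deliver the failure directly. The previous code called the connection-failed
            // handler with a null connection, which dereferences it and threw a
            // NullPointerException instead of notifying the listener.
            byte[] failedPeerId = bArr == null ? new byte[0] : bArr;
            this.listener.deliverEvent(new SecureOutConnectionFailed(host, failedPeerId, new LinkedList<>(), e));
        }
    }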

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Cleans up after an outbound connection went down (decompiler note: renamed from
     * {@code onOutboundConnectionDown}): removes the session from {@code outSessions} and
     * {@code allSessions}, prunes the host/identity mapping and notifies the listener.
     *
     * @param connection the connection that went down
     * @param th         cause, or {@code null} when none was given
     * @throws AssertionError if the removed session was still in the {@code CONNECTING} state
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$outboundConnectionDown$5(Connection<AuthenticatedMessage> connection, Throwable th) {
        Bytes peerId = getPeerId(connection);
        Host peer = connection.getPeer();
        String causeSuffix = th == null ? "" : "\nCause: " + th;
        logger.debug("OutboundConnectionDown with {} ({}).{}", peer, peerId, causeSuffix);
        this.outSessions.remove(peerId);
        AuthSession<T> closedSession = this.allSessions.remove(Long.valueOf(connection.getConnectionId()));
        if (closedSession != null) {
            boolean stillConnecting = closedSession.getState() == AuthSession.State.CONNECTING;
            if (stillConnecting) {
                throw new AssertionError("ConnectionDown in CONNECTING session state: " + connection);
            }
            pruneHostId(peer, peerId);
            this.listener.deliverEvent(new SecureOutConnectionDown(peer, peerId, th));
        }
        // No session under this connection id: nothing further to clean up or report.
    }

    /* JADX INFO: Access modifiers changed from: protected */
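    /**
     * Handles a failed outbound connection attempt (decompiler note: renamed from
     * {@code onOutboundConnectionFailed}): drops the session bookkeeping for the connection and
     * delivers a {@code SecureOutConnectionFailed} event.
     *
     * <p>When no session is registered for the connection id, the event carries the connection's
     * peer, an empty identity and an empty message list. Otherwise it carries the session's peer
     * socket, its identity (empty when unknown) and its queued messages.
     *
     * @param connection the connection that failed; a {@code null} value is logged and ignored
     * @param th         cause, or {@code null} when none was given
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$outboundConnectionFailed$6(Connection<AuthenticatedMessage> connection, Throwable th) {
        String causeSuffix = th != null ? "\nCause: " + th : "";
        if (connection == null) {
            // The session-opening error path in this class passes null here; there is no peer to
            // report on, so log the cause instead of failing with a NullPointerException.
            logger.warn("OutboundConnectionFailed without a connection.{}", causeSuffix);
            return;
        }
        AuthSession<T> failedSession = this.allSessions.remove(Long.valueOf(connection.getConnectionId()));
        if (failedSession == null) {
            logger.debug("OutboundConnectionFailed to {}.{}", connection.getPeer(), causeSuffix);
            this.listener.deliverEvent(new SecureOutConnectionFailed(connection.getPeer(), new byte[0], new LinkedList<>(), th));
            return;
        }
        Host peerSocket = failedSession.getPeerSocket();
        byte[] peerIdBytes = failedSession.getPeerId();
        if (peerIdBytes == null) {
            // Identity not learned yet: report an empty one.
            peerIdBytes = new byte[0];
        }
        Bytes peerId = Bytes.of(peerIdBytes);
        logger.debug("OutboundConnectionFailed to {} ({}).{}", peerSocket, peerId, causeSuffix);
        // Not registered under an identity: the session may still be parked as identity-less.
        if (this.outSessions.remove(peerId) == null) {
            this.pendingOutSessionsWithoutId.remove(peerSocket);
        }
        this.listener.deliverEvent(new SecureOutConnectionFailed(peerSocket, peerIdBytes, failedSession.getMsgQueue(), th));
    }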

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Finishes setup of an outbound session once its connection is up (decompiler note: renamed
     * from {@code onOutboundConnectionUp}): registers the session under the peer identity if it
     * is not registered yet, sends every queued message, marks the session {@code CONNECTED} and
     * notifies the listener.
     *
     * <p>A connection with no session registered under its connection id is disconnected and
     * ignored.
     *
     * @param connection the outbound connection that came up
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$outboundConnectionUp$4(Connection<AuthenticatedMessage> connection) {
        AuthSession<T> session = this.allSessions.get(Long.valueOf(connection.getConnectionId()));
        if (session == null) {
            logger.warn("OutboundConnectionUp with no prepared session.");
            connection.disconnect();
            return;
        }
        Host peerSocket = session.getPeerSocket();
        Bytes peerId = Bytes.of(session.getPeerId());
        logger.debug("OutboundConnectionUp with {} ({})", peerSocket, peerId);
        boolean registered = this.outSessions.containsKey(peerId);
        if (!registered) {
            // Move the session from the identity-less table to the identity-keyed one.
            this.pendingOutSessionsWithoutId.remove(peerSocket);
            this.outSessions.put(peerId, session);
            addHostId(peerSocket, peerId);
        }
        // Drain the backlog before the state flips to CONNECTED.
        for (Queue<T> backlog = session.getMsgQueue(); !backlog.isEmpty(); ) {
            sendWithListener(session, backlog.remove(), peerSocket, peerId.array());
        }
        session.setState(AuthSession.State.CONNECTED);
        this.listener.deliverEvent(new SecureOutConnectionUp(peerSocket, peerId));
    }

    /* JADX INFO: Access modifiers changed from: protected */
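    /**
     * Sends {@code t} to {@code host} without naming a peer identity (decompiler note: renamed
     * from {@code onSendMessage}).
     *
     * <p>When a default identity is known for the host, the message goes to the identity-aware
     * {@code onSendMessage}. Otherwise, for {@code i <= 0}, it is queued on a pending
     * identity-less session to the host if one exists. In every other case the listener is told
     * that the message failed.
     *
     * @param t    message to send
     * @param host destination address
     * @param i    connection selector passed on to {@code onSendMessage}
     *             (NOTE(review): values above 0 presumably select an inbound connection — confirm)
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedChannel
    public void lambda$sendMessage$0(T t, Host host, int i) {
        Bytes defaultId = this.defaultHostIds.get(host);
        if (defaultId != null) {
            // The decompiler-inserted cast of t to AuthChannel<T> is dropped; t is already a T.
            onSendMessage(t, defaultId.array(), i);
            return;
        }
        // The previous condition `bytes != null || i > 0` dereferenced the null identity whenever
        // i > 0; that case now reports a failed message instead of a NullPointerException.
        AuthSession<T> pendingSession = i > 0 ? null : this.pendingOutSessionsWithoutId.get(host);
        if (pendingSession != null) {
            pendingSession.enqueue(t);
            return;
        }
        logger.debug("onSendMessage ignored: No connection to {}", host);
        this.listener.messageFailed(t, host, new IllegalStateException("No connection to " + host));
    }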

    /**
     * Sends {@code t} to the peer identified by {@code bArr}, using the session chosen by
     * {@code getSessionToSend}. Depending on the session state the message is sent, queued, or
     * reported to the listener as failed; with no session it is reported as failed.
     *
     * @param t    message to send
     * @param bArr identity of the destination peer
     * @param i    connection selector handed to {@code getSessionToSend}
     */
    @Override // pt.unl.fct.di.novasys.channel.secure.SecureSingleThreadedBiChannel
    public void onSendMessage(T t, byte[] bArr, int i) {
        Bytes peerId = Bytes.of(bArr);
        AuthSession<T> session = getSessionToSend(peerId, i);
        if (session == null) {
            logger.debug("onSendMessage: No session with peer {}. Dropping msg: {}", peerId, t);
            this.listener.messageFailed(t, Optional.empty(), bArr, new IllegalArgumentException("No connection to " + peerId));
            return;
        }
        Host peerSocket = session.getPeerSocket();
        logger.debug("onSendMessage: Sending message {} to {} ({})", t, peerSocket, peerId);
        // Index from the compiler-generated switch map for AuthSession.State; the map is not
        // visible here. Judging by the handling, 1 is presumably CONNECTED, 2 CONNECTING and
        // 3 DISCONNECTING — confirm against AnonymousClass1.
        int stateCase = AnonymousClass1.$SwitchMap$pt$unl$fct$di$novasys$channel$secure$auth$AuthSession$State[session.getState().ordinal()];
        switch (stateCase) {
            case 1:
                sendWithListener(session, t, peerSocket, bArr);
                break;
            case 2:
                session.getMsgQueue().add(t);
                break;
            case 3:
                this.listener.messageFailed(t, Optional.of(peerSocket), bArr, new IllegalStateException("Channel state was DISCONNECTING"));
                break;
            default:
                // Any other state: the message is dropped without notification.
                break;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Logs the outcome of binding the server socket (decompiler note: renamed from
     * {@code onServerSocketBind}).
     *
     * @param z  {@code true} when the bind succeeded
     * @param th cause logged when the bind failed
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$serverSocketBind$2(boolean z, Throwable th) {
        if (!z) {
            logger.error("Server socket bind failed: {}", th);
            return;
        }
        logger.debug("Server socket ready");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Logs the closing of the server socket (decompiler note: renamed from
     * {@code onServerSocketClose}).
     *
     * @param z  {@code true} for the plain debug message, {@code false} to log {@code th} as the cause
     * @param th cause logged at error level when {@code z} is {@code false}
     */
    @Override // pt.unl.fct.di.novasys.channel.base.SingleThreadedBiChannel
    public void lambda$serverSocketClose$3(boolean z, Throwable th) {
        if (!z) {
            logger.error("Server socket closed. Cause: {}", th);
            return;
        }
        logger.debug("Server socket closed.");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Metrics hook; this implementation does nothing. */
    public void triggerMetricsEvent() {
        // Intentionally empty.
    }

    /**
     * Checks that {@code attributes} carries the expected {@code "magic_number"} value.
     *
     * <p>This compares against a fixed constant, so it is a protocol sanity check only; it says
     * nothing about who sent the attributes.
     *
     * @param attributes attribute set to check
     * @return {@code true} when the magic number is present and equals 21765
     */
    @Override // pt.unl.fct.di.novasys.network.AttributeValidator
    public boolean validateAttributes(Attributes attributes) {
        final short expectedMagic = 21765;
        Short magic = attributes.getShort("magic_number");
        if (magic == null) {
            return false;
        }
        return magic.shortValue() == expectedMagic;
    }
}
