package org.eclipse.milo.opcua.stack.core.channel;

import com.google.common.primitives.Bytes;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.channel.ChannelSecurity;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.types.builtin.ByteString;
import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
import org.eclipse.milo.opcua.stack.core.util.DigestUtil;

/* loaded from: input_file:org/eclipse/milo/opcua/stack/core/channel/SecureChannel.class */
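/**
 * Security view of one channel: the local and remote certificates, the negotiated
 * {@link SecurityPolicy} and {@link MessageSecurityMode}, and the block, signature and
 * key sizes derived from them.
 *
 * <p>The remote certificate and chain are supplied by the peer. Nothing in this interface
 * validates them, so the sizes and thumbprints derived from them are only meaningful once
 * the caller has validated the remote certificate.
 */
public interface SecureChannel {
    KeyPair getKeyPair();

    X509Certificate getLocalCertificate();

    List<X509Certificate> getLocalCertificateChain();

    X509Certificate getRemoteCertificate();

    List<X509Certificate> getRemoteCertificateChain();

    SecurityPolicy getSecurityPolicy();

    MessageSecurityMode getMessageSecurityMode();

    long getChannelId();

    ChannelSecurity getChannelSecurity();

    ChannelSecurity.SecretKeys getEncryptionKeys(ChannelSecurity.SecuritySecrets securitySecrets);

    ChannelSecurity.SecretKeys getDecryptionKeys(ChannelSecurity.SecuritySecrets securitySecrets);

    ByteString getLocalNonce();

    ByteString getRemoteNonce();

    /**
     * Returns the encoded form of the local certificate.
     *
     * @return the encoded certificate, or {@link ByteString#NULL_VALUE} when there is no
     *     local certificate.
     * @throws UaException with {@code Bad_CertificateInvalid} if the certificate cannot be encoded.
     */
    default ByteString getLocalCertificateBytes() throws UaException {
        // Read the getter once so the null check and the encoding see the same certificate.
        X509Certificate certificate = getLocalCertificate();
        if (certificate == null) {
            return ByteString.NULL_VALUE;
        }
        try {
            return ByteString.of(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }

    /**
     * Returns the encoded certificates of the local chain, concatenated in list order.
     *
     * @return the concatenated encodings, or {@link ByteString#NULL_VALUE} when there is no
     *     local chain.
     * @throws UaException with {@code Bad_CertificateInvalid} if any certificate in the chain
     *     cannot be encoded.
     */
    default ByteString getLocalCertificateChainBytes() throws UaException {
        List<X509Certificate> chain = getLocalCertificateChain();
        if (chain == null) {
            return ByteString.NULL_VALUE;
        }
        byte[] encoded = new byte[0];
        try {
            for (X509Certificate certificate : chain) {
                encoded = Bytes.concat(encoded, certificate.getEncoded());
            }
        } catch (CertificateEncodingException e) {
            // Fail like the single-certificate getters do. Substituting an empty array here
            // would hand the caller a chain with a certificate silently missing.
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
        return ByteString.of(encoded);
    }

    /**
     * Returns the SHA-1 digest of the encoded local certificate.
     *
     * <p>NOTE(review): SHA-1 is not collision resistant; treat the thumbprint as a lookup
     * identifier only, never as a substitute for validating the certificate itself.
     *
     * @return the thumbprint, or {@link ByteString#NULL_VALUE} when there is no local certificate.
     * @throws UaException with {@code Bad_CertificateInvalid} if the certificate cannot be encoded.
     */
    default ByteString getLocalCertificateThumbprint() throws UaException {
        X509Certificate certificate = getLocalCertificate();
        if (certificate == null) {
            return ByteString.NULL_VALUE;
        }
        try {
            return ByteString.of(DigestUtil.sha1(certificate.getEncoded()));
        } catch (CertificateEncodingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }

    /**
     * Returns the encoded form of the remote certificate.
     *
     * @return the encoded certificate, or {@link ByteString#NULL_VALUE} when there is no
     *     remote certificate.
     * @throws UaException with {@code Bad_CertificateInvalid} if the certificate cannot be encoded.
     */
    default ByteString getRemoteCertificateBytes() throws UaException {
        X509Certificate certificate = getRemoteCertificate();
        if (certificate == null) {
            return ByteString.NULL_VALUE;
        }
        try {
            return ByteString.of(certificate.getEncoded());
        } catch (CertificateEncodingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }

    /**
     * Returns the encoded certificates of the remote chain, concatenated in list order.
     *
     * @return the concatenated encodings, or {@link ByteString#NULL_VALUE} when there is no
     *     remote chain.
     * @throws UaException with {@code Bad_CertificateInvalid} if any certificate in the chain
     *     cannot be encoded.
     */
    default ByteString getRemoteCertificateChainBytes() throws UaException {
        List<X509Certificate> chain = getRemoteCertificateChain();
        if (chain == null) {
            return ByteString.NULL_VALUE;
        }
        byte[] encoded = new byte[0];
        try {
            for (X509Certificate certificate : chain) {
                encoded = Bytes.concat(encoded, certificate.getEncoded());
            }
        } catch (CertificateEncodingException e) {
            // A peer-supplied chain must not be shortened silently; report the bad certificate.
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
        return ByteString.of(encoded);
    }

    /**
     * Returns the SHA-1 digest of the encoded remote certificate.
     *
     * <p>NOTE(review): SHA-1 is not collision resistant; treat the thumbprint as a lookup
     * identifier only, never as a substitute for validating the certificate itself.
     *
     * @return the thumbprint, or {@link ByteString#NULL_VALUE} when there is no remote certificate.
     * @throws UaException with {@code Bad_CertificateInvalid} if the certificate cannot be encoded.
     */
    default ByteString getRemoteCertificateThumbprint() throws UaException {
        X509Certificate certificate = getRemoteCertificate();
        if (certificate == null) {
            return ByteString.NULL_VALUE;
        }
        try {
            return ByteString.of(DigestUtil.sha1(certificate.getEncoded()));
        } catch (CertificateEncodingException e) {
            throw new UaException(StatusCodes.Bad_CertificateInvalid, e);
        }
    }

    /**
     * Returns the asymmetric cipher-text block size, in bytes, for the local certificate's key.
     *
     * @return the RSA modulus size in bytes for {@code Rsa15} and {@code RsaOaep}; 1 when
     *     asymmetric encryption is disabled or the algorithm is any other value. The result
     *     is 0 when the local key is not RSA, see {@link #getAsymmetricKeyLength(Certificate)}.
     */
    default int getLocalAsymmetricCipherTextBlockSize() {
        if (!isAsymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getAsymmetricEncryptionAlgorithm()) {
            case Rsa15:
            case RsaOaep:
                // NOTE(review): (bits + 1) / 8 equals the byte length only when the modulus
                // bit length is a multiple of 8 or one short of it - confirm that is intended.
                return (getAsymmetricKeyLength(getLocalCertificate()) + 1) / 8;
            default:
                return 1;
        }
    }

    /**
     * Returns the asymmetric cipher-text block size, in bytes, for the remote certificate's key.
     *
     * @return the RSA modulus size in bytes for {@code Rsa15} and {@code RsaOaep}; 1 when
     *     asymmetric encryption is disabled or the algorithm is any other value. The result
     *     is 0 when the peer's key is not RSA, so callers that divide by it must check first.
     */
    default int getRemoteAsymmetricCipherTextBlockSize() {
        if (!isAsymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getAsymmetricEncryptionAlgorithm()) {
            case Rsa15:
            case RsaOaep:
                return (getAsymmetricKeyLength(getRemoteCertificate()) + 1) / 8;
            default:
                return 1;
        }
    }

    /**
     * Returns the asymmetric plain-text block size, in bytes, for the local certificate's key:
     * the cipher-text block size minus the padding overhead of the encryption algorithm.
     *
     * @return key bytes minus 11 for {@code Rsa15}, minus 42 for {@code RsaOaep}; 1 when
     *     asymmetric encryption is disabled or the algorithm is any other value. The result
     *     is negative when the key length is 0 (non-RSA key).
     */
    default int getLocalAsymmetricPlainTextBlockSize() {
        if (!isAsymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getAsymmetricEncryptionAlgorithm()) {
            case Rsa15:
                // 11 bytes is the minimum PKCS#1 v1.5 encryption padding.
                return ((getAsymmetricKeyLength(getLocalCertificate()) + 1) / 8) - 11;
            case RsaOaep:
                // 42 = 2 * 20 + 2, the OAEP overhead with a 20-byte (SHA-1) hash.
                return ((getAsymmetricKeyLength(getLocalCertificate()) + 1) / 8) - 42;
            default:
                return 1;
        }
    }

    /**
     * Returns the asymmetric plain-text block size, in bytes, for the remote certificate's key:
     * the cipher-text block size minus the padding overhead of the encryption algorithm.
     *
     * @return key bytes minus 11 for {@code Rsa15}, minus 42 for {@code RsaOaep}; 1 when
     *     asymmetric encryption is disabled or the algorithm is any other value. The result
     *     is negative when the peer's key length is 0 (non-RSA key), so callers sizing
     *     buffers from it must reject non-positive values.
     */
    default int getRemoteAsymmetricPlainTextBlockSize() {
        if (!isAsymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getAsymmetricEncryptionAlgorithm()) {
            case Rsa15:
                // 11 bytes is the minimum PKCS#1 v1.5 encryption padding.
                return ((getAsymmetricKeyLength(getRemoteCertificate()) + 1) / 8) - 11;
            case RsaOaep:
                // 42 = 2 * 20 + 2, the OAEP overhead with a 20-byte (SHA-1) hash.
                return ((getAsymmetricKeyLength(getRemoteCertificate()) + 1) / 8) - 42;
            default:
                return 1;
        }
    }

    /**
     * Returns the size, in bytes, of an asymmetric signature made with the local key.
     *
     * @return the RSA modulus size in bytes for {@code RsaSha1} and {@code RsaSha256};
     *     0 for any other signature algorithm.
     */
    default int getLocalAsymmetricSignatureSize() {
        switch (getSecurityPolicy().getAsymmetricSignatureAlgorithm()) {
            case RsaSha1:
            case RsaSha256:
                return (getAsymmetricKeyLength(getLocalCertificate()) + 1) / 8;
            default:
                return 0;
        }
    }

    /**
     * Returns the size, in bytes, of an asymmetric signature made with the remote key.
     *
     * @return the RSA modulus size in bytes for {@code RsaSha1} and {@code RsaSha256};
     *     0 for any other signature algorithm.
     */
    default int getRemoteAsymmetricSignatureSize() {
        switch (getSecurityPolicy().getAsymmetricSignatureAlgorithm()) {
            case RsaSha1:
            case RsaSha256:
                return (getAsymmetricKeyLength(getRemoteCertificate()) + 1) / 8;
            default:
                return 0;
        }
    }

    /**
     * Reports whether asymmetric signing applies: the policy is not {@code None} and a local
     * certificate is present.
     */
    default boolean isAsymmetricSigningEnabled() {
        return getSecurityPolicy() != SecurityPolicy.None && getLocalCertificate() != null;
    }

    /**
     * Reports whether asymmetric encryption applies: the policy is not {@code None} and both
     * the local and the remote certificate are present.
     */
    default boolean isAsymmetricEncryptionEnabled() {
        return getSecurityPolicy() != SecurityPolicy.None
            && getLocalCertificate() != null
            && getRemoteCertificate() != null;
    }

    /**
     * Returns the symmetric cipher-text block size in bytes.
     *
     * @return 16 for {@code Aes128} and {@code Aes256}; 1 when symmetric encryption is
     *     disabled or the algorithm is any other value.
     */
    default int getSymmetricCipherTextBlockSize() {
        if (!isSymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getSymmetricEncryptionAlgorithm()) {
            case Aes128:
            case Aes256:
                return 16;
            default:
                return 1;
        }
    }

    /**
     * Returns the symmetric plain-text block size in bytes.
     *
     * @return 16 for {@code Aes128} and {@code Aes256}; 1 when symmetric encryption is
     *     disabled or the algorithm is any other value.
     */
    default int getSymmetricPlainTextBlockSize() {
        if (!isSymmetricEncryptionEnabled()) {
            return 1;
        }
        switch (getSecurityPolicy().getSymmetricEncryptionAlgorithm()) {
            case Aes128:
            case Aes256:
                return 16;
            default:
                return 1;
        }
    }

    /**
     * Returns the size, in bytes, of a symmetric signature.
     *
     * @return 20 for {@code HmacSha1}, 32 for {@code HmacSha256}, 0 for any other algorithm.
     */
    default int getSymmetricSignatureSize() {
        switch (getSecurityPolicy().getSymmetricSignatureAlgorithm()) {
            case HmacSha1:
                return 20;
            case HmacSha256:
                return 32;
            default:
                return 0;
        }
    }

    /**
     * Returns the symmetric signing key size, in bytes, for the current security policy.
     *
     * @return 16 for {@code Basic128Rsa15}, 24 for {@code Basic256}, 32 for
     *     {@code Basic256Sha256}, and 0 for {@code None} or any policy not listed here.
     */
    default int getSymmetricSignatureKeySize() {
        switch (getSecurityPolicy()) {
            case None:
                return 0;
            case Basic128Rsa15:
                return 16;
            case Basic256:
                return 24;
            case Basic256Sha256:
                return 32;
            default:
                // A policy missing from this table yields a zero-length key rather than an error.
                return 0;
        }
    }

    /**
     * Returns the symmetric encryption key size, in bytes, for the current security policy.
     *
     * @return 16 for {@code Basic128Rsa15}, 32 for {@code Basic256} and
     *     {@code Basic256Sha256}, and 0 for {@code None} or any policy not listed here.
     */
    default int getSymmetricEncryptionKeySize() {
        switch (getSecurityPolicy()) {
            case None:
                return 0;
            case Basic128Rsa15:
                return 16;
            case Basic256:
            case Basic256Sha256:
                return 32;
            default:
                // A policy missing from this table yields a zero-length key rather than an error.
                return 0;
        }
    }

    /**
     * Reports whether symmetric signing applies: a local certificate is present, the policy is
     * not {@code None}, and the message security mode is {@code Sign} or {@code SignAndEncrypt}.
     */
    default boolean isSymmetricSigningEnabled() {
        if (getLocalCertificate() == null || getSecurityPolicy() == SecurityPolicy.None) {
            return false;
        }
        MessageSecurityMode mode = getMessageSecurityMode();
        return mode == MessageSecurityMode.Sign || mode == MessageSecurityMode.SignAndEncrypt;
    }

    /**
     * Reports whether symmetric encryption applies: a remote certificate is present, the policy
     * is not {@code None}, and the message security mode is {@code SignAndEncrypt}.
     */
    default boolean isSymmetricEncryptionEnabled() {
        return getRemoteCertificate() != null
            && getSecurityPolicy() != SecurityPolicy.None
            && getMessageSecurityMode() == MessageSecurityMode.SignAndEncrypt;
    }

    /**
     * Returns the RSA modulus length, in bits, of the certificate's public key.
     *
     * @param certificate the certificate to inspect; may be {@code null}.
     * @return the modulus bit length, or 0 when the certificate is {@code null} or its public
     *     key is not an {@link RSAPublicKey}. Callers derive block and signature sizes from
     *     this value, so a 0 here propagates as a zero or negative size.
     */
    static int getAsymmetricKeyLength(Certificate certificate) {
        if (certificate == null) {
            return 0;
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            return ((RSAPublicKey) publicKey).getModulus().bitLength();
        }
        return 0;
    }
}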
