package org.eclipse.leshan.client.californium;

import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import org.eclipse.californium.scandium.dtls.AlertMessage;
import org.eclipse.californium.scandium.dtls.CertificateMessage;
import org.eclipse.californium.scandium.dtls.HandshakeException;
import org.eclipse.leshan.core.util.Validate;

/* loaded from: input_file:org/eclipse/leshan/client/californium/TrustAnchorAssertionCertificateVerifier.class */
public class TrustAnchorAssertionCertificateVerifier extends BaseCertificateVerifier {
    private final X509Certificate[] trustAnchor;

    public TrustAnchorAssertionCertificateVerifier(X509Certificate x509Certificate) {
        Validate.notNull(x509Certificate);
        this.trustAnchor = new X509Certificate[]{x509Certificate};
    }

    @Override // org.eclipse.leshan.client.californium.BaseCertificateVerifier
    public CertPath verifyCertificate(boolean z, CertificateMessage certificateMessage, InetSocketAddress inetSocketAddress) throws HandshakeException {
        CertPath certificateChain = certificateMessage.getCertificateChain();
        validateCertificateChainNotEmpty(certificateChain);
        X509Certificate validateReceivedCertificateIsSupported = validateReceivedCertificateIsSupported(certificateChain);
        try {
            CertPath applyPKIXValidation = X509Util.applyPKIXValidation(certificateChain, this.trustAnchor);
            validateSubject(inetSocketAddress, validateReceivedCertificateIsSupported);
            return applyPKIXValidation;
        } catch (GeneralSecurityException e) {
            throw new HandshakeException("Certificate chain could not be validated : server cert chain is empty", new AlertMessage(AlertMessage.AlertLevel.FATAL, AlertMessage.AlertDescription.BAD_CERTIFICATE));
        }
    }
}
