package org.apache.plc4x.java.opcua.context;

import java.io.ByteArrayInputStream;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Signature;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.plc4x.java.api.authentication.PlcAuthentication;
import org.apache.plc4x.java.api.authentication.PlcUsernamePasswordAuthentication;
import org.apache.plc4x.java.api.exceptions.PlcRuntimeException;
import org.apache.plc4x.java.opcua.config.OpcuaConfiguration;
import org.apache.plc4x.java.opcua.readwrite.ActivateSessionRequest;
import org.apache.plc4x.java.opcua.readwrite.ActivateSessionResponse;
import org.apache.plc4x.java.opcua.readwrite.AnonymousIdentityToken;
import org.apache.plc4x.java.opcua.readwrite.ApplicationDescription;
import org.apache.plc4x.java.opcua.readwrite.ApplicationType;
import org.apache.plc4x.java.opcua.readwrite.BinaryPayload;
import org.apache.plc4x.java.opcua.readwrite.ChannelSecurityToken;
import org.apache.plc4x.java.opcua.readwrite.ChunkType;
import org.apache.plc4x.java.opcua.readwrite.CloseSecureChannelRequest;
import org.apache.plc4x.java.opcua.readwrite.CloseSessionRequest;
import org.apache.plc4x.java.opcua.readwrite.CloseSessionResponse;
import org.apache.plc4x.java.opcua.readwrite.CreateSessionRequest;
import org.apache.plc4x.java.opcua.readwrite.CreateSessionResponse;
import org.apache.plc4x.java.opcua.readwrite.EndpointDescription;
import org.apache.plc4x.java.opcua.readwrite.ExpandedNodeId;
import org.apache.plc4x.java.opcua.readwrite.ExtensiblePayload;
import org.apache.plc4x.java.opcua.readwrite.ExtensionObject;
import org.apache.plc4x.java.opcua.readwrite.ExtensionObjectDefinition;
import org.apache.plc4x.java.opcua.readwrite.ExtensionObjectEncodingMask;
import org.apache.plc4x.java.opcua.readwrite.GetEndpointsRequest;
import org.apache.plc4x.java.opcua.readwrite.GetEndpointsResponse;
import org.apache.plc4x.java.opcua.readwrite.LocalizedText;
import org.apache.plc4x.java.opcua.readwrite.MessageSecurityMode;
import org.apache.plc4x.java.opcua.readwrite.NodeIdFourByte;
import org.apache.plc4x.java.opcua.readwrite.OpcuaCloseRequest;
import org.apache.plc4x.java.opcua.readwrite.OpcuaConstants;
import org.apache.plc4x.java.opcua.readwrite.OpcuaNodeIdServicesObject;
import org.apache.plc4x.java.opcua.readwrite.OpcuaOpenRequest;
import org.apache.plc4x.java.opcua.readwrite.OpcuaOpenResponse;
import org.apache.plc4x.java.opcua.readwrite.OpenChannelMessageRequest;
import org.apache.plc4x.java.opcua.readwrite.OpenSecureChannelRequest;
import org.apache.plc4x.java.opcua.readwrite.OpenSecureChannelResponse;
import org.apache.plc4x.java.opcua.readwrite.PascalByteString;
import org.apache.plc4x.java.opcua.readwrite.PascalString;
import org.apache.plc4x.java.opcua.readwrite.Payload;
import org.apache.plc4x.java.opcua.readwrite.RequestHeader;
import org.apache.plc4x.java.opcua.readwrite.SecurityHeader;
import org.apache.plc4x.java.opcua.readwrite.SecurityTokenRequestType;
import org.apache.plc4x.java.opcua.readwrite.SequenceHeader;
import org.apache.plc4x.java.opcua.readwrite.ServiceFault;
import org.apache.plc4x.java.opcua.readwrite.SignatureData;
import org.apache.plc4x.java.opcua.readwrite.UserIdentityToken;
import org.apache.plc4x.java.opcua.readwrite.UserNameIdentityToken;
import org.apache.plc4x.java.opcua.readwrite.UserTokenPolicy;
import org.apache.plc4x.java.opcua.readwrite.UserTokenType;
import org.apache.plc4x.java.opcua.security.SecurityPolicy;
import org.apache.plc4x.java.spi.generation.ByteOrder;
import org.apache.plc4x.java.spi.generation.ParseException;
import org.apache.plc4x.java.spi.generation.ReadBuffer;
import org.apache.plc4x.java.spi.generation.ReadBufferByteBased;
import org.apache.plc4x.java.spi.transaction.RequestTransactionManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/plc4x/java/opcua/context/SecureChannel.class */
public class SecureChannel {
    private static final String PASSWORD_ENCRYPTION_ALGORITHM = "http://www.w3.org/2001/04/xmlenc#rsa-oaep";
    private final PascalByteString localCertificateString;
    private final PascalByteString remoteCertificateThumbprint;
    private PascalString policyId;
    private UserTokenType tokenType;
    private final PascalString endpoint;
    private final String username;
    private final String password;
    private final RequestTransactionManager tm;
    private final OpcuaConfiguration configuration;
    private final OpcuaDriverContext driverContext;
    private final Conversation conversation;
    private ScheduledFuture<?> keepAlive;
    private double sessionTimeout;
    private long revisedLifetime;
    private static volatile /* synthetic */ int[] $SWITCH_TABLE$org$apache$plc4x$java$opcua$readwrite$UserTokenType;
    private static final Logger LOGGER = LoggerFactory.getLogger(SecureChannel.class);
    public static final PascalString NULL_STRING = new PascalString("");
    public static final PascalByteString NULL_BYTE_STRING = new PascalByteString(-1, null);
    public static final Pattern INET_ADDRESS_PATTERN = Pattern.compile("(.(?<transportCode>tcp|https?))?://(?<transportHost>[\\w.-]+)(:(?<transportPort>\\d*))?");
    public static final Pattern URI_PATTERN = Pattern.compile("^(?<protocolCode>opc)" + INET_ADDRESS_PATTERN + "(?<transportEndpoint>[\\w/=]*)[?]?");
    private static final PascalString APPLICATION_URI = new PascalString("urn:apache:plc4x:client");
    private static final PascalString PRODUCT_URI = new PascalString("urn:apache:plc4x:client");
    private static final PascalString APPLICATION_TEXT = new PascalString("OPCUA client for the Apache PLC4X:PLC4J project");
    public static final ScheduledExecutorService KEEP_ALIVE_EXECUTOR = Executors.newSingleThreadScheduledExecutor(runnable -> {
        return new Thread(runnable, "plc4x-opcua-keep-alive");
    });
    private final String sessionName = "UaSession:" + APPLICATION_TEXT.getStringValue() + ":" + RandomStringUtils.random(20, true, true);
    private final List<String> endpoints = new ArrayList();

    public SecureChannel(Conversation conversation, RequestTransactionManager requestTransactionManager, OpcuaDriverContext opcuaDriverContext, OpcuaConfiguration opcuaConfiguration, PlcAuthentication plcAuthentication) {
        this.conversation = conversation;
        this.tm = requestTransactionManager;
        this.configuration = opcuaConfiguration;
        this.driverContext = opcuaDriverContext;
        this.endpoint = new PascalString(opcuaDriverContext.getEndpoint());
        this.sessionTimeout = opcuaConfiguration.getSessionTimeout();
        if (plcAuthentication == null) {
            this.username = opcuaConfiguration.getUsername();
            this.password = opcuaConfiguration.getPassword();
        } else {
            if (!(plcAuthentication instanceof PlcUsernamePasswordAuthentication)) {
                throw new PlcRuntimeException("This type of connection only supports username-password authentication");
            }
            this.username = ((PlcUsernamePasswordAuthentication) plcAuthentication).getUsername();
            this.password = ((PlcUsernamePasswordAuthentication) plcAuthentication).getPassword();
        }
        try {
            InetAddress byName = InetAddress.getByName(opcuaDriverContext.getHost());
            this.endpoints.add(byName.getHostAddress());
            this.endpoints.add(byName.getHostName());
            this.endpoints.add(byName.getCanonicalHostName());
        } catch (UnknownHostException e) {
            LOGGER.warn("Unable to resolve host name. Using original host from connection string which may cause issues connecting to server");
            this.endpoints.add(opcuaDriverContext.getHost());
        }
        if (conversation.getSecurityPolicy() == SecurityPolicy.NONE) {
            this.localCertificateString = NULL_BYTE_STRING;
            this.remoteCertificateThumbprint = NULL_BYTE_STRING;
            return;
        }
        CertificateKeyPair certificateKeyPair = opcuaDriverContext.getCertificateKeyPair();
        this.remoteCertificateThumbprint = opcuaDriverContext.getThumbprint();
        try {
            byte[] encoded = certificateKeyPair.getCertificate().getEncoded();
            this.localCertificateString = new PascalByteString(encoded.length, encoded);
        } catch (CertificateEncodingException e2) {
            throw new PlcRuntimeException("Could not decode certificate", e2);
        }
    }

    public CompletableFuture<ActivateSessionResponse> onConnect() {
        LOGGER.debug("Opcua Driver running in ACTIVE mode.");
        return this.conversation.requestHello().thenCompose(opcuaAcknowledgeResponse -> {
            return onConnectOpenSecureChannel(SecurityTokenRequestType.securityTokenRequestTypeIssue);
        }).thenCompose((Function<? super U, ? extends CompletionStage<U>>) openSecureChannelResponse -> {
            return onConnectCreateSessionRequest(openSecureChannelResponse);
        }).thenCompose(createSessionResponse -> {
            return onConnectActivateSessionRequest(createSessionResponse);
        }).thenApply(activateSessionResponse -> {
            keepAlive();
            return activateSessionResponse;
        });
    }

    public CompletableFuture<OpenSecureChannelResponse> onConnectOpenSecureChannel(SecurityTokenRequestType securityTokenRequestType) {
        OpenSecureChannelRequest openSecureChannelRequest;
        LOGGER.debug("Sending open secure channel message to {}", this.driverContext.getEndpoint());
        RequestHeader createRequestHeader = this.conversation.createRequestHeader(this.configuration.getNegotiationTimeout(), 0);
        if (this.conversation.getSecurityPolicy() != SecurityPolicy.NONE) {
            byte[] localNonce = this.conversation.getLocalNonce();
            openSecureChannelRequest = new OpenSecureChannelRequest(createRequestHeader, OpcuaConstants.PROTOCOLVERSION.shortValue(), securityTokenRequestType, this.configuration.getMessageSecurity().getMode(), new PascalByteString(localNonce.length, localNonce), this.configuration.getChannelLifetime());
        } else {
            openSecureChannelRequest = new OpenSecureChannelRequest(createRequestHeader, OpcuaConstants.PROTOCOLVERSION.shortValue(), securityTokenRequestType, MessageSecurityMode.messageSecurityModeNone, NULL_BYTE_STRING, this.configuration.getChannelLifetime());
        }
        ExtensionObject extensionObject = new ExtensionObject(new ExpandedNodeId(false, false, new NodeIdFourByte((short) 0, Integer.parseInt(openSecureChannelRequest.getIdentifier())), null, null), null, openSecureChannelRequest);
        return this.conversation.requestChannelOpen(callContext -> {
            LOGGER.debug("Submitting OpenSecureChannel with id of {}", Integer.valueOf(callContext.getRequestId()));
            return new OpcuaOpenRequest(ChunkType.FINAL, new OpenChannelMessageRequest(0, new PascalString(this.conversation.getSecurityPolicy().getSecurityPolicyUri()), this.localCertificateString, this.remoteCertificateThumbprint), new ExtensiblePayload(new SequenceHeader(callContext.getNextSequenceNumber(), callContext.getRequestId()), extensionObject));
        }).thenApply(opcuaOpenResponse -> {
            LOGGER.info("Received open channel response {}, parsing it", Integer.valueOf(opcuaOpenResponse.getMessage().getSequenceHeader().getRequestId()));
            return opcuaOpenResponse;
        }).thenApply((Function<? super U, ? extends U>) this::onOpenResponse).thenApply(openSecureChannelResponse -> {
            ChannelSecurityToken channelSecurityToken = (ChannelSecurityToken) openSecureChannelResponse.getSecurityToken();
            LOGGER.debug("Opened secure response id: {}, channel id:{}, token:{} lifetime:{}", new Object[]{openSecureChannelResponse.getIdentifier(), Long.valueOf(channelSecurityToken.getChannelId()), Long.valueOf(channelSecurityToken.getTokenId()), Long.valueOf(channelSecurityToken.getRevisedLifetime())});
            this.conversation.setSecurityHeader(new SecurityHeader(channelSecurityToken.getChannelId(), channelSecurityToken.getTokenId()));
            this.revisedLifetime = channelSecurityToken.getRevisedLifetime();
            return openSecureChannelResponse;
        });
    }

    public CompletableFuture<CreateSessionResponse> onConnectCreateSessionRequest(OpenSecureChannelResponse openSecureChannelResponse) {
        LOGGER.debug("Sending create session request to {}", this.driverContext.getEndpoint());
        RequestHeader createRequestHeader = this.conversation.createRequestHeader();
        ApplicationDescription applicationDescription = new ApplicationDescription((PascalString) this.driverContext.getApplicationUri().map(PascalString::new).orElse(APPLICATION_URI), PRODUCT_URI, new LocalizedText(true, true, new PascalString("en"), APPLICATION_TEXT), ApplicationType.applicationTypeClient, NULL_STRING, NULL_STRING, -1, new ArrayList(0));
        ChannelSecurityToken channelSecurityToken = (ChannelSecurityToken) openSecureChannelResponse.getSecurityToken();
        LOGGER.debug("Opened secure response id: {}, channel id:{}, token:{} lifetime:{}", new Object[]{openSecureChannelResponse.getIdentifier(), Long.valueOf(channelSecurityToken.getChannelId()), Long.valueOf(channelSecurityToken.getTokenId()), Long.valueOf(channelSecurityToken.getRevisedLifetime())});
        this.conversation.setRemoteNonce(openSecureChannelResponse.getServerNonce().getStringValue());
        byte[] createNonce = this.conversation.createNonce(32);
        return this.conversation.submit(new CreateSessionRequest(createRequestHeader, applicationDescription, NULL_STRING, this.endpoint, new PascalString(this.sessionName), this.conversation.getSecurityPolicy() == SecurityPolicy.NONE ? NULL_BYTE_STRING : createPascalString(createNonce), this.conversation.getSecurityPolicy() == SecurityPolicy.NONE ? NULL_BYTE_STRING : this.localCertificateString, this.sessionTimeout, 0L), CreateSessionResponse.class).thenApply(createSessionResponse -> {
            if (this.conversation.getSecurityPolicy() != SecurityPolicy.NONE) {
                SignatureData extractSignatureData = extractSignatureData(createSessionResponse.getServerSignature());
                if (extractSignatureData == null) {
                    throw new IllegalArgumentException("Returned signature data is not valid");
                }
                String stringValue = extractSignatureData.getAlgorithm().getStringValue();
                SecurityPolicy.SignatureAlgorithm asymmetricSignatureAlgorithm = this.conversation.getSecurityPolicy().getAsymmetricSignatureAlgorithm();
                if (!asymmetricSignatureAlgorithm.getUri().equals(stringValue)) {
                    throw new IllegalArgumentException("Invalid signature algorithm. Expected " + asymmetricSignatureAlgorithm.getUri());
                }
                try {
                    int stringLength = this.localCertificateString.getStringLength();
                    byte[] bArr = new byte[stringLength + 32];
                    System.arraycopy(this.localCertificateString.getStringValue(), 0, bArr, 0, stringLength);
                    System.arraycopy(createNonce, 0, bArr, stringLength, 32);
                    X509Certificate remoteCertificate = this.conversation.getRemoteCertificate();
                    this.driverContext.getCertificateVerifier().checkCertificateTrusted(remoteCertificate);
                    Signature signature = asymmetricSignatureAlgorithm.getSignature();
                    signature.initVerify(remoteCertificate.getPublicKey());
                    signature.update(bArr);
                    if (!signature.verify(extractSignatureData.getSignature().getStringValue())) {
                        throw new IllegalArgumentException("Could not verify server signature");
                    }
                } catch (GeneralSecurityException e) {
                    throw new RuntimeException(e);
                }
            }
            return createSessionResponse;
        }).thenApply(createSessionResponse2 -> {
            this.conversation.setAuthenticationToken(createSessionResponse2.getAuthenticationToken().getNodeId());
            this.sessionTimeout = createSessionResponse2.getRevisedSessionTimeout();
            return createSessionResponse2;
        });
    }

    private SignatureData extractSignatureData(ExtensionObjectDefinition extensionObjectDefinition) {
        if (extensionObjectDefinition instanceof SignatureData) {
            return (SignatureData) extensionObjectDefinition;
        }
        return null;
    }

    private CompletableFuture<ActivateSessionResponse> onConnectActivateSessionRequest(CreateSessionResponse createSessionResponse) {
        LOGGER.debug("Sending activate session request to {}", this.driverContext.getEndpoint());
        this.conversation.setRemoteCertificate(getX509Certificate(createSessionResponse.getServerCertificate().getStringValue()));
        this.conversation.setRemoteNonce(createSessionResponse.getServerNonce().getStringValue());
        String[] strArr = new String[3];
        try {
            InetAddress byName = InetAddress.getByName(this.driverContext.getHost());
            strArr[0] = "opc.tcp://" + byName.getHostAddress() + ":" + this.driverContext.getPort() + this.driverContext.getTransportEndpoint();
            strArr[1] = "opc.tcp://" + byName.getHostName() + ":" + this.driverContext.getPort() + this.driverContext.getTransportEndpoint();
            strArr[2] = "opc.tcp://" + byName.getCanonicalHostName() + ":" + this.driverContext.getPort() + this.driverContext.getTransportEndpoint();
        } catch (UnknownHostException e) {
            LOGGER.debug("error getting host", e);
        }
        selectEndpoint(createSessionResponse);
        if (this.policyId == null) {
            throw new PlcRuntimeException("Unable to find endpoint - " + strArr[1]);
        }
        ExtensionObject identityToken = getIdentityToken(this.tokenType, this.policyId.getStringValue());
        RequestHeader createRequestHeader = this.conversation.createRequestHeader();
        SignatureData signatureData = new SignatureData(NULL_STRING, NULL_BYTE_STRING);
        if (this.conversation.getSecurityPolicy() != SecurityPolicy.NONE) {
            try {
                signatureData = this.conversation.createClientSignature();
            } catch (GeneralSecurityException e2) {
                throw new PlcRuntimeException("Could not create client signature", e2);
            }
        }
        return this.conversation.submit(new ActivateSessionRequest(createRequestHeader, signatureData, 0, null, 0, null, identityToken, signatureData), ActivateSessionResponse.class).thenApply(activateSessionResponse -> {
            this.conversation.setRemoteNonce(activateSessionResponse.getServerNonce().getStringValue());
            return activateSessionResponse;
        });
    }

    public void onDisconnect() {
        LOGGER.info("Disconnecting");
        if (this.keepAlive != null) {
            this.keepAlive.cancel(true);
            this.keepAlive = null;
        }
        this.conversation.submit(new CloseSessionRequest(this.conversation.createRequestHeader(50000L), true), CloseSessionResponse.class).thenAccept(closeSessionResponse -> {
            LOGGER.trace("Got Close Session Response Connection Response" + closeSessionResponse);
            onDisconnectCloseSecureChannel();
        });
    }

    private void onDisconnectCloseSecureChannel() {
        CloseSecureChannelRequest closeSecureChannelRequest = new CloseSecureChannelRequest(this.conversation.createRequestHeader());
        ExpandedNodeId expandedNodeId = new ExpandedNodeId(false, false, new NodeIdFourByte((short) 0, Integer.parseInt(closeSecureChannelRequest.getIdentifier())), null, null);
        this.conversation.requestChannelClose(callContext -> {
            return new OpcuaCloseRequest(ChunkType.FINAL, callContext.getSecurityHeader(), new ExtensiblePayload(new SequenceHeader(callContext.getNextSequenceNumber(), callContext.getRequestId()), new ExtensionObject(expandedNodeId, null, closeSecureChannelRequest)));
        });
    }

    public CompletableFuture<EndpointDescription> onDiscover() {
        LOGGER.debug("Opcua Driver running in ACTIVE mode, discovering endpoints");
        return this.conversation.requestHello().thenCompose(opcuaAcknowledgeResponse -> {
            return onConnectOpenSecureChannel(SecurityTokenRequestType.securityTokenRequestTypeIssue);
        }).thenCompose((Function<? super U, ? extends CompletionStage<U>>) openSecureChannelResponse -> {
            return onDiscoverGetEndpointsRequest(openSecureChannelResponse);
        }).thenApply(endpointDescription -> {
            LOGGER.info("Finished discovery of communication endpoint");
            return endpointDescription;
        });
    }

    public CompletableFuture<EndpointDescription> onDiscoverGetEndpointsRequest(OpenSecureChannelResponse openSecureChannelResponse) {
        return this.conversation.submit(new GetEndpointsRequest(this.conversation.createRequestHeader(), this.endpoint, 0, null, 0, null), GetEndpointsResponse.class).thenApply(getEndpointsResponse -> {
            List<ExtensionObjectDefinition> endpoints = getEndpointsResponse.getEndpoints();
            MessageSecurityMode mode = this.configuration.getSecurityPolicy() == SecurityPolicy.NONE ? MessageSecurityMode.messageSecurityModeNone : this.configuration.getMessageSecurity().getMode();
            Iterator<ExtensionObjectDefinition> it = endpoints.iterator();
            while (it.hasNext()) {
                EndpointDescription endpointDescription = (EndpointDescription) it.next();
                boolean equals = endpointDescription.getEndpointUrl().getStringValue().equals(this.endpoint.getStringValue());
                boolean equals2 = endpointDescription.getSecurityPolicyUri().getStringValue().equals(this.configuration.getSecurityPolicy().getSecurityPolicyUri());
                boolean equals3 = endpointDescription.getSecurityMode().equals(mode);
                LOGGER.debug("Validate OPC UA endpoint {} during discovery phase.Expected {}. Endpoint policy {} looking for {}. Message security {}, looking for {}", new Object[]{endpointDescription.getEndpointUrl().getStringValue(), this.endpoint.getStringValue(), endpointDescription.getSecurityPolicyUri().getStringValue(), this.configuration.getSecurityPolicy().getSecurityPolicyUri(), endpointDescription.getSecurityMode(), this.configuration.getMessageSecurity().getMode()});
                if (equals && equals2 && equals3) {
                    LOGGER.info("Found OPC UA endpoint {}", this.endpoint.getStringValue());
                    return endpointDescription;
                }
            }
            throw new IllegalArgumentException("Could not find endpoint matching client configuration. Tested " + endpoints.size() + " endpoints. None matched " + this.endpoint.getStringValue() + " " + this.configuration.getSecurityPolicy().getSecurityPolicyUri() + " " + this.configuration.getMessageSecurity().getMode());
        });
    }

    private OpenSecureChannelResponse onOpenResponse(OpcuaOpenResponse opcuaOpenResponse) {
        try {
            opcuaOpenResponse.getClass();
            ExtensionObject staticParse = ExtensionObject.staticParse((ReadBuffer) toBuffer(opcuaOpenResponse::getMessage), (Boolean) false);
            if (staticParse.getBody() instanceof ServiceFault) {
                throw new PlcRuntimeException(Conversation.toProtocolException((ServiceFault) staticParse.getBody()));
            }
            LOGGER.debug("Received valid answer for open secure channel request, forwarding it to call initiator");
            return (OpenSecureChannelResponse) staticParse.getBody();
        } catch (ParseException e) {
            throw new IllegalArgumentException("Could not handle response", e);
        }
    }

    private void keepAlive() {
        long ceil = (long) Math.ceil(((float) this.revisedLifetime) * 0.75f);
        LOGGER.debug("Scheduling session keep alive to happen within {}s", Long.valueOf(TimeUnit.MILLISECONDS.toSeconds(ceil)));
        this.keepAlive = KEEP_ALIVE_EXECUTOR.schedule(() -> {
            RequestTransactionManager.RequestTransaction startRequest = this.tm.startRequest();
            startRequest.submit(() -> {
                onConnectOpenSecureChannel(SecurityTokenRequestType.securityTokenRequestTypeRenew).whenComplete((openSecureChannelResponse, th) -> {
                    if (th != null) {
                        startRequest.failRequest(th);
                    } else {
                        startRequest.endRequest();
                    }
                });
            });
        }, ceil, TimeUnit.MILLISECONDS);
    }

    private static ReadBufferByteBased toBuffer(Supplier<Payload> supplier) {
        Payload payload = supplier.get();
        if (payload instanceof BinaryPayload) {
            return new ReadBufferByteBased(((BinaryPayload) payload).getPayload(), ByteOrder.LITTLE_ENDIAN);
        }
        throw new IllegalArgumentException("Unexpected payload kind");
    }

    private void selectEndpoint(CreateSessionResponse createSessionResponse) throws PlcRuntimeException {
        createSessionResponse.getServerEndpoints().stream().map(extensionObjectDefinition -> {
            return (EndpointDescription) extensionObjectDefinition;
        }).filter(this::isEndpoint).forEach(endpointDescription -> {
            hasIdentity((UserTokenPolicy[]) endpointDescription.getUserIdentityTokens().stream().map(extensionObjectDefinition2 -> {
                return (UserTokenPolicy) extensionObjectDefinition2;
            }).toArray(i -> {
                return new UserTokenPolicy[i];
            }));
        });
        if (this.policyId == null) {
            throw new PlcRuntimeException("Unable to find endpoint - " + this.endpoints.get(0));
        }
        if (this.tokenType == null) {
            throw new PlcRuntimeException("Unable to find Security Policy for endpoint - " + this.endpoints.get(0));
        }
    }

    private boolean isEndpoint(EndpointDescription endpointDescription) throws PlcRuntimeException {
        String stringValue = endpointDescription.getEndpointUrl().getStringValue();
        Matcher matcher = URI_PATTERN.matcher(stringValue);
        if (!matcher.matches()) {
            throw new PlcRuntimeException("Endpoint " + stringValue + "  returned from the server doesn't match the format '{protocol-code}:({transport-code})?//{transport-host}(:{transport-port})(/{transport-endpoint})'");
        }
        LOGGER.trace("Using Endpoint {} {} {}", new Object[]{matcher.group("transportHost"), matcher.group("transportPort"), matcher.group("transportEndpoint")});
        if (this.configuration.isDiscovery() || !StringUtils.isBlank(this.driverContext.getTransportEndpoint())) {
            return (!this.configuration.isDiscovery() || this.endpoints.contains(matcher.group("transportHost"))) && this.driverContext.getPort().equals(matcher.group("transportPort")) && this.driverContext.getTransportEndpoint().equals(matcher.group("transportEndpoint"));
        }
        this.driverContext.setTransportEndpoint(matcher.group("transportEndpoint"));
        return true;
    }

    private void hasIdentity(UserTokenPolicy[] userTokenPolicyArr) {
        for (UserTokenPolicy userTokenPolicy : userTokenPolicyArr) {
            if (userTokenPolicy.getTokenType() == UserTokenType.userTokenTypeAnonymous && this.username == null) {
                this.policyId = userTokenPolicy.getPolicyId();
                this.tokenType = userTokenPolicy.getTokenType();
            } else if (userTokenPolicy.getTokenType() == UserTokenType.userTokenTypeUserName && this.username != null) {
                this.policyId = userTokenPolicy.getPolicyId();
                this.tokenType = userTokenPolicy.getTokenType();
            }
        }
    }

    private ExtensionObject getIdentityToken(UserTokenType userTokenType, String str) {
        switch ($SWITCH_TABLE$org$apache$plc4x$java$opcua$readwrite$UserTokenType()[userTokenType.ordinal()]) {
            case 1:
                return new ExtensionObject(new ExpandedNodeId(false, false, new NodeIdFourByte((short) 0, OpcuaNodeIdServicesObject.AnonymousIdentityToken_Encoding_DefaultBinary.getValue()), null, null), new ExtensionObjectEncodingMask(false, false, true), new UserIdentityToken(new PascalString(str), new AnonymousIdentityToken()));
            case 2:
                byte[] remoteNonce = this.conversation.getRemoteNonce();
                byte[] bytes = this.password == null ? new byte[0] : this.password.getBytes();
                ByteBuffer allocate = ByteBuffer.allocate(4 + bytes.length + remoteNonce.length);
                allocate.order(java.nio.ByteOrder.LITTLE_ENDIAN);
                allocate.putInt(bytes.length + remoteNonce.length);
                allocate.put(bytes);
                allocate.put(remoteNonce);
                byte[] bArr = new byte[4 + bytes.length + remoteNonce.length];
                allocate.position(0);
                allocate.get(bArr);
                byte[] encryptPassword = this.conversation.encryptPassword(bArr);
                return new ExtensionObject(new ExpandedNodeId(false, false, new NodeIdFourByte((short) 0, OpcuaNodeIdServicesObject.UserNameIdentityToken_Encoding_DefaultBinary.getValue()), null, null), new ExtensionObjectEncodingMask(false, false, true), new UserIdentityToken(new PascalString(str), new UserNameIdentityToken(new PascalString(this.username), new PascalByteString(encryptPassword.length, encryptPassword), new PascalString(PASSWORD_ENCRYPTION_ALGORITHM))));
            default:
                return null;
        }
    }

    public static X509Certificate getX509Certificate(byte[] bArr) {
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
        } catch (Exception e) {
            LOGGER.error("Unable to get certificate from String {}", bArr);
            return null;
        }
    }

    private static PascalByteString createPascalString(byte[] bArr) {
        return bArr == null ? NULL_BYTE_STRING : new PascalByteString(bArr.length, bArr);
    }

    static /* synthetic */ int[] $SWITCH_TABLE$org$apache$plc4x$java$opcua$readwrite$UserTokenType() {
        int[] iArr = $SWITCH_TABLE$org$apache$plc4x$java$opcua$readwrite$UserTokenType;
        if (iArr != null) {
            return iArr;
        }
        int[] iArr2 = new int[UserTokenType.valuesCustom().length];
        try {
            iArr2[UserTokenType.userTokenTypeAnonymous.ordinal()] = 1;
        } catch (NoSuchFieldError unused) {
        }
        try {
            iArr2[UserTokenType.userTokenTypeCertificate.ordinal()] = 3;
        } catch (NoSuchFieldError unused2) {
        }
        try {
            iArr2[UserTokenType.userTokenTypeIssuedToken.ordinal()] = 4;
        } catch (NoSuchFieldError unused3) {
        }
        try {
            iArr2[UserTokenType.userTokenTypeUserName.ordinal()] = 2;
        } catch (NoSuchFieldError unused4) {
        }
        $SWITCH_TABLE$org$apache$plc4x$java$opcua$readwrite$UserTokenType = iArr2;
        return iArr2;
    }
}
