package com.android.org.conscrypt;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/android/org/conscrypt/TrustManagerImpl.class */
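/**
 * {@link X509TrustManager} that validates peer certificate chains with the PKIX
 * {@link CertPathValidator}, optionally enforcing certificate pins per hostname.
 *
 * <p>This listing is decompiler output (JADX). Two artifacts that made it uncompilable or
 * non-terminating have been repaired: calls to a non-existent {@code iterator2()} method, and the
 * chain-ordering loop in {@link #cleanupCertChainAndFindTrustAnchors}, which had lost its exit
 * after a match.
 *
 * <p>Security-relevant behaviour visible in this class, for reviewers:
 * <ul>
 *   <li>Revocation checking is switched off ({@code setRevocationEnabled(false)}).</li>
 *   <li>Pinning is only evaluated when a hostname is supplied. The two-argument
 *       {@code checkClientTrusted}/{@code checkServerTrusted} methods of the
 *       {@link X509TrustManager} interface pass {@code null} and therefore skip the pin check.</li>
 *   <li>When the leaf itself is found as a trust anchor, the cleaned chain is empty and the
 *       method returns before PKIX validation, the extended-key-usage check and the chain
 *       strength check.</li>
 *   <li>Intermediates of a successfully validated chain are added to the in-memory certificate
 *       index and can complete later chains that omit them.</li>
 *   <li>A construction failure is stored and rethrown from every trust check, so the manager
 *       fails closed.</li>
 * </ul>
 */
public final class TrustManagerImpl implements X509TrustManager {
    // The key store passed to the constructor when its type is "AndroidCAStore"; null otherwise.
    private final KeyStore rootKeyStore;
    // Pin checker consulted by checkTrusted when a hostname is available.
    private CertPinManager pinManager;
    // Backing store used to look up anchors and issuers that are not yet indexed; may be null.
    private final TrustedCertificateStore trustedCertificateStore;
    private final CertPathValidator validator;
    // In-memory index of trust anchors and cached intermediates.
    private final TrustedCertificateIndex trustedCertificateIndex;
    // Snapshot of the key store's certificates; null when rootKeyStore is used instead.
    private final X509Certificate[] acceptedIssuers;
    // Exception raised during construction, rethrown by every trust check; null on success.
    private final Exception err;
    private final CertificateFactory factory;

    /**
     * Path checker that enforces the extended key usage (EKU) of the end-entity certificate.
     *
     * <p>A leaf without an EKU extension is accepted. A leaf with one must list
     * anyExtendedKeyUsage, or clientAuth when validating a client, or serverAuth / Netscape SGC /
     * Microsoft SGC when validating a server. Certificates other than the leaf are not examined.
     *
     * <p>The decompiler reports that the original access modifier of this class was
     * {@code private}.
     */
    public static class ExtendedKeyUsagePKIXCertPathChecker extends PKIXCertPathChecker {
        private static final String EKU_OID = "2.5.29.37";
        private static final String EKU_anyExtendedKeyUsage = "2.5.29.37.0";
        private static final String EKU_clientAuth = "1.3.6.1.5.5.7.3.2";
        private static final String EKU_serverAuth = "1.3.6.1.5.5.7.3.1";
        private static final String EKU_nsSGC = "2.16.840.1.113730.4.1";
        private static final String EKU_msSGC = "1.3.6.1.4.1.311.10.3.3";
        private static final Set<String> SUPPORTED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(EKU_OID)));

        private final boolean clientAuth;
        private final X509Certificate leaf;

        /**
         * @param clientAuth {@code true} to require a client-authentication usage, {@code false}
         *     to require a server-authentication usage
         * @param leaf the end-entity certificate whose EKU is to be checked
         */
        private ExtendedKeyUsagePKIXCertPathChecker(boolean clientAuth, X509Certificate leaf) {
            this.clientAuth = clientAuth;
            this.leaf = leaf;
        }

        /** No state to initialise. */
        @Override
        public void init(boolean forward) throws CertPathValidatorException {
        }

        /** @return always {@code true} */
        @Override
        public boolean isForwardCheckingSupported() {
            return true;
        }

        /** @return an unmodifiable set holding only the EKU extension OID */
        @Override
        public Set<String> getSupportedExtensions() {
            return SUPPORTED_EXTENSIONS;
        }

        /**
         * Checks the leaf's extended key usage and, on success, marks the EKU extension as
         * resolved by removing its OID from {@code unresolvedCritExts}.
         *
         * @param cert certificate currently being processed by the validator
         * @param unresolvedCritExts OIDs of critical extensions not yet handled
         * @throws CertPathValidatorException if the leaf's EKU cannot be parsed or lists no
         *     acceptable usage
         */
        @Override
        public void check(Certificate cert, Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            // Reference comparison: only the exact leaf instance given to the constructor is
            // examined. NOTE(review): this assumes the validator hands back the same object that
            // was placed in the CertPath - confirm for the provider in use.
            if (cert != leaf) {
                return;
            }

            final List<String> ekuOids;
            try {
                ekuOids = leaf.getExtendedKeyUsage();
            } catch (CertificateParsingException e) {
                throw new CertPathValidatorException(e);
            }
            if (ekuOids == null) {
                // No EKU extension present: the certificate is not restricted by usage.
                return;
            }

            boolean goodExtendedKeyUsage = false;
            for (String ekuOid : ekuOids) {
                if (ekuOid.equals(EKU_anyExtendedKeyUsage)) {
                    goodExtendedKeyUsage = true;
                    break;
                }
                if (clientAuth) {
                    if (ekuOid.equals(EKU_clientAuth)) {
                        goodExtendedKeyUsage = true;
                        break;
                    }
                    continue;
                }
                // Server side: serverAuth plus the two legacy "server gated crypto" usages.
                if (ekuOid.equals(EKU_serverAuth)
                        || ekuOid.equals(EKU_nsSGC)
                        || ekuOid.equals(EKU_msSGC)) {
                    goodExtendedKeyUsage = true;
                    break;
                }
            }
            if (!goodExtendedKeyUsage) {
                throw new CertPathValidatorException("End-entity certificate does not have a valid extendedKeyUsage.");
            }
            unresolvedCritExts.remove(EKU_OID);
        }
    }

    /**
     * Creates a trust manager with a default pin manager and certificate store.
     *
     * @param keyStore source of trusted certificates
     */
    public TrustManagerImpl(KeyStore keyStore) {
        this(keyStore, null);
    }

    /**
     * Creates a trust manager with the given pin manager and a default certificate store.
     *
     * @param keyStore source of trusted certificates
     * @param certPinManager pin manager to use, or {@code null} to create one
     */
    public TrustManagerImpl(KeyStore keyStore, CertPinManager certPinManager) {
        this(keyStore, certPinManager, null);
    }

    /**
     * Creates a trust manager.
     *
     * <p>For a key store of type "AndroidCAStore" the store is kept and anchors are looked up on
     * demand; for any other type the certificates are read once and indexed. Any exception raised
     * while setting this up is remembered and rethrown from every later trust check instead of
     * from the constructor.
     *
     * @param keyStore source of trusted certificates
     * @param certPinManager pin manager to use, or {@code null} to create one
     * @param trustedCertificateStore certificate store to use, or {@code null}
     * @throws SecurityException if a pin manager has to be created and cannot be initialised
     */
    public TrustManagerImpl(KeyStore keyStore, CertPinManager certPinManager, TrustedCertificateStore trustedCertificateStore) {
        CertPathValidator validatorLocal = null;
        CertificateFactory factoryLocal = null;
        KeyStore rootKeyStoreLocal = null;
        TrustedCertificateStore trustedCertificateStoreLocal = null;
        TrustedCertificateIndex trustedCertificateIndexLocal = null;
        X509Certificate[] acceptedIssuersLocal = null;
        Exception errLocal = null;
        try {
            validatorLocal = CertPathValidator.getInstance("PKIX");
            factoryLocal = CertificateFactory.getInstance("X509");
            if ("AndroidCAStore".equals(keyStore.getType())) {
                rootKeyStoreLocal = keyStore;
                trustedCertificateStoreLocal = trustedCertificateStore != null
                        ? trustedCertificateStore
                        : new TrustedCertificateStore();
                acceptedIssuersLocal = null;
                trustedCertificateIndexLocal = new TrustedCertificateIndex();
            } else {
                rootKeyStoreLocal = null;
                trustedCertificateStoreLocal = trustedCertificateStore;
                acceptedIssuersLocal = acceptedIssuers(keyStore);
                trustedCertificateIndexLocal =
                        new TrustedCertificateIndex(trustAnchors(acceptedIssuersLocal));
            }
        } catch (Exception e) {
            // Deliberately broad: the failure is stored and surfaces from checkTrusted, so a
            // half-initialised manager rejects every chain rather than accepting any.
            errLocal = e;
        }

        if (certPinManager != null) {
            this.pinManager = certPinManager;
        } else {
            try {
                this.pinManager = new CertPinManager(trustedCertificateStoreLocal);
            } catch (PinManagerException e) {
                throw new SecurityException("Could not initialize CertPinManager", e);
            }
        }

        this.rootKeyStore = rootKeyStoreLocal;
        this.trustedCertificateStore = trustedCertificateStoreLocal;
        this.validator = validatorLocal;
        this.factory = factoryLocal;
        this.trustedCertificateIndex = trustedCertificateIndexLocal;
        this.acceptedIssuers = acceptedIssuersLocal;
        this.err = errLocal;
    }

    /**
     * Reads every certificate entry of the key store.
     *
     * @param keyStore store to enumerate
     * @return the certificates found; an empty array if the store cannot be read
     * @throws ClassCastException if an entry holds a certificate that is not X.509
     */
    private static X509Certificate[] acceptedIssuers(KeyStore keyStore) {
        try {
            List<X509Certificate> trusted = new ArrayList<X509Certificate>();
            for (Enumeration<String> aliases = keyStore.aliases(); aliases.hasMoreElements();) {
                String alias = aliases.nextElement();
                X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
                if (cert != null) {
                    trusted.add(cert);
                }
            }
            return trusted.toArray(new X509Certificate[trusted.size()]);
        } catch (KeyStoreException e) {
            // An unreadable store yields no issuers, i.e. nothing is trusted. The cause is not
            // reported anywhere, which makes this state hard to diagnose.
            return new X509Certificate[0];
        }
    }

    /**
     * Wraps each certificate in a {@link TrustAnchor} without name constraints.
     *
     * @param certs certificates to wrap
     * @return one anchor per certificate
     */
    private static Set<TrustAnchor> trustAnchors(X509Certificate[] certs) {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(certs.length);
        for (X509Certificate cert : certs) {
            anchors.add(new TrustAnchor(cert, null));
        }
        return anchors;
    }

    /**
     * Validates a client certificate chain. No hostname is available here, so certificate
     * pinning is not evaluated.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, null, true);
    }

    /**
     * Validates a server certificate chain. No hostname is available here, so certificate
     * pinning is not evaluated; use one of the hostname-aware overloads to enforce pins.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, null, false);
    }

    /**
     * Validates a server certificate chain and checks it against the pins for {@code host}.
     *
     * @param chain certificates presented by the peer
     * @param authType key exchange algorithm name; must be non-empty
     * @param host hostname used for the pin lookup; {@code null} skips pinning
     * @return the chain from the leaf up to the trust anchor(s) that were found
     * @throws CertificateException if the chain is not trusted or not properly pinned
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host) throws CertificateException {
        return checkTrusted(chain, authType, host, false);
    }

    /**
     * @param cert certificate to look up
     * @return whatever the certificate store reports, or {@code false} when there is no store
     */
    public boolean isUserAddedCertificate(X509Certificate cert) {
        if (this.trustedCertificateStore == null) {
            return false;
        }
        return this.trustedCertificateStore.isUserAddedCertificate(cert);
    }

    /**
     * Validates a server certificate chain, taking the hostname for the pin check from
     * {@code session.getPeerHost()}.
     *
     * @param chain certificates presented by the peer
     * @param authType key exchange algorithm name; must be non-empty
     * @param session session whose peer host is used for the pin lookup; must not be null
     * @return the chain from the leaf up to the trust anchor(s) that were found
     * @throws CertificateException if the chain is not trusted or not properly pinned
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, SSLSession session) throws CertificateException {
        return checkTrusted(chain, authType, session.getPeerHost(), false);
    }

    /**
     * Resets the in-memory certificate index, dropping cached intermediates. When a fixed set of
     * accepted issuers exists, the index is re-seeded with it.
     */
    public void handleTrustStorageUpdate() {
        if (this.trustedCertificateIndex == null) {
            // Construction failed before the index was created; there is nothing to reset and
            // every trust check already fails with the stored exception.
            return;
        }
        if (this.acceptedIssuers == null) {
            this.trustedCertificateIndex.reset();
        } else {
            this.trustedCertificateIndex.reset(trustAnchors(this.acceptedIssuers));
        }
    }

    /**
     * Core trust decision shared by all public check methods.
     *
     * @param chain certificates presented by the peer
     * @param authType key exchange algorithm name; must be non-empty
     * @param host hostname for the pin check, or {@code null} to skip pinning
     * @param clientAuth {@code true} when validating a client certificate
     * @return the cleaned chain followed by the trust anchor and any further indexed issuers
     * @throws IllegalArgumentException if {@code chain} or {@code authType} is null or empty
     * @throws CertificateException if construction failed, the chain is not pinned as required,
     *     no trust anchor is found, or PKIX validation fails
     */
    private List<X509Certificate> checkTrusted(X509Certificate[] chain, String authType, String host, boolean clientAuth) throws CertificateException {
        if (chain == null || chain.length == 0 || authType == null || authType.length() == 0) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }
        if (this.err != null) {
            throw new CertificateException(this.err);
        }

        Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>();
        X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(chain, trustAnchors);

        // Whole chain = cleaned peer chain + the anchor that was found for it.
        List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
        wholeChain.addAll(Arrays.asList(newChain));
        for (TrustAnchor anchor : trustAnchors) {
            wholeChain.add(anchor.getTrustedCert());
        }

        // Extend the chain upwards from the index until no issuer is found or the issuer is the
        // certificate itself (self-signed).
        X509Certificate last = wholeChain.get(wholeChain.size() - 1);
        while (true) {
            TrustAnchor cachedTrust = this.trustedCertificateIndex.findByIssuerAndSignature(last);
            if (cachedTrust == null) {
                break;
            }
            X509Certificate next = cachedTrust.getTrustedCert();
            if (next == last) {
                break;
            }
            wholeChain.add(next);
            last = next;
        }

        // The CertPath covers only the peer-supplied part, without trust anchors.
        CertPath certPath = this.factory.generateCertPath(Arrays.asList(newChain));

        // Pinning is evaluated before path validation and only when a hostname is known.
        if (host != null) {
            boolean pinned;
            try {
                pinned = this.pinManager.isChainValid(host, wholeChain);
            } catch (PinManagerException e) {
                throw new CertificateException(e);
            }
            if (!pinned) {
                throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, certPath, -1));
            }
        }

        if (newChain.length == 0) {
            // The leaf itself is a trust anchor: PKIX validation, the EKU check and the chain
            // strength check below are all skipped.
            return wholeChain;
        }
        if (trustAnchors.isEmpty()) {
            throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, certPath, -1));
        }

        ChainStrengthAnalyzer.check(newChain);

        try {
            PKIXParameters params = new PKIXParameters(trustAnchors);
            // Revocation (CRL/OCSP) is not consulted by this validator run.
            params.setRevocationEnabled(false);
            params.addCertPathChecker(new ExtendedKeyUsagePKIXCertPathChecker(clientAuth, newChain[0]));
            this.validator.validate(certPath, params);
        } catch (InvalidAlgorithmParameterException e) {
            throw new CertificateException(e);
        } catch (CertPathValidatorException e) {
            throw new CertificateException(e);
        }

        // Only after successful validation: remember the intermediates (index 0 is the leaf) so
        // later chains that omit them can still be completed.
        for (int i = 1; i < newChain.length; i++) {
            this.trustedCertificateIndex.index(newChain[i]);
        }
        return wholeChain;
    }

    /**
     * Orders the peer chain leaf-first, cuts it at the first certificate that is itself a trust
     * anchor, and collects the trust anchor for what remains.
     *
     * <p>The caller's array is never modified; it is cloned before the first reordering.
     *
     * @param chain certificates as presented by the peer; must not be empty
     * @param trustAnchors receives at most one trust anchor
     * @return the ordered chain without the trust anchor and without unrelated certificates;
     *     empty when the leaf itself is a trust anchor
     */
    private X509Certificate[] cleanupCertChainAndFindTrustAnchors(X509Certificate[] chain, Set<TrustAnchor> trustAnchors) {
        final X509Certificate[] original = chain;

        // 1. Bring the issuer of chain[currIndex] to position currIndex + 1. Stop at the first
        //    certificate whose issuer is not in the chain; everything after it is unrelated.
        int currIndex;
        for (currIndex = 0; currIndex < chain.length; currIndex++) {
            boolean foundNext = false;
            for (int nextIndex = currIndex + 1; nextIndex < chain.length; nextIndex++) {
                if (!chain[currIndex].getIssuerDN().equals(chain[nextIndex].getSubjectDN())) {
                    continue;
                }
                foundNext = true;
                if (nextIndex != currIndex + 1) {
                    if (chain == original) {
                        // Copy on first write so the caller's array stays untouched.
                        chain = original.clone();
                    }
                    X509Certificate swapped = chain[nextIndex];
                    chain[nextIndex] = chain[currIndex + 1];
                    chain[currIndex + 1] = swapped;
                }
                // Stop scanning once the issuer is placed. The decompiled listing had no exit
                // here, so an already-ordered chain never left this loop.
                break;
            }
            if (!foundNext) {
                break;
            }
        }

        // 2. Find the first certificate in the ordered part that is itself a trust anchor.
        int anchorIndex;
        for (anchorIndex = 0; anchorIndex <= currIndex; anchorIndex++) {
            TrustAnchor anchor = findTrustAnchorBySubjectAndPublicKey(chain[anchorIndex]);
            if (anchor != null) {
                trustAnchors.add(anchor);
                break;
            }
        }

        // 3. Drop the anchor and everything after it.
        int chainLength = anchorIndex;
        X509Certificate[] newChain =
                chainLength == chain.length ? chain : Arrays.copyOf(chain, chainLength);

        // 4. No anchor inside the chain: look for one that issued the last remaining certificate.
        //    anchorIndex is at least 1 here because step 2 ran to completion.
        if (trustAnchors.isEmpty()) {
            TrustAnchor anchor = findTrustAnchorByIssuerAndSignature(newChain[anchorIndex - 1]);
            if (anchor != null) {
                trustAnchors.add(anchor);
            }
        }
        return newChain;
    }

    /**
     * Looks up a trust anchor for {@code cert} via the index's issuer-and-signature lookup,
     * falling back to the certificate store; a store hit is added to the index.
     *
     * @return the anchor, or {@code null} if none is known
     */
    private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate cert) {
        TrustAnchor indexed = this.trustedCertificateIndex.findByIssuerAndSignature(cert);
        if (indexed != null) {
            return indexed;
        }
        if (this.trustedCertificateStore == null) {
            return null;
        }
        X509Certificate issuer = this.trustedCertificateStore.findIssuer(cert);
        if (issuer == null) {
            return null;
        }
        return this.trustedCertificateIndex.index(issuer);
    }

    /**
     * Looks up {@code cert} itself as a trust anchor via the index's subject-and-public-key
     * lookup, falling back to the certificate store; a store hit is added to the index.
     *
     * @return the anchor, or {@code null} if the certificate is not a known anchor
     */
    private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate cert) {
        TrustAnchor indexed = this.trustedCertificateIndex.findBySubjectAndPublicKey(cert);
        if (indexed != null) {
            return indexed;
        }
        if (this.trustedCertificateStore == null) {
            return null;
        }
        X509Certificate systemCert = this.trustedCertificateStore.getTrustAnchor(cert);
        if (systemCert == null) {
            return null;
        }
        return this.trustedCertificateIndex.index(systemCert);
    }

    /**
     * @return a copy of the fixed issuer list when one exists, otherwise the certificates
     *     currently in the root key store; an empty array when neither is available
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        if (this.acceptedIssuers != null) {
            return this.acceptedIssuers.clone();
        }
        if (this.rootKeyStore == null) {
            // Construction failed before either source was set up; report no issuers instead of
            // dereferencing a null key store.
            return new X509Certificate[0];
        }
        return acceptedIssuers(this.rootKeyStore);
    }
}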
