package org.bouncycastle.jsse.provider;

import a.a.a.b.f;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCExtendedSSLSession;
import org.bouncycastle.jsse.BCSNIHostName;
import org.bouncycastle.jsse.BCX509ExtendedTrustManager;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.TlsUtils;

/* loaded from: classes5.dex */
/**
 * X.509 trust manager of the Bouncy Castle JSSE provider, as recovered by a decompiler
 * (member names are obfuscated and some constructs are decompiler artifacts).
 *
 * <p>Every public check funnels into {@link #i}, which (1) builds a PKIX certification path
 * from the peer's leaf certificate to one of the configured trust anchors, (2) runs the
 * {@code ProvAlgorithmChecker} checks on the resulting path and (3) performs endpoint
 * identification when transport data is available.
 *
 * <p>NOTE(review): several methods here throw checked exceptions without a {@code throws}
 * clause, and the anonymous selector in {@link #f} assigns from an undeclared {@code r2}.
 * Both look like decompiler output rather than original source; treat this listing as a
 * reading aid, not as compilable code.
 */
class ProvX509TrustManager extends BCX509ExtendedTrustManager {
    // Class logger; in this listing it only receives FINE-level messages about non-fatal failures.
    public static final Logger f = Logger.getLogger(ProvX509TrustManager.class.getName());

    /* renamed from: g, reason: collision with root package name */
    // Value of the "com.sun.net.ssl.checkRevocation" property, with false as the second
    // argument (presumably the default when the property is unset — confirm in PropertyUtils).
    // Only the Set<TrustAnchor> constructor uses it, as the revocation-enabled flag.
    public static final boolean f41568g = PropertyUtils.a("com.sun.net.ssl.checkRevocation", false);

    /* renamed from: h, reason: collision with root package name */
    // Value of the "org.bouncycastle.jsse.trustManager.checkEKU" property, with true as the
    // second argument (presumably the default). When false, i() passes a null KeyPurposeId
    // to the end-entity check.
    public static final boolean f41569h = PropertyUtils.a("org.bouncycastle.jsse.trustManager.checkEKU", true);
    // Unmodifiable lookup from a server authType string to the integer handed to the
    // end-entity check; populated once in the static initializer below.
    public static final Map<String, Integer> i;

    /* renamed from: a, reason: collision with root package name */
    // Passed through to the ProvAlgorithmChecker constructor in f().
    // NOTE(review): presumably the provider's FIPS-mode flag — confirm against un-obfuscated source.
    public final boolean f41570a;

    /* renamed from: b, reason: collision with root package name */
    // JCA/JCE helper used to pick the provider for CertStore/CertPathBuilder and for algorithm checks.
    public final JcaJceHelper f41571b;

    /* renamed from: c, reason: collision with root package name */
    // Certificates extracted from the trust anchors (anchors without a certificate are not included).
    public final HashSet f41572c;
    // Template PKIX parameters, cloned for each validation; null when no anchor carried a certificate.
    public final PKIXBuilderParameters d;
    // Result of X509TrustManagerUtil.a(this); not read anywhere in this listing.
    // NOTE(review): presumably an exported javax.net.ssl view of this manager — confirm.
    public final X509TrustManager e;

    // Registers the authType -> usage-code table. The first argument of e() is the stored
    // value, the remaining ones are codes converted to map keys by JsseUtils.g().
    // NOTE(review): the codes look like TLS KeyExchangeAlgorithm values and the stored
    // values like X.509 keyUsage bit positions (0 digitalSignature, 2 keyEncipherment,
    // 4 keyAgreement) — confirm against the un-obfuscated Bouncy Castle source.
    static {
        HashMap hashMap = new HashMap();
        e(hashMap, 0, 3, 5, 17, 19, 0);
        e(hashMap, 2, 1);
        e(hashMap, 4, 7, 9, 16, 18);
        i = Collections.unmodifiableMap(hashMap);
    }

    /**
     * Creates a trust manager from caller-supplied PKIX parameters.
     *
     * <p>Revocation, policy and cert-path-checker settings are taken from {@code pKIXParameters}
     * as given, so whether revocation is checked is the caller's decision here; the
     * {@code com.sun.net.ssl.checkRevocation} property is not consulted on this path.
     *
     * @param z flag forwarded to {@code ProvAlgorithmChecker}
     * @param jcaJceHelper JCA/JCE helper
     * @param pKIXParameters source of trust anchors and validation settings
     */
    public ProvX509TrustManager(boolean z, JcaJceHelper jcaJceHelper, PKIXParameters pKIXParameters) {
        this.f41570a = z;
        this.f41571b = jcaJceHelper;
        HashSet k2 = k(pKIXParameters.getTrustAnchors());
        this.f41572c = k2;
        if (k2.isEmpty()) {
            // No anchor carries a certificate: i() will reject every chain.
            this.d = null;
        } else if (pKIXParameters instanceof PKIXBuilderParameters) {
            // Stored by reference, not copied; f() clones it before each use, but later
            // changes the caller makes to this object would be picked up by that clone.
            this.d = (PKIXBuilderParameters) pKIXParameters;
        } else {
            // Plain PKIXParameters: rebuild as builder parameters and copy each setting across.
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), pKIXParameters.getTargetCertConstraints());
            this.d = pKIXBuilderParameters;
            pKIXBuilderParameters.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
            pKIXBuilderParameters.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
            pKIXBuilderParameters.setCertStores(pKIXParameters.getCertStores());
            pKIXBuilderParameters.setDate(pKIXParameters.getDate());
            pKIXBuilderParameters.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
            pKIXBuilderParameters.setInitialPolicies(pKIXParameters.getInitialPolicies());
            pKIXBuilderParameters.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
            pKIXBuilderParameters.setPolicyQualifiersRejected(pKIXParameters.getPolicyQualifiersRejected());
            pKIXBuilderParameters.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
            pKIXBuilderParameters.setSigProvider(pKIXParameters.getSigProvider());
        }
        this.e = X509TrustManagerUtil.a(this);
    }

    /**
     * Creates a trust manager from a bare set of trust anchors.
     *
     * <p>Revocation checking on this path follows {@link #f41568g}, i.e. the
     * {@code com.sun.net.ssl.checkRevocation} property, which is read with {@code false}
     * as its fallback argument.
     *
     * @param z flag forwarded to {@code ProvAlgorithmChecker}
     * @param jcaJceHelper JCA/JCE helper
     * @param set trust anchors
     */
    public ProvX509TrustManager(boolean z, JcaJceHelper jcaJceHelper, Set<TrustAnchor> set) {
        this.f41570a = z;
        this.f41571b = jcaJceHelper;
        HashSet k2 = k(set);
        this.f41572c = k2;
        if (k2.isEmpty()) {
            // No anchor carries a certificate: i() will reject every chain.
            this.d = null;
        } else {
            // The builder parameters get the full anchor set, including anchors that k() skipped.
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(set, (CertSelector) null);
            this.d = pKIXBuilderParameters;
            pKIXBuilderParameters.setRevocationEnabled(f41568g);
        }
        this.e = X509TrustManagerUtil.a(this);
    }

    /**
     * Adds one table entry per code in {@code iArr}, all mapped to {@code i2}.
     *
     * @param hashMap table being filled
     * @param i2 value to store
     * @param iArr codes, each converted to a key by {@code JsseUtils.g}
     * @throws IllegalStateException if a key is already present
     */
    public static void e(HashMap hashMap, int i2, int... iArr) {
        for (int i3 : iArr) {
            if (hashMap.put(JsseUtils.g(i3), Integer.valueOf(i2)) != null) {
                throw new IllegalStateException("Duplicate keys in server key usages");
            }
        }
    }

    /**
     * Checks that {@code x509Certificate} is valid for host {@code str} under the endpoint
     * identification algorithm {@code str2}.
     *
     * @param str host to match; a surrounding {@code [..]} pair is stripped first
     * @param x509Certificate certificate presented by the peer
     * @param str2 endpoint identification algorithm: HTTPS, LDAP or LDAPS (case-insensitive)
     * @throws CertificateException if the algorithm is not one of the three above;
     *         presumably also from {@code HostnameUtil.a} on a mismatch — confirm
     */
    public static void g(String str, X509Certificate x509Certificate, String str2) {
        int length;
        // Read but never used in this listing.
        boolean z = JsseUtils.f41429a;
        boolean z2 = false;
        // Unwrap a bracketed host such as an IPv6 literal before matching.
        if (str != null && (length = str.length() - 1) > 0 && str.charAt(0) == '[' && str.charAt(length) == ']') {
            str = str.substring(1, length);
        }
        if (str2.equalsIgnoreCase("HTTPS")) {
            z2 = true;
        } else if (!str2.equalsIgnoreCase("LDAP") && !str2.equalsIgnoreCase("LDAPS")) {
            // Unknown algorithms are rejected rather than treated as "no check".
            throw new CertificateException("Unknown endpoint ID algorithm: ".concat(str2));
        }
        // The flag is true only for HTTPS.
        // NOTE(review): presumably selects the wildcard-matching rules — confirm in HostnameUtil.
        HostnameUtil.a(str, x509Certificate, z2);
    }

    /**
     * Performs endpoint identification for the leaf certificate of a validated chain.
     *
     * <p>Nothing is checked when {@code transportData} is null or when {@code JsseUtils.u}
     * returns false for the value read from it, so callers that need host name verification
     * must supply transport data carrying an endpoint identification algorithm.
     * NOTE(review): {@code transportData.f41608a.f} is presumably the configured endpoint
     * identification algorithm and {@code JsseUtils.u} a "non-empty" test — confirm.
     *
     * @param x509CertificateArr validated chain; element 0 is the certificate that is matched
     * @param transportData connection context, may be null
     * @param z true when a server chain is being checked (enables the SNI attempt)
     * @throws CertificateException if there is no handshake session, or from {@link #g}
     */
    public static void h(X509Certificate[] x509CertificateArr, TransportData transportData, boolean z) {
        BCSNIHostName p2;
        if (transportData != null) {
            String str = transportData.f41608a.f;
            if (JsseUtils.u(str)) {
                BCExtendedSSLSession bCExtendedSSLSession = transportData.f41609b;
                if (bCExtendedSSLSession == null) {
                    throw new CertificateException("No handshake session");
                }
                X509Certificate x509Certificate = x509CertificateArr[0];
                String peerHost = bCExtendedSSLSession.getPeerHost();
                // For server chains, try the SNI host name first when it differs from the
                // peer host; a match there is sufficient and ends the check.
                if (z && (p2 = JsseUtils.p(bCExtendedSSLSession.g())) != null) {
                    String str2 = p2.f41354c;
                    if (!str2.equalsIgnoreCase(peerHost)) {
                        try {
                            g(str2, x509Certificate, str);
                            return;
                        } catch (CertificateException e) {
                            // Not fatal: recorded at FINE only, then the peer host is tried below.
                            f.log(Level.FINE, "Server's endpoint ID did not match the SNI host_name: ".concat(str2), (Throwable) e);
                        }
                    }
                }
                g(peerHost, x509Certificate, str);
            }
        }
    }

    /**
     * Looks up the usage code for {@code str} in table {@link #i}.
     *
     * @param str authType supplied to the trust manager
     * @param z true when a server chain is being checked
     * @return 0 when {@code z} is false, otherwise the table value for {@code str}
     * @throws CertificateException if {@code z} is true and {@code str} is not in the table
     */
    public static int j(String str, boolean z) {
        if (!z) {
            return 0;
        }
        Integer num = i.get(str);
        if (num != null) {
            return num.intValue();
        }
        // NOTE(review): "f" here presumably refers to the imported a.a.a.b.f helper (string
        // concatenation), not the Logger field of the same name — decompiler naming clash.
        throw new CertificateException(f.n("Unsupported server authType: ", str));
    }

    /**
     * Collects the certificates carried by a set of trust anchors.
     *
     * <p>Null entries and anchors whose {@code getTrustedCert()} is null are skipped, so
     * such anchors never appear in {@link #getAcceptedIssuers()} or in the direct-trust
     * shortcut of {@link #f}.
     *
     * @param set trust anchors
     * @return a new set holding each anchor's certificate
     */
    public static HashSet k(Set set) {
        X509Certificate trustedCert;
        HashSet hashSet = new HashSet(set.size());
        Iterator it = set.iterator();
        while (it.hasNext()) {
            TrustAnchor trustAnchor = (TrustAnchor) it.next();
            if (trustAnchor != null && (trustedCert = trustAnchor.getTrustedCert()) != null) {
                hashSet.add(trustedCert);
            }
        }
        return hashSet;
    }

    /** Checks a client chain (final argument false) using context taken from a socket. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void a(X509Certificate[] x509CertificateArr, String str, Socket socket) {
        i(x509CertificateArr, str, TransportData.a(socket), false);
    }

    /** Checks a client chain (final argument false) using context taken from an SSLEngine. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void b(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) {
        i(x509CertificateArr, str, TransportData.b(sSLEngine), false);
    }

    /** Checks a server chain (final argument true) using context taken from a socket. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void c(X509Certificate[] x509CertificateArr, String str, Socket socket) {
        i(x509CertificateArr, str, TransportData.a(socket), true);
    }

    /**
     * Checks a client chain without any connection context.
     *
     * <p>Transport data is null on this path, so {@link #h} performs no endpoint
     * identification, no session status responses are used, and the algorithm constraints
     * come from {@code TransportData.c(null, false)}.
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
        i(x509CertificateArr, str, null, false);
    }

    /**
     * Checks a server chain without any connection context.
     *
     * <p>Transport data is null on this path, so {@link #h} performs no host name
     * verification; callers using this two-argument form have to verify the host name
     * themselves.
     */
    @Override // javax.net.ssl.X509TrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
        i(x509CertificateArr, str, null, true);
    }

    /** Checks a server chain (final argument true) using context taken from an SSLEngine. */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public final void d(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) {
        i(x509CertificateArr, str, TransportData.b(sSLEngine), true);
    }

    /**
     * Builds a certification path from the leaf certificate to a trust anchor.
     *
     * @param x509CertificateArr chain presented by the peer; element 0 is the leaf
     * @param bCAlgorithmConstraints constraints handed to the ProvAlgorithmChecker
     * @param list per-certificate status responses, index-aligned with the chain; may be empty
     * @return the built path followed by the trust anchor's certificate, or just the leaf
     *         when the leaf itself is one of the trusted certificates
     * @throws CertificateException if the selected trust anchor has no certificate
     */
    public final X509Certificate[] f(X509Certificate[] x509CertificateArr, BCAlgorithmConstraints bCAlgorithmConstraints, List<byte[]> list) {
        CertStore certStore;
        CertPathBuilder certPathBuilder;
        X509Certificate x509Certificate = x509CertificateArr[0];
        HashSet hashSet = this.f41572c;
        // Direct trust: a leaf that is itself a trusted certificate is returned at once.
        // No CertPathBuilder runs on this path, so none of the builder's checks are applied
        // here; the checks made afterwards in i() still run on the returned array.
        if (hashSet.contains(x509Certificate)) {
            return new X509Certificate[]{x509Certificate};
        }
        JcaJceHelper jcaJceHelper = this.f41571b;
        Provider provider = jcaJceHelper.f("X.509").getProvider();
        // Candidate certificates for the builder: the leaf plus every other supplied
        // certificate that is not already a trusted certificate.
        ArrayList arrayList = new ArrayList(x509CertificateArr.length);
        arrayList.add(x509Certificate);
        for (int i2 = 1; i2 < x509CertificateArr.length; i2++) {
            if (!hashSet.contains(x509CertificateArr[i2])) {
                arrayList.add(x509CertificateArr[i2]);
            }
        }
        CollectionCertStoreParameters collectionCertStoreParameters = new CollectionCertStoreParameters(Collections.unmodifiableCollection(arrayList));
        // Prefer the helper's provider; fall back to the default provider lookup.
        try {
            certStore = CertStore.getInstance("Collection", collectionCertStoreParameters, provider);
        } catch (GeneralSecurityException unused) {
            certStore = CertStore.getInstance("Collection", collectionCertStoreParameters);
        }
        try {
            certPathBuilder = CertPathBuilder.getInstance("PKIX", provider);
        } catch (NoSuchAlgorithmException unused2) {
            certPathBuilder = CertPathBuilder.getInstance("PKIX");
        }
        // Work on a clone so per-call additions never accumulate on the shared template.
        PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.d.clone();
        pKIXBuilderParameters.addCertPathChecker(new ProvAlgorithmChecker(this.f41570a, jcaJceHelper, bCAlgorithmConstraints));
        pKIXBuilderParameters.addCertStore(certStore);
        // Pin the path target to exactly the presented leaf while still honouring any target
        // constraints that were configured on the template parameters.
        pKIXBuilderParameters.setTargetCertConstraints(new X509CertSelector(x509Certificate, pKIXBuilderParameters.getTargetCertConstraints()) { // from class: org.bouncycastle.jsse.provider.ProvX509TrustManager.1

            /* renamed from: a, reason: collision with root package name */
            // The previously configured target constraints, or null when there were none.
            public final /* synthetic */ CertSelector f41573a;

            // NOTE(review): "r2" is a decompiler placeholder, presumably for the second
            // captured argument (the original target constraints).
            {
                this.f41573a = r2;
                setCertificate(x509Certificate);
            }

            // Matches only the pinned leaf, and only if the original constraints (when present) also accept it.
            @Override // java.security.cert.X509CertSelector, java.security.cert.CertSelector
            public final boolean match(Certificate certificate) {
                CertSelector certSelector;
                return super.match(certificate) && ((certSelector = this.f41573a) == null || certSelector.match(certificate));
            }
        });
        if (!list.isEmpty()) {
            // Pair each chain position with its non-empty status response; if a certificate
            // occurs more than once, the first response is kept.
            HashMap hashMap = new HashMap();
            int min = Math.min(x509CertificateArr.length, list.size());
            for (int i3 = 0; i3 < min; i3++) {
                byte[] bArr = list.get(i3);
                if (bArr != null && bArr.length > 0) {
                    X509Certificate x509Certificate2 = x509CertificateArr[i3];
                    if (!hashMap.containsKey(x509Certificate2)) {
                        hashMap.put(x509Certificate2, bArr);
                    }
                }
            }
            if (!hashMap.isEmpty()) {
                try {
                    PKIXUtil.a(certPathBuilder, pKIXBuilderParameters, hashMap);
                } catch (RuntimeException e) {
                    // Best effort: a failure here is only logged at FINE and the path is
                    // built without the supplied responses. Whether revocation is then
                    // enforced depends entirely on the PKIX parameters in use.
                    f.log(Level.FINE, "Failed to add status responses for revocation checking", (Throwable) e);
                }
            }
        }
        PKIXCertPathBuilderResult pKIXCertPathBuilderResult = (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
        CertPath certPath = pKIXCertPathBuilderResult.getCertPath();
        TrustAnchor trustAnchor = pKIXCertPathBuilderResult.getTrustAnchor();
        List<? extends Certificate> certificates = certPath.getCertificates();
        // One extra slot at the end for the trust anchor's certificate.
        int size = certificates.size() + 1;
        X509Certificate[] x509CertificateArr2 = new X509Certificate[size];
        certificates.toArray(x509CertificateArr2);
        int i4 = size - 1;
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        // An anchor given without a certificate can complete a path but cannot be returned.
        if (trustedCert == null) {
            throw new CertificateException("No certificate for TrustAnchor");
        }
        x509CertificateArr2[i4] = trustedCert;
        return x509CertificateArr2;
    }

    /** Returns a newly allocated array of the certificates taken from the trust anchors. */
    @Override // javax.net.ssl.X509TrustManager
    public final X509Certificate[] getAcceptedIssuers() {
        HashSet hashSet = this.f41572c;
        return (X509Certificate[]) hashSet.toArray(new X509Certificate[hashSet.size()]);
    }

    /**
     * Common validation routine behind every public check method.
     *
     * <p>Order of work: argument checks, path building via {@link #f}, the two
     * {@code ProvAlgorithmChecker} calls, then endpoint identification via {@link #h}.
     *
     * @param x509CertificateArr chain presented by the peer
     * @param str authType
     * @param transportData connection context, or null for the two-argument check methods
     * @param z true for a server chain, false for a client chain
     * @throws IllegalArgumentException if the chain or authType is rejected by the TlsUtils
     *         tests (the messages indicate a null/empty chain or authType)
     * @throws CertificateException if no builder parameters are available, or wrapping any
     *         GeneralSecurityException raised during validation
     */
    public final void i(X509Certificate[] x509CertificateArr, String str, TransportData transportData, boolean z) {
        List<byte[]> emptyList;
        if (TlsUtils.U(x509CertificateArr)) {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }
        if (TlsUtils.R(str)) {
            throw new IllegalArgumentException("'authType' must be a non-null, non-empty string");
        }
        // Fail closed when no trust anchor with a certificate was configured.
        if (this.d == null) {
            throw new CertificateException("Unable to build a CertPath: no PKIXBuilderParameters available");
        }
        try {
            BCAlgorithmConstraints c2 = TransportData.c(transportData, false);
            // Status responses exist only when there is a handshake session.
            // NOTE(review): h() presumably returns the peer's stapled status responses — confirm.
            if (transportData == null) {
                emptyList = Collections.emptyList();
            } else {
                BCExtendedSSLSession bCExtendedSSLSession = transportData.f41609b;
                emptyList = bCExtendedSSLSession == null ? Collections.emptyList() : bCExtendedSSLSession.h();
            }
            X509Certificate[] f2 = f(x509CertificateArr, c2, emptyList);
            // Null when the EKU check is switched off by property; otherwise one constant
            // for server chains and another for client chains.
            // NOTE(review): presumably id-kp-serverAuth and id-kp-clientAuth — confirm in KeyPurposeId.
            KeyPurposeId keyPurposeId = !f41569h ? null : z ? KeyPurposeId.f39657s : KeyPurposeId.x;
            int j = j(str, z);
            JcaJceHelper jcaJceHelper = this.f41571b;
            // Unused local; likely left behind by the decompiler.
            Map<String, String> map = ProvAlgorithmChecker.f41458y;
            X509Certificate x509Certificate = f2[f2.length - 1];
            // Called with the last path element and the certificate just before it;
            // skipped when the array holds a single directly trusted certificate.
            // NOTE(review): presumably the algorithm-constraint check at the trust anchor — confirm.
            if (f2.length > 1) {
                ProvAlgorithmChecker.c(jcaJceHelper, c2, f2[f2.length - 2], x509Certificate);
            }
            // End-entity check on the leaf with the selected key purpose and usage code.
            ProvAlgorithmChecker.b(c2, f2[0], keyPurposeId, j);
            h(f2, transportData, z);
        } catch (GeneralSecurityException e) {
            // CertificateException is a GeneralSecurityException, so failures raised by j()
            // and h() are also re-wrapped under this message; inspect the cause to tell an
            // endpoint-identification failure from a path-building failure.
            throw new CertificateException("Unable to construct a valid chain", e);
        }
    }
}
