package android.sec.enterprise.certificate;

import android.os.UserHandle;
import android.sec.enterprise.EnterpriseDeviceManager;
import android.util.Log;
import java.io.ByteArrayOutputStream;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;

/* loaded from: classes5.dex */
public class DelegatingCertPathValidatorHelper {
    public static final int ALERT = 1;
    public static final int AUDIT_LOG_GROUP_APPLICATION = 5;
    public static final int AUDIT_LOG_GROUP_EVENTS = 4;
    public static final int AUDIT_LOG_GROUP_NETWORK = 3;
    public static final int AUDIT_LOG_GROUP_SECURITY = 1;
    public static final int AUDIT_LOG_GROUP_SYSTEM = 2;
    public static final int CRITICAL = 2;
    public static final int ERROR = 3;
    public static final int NOTICE = 5;
    private static final String PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----\n";
    private static final String PEM_CERT_END = "\n-----END CERTIFICATE-----\n";
    public static final int WARNING = 4;
    private static String TAG = "DelegatingCertPathValidatorHelper";
    private static boolean DEBUG = false;

    public static boolean isChainTrustedByMdm(List<X509Certificate> list) {
        boolean z7 = true;
        try {
            CertificatePolicy certificatePolicy = EnterpriseDeviceManager.getInstance().getCertificatePolicy();
            int myUserId = UserHandle.myUserId();
            if (certificatePolicy != null ? certificatePolicy.isCertificateTrustedUntrustedEnabledAsUser(myUserId) : false) {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                for (X509Certificate x509Certificate : list) {
                    byteArrayOutputStream.write(PEM_CERT_BEGIN.getBytes());
                    byteArrayOutputStream.write(java.util.Base64.getEncoder().encode(x509Certificate.getEncoded()));
                    byteArrayOutputStream.write(PEM_CERT_END.getBytes());
                }
                z7 = certificatePolicy.isCaCertificateTrustedAsUser(byteArrayOutputStream.toByteArray(), false, false, myUserId);
            }
        } catch (Exception e10) {
            Log.e(TAG, "Failed to call isCaCertificateTrustedAsUser() " + e10.getMessage());
        }
        if (DEBUG) {
            Log.d(TAG, "isChainTrustedByMdm: " + z7);
        }
        return z7;
    }

    public static boolean isOcspCheckEnabled() {
        CertificatePolicy certificatePolicy = EnterpriseDeviceManager.getInstance().getCertificatePolicy();
        if (certificatePolicy != null) {
            return certificatePolicy.isOcspCheckEnabled();
        }
        return false;
    }

    public static boolean isRevocationCheckEnabled() {
        CertificatePolicy certificatePolicy = EnterpriseDeviceManager.getInstance().getCertificatePolicy();
        boolean isRevocationCheckEnabled = certificatePolicy != null ? certificatePolicy.isRevocationCheckEnabled() : false;
        if (DEBUG) {
            Log.d(TAG, "isRevocationCheckEnabled " + isRevocationCheckEnabled);
        }
        return isRevocationCheckEnabled;
    }

    public static void setRevocationChecker(PKIXRevocationChecker pKIXRevocationChecker, PKIXParameters pKIXParameters) {
        if (DEBUG) {
            Log.d(TAG, "setRevocationChecker");
        }
        if (isRevocationCheckEnabled()) {
            ArrayList arrayList = new ArrayList();
            for (PKIXCertPathChecker pKIXCertPathChecker : pKIXParameters.getCertPathCheckers()) {
                if (!(pKIXCertPathChecker instanceof PKIXRevocationChecker)) {
                    arrayList.add(pKIXCertPathChecker);
                }
            }
            pKIXParameters.setCertPathCheckers(arrayList);
            if (!isOcspCheckEnabled()) {
                HashSet hashSet = new HashSet();
                hashSet.add(PKIXRevocationChecker.Option.NO_FALLBACK);
                hashSet.add(PKIXRevocationChecker.Option.PREFER_CRLS);
                pKIXRevocationChecker.setOptions(hashSet);
            }
            pKIXParameters.addCertPathChecker(pKIXRevocationChecker);
        }
    }
}
