package com.facebook.mobilenetwork.internal.certificateverifier;

import X.AbstractC105355e7;
import X.AbstractC15990qQ;
import X.AnonymousClass000;
import X.AnonymousClass001;
import X.D76;
import X.EAV;
import X.HPV;
import X.InterfaceC29432EpK;
import X.InterfaceC29464Ept;
import androidx.credentials.playservices.controllers.CreatePublicKeyCredential.PublicKeyCredentialControllerUtility;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import org.json.JSONArray;
import org.json.JSONObject;

/* loaded from: classes6.dex */
/**
 * Certificate-chain verifier recovered by JADX from an obfuscated build.
 *
 * <p>What the visible code does: parses encoded X.509 certificates, rejects a leaf whose serial
 * number is in a locally held revocation set, hands the chain to the first trust manager exposed
 * by a {@code D76} factory, and finally checks the hostname against the leaf. It also loads a
 * JSON revocation list whose signature is checked against an RSA public key embedded in this
 * class.
 *
 * <p>NOTE(review): this is decompiler output, not original source. Several statements do not
 * compile as printed ({@code new Object()} assigned to an {@code HPV} field, checked exceptions
 * thrown without {@code throws} clauses), and the helpers in package {@code X} are opaque here.
 * Treat control flow that looks wrong as possibly a decompilation artifact before treating it
 * as a product defect.
 */
public class CertificateVerifier {
    // Key algorithm name handed to KeyFactory when the embedded CRL key is decoded.
    public static final String CRL_KEY_ALGORITHM = "RSA";
    // Embedded CRL-signing public key, decoded via X509EncodedKeySpec (SubjectPublicKeyInfo DER).
    // The header carries the rsaEncryption OID, the modulus INTEGER is 257 bytes including the
    // leading zero (2048-bit), and the trailing 2, 3, 1, 0, 1 is public exponent 65537.
    // NOTE(review): the array is public, static and mutable, and getCrlPublicKeyBytes() returns
    // this same reference. `final` protects the reference, not the contents, so any code in the
    // process can change the key that CRL signatures are verified against. A private array plus
    // a defensive copy on read is the usual hardening.
    public static final byte[] CRL_PUBLIC_KEY_BYTES = {48, -126, 1, 34, 48, 13, 6, 9, 42, -122, 72, -122, -9, 13, 1, 1, 1, 5, 0, 3, -126, 1, 15, 0, 48, -126, 1, 10, 2, -126, 1, 1, 0, -69, 110, 57, -95, 80, -27, 35, 65, -65, -55, 5, 75, -31, 6, 19, 113, -119, -19, -80, 120, 45, 54, 79, -46, -86, -93, 50, 63, 47, 53, 105, -28, 35, -69, -120, 103, -72, -17, -9, -106, 2, 117, 126, -15, -115, 86, 3, -109, -11, -4, 76, -104, -92, -31, -7, 44, 49, 101, -79, -13, 64, -22, -59, -90, 20, 20, -90, -126, 38, 12, 53, -108, -113, 39, -80, Byte.MAX_VALUE, 125, 42, 70, -70, -108, -90, 121, 3, 78, -103, -82, 75, 6, 111, -106, 124, 68, -23, -69, 62, -114, 14, 100, -95, 84, 36, -109, -68, 43, 105, -95, 44, -126, 60, -76, 26, -50, 39, 54, 70, 27, -109, 89, 111, 126, 111, 94, -68, 126, -61, 101, -27, 105, 85, 46, -2, -59, 55, 64, 70, 5, 22, -54, 114, -110, -97, 87, 83, 5, -103, -60, -84, 77, 113, 120, 25, -88, -88, 102, -110, -69, -66, -89, 125, -40, -125, -122, 8, 84, -80, -65, 64, -98, 31, -48, 27, -8, 28, -42, -62, 122, 45, 111, -69, 47, -56, -12, -20, 19, -13, Byte.MAX_VALUE, -104, 85, 71, -14, 28, -63, 31, 86, -70, -99, -116, 74, Byte.MAX_VALUE, 72, -65, 66, -3, -19, -20, 99, -60, 111, -56, 24, 76, 87, -25, -81, 100, 8, 16, 41, -20, -19, -91, -1, 72, -96, -99, -58, -92, -64, -56, 87, 116, -20, -104, 96, 9, 88, -34, -113, 5, -75, -52, 1, 13, 3, 100, -120, -81, -36, 95, -93, -55, -100, 110, -110, -67, 2, 3, 1, 0, 1};
    // JCA signature algorithm used for the CRL check in verifyCrlSignature.
    public static final String CRL_SIGNATURE_ALGORITHM = "SHA256withRSA";
    // Upper bound on hex digits in a revoked serial; setCertificateRevocationList compares against
    // the literal 40. 40 hex digits is 20 octets - presumably RFC 5280's serial-number limit.
    public static final int MAX_CERTIFICATE_SERIAL_LENGTH = 40;
    // Scheme codes accepted by verifyWithProofOfPossession. The values equal the TLS
    // SignatureScheme code points 0x0403, 0x0503, 0x0603 and 0x0804.
    public static final int SIGNATURE_ECDSA_SECP256R1_SHA256 = 1027;
    public static final int SIGNATURE_ECDSA_SECP384R1_SHA384 = 1283;
    public static final int SIGNATURE_ECDSA_SECP521R1_SHA512 = 1539;
    public static final int SIGNATURE_RSA_PSS_RSAE_SHA256 = 2052;
    // Source of the trust manager used for chain validation; verify() reads A00[0] from it.
    public final D76 mFbPinningSSLContextFactory;
    // Serial numbers (BigInteger) of revoked certificates, filled by setCertificateRevocationList.
    // NOTE(review): raw-typed, public and non-final, so callers can replace or empty it, and no
    // synchronization is visible in this class. A0y() is opaque - presumably creates an empty set.
    public Set revokedCertificateSerials = AbstractC15990qQ.A0y();
    // NOTE(review): `new Object()` is a JADX type-inference artifact (see the warning below); the
    // real initializer is presumably an HPV instance. verify() calls A01(hostname, leaf) on it.
    public final HPV mFbHostnameVerifier = new Object();

    /**
     * Builds the verifier around a new {@code D76} factory.
     *
     * @param j passed straight to the {@code D76} constructor; meaning not visible here
     * @param z passed straight to the {@code D76} constructor; meaning not visible here
     */
    /* JADX WARN: Type inference failed for: r0v2, types: [X.HPV, java.lang.Object] */
    public CertificateVerifier(long j, boolean z) {
        this.mFbPinningSSLContextFactory = new D76(j, z);
    }

    /**
     * Decodes each encoded certificate with the "X509" {@link CertificateFactory}, keeping the
     * input order. Callers in this class treat index 0 as the leaf.
     *
     * @param bArr encoded certificates, one per element
     * @return the parsed certificates, same length and order as the input
     * @throws CertificateException if the array is empty or an element cannot be parsed
     */
    /* JADX WARN: Multi-variable type inference failed */
    private X509Certificate[] parseCertificates(byte[][] bArr) {
        int length = bArr.length;
        if (length == 0) {
            throw new CertificateException("No certificates provided.");
        }
        X509Certificate[] x509CertificateArr = new X509Certificate[length];
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        int i = 0;
        // do/while is safe here: the empty case was rejected above, so length >= 1.
        do {
            x509CertificateArr[i] = certificateFactory.generateCertificate(new ByteArrayInputStream(bArr[i]));
            i++;
        } while (i < length);
        return x509CertificateArr;
    }

    /**
     * Core check, in this order: leaf revocation lookup, chain trust via the factory's first
     * trust manager, then hostname match on the leaf. Returns normally only if all three pass.
     *
     * @param x509CertificateArr parsed chain; index 0 is used as the leaf
     * @param str hostname given to the trust manager (where it takes one) and hostname verifier
     * @param z forwarded to {@code AAi}; in the {@code EAV} branch {@code true} forces a failure.
     *     Exact meaning not visible here - TODO confirm
     * @throws CertificateException if the leaf is revoked, the trust manager rejects the chain,
     *     or the hostname does not match
     */
    private void verify(X509Certificate[] x509CertificateArr, String str, boolean z) {
        // Only the leaf serial is compared with the local revocation set; the other certificates
        // in the chain are not looked up here.
        BigInteger serialNumber = x509CertificateArr[0].getSerialNumber();
        if (serialNumber != null && this.revokedCertificateSerials.contains(serialNumber)) {
            StringBuilder A13 = AnonymousClass000.A13();
            A13.append("Certificate is revoked. Serial=");
            AbstractC15990qQ.A1L(serialNumber, A13);
            throw new CertificateException(A13.toString());
        }
        // Dispatch on the concrete type of the first trust manager; the interfaces are obfuscated.
        X509TrustManager x509TrustManager = this.mFbPinningSSLContextFactory.A00[0];
        if (x509TrustManager instanceof InterfaceC29432EpK) {
            ((InterfaceC29432EpK) x509TrustManager).AAi(x509CertificateArr, str, z);
        } else if (x509TrustManager instanceof EAV) {
            // The wrapped manager validates the chain first; with z == true this branch then
            // always throws, so an EAV-backed verifier can only succeed when z is false.
            ((EAV) x509TrustManager).A01.checkServerTrusted(x509CertificateArr, "ECDHE_ECDSA");
            if (z) {
                throw new CertificateException("SystemKeystore is not intialized.");
            }
        } else if (x509TrustManager instanceof InterfaceC29464Ept) {
            ((InterfaceC29464Ept) x509TrustManager).AAh(x509CertificateArr, str);
        } else {
            // Plain X509TrustManager: authType is hard-coded regardless of the leaf key type.
            x509TrustManager.checkServerTrusted(x509CertificateArr, "ECDHE_ECDSA");
        }
        // The hostname check runs last and only against the leaf certificate.
        if (!this.mFbHostnameVerifier.A01(str, x509CertificateArr[0])) {
            throw new CertificateException("Hostname verification failed.");
        }
    }

    /**
     * Verifies a hex-encoded SHA256withRSA signature over the UTF-8 bytes of {@code str} using
     * the embedded CRL public key.
     *
     * @param str signed payload; the caller passes the raw {@code tbs_cert_list} string
     * @param str2 signature as hex text
     * @param str3 algorithm label; anything other than "sha256_rsa" (case-insensitive) is rejected
     * @return {@code true} only if the algorithm is supported and the signature verifies
     */
    private boolean verifyCrlSignature(String str, String str2, String str3) {
        // Only one algorithm is accepted, so the label cannot select a weaker scheme.
        if (!str3.equalsIgnoreCase("sha256_rsa")) {
            return false;
        }
        PublicKey generatePublic = KeyFactory.getInstance(CRL_KEY_ALGORITHM).generatePublic(new X509EncodedKeySpec(CRL_PUBLIC_KEY_BYTES));
        Signature signature = Signature.getInstance(CRL_SIGNATURE_ALGORITHM);
        signature.initVerify(generatePublic);
        signature.update(str.getBytes(StandardCharsets.UTF_8));
        // Hex decode with no validation of its own: Character.digit returns -1 for a non-hex
        // character, and an odd length makes charAt(i + 1) throw. This method relies on the
        // caller having checked the length (512) and the character set beforehand.
        int length = str2.length();
        byte[] bArr = new byte[length / 2];
        for (int i = 0; i < length; i += 2) {
            bArr[i / 2] = (byte) ((Character.digit(str2.charAt(i), 16) << 4) + Character.digit(str2.charAt(i + 1), 16));
        }
        return signature.verify(bArr);
    }

    /**
     * Returns the embedded CRL public key bytes.
     *
     * <p>NOTE(review): this is the internal array itself, not a copy, so a caller that writes to
     * the result alters the key used by later CRL signature checks.
     *
     * @return the {@link #CRL_PUBLIC_KEY_BYTES} array reference
     */
    public byte[] getCrlPublicKeyBytes() {
        return CRL_PUBLIC_KEY_BYTES;
    }

    /**
     * Parses a signed JSON revocation list and adds its serial numbers to
     * {@link #revokedCertificateSerials}.
     *
     * <p>Fields read from the outer object: a signature (key taken from
     * {@code PublicKeyCredentialControllerUtility.JSON_KEY_SIGNATURE}, presumably "signature"),
     * {@code signature_algorithm.algorithm}, and {@code tbs_cert_list}. The last one is a string
     * holding JSON with a {@code revoked_certificates} array of objects, each carrying a
     * {@code user_certificate} serial written as "0x" plus at most 40 hex digits.
     *
     * <p>Points a reviewer should keep in mind:
     * <ul>
     *   <li>A null or empty argument returns silently and leaves the set as it was, so a missing
     *       list is not an error at this layer.</li>
     *   <li>The signature covers the exact {@code tbs_cert_list} string, and that same string is
     *       what gets parsed afterwards, so the inner JSON is only parsed once authenticated.</li>
     *   <li>No issue time, expiry or sequence number is read here, so this method cannot tell a
     *       stale list from a current one; any freshness check would have to live elsewhere.</li>
     *   <li>Serials are only ever added. Nothing in this class clears the set, and if one entry
     *       is malformed the entries before it in the same list have already been added.</li>
     * </ul>
     *
     * @param str the JSON revocation list, or null/empty for a no-op
     * @throws CertificateException wrapping any parsing, format or signature failure
     */
    public void setCertificateRevocationList(String str) {
        Boolean A0m;
        if (str == null || str.isEmpty()) {
            return;
        }
        try {
            // A1N is opaque here; it returns a JSONObject, presumably parsed from the string.
            JSONObject A1N = AbstractC105355e7.A1N(str);
            String string = A1N.getString(PublicKeyCredentialControllerUtility.JSON_KEY_SIGNATURE);
            String string2 = A1N.getJSONObject("signature_algorithm").getString("algorithm");
            // 512 hex characters = 256 bytes, the signature size for the embedded 2048-bit key.
            // Other algorithm labels skip this length check but are rejected later by
            // verifyCrlSignature, which returns false for them.
            if (string2.equalsIgnoreCase("sha256_rsa") && string.length() != 512) {
                throw new Exception("Invalid CRL signature length.");
            }
            // Intended check: every signature character is a hex digit.
            // NOTE(review): as printed, the assignment after the loop overwrites the `false` set
            // before `break`, which would make this check ineffective. That is most likely a
            // decompiler control-flow artifact (A0m() presumably yields Boolean.TRUE and is
            // skipped on the failure path) - confirm against the bytecode before relying on it.
            for (char c : string.toCharArray()) {
                if (c < '0' || (c > '9' && (c < 'A' || (c > 'F' && (c < 'a' || c > 'f'))))) {
                    A0m = false;
                    break;
                }
            }
            A0m = AnonymousClass000.A0m();
            if (!A0m.booleanValue()) {
                throw new Exception("Invalid CRL signature format.");
            }
            String string3 = A1N.getString("tbs_cert_list");
            if (!verifyCrlSignature(string3, string, string2)) {
                throw new Exception("CRL signature validation failed.");
            }
            // From here on the data is covered by the verified signature.
            JSONArray jSONArray = AbstractC105355e7.A1N(string3).getJSONArray("revoked_certificates");
            for (int i = 0; i < jSONArray.length(); i++) {
                String string4 = jSONArray.getJSONObject(i).getString("user_certificate");
                // A value shorter than two characters makes substring throw; the catch below
                // turns that into a CertificateException as well.
                if (!string4.substring(0, 2).equalsIgnoreCase("0x")) {
                    throw new Exception("Invalid CRL serial number format.");
                }
                if (string4.substring(2).length() > 40) {
                    throw new Exception("Invalid CRL serial number length.");
                }
                this.revokedCertificateSerials.add(new BigInteger(string4.substring(2), 16));
            }
        } catch (Exception e) {
            // Every failure is reported as a CertificateException; A16 is opaque and presumably
            // appends the cause to the "Invalid CRL: " prefix.
            throw new CertificateException(AnonymousClass001.A16("Invalid CRL: ", AnonymousClass000.A13(), e));
        }
    }

    /**
     * Verifies an encoded chain for a hostname with the boolean flag set to {@code true}.
     *
     * @param bArr encoded certificates, leaf first
     * @param str hostname to verify against
     */
    public void verify(byte[][] bArr, String str) {
        verify(bArr, str, true);
    }

    /**
     * Parses the encoded chain and runs the revocation, trust and hostname checks.
     *
     * @param bArr encoded certificates, leaf first
     * @param str hostname to verify against
     * @param z forwarded unchanged to the private {@code verify} overload
     */
    public void verify(byte[][] bArr, String str, boolean z) {
        verify(parseCertificates(bArr), str, z);
    }

    /**
     * Checks that {@code bArr3} is a valid signature over {@code bArr2} under the leaf
     * certificate's public key, then runs the normal chain verification.
     *
     * <p>The signature is checked before the chain is trusted, but the method returns normally
     * only when both steps pass. What {@code bArr2} must contain for the proof to be meaningful
     * (for example a handshake transcript) is decided by the caller and is not visible here.
     *
     * @param bArr encoded certificates, leaf first
     * @param str hostname to verify against
     * @param z forwarded unchanged to the private {@code verify} overload
     * @param i signature scheme code; one of the {@code SIGNATURE_*} constants
     * @param bArr2 the signed data
     * @param bArr3 the signature to verify
     * @throws CertificateException on an unknown scheme, a bad signature, a key that does not fit
     *     the scheme, or any failure of the chain verification
     */
    public void verifyWithProofOfPossession(byte[][] bArr, String str, boolean z, int i, byte[] bArr2, byte[] bArr3) {
        Signature signature;
        X509Certificate[] parseCertificates = parseCertificates(bArr);
        X509Certificate x509Certificate = parseCertificates[0];
        try {
            // The literals are the SIGNATURE_* constants, inlined by the compiler.
            if (i == 1027) {
                signature = Signature.getInstance("SHA256withECDSA");
            } else if (i == 1283) {
                signature = Signature.getInstance("SHA384withECDSA");
            } else if (i == 1539) {
                signature = Signature.getInstance("SHA512withECDSA");
            } else {
                if (i != 2052) {
                    throw new CertificateException(AnonymousClass000.A0z("Unrecognized signature scheme = ", AnonymousClass000.A13(), i));
                }
                // NOTE(review): no PSSParameterSpec is set, so the MGF and salt length are the
                // provider's defaults for this algorithm name - confirm they match the scheme.
                signature = Signature.getInstance("SHA256withRSA/PSS");
            }
            // A leaf key of the wrong type for the chosen scheme surfaces as InvalidKeyException
            // and is reported through the catch below.
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(bArr2);
            if (!signature.verify(bArr3)) {
                throw new CertificateException("Leaf signature verification failed.");
            }
            verify(parseCertificates, str, z);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new CertificateException(AnonymousClass001.A16("Leaf signature verification failed ", AnonymousClass000.A13(), e));
        }
    }
}
