package org.rustls.platformverifier;

import android.annotation.SuppressLint;
import android.content.Context;
import android.net.http.X509TrustManagerExtensions;
import android.util.Log;
import ic.i;
import j0.AbstractC2130d;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.cert.CertPathChecker;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import kotlin.Lazy;
import kotlin.jvm.internal.k;
import sc.j;
import tc.AbstractC3289l;
import tc.AbstractC3290m;
import tc.z;

/**
 * Android-side certificate verifier from package {@code org.rustls.platformverifier}, shown here as
 * decompiler output (note the "loaded from: classes2.dex" marker below).
 *
 * <p>Reading notes for reviewers:
 * <ul>
 *   <li>Helper names such as {@code k.e}, {@code k.j}, {@code AbstractC2130d.p},
 *       {@code AbstractC3289l.s}, {@code AbstractC3290m.D0}, {@code z.g0} and {@code i.T} are
 *       obfuscated. Comments below say what each one appears to do and mark that as an
 *       assumption.</li>
 *   <li>Several control-flow shapes in {@code verifyCertificateChain} cannot be taken literally
 *       (a variable that may be unassigned after a catch, an empty loop body, a counter that is
 *       not advanced on every path). Treat this listing as a reading aid and confirm any
 *       security-relevant conclusion against the bytecode or the original source.</li>
 *   <li>The static anchor cache is a plain {@link HashSet}; no synchronization is visible in this
 *       class.</li>
 * </ul>
 */
@SuppressLint({"LongLogTag"})
/* loaded from: classes2.dex */
public final class CertificateVerifier {
    public static final /* synthetic */ int $r8$clinit = 0;
    // X.509 factory used both to parse the caller-supplied certificates and to build the
    // CertPath handed to the PKIX validator.
    private static final CertificateFactory certFactory;
    // $ANDROID_ROOT/etc/security/cacerts, or null when ANDROID_ROOT is not set.
    private static File systemCertificateDirectory;
    // The "AndroidCAStore" keystore, or null when that keystore type is not available.
    private static final KeyStore systemKeystore;
    // (subject principal, public key) pairs already matched against a system anchor.
    // `j` is obfuscated; it is used as a two-element tuple (presumably kotlin.Pair; confirm).
    private static HashSet<j> systemTrustAnchorCache;
    // Lazily created trust manager; getValue() yields an X509TrustManagerExtensions or null.
    private static final Lazy systemTrustManager;

    static {
        KeyStore keyStore;
        // Empty keystore of the default type. The lazy holder built from it is not stored in any
        // field visible here; presumably a stripped test-only trust manager (confirm).
        KeyStore keyStore2 = KeyStore.getInstance(KeyStore.getDefaultType());
        // k.e(label, value) looks like a Kotlin non-null assertion on `value` (assumption).
        k.e("getInstance(KeyStore.getDefaultType())", keyStore2);
        keyStore2.load(null);
        AbstractC2130d.p(new CertificateVerifier$makeLazyTrustManager$1(keyStore2));
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        k.e("getInstance(\"X.509\")", certificateFactory);
        certFactory = certificateFactory;
        systemTrustAnchorCache = new HashSet<>();
        // The anchor directory is derived from an environment variable.
        // k.j(a, b) appears to be string concatenation (assumption).
        String str = System.getenv("ANDROID_ROOT");
        systemCertificateDirectory = str == null ? null : new File(k.j(str, "/etc/security/cacerts"));
        try {
            keyStore = KeyStore.getInstance("AndroidCAStore");
        } catch (KeyStoreException unused) {
            // No system CA keystore: continue with null; later code checks for null before the
            // anchor lookup, but not before building PKIXBuilderParameters.
            keyStore = null;
        }
        systemKeystore = keyStore;
        if (keyStore != null) {
            keyStore.load(null);
        }
        // The trust manager is created on first use from the (possibly null) system keystore.
        systemTrustManager = AbstractC2130d.p(new CertificateVerifier$makeLazyTrustManager$1(keyStore));
    }

    // Not instantiable: all members are static.
    private CertificateVerifier() {
    }

    /**
     * Builds a trust manager from {@code keyStore} using the platform's default
     * {@link TrustManagerFactory} algorithm and wraps the first {@link X509TrustManager} found.
     *
     * @param keyStore keystore passed to {@code TrustManagerFactory.init}; may be null, in which
     *     case the set of anchors is whatever the provider chooses
     * @return the wrapped trust manager, or null when no X509TrustManager is offered or a
     *     RuntimeException is thrown while looking for one (both cases are logged). The caller in
     *     this class maps null to {@code StatusCode.Unavailable}, i.e. verification fails closed.
     */
    public static final X509TrustManagerExtensions access$createTrustManager(KeyStore keyStore) {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        try {
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            k.e("availableTrustManagers", trustManagers);
            int length = trustManagers.length;
            int i10 = 0;
            while (i10 < length) {
                TrustManager trustManager = trustManagers[i10];
                i10++;
                // First X509-capable manager wins.
                if (trustManager instanceof X509TrustManager) {
                    return new X509TrustManagerExtensions((X509TrustManager) trustManager);
                }
            }
            Log.e("rustls-platform-verifier-android", "failed to find a usable trust manager");
            return null;
        } catch (RuntimeException e10) {
            Log.w("rustls-platform-verifier-android", k.j("exception thrown creating a TrustManager: ", e10));
            return null;
        }
    }

    /**
     * Verifies a server certificate chain with the platform trust manager and, on one path, a
     * PKIX revocation check.
     *
     * <p>Order of checks as visible here: parse every certificate, validity period of the leaf at
     * {@code j10}, extended key usage of the leaf, platform chain building via
     * {@code checkServerTrusted}, then either a system-anchor cache lookup or a soft-fail,
     * end-entity-only revocation check.
     *
     * <p>The four-argument {@code VerificationResult(status, null, 2, null)} calls look like
     * Kotlin's synthetic default-argument constructor (assumption).
     *
     * @param context not read anywhere in the visible body
     * @param str passed as the {@code host} argument of {@code checkServerTrusted}
     * @param str2 passed as the {@code authType} argument of {@code checkServerTrusted}
     * @param strArr values the leaf's extended-key-usage entries are compared against
     * @param bArr OCSP response bytes associated with the leaf, or null
     * @param j10 verification time, used as {@code new Date(j10)}
     * @param bArr2 encoded certificates; index 0 is treated as the end-entity certificate.
     *     An empty array reaches {@code arrayList.get(0)} and throws IndexOutOfBoundsException,
     *     which no visible catch handles.
     * @return a {@code VerificationResult} whose status is one of InvalidEncoding, Expired,
     *     InvalidExtension, Unavailable, UnknownCert, Revoked or Ok
     */
    private static final VerificationResult verifyCertificateChain(Context context, String str, String str2, String[] strArr, byte[] bArr, long j10, byte[][] bArr2) {
        List<String> extendedKeyUsage;
        File file;
        ArrayList arrayList = new ArrayList();
        int length = bArr2.length;
        int i10 = 0;
        // Parse every supplied certificate; one unparsable entry rejects the whole chain.
        while (i10 < length) {
            byte[] bArr3 = bArr2[i10];
            i10++;
            try {
                Certificate generateCertificate = certFactory.generateCertificate(new ByteArrayInputStream(bArr3));
                if (generateCertificate == null) {
                    throw new NullPointerException("null cannot be cast to non-null type java.security.cert.X509Certificate");
                }
                arrayList.add((X509Certificate) generateCertificate);
            } catch (CertificateException unused) {
                return new VerificationResult(StatusCode.InvalidEncoding, null, 2, null);
            }
        }
        // End-entity certificate.
        X509Certificate x509Certificate = (X509Certificate) arrayList.get(0);
        try {
            // Validity is evaluated at the caller-supplied time, not the device clock.
            x509Certificate.checkValidity(new Date(j10));
            // NOTE(review): this EKU block cannot be taken literally. As decompiled,
            // `extendedKeyUsage` may be unassigned after either catch, the loop body is empty,
            // and InvalidExtension is returned for every non-null EKU list. The intent appears to
            // be "reject when the leaf carries an EKU extension and none of its entries is in
            // strArr" (AbstractC3289l.s looks like an array-contains helper); confirm against the
            // bytecode. Whether an unparsable EKU (CertificateParsingException, caught with no
            // visible handling) fails open or closed cannot be determined from this listing.
            try {
                extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            } catch (NullPointerException unused2) {
                Log.w("rustls-platform-verifier-android", "exception handling certificate EKU");
            } catch (CertificateParsingException unused3) {
            }
            if (extendedKeyUsage != null) {
                if (!extendedKeyUsage.isEmpty()) {
                    Iterator<T> it = extendedKeyUsage.iterator();
                    while (it.hasNext()) {
                        if (AbstractC3289l.s(strArr, (String) it.next())) {
                        }
                    }
                }
                return new VerificationResult(StatusCode.InvalidExtension, null, 2, null);
            }
            // No usable platform trust manager: report Unavailable rather than accepting.
            X509TrustManagerExtensions x509TrustManagerExtensions = (X509TrustManagerExtensions) systemTrustManager.getValue();
            if (x509TrustManagerExtensions == null) {
                return new VerificationResult(StatusCode.Unavailable, null, 2, null);
            }
            KeyStore keyStore = systemKeystore;
            try {
                Object[] array = arrayList.toArray(new X509Certificate[0]);
                if (array == null) {
                    throw new NullPointerException("null cannot be cast to non-null type kotlin.Array<T of kotlin.collections.ArraysKt__ArraysJVMKt.toTypedArray>");
                }
                // Platform chain validation. A CertificateException from here is mapped to
                // UnknownCert by the catch at the end of this try. The returned list is the
                // ordered chain the platform used for verification.
                List<X509Certificate> checkServerTrusted = x509TrustManagerExtensions.checkServerTrusted((X509Certificate[]) array, str2, str);
                // NOTE(review): as shown, this branch is taken exactly when no OCSP response was
                // supplied, and it returns Ok without running any revocation checker. The anchor
                // lookup inside it only updates the cache; its outcome does not change the
                // result. The branch condition may have been restructured by the decompiler;
                // verify before relying on it.
                if (bArr == null) {
                    k.e("validChain", checkServerTrusted);
                    // Last element of the validated chain (D0 appears to be List.last(), per the
                    // label passed to k.e); used below as the candidate trust anchor.
                    Object D02 = AbstractC3290m.D0(checkServerTrusted);
                    k.e("validChain.last()", D02);
                    X509Certificate x509Certificate2 = (X509Certificate) D02;
                    if (keyStore != null && (file = systemCertificateDirectory) != null) {
                        j jVar = new j(x509Certificate2.getSubjectX500Principal(), x509Certificate2.getPublicKey());
                        if (!systemTrustAnchorCache.contains(jVar)) {
                            X500Principal subjectX500Principal = x509Certificate2.getSubjectX500Principal();
                            k.e("root.subjectX500Principal", subjectX500Principal);
                            char[] charArray = "0123456789abcdef".toCharArray();
                            k.e("this as java.lang.String).toCharArray()", charArray);
                            // MD5 is used only to derive a file name: the first four digest bytes
                            // of the encoded subject, in reverse order, as 8 hex digits. This
                            // appears to be the OpenSSL-style "old" subject-hash naming of files
                            // in the cacerts directory (assumption). The match itself is decided
                            // below by subject and public-key equality, not by this hash.
                            byte[] digest = MessageDigest.getInstance("MD5").digest(subjectX500Principal.getEncoded());
                            char[] cArr = new char[8];
                            int i11 = 0;
                            while (i11 < 4) {
                                int i12 = i11 + 1;
                                byte b9 = digest[3 - i11];
                                int i13 = i11 * 2;
                                cArr[i13] = charArray[(b9 >> 4) & 15];
                                cArr[i13 + 1] = charArray[b9 & 15];
                                i11 = i12;
                            }
                            String str3 = new String(cArr);
                            int i14 = 0;
                            // Probe "<hash>.0", "<hash>.1", ... until no such file exists.
                            // NOTE(review): as shown, i14 advances only on the X509 mismatch
                            // path; a null or non-X509 keystore entry would re-test the same
                            // alias indefinitely. Likely a decompiler artifact; confirm.
                            while (true) {
                                String str4 = str3 + '.' + i14;
                                if (!new File(file, str4).exists()) {
                                    break;
                                }
                                // The keystore alias is the file name prefixed with "system:".
                                Certificate certificate = keyStore.getCertificate(k.j("system:", str4));
                                if (certificate != null) {
                                    if (certificate instanceof X509Certificate) {
                                        X509Certificate x509Certificate3 = (X509Certificate) certificate;
                                        // Same subject and same public key: treat as a system
                                        // anchor and remember it.
                                        if (k.b(x509Certificate2.getSubjectX500Principal(), x509Certificate3.getSubjectX500Principal()) && k.b(x509Certificate2.getPublicKey(), x509Certificate3.getPublicKey())) {
                                            systemTrustAnchorCache.add(jVar);
                                            break;
                                        }
                                        i14++;
                                    } else {
                                        Log.e("rustls-platform-verifier-android", k.j("anchor is not a certificate, alias: ", str4));
                                    }
                                }
                            }
                        }
                    }
                    return new VerificationResult(StatusCode.Ok, null, 2, null);
                }
                // keyStore can be null here (the static initializer falls back to null).
                // PKIXBuilderParameters rejects a null keystore with NullPointerException, which
                // no visible catch handles.
                PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(keyStore, (CertSelector) null);
                CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
                CertPathChecker revocationChecker = certPathValidator.getRevocationChecker();
                if (revocationChecker == null) {
                    throw new NullPointerException("null cannot be cast to non-null type java.security.cert.PKIXRevocationChecker");
                }
                PKIXRevocationChecker pKIXRevocationChecker = (PKIXRevocationChecker) revocationChecker;
                // SOFT_FAIL: the check passes when revocation status cannot be determined (for
                // example, the responder is unreachable). ONLY_END_ENTITY: only the leaf is
                // checked. Revocation is therefore best-effort: a revoked leaf is caught when a
                // status is available, and the connection is not failed when none is.
                pKIXRevocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL, PKIXRevocationChecker.Option.ONLY_END_ENTITY));
                // Always true on this path as shown (the null case returned above).
                // z.g0 appears to build a single-entry map from the (leaf, response) pair
                // (assumption).
                if (bArr != null) {
                    pKIXRevocationChecker.setOcspResponses(z.g0(new j(x509Certificate, bArr)));
                }
                // i.T appears to wrap the checker in a single-element list (assumption).
                pKIXBuilderParameters.setCertPathCheckers(i.T(pKIXRevocationChecker));
                // Turns off the validator's built-in revocation step only; a PKIXRevocationChecker
                // supplied as a cert path checker is still run.
                pKIXBuilderParameters.setRevocationEnabled(false);
                try {
                    certPathValidator.validate(certFactory.generateCertPath(checkServerTrusted), pKIXBuilderParameters);
                    return new VerificationResult(StatusCode.Ok, null, 2, null);
                } catch (CertPathValidatorException e10) {
                    // Every path-validation failure is reported as Revoked, whatever its reason;
                    // the exception text is returned alongside the status.
                    return new VerificationResult(StatusCode.Revoked, e10.toString());
                }
            } catch (CertificateException e11) {
                return new VerificationResult(StatusCode.UnknownCert, e11.toString());
            }
        } catch (CertificateExpiredException unused4) {
            return new VerificationResult(StatusCode.Expired, null, 2, null);
        } catch (CertificateNotYetValidException unused5) {
            // A not-yet-valid leaf is reported with the same status as an expired one.
            return new VerificationResult(StatusCode.Expired, null, 2, null);
        }
    }
}
