package com.onavo.vpn.remote;

import com.facebook.proguard.annotations.DoNotStrip;
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

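/**
 * Verifies a server certificate chain on behalf of an out-of-band caller (the {@code @DoNotStrip}
 * entry point {@link #verifyCert} is reached by name, presumably from native code, so its
 * signature must stay as is).
 *
 * <p>A chain is accepted only if every check passes: it builds a path to a CA in the platform's
 * default trust store, the leaf (element 0) matches {@link #sVpnHost}, and the leaf carries the
 * key-usage bits and extended-key-usage purposes required by {@link #verifyKeyUsage}. Every
 * failure, including a malformed or incomplete certificate, is reported as {@code -1} rather than
 * as an exception, so the verifier fails closed.
 *
 * <p>Not thread-safe with respect to {@link #sVpnHost}: the caller must set it before invoking
 * {@link #verifyCert} and must not change it concurrently.
 */
@DoNotStrip
/* loaded from: classes.dex */
public class RemoteVpnCertificateVerifier {
    private static final String TAG = RemoteVpnCertificateVerifier.class.getSimpleName();
    /** id-kp-clientAuth: the leaf must be usable for TLS client authentication. */
    private static final String TLS_WEB_CLIENT_AUTHENTICATION_OID = "1.3.6.1.5.5.7.3.2";
    /** id-kp-serverAuth: the leaf must be usable for TLS server authentication. */
    private static final String TLS_WEB_SERVER_AUTHENTICATION_OID = "1.3.6.1.5.5.7.3.1";
    /** Index of the digitalSignature bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_DIGITAL_SIGNATURE = 0;
    /** Index of the keyEncipherment bit in {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_KEY_ENCIPHERMENT = 2;
    /** Host name the leaf certificate must be issued for; must be set before {@link #verifyCert}. */
    static String sVpnHost;

    /**
     * Decodes each element of {@code encoded} into an {@link X509Certificate}.
     *
     * @param encoded certificate encodings accepted by the X.509 {@link CertificateFactory},
     *     leaf first (element 0 is the end-entity certificate)
     * @return the decoded certificates in the same order
     * @throws CertificateException if an element is {@code null} or cannot be parsed
     */
    private static X509Certificate[] generateCertificateChain(byte[][] encoded)
            throws CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[encoded.length];
        for (int i = 0; i < encoded.length; i++) {
            byte[] der = encoded[i];
            // A null element would otherwise surface as a NullPointerException, which the
            // GeneralSecurityException handler in verifyCert does not catch.
            if (der == null) {
                throw new CertificateException("Null certificate at chain position " + i);
            }
            chain[i] = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
        }
        return chain;
    }

    /**
     * Entry point for the out-of-band caller: verifies a server certificate chain.
     *
     * @param encoded the certificate chain, leaf first, each element an X.509 encoding
     * @return {@code 0} if the chain is trusted for {@link #sVpnHost}, {@code -1} otherwise
     */
    @DoNotStrip
    public static int verifyCert(byte[][] encoded) {
        try {
            if (encoded == null || encoded.length == 0) {
                throw new CertificateException("Empty certificates chain received for verification");
            }
            X509Certificate[] chain = generateCertificateChain(encoded);
            verifyCertificatesChain(chain);
            verifyHostname(chain[0]);
            verifyKeyUsage(chain[0]);
            return 0;
        } catch (GeneralSecurityException e) {
            // Every verification failure maps to the same failure code for the caller.
            // (The decompiled residue `new Object[1][0] = e.getMessage();` was a dead statement
            // and has been dropped.)
            return -1;
        } catch (RuntimeException e) {
            // This is the boundary to the non-Java caller: an unexpected exception (e.g. from a
            // malformed extension) must not escape as a crash; report it as a failed verification.
            return -1;
        }
    }

    /**
     * Checks that {@code chain} builds a path to a CA in the platform's default trust store.
     *
     * @param chain the certificate chain, leaf first
     * @throws GeneralSecurityException if no X.509 trust manager is available or the chain is
     *     not trusted
     */
    private static void verifyCertificatesChain(X509Certificate[] chain)
            throws GeneralSecurityException {
        TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore selects the platform's default trust anchors.
        factory.init((KeyStore) null);
        X509TrustManager trustManager = null;
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                trustManager = (X509TrustManager) candidate;
                break;
            }
        }
        if (trustManager == null) {
            throw new CertificateException("No X509TrustManager available for chain verification");
        }
        // NOTE(review): authType is hard-coded to "RSA" as in the original. Whether the platform
        // trust manager compares it against the leaf's key algorithm is not established here;
        // chain[0].getPublicKey().getAlgorithm() would describe an EC leaf more accurately.
        trustManager.checkServerTrusted(chain, "RSA");
    }

    /**
     * Checks that {@code leaf} is issued for {@link #sVpnHost}.
     *
     * @param leaf the end-entity certificate
     * @throws CertificateException if no host is configured or the certificate does not match it
     */
    private static void verifyHostname(X509Certificate leaf) throws CertificateException {
        // Read the mutable static once so the check, the match and the message all see the same value.
        String host = sVpnHost;
        // Fail closed when no host is configured instead of relying on how the matcher treats null.
        if (host == null || host.isEmpty()) {
            throw new CertificateException("No VPN host configured for certificate verification");
        }
        if (!new com.facebook.s.a.b().a(host, leaf).a()) {
            throw new CertificateException("Failed to verify certificate for host " + host);
        }
    }

    /**
     * Checks that the leaf carries the key-usage bits and extended-key-usage purposes this
     * verifier requires: digitalSignature, keyEncipherment, id-kp-serverAuth and id-kp-clientAuth.
     *
     * @param leaf the end-entity certificate
     * @throws CertificateException if either extension is absent or lacks a required entry
     */
    private static void verifyKeyUsage(X509Certificate leaf) throws CertificateException {
        boolean[] keyUsage = leaf.getKeyUsage();
        // getKeyUsage() returns null when the extension is absent; treat that as a failure
        // instead of letting a NullPointerException bypass the error handling in verifyCert.
        if (keyUsage == null) {
            throw new CertificateException("Certificate has no key usage extension");
        }
        if (!hasBit(keyUsage, KEY_USAGE_DIGITAL_SIGNATURE)) {
            throw new CertificateException("Certificate missing 'Digital Signature' in key usage");
        }
        if (!hasBit(keyUsage, KEY_USAGE_KEY_ENCIPHERMENT)) {
            throw new CertificateException("Certificate missing 'Key Encipherment' in key usage");
        }
        List<String> extendedKeyUsage = leaf.getExtendedKeyUsage();
        // getExtendedKeyUsage() likewise returns null when the extension is absent.
        if (extendedKeyUsage == null) {
            throw new CertificateException("Certificate has no extended key usage extension");
        }
        if (!extendedKeyUsage.contains(TLS_WEB_SERVER_AUTHENTICATION_OID)) {
            throw new CertificateException("Certificate missing 'TLS Web Server Authentication' in extended key usage");
        }
        if (!extendedKeyUsage.contains(TLS_WEB_CLIENT_AUTHENTICATION_OID)) {
            throw new CertificateException("Certificate missing 'TLS Web Client Authentication' in extended key usage");
        }
    }

    /** Returns whether bit {@code index} is set, treating a bit beyond the array's length as clear. */
    private static boolean hasBit(boolean[] bits, int index) {
        return index < bits.length && bits[index];
    }
}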
