package com.privateinternetaccess.csi.internals;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.collections.ArraysKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Ref;
import kotlin.text.Charsets;
import okhttp3.OkHttpClient;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;

/* JADX INFO: Access modifiers changed from: package-private */
@Metadata(d1 = {"\u0000\f\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0004\b\u0002\u0018\u0000 \u00042\u00020\u0001:\u0002\u0003\u0004B\u0005¢\u0006\u0002\u0010\u0002¨\u0006\u0005"}, d2 = {"Lcom/privateinternetaccess/csi/internals/AccountCertificatePinner;", "", "()V", "AccountHostnameVerifier", "Companion", "csi_release"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes3.dex */
public final class AccountCertificatePinner {

    /* renamed from: Companion, reason: from kotlin metadata */
    public static final Companion INSTANCE = new Companion(null);

    /* JADX INFO: Access modifiers changed from: private */
    @Metadata(d1 = {"\u0000:\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\b\u0002\u0018\u00002\u00020\u0001B\u001f\u0012\b\u0010\u0002\u001a\u0004\u0018\u00010\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0005¢\u0006\u0002\u0010\u0007J\u0012\u0010\b\u001a\u0004\u0018\u00010\u00052\u0006\u0010\t\u001a\u00020\nH\u0002J\u0018\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000e2\u0006\u0010\u000f\u001a\u00020\u000eH\u0002J\u001c\u0010\u0010\u001a\u00020\f2\b\u0010\u0011\u001a\u0004\u0018\u00010\u00052\b\u0010\u0012\u001a\u0004\u0018\u00010\u0013H\u0016J\u001a\u0010\u0014\u001a\u00020\f2\b\u0010\u0011\u001a\u0004\u0018\u00010\u00052\u0006\u0010\u0015\u001a\u00020\u0016H\u0002R\u000e\u0010\u0006\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u0010\u0010\u0002\u001a\u0004\u0018\u00010\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0017"}, d2 = {"Lcom/privateinternetaccess/csi/internals/AccountCertificatePinner$AccountHostnameVerifier;", "Ljavax/net/ssl/HostnameVerifier;", "trustManager", "Ljavax/net/ssl/X509TrustManager;", "requestHostname", "", "commonName", "(Ljavax/net/ssl/X509TrustManager;Ljava/lang/String;Ljava/lang/String;)V", "certificateCommonName", "name", "Lorg/bouncycastle/asn1/x500/X500Name;", "isEqual", "", "a", "", "b", "verify", "hostname", "session", "Ljavax/net/ssl/SSLSession;", "verifyCommonName", "certificate", "Ljava/security/cert/X509Certificate;", "csi_release"}, k = 1, mv = {1, 9, 0}, xi = 48)
    /* loaded from: classes3.dex */
    public static final class AccountHostnameVerifier implements HostnameVerifier {
        private final String commonName;
        private final String requestHostname;
        private final X509TrustManager trustManager;

        public AccountHostnameVerifier(X509TrustManager x509TrustManager, String requestHostname, String commonName) {
            Intrinsics.checkNotNullParameter(requestHostname, "requestHostname");
            Intrinsics.checkNotNullParameter(commonName, "commonName");
            this.trustManager = x509TrustManager;
            this.requestHostname = requestHostname;
            this.commonName = commonName;
        }

        private final String certificateCommonName(X500Name name) {
            RDN[] rDNs = name.getRDNs(BCStyle.CN);
            Intrinsics.checkNotNull(rDNs);
            if (rDNs.length == 0) {
                return null;
            }
            return ((RDN) ArraysKt.first(rDNs)).getFirst().getValue().toString();
        }

        private final boolean isEqual(byte[] a, byte[] b) {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            byte[] bArr = new byte[20];
            new SecureRandom().nextBytes(bArr);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byteArrayOutputStream.write(bArr);
            byteArrayOutputStream.write(a);
            byte[] digest = messageDigest.digest(byteArrayOutputStream.toByteArray());
            ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
            byteArrayOutputStream2.write(bArr);
            byteArrayOutputStream2.write(b);
            return MessageDigest.isEqual(digest, messageDigest.digest(byteArrayOutputStream2.toByteArray()));
        }

        private final boolean verifyCommonName(String hostname, X509Certificate certificate) {
            boolean isEqual;
            Ref.BooleanRef booleanRef = new Ref.BooleanRef();
            Principal subjectDN = certificate.getSubjectDN();
            Intrinsics.checkNotNull(subjectDN, "null cannot be cast to non-null type javax.security.auth.x500.X500Principal");
            X500Name x500Name = X500Name.getInstance(((X500Principal) subjectDN).getEncoded());
            Intrinsics.checkNotNullExpressionValue(x500Name, "getInstance(...)");
            String certificateCommonName = certificateCommonName(x500Name);
            if (certificateCommonName != null) {
                if (hostname != null) {
                    byte[] bytes = hostname.getBytes(Charsets.UTF_8);
                    Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
                    byte[] bytes2 = this.requestHostname.getBytes(Charsets.UTF_8);
                    Intrinsics.checkNotNullExpressionValue(bytes2, "getBytes(...)");
                    if (isEqual(bytes, bytes2)) {
                        byte[] bytes3 = this.commonName.getBytes(Charsets.UTF_8);
                        Intrinsics.checkNotNullExpressionValue(bytes3, "getBytes(...)");
                        byte[] bytes4 = certificateCommonName.getBytes(Charsets.UTF_8);
                        Intrinsics.checkNotNullExpressionValue(bytes4, "getBytes(...)");
                        if (isEqual(bytes3, bytes4)) {
                            isEqual = true;
                            Boolean.valueOf(isEqual).getClass();
                        }
                    }
                    isEqual = false;
                    Boolean.valueOf(isEqual).getClass();
                } else {
                    byte[] bytes5 = this.commonName.getBytes(Charsets.UTF_8);
                    Intrinsics.checkNotNullExpressionValue(bytes5, "getBytes(...)");
                    byte[] bytes6 = certificateCommonName.getBytes(Charsets.UTF_8);
                    Intrinsics.checkNotNullExpressionValue(bytes6, "getBytes(...)");
                    isEqual = isEqual(bytes5, bytes6);
                }
                booleanRef.element = isEqual;
            }
            return booleanRef.element;
        }

        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String hostname, SSLSession session) {
            Certificate[] peerCertificates;
            if (session != null) {
                try {
                    peerCertificates = session.getPeerCertificates();
                } catch (InvalidKeyException e) {
                    e.printStackTrace();
                    return false;
                } catch (NoSuchAlgorithmException e2) {
                    e2.printStackTrace();
                    return false;
                } catch (NoSuchProviderException e3) {
                    e3.printStackTrace();
                    return false;
                } catch (SignatureException e4) {
                    e4.printStackTrace();
                    return false;
                } catch (CertificateException e5) {
                    e5.printStackTrace();
                    return false;
                } catch (SSLPeerUnverifiedException e6) {
                    e6.printStackTrace();
                    return false;
                }
            } else {
                peerCertificates = null;
            }
            Intrinsics.checkNotNull(peerCertificates, "null cannot be cast to non-null type kotlin.Array<out java.security.cert.X509Certificate>");
            X509Certificate[] x509CertificateArr = (X509Certificate[]) peerCertificates;
            X509TrustManager x509TrustManager = this.trustManager;
            if (x509TrustManager != null) {
                x509TrustManager.checkServerTrusted(x509CertificateArr, "RSA");
            }
            Certificate[] peerCertificates2 = session.getPeerCertificates();
            Intrinsics.checkNotNullExpressionValue(peerCertificates2, "getPeerCertificates(...)");
            Certificate certificate = (Certificate) ArraysKt.first(peerCertificates2);
            Intrinsics.checkNotNull(certificate, "null cannot be cast to non-null type java.security.cert.X509Certificate");
            return verifyCommonName(hostname, (X509Certificate) certificate);
        }
    }

    @Metadata(d1 = {"\u0000\u001a\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0003\b\u0086\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u001e\u0010\u0003\u001a\u00020\u00042\u0006\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\u00062\u0006\u0010\b\u001a\u00020\u0006¨\u0006\t"}, d2 = {"Lcom/privateinternetaccess/csi/internals/AccountCertificatePinner$Companion;", "", "()V", "getOkHttpClient", "Lokhttp3/OkHttpClient;", "certificate", "", "requestHostname", "commonName", "csi_release"}, k = 1, mv = {1, 9, 0}, xi = 48)
    /* loaded from: classes3.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        public final OkHttpClient getOkHttpClient(String certificate, String requestHostname, String commonName) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, KeyManagementException, IllegalStateException {
            Intrinsics.checkNotNullParameter(certificate, "certificate");
            Intrinsics.checkNotNullParameter(requestHostname, "requestHostname");
            Intrinsics.checkNotNullParameter(commonName, "commonName");
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            KeyStore keyStore = KeyStore.getInstance("BKS");
            keyStore.load(null);
            byte[] bytes = certificate.getBytes(Charsets.UTF_8);
            Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bytes);
            keyStore.setCertificateEntry("csi", CertificateFactory.getInstance("X.509").generateCertificate(byteArrayInputStream));
            byteArrayInputStream.close();
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            if (trustManagers.length == 1) {
                TrustManager trustManager = trustManagers[0];
                if (trustManager instanceof X509TrustManager) {
                    Intrinsics.checkNotNull(trustManager, "null cannot be cast to non-null type javax.net.ssl.X509TrustManager");
                    X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
                    SSLContext sSLContext = SSLContext.getInstance("SSL");
                    sSLContext.init(null, trustManagers, new SecureRandom());
                    SSLSocketFactory socketFactory = sSLContext.getSocketFactory();
                    builder.connectTimeout(3000L, TimeUnit.MILLISECONDS);
                    if (socketFactory != null) {
                        builder.sslSocketFactory(socketFactory, x509TrustManager);
                    }
                    builder.hostnameVerifier(new AccountHostnameVerifier(x509TrustManager, requestHostname, commonName));
                    return builder.build();
                }
            }
            throw new IllegalStateException(("Unexpected default trust managers:" + Arrays.toString(trustManagers)).toString());
        }
    }
}
