package com.guardsquare.dexguard.runtime.net;

import java.nio.ByteBuffer;
import java.nio.LongBuffer;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes4.dex */
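/**
 * Static helpers for certificate pinning: chain clean-up, public-key hashing, and sanity
 * checks on the trust store and on the {@link X509TrustManager} built from it.
 *
 * <p>Pins are compared as SHA-256 digests of each certificate's encoded public key, so a
 * certificate that is re-issued with the same key still matches.
 *
 * <p>This source is decompiler output; the decompiler notes that several methods shown as
 * {@code public} were package-private in the original class.
 */
class PinningUtil {
    /** Utility class; not instantiable. */
    private PinningUtil() {
    }

    /**
     * Rebuilds the chain starting at the leaf ({@code x509CertificateArr[0]}), following
     * issuer names upward and keeping only certificates whose public key verifies the
     * signature of the certificate below them. Unrelated or out-of-order certificates
     * sent by the peer are dropped.
     *
     * <p>This method only reorders and filters. It does not check validity dates, CA
     * constraints or revocation, and it does not establish trust: the result must still be
     * evaluated by a trust manager and/or compared against the pinned hashes.
     *
     * <p>If several certificates share a subject name, only the last one in the array is
     * considered as a possible issuer.
     *
     * @param x509CertificateArr the chain as presented by the peer, leaf first
     * @return the cleaned chain, leaf first; always contains at least the leaf
     * @throws CertificateException if the chain is null, empty, contains a null entry, or
     *     cannot be processed
     */
    public static X509Certificate[] cleanCertificateChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        // Reject unusable input with the declared exception so callers fail closed.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("Certificate chain is null or empty.");
        }
        try {
            Map<X500Principal, X509Certificate> bySubject = new HashMap<>();
            for (X509Certificate cert : x509CertificateArr) {
                bySubject.put(cert.getSubjectX500Principal(), cert);
            }

            X509Certificate child = x509CertificateArr[0];
            List<X509Certificate> chain = new ArrayList<>();
            chain.add(child);

            // Each candidate is removed from the map as soon as it is looked up, so a
            // self-signed root or a name loop cannot make this walk run forever.
            X509Certificate candidate = bySubject.remove(child.getIssuerX500Principal());
            while (candidate != null) {
                if (isParentForChild(candidate, child) && isValidChildKey(candidate, child)) {
                    chain.add(candidate);
                    child = candidate;
                }
                // If the candidate was rejected, the issuer entry is already gone and the
                // next lookup returns null, ending the walk at the last verified link.
                candidate = bySubject.remove(child.getIssuerX500Principal());
            }
            return chain.toArray(new X509Certificate[0]);
        } catch (RuntimeException e) {
            throw new CertificateException("Failed to build a clean certificate chain.", e);
        }
    }

    /**
     * Computes the pin value for a certificate: the SHA-256 digest of its encoded public
     * key, exposed as a {@link LongBuffer} view (four longs) for cheap comparison.
     */
    private static LongBuffer getLongBuffer(X509Certificate cert) throws NoSuchAlgorithmException {
        byte[] encodedKey = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(encodedKey);
        return ByteBuffer.wrap(digest).asLongBuffer();
    }

    /**
     * Returns the pin values of every certificate entry in the given trust store.
     *
     * @throws IllegalArgumentException if the store is not initialized or SHA-256 is
     *     unavailable; the underlying exception is attached as the cause
     */
    private static LongBuffer[] getTrustedCertificateHashes(KeyStore trustStore) {
        try {
            List<LongBuffer> hashes = new ArrayList<>(trustStore.size());
            Enumeration<String> aliases = trustStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (trustStore.isCertificateEntry(alias)) {
                    // NOTE(review): assumes every certificate entry is X.509; another
                    // certificate type would fail this cast.
                    hashes.add(getLongBuffer((X509Certificate) trustStore.getCertificate(alias)));
                }
            }
            return hashes.toArray(new LongBuffer[0]);
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("The trust store has not been initialized.", e);
        } catch (NoSuchAlgorithmException e) {
            // Previously reported as an uninitialized trust store, which hid the real cause.
            throw new IllegalArgumentException("SHA-256 hashing algorithm not available.", e);
        }
    }

    /**
     * Tells whether the certificate's public-key hash matches one of the trusted hashes.
     *
     * <p>The values compared are digests of public keys, not secrets, so an ordinary
     * (non-constant-time) comparison is used.
     *
     * @param x509Certificate the certificate to look up
     * @param longBufferArr pin values of the trusted certificates
     * @return {@code true} if any trusted hash equals the certificate's hash
     * @throws NoSuchAlgorithmException if SHA-256 is not available
     */
    public static boolean isCertTrusted(X509Certificate x509Certificate, LongBuffer[] longBufferArr) throws NoSuchAlgorithmException {
        LongBuffer candidate = getLongBuffer(x509Certificate);
        candidate.rewind();
        for (LongBuffer trusted : longBufferArr) {
            // equals() compares the remaining elements, so both positions are reset first.
            trusted.rewind();
            if (trusted.equals(candidate)) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether {@code parent}'s subject name equals {@code child}'s issuer name. */
    private static boolean isParentForChild(X509Certificate parent, X509Certificate child) {
        return parent.getSubjectX500Principal().equals(child.getIssuerX500Principal());
    }

    /**
     * Returns whether {@code child}'s signature verifies under {@code parent}'s public key.
     * Any failure (bad signature, unsupported algorithm, malformed certificate) counts as
     * "not a valid link" rather than being propagated.
     */
    private static boolean isValidChildKey(X509Certificate parent, X509Certificate child) {
        try {
            child.verify(parent.getPublicKey());
            return true;
        } catch (Exception ignored) {
            // Deliberately broad: a link that cannot be verified is treated as invalid.
            return false;
        }
    }

    /**
     * Builds the {@link X509TrustManager} backed by the given trust store and checks that
     * it behaves as expected (see {@link #validateTrustManager}).
     *
     * <p>Security note: when {@code keyStore} is {@code null} the platform default trust
     * store is used and neither the store nor the resulting trust manager is validated, so
     * no pinning and no tamper check applies on that path.
     *
     * @param keyStore the pinned trust store, or {@code null} for the platform default
     * @return the first trust manager produced by the factory
     * @throws IllegalArgumentException if the store is invalid or the factory cannot be
     *     initialized
     * @throws IllegalStateException if no usable X.509 trust manager is produced, or the
     *     trust manager fails validation
     */
    public static X509TrustManager loadTrustedStore(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            if (keyStore != null) {
                validateTrustStore(keyStore);
                factory.init(keyStore);
            } else {
                factory.init((KeyStore) null);
            }

            // NOTE(review): presumably reads the trust managers without going through the
            // public getter, which instrumentation could intercept; confirm in ReflectionUtil.
            TrustManager[] trustManagers = ReflectionUtil.getTrustManagersViaReflection(factory);
            if (trustManagers == null) {
                trustManagers = factory.getTrustManagers();
            }
            // Fail with a clear message instead of an index or cast error.
            if (trustManagers == null || trustManagers.length == 0 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new IllegalStateException("No X509TrustManager available from the TrustManagerFactory.");
            }
            X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
            if (keyStore != null) {
                validateTrustManager(trustManager, keyStore);
            }
            return trustManager;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("Failed to properly initialize a trust store.", e);
        }
    }

    /**
     * Runtime integrity check on a trust manager that should be backed by {@code trustStore}.
     * It must reject a deliberately invalid chain, must report at least one accepted issuer,
     * and every accepted issuer must match a certificate in the store by public-key hash.
     *
     * @throws IllegalStateException if any of those checks fails, which suggests the trust
     *     manager was replaced or instrumented at runtime, or if SHA-256 is unavailable
     */
    private static void validateTrustManager(X509TrustManager trustManager, KeyStore trustStore) {
        // Probe with a chain holding a single null certificate. A healthy trust manager
        // must refuse it; how it refuses does not matter, hence the broad catch.
        // NOTE(review): the authType argument is the factory algorithm name, not a key
        // exchange name; kept as found, confirm it is intentional.
        boolean probeAccepted;
        try {
            trustManager.checkServerTrusted(new X509Certificate[]{null}, TrustManagerFactory.getDefaultAlgorithm());
            probeAccepted = true;
        } catch (Exception expected) {
            probeAccepted = false;
        }
        if (probeAccepted) {
            throw new IllegalStateException("TrustManager trusts any certificates, probably hooked.");
        }

        X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
        if (acceptedIssuers == null || acceptedIssuers.length == 0) {
            throw new IllegalStateException("TrustManager does not contain any trusted certificates, probably hooked.");
        }

        try {
            // The trust manager may accept only issuers that are present in the pinned store.
            LongBuffer[] trustedHashes = getTrustedCertificateHashes(trustStore);
            for (X509Certificate issuer : acceptedIssuers) {
                if (!isCertTrusted(issuer, trustedHashes)) {
                    throw new IllegalStateException("TrustManager trusts unknown certificates, probably hooked.");
                }
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 hashing algorithm not available.", e);
        }
    }

    /**
     * Checks that a trust store holds only what a pin set should hold: at least one
     * certificate entry and no private-key entries.
     *
     * @throws IllegalArgumentException if a key entry is present, no certificate entry is
     *     present, or the store has not been initialized
     */
    private static void validateTrustStore(KeyStore trustStore) {
        int certificateCount = 0;
        try {
            Enumeration<String> aliases = trustStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                // A trust store shipped with an app must never carry private key material.
                if (trustStore.isKeyEntry(alias)) {
                    throw new IllegalArgumentException("A private key has been found in the trust store, please remove.");
                }
                if (trustStore.isCertificateEntry(alias)) {
                    certificateCount++;
                }
            }
            if (certificateCount == 0) {
                throw new IllegalArgumentException("No certificate has been found in the trust store.");
            }
        } catch (KeyStoreException e) {
            throw new IllegalArgumentException("The trust store has not been initialized.", e);
        }
    }
}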
