package de.flyingsnail.ipv6droid.transport.dtls;

import de.flyingsnail.ipv6droid.android.AndroidLoggingHandler;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.tls.TlsFatalAlert;
import org.bouncycastle.tls.crypto.TlsCertificate;
import org.bouncycastle.util.encoders.Base64;

/* loaded from: classes.dex */
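/**
 * Validates the certificate chain presented by a DTLS peer against a single trust anchor.
 *
 * <p>The only trust anchor is the certificate handed to the constructor; platform or system
 * trust stores are never consulted by this class.
 *
 * <p><b>Security caveat:</b> revocation is not checked. {@link #checkChain} disables the built-in
 * PKIX revocation check and installs a no-op checker that merely marks the CRL Distribution
 * Points extension as handled. A certificate that was revoked by its issuer is therefore still
 * accepted for as long as the rest of the path validates.
 */
class ChainChecker {
    private final CertPathValidator certPathValidator;
    private final CertificateFactory certificateFactory;
    private final Logger logger = AndroidLoggingHandler.getLogger(ChainChecker.class);
    private final Set<TrustAnchor> trustAnchors;

    /**
     * Creates a checker that trusts exactly one CA certificate.
     *
     * @param tlsCertificate the CA certificate to use as the sole trust anchor
     * @throws IllegalStateException if no X.509 certificate factory or PKIX validator is
     *     available, or if the trust anchor cannot be decoded
     */
    public ChainChecker(TlsCertificate tlsCertificate) {
        // Prefer Bouncy Castle, fall back to the platform's default X.509 factory.
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME);
        } catch (NoSuchProviderException | CertificateException ignored) {
            this.logger.info("Bouncy Castle provider of CertificateFactory not available on this device");
            try {
                factory = CertificateFactory.getInstance("X.509");
            } catch (CertificateException e) {
                // Keep the cause so the failing provider lookup is visible in the stack trace.
                throw new IllegalStateException("No X.509 certificate factory available", e);
            }
        }
        this.certificateFactory = factory;

        Set<TrustAnchor> anchors = new HashSet<>();
        try {
            X509Certificate anchorCert = (X509Certificate) factory.generateCertificate(
                    new ByteArrayInputStream(tlsCertificate.getEncoded()));
            // null name constraints: the anchor is trusted for any subject name.
            anchors.add(new TrustAnchor(anchorCert, null));
        } catch (IOException | CertificateException e) {
            throw new IllegalStateException("Cannot create trust anchors", e);
        }
        this.trustAnchors = anchors;

        // Prefer a validator from the same provider as the factory, else any PKIX validator.
        CertPathValidator validator;
        try {
            validator = CertPathValidator.getInstance("PKIX", factory.getProvider());
        } catch (NoSuchAlgorithmException ignored) {
            this.logger.info("CertPathValidator not provided by provider of CertificateFactory");
            try {
                validator = CertPathValidator.getInstance("PKIX");
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("No PKIX cert path builder available", e);
            }
            this.logger.info("CertificateFactory is " + factory.getProvider().getName() + "; PKIX provider is " + validator.getProvider().getName());
        }
        this.certPathValidator = validator;
    }

    /**
     * Builds the placeholder checker that stands in for real revocation checking.
     *
     * <p>The checker performs no revocation lookup. It declares support for the CRL Distribution
     * Points extension (OID 2.5.29.31) and removes that OID from the unresolved critical
     * extensions, so a certificate carrying the extension as critical is not rejected for it.
     *
     * <p>NOTE(review): the log text suggests this is the variant for platform versions without
     * a usable revocation checker; confirm whether another build variant performs real CRL/OCSP
     * checks, and treat short certificate lifetimes as the compensating control here.
     *
     * @return a checker that accepts every certificate
     */
    private PKIXCertPathChecker setupRevocationChecker() {
        this.logger.info("revocation checking not available on this plattform version");
        return new PKIXCertPathChecker() { // from class: de.flyingsnail.ipv6droid.transport.dtls.ChainChecker.1
            /** OID of the X.509 CRL Distribution Points extension. */
            static final String CRL_DISTRIBUTION_POINTS_OID = "2.5.29.31";

            @Override // java.security.cert.PKIXCertPathChecker
            public void check(Certificate certificate, Collection<String> collection) throws CertPathValidatorException {
                // No revocation status is fetched; only the critical-extension bookkeeping is done.
                if (collection != null && collection.remove(CRL_DISTRIBUTION_POINTS_OID)) {
                    ChainChecker.this.logger.info("Dummy revocation checker removed 2.5.29.31 extension from unresolved.");
                }
            }

            @Override // java.security.cert.PKIXCertPathChecker
            public Set<String> getSupportedExtensions() {
                Set<String> supported = new HashSet<>(1);
                supported.add(CRL_DISTRIBUTION_POINTS_OID);
                return supported;
            }

            @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
            public void init(boolean z) throws CertPathValidatorException {
                ChainChecker.this.logger.info("Using dummy revocation checker");
            }

            @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
            public boolean isForwardCheckingSupported() {
                return true;
            }

            @Override
            public String toString() {
                return "dummy revocation checker";
            }
        };
    }

    /**
     * Validates the peer's certificate chain against the configured trust anchor.
     *
     * <p>The chain is validated in the order given; element 0 is used as the target certificate.
     * Revocation status is <em>not</em> checked (see the class comment).
     *
     * @param tlsCertificateArr the certificates presented by the peer, end-entity first
     * @throws TlsFatalAlert with alert 42 (bad_certificate) if the chain is missing or empty or
     *     no certification path can be formed from it, 46 (certificate_unknown) if a certificate
     *     cannot be decoded, 48 (unknown_ca) if path validation fails, or 80 (internal_error) if
     *     the validation parameters are rejected
     * @throws IOException if a certificate's encoding cannot be obtained
     */
    public void checkChain(TlsCertificate[] tlsCertificateArr) throws IOException, TlsFatalAlert {
        // An empty chain authenticates nobody: fail the handshake with a proper alert instead of
        // letting an ArrayIndexOutOfBoundsException escape from the handshake code.
        if (tlsCertificateArr == null || tlsCertificateArr.length == 0) {
            this.logger.warning("Peer presented no certificates");
            throw new TlsFatalAlert((short) 42); // bad_certificate
        }

        // Decode every certificate exactly once; the same list feeds the selector and the path.
        ArrayList<X509Certificate> chain = new ArrayList<>(tlsCertificateArr.length);
        try {
            for (TlsCertificate tlsCertificate : tlsCertificateArr) {
                chain.add((X509Certificate) this.certificateFactory.generateCertificate(
                        new ByteArrayInputStream(tlsCertificate.getEncoded())));
            }
        } catch (CertificateException e) {
            throw new TlsFatalAlert((short) 46, (Throwable) e); // certificate_unknown
        }

        try {
            X509CertSelector targetSelector = new X509CertSelector();
            targetSelector.setCertificate(chain.get(0));

            PKIXBuilderParameters params = new PKIXBuilderParameters(this.trustAnchors, targetSelector);
            // Built-in revocation checking is switched off and replaced by the no-op checker.
            params.setRevocationEnabled(false);
            params.addCertPathChecker(setupRevocationChecker());

            StringBuilder checkers = new StringBuilder("Cert Path Checkers used: ");
            for (PKIXCertPathChecker checker : params.getCertPathCheckers()) {
                checkers.append("\n").append(checker);
            }
            this.logger.info(checkers.toString());

            this.certPathValidator.validate(this.certificateFactory.generateCertPath(chain), params);
            this.logger.info("Peer authenticated by valid certificate chain");
        } catch (InvalidAlgorithmParameterException e) {
            throw new TlsFatalAlert((short) 80, (Throwable) e); // internal_error
        } catch (CertPathValidatorException e) {
            // Dump the rejected chain in PEM form so a failed handshake can be diagnosed offline.
            StringBuilder sb = new StringBuilder("Failed to verify cert chain:\n");
            for (TlsCertificate rejected : tlsCertificateArr) {
                sb.append("-----BEGIN CERTIFICATE-----\n").append(Base64.toBase64String(rejected.getEncoded())).append("\n-----END CERTIFICATE-----\n\n");
            }
            this.logger.info(sb.toString());
            this.logger.info("Error at cert #" + e.getIndex());
            throw new TlsFatalAlert((short) 48, (Throwable) e); // unknown_ca
        } catch (CertificateException e) {
            this.logger.log(Level.WARNING, "Invalid certificate presented", (Throwable) e);
            throw new TlsFatalAlert((short) 42, (Throwable) e); // bad_certificate
        }
    }
}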
