package io.split.android.client.network;

import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.annotation.VisibleForTesting;
import io.split.android.client.utils.Base64Util;
import io.split.android.client.utils.logger.Logger;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes7.dex */
public class CertificateCheckerImpl implements CertificateChecker {

    @NonNull
    public final Base64Encoder mBase64Encoder;

    @NonNull
    public final ChainCleaner mChainCleaner;

    @NonNull
    public final Map<String, Set<CertificatePin>> mConfiguredPins;

    @Nullable
    public final CertificatePinningFailureListener mFailureListener;

    @NonNull
    public final PinEncoder mPinEncoder;

    /* loaded from: classes7.dex */
    public static class DefaultBase64Encoder implements Base64Encoder {
        private DefaultBase64Encoder() {
        }

        @Override // io.split.android.client.network.Base64Encoder
        public String encode(String str) {
            return Base64Util.encode(str);
        }

        @Override // io.split.android.client.network.Base64Encoder
        public String encode(byte[] bArr) {
            return Base64Util.encode(bArr);
        }
    }

    public CertificateCheckerImpl(CertificatePinningConfiguration certificatePinningConfiguration, @Nullable X509TrustManager x509TrustManager) {
        this(certificatePinningConfiguration.getPins(), certificatePinningConfiguration.getFailureListener(), new ChainCleanerImpl(x509TrustManager), new DefaultBase64Encoder(), new PinEncoderImpl());
    }

    @VisibleForTesting
    public CertificateCheckerImpl(@Nullable Map<String, Set<CertificatePin>> map, @Nullable CertificatePinningFailureListener certificatePinningFailureListener, @NonNull ChainCleaner chainCleaner, @NonNull Base64Encoder base64Encoder, @NonNull PinEncoder pinEncoder) {
        this.mConfiguredPins = map == null ? new HashMap<>() : map;
        this.mFailureListener = certificatePinningFailureListener;
        this.mChainCleaner = chainCleaner;
        this.mBase64Encoder = base64Encoder;
        this.mPinEncoder = pinEncoder;
    }

    public final String certificateChainInfo(List<X509Certificate> list) {
        StringBuilder sb = new StringBuilder();
        for (X509Certificate x509Certificate : list) {
            sb.append(x509Certificate.getSubjectDN().getName());
            sb.append(" - ");
            sb.append("sha256/");
            sb.append(this.mBase64Encoder.encode(this.mPinEncoder.encodeCertPin("sha256", x509Certificate.getPublicKey().getEncoded())));
        }
        return sb.toString();
    }

    @Override // io.split.android.client.network.CertificateChecker
    public synchronized void checkPins(HttpsURLConnection httpsURLConnection) throws SSLPeerUnverifiedException {
        String host = httpsURLConnection.getURL().getHost();
        Set<CertificatePin> pinsForHost = CertificateCheckerHelper.getPinsForHost(host, this.mConfiguredPins);
        if (pinsForHost == null || pinsForHost.isEmpty()) {
            Logger.d("No certificate pins configured for " + host + ". Skipping pinning verification.");
            return;
        }
        try {
            List<X509Certificate> clean = this.mChainCleaner.clean(host, httpsURLConnection.getServerCertificates());
            for (X509Certificate x509Certificate : clean) {
                for (CertificatePin certificatePin : pinsForHost) {
                    if (Arrays.equals(this.mPinEncoder.encodeCertPin(certificatePin.getAlgorithm(), x509Certificate.getPublicKey().getEncoded()), certificatePin.getPin())) {
                        Logger.v("Certificate pinning verification successful for " + host);
                        return;
                    }
                }
            }
            try {
                CertificatePinningFailureListener certificatePinningFailureListener = this.mFailureListener;
                if (certificatePinningFailureListener != null) {
                    certificatePinningFailureListener.onCertificatePinningFailure(host, clean);
                }
            } catch (Exception e) {
                Logger.w("Exception occurred executing certificate pinning failure listener: " + e.getLocalizedMessage());
            }
            throw new SSLPeerUnverifiedException("Certificate pinning verification failed for host: " + host + ". Chain:\n" + certificateChainInfo(clean));
        } catch (Exception unused) {
            throw new SSLPeerUnverifiedException("Error cleaning certificate chain for host: " + host);
        }
    }
}
