package org.rustls.platformverifier;

import android.content.Context;
import android.net.http.X509TrustManagerExtensions;
import android.os.Build;
import android.util.Log;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPathChecker;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertSelector;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import kotlin.Lazy;
import kotlin.LazyKt__LazyJVMKt;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.TuplesKt;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.collections.CollectionsKt__CollectionsJVMKt;
import kotlin.collections.MapsKt__MapsJVMKt;
import kotlin.jvm.JvmStatic;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.Intrinsics;
import org.conscrypt.TrustManagerImpl$$ExternalSyntheticApiModelOutline4;

/* compiled from: CertificateVerifier.kt */
@Metadata(bv = {}, d1 = {"\u00002\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0010\u0011\n\u0000\n\u0002\u0010\u0012\n\u0000\n\u0002\u0010\t\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\bÁ\u0002\u0018\u00002\u00020\u0001JU\u0010\u000f\u001a\u00020\u000e2\u0006\u0010\u0003\u001a\u00020\u00022\u0006\u0010\u0005\u001a\u00020\u00042\u0006\u0010\u0006\u001a\u00020\u00042\f\u0010\b\u001a\b\u0012\u0004\u0012\u00020\u00040\u00072\b\u0010\n\u001a\u0004\u0018\u00010\t2\u0006\u0010\f\u001a\u00020\u000b2\f\u0010\r\u001a\b\u0012\u0004\u0012\u00020\t0\u0007H\u0003¢\u0006\u0004\b\u000f\u0010\u0010¨\u0006\u0011"}, d2 = {"Lorg/rustls/platformverifier/CertificateVerifier;", "", "Landroid/content/Context;", "context", "", "serverName", "authMethod", "", "allowedEkus", "", "ocspResponse", "", "time", "certChain", "Lorg/rustls/platformverifier/VerificationResult;", "verifyCertificateChain", "(Landroid/content/Context;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;[BJ[[B)Lorg/rustls/platformverifier/VerificationResult;", "rustls-platform-verifier_release"}, k = 1, mv = {1, 6, 0})
/* loaded from: classes4.dex */
public final class CertificateVerifier {
    public static final /* synthetic */ int $r8$clinit = 0;
    private static final CertificateFactory certFactory;
    private static final KeyStore systemKeystore;
    private static final Lazy<X509TrustManagerExtensions> systemTrustManager;

    static {
        final KeyStore keyStore;
        Lazy<X509TrustManagerExtensions> lazy;
        final KeyStore keyStore2 = KeyStore.getInstance(KeyStore.getDefaultType());
        Intrinsics.checkNotNullExpressionValue(keyStore2, "getInstance(KeyStore.getDefaultType())");
        if (keyStore2 != null) {
            keyStore2.load(null);
        }
        LazyKt__LazyJVMKt.lazy(new Function0<X509TrustManagerExtensions>() { // from class: org.rustls.platformverifier.CertificateVerifier$makeLazyTrustManager$1
            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final X509TrustManagerExtensions invoke() {
                int i = CertificateVerifier.$r8$clinit;
                return CertificateVerifier.access$createTrustManager(keyStore2);
            }
        });
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Intrinsics.checkNotNullExpressionValue(certificateFactory, "getInstance(\"X.509\")");
        certFactory = certificateFactory;
        new HashSet();
        String str = System.getenv("ANDROID_ROOT");
        if (str != null) {
            new File(Intrinsics.stringPlus(str, "/etc/security/cacerts"));
        }
        try {
            keyStore = KeyStore.getInstance("AndroidCAStore");
        } catch (KeyStoreException unused) {
            keyStore = null;
        }
        systemKeystore = keyStore;
        if (keyStore != null) {
            keyStore.load(null);
        }
        lazy = LazyKt__LazyJVMKt.lazy(new Function0<X509TrustManagerExtensions>() { // from class: org.rustls.platformverifier.CertificateVerifier$makeLazyTrustManager$1
            /* JADX INFO: Access modifiers changed from: package-private */
            /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final X509TrustManagerExtensions invoke() {
                int i = CertificateVerifier.$r8$clinit;
                return CertificateVerifier.access$createTrustManager(keyStore);
            }
        });
        systemTrustManager = lazy;
    }

    private CertificateVerifier() {
    }

    public static final X509TrustManagerExtensions access$createTrustManager(KeyStore keyStore) {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        try {
            TrustManager[] availableTrustManagers = trustManagerFactory.getTrustManagers();
            Intrinsics.checkNotNullExpressionValue(availableTrustManagers, "availableTrustManagers");
            int length = availableTrustManagers.length;
            int i = 0;
            while (i < length) {
                TrustManager trustManager = availableTrustManagers[i];
                i++;
                if (trustManager instanceof X509TrustManager) {
                    return new X509TrustManagerExtensions((X509TrustManager) trustManager);
                }
            }
            Log.e("rustls-platform-verifier-android", "failed to find a usable trust manager");
            return null;
        } catch (RuntimeException e) {
            Log.w("rustls-platform-verifier-android", Intrinsics.stringPlus("exception thrown creating a TrustManager: ", e));
            return null;
        }
    }

    @JvmStatic
    private static final VerificationResult verifyCertificateChain(Context context, String serverName, String authMethod, String[] allowedEkus, byte[] ocspResponse, long time, byte[][] certChain) {
        List<String> extendedKeyUsage;
        CertPathChecker revocationChecker;
        PKIXRevocationChecker.Option option;
        PKIXRevocationChecker.Option option2;
        List<PKIXCertPathChecker> listOf;
        Map mapOf;
        boolean contains;
        ArrayList arrayList = new ArrayList();
        int length = certChain.length;
        int i = 0;
        while (i < length) {
            byte[] bArr = certChain[i];
            i++;
            try {
                Certificate generateCertificate = certFactory.generateCertificate(new ByteArrayInputStream(bArr));
                if (generateCertificate == null) {
                    throw new NullPointerException("null cannot be cast to non-null type java.security.cert.X509Certificate");
                }
                arrayList.add((X509Certificate) generateCertificate);
            } catch (CertificateException unused) {
                return new VerificationResult(StatusCode.InvalidEncoding, null, 2, null);
            }
        }
        X509Certificate x509Certificate = (X509Certificate) arrayList.get(0);
        try {
            x509Certificate.checkValidity(new Date(time));
            try {
                extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
            } catch (NullPointerException unused2) {
                Log.w("rustls-platform-verifier-android", "exception handling certificate EKU");
            } catch (CertificateParsingException unused3) {
            }
            if (extendedKeyUsage != null) {
                if (!extendedKeyUsage.isEmpty()) {
                    Iterator<T> it = extendedKeyUsage.iterator();
                    while (it.hasNext()) {
                        contains = ArraysKt___ArraysKt.contains(allowedEkus, (String) it.next());
                        if (contains) {
                        }
                    }
                }
                return new VerificationResult(StatusCode.InvalidExtension, null, 2, null);
            }
            X509TrustManagerExtensions value = systemTrustManager.getValue();
            if (value == null) {
                return new VerificationResult(StatusCode.Unavailable, null, 2, null);
            }
            Pair pair = new Pair(value, systemKeystore);
            X509TrustManagerExtensions x509TrustManagerExtensions = (X509TrustManagerExtensions) pair.component1();
            KeyStore keyStore = (KeyStore) pair.component2();
            try {
                Object[] array = arrayList.toArray(new X509Certificate[0]);
                if (array == null) {
                    throw new NullPointerException("null cannot be cast to non-null type kotlin.Array<T of kotlin.collections.ArraysKt__ArraysJVMKt.toTypedArray>");
                }
                List<X509Certificate> checkServerTrusted = x509TrustManagerExtensions.checkServerTrusted((X509Certificate[]) array, authMethod, serverName);
                if (Build.VERSION.SDK_INT >= 24) {
                    PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(keyStore, (CertSelector) null);
                    CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
                    revocationChecker = certPathValidator.getRevocationChecker();
                    if (revocationChecker == null) {
                        throw new NullPointerException("null cannot be cast to non-null type java.security.cert.PKIXRevocationChecker");
                    }
                    PKIXRevocationChecker m = TrustManagerImpl$$ExternalSyntheticApiModelOutline4.m(revocationChecker);
                    option = PKIXRevocationChecker.Option.SOFT_FAIL;
                    option2 = PKIXRevocationChecker.Option.ONLY_END_ENTITY;
                    m.setOptions(EnumSet.of(option, option2));
                    if (ocspResponse != null) {
                        mapOf = MapsKt__MapsJVMKt.mapOf(TuplesKt.to(x509Certificate, ocspResponse));
                        m.setOcspResponses(mapOf);
                    }
                    listOf = CollectionsKt__CollectionsJVMKt.listOf(m);
                    pKIXBuilderParameters.setCertPathCheckers(listOf);
                    pKIXBuilderParameters.setRevocationEnabled(false);
                    try {
                        certPathValidator.validate(certFactory.generateCertPath(checkServerTrusted), pKIXBuilderParameters);
                    } catch (CertPathValidatorException e) {
                        return new VerificationResult(StatusCode.Revoked, e.toString());
                    }
                } else {
                    Log.w("rustls-platform-verifier-android", "did not attempt to validate OCSP due to Android version");
                }
                return new VerificationResult(StatusCode.Ok, null, 2, null);
            } catch (CertificateException e2) {
                return new VerificationResult(StatusCode.UnknownCert, e2.toString());
            }
        } catch (CertificateExpiredException unused4) {
            return new VerificationResult(StatusCode.Expired, null, 2, null);
        } catch (CertificateNotYetValidException unused5) {
            return new VerificationResult(StatusCode.Expired, null, 2, null);
        }
    }
}
