package mitm.common.security.certificate.validator;

import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CRLException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.Certificate;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import mitm.common.security.SecurityFactoryFactoryException;
import mitm.common.security.certpath.CertificatePathBuilder;
import mitm.common.security.certpath.CertificatePathBuilderFactory;
import mitm.common.security.certstore.CertStoreUtils;
import mitm.common.security.crl.RevocationChecker;
import mitm.common.security.crl.RevocationResult;
import mitm.common.security.crl.RevocationStatus;
import mitm.common.security.ctl.CTL;
import mitm.common.security.ctl.CTLException;
import mitm.common.security.ctl.CTLValidity;
import mitm.common.security.ctl.CTLValidityResult;
import mitm.common.util.Check;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes2.dex */
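/**
 * Validates an X.509 certificate by building a certification path to a trust anchor,
 * checking the revocation status of that path and consulting an optional certificate
 * trust list (CTL) for black- and white-listing.
 *
 * <p>The outcome of the most recent {@link #isValid(Certificate)} call is kept in mutable,
 * unsynchronised instance fields and read back through the getters, so one instance should
 * not be shared between concurrent validations.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Revocation is "soft-fail" by default: {@code UNKNOWN} and {@code EXPIRED} revocation
 *       results are accepted alongside {@code NOT_REVOKED}.</li>
 *   <li>A certificate for which no path can be built is still reported valid when the CTL
 *       white-lists it. In that case {@link #isTrusted()} stays {@code false} and neither the
 *       revocation check nor the black-list check has run; callers that require chain trust
 *       must test {@link #isTrusted()} in addition to {@link #isValid()}.</li>
 * </ul>
 *
 * <p>NOTE(review): this source is decompiler output; the {@code isValid(Certificate)} body was
 * restored to compilable control flow from the statements the decompiler emitted.
 */
public class PKITrustCheckCertificateValidatorImpl implements PKITrustCheckCertificateValidator {
    private static final Logger logger = LoggerFactory.getLogger(PKITrustCheckCertificateValidatorImpl.class);

    // Revocation results that do NOT cause rejection. UNKNOWN and EXPIRED are accepted, so a
    // missing or outdated CRL does not fail validation on its own.
    private static final RevocationStatus[] DEFAULT_ACCEPTABLE_REVOCATION_STATUS = {
        RevocationStatus.NOT_REVOKED, RevocationStatus.UNKNOWN, RevocationStatus.EXPIRED
    };

    private final String name;
    private final CertificatePathBuilderFactory certificatePathBuilderFactory;
    private final RevocationChecker revocationChecker;
    // Optional; when null, no black- or white-list checks are performed.
    private final CTL ctl;
    private final RevocationStatus[] acceptableRevocationStatus;
    // Extra certificates offered to the path builder; null when none were supplied.
    private Set<Certificate> additionalCertificates;
    // Validation time; null means "now" (see getDate()).
    private Date date;

    // Result state of the last isValid(Certificate) call.
    private CertPath certPath;
    private TrustAnchor trustAnchor;
    private String failureMessage;
    private boolean trusted;
    private boolean revoked;
    private boolean blackListed;
    private boolean whiteListed;
    boolean valid;

    /**
     * Pairs a built certification path with the trust anchor it terminates in.
     * The decompiler reports this type was {@code private} in the original bytecode.
     */
    public static class CertPathAndAnchor {
        private final CertPath certPath;
        private final TrustAnchor trustAnchor;

        public CertPathAndAnchor(CertPath certPath, TrustAnchor trustAnchor) {
            this.certPath = certPath;
            this.trustAnchor = trustAnchor;
        }

        public CertPath getCertPath() {
            return this.certPath;
        }

        public TrustAnchor getTrustAnchor() {
            return this.trustAnchor;
        }
    }

    /**
     * Creates a validator with an explicit name.
     * The decompiler reports this constructor was {@code protected} in the original bytecode.
     *
     * @param str name returned by {@link #getName()}
     * @param certificatePathBuilderFactory source of path builders; must not be null
     * @param revocationChecker checker used for the built path; must not be null
     * @param ctl certificate trust list, or null to skip black-/white-list checks
     * @param collection additional certificates for path building; null or empty means none
     */
    public PKITrustCheckCertificateValidatorImpl(String str, CertificatePathBuilderFactory certificatePathBuilderFactory, RevocationChecker revocationChecker, CTL ctl, Collection<? extends Certificate> collection) {
        this.failureMessage = "";
        Check.notNull(certificatePathBuilderFactory, "certificatePathBuilderFactory");
        Check.notNull(revocationChecker, "revocationChecker");
        this.name = str;
        this.certificatePathBuilderFactory = certificatePathBuilderFactory;
        this.revocationChecker = revocationChecker;
        this.ctl = ctl;
        this.acceptableRevocationStatus = DEFAULT_ACCEPTABLE_REVOCATION_STATUS;
        if (collection != null && !collection.isEmpty()) {
            // Copy so later changes to the caller's collection do not affect path building.
            this.additionalCertificates = new HashSet<Certificate>(collection);
        }
    }

    /**
     * Creates a validator named {@code "PKITrustCheckCertificateValidator"}.
     *
     * @see #PKITrustCheckCertificateValidatorImpl(String, CertificatePathBuilderFactory, RevocationChecker, CTL, Collection)
     */
    public PKITrustCheckCertificateValidatorImpl(CertificatePathBuilderFactory certificatePathBuilderFactory, RevocationChecker revocationChecker, CTL ctl, Collection<? extends Certificate> collection) {
        this("PKITrustCheckCertificateValidator", certificatePathBuilderFactory, revocationChecker, ctl, collection);
    }

    /**
     * Builds a certification path for the given certificate at the configured validation date.
     *
     * @return the path together with its trust anchor; the anchor is null when the builder
     *         result is not a {@link PKIXCertPathBuilderResult}
     */
    private CertPathAndAnchor getCertPathAndAnchor(X509Certificate x509Certificate) throws CertPathBuilderException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, SecurityFactoryFactoryException {
        CertificatePathBuilder pathBuilder = this.certificatePathBuilderFactory.createCertificatePathBuilder();
        // Give subclasses the chance to adjust the builder before any store is added.
        modifyPathBuilder(pathBuilder);
        pathBuilder.addCertStore(CertStoreUtils.createCertStore(x509Certificate));
        if (this.additionalCertificates != null) {
            pathBuilder.addCertStore(CertStoreUtils.createCertStore(this.additionalCertificates));
        }
        pathBuilder.setDate(getDate());
        CertPathBuilderResult result = pathBuilder.buildPath(x509Certificate);
        TrustAnchor anchor = null;
        if (result instanceof PKIXCertPathBuilderResult) {
            anchor = ((PKIXCertPathBuilderResult) result).getTrustAnchor();
        }
        return new CertPathAndAnchor(result.getCertPath(), anchor);
    }

    /** Returns the configured validation date, or the current time when none was set. */
    private Date getDate() {
        return this.date != null ? this.date : new Date();
    }

    /**
     * Checks every certificate in the path against the CTL.
     *
     * @return true as soon as one certificate is reported {@code INVALID}; false when no CTL
     *         is configured or nothing in the path is black-listed
     */
    private boolean isBlackListed(CertPath certPath) throws CTLException {
        if (this.ctl == null) {
            return false;
        }
        List<? extends Certificate> certificates = certPath.getCertificates();
        for (int index = 0; index < certificates.size(); index++) {
            Certificate candidate = certificates.get(index);
            if (!(candidate instanceof X509Certificate)) {
                // Non-X.509 entries are skipped, i.e. they are never matched against the CTL.
                logger.warn("Only X509Certificates can be black listed.");
                continue;
            }
            CTLValidityResult result = this.ctl.checkValidity((X509Certificate) candidate);
            if (CTLValidity.INVALID == result.getValidity()) {
                // Index 0 is the certificate under test; anything after it is an intermediate.
                reportFailure(index == 0 ? result.getMessage() : "Intermediate " + result.getMessage());
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates the revocation status of the path. Fails closed: a null result or a
     * {@link CRLException} is treated as revoked.
     *
     * @return false only when the reported status is one of the acceptable statuses
     */
    private boolean isRevoked(CertPath certPath, TrustAnchor trustAnchor) {
        try {
            RevocationResult result = this.revocationChecker.getRevocationStatus(certPath, trustAnchor, getDate());
            if (result == null) {
                // No result at all: reject, without adding a failure message.
                return true;
            }
            for (RevocationStatus acceptable : this.acceptableRevocationStatus) {
                if (acceptable == result.getStatus()) {
                    return false;
                }
            }
            reportFailure("Certificate not accepted. Revocation status :" + result.getStatus());
            return true;
        } catch (CRLException e) {
            reportFailure("Error while checking revocation status.", e);
            return true;
        }
    }

    /**
     * Checks whether the CTL explicitly marks the certificate itself as valid. Only the
     * certificate under test is looked up, not its issuers.
     *
     * @return true when the CTL reports {@code VALID}; false when there is no CTL, the
     *         certificate is not listed, or the CTL reports any other validity (which is
     *         also recorded as a failure)
     */
    private boolean isWhiteListed(X509Certificate x509Certificate) throws CTLException {
        if (this.ctl == null) {
            return false;
        }
        CTLValidityResult result = this.ctl.checkValidity(x509Certificate);
        switch (result.getValidity()) {
            case VALID:
                return true;
            case NOT_LISTED:
                return false;
            default:
                reportFailure(result.getMessage());
                return false;
        }
    }

    /** Appends a failure reason without an associated exception. */
    private void reportFailure(String str) {
        reportFailure(str, null);
    }

    /**
     * Appends a failure reason to the accumulated failure message, separated by {@code "; "},
     * and logs it. When an exception is given, the message of its root cause (or of the
     * exception itself if it has none) is appended and the event is logged at error level.
     */
    private void reportFailure(String str, Throwable th) {
        Throwable rootCause = ExceptionUtils.getRootCause(th);
        Throwable reported = rootCause != null ? rootCause : th;
        if (StringUtils.isNotBlank(this.failureMessage)) {
            this.failureMessage = this.failureMessage + "; " + str;
        } else {
            this.failureMessage = str;
        }
        if (reported == null) {
            logger.debug(str);
            return;
        }
        this.failureMessage += " Exception: " + reported.getMessage();
        logger.error(str, reported);
    }

    /** Returns the path built by the last validation, or null when none could be built. */
    @Override
    public CertPath getCertPath() {
        return this.certPath;
    }

    /** Returns the accumulated failure reasons of the last validation; empty when there are none. */
    @Override
    public String getFailureMessage() {
        return this.failureMessage;
    }

    @Override
    public String getName() {
        return this.name;
    }

    /** Returns the trust anchor of the last validation, or null when none was found. */
    @Override
    public TrustAnchor getTrustAnchor() {
        return this.trustAnchor;
    }

    @Override
    public boolean isBlackListed() {
        return this.blackListed;
    }

    @Override
    public boolean isRevoked() {
        return this.revoked;
    }

    /** Returns true when the last validation built a path ending in a trust anchor. */
    @Override
    public boolean isTrusted() {
        return this.trusted;
    }

    @Override
    public boolean isValid() {
        return this.valid;
    }

    /**
     * Validates the certificate and records the outcome in this instance.
     *
     * <p>Order of checks: build a path to a trust anchor, check revocation, then check the
     * CTL black list for every certificate in the path. If path building fails, the
     * certificate is accepted only when the CTL white-lists it; in that case it is reported
     * valid but not trusted, and no revocation or black-list check has been performed.
     *
     * @param certificate the certificate to validate; anything other than an
     *        {@link X509Certificate} is rejected
     * @return true when the certificate is accepted
     */
    @Override
    public boolean isValid(Certificate certificate) {
        this.valid = false;
        this.trusted = false;
        this.revoked = false;
        this.blackListed = false;
        this.whiteListed = false;
        // Clear the previous result as well, so a failed validation cannot expose the path
        // or trust anchor that belonged to an earlier certificate.
        this.certPath = null;
        this.trustAnchor = null;
        if (!(certificate instanceof X509Certificate)) {
            this.failureMessage = "Certificate is not a X509Certificate";
            return false;
        }
        this.failureMessage = "";
        X509Certificate x509Certificate = (X509Certificate) certificate;
        try {
            CertPathAndAnchor built = getCertPathAndAnchor(x509Certificate);
            this.certPath = built.getCertPath();
            this.trustAnchor = built.getTrustAnchor();
            if (this.certPath == null || this.trustAnchor == null) {
                // Handled by the CertPathBuilderException branch below (white-list fallback).
                throw new CertPathBuilderException("A valid CertPath could not be built.");
            }
            this.trusted = true;
            this.revoked = isRevoked(this.certPath, this.trustAnchor);
            if (!this.revoked) {
                this.blackListed = isBlackListed(this.certPath);
                this.valid = !this.blackListed;
            }
        } catch (InvalidAlgorithmParameterException e) {
            reportFailure("Error building certPath.", e);
        } catch (NoSuchAlgorithmException e) {
            reportFailure("Error building certPath.", e);
        } catch (NoSuchProviderException e) {
            reportFailure("Error building certPath.", e);
        } catch (CertPathBuilderException e) {
            logger.debug("CertPathBuilderException", e);
            try {
                // Untrusted certificates can still be accepted through an explicit white-list entry.
                this.whiteListed = isWhiteListed(x509Certificate);
                this.valid = this.whiteListed;
            } catch (CTLException ctlException) {
                // Logged only; the certificate stays invalid and the path failure is reported below.
                logger.error("Error checking the CTL.", ctlException);
            }
            if (!this.valid) {
                Throwable rootCause = ExceptionUtils.getRootCause(e);
                Throwable reported = rootCause != null ? rootCause : e;
                reportFailure("Error building certPath. " + reported.getMessage());
            }
        } catch (SecurityFactoryFactoryException e) {
            reportFailure("Error building certPath.", e);
        } catch (CTLException e) {
            reportFailure("Error checking CTL status.", e);
        }
        if (!this.valid) {
            logger.debug("Failure message: " + this.failureMessage);
        }
        return this.valid;
    }

    /** Returns true when the last validation accepted the certificate through the CTL white list. */
    @Override
    public boolean isWhiteListed() {
        return this.whiteListed;
    }

    /**
     * Extension hook called on every freshly created path builder before certificate stores
     * and the validation date are applied. The default implementation does nothing.
     */
    protected void modifyPathBuilder(CertificatePathBuilder certificatePathBuilder) {
    }

    /**
     * Sets the point in time used for path building and revocation checking.
     *
     * @param date the validation date, or null to use the current time at each check
     */
    @Override
    public void setDate(Date date) {
        this.date = date;
    }
}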
