package com.facebook.mobilenetwork.internal.certificateverifier;

import com.facebook.infer.annotation.Nullsafe;
import com.facebook.netlite.certificatepinning.HostnameAwareX509TrustManager;
import com.facebook.netlite.certificatepinning.internal.HostnameAwareTrustManagerWithOptionalPinning;
import com.facebook.netlite.certificatepinning.internal.TrustManagerWithOptionalPinning;
import com.facebook.netlite.sandbox.certificatepinning.FbPinningSSLContextFactoryWithSandbox;
import com.facebook.proguard.annotations.DoNotStrip;
import com.facebook.ssl.verification.FbHostnameVerifier;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import org.json.JSONArray;
import org.json.JSONObject;

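/**
 * Checks a server certificate chain against three things: an in-memory set of revoked serial
 * numbers, the trust manager supplied by {@link FbPinningSSLContextFactoryWithSandbox}, and
 * {@link FbHostnameVerifier}.
 *
 * <p>The revoked set is filled from a signed JSON revocation list, see
 * {@link #updateRevokedCertificateSerials(String)}.
 *
 * <p>NOTE(review): this listing is decompiler output. No method declares a {@code throws} clause,
 * although the bodies throw {@link CertificateException} and call APIs that declare checked
 * exceptions. Signatures are kept exactly as found so existing callers are unaffected.
 *
 * <p>NOTE(review): the revoked set is a plain {@link HashSet} with no synchronization visible
 * here. If updates and verifications can run on different threads, confirm the callers serialize
 * them.
 */
@DoNotStrip
@Nullsafe(Nullsafe.Mode.LOCAL)
/* loaded from: classes.dex */
public class CertificateVerifier {
    /**
     * Base64 of the X.509-encoded RSA public key (it is loaded through
     * {@link X509EncodedKeySpec}) that revocation-list signatures are verified against.
     */
    private static final String CRL_SIGNING_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu245oVDlI0G/yQVL4QYTcYntsHgtNk/SqqMyPy81aeQju4hnuO/3lgJ1fvGNVgOT9fxMmKTh+SwxZbHzQOrFphQUpoImDDWUjyewf30qRrqUpnkDTpmuSwZvlnxE6bs+jg5koVQkk7wraaEsgjy0Gs4nNkYbk1lvfm9evH7DZeVpVS7+xTdARgUWynKSn1dTBZnErE1xeBmoqGaSu76nfdiDhghUsL9Anh/QG/gc1sJ6LW+7L8j07BPzf5hVR/IcwR9Wup2MSn9Iv0L97exjxG/IGExX569kCBAp7O2l/0igncakwMhXdOyYYAlY3o8FtcwBDQNkiK/cX6PJnG6SvQIDAQAB";

    /** The only signature algorithm label the revocation list may carry. */
    private static final String CRL_ALGORITHM_SHA256_RSA = "sha256_rsa";

    /** Required length, in characters, of the textual signature for {@code sha256_rsa}. */
    private static final int SHA256_RSA_SIGNATURE_LENGTH = 512;

    /** Longest accepted serial, in hex digits (40 digits is 20 octets). */
    private static final int MAX_SERIAL_HEX_DIGITS = 40;

    /** Auth type string handed to every trust-manager call. */
    private static final String AUTH_TYPE = "ECDHE_ECDSA";

    private final FbPinningSSLContextFactoryWithSandbox b;

    // Serial numbers taken from accepted revocation lists. Entries are only ever added.
    Set<BigInteger> a = new HashSet<>();

    private final FbHostnameVerifier c = new FbHostnameVerifier();

    /**
     * Builds the verifier around a pinning SSL context factory.
     *
     * @param j forwarded to the factory constructor; meaning not visible in this file
     * @param z forwarded to the factory constructor; meaning not visible in this file
     * @param str not used by this constructor
     */
    @DoNotStrip
    public CertificateVerifier(long j, boolean z, String str) {
        this.b = new FbPinningSSLContextFactoryWithSandbox(j, z);
    }

    /**
     * Verifies a signed JSON revocation list and adds its serial numbers to the revoked set.
     *
     * <p>The document must hold {@code signature}, {@code signature_algorithm.algorithm} and
     * {@code tbs_cert_list}. The signature is checked over the UTF-8 bytes of the
     * {@code tbs_cert_list} string, and that same string is what gets parsed afterwards, so the
     * parsed content is exactly the content that was signed. Any algorithm other than
     * {@code sha256_rsa} fails verification.
     *
     * <p>Serials are added while the list is walked. If a later entry is malformed the call
     * fails, but the entries before it (which were covered by the verified signature) stay in
     * the set.
     *
     * <p>NOTE(review): the only signed field read here is {@code revoked_certificates}. No
     * issue time, expiry or sequence number is checked, so an older correctly signed list is
     * accepted just like a current one. Confirm whether freshness is enforced elsewhere.
     *
     * @param str the revocation list as JSON text; {@code null} is ignored
     * @throws CertificateException if the list is malformed or its signature does not verify
     */
    @DoNotStrip
    void updateRevokedCertificateSerials(String str) {
        if (str == null) {
            return;
        }
        try {
            JSONObject envelope = new JSONObject(str);
            String signatureText = envelope.getString("signature");
            String algorithm = envelope.getJSONObject("signature_algorithm").getString("algorithm");
            boolean isSha256Rsa = algorithm.equalsIgnoreCase(CRL_ALGORITHM_SHA256_RSA);

            if (isSha256Rsa && signatureText.length() != SHA256_RSA_SIGNATURE_LENGTH) {
                throw new IllegalArgumentException("Invalid CRL signature length.");
            }
            if (!CertificateVerifierUtil.a(signatureText).booleanValue()) {
                throw new IllegalArgumentException("Invalid CRL signature format.");
            }

            String tbsCertList = envelope.getString("tbs_cert_list");

            // Fail closed: an algorithm this code does not implement never verifies.
            boolean verified = false;
            if (isSha256Rsa) {
                PublicKey signingKey =
                        KeyFactory.getInstance("RSA")
                                .generatePublic(
                                        new X509EncodedKeySpec(
                                                Base64.getDecoder().decode(CRL_SIGNING_KEY_B64)));
                Signature verifier = Signature.getInstance("SHA256withRSA");
                verifier.initVerify(signingKey);
                verifier.update(tbsCertList.getBytes(StandardCharsets.UTF_8));
                verified = verifier.verify(CertificateVerifierUtil.b(signatureText));
            }
            if (!verified) {
                throw new IllegalArgumentException("CRL signature validation failed.");
            }

            // Nothing from the payload is trusted before this point.
            JSONArray revoked = new JSONObject(tbsCertList).getJSONArray("revoked_certificates");
            for (int i = 0; i < revoked.length(); i++) {
                String serialText = revoked.getJSONObject(i).getString("user_certificate");
                // regionMatches returns false for inputs shorter than the prefix, so a one
                // character value is reported as a format error, not an index error.
                if (!serialText.regionMatches(true, 0, "0x", 0, 2)) {
                    throw new IllegalArgumentException("Invalid CRL serial number format.");
                }
                String serialHex = serialText.substring(2);
                if (serialHex.length() > MAX_SERIAL_HEX_DIGITS) {
                    throw new IllegalArgumentException("Invalid CRL serial number length.");
                }
                this.a.add(new BigInteger(serialHex, 16));
            }
        } catch (Exception e) {
            // Keep the cause so the underlying JSON, crypto or parsing failure can be diagnosed.
            throw new CertificateException("Invalid CRL: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies the chain with the boolean flag of
     * {@link #verify(byte[][], String, boolean)} set to {@code true}.
     *
     * @param bArr encoded certificates, leaf first
     * @param str host name the leaf certificate must match
     */
    @DoNotStrip
    public void verify(byte[][] bArr, String str) {
        verify(bArr, str, true);
    }

    /**
     * Decodes the chain, rejects a revoked leaf, runs the trust-manager check and finally
     * verifies the host name against the leaf certificate.
     *
     * <p>NOTE(review): the revocation check covers only the first certificate and matches on
     * serial number alone, without the issuer. Revoked intermediates are not detected here, and
     * two issuers using the same serial are indistinguishable. Confirm this is intended.
     *
     * @param bArr encoded certificates; element 0 is treated as the leaf
     * @param str host name passed to the hostname-aware trust managers and to the hostname
     *     verifier
     * @param z forwarded only to the two "optional pinning" trust-manager types; presumably
     *     toggles pin enforcement (confirm against those classes). The other two branches
     *     ignore it.
     * @throws CertificateException if the chain is empty, cannot be decoded, is revoked, is not
     *     trusted, or does not match the host name
     */
    @DoNotStrip
    public void verify(byte[][] bArr, String str, boolean z) {
        // An empty chain used to surface as an unchecked index error. Reject it as a
        // certificate failure so callers handle it like any other invalid chain.
        if (bArr == null || bArr.length == 0) {
            throw new CertificateException("Empty certificate chain.");
        }

        CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
        X509Certificate[] chain = new X509Certificate[bArr.length];
        for (int i = 0; i < bArr.length; i++) {
            chain[i] =
                    (X509Certificate)
                            certificateFactory.generateCertificate(new ByteArrayInputStream(bArr[i]));
        }
        X509Certificate leaf = chain[0];

        BigInteger leafSerial = leaf.getSerialNumber();
        if (leafSerial != null && this.a.contains(leafSerial)) {
            throw new CertificateException("Certificate present in the CRL.");
        }

        // Use the most specific check the trust manager supports. Only the last branch is the
        // standard JSSE check, which knows nothing of the host name or of the flag.
        X509TrustManager trustManager = this.b.a();
        if (trustManager instanceof HostnameAwareTrustManagerWithOptionalPinning) {
            ((HostnameAwareTrustManagerWithOptionalPinning) trustManager).a(chain, AUTH_TYPE, str, z);
        } else if (trustManager instanceof TrustManagerWithOptionalPinning) {
            ((TrustManagerWithOptionalPinning) trustManager).a(chain, AUTH_TYPE, z);
        } else if (trustManager instanceof HostnameAwareX509TrustManager) {
            ((HostnameAwareX509TrustManager) trustManager).a(chain, AUTH_TYPE, str);
        } else {
            trustManager.checkServerTrusted(chain, AUTH_TYPE);
        }

        // Always checked, so the host name is verified on every trust-manager branch.
        if (!FbHostnameVerifier.a(str, leaf).a) {
            throw new CertificateException("Hostname verification failed.");
        }
    }
}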
