package com.samsung.android.knox.efota.network.certificate;

import android.content.Context;
import android.net.http.X509TrustManagerExtensions;
import android.util.Log;
import com.samsung.android.knox.efota.common.utils.ServerTypeConfig$ServerType;
import com.samsung.android.knox.efota.common.utils.u;
import java.io.InputStreamReader;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
public final class f extends g {

    /* renamed from: d, reason: collision with root package name */
    public static final t6.c f3392d = kotlin.a.c(new b7.a() { // from class: com.samsung.android.knox.efota.network.certificate.X509Trust$Companion$MASTER_PINNING_SERVER_CERT$2
        @Override // b7.a
        public final Object a() {
            return u.a() == ServerTypeConfig$ServerType.f2874q ? "MASTER_PINNING_SERVER_CERT_PROD.PEM" : "MASTER_PINNING_SERVER_CERT_STAGE.PEM";
        }
    });

    /* renamed from: b, reason: collision with root package name */
    public final Context f3393b;

    /* renamed from: c, reason: collision with root package name */
    public final com.samsung.android.knox.efota.network.url.f f3394c;

    public f(Context context, com.samsung.android.knox.efota.network.url.f fVar, h hVar) {
        super(hVar);
        this.f3393b = context;
        this.f3394c = fVar;
    }

    public final String b() {
        final StringBuilder sb = new StringBuilder();
        try {
            k6.b.v(new InputStreamReader(this.f3393b.getAssets().open((String) f3392d.getValue()), StandardCharsets.UTF_8), new b7.b() { // from class: com.samsung.android.knox.efota.network.certificate.X509Trust$getPinnedMasterPEMString$1
                /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
                {
                    super(1);
                }

                @Override // b7.b
                public final Object n(Object obj) {
                    String str = (String) obj;
                    com.samsung.android.knox.efota.unenroll.c.n(str, "it");
                    sb.append(str);
                    return t6.d.f9862a;
                }
            });
            String sb2 = sb.toString();
            com.samsung.android.knox.efota.unenroll.c.m(sb2, "pinnedPEM.toString()");
            return sb2;
        } catch (Throwable th) {
            o5.e.c("CertificatePinning", "Failed to read master pinning cert");
            o5.e.d("CertificatePinning", th.getMessage(), th);
            th.printStackTrace();
            throw new CertificateException("Failed to read master pinning cert");
        }
    }

    public final TrustManagerFactory c() {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
        com.samsung.android.knox.efota.unenroll.c.m(trustManagerFactory, "getInstance(X509_ALGORITHM)");
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(null, null);
        try {
            keyStore.setCertificateEntry("THE_MASTER_ALIAS", g.a(b()));
            trustManagerFactory.init(keyStore);
            return trustManagerFactory;
        } catch (Throwable th) {
            o5.e.d("CertificatePinning", th.getMessage(), th);
            o5.e.c("CertificatePinning", "Fail converting the master pem cert to X509!");
            throw new CertificateException("Failed to convert master pem to X509!");
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public final void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
        com.samsung.android.knox.efota.unenroll.c.n(x509CertificateArr, "chain");
        o5.e.f("CertificatePinning", "--check CLIENT Trusted--");
    }

    @Override // javax.net.ssl.X509TrustManager
    public final void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
        URL b8;
        com.samsung.android.knox.efota.unenroll.c.n(x509CertificateArr, "chain");
        o5.e.f("CertificatePinning", "--check SERVER Trusted--");
        if (x509CertificateArr.length == 0) {
            o5.e.c("CertificatePinning", "--check SERVER Trusted-- ...... SERVER DOES NOT PROVIDE A CERTIFICATE CHAIN!");
            throw new IllegalArgumentException("This server does not provide a certificate chain");
        }
        try {
            o5.e.a("CertificatePinning", "--check SERVER Trusted-- ...... performing customary SSL/TLS checks...");
            TrustManager[] trustManagers = c().getTrustManagers();
            com.samsung.android.knox.efota.unenroll.c.m(trustManagers, "makeTrustManager().trustManagers");
            for (TrustManager trustManager : trustManagers) {
                h hVar = this.f3395a;
                com.samsung.android.knox.efota.unenroll.c.j(trustManager, "null cannot be cast to non-null type javax.net.ssl.X509TrustManager");
                hVar.getClass();
                X509TrustManagerExtensions x509TrustManagerExtensions = new X509TrustManagerExtensions((X509TrustManager) trustManager);
                b8 = this.f3394c.b("");
                x509TrustManagerExtensions.checkServerTrusted(x509CertificateArr, str, b8.toString());
            }
            o5.e.a("CertificatePinning", "--check SERVER Trusted-- ...... SERVER IS TRUSTED");
        } catch (Exception e10) {
            String message = e10.getMessage();
            if (message == null) {
                message = "";
            }
            String concat = "## KFM Agent ## ".concat(message);
            com.samsung.android.knox.efota.common.log.a.f2836a.f("CertificatePinning---" + concat + " error: " + e10.getMessage());
            Log.e("CertificatePinning", concat, e10);
            throw new CertificateException("Server certificate does not pass SSL/TLS check");
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public final X509Certificate[] getAcceptedIssuers() {
        o5.e.a("CertificatePinning", "--getAcceptedIssuers--");
        return new X509Certificate[0];
    }
}
