package org.bouncycastle.jsse.provider;

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jsse.BCExtendedSSLSession;
import org.bouncycastle.jsse.BCSNIHostName;
import org.bouncycastle.jsse.BCX509ExtendedTrustManager;
import org.bouncycastle.jsse.java.security.BCAlgorithmConstraints;
import org.bouncycastle.tls.TlsUtils;

/* loaded from: classes4.dex */
/**
 * PKIX-based X.509 trust manager. This listing is decompiler output with obfuscated names; the
 * helpers {@code af}, {@code y}, {@code o}, {@code ae}, {@code ag}, {@code bu} and {@code bw}
 * are defined elsewhere, so their exact semantics are hedged below.
 *
 * <p>Validation flow, as visible in this class: every {@code checkClientTrusted} /
 * {@code checkServerTrusted} overload funnels into {@code c(chain, authType, context, isServer)},
 * which (1) rejects empty arguments, (2) fails if no usable trust anchor was configured,
 * (3) builds a certification path to a trust anchor with a {@link CertPathBuilder},
 * (4) hands the resulting chain to {@code ag.a(...)} together with the expected extended key
 * usage and an authType-derived integer, and (5) runs endpoint identification when a transport
 * context with an endpoint identification algorithm is available.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>The two-argument {@code check*Trusted} overloads pass a {@code null} context, so step (5)
 *       is skipped for them.</li>
 *   <li>Trust anchors that carry no certificate ({@code getTrustedCert() == null}) are ignored when
 *       the trusted-certificate set is computed; if none remain, every check fails.</li>
 *   <li>For the {@code Set<TrustAnchor>} constructor, revocation checking follows the
 *       {@code com.sun.net.ssl.checkRevocation} setting; for the {@code PKIXParameters}
 *       constructor it follows the caller's parameters.</li>
 * </ul>
 */
class bn extends BCX509ExtendedTrustManager {
    // Logger named after this (obfuscated) class; used only at FINE level in this file.
    private static final Logger hIJ = Logger.getLogger(bn.class.getName());
    // Revocation-enabled flag applied by the Set<TrustAnchor> constructor.
    // Presumably af.q(name, default) reads a boolean property, so the default would be false -- confirm in af.
    private static final boolean hWA = af.q("com.sun.net.ssl.checkRevocation", false);
    // Gates ds(): when false, ds() returns null instead of a serverAuth/clientAuth key purpose.
    // Presumably a boolean property with default true -- confirm in af.
    private static final boolean hWB = af.q("org.bouncycastle.jsse.trustManager.checkEKU", true);
    // Unmodifiable map built once by aUQ(); f() looks up the server authType string in it.
    private static final Map<String, Integer> hWC = aUQ();
    // Constructor flag forwarded unchanged to the ag path checker; its meaning is not visible here.
    private final boolean hSp;
    // Certificates of the configured trust anchors (anchors without a certificate are not included).
    private final Set<X509Certificate> hWD;
    // Template builder parameters, cloned per validation; null when hWD is empty.
    private final PKIXBuilderParameters hWE;
    // Result of bw.b(this), returned by aUR(); presumably an exported wrapper -- confirm in bw.
    private final X509TrustManager hWF;
    // JCA/JCE helper used to locate the provider for CertStore / CertPathBuilder and passed to ag.
    private final JcaJceHelper hjs;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a trust manager from caller-supplied PKIX parameters.
     *
     * <p>If the parameters are already {@link PKIXBuilderParameters} they are stored by reference
     * (not copied here; they are cloned per validation). Otherwise a new
     * {@link PKIXBuilderParameters} is created and the listed settings, including the caller's
     * revocation-enabled flag, are copied across.
     *
     * @param z flag stored in {@code hSp} and forwarded to the {@code ag} path checker
     * @param jcaJceHelper helper used for provider lookups
     * @param pKIXParameters source of trust anchors and PKIX settings
     * @throws InvalidAlgorithmParameterException declared by the {@link PKIXBuilderParameters} constructor
     */
    public bn(boolean z, JcaJceHelper jcaJceHelper, PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        this.hSp = z;
        this.hjs = jcaJceHelper;
        Set<X509Certificate> x = x(pKIXParameters.getTrustAnchors());
        this.hWD = x;
        if (x.isEmpty()) {
            // No anchor with a certificate: leave the template null so that c() rejects every chain.
            this.hWE = null;
        } else if (pKIXParameters instanceof PKIXBuilderParameters) {
            this.hWE = (PKIXBuilderParameters) pKIXParameters;
        } else {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), pKIXParameters.getTargetCertConstraints());
            this.hWE = pKIXBuilderParameters;
            pKIXBuilderParameters.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
            pKIXBuilderParameters.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
            pKIXBuilderParameters.setCertStores(pKIXParameters.getCertStores());
            pKIXBuilderParameters.setDate(pKIXParameters.getDate());
            pKIXBuilderParameters.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
            pKIXBuilderParameters.setInitialPolicies(pKIXParameters.getInitialPolicies());
            pKIXBuilderParameters.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
            pKIXBuilderParameters.setPolicyQualifiersRejected(pKIXParameters.getPolicyQualifiersRejected());
            // Revocation behaviour is inherited from the caller's parameters, not from hWA.
            pKIXBuilderParameters.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
            pKIXBuilderParameters.setSigProvider(pKIXParameters.getSigProvider());
        }
        this.hWF = bw.b(this);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a trust manager from a bare set of trust anchors.
     *
     * <p>The builder parameters get no target constraints, and revocation checking is set from
     * {@code hWA} (the {@code com.sun.net.ssl.checkRevocation} setting).
     *
     * @param z flag stored in {@code hSp} and forwarded to the {@code ag} path checker
     * @param jcaJceHelper helper used for provider lookups
     * @param set trust anchors; entries that are null or carry no certificate are not counted as trusted certificates
     * @throws InvalidAlgorithmParameterException declared by the {@link PKIXBuilderParameters} constructor
     */
    public bn(boolean z, JcaJceHelper jcaJceHelper, Set<TrustAnchor> set) throws InvalidAlgorithmParameterException {
        this.hSp = z;
        this.hjs = jcaJceHelper;
        Set<X509Certificate> x = x(set);
        this.hWD = x;
        if (x.isEmpty()) {
            // No anchor with a certificate: leave the template null so that c() rejects every chain.
            this.hWE = null;
        } else {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(set, (CertSelector) null);
            this.hWE = pKIXBuilderParameters;
            pKIXBuilderParameters.setRevocationEnabled(hWA);
        }
        this.hWF = bw.b(this);
    }

    /**
     * Builds the parameters for the per-validation collection cert store.
     *
     * <p>The store holds the end-entity certificate plus every later element of the presented
     * chain that is not already one of the trusted certificates.
     *
     * @param x509Certificate end-entity certificate (always added)
     * @param x509CertificateArr presented chain; index 0 is skipped because the end-entity is added explicitly
     * @return parameters wrapping an unmodifiable view of the collected certificates
     */
    private CertStoreParameters a(X509Certificate x509Certificate, X509Certificate[] x509CertificateArr) {
        ArrayList arrayList = new ArrayList(x509CertificateArr.length);
        arrayList.add(x509Certificate);
        for (int i = 1; i < x509CertificateArr.length; i++) {
            if (!this.hWD.contains(x509CertificateArr[i])) {
                arrayList.add(x509CertificateArr[i]);
            }
        }
        return new CollectionCertStoreParameters(Collections.unmodifiableCollection(arrayList));
    }

    /**
     * Creates a selector that matches only the given certificate and, when extra constraints are
     * supplied, only if those constraints match as well.
     *
     * <p>NOTE(review): the constructor arguments and synthetic fields of the anonymous class below
     * are decompiler output for captured variables, not original source.
     *
     * @param x509Certificate the certificate the selector is pinned to
     * @param certSelector additional target constraints, or null for none
     * @return the combined selector
     */
    private static X509CertSelector a(X509Certificate x509Certificate, CertSelector certSelector) {
        return new X509CertSelector(x509Certificate, certSelector) { // from class: org.bouncycastle.jsse.provider.bn.1
            final /* synthetic */ X509Certificate hWG;
            final /* synthetic */ CertSelector hWH;

            {
                this.hWG = x509Certificate;
                this.hWH = certSelector;
                setCertificate(x509Certificate);
            }

            @Override // java.security.cert.X509CertSelector, java.security.cert.CertSelector
            public boolean match(Certificate certificate) {
                CertSelector certSelector2;
                // Both conditions must hold: the pinned certificate and the caller's constraints.
                return super.match(certificate) && ((certSelector2 = this.hWH) == null || certSelector2.match(certificate));
            }
        };
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks a certificate against a host name for the given endpoint identification algorithm.
     *
     * <p>Accepts "HTTPS", "LDAP" and "LDAPS" (case-insensitive) and rejects anything else. The
     * boolean passed to {@code o.a} is true only for HTTPS; its meaning is defined in {@code o}
     * and is not visible here.
     *
     * @param str host name; passed through {@code y.kl} first (presumably normalisation -- confirm in y)
     * @param x509Certificate certificate to check
     * @param str2 endpoint identification algorithm name
     * @throws CertificateException if the algorithm is unknown; presumably also thrown by {@code o.a} on mismatch
     */
    public static void a(String str, X509Certificate x509Certificate, String str2) throws CertificateException {
        boolean z;
        String kl = y.kl(str);
        if (str2.equalsIgnoreCase("HTTPS")) {
            z = true;
        } else {
            if (!str2.equalsIgnoreCase("LDAP") && !str2.equalsIgnoreCase("LDAPS")) {
                throw new CertificateException("Unknown endpoint ID algorithm: " + str2);
            }
            z = false;
        }
        o.a(kl, x509Certificate, z);
    }

    /**
     * Pairs presented certificates with the status responses received for them and hands the
     * pairs to {@code ae.a}.
     *
     * <p>Pairing is by index; null or empty responses are skipped, and the first response seen for
     * a given certificate wins. A {@link RuntimeException} from {@code ae.a} is logged at FINE and
     * otherwise ignored, so path building then proceeds without these responses.
     *
     * @param certPathBuilder builder the responses are intended for
     * @param pKIXBuilderParameters per-validation parameters
     * @param x509CertificateArr presented chain
     * @param list status responses, positionally aligned with the chain (presumably stapled OCSP -- confirm in bu.a)
     */
    private static void a(CertPathBuilder certPathBuilder, PKIXBuilderParameters pKIXBuilderParameters, X509Certificate[] x509CertificateArr, List<byte[]> list) {
        HashMap hashMap = new HashMap();
        // Only indices present in both the chain and the response list can be paired.
        int min = Math.min(x509CertificateArr.length, list.size());
        for (int i = 0; i < min; i++) {
            byte[] bArr = list.get(i);
            if (bArr != null && bArr.length > 0) {
                X509Certificate x509Certificate = x509CertificateArr[i];
                if (!hashMap.containsKey(x509Certificate)) {
                    hashMap.put(x509Certificate, bArr);
                }
            }
        }
        if (hashMap.isEmpty()) {
            return;
        }
        try {
            ae.a(certPathBuilder, pKIXBuilderParameters, hashMap);
        } catch (RuntimeException e) {
            // Best effort: the failure is visible only at FINE level.
            hIJ.log(Level.FINE, "Failed to add status responses for revocation checking", (Throwable) e);
        }
    }

    /**
     * Runs endpoint identification for a handshake session.
     *
     * <p>When checking a server certificate and the session carries a requested SNI host name that
     * differs from the peer host, the SNI name is tried first. If that check fails, the failure is
     * logged at FINE and the peer host is checked instead, so a match against either name is
     * accepted.
     *
     * @param x509Certificate end-entity certificate
     * @param str endpoint identification algorithm
     * @param z true when checking a server certificate
     * @param bCExtendedSSLSession handshake session supplying peer host and requested server names
     * @throws CertificateException if the final check against the peer host fails
     */
    private static void a(X509Certificate x509Certificate, String str, boolean z, BCExtendedSSLSession bCExtendedSSLSession) throws CertificateException {
        BCSNIHostName ck;
        String peerHost = bCExtendedSSLSession.getPeerHost();
        if (z && (ck = y.ck(bCExtendedSSLSession.getRequestedServerNames())) != null) {
            String asciiName = ck.getAsciiName();
            if (!asciiName.equalsIgnoreCase(peerHost)) {
                try {
                    a(asciiName, x509Certificate, str);
                    return;
                } catch (CertificateException e) {
                    hIJ.log(Level.FINE, "Server's endpoint ID did not match the SNI host_name: " + asciiName, (Throwable) e);
                }
            }
        }
        a(peerHost, x509Certificate, str);
    }

    /**
     * Registers one value under several keys, failing fast on a duplicate key.
     *
     * @param map map under construction
     * @param i value stored for every key
     * @param iArr integers converted to string keys by {@code y.qA}
     * @throws IllegalStateException if a key was already present
     */
    private static void a(Map<String, Integer> map, int i, int... iArr) {
        for (int i2 : iArr) {
            if (map.put(y.qA(i2), Integer.valueOf(i)) != null) {
                throw new IllegalStateException("Duplicate keys in server key usages");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Performs endpoint identification on the first certificate of the chain when the transport
     * context asks for it.
     *
     * <p>Nothing is checked when {@code buVar} is null or when {@code y.kh} rejects the configured
     * algorithm (presumably "null or empty" -- confirm in y). When an algorithm is configured, a
     * missing handshake session is an error.
     *
     * @param x509CertificateArr validated chain; only element 0 is examined
     * @param buVar transport context, or null
     * @param z true when checking a server certificate
     * @throws CertificateException if no handshake session is available or identification fails
     */
    public static void a(X509Certificate[] x509CertificateArr, bu buVar, boolean z) throws CertificateException {
        if (buVar != null) {
            String endpointIdentificationAlgorithm = buVar.getParameters().getEndpointIdentificationAlgorithm();
            if (y.kh(endpointIdentificationAlgorithm)) {
                BCExtendedSSLSession aVc = buVar.aVc();
                if (aVc == null) {
                    throw new CertificateException("No handshake session");
                }
                a(x509CertificateArr[0], endpointIdentificationAlgorithm, z, aVc);
            }
        }
    }

    /**
     * Converts a built path plus its trust anchor into an array with the anchor certificate last.
     *
     * @param certPath path returned by the builder
     * @param trustAnchor anchor the path terminates at
     * @return path certificates followed by the anchor certificate
     * @throws CertificateException if the anchor carries no certificate
     */
    private static X509Certificate[] a(CertPath certPath, TrustAnchor trustAnchor) throws CertificateException {
        List<? extends Certificate> certificates = certPath.getCertificates();
        // One extra slot for the trust anchor's certificate.
        int size = certificates.size() + 1;
        X509Certificate[] x509CertificateArr = new X509Certificate[size];
        certificates.toArray(x509CertificateArr);
        x509CertificateArr[size - 1] = c(trustAnchor);
        return x509CertificateArr;
    }

    /**
     * Builds a certification path from the presented chain to a configured trust anchor.
     *
     * <p>If the end-entity certificate is itself one of the trusted certificates, it is returned
     * as a one-element chain and no {@link CertPathBuilder} is invoked on that branch, so the
     * checks the builder would apply (configured path checkers, revocation) are not run here.
     * Otherwise the template parameters are cloned, an {@code ag} checker and a collection store
     * of the presented certificates are added, the target is pinned to the end-entity certificate,
     * and the path is built.
     *
     * <p>Dereferences {@code hWE}; the visible caller chain ({@code c} then {@code d}) checks it
     * for null first.
     *
     * @param x509CertificateArr presented chain, end-entity first
     * @param bCAlgorithmConstraints algorithm constraints handed to the {@code ag} checker
     * @param list status responses aligned with the chain; may be empty
     * @return the validated chain, ending in the trust anchor certificate
     * @throws GeneralSecurityException if a provider lookup or path building fails
     */
    private X509Certificate[] a(X509Certificate[] x509CertificateArr, BCAlgorithmConstraints bCAlgorithmConstraints, List<byte[]> list) throws GeneralSecurityException {
        CertStore certStore;
        CertPathBuilder certPathBuilder;
        X509Certificate x509Certificate = x509CertificateArr[0];
        if (this.hWD.contains(x509Certificate)) {
            return new X509Certificate[]{x509Certificate};
        }
        Provider provider = this.hjs.createCertificateFactory("X.509").getProvider();
        CertStoreParameters a = a(x509Certificate, x509CertificateArr);
        // Prefer the helper's provider; fall back to the default provider search if it lacks the service.
        try {
            certStore = CertStore.getInstance("Collection", a, provider);
        } catch (GeneralSecurityException unused) {
            certStore = CertStore.getInstance("Collection", a);
        }
        try {
            certPathBuilder = CertPathBuilder.getInstance("PKIX", provider);
        } catch (NoSuchAlgorithmException unused2) {
            certPathBuilder = CertPathBuilder.getInstance("PKIX");
        }
        // Work on a clone so per-validation additions never leak into the shared template.
        PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.hWE.clone();
        pKIXBuilderParameters.addCertPathChecker(new ag(this.hSp, this.hjs, bCAlgorithmConstraints));
        pKIXBuilderParameters.addCertStore(certStore);
        pKIXBuilderParameters.setTargetCertConstraints(a(x509Certificate, pKIXBuilderParameters.getTargetCertConstraints()));
        if (!list.isEmpty()) {
            a(certPathBuilder, pKIXBuilderParameters, x509CertificateArr, list);
        }
        PKIXCertPathBuilderResult pKIXCertPathBuilderResult = (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
        return a(pKIXCertPathBuilderResult.getCertPath(), pKIXCertPathBuilderResult.getTrustAnchor());
    }

    /**
     * Builds the lookup table used by {@code f}.
     *
     * <p>NOTE(review): the exception text in the registration helper calls this table "server key
     * usages", and the values 0, 2 and 4 look like X.509 KeyUsage bit positions (digitalSignature,
     * keyEncipherment, keyAgreement); the key integers look like TLS key-exchange identifiers
     * mapped to names by {@code y.qA}. Confirm both against {@code y} and {@code ag}.
     *
     * @return unmodifiable map from key string to integer value
     */
    private static Map<String, Integer> aUQ() {
        HashMap hashMap = new HashMap();
        a(hashMap, 0, 3, 5, 17, 19, 0);
        a(hashMap, 2, 1);
        a(hashMap, 4, 7, 9, 16, 18);
        return Collections.unmodifiableMap(hashMap);
    }

    /**
     * Returns the certificate of a trust anchor.
     *
     * @param trustAnchor anchor to read
     * @return the anchor's certificate
     * @throws CertificateException if the anchor carries no certificate
     */
    private static X509Certificate c(TrustAnchor trustAnchor) throws CertificateException {
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        if (trustedCert != null) {
            return trustedCert;
        }
        throw new CertificateException("No certificate for TrustAnchor");
    }

    /**
     * Common entry point behind every {@code checkClientTrusted} / {@code checkServerTrusted} overload.
     *
     * <p>Order of operations: argument checks, template availability check, path building and
     * chain checks via {@code d}, then endpoint identification on the validated chain.
     *
     * @param x509CertificateArr presented chain, end-entity first
     * @param str authType
     * @param buVar transport context, or null for the two-argument overloads (no endpoint identification then)
     * @param z true when checking a server certificate
     * @throws IllegalArgumentException if the chain or authType is null or empty
     * @throws CertificateException if no builder parameters are available or any validation step fails
     */
    private void c(X509Certificate[] x509CertificateArr, String str, bu buVar, boolean z) throws CertificateException {
        if (TlsUtils.isNullOrEmpty(x509CertificateArr)) {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }
        if (TlsUtils.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("'authType' must be a non-null, non-empty string");
        }
        // hWE is null when no trust anchor carried a certificate; nothing can be trusted in that case.
        if (this.hWE == null) {
            throw new CertificateException("Unable to build a CertPath: no PKIXBuilderParameters available");
        }
        a(d(x509CertificateArr, str, buVar, z), buVar, z);
    }

    /**
     * Builds the path and runs the post-build chain check.
     *
     * <p>The chain returned by the builder is passed to {@code ag.a} with the algorithm
     * constraints, the expected key purpose from {@code ds} and the integer from {@code f}. Any
     * {@link GeneralSecurityException}, including the {@link CertificateException} that {@code f}
     * throws for an unsupported server authType, is rewrapped with a generic message and the
     * original as cause.
     *
     * @param x509CertificateArr presented chain
     * @param str authType
     * @param buVar transport context, or null
     * @param z true when checking a server certificate
     * @return the validated chain ending in the trust anchor certificate
     * @throws CertificateException if path building or the chain check fails
     */
    private X509Certificate[] d(X509Certificate[] x509CertificateArr, String str, bu buVar, boolean z) throws CertificateException {
        try {
            BCAlgorithmConstraints b = bu.b(buVar, false);
            X509Certificate[] a = a(x509CertificateArr, b, bu.a(buVar));
            ag.a(this.hjs, b, a, ds(z), f(z, str));
            return a;
        } catch (GeneralSecurityException e) {
            throw new CertificateException("Unable to construct a valid chain", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Selects the extended key usage expected of the end-entity certificate.
     *
     * @param z true when checking a server certificate
     * @return serverAuth or clientAuth when the checkEKU setting is on; null when it is off
     *         (presumably {@code ag.a} treats null as "no EKU requirement" -- confirm in ag)
     */
    public static KeyPurposeId ds(boolean z) {
        if (hWB) {
            return z ? KeyPurposeId.id_kp_serverAuth : KeyPurposeId.id_kp_clientAuth;
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Maps an authType to the integer passed to {@code ag.a}.
     *
     * @param z true when checking a server certificate
     * @param str authType
     * @return 0 for client checks; otherwise the table value for the authType
     * @throws CertificateException if a server authType is not in the table
     */
    public static int f(boolean z, String str) throws CertificateException {
        if (!z) {
            return 0;
        }
        Integer num = hWC.get(str);
        if (num != null) {
            return num.intValue();
        }
        throw new CertificateException("Unsupported server authType: " + str);
    }

    /**
     * Collects the certificates of the given trust anchors.
     *
     * <p>Null entries and anchors without a certificate are skipped.
     *
     * @param set trust anchors
     * @return a new mutable set of the anchors' certificates; may be empty
     */
    private static Set<X509Certificate> x(Set<TrustAnchor> set) {
        X509Certificate trustedCert;
        HashSet hashSet = new HashSet(set.size());
        for (TrustAnchor trustAnchor : set) {
            if (trustAnchor != null && (trustedCert = trustAnchor.getTrustedCert()) != null) {
                hashSet.add(trustedCert);
            }
        }
        return hashSet;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the trust manager object created by {@code bw.b(this)} in the constructor.
     *
     * @return the stored {@link X509TrustManager}
     */
    public X509TrustManager aUR() {
        return this.hWF;
    }

    /**
     * Validates a client chain without a transport context; no endpoint identification is performed.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        c(x509CertificateArr, str, null, false);
    }

    /**
     * Validates a client chain using the context derived from the socket by {@code bu.d}.
     */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        c(x509CertificateArr, str, bu.d(socket), false);
    }

    /**
     * Validates a client chain using the context derived from the engine by {@code bu.c}.
     */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        c(x509CertificateArr, str, bu.c(sSLEngine), false);
    }

    /**
     * Validates a server chain without a transport context; no endpoint identification is
     * performed, so the caller has to verify the host name itself if it needs that binding.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        c(x509CertificateArr, str, null, true);
    }

    /**
     * Validates a server chain using the context derived from the socket by {@code bu.d}.
     */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        c(x509CertificateArr, str, bu.d(socket), true);
    }

    /**
     * Validates a server chain using the context derived from the engine by {@code bu.c}.
     */
    @Override // org.bouncycastle.jsse.BCX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        c(x509CertificateArr, str, bu.c(sSLEngine), true);
    }

    /**
     * Returns the trusted certificates as a newly allocated array.
     *
     * @return the certificates of the configured trust anchors; empty when none carried a certificate
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        Set<X509Certificate> set = this.hWD;
        return (X509Certificate[]) set.toArray(new X509Certificate[set.size()]);
    }
}
