package org.minidns.dane;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.cert.CertificateEncodingException;
import org.minidns.AbstractDnsClient;
import org.minidns.dane.DaneCertificateException;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsmessage.Question;
import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.DnssecClient;
import org.minidns.dnssec.DnssecMessage;
import org.minidns.dnssec.UnverifiedReason;
import org.minidns.record.Data;
import org.minidns.record.Record;
import org.minidns.record.TLSA;

/* loaded from: classes.dex */
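/**
 * Verifies the end-entity certificate of a TLS peer against the TLSA record set
 * (DANE, RFC 6698) of {@code _port._tcp.host}, looked up through a
 * DNSSEC-validating client.
 *
 * <p>Trust model implemented here:
 * <ul>
 *   <li>Only DNSSEC-authenticated TLSA answers are consulted; anything else makes
 *       {@link #verifyCertificateChain} return {@code false} ("not verified by DANE").</li>
 *   <li>Only the end-entity usages are honoured: PKIX-EE (usage 1) and DANE-EE
 *       (usage 3). CA-constraint (0) and trust-anchor-assertion (2) would require
 *       walking the chain and are reported as unsupported.</li>
 *   <li>A DANE-EE match is sufficient on its own. A PKIX-EE match is reported as
 *       {@code false}: the caller MUST still run ordinary PKIX validation.</li>
 *   <li>A record of a supported kind that does not match raises a
 *       {@link DaneCertificateException.CertificateMismatch}; the verifier collects
 *       these across the whole RRset and only fails if no record matched at all.</li>
 * </ul>
 */
/* loaded from: classes.dex */
public final class DaneVerifier {
    public static final Logger LOGGER = Logger.getLogger(DaneVerifier.class.getName());
    // Final so the validating client cannot be swapped for a non-validating one.
    // NOTE(review): the field is typed AbstractDnsClient; on a client that does
    // not validate locally, DnsMessage.authenticData would merely echo the
    // upstream resolver's AD bit, which is only trustworthy over a secure
    // resolver channel — keep this a DnssecClient.
    public final AbstractDnsClient client = new DnssecClient();

    // TLSA "certificate usage" values, RFC 6698 section 2.1.1.
    private static final byte CERT_USAGE_PKIX_EE = 1;
    private static final byte CERT_USAGE_DANE_EE = 3;
    // TLSA "selector" values, RFC 6698 section 2.1.2.
    private static final byte SELECTOR_FULL_CERTIFICATE = 0;
    private static final byte SELECTOR_SUBJECT_PUBLIC_KEY_INFO = 1;
    // TLSA "matching type" values, RFC 6698 section 2.1.3.
    private static final byte MATCHING_TYPE_EXACT = 0;
    private static final byte MATCHING_TYPE_SHA256 = 1;
    private static final byte MATCHING_TYPE_SHA512 = 2;

    /** Outcome of matching one TLSA record against the end-entity certificate. */
    private enum MatchOutcome {
        /** DANE-EE record matched: the certificate is trusted by DANE alone. */
        DANE_EE_MATCH,
        /** PKIX-EE record matched: PKIX validation by the caller is still required. */
        PKIX_EE_MATCH,
        /** Usage, selector or matching type is not handled by this verifier. */
        UNSUPPORTED
    }

    /**
     * Matches one TLSA record against a certificate.
     *
     * @param x509Certificate the end-entity certificate presented by the peer.
     * @param tlsa            the TLSA record to match against.
     * @param str             host name, used only in log messages.
     * @return {@code true} if the record is DANE-EE (usage 3) and matches, i.e. the
     *         certificate is trusted by DANE alone; {@code false} if the record is
     *         PKIX-EE (usage 1) and matches (PKIX validation is still required) or if
     *         the record's usage, selector or matching type is unsupported.
     * @throws DaneCertificateException.CertificateMismatch if the record is of a
     *         supported kind but does not match the certificate.
     * @throws CertificateException if the certificate cannot be encoded or the
     *         digest algorithm the record requires is unavailable.
     */
    public static boolean checkCertificateMatches(X509Certificate x509Certificate, TLSA tlsa, String str) throws CertificateException {
        return matchRecord(x509Certificate, tlsa, str) == MatchOutcome.DANE_EE_MATCH;
    }

    /**
     * Core of {@link #checkCertificateMatches}: distinguishes a PKIX-EE match from
     * an unsupported record, which the boolean API collapses into {@code false}.
     *
     * The dispatch is on the wire bytes ({@code certUsageByte} etc.), so it does
     * not depend on the declaration order of the TLSA enums; the enum fields are
     * still consulted to decide whether the value is one the record parser knows.
     */
    private static MatchOutcome matchRecord(X509Certificate x509Certificate, TLSA tlsa, String str) throws CertificateException {
        byte usage = tlsa.certUsageByte;
        if (tlsa.certUsage == null) {
            LOGGER.warning("TLSA certificate usage byte " + ((int) usage) + " is not supported while verifying " + str);
            return MatchOutcome.UNSUPPORTED;
        }
        // CA-constraint (0) and trust-anchor-assertion (2) would need chain
        // processing; they are deliberately not treated as a match.
        if (usage != CERT_USAGE_PKIX_EE && usage != CERT_USAGE_DANE_EE) {
            LOGGER.warning("TLSA certificate usage " + tlsa.certUsage + " (" + ((int) usage) + ") not supported while verifying " + str);
            return MatchOutcome.UNSUPPORTED;
        }

        byte selector = tlsa.selectorByte;
        if (tlsa.selector == null) {
            LOGGER.warning("TLSA selector byte " + ((int) selector) + " is not supported while verifying " + str);
            return MatchOutcome.UNSUPPORTED;
        }
        byte[] data;
        switch (selector) {
            case SELECTOR_FULL_CERTIFICATE:
                data = x509Certificate.getEncoded();
                break;
            case SELECTOR_SUBJECT_PUBLIC_KEY_INFO:
                data = x509Certificate.getPublicKey().getEncoded();
                break;
            default:
                LOGGER.warning("TLSA selector " + tlsa.selector + " (" + ((int) selector) + ") not supported while verifying " + str);
                return MatchOutcome.UNSUPPORTED;
        }

        if (tlsa.matchingType == null) {
            LOGGER.warning("TLSA matching type byte " + ((int) tlsa.matchingTypeByte) + " is not supported while verifying " + str);
            return MatchOutcome.UNSUPPORTED;
        }
        switch (tlsa.matchingTypeByte) {
            case MATCHING_TYPE_EXACT:
                // Association data is the full DER encoding itself.
                break;
            case MATCHING_TYPE_SHA256:
                data = digest("SHA-256", data);
                break;
            case MATCHING_TYPE_SHA512:
                data = digest("SHA-512", data);
                break;
            default:
                LOGGER.warning("TLSA matching type " + tlsa.matchingType + " not supported while verifying " + str);
                return MatchOutcome.UNSUPPORTED;
        }

        // Both operands are public (DNS data and the peer's certificate), so a
        // non-constant-time comparison leaks nothing worth protecting.
        if (!Arrays.equals(tlsa.certificateAssociation, data)) {
            throw new DaneCertificateException.CertificateMismatch();
        }
        return tlsa.certUsage == TLSA.CertUsage.domainIssuedCertificate
                ? MatchOutcome.DANE_EE_MATCH
                : MatchOutcome.PKIX_EE_MATCH;
    }

    /** Hashes {@code data} with the named JCA algorithm, mapping a missing provider to a CertificateException. */
    private static byte[] digest(String algorithm, byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance(algorithm).digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Verification using TLSA failed: could not " + algorithm + " for matching", e);
        }
    }

    /**
     * Re-encodes legacy {@code javax.security.cert} certificates as
     * {@code java.security.cert.X509Certificate}s.
     *
     * <p>Best effort: an entry that cannot be re-encoded is logged and left
     * {@code null} in the result, so the returned array may contain holes.
     * {@link #verifyCertificateChain} rejects a {@code null} leaf explicitly.
     *
     * @param x509CertificateArr chain in the legacy representation.
     * @return array of the same length in the {@code java.security.cert} representation.
     */
    public static X509Certificate[] convert(javax.security.cert.X509Certificate[] x509CertificateArr) {
        X509Certificate[] converted = new X509Certificate[x509CertificateArr.length];
        for (int idx = 0; idx < x509CertificateArr.length; idx++) {
            try {
                byte[] der = x509CertificateArr[idx].getEncoded();
                converted[idx] = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
            } catch (CertificateException | CertificateEncodingException e) {
                LOGGER.log(Level.WARNING, "Could not convert", e);
            }
        }
        return converted;
    }

    /**
     * Verifies the leaf of {@code x509CertificateArr} against the TLSA RRset of
     * {@code _<i>._tcp.<str>}.
     *
     * @param x509CertificateArr certificate chain, leaf first; only the leaf is inspected.
     * @param str                host name the peer was expected to present.
     * @param i                  TCP port, used to build the TLSA owner name.
     * @return {@code true} if a DNSSEC-authenticated DANE-EE record matched the leaf
     *         (no PKIX validation needed); {@code false} if no authenticated TLSA
     *         data was usable, or only a PKIX-EE record matched — in both cases the
     *         caller must fall back to PKIX validation.
     * @throws DaneCertificateException.MultipleCertificateMismatchExceptions if
     *         authenticated, supported TLSA records exist and none of them matched.
     * @throws CertificateException if the chain has no usable leaf or the
     *         certificate cannot be encoded.
     * @throws RuntimeException wrapping the {@link IOException} of a failed DNS lookup.
     */
    public final boolean verifyCertificateChain(X509Certificate[] x509CertificateArr, String str, int i) throws CertificateException {
        // Fail closed with a clear error instead of an NPE/AIOOBE deep in matching
        // (convert() may leave null entries behind).
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            throw new CertificateException("Verification using TLSA failed: no end-entity certificate for " + str);
        }
        X509Certificate leaf = x509CertificateArr[0];
        DnsName owner = DnsName.from("_" + i + "._tcp." + str);

        DnsMessage response;
        try {
            // NOTE(review): the third constructor argument is reproduced from the
            // decompiled source; the original also materialised Record.CLASS.IN
            // here, so this is presumably the IN-class question — confirm against
            // Question's constructors.
            response = this.client.query(new Question(owner, Record.TYPE.TLSA, 0));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }

        if (!response.authenticData) {
            // NOTE(review): "insecure" (unsigned zone) and "bogus" (signed but
            // failed validation) are treated alike here and both fall back to
            // PKIX; RFC 7671 section 4.1 expects a bogus RRset to be a hard
            // failure. Whether DnssecMessage.result lets the two be told apart
            // is not visible from this file.
            LOGGER.info(describeUnverified(response));
            return false;
        }

        List<DaneCertificateException.CertificateMismatch> mismatches = new LinkedList<>();
        boolean pkixEeMatched = false;
        for (Record<? extends Data> record : response.answerSection) {
            if (record.type != Record.TYPE.TLSA || !record.name.equals(owner)) {
                continue;
            }
            try {
                switch (matchRecord(leaf, (TLSA) record.payloadData, str)) {
                    case DANE_EE_MATCH:
                        return true;
                    case PKIX_EE_MATCH:
                        pkixEeMatched = true;
                        break;
                    case UNSUPPORTED:
                        break;
                }
            } catch (DaneCertificateException.CertificateMismatch e) {
                // Record and keep going: the RRset matches if any record does.
                mismatches.add(e);
            }
        }
        // A PKIX-EE match satisfies the RRset; other records' mismatches must not
        // turn that into a hard failure (the caller still performs PKIX).
        if (!pkixEeMatched && !mismatches.isEmpty()) {
            throw new DaneCertificateException.MultipleCertificateMismatchExceptions(mismatches);
        }
        return false;
    }

    /** Builds the log line for a TLSA answer that did not carry DNSSEC authentication. */
    private static String describeUnverified(DnsMessage response) {
        if (!(response instanceof DnssecMessage)) {
            return "Got TLSA response from DNS server, but was not signed properly.";
        }
        StringBuilder message = new StringBuilder(
                "Got TLSA response from DNS server, but was not signed properly. Reasons:");
        Iterator<UnverifiedReason> reasons = ((DnssecMessage) response).result.iterator();
        while (reasons.hasNext()) {
            message.append(' ').append(reasons.next());
        }
        return message.toString();
    }
}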
