package com.blackberry.security.trustmgr.x509;

import com.blackberry.security.trustmgr.PeerIdentity;
import com.blackberry.security.trustmgr.ValidationException;
import com.blackberry.security.trustmgr.internal.o;
import com.blackberry.security.trustmgr.internal.q;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.http.conn.ssl.AbstractVerifier;
import te.a;

/* loaded from: classes.dex */
public class X509PeerIdentityVerifier implements o {
    private static final int ALT_NAME_DNS = 2;
    private static final int ALT_NAME_RFC822 = 1;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.blackberry.security.trustmgr.x509.X509PeerIdentityVerifier$1, reason: invalid class name */
    /* loaded from: classes.dex */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$blackberry$security$trustmgr$PeerIdentity$Type;

        static {
            int[] iArr = new int[PeerIdentity.Type.values().length];
            $SwitchMap$com$blackberry$security$trustmgr$PeerIdentity$Type = iArr;
            try {
                iArr[PeerIdentity.Type.EMAIL_ADDRESS.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$com$blackberry$security$trustmgr$PeerIdentity$Type[PeerIdentity.Type.DNS.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    private q checkPublicSuffix(X509Certificate x509Certificate) {
        for (String str : getSubjectCommonNames(x509Certificate)) {
            if (str.startsWith("*.")) {
                String substring = str.substring(2);
                if (!substring.isEmpty() && a.d(substring) && a.b(substring).c()) {
                    q qVar = new q(q.a.WARN_INVALID_NAME);
                    qVar.c(str + " is a public suffix");
                    return qVar;
                }
            }
        }
        return null;
    }

    private Set<String> getSubjectAltNames(X509Certificate x509Certificate, PeerIdentity.Type type) {
        int i10;
        Integer num;
        String str;
        HashSet hashSet = new HashSet();
        int i11 = AnonymousClass1.$SwitchMap$com$blackberry$security$trustmgr$PeerIdentity$Type[type.ordinal()];
        if (i11 == 1) {
            i10 = 1;
        } else {
            if (i11 != 2) {
                throw new IllegalArgumentException("Unsupported peer type " + type);
            }
            i10 = 2;
        }
        Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
        if (subjectAlternativeNames == null) {
            return Collections.emptySet();
        }
        for (List<?> list : subjectAlternativeNames) {
            if (list != null && list.size() >= 2 && (num = (Integer) list.get(0)) != null && num.intValue() == i10 && (str = (String) list.get(1)) != null) {
                hashSet.add(str);
            }
        }
        return hashSet;
    }

    private List<String> getSubjectCommonNames(X509Certificate x509Certificate) {
        String[] cNs = AbstractVerifier.getCNs(x509Certificate);
        return cNs != null ? Arrays.asList(cNs) : Collections.emptyList();
    }

    private boolean verifyPeerName(String str, String str2) {
        int i10;
        int length;
        if (str != null && str2 != null) {
            String lowerCase = str2.toLowerCase(Locale.US);
            if (!str.isEmpty() && !lowerCase.isEmpty()) {
                if (!lowerCase.startsWith("*.")) {
                    return lowerCase.equals(str);
                }
                if (lowerCase.regionMatches(2, str, 0, str.length())) {
                    return true;
                }
                int indexOf = str.indexOf(46);
                if (indexOf != -1 && (length = str.length() - (i10 = indexOf + 1)) != 0 && lowerCase.regionMatches(2, str, i10, length)) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override // com.blackberry.security.trustmgr.internal.o
    public List<q> verify(PeerIdentity peerIdentity, Certificate certificate) {
        q checkPublicSuffix;
        if (!(certificate instanceof X509Certificate)) {
            throw new IllegalArgumentException("Unsupported certificate type: " + certificate.getType());
        }
        X509Certificate x509Certificate = (X509Certificate) certificate;
        ArrayList arrayList = new ArrayList();
        boolean z10 = false;
        String lowerCase = peerIdentity.getEncoded().toLowerCase(Locale.US);
        HashSet hashSet = new HashSet();
        try {
            Set<String> subjectAltNames = getSubjectAltNames(x509Certificate, peerIdentity.getType());
            if (subjectAltNames.size() > 0) {
                Iterator<String> it = subjectAltNames.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (verifyPeerName(lowerCase, it.next())) {
                        z10 = true;
                        break;
                    }
                }
                hashSet.addAll(subjectAltNames);
            } else {
                List<String> subjectCommonNames = getSubjectCommonNames(x509Certificate);
                Iterator<String> it2 = subjectCommonNames.iterator();
                while (it2.hasNext()) {
                    if (verifyPeerName(lowerCase, it2.next())) {
                        z10 = true;
                    }
                }
                hashSet.addAll(subjectCommonNames);
            }
            if (!z10) {
                q qVar = new q(q.a.WARN_INVALID_NAME);
                qVar.c("No match found, Presented ID = " + lowerCase + ", Reference IDs = " + hashSet);
                arrayList.add(qVar);
            }
            if (peerIdentity.getType().equals(PeerIdentity.Type.DNS) && (checkPublicSuffix = checkPublicSuffix(x509Certificate)) != null) {
                arrayList.add(checkPublicSuffix);
            }
            return arrayList;
        } catch (CertificateParsingException e10) {
            throw new ValidationException("Failed to parse certificate", e10);
        }
    }
}
