package org.openjsse.sun.security.ssl;

import java.net.Socket;
import java.security.AlgorithmConstraints;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.StandardConstants;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.openjsse.javax.net.ssl.ExtendedSSLSession;
import org.openjsse.javax.net.ssl.SSLSocket;
import org.openjsse.sun.security.util.HostnameChecker;
import org.openjsse.sun.security.validator.Validator;
import sun.security.util.AnchorCertificates;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
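/**
 * X.509 trust manager from the OpenJSSE provider, as recovered by a decompiler.
 *
 * <p>Every public {@code check*Trusted} entry point funnels into one of the two private
 * {@code checkTrusted} overloads, which (1) pick a client or server {@link Validator},
 * (2) run chain validation, and (3) optionally verify the peer identity against the leaf
 * certificate.
 *
 * <p>Points a reviewer should keep in mind when reading callers of this class:
 * <ul>
 *   <li>The two-argument {@code checkClientTrusted}/{@code checkServerTrusted} overloads pass a
 *       {@code null} socket, so the chain is validated with no algorithm constraints, no
 *       status responses and <em>no endpoint identification</em>.</li>
 *   <li>With a socket or engine, endpoint identification runs only when the connection's
 *       {@code SSLParameters} carry a non-empty endpoint identification algorithm.</li>
 *   <li>The socket overload only recognises {@code org.openjsse.javax.net.ssl.SSLSocket}
 *       (see the file's imports); any other socket type is handled like a {@code null}
 *       socket.</li>
 * </ul>
 */
public final class X509TrustManagerImpl extends X509ExtendedTrustManager implements X509TrustManager {
    /** Category string handed to {@code SSLLogger.isOn(String)} before any debug output. */
    private static final String LOG_CATEGORY = "ssl,trustmanager";

    // Both validators are created lazily and published through volatile fields
    // (double-checked locking in checkTrustedInit).
    private volatile Validator clientValidator;
    private final PKIXBuilderParameters pkixParams;
    private volatile Validator serverValidator;
    private final Collection<X509Certificate> trustedCerts;
    private final String validatorType;

    /**
     * Creates a trust manager whose validators are built from PKIX builder parameters.
     *
     * <p>The server-side validator is created eagerly and its trusted certificates become the
     * set reported by {@link #getAcceptedIssuers()}.
     *
     * @param str validator type passed to {@code Validator.getInstance}
     * @param pKIXBuilderParameters PKIX parameters used for every validator this object creates
     */
    public X509TrustManagerImpl(String str, PKIXBuilderParameters pKIXBuilderParameters) {
        this.validatorType = str;
        this.pkixParams = pKIXBuilderParameters;
        Validator validator = getValidator(Validator.VAR_TLS_SERVER);
        Collection<X509Certificate> anchors = validator.getTrustedCertificates();
        this.trustedCerts = anchors;
        this.serverValidator = validator;
        if (isLogging()) {
            SSLLogger.fine("adding as trusted certificates", anchors.toArray(new X509Certificate[0]));
        }
    }

    /**
     * Creates a trust manager from an explicit set of trusted certificates.
     *
     * <p>No validator is created here; both are built on first use.
     *
     * @param str validator type passed to {@code Validator.getInstance}
     * @param collection trusted certificates; {@code null} is treated as an empty set, which
     *     leaves the trust manager with no trust anchors at all
     */
    public X509TrustManagerImpl(String str, Collection<X509Certificate> collection) {
        this.validatorType = str;
        this.pkixParams = null;
        Collection<X509Certificate> anchors = collection;
        if (anchors == null) {
            anchors = Collections.emptySet();
        }
        this.trustedCerts = anchors;
        if (isLogging()) {
            SSLLogger.fine("adding as trusted certificates", anchors.toArray(new X509Certificate[0]));
        }
    }

    /** Returns true when debug logging for this class's category is enabled. */
    private static boolean isLogging() {
        return SSLLogger.isOn && SSLLogger.isOn(LOG_CATEGORY);
    }

    /**
     * Checks that {@code x509Certificate} matches host {@code str} under the named algorithm.
     *
     * @param str host name to match; a surrounding {@code [..]} pair is stripped first
     * @param x509Certificate certificate whose identity is checked
     * @param str2 endpoint identification algorithm ({@code HTTPS}, {@code LDAP} or
     *     {@code LDAPS}, case-insensitive); {@code null} or empty means no check is made
     * @throws CertificateException if the algorithm is unknown or the match fails
     */
    public static void checkIdentity(String str, X509Certificate x509Certificate, String str2)
            throws CertificateException {
        checkIdentity(str, x509Certificate, str2, false);
    }

    /**
     * Implementation of the host-name check shared by the public overloads.
     *
     * @param str host name to match
     * @param x509Certificate certificate whose identity is checked
     * @param str2 endpoint identification algorithm; {@code null} or empty skips the check
     * @param z2 forwarded unchanged as the third argument of {@code HostnameChecker.match};
     *     the session-based caller passes whether the chain ends in a certificate known to
     *     {@code AnchorCertificates}
     * @throws CertificateException if the algorithm is unknown or the match fails
     */
    private static void checkIdentity(String str, X509Certificate x509Certificate, String str2, boolean z2)
            throws CertificateException {
        // An absent algorithm is "verification not requested": return without checking anything.
        if (str2 == null || str2.length() == 0) {
            return;
        }

        String host = str;
        // Bracketed literal (the form used for IPv6 addresses): match on the bare address.
        if (host != null && host.startsWith("[") && host.endsWith("]")) {
            host = host.substring(1, host.length() - 1);
        }

        // Checker type 1 is used for HTTPS and type 2 for LDAP/LDAPS; anything else is rejected
        // rather than silently accepted.
        if (str2.equalsIgnoreCase("HTTPS")) {
            HostnameChecker.getInstance((byte) 1).match(host, x509Certificate, z2);
            return;
        }
        if (str2.equalsIgnoreCase("LDAP") || str2.equalsIgnoreCase("LDAPS")) {
            HostnameChecker.getInstance((byte) 2).match(host, x509Certificate, z2);
            return;
        }
        throw new CertificateException("Unknown identification algorithm: ".concat(str2));
    }

    /**
     * Verifies the peer identity for a handshake session against the leaf certificate.
     *
     * <p>For server certificates ({@code z2 == false}) the host name requested via SNI is tried
     * first. If that check fails and the SNI name differs from the session's peer host, the
     * failure is discarded and the peer host is checked instead; the certificate is therefore
     * accepted when it matches <em>either</em> name. For client certificates only the peer host
     * is checked.
     *
     * @param sSLSession handshake session supplying the peer host and requested server names
     * @param x509CertificateArr certificate chain, leaf first; must be non-empty (the first and
     *     last elements are read without a length check)
     * @param str endpoint identification algorithm
     * @param z2 {@code true} on the client-certificate paths ({@code checkClientTrusted})
     * @throws CertificateException if no candidate host name matches the leaf certificate
     */
    public static void checkIdentity(SSLSession sSLSession, X509Certificate[] x509CertificateArr, String str, boolean z2)
            throws CertificateException {
        // Whether the last certificate of the chain is one of the runtime's known anchors.
        // NOTE(review): presumably lets HostnameChecker apply rules specific to public CAs;
        // confirm against HostnameChecker.match.
        boolean anchoredInKnownCa = AnchorCertificates.contains(x509CertificateArr[x509CertificateArr.length - 1]);

        String peerHost = sSLSession.getPeerHost();
        // Drop a single trailing dot so a fully-qualified name compares like its relative form.
        if (peerHost != null && peerHost.endsWith(".")) {
            peerHost = peerHost.substring(0, peerHost.length() - 1);
        }

        if (!z2) {
            String sniHost = getHostNameInSNI(getRequestedServerNames(sSLSession));
            if (sniHost != null) {
                try {
                    checkIdentity(sniHost, x509CertificateArr[0], str, anchoredInKnownCa);
                    return;
                } catch (CertificateException e5) {
                    // Same name as the peer host: a second attempt cannot succeed, so report now.
                    if (sniHost.equalsIgnoreCase(peerHost)) {
                        throw e5;
                    }
                    // Otherwise fall through and try the peer host.
                }
            }
        }
        checkIdentity(peerHost, x509CertificateArr[0], str, anchoredInKnownCa);
    }

    /**
     * Validates a chain in the context of a socket and, when configured, checks the peer identity.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str authentication type; must be non-empty
     * @param socket connection being established, or {@code null}
     * @param z2 {@code true} when validating a client certificate
     * @throws CertificateException if validation or identity checking fails, or if the socket
     *     has no handshake session
     */
    private void checkTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket, boolean z2)
            throws CertificateException {
        Validator validator = checkTrustedInit(x509CertificateArr, str, z2);
        // Client-certificate validation does not pass the authentication type to the validator.
        String validatorAuthType = z2 ? null : str;

        X509Certificate[] trustedChain;
        if (socket != null && socket.isConnected() && (socket instanceof SSLSocket)) {
            SSLSocket sslSocket = (SSLSocket) socket;
            SSLSession session = sslSocket.getHandshakeSession();
            if (session == null) {
                throw new CertificateException("No handshake session");
            }

            SSLAlgorithmConstraints constraints;
            if ((session instanceof ExtendedSSLSession) && ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                // TLS 1.2+ style session: also constrain by the locally supported signature algorithms.
                constraints = new SSLAlgorithmConstraints(
                        sslSocket, ((ExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), false);
            } else {
                constraints = new SSLAlgorithmConstraints(sslSocket, false);
            }

            trustedChain = validate(
                    validator, x509CertificateArr, statusResponses(session, z2), constraints, validatorAuthType);

            // Identity is verified only if the caller configured an identification algorithm.
            String idAlgorithm = sslSocket.getSSLParameters().getEndpointIdentificationAlgorithm();
            if (idAlgorithm != null && idAlgorithm.length() != 0) {
                checkIdentity(session, trustedChain, idAlgorithm, z2);
            }
        } else {
            // No usable TLS socket: chain validation only, with no algorithm constraints and
            // no endpoint identification.
            trustedChain = validate(
                    validator, x509CertificateArr, Collections.<byte[]>emptyList(), null, validatorAuthType);
        }

        if (isLogging()) {
            SSLLogger.fine("Found trusted certificate", trustedChain[trustedChain.length - 1]);
        }
    }

    /**
     * Validates a chain in the context of an engine and, when configured, checks the peer identity.
     *
     * @param x509CertificateArr peer certificate chain
     * @param str authentication type; must be non-empty
     * @param sSLEngine engine performing the handshake, or {@code null}
     * @param z2 {@code true} when validating a client certificate
     * @throws CertificateException if validation or identity checking fails, or if the engine
     *     has no handshake session
     */
    private void checkTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine, boolean z2)
            throws CertificateException {
        Validator validator = checkTrustedInit(x509CertificateArr, str, z2);
        // Client-certificate validation does not pass the authentication type to the validator.
        String validatorAuthType = z2 ? null : str;

        X509Certificate[] trustedChain;
        if (sSLEngine != null) {
            SSLSession session = sSLEngine.getHandshakeSession();
            if (session == null) {
                throw new CertificateException("No handshake session");
            }

            SSLAlgorithmConstraints constraints;
            if ((session instanceof ExtendedSSLSession) && ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                // TLS 1.2+ style session: also constrain by the locally supported signature algorithms.
                constraints = new SSLAlgorithmConstraints(
                        sSLEngine, ((ExtendedSSLSession) session).getLocalSupportedSignatureAlgorithms(), false);
            } else {
                constraints = new SSLAlgorithmConstraints(sSLEngine, false);
            }

            trustedChain = validate(
                    validator, x509CertificateArr, statusResponses(session, z2), constraints, validatorAuthType);

            // Identity is verified only if the caller configured an identification algorithm.
            String idAlgorithm = sSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
            if (idAlgorithm != null && idAlgorithm.length() != 0) {
                checkIdentity(session, trustedChain, idAlgorithm, z2);
            }
        } else {
            // No engine: chain validation only, with no algorithm constraints and no endpoint
            // identification.
            trustedChain = validate(
                    validator, x509CertificateArr, Collections.<byte[]>emptyList(), null, validatorAuthType);
        }

        if (isLogging()) {
            SSLLogger.fine("Found trusted certificate", trustedChain[trustedChain.length - 1]);
        }
    }

    /**
     * Returns the status responses recorded on the session for a server-certificate check.
     *
     * <p>Client-certificate checks and sessions that are not {@link ExtendedSSLSession}
     * instances get an empty list.
     */
    private static List<byte[]> statusResponses(SSLSession session, boolean z2) {
        if (!z2 && (session instanceof ExtendedSSLSession)) {
            return ((ExtendedSSLSession) session).getStatusResponses();
        }
        return Collections.emptyList();
    }

    /**
     * Validates the arguments and returns the validator for the requested direction, creating
     * it on first use.
     *
     * @param x509CertificateArr chain to be validated; must be non-null and non-empty
     * @param str authentication type; must be non-null and non-empty
     * @param z2 {@code true} selects the client validator, {@code false} the server validator
     * @return the cached or newly created validator
     * @throws IllegalArgumentException if the chain or the authentication type is null or empty
     */
    private Validator checkTrustedInit(X509Certificate[] x509CertificateArr, String str, boolean z2) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("null or zero-length certificate chain");
        }
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("null or zero-length authentication type");
        }

        // Double-checked locking on the volatile fields: the unsynchronized read is the fast
        // path, the second read under the lock prevents creating the validator twice.
        Validator validator;
        if (z2) {
            validator = this.clientValidator;
            if (validator == null) {
                synchronized (this) {
                    validator = this.clientValidator;
                    if (validator == null) {
                        validator = getValidator(Validator.VAR_TLS_CLIENT);
                        this.clientValidator = validator;
                    }
                }
            }
        } else {
            validator = this.serverValidator;
            if (validator == null) {
                synchronized (this) {
                    validator = this.serverValidator;
                    if (validator == null) {
                        validator = getValidator(Validator.VAR_TLS_SERVER);
                        this.serverValidator = validator;
                    }
                }
            }
        }
        return validator;
    }

    /**
     * Returns the ASCII form of the first host-name entry in an SNI list.
     *
     * <p>Reconstructed from the bytecode listing the decompiler emitted when it could not
     * restructure this method. Only the first entry of type {@code SNI_HOST_NAME} is
     * considered: if it cannot be decoded as an {@link SNIHostName} the result is
     * {@code null}, and later entries are not examined.
     *
     * @param sniNames server names requested by the peer
     * @return the host name, or {@code null} if there is no usable host-name entry
     */
    private static String getHostNameInSNI(List<SNIServerName> sniNames) {
        for (SNIServerName sniName : sniNames) {
            if (sniName.getType() != StandardConstants.SNI_HOST_NAME) {
                continue;
            }
            if (sniName instanceof SNIHostName) {
                return ((SNIHostName) sniName).getAsciiName();
            }
            try {
                // Generic SNIServerName: re-parse its encoded bytes as a host name.
                return new SNIHostName(sniName.getEncoded()).getAsciiName();
            } catch (IllegalArgumentException e) {
                // A malformed name is treated as "no SNI host name", not as a handshake error;
                // the caller then falls back to the session's peer host.
                if (isLogging()) {
                    SSLLogger.fine("Illegal server name: " + sniName, new Object[0]);
                }
                return null;
            }
        }
        return null;
    }

    /**
     * Returns the server names requested on a socket's handshake session.
     *
     * @param socket socket to inspect; may be {@code null}
     * @return the requested names, or an empty list when the socket is {@code null}, not
     *     connected, or not an {@code org.openjsse.javax.net.ssl.SSLSocket}
     */
    public static List<SNIServerName> getRequestedServerNames(Socket socket) {
        if (socket != null && socket.isConnected() && (socket instanceof SSLSocket)) {
            return getRequestedServerNames(((SSLSocket) socket).getHandshakeSession());
        }
        return Collections.emptyList();
    }

    /**
     * Returns the server names requested on an engine's handshake session.
     *
     * @param sSLEngine engine to inspect; may be {@code null}
     * @return the requested names, or an empty list when the engine is {@code null}
     */
    public static List<SNIServerName> getRequestedServerNames(SSLEngine sSLEngine) {
        if (sSLEngine == null) {
            return Collections.emptyList();
        }
        return getRequestedServerNames(sSLEngine.getHandshakeSession());
    }

    /**
     * Returns the requested server names of a session, or an empty list when the session is
     * {@code null} or not an {@link ExtendedSSLSession}.
     */
    private static List<SNIServerName> getRequestedServerNames(SSLSession sSLSession) {
        if (sSLSession instanceof ExtendedSSLSession) {
            return ((ExtendedSSLSession) sSLSession).getRequestedServerNames();
        }
        return Collections.emptyList();
    }

    /**
     * Builds a validator of this object's type for the given variant.
     *
     * @param str validator variant, e.g. {@code Validator.VAR_TLS_SERVER}
     * @return a validator backed by the PKIX parameters when present, else by the trusted
     *     certificate collection
     */
    private Validator getValidator(String str) {
        PKIXBuilderParameters params = this.pkixParams;
        if (params != null) {
            return Validator.getInstance(this.validatorType, str, params);
        }
        return Validator.getInstance(this.validatorType, str, this.trustedCerts);
    }

    /**
     * Runs chain validation between {@code JsseJce.beginFipsProvider()} and
     * {@code JsseJce.endFipsProvider(..)}.
     *
     * @param validator validator to use
     * @param x509CertificateArr chain to validate
     * @param list status responses to hand to the validator (may be empty)
     * @param algorithmConstraints algorithm constraints, or {@code null} for none
     * @param str authentication type, or {@code null}
     * @return the chain returned by the validator
     * @throws CertificateException if the validator rejects the chain
     */
    private static X509Certificate[] validate(Validator validator, X509Certificate[] x509CertificateArr, List<byte[]> list, AlgorithmConstraints algorithmConstraints, String str)
            throws CertificateException {
        Object fipsToken = JsseJce.beginFipsProvider();
        try {
            // The second argument is always null here.
            // NOTE(review): presumably the "other certificates" parameter; confirm against Validator.
            return validator.validate(x509CertificateArr, null, list, algorithmConstraints, str);
        } finally {
            // Always paired with beginFipsProvider(), including when validation throws.
            JsseJce.endFipsProvider(fipsToken);
        }
    }

    /**
     * Validates a client chain without connection context: no algorithm constraints and no
     * endpoint identification are applied.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (Socket) null, true);
    }

    /** Validates a client chain in the context of {@code socket}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket)
            throws CertificateException {
        checkTrusted(x509CertificateArr, str, socket, true);
    }

    /** Validates a client chain in the context of {@code sSLEngine}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine)
            throws CertificateException {
        checkTrusted(x509CertificateArr, str, sSLEngine, true);
    }

    /**
     * Validates a server chain without connection context: no algorithm constraints, no status
     * responses and no host-name verification are applied, so a caller relying on this overload
     * has to verify the host name itself.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkTrusted(x509CertificateArr, str, (Socket) null, false);
    }

    /** Validates a server chain in the context of {@code socket}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket)
            throws CertificateException {
        checkTrusted(x509CertificateArr, str, socket, false);
    }

    /** Validates a server chain in the context of {@code sSLEngine}. */
    @Override // javax.net.ssl.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine)
            throws CertificateException {
        checkTrusted(x509CertificateArr, str, sSLEngine, false);
    }

    /**
     * Returns a fresh array holding the trusted certificates.
     *
     * @return a new array; modifying it does not affect this trust manager
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustedCerts.toArray(new X509Certificate[0]);
    }
}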
