package org.conscrypt;

import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes4.dex */
public final class TrustManagerImpl implements X509TrustManager {
    private final X509Certificate[] acceptedIssuers;
    private final Exception err;
    private final CertificateFactory factory;
    private CertPinManager pinManager;
    private final KeyStore rootKeyStore;
    private final TrustedCertificateIndex trustedCertificateIndex;
    private final TrustedCertificateStore trustedCertificateStore;
    private final CertPathValidator validator;

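    /**
     * PKIX path checker that enforces the Extended Key Usage (EKU) extension on the end-entity
     * certificate of a chain and ignores every other certificate.
     *
     * <p>Decompiler notes: JADX widened this class from {@code private}, and {@link #check} was
     * rebuilt by hand from the JADX instruction dump because the tool could not restructure it.
     */
    public static class a extends PKIXCertPathChecker {
        /** OID of the extendedKeyUsage certificate extension. */
        private static final String EKU_OID = "2.5.29.37";
        /** anyExtendedKeyUsage: accepted for both client and server authentication. */
        private static final String EKU_ANY = "2.5.29.37.0";
        /** id-kp-clientAuth. */
        private static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";
        /** id-kp-serverAuth. */
        private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
        /** Netscape Server Gated Crypto, accepted as a server purpose. */
        private static final String EKU_NS_SGC = "2.16.840.1.113730.4.1";
        /** Microsoft Server Gated Crypto, accepted as a server purpose. */
        private static final String EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";

        private static final Set<String> SUPPORTED_EXTENSIONS =
                Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(EKU_OID)));

        /** {@code true} to require a client-auth purpose, {@code false} for a server purpose. */
        private final boolean clientAuth;
        /** The end-entity certificate; the only certificate this checker inspects. */
        private final X509Certificate leaf;

        private a(boolean z, X509Certificate x509Certificate) {
            this.clientAuth = z;
            this.leaf = x509Certificate;
        }

        /**
         * Rejects the end-entity certificate when it carries an EKU extension that lists no
         * acceptable purpose, and marks the EKU extension as resolved otherwise.
         *
         * @param cert certificate currently being processed by the validator
         * @param unresolvedCritExts critical extension OIDs not yet handled; the EKU OID is
         *     removed from it once the extension has been accepted
         * @throws CertPathValidatorException if the EKU extension cannot be parsed or lists no
         *     acceptable purpose
         */
        @Override // java.security.cert.PKIXCertPathChecker
        public void check(java.security.cert.Certificate cert, java.util.Collection<String> unresolvedCritExts) throws CertPathValidatorException {
            // Reference comparison, as in the bytecode: only the exact leaf instance is checked,
            // so CA certificates in the path are never subject to this EKU policy.
            if (cert != this.leaf) {
                return;
            }
            List<String> ekuOids;
            try {
                ekuOids = this.leaf.getExtendedKeyUsage();
            } catch (java.security.cert.CertificateParsingException e) {
                throw new CertPathValidatorException(e);
            }
            // No EKU extension at all means the certificate is not restricted to any purpose.
            if (ekuOids == null) {
                return;
            }
            boolean accepted = false;
            for (String oid : ekuOids) {
                if (oid.equals(EKU_ANY)) {
                    accepted = true;
                    break;
                }
                if (this.clientAuth) {
                    if (oid.equals(EKU_CLIENT_AUTH)) {
                        accepted = true;
                        break;
                    }
                    continue;
                }
                if (oid.equals(EKU_SERVER_AUTH) || oid.equals(EKU_NS_SGC) || oid.equals(EKU_MS_SGC)) {
                    accepted = true;
                    break;
                }
            }
            if (!accepted) {
                throw new CertPathValidatorException("End-entity certificate does not have a valid extendedKeyUsage.");
            }
            // Tell the validator the critical EKU extension has been dealt with.
            unresolvedCritExts.remove(EKU_OID);
        }

        /** Returns the single extension OID this checker handles (extendedKeyUsage). */
        @Override // java.security.cert.PKIXCertPathChecker
        public Set<String> getSupportedExtensions() {
            return SUPPORTED_EXTENSIONS;
        }

        /** No per-validation state to reset. */
        @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
        public void init(boolean z) throws CertPathValidatorException {
        }

        /** Always reports forward checking as supported. */
        @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
        public boolean isForwardCheckingSupported() {
            return true;
        }
    }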

    /**
     * Creates a trust manager over {@code keyStore} without a caller-supplied pin manager; the
     * two-argument constructor then builds its own.
     *
     * @param keyStore source of trusted certificates
     */
    public TrustManagerImpl(KeyStore keyStore) {
        this(keyStore, (CertPinManager) null);
    }

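    /**
     * Creates a trust manager over {@code keyStore}, optionally with a caller-supplied pin manager.
     *
     * <p>Rebuilt by hand from the JADX instruction dump, which the decompiler could not
     * restructure. Any exception raised while setting up the validator, certificate factory or
     * trust anchors is stored in {@code err} rather than thrown; {@code checkTrusted} rethrows it
     * as a {@link java.security.cert.CertificateException}, so a broken instance rejects every
     * chain instead of accepting one.
     *
     * @param keyStore source of trusted certificates; a store of type {@code "AndroidCAStore"} is
     *     backed by {@link TrustedCertificateStore}, any other store is read once into
     *     {@code acceptedIssuers}
     * @param manager pin manager to use, or {@code null} to create one from the certificate store
     * @throws SecurityException if no pin manager was supplied and one cannot be created
     */
    public TrustManagerImpl(KeyStore keyStore, CertPinManager manager) {
        CertPathValidator validatorLocal = null;
        CertificateFactory factoryLocal = null;
        KeyStore rootKeyStoreLocal = null;
        TrustedCertificateStore storeLocal = null;
        TrustedCertificateIndex indexLocal = null;
        X509Certificate[] issuersLocal = null;
        Exception errLocal = null;
        try {
            validatorLocal = CertPathValidator.getInstance("PKIX");
            factoryLocal = CertificateFactory.getInstance("X509");
            if ("AndroidCAStore".equals(keyStore.getType())) {
                // Anchors are looked up lazily in the certificate store and cached in the index.
                rootKeyStoreLocal = keyStore;
                storeLocal = new TrustedCertificateStore();
                indexLocal = new TrustedCertificateIndex();
            } else {
                // Anchors are fixed to the certificates present in the key store right now.
                issuersLocal = acceptedIssuers(keyStore);
                indexLocal = new TrustedCertificateIndex(trustAnchors(issuersLocal));
            }
        } catch (Exception e) {
            // Deferred: values assigned before the failure are kept, the rest stay null.
            errLocal = e;
        }

        if (manager != null) {
            this.pinManager = manager;
        } else {
            try {
                this.pinManager = new CertPinManager(storeLocal);
            } catch (o e) {
                throw new SecurityException("Could not initialize CertPinManager", e);
            }
        }

        this.rootKeyStore = rootKeyStoreLocal;
        this.trustedCertificateStore = storeLocal;
        this.validator = validatorLocal;
        this.factory = factoryLocal;
        this.trustedCertificateIndex = indexLocal;
        this.acceptedIssuers = issuersLocal;
        this.err = errLocal;
    }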

    /**
     * Collects every certificate entry of {@code keyStore} into an array.
     *
     * @param keyStore key store to enumerate
     * @return the certificates found, or an empty array if the key store cannot be read
     */
    private static X509Certificate[] acceptedIssuers(KeyStore keyStore) {
        List<X509Certificate> issuers = new ArrayList<X509Certificate>();
        try {
            for (Enumeration<String> names = keyStore.aliases(); names.hasMoreElements(); ) {
                String alias = names.nextElement();
                // Aliases without a certificate (e.g. key-only entries) yield null and are skipped.
                X509Certificate candidate = (X509Certificate) keyStore.getCertificate(alias);
                if (candidate == null) {
                    continue;
                }
                issuers.add(candidate);
            }
        } catch (KeyStoreException ignored) {
            // Best effort: an unreadable store is reported as "no accepted issuers".
            return new X509Certificate[0];
        }
        return issuers.toArray(new X509Certificate[issuers.size()]);
    }

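    /**
     * Validates a peer certificate chain and returns the chain that was trusted.
     *
     * <p>Steps, in order: reorder and truncate the presented chain, extend it with known trust
     * anchors, apply the pin check (only when {@code str2} is non-null), then run PKIX path
     * validation with the EKU checker.
     *
     * @param x509CertificateArr certificates presented by the peer, leaf first
     * @param str must be non-empty; not otherwise used here (presumably the auth type)
     * @param str2 value handed to the pin manager (presumably the host name); {@code null}
     *     disables the pin check
     * @param z {@code true} to require a client-auth EKU on the leaf, {@code false} for a server
     *     EKU
     * @return the cleaned-up chain followed by the trust anchors found for it
     * @throws IllegalArgumentException if the chain or {@code str} is null or empty
     * @throws CertificateException if construction failed earlier, the chain is not pinned, no
     *     trust anchor is found, or PKIX validation fails
     */
    private List<X509Certificate> checkTrusted(X509Certificate[] x509CertificateArr, String str, String str2, boolean z) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0 || str == null || str.length() == 0) {
            throw new IllegalArgumentException("null or zero-length parameter");
        }
        // A failure recorded by the constructor makes every check fail rather than pass.
        if (this.err != null) {
            throw new CertificateException(this.err);
        }
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        X509Certificate[] newChain = cleanupCertChainAndFindTrustAnchors(x509CertificateArr, anchors);

        List<X509Certificate> wholeChain = new ArrayList<X509Certificate>();
        wholeChain.addAll(Arrays.asList(newChain));
        for (TrustAnchor anchor : anchors) {
            wholeChain.add(anchor.getTrustedCert());
        }

        // Keep appending known issuers until none is found or a self-issued anchor is reached.
        // The decompiled loop had lost its exit; it is restored as the negation of the
        // "append and continue" condition.
        X509Certificate last = wholeChain.get(wholeChain.size() - 1);
        while (true) {
            TrustAnchor cached = this.trustedCertificateIndex.findByIssuerAndSignature(last);
            if (cached == null) {
                break;
            }
            X509Certificate next = cached.getTrustedCert();
            if (next == last) {
                break;
            }
            wholeChain.add(next);
            last = next;
        }

        CertPath generateCertPath = this.factory.generateCertPath(Arrays.asList(newChain));
        // Pinning is evaluated against the extended chain and only when a pin target was given;
        // the two-argument X509TrustManager entry points pass null and therefore skip it.
        if (str2 != null) {
            try {
                if (this.pinManager.chainIsNotPinned(str2, wholeChain)) {
                    throw new CertificateException(new CertPathValidatorException("Certificate path is not properly pinned.", null, generateCertPath, -1));
                }
            } catch (o e) {
                throw new CertificateException(e);
            }
        }
        // An empty cleaned-up chain means the leaf itself is a trust anchor: it is accepted
        // without PKIX validation, the EKU check or the chain-strength check below.
        if (newChain.length == 0) {
            return wholeChain;
        }
        if (anchors.isEmpty()) {
            throw new CertificateException(new CertPathValidatorException("Trust anchor for certification path not found.", null, generateCertPath, -1));
        }
        ChainStrengthAnalyzer.check(newChain);
        try {
            PKIXParameters pKIXParameters = new PKIXParameters(anchors);
            // Revocation (CRL/OCSP) is not consulted by this validation; a revoked certificate
            // that still chains to an anchor is not rejected here.
            pKIXParameters.setRevocationEnabled(false);
            pKIXParameters.addCertPathChecker(new a(z, newChain[0]));
            this.validator.validate(generateCertPath, pKIXParameters);
            // Index the validated non-leaf certificates so later lookups can find them.
            for (int i = 1; i < newChain.length; i++) {
                this.trustedCertificateIndex.index(newChain[i]);
            }
            return wholeChain;
        } catch (InvalidAlgorithmParameterException e2) {
            throw new CertificateException(e2);
        } catch (CertPathValidatorException e3) {
            throw new CertificateException(e3);
        }
    }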

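    /**
     * Puts the presented chain into issuer order, finds a trust anchor for it and cuts the chain
     * off just before that anchor.
     *
     * <p>Ordering compares issuer and subject names only; no signature is verified in this
     * method. The input array is never modified: a clone is made before the first swap.
     *
     * @param x509CertificateArr certificates presented by the peer, leaf first, possibly with the
     *     rest out of order or with unrelated extras
     * @param set receives the trust anchor found for the chain, if any
     * @return the ordered chain without the anchor and without anything after it; empty when the
     *     leaf itself is a trust anchor
     */
    private X509Certificate[] cleanupCertChainAndFindTrustAnchors(X509Certificate[] x509CertificateArr, Set<TrustAnchor> set) {
        X509Certificate[] chain = x509CertificateArr;

        // 1. Order the chain: for each position, pull the certificate whose subject matches the
        // current issuer into the next slot. Stop at the first certificate with no issuer in the
        // array. (The decompiled inner loop had lost its break after a match.)
        int currIndex;
        for (currIndex = 0; currIndex < chain.length; currIndex++) {
            boolean foundNext = false;
            for (int nextIndex = currIndex + 1; nextIndex < chain.length; nextIndex++) {
                if (chain[currIndex].getIssuerDN().equals(chain[nextIndex].getSubjectDN())) {
                    foundNext = true;
                    if (nextIndex != currIndex + 1) {
                        if (chain == x509CertificateArr) {
                            chain = x509CertificateArr.clone();
                        }
                        X509Certificate swapped = chain[nextIndex];
                        chain[nextIndex] = chain[currIndex + 1];
                        chain[currIndex + 1] = swapped;
                    }
                    break;
                }
            }
            if (!foundNext) {
                break;
            }
        }

        // 2. Look for the first certificate of the ordered prefix that is itself a trust anchor.
        int anchorIndex;
        for (anchorIndex = 0; anchorIndex <= currIndex; anchorIndex++) {
            TrustAnchor anchor = findTrustAnchorBySubjectAndPublicKey(chain[anchorIndex]);
            if (anchor != null) {
                set.add(anchor);
                break;
            }
        }

        // 3. Drop the anchor and everything behind it, including certificates that did not link
        // into the ordered prefix.
        X509Certificate[] newChain = (anchorIndex == chain.length) ? chain : Arrays.copyOf(chain, anchorIndex);

        // 4. No anchor inside the chain: look for an anchor that issued its last certificate.
        if (set.isEmpty()) {
            TrustAnchor issuerAnchor = findTrustAnchorByIssuerAndSignature(newChain[anchorIndex - 1]);
            if (issuerAnchor != null) {
                set.add(issuerAnchor);
            }
        }
        return newChain;
    }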

    /**
     * Finds a trust anchor that issued {@code x509Certificate}, consulting the in-memory index
     * first and the certificate store second.
     *
     * @param x509Certificate certificate whose issuer is wanted
     * @return the issuing anchor, or {@code null} if neither source has one
     */
    private TrustAnchor findTrustAnchorByIssuerAndSignature(X509Certificate x509Certificate) {
        TrustAnchor indexed = this.trustedCertificateIndex.findByIssuerAndSignature(x509Certificate);
        if (indexed != null) {
            return indexed;
        }
        // No backing store (non-AndroidCAStore key store): the index is the only source.
        if (this.trustedCertificateStore == null) {
            return null;
        }
        X509Certificate issuer = this.trustedCertificateStore.findIssuer(x509Certificate);
        if (issuer == null) {
            return null;
        }
        // Add the store's issuer to the index and return the resulting anchor.
        return this.trustedCertificateIndex.index(issuer);
    }

    /**
     * Checks whether {@code x509Certificate} is itself a trust anchor, consulting the in-memory
     * index first and the certificate store second.
     *
     * @param x509Certificate certificate to look up
     * @return the matching anchor, or {@code null} if the certificate is not a trust anchor
     */
    private TrustAnchor findTrustAnchorBySubjectAndPublicKey(X509Certificate x509Certificate) {
        TrustAnchor indexed = this.trustedCertificateIndex.findBySubjectAndPublicKey(x509Certificate);
        if (indexed != null) {
            return indexed;
        }
        boolean storeTrustsIt = this.trustedCertificateStore != null
                && this.trustedCertificateStore.isTrustAnchor(x509Certificate);
        if (!storeTrustsIt) {
            return null;
        }
        // The store vouches for it: add it to the index and return the resulting anchor.
        return this.trustedCertificateIndex.index(x509Certificate);
    }

    /**
     * Wraps each certificate in a {@link TrustAnchor} with no name constraints.
     *
     * @param x509CertificateArr certificates to treat as trust anchors
     * @return a new mutable set holding one anchor per certificate
     */
    private static Set<TrustAnchor> trustAnchors(X509Certificate[] x509CertificateArr) {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>(x509CertificateArr.length);
        for (int i = 0; i < x509CertificateArr.length; i++) {
            TrustAnchor anchor = new TrustAnchor(x509CertificateArr[i], null);
            anchors.add(anchor);
        }
        return anchors;
    }

    /**
     * Validates a client certificate chain. The leaf must satisfy the client-auth EKU policy;
     * no pin target is passed, so {@code checkTrusted} skips the pin check.
     *
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        final String noPinTarget = null;
        final boolean clientAuth = true;
        checkTrusted(x509CertificateArr, str, noPinTarget, clientAuth);
    }

    /**
     * Validates a server certificate chain and, because {@code str2} is forwarded as the pin
     * target, is the only public entry point that can enforce certificate pinning.
     *
     * @param str2 pin target handed to the pin manager (presumably the host name); a
     *     {@code null} value disables the pin check
     * @return the trusted chain as built by {@code checkTrusted}
     * @throws CertificateException if the chain is not trusted or not pinned
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] x509CertificateArr, String str, String str2) throws CertificateException {
        final boolean clientAuth = false;
        List<X509Certificate> trustedChain = checkTrusted(x509CertificateArr, str, str2, clientAuth);
        return trustedChain;
    }

    /**
     * Validates a server certificate chain through the standard {@code X509TrustManager}
     * signature. No pin target is passed, so {@code checkTrusted} skips the pin check; callers
     * that rely on pinning need the three-argument overload.
     *
     * @throws CertificateException if the chain is not trusted
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        final String noPinTarget = null;
        final boolean clientAuth = false;
        checkTrusted(x509CertificateArr, str, noPinTarget, clientAuth);
    }

    /**
     * Returns the certificates this trust manager accepts as issuers.
     *
     * @return a copy of the cached issuer array when one was built at construction time,
     *     otherwise a fresh enumeration of the root key store
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        if (this.acceptedIssuers == null) {
            return acceptedIssuers(this.rootKeyStore);
        }
        // Defensive copy so callers cannot alter the cached array.
        X509Certificate[] copy = (X509Certificate[]) this.acceptedIssuers.clone();
        return copy;
    }

    /**
     * Resets the in-memory trust anchor index. With a fixed issuer list the index is rebuilt
     * from that list; otherwise it is simply emptied.
     */
    public void handleTrustStorageUpdate() {
        if (this.acceptedIssuers != null) {
            Set<TrustAnchor> fixedAnchors = trustAnchors(this.acceptedIssuers);
            this.trustedCertificateIndex.reset(fixedAnchors);
            return;
        }
        this.trustedCertificateIndex.reset();
    }
}
