package com.tomtom.navcloud.common.security;

import com.tomtom.navcloud.common.Logger;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
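/**
 * Base class for trust managers that combine public-key pinning with
 * validation by a list of delegate {@link X509TrustManager}s.
 *
 * <p>This class provides the two building blocks, {@link #checkPinning} and
 * the {@code checkSystemTrust} overloads. Subclasses decide how to combine
 * them by implementing the {@code checkTrust} overloads, which every
 * {@code checkServerTrusted} entry point calls. Client certificate
 * validation is not supported.
 *
 * <p>NOTE(review): this listing is decompiler output. The decompiler marked
 * several members as originally {@code protected} and dropped the
 * {@code throws CertificateException} clauses, without which the class does
 * not compile; the clauses are restored here.
 */
public abstract class BasePinningTrustManager implements X509TrustManager {
    private final X509CertificateChainNormaliser chainNormaliser;
    private final List<X509TrustManager> delegateTrustManagers;
    private final Set<SubjectPublicKeyInfo> pinnedAuthorities;

    /**
     * Creates a pinning trust manager.
     *
     * <p>Both collections are stored by reference, not copied, so a caller
     * that mutates them afterwards changes the pin set or the delegate list
     * of a live trust manager.
     *
     * @param pinnedAuthorities public keys a presented chain must contain
     * @param delegateTrustManagers trust managers consulted by {@code checkSystemTrust}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public BasePinningTrustManager(Set<SubjectPublicKeyInfo> pinnedAuthorities, List<X509TrustManager> delegateTrustManagers) {
        if (pinnedAuthorities == null) {
            throw new IllegalArgumentException("Authorities must not be null");
        }
        if (delegateTrustManagers == null) {
            throw new IllegalArgumentException("Delegate trust managers must not be null");
        }
        this.pinnedAuthorities = pinnedAuthorities;
        this.delegateTrustManagers = delegateTrustManagers;
        // getLogger() is abstract and runs before the subclass constructor body,
        // so implementations must not rely on subclass instance state here.
        this.chainNormaliser = new X509CertificateChainNormaliser(TrustedRootsKeyStore.getInstance().getTrustedRootsData(), getLogger());
    }

    /**
     * Returns the subject distinguished name of every certificate in the chain,
     * in chain order.
     *
     * @param chain certificate chain; must not be {@code null} or contain {@code null}
     * @return one subject DN string per certificate
     */
    public static String[] getChainNames(X509Certificate[] chain) {
        String[] names = new String[chain.length];
        for (int i = 0; i < names.length; i++) {
            names[i] = chain[i].getSubjectDN().getName();
        }
        return names;
    }

    /**
     * Builds the platform-default trust managers backed by the given key store.
     *
     * @param keyStore source of trust anchors passed to {@link TrustManagerFactory#init(KeyStore)}
     * @return the trust managers produced by the default algorithm
     * @throws RuntimeException if the default algorithm is unavailable or the key store cannot be used
     */
    public static TrustManager[] getSystemTrustManagers(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            return factory.getTrustManagers();
        } catch (KeyStoreException e) {
            throw new RuntimeException("Error loading trusted roots.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Error initializing trust managers.", e);
        }
    }

    /** Reports whether the certificate's public key is one of the pinned authorities. */
    private boolean isValidPin(X509Certificate certificate) {
        return this.pinnedAuthorities.contains(SubjectPublicKeyInfo.valueOf(certificate));
    }

    /** Rejects a missing or empty chain before any validation is attempted. */
    private static void requireNonEmptyChain(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("Chain is empty");
        }
    }

    /** Records, at debug level only, that a delegate rejected the chain. */
    private void logDelegateRejection(X509TrustManager delegate, CertificateException cause) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Chain not valid according to delegate: ".concat(String.valueOf(delegate)), cause);
        }
    }

    /** Always throws: client certificate validation is not supported. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        throw new UnsupportedOperationException("Client certificate validation is not supported.");
    }

    /** Always throws: client certificate validation is not supported. */
    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
        throw new UnsupportedOperationException("Client certificate validation is not supported.");
    }

    /** Always throws: client certificate validation is not supported. */
    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
        throw new UnsupportedOperationException("Client certificate validation is not supported.");
    }

    /**
     * Requires at least one certificate of the normalised chain to carry a
     * pinned public key.
     *
     * <p>This is a pin match only. It does not verify signatures, validity
     * periods or revocation, so on its own it does not establish that the
     * chain is trustworthy; pair it with {@code checkSystemTrust}.
     *
     * @param chain chain presented by the peer
     * @throws CertificateException if no certificate in the normalised chain is pinned
     */
    public void checkPinning(X509Certificate[] chain) throws CertificateException {
        Iterator<X509Certificate> it = this.chainNormaliser.normalise(chain).iterator();
        while (it.hasNext()) {
            if (isValidPin(it.next())) {
                return;
            }
        }
        throw new CertificateException("Certificate is not signed by an approved authority.");
    }

    /**
     * Validates a server chain through {@link #checkTrust(X509Certificate[], String)}.
     *
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if validation fails, or wrapping any unexpected checked failure
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireNonEmptyChain(chain);
        try {
            checkTrust(chain, authType);
        } catch (Error e) {
            throw e;
        } catch (RuntimeException e) {
            throw e;
        } catch (CertificateException e) {
            throw e;
        } catch (Throwable th) {
            // Anything else is reported as a validation failure rather than escaping untyped.
            throw new CertificateException("Unexpected validation error", th);
        }
    }

    /**
     * Validates a server chain through {@link #checkTrust(X509Certificate[], String, Socket)}.
     *
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if validation fails, or wrapping any unexpected checked failure
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        requireNonEmptyChain(chain);
        try {
            checkTrust(chain, authType, socket);
        } catch (Error e) {
            throw e;
        } catch (RuntimeException e) {
            throw e;
        } catch (CertificateException e) {
            throw e;
        } catch (Throwable th) {
            throw new CertificateException("Unexpected validation error", th);
        }
    }

    /**
     * Validates a server chain through
     * {@link #checkTrust(X509Certificate[], String, String)}, using the engine's
     * peer host as the host name.
     *
     * @param engine must not be {@code null}; a {@code null} engine raises {@link NullPointerException}
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if validation fails, or wrapping any unexpected checked failure
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        requireNonEmptyChain(chain);
        try {
            checkTrust(chain, authType, engine.getPeerHost());
        } catch (Error e) {
            throw e;
        } catch (RuntimeException e) {
            throw e;
        } catch (CertificateException e) {
            throw e;
        } catch (Throwable th) {
            throw new CertificateException("Unexpected validation error", th);
        }
    }

    /**
     * Accepts the chain as soon as one delegate trust manager accepts it.
     *
     * <p>When {@code host} is non-empty, each delegate is asked through its
     * public {@code checkServerTrusted(X509Certificate[], String, String)}
     * method, looked up reflectively. A delegate that lacks the method, or
     * whose host-aware check fails, counts as a rejection and the next
     * delegate is tried. When {@code host} is {@code null} or empty, the
     * standard two-argument check is used instead.
     *
     * <p>The decompiled body differed in two ways: a failed host-aware check
     * was logged and then followed by the host-unaware check on the same
     * delegate, which silently downgraded validation; and a rejection by the
     * first delegate ended the loop. Both may be decompiler control-flow
     * artefacts. The logic now mirrors the {@link Socket} overload and fails
     * closed.
     *
     * @param chain chain presented by the peer
     * @param authType key exchange algorithm passed to the delegate
     * @param host peer host name, or {@code null}/empty when unknown
     * @throws CertificateException if no delegate accepts the chain
     */
    public void checkSystemTrust(X509Certificate[] chain, String authType, String host) throws CertificateException {
        boolean hostAware = host != null && host.length() != 0;
        for (X509TrustManager delegate : this.delegateTrustManagers) {
            try {
                if (hostAware) {
                    try {
                        delegate.getClass().getMethod("checkServerTrusted", X509Certificate[].class, String.class, String.class).invoke(delegate, chain, authType, host);
                    } catch (Exception e) {
                        // Covers a missing method and a rejection alike: never fall back to the host-unaware check.
                        throw new CertificateException("Failed to validate: host-aware checkServerTrusted error.", e);
                    }
                } else {
                    delegate.checkServerTrusted(chain, authType);
                }
                return;
            } catch (CertificateException e) {
                logDelegateRejection(delegate, e);
            }
        }
        throw new CertificateException("Certificate chain is not trusted.");
    }

    /**
     * Accepts the chain as soon as one delegate trust manager accepts it.
     *
     * <p>With a non-null socket, each delegate is asked through its public
     * {@code checkServerTrusted(X509Certificate[], String, Socket)} method,
     * looked up reflectively. A delegate that lacks the method, or whose
     * check fails, counts as a rejection. With a {@code null} socket the
     * standard two-argument check is used.
     *
     * @param chain chain presented by the peer
     * @param authType key exchange algorithm passed to the delegate
     * @param socket connection socket, or {@code null}
     * @throws CertificateException if no delegate accepts the chain
     */
    public void checkSystemTrust(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        for (X509TrustManager delegate : this.delegateTrustManagers) {
            try {
                if (socket == null) {
                    delegate.checkServerTrusted(chain, authType);
                } else {
                    try {
                        delegate.getClass().getMethod("checkServerTrusted", X509Certificate[].class, String.class, Socket.class).invoke(delegate, chain, authType, socket);
                    } catch (Exception e) {
                        throw new CertificateException("Failed to validate: host-aware checkServerTrusted error.", e);
                    }
                }
                return;
            } catch (CertificateException e) {
                logDelegateRejection(delegate, e);
            }
        }
        throw new CertificateException("Certificate chain is not trusted.");
    }

    /**
     * Subclass policy for a chain with no connection context.
     *
     * @throws CertificateException if the chain is rejected
     */
    protected abstract void checkTrust(X509Certificate[] chain, String authType) throws CertificateException;

    /**
     * Subclass policy for a chain with a known peer host name.
     *
     * @throws CertificateException if the chain is rejected
     */
    protected abstract void checkTrust(X509Certificate[] chain, String authType, String host) throws CertificateException;

    /**
     * Subclass policy for a chain received on a socket.
     *
     * @throws CertificateException if the chain is rejected
     */
    protected abstract void checkTrust(X509Certificate[] chain, String authType, Socket socket) throws CertificateException;

    /**
     * Returns an empty array: this trust manager advertises no issuers.
     *
     * <p>The {@link X509TrustManager} contract requires a non-null array, and
     * TLS stacks that iterate the result would fail on the {@code null} the
     * decompiled code returned.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /** Supplies the logger used for construction and for delegate-rejection diagnostics. */
    protected abstract Logger getLogger();
}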
