package com.paypal.android.foundation.core.certpinning;

import android.support.annotation.Nullable;
import android.support.annotation.VisibleForTesting;
import android.util.Base64;
import com.paypal.android.foundation.core.DesignByContract;
import com.paypal.android.foundation.core.FoundationCore;
import com.paypal.android.foundation.core.certpinning.operation.PinningTrustCertReportingOperation;
import com.paypal.android.foundation.core.log.DebugLogger;
import com.paypal.android.foundation.core.message.FailureMessage;
import com.paypal.android.foundation.core.operations.OperationListener;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes2.dex */
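/**
 * {@link X509TrustManager} that layers public-key pinning on top of platform trust validation.
 *
 * <p>For a server chain, {@link #checkServerTrusted} first runs the system trust managers, then
 * either accepts the chain because one of its certificates names a whitelisted server, or requires
 * that at least one certificate's public-key digest matches an entry of {@link #PINS}. Pinning
 * failures are reported through the configured {@link PinningTrustCertReportingOperation}.
 *
 * <p>Client certificates are rejected unconditionally.
 */
public class PinningTrustManager implements X509TrustManager {
    private static final String FAILURE_CERT_CHAIN_CLEANSING = "FAILED CERT CHAIN CLEANSING";
    private static final String FAILURE_CERT_PINNING = "FAILED CERT PINNING";
    private static final DebugLogger L = DebugLogger.getLogger(PinningTrustManager.class);

    // Hex-encoded digests compared against the digest of each certificate's encoded public key
    // (see getPinFromCertificate).
    // NOTE(review): this is a public, mutable array. Any code in the process can overwrite an
    // element before a PinningTrustManager is constructed and thereby change the pin set. It is
    // kept public here because it is part of the class's visible interface; consider exposing an
    // unmodifiable copy instead.
    public static final String[] PINS = {"25b41b506e4930952823a6eb9f1d31def645ea38a5c6c6a96d71957e384df058", "5a889647220e54d6bd8a16817224520bb5c78e58984bd570506388b9de0f075f", "967b0cd93fcef7f27ce2c245767ae9b05a776b0649f9965b6290968469686872", "59df317bfa9f4f0ab7ca514d7772296aa2c765b87664d08b96e57399e364729c", "8bb593a93be1d0e8a822bb887c547890c3e706aad2dab76254f97fb36b82fc26"};

    // DNS names that exempt a chain from the pin check. Set at most once; stored as a private,
    // unmodifiable snapshot.
    private static List<String> mServerWhiteList;
    private PinningTrustCertReportingOperation mPinningTrustCertReportingOperation;
    // Decoded form of PINS, filled in by the constructor.
    private final List<byte[]> mPins = new LinkedList<>();
    // Certificates that already passed validation; a hit on chain[0] skips all further checks.
    private final Set<X509Certificate> cache = Collections.synchronizedSet(new HashSet<X509Certificate>());
    private SystemKeyStore mSystemKeyStore = SystemKeyStore.getInstance();
    private TrustManager[] mSystemTrustManagers = initializeSystemTrustManagers(this.mSystemKeyStore);

    /**
     * Decodes every entry of {@link #PINS} and picks up the reporting operation from
     * {@link FoundationCore}.
     *
     * @throws IllegalArgumentException if an entry of {@link #PINS} is not a valid hex string
     */
    public PinningTrustManager() {
        for (String str : PINS) {
            this.mPins.add(hexStringToByteArray(str));
        }
        this.mPinningTrustCertReportingOperation = FoundationCore.getPinningTrustCertReportingOperation();
    }

    /**
     * Base64-encodes the DER form of every certificate in the chain, in chain order.
     *
     * @throws CertificateEncodingException if a certificate cannot be encoded
     */
    private ArrayList<String> certChainToArray(X509Certificate[] x509CertificateArr) throws CertificateEncodingException {
        ArrayList<String> encodedChain = new ArrayList<>();
        for (X509Certificate x509Certificate : x509CertificateArr) {
            // Flag 0 is Base64.DEFAULT.
            encodedChain.add(Base64.encodeToString(x509Certificate.getEncoded(), 0));
        }
        return encodedChain;
    }

    /**
     * Requires that at least one certificate of the chain matches a configured pin.
     *
     * <p>On a match the matching certificate is added to the cache and the method returns. If no
     * certificate matches, the pins and certificates seen are reported and the chain is rejected.
     *
     * @throws CertificateException with message {@code FAILED CERT PINNING} if nothing matches,
     *     or if a certificate cannot be encoded for the failure report
     */
    private void checkPinTrust(X509Certificate[] x509CertificateArr) throws CertificateException {
        try {
            x509CertificateArr = CertificateChainCleaner.a(x509CertificateArr, this.mSystemKeyStore);
        } catch (CertificateException unused) {
            // NOTE(review): a cleaning failure is only reported, not treated as fatal. The pin
            // check below then runs on the chain exactly as the peer presented it, which may
            // contain certificates that are not part of the path the system trust managers
            // validated. Confirm against CertificateChainCleaner whether rethrowing here (failing
            // closed) is acceptable; that is the safer behaviour for a pinning check.
            L.debug("*** after CertificateChainCleaner.getCleanChain check. Chain not clean. Logging.", new Object[0]);
            logFailure(null, certChainToArray(x509CertificateArr), FAILURE_CERT_CHAIN_CLEANSING);
        }
        L.debug("*** after CertificateChainCleaner.getCleanChain. Will validate cert pinning.", new Object[0]);
        List<String> failedPins = new ArrayList<>();
        List<String> failedCerts = new ArrayList<>();
        for (X509Certificate x509Certificate : x509CertificateArr) {
            if (isValidPin(x509Certificate)) {
                L.debug("*** after isValidPin check. Will cache chain cert.", new Object[0]);
                // NOTE(review): this caches the certificate that matched the pin, while
                // checkServerTrusted looks up chain[0]. Unless the matching certificate is the
                // leaf, the cache entry does not short-circuit later handshakes.
                this.cache.add(x509Certificate);
                return;
            }
            // getPinFromCertificate returns null when the digest is unavailable; encoding null
            // would throw and hide the real pinning failure, so such pins are left out of the
            // report.
            byte[] pin = getPinFromCertificate(x509Certificate);
            if (pin != null) {
                failedPins.add(Base64.encodeToString(pin, 0));
            }
            failedCerts.add(Base64.encodeToString(x509Certificate.getEncoded(), 0));
        }
        L.debug("*** isValidPin- failed cert pinning. Will log!", new Object[0]);
        logFailure(failedPins, failedCerts, FAILURE_CERT_PINNING);
        throw new CertificateException(FAILURE_CERT_PINNING);
    }

    /**
     * Runs the chain through every system trust manager; any of them may reject it.
     *
     * @throws CertificateException if a system trust manager does not trust the chain
     */
    private void checkSystemTrust(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        for (TrustManager trustManager : this.mSystemTrustManagers) {
            // The unconditional cast fails loudly on an unexpected manager type rather than
            // silently skipping platform validation.
            ((X509TrustManager) trustManager).checkServerTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Computes the pin of a certificate: the digest of its encoded public key.
     *
     * @return the digest bytes, or {@code null} if the digest algorithm is unavailable
     */
    private byte[] getPinFromCertificate(X509Certificate x509Certificate) {
        try {
            return MessageDigest.getInstance("SHA256").digest(x509Certificate.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            L.error("getPinFromCertificate failed : " + e.getMessage(), new Object[0]);
            return null;
        }
    }

    /**
     * Decodes a hex string into bytes, two characters per byte.
     *
     * @throws IllegalArgumentException if the length is odd or a character is not a hex digit;
     *     without this check a malformed pin would silently decode to a value that can never match
     */
    private byte[] hexStringToByteArray(String str) {
        int length = str.length();
        if (length % 2 != 0) {
            throw new IllegalArgumentException("Hex string must have an even number of characters");
        }
        byte[] decoded = new byte[length / 2];
        for (int i = 0; i < length; i += 2) {
            int high = Character.digit(str.charAt(i), 16);
            int low = Character.digit(str.charAt(i + 1), 16);
            if (high < 0 || low < 0) {
                throw new IllegalArgumentException("Hex string contains a non-hex character at index " + i);
            }
            decoded[i / 2] = (byte) ((high << 4) + low);
        }
        return decoded;
    }

    /**
     * Builds the platform X509 trust managers backed by the given key store's trust store.
     *
     * @throws RuntimeException wrapping the cause if the factory cannot be created or initialised
     */
    private TrustManager[] initializeSystemTrustManagers(SystemKeyStore systemKeyStore) {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
            trustManagerFactory.init(systemKeyStore.trustStore);
            return trustManagerFactory.getTrustManagers();
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Tells whether the certificate's pin equals one of the configured pins.
     *
     * @return {@code true} on a match; {@code false} otherwise, including when the pin cannot be
     *     computed
     */
    private boolean isValidPin(X509Certificate x509Certificate) throws CertificateException {
        // The digest does not depend on the pin being compared, so compute it once.
        byte[] pinFromCertificate = getPinFromCertificate(x509Certificate);
        if (pinFromCertificate == null) {
            return false;
        }
        for (byte[] pin : this.mPins) {
            if (Arrays.equals(pin, pinFromCertificate)) {
                L.debug("*** isValidPin- found cert pinned!", pinFromCertificate);
                return true;
            }
        }
        return false;
    }

    /**
     * Sends a failure report through the reporting operation, if one is configured.
     *
     * @param list Base64 pins that failed to match, or {@code null} to leave unset
     * @param list2 Base64 certificates of the rejected chain, or {@code null} to leave unset
     * @param str failure message, or {@code null} to leave unset
     */
    private void logFailure(@Nullable List<String> list, @Nullable List<String> list2, @Nullable String str) {
        if (this.mPinningTrustCertReportingOperation != null) {
            if (list != null) {
                this.mPinningTrustCertReportingOperation.setFailedPinList(list);
            }
            if (list2 != null) {
                this.mPinningTrustCertReportingOperation.setFailedCertList(list2);
            }
            if (str != null) {
                this.mPinningTrustCertReportingOperation.setMessage(str);
            }
            // The outcome of the report is only logged; it never affects the trust decision.
            this.mPinningTrustCertReportingOperation.operate(new OperationListener() {
                @Override
                public void onFailure(FailureMessage failureMessage) {
                    PinningTrustManager.L.debug("Failed cert pinning and logged to logging endpoint. Log endpoint failure.", new Object[0]);
                }

                @Override
                public void onSuccess(Object obj) {
                    PinningTrustManager.L.debug("Failed cert pinning and logged to logging endpoint. Log endpoint success.", new Object[0]);
                }
            });
        }
    }

    /**
     * Sets, once, the DNS names whose certificates are exempt from the pin check.
     *
     * <p>The list is copied, so later changes to the caller's list cannot widen the exemption.
     * A {@code null} argument is ignored and leaves the whitelist unset.
     *
     * @throws IllegalStateException if a whitelist has already been set
     */
    public static void setWhiteListedServer(List<String> list) {
        if (mServerWhiteList != null) {
            throw new IllegalStateException("This can only be set once during FoundationPayPalCore.setup() call.");
        }
        if (list == null) {
            return;
        }
        mServerWhiteList = Collections.unmodifiableList(new ArrayList<>(list));
    }

    /**
     * Tells whether any certificate in the chain carries a DNS subject alternative name that is
     * on the whitelist.
     *
     * <p>NOTE(review): every certificate of the chain is inspected, not only the leaf, and a
     * {@code true} result makes {@link #checkServerTrusted} skip the pin check entirely. The
     * whitelist therefore needs to stay as small as possible.
     *
     * @return {@code false} if no whitelist is set, if nothing matches, or if any certificate's
     *     alternative names cannot be parsed (so the caller falls back to the pin check)
     */
    @VisibleForTesting
    protected synchronized boolean chainContainsWhitelistedServer(X509Certificate[] x509CertificateArr) throws CertificateParsingException {
        if (mServerWhiteList == null) {
            L.debug("FoundationPayPalCore.setup() is not done yet. mServerWhiteList is initialized there", new Object[0]);
            return false;
        }
        boolean found = false;
        for (X509Certificate x509Certificate : x509CertificateArr) {
            try {
                Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
                if (subjectAlternativeNames != null) {
                    // Bounded iteration: the loop ends when the entries are exhausted, so a
                    // certificate without a whitelisted name cannot stall the handshake thread.
                    for (List<?> entry : subjectAlternativeNames) {
                        // Entry layout is [type, value]; type 2 is dNSName.
                        if (((Integer) entry.get(0)).intValue() == 2 && mServerWhiteList.contains(entry.get(1))) {
                            found = true;
                            break;
                        }
                    }
                }
            } catch (CertificateParsingException e) {
                // A parse failure anywhere in the chain discards an earlier match.
                L.debug("*** chainContainsWhitelistedServer failed = " + e.getMessage(), new Object[0]);
                return false;
            }
        }
        return found;
    }

    /**
     * Always rejects: this trust manager does not support client certificates.
     *
     * @throws CertificateException always
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /**
     * Validates a server chain: cache lookup, system trust, then whitelist or pin check.
     *
     * <p>NOTE(review): the cache lookup on {@code chain[0]} happens before the system trust check,
     * so a cached certificate is accepted without being re-validated until {@link #clearCache()}
     * is called.
     *
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if system trust or the pin check rejects the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        DesignByContract.require(!this.mPins.isEmpty(), "Empty pins. PinningTrustManager.initialize must be called prior to calling checkServerTrusted()", new Object[0]);
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("checkServerTrusted: X509Certificate chain is empty");
        }
        if (this.cache.contains(x509CertificateArr[0])) {
            return;
        }
        L.debug("*** chain[0] = " + x509CertificateArr[0].getSubjectDN().getName(), new Object[0]);
        checkSystemTrust(x509CertificateArr, str);
        if (!chainContainsWhitelistedServer(x509CertificateArr)) {
            checkPinTrust(x509CertificateArr);
        } else {
            L.debug("*** after chainLoggingServer check. Found logging server. Complete.", new Object[0]);
            this.cache.add(x509CertificateArr[0]);
        }
    }

    /** Forgets every previously accepted certificate, forcing full validation on the next use. */
    public void clearCache() {
        this.cache.clear();
    }

    /** Replaces the reporting operation; the name and annotation mark it as a debug-only hook. */
    @Deprecated
    void debug_setPinningTrustCertReportingOperation(PinningTrustCertReportingOperation pinningTrustCertReportingOperation) {
        this.mPinningTrustCertReportingOperation = pinningTrustCertReportingOperation;
    }

    /**
     * Returns no issuers.
     *
     * @return an empty array; the {@link X509TrustManager} contract asks for a non-null array,
     *     and callers that iterate the result would fail on {@code null}
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /** Exposes the live validation cache for tests. */
    @VisibleForTesting
    protected Set<X509Certificate> getCache() {
        return this.cache;
    }
}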
