package s.b.f.k;

import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes2.dex */
public class l1 extends s.b.f.i {
    public static final Logger e = Logger.getLogger(l1.class.getName());
    public static final boolean f = i0.a("com.sun.net.ssl.checkRevocation", false);

    /* renamed from: g, reason: collision with root package name */
    public static final Map<String, Integer> f6730g;
    public final s.b.d.d.a a;
    public final Set<X509Certificate> b;

    /* renamed from: c, reason: collision with root package name */
    public final PKIXBuilderParameters f6731c;
    public final X509TrustManager d;

    static {
        HashMap hashMap = new HashMap();
        f(hashMap, 0, 3, 5, 17, 19, 0);
        f(hashMap, 2, 1);
        f(hashMap, 4, 7, 9, 16, 18);
        f6730g = Collections.unmodifiableMap(hashMap);
    }

    public l1(s.b.d.d.a aVar, PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        this.a = aVar;
        Set<X509Certificate> m2 = m(pKIXParameters.getTrustAnchors());
        this.b = m2;
        if (m2.isEmpty()) {
            this.f6731c = null;
        } else if (pKIXParameters instanceof PKIXBuilderParameters) {
            PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) pKIXParameters.clone();
            this.f6731c = pKIXBuilderParameters;
            pKIXBuilderParameters.setTargetCertConstraints(null);
        } else {
            PKIXBuilderParameters pKIXBuilderParameters2 = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), (CertSelector) null);
            this.f6731c = pKIXBuilderParameters2;
            pKIXBuilderParameters2.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
            pKIXBuilderParameters2.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
            pKIXBuilderParameters2.setCertStores(pKIXParameters.getCertStores());
            pKIXBuilderParameters2.setDate(pKIXParameters.getDate());
            pKIXBuilderParameters2.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
            pKIXBuilderParameters2.setInitialPolicies(pKIXParameters.getInitialPolicies());
            pKIXBuilderParameters2.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
            pKIXBuilderParameters2.setPolicyQualifiersRejected(pKIXParameters.getPolicyQualifiersRejected());
            pKIXBuilderParameters2.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
            pKIXBuilderParameters2.setSigProvider(pKIXParameters.getSigProvider());
        }
        this.d = t1.a(this);
    }

    public l1(s.b.d.d.a aVar, Set<TrustAnchor> set) throws InvalidAlgorithmParameterException {
        this.a = aVar;
        Set<X509Certificate> m2 = m(set);
        this.b = m2;
        if (m2.isEmpty()) {
            this.f6731c = null;
        } else {
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(set, (CertSelector) null);
            this.f6731c = pKIXBuilderParameters;
            pKIXBuilderParameters.setRevocationEnabled(f);
        }
        this.d = t1.a(this);
    }

    public static void f(Map<String, Integer> map, int i2, int... iArr) {
        for (int i3 : iArr) {
            if (map.put(d0.h(i3), Integer.valueOf(i2)) != null) {
                throw new IllegalStateException("Duplicate keys in server key usages");
            }
        }
    }

    public static void h(String str, X509Certificate x509Certificate, String str2) throws CertificateException {
        boolean z;
        String w = d0.w(str, '[', ']');
        if (str2.equalsIgnoreCase("HTTPS")) {
            z = true;
        } else {
            if (!str2.equalsIgnoreCase("LDAP") && !str2.equalsIgnoreCase("LDAPS")) {
                throw new CertificateException(c.b.a.a.a.v("Unknown endpoint ID algorithm: ", str2));
            }
            z = false;
        }
        k.b.m.h.a.v(w, x509Certificate, z);
    }

    public static void i(X509Certificate[] x509CertificateArr, s1 s1Var, boolean z) throws CertificateException {
        String str;
        s.b.f.c q2;
        if (s1Var == null || (str = s1Var.a.f) == null || str.length() <= 0) {
            return;
        }
        s.b.f.b bVar = s1Var.b;
        if (bVar == null) {
            throw new CertificateException("No handshake session");
        }
        X509Certificate x509Certificate = x509CertificateArr[0];
        String peerHost = bVar.getPeerHost();
        if (z && (q2 = d0.q(bVar.f())) != null) {
            String str2 = q2.f6684c;
            if (!str2.equalsIgnoreCase(peerHost)) {
                try {
                    h(str2, x509Certificate, str);
                    return;
                } catch (CertificateException e2) {
                    e.log(Level.FINE, "Server's endpoint ID did not match the SNI host_name: " + str2, (Throwable) e2);
                }
            }
        }
        h(peerHost, x509Certificate, str);
    }

    public static s.b.a.m2.r k(boolean z) {
        return z ? s.b.a.m2.r.f6571n : s.b.a.m2.r.f6572p;
    }

    public static int l(boolean z, String str) throws CertificateException {
        if (!z) {
            return 0;
        }
        Integer num = f6730g.get(str);
        if (num != null) {
            return num.intValue();
        }
        throw new CertificateException(c.b.a.a.a.v("Unsupported server authType: ", str));
    }

    public static Set<X509Certificate> m(Set<TrustAnchor> set) {
        X509Certificate trustedCert;
        HashSet hashSet = new HashSet(set.size());
        for (TrustAnchor trustAnchor : set) {
            if (trustAnchor != null && (trustedCert = trustAnchor.getTrustedCert()) != null) {
                hashSet.add(trustedCert);
            }
        }
        return hashSet;
    }

    @Override // s.b.f.i
    public void b(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        j(x509CertificateArr, str, s1.a(socket), false);
    }

    @Override // s.b.f.i
    public void c(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        j(x509CertificateArr, str, s1.b(sSLEngine), false);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        j(x509CertificateArr, str, null, false);
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        j(x509CertificateArr, str, null, true);
    }

    @Override // s.b.f.i
    public void d(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        j(x509CertificateArr, str, s1.a(socket), true);
    }

    @Override // s.b.f.i
    public void e(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        j(x509CertificateArr, str, s1.b(sSLEngine), true);
    }

    public final X509Certificate[] g(X509Certificate[] x509CertificateArr, s.b.f.j.a.a aVar, List<byte[]> list) throws GeneralSecurityException {
        CertStore certStore;
        CertPathBuilder certPathBuilder;
        X509Certificate x509Certificate = x509CertificateArr[0];
        if (this.b.contains(x509Certificate)) {
            return new X509Certificate[]{x509Certificate};
        }
        Objects.requireNonNull(this.a);
        Provider provider = CertificateFactory.getInstance("X.509").getProvider();
        ArrayList arrayList = new ArrayList(x509CertificateArr.length);
        arrayList.add(x509Certificate);
        for (int i2 = 1; i2 < x509CertificateArr.length; i2++) {
            if (!this.b.contains(x509CertificateArr[i2])) {
                arrayList.add(x509CertificateArr[i2]);
            }
        }
        CollectionCertStoreParameters collectionCertStoreParameters = new CollectionCertStoreParameters(Collections.unmodifiableCollection(arrayList));
        try {
            certStore = CertStore.getInstance("Collection", collectionCertStoreParameters, provider);
        } catch (GeneralSecurityException unused) {
            certStore = CertStore.getInstance("Collection", collectionCertStoreParameters);
        }
        X509CertSelector x509CertSelector = new X509CertSelector();
        x509CertSelector.setCertificate(x509Certificate);
        try {
            certPathBuilder = CertPathBuilder.getInstance("PKIX", provider);
        } catch (NoSuchAlgorithmException unused2) {
            certPathBuilder = CertPathBuilder.getInstance("PKIX");
        }
        PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.f6731c.clone();
        pKIXBuilderParameters.addCertPathChecker(new j0(this.a, aVar));
        pKIXBuilderParameters.addCertStore(certStore);
        pKIXBuilderParameters.setTargetCertConstraints(x509CertSelector);
        if (!list.isEmpty()) {
            HashMap hashMap = new HashMap();
            int min = Math.min(x509CertificateArr.length, list.size());
            for (int i3 = 0; i3 < min; i3++) {
                byte[] bArr = list.get(i3);
                if (bArr != null && bArr.length > 0) {
                    X509Certificate x509Certificate2 = x509CertificateArr[i3];
                    if (!hashMap.containsKey(x509Certificate2)) {
                        hashMap.put(x509Certificate2, bArr);
                    }
                }
            }
            if (!hashMap.isEmpty()) {
                try {
                    g0.a(certPathBuilder, pKIXBuilderParameters, hashMap);
                } catch (RuntimeException e2) {
                    e.log(Level.FINE, "Failed to add status responses for revocation checking", (Throwable) e2);
                }
            }
        }
        PKIXCertPathBuilderResult pKIXCertPathBuilderResult = (PKIXCertPathBuilderResult) certPathBuilder.build(pKIXBuilderParameters);
        CertPath certPath = pKIXCertPathBuilderResult.getCertPath();
        TrustAnchor trustAnchor = pKIXCertPathBuilderResult.getTrustAnchor();
        List<? extends Certificate> certificates = certPath.getCertificates();
        int size = certificates.size() + 1;
        X509Certificate[] x509CertificateArr2 = new X509Certificate[size];
        certificates.toArray(x509CertificateArr2);
        int i4 = size - 1;
        X509Certificate trustedCert = trustAnchor.getTrustedCert();
        if (trustedCert == null) {
            throw new CertificateException("No certificate for TrustAnchor");
        }
        x509CertificateArr2[i4] = trustedCert;
        return x509CertificateArr2;
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        Set<X509Certificate> set = this.b;
        return (X509Certificate[]) set.toArray(new X509Certificate[set.size()]);
    }

    public final void j(X509Certificate[] x509CertificateArr, String str, s1 s1Var, boolean z) throws CertificateException {
        List<byte[]> emptyList;
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException("'authType' must be a non-null, non-empty string");
        }
        if (this.f6731c == null) {
            throw new CertificateException("Unable to build a CertPath: no PKIXBuilderParameters available");
        }
        try {
            s.b.f.j.a.a c2 = s1.c(s1Var, false);
            if (s1Var == null) {
                emptyList = Collections.emptyList();
            } else {
                s.b.f.b bVar = s1Var.b;
                emptyList = bVar == null ? Collections.emptyList() : bVar.g();
            }
            X509Certificate[] g2 = g(x509CertificateArr, c2, emptyList);
            s.b.a.m2.r k2 = k(z);
            int l2 = l(z, str);
            s.b.d.d.a aVar = this.a;
            Map<String, String> map = j0.f6717n;
            X509Certificate x509Certificate = g2[g2.length - 1];
            if (g2.length > 1) {
                j0.d(aVar, c2, g2[g2.length - 2], x509Certificate);
            }
            j0.c(c2, g2[0], k2, l2);
            i(g2, s1Var, z);
        } catch (GeneralSecurityException e2) {
            throw new CertificateException("Unable to construct a valid chain", e2);
        }
    }
}
