package com.facebook.netlite.certificatepinning.internal;

import android.annotation.SuppressLint;
import android.util.Base64;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.thoughtcrime.ssl.pinning.CertificateChainCleaner;
import org.thoughtcrime.ssl.pinning.SystemKeyStore;

/* loaded from: classes.dex */
public class FbPinningTrustManager implements X509TrustManager {
    private final long mEnforceUntilTimestampMillis;
    private final SystemKeyStore mKeyStore;
    private final boolean mPinTimeoutSet;
    private final Set<ByteBuffer> mPins;
    protected final TrustManager[] mSystemTrustManagers;

    public FbPinningTrustManager(long j) {
        this(j, SystemKeyStore.getInstance());
    }

    FbPinningTrustManager(long j, SystemKeyStore systemKeyStore) {
        this.mPins = new HashSet();
        this.mKeyStore = systemKeyStore;
        this.mSystemTrustManagers = initializeSystemTrustManagers();
        this.mPinTimeoutSet = j > 0;
        this.mEnforceUntilTimestampMillis = j + 31536000000L;
        for (String str : CertificatePinningData.FB_CERT_SHA256_PINS) {
            this.mPins.add(ByteBuffer.wrap(Base64.decode(str, 0)));
        }
    }

    private void checkSystemTrust(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        for (TrustManager trustManager : this.mSystemTrustManagers) {
            ((X509TrustManager) trustManager).checkServerTrusted(x509CertificateArr, str);
        }
    }

    private static TrustManager[] initializeSystemTrustManagers() {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
            trustManagerFactory.init((KeyStore) null);
            return trustManagerFactory.getTrustManagers();
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Failure initializing TrustManager", e);
        }
    }

    private boolean isValidPin(X509Certificate x509Certificate) throws CertificateException {
        try {
            return this.mPins.contains(ByteBuffer.wrap(MessageDigest.getInstance("SHA-256").digest(x509Certificate.getPublicKey().getEncoded())));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @SuppressLint({"BadMethodUse-java.lang.System.currentTimeMillis"})
    public void checkPinTrust(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (!this.mPinTimeoutSet || System.currentTimeMillis() <= this.mEnforceUntilTimestampMillis) {
            if (x509CertificateArr.length == 0) {
                throw new CertificateException("pinning error: certificate chain empty");
            }
            for (X509Certificate x509Certificate : CertificateChainCleaner.getCleanChain(x509CertificateArr, this.mKeyStore)) {
                if (isValidPin(x509Certificate)) {
                    return;
                }
            }
            StringBuilder sb = new StringBuilder();
            sb.append("pinning error, trusted chain: ");
            for (X509Certificate x509Certificate2 : x509CertificateArr) {
                sb.append(Base64.encodeToString(x509Certificate2.getEncoded(), 0));
                sb.append("\n");
            }
            throw new CertificateException(sb.toString());
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkSystemTrust(x509CertificateArr, str);
        checkPinTrust(x509CertificateArr);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] x509CertificateArr = new X509Certificate[0];
        for (TrustManager trustManager : this.mSystemTrustManagers) {
            X509Certificate[] acceptedIssuers = ((X509TrustManager) trustManager).getAcceptedIssuers();
            int length = x509CertificateArr.length;
            x509CertificateArr = (X509Certificate[]) Arrays.copyOf(x509CertificateArr, acceptedIssuers.length + length);
            System.arraycopy(acceptedIssuers, 0, x509CertificateArr, length, acceptedIssuers.length);
        }
        return x509CertificateArr;
    }
}
