package com.yumc.android.common.http.ssl;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes2.dex */
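/**
 * {@link X509TrustManager} that accepts a peer chain only if it links, by signature, to one of
 * the CA chains supplied at construction time (a pinning-style trust manager).
 *
 * <p>What is checked for a presented chain (see {@link #verify}):
 * <ul>
 *   <li>validity dates of every certificate, unless date validation was switched off;</li>
 *   <li>that each presented certificate is signed by the next one in the array;</li>
 *   <li>that some presented certificate names a configured certificate as issuer (by DN) and is
 *       signed by that certificate's public key;</li>
 *   <li>that the leaf matches the DNS whitelist, when a non-empty whitelist is configured.</li>
 * </ul>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>NOTE(review): "loose mode" makes {@code checkClientTrusted} and {@code checkServerTrusted}
 *       return without looking at the chain at all. It must never be enabled in a release build;
 *       audit every call site that passes {@code true}.</li>
 *   <li>NOTE(review): only dates and signatures are validated. BasicConstraints, key usage, name
 *       constraints and revocation are not examined anywhere in this class, so an issuer is not
 *       required to be a CA. Prefer {@code java.security.cert.CertPathValidator} (PKIX) with the
 *       configured certificates as trust anchors.</li>
 *   <li>The DNS whitelist is compared with the leaf certificate only; matching the certificate
 *       against the host actually being contacted is not done here and has to be enforced by the
 *       connection's hostname verification.</li>
 *   <li>A registered {@link CertificateCheckPolicy} can cause verification to be skipped
 *       (see {@link #shouldCheck}).</li>
 * </ul>
 */
public class DefaultX509TrustManager implements X509TrustManager {
    // Certificates of every configured chain, as reported by getAcceptedIssuers().
    private X509Certificate[] mAcceptedIssuers;
    // Configured chains that passed setup().
    private final Set<X509Certificate[]> mCaChains = new HashSet<>();
    // When true, validity dates are checked for configured and presented certificates.
    private boolean mCheckDateValidation = true;
    // Subject DN (X500Principal.getName()) of each configured certificate -> certificate and its chain.
    private final Map<String, CertificateChainRelation> mDnRelationMapper = new HashMap<>();
    // Optional DNS names the leaf must match; null or empty means "no restriction".
    private String[] mDomainWhitelist;
    // When true, checkClientTrusted/checkServerTrusted accept everything.
    private boolean mLooseMode = false;
    private final Set<CertificateCheckPolicy> mPolicies = new HashSet<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    /** Links one configured certificate to the configured chain it was loaded from. */
    public static class CertificateChainRelation {
        X509Certificate[] belongs;
        X509Certificate certificate;

        CertificateChainRelation() {
        }
    }

    /**
     * Creates a strict trust manager with date validation on and no DNS whitelist.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(Collection<X509CertificateChain> chains) throws CertificateException {
        this(chains, null, false, true);
    }

    /**
     * Creates a strict trust manager with date validation on.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(Collection<X509CertificateChain> chains, String[] domainWhitelist) throws CertificateException {
        this(chains, domainWhitelist, false, true);
    }

    /**
     * Creates a trust manager with date validation on.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @param looseMode when true, every presented chain is accepted unchecked
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(Collection<X509CertificateChain> chains, String[] domainWhitelist, boolean looseMode) throws CertificateException {
        this(chains, domainWhitelist, looseMode, true);
    }

    /**
     * Creates a trust manager from a collection of trusted chains.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @param looseMode when true, every presented chain is accepted unchecked
     * @param checkDateValidation whether validity dates are checked; also applies to the
     *     configured chains while they are loaded here
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(Collection<X509CertificateChain> chains, String[] domainWhitelist, boolean looseMode, boolean checkDateValidation) throws CertificateException {
        if (chains == null || chains.size() == 0) {
            throw new CertificateException("invalid certification chains!");
        }
        this.mDomainWhitelist = domainWhitelist;
        this.mLooseMode = looseMode;
        // Must be set before setup(): checkChain() consults it for the configured chains too.
        this.mCheckDateValidation = checkDateValidation;
        for (X509CertificateChain chain : chains) {
            setup(chain);
        }
    }

    /**
     * Array variant of {@link #DefaultX509TrustManager(Collection)}.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(X509CertificateChain[] chains) throws CertificateException {
        this(chains, null, false, true);
    }

    /**
     * Array variant of {@link #DefaultX509TrustManager(Collection, String[])}.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(X509CertificateChain[] chains, String[] domainWhitelist) throws CertificateException {
        this(chains, domainWhitelist, false, true);
    }

    /**
     * Array variant of {@link #DefaultX509TrustManager(Collection, String[], boolean)}.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @param looseMode when true, every presented chain is accepted unchecked
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(X509CertificateChain[] chains, String[] domainWhitelist, boolean looseMode) throws CertificateException {
        this(chains, domainWhitelist, looseMode, true);
    }

    /**
     * Array variant of {@link #DefaultX509TrustManager(Collection, String[], boolean, boolean)}.
     *
     * @param chains trusted CA chains; must be non-null and non-empty
     * @param domainWhitelist DNS names the leaf must match; null or empty disables the restriction
     * @param looseMode when true, every presented chain is accepted unchecked
     * @param checkDateValidation whether validity dates are checked; also applies to the
     *     configured chains while they are loaded here
     * @throws CertificateException if {@code chains} is null/empty or any chain fails {@link #setup}
     */
    public DefaultX509TrustManager(X509CertificateChain[] chains, String[] domainWhitelist, boolean looseMode, boolean checkDateValidation) throws CertificateException {
        if (chains == null || chains.length == 0) {
            throw new CertificateException("invalid certification chains!");
        }
        this.mDomainWhitelist = domainWhitelist;
        this.mLooseMode = looseMode;
        // Must be set before setup(): checkChain() consults it for the configured chains too.
        this.mCheckDateValidation = checkDateValidation;
        for (X509CertificateChain chain : chains) {
            setup(chain);
        }
    }

    /**
     * Runs {@link #verify} on a presented chain unless the registered policies decline the check,
     * and reports the outcome to every policy.
     *
     * @param peerChain chain presented by the peer (leaf first, as delivered by the TLS stack)
     * @param authType key-exchange/auth type passed in by the TLS stack; not used by verification
     * @throws CertificateException if verification, or a policy's {@code onPassed} callback, fails
     */
    private void check(X509Certificate[] peerChain, String authType) throws CertificateException {
        // NOTE(review): when shouldCheck() is false the chain is accepted with no verification.
        if (!shouldCheck(peerChain, this.mCaChains)) {
            return;
        }
        try {
            verify(peerChain, authType);
            passed(peerChain, this.mCaChains);
        } catch (Exception e) {
            failure(peerChain, this.mCaChains);
            // Keep the original failure as the cause so the root reason is not lost in logs.
            throw new CertificateException(e.getMessage(), e);
        }
    }

    /**
     * Checks validity dates (if enabled) of every certificate and that each certificate is signed
     * by its successor in the array. The last certificate's own signature is not checked here.
     *
     * @param chain certificates ordered so that {@code chain[i + 1]} issued {@code chain[i]}
     */
    private void checkChain(X509Certificate[] chain) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
        for (int i = chain.length - 1; i >= 0; i--) {
            verifyCertificate(chain[i]);
            if (i < chain.length - 1) {
                verifyCertificateSign(chain[i], chain[i + 1]);
            }
        }
    }

    /**
     * Anchors a presented chain in one configured chain: enforces the DNS whitelist on the leaf,
     * then verifies the signature of one presented certificate with the configured certificate
     * named as its issuer. The last presented certificate is tried first; failing that, the first
     * presented certificate (from the leaf upwards) whose issuer DN is configured.
     *
     * @param peerChain chain presented by the peer; {@code peerChain[0]} is treated as the leaf
     * @param caChain configured chain selected by {@link #verify}
     * @throws CertificateException if the leaf is not whitelisted or no issuer is found
     */
    private void checkPeerChain(X509Certificate[] peerChain, X509Certificate[] caChain) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
        if (!isDomainInWhiteList(peerChain[0])) {
            throw new CertificateException("domain not in whitelist!");
        }
        X509Certificate topCertificate = peerChain[peerChain.length - 1];
        X509Certificate topIssuer = findIssuerCertificate(topCertificate, caChain);
        if (topIssuer != null) {
            verifyCertificateSign(topCertificate, topIssuer);
            return;
        }
        for (X509Certificate candidate : peerChain) {
            X509Certificate candidateIssuer = findIssuerCertificate(candidate, caChain);
            if (candidateIssuer != null) {
                verifyCertificateSign(candidate, candidateIssuer);
                return;
            }
        }
        throw new CertificateException("Can't check peer certificate chain, because there was no root CA certificate!");
    }

    /** Notifies every registered policy that verification of {@code peerChain} failed. */
    private void failure(X509Certificate[] peerChain, Collection<X509Certificate[]> caChains) {
        for (CertificateCheckPolicy policy : this.mPolicies) {
            policy.onFailure(peerChain, caChains);
        }
    }

    /**
     * Looks up, in {@code candidates}, the certificate whose subject DN string equals the issuer DN
     * string of {@code certificate}. The match is by name only; callers must still verify the
     * signature (as {@link #checkPeerChain} does).
     *
     * @return the first matching certificate, or null when there is none or {@code candidates} is null
     */
    private X509Certificate findIssuerCertificate(X509Certificate certificate, X509Certificate[] candidates) {
        if (candidates == null) {
            return null;
        }
        X500Principal issuer = certificate.getIssuerX500Principal();
        if (issuer == null) {
            return null;
        }
        String issuerDn = issuer.getName();
        if (issuerDn == null) {
            return null;
        }
        for (X509Certificate candidate : candidates) {
            X500Principal subject = candidate.getSubjectX500Principal();
            if (subject != null && issuerDn.equals(subject.getName())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Tells whether the leaf matches any whitelisted DNS name, as decided by
     * {@code CertificateUtil.isCertificateDNSMatches}.
     *
     * @return true when it matches, and also when no whitelist is configured (null or empty)
     */
    private boolean isDomainInWhiteList(X509Certificate leaf) {
        // NOTE(review): an absent or empty whitelist means "allow every name", not "deny".
        if (this.mDomainWhitelist == null || this.mDomainWhitelist.length == 0) {
            return true;
        }
        for (String domain : this.mDomainWhitelist) {
            if (CertificateUtil.isCertificateDNSMatches(leaf, domain)) {
                return true;
            }
        }
        return false;
    }

    /** Notifies every registered policy that verification of {@code peerChain} succeeded. */
    private void passed(X509Certificate[] peerChain, Collection<X509Certificate[]> caChains) {
        for (CertificateCheckPolicy policy : this.mPolicies) {
            policy.onPassed(peerChain, caChains);
        }
    }

    /**
     * Validates one configured chain with {@link #checkChain} and registers each of its
     * certificates under its subject DN.
     *
     * @throws CertificateException if the chain is empty, fails validation, contains a certificate
     *     without a subject DN, or repeats a subject DN that is already registered
     */
    private void setup(X509CertificateChain x509CertificateChain) throws CertificateException {
        X509Certificate[] chain = (X509Certificate[]) x509CertificateChain.getChain().toArray(new X509Certificate[0]);
        if (chain.length == 0) {
            throw new CertificateException("empty chain!");
        }
        try {
            checkChain(chain);
            // Start from the issuers of previously loaded chains; overwriting them would make
            // getAcceptedIssuers() report only the chain that was loaded last.
            Set<X509Certificate> issuers = new HashSet<>();
            if (this.mAcceptedIssuers != null) {
                for (X509Certificate known : this.mAcceptedIssuers) {
                    issuers.add(known);
                }
            }
            for (X509Certificate certificate : chain) {
                X500Principal subject = certificate.getSubjectX500Principal();
                if (subject == null) {
                    throw new CertificateException("invalid certificate, can't find principal:" + certificate);
                }
                String subjectDn = subject.getName();
                if (subjectDn == null || subjectDn.length() == 0) {
                    throw new CertificateException("invalid certificate: can't find principal DN" + certificate);
                }
                if (this.mDnRelationMapper.containsKey(subjectDn)) {
                    throw new CertificateException("duplicate certificate: " + certificate);
                }
                CertificateChainRelation relation = new CertificateChainRelation();
                relation.certificate = certificate;
                relation.belongs = chain;
                this.mDnRelationMapper.put(subjectDn, relation);
                issuers.add(certificate);
            }
            this.mAcceptedIssuers = issuers.toArray(new X509Certificate[0]);
            this.mCaChains.add(chain);
        } catch (Exception e) {
            throw new CertificateException(e.getMessage(), e);
        }
    }

    /**
     * Asks the registered policies whether {@code peerChain} needs verification.
     *
     * @return true when no policy is registered or at least one policy requests the check
     */
    private boolean shouldCheck(X509Certificate[] peerChain, Collection<X509Certificate[]> caChains) {
        if (this.mPolicies.size() == 0) {
            return true;
        }
        for (CertificateCheckPolicy policy : this.mPolicies) {
            if (policy.shouldCheck(peerChain, caChains, this.mDomainWhitelist)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies a presented chain: checks its internal linkage, selects the configured chain that
     * contains the issuer of a presented certificate (searching from the last presented
     * certificate towards the leaf), and anchors the presented chain in it.
     *
     * <p>NOTE(review): JADX could not restructure this method and emitted a stub that always threw
     * {@code UnsupportedOperationException}; the body below was rebuilt by hand from the
     * decompiler's register-level dump. Confirm it against the original bytecode.
     *
     * @param peerChain chain presented by the peer
     * @param authType not used (the dump overwrites the register without reading it)
     * @throws CertificateException if an issuer or issuer DN is missing, or no configured chain matches
     */
    private void verify(X509Certificate[] peerChain, String authType) throws CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
        checkChain(peerChain);
        X509Certificate[] caChain = null;
        for (int i = peerChain.length - 1; i >= 0; i--) {
            X500Principal issuer = peerChain[i].getIssuerX500Principal();
            if (issuer == null) {
                throw new CertificateException("Can't find issuer");
            }
            String issuerDn = issuer.getName();
            if (issuerDn == null || issuerDn.length() == 0) {
                throw new CertificateException("Can't find issuer DN");
            }
            if (this.mDnRelationMapper.containsKey(issuerDn)) {
                CertificateChainRelation relation = this.mDnRelationMapper.get(issuerDn);
                if (relation == null) {
                    throw new CertificateException("Certificate relation error!");
                }
                caChain = relation.belongs;
                break;
            }
        }
        if (caChain == null) {
            throw new CertificateException("Can't find issuer CA chain");
        }
        checkPeerChain(peerChain, caChain);
    }

    /**
     * Checks that {@code certificate} is within its validity period now, when date validation is
     * enabled; does nothing otherwise.
     */
    private void verifyCertificate(X509Certificate certificate) throws CertificateException {
        if (this.mCheckDateValidation) {
            // checkValidity() already tests against the current time, so one call is enough.
            certificate.checkValidity();
        }
    }

    /** Verifies that {@code certificate} was signed with the private key matching {@code issuer}'s public key. */
    private void verifyCertificateSign(X509Certificate certificate, X509Certificate issuer) throws CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        certificate.verify(issuer.getPublicKey());
    }

    /**
     * Registers a policy, replacing any equal policy already registered. Null is ignored.
     *
     * @param policy policy consulted before, and notified after, each verification
     */
    public void addPolicy(CertificateCheckPolicy policy) {
        if (policy != null) {
            this.mPolicies.remove(policy);
            this.mPolicies.add(policy);
        }
    }

    /**
     * {@inheritDoc}
     *
     * <p>In loose mode this returns immediately and accepts any chain, including none.
     *
     * @throws CertificateException if the chain is null/empty or fails {@link #check}
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // NOTE(review): loose mode disables certificate validation entirely.
        if (this.mLooseMode) {
            return;
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no certificate received!");
        }
        check(chain, authType);
    }

    /**
     * {@inheritDoc}
     *
     * <p>In loose mode this returns immediately and accepts any chain, including none.
     *
     * @throws CertificateException if the chain is null/empty or fails {@link #check}
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // NOTE(review): loose mode disables certificate validation entirely.
        if (this.mLooseMode) {
            return;
        }
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no certificate received!");
        }
        check(chain, authType);
    }

    /**
     * {@inheritDoc}
     *
     * @return a copy of the certificates of all configured chains
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        // Copy so callers cannot alter the internal array.
        return this.mAcceptedIssuers.clone();
    }

    /**
     * Returns the registered policies.
     *
     * @return the live internal set, not a copy; changes made through it affect this trust manager
     */
    public Collection<CertificateCheckPolicy> getPolicies() {
        return this.mPolicies;
    }

    /**
     * Enables or disables validity-date checks for chains verified from now on.
     *
     * @param checkDateValidation false accepts expired and not-yet-valid certificates
     */
    public void setCheckDateValidation(boolean checkDateValidation) {
        // NOTE(review): passing false here weakens validation; keep it out of release builds.
        this.mCheckDateValidation = checkDateValidation;
    }
}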
