package com.wickr.networking.ssl;

import android.content.Context;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.wickr.networking.util.ExtensionsKt;
import com.wickr.utils.HexUtils;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.ranges.IntRange;
import kotlin.text.MatchResult;
import kotlin.text.Regex;
import kotlin.text.StringsKt;
import okhttp3.CertificatePinner;
import timber.log.Timber;

/* compiled from: WickrTrustManager.kt */
@Metadata(bv = {1, 0, 3}, d1 = {"\u0000H\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u0002\n\u0002\u0010\u0011\n\u0002\b\b\n\u0002\u0018\u0002\n\u0002\b\u0004\u0018\u0000  2\u00020\u0001:\u0001 B'\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u000e\b\u0002\u0010\u0004\u001a\b\u0012\u0004\u0012\u00020\u00060\u0005\u0012\b\b\u0002\u0010\u0007\u001a\u00020\b¢\u0006\u0002\u0010\tJ#\u0010\u0012\u001a\u00020\u00132\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u00142\u0006\u0010\u0015\u001a\u00020\u0006H\u0016¢\u0006\u0002\u0010\u0016J#\u0010\u0017\u001a\u00020\u00132\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u00142\u0006\u0010\u0015\u001a\u00020\u0006H\u0016¢\u0006\u0002\u0010\u0016J\u0013\u0010\u0018\u001a\b\u0012\u0004\u0012\u00020\f0\u0014H\u0016¢\u0006\u0002\u0010\u0019J\u0018\u0010\u001a\u001a\u00020\u00132\u0006\u0010\u0002\u001a\u00020\u00032\u0006\u0010\u001b\u001a\u00020\u0006H\u0002J\u000e\u0010\u001c\u001a\u00020\u001d2\u0006\u0010\u001e\u001a\u00020\u0006J\f\u0010\u001f\u001a\u00020\u0013*\u00020\fH\u0002R\u0014\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u000bX\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\r\u001a\u00020\u000e¢\u0006\b\n\u0000\u001a\u0004\b\u000f\u0010\u0010R\u000e\u0010\u0011\u001a\u00020\u0001X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006!"}, d2 = {"Lcom/wickr/networking/ssl/WickrTrustManager;", "Ljavax/net/ssl/X509TrustManager;", "context", "Landroid/content/Context;", "encodedCerts", "", "", "enableCRL", "", "(Landroid/content/Context;Ljava/util/List;Z)V", "certificates", "Ljava/util/ArrayList;", "Ljava/security/cert/X509Certificate;", "socketFactory", "Ljavax/net/ssl/SSLSocketFactory;", "getSocketFactory", "()Ljavax/net/ssl/SSLSocketFactory;", "systemTrustManager", "checkClientTrusted", "", "", "authType", 
"([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V", "checkServerTrusted", "getAcceptedIssuers", "()[Ljava/security/cert/X509Certificate;", "loadCRLSet", "assetFileName", "pinCertificates", "Lokhttp3/CertificatePinner;", "hostname", "checkRevocation", "Companion", "networking_release"}, k = 1, mv = {1, 4, 2})
/* loaded from: classes3.dex */
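/*
 * X509TrustManager that delegates chain validation to a platform trust manager and adds a
 * validity and bundled-revocation-list check for server certificates.
 *
 * Trust anchors: when at least one of the supplied encoded certificates parses, the delegate is
 * initialised from a keystore holding only those certificates. When none are supplied, or none
 * parse, the delegate is initialised with a null keystore, i.e. the platform default trust store.
 *
 * Review notes for anyone relying on this class as a security control:
 *  - crlSet is static, so it is shared by every instance in the process. Constructing one instance
 *    with CRL checking disabled clears the set for all other instances as well.
 *  - crlSet is a plain HashMap mutated from the constructor and read from checkServerTrusted;
 *    no synchronisation is visible in this file.
 *  - Revocation data comes from an asset bundled with the app ("onecrl.json"); this file shows no
 *    other source, so the list is only as fresh as the installed build.
 *  - Lookups are keyed by an Integer hash code only, so two different entries with the same hash
 *    are indistinguishable. What CRLEntry.hashCode() covers is not visible here; confirm.
 *  - Client certificates are validated by the delegate only; no revocation check is applied.
 */
public final class WickrTrustManager implements X509TrustManager {
    private static final String DEFAULT_CRL_LIST = "onecrl.json";
    // Matches a trailing ":<digits>" port suffix; compiled once instead of on every call.
    private static final Regex PORT_SUFFIX = new Regex(":\\d+$");
    private static final Gson crlGsonParser;
    // Process-wide revocation set, keyed by CRLEntry.hashCode().
    private static final HashMap<Integer, CRLEntry> crlSet = new HashMap<>();
    // Certificates that parsed successfully; these are both the trust anchors and the pin source.
    private final ArrayList<X509Certificate> certificates;
    private final SSLSocketFactory socketFactory;
    private final X509TrustManager systemTrustManager;

    static {
        Gson create = new GsonBuilder().registerTypeAdapter(CRLList.class, new CRLListDeserializer()).create();
        Intrinsics.checkNotNullExpressionValue(create, "GsonBuilder()\n          …                .create()");
        crlGsonParser = create;
    }

    /**
     * Builds the delegate trust manager, the TLS socket factory and (optionally) the revocation set.
     *
     * @param context      used only to open the bundled CRL asset
     * @param encodedCerts encoded certificates to trust and pin; an empty list selects the OS store
     * @param z            named {@code enableCRL} in the Kotlin metadata; {@code true} loads the
     *                     bundled CRL list if the shared set is empty, {@code false} clears the
     *                     shared set
     */
    public WickrTrustManager(Context context, List<String> encodedCerts, boolean z) {
        Intrinsics.checkNotNullParameter(context, "context");
        Intrinsics.checkNotNullParameter(encodedCerts, "encodedCerts");
        final boolean enableCrl = z;
        this.certificates = new ArrayList<>();
        Timber.i("Initializing Trust Manager with " + (encodedCerts.isEmpty() ? "OS" : Integer.valueOf(encodedCerts.size())) + " certificates", new Object[0]);

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        for (String encoded : encodedCerts) {
            X509Certificate certificate = ExtensionsKt.asX509Certificate(encoded);
            if (certificate == null) {
                // Previously dropped silently; a skipped anchor changes what this manager trusts.
                Timber.w("Skipping a configured certificate that could not be parsed", new Object[0]);
                continue;
            }
            Principal subjectDN = certificate.getSubjectDN();
            Intrinsics.checkNotNullExpressionValue(subjectDN, "certificate.subjectDN");
            Timber.d("Loading certificate into keystore: " + subjectDN.getName(), new Object[0]);
            this.certificates.add(certificate);
            keyStore.setCertificateEntry(certificate.toString(), certificate);
        }
        if (!encodedCerts.isEmpty() && this.certificates.isEmpty()) {
            // Certificates were configured but none loaded: the code below falls back to the OS
            // trust store and pinCertificates() will return a pinner with no pins. Make that visible.
            Timber.w("None of the " + encodedCerts.size() + " configured certificates could be parsed; falling back to the OS trust store", new Object[0]);
        }

        // The keystore holds certificate entries only (no private keys), so the key managers
        // built from it have no client credentials to offer.
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
        keyManagerFactory.init(keyStore, null);

        // A null keystore makes TrustManagerFactory use the platform default trust anchors.
        KeyStore trustAnchors = this.certificates.isEmpty() ? null : keyStore;
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustAnchors);

        // Pick the first X509TrustManager rather than blindly casting element 0.
        X509TrustManager delegate = null;
        for (TrustManager candidate : trustManagerFactory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                delegate = (X509TrustManager) candidate;
                break;
            }
        }
        if (delegate == null) {
            throw new NoSuchAlgorithmException("No system trust manager was found");
        }
        this.systemTrustManager = delegate;

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), new WickrTrustManager[]{this}, null);
        SSLSocketFactory factory = sslContext.getSocketFactory();
        Intrinsics.checkNotNullExpressionValue(factory, "sslContext.socketFactory");
        this.socketFactory = factory;

        if (!enableCrl) {
            // Affects every instance in the process, because crlSet is static.
            crlSet.clear();
        } else if (crlSet.isEmpty()) {
            loadCRLSet(context, DEFAULT_CRL_LIST);
        }
    }

    // Kotlin default-argument bridge: bit 2 of the mask selects an empty certificate list,
    // bit 4 selects CRL checking enabled.
    public /* synthetic */ WickrTrustManager(Context context, List list, boolean z, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(context, (i & 2) != 0 ? CollectionsKt.emptyList() : list, (i & 4) != 0 ? true : z);
    }

    /**
     * Rejects a certificate whose CRL entry hash is present in the shared revocation set.
     *
     * @throws CertificateException if the hash of the certificate's CRL entry is in crlSet
     */
    private final void checkRevocation(X509Certificate x509Certificate) throws CertificateException {
        // Match is by hash code alone; a colliding, unrelated certificate would also be rejected.
        if (!crlSet.containsKey(Integer.valueOf(ExtensionsKt.asCRLEntry(x509Certificate).hashCode()))) {
            return;
        }
        byte[] serialBytes = x509Certificate.getSerialNumber().toByteArray();
        Intrinsics.checkNotNullExpressionValue(serialBytes, "serialNumber.toByteArray()");
        String serialHex = HexUtils.toHexString(serialBytes);
        Timber.d("Certificate " + x509Certificate.getIssuerDN() + '/' + serialHex + " is revoked", new Object[0]);
        throw new CertificateException("Certificate " + serialHex + " is revoked");
    }

    /**
     * Parses the bundled CRL list and merges its usable entries into the shared revocation set.
     * Null entries and entries with an empty serial are skipped.
     */
    private final void loadCRLSet(Context context, String assetFileName) {
        CRLList crlList;
        // try-with-resources closes the asset stream on the failure path too; the decompiled
        // form only closed it after a successful parse.
        try (InputStream in = context.getAssets().open(assetFileName);
                InputStreamReader reader = new InputStreamReader(in)) {
            crlList = crlGsonParser.getAdapter(CRLList.class).fromJson(reader);
        }
        Timber.i("Loading " + crlList.getEntries().size() + " CRL entries from resource file", new Object[0]);

        ArrayList<CRLEntry> usable = new ArrayList<>();
        for (Object candidate : CollectionsKt.filterNotNull(crlList.getEntries())) {
            CRLEntry entry = (CRLEntry) candidate;
            if (entry.getSerial().length() > 0) {
                usable.add(entry);
            } else {
                // Log the entry itself; the previous message printed the boolean test result.
                Timber.d("Filtering out incomplete CRL entry: " + entry, new Object[0]);
            }
        }
        Timber.i("Loaded " + usable.size() + " filtered CRL entries from resource data", new Object[0]);

        for (CRLEntry entry : usable) {
            Integer key = Integer.valueOf(entry.hashCode());
            if (crlSet.containsKey(key)) {
                Timber.d("Replacing CRL entry: \n" + crlSet.get(key) + " \n" + entry, new Object[0]);
            }
            crlSet.put(key, entry);
        }
        Timber.i("Loaded " + crlSet.size() + " CRL entries into memory", new Object[0]);
    }

    /** Delegates client-chain validation unchanged; no revocation check is applied here. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
        Intrinsics.checkNotNullParameter(certificates, "certificates");
        Intrinsics.checkNotNullParameter(authType, "authType");
        this.systemTrustManager.checkClientTrusted(certificates, authType);
    }

    /**
     * Checks validity dates and the revocation set for every certificate the peer presented,
     * then hands the chain to the delegate for path validation.
     *
     * <p>Only the presented array is checked against the revocation set; a certificate the
     * delegate takes from its own store while building the path is not. Hostname matching is
     * not part of this method.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException {
        Intrinsics.checkNotNullParameter(certificates, "certificates");
        Intrinsics.checkNotNullParameter(authType, "authType");
        for (X509Certificate presented : certificates) {
            presented.checkValidity();
            checkRevocation(presented);
        }
        this.systemTrustManager.checkServerTrusted(certificates, authType);
    }

    /** Returns the delegate's accepted issuers. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] acceptedIssuers = this.systemTrustManager.getAcceptedIssuers();
        Intrinsics.checkNotNullExpressionValue(acceptedIssuers, "systemTrustManager.acceptedIssuers");
        return acceptedIssuers;
    }

    /** Returns the socket factory of the TLS context that uses this trust manager. */
    public final SSLSocketFactory getSocketFactory() {
        return this.socketFactory;
    }

    /**
     * Builds an OkHttp pinner that pins every loaded certificate to the given host.
     *
     * <p>A trailing {@code :port} is removed first. Pins are then added for the remaining string
     * and, when it differs ignoring case, for the part after {@code "://"}. If no certificate
     * was loaded the returned pinner holds no pins, so it constrains nothing.
     *
     * @param hostname host, optionally with a scheme prefix and a port suffix
     */
    public final CertificatePinner pinCertificates(String hostname) {
        Intrinsics.checkNotNullParameter(hostname, "hostname");
        String host = hostname;
        MatchResult portMatch = Regex.find$default(PORT_SUFFIX, host, 0, 2, null);
        IntRange portRange = portMatch == null ? null : portMatch.getRange();
        if (portRange != null) {
            host = host.substring(0, portRange.getStart().intValue());
        }
        // NOTE(review): the scheme-qualified form is pinned as given; whether CertificatePinner
        // treats such a pattern as a usable host depends on the OkHttp version — confirm.
        String bareHost = StringsKt.substringAfter$default(host, "://", (String) null, 2, (Object) null);
        boolean pinBareHostToo = !StringsKt.equals(host, bareHost, true);

        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        for (X509Certificate certificate : this.certificates) {
            String pin = CertificatePinner.pin(certificate);
            Timber.d("Pinning certificate: hostname: " + host + ", cert: " + pin, new Object[0]);
            builder.add(host, pin);
            if (pinBareHostToo) {
                Timber.d("Pinning certificate: hostname: " + bareHost + ", cert: " + pin, new Object[0]);
                builder.add(bareHost, pin);
            }
        }
        CertificatePinner build = builder.build();
        Intrinsics.checkNotNullExpressionValue(build, "CertificatePinner.Builde…      }\n        }.build()");
        return build;
    }
}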
