package com.l7tech.msso.io.http;

import com.l7tech.msso.cert.PublicKeyHash;
import com.l7tech.msso.cert.TrustedCertificateConfiguration;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
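/**
 * Client-side {@link X509TrustManager} that decides whether a server certificate chain is
 * trusted according to a {@link TrustedCertificateConfiguration}.
 *
 * <p>Validation runs in this order:
 * <ol>
 *   <li>If a non-empty set of pinned public key hashes is configured, at least one certificate
 *       in the supplied chain must carry a pinned public key.</li>
 *   <li>The chain is checked against trust managers built from the configured private trust
 *       anchors. If every one of them accepts the chain, it is trusted.</li>
 *   <li>Otherwise, if public PKI trust is enabled, every platform trust manager must accept
 *       the chain. If public PKI trust is disabled, the private trust store failure is
 *       thrown.</li>
 * </ol>
 *
 * <p>An empty or {@code null} pin set disables pinning entirely; the chain is then accepted on
 * trust-store validation alone.
 */
public class TrustedCertificateConfigurationTrustManager implements X509TrustManager {
    private static final String TRUST_STORE_ERROR = "Unable to create trust store of default KeyStore type: ";

    // Pinned public key hashes; null when the configuration supplies none.
    // NOTE(review): set membership relies on PublicKeyHash implementing equals/hashCode -- confirm.
    private final Set<PublicKeyHash> pinnedPublicKeys;
    // Trust managers backed only by the configured private trust anchors.
    private final Collection<X509TrustManager> privateTrustStoreDelegates;
    // Platform default trust managers; null when public PKI trust is disabled.
    private final Collection<X509TrustManager> publicPkiDelegates;

    /**
     * Builds the delegate trust managers and the pin set from the given configuration.
     *
     * @param trustedCertificateConfiguration source of the trust anchors, pinned key hashes and
     *     the "also trust public PKI" switch
     * @throws RuntimeException if public PKI trust is requested but no platform
     *     X509TrustManager exists, or if the private trust store cannot be created
     */
    public TrustedCertificateConfigurationTrustManager(TrustedCertificateConfiguration trustedCertificateConfiguration) {
        this.publicPkiDelegates = trustedCertificateConfiguration.isAlsoTrustPublicPki() ? getPlatformX509TrustManagers() : null;
        // NOTE(review): a null anchor collection fails below with NullPointerException --
        // confirm the configuration never returns null here.
        this.privateTrustStoreDelegates = getPrivateX509TrustManagers(trustedCertificateConfiguration.getTrustedCertificateAnchors());
        Collection<PublicKeyHash> configuredPins = trustedCertificateConfiguration.getTrustedCertificatePinnedPublicKeyHashes();
        this.pinnedPublicKeys = configuredPins != null ? new HashSet<PublicKeyHash>(configuredPins) : null;
    }

    /**
     * Runs the chain through every private trust store delegate.
     *
     * @return {@code null} when all delegates accept the chain, otherwise the failure that
     *     rejected it
     */
    private CertificateException checkPrivateTrustStoreDelegates(X509Certificate[] x509CertificateArr, String str) {
        // Fail closed: with no delegate at all nothing has validated the chain, so an empty
        // delegate list must count as a rejection rather than as "no failure".
        if (this.privateTrustStoreDelegates.isEmpty()) {
            return new CertificateException("No X509TrustManager available for the private trust store");
        }
        for (X509TrustManager delegate : this.privateTrustStoreDelegates) {
            try {
                delegate.checkServerTrusted(x509CertificateArr, str);
            } catch (CertificateException e) {
                return e;
            }
        }
        return null;
    }

    /**
     * Creates an in-memory key store of the default type holding the given certificates under
     * the aliases {@code cert1}, {@code cert2}, ... in iteration order.
     *
     * @throws RuntimeException if the key store cannot be created or populated
     */
    private static KeyStore createTrustStoreWithCerts(Collection<X509Certificate> collection) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises an empty key store instead of reading one from a stream.
            keyStore.load(null, null);
            int index = 1;
            for (X509Certificate certificate : collection) {
                keyStore.setCertificateEntry("cert" + index, certificate);
                index++;
            }
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(TRUST_STORE_ERROR + e.getMessage(), e);
        }
    }

    /**
     * Returns the platform default X.509 trust managers.
     *
     * @throws RuntimeException if the platform provides none
     */
    private static Collection<X509TrustManager> getPlatformX509TrustManagers() {
        // A null key store asks the TrustManagerFactory for its default trust material.
        Collection<X509TrustManager> platformManagers = getX509TrustManagers(null);
        if (platformManagers.isEmpty()) {
            throw new RuntimeException("Cannot trust public PKI -- no default X509TrustManager found");
        }
        return platformManagers;
    }

    /** Returns X.509 trust managers that trust only the given certificates. */
    private static Collection<X509TrustManager> getPrivateX509TrustManagers(Collection<X509Certificate> collection) {
        return getX509TrustManagers(createTrustStoreWithCerts(collection));
    }

    /**
     * Initialises the default TrustManagerFactory with the given key store and collects the
     * X.509 trust managers it produces.
     *
     * @param keyStore trust material, or {@code null} for the factory's default
     * @return the X509TrustManager instances produced; possibly empty
     * @throws RuntimeException if the factory is unavailable or cannot be initialised
     */
    private static Collection<X509TrustManager> getX509TrustManagers(KeyStore keyStore) {
        Collection<X509TrustManager> managers = new ArrayList<X509TrustManager>();
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    managers.add((X509TrustManager) trustManager);
                }
            }
            return managers;
        } catch (KeyStoreException e) {
            throw new RuntimeException("Unable to obtain platform X.509 trust managers: " + e.getMessage(), e);
        } catch (NoSuchAlgorithmException e2) {
            throw new RuntimeException("No default TrustManagerFactory implementation available: " + e2.getMessage(), e2);
        }
    }

    /** Returns true when any certificate in the supplied chain carries a pinned public key. */
    private boolean chainContainsPinnedKey(X509Certificate[] chain) {
        for (X509Certificate certificate : chain) {
            if (this.pinnedPublicKeys.contains(PublicKeyHash.fromPublicKey(certificate.getPublicKey()))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Always rejects: this trust manager validates servers on behalf of a client and is not
     * meant to authenticate client certificates.
     *
     * @throws CertificateException always
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("This trust manager is only for clients");
    }

    /**
     * Validates a server certificate chain against the pins, then the private trust store, then
     * (if enabled) the public PKI.
     *
     * @param x509CertificateArr the certificate chain presented by the server
     * @param str the authentication type, passed through to the delegates
     * @throws IllegalArgumentException if the chain is {@code null}
     * @throws CertificateException if no pinned key is present in the chain, or if neither the
     *     private trust store nor the enabled public PKI accepts the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null) {
            // X509TrustManager documents IllegalArgumentException for a null chain; without this
            // guard the pin loop would fail with a NullPointerException instead.
            throw new IllegalArgumentException("Certificate chain must not be null");
        }
        // NOTE(review): pins are matched against every entry of the chain as supplied to this
        // method, before any path validation. Whether the delegates below build their trust path
        // through the matching entry is not checked here. A stricter design matches pins against
        // the validated path (on Android, the list returned by
        // X509TrustManagerExtensions.checkServerTrusted) -- confirm which guarantee is required.
        if (this.pinnedPublicKeys != null && !this.pinnedPublicKeys.isEmpty() && !chainContainsPinnedKey(x509CertificateArr)) {
            throw new CertificateException("Server certificate chain did not contain any of the pinned public keys");
        }
        CertificateException privateFailure = checkPrivateTrustStoreDelegates(x509CertificateArr, str);
        if (privateFailure == null) {
            return;
        }
        if (this.publicPkiDelegates == null || this.publicPkiDelegates.isEmpty()) {
            throw privateFailure;
        }
        // Public PKI fallback: every platform trust manager must accept the chain; the first
        // rejection propagates to the caller and the private trust store failure is discarded.
        for (X509TrustManager delegate : this.publicPkiDelegates) {
            delegate.checkServerTrusted(x509CertificateArr, str);
        }
    }

    /**
     * Returns an empty array; this trust manager does not advertise any accepted issuers.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}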
