package com.boxer.email.smime;

import android.content.Context;
import android.support.annotation.NonNull;
import android.support.annotation.Nullable;
import android.support.annotation.VisibleForTesting;
import android.support.annotation.WorkerThread;
import android.text.TextUtils;
import com.airwatch.crypto.openssl.OpenSSLWrapper;
import com.boxer.common.logging.LogUtils;
import com.boxer.common.logging.Logging;
import com.boxer.email.ConnectivityWrapper;
import com.boxer.email.smime.storage.CertificateManager;
import com.boxer.email.smime.storage.CertificateUtility;
import com.boxer.emailcommon.provider.EmailContent;
import com.boxer.injection.ObjectGraphController;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang3.StringUtils;

/* loaded from: classes2.dex */
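/**
 * Verifies an S/MIME X.509 certificate: validity period, name sanity ("spoofing") check,
 * optional revocation lookup, and chain-of-trust resolution against a trusted certificate store.
 *
 * <p>This source is decompiler output, so most identifiers are obfuscated single letters. They are
 * kept as-is because other classes may reference them.
 *
 * <p>Security notes for reviewers (all derived from the code in this class):
 * <ul>
 *   <li>Chain building matches the authority key identifier of a certificate to the subject key
 *       identifier of a trusted certificate, then verifies the signature with that issuer's key.
 *       The signature check is what establishes trust; the key identifiers are only a lookup
 *       hint.</li>
 *   <li>Only the leaf certificate's validity period is checked (in {@link #c()}). The chain
 *       walkers do not check validity dates, basicConstraints or key usage of the issuers they
 *       traverse.</li>
 *   <li>Revocation checking is soft-fail: when no usable status can be obtained, the result keeps
 *       the default status it was constructed with.</li>
 *   <li>{@link #c()} and {@link #f()} are independent entry points. {@code c()} does not perform
 *       the chain-of-trust check itself; it only calls the overridable hook
 *       {@link #a(CertVerificationResult)}.</li>
 * </ul>
 */
public class X509CertificateVerifier {
    /** Log tag. */
    private static final String b = Logging.a(SMIMECryptoUtil.a.concat("X509CertVer"));
    // Unused in the decompiled body; the compiler presumably inlined them. NOTE(review): the
    // meaning of these two constants cannot be confirmed from this file.
    private static final int c = 1;
    private static final char d = 0;
    /** The certificate under verification; never null after construction. */
    protected X509Certificate a;
    private final Context e;
    /** True selects the CertificateManager-provided trust store ({@link #e()}), false the AndroidCAStore ({@link #d()}). */
    private final boolean f;
    private final OpenSSLWrapper g;
    private final ConnectivityWrapper h;
    private final CertificateManager i;
    /** Optional revocation checker; when null, revocation checking is skipped entirely. */
    private final SMIMECertRevocationChecker j;

    /**
     * Mutable outcome of a verification run: trust status, revocation result and three public flags.
     */
    public static class CertVerificationResult {
        // Not assigned anywhere in this file, yet e() requires it to be true.
        // NOTE(review): presumably set by the caller after a signature check; confirm.
        public boolean a;
        // Set to true by X509CertificateVerifier.c() once checkValidity() has passed.
        public boolean b;
        // Set by X509CertificateVerifier.c() to the outcome of the name spoofing check.
        public boolean c;
        private final Certificate d;
        private EmailContent.CertTrustStatus e = EmailContent.CertTrustStatus.NOT_TRUSTED;
        // Starts from a configured default status, so a skipped or failed revocation lookup
        // leaves that default in place.
        private CertRevocationCheckResult f = new CertRevocationCheckResult(f());

        /**
         * @param certificate the certificate this result describes
         */
        public CertVerificationResult(@NonNull Certificate certificate) {
            this.d = certificate;
        }

        /** Reads the default revocation status from application configuration. */
        private static int f() {
            return ObjectGraphController.a().e().t().F();
        }

        /** @return the current trust status; {@code NOT_TRUSTED} until something sets it otherwise */
        public EmailContent.CertTrustStatus a() {
            return this.e;
        }

        /**
         * Stores a revocation result. A revocation status of 1 forces the trust status to
         * {@code NOT_TRUSTED}. (Package-private in the original bytecode according to the decompiler.)
         */
        public void a(@NonNull CertRevocationCheckResult certRevocationCheckResult) {
            this.f = certRevocationCheckResult;
            if (certRevocationCheckResult.getRevocationStatus() == 1) {
                this.e = EmailContent.CertTrustStatus.NOT_TRUSTED;
            }
        }

        /**
         * Overwrites the trust status. (Package-private in the original bytecode according to the
         * decompiler.)
         */
        public void a(@NonNull EmailContent.CertTrustStatus certTrustStatus) {
            this.e = certTrustStatus;
        }

        /** @return the revocation status code of the stored revocation result */
        public int b() {
            return this.f.getRevocationStatus();
        }

        /** @return the next-update time of the stored revocation result */
        public Date c() {
            return this.f.getNextUpdate();
        }

        /** @return the certificate this result describes */
        @NonNull
        public Certificate d() {
            return this.d;
        }

        /** @return true only when flag {@code a} and flag {@code b} are set and the spoofing flag {@code c} is clear */
        public boolean e() {
            return this.a && this.b && !this.c;
        }
    }

    /**
     * Creates a verifier without a revocation checker.
     *
     * @throws IllegalArgumentException if {@code x509Certificate} is null
     */
    public X509CertificateVerifier(@NonNull Context context, @Nullable X509Certificate x509Certificate) {
        this(context, x509Certificate, null);
    }

    /**
     * Creates a verifier whose trust-store selection comes from application configuration.
     *
     * @param sMIMECertRevocationChecker revocation checker, or null to skip revocation checks
     * @throws IllegalArgumentException if {@code x509Certificate} is null
     */
    public X509CertificateVerifier(@NonNull Context context, @Nullable X509Certificate x509Certificate, @Nullable SMIMECertRevocationChecker sMIMECertRevocationChecker) {
        this.a = requireCertificate(x509Certificate);
        this.e = context;
        this.f = ObjectGraphController.a().e().t().I() == 1;
        this.j = sMIMECertRevocationChecker;
        this.g = new OpenSSLWrapper(this.e);
        this.h = new ConnectivityWrapper(this.e);
        this.i = ObjectGraphController.a().y();
    }

    /**
     * Test constructor with every collaborator injected. (Package-private in the original bytecode
     * according to the decompiler.)
     *
     * @throws IllegalArgumentException if {@code x509Certificate} is null
     */
    @VisibleForTesting
    public X509CertificateVerifier(@NonNull Context context, @Nullable X509Certificate x509Certificate, boolean z, @Nullable OpenSSLWrapper openSSLWrapper, @Nullable SMIMECertRevocationChecker sMIMECertRevocationChecker, @Nullable ConnectivityWrapper connectivityWrapper, @Nullable CertificateManager certificateManager) {
        this.a = requireCertificate(x509Certificate);
        this.e = context;
        this.f = z;
        this.g = openSSLWrapper;
        this.j = sMIMECertRevocationChecker;
        this.h = connectivityWrapper;
        this.i = certificateManager;
    }

    /** Rejects a null certificate with the message every constructor uses. */
    private static X509Certificate requireCertificate(@Nullable X509Certificate certificate) {
        if (certificate == null) {
            throw new IllegalArgumentException("certificate passed to " + b + " constructor cannot be null ");
        }
        return certificate;
    }

    /**
     * Looks up the trust-store alias of the issuer of {@code x509Certificate}.
     *
     * @param map key identifier to alias, as built by {@link #a(KeyStore)} or {@link #e()}
     * @return the alias, or null when the certificate yields no lookup key or the key is unknown
     */
    @Nullable
    private String a(@NonNull Map<String, String> map, @NonNull X509Certificate x509Certificate) {
        // NOTE(review): X509CertificateExtensions.b() is presumably the authority key identifier; confirm.
        String issuerKeyId = new X509CertificateExtensions(this.e, x509Certificate).b();
        return issuerKeyId != null ? map.get(issuerKeyId) : null;
    }

    /** Runs the chain-of-trust check against whichever trust store is configured. */
    private boolean a() throws NoSuchProviderException, InvalidKeyException {
        return this.f ? e() : d();
    }

    /**
     * Reports whether a certificate name contains characters this class treats as suspicious:
     * a NUL character, a line separator, or anything outside printable ASCII.
     *
     * <p>The printable-ASCII test already covers NUL and line breaks. It also means names with
     * non-ASCII characters are flagged, which is a possible source of false positives.
     */
    private boolean a(@NonNull String str) {
        return str.indexOf(0) >= 0 || str.contains(System.lineSeparator()) || !StringUtils.isAsciiPrintable(str);
    }

    /**
     * Walks the issuer chain of {@code x509Certificate} through {@code keyStore}, verifying each
     * signature, until {@code CertificateUtility.d} accepts an issuer as the end of the chain.
     *
     * <p>NOTE(review): the recursion has no depth limit or cycle guard, and issuers are not checked
     * for validity period or CA constraints.
     *
     * @param map key identifier to keystore alias
     * @return true when the chain resolves; false when a deeper step returned false
     * @throws InvalidKeyException when no trusted issuer with a matching signature is found
     */
    private boolean a(@NonNull KeyStore keyStore, @NonNull Map<String, String> map, @NonNull X509Certificate x509Certificate) throws NoSuchProviderException, InvalidKeyException {
        String issuerAlias = a(map, x509Certificate);
        if (TextUtils.isEmpty(issuerAlias)) {
            LogUtils.d(b, "Could not find signing cert in keystore", new Object[0]);
        } else {
            try {
                Certificate candidate = keyStore.getCertificate(issuerAlias);
                // A missing or non-X.509 entry is treated as "no issuer found" rather than
                // crashing with NullPointerException or ClassCastException.
                if (candidate instanceof X509Certificate) {
                    X509Certificate issuer = (X509Certificate) candidate;
                    if (a(x509Certificate, issuer.getPublicKey())) {
                        // NOTE(review): CertificateUtility.d presumably detects a self-signed root; confirm.
                        return CertificateUtility.d(issuer) || a(keyStore, map, issuer);
                    }
                }
            } catch (KeyStoreException | NoSuchAlgorithmException ex) {
                LogUtils.d(b, ex, "Error verifying certificate", new Object[0]);
            }
        }
        throw new InvalidKeyException("cert was not signed by any certificates in trustedCA");
    }

    /**
     * Checks that {@code x509Certificate} carries a valid signature made with {@code publicKey}.
     *
     * @return false on a bad key, bad signature or certificate encoding error
     */
    private boolean a(@NonNull X509Certificate x509Certificate, @NonNull PublicKey publicKey) throws NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(publicKey);
            return true;
        } catch (InvalidKeyException | SignatureException | CertificateException ex) {
            return false;
        }
    }

    /**
     * Same chain walk as the {@link KeyStore} variant, but over an in-memory map of trusted
     * certificates.
     *
     * <p>NOTE(review): the recursion has no depth limit or cycle guard, and issuers are not checked
     * for validity period or CA constraints.
     *
     * @param map trusted certificates; presumably keyed by alias string (confirm against the provider)
     * @param map2 key identifier to alias
     * @throws InvalidKeyException when no trusted issuer with a matching signature is found
     */
    private boolean a(@NonNull Map<String, X509Certificate> map, @NonNull Map<String, String> map2, @NonNull X509Certificate x509Certificate) throws NoSuchProviderException, InvalidKeyException {
        String issuerAlias = a(map2, x509Certificate);
        if (TextUtils.isEmpty(issuerAlias)) {
            LogUtils.d(b, "Could not find signing cert in keystore", new Object[0]);
        } else {
            try {
                X509Certificate issuer = map.get(issuerAlias);
                // An alias without a matching entry counts as "no issuer found" instead of
                // raising NullPointerException.
                if (issuer != null && a(x509Certificate, issuer.getPublicKey())) {
                    return CertificateUtility.d(issuer) || a(map, map2, issuer);
                }
            } catch (NoSuchAlgorithmException ex) {
                LogUtils.d(b, ex, "Error verifying certificate", new Object[0]);
            }
        }
        throw new InvalidKeyException("cert was not signed by any certificates in trustedCA");
    }

    /**
     * Name sanity check: flags the certificate when its subject DN or any rfc822Name subject
     * alternative name contains characters rejected by {@link #a(String)}.
     *
     * <p>NOTE(review): if the SAN extension cannot be parsed, the SAN part of the check is skipped
     * and the certificate is reported as not spoofed. Consider whether that should fail closed.
     *
     * @return true when a suspicious name was found
     */
    private boolean b() {
        String subjectDn = this.a.getSubjectDN().getName();
        if (!TextUtils.isEmpty(subjectDn) && a(subjectDn)) {
            LogUtils.e(b, "Certificate is spoofed considering the subject distinguished name in the cert.", new Object[0]);
            return true;
        }
        try {
            Collection<List<?>> subjectAlternativeNames = this.a.getSubjectAlternativeNames();
            if (subjectAlternativeNames == null) {
                return false;
            }
            for (List<?> entry : subjectAlternativeNames) {
                // GeneralName type 1 is rfc822Name (an e-mail address); other types are ignored.
                if (((Integer) entry.get(0)).intValue() != 1) {
                    continue;
                }
                String email = (String) entry.get(1);
                if (!TextUtils.isEmpty(email) && a(email)) {
                    LogUtils.e(b, "Certificate is spoofed considering the subject alternative name in the cert..", new Object[0]);
                    return true;
                }
            }
        } catch (CertificateParsingException ex) {
            LogUtils.e(b, ex, "Unable to get SAN to check for spoofing attack.", new Object[0]);
        }
        return false;
    }

    /**
     * Hook called by {@link #c()} for certificates that passed the validity and spoofing checks
     * and whose revocation status is not 1. The base implementation does nothing, so trust status
     * is only ever raised by an override.
     */
    @WorkerThread
    protected void a(@NonNull CertVerificationResult certVerificationResult) {
    }

    /**
     * Loads {@code keyStore}, indexes its entries by key identifier and resolves the chain of
     * the certificate under verification against it.
     *
     * @throws InvalidKeyException when the keystore cannot be loaded or read (cause attached), or
     *     when no trusted issuer is found
     */
    @VisibleForTesting
    boolean a(@NonNull KeyStore keyStore) throws InvalidKeyException, NoSuchProviderException {
        // Left raw: the return type of X509CertificateExtensions.a() is not visible in this file.
        HashMap hashMap = new HashMap();
        try {
            keyStore.load(null, null);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509CertificateExtensions extensions = new X509CertificateExtensions(this.e, (X509Certificate) keyStore.getCertificate(alias));
                // NOTE(review): a() is presumably the subject key identifier, going by the log text below.
                Object subjectKeyId = extensions.a();
                if (subjectKeyId != null) {
                    hashMap.put(subjectKeyId, alias);
                } else {
                    LogUtils.d(b, "Skipping %s because of null subject key ID", alias);
                }
            }
            return a(keyStore, hashMap, this.a);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException ex) {
            LogUtils.d(b, ex, "Error verifying certificate against trusted CAs", new Object[0]);
            // Keep the cause so the real failure is not lost to callers.
            throw new InvalidKeyException("Error loading the Keystore for Trusted Certs", ex);
        }
    }

    /**
     * Fills {@code certVerificationResult} with a revocation status when one can be obtained.
     *
     * <p>Order of preference: a stored result that {@code CertificateUtility.a(nextUpdate)} accepts;
     * a stored result whose retry count has reached 3; otherwise a fresh check, but only when the
     * connectivity wrapper reports a connection. In every other case the result is left untouched,
     * so it keeps its default status (soft-fail).
     */
    @WorkerThread
    void b(@NonNull CertVerificationResult certVerificationResult) {
        if (this.j == null) {
            return;
        }
        try {
            CertificateAlias alias = CertificateUtility.a(this.a.getEncoded());
            CertRevocationCheckResult status = this.i.a(alias, this.j.c());
            if (CertificateUtility.a(status.getNextUpdate())) {
                LogUtils.b(b, "Valid revocation status found for certificate with alias: " + alias, new Object[0]);
                certVerificationResult.a(status);
            } else if (status.getRetryCount() >= 3) {
                certVerificationResult.a(status);
                LogUtils.c(b, "Max limit reached. Not retrying to check the revocation status for cert with alias: " + alias, new Object[0]);
            } else if (this.h != null && this.h.a() && this.g != null) {
                this.j.a(this.a, this.g, status);
                LogUtils.b(b, "Alias: " + alias + " revocationStatus obtained from openssl api: " + status.getRevocationStatus(), new Object[0]);
                certVerificationResult.a(status);
            }
        } catch (CertificateEncodingException ex) {
            LogUtils.e(b, ex, "Failed to check the revocation status of the certificate as we couldn't get alias from the certificate.", new Object[0]);
        }
    }

    /**
     * Runs the validity, spoofing and (when enabled) revocation checks and returns the result.
     *
     * <p>An expired, not-yet-valid or spoofed certificate is marked {@code NOT_TRUSTED}. Otherwise
     * the hook {@link #a(CertVerificationResult)} runs unless the revocation status is 1.
     */
    @WorkerThread
    @NonNull
    public CertVerificationResult c() {
        CertVerificationResult result = new CertVerificationResult(this.a);
        try {
            this.a.checkValidity();
            result.b = true;
            result.c = b();
            if (result.c) {
                LogUtils.e(b, "Certificate with subject %s is spoofed", this.a.getSubjectDN().getName());
                result.a(EmailContent.CertTrustStatus.NOT_TRUSTED);
            } else {
                if (this.j != null && this.j.b()) {
                    b(result);
                }
                // Status 1 already forced NOT_TRUSTED inside the result, so the hook is skipped.
                if (result.b() != 1) {
                    a(result);
                }
            }
        } catch (CertificateExpiredException ex) {
            LogUtils.d(b, "certificate expired", ex);
            result.a(EmailContent.CertTrustStatus.NOT_TRUSTED);
        } catch (CertificateNotYetValidException ex) {
            LogUtils.d(b, "certificate not yet valid", ex);
            result.a(EmailContent.CertTrustStatus.NOT_TRUSTED);
        }
        return result;
    }

    /**
     * Chain-of-trust check against the platform {@code AndroidCAStore}.
     *
     * @throws InvalidKeyException when the store is unavailable (cause attached when there is one)
     *     or no trusted issuer is found
     */
    protected boolean d() throws NoSuchProviderException, InvalidKeyException {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidCAStore");
            if (keyStore != null) {
                return a(keyStore);
            }
        } catch (KeyStoreException ex) {
            LogUtils.d(b, ex, "Error verifying certificate against trusted CAs", new Object[0]);
            throw new InvalidKeyException("Error loading the Keystore for Trusted Certs", ex);
        }
        throw new InvalidKeyException("Error loading the Keystore for Trusted Certs");
    }

    /**
     * Chain-of-trust check against the certificates supplied by the application's certificate
     * manager.
     *
     * <p>Fails closed: any error, including "no trusted issuer found", yields false. The decompiled
     * original returned true from its catch blocks, so a certificate that failed chain validation
     * was reported as trusted. {@link #f()} already treats the same exceptions from {@link #d()}
     * as "not trusted", so returning false here makes the two trust-store paths agree.
     *
     * @return true only when the chain resolves to a trusted certificate
     */
    @WorkerThread
    protected boolean e() {
        // Left raw: the return type of X509CertificateExtensions.a() is not visible in this file.
        HashMap hashMap = new HashMap();
        try {
            Map<String, X509Certificate> trustedCerts = ObjectGraphController.a().y().c();
            if (trustedCerts.isEmpty()) {
                return false;
            }
            for (X509Certificate trusted : trustedCerts.values()) {
                X509CertificateExtensions extensions = new X509CertificateExtensions(this.e, trusted);
                CertificateAlias alias = CertificateUtility.a(trusted.getEncoded());
                Object subjectKeyId = extensions.a();
                if (subjectKeyId != null) {
                    hashMap.put(subjectKeyId, alias.toString());
                } else {
                    LogUtils.d(b, "Skipping %s because of null subject key ID", alias);
                }
            }
            return a(trustedCerts, hashMap, this.a);
        } catch (InvalidKeyException | NoSuchProviderException | CertificateException ex) {
            LogUtils.d(b, ex, "Error verifying certificate against trusted CAs", new Object[0]);
            return false;
        }
    }

    /**
     * Resolves the trust status of the certificate under verification.
     *
     * <p>A status already recorded by the certificate manager wins unless it is
     * {@code UNKNOWN_TRUST}; in that case the chain-of-trust check decides. This method does not
     * check validity dates, names or revocation; see {@link #c()} for those.
     *
     * @return {@code TRUSTED} or {@code NOT_TRUSTED}, or the recorded status when one exists
     * @throws CertificateEncodingException if the certificate cannot be encoded to derive its alias
     */
    public EmailContent.CertTrustStatus f() throws CertificateEncodingException {
        EmailContent.CertTrustStatus recorded = ObjectGraphController.a().y().i(CertificateUtility.a(this.a.getEncoded()));
        if (recorded != EmailContent.CertTrustStatus.UNKNOWN_TRUST) {
            return recorded;
        }
        boolean chainTrusted = false;
        try {
            chainTrusted = a();
        } catch (InvalidKeyException | NoSuchProviderException ex) {
            // Log the cause as well; the original discarded it.
            LogUtils.d(b, ex, "Certificate not trusted: " + this.a.getSubjectDN().toString(), new Object[0]);
        }
        return chainTrusted ? EmailContent.CertTrustStatus.TRUSTED : EmailContent.CertTrustStatus.NOT_TRUSTED;
    }
}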
