package cn.com.suresec.jsse.provider;

import cn.com.suresec.jsse.BCExtendedSSLSession;
import cn.com.suresec.jsse.BCSNIHostName;
import cn.com.suresec.jsse.BCSNIServerName;
import cn.com.suresec.jsse.BCSSLParameters;
import cn.com.suresec.jsse.BCX509ExtendedTrustManager;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Provider;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509TrustManager;

/* compiled from: ProvX509TrustManager.java */
/* loaded from: classes.dex */
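/**
 * PKIX-based X.509 trust manager (decompiled and obfuscated; the header comment of this listing
 * names the original source file as ProvX509TrustManager.java).
 *
 * <p>Each {@code checkClientTrusted}/{@code checkServerTrusted} call performs two steps:
 * <ol>
 *   <li>certification-path validation of the presented chain against the configured trust
 *       anchors, and</li>
 *   <li>endpoint identification (host name check), but only when a connected {@link SSLSocket}
 *       or an {@link SSLEngine} is supplied AND its SSL parameters carry a non-empty endpoint
 *       identification algorithm.</li>
 * </ol>
 *
 * <p>Review note: as decompiled, the path-validation step built the PKIX parameters and the
 * {@link CertPathBuilder} but never invoked the builder, so no chain was ever rejected by path
 * validation. The {@code build} call is restored in {@link #a(X509Certificate[], String, boolean)}.
 * Whether the omission is a decompiler artifact or present in the shipped bytecode cannot be told
 * from this listing; verify against the original dex.
 */
class ay extends BCX509ExtendedTrustManager {

    /** Class logger; used only for the FINE-level SNI mismatch message. */
    private static final Logger f1143a = Logger.getLogger(ay.class.getName());

    /** JCA provider used to obtain the CertStore and the PKIX CertPathBuilder. */
    private final Provider f1144b;

    /** Certificates taken from the trust anchors; also returned by {@link #getAcceptedIssuers()}. */
    private final Set<X509Certificate> f1145c;

    /** Base PKIX builder parameters; cloned for every validation so per-call state does not leak. */
    private final PKIXParameters d;

    /** Wrapper produced by {@code bh.a(this)}; presumably an exported X509TrustManager view - confirm in bh. */
    private final X509TrustManager e;

    /**
     * Creates a trust manager from caller-supplied PKIX parameters.
     *
     * <p>A {@link PKIXBuilderParameters} instance is stored as-is (not copied, so later mutation by
     * the caller is visible here). Any other {@link PKIXParameters} is converted field by field,
     * including the caller's revocation setting.
     *
     * @param provider provider for the CertStore / CertPathBuilder lookups
     * @param pKIXParameters base validation parameters, including the trust anchors
     * @throws InvalidAlgorithmParameterException if the builder parameters cannot be constructed
     */
    public ay(Provider provider, PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        this.f1144b = provider;
        this.f1145c = a(pKIXParameters.getTrustAnchors());
        if (pKIXParameters instanceof PKIXBuilderParameters) {
            this.d = pKIXParameters;
        } else {
            this.d = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), pKIXParameters.getTargetCertConstraints());
            this.d.setCertStores(pKIXParameters.getCertStores());
            this.d.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
            this.d.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
            this.d.setDate(pKIXParameters.getDate());
            this.d.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
            this.d.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
            this.d.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
        }
        this.e = bh.a((BCX509ExtendedTrustManager) this);
    }

    /**
     * Creates a trust manager from a bare set of trust anchors.
     *
     * <p>Revocation checking is switched off on this path: certificates revoked by their issuer are
     * still accepted unless the caller uses the {@link PKIXParameters} constructor with revocation
     * enabled.
     *
     * @param provider provider for the CertStore / CertPathBuilder lookups
     * @param set trust anchors
     * @throws InvalidAlgorithmParameterException if the builder parameters cannot be constructed
     */
    public ay(Provider provider, Set<TrustAnchor> set) throws InvalidAlgorithmParameterException {
        this.f1144b = provider;
        this.f1145c = a(set);
        this.d = new PKIXBuilderParameters(set, new X509CertSelector());
        this.d.setRevocationEnabled(false);
        this.e = bh.a((BCX509ExtendedTrustManager) this);
    }

    /**
     * Returns the handshake session for an engine, failing closed when none is available.
     *
     * @throws CertificateException if {@code ba.a(engine)} yields no session
     */
    private static BCExtendedSSLSession a(SSLEngine sSLEngine) throws CertificateException {
        BCExtendedSSLSession a2 = ba.a(sSLEngine);
        if (a2 == null) {
            throw new CertificateException("No handshake session for engine");
        }
        return a2;
    }

    /**
     * Returns the handshake session for a socket, failing closed when none is available.
     *
     * @throws CertificateException if {@code bd.a(socket)} yields no session
     */
    private static BCExtendedSSLSession a(SSLSocket sSLSocket) throws CertificateException {
        BCExtendedSSLSession a2 = bd.a(sSLSocket);
        if (a2 == null) {
            throw new CertificateException("No handshake session for socket");
        }
        return a2;
    }

    /**
     * Extracts the first SNI entry of type 0 (host_name) from the session's requested server names.
     *
     * @return the host name entry, or {@code null} if none is present or its encoding cannot be parsed
     */
    private static BCSNIHostName a(BCExtendedSSLSession bCExtendedSSLSession) {
        List<BCSNIServerName> requestedServerNames = bCExtendedSSLSession.getRequestedServerNames();
        if (requestedServerNames != null) {
            for (BCSNIServerName bCSNIServerName : requestedServerNames) {
                if (bCSNIServerName != null && bCSNIServerName.getType() == 0) {
                    if (bCSNIServerName instanceof BCSNIHostName) {
                        return (BCSNIHostName) bCSNIServerName;
                    }
                    try {
                        return new BCSNIHostName(bCSNIServerName.getEncoded());
                    } catch (RuntimeException unused) {
                        // Malformed host_name: treated as "no SNI"; the caller then checks the peer host only.
                        return null;
                    }
                }
            }
        }
        return null;
    }

    /**
     * Collects the certificates carried by the given trust anchors.
     *
     * <p>Anchors that are {@code null} or that carry no certificate (name/public-key anchors) are
     * skipped, so they never appear in {@link #getAcceptedIssuers()} and never take the
     * "leaf is itself an anchor" shortcut.
     */
    private static Set<X509Certificate> a(Set<TrustAnchor> set) {
        Set<X509Certificate> certs = new HashSet<>(set.size());
        for (TrustAnchor trustAnchor : set) {
            if (trustAnchor == null) {
                continue;
            }
            X509Certificate trustedCert = trustAnchor.getTrustedCert();
            if (trustedCert != null) {
                certs.add(trustedCert);
            }
        }
        return certs;
    }

    /**
     * Checks one host name against the certificate under the given endpoint identification algorithm.
     *
     * <p>Only "HTTPS", "LDAP" and "LDAPS" (case-insensitive) are accepted; any other algorithm is
     * rejected rather than ignored. The boolean passed to {@code m.a} differs between HTTPS and
     * LDAP(S); presumably it selects the wildcard-matching rule - confirm in class m.
     *
     * @throws CertificateException if the algorithm is unknown or {@code m.a} rejects the name
     */
    private static void a(String str, X509Certificate x509Certificate, String str2) throws CertificateException {
        // t.b presumably normalises the host name before matching - confirm in class t.
        String b2 = t.b(str);
        if (str2.equalsIgnoreCase("HTTPS")) {
            m.a(b2, x509Certificate, true);
        } else if (str2.equalsIgnoreCase("LDAP") || str2.equalsIgnoreCase("LDAPS")) {
            m.a(b2, x509Certificate, false);
        } else {
            throw new CertificateException("Unknown endpoint ID algorithm: " + str2);
        }
    }

    /**
     * Endpoint identification for the leaf certificate.
     *
     * <p>When {@code z} is true (the {@code checkServerTrusted} paths) and the session carries an SNI
     * host_name that differs from the peer host, a match on the SNI name is sufficient. If the SNI
     * name does not match, the failure is only logged at FINE and the peer host is checked instead.
     *
     * @throws CertificateException if the certificate matches neither name
     */
    private static void a(X509Certificate x509Certificate, String str, boolean z, BCExtendedSSLSession bCExtendedSSLSession) throws CertificateException {
        BCSNIHostName a2;
        String peerHost = bCExtendedSSLSession.getPeerHost();
        if (z && (a2 = a(bCExtendedSSLSession)) != null) {
            String asciiName = a2.getAsciiName();
            if (!asciiName.equalsIgnoreCase(peerHost)) {
                try {
                    a(asciiName, x509Certificate, str);
                    return;
                } catch (CertificateException e) {
                    f1143a.log(Level.FINE, "Server's endpoint ID did not match the SNI host_name: " + asciiName, (Throwable) e);
                }
            }
        }
        a(peerHost, x509Certificate, str);
    }

    /**
     * Endpoint identification for a socket-based connection.
     *
     * <p>Silently does nothing when {@code socket} is {@code null}, not an {@link SSLSocket}, or not
     * connected; in those cases no host name check is performed at all.
     */
    public static void a(X509Certificate[] x509CertificateArr, String str, Socket socket, boolean z) throws CertificateException {
        if ((socket instanceof SSLSocket) && socket.isConnected()) {
            SSLSocket sSLSocket = (SSLSocket) socket;
            a(x509CertificateArr, str, z, a(sSLSocket), b(sSLSocket));
        }
    }

    /**
     * Endpoint identification for an engine-based connection.
     *
     * <p>Silently does nothing when {@code sSLEngine} is {@code null}.
     */
    public static void a(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine, boolean z) throws CertificateException {
        if (sSLEngine != null) {
            a(x509CertificateArr, str, z, a(sSLEngine), b(sSLEngine));
        }
    }

    /**
     * Validates that the presented chain leads from its first certificate to a configured trust anchor.
     *
     * <p>{@code str} (authType) is only checked for being non-empty, and {@code z} is not used here.
     *
     * @param x509CertificateArr peer chain, leaf first
     * @param str authType supplied by the TLS layer
     * @param z true on the server-certificate paths; unused by path validation
     * @throws IllegalArgumentException if the chain or authType is null/empty
     * @throws CertificateException if no valid certification path can be built
     */
    private void a(X509Certificate[] x509CertificateArr, String str, boolean z) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length < 1) {
            throw new IllegalArgumentException("'chain' must be a chain of at least one certificate");
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException("'authType' must be a non-null, non-empty string");
        }
        X509Certificate x509Certificate = x509CertificateArr[0];
        // Shortcut: a leaf that is itself a configured trust anchor is accepted without PKIX
        // processing, so its validity period and revocation status are not evaluated here.
        if (this.f1145c.contains(x509Certificate)) {
            return;
        }
        try {
            // The peer-supplied chain is offered only as a pool of candidate intermediates.
            CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(x509CertificateArr)), this.f1144b);
            CertPathBuilder certPathBuilder = CertPathBuilder.getInstance("PKIX", this.f1144b);
            // NOTE(review): getTargetCertConstraints() may be null or a non-X509 selector when the
            // caller supplied its own PKIXBuilderParameters; that surfaces as a RuntimeException.
            X509CertSelector x509CertSelector = (X509CertSelector) this.d.getTargetCertConstraints().clone();
            x509CertSelector.setCertificate(x509Certificate);
            PKIXBuilderParameters pKIXBuilderParameters = (PKIXBuilderParameters) this.d.clone();
            pKIXBuilderParameters.addCertStore(certStore);
            pKIXBuilderParameters.setTargetCertConstraints(x509CertSelector);
            // Fix: actually run path building/validation. Without this call the parameters above
            // were prepared and discarded, and every non-empty chain was accepted.
            certPathBuilder.build(pKIXBuilderParameters);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("unable to process certificates: " + e.getMessage(), e);
        }
    }

    /**
     * Runs endpoint identification if, and only if, the SSL parameters name an algorithm.
     *
     * <p>A null or empty endpoint identification algorithm disables the host name check entirely;
     * callers that need it must configure the algorithm (this class accepts "HTTPS", "LDAP" and
     * "LDAPS") on the socket/engine parameters.
     */
    private static void a(X509Certificate[] x509CertificateArr, String str, boolean z, BCExtendedSSLSession bCExtendedSSLSession, BCSSLParameters bCSSLParameters) throws CertificateException {
        String endpointIdentificationAlgorithm = bCSSLParameters.getEndpointIdentificationAlgorithm();
        if (endpointIdentificationAlgorithm == null || endpointIdentificationAlgorithm.length() <= 0) {
            return;
        }
        a(x509CertificateArr[0], endpointIdentificationAlgorithm, z, bCExtendedSSLSession);
    }

    /**
     * Returns the SSL parameters for an engine, failing closed when none are available.
     *
     * @throws CertificateException if {@code ba.b(engine)} yields no parameters
     */
    private static BCSSLParameters b(SSLEngine sSLEngine) throws CertificateException {
        BCSSLParameters b2 = ba.b(sSLEngine);
        if (b2 == null) {
            throw new CertificateException("No SSL parameters for engine");
        }
        return b2;
    }

    /**
     * Returns the SSL parameters for a socket, failing closed when none are available.
     *
     * @throws CertificateException if {@code bd.b(socket)} yields no parameters
     */
    private static BCSSLParameters b(SSLSocket sSLSocket) throws CertificateException {
        BCSSLParameters b2 = bd.b(sSLSocket);
        if (b2 == null) {
            throw new CertificateException("No SSL parameters for socket");
        }
        return b2;
    }

    /** Path validation followed by socket-based endpoint identification. */
    private void b(X509Certificate[] x509CertificateArr, String str, Socket socket, boolean z) throws CertificateException {
        a(x509CertificateArr, str, z);
        a(x509CertificateArr, str, socket, z);
    }

    /** Path validation followed by engine-based endpoint identification. */
    private void b(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine, boolean z) throws CertificateException {
        a(x509CertificateArr, str, z);
        a(x509CertificateArr, str, sSLEngine, z);
    }

    /** Returns the X509TrustManager wrapper created in the constructor via {@code bh.a(this)}. */
    public X509TrustManager a() {
        return this.e;
    }

    /** Validates a client chain; no socket is available, so no endpoint identification is done. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        b(x509CertificateArr, str, (Socket) null, false);
    }

    /** Validates a client chain for a socket-based connection. */
    @Override // cn.com.suresec.jsse.BCX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        b(x509CertificateArr, str, socket, false);
    }

    /** Validates a client chain for an engine-based connection. */
    @Override // cn.com.suresec.jsse.BCX509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        b(x509CertificateArr, str, sSLEngine, false);
    }

    /**
     * Validates a server chain; no socket is available, so the host name is NOT checked and the
     * caller must verify it separately.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        b(x509CertificateArr, str, (Socket) null, true);
    }

    /** Validates a server chain for a socket-based connection. */
    @Override // cn.com.suresec.jsse.BCX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        b(x509CertificateArr, str, socket, true);
    }

    /** Validates a server chain for an engine-based connection. */
    @Override // cn.com.suresec.jsse.BCX509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        b(x509CertificateArr, str, sSLEngine, true);
    }

    /** Returns a fresh array of the certificates taken from the configured trust anchors. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.f1145c.toArray(new X509Certificate[0]);
    }
}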
