package com.wolfssl.provider.jsse;

import com.wolfssl.WolfSSLCertManager;
import com.wolfssl.WolfSSLException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes4.dex */
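/**
 * {@link X509TrustManager} that validates peer certificate chains with the
 * native wolfSSL certificate manager ({@link WolfSSLCertManager}), using the
 * CA certificates found in a {@link KeyStore} as trust anchors.
 *
 * <p>Chain handling: the peer chain is first ordered leaf-first by matching
 * each certificate's issuer to the subject of another certificate in the
 * chain, then every certificate above the leaf is verified against the
 * currently trusted set and, on success, itself loaded as a trusted CA before
 * the leaf is verified.
 *
 * <p>This class performs path validation only. The authentication type is
 * checked for presence but not matched against the peer key, and no hostname
 * or identity check is done here (the host argument of
 * {@link #checkServerTrusted(X509Certificate[], String, String)} is ignored);
 * those checks must be performed by the caller.
 */
public class WolfSSLTrustX509 implements X509TrustManager {

    /* "type" argument handed to the native load/verify buffer calls. The
     * original code passed the literal 2 everywhere; presumably the wolfSSL
     * DER/ASN.1 file-type constant -- confirm against com.wolfssl.WolfSSL. */
    private static final int CERT_FORMAT = 2;

    /* The native CertManager calls used here signal success by returning 1. */
    private static final int NATIVE_SUCCESS = 1;

    /* KeyStore holding the trusted CA certificates; released in finalize(). */
    private KeyStore store;

    /**
     * Creates a trust manager backed by the given KeyStore.
     *
     * @param keyStore KeyStore containing the trusted CA certificates. Not
     *                 validated here; a null store fails later, when the
     *                 verify or getAcceptedIssuers() paths read it.
     */
    public WolfSSLTrustX509(KeyStore keyStore) {
        this.store = keyStore;
        log("created new WolfSSLTrustX509");
    }

    /* Emits an INFO-level debug line attributed to this class. */
    private void log(String message) {
        WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO, message);
    }

    /**
     * Validates a peer chain against the trusted KeyStore.
     *
     * @param chain           peer certificate chain, leaf expected at index 0
     *                        (any order is tolerated, see
     *                        {@link #sortCertChainBySubjectIssuer})
     * @param authType        authentication type; only checked to be non-empty
     * @param returnFullChain when true, the sorted chain plus the matching
     *                        root CA from the KeyStore is returned; when false,
     *                        {@code null} is returned after verification
     * @return the verified chain with its root appended, or {@code null}
     * @throws CertificateException if the arguments are missing, the native
     *         manager cannot be created or loaded, any certificate fails
     *         verification, or no root CA for the chain exists in the KeyStore
     */
    private List<X509Certificate> certManagerVerify(X509Certificate[] chain,
            String authType, boolean returnFullChain) throws CertificateException {

        if (chain == null || chain.length == 0) {
            throw new CertificateException("Peer certificate chain is null or empty");
        }
        if (authType == null || authType.isEmpty()) {
            throw new CertificateException("Authentication type is null or empty");
        }

        X509Certificate[] sorted = verifyChainWithNativeCertManager(chain);

        if (!returnFullChain) {
            return null;
        }

        /* NOTE(review): the last array element is used as the top of the
         * chain. sortCertChainBySubjectIssuer() leaves certificates that do
         * not link into the path at the end of the array, so with such extra
         * certificates this may not be the true top of the verified path. */
        X509Certificate root = findRootCAFromKeyStoreForCert(
                sorted[sorted.length - 1], this.store);
        if (root == null) {
            throw new CertificateException(
                    "Unable to find root CA in KeyStore to append to chain list");
        }

        List<X509Certificate> fullChain =
                new ArrayList<X509Certificate>(Arrays.asList(sorted));
        fullChain.add(root);
        return fullChain;
    }

    /**
     * Runs the native verification of a peer chain: loads the KeyStore as
     * trust anchors, verifies each certificate above the leaf top-down
     * (adding each verified one as a trusted CA), then verifies the leaf.
     *
     * @param chain non-empty peer chain
     * @return the chain sorted leaf-first, as produced by
     *         {@link #sortCertChainBySubjectIssuer}
     * @throws CertificateException on any native failure or a certificate
     *         that does not verify
     */
    private X509Certificate[] verifyChainWithNativeCertManager(X509Certificate[] chain)
            throws CertificateException {

        WolfSSLCertManager cm;
        try {
            cm = new WolfSSLCertManager();
        } catch (WolfSSLException e) {
            throw new CertificateException(
                    "Failed to create native WolfSSLCertManager", e);
        }

        /* The native manager is freed in finally so that no exception path
         * (including CertificateEncodingException from getEncoded()) leaks it. */
        try {
            cm.CertManagerLoadCAKeyStore(this.store);
            X509Certificate[] sorted = sortCertChainBySubjectIssuer(chain);

            /* Walk from the top of the chain down to the certificate directly
             * above the leaf; each one must verify against what is trusted so
             * far before it is added as a trusted CA for the next step. */
            for (int idx = sorted.length - 1; idx > 0; idx--) {
                X509Certificate intermediate = sorted[idx];
                String name = intermediate.getSubjectX500Principal().getName();
                log("Verifying intermediate chain cert: " + name);
                byte[] der = intermediate.getEncoded();
                if (cm.CertManagerVerifyBuffer(der, der.length, CERT_FORMAT)
                        != NATIVE_SUCCESS) {
                    throw new CertificateException(
                            "Failed to verify intermediate chain cert");
                }
                if (cm.CertManagerLoadCABuffer(der, der.length, CERT_FORMAT)
                        != NATIVE_SUCCESS) {
                    throw new CertificateException(
                            "Failed to load intermediate CA certificate as trusted root");
                }
                log("Loaded intermediate CA: " + name);
            }

            X509Certificate peer = sorted[0];
            String peerName = peer.getSubjectX500Principal().getName();
            log("Verifying peer certificate: " + peerName);
            byte[] peerDer = peer.getEncoded();
            if (peerDer == null) {
                throw new CertificateException("Failed to get encoded peer cert");
            }
            if (cm.CertManagerVerifyBuffer(peerDer, peerDer.length, CERT_FORMAT)
                    != NATIVE_SUCCESS) {
                log("Failed to verify peer certificate");
                throw new CertificateException("Failed to verify peer certificate");
            }
            log("Verified peer certificate: " + peerName);
            return sorted;
        } catch (WolfSSLException e) {
            throw new CertificateException(
                    "Failed to load trusted certs into WolfSSLCertManager", e);
        } finally {
            cm.free();
        }
    }

    /**
     * Reads the certificate stored under a KeyStore alias: the first element
     * of the chain for key entries, the certificate itself otherwise.
     *
     * @return the X.509 certificate, or {@code null} when the entry has no
     *         certificate or it is not an {@link X509Certificate}
     * @throws KeyStoreException if the KeyStore cannot be read
     */
    private static X509Certificate certificateForAlias(KeyStore ks, String alias)
            throws KeyStoreException {
        Certificate cert;
        if (ks.isKeyEntry(alias)) {
            Certificate[] entryChain = ks.getCertificateChain(alias);
            cert = (entryChain != null && entryChain.length > 0) ? entryChain[0] : null;
        } else {
            cert = ks.getCertificate(alias);
        }
        return (cert instanceof X509Certificate) ? (X509Certificate) cert : null;
    }

    /* A certificate is treated as a CA when it carries a basicConstraints
     * extension with cA=true; getBasicConstraints() returns -1 otherwise. */
    private static boolean isCaCertificate(X509Certificate cert) {
        return cert.getBasicConstraints() >= 0;
    }

    /**
     * Collects the CA certificates in {@code ks} whose subject equals
     * {@code issuer}.
     *
     * @throws CertificateException wrapping any {@link KeyStoreException}
     */
    private List<X509Certificate> candidateIssuersFromKeyStore(X500Principal issuer,
            KeyStore ks) throws CertificateException {
        List<X509Certificate> candidates = new ArrayList<X509Certificate>();
        try {
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                X509Certificate cert = certificateForAlias(ks, aliases.nextElement());
                if (cert != null && isCaCertificate(cert)
                        && cert.getSubjectX500Principal().equals(issuer)) {
                    candidates.add(cert);
                }
            }
        } catch (KeyStoreException e) {
            throw new CertificateException(e);
        }
        return candidates;
    }

    /**
     * Finds the root CA in {@code keyStore} that issued {@code cert}.
     *
     * <p>Candidates are the CA certificates whose subject matches the
     * certificate's issuer; each candidate is loaded into a fresh native
     * manager and the first one under which {@code cert} verifies is returned.
     *
     * @param cert     certificate whose issuer is sought
     * @param keyStore KeyStore to search
     * @return the matching root CA, or {@code null} when no candidate matches
     *         by name or none of them verifies the certificate
     * @throws CertificateException if an argument is null, the issuer cannot
     *         be read, the KeyStore cannot be read, or a native call fails
     */
    private X509Certificate findRootCAFromKeyStoreForCert(X509Certificate cert,
            KeyStore keyStore) throws CertificateException {

        if (cert == null || keyStore == null) {
            throw new CertificateException("Certificate or KeyStore is null");
        }
        X500Principal issuer = cert.getIssuerX500Principal();
        if (issuer == null) {
            throw new CertificateException("Unable to get expected issuer");
        }
        log("Searching KeyStore for root CA matching: " + issuer.getName());

        List<X509Certificate> candidates = candidateIssuersFromKeyStore(issuer, keyStore);
        if (candidates.isEmpty()) {
            log("No root CA found in KeyStore to validate certificate");
            return null;
        }
        log("Found " + candidates.size() + " possible root CAs, testing");

        /* Encoded once; it is the same for every candidate. */
        byte[] targetDer = cert.getEncoded();
        X509Certificate match = null;
        WolfSSLCertManager cm = null;
        try {
            cm = new WolfSSLCertManager();
            for (int idx = 0; idx < candidates.size() && match == null; idx++) {
                X509Certificate candidate = candidates.get(idx);
                byte[] caDer = candidate.getEncoded();
                if (cm.CertManagerLoadCABuffer(caDer, caDer.length, CERT_FORMAT)
                        != NATIVE_SUCCESS) {
                    throw new CertificateException(
                            "Failed to load root CA DER into wolfSSL cert manager");
                }
                if (cm.CertManagerVerifyBuffer(targetDer, targetDer.length, CERT_FORMAT)
                        == NATIVE_SUCCESS) {
                    log("Found valid root: "
                            + candidate.getSubjectX500Principal().getName());
                    match = candidate;
                } else {
                    log("Potential root " + idx + " did not verify cert");
                }
                /* Each candidate is tested in isolation: drop it before the
                 * next one is loaded, even after a successful match. */
                if (cm.CertManagerUnloadCAs() != NATIVE_SUCCESS) {
                    log("Error unloading root CAs from WolfSSLCertManager");
                    throw new CertificateException(
                            "Failed to unload root CA from WolfSSLCertManager");
                }
            }
        } catch (WolfSSLException e) {
            throw new CertificateException(
                    "Failed to create native WolfSSLCertManager", e);
        } finally {
            if (cm != null) {
                cm.free();
            }
        }
        return match;
    }

    /**
     * Orders a peer chain leaf-first by issuer/subject links.
     *
     * <p>Starting from index 0 (the peer), the certificate whose subject equals
     * the current certificate's issuer is moved into the next slot, and so on
     * until no issuer is found in the remaining certificates. Certificates
     * that never link into the path are left, unordered, after the path.
     *
     * @param chain peer chain; not modified, a copy is sorted
     * @return a sorted copy of the chain, same length as the input
     * @throws CertificateException if {@code chain} is null
     */
    private X509Certificate[] sortCertChainBySubjectIssuer(X509Certificate[] chain)
            throws CertificateException {

        if (chain == null) {
            throw new CertificateException("Input cert chain null");
        }
        if (chain.length == 1) {
            return chain.clone();
        }

        X509Certificate[] sorted = chain.clone();
        log("sorting peer chain (" + sorted.length + " certs):");
        for (int i = 0; i < sorted.length; i++) {
            log("\t[" + i + "]: subject: "
                    + sorted[i].getSubjectX500Principal().getName());
        }

        /* last = index of the most recently placed certificate on the path. */
        int last = 0;
        while (last + 1 < sorted.length) {
            int slot = last + 1;
            X500Principal wantedSubject = sorted[last].getIssuerX500Principal();
            int found = -1;
            for (int k = slot; k < sorted.length; k++) {
                if (wantedSubject.equals(sorted[k].getSubjectX500Principal())) {
                    found = k;
                    break;
                }
            }
            if (found < 0) {
                /* Issuer not present in the chain: path ends here. */
                break;
            }
            if (found != slot) {
                X509Certificate tmp = sorted[slot];
                sorted[slot] = sorted[found];
                sorted[found] = tmp;
            }
            last = slot;
        }

        int pathLength = last + 1;
        log("sorted peer chain (" + pathLength + " certs):");
        for (int i = 0; i < pathLength; i++) {
            log("\t[" + i + "]: subject: "
                    + sorted[i].getSubjectX500Principal().getName());
        }
        if (sorted.length > pathLength) {
            log((sorted.length - pathLength)
                    + " cert(s) not linked into chain path, left at end of array");
        }
        return sorted;
    }

    /**
     * Verifies a client chain against the trusted KeyStore.
     *
     * @throws CertificateException if the chain does not verify
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        log("entered checkClientTrusted()");
        certManagerVerify(chain, authType, false);
    }

    /**
     * Verifies a server chain and returns it with the root CA from the
     * KeyStore appended.
     *
     * @param chain    peer chain, leaf first
     * @param authType authentication type; only checked to be non-empty
     * @param host     not used by this implementation; hostname verification
     *                 must be done by the caller
     * @return the sorted, verified chain with its root CA appended
     * @throws CertificateException if the chain does not verify or no root CA
     *         for it exists in the KeyStore
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain,
            String authType, String host) throws CertificateException {
        log("entered checkServerTrusted()");
        return certManagerVerify(chain, authType, true);
    }

    /**
     * Verifies a server chain against the trusted KeyStore.
     *
     * @throws CertificateException if the chain does not verify
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        log("entered checkServerTrusted()");
        certManagerVerify(chain, authType, false);
    }

    /* Drops the KeyStore reference on finalization (kept for compatibility
     * with the original class; finalize() itself is deprecated in the JDK). */
    @Override
    protected void finalize() throws Throwable {
        this.store = null;
        super.finalize();
    }

    /**
     * Returns the CA certificates held in the KeyStore (key entries
     * contribute the first certificate of their chain).
     *
     * @return the accepted issuers; empty when the KeyStore cannot be read
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        log("entered getAcceptedIssuers()");
        List<X509Certificate> issuers = new ArrayList<X509Certificate>();
        try {
            Enumeration<String> aliases = this.store.aliases();
            while (aliases.hasMoreElements()) {
                X509Certificate cert = certificateForAlias(this.store, aliases.nextElement());
                if (cert != null && isCaCertificate(cert)) {
                    issuers.add(cert);
                }
            }
        } catch (KeyStoreException e) {
            /* Best effort, as before: report and hand back an empty set. */
            log("KeyStore error while collecting accepted issuers: " + e);
            return new X509Certificate[0];
        }
        return issuers.toArray(new X509Certificate[issuers.size()]);
    }
}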
