package com.lookout.network.pinning;

import android.util.Base64;
import com.lookout.network.pinning.CertPinningException;
import java.security.MessageDigest;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x500.X500NameStyle;
import org.spongycastle.asn1.x500.style.BCStyle;
import org.spongycastle.asn1.x509.SubjectPublicKeyInfo;
import org.spongycastle.cert.jcajce.JcaX509CertificateHolder;

/* loaded from: classes.dex */
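/**
 * {@link X509TrustManager} that adds root-certificate pinning in front of a delegate trust manager.
 *
 * <p>A pin is the Base64 SHA-256 digest of a root certificate's encoded SubjectPublicKeyInfo. At
 * construction the delegate's accepted issuers are scanned for roots whose digest appears in the
 * pin list. At handshake time a server chain is accepted only if some certificate in it names one
 * of those roots as its issuer and the delegate also accepts the chain.
 *
 * <p>This is decompiler output: member names are obfuscated, and checked-exception {@code throws}
 * clauses are absent from most signatures (for example the SHA-256 helper in {@link RootCert}).
 */
public class PinnedTrustManager implements X509TrustManager {
    /** Delegate that performs ordinary chain validation and supplies the accepted issuers. */
    private final X509TrustManager a;
    /** Roots from the delegate's accepted issuers whose SPKI digest matched a configured pin. */
    private final List<RootCert> b;
    /** Name style used for distinguished-name equality. */
    private final X500NameStyle c = BCStyle.INSTANCE;
    private final Logger d = LoggerFactory.a(PinnedTrustManager.class);

    /* loaded from: classes.dex */
    /** Thrown by {@link #checkServerTrusted} when the chain is missing or matches no pinned root. */
    public class PinnedCertificateException extends CertificateException {
        public PinnedCertificateException(String str) {
            super(str);
        }
    }

    /* loaded from: classes.dex */
    /** A trusted root reduced to what pinning needs: subject name, public-key info and SPKI pin. */
    public class RootCert {
        /** Public-key info of the certificate; the pin is computed over its encoded form. */
        private final SubjectPublicKeyInfo a;
        /** Subject distinguished name of the certificate. */
        private final X500Name b;
        /** Base64 (no line wrapping) SHA-256 digest of the encoded public-key info. */
        private final String c;
        /** The certificate this entry was built from. */
        private final X509Certificate d;
        private final Logger e = LoggerFactory.a(PinnedTrustManager.class);
        private final X500NameStyle f = BCStyle.INSTANCE;

        /**
         * Extracts subject, public-key info and pin digest from {@code x509Certificate}.
         *
         * @param x509Certificate certificate to wrap
         */
        public RootCert(X509Certificate x509Certificate) {
            JcaX509CertificateHolder holder = new JcaX509CertificateHolder(x509Certificate);
            this.d = x509Certificate;
            this.a = holder.getSubjectPublicKeyInfo();
            this.b = holder.getSubject();
            this.c = a(this.a.getEncoded());
        }

        /** Returns the Base64 (NO_WRAP) encoding of the SHA-256 digest of {@code bArr}. */
        private String a(byte[] bArr) {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(bArr);
            // Base64.NO_WRAP has the value 2 that the decompiler printed as a bare literal.
            return Base64.encodeToString(sha256.digest(), Base64.NO_WRAP);
        }

        /** Returns this root's pin (Base64 SHA-256 of its encoded SubjectPublicKeyInfo). */
        public String a() {
            return this.c;
        }

        /**
         * Reports whether {@code x509Certificate} names this root as its issuer.
         *
         * <p>Only the issuer distinguished name is compared; no signature is verified here.
         *
         * @return {@code true} on a name match, {@code false} on mismatch or if the certificate
         *     cannot be encoded
         */
        public boolean a(X509Certificate x509Certificate) {
            try {
                return a(new JcaX509CertificateHolder(x509Certificate).getIssuer());
            } catch (CertificateEncodingException e) {
                this.e.d("Unable to get certificate encoding", (Throwable) e);
                return false;
            }
        }

        /** Reports whether {@code x500Name} equals this root's subject under the BC name style. */
        boolean a(X500Name x500Name) {
            return this.f.areEqual(this.b, x500Name);
        }

        /** Returns this root's subject distinguished name. */
        public X500Name b() {
            return this.b;
        }
    }

    /**
     * Resolves the pins against the delegate's accepted issuers and checks for name collisions.
     *
     * <p>With an empty pin array no root is pinned and every server chain is later rejected.
     *
     * @param x509TrustManager delegate used for issuer lookup and chain validation
     * @param strArr pins, each the Base64 SHA-256 digest of a root's encoded SubjectPublicKeyInfo
     */
    public PinnedTrustManager(X509TrustManager x509TrustManager, String[] strArr) {
        this.a = x509TrustManager;
        this.b = a(Arrays.asList(strArr));
        a();
    }

    /**
     * Collects the delegate's accepted issuers whose pin digest is listed in {@code list}.
     *
     * <p>Every exception raised inside, including the two thrown deliberately, leaves this method
     * wrapped in a {@code CertPinningException} by the outer catch.
     *
     * @param list configured pins
     * @return the matching roots
     */
    private List<RootCert> a(List<String> list) {
        List<RootCert> matchedRoots = new ArrayList<>();
        HashSet<String> matchedPins = new HashSet<>();
        try {
            X509Certificate[] acceptedIssuers = this.a.getAcceptedIssuers();
            if (acceptedIssuers == null) {
                throw new CertPinningException("System trust manager returned null for getAcceptedIssuers");
            }
            for (X509Certificate x509Certificate : acceptedIssuers) {
                RootCert rootCert;
                try {
                    rootCert = new RootCert(x509Certificate);
                } catch (Exception e) {
                    // An issuer that cannot be parsed is skipped, not treated as fatal.
                    this.d.d("Unable to cast X509Certificate to RootCert", (Throwable) e);
                    rootCert = null;
                }
                if (rootCert != null && list.contains(rootCert.a())) {
                    matchedRoots.add(rootCert);
                    matchedPins.add(rootCert.a());
                    this.d.b("Pinning root cert: " + rootCert.b().toString());
                }
                // Stop scanning once every distinct pin has been seen at least once.
                if (matchedPins.size() == list.size()) {
                    break;
                }
            }
            if (matchedRoots.size() < list.size()) {
                throw new CertPinningException.TrustStoreException("Unable to find all trusted certs");
            }
            return matchedRoots;
        } catch (Exception e2) {
            throw new CertPinningException("Exception in getAcceptedIssuers", e2);
        }
    }

    /**
     * Rejects a trust store in which an accepted issuer shares a pinned root's subject name but
     * has a different public-key digest.
     *
     * <p>{@link #checkServerTrusted} matches pinned roots by distinguished name only, so such an
     * issuer would satisfy the pin test without holding the pinned key. The decompiled original
     * threw the collision exception inside a {@code try} whose {@code catch (Exception)} logged
     * and discarded it, so a collision never failed construction; here only the parsing of the
     * issuer is guarded and the collision propagates.
     *
     * <p>NOTE(review): how {@code TrustStoreException} relates to {@code CertPinningException}
     * is not visible in this file; confirm callers of the constructor handle it. Issuers that
     * cannot be parsed are still skipped and therefore not checked for collisions.
     */
    private void a() {
        for (X509Certificate x509Certificate : this.a.getAcceptedIssuers()) {
            RootCert candidate;
            try {
                candidate = new RootCert(x509Certificate);
            } catch (Exception e) {
                this.d.d("Unable to create RootCert from X509Certificate", (Throwable) e);
                continue;
            }
            for (RootCert pinnedRoot : this.b) {
                boolean sameSubject = this.c.areEqual(candidate.b(), pinnedRoot.b());
                if (sameSubject && !candidate.a().equals(pinnedRoot.a())) {
                    throw new CertPinningException.TrustStoreException("Root cert DN collision: " + x509Certificate.getSubjectDN().toString());
                }
            }
        }
    }

    /** Delegates client validation unchanged; no pinning is applied to client chains. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.a.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Accepts a server chain only if it passes the pin test and then the delegate's validation.
     *
     * <p>The pin test walks the chain from its last element to its first and passes when any
     * element's issuer name equals the subject name of a pinned root.
     *
     * <p>NOTE(review): the pin test is a distinguished-name comparison over the presented chain
     * and is not tied to the certification path the delegate validates afterwards, so the
     * delegate may accept a path that ends at a trust anchor other than a pinned one. A stricter
     * implementation compares the pinned SPKI digests against the validated path; on Android that
     * path is returned by {@code android.net.http.X509TrustManagerExtensions#checkServerTrusted}.
     *
     * @throws PinnedCertificateException if the chain is null or empty, or no element names a
     *     pinned root as its issuer
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            this.d.e("checkServerTrusted called with no cert chain");
            throw new PinnedCertificateException("No certificate chain provided");
        }
        boolean issuedByPinnedRoot = false;
        for (int i = x509CertificateArr.length - 1; i >= 0; i--) {
            X509Certificate x509Certificate = x509CertificateArr[i];
            for (RootCert pinnedRoot : this.b) {
                if (pinnedRoot.a(x509Certificate)) {
                    issuedByPinnedRoot = true;
                    break;
                }
            }
        }
        if (!issuedByPinnedRoot) {
            throw new PinnedCertificateException("Unable to verify cert against pinned root certs");
        }
        // Signature, validity and path checks are left entirely to the delegate.
        this.a.checkServerTrusted(x509CertificateArr, str);
    }

    /** Returns the delegate's accepted issuers, not only the pinned roots. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.a.getAcceptedIssuers();
    }
}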
