package org.minidns.dane;

import di.b;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Logger;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import li.h;
import li.u;
import li.x;
import org.minidns.dane.DaneCertificateException;

/* loaded from: classes3.dex */
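/**
 * DANE verifier: checks a TLS peer certificate against TLSA records fetched through a
 * DNSSEC-aware client.
 *
 * <p>All identifiers in this class are decompiler-assigned. The descriptions below are derived
 * from the visible code and its log messages; statements about helper types that are not shown
 * here ({@code li.x}, {@code zh.a}, {@code di.b}, {@code org.minidns.dnssec.a}) are marked as
 * assumptions.
 *
 * <p>Security contract of the boolean results: {@code true} means a DNSSEC-signed TLSA record
 * with usage {@code domainIssuedCertificate} matched the leaf certificate. {@code false} only
 * means DANE gave no positive assurance (no signed answer, no usable record, or a record usage
 * that still needs PKIX). It is neither a success nor a definite failure, so callers must keep
 * ordinary PKIX validation in place for the {@code false} case.
 */
public class a {

    /* renamed from: b, reason: collision with root package name */
    /** Logger for skipped TLSA records and unsigned DNS answers. */
    public static final Logger f32576b = Logger.getLogger(a.class.getName());

    /* renamed from: a, reason: collision with root package name */
    /** Client used for the TLSA lookup in {@link #g(X509Certificate[], String, int)}. */
    public final org.minidns.dnssec.a f32577a;

    /* renamed from: org.minidns.dane.a$a, reason: collision with other inner class name */
    /* loaded from: classes3.dex */
    /**
     * Compiler-generated switch maps: each array maps an enum ordinal to a small case number
     * (0 = constant not handled by the switch). Kept as-is so the lookups in
     * {@link a#a(X509Certificate, x, String)} stay unchanged.
     */
    public static /* synthetic */ class C0378a {

        /* renamed from: a, reason: collision with root package name */
        /** Certificate usage: 1 = serviceCertificateConstraint, 2 = domainIssuedCertificate,
         *  3 = caConstraint, 4 = trustAnchorAssertion. */
        public static final /* synthetic */ int[] f32578a;

        /* renamed from: b, reason: collision with root package name */
        /** Selector: 1 = fullCertificate, 2 = subjectPublicKeyInfo. */
        public static final /* synthetic */ int[] f32579b;

        /* renamed from: c, reason: collision with root package name */
        /** Matching type: 1 = noHash, 2 = sha256, 3 = sha512. */
        public static final /* synthetic */ int[] f32580c;

        static {
            // The empty NoSuchFieldError handlers are the standard javac pattern for switch
            // maps: a constant missing at run time simply keeps case number 0.
            int[] iArr = new int[x.b.values().length];
            f32580c = iArr;
            try {
                iArr[x.b.noHash.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f32580c[x.b.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                f32580c[x.b.sha512.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            int[] iArr2 = new int[x.c.values().length];
            f32579b = iArr2;
            try {
                iArr2[x.c.fullCertificate.ordinal()] = 1;
            } catch (NoSuchFieldError unused4) {
            }
            try {
                f32579b[x.c.subjectPublicKeyInfo.ordinal()] = 2;
            } catch (NoSuchFieldError unused5) {
            }
            int[] iArr3 = new int[x.a.values().length];
            f32578a = iArr3;
            try {
                iArr3[x.a.serviceCertificateConstraint.ordinal()] = 1;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                f32578a[x.a.domainIssuedCertificate.ordinal()] = 2;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                f32578a[x.a.caConstraint.ordinal()] = 3;
            } catch (NoSuchFieldError unused8) {
            }
            try {
                f32578a[x.a.trustAnchorAssertion.ordinal()] = 4;
            } catch (NoSuchFieldError unused9) {
            }
        }
    }

    /** Creates a verifier backed by a default-constructed {@code org.minidns.dnssec.a} client. */
    public a() {
        this(new org.minidns.dnssec.a());
    }

    /**
     * Creates a verifier that performs its TLSA lookups through the given client.
     *
     * @param aVar client stored in {@link #f32577a}; not null-checked here
     */
    public a(org.minidns.dnssec.a aVar) {
        this.f32577a = aVar;
    }

    /**
     * Checks one certificate against one TLSA record.
     *
     * <p>Only the usages {@code serviceCertificateConstraint} and {@code domainIssuedCertificate}
     * are evaluated; {@code caConstraint}, {@code trustAnchorAssertion} and unknown usage,
     * selector or matching-type bytes are logged and skipped with {@code false}. A skipped record
     * therefore never rejects a certificate on its own.
     *
     * @param x509Certificate certificate to check (callers in this class pass the chain's first entry)
     * @param xVar            TLSA record to match against
     * @param str             host name, used only in log messages
     * @return {@code true} only if the record matches and its usage is
     *         {@code domainIssuedCertificate}; {@code false} if the record was skipped or if a
     *         {@code serviceCertificateConstraint} record matched (PKIX is still required then)
     * @throws DaneCertificateException.CertificateMismatch if a supported record does not match
     * @throws CertificateException if encoding the certificate fails or the digest algorithm is unavailable
     */
    public static boolean a(X509Certificate x509Certificate, x xVar, String str) throws CertificateException {
        byte[] encoded;
        x.a aVar = xVar.f29330e;
        if (aVar == null) {
            // The enum is null when the raw usage byte has no known constant.
            f32576b.warning("TLSA certificate usage byte " + ((int) xVar.f29329d) + " is not supported while verifying " + str);
            return false;
        }
        int i10 = C0378a.f32578a[aVar.ordinal()];
        if (i10 != 1 && i10 != 2) {
            // caConstraint / trustAnchorAssertion would need the issuer chain, which is not examined here.
            f32576b.warning("TLSA certificate usage " + xVar.f29330e + " (" + ((int) xVar.f29329d) + ") not supported while verifying " + str);
            return false;
        }
        x.c cVar = xVar.f29332g;
        if (cVar == null) {
            f32576b.warning("TLSA selector byte " + ((int) xVar.f29331f) + " is not supported while verifying " + str);
            return false;
        }
        // Selector: which bytes of the certificate are compared.
        int i11 = C0378a.f32579b[cVar.ordinal()];
        if (i11 == 1) {
            // fullCertificate: the whole encoded certificate.
            encoded = x509Certificate.getEncoded();
        } else {
            if (i11 != 2) {
                f32576b.warning("TLSA selector " + xVar.f29332g + " (" + ((int) xVar.f29331f) + ") not supported while verifying " + str);
                return false;
            }
            // subjectPublicKeyInfo: only the encoded public key.
            encoded = x509Certificate.getPublicKey().getEncoded();
        }
        x.b bVar = xVar.f29334i;
        if (bVar == null) {
            f32576b.warning("TLSA matching type byte " + ((int) xVar.f29333h) + " is not supported while verifying " + str);
            return false;
        }
        // Matching type: compare the selected bytes directly (noHash) or their digest.
        int i12 = C0378a.f32580c[bVar.ordinal()];
        if (i12 != 1) {
            if (i12 == 2) {
                try {
                    encoded = MessageDigest.getInstance("SHA-256").digest(encoded);
                } catch (NoSuchAlgorithmException e10) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e10);
                }
            } else {
                if (i12 != 3) {
                    f32576b.warning("TLSA matching type " + xVar.f29334i + " not supported while verifying " + str);
                    return false;
                }
                try {
                    encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                } catch (NoSuchAlgorithmException e11) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e11);
                }
            }
        }
        // NOTE(review): k(...) presumably compares against the record's certificate association
        // data; confirm against li.x.
        if (xVar.k(encoded)) {
            // A matching serviceCertificateConstraint record yields false on purpose: that usage
            // constrains the certificate but does not replace PKIX validation.
            return xVar.f29330e == x.a.domainIssuedCertificate;
        }
        throw new DaneCertificateException.CertificateMismatch(xVar, encoded);
    }

    /**
     * Copies the X.509 entries of a certificate array into a new array, keeping their order.
     *
     * @param certificateArr certificates as returned by the TLS layer
     * @return the {@link X509Certificate} entries only; empty if there are none
     */
    public static X509Certificate[] b(Certificate[] certificateArr) {
        ArrayList<X509Certificate> x509Only = new ArrayList<X509Certificate>();
        for (Certificate certificate : certificateArr) {
            if (certificate instanceof X509Certificate) {
                x509Only.add((X509Certificate) certificate);
            }
        }
        return x509Only.toArray(new X509Certificate[0]);
    }

    /**
     * Same as {@link #d(HttpsURLConnection, X509TrustManager)} with a {@code null} trust manager.
     * How {@code zh.a} treats {@code null} is not visible in this file.
     */
    public HttpsURLConnection c(HttpsURLConnection httpsURLConnection) throws IOException, CertificateException {
        return d(httpsURLConnection, null);
    }

    /**
     * Connects the given connection and verifies its server certificate with DANE, falling back
     * to the result recorded by the wrapped trust manager.
     *
     * <p>The connection's socket factory is replaced by one whose only trust manager is a
     * {@code zh.a} wrapping {@code x509TrustManager}. The PKIX outcome is consulted only after
     * the handshake, which suggests the wrapper records a failure instead of aborting; confirm
     * against {@code zh.a}. The connection is then accepted if DANE fully verified the
     * certificate, or if DANE was inconclusive and the wrapper reports no recorded failure.
     *
     * <p>The DANE check runs after {@code connect()}, so on any exception the connection is
     * already open and must be discarded by the caller.
     *
     * @param httpsURLConnection connection to configure and connect
     * @param x509TrustManager   trust manager handed to the wrapper; may be {@code null}
     * @return the same connection, connected and verified
     * @throws IOException          if connecting fails, or DANE was inconclusive and PKIX failed
     * @throws CertificateException if a TLSA record contradicts the certificate
     * @throws RuntimeException     if the TLS context cannot be created or initialised, or the
     *                              TLSA lookup fails with an I/O error
     */
    public HttpsURLConnection d(HttpsURLConnection httpsURLConnection, X509TrustManager x509TrustManager) throws IOException, CertificateException {
        try {
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            zh.a aVar = new zh.a(x509TrustManager);
            sSLContext.init(null, new TrustManager[]{aVar}, null);
            httpsURLConnection.setSSLSocketFactory(sSLContext.getSocketFactory());
            httpsURLConnection.connect();
            X509Certificate[] chain = b(httpsURLConnection.getServerCertificates());
            java.net.URL url = httpsURLConnection.getURL();
            String host = url.getHost();
            // A URL without an explicit port reports a negative value; use the scheme default.
            int port = url.getPort() < 0 ? url.getDefaultPort() : url.getPort();
            // NOTE(review): b() presumably reports a recorded PKIX failure and a() returns it; confirm.
            if (!g(chain, host, port) && aVar.b()) {
                throw new IOException("Peer verification failed using PKIX", aVar.a());
            }
            return httpsURLConnection;
        } catch (KeyManagementException | NoSuchAlgorithmException e10) {
            throw new RuntimeException(e10);
        }
    }

    /**
     * Verifies the peer of an established TLS session with DANE.
     *
     * @param sSLSession session whose peer certificates, host and port are used
     * @return see {@link #g(X509Certificate[], String, int)}
     * @throws CertificateException if the peer is unverified or a TLSA record contradicts the certificate
     */
    public boolean e(SSLSession sSLSession) throws CertificateException {
        try {
            return g(b(sSLSession.getPeerCertificates()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e10) {
            throw new CertificateException("Peer not verified", e10);
        }
    }

    /**
     * Verifies the peer of a connected TLS socket with DANE.
     *
     * @param sSLSocket connected socket
     * @return see {@link #g(X509Certificate[], String, int)}
     * @throws IllegalStateException if the socket is not connected
     * @throws CertificateException  if verification fails, see {@link #e(SSLSession)}
     */
    public boolean f(SSLSocket sSLSocket) throws CertificateException {
        if (sSLSocket.isConnected()) {
            return e(sSLSocket.getSession());
        }
        throw new IllegalStateException("Socket not yet connected.");
    }

    /**
     * Looks up the TLSA records for {@code _<port>._tcp.<host>} and checks the first certificate
     * of the chain against each of them.
     *
     * <p>An answer that is not reported as properly signed is never used: the reasons are logged
     * and {@code false} is returned, so an unsigned answer can neither accept nor reject a
     * certificate.
     *
     * @param x509CertificateArr peer chain; only element 0 is examined
     * @param str                host name the connection was made to
     * @param i10                TCP port the connection was made to
     * @return {@code true} if a record fully verified the certificate; {@code false} if DANE was
     *         inconclusive (the caller must still rely on PKIX)
     * @throws DaneCertificateException.MultipleCertificateMismatchExceptions if no record
     *         verified the certificate and at least one supported record contradicted it
     * @throws CertificateException if a TLSA record has to be evaluated but the chain is empty,
     *         or evaluating a record fails
     * @throws RuntimeException if the DNS lookup fails with an {@link IOException}; callers that
     *         handle only checked exceptions will not see DNS failures
     */
    public boolean g(X509Certificate[] x509CertificateArr, String str, int i10) throws CertificateException {
        org.minidns.dnsname.a e10 = org.minidns.dnsname.a.e("_" + i10 + "._tcp." + str);
        try {
            b U = this.f32577a.U(e10, u.c.TLSA);
            bi.a aVar = U.f22250b.f10077c;
            // NOTE(review): c() presumably reports whether the answer passed DNSSEC validation
            // and b() the reasons it did not; confirm against di.b.
            if (!U.c()) {
                StringBuilder reasons = new StringBuilder("Got TLSA response from DNS server, but was not signed properly. Reasons:");
                Iterator<org.minidns.dnssec.b> it = U.b().iterator();
                while (it.hasNext()) {
                    reasons.append(" ").append(it.next());
                }
                f32576b.info(reasons.toString());
                return false;
            }
            LinkedList<DaneCertificateException.CertificateMismatch> mismatches = new LinkedList<DaneCertificateException.CertificateMismatch>();
            boolean z10 = false;
            for (u<? extends h> uVar : aVar.f9246l) {
                if (uVar.f29249b == u.c.TLSA && uVar.f29248a.equals(e10)) {
                    // Fail with a checked, descriptive error rather than an
                    // ArrayIndexOutOfBounds/NullPointerException when there is nothing to match.
                    // Checked only here so the "no TLSA record" path still returns false.
                    if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                        throw new CertificateException("No X.509 certificate available to match against TLSA records while verifying " + str);
                    }
                    try {
                        z10 |= a(x509CertificateArr[0], (x) uVar.f29253f, str);
                    } catch (DaneCertificateException.CertificateMismatch e11) {
                        // Collected, not thrown: a later record may still match.
                        mismatches.add(e11);
                    }
                    if (z10) {
                        break;
                    }
                }
            }
            if (z10 || mismatches.isEmpty()) {
                return z10;
            }
            throw new DaneCertificateException.MultipleCertificateMismatchExceptions(mismatches);
        } catch (IOException e12) {
            throw new RuntimeException(e12);
        }
    }
}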
