package com.keypr.api.sdk.cert;

import android.util.Log;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okio.ByteString;

/* loaded from: classes4.dex */
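/**
 * {@link X509TrustManager} that layers certificate pinning on top of the platform's
 * default chain validation.
 *
 * <p>A server chain is accepted only when (1) the default trust manager built from the
 * supplied {@link KeyStore} accepts it and (2) at least one certificate in the linked part
 * of the presented chain has a SHA-1 fingerprint (hex, over the DER encoding of the whole
 * certificate) listed in the configured pins.
 *
 * <p>NOTE(review): the pin is a SHA-1 digest of the full certificate rather than a SHA-256
 * digest of the SubjectPublicKeyInfo, so a certificate re-issued with the same key needs a
 * new pin. Changing the digest would invalidate every configured pin, so it is left as is
 * and flagged here for follow-up.
 *
 * <p>NOTE(review): pins are matched against the chain as sent by the peer, linked only by
 * issuer/subject name (no signature check at this layer), not against the path the default
 * trust manager actually validated. On Android,
 * {@code X509TrustManagerExtensions.checkServerTrusted} returns the validated chain;
 * matching pins against that result is the stricter design. Confirm before relying on this
 * class for high-assurance pinning.
 */
public class PinningTrustManager implements X509TrustManager {
    private static final String TAG = "PinningTrustManager";

    // Leaf public keys whose chain already passed the pin check. A cached key skips pin
    // matching on later handshakes, but default validation still runs every time.
    private final Set<PublicKey> cache = Collections.synchronizedSet(new HashSet<>());

    // Written by setDebug() and read on handshake threads, hence volatile.
    private volatile boolean debug;

    private final X509TrustManager defaultManager;

    // Hex-encoded SHA-1 fingerprints of the certificates considered legitimate.
    private final String[] legitimateCertPins;

    /**
     * Creates a pinning trust manager.
     *
     * @param list hex-encoded SHA-1 certificate fingerprints to accept; copied on construction
     * @param keyStore trust anchors for the default validation step; passed straight to
     *     {@link TrustManagerFactory#init(KeyStore)}
     * @throws AssertionError if the default trust manager algorithm or key store is unusable
     * @throws IllegalStateException if the platform offers no {@link X509TrustManager}
     */
    public PinningTrustManager(List<String> list, KeyStore keyStore) {
        this.legitimateCertPins = list.toArray(new String[0]);
        try {
            TrustManagerFactory factory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            this.defaultManager = firstX509TrustManager(factory.getTrustManagers());
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }

    /**
     * Picks the first X.509 trust manager instead of blindly casting element 0, which would
     * fail with a ClassCastException if the provider listed another manager type first.
     */
    private static X509TrustManager firstX509TrustManager(Object[] managers) {
        for (Object candidate : managers) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("No X509TrustManager available from default TrustManagerFactory");
    }

    /**
     * Orders the presented chain by issuer/subject name and looks for a pinned certificate
     * in the linked prefix.
     *
     * @param x509CertificateArr chain as presented by the server; never modified (a copy is
     *     made before any reordering)
     * @return the public key of the first certificate in the linked prefix that matches a pin
     * @throws CertificateException if no certificate in the linked prefix matches a pin
     */
    private PublicKey checkServerChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA1");
            X509Certificate[] ordered = x509CertificateArr;
            int linkedCount = 0;
            for (int current = 0; current < ordered.length; current++) {
                linkedCount++;
                int next = current + 1;
                int issuerIndex = -1;
                for (int candidate = next; candidate < ordered.length; candidate++) {
                    if (ordered[current].getIssuerDN().equals(ordered[candidate].getSubjectDN())) {
                        issuerIndex = candidate;
                        // Stop at the first match; without this the scan never terminates
                        // for a chain that is already in order.
                        break;
                    }
                }
                if (issuerIndex < 0) {
                    // No issuer for the current certificate among the remaining ones:
                    // everything past this point is unrelated to the leaf.
                    break;
                }
                if (issuerIndex != next) {
                    if (ordered == x509CertificateArr) {
                        // Copy-on-write so the caller's array is left untouched.
                        ordered = x509CertificateArr.clone();
                    }
                    X509Certificate issuer = ordered[issuerIndex];
                    ordered[issuerIndex] = ordered[next];
                    ordered[next] = issuer;
                }
            }

            boolean fullyLinked = linkedCount == ordered.length;
            if (!fullyLinked || this.debug) {
                logChain(ordered, linkedCount, fullyLinked);
            }

            // Only certificates linked to the leaf are eligible; extra certificates the
            // server appended are ignored for pin matching.
            for (int i = 0; i < linkedCount; i++) {
                if (isValidCert(ordered[i], sha1)) {
                    return ordered[i].getPublicKey();
                }
            }
            throw new CertificateException("No valid pins found in server certificate chain!");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("We need SHA1 to decode cert.", e);
        } catch (CertificateEncodingException e) {
            throw new IllegalStateException("Illegal certificate in the chain.", e);
        }
    }

    /**
     * Dumps the ordered chain to the log: verbose when the whole chain is linked, warning
     * when the server sent certificates unrelated to the leaf.
     */
    private void logChain(X509Certificate[] ordered, int linkedCount, boolean fullyLinked) {
        StringBuilder dump = new StringBuilder().append("------\nServer certs chain:\n");
        for (int i = 0; i < ordered.length; i++) {
            if (i == linkedCount) {
                dump.append("------\nUnrelated certs (should be empty):\n");
            }
            dump.append(i)
                    .append(": ")
                    .append(ordered[i].getSubjectDN())
                    .append(" - ")
                    .append(ordered[i].getSerialNumber())
                    .append('\n');
        }
        dump.append("------");
        if (fullyLinked) {
            Log.v(TAG, dump.toString());
        } else {
            Log.w(TAG, "Server supplies strange unrelated certs!\n" + dump);
        }
    }

    /**
     * Reports whether the certificate's fingerprint is one of the configured pins.
     *
     * <p>The comparison ignores letter case so that pins configured in upper-case hex still
     * match, and a {@code null} pin entry is skipped instead of raising a
     * NullPointerException during the handshake.
     *
     * @throws CertificateEncodingException if the certificate cannot be DER-encoded
     */
    private boolean isValidCert(X509Certificate x509Certificate, MessageDigest messageDigest) throws CertificateEncodingException {
        String fingerprint = ByteString.of(messageDigest.digest(x509Certificate.getEncoded())).hex();
        for (String pin : this.legitimateCertPins) {
            if (fingerprint.equalsIgnoreCase(pin)) {
                return true;
            }
        }
        return false;
    }

    /** Always rejects: this trust manager is for client-side use only. */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /**
     * Validates the server chain with the default trust manager, then enforces the pins.
     *
     * <p>Default validation runs on every call. The pin check is skipped when the leaf's
     * public key already passed it earlier; call {@link #clearCache()} to force a re-check.
     *
     * @throws CertificateException if default validation fails or no pinned certificate is
     *     found in the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.defaultManager.checkServerTrusted(x509CertificateArr, str);
        PublicKey leafKey = x509CertificateArr[0].getPublicKey();
        if (this.cache.contains(leafKey)) {
            return;
        }
        checkServerChain(x509CertificateArr);
        // Only reached when checkServerChain() did not throw, i.e. a pin matched.
        this.cache.add(leafKey);
    }

    /** Forgets all leaf keys that previously passed the pin check. */
    public void clearCache() {
        this.cache.clear();
    }

    /** Returns the issuers accepted by the default trust manager. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.defaultManager.getAcceptedIssuers();
    }

    /** Enables or disables verbose logging of every presented chain. */
    public void setDebug(boolean z2) {
        this.debug = z2;
    }
}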
