package com.commonsware.cwac.netsecurity.config;

import com.commonsware.cwac.netsecurity.conscrypt.TrustManagerImpl;
import com.commonsware.cwac.netsecurity.luni.X509ExtendedTrustManager;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.SSLEngine;

/* loaded from: classes20.dex */
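/**
 * Trust manager that validates certificate chains through a {@link TrustManagerImpl}
 * delegate and then applies the certificate pins of one {@link NetworkSecurityConfig}.
 *
 * <p>Server chains are first validated by the delegate; the resulting trusted chain is then
 * checked against the configured pin set. Client chains are only passed to the delegate and
 * are never pin-checked.
 *
 * <p>Pinning is skipped, leaving only the delegate's chain validation in force, when any of
 * the following holds (see {@link #checkPins(List)}):
 * <ul>
 *   <li>the configured pin set is empty;</li>
 *   <li>the pin set's expiration time has passed according to the device wall clock;</li>
 *   <li>the trust anchor that terminates the chain has {@code overridesPins} set.</li>
 * </ul>
 */
public class NetworkSecurityTrustManager extends X509ExtendedTrustManager {
    private final TrustManagerImpl mDelegate;
    // Cached result for getAcceptedIssuers(); read and written only while holding mIssuersLock.
    private X509Certificate[] mIssuers;
    private final Object mIssuersLock = new Object();
    private final NetworkSecurityConfig mNetworkSecurityConfig;

    /**
     * Creates a trust manager bound to the given configuration.
     *
     * @param networkSecurityConfig configuration supplying trust anchors and pins; must not be
     *     {@code null}
     * @throws NullPointerException if {@code networkSecurityConfig} is {@code null}
     * @throws RuntimeException wrapping any {@link IOException} or
     *     {@link GeneralSecurityException} raised while setting up the delegate
     */
    public NetworkSecurityTrustManager(NetworkSecurityConfig networkSecurityConfig) {
        Objects.requireNonNull(networkSecurityConfig, "config must not be null");
        this.mNetworkSecurityConfig = networkSecurityConfig;
        try {
            TrustedCertificateStoreAdapter certStore =
                    new TrustedCertificateStoreAdapter(networkSecurityConfig);
            // The key store handed to the delegate is initialised empty (load(null)); the
            // adapter built from the configuration is passed alongside it.
            KeyStore emptyKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            emptyKeyStore.load(null);
            this.mDelegate = new TrustManagerImpl(emptyKeyStore, null, certStore);
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Verifies that at least one certificate in the chain matches a configured pin.
     *
     * <p>Returns without checking when the pin set is empty, when the pin set has expired, or
     * when {@link #isPinningEnforced(List)} reports that pins are overridden. The expiry test
     * compares against {@link System#currentTimeMillis()}, so an expired pin set (or a device
     * clock set past the expiration time) means connections are accepted on chain validation
     * alone.
     *
     * @param chain chain to check, walked from the last element to the first
     * @throws CertificateException if pinning is enforced and no certificate matches a pin, or
     *     if the chain does not end in a known trust anchor
     */
    private void checkPins(List<X509Certificate> chain) throws CertificateException {
        PinSet pinSet = this.mNetworkSecurityConfig.getPins();
        if (pinSet.pins.isEmpty()
                || System.currentTimeMillis() > pinSet.expirationTime
                || !isPinningEnforced(chain)) {
            return;
        }
        Set<String> pinAlgorithms = pinSet.getPinAlgorithms();
        // One MessageDigest per algorithm, created lazily and reused across certificates.
        HashMap<String, MessageDigest> digests = new HashMap<>(pinAlgorithms.size());
        for (int i = chain.size() - 1; i >= 0; i--) {
            // Pins are computed over the encoded public key, not the whole certificate.
            byte[] encodedKey = chain.get(i).getPublicKey().getEncoded();
            for (String algorithm : pinAlgorithms) {
                MessageDigest digest = digests.get(algorithm);
                if (digest == null) {
                    try {
                        digest = MessageDigest.getInstance(algorithm);
                    } catch (GeneralSecurityException e) {
                        // An unavailable digest algorithm aborts the check with an exception
                        // instead of being treated as "no match" or skipped.
                        throw new RuntimeException(e);
                    }
                    digests.put(algorithm, digest);
                }
                // NOTE(review): relies on Pin implementing equals/hashCode over the algorithm
                // and digest bytes - confirm against the Pin class.
                if (pinSet.pins.contains(new Pin(algorithm, digest.digest(encodedKey)))) {
                    return;
                }
            }
        }
        throw new CertificateException("Pin verification failed");
    }

    /**
     * Reports whether pins must be enforced for the given trusted chain.
     *
     * <p>The last certificate of the chain is looked up among the configuration's trust
     * anchors; pinning is enforced unless that anchor has {@code overridesPins} set.
     *
     * @param chain chain whose last element is looked up as the trust anchor
     * @return {@code false} for an empty chain or an anchor that overrides pins, otherwise
     *     {@code true}
     * @throws CertificateException if the last certificate is not a configured trust anchor
     */
    private boolean isPinningEnforced(List<X509Certificate> chain) throws CertificateException {
        if (chain.isEmpty()) {
            return false;
        }
        // Keep the lookup result in a named local: the listing previously dereferenced an
        // undeclared name here, which does not compile.
        TrustAnchor chainAnchor =
                this.mNetworkSecurityConfig.findTrustAnchorBySubjectAndPublicKey(
                        chain.get(chain.size() - 1));
        if (chainAnchor == null) {
            throw new CertificateException("Trusted chain does not end in a TrustAnchor");
        }
        return !chainAnchor.overridesPins;
    }

    /** Delegates client chain validation to the underlying trust manager; no pins are checked. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.mDelegate.checkClientTrusted(x509CertificateArr, str);
    }

    /** Delegates client chain validation to the underlying trust manager; no pins are checked. */
    @Override // com.commonsware.cwac.netsecurity.luni.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        this.mDelegate.checkClientTrusted(x509CertificateArr, str, socket);
    }

    /** Delegates client chain validation to the underlying trust manager; no pins are checked. */
    @Override // com.commonsware.cwac.netsecurity.luni.X509ExtendedTrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        this.mDelegate.checkClientTrusted(x509CertificateArr, str, sSLEngine);
    }

    /**
     * Validates a server chain through the delegate, applies pin checks, and returns the
     * chain the delegate produced.
     *
     * @param x509CertificateArr chain presented by the peer
     * @param str second argument passed through to the delegate (the authentication type in
     *     the {@code X509TrustManager} overloads)
     * @param str2 third argument passed through to the delegate; presumably the peer host
     *     name - confirm against {@code TrustManagerImpl}
     * @return the chain returned by the delegate, after it has passed the pin check
     * @throws CertificateException if the delegate rejects the chain or pin verification fails
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] x509CertificateArr, String str, String str2) throws CertificateException {
        List<X509Certificate> trustedChain =
                this.mDelegate.checkServerTrusted(x509CertificateArr, str, str2);
        checkPins(trustedChain);
        return trustedChain;
    }

    /**
     * Validates a server chain and applies pin checks, passing {@code null} as the third
     * argument of the three-string overload.
     *
     * <p>NOTE(review): if that argument is the host name, callers of this overload get chain
     * and pin validation without any host-specific input; how the delegate treats a
     * {@code null} value is not visible in this class.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // The cast selects the (X509Certificate[], String, String) overload; a bare null
        // would be ambiguous with the Socket and SSLEngine overloads.
        checkServerTrusted(x509CertificateArr, str, (String) null);
    }

    /** Obtains the trusted chain for the socket from the delegate, then applies pin checks. */
    @Override // com.commonsware.cwac.netsecurity.luni.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        checkPins(this.mDelegate.getTrustedChainForServer(x509CertificateArr, str, socket));
    }

    /** Obtains the trusted chain for the engine from the delegate, then applies pin checks. */
    @Override // com.commonsware.cwac.netsecurity.luni.X509ExtendedTrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        checkPins(this.mDelegate.getTrustedChainForServer(x509CertificateArr, str, sSLEngine));
    }

    /**
     * Returns the certificates of the configuration's trust anchors.
     *
     * <p>The array is built once and cached until {@link #handleTrustStorageUpdate()} clears
     * it; every call returns a fresh copy, so callers cannot modify the cached array.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        synchronized (this.mIssuersLock) {
            if (this.mIssuers == null) {
                Set<TrustAnchor> trustAnchors = this.mNetworkSecurityConfig.getTrustAnchors();
                X509Certificate[] issuers = new X509Certificate[trustAnchors.size()];
                int next = 0;
                for (TrustAnchor anchor : trustAnchors) {
                    issuers[next++] = anchor.certificate;
                }
                this.mIssuers = issuers;
            }
            return this.mIssuers.clone();
        }
    }

    /**
     * Drops the cached accepted-issuers array and forwards the update notification to the
     * delegate, both while holding the issuers lock.
     */
    public void handleTrustStorageUpdate() {
        synchronized (this.mIssuersLock) {
            this.mIssuers = null;
            this.mDelegate.handleTrustStorageUpdate();
        }
    }
}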
