package org.minidns.dane;

import com.adjust.sdk.Constants;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.minidns.dane.DaneCertificateException;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsname.DnsName;
import org.minidns.dnssec.DnssecClient;
import org.minidns.dnssec.DnssecQueryResult;
import org.minidns.dnssec.DnssecUnverifiedReason;
import org.minidns.record.Data;
import org.minidns.record.Record;
import org.minidns.record.TLSA;

/* loaded from: classes7.dex */
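/**
 * Checks a TLS peer's end-entity certificate against the TLSA records published for
 * {@code _<port>._tcp.<host>} (DANE).
 *
 * <p>This is decompiled output: field and method names such as {@code f79933a}, {@code a},
 * {@code b}, {@code c} and {@code d} are obfuscated and are kept so existing callers still link.
 *
 * <p>Security-relevant contract, as implemented below:
 * <ul>
 *   <li>{@code true} is returned only when a TLSA record with usage
 *       {@code domainIssuedCertificate} matches the first certificate of the chain.</li>
 *   <li>{@code false} means "DANE did not vouch for this certificate": the DNSSEC result was not
 *       reported as verified, there was no TLSA record, the record used an unsupported
 *       usage/selector/matching type, or a {@code serviceCertificateConstraint} record matched.
 *       It is not a rejection and not an acceptance; callers must still run their normal
 *       certificate path validation before trusting the peer.</li>
 *   <li>A mismatch against every usable record is reported by exception, never by
 *       {@code false}.</li>
 * </ul>
 */
public class DaneVerifier {

    /* renamed from: b, reason: collision with root package name */
    /** Class logger; receives the reasons for every "not verified" outcome. */
    private static final Logger f79932b = Logger.getLogger(DaneVerifier.class.getName());

    /* renamed from: a, reason: collision with root package name */
    /** Client used to fetch the TLSA record set together with its DNSSEC verification result. */
    private final DnssecClient f79933a;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.minidns.dane.DaneVerifier$1, reason: invalid class name */
    /* loaded from: classes7.dex */
    /**
     * Compiler-generated lookup tables for {@code switch} statements over the TLSA enums.
     *
     * <p>Each array is indexed by {@code ordinal()} and holds a small case number; 0 (the array
     * default) means "no case", which the callers below treat as unsupported.
     */
    public static /* synthetic */ class AnonymousClass1 {

        /* renamed from: a, reason: collision with root package name */
        /** Case numbers for {@code TLSA.CertUsage}. */
        static final /* synthetic */ int[] f79934a;

        /* renamed from: b, reason: collision with root package name */
        /** Case numbers for {@code TLSA.Selector}. */
        static final /* synthetic */ int[] f79935b;

        /* renamed from: c, reason: collision with root package name */
        /** Case numbers for {@code TLSA.MatchingType}. */
        static final /* synthetic */ int[] f79936c;

        static {
            // The empty NoSuchFieldError handlers are part of the compiler's switch-map pattern:
            // a constant missing at run time simply keeps case number 0.
            int[] iArr = new int[TLSA.MatchingType.values().length];
            f79936c = iArr;
            try {
                iArr[TLSA.MatchingType.noHash.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f79936c[TLSA.MatchingType.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                f79936c[TLSA.MatchingType.sha512.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            int[] iArr2 = new int[TLSA.Selector.values().length];
            f79935b = iArr2;
            try {
                iArr2[TLSA.Selector.fullCertificate.ordinal()] = 1;
            } catch (NoSuchFieldError unused4) {
            }
            try {
                f79935b[TLSA.Selector.subjectPublicKeyInfo.ordinal()] = 2;
            } catch (NoSuchFieldError unused5) {
            }
            int[] iArr3 = new int[TLSA.CertUsage.values().length];
            f79934a = iArr3;
            try {
                iArr3[TLSA.CertUsage.serviceCertificateConstraint.ordinal()] = 1;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                f79934a[TLSA.CertUsage.domainIssuedCertificate.ordinal()] = 2;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                f79934a[TLSA.CertUsage.caConstraint.ordinal()] = 3;
            } catch (NoSuchFieldError unused8) {
            }
            try {
                f79934a[TLSA.CertUsage.trustAnchorAssertion.ordinal()] = 4;
            } catch (NoSuchFieldError unused9) {
            }
        }
    }

    /** Creates a verifier backed by a default-constructed {@link DnssecClient}. */
    public DaneVerifier() {
        this(new DnssecClient());
    }

    /**
     * Creates a verifier that resolves TLSA records through the given client.
     *
     * @param dnssecClient client used for every TLSA lookup
     */
    public DaneVerifier(DnssecClient dnssecClient) {
        this.f79933a = dnssecClient;
    }

    /**
     * Checks one certificate against one TLSA record.
     *
     * @param x509Certificate certificate to check (the caller passes the first chain element)
     * @param tlsa TLSA record to check against
     * @param str host name, used only in log messages
     * @return {@code true} only if the record matches and its usage is
     *     {@code domainIssuedCertificate}; {@code false} if the record matches with usage
     *     {@code serviceCertificateConstraint}, or if its usage, selector or matching type is
     *     not handled here
     * @throws DaneCertificateException.CertificateMismatch if the record is usable but the
     *     certificate data does not match it
     * @throws CertificateException if the certificate cannot be encoded or a digest algorithm
     *     is unavailable
     */
    private static boolean a(X509Certificate x509Certificate, TLSA tlsa, String str) throws CertificateException {
        byte[] encoded;
        TLSA.CertUsage certUsage = tlsa.f80318d;
        if (certUsage == null) {
            f79932b.warning("TLSA certificate usage byte " + ((int) tlsa.f80317c) + " is not supported while verifying " + str);
            return false;
        }
        // Only the two end-entity usages (cases 1 and 2) are handled; caConstraint and
        // trustAnchorAssertion records are skipped, so they neither accept nor reject the peer.
        int i2 = AnonymousClass1.f79934a[certUsage.ordinal()];
        if (i2 != 1 && i2 != 2) {
            f79932b.warning("TLSA certificate usage " + tlsa.f80318d + " (" + ((int) tlsa.f80317c) + ") not supported while verifying " + str);
            return false;
        }
        TLSA.Selector selector = tlsa.f80320s;
        if (selector == null) {
            f79932b.warning("TLSA selector byte " + ((int) tlsa.f80319r) + " is not supported while verifying " + str);
            return false;
        }
        // The selector chooses what is compared: the whole DER certificate (case 1) or only the
        // encoded public key (case 2).
        int i3 = AnonymousClass1.f79935b[selector.ordinal()];
        if (i3 == 1) {
            encoded = x509Certificate.getEncoded();
        } else {
            if (i3 != 2) {
                f79932b.warning("TLSA selector " + tlsa.f80320s + " (" + ((int) tlsa.f80319r) + ") not supported while verifying " + str);
                return false;
            }
            encoded = x509Certificate.getPublicKey().getEncoded();
        }
        TLSA.MatchingType matchingType = tlsa.f80322u;
        if (matchingType == null) {
            f79932b.warning("TLSA matching type byte " + ((int) tlsa.f80321t) + " is not supported while verifying " + str);
            return false;
        }
        // Case 1 (noHash) compares the selected bytes as they are; cases 2 and 3 hash them first.
        int i4 = AnonymousClass1.f79936c[matchingType.ordinal()];
        if (i4 != 1) {
            if (i4 == 2) {
                try {
                    // The algorithm name is spelled out here. The decompiled code read it from
                    // com.adjust.sdk.Constants.SHA256, which looks like a decompiler constant
                    // substitution; a certificate check should not take its digest name from an
                    // unrelated SDK. The error message below names SHA-256.
                    encoded = MessageDigest.getInstance("SHA-256").digest(encoded);
                } catch (NoSuchAlgorithmException e2) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e2);
                }
            } else {
                if (i4 != 3) {
                    f79932b.warning("TLSA matching type " + tlsa.f80322u + " not supported while verifying " + str);
                    return false;
                }
                try {
                    encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                } catch (NoSuchAlgorithmException e3) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e3);
                }
            }
        }
        // tlsa.l(...) presumably compares against the record's certificate association data;
        // confirm against the TLSA class.
        if (tlsa.l(encoded)) {
            // A matching serviceCertificateConstraint record deliberately yields false: under
            // RFC 6698 that usage also requires PKIX path validation, which is not done here.
            return tlsa.f80318d == TLSA.CertUsage.domainIssuedCertificate;
        }
        throw new DaneCertificateException.CertificateMismatch(tlsa, encoded);
    }

    /**
     * Keeps only the X.509 certificates of a chain, preserving their order.
     *
     * <p>NOTE(review): dropping a leading non-X.509 entry would move an issuer certificate to
     * index 0, which {@link #d} treats as the end-entity certificate. TLS peers normally send
     * X.509 only, so this is presumably unreachable; confirm against the callers.
     *
     * @param certificateArr chain as returned by the TLS session
     * @return the X.509 certificates, possibly an empty array
     */
    private static X509Certificate[] b(Certificate[] certificateArr) {
        ArrayList<X509Certificate> arrayList = new ArrayList<>(certificateArr.length);
        for (Certificate certificate : certificateArr) {
            if (certificate instanceof X509Certificate) {
                arrayList.add((X509Certificate) certificate);
            }
        }
        return arrayList.toArray(new X509Certificate[0]);
    }

    /**
     * Verifies the peer of an established TLS session.
     *
     * <p>The host and port used to build the TLSA name come from the session itself.
     * {@link SSLSession#getPeerHost()} is documented as unauthenticated, so callers that know the
     * name they intended to connect to should prefer {@link #d} with that name.
     *
     * @param sSLSession established session to verify
     * @return see {@link #d}
     * @throws CertificateException if the peer presented no verified certificates, or as for
     *     {@link #d}
     */
    public boolean c(SSLSession sSLSession) throws CertificateException {
        try {
            return d(b(sSLSession.getPeerCertificates()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e2) {
            throw new CertificateException("Peer not verified", e2);
        }
    }

    /**
     * Verifies a certificate chain against the TLSA records of {@code _<port>._tcp.<host>}.
     *
     * <p>Only the first chain element is checked. The lookup name always uses {@code _tcp}.
     *
     * @param x509CertificateArr peer chain, end-entity certificate first
     * @param str host name the TLSA records are published for
     * @param i2 port the TLSA records are published for
     * @return {@code true} if a {@code domainIssuedCertificate} record matched; {@code false} if
     *     DANE could not vouch for the certificate (DNSSEC result not verified, no usable record,
     *     or only a {@code serviceCertificateConstraint} match). A {@code false} result must not
     *     be read as "certificate accepted".
     * @throws DaneCertificateException.MultipleCertificateMismatchExceptions if no record
     *     verified the certificate and at least one usable record did not match
     * @throws CertificateException if a TLSA record has to be checked but the chain is empty, or
     *     as thrown while matching a record
     * @throws RuntimeException wrapping an {@link IOException} from the DNS lookup
     */
    public boolean d(X509Certificate[] x509CertificateArr, String str, int i2) throws CertificateException {
        DnsName c2 = DnsName.c("_" + i2 + "._tcp." + str);
        try {
            DnssecQueryResult v2 = this.f79933a.v(c2, Record.TYPE.TLSA);
            DnsMessage dnsMessage = v2.f80056b.f80035c;
            // v2.b() presumably reports whether the answer was DNSSEC-authenticated (the log text
            // says "not signed properly"). Unauthenticated TLSA data is never used for matching:
            // anyone able to spoof DNS could otherwise pin a certificate of their choosing.
            if (!v2.b()) {
                StringBuilder sb = new StringBuilder("Got TLSA response from DNS server, but was not signed properly. Reasons:");
                Iterator<DnssecUnverifiedReason> it = v2.a().iterator();
                while (it.hasNext()) {
                    sb.append(" ").append(it.next());
                }
                f79932b.info(sb.toString());
                return false;
            }
            LinkedList<DaneCertificateException.CertificateMismatch> linkedList = new LinkedList<>();
            boolean z2 = false;
            for (Record<? extends Data> record : dnsMessage.f79957l) {
                if (record.f80255b == Record.TYPE.TLSA && record.f80254a.equals(c2)) {
                    // Fail with a declared exception instead of an index error when the caller
                    // supplied no certificate to compare against the record.
                    if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                        throw new CertificateException("No X.509 certificate available to verify against TLSA records of " + str);
                    }
                    try {
                        z2 |= a(x509CertificateArr[0], (TLSA) record.f80259f, str);
                    } catch (DaneCertificateException.CertificateMismatch e2) {
                        // Collected rather than rethrown: a later record may still match.
                        linkedList.add(e2);
                    }
                    if (z2) {
                        break;
                    }
                }
            }
            if (z2 || linkedList.isEmpty()) {
                return z2;
            }
            throw new DaneCertificateException.MultipleCertificateMismatchExceptions(linkedList);
        } catch (IOException e3) {
            throw new RuntimeException(e3);
        }
    }
}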
