package com.netki.tlsa;

import com.google.common.io.BaseEncoding;
import com.netki.dns.DNSBootstrapService;
import com.netki.dns.DNSUtil;
import com.netki.dnssec.DNSSECResolver;
import com.netki.exceptions.DNSSECException;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.xbill.DNS.Name;
import org.xbill.DNS.TLSARecord;
import org.xbill.DNS.TextParseException;

/* loaded from: classes.dex */
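/**
 * Validates a TLS server's presented certificate chain against the DANE TLSA
 * record (RFC 6698) published at {@code _<port>._tcp.<host>}.
 *
 * <p>Flow of {@link #validateTLSA(URL)}: resolve the TLSA record through the
 * {@link DNSSECResolver}, fetch the peer chain with {@link #getUrlCerts(URL)},
 * locate the chain member the record describes with
 * {@link #getMatchingCert(TLSARecord, List)}, then apply the certificate-usage
 * rules. Trust is established only by the combination of these steps:
 * {@link #getUrlCerts(URL)} deliberately accepts any peer certificate so that the
 * chain can be inspected, and its result must never be used as a trust decision
 * on its own.
 */
public class TLSAValidator {
    /** DNS resource record type code for TLSA (RFC 6698). */
    private static final int TLSA_RR_TYPE = 52;
    /** DNS class IN, as passed to the {@link TLSARecord} constructor. */
    private static final int DCLASS_IN = 1;

    private final CACertService caCertService;
    private final CertChainValidator chainValidator;
    private final DNSSECResolver dnssecResolver;

    /**
     * Builds a validator with the default resolver, CA certificate store and
     * chain validator.
     *
     * @throws ExceptionInInitializerError when any collaborator cannot be created;
     *     the underlying exception is available as the cause
     */
    public TLSAValidator() {
        try {
            this.dnssecResolver = new DNSSECResolver(new DNSBootstrapService());
            this.caCertService = CACertService.getInstance();
            this.chainValidator = new CertChainValidator();
        } catch (Exception e) {
            // Keep the error type callers may already catch, but carry the cause rather
            // than discarding it (the String constructor disallows initCause()).
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Builds a validator from explicit collaborators (also the injection point for tests).
     *
     * @param dNSSECResolver resolver used for the TLSA lookup
     * @param cACertService source of the CA trust store
     * @param certChainValidator chain validator applied to the matched certificate
     */
    public TLSAValidator(DNSSECResolver dNSSECResolver, CACertService cACertService, CertChainValidator certChainValidator) {
        this.dnssecResolver = dNSSECResolver;
        this.caCertService = cACertService;
        this.chainValidator = certChainValidator;
    }

    /**
     * Returns the first certificate in {@code certs} whose TLSA association data
     * equals that of {@code tlsaRecord}, or {@code null} when none matches.
     *
     * <p>Selector 0 covers the full DER certificate and selector 1 the
     * SubjectPublicKeyInfo; matching type 0 compares the raw bytes, 1 their
     * SHA-256 digest and 2 their SHA-512 digest. A certificate with an unknown
     * selector or matching type, or whose encoding fails, is skipped (the error is
     * printed to stderr) rather than being compared as empty data, so a record with
     * empty association data can no longer match every certificate.
     *
     * <p>Reconstructed from the bytecode listing left behind by the decompiler; the
     * original source body was not recoverable.
     *
     * @param tlsaRecord record whose selector, matching type and association data are used
     * @param certs candidate certificates, normally the peer chain leaf first
     * @return the first matching certificate, or {@code null}
     */
    public Certificate getMatchingCert(TLSARecord tlsaRecord, List<Certificate> certs) {
        if (tlsaRecord == null || certs == null) {
            return null;
        }
        byte[] expected = tlsaRecord.getCertificateAssociationData();
        int selector = tlsaRecord.getSelector();
        int matchingType = tlsaRecord.getMatchingType();
        for (Certificate cert : certs) {
            byte[] actual;
            try {
                actual = associationData(cert, selector, matchingType);
            } catch (GeneralSecurityException e) {
                // Same reporting style as the rest of the class; the certificate is skipped.
                e.printStackTrace();
                continue;
            }
            if (actual != null && Arrays.equals(actual, expected)) {
                return cert;
            }
        }
        return null;
    }

    /**
     * Computes the TLSA association data of {@code cert} for the given selector and
     * matching type.
     *
     * @return the data to compare with the record, or {@code null} for an unknown
     *     selector or matching type
     * @throws GeneralSecurityException when the certificate cannot be encoded or the
     *     digest algorithm is unavailable
     */
    static byte[] associationData(Certificate cert, int selector, int matchingType)
            throws GeneralSecurityException {
        byte[] selected;
        switch (selector) {
            case 0:
                selected = cert.getEncoded();
                break;
            case 1:
                selected = cert.getPublicKey().getEncoded();
                break;
            default:
                return null;
        }
        return digestForMatchingType(selected, matchingType);
    }

    /**
     * Applies the TLSA matching type to already-selected bytes.
     *
     * @return {@code data} itself for type 0, its SHA-256 for type 1, its SHA-512
     *     for type 2, {@code null} otherwise
     * @throws GeneralSecurityException when the digest algorithm is unavailable
     */
    static byte[] digestForMatchingType(byte[] data, int matchingType) throws GeneralSecurityException {
        switch (matchingType) {
            case 0:
                return data;
            case 1:
                return MessageDigest.getInstance("SHA-256").digest(data);
            case 2:
                return MessageDigest.getInstance("SHA-512").digest(data);
            default:
                return null;
        }
    }

    /**
     * Looks up the TLSA record for the host and port of {@code url}.
     *
     * <p>The owner name is {@code _<port>._tcp.<host>.} and the query type is
     * {@link #TLSA_RR_TYPE}. The resolver is expected to return the presentation
     * form {@code "<usage> <selector> <matching-type> <hex-data>"}; a resolver
     * failure, an empty answer or a field that does not parse yields {@code null}
     * instead of an unchecked exception.
     *
     * @param url service whose record is wanted; the URL's default port is used when
     *     none is given
     * @return the record, or {@code null} when none could be obtained
     */
    public TLSARecord getTLSARecord(URL url) {
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        String ownerName = String.format("_%s._tcp.%s", port, DNSUtil.ensureDot(url.getHost()));
        String rdata;
        try {
            rdata = this.dnssecResolver.resolve(ownerName, TLSA_RR_TYPE);
        } catch (DNSSECException e) {
            return null;
        }
        if (rdata == null || rdata.isEmpty()) {
            return null;
        }
        String[] fields = rdata.split(" ");
        if (fields.length != 4) {
            return null;
        }
        try {
            // base16() expects upper-case digits; hex is case-insensitive, so normalise.
            byte[] associationData = BaseEncoding.base16().decode(fields[3].toUpperCase(Locale.ROOT));
            return new TLSARecord(new Name(ownerName), DCLASS_IN, 0L,
                    Integer.parseInt(fields[0]), Integer.parseInt(fields[1]), Integer.parseInt(fields[2]),
                    associationData);
        } catch (TextParseException e) {
            return null;
        } catch (IllegalArgumentException e) {
            // NumberFormatException from parseInt, a malformed hex field, or a
            // field value rejected by the TLSARecord constructor.
            return null;
        }
    }

    /**
     * Connects to the host and port of {@code url} over TLS and returns the peer
     * certificate chain as presented, leaf first.
     *
     * <p>The handshake uses a trust manager that accepts every chain and performs
     * no hostname verification: this method only collects the chain, and the trust
     * decision is made afterwards by {@link #validateTLSA(URL)} against the TLSA
     * record. A non-empty result is therefore not a trusted chain.
     *
     * @param url service to connect to; the URL's default port is used when none is given
     * @return the peer chain, or an empty list when the connection or handshake fails
     *     (the failure is printed to stderr)
     */
    public List<Certificate> getUrlCerts(URL url) {
        X509TrustManager acceptAll = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
                // Intentionally empty: chain retrieval only, see the method documentation.
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                // Intentionally empty: chain retrieval only, see the method documentation.
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The X509TrustManager contract requires a non-null (possibly empty) array.
                return new X509Certificate[0];
            }
        };
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        SSLSocket socket = null;
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[]{acceptAll}, null);
            socket = (SSLSocket) context.getSocketFactory().createSocket(url.getHost(), port);
            socket.startHandshake();
            return new ArrayList<Certificate>(Arrays.asList(socket.getSession().getPeerCertificates()));
        } catch (GeneralSecurityException e) {
            e.printStackTrace();
            return new ArrayList<Certificate>();
        } catch (IOException e) {
            e.printStackTrace();
            return new ArrayList<Certificate>();
        } finally {
            if (socket != null) {
                try {
                    socket.close();
                } catch (IOException ignored) {
                    // Nothing useful is left to do once the chain has been read.
                }
            }
        }
    }

    /**
     * Checks whether {@code certificate} chains to the CA store, using the other
     * members of {@code chain} as intermediates.
     *
     * <p>Every other chain certificate is added to the keystore returned by
     * {@link CACertService#getCaCertKeystore()} as a certificate entry aliased by
     * its subject DN before {@link CertChainValidator#validateKeyChain} runs.
     * NOTE(review): whether those entries act as mere intermediates or as trust
     * anchors depends on validateKeyChain, which is not visible here; if they count
     * as anchors, a peer-supplied certificate could anchor its own chain. Also
     * confirm that getCaCertKeystore() returns a fresh copy rather than a shared
     * instance, otherwise peer certificates accumulate across calls.
     *
     * @param certificate the chain member to validate
     * @param chain the peer chain it belongs to
     * @return {@code true} when the validator accepts the chain; {@code false} on any
     *     failure, which is printed to stderr
     */
    public boolean isValidCertChain(Certificate certificate, List<Certificate> chain) {
        try {
            KeyStore caCertKeystore = this.caCertService.getCaCertKeystore();
            for (Certificate other : chain) {
                // Identity comparison is intentional: the candidate is an element of chain.
                if (other != certificate) {
                    // Aliased by subject DN; a second certificate with the same subject
                    // replaces the first.
                    String alias = ((X509Certificate) other).getSubjectDN().toString();
                    caCertKeystore.setCertificateEntry(alias, other);
                }
            }
            return this.chainValidator.validateKeyChain((X509Certificate) certificate, caCertKeystore);
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Applies the TLSA certificate-usage rules (RFC 6698 section 2.1.1) to the
     * chain presented by the service at {@code url}.
     *
     * <ul>
     *   <li>0 (PKIX-TA): the record must match a chain certificate other than the
     *       leaf and the chain must validate against the CA store.</li>
     *   <li>1 (PKIX-EE): the record must match the leaf and the chain must validate.</li>
     *   <li>2 (DANE-TA): the record must match the last chain certificate and the
     *       chain must validate with the chain's own members in the keystore; success
     *       is reported by throwing {@link ValidSelfSignedCertException}.</li>
     *   <li>3 (DANE-EE): the record must match the leaf; success is reported by
     *       throwing {@link ValidSelfSignedCertException}.</li>
     * </ul>
     *
     * @param url service to validate
     * @return {@code true} for a successful usage 0 or 1 validation; {@code false} when
     *     there is no record, no chain, no matching certificate, or a check fails
     * @throws ValidSelfSignedCertException for a successful usage 2 or 3 validation,
     *     carrying the matched certificate
     */
    public boolean validateTLSA(URL url) throws ValidSelfSignedCertException {
        TLSARecord record = getTLSARecord(url);
        if (record == null) {
            return false;
        }
        List<Certificate> chain = getUrlCerts(url);
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        Certificate matchingCert = getMatchingCert(record, chain);
        if (matchingCert == null) {
            return false;
        }
        // Identity comparisons are intentional: matchingCert is an element of chain.
        Certificate leaf = chain.get(0);
        Certificate last = chain.get(chain.size() - 1);
        switch (record.getCertificateUsage()) {
            case 0:
                return matchingCert != leaf && isValidCertChain(matchingCert, chain);
            case 1:
                return matchingCert == leaf && isValidCertChain(matchingCert, chain);
            case 2:
                if (matchingCert == last && isValidCertChain(leaf, chain)) {
                    throw new ValidSelfSignedCertException(matchingCert);
                }
                return false;
            case 3:
                // DANE-EE describes the end-entity certificate only (mirrors usage 1);
                // previously any matching chain member was accepted here.
                if (matchingCert == leaf) {
                    throw new ValidSelfSignedCertException(matchingCert);
                }
                return false;
            default:
                return false;
        }
    }
}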
