package info.guardianproject.onionkit.trust;

import android.app.Notification;
import android.app.NotificationManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import ch.boye.httpclientandroidlib.cookie.ClientCookie;
import info.guardianproject.bouncycastle.asn1.ASN1InputStream;
import info.guardianproject.bouncycastle.asn1.ASN1Object;
import info.guardianproject.bouncycastle.asn1.ASN1OctetString;
import info.guardianproject.bouncycastle.asn1.ASN1String;
import info.guardianproject.bouncycastle.asn1.DEREncodable;
import info.guardianproject.bouncycastle.asn1.DERObject;
import info.guardianproject.bouncycastle.asn1.DEROctetString;
import info.guardianproject.bouncycastle.asn1.DERSequence;
import info.guardianproject.bouncycastle.asn1.DERString;
import info.guardianproject.bouncycastle.asn1.x509.BasicConstraints;
import info.guardianproject.bouncycastle.asn1.x509.GeneralName;
import info.guardianproject.bouncycastle.asn1.x509.KeyUsage;
import info.guardianproject.bouncycastle.asn1.x509.X509Extensions;
import info.guardianproject.onionkit.R;
import info.guardianproject.onionkit.ui.CertDisplayActivity;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes.dex */
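/**
 * X509TrustManager that validates server certificate chains against a CA store bundled with
 * the application ({@code R.raw.cacerts}, BKS format) and can raise a status-bar notification
 * describing the certificate when a check fails.
 *
 * <p>This listing is decompiler output. The helper checks below are intact, but the body of
 * {@link #checkServerTrusted} was not recovered, so how the boolean policy fields are consumed
 * cannot be confirmed from this file.
 *
 * <p>Policy defaults set by the constructor: expiry check on, chain verification on, root
 * verification on, self-signed certificates rejected, domain matching on, weak-crypto check on,
 * notify on failure only.
 */
public class StrongTrustManager implements X509TrustManager {
    private static final String TAG = "ONIONKIT";
    // Well-known default store password, also returned by getTrustStorePassword(). It offers no
    // secrecy; any integrity protection of the bundled CA store has to come from the APK itself.
    private static final String TRUSTSTORE_PASSWORD = "changeit";
    private static final String TRUSTSTORE_TYPE = "BKS";
    private int DEFAULT_NOTIFY_ID;
    private int mAppIcon;
    private String mAppName;
    boolean mCheckChainCrypto;
    boolean mCheckMatchingDomain;
    private Context mContext;
    private String mDomain;
    boolean mExpiredCheck;
    boolean mNotifyVerificationFail;
    boolean mNotifyVerificationSuccess;
    boolean mSelfSignedAllowed;
    private String mServer;
    private KeyStore mTrustStore;
    boolean mVerifyChain;
    boolean mVerifyRoot;
    // NOTE(review): public, mutable and enabled by default, so issuer/subject names and check
    // results are written to logcat unless the host application switches this off.
    public static boolean SHOW_DEBUG_OUTPUT = true;
    // NOTE(review): unanchored; find() takes the first "cn=" anywhere in the DN string, which
    // may sit inside another attribute's value rather than at the start of an RDN.
    private static final Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");

    /**
     * Creates a trust manager with the strict default policy and loads the bundled CA store.
     *
     * @param context Android context used for resources, notifications and the application name
     * @throws KeyStoreException if the BKS key store type is unavailable
     * @throws NoSuchAlgorithmException if the store integrity algorithm is unavailable
     * @throws CertificateException if a certificate in the store cannot be loaded
     * @throws IOException if the store resource cannot be read or the password is wrong
     */
    public StrongTrustManager(Context context) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        this.DEFAULT_NOTIFY_ID = 10;
        this.mAppIcon = R.drawable.ic_menu_key;
        this.mAppName = null;
        this.mExpiredCheck = true;
        this.mVerifyChain = true;
        this.mVerifyRoot = true;
        this.mSelfSignedAllowed = false;
        this.mCheckMatchingDomain = true;
        this.mCheckChainCrypto = true;
        this.mNotifyVerificationSuccess = false;
        this.mNotifyVerificationFail = true;
        this.mContext = context;
        this.mTrustStore = KeyStore.getInstance(TRUSTSTORE_TYPE);
        // The raw-resource stream was previously never closed; release it once the store is loaded.
        java.io.InputStream storeStream = this.mContext.getResources().openRawResource(R.raw.cacerts);
        try {
            this.mTrustStore.load(storeStream, TRUSTSTORE_PASSWORD.toCharArray());
        } finally {
            try {
                storeStream.close();
            } catch (IOException ignored) {
                // Best-effort close; a failure here must not mask an error from load().
            }
        }
        this.mAppName = this.mContext.getApplicationInfo().name;
    }

    /**
     * Creates a trust manager as {@link #StrongTrustManager(Context)} does, then overrides the
     * notification title prefix and icon.
     *
     * @param context Android context
     * @param str application name shown in notifications
     * @param i drawable resource id used as the notification icon
     */
    public StrongTrustManager(Context context, String str, int i) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        this(context);
        this.mAppIcon = i;
        this.mAppName = str;
    }

    /**
     * Requires that a certificate acting as an issuer carries Basic Constraints with CA = true.
     *
     * @param x509Certificate issuer certificate to inspect
     * @throws GeneralSecurityException if the extension is absent, unreadable, or CA is false
     */
    private void checkBasicConstraints(X509Certificate x509Certificate) throws GeneralSecurityException {
        // getBasicConstraints() returns -1 when the certificate is not marked as a CA.
        if (x509Certificate.getBasicConstraints() == -1) {
            throw new GeneralSecurityException("Basic Constraints CA not set for issuer in chain");
        }
        try {
            Object parsed = getExtensionValue(x509Certificate, X509Extensions.BasicConstraints.getId(), BasicConstraints.class);
            if (!(parsed instanceof BasicConstraints)) {
                throw new GeneralSecurityException("Basic Constraints CA = true not set for issuer in chain");
            }
            BasicConstraints constraints = (BasicConstraints) parsed;
            debug("Basic Constraints=CA:" + constraints.isCA());
            // NOTE(review): pathLen is only logged here; it is not enforced by this method.
            if (constraints.getPathLenConstraint() != null) {
                debug("Basic Constraints: pathLen=" + constraints.getPathLenConstraint().intValue());
            }
            if (!constraints.isCA()) {
                throw new GeneralSecurityException("Basic Constraints CA = true not set for issuer in chain");
            }
        } catch (IOException e) {
            // Keep the parse failure as the cause so it is not lost to the caller.
            throw new GeneralSecurityException("Basic Constraints CA = error reading extension", e);
        }
    }

    /**
     * Checks the Key Usage extension of an issuer certificate, when present.
     *
     * <p>A certificate without the extension is accepted. When the extension is present, the
     * value must have bit value 2 or 4 set; in Bouncy Castle's {@code KeyUsage} these are
     * cRLSign (2) and keyCertSign (4).
     *
     * @param x509Certificate issuer certificate to inspect
     * @throws GeneralSecurityException if neither bit is set or the extension cannot be read
     */
    private void checkKeyUsage(X509Certificate x509Certificate) throws GeneralSecurityException {
        try {
            Object parsed = getExtensionValue(x509Certificate, X509Extensions.KeyUsage.getId(), KeyUsage.class);
            if (!(parsed instanceof KeyUsage)) {
                return;
            }
            KeyUsage keyUsage = (KeyUsage) parsed;
            debug("KeyUsage=" + keyUsage.intValue() + ";" + keyUsage.getString());
            int bits = keyUsage.intValue();
            // NOTE(review): cRLSign alone (2) passes this test although RFC 5280 requires
            // keyCertSign (4) for a key that signs certificates; consider requiring bit 4 only.
            boolean mayCrlSign = (bits & 2) == 2;
            boolean mayCertSign = (bits & 4) == 4;
            if (!mayCrlSign && !mayCertSign) {
                throw new GeneralSecurityException("KeyUsage = not set for signing");
            }
        } catch (IOException e) {
            // The original message was copied from the Basic Constraints check and named the
            // wrong extension; report the extension that actually failed and keep the cause.
            throw new GeneralSecurityException("KeyUsage = error reading extension", e);
        }
    }

    /**
     * Tests whether either supplied host name matches one of the certificate identities.
     *
     * <p>Identities beginning with {@code "*."} are wildcards: the first label of the host name
     * is stripped and the remainder compared, so the wildcard covers exactly one label. All
     * comparisons ignore case. Null host names and null identities never match.
     *
     * @param str first host name to test (presumably the configured domain; confirm at caller)
     * @param str2 second host name to test (presumably the configured server; confirm at caller)
     * @param collection identities taken from the certificate
     * @return {@code true} if any identity matches either host name
     */
    static boolean checkMatchingDomain(String str, String str2, Collection<String> collection) {
        if (collection == null) {
            return false;
        }
        // Strip the first label once per host instead of once per identity.
        String parentOfFirst = str == null ? null : str.replaceFirst("[^.]+", "");
        String parentOfSecond = str2 == null ? null : str2.replaceFirst("[^.]+", "");
        for (String identity : collection) {
            if (identity == null) {
                continue;
            }
            if (identity.startsWith("*.")) {
                // NOTE(review): nothing rejects a wildcard directly under a top-level suffix
                // (an identity of the form "*.tld"); add a minimum-label check if the CA set
                // is not fully trusted to refuse such names.
                String suffix = identity.substring(1);
                if (suffix.equalsIgnoreCase(parentOfSecond) || suffix.equalsIgnoreCase(parentOfFirst)) {
                    return true;
                }
            } else if (identity.equalsIgnoreCase(str2) || identity.equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Rejects certificates whose signature algorithm name contains "md5".
     *
     * <p>Only MD5 is matched; other legacy digests such as MD2 or SHA-1 pass this check.
     *
     * @param x509Certificate certificate to inspect
     * @throws CertificateException if the signature algorithm uses MD5
     */
    private void checkStrongCrypto(X509Certificate x509Certificate) throws CertificateException {
        // Fixed locale so the comparison and the message do not vary with the device language.
        String algorithm = x509Certificate.getSigAlgName().toLowerCase(java.util.Locale.US);
        if (!algorithm.contains("md5")) {
            return;
        }
        debug("cert uses weak crypto: " + algorithm);
        if (this.mNotifyVerificationFail) {
            showCertMessage(this.mContext.getString(R.string.warning_weak_crypto), x509Certificate.getIssuerDN().getName(), x509Certificate, null);
        }
        throw new CertificateException("issuer uses weak crypto: " + algorithm);
    }

    /**
     * Compares a subject name with an issuer name, requiring both the DER encoding and the
     * RFC 1779 string form to be equal.
     */
    private boolean checkSubjectMatchesIssuer(X500Principal x500Principal, X500Principal x500Principal2) {
        if (!Arrays.equals(x500Principal.getEncoded(), x500Principal2.getEncoded())) {
            return false;
        }
        return x500Principal.getName("RFC1779").equals(x500Principal2.getName("RFC1779"));
    }

    /** Writes a debug line to logcat when {@link #SHOW_DEBUG_OUTPUT} is set. */
    private void debug(String str) {
        if (SHOW_DEBUG_OUTPUT) {
            Log.d(TAG, str);
        }
    }

    /**
     * Looks up the certificate in {@code keyStore} whose subject equals the issuer of
     * {@code x509Certificate}.
     *
     * <p>The match is by name only; the caller still has to verify the signature with the
     * returned certificate's public key.
     *
     * @return the matching store certificate, or {@code null} if none is found
     * @throws CertificateException if the key store cannot be enumerated
     */
    private X509Certificate findCertIssuerInStore(X509Certificate x509Certificate, KeyStore keyStore) throws CertificateException {
        debug("searching store for issuer: " + x509Certificate.getIssuerDN());
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                java.security.cert.Certificate entry = keyStore.getCertificate(aliases.nextElement());
                // An alias may hold no certificate or a non-X.509 one; skip it instead of
                // failing the whole lookup with a NullPointerException or ClassCastException.
                if (!(entry instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate candidate = (X509Certificate) entry;
                if (checkSubjectMatchesIssuer(candidate.getSubjectX500Principal(), x509Certificate.getIssuerX500Principal())) {
                    debug("found issuer for current cert in chain in ROOT CA store: " + candidate.getSubjectDN());
                    return candidate;
                }
            }
            return null;
        } catch (KeyStoreException e) {
            String message = this.mContext.getString(R.string.error_problem_access_local_root_ca_store);
            debug(message);
            throw new CertificateException(message, e);
        }
    }

    /**
     * Reads and decodes one certificate extension.
     *
     * @param x509Certificate certificate to read from
     * @param str OID of the extension
     * @param obj expected type token: {@code BasicConstraints.class} or {@code KeyUsage.class};
     *     any other value yields the extension's string form when it is an ASN.1 string
     * @return a {@code BasicConstraints}, a {@code KeyUsage}, a {@code String}, or {@code null}
     *     when the extension is absent or not decodable as one of these
     * @throws IOException if the DER content cannot be parsed
     */
    private Object getExtensionValue(X509Certificate x509Certificate, String str, Object obj) throws IOException {
        byte[] raw = x509Certificate.getExtensionValue(str);
        if (raw == null) {
            return null;
        }
        // The extension value is an OCTET STRING wrapping the DER-encoded extension content.
        DERObject outer = toDERObject(raw);
        if (!(outer instanceof DEROctetString)) {
            return null;
        }
        byte[] content = ((DEROctetString) outer).getOctets();
        // Parsed before the type dispatch, as in the original, so malformed content is
        // rejected with an IOException on every path.
        DEREncodable inner = toDERObject(content);
        if (obj == BasicConstraints.class) {
            return BasicConstraints.getInstance(ASN1Object.fromByteArray(content));
        }
        if (obj == KeyUsage.class) {
            return KeyUsage.getInstance(ASN1Object.fromByteArray(content));
        }
        if (inner instanceof ASN1String) {
            return ((ASN1String) inner).getString();
        }
        return null;
    }

    /**
     * Returns the names a certificate identifies its subject by.
     *
     * <p>The DNS names from Subject Alternative Name are returned when there is at least one;
     * otherwise the result is a single-element list holding the text captured by
     * {@code cnPattern} from the subject DN, or the whole DN string if the pattern finds nothing.
     *
     * @param x509Certificate peer certificate
     * @return collection of identity strings, never {@code null}
     */
    public static Collection<String> getPeerIdentity(X509Certificate x509Certificate) {
        Collection<String> altNames = getSubjectAlternativeNames(x509Certificate);
        if (!altNames.isEmpty()) {
            return altNames;
        }
        // NOTE(review): this fallback is also taken when the SAN extension exists but holds no
        // DNS entry, or when parsing it failed; the CN is then trusted as the host identity.
        String identity = x509Certificate.getSubjectDN().getName();
        Matcher matcher = cnPattern.matcher(identity);
        if (matcher.find()) {
            identity = matcher.group(2);
        }
        ArrayList<String> result = new ArrayList<String>();
        result.add(identity);
        return result;
    }

    /**
     * Extracts the dNSName entries from the Subject Alternative Name extension.
     *
     * @param x509Certificate certificate to read
     * @return an empty list when the extension is absent, an unmodifiable collection of DNS
     *     names on success, or the (possibly partial, mutable) list collected so far when
     *     parsing throws
     */
    static Collection<String> getSubjectAlternativeNames(X509Certificate x509Certificate) {
        ArrayList<String> names = new ArrayList<String>();
        try {
            byte[] raw = x509Certificate.getExtensionValue(X509Extensions.SubjectAlternativeName.getId());
            if (raw == null) {
                return Collections.emptyList();
            }
            byte[] content = ((ASN1OctetString) ASN1Object.fromByteArray(raw)).getOctets();
            Enumeration<?> entries = DERSequence.getInstance(ASN1Object.fromByteArray(content)).getObjects();
            while (entries.hasMoreElements()) {
                GeneralName generalName = GeneralName.getInstance(entries.nextElement());
                // Tag 2 is the dNSName choice of GeneralName; every other name type is ignored.
                if (generalName.getTagNo() == 2) {
                    names.add(((DERString) generalName.getName()).getString());
                }
            }
            return Collections.unmodifiableCollection(names);
        } catch (Exception e) {
            // NOTE(review): a malformed extension is logged and treated like a short or empty
            // SAN list rather than as a validation failure.
            Log.e(TAG, "getSubjectAlternativeNames()", e);
            return names;
        }
    }

    /** Joins the strings with ':' as separator. */
    private String join(Collection<String> collection) {
        StringBuilder joined = new StringBuilder();
        boolean first = true;
        for (String part : collection) {
            if (!first) {
                joined.append(':');
            }
            first = false;
            joined.append(part);
        }
        return joined.toString();
    }

    /**
     * Posts a notification that opens {@code CertDisplayActivity} with the certificate details.
     *
     * @param str notification title and first part of the "msg" extra
     * @param str2 notification text and second part of the "msg" extra
     * @param x509Certificate certificate whose issuer, subject and validity dates are shown
     * @param str3 fingerprint to show, or {@code null} to omit it
     */
    private void showCertMessage(String str, String str2, X509Certificate x509Certificate, String str3) {
        Intent intent = new Intent(this.mContext, CertDisplayActivity.class);
        intent.putExtra("issuer", x509Certificate.getIssuerDN().getName());
        intent.putExtra("subject", x509Certificate.getSubjectDN().getName());
        if (str3 != null) {
            intent.putExtra("fingerprint", str3);
        }
        intent.putExtra("issued", x509Certificate.getNotBefore().toGMTString());
        intent.putExtra(ClientCookie.EXPIRES_ATTR, x509Certificate.getNotAfter().toGMTString());
        intent.putExtra("msg", str + ": " + str2);
        showToolbarNotification(str, str2, this.DEFAULT_NOTIFY_ID, this.mAppIcon, Notification.FLAG_AUTO_CANCEL, intent);
    }

    /**
     * Builds and posts a status-bar notification.
     *
     * @param str title
     * @param str2 body text
     * @param i notification id
     * @param i2 icon resource id
     * @param i3 extra {@code Notification.flags} bits, applied when greater than zero
     * @param intent explicit intent launched when the notification is tapped
     */
    private void showToolbarNotification(String str, String str2, int i, int i2, int i3, Intent intent) {
        NotificationManager notificationManager = (NotificationManager) this.mContext.getSystemService("notification");
        // NOTE(review): this clears every notification the host application has posted, not
        // only the ones raised by this class.
        notificationManager.cancelAll();
        String ticker = this.mAppName != null ? this.mAppName + ": " + str : str;
        Notification notification = new Notification(i2, ticker, System.currentTimeMillis());
        if (i3 > 0) {
            notification.flags |= i3;
        }
        // The intent names CertDisplayActivity explicitly, so the PendingIntent cannot be
        // redirected to another component. 134217728 in the decompiled source is
        // PendingIntent.FLAG_UPDATE_CURRENT.
        PendingIntent contentIntent = PendingIntent.getActivity(this.mContext, 0, intent, PendingIntent.FLAG_UPDATE_CURRENT);
        notification.setLatestEventInfo(this.mContext, str, str2, contentIntent);
        notificationManager.notify(i, notification);
    }

    /** Parses a DER-encoded byte array into a single ASN.1 object. */
    private DERObject toDERObject(byte[] bArr) throws IOException {
        return new ASN1InputStream(new ByteArrayInputStream(bArr)).readObject();
    }

    /**
     * Client-certificate validation is not implemented.
     *
     * <p>The original only logged a warning and returned, which accepts every client chain if
     * this trust manager is ever installed on a server-side socket. Fail closed instead.
     *
     * @throws CertificateException always
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        debug("WARNING: Client Cert Trust NOT YET IMPLEMENTED");
        throw new CertificateException("Client certificate validation is not implemented");
    }

    /* JADX WARN: Code restructure failed: missing block: B:100:0x03af, code lost:
    
        debug("ERROR: unverified issuer: " + r20.getIssuerDN());
     */
    /* JADX WARN: Code restructure failed: missing block: B:101:0x03d3, code lost:
    
        if (r28.mNotifyVerificationFail != false) goto L92;
     */
    /* JADX WARN: Code restructure failed: missing block: B:102:0x03d5, code lost:
    
        showCertMessage(r28.mContext.getString(info.guardianproject.onionkit.R.string.error_signature_chain_verification_failed) + r12.getMessage(), r23.getIssuerDN().getName(), r23, r8);
     */
    /* JADX WARN: Code restructure failed: missing block: B:104:0x0441, code lost:
    
        throw new java.security.cert.CertificateException(r28.mContext.getString(info.guardianproject.onionkit.R.string.error_signature_chain_verification_failed) + r23.getIssuerDN().getName() + ": " + r12.getMessage());
     */
    /* JADX WARN: Code restructure failed: missing block: B:92:0x035d, code lost:
    
        debug("found issuer for current cert in chain: " + r23.getSubjectDN());
        r23.checkValidity();
     */
    /* JADX WARN: Code restructure failed: missing block: B:94:0x0380, code lost:
    
        r20.verify(r23.getPublicKey());
     */
    /* JADX WARN: Code restructure failed: missing block: B:95:0x038b, code lost:
    
        r11 = true;
        debug("SUCCESS: verified issuer: " + r20.getIssuerDN());
     */
    /* JADX WARN: Code restructure failed: missing block: B:99:0x03ae, code lost:
    
        r12 = move-exception;
     */
    /**
     * Server chain validation. The decompiler did not recover this method's body.
     *
     * <p>The fragments preserved in the warnings above show an issuer's validity period being
     * checked, the certificate signature being verified with the issuer's public key, and a
     * notification plus {@code CertificateException} on failure. The order of the checks and
     * the use of the policy flags are not recoverable from this listing.
     *
     * <p>As written, every call throws {@code UnsupportedOperationException}. Do not replace
     * this stub with a permissive body; recover the logic from the bytecode or the original
     * source before reusing the class.
     */
    @Override // javax.net.ssl.X509TrustManager
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public void checkServerTrusted(java.security.cert.X509Certificate[] r29, java.lang.String r30) throws java.security.cert.CertificateException {
        /*
            Method dump skipped, instructions count: 1412
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: info.guardianproject.onionkit.trust.StrongTrustManager.checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String):void");
    }

    /** Returns an empty array; no accepted issuers are advertised by this trust manager. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /** Returns the domain set with {@link #setDomain}, or {@code null} if none was set. */
    public String getDomain() {
        return this.mDomain;
    }

    /**
     * Computes a certificate fingerprint as lowercase hex byte pairs, each followed by a space.
     *
     * @param x509Certificate certificate whose DER encoding is hashed
     * @param str {@code MessageDigest} algorithm name chosen by the caller; prefer "SHA-256"
     *     over MD5 or SHA-1 when the fingerprint is shown to users for comparison
     * @return the fingerprint, including a trailing space after the last byte
     * @throws NoSuchAlgorithmException if the digest algorithm is unavailable
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public String getFingerprint(X509Certificate x509Certificate, String str) throws NoSuchAlgorithmException, CertificateEncodingException {
        byte[] digest = MessageDigest.getInstance(str).digest(x509Certificate.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 3);
        for (byte b : digest) {
            String pair = Integer.toHexString(b & 255);
            if (pair.length() == 1) {
                hex.append("0");
            }
            hex.append(pair).append(' ');
        }
        return hex.toString();
    }

    /** Returns the live trust store (same object as {@link #getTrustStore}); it is not copied. */
    public KeyStore getKeyStore() {
        return this.mTrustStore;
    }

    /** Returns the server set with {@link #setServer}, or {@code null} if none was set. */
    public String getServer() {
        return this.mServer;
    }

    /** Returns the live trust store; callers can add or remove trust anchors through it. */
    public KeyStore getTrustStore() {
        return this.mTrustStore;
    }

    /** Returns the hard-coded password of the bundled trust store. */
    public String getTrustStorePassword() {
        return TRUSTSTORE_PASSWORD;
    }

    /** Returns whether the weak-crypto check on the chain is enabled. */
    public boolean hasCheckChainCrypto() {
        return this.mCheckChainCrypto;
    }

    /** Returns whether host-name matching is enabled. */
    public boolean isCheckMatchingDomain() {
        return this.mCheckMatchingDomain;
    }

    /** Returns whether the certificate expiry check is enabled. */
    public boolean isExpiredCheck() {
        return this.mExpiredCheck;
    }

    /** Returns whether self-signed certificates are allowed. */
    public boolean isSelfSignedAllowed() {
        return this.mSelfSignedAllowed;
    }

    /** Returns whether chain verification is enabled. */
    public boolean isVerifyChain() {
        return this.mVerifyChain;
    }

    /** Returns whether root verification is enabled. */
    public boolean isVerifyRoot() {
        return this.mVerifyRoot;
    }

    /** Sets the drawable resource id used as the notification icon. */
    public void setAppIcon(int i) {
        this.mAppIcon = i;
    }

    // NOTE(review): each boolean setter below can switch off one validation step. Callers that
    // pass false should be audited; presumably the flags gate the corresponding checks in
    // checkServerTrusted, which is not visible in this listing.

    /** Enables or disables the weak-crypto check on the chain. */
    public void setCheckChainCrypto(boolean z) {
        this.mCheckChainCrypto = z;
    }

    /** Enables or disables host-name matching. */
    public void setCheckMatchingDomain(boolean z) {
        this.mCheckMatchingDomain = z;
    }

    /** Sets the expected domain name. */
    public void setDomain(String str) {
        this.mDomain = str;
    }

    /** Enables or disables the certificate expiry check. */
    public void setExpiredCheck(boolean z) {
        this.mExpiredCheck = z;
    }

    /** Enables or disables notifications on verification failure. */
    public void setNotifyVerificationFail(boolean z) {
        this.mNotifyVerificationFail = z;
    }

    /** Enables or disables notifications on verification success. */
    public void setNotifyVerificationSuccess(boolean z) {
        this.mNotifyVerificationSuccess = z;
    }

    /** Allows or forbids self-signed certificates. */
    public void setSelfSignedAllowed(boolean z) {
        this.mSelfSignedAllowed = z;
    }

    /** Sets the expected server host name. */
    public void setServer(String str) {
        this.mServer = str;
    }

    /** Replaces the trust store used for issuer lookup; the caller controls all trust anchors. */
    public void setTrustStore(KeyStore keyStore) {
        this.mTrustStore = keyStore;
    }

    /** Enables or disables chain verification. */
    public void setVerifyChain(boolean z) {
        this.mVerifyChain = z;
    }

    /** Enables or disables root verification. */
    public void setVerifyRoot(boolean z) {
        this.mVerifyRoot = z;
    }
}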
