package cn.com.bouncycastle.jsse.provider;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.crypto.params.ECPublicKeyParameters;
import org.bouncycastle.crypto.signers.StandardDSAEncoding;
import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil;

/* loaded from: classes.dex */
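/**
 * X.509 trust manager that validates a peer's chain by walking it from the leaf
 * certificate to a self-signed root and then requiring that root to be (or to be
 * signed by) one of the trusted certificates. The trusted set is the
 * {@code TrustAnchor}s given to the constructor merged with the platform CA store
 * (see {@link #addSystemCACerts}); it is also what {@link #getAcceptedIssuers()}
 * reports.
 *
 * <p>For every link, {@link #validatePath} checks issuer/subject name chaining, the
 * signature, the validity period and - for certificates that are not trust
 * anchors - CA authority (basicConstraints cA plus path length, and keyCertSign
 * when a keyUsage extension is present). A signature that cannot be verified is
 * always a rejection; there is no "skip verification" path.
 *
 * <p>NOTE(review): {@link #baseParameters} is built from the supplied
 * {@code PKIXParameters}, but no PKIX {@code CertPathValidator} is run, so the
 * revocation setting, certificate path checkers, target constraints and policy
 * flags configured there are NOT enforced by this class. Endpoint (hostname)
 * identification is not performed here either and must be done by the caller.
 */
public class ProvX509TrustManagerImpl implements ProvX509TrustManager {
    private static final Logger LOG = Logger.getLogger(ProvX509TrustManagerImpl.class.getName());

    /** Index of the keyCertSign bit in the array returned by {@link X509Certificate#getKeyUsage()}. */
    private static final int KEY_USAGE_KEY_CERT_SIGN = 5;

    /** PKIX settings derived from the constructor arguments; retained but not applied by {@link #validatePath}. */
    private final PKIXParameters baseParameters;
    /** Provider tried first when obtaining a {@link Signature} verifier; may be null (default lookup only). */
    private final Provider pkixProvider;
    /** Trust anchor certificates merged with the platform CA store; unmodifiable. */
    private final Set<X509Certificate> trustedCerts;

    /**
     * Creates a trust manager from existing PKIX parameters.
     *
     * @param provider        provider preferred for signature verification, or null
     * @param pKIXParameters  source of trust anchors; if it is not already a
     *                        {@link PKIXBuilderParameters} its settings are copied into one
     * @throws InvalidAlgorithmParameterException if the trust anchor set is empty
     */
    public ProvX509TrustManagerImpl(Provider provider, PKIXParameters pKIXParameters) throws InvalidAlgorithmParameterException {
        Objects.requireNonNull(pKIXParameters, "pKIXParameters");
        this.pkixProvider = provider;
        this.trustedCerts = Collections.unmodifiableSet(getTrustedCerts(pKIXParameters.getTrustAnchors()));
        if (pKIXParameters instanceof PKIXBuilderParameters) {
            this.baseParameters = pKIXParameters;
            return;
        }
        PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(pKIXParameters.getTrustAnchors(), pKIXParameters.getTargetCertConstraints());
        builderParameters.setCertStores(pKIXParameters.getCertStores());
        builderParameters.setRevocationEnabled(pKIXParameters.isRevocationEnabled());
        builderParameters.setCertPathCheckers(pKIXParameters.getCertPathCheckers());
        builderParameters.setDate(pKIXParameters.getDate());
        builderParameters.setAnyPolicyInhibited(pKIXParameters.isAnyPolicyInhibited());
        builderParameters.setPolicyMappingInhibited(pKIXParameters.isPolicyMappingInhibited());
        builderParameters.setExplicitPolicyRequired(pKIXParameters.isExplicitPolicyRequired());
        this.baseParameters = builderParameters;
    }

    /**
     * Creates a trust manager from a set of trust anchors. The derived PKIX parameters
     * have revocation checking disabled and accept any target certificate.
     *
     * @param provider provider preferred for signature verification, or null
     * @param set      trust anchors; must be non-empty
     * @throws InvalidAlgorithmParameterException if {@code set} is empty
     */
    public ProvX509TrustManagerImpl(Provider provider, Set<TrustAnchor> set) throws InvalidAlgorithmParameterException {
        Objects.requireNonNull(set, "set");
        this.pkixProvider = provider;
        this.trustedCerts = Collections.unmodifiableSet(getTrustedCerts(set));
        PKIXBuilderParameters builderParameters = new PKIXBuilderParameters(set, new X509CertSelector());
        builderParameters.setRevocationEnabled(false);
        this.baseParameters = builderParameters;
    }

    /**
     * Adds the platform's CA certificates to {@code set}. On Android (VM name "Dalvik")
     * the {@code AndroidCAStore} is read; elsewhere the JRE's
     * {@code lib/security/cacerts} file is loaded without a password, so the store's
     * integrity check is skipped (as before). This widens trust beyond the anchors
     * given to the constructor; callers treat failures as best-effort.
     */
    private void addSystemCACerts(Set<X509Certificate> set) throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        if ("Dalvik".equalsIgnoreCase(System.getProperty("java.vm.name"))) {
            KeyStore androidStore = KeyStore.getInstance("AndroidCAStore");
            androidStore.load(null);
            addCertificates(androidStore, set);
            return;
        }
        String javaHome = System.getProperty("java.home");
        if (javaHome == null || javaHome.isEmpty()) {
            return;
        }
        File cacerts = new File(javaHome, "lib" + File.separator + "security" + File.separator + "cacerts");
        if (!cacerts.isFile()) {
            return;
        }
        KeyStore jreStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the stream was previously never closed.
        try (InputStream in = Files.newInputStream(cacerts.toPath())) {
            jreStore.load(in, null);
        }
        addCertificates(jreStore, set);
    }

    /** Copies every X.509 certificate entry of {@code keyStore} into {@code set}; other entry types are skipped. */
    private static void addCertificates(KeyStore keyStore, Set<X509Certificate> set) throws KeyStoreException {
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate cert = keyStore.getCertificate(aliases.nextElement());
            if (cert instanceof X509Certificate) {
                set.add((X509Certificate) cert);
            }
        }
    }

    /**
     * Returns whether {@code subject}'s signature verifies under {@code issuer}'s public key.
     *
     * <p>Fails closed: a signature that cannot be decoded, a key of the wrong type for
     * the algorithm, or a failed verification all yield {@code false}. (Previously an
     * SM2 signature whose integers were out of range bypassed verification and was
     * accepted, and an issuer whose key algorithm differed from the subject's - e.g.
     * an RSA CA signing an EC certificate - was rejected outright.)
     *
     * @throws CertificateException if verification could not even be attempted: the
     *         signature algorithm is unavailable or the certificate cannot be encoded
     */
    private boolean checkSignature(X509Certificate issuer, X509Certificate subject) throws CertificateException {
        PublicKey issuerKey = issuer.getPublicKey();
        if (!isSafeASN1IntegerSignature(issuerKey, subject)) {
            return false;
        }
        try {
            Signature verifier = newVerifier(subject.getSigAlgName());
            verifier.initVerify(issuerKey);
            verifier.update(subject.getTBSCertificate());
            return verifier.verify(subject.getSignature());
        } catch (InvalidKeyException | SignatureException e) {
            // Wrong key type for the algorithm, or malformed signature bytes: this issuer does not sign the subject.
            return false;
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new CertificateException("unable to verify certificate signature:" + e.getMessage(), e);
        }
    }

    /** Obtains a verifier for {@code sigAlgName}, preferring {@link #pkixProvider} when it implements the algorithm. */
    private Signature newVerifier(String sigAlgName) throws NoSuchAlgorithmException {
        if (pkixProvider != null) {
            try {
                return Signature.getInstance(sigAlgName, pkixProvider);
            } catch (NoSuchAlgorithmException ignored) {
                // The preferred provider lacks this algorithm; fall back to the default provider lookup.
            }
        }
        return Signature.getInstance(sigAlgName);
    }

    /**
     * Builds the trusted certificate set: every anchor's certificate plus, best effort,
     * the platform CA store. Null anchors and anchors without a certificate are ignored.
     */
    private Set<X509Certificate> getTrustedCerts(Set<TrustAnchor> set) {
        Set<X509Certificate> certs = new HashSet<>(set.size());
        for (TrustAnchor anchor : set) {
            if (anchor == null) {
                continue;
            }
            X509Certificate anchorCert = anchor.getTrustedCert();
            if (anchorCert != null) {
                certs.add(anchorCert);
            }
        }
        try {
            addSystemCACerts(certs);
        } catch (Exception e) {
            // Best effort: an unreadable platform store only narrows the trusted set.
            LOG.log(Level.WARNING, "unable to load platform CA certificates", e);
        }
        return certs;
    }

    /**
     * Pre-check for SM3withSM2 signatures: the DER-encoded (r, s) pair must decode and
     * both values must lie in [1, n-1] for the issuer's curve order n. Other signature
     * algorithms always pass (the JCA verifier handles them), as does an issuer key that
     * is not an EC key - {@link #checkSignature} then rejects it via {@code initVerify}.
     *
     * @return false if the signature is malformed for SM2 and must be rejected
     */
    private static boolean isSafeASN1IntegerSignature(PublicKey issuerKey, X509Certificate cert) {
        if (!"SM3WITHSM2".equalsIgnoreCase(cert.getSigAlgName())) {
            return true;
        }
        try {
            ECPublicKeyParameters ecKey = (ECPublicKeyParameters) ECUtil.generatePublicKeyParameter(issuerKey);
            StandardDSAEncoding.INSTANCE.decode(ecKey.getParameters().getN(), cert.getSignature());
            return true;
        } catch (InvalidKeyException e) {
            return true;
        } catch (IOException | IllegalArgumentException e) {
            // Undecodable DER or r/s out of range ("Value out of range"): previously this path skipped verification.
            return false;
        }
    }

    /**
     * Finds, among {@code candidates}, a certificate whose subject equals {@code cert}'s
     * issuer and whose key verifies {@code cert}'s signature. The match must be within
     * its validity period and - unless it is one of the trusted certificates, which
     * are accepted as-is like PKIX trust anchors - must be a CA entitled to sign
     * {@code cert} (see {@link #requireCaAuthority}).
     *
     * @param intermediatesBelow number of intermediate certificates between the
     *                           returned issuer and the leaf
     * @return the issuer, or null if no candidate both name-matches and verifies
     * @throws CertificateException if the matching candidate is expired, not yet valid
     *         or not entitled to sign {@code cert}
     */
    private X509Certificate selectIssuer(Set<X509Certificate> candidates, X509Certificate cert, int intermediatesBelow) throws CertificateException {
        for (X509Certificate candidate : candidates) {
            if (!candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                continue;
            }
            if (!checkSignature(candidate, cert)) {
                continue;
            }
            candidate.checkValidity();
            if (!this.trustedCerts.contains(candidate)) {
                requireCaAuthority(candidate, intermediatesBelow);
            }
            return candidate;
        }
        return null;
    }

    /**
     * Rejects {@code ca} unless it may sign a certificate with {@code intermediatesBelow}
     * intermediates beneath it. Without this check any end-entity certificate issued by
     * a trusted CA could act as a CA for arbitrary names.
     */
    private static void requireCaAuthority(X509Certificate ca, int intermediatesBelow) throws CertificateException {
        // getBasicConstraints(): -1 when not a CA (or no basicConstraints at all, e.g. a v1 certificate);
        // otherwise the permitted number of intermediates below this one (Integer.MAX_VALUE if unbounded).
        if (ca.getBasicConstraints() < intermediatesBelow) {
            throw new CertificateException("issuer is not a CA or exceeds its path length constraint:" + ca.getSubjectX500Principal());
        }
        boolean[] keyUsage = ca.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= KEY_USAGE_KEY_CERT_SIGN || !keyUsage[KEY_USAGE_KEY_CERT_SIGN])) {
            throw new CertificateException("issuer key usage does not permit keyCertSign:" + ca.getSubjectX500Principal());
        }
    }

    /** Enforces the X509TrustManager contract: the authentication type must be non-null and non-empty. */
    private static void requireAuthType(String authType) {
        if (authType == null || authType.isEmpty()) {
            throw new IllegalArgumentException("'authType' must be a non-empty string");
        }
    }

    /** Validates the chain; {@code str} (authType) is only contract-checked, not used for selection. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Validates the chain; the socket is not consulted (no endpoint identification here). */
    @Override // cn.com.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Validates the chain; the engine is not consulted (no endpoint identification here). */
    @Override // cn.com.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Validates the chain; {@code str} (authType) is only contract-checked, not used for selection. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Validates the chain; the socket is not consulted (no endpoint identification here). */
    @Override // cn.com.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Validates the chain; the engine is not consulted (no endpoint identification here). */
    @Override // cn.com.bouncycastle.jsse.provider.ProvX509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        requireAuthType(str);
        validatePath(x509CertificateArr);
    }

    /** Returns a fresh array of the trusted certificates (anchors plus platform CAs). */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.trustedCerts.toArray(new X509Certificate[0]);
    }

    /**
     * Validates {@code x509CertificateArr} (leaf first). The path is walked from the
     * leaf through issuers chosen from the trusted certificates and the extra
     * certificates the peer supplied, until a self-issued certificate is reached;
     * that root is then self-verified and must be found in (or be signed by a key in)
     * the trusted set. Every certificate on the path must be within its validity
     * period and every issuer that is not a trust anchor must be a CA.
     *
     * @throws IllegalArgumentException if the chain is null or empty
     * @throws CertificateException     if no valid path to a trusted certificate exists,
     *                                  a certificate is outside its validity period, an
     *                                  issuer is not a CA, or the chain is cyclic
     */
    public void validatePath(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("'x509Certificates' must be a chain of at least one certificate");
        }
        X509Certificate leaf = x509CertificateArr[0];
        // The leaf's own validity period was previously never checked unless it was self-signed.
        leaf.checkValidity();

        // Issuer candidates: the trusted certificates plus every extra certificate the peer sent.
        Set<X509Certificate> candidates = new HashSet<>(this.trustedCerts);
        candidates.addAll(Arrays.asList(x509CertificateArr).subList(1, x509CertificateArr.length));

        // Walk leaf -> issuer -> ... until a self-issued (subject == issuer) certificate is reached.
        Set<X509Certificate> visited = new HashSet<>();
        visited.add(leaf);
        X509Certificate current = leaf;
        int intermediatesBelow = 0;
        while (!isSelfIssued(current)) {
            X509Certificate issuer = selectIssuer(candidates, current, intermediatesBelow);
            if (issuer == null) {
                throw new CertificateException("unable to build certificate path:" + current);
            }
            // Peer-supplied certificates that sign each other would otherwise make this loop spin forever.
            if (!visited.add(issuer)) {
                throw new CertificateException("certificate path contains a cycle at:" + issuer.getSubjectX500Principal());
            }
            current = issuer;
            intermediatesBelow++;
        }
        if (!checkSignature(current, current)) {
            throw new CertificateException("unable to verify certificate signature:" + current);
        }
        current.checkValidity();
        // Trust is granted only here: the root must be, or be signed by the key of, a trusted certificate.
        if (selectIssuer(this.trustedCerts, current, intermediatesBelow) == null) {
            throw new CertificateException("unable to find trust cert:" + current);
        }
    }

    /** True when the certificate's subject and issuer names are equal (self-issued, e.g. a root). */
    private static boolean isSelfIssued(X509Certificate cert) {
        return cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }
}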
