package gj;

import gj.a;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.cert.CertificateEncodingException;
import jj.g;
import org.apache.commons.lang3.StringUtils;
import org.minidns.AbstractDnsClient;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.record.Record;
import org.minidns.record.TLSA;

/* loaded from: classes4.dex */
/**
 * DANE/TLSA verifier (decompiled output; identifiers are obfuscated).
 *
 * <p>Queries TLSA records for {@code _<port>._tcp.<host>} through the DNS client it was built
 * with and compares the first certificate of a peer chain against them.
 *
 * <p>Result contract as implemented in {@link #e(X509Certificate[], String, int)}:
 * {@code true} is returned only when a record with usage {@code domainIssuedCertificate}
 * matches. {@code false} covers several different situations (response not flagged as
 * authenticated, no usable record, or a matching {@code serviceCertificateConstraint} record),
 * so callers must not treat {@code false} as "certificate rejected" nor skip their regular
 * chain validation because of it.
 *
 * <p>NOTE(review): the methods below throw checked exceptions ({@code CertificateException})
 * without a {@code throws} clause, and the nested class {@code a} has the same simple name as the
 * imported {@code gj.a} used for {@code a.C0650a} / {@code a.b}. Both look like decompiler
 * artefacts; this listing is for reading, not for recompiling as-is.
 */
public class b {

    /* renamed from: b, reason: collision with root package name */
    // Class logger; all "not supported" decisions below are reported through it at WARNING level.
    private static final Logger f26565b = Logger.getLogger(b.class.getName());

    /* renamed from: a, reason: collision with root package name */
    // DNS client used for the TLSA lookup in e(...).
    private final AbstractDnsClient f26566a;

    // Compiler-generated switch maps: each array translates an enum ordinal into the case number
    // used by the comparisons in a(...). A NoSuchFieldError is swallowed on purpose, which leaves
    // the slot at 0; none of the comparisons in a(...) accept 0, so such a value ends up in the
    // "not supported" branches.
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes4.dex */
    public static /* synthetic */ class a {

        /* renamed from: a, reason: collision with root package name */
        // TLSA.CertUsage ordinal -> case number (1..4).
        static final /* synthetic */ int[] f26567a;

        /* renamed from: b, reason: collision with root package name */
        // TLSA.Selector ordinal -> case number (1..2).
        static final /* synthetic */ int[] f26568b;

        /* renamed from: c, reason: collision with root package name */
        // TLSA.MatchingType ordinal -> case number (1..3).
        static final /* synthetic */ int[] f26569c;

        static {
            // Matching type: 1 = noHash, 2 = sha256, 3 = sha512.
            int[] iArr = new int[TLSA.MatchingType.values().length];
            f26569c = iArr;
            try {
                iArr[TLSA.MatchingType.noHash.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f26569c[TLSA.MatchingType.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                f26569c[TLSA.MatchingType.sha512.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            // Selector: 1 = fullCertificate, 2 = subjectPublicKeyInfo.
            int[] iArr2 = new int[TLSA.Selector.values().length];
            f26568b = iArr2;
            try {
                iArr2[TLSA.Selector.fullCertificate.ordinal()] = 1;
            } catch (NoSuchFieldError unused4) {
            }
            try {
                f26568b[TLSA.Selector.subjectPublicKeyInfo.ordinal()] = 2;
            } catch (NoSuchFieldError unused5) {
            }
            // Certificate usage: 1 = serviceCertificateConstraint, 2 = domainIssuedCertificate,
            // 3 = caConstraint, 4 = trustAnchorAssertion.
            int[] iArr3 = new int[TLSA.CertUsage.values().length];
            f26567a = iArr3;
            try {
                iArr3[TLSA.CertUsage.serviceCertificateConstraint.ordinal()] = 1;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                f26567a[TLSA.CertUsage.domainIssuedCertificate.ordinal()] = 2;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                f26567a[TLSA.CertUsage.caConstraint.ordinal()] = 3;
            } catch (NoSuchFieldError unused8) {
            }
            try {
                f26567a[TLSA.CertUsage.trustAnchorAssertion.ordinal()] = 4;
            } catch (NoSuchFieldError unused9) {
            }
        }
    }

    /**
     * Creates a verifier backed by a new {@code jj.b} client.
     *
     * <p>NOTE(review): {@code jj.b} is obfuscated; presumably a DNSSEC-validating client. Confirm,
     * because e(...) relies on a flag of the response to decide whether TLSA data is usable.
     */
    public b() {
        this(new jj.b());
    }

    /**
     * Creates a verifier that sends its TLSA queries through the given client.
     *
     * @param abstractDnsClient client used for the lookup; stored without a null check
     */
    public b(AbstractDnsClient abstractDnsClient) {
        this.f26566a = abstractDnsClient;
    }

    /**
     * Checks one certificate against one TLSA record.
     *
     * <p>Only the usages {@code serviceCertificateConstraint} and {@code domainIssuedCertificate}
     * are processed; {@code caConstraint}, {@code trustAnchorAssertion} and any unknown usage,
     * selector or matching type are logged and answered with {@code false}.
     *
     * @param x509Certificate certificate to compare (the caller passes the first chain element)
     * @param tlsa            TLSA record to compare against
     * @param str             host name, used only in log messages
     * @return {@code true} only if the record matches and its usage is
     *         {@code domainIssuedCertificate}; {@code false} for an unsupported record or for a
     *         matching {@code serviceCertificateConstraint} record
     * @throws a.C0650a if the computed association data is not accepted by {@code tlsa.o(...)}
     * @throws CertificateException if SHA-256 / SHA-512 is not available from the provider
     */
    private static boolean a(X509Certificate x509Certificate, TLSA tlsa, String str) {
        byte[] encoded;
        // A null enum means the raw usage byte could not be mapped to a known constant.
        TLSA.CertUsage certUsage = tlsa.f39126d;
        if (certUsage == null) {
            f26565b.warning("TLSA certificate usage byte " + ((int) tlsa.f39125c) + " is not supported while verifying " + str);
            return false;
        }
        int i10 = a.f26567a[certUsage.ordinal()];
        // Accept only case 1 (serviceCertificateConstraint) and case 2 (domainIssuedCertificate);
        // the CA / trust-anchor usages would need the rest of the chain, which is not passed in.
        if (i10 != 1 && i10 != 2) {
            f26565b.warning("TLSA certificate usage " + tlsa.f39126d + " (" + ((int) tlsa.f39125c) + ") not supported while verifying " + str);
            return false;
        }
        TLSA.Selector selector = tlsa.f39128f;
        if (selector == null) {
            f26565b.warning("TLSA selector byte " + ((int) tlsa.f39127e) + " is not supported while verifying " + str);
            return false;
        }
        int i11 = a.f26568b[selector.ordinal()];
        if (i11 == 1) {
            // fullCertificate: compare over the encoded certificate.
            encoded = x509Certificate.getEncoded();
        } else {
            if (i11 != 2) {
                f26565b.warning("TLSA selector " + tlsa.f39128f + " (" + ((int) tlsa.f39127e) + ") not supported while verifying " + str);
                return false;
            }
            // subjectPublicKeyInfo: compare over the encoded public key only.
            encoded = x509Certificate.getPublicKey().getEncoded();
        }
        TLSA.MatchingType matchingType = tlsa.f39130h;
        if (matchingType == null) {
            f26565b.warning("TLSA matching type byte " + ((int) tlsa.f39129g) + " is not supported while verifying " + str);
            return false;
        }
        int i12 = a.f26569c[matchingType.ordinal()];
        // Case 1 (noHash) keeps the raw bytes; cases 2 and 3 replace them with their digest.
        if (i12 != 1) {
            if (i12 == 2) {
                try {
                    encoded = MessageDigest.getInstance("SHA-256").digest(encoded);
                } catch (NoSuchAlgorithmException e10) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e10);
                }
            } else {
                if (i12 != 3) {
                    f26565b.warning("TLSA matching type " + tlsa.f39130h + " not supported while verifying " + str);
                    return false;
                }
                try {
                    encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                } catch (NoSuchAlgorithmException e11) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e11);
                }
            }
        }
        // tlsa.o(...) is obfuscated; presumably compares the bytes with the record's association
        // data (confirm in TLSA).
        if (tlsa.o(encoded)) {
            // A matching serviceCertificateConstraint record deliberately yields false here: the
            // match alone is not reported as a positive verdict for that usage.
            return tlsa.f39126d == TLSA.CertUsage.domainIssuedCertificate;
        }
        // Mismatch is reported as an exception, not as false, so e(...) can tell "record present
        // but certificate differs" apart from "record not usable".
        throw new a.C0650a(tlsa, encoded);
    }

    /**
     * Converts legacy {@code javax.security.cert} certificates to {@code java.security.cert}
     * ones by re-parsing their encoded form.
     *
     * <p>A certificate that cannot be converted is only logged; its slot in the result stays
     * {@code null}.
     *
     * <p>NOTE(review): e(...) reads element 0 of the result without a null check, so a failed
     * conversion of the leaf certificate surfaces later as a NullPointerException instead of a
     * CertificateException.
     *
     * @param x509CertificateArr legacy chain as returned by the TLS session
     * @return array of the same length, possibly containing {@code null} entries
     */
    private static X509Certificate[] b(javax.security.cert.X509Certificate[] x509CertificateArr) {
        X509Certificate[] x509CertificateArr2 = new X509Certificate[x509CertificateArr.length];
        for (int i10 = 0; i10 < x509CertificateArr.length; i10++) {
            try {
                x509CertificateArr2[i10] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(x509CertificateArr[i10].getEncoded()));
            } catch (CertificateException | CertificateEncodingException e10) {
                // Best effort: keep going, the slot for this index remains null.
                f26565b.log(Level.WARNING, "Could not convert", e10);
            }
        }
        return x509CertificateArr2;
    }

    /**
     * Verifies the peer of an established TLS session against TLSA records.
     *
     * <p>NOTE(review): the lookup name and port are taken from {@code getPeerHost()} /
     * {@code getPeerPort()}. The JDK documents the peer host as not authenticated, so the result
     * is only meaningful if the session was opened towards the name the caller intends to verify.
     *
     * <p>NOTE(review): {@code getPeerCertificateChain()} is the deprecated legacy accessor;
     * newer runtimes may not support it (verify for the target platform).
     * {@code getPeerCertificates()} is the replacement.
     *
     * @param sSLSession session whose peer chain is checked
     * @return result of {@link #e(X509Certificate[], String, int)}
     * @throws CertificateException if the peer is not verified (wraps SSLPeerUnverifiedException)
     */
    public boolean c(SSLSession sSLSession) {
        try {
            return e(b(sSLSession.getPeerCertificateChain()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e10) {
            throw new CertificateException("Peer not verified", e10);
        }
    }

    /**
     * Verifies the peer of a connected TLS socket against TLSA records.
     *
     * @param sSLSocket connected socket
     * @return result of {@link #c(SSLSession)} for the socket's session
     * @throws IllegalStateException if the socket is not connected
     */
    public boolean d(SSLSocket sSLSocket) {
        if (sSLSocket.isConnected()) {
            return c(sSLSocket.getSession());
        }
        throw new IllegalStateException("Socket not yet connected.");
    }

    /**
     * Looks up TLSA records for {@code _<port>._tcp.<host>} and checks the first certificate of
     * the chain against them.
     *
     * <p>Only {@code x509CertificateArr[0]} is examined; the remaining chain elements are ignored.
     *
     * <p>NOTE(review): there is no guard for an empty array or a {@code null} first element
     * (see b(...)); both end in an unchecked exception rather than a verification failure.
     *
     * @param x509CertificateArr peer chain, leaf first
     * @param str                host name used for the query and for log messages
     * @param i10                port used for the query name
     * @return {@code true} if a record made a(...) return {@code true}; {@code false} if the
     *         response flag checked below is not set, or no record produced a positive verdict
     *         and none reported a mismatch
     * @throws a.b              if no record gave a positive verdict and at least one reported a
     *                          mismatch (carries all collected mismatches)
     * @throws RuntimeException wrapping an IOException from the DNS query; callers that only
     *                          catch CertificateException will not see DNS failures
     */
    public boolean e(X509Certificate[] x509CertificateArr, String str, int i10) {
        ij.a e10 = ij.a.e("_" + i10 + "._tcp." + str);
        try {
            DnsMessage m10 = this.f26566a.m(e10, Record.TYPE.TLSA);
            // f39030i is obfuscated; presumably the DNSSEC "authentic data" flag, given the
            // "not signed properly" message on the other branch (confirm in DnsMessage).
            if (m10.f39030i) {
                LinkedList linkedList = new LinkedList();
                boolean z10 = false;
                for (Record record : m10.f39033l) {
                    // Consider only TLSA records whose owner name equals the queried name.
                    if (record.f39113b == Record.TYPE.TLSA && record.f39112a.equals(e10)) {
                        try {
                            z10 |= a(x509CertificateArr[0], (TLSA) record.f39117f, str);
                        } catch (a.C0650a e11) {
                            // Keep the mismatch; another record may still match.
                            linkedList.add(e11);
                        }
                        if (z10) {
                            // The first positive verdict ends the search.
                            break;
                        }
                    }
                }
                // A positive verdict wins over earlier mismatches. Without any mismatch the
                // (false) verdict is returned as-is.
                if (z10 || linkedList.isEmpty()) {
                    return z10;
                }
                throw new a.b(linkedList);
            }
            // Response not flagged as authenticated: the TLSA data is not used at all, the event
            // is logged at INFO level and the caller gets false.
            String str2 = "Got TLSA response from DNS server, but was not signed properly.";
            if (m10 instanceof jj.c) {
                // This message type exposes a collection via p(); each element is appended to
                // the log line as a reason.
                String str3 = "Got TLSA response from DNS server, but was not signed properly. Reasons:";
                Iterator it = ((jj.c) m10).p().iterator();
                while (it.hasNext()) {
                    str3 = str3 + StringUtils.SPACE + ((g) it.next());
                }
                str2 = str3;
            }
            f26565b.info(str2);
            return false;
        } catch (IOException e12) {
            throw new RuntimeException(e12);
        }
    }
}
