package org.minidns.dane;

import android.support.v4.media.e;
import io.adtrace.sdk.Constants;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.cert.CertificateEncodingException;
import org.minidns.AbstractDnsClient;
import org.minidns.dane.DaneCertificateException;
import org.minidns.dnsmessage.DnsMessage;
import org.minidns.dnsname.DnsName;
import org.minidns.record.Record;
import org.minidns.record.TLSA;
import org.minidns.record.h;
import zp.b;
import zp.c;

/* loaded from: classes3.dex */
/**
 * DANE/TLSA certificate check (decompiled, identifiers obfuscated).
 *
 * <p>Looks up the TLSA records for a host and port through {@link #f22535a} and compares the
 * first certificate of a chain against them. The members are:
 * <ul>
 *   <li>{@link #a(X509Certificate, TLSA, String)}: match one certificate against one TLSA record;</li>
 *   <li>{@link #b(javax.security.cert.X509Certificate[])}: convert legacy
 *       {@code javax.security.cert} certificates to {@code java.security.cert} ones;</li>
 *   <li>{@link #c(X509Certificate[], String, int)}: query TLSA records and evaluate them.</li>
 * </ul>
 *
 * <p>NOTE(review): a {@code false} result from {@code a} or {@code c} means "no DANE decision",
 * not "certificate rejected". Presumably callers must still run ordinary PKIX validation in that
 * case; confirm against the call sites, which are not part of this file.
 */
public final class a {

    /* renamed from: b, reason: collision with root package name */
    // Class logger; receives the warnings and info messages emitted during verification.
    public static final Logger f22534b = Logger.getLogger(a.class.getName());

    /* renamed from: a, reason: collision with root package name */
    // DNS client used for the TLSA lookup in c(). zp.b is presumably the DNSSEC-validating
    // client and f22505g a shared default cache; neither is visible here, so confirm.
    public final AbstractDnsClient f22535a = new b(AbstractDnsClient.f22505g);

    /* renamed from: org.minidns.dane.a$a, reason: collision with other inner class name */
    /* loaded from: classes3.dex */
    /**
     * Compiler-generated switch map: translates the ordinals of the three TLSA enums into the
     * small case numbers tested in {@link a#a(X509Certificate, TLSA, String)}.
     *
     * <p>Enum constants that are not assigned here keep the array default of 0, which the
     * caller treats as "not supported".
     */
    public static /* synthetic */ class C0137a {

        /* renamed from: a, reason: collision with root package name */
        // TLSA.CertUsage ordinal -> case number (1..4).
        public static final /* synthetic */ int[] f22536a;

        /* renamed from: b, reason: collision with root package name */
        // TLSA.Selector ordinal -> case number (1..2).
        public static final /* synthetic */ int[] f22537b;

        /* renamed from: c, reason: collision with root package name */
        // TLSA.MatchingType ordinal -> case number (1..3).
        public static final /* synthetic */ int[] f22538c;

        static {
            // Each assignment is wrapped in its own try/catch so that a constant missing from
            // the enum at run time leaves the slot at 0 instead of failing class initialisation.
            int[] iArr = new int[TLSA.MatchingType.values().length];
            f22538c = iArr;
            try {
                iArr[TLSA.MatchingType.noHash.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f22538c[TLSA.MatchingType.sha256.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                f22538c[TLSA.MatchingType.sha512.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            int[] iArr2 = new int[TLSA.Selector.values().length];
            f22537b = iArr2;
            try {
                iArr2[TLSA.Selector.fullCertificate.ordinal()] = 1;
            } catch (NoSuchFieldError unused4) {
            }
            try {
                f22537b[TLSA.Selector.subjectPublicKeyInfo.ordinal()] = 2;
            } catch (NoSuchFieldError unused5) {
            }
            int[] iArr3 = new int[TLSA.CertUsage.values().length];
            f22536a = iArr3;
            try {
                iArr3[TLSA.CertUsage.serviceCertificateConstraint.ordinal()] = 1;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                f22536a[TLSA.CertUsage.domainIssuedCertificate.ordinal()] = 2;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                f22536a[TLSA.CertUsage.caConstraint.ordinal()] = 3;
            } catch (NoSuchFieldError unused8) {
            }
            try {
                f22536a[TLSA.CertUsage.trustAnchorAssertion.ordinal()] = 4;
            } catch (NoSuchFieldError unused9) {
            }
        }
    }

    /**
     * Checks one certificate against one TLSA record.
     *
     * <p>Steps, in order: reject unsupported certificate usages, select the bytes to compare
     * (whole certificate or public key), optionally hash them, then compare with the record's
     * association data.
     *
     * <p>Return contract as implemented:
     * <ul>
     *   <li>{@code true}: the data matches and the usage is {@code domainIssuedCertificate};</li>
     *   <li>{@code false}: the data matches but the usage is {@code serviceCertificateConstraint},
     *       or the record uses an unsupported usage, selector or matching type (a warning is
     *       logged for the unsupported cases);</li>
     *   <li>exception: the record is supported but the data does not match.</li>
     * </ul>
     *
     * <p>NOTE(review): the matching {@code serviceCertificateConstraint} case returning
     * {@code false} presumably signals that PKIX validation is still required; confirm with the
     * caller. Unsupported records are skipped with {@code false} rather than treated as a
     * failure, so a zone that publishes only unsupported records yields no DANE decision.
     *
     * @param x509Certificate certificate to check; it is dereferenced without a null check, so a
     *     null value throws {@link NullPointerException} once a supported selector is reached
     * @param tlsa TLSA record to compare against
     * @param str name being verified; used only in log messages, where it is written verbatim
     * @return see the contract above
     * @throws DaneCertificateException.CertificateMismatch if the selected (and hashed) bytes
     *     differ from the record's association data
     * @throws CertificateException if the certificate cannot be encoded or the digest algorithm
     *     is unavailable
     */
    public static boolean a(X509Certificate x509Certificate, TLSA tlsa, String str) throws CertificateException {
        byte[] encoded;
        // f22651r is the parsed usage enum, f22650q the raw byte it was parsed from; a null enum
        // means the byte did not map to a known usage.
        TLSA.CertUsage certUsage = tlsa.f22651r;
        if (certUsage == null) {
            Logger logger = f22534b;
            StringBuilder a10 = e.a("TLSA certificate usage byte ");
            a10.append((int) tlsa.f22650q);
            a10.append(" is not supported while verifying ");
            a10.append(str);
            logger.warning(a10.toString());
            return false;
        }
        // Only cases 1 (serviceCertificateConstraint) and 2 (domainIssuedCertificate) are
        // handled. caConstraint and trustAnchorAssertion are logged and skipped.
        int i10 = C0137a.f22536a[certUsage.ordinal()];
        if (i10 != 1 && i10 != 2) {
            Logger logger2 = f22534b;
            StringBuilder a11 = e.a("TLSA certificate usage ");
            a11.append(tlsa.f22651r);
            a11.append(" (");
            a11.append((int) tlsa.f22650q);
            a11.append(") not supported while verifying ");
            a11.append(str);
            logger2.warning(a11.toString());
            return false;
        }
        // Selector: decides which bytes of the certificate are compared.
        TLSA.Selector selector = tlsa.f22653t;
        if (selector == null) {
            Logger logger3 = f22534b;
            StringBuilder a12 = e.a("TLSA selector byte ");
            a12.append((int) tlsa.f22652s);
            a12.append(" is not supported while verifying ");
            a12.append(str);
            logger3.warning(a12.toString());
            return false;
        }
        int i11 = C0137a.f22537b[selector.ordinal()];
        if (i11 == 1) {
            // fullCertificate: the encoded form of the whole certificate.
            encoded = x509Certificate.getEncoded();
        } else {
            if (i11 != 2) {
                Logger logger4 = f22534b;
                StringBuilder a13 = e.a("TLSA selector ");
                a13.append(tlsa.f22653t);
                a13.append(" (");
                a13.append((int) tlsa.f22652s);
                a13.append(") not supported while verifying ");
                a13.append(str);
                logger4.warning(a13.toString());
                return false;
            }
            // subjectPublicKeyInfo: the encoded form of the public key only.
            encoded = x509Certificate.getPublicKey().getEncoded();
        }
        // Matching type: compare the selected bytes as they are, or their digest.
        TLSA.MatchingType matchingType = tlsa.f22655v;
        if (matchingType == null) {
            Logger logger5 = f22534b;
            StringBuilder a14 = e.a("TLSA matching type byte ");
            a14.append((int) tlsa.f22654u);
            a14.append(" is not supported while verifying ");
            a14.append(str);
            logger5.warning(a14.toString());
            return false;
        }
        int i12 = C0137a.f22538c[matchingType.ordinal()];
        // Case 1 (noHash) falls through with the selected bytes unchanged.
        if (i12 != 1) {
            if (i12 == 2) {
                try {
                    // NOTE(review): the algorithm name comes from io.adtrace.sdk.Constants.SHA256,
                    // whose value is not visible here. The error message below implies "SHA-256";
                    // confirm, because the digest used for matching depends on an unrelated SDK class.
                    encoded = MessageDigest.getInstance(Constants.SHA256).digest(encoded);
                } catch (NoSuchAlgorithmException e10) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e10);
                }
            } else {
                if (i12 != 3) {
                    Logger logger6 = f22534b;
                    StringBuilder a15 = e.a("TLSA matching type ");
                    a15.append(tlsa.f22655v);
                    a15.append(" not supported while verifying ");
                    a15.append(str);
                    logger6.warning(a15.toString());
                    return false;
                }
                try {
                    encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                } catch (NoSuchAlgorithmException e11) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e11);
                }
            }
        }
        // f22656w is the record's association data. A match is only reported as true for
        // domainIssuedCertificate; a mismatch on a supported record is raised as an exception.
        if (Arrays.equals(tlsa.f22656w, encoded)) {
            return tlsa.f22651r == TLSA.CertUsage.domainIssuedCertificate;
        }
        throw new DaneCertificateException.CertificateMismatch();
    }

    /**
     * Converts legacy {@code javax.security.cert.X509Certificate} objects to
     * {@code java.security.cert.X509Certificate} by re-parsing their encoded form.
     *
     * <p>The result has the same length as the input. An entry that fails to encode or parse is
     * logged at WARNING level and its slot is left {@code null}.
     *
     * <p>NOTE(review): callers must be prepared for null entries. If index 0 is null and the
     * array is passed to {@code c}, a supported TLSA record leads to a
     * {@link NullPointerException} in {@code a} instead of a {@link CertificateException}.
     *
     * @param x509CertificateArr certificates to convert
     * @return array of converted certificates, possibly containing null entries
     */
    public static X509Certificate[] b(javax.security.cert.X509Certificate[] x509CertificateArr) {
        X509Certificate[] x509CertificateArr2 = new X509Certificate[x509CertificateArr.length];
        for (int i10 = 0; i10 < x509CertificateArr.length; i10++) {
            try {
                x509CertificateArr2[i10] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(x509CertificateArr[i10].getEncoded()));
            } catch (CertificateException | CertificateEncodingException e10) {
                // Conversion failure is logged only; the slot keeps its default null value.
                f22534b.log(Level.WARNING, "Could not convert", e10);
            }
        }
        return x509CertificateArr2;
    }

    /**
     * Queries the TLSA records for {@code _<i10>._tcp.<str>} and checks the first certificate
     * of the chain against each matching record.
     *
     * <p>Outcomes as implemented:
     * <ul>
     *   <li>the response flag {@code f22552i} is not set: the reason is logged at INFO level and
     *       {@code false} is returned without looking at any record;</li>
     *   <li>a record verifies: {@code true}, and evaluation stops at that record;</li>
     *   <li>no record verifies but at least one mismatched: the mismatches are thrown together;</li>
     *   <li>no TLSA record for the name, or only unsupported ones: {@code false}.</li>
     * </ul>
     *
     * <p>NOTE(review): {@code f22552i} is presumably the DNSSEC "authentic data" result, as the
     * log text suggests; confirm in {@code DnsMessage}. Returning {@code false} for an
     * unauthenticated answer means DANE is skipped rather than enforced, so the caller's fallback
     * validation decides the connection's fate.
     *
     * <p>NOTE(review): only {@code x509CertificateArr[0]} is examined, and it is read without a
     * length or null check. An empty chain throws {@link ArrayIndexOutOfBoundsException} as soon
     * as a TLSA record for the name is found.
     *
     * @param x509CertificateArr certificate chain; only index 0 is checked
     * @param str host name; used in the query name and passed on for log messages
     * @param i10 number placed in the leading {@code _<n>} label of the query name (the service
     *     port in the TLSA naming scheme)
     * @return {@code true} only if a record verified the certificate; see the outcomes above
     * @throws CertificateException if every evaluated record mismatched
     *     ({@code MultipleCertificateMismatchExceptions}) or verification itself failed
     * @throws RuntimeException wrapping the {@link IOException} of a failed DNS query; callers
     *     that catch only {@link CertificateException} will not see lookup failures
     */
    public final boolean c(X509Certificate[] x509CertificateArr, String str, int i10) throws CertificateException {
        String str2;
        DnsName i11 = DnsName.i("_" + i10 + "._tcp." + str);
        try {
            AbstractDnsClient abstractDnsClient = this.f22535a;
            Record.TYPE type = Record.TYPE.TLSA;
            Objects.requireNonNull(abstractDnsClient);
            DnsMessage k10 = abstractDnsClient.k(new org.minidns.dnsmessage.a(i11, type, Record.CLASS.IN));
            if (!k10.f22552i) {
                // Response not marked as properly signed: report why (when the message type
                // carries reasons) and give up on DANE for this connection.
                if (k10 instanceof c) {
                    Iterator<zp.e> it = ((c) k10).f31294w.iterator();
                    str2 = "Got TLSA response from DNS server, but was not signed properly. Reasons:";
                    while (it.hasNext()) {
                        str2 = str2 + " " + it.next();
                    }
                } else {
                    str2 = "Got TLSA response from DNS server, but was not signed properly.";
                }
                f22534b.info(str2);
                return false;
            }
            // Mismatches are collected so that a later record can still verify the certificate.
            LinkedList linkedList = new LinkedList();
            boolean z10 = false;
            // f22555l is presumably the answer section of the response; confirm in DnsMessage.
            for (Record<? extends h> record : k10.f22555l) {
                // Ignore records of another type or for another owner name.
                if (record.f22639b == Record.TYPE.TLSA && record.f22638a.equals(i11)) {
                    try {
                        z10 |= a(x509CertificateArr[0], (TLSA) record.f22643f, str);
                    } catch (DaneCertificateException.CertificateMismatch e10) {
                        linkedList.add(e10);
                    }
                    if (z10) {
                        break;
                    }
                }
            }
            // Success, or nothing evaluated to a mismatch: return the flag as it stands.
            if (z10 || linkedList.isEmpty()) {
                return z10;
            }
            throw new DaneCertificateException.MultipleCertificateMismatchExceptions(linkedList);
        } catch (IOException e11) {
            throw new RuntimeException(e11);
        }
    }
}
