package com.datatheorem.android.trustkit.pinning;

import android.net.http.X509TrustManagerExtensions;
import com.datatheorem.android.trustkit.config.DomainPinningPolicy;
import com.datatheorem.android.trustkit.config.PublicKeyPin;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
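/**
 * {@link X509TrustManager} that layers hostname verification and pin-failure reporting on top of
 * a baseline trust manager for a single server hostname.
 *
 * <p>As written here, the pin comparison itself is not performed by this class:
 * {@link #checkServerTrusted} only recognises a pinning failure through the message of the
 * {@link CertificateException} thrown by the baseline trust manager. {@code isPinInChain} is
 * kept but is not called from any method of this class.
 *
 * <p>Client authentication is not supported and no issuers are advertised.
 */
public class PinningTrustManager implements X509TrustManager {
    /**
     * Message prefix that marks a baseline failure as a pinning failure rather than a chain
     * failure. NOTE(review): presumably emitted by the platform's own pin check; confirm against
     * the trust manager passed to the constructor. A message that does not match is treated as a
     * chain failure, which still rejects the connection.
     */
    private static final String PIN_FAILURE_PREFIX = "Pin verification failed";

    private final X509TrustManagerExtensions baselineTrustManager;
    private final DomainPinningPolicy serverConfig;
    private final String serverHostname;

    /**
     * @param str hostname the served certificate is verified against and failures are reported for
     * @param domainPinningPolicy pinning policy supplying the configured pins and enforcement flag
     * @param x509TrustManager trust manager that performs the baseline chain validation
     */
    public PinningTrustManager(String str, DomainPinningPolicy domainPinningPolicy, X509TrustManager x509TrustManager) {
        this.serverHostname = str;
        this.serverConfig = domainPinningPolicy;
        this.baselineTrustManager = new X509TrustManagerExtensions(x509TrustManager);
    }

    /**
     * Returns {@code true} if the public key pin of any certificate in {@code list} is contained
     * in {@code set}.
     */
    private static boolean isPinInChain(List<X509Certificate> list, Set<PublicKeyPin> set) {
        for (X509Certificate certificate : list) {
            if (set.contains(new PublicKeyPin(certificate))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Always rejects: this trust manager is only meant to validate servers.
     *
     * @throws CertificateException unconditionally
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /**
     * Validates the served chain for the configured hostname and reports any failure.
     *
     * <p>A hostname mismatch or a baseline validation error is always fatal. A pinning failure is
     * always reported, but only rejects the connection when the policy's
     * {@code shouldEnforcePinning()} returns {@code true}; otherwise the connection is accepted
     * (report-only mode).
     *
     * @param x509CertificateArr chain served by the peer, leaf certificate first
     * @param str key exchange algorithm, passed through to the baseline trust manager
     * @throws IllegalArgumentException if the chain is {@code null} or empty
     * @throws CertificateException if hostname or chain validation fails, or if pinning fails
     *     while enforcement is enabled
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // Reject a missing chain explicitly, as the X509TrustManager contract specifies, instead
        // of failing with a NullPointerException or ArrayIndexOutOfBoundsException below.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Server certificate chain must not be null or empty");
        }

        List<X509Certificate> servedChain = Arrays.asList(x509CertificateArr);
        // Falls back to the served chain whenever the baseline check does not return one.
        List<X509Certificate> validatedChain = servedChain;

        // The hostname check runs independently of the baseline check; either one failing marks
        // the chain as untrusted.
        boolean chainValidationFailed =
                !OkHostnameVerifier.INSTANCE.verify(this.serverHostname, x509CertificateArr[0]);
        boolean pinValidationFailed = false;
        CertificateException baselineFailure = null;

        try {
            validatedChain = this.baselineTrustManager.checkServerTrusted(x509CertificateArr, str, this.serverHostname);
        } catch (CertificateException e) {
            baselineFailure = e;
            // getMessage() may be null; such an exception is a chain failure, not a pin failure.
            String message = e.getMessage();
            if (message != null && message.startsWith(PIN_FAILURE_PREFIX)) {
                pinValidationFailed = true;
            } else {
                chainValidationFailed = true;
            }
        }

        if (chainValidationFailed || pinValidationFailed) {
            // A chain failure takes precedence over a pin failure in the reported result.
            PinningValidationResult result = chainValidationFailed
                    ? PinningValidationResult.FAILED_CERTIFICATE_CHAIN_NOT_TRUSTED
                    : PinningValidationResult.FAILED;
            TrustManagerBuilder.getReporter().pinValidationFailed(
                    this.serverHostname, 0, servedChain, validatedChain, this.serverConfig, result);
        }

        if (chainValidationFailed) {
            // Keep the baseline error (null when only the hostname check failed) as the cause so
            // the underlying reason is not lost.
            throw new CertificateException(
                    "Certificate validation failed for " + this.serverHostname, baselineFailure);
        }

        // With enforcement disabled a pin failure has been reported above and the chain is accepted.
        if (pinValidationFailed && this.serverConfig.shouldEnforcePinning()) {
            StringBuilder sb = new StringBuilder("Pin verification failed\n  Configured pins: ");
            for (PublicKeyPin configuredPin : this.serverConfig.getPublicKeyPins()) {
                sb.append(configuredPin).append(" ");
            }
            sb.append("\n  Peer certificate chain: ");
            for (X509Certificate x509Certificate : validatedChain) {
                sb.append("\n    ").append(new PublicKeyPin(x509Certificate)).append(" - ").append(x509Certificate.getSubjectDN());
            }
            throw new CertificateException(sb.toString(), baselineFailure);
        }
    }

    /** Returns an empty array; this trust manager advertises no accepted issuers. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}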
