package org.matrix.androidsdk.ssl;

import android.util.Pair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import kotlin.UByte;
import okhttp3.CipherSuite;
import okhttp3.ConnectionSpec;
import okhttp3.TlsVersion;
import org.matrix.androidsdk.HomeServerConnectionConfig;
import org.matrix.androidsdk.core.Log;

/* loaded from: classes.dex */
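/**
 * Static TLS helpers for home server connections: certificate fingerprint
 * formatting and hashing, OkHttp connection specs, a hostname verifier with a
 * pinned-fingerprint fallback, and an SSL socket factory backed by a
 * {@code PinnedTrustManager}.
 *
 * <p>This listing is decompiler output; local names are synthetic.
 */
public class CertUtil {
    private static final String LOG_TAG = CertUtil.class.getSimpleName();
    private static final char[] hexArray = "0123456789ABCDEF".toCharArray();

    /**
     * Formats a fingerprint as upper-case hex byte pairs separated by a space.
     *
     * @param bArr fingerprint bytes, must not be null
     * @return for example {@code "AB 01 FF"}; empty string for an empty array
     */
    public static String fingerprintToHexString(byte[] bArr) {
        return fingerprintToHexString(bArr, ' ');
    }

    /**
     * Formats a fingerprint as upper-case hex byte pairs separated by {@code c},
     * with no trailing separator.
     *
     * @param bArr fingerprint bytes, must not be null
     * @param c    separator placed between consecutive bytes
     * @return the formatted fingerprint; empty string for an empty array
     */
    public static String fingerprintToHexString(byte[] bArr, char c) {
        // An empty input used to reach new String(cArr, 0, -1) and throw.
        if (bArr.length == 0) {
            return "";
        }
        char[] cArr = new char[bArr.length * 3];
        for (int i = 0; i < bArr.length; i++) {
            // Mask to 0..255. The decompiled constant (kotlin.UByte.MAX_VALUE) is a
            // signed byte, which would leave negative values and index out of range.
            int unsigned = bArr[i] & 0xFF;
            int offset = i * 3;
            cArr[offset] = hexArray[unsigned >>> 4];
            cArr[offset + 1] = hexArray[unsigned & 0x0F];
            cArr[offset + 2] = c;
        }
        // Drop the separator written after the last byte.
        return new String(cArr, 0, cArr.length - 1);
    }

    /**
     * Hashes the encoded form of a certificate with the named digest algorithm.
     *
     * @throws CertificateException wrapping any failure (unknown algorithm,
     *                              encoding error, null certificate)
     */
    private static byte[] generateFingerprint(X509Certificate x509Certificate, String str) throws CertificateException {
        try {
            return MessageDigest.getInstance(str).digest(x509Certificate.getEncoded());
        } catch (Exception e) {
            // Broad catch kept on purpose: callers only ever see CertificateException.
            throw new CertificateException(e);
        }
    }

    /**
     * Returns the SHA-1 fingerprint of the certificate.
     *
     * <p>SHA-1 is no longer collision resistant; prefer
     * {@link #generateSha256Fingerprint(X509Certificate)} for new pins and keep
     * this one for display or for matching already-stored SHA-1 pins.
     *
     * @throws CertificateException if the certificate cannot be encoded or hashed
     */
    public static byte[] generateSha1Fingerprint(X509Certificate x509Certificate) throws CertificateException {
        return generateFingerprint(x509Certificate, "SHA-1");
    }

    /**
     * Returns the SHA-256 fingerprint of the certificate.
     *
     * @throws CertificateException if the certificate cannot be encoded or hashed
     */
    public static byte[] generateSha256Fingerprint(X509Certificate x509Certificate) throws CertificateException {
        return generateFingerprint(x509Certificate, "SHA-256");
    }

    /**
     * Searches a throwable and its causes for an
     * {@code UnrecognizedCertificateException}.
     *
     * @param th the throwable to inspect, may be null
     * @return the first match, or null when none is found within ten links
     */
    public static UnrecognizedCertificateException getCertificateException(Throwable th) {
        // The depth bound keeps a cyclic cause chain from looping forever.
        for (int i = 0; th != null && i < 10; i++) {
            if (th instanceof UnrecognizedCertificateException) {
                return (UnrecognizedCertificateException) th;
            }
            th = th.getCause();
        }
        return null;
    }

    /**
     * Builds the OkHttp connection specs for a home server.
     *
     * <p>The TLS spec starts from {@code ConnectionSpec.MODERN_TLS}; TLS versions
     * and cipher suites from the config replace those defaults when present, so a
     * config listing legacy versions or suites weakens the connection.
     *
     * @param homeServerConnectionConfig source of TLS versions, cipher suites and
     *                                   the TLS-extensions flag
     * @param str                        the server URL; cleartext is allowed only
     *                                   when it starts with {@code http://}
     * @return the TLS spec, followed by {@code ConnectionSpec.CLEARTEXT} for
     *         {@code http://} URLs
     */
    public static List<ConnectionSpec> newConnectionSpecs(HomeServerConnectionConfig homeServerConnectionConfig, String str) {
        ConnectionSpec.Builder builder = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS);
        List<TlsVersion> acceptedTlsVersions = homeServerConnectionConfig.getAcceptedTlsVersions();
        if (acceptedTlsVersions != null) {
            builder.tlsVersions(acceptedTlsVersions.toArray(new TlsVersion[0]));
        }
        List<CipherSuite> acceptedTlsCipherSuites = homeServerConnectionConfig.getAcceptedTlsCipherSuites();
        if (acceptedTlsCipherSuites != null) {
            builder.cipherSuites(acceptedTlsCipherSuites.toArray(new CipherSuite[0]));
        }
        builder.supportsTlsExtensions(homeServerConnectionConfig.shouldAcceptTlsExtensions());
        List<ConnectionSpec> specs = new ArrayList<>();
        specs.add(builder.build());
        // Cleartext is opt-in by URL scheme only. Everything sent over such a
        // connection is unencrypted. A null or differently-cased scheme stays TLS-only.
        if (str != null && str.startsWith("http://")) {
            specs.add(ConnectionSpec.CLEARTEXT);
        }
        return specs;
    }

    /**
     * Creates a hostname verifier that accepts a session when the platform
     * default verifier accepts it, or when any certificate in the peer chain
     * matches one of the configured fingerprints.
     *
     * <p>Security note: the fingerprint fallback skips the hostname check. It
     * compares against every certificate in the chain, not only the leaf, so a
     * pin on an intermediate or root certificate accepts any hostname whose chain
     * contains it. Pin leaf certificates unless that is intended.
     *
     * @param homeServerConnectionConfig source of the allowed fingerprints
     * @return the verifier; it fails closed when the peer certificates cannot be
     *         read or compared
     */
    public static HostnameVerifier newHostnameVerifier(HomeServerConnectionConfig homeServerConnectionConfig) {
        final HostnameVerifier defaultHostnameVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
        final List<Fingerprint> allowedFingerprints = homeServerConnectionConfig.getAllowedFingerprints();
        return new HostnameVerifier() {
            @Override
            public boolean verify(String str, SSLSession sSLSession) {
                if (defaultHostnameVerifier.verify(str, sSLSession)) {
                    return true;
                }
                if (allowedFingerprints == null || allowedFingerprints.isEmpty()) {
                    return false;
                }
                try {
                    for (Certificate certificate : sSLSession.getPeerCertificates()) {
                        if (!(certificate instanceof X509Certificate)) {
                            continue;
                        }
                        for (Fingerprint fingerprint : allowedFingerprints) {
                            if (fingerprint != null && fingerprint.matchesCert((X509Certificate) certificate)) {
                                return true;
                            }
                        }
                    }
                } catch (CertificateException | SSLPeerUnverifiedException e) {
                    // Fail closed, but leave a trace: a silent rejection here is hard to diagnose.
                    Log.e(LOG_TAG, "## newHostnameVerifier() : fingerprint check failed " + e.getMessage(), e);
                }
                return false;
            }
        };
    }

    /**
     * Creates an SSL socket factory whose only trust manager is a
     * {@code PinnedTrustManager} built from the configured fingerprints.
     *
     * <p>When the config does not require pinning, the platform X.509 trust
     * manager is looked up and handed to the {@code PinnedTrustManager};
     * presumably it serves as the fallback when no fingerprint matches (confirm in
     * {@code PinnedTrustManager}). When pinning is required, null is passed.
     *
     * @param homeServerConnectionConfig pinning flag, allowed fingerprints and
     *                                   TLS version settings
     * @return the socket factory paired with the trust manager it uses
     * @throws RuntimeException wrapping any failure to create the SSL context or
     *                          socket factory
     */
    public static Pair<SSLSocketFactory, X509TrustManager> newPinnedSSLSocketFactory(HomeServerConnectionConfig homeServerConnectionConfig) {
        // Declared null up front. The decompiled flow reset this to null after the
        // lookup below, which discarded the platform trust manager even when found.
        X509TrustManager x509TrustManager = null;
        if (!homeServerConnectionConfig.shouldPin()) {
            TrustManagerFactory trustManagerFactory = null;
            try {
                trustManagerFactory = TrustManagerFactory.getInstance("PKIX");
            } catch (NoSuchAlgorithmException e) {
                Log.e(LOG_TAG, "## newPinnedSSLSocketFactory() : TrustManagerFactory.getInstance failed " + e.getMessage(), e);
            }
            if (trustManagerFactory == null) {
                try {
                    trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                } catch (NoSuchAlgorithmException e2) {
                    Log.e(LOG_TAG, "## newPinnedSSLSocketFactory() : TrustManagerFactory.getInstance with default algorithm failed " + e2.getMessage(), e2);
                }
            }
            if (trustManagerFactory != null) {
                try {
                    // A null key store selects the platform default trust anchors.
                    trustManagerFactory.init((KeyStore) null);
                    for (TrustManager candidate : trustManagerFactory.getTrustManagers()) {
                        if (candidate instanceof X509TrustManager) {
                            x509TrustManager = (X509TrustManager) candidate;
                            break;
                        }
                    }
                } catch (KeyStoreException e3) {
                    Log.e(LOG_TAG, "## newPinnedSSLSocketFactory() : " + e3.getMessage(), e3);
                }
            }
        }
        PinnedTrustManager pinnedTrustManager = new PinnedTrustManager(homeServerConnectionConfig.getAllowedFingerprints(), x509TrustManager);
        TrustManager[] trustManagerArr = {pinnedTrustManager};
        try {
            SSLSocketFactory socketFactory;
            if (!homeServerConnectionConfig.forceUsageOfTlsVersions() || homeServerConnectionConfig.getAcceptedTlsVersions() == null) {
                SSLContext sSLContext = SSLContext.getInstance("TLS");
                sSLContext.init(null, trustManagerArr, new SecureRandom());
                socketFactory = sSLContext.getSocketFactory();
            } else {
                // The project's TLSSocketFactory takes the accepted version list directly.
                socketFactory = new TLSSocketFactory(trustManagerArr, homeServerConnectionConfig.getAcceptedTlsVersions());
            }
            return new Pair<>(socketFactory, pinnedTrustManager);
        } catch (Exception e4) {
            throw new RuntimeException(e4);
        }
    }
}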
