package eu.siacs.conversations.crypto;

import android.util.Log;
import android.util.Pair;
import com.google.common.base.CharMatcher;
import com.google.common.base.MoreObjects;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.net.IDN;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.asn1.x500.AttributeTypeAndValue;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

/* loaded from: classes.dex */
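/**
 * Decides whether the leaf certificate of a TLS session names a given XMPP domain.
 *
 * <p>Names are taken from the certificate's subject alternative names (xmppAddr and SRV-ID
 * otherName entries, and dNSName entries), falling back to the subject common names only when
 * none of those are present.
 *
 * <p>Scope: this class performs the <em>name</em> check only. Nothing here validates the
 * certificate chain, expiry or revocation; a {@code true} result therefore means "the
 * certificate claims this domain", not "the certificate is trusted".
 */
public class XmppDomainVerifier {

    private static final String LOGTAG = "XmppDomainVerifier";

    /** otherName type-id for an XMPP address (id-on-xmppAddr). */
    private static final String OID_XMPP_ADDR = "1.3.6.1.5.5.7.8.5";

    /** otherName type-id for a DNS SRV service name (id-on-dnsSRV). */
    private static final String OID_DNS_SRV = "1.3.6.1.5.5.7.8.7";

    /** GeneralName tag reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_OTHER_NAME = 0;

    /** GeneralName tag reported by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int SAN_DNS_NAME = 2;

    /** The names a certificate is valid for, grouped by the kind of entry they came from. */
    public static final class ValidDomains {
        // dNSName entries, or the subject common names when the certificate carries no usable SAN.
        final List<String> domains;
        // Values of SRV-ID otherName entries, lower-cased.
        final List<String> srvNames;
        // Values of xmppAddr otherName entries, lower-cased.
        final List<String> xmppAddresses;

        private ValidDomains(
                List<String> xmppAddresses, List<String> srvNames, List<String> domains) {
            this.xmppAddresses = xmppAddresses;
            this.srvNames = srvNames;
            this.domains = domains;
        }

        /**
         * Returns every name of every kind as one immutable list, in the order xmppAddr,
         * SRV-ID, dNSName/CN.
         */
        public List<String> all() {
            return ImmutableList.<String>builder()
                    .addAll(this.xmppAddresses)
                    .addAll(this.srvNames)
                    .addAll(this.domains)
                    .build();
        }

        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this)
                    .add("xmppAddresses", this.xmppAddresses)
                    .add("srvNames", this.srvNames)
                    .add("domains", this.domains)
                    .toString();
        }
    }

    /**
     * Extracts the common-name values from the certificate subject.
     *
     * @return the CN values in subject order, or an empty list when the certificate cannot be
     *     re-encoded for parsing
     */
    private static List<String> getCommonNames(X509Certificate certificate) {
        ImmutableList.Builder<String> names = ImmutableList.builder();
        try {
            X500Name subject = new JcaX509CertificateHolder(certificate).getSubject();
            for (RDN rdn : subject.getRDNs(BCStyle.CN)) {
                // Select by attribute type instead of taking RDN.getFirst(): in a multi-valued
                // RDN the first attribute is not necessarily the CN one, and a non-CN value must
                // never be treated as a host name.
                for (AttributeTypeAndValue attribute : rdn.getTypesAndValues()) {
                    if (BCStyle.CN.equals(attribute.getType())) {
                        names.add(IETFUtils.valueToString(attribute.getValue()));
                    }
                }
            }
            return names.build();
        } catch (CertificateEncodingException unused) {
            // Treated as "no common names"; callers then have nothing to match against.
            return Collections.emptyList();
        }
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key.
     *
     * <p>Only the signature is checked; issuer and subject names are not compared. Any failure
     * of the verification, whatever its cause, is reported as "not self-signed".
     */
    private boolean isSelfSigned(X509Certificate certificate) {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (Exception unused) {
            return false;
        }
    }

    /**
     * Matches a host name against certificate name entries, case-insensitively.
     *
     * <p>An entry starting with {@code "*."} is a wildcard: it stands for exactly one left-most
     * label, so {@code *.example.com} matches {@code a.example.com} but neither
     * {@code example.com} nor {@code a.b.example.com}. A wildcard directly under a top-level
     * label (such as {@code *.com}) is refused, and refusing it ends the whole search with
     * {@code false} even if later entries would have matched (fail closed).
     *
     * @param str the host name to look for
     * @param list the certificate entries; every element must be a {@link String} (the raw type
     *     is kept so existing callers still compile)
     * @return {@code true} as soon as one entry matches
     */
    public static boolean matchDomain(String str, List list) {
        for (Object entry : list) {
            String pattern = (String) entry;
            if (pattern.startsWith("*.")) {
                // Drop the '*' and keep the leading dot: "*.example.com" -> ".example.com".
                String suffix = pattern.substring(1);
                if (CharMatcher.is('.').countIn(suffix) < 2) {
                    Log.w(LOGTAG, "not enough labels in wildcard certificate");
                    return false;
                }
                // Compare everything from the first dot on, which pins the wildcard to a
                // single label.
                int firstDot = str.indexOf('.');
                if (firstDot != -1 && str.substring(firstDot).equalsIgnoreCase(suffix)) {
                    Log.d(LOGTAG, "domain " + str + " matched " + pattern);
                    return true;
                }
            } else if (pattern.equalsIgnoreCase(str)) {
                Log.d(LOGTAG, "domain " + str + " matched " + pattern);
                return true;
            }
        }
        return false;
    }

    /**
     * Decodes a DER-encoded otherName subject alternative name.
     *
     * @return the pair (type-id as string, value) when the value is a UTF8String or IA5String;
     *     {@code null} for any other structure or when the bytes cannot be parsed
     */
    private static Pair<String, String> parseOtherName(byte[] encoded) {
        try {
            ASN1Primitive outer = ASN1Primitive.fromByteArray(encoded);
            if (!(outer instanceof ASN1TaggedObject)) {
                return null;
            }
            ASN1Object body = ((ASN1TaggedObject) outer).getBaseObject();
            if (!(body instanceof DLSequence)) {
                return null;
            }
            DLSequence sequence = (DLSequence) body;
            if (sequence.size() < 2) {
                return null;
            }
            ASN1Encodable taggedValue = sequence.getObjectAt(1);
            if (!(taggedValue instanceof ASN1TaggedObject)) {
                return null;
            }
            String oid = sequence.getObjectAt(0).toString();
            ASN1Object value = ((ASN1TaggedObject) taggedValue).getBaseObject();
            if (value instanceof DERUTF8String) {
                return new Pair<>(oid, ((DERUTF8String) value).getString());
            }
            if (value instanceof DERIA5String) {
                return new Pair<>(oid, ((DERIA5String) value).getString());
            }
        } catch (IOException unused) {
            // Unparseable entry: ignored, so it can never contribute a name.
        }
        return null;
    }

    /**
     * Collects the names the certificate is valid for.
     *
     * <p>xmppAddr, SRV-ID and dNSName entries are lower-cased with {@link Locale#US}. The subject
     * common names are used only when the certificate yields none of those three kinds of
     * entry; they are added as they appear in the subject, without lower-casing.
     *
     * <p>NOTE(review): {@link X509Certificate#getSubjectAlternativeNames()} declares the checked
     * {@code CertificateParsingException}, which this decompiled signature neither catches nor
     * declares. Restore the {@code throws} clause from the original source instead of
     * swallowing the exception here.
     *
     * @param x509Certificate the certificate to read
     * @return the names grouped by kind; never {@code null}
     */
    public static ValidDomains parseValidDomains(X509Certificate x509Certificate) {
        List<String> commonNames = getCommonNames(x509Certificate);
        Collection<List<?>> alternativeNames = x509Certificate.getSubjectAlternativeNames();
        List<String> xmppAddresses = new ArrayList<>();
        List<String> srvNames = new ArrayList<>();
        List<String> domains = new ArrayList<>();
        if (alternativeNames != null) {
            for (List<?> alternativeName : alternativeNames) {
                // Each entry is [Integer type, value].
                int type = (Integer) alternativeName.get(0);
                if (type == SAN_OTHER_NAME) {
                    Pair<String, String> otherName =
                            parseOtherName((byte[]) alternativeName.get(1));
                    if (otherName == null || otherName.first == null || otherName.second == null) {
                        continue;
                    }
                    if (OID_XMPP_ADDR.equals(otherName.first)) {
                        xmppAddresses.add(otherName.second.toLowerCase(Locale.US));
                    } else if (OID_DNS_SRV.equals(otherName.first)) {
                        srvNames.add(otherName.second.toLowerCase(Locale.US));
                    } else {
                        Log.d(LOGTAG, "oid: " + otherName.first + " value: " + otherName.second);
                    }
                } else if (type == SAN_DNS_NAME) {
                    Object value = alternativeName.get(1);
                    if (value instanceof String) {
                        domains.add(((String) value).toLowerCase(Locale.US));
                    }
                }
            }
        }
        // CN fallback applies only to certificates without any usable SAN entry.
        if (srvNames.isEmpty() && xmppAddresses.isEmpty() && domains.isEmpty()) {
            domains.addAll(commonNames);
        }
        return new ValidDomains(xmppAddresses, srvNames, domains);
    }

    /**
     * Checks the peer's leaf certificate against the XMPP domain and, optionally, the host name
     * that was actually connected to.
     *
     * <p>Order of checks, first hit wins:
     *
     * <ol>
     *   <li>Self-signed workaround: a leaf certificate that verifies under its own key and has
     *       exactly one common name matching the domain is accepted on that name alone.
     *   <li>xmppAddr entry equal to the domain.
     *   <li>SRV-ID entry equal to {@code "_xmpp-client." + domain}.
     *   <li>dNSName (or fallback CN) entry matching the domain, wildcards allowed.
     *   <li>dNSName (or fallback CN) entry matching {@code str2}, when given.
     * </ol>
     *
     * <p>Security notes:
     *
     * <ul>
     *   <li>Only the first certificate of the peer chain is inspected, and only for names. A
     *       self-signed certificate can carry any name its creator chose, so step 1 is only
     *       safe when trust in that certificate is established elsewhere (for example by
     *       pinning or explicit user approval) - TODO confirm against the trust manager that
     *       is used with this verifier.
     *   <li>Steps 2 and 3 use an exact, case-sensitive {@code contains} against lower-cased
     *       certificate values, while steps 4 and 5 ignore case. The domain is therefore
     *       expected to arrive lower-cased - TODO confirm with callers.
     *   <li>Step 5 accepts a certificate for the connected host rather than the XMPP domain;
     *       that is only as trustworthy as the way {@code str2} was obtained (for example
     *       whether the SRV lookup was authenticated), which this class cannot see.
     *   <li>{@link IDN#toASCII(String)} throws {@code IllegalArgumentException} for input it
     *       cannot convert; that happens before the {@code try} block and propagates to the
     *       caller.
     * </ul>
     *
     * <p>NOTE(review): {@link SSLSession#getPeerCertificates()} declares the checked
     * {@code SSLPeerUnverifiedException}, which this decompiled signature neither catches nor
     * declares. Restore the {@code throws} clause from the original source.
     *
     * @param str the XMPP domain, possibly in Unicode form; must not be {@code null}
     * @param str2 the host name connected to, possibly in Unicode form, or {@code null}
     * @param sSLSession the established TLS session
     * @return {@code true} if the leaf certificate names the domain (or the host) as described
     *     above; {@code false} otherwise, including when the names cannot be parsed
     */
    public boolean verify(String str, String str2, SSLSession sSLSession) {
        String domain = IDN.toASCII(str);
        String hostname = str2 == null ? null : IDN.toASCII(str2);
        Certificate[] chain = sSLSession.getPeerCertificates();
        if (chain.length == 0) {
            return false;
        }
        if (!(chain[0] instanceof X509Certificate)) {
            return false;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        List<String> commonNames = getCommonNames(leaf);
        if (isSelfSigned(leaf) && commonNames.size() == 1 && matchDomain(domain, commonNames)) {
            Log.d(LOGTAG, "accepted CN in self signed cert as work around for " + domain);
            return true;
        }
        try {
            ValidDomains validDomains = parseValidDomains(leaf);
            Log.d(LOGTAG, "searching for " + domain + " in " + validDomains);
            if (hostname != null) {
                Log.d(LOGTAG, "also trying to verify hostname " + hostname);
            }
            if (validDomains.xmppAddresses.contains(domain)) {
                return true;
            }
            if (validDomains.srvNames.contains("_xmpp-client." + domain)) {
                return true;
            }
            if (matchDomain(domain, validDomains.domains)) {
                return true;
            }
            // Last resort: the certificate may name the connected host instead of the domain.
            return hostname != null && matchDomain(hostname, validDomains.domains);
        } catch (Exception unused) {
            // Any failure while reading the certificate's names rejects the certificate.
            return false;
        }
    }
}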
