package com.airwatch.certpinning;

import android.text.TextUtils;
import com.airwatch.certpinning.repository.CertPinRepository;
import com.airwatch.data.content.ContentPath;
import com.airwatch.storage.entity.CertificateRecord;
import com.airwatch.storage.entity.HostRecord;
import com.airwatch.util.Logger;
import com.cisco.anyconnect.vpn.jni.PromptEntry;
import java.io.ByteArrayInputStream;
import java.net.InetAddress;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.TuplesKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Reflection;
import kotlin.text.StringsKt;
import org.koin.core.component.KoinComponent;
import org.koin.core.component.KoinScopeComponent;

@Metadata(d1 = {"\u0000^\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010%\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0011\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0002\b\u0006\n\u0002\u0010\b\n\u0002\b\u0006\b\u0007\u0018\u0000 *2\u00020\u00012\u00020\u0002:\u0001*B\u0015\u0012\u0006\u0010\u0003\u001a\u00020\u0004\u0012\u0006\u0010\u0005\u001a\u00020\u0006¢\u0006\u0002\u0010\u0007J\u0018\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\rH\u0002J+\u0010\u0012\u001a\u00020\u000f2\u0006\u0010\u0013\u001a\u00020\u00142\f\u0010\u0015\u001a\b\u0012\u0004\u0012\u00020\r0\u00162\u0006\u0010\u0017\u001a\u00020\u0004H\u0014¢\u0006\u0002\u0010\u0018J\u0012\u0010\u0019\u001a\u0004\u0018\u00010\r2\u0006\u0010\u0010\u001a\u00020\u0004H\u0002J\u0012\u0010\u001a\u001a\u0004\u0018\u00010\u001b2\u0006\u0010\u0010\u001a\u00020\u0004H\u0002J\u0010\u0010\u001c\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\rH\u0002J\u0010\u0010\u001d\u001a\u00020\u001e2\u0006\u0010\u0010\u001a\u00020\u0004H\u0002J\b\u0010\u001f\u001a\u00020\u001eH\u0014J\u0010\u0010 
\u001a\u00020\u000f2\u0006\u0010\u0013\u001a\u00020\u0004H\u0002J\u0012\u0010!\u001a\u0004\u0018\u00010\u00042\u0006\u0010\"\u001a\u00020\u0004H\u0002J\u0018\u0010#\u001a\u00020\u000f2\u0006\u0010\u0013\u001a\u00020\u00142\u0006\u0010$\u001a\u00020%H\u0016J\u0018\u0010&\u001a\u00020\u001e2\u0006\u0010\u0010\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\rH\u0002J\u0018\u0010'\u001a\u00020\u001e2\u0006\u0010\u0010\u001a\u00020\u00042\u0006\u0010\u0011\u001a\u00020\rH\u0002J\u0018\u0010(\u001a\u00020\u000f2\u0006\u0010\u0013\u001a\u00020\u00142\u0006\u0010)\u001a\u00020\u0004H\u0002R\u000e\u0010\b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000R(\u0010\n\u001a\u001c\u0012\u0004\u0012\u00020\u0004\u0012\u0012\u0012\u0010\u0012\u0004\u0012\u00020\u0004\u0012\u0006\u0012\u0004\u0018\u00010\r0\f0\u000bX\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006+"}, d2 = {"Lcom/airwatch/certpinning/PinBasedTrustManager;", "Lcom/airwatch/certpinning/ExtendedX509TrustManager;", "Lorg/koin/core/component/KoinComponent;", "targetHost", "", "trustSpecs", "Lcom/airwatch/certpinning/TrustSpecs;", "(Ljava/lang/String;Lcom/airwatch/certpinning/TrustSpecs;)V", "certPinRepository", "Lcom/airwatch/certpinning/repository/CertPinRepository;", "pinCerts", "", "Lkotlin/Pair;", "Ljava/security/cert/X509Certificate;", "cacheCertificate", "", PromptEntry.PROMPT_ENTRY_NAME_PIN, ContentPath.PATH_CERTIFICATE, "checkTrust", "host", "Ljava/net/InetAddress;", "chain", "", "authType", "(Ljava/net/InetAddress;[Ljava/security/cert/X509Certificate;Ljava/lang/String;)V", "getCachedCertificate", "getCertPinRecord", "Lcom/airwatch/storage/entity/CertificateRecord;", "getPin", "hasCertificateCache", "", "isTrustMaterialAvailable", "loadCerts", "matchPin", "currentPin", "onStartHandshake", "port", "", "saveCertificate", "validatePinCache", "verifyHostname", "matchingPin", "Companion", "AWFramework_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* loaded from: classes3.dex */
/**
 * Trust manager that accepts a TLS peer only when one certificate of the presented chain has a
 * public key matching a pin stored for the target host or the connected host.
 *
 * <p>This listing is JADX decompiler output of a Kotlin class. Some control flow, notably in
 * {@code loadCerts}, is a decompilation artifact and is not valid Java as printed.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Pins are compared by case-insensitive <em>substring</em> containment, not equality
 *       (see {@code matchPin}).</li>
 *   <li>Any certificate in the chain may satisfy the pin, not only the leaf
 *       (see {@code checkTrust}).</li>
 *   <li>No path validation (signatures, validity period, revocation) happens in this class.
 *       NOTE(review): confirm where {@code ExtendedX509TrustManager} performs it.</li>
 *   <li>The first certificate seen for a pin is persisted and cached; later handshakes are compared
 *       against it (see {@code checkTrust} and {@code validatePinCache}).</li>
 * </ul>
 */
public final class PinBasedTrustManager extends ExtendedX509TrustManager implements KoinComponent {
    // Tag passed to every Logger call in this class.
    private static final String TAG = "PinBasedTrustManager";
    // Source of stored hosts and pin records; resolved from Koin in the constructor.
    private final CertPinRepository certPinRepository;
    // pin -> (host the pin was loaded for, cached certificate or null).
    // The map is keyed by pin alone, so loading the same pin for a second host replaces the
    // host recorded for the first one. Nothing in this class removes entries.
    private final Map<String, Pair<String, X509Certificate>> pinCerts;

    /**
     * Creates a trust manager for {@code targetHost} and resolves the pin repository from Koin.
     *
     * @param targetHost host name passed to the superclass and later read back via getTargetHost()
     * @param trustSpecs trust configuration passed to the superclass (not read in this class)
     */
    /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */
    public PinBasedTrustManager(String targetHost, TrustSpecs trustSpecs) {
        super(targetHost, trustSpecs);
        Intrinsics.checkNotNullParameter(targetHost, "targetHost");
        Intrinsics.checkNotNullParameter(trustSpecs, "trustSpecs");
        // LinkedHashMap: iteration over the pins follows insertion order, which decides which
        // stored pin matchPin() returns first.
        this.pinCerts = new LinkedHashMap();
        PinBasedTrustManager pinBasedTrustManager = this;
        // Use this component's own Koin scope when it has one, otherwise the root scope.
        this.certPinRepository = (CertPinRepository) (pinBasedTrustManager instanceof KoinScopeComponent ? ((KoinScopeComponent) pinBasedTrustManager).getScope() : pinBasedTrustManager.getKoin().getScopeRegistry().getRootScope()).get(Reflection.getOrCreateKotlinClass(CertPinRepository.class), null, null);
    }

    /**
     * Replaces the cached certificate of an already loaded pin, keeping the host recorded for it.
     * Does nothing when the pin is not present in the in-memory map.
     */
    private final void cacheCertificate(String pin, X509Certificate certificate) {
        Pair<String, X509Certificate> pair = this.pinCerts.get(pin);
        if (pair != null) {
            this.pinCerts.put(pin, new Pair<>(pair.getFirst(), certificate));
        }
    }

    /** Returns the certificate cached for {@code pin}, or null when the pin is unknown or has none. */
    private final X509Certificate getCachedCertificate(String pin) {
        Pair<String, X509Certificate> pair = this.pinCerts.get(pin);
        if (pair == null) {
            return null;
        }
        return pair.getSecond();
    }

    /** Returns the first repository record for {@code pin}, or null when the repository has none. */
    private final CertificateRecord getCertPinRecord(String pin) {
        List<CertificateRecord> certsByPin = this.certPinRepository.getCertsByPin(pin);
        if (!certsByPin.isEmpty()) {
            return certsByPin.get(0);
        }
        return null;
    }

    /**
     * Computes the pin string of a certificate: the encoded public key, converted by
     * ExtensionsKt.bytesToHex (helper not shown here) and upper-cased.
     *
     * <p>For standard JCA key types getEncoded() is the DER SubjectPublicKeyInfo; confirm for the
     * providers in use. No hash is applied in this method, so the pin is as long as the encoded key.
     */
    private final String getPin(X509Certificate certificate) {
        byte[] encoded = certificate.getPublicKey().getEncoded();
        Intrinsics.checkNotNullExpressionValue(encoded, "encoded");
        String bytesToHex = ExtensionsKt.bytesToHex(encoded);
        Objects.requireNonNull(bytesToHex, "null cannot be cast to non-null type java.lang.String");
        // toUpperCase() without a Locale uses the default locale. That is harmless if the helper
        // emits only hex digits. NOTE(review): confirm against bytesToHex.
        String upperCase = bytesToHex.toUpperCase();
        Intrinsics.checkNotNullExpressionValue(upperCase, "(this as java.lang.String).toUpperCase()");
        return upperCase;
    }

    /** Returns true when a certificate is already cached in memory for {@code pin}. */
    private final boolean hasCertificateCache(String pin) {
        Pair<String, X509Certificate> pair = this.pinCerts.get(pin);
        return (pair == null ? null : pair.getSecond()) != null;
    }

    /**
     * Loads every pin record the repository holds for {@code host} into the in-memory map,
     * together with the stored certificate when one can be parsed. Returns silently when the
     * repository does not know the host.
     *
     * <p>NOTE(review): the loop body is a decompiler artifact. As printed it has an unreachable
     * {@code break} after a {@code throw}, reads {@code generateCertificate} after a catch that may
     * leave it unassigned, and falls through to a second put that stores null. The original most
     * likely stores (host, parsed certificate) on success and (host, null) when the record has no
     * certificate or parsing fails. Verify against the bytecode before relying on this listing.
     *
     * @throws RuntimeException when no X.509 CertificateFactory is available
     */
    private final void loadCerts(String host) {
        Certificate generateCertificate;
        X509Certificate x509Certificate;
        HostRecord hostByHostName = this.certPinRepository.getHostByHostName(host);
        if (hostByHostName == null) {
            return;
        }
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            List<CertificateRecord> certsByHostID = this.certPinRepository.getCertsByHostID(hostByHostName.getId());
            Logger.d$default(TAG, "loadCerts: loading " + certsByHostID.size() + " pins for host " + host, null, 4, null);
            for (CertificateRecord certificateRecord : certsByHostID) {
                String pin = certificateRecord.getPin();
                byte[] certificate = certificateRecord.getCertificate();
                if (certificate != null) {
                    try {
                        generateCertificate = certificateFactory.generateCertificate(new ByteArrayInputStream(certificate));
                    } catch (CertificateException e) {
                        // A stored certificate that cannot be parsed is logged; it does not abort the load.
                        Logger.e(TAG, "could not read certificate", (Throwable) e);
                    }
                    if (generateCertificate == null) {
                        throw new NullPointerException("null cannot be cast to non-null type java.security.cert.X509Certificate");
                        break;
                    } else {
                        x509Certificate = (X509Certificate) generateCertificate;
                        this.pinCerts.put(pin, TuplesKt.to(host, x509Certificate));
                    }
                }
                // Record without a stored certificate: the pin is known but nothing is cached yet.
                x509Certificate = (X509Certificate) null;
                this.pinCerts.put(pin, TuplesKt.to(host, x509Certificate));
            }
        } catch (CertificateException e2) {
            throw new RuntimeException("could not get x509 certificate factory", e2);
        }
    }

    /**
     * Returns the first loaded pin that is non-empty and is contained, ignoring case, in
     * {@code currentPin}; returns null when none is.
     *
     * <p>Security note: this is a substring test, not an equality test. A short or truncated
     * stored pin matches every key whose hex encoding contains it, so the strength of the pinning
     * depends on the repository holding only full-length pins. NOTE(review): confirm that pin
     * length and format are validated where pins are written.
     *
     * @param currentPin pin computed from a presented certificate (see getPin)
     */
    private final String matchPin(String currentPin) {
        Object obj;
        Iterator<T> it = this.pinCerts.keySet().iterator();
        while (true) {
            if (!it.hasNext()) {
                obj = null;
                break;
            }
            obj = it.next();
            String str = (String) obj;
            boolean z = true;
            // Empty stored pins are skipped; otherwise every certificate would match.
            if (TextUtils.isEmpty(str) || !StringsKt.contains((CharSequence) currentPin, (CharSequence) str, true)) {
                z = false;
            }
            if (z) {
                break;
            }
        }
        return (String) obj;
    }

    /**
     * Writes the encoded certificate into the repository record of {@code pin} (looked up in
     * upper case).
     *
     * @return false when no record exists for the pin, otherwise whether update() returned a
     *     positive value
     * @throws RuntimeException when the certificate cannot be encoded
     */
    private final boolean saveCertificate(String pin, X509Certificate certificate) {
        Objects.requireNonNull(pin, "null cannot be cast to non-null type java.lang.String");
        String upperCase = pin.toUpperCase();
        Intrinsics.checkNotNullExpressionValue(upperCase, "(this as java.lang.String).toUpperCase()");
        CertificateRecord certPinRecord = getCertPinRecord(upperCase);
        if (certPinRecord == null) {
            return false;
        }
        try {
            certPinRecord.setCertificate(certificate.getEncoded());
            return this.certPinRepository.update(certPinRecord) > 0;
        } catch (CertificateEncodingException e) {
            throw new RuntimeException("could not get x509 certificate encoding", e);
        }
    }

    /**
     * Compares the public key of the presented certificate with the one cached for {@code pin}.
     * The caller must have checked hasCertificateCache(pin): a missing cached certificate makes
     * Intrinsics.checkNotNull throw.
     *
     * <p>NOTE(review): {@code b.a} is an obfuscated helper that is not part of this file;
     * presumably an equality check on the two keys. Confirm before relying on it.
     */
    private final boolean validatePinCache(String pin, X509Certificate certificate) {
        X509Certificate cachedCertificate = getCachedCertificate(pin);
        Intrinsics.checkNotNull(cachedCertificate);
        if (b.a(certificate.getPublicKey(), cachedCertificate.getPublicKey())) {
            return true;
        }
        Logger.e$default(TAG, "validatePinCache: public key content for pin " + pin + " not equal", null, 4, null);
        return false;
    }

    /**
     * Checks that the host recorded for {@code matchingPin} equals, ignoring case, either the
     * name of the connected address or the target host of this trust manager.
     *
     * <p>Security notes: the certificate itself (subject, subjectAltName) is not inspected here;
     * only the host stored next to the pin is compared. InetAddress.getHostName() can perform a
     * reverse name lookup, so the compared name may come from DNS rather than from the caller.
     * Pins loaded for the target host always pass through the target-host comparison.
     *
     * @throws CertificateException (SSLPinningCertificateException) when the pin is unknown or the
     *     recorded host matches neither name
     */
    private final void verifyHostname(InetAddress host, String matchingPin) throws CertificateException {
        Logger.d$default(TAG, "verifyHostname called for host = %s", host, null, 8, null);
        String hostName = host.getHostName();
        if (TextUtils.isEmpty(hostName)) {
            // Fall back to the textual IP address when no name is available.
            hostName = host.getHostAddress();
            Logger.w$default(TAG, "verifyHostname: could not resolve host. using host address %s", hostName, null, 8, null);
        }
        Pair<String, X509Certificate> pair = this.pinCerts.get(matchingPin);
        if (pair == null) {
            throw new SSLPinningCertificateException(hostName, Intrinsics.stringPlus("no pins match hostname ", hostName));
        }
        String first = pair.getFirst();
        Logger.d$default(TAG, "verifyHostname: using matchingHost = %s", first, null, 8, null);
        boolean equals = StringsKt.equals(first, getTargetHost(), true);
        if (StringsKt.equals(first, hostName, true) || equals) {
            return;
        }
        Logger.w$default(TAG, "verifyHostname: hostname pin mismatch", null, 4, null);
        throw new SSLPinningCertificateException(hostName, Intrinsics.stringPlus("hostname pin mismatch for host ", hostName));
    }

    /**
     * Pin check for a presented chain. Walks the chain in order and stops at the first
     * certificate whose computed pin matches a loaded pin, then verifies the host recorded for
     * that pin and compares the certificate with the cached one, if any. On success the
     * certificate is written to the repository and to the in-memory cache.
     *
     * <p>Security notes:
     * <ul>
     *   <li>Any element of {@code chain} can satisfy the pin, and this method does not verify
     *       signatures between elements, validity dates or revocation. The pin result is only
     *       meaningful if the chain was path-validated before this call. NOTE(review): confirm
     *       in ExtendedX509TrustManager.</li>
     *   <li>When nothing is cached for the pin, the presented certificate is stored without
     *       further comparison (first-use behaviour).</li>
     *   <li>The return value of saveCertificate is ignored, so a failed repository write does
     *       not fail the handshake.</li>
     *   <li>{@code authType} is only null-checked.</li>
     * </ul>
     *
     * <p>The method throws CertificateException without declaring it, which is legal in the
     * original Kotlin but not in Java as printed.
     */
    @Override // com.airwatch.certpinning.ExtendedX509TrustManager
    protected void checkTrust(InetAddress host, X509Certificate[] chain, String authType) {
        X509Certificate x509Certificate;
        Intrinsics.checkNotNullParameter(host, "host");
        Intrinsics.checkNotNullParameter(chain, "chain");
        Intrinsics.checkNotNullParameter(authType, "authType");
        int length = chain.length;
        String str = null;
        int i = 0;
        // Find the first chain element whose pin matches; str ends up as the matched stored pin.
        while (true) {
            if (i >= length) {
                x509Certificate = null;
                break;
            }
            X509Certificate x509Certificate2 = chain[i];
            i++;
            String matchPin = matchPin(getPin(x509Certificate2));
            String str2 = matchPin;
            if (!(str2 == null || StringsKt.isBlank(str2))) {
                x509Certificate = x509Certificate2;
                str = matchPin;
                break;
            }
            str = matchPin;
        }
        String str3 = str;
        // Fail closed: no matching pin in the whole chain rejects the peer.
        if ((str3 == null || StringsKt.isBlank(str3)) || x509Certificate == null) {
            throw new CertificateException(Intrinsics.stringPlus("Certificate pin match not found for ", host));
        }
        Logger.d$default(TAG, Intrinsics.stringPlus("Pin found for ", host), null, 4, null);
        verifyHostname(host, str);
        // A cached certificate exists for this pin: the presented key must agree with it.
        if (hasCertificateCache(str) && !validatePinCache(str, x509Certificate)) {
            throw new SSLPinningCertificateException(host.getHostName(), "Certificate match not found");
        }
        // Persist and cache the accepted certificate for later handshakes.
        saveCertificate(str, x509Certificate);
        cacheCertificate(str, x509Certificate);
    }

    /** Returns true when at least one pin has been loaded into memory. */
    @Override // com.airwatch.certpinning.ExtendedX509TrustManager
    protected boolean isTrustMaterialAvailable() {
        return !this.pinCerts.isEmpty();
    }

    /**
     * Loads the pins for the target host and, when the connected address has a non-empty name
     * that differs from it, the pins for that name as well; then delegates to the superclass.
     *
     * <p>The in-memory map is not cleared first, so pins from earlier handshakes on this instance
     * stay loaded. Pins that have since been removed from the repository therefore keep matching
     * until the instance is discarded.
     */
    @Override // com.airwatch.certpinning.ExtendedX509TrustManager, com.airwatch.certpinning.ExtendedSSLSocketFactory.Listener
    public void onStartHandshake(InetAddress host, int port) {
        Intrinsics.checkNotNullParameter(host, "host");
        loadCerts(getTargetHost());
        if (!TextUtils.isEmpty(host.getHostName()) && !Intrinsics.areEqual(getTargetHost(), host.getHostName())) {
            String hostName = host.getHostName();
            Intrinsics.checkNotNullExpressionValue(hostName, "host.hostName");
            loadCerts(hostName);
        }
        super.onStartHandshake(host, port);
    }
}
