package de.measite.minidns.dane;

import com.tencent.matrix.trace.core.AppMethodBeat;
import com.zego.zegoavkit2.ZegoConstants;
import de.measite.minidns.AbstractDNSClient;
import de.measite.minidns.DNSMessage;
import de.measite.minidns.DNSName;
import de.measite.minidns.Record;
import de.measite.minidns.dane.DaneCertificateException;
import de.measite.minidns.dnssec.DNSSECClient;
import de.measite.minidns.dnssec.DNSSECMessage;
import de.measite.minidns.dnssec.UnverifiedReason;
import de.measite.minidns.record.Data;
import de.measite.minidns.record.TLSA;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.security.cert.CertificateEncodingException;
import org.jivesoftware.smack.util.TLSUtils;

/* loaded from: classes4.dex */
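/**
 * Verifies a TLS peer's certificate against DANE TLSA records (RFC 6698) looked up
 * for {@code _<port>._tcp.<host>} through a minidns client.
 *
 * <p>Supported record forms: certificate usage 1 (PKIX-EE) and 3 (DANE-EE),
 * selector 0 (full certificate) and 1 (SubjectPublicKeyInfo), matching type 0
 * (exact), 1 (SHA-256) and 2 (SHA-512). Anything else is logged and counts as
 * "no DANE decision" ({@code false}), which lets
 * {@link #verifiedConnect(HttpsURLConnection, X509TrustManager)} fall back to
 * PKIX validation. Only the end-entity certificate (chain index 0) is ever
 * matched, and no hostname check is made on the certificate itself: the binding
 * to the peer comes from the TLSA owner name.
 *
 * <p>A TLSA answer is only used when the client reports it as authenticated
 * ({@code DNSMessage.authenticData}). The default constructor uses a
 * {@link DNSSECClient}; with an injected client that does not validate DNSSEC
 * itself that flag is presumably just the resolver's AD bit and no stronger than
 * the path to the resolver (NOTE(review): confirm against AbstractDNSClient).
 *
 * <p>The {@code AppMethodBeat.i}/{@code AppMethodBeat.o} calls are method-trace
 * instrumentation kept from the original build; each is now paired via
 * {@code finally} so the trace is closed on every exit path.
 */
public class DaneVerifier {
    private static final Logger LOGGER;
    /** Client used for the TLSA lookup; its authenticData reporting decides whether an answer is usable. */
    private final AbstractDNSClient client;

    static {
        AppMethodBeat.i(81601);
        LOGGER = Logger.getLogger(DaneVerifier.class.getName());
        AppMethodBeat.o(81601);
    }

    /** Creates a verifier backed by a DNSSEC-validating client. */
    public DaneVerifier() {
        this(new DNSSECClient());
        AppMethodBeat.i(81434);
        AppMethodBeat.o(81434);
    }

    /**
     * Creates a verifier backed by the given client.
     *
     * @param abstractDNSClient client used for TLSA lookups; TLSA answers are only
     *     trusted when it marks them as {@code authenticData}
     */
    public DaneVerifier(AbstractDNSClient abstractDNSClient) {
        this.client = abstractDNSClient;
    }

    /**
     * Hashes {@code input} with the named algorithm for TLSA matching types 1 and 2.
     *
     * @throws CertificateException if the algorithm is unavailable in this runtime
     */
    private static byte[] digest(String algorithm, byte[] input) throws CertificateException {
        try {
            return MessageDigest.getInstance(algorithm).digest(input);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("Verification using TLSA failed: could not " + algorithm + " for matching", e);
        }
    }

    /**
     * Returns the end-entity certificate, i.e. the first element of the chain.
     *
     * @throws CertificateException if the chain is null, empty or has no usable
     *     first element, instead of failing with an array/null error
     */
    private static X509Certificate leafCertificate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            throw new CertificateException("Verification using TLSA failed: no end-entity certificate in peer chain");
        }
        return chain[0];
    }

    /**
     * Builds the log message for a TLSA answer the client did not mark as
     * authenticated, appending the DNSSEC unverified reasons when available.
     */
    private static String describeUnauthenticated(DNSMessage response) {
        if (!(response instanceof DNSSECMessage)) {
            return "Got TLSA response from DNS server, but was not signed properly.";
        }
        StringBuilder message = new StringBuilder("Got TLSA response from DNS server, but was not signed properly. Reasons:");
        for (UnverifiedReason reason : ((DNSSECMessage) response).getUnverifiedReasons()) {
            // NOTE(review): this constant looks like a decompiler substitution for the separator literal — confirm its value.
            message.append(ZegoConstants.ZegoVideoDataAuxPublishingStream).append(reason);
        }
        return message.toString();
    }

    /**
     * Matches one certificate against one TLSA record.
     *
     * @param x509Certificate the end-entity certificate presented by the peer
     * @param tlsa the TLSA record to match against
     * @param str host name, used only in log messages
     * @return {@code true} if the record is DANE-EE (usage 3) and matched, so the
     *     peer is accepted on DANE alone; {@code false} if the record is PKIX-EE
     *     (usage 1) and matched — PKIX validation is still required — or if the
     *     record's usage, selector or matching type is unsupported
     * @throws DaneCertificateException.CertificateMismatch if the record is
     *     supported but its association data does not match
     * @throws CertificateException if the certificate cannot be encoded or the
     *     digest algorithm is unavailable
     */
    private static boolean checkCertificateMatches(X509Certificate x509Certificate, TLSA tlsa, String str) throws CertificateException {
        AppMethodBeat.i(81528);
        try {
            byte usage = tlsa.certUsage;
            // Only the end-entity usages are handled; trust-anchor usages (0, 2) would need chain walking.
            if (usage != 1 && usage != 3) {
                LOGGER.warning("TLSA certificate usage " + ((int) tlsa.certUsage) + " not supported while verifying " + str);
                return false;
            }
            byte[] encoded;
            switch (tlsa.selector) {
                case 0:
                    encoded = x509Certificate.getEncoded();
                    break;
                case 1:
                    // SubjectPublicKeyInfo, so key rollover without a new TLSA record is only possible with the same key.
                    encoded = x509Certificate.getPublicKey().getEncoded();
                    break;
                default:
                    LOGGER.warning("TLSA selector " + ((int) tlsa.selector) + " not supported while verifying " + str);
                    return false;
            }
            switch (tlsa.matchingType) {
                case 0:
                    break;
                case 1:
                    encoded = digest("SHA-256", encoded);
                    break;
                case 2:
                    encoded = digest("SHA-512", encoded);
                    break;
                default:
                    LOGGER.warning("TLSA matching type " + ((int) tlsa.matchingType) + " not supported while verifying " + str);
                    return false;
            }
            if (!tlsa.certificateAssociationEquals(encoded)) {
                throw new DaneCertificateException.CertificateMismatch(tlsa, encoded);
            }
            // A PKIX-EE match deliberately returns false: the caller must still pass PKIX.
            return tlsa.certUsage == 3;
        } finally {
            AppMethodBeat.o(81528);
        }
    }

    /**
     * Narrows a generic certificate array to its X.509 members, dropping any
     * other certificate types.
     */
    private static X509Certificate[] convert(Certificate[] certificateArr) {
        AppMethodBeat.i(81577);
        try {
            List<X509Certificate> kept = new ArrayList<>(certificateArr.length);
            for (Certificate certificate : certificateArr) {
                if (certificate instanceof X509Certificate) {
                    kept.add((X509Certificate) certificate);
                }
            }
            return kept.toArray(new X509Certificate[kept.size()]);
        } finally {
            AppMethodBeat.o(81577);
        }
    }

    /**
     * Connects with DANE verification and no additional PKIX trust manager.
     *
     * @see #verifiedConnect(HttpsURLConnection, X509TrustManager)
     */
    public HttpsURLConnection verifiedConnect(HttpsURLConnection httpsURLConnection) throws IOException, CertificateException {
        AppMethodBeat.i(81533);
        try {
            return verifiedConnect(httpsURLConnection, null);
        } finally {
            AppMethodBeat.o(81533);
        }
    }

    /**
     * Connects the given connection and accepts the peer if DANE-EE verification
     * succeeds, or if DANE yields no decision and the deferred PKIX check raised
     * no exception.
     *
     * <p>The handshake itself is performed with an {@code ExpectingTrustManager}
     * that records rather than throws the PKIX outcome; on rejection the
     * connection is disconnected before the exception is raised so that no
     * request is ever issued over an unverified channel.
     *
     * @param httpsURLConnection the not-yet-connected connection to set up
     * @param x509TrustManager PKIX trust manager to consult, may be {@code null}
     * @return the same connection, connected and verified
     * @throws IOException on connection failure, or when neither DANE nor PKIX accepted the peer
     * @throws CertificateException when a TLSA record is present but does not match the peer certificate
     */
    public HttpsURLConnection verifiedConnect(HttpsURLConnection httpsURLConnection, X509TrustManager x509TrustManager) throws IOException, CertificateException {
        AppMethodBeat.i(81562);
        try {
            SSLContext sslContext = SSLContext.getInstance(TLSUtils.TLS);
            ExpectingTrustManager expectingTrustManager = new ExpectingTrustManager(x509TrustManager);
            sslContext.init(null, new TrustManager[] {expectingTrustManager}, null);
            httpsURLConnection.setSSLSocketFactory(sslContext.getSocketFactory());
            httpsURLConnection.connect();

            URL url = httpsURLConnection.getURL();
            int port = url.getPort() < 0 ? url.getDefaultPort() : url.getPort();
            boolean accepted = false;
            try {
                boolean daneVerified = verifyCertificateChain(convert(httpsURLConnection.getServerCertificates()), url.getHost(), port);
                accepted = daneVerified || !expectingTrustManager.hasException();
            } finally {
                if (!accepted) {
                    // Rejected (or verification threw): tear the connection down so it cannot be used or reused.
                    httpsURLConnection.disconnect();
                }
            }
            if (!accepted) {
                throw new IOException("Peer verification failed using PKIX", expectingTrustManager.getException());
            }
            return httpsURLConnection;
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            // TLS context setup failure is a configuration error of this runtime, not a peer problem.
            throw new RuntimeException(e);
        } finally {
            AppMethodBeat.o(81562);
        }
    }

    /**
     * Verifies the peer of an established session against its TLSA records.
     *
     * @return see {@link #verifyCertificateChain(X509Certificate[], String, int)}
     * @throws CertificateException if the peer is not identified, or on TLSA mismatch
     */
    public boolean verify(SSLSession sSLSession) throws CertificateException {
        AppMethodBeat.i(81453);
        try {
            // getPeerCertificates() replaces the deprecated getPeerCertificateChain(); non-X.509 entries are dropped by convert().
            return verifyCertificateChain(convert(sSLSession.getPeerCertificates()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("Peer not verified", e);
        } finally {
            AppMethodBeat.o(81453);
        }
    }

    /**
     * Verifies the peer of a connected socket against its TLSA records.
     *
     * @throws IllegalStateException if the socket is not connected yet
     * @throws CertificateException see {@link #verify(SSLSession)}
     */
    public boolean verify(SSLSocket sSLSocket) throws CertificateException {
        AppMethodBeat.i(81443);
        try {
            if (!sSLSocket.isConnected()) {
                throw new IllegalStateException("Socket not yet connected.");
            }
            return verify(sSLSocket.getSession());
        } finally {
            AppMethodBeat.o(81443);
        }
    }

    /**
     * Looks up {@code _<i10>._tcp.<str>} TLSA and matches the end-entity
     * certificate against every TLSA record in the answer.
     *
     * @param x509CertificateArr peer chain, leaf first; only index 0 is used
     * @param str host name the TLSA records are looked up for
     * @param i10 port number used in the TLSA owner name
     * @return {@code true} if a DANE-EE record matched; {@code false} if the answer
     *     was not authenticated, no TLSA record applies, or only PKIX-EE /
     *     unsupported records were seen (PKIX is then still required)
     * @throws DaneCertificateException.MultipleCertificateMismatchExceptions if
     *     TLSA records applied but none matched
     * @throws CertificateException if the chain has no usable end-entity certificate
     *     or a record cannot be evaluated
     * @throws RuntimeException wrapping the {@link IOException} of a failed DNS query
     */
    public boolean verifyCertificateChain(X509Certificate[] x509CertificateArr, String str, int i10) throws CertificateException {
        AppMethodBeat.i(81507);
        try {
            DNSName tlsaName = DNSName.from("_" + i10 + "._tcp." + str);
            DNSMessage response;
            try {
                response = this.client.query(tlsaName, Record.TYPE.TLSA);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            // An unauthenticated answer is ignored rather than trusted: a spoofed TLSA must never pin an attacker's key.
            if (!response.authenticData) {
                LOGGER.info(describeUnauthenticated(response));
                return false;
            }
            List<DaneCertificateException.CertificateMismatch> mismatches = new ArrayList<>();
            for (Record<? extends Data> record : response.answerSection) {
                if (record.type != Record.TYPE.TLSA || !record.name.equals(tlsaName)) {
                    continue;
                }
                try {
                    if (checkCertificateMatches(leafCertificate(x509CertificateArr), (TLSA) record.payloadData, str)) {
                        return true;
                    }
                } catch (DaneCertificateException.CertificateMismatch e) {
                    mismatches.add(e);
                }
            }
            if (!mismatches.isEmpty()) {
                throw new DaneCertificateException.MultipleCertificateMismatchExceptions(mismatches);
            }
            return false;
        } finally {
            AppMethodBeat.o(81507);
        }
    }
}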
