package com.netki.tlsa;

import com.google.common.io.BaseEncoding;
import com.netki.dns.DNSBootstrapService;
import com.netki.dns.DNSUtil;
import com.netki.dnssec.DNSSECResolver;
import com.netki.exceptions.DNSSECException;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.xbill.DNS.Name;
import org.xbill.DNS.TLSARecord;
import org.xbill.DNS.TextParseException;

/* loaded from: classes.dex */
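/**
 * DANE/TLSA validation of a server's TLS certificate chain (RFC 6698).
 *
 * <p>The TLSA record for {@code _port._tcp.host} is fetched through the DNSSEC-validating
 * resolver, the server's chain is retrieved over a deliberately non-validating TLS connection,
 * and the two are then compared according to the record's usage / selector / matching type.
 * Trust is decided only in {@link #validateTLSA(URL)}; {@link #getUrlCerts(URL)} on its own
 * trusts nothing.
 *
 * <p>This is a reconstruction of a decompiled class: {@link #validateTLSA(URL)} was rebuilt from
 * the bytecode listing that the decompiler left behind, so its control flow follows that listing.
 */
public class TLSAValidator {
    // TLSA certificate usage values (RFC 6698, section 2.1.1).
    private static final int USAGE_CA_CONSTRAINT = 0;
    private static final int USAGE_SERVICE_CERT_CONSTRAINT = 1;
    private static final int USAGE_TRUST_ANCHOR_ASSERTION = 2;
    private static final int USAGE_DOMAIN_ISSUED_CERT = 3;
    // TLSA selector values (RFC 6698, section 2.1.2).
    private static final int SELECTOR_FULL_CERTIFICATE = 0;
    private static final int SELECTOR_SUBJECT_PUBLIC_KEY_INFO = 1;
    // TLSA matching type values (RFC 6698, section 2.1.3).
    private static final int MATCHING_EXACT = 0;
    private static final int MATCHING_SHA256 = 1;
    private static final int MATCHING_SHA512 = 2;
    // DNS RR type number of TLSA (the original code passed the bare 52) and the IN class.
    private static final int TLSA_RR_TYPE = 52;
    private static final int DCLASS_IN = 1;
    // Bound on how long the handshake read in getUrlCerts may block; the original had no timeout.
    private static final int HANDSHAKE_TIMEOUT_MS = 15000;

    private final CACertService caCertService;
    private final CertChainValidator chainValidator;
    private final DNSSECResolver dnssecResolver;

    /**
     * Creates a validator with default collaborators.
     *
     * @throws ExceptionInInitializerError if any collaborator cannot be built; the underlying
     *     exception is kept as the cause (the original discarded it).
     */
    public TLSAValidator() {
        try {
            this.dnssecResolver = new DNSSECResolver(new DNSBootstrapService());
            this.caCertService = CACertService.getInstance();
            this.chainValidator = new CertChainValidator();
        } catch (Exception e) {
            // Same error type as before; the cause replaces the bare message so the failure is
            // diagnosable (ExceptionInInitializerError does not allow initCause afterwards).
            throw new ExceptionInInitializerError(e);
        }
    }

    /**
     * Creates a validator with explicit collaborators (used for injection / testing).
     *
     * @param dNSSECResolver resolver used for the TLSA lookup
     * @param cACertService source of the CA trust keystore
     * @param certChainValidator PKIX chain validator
     */
    public TLSAValidator(DNSSECResolver dNSSECResolver, CACertService cACertService, CertChainValidator certChainValidator) {
        this.dnssecResolver = dNSSECResolver;
        this.caCertService = cACertService;
        this.chainValidator = certChainValidator;
    }

    /**
     * Returns the first certificate in {@code list} whose association data matches the TLSA record.
     *
     * <p>The selector picks the full DER certificate or its SubjectPublicKeyInfo; the matching type
     * compares it raw, or via SHA-256 / SHA-512. Candidates with an unknown selector or matching
     * type, or whose encoding fails, are skipped (the original compared an empty array instead).
     *
     * @param tLSARecord the TLSA record to match against
     * @param list the peer chain, in the order the server presented it
     * @return the matching element of {@code list} (same object identity), or {@code null}
     */
    public Certificate getMatchingCert(TLSARecord tLSARecord, List<Certificate> list) {
        if (tLSARecord == null || list == null) {
            return null;
        }
        byte[] expected = tLSARecord.getCertificateAssociationData();
        if (expected == null) {
            return null;
        }
        for (Certificate certificate : list) {
            if (certificate == null) {
                continue;
            }
            byte[] actual;
            try {
                actual = associationData(tLSARecord, certificate);
            } catch (GeneralSecurityException e) {
                // Best effort as before: an unencodable candidate simply cannot match.
                e.printStackTrace();
                continue;
            }
            // Not secret data, but isEqual keeps the comparison length-independent at no cost.
            if (actual != null && MessageDigest.isEqual(actual, expected)) {
                return certificate;
            }
        }
        return null;
    }

    /**
     * Computes the association data of {@code certificate} under the record's selector and
     * matching type.
     *
     * @return the bytes to compare with the record's data, or {@code null} for an unsupported
     *     selector / matching type or a key with no encoding
     * @throws GeneralSecurityException if the certificate cannot be encoded or a digest is missing
     */
    private static byte[] associationData(TLSARecord record, Certificate certificate) throws GeneralSecurityException {
        byte[] selected;
        switch (record.getSelector()) {
            case SELECTOR_FULL_CERTIFICATE:
                selected = certificate.getEncoded();
                break;
            case SELECTOR_SUBJECT_PUBLIC_KEY_INFO:
                selected = certificate.getPublicKey().getEncoded();
                break;
            default:
                return null;
        }
        if (selected == null) {
            return null;
        }
        switch (record.getMatchingType()) {
            case MATCHING_EXACT:
                return selected;
            case MATCHING_SHA256:
                return MessageDigest.getInstance("SHA-256").digest(selected);
            case MATCHING_SHA512:
                return MessageDigest.getInstance("SHA-512").digest(selected);
            default:
                return null;
        }
    }

    /**
     * Looks up the TLSA record for {@code _port._tcp.host} via the DNSSEC resolver.
     *
     * <p>The resolver returns the record in presentation form ({@code usage selector matching hex});
     * long hex data may arrive split into several whitespace-separated groups, which are joined.
     *
     * @param url the URL whose host and (explicit or default) port name the record
     * @return the parsed record, or {@code null} if the lookup failed, was not DNSSEC-secure
     *     (the resolver signals that with {@link DNSSECException}), or the answer is malformed
     */
    public TLSARecord getTLSARecord(URL url) {
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        String tlsaName = String.format("_%s._tcp.%s", port, DNSUtil.ensureDot(url.getHost()));
        String rdata;
        try {
            rdata = this.dnssecResolver.resolve(tlsaName, TLSA_RR_TYPE);
        } catch (DNSSECException unused) {
            return null;
        }
        if (rdata == null || rdata.isEmpty()) {
            return null;
        }
        String[] fields = rdata.trim().split("\\s+");
        if (fields.length < 4) {
            return null;
        }
        // Fields 3..n are the hex association data, possibly chunked with whitespace.
        StringBuilder hex = new StringBuilder();
        for (int i = 3; i < fields.length; i++) {
            hex.append(fields[i]);
        }
        try {
            int usage = Integer.parseInt(fields[0]);
            int selector = Integer.parseInt(fields[1]);
            int matchingType = Integer.parseInt(fields[2]);
            // base16() only accepts upper-case digits; presentation data is often lower-case.
            byte[] data = BaseEncoding.base16().decode(hex.toString().toUpperCase(Locale.ROOT));
            return new TLSARecord(new Name(tlsaName), DCLASS_IN, 0L, usage, selector, matchingType, data);
        } catch (TextParseException | IllegalArgumentException unused) {
            // Bad owner name, non-numeric field, or invalid hex (NumberFormatException and
            // Guava's decoding failure are both IllegalArgumentException). Previously these
            // escaped as unchecked exceptions.
            return null;
        }
    }

    /**
     * Retrieves the certificate chain the server at {@code url} presents during a TLS handshake.
     *
     * <p>The connection uses a trust manager that accepts every chain. That is intentional and
     * scoped to this method: its only job is to obtain the chain, and trust is decided afterwards
     * by {@link #validateTLSA(URL)} against the DNSSEC-signed TLSA record. The context built here
     * must not be reused for application traffic, and no hostname verification happens here
     * (NOTE(review): for the PKIX usages 0 and 1 a name check would belong in the chain
     * validation step — confirm how {@code CertChainValidator} handles it).
     *
     * @param url the URL whose host and (explicit or default) port to connect to
     * @return the peer chain as a mutable list, leaf first; an empty list on any failure
     */
    public List<Certificate> getUrlCerts(URL url) {
        X509TrustManager acceptAnyChain = new X509TrustManager() {
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
                // Chain retrieval only; see getUrlCerts.
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
                // Chain retrieval only; see getUrlCerts.
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract requires a non-null array; the original returned null.
                return new X509Certificate[0];
            }
        };
        int port = url.getPort() == -1 ? url.getDefaultPort() : url.getPort();
        SSLSocket socket = null;
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[]{acceptAnyChain}, null);
            socket = (SSLSocket) context.getSocketFactory().createSocket(url.getHost(), port);
            // Without a read timeout a stalled peer would block the handshake indefinitely.
            socket.setSoTimeout(HANDSHAKE_TIMEOUT_MS);
            socket.startHandshake();
            Certificate[] peerChain = socket.getSession().getPeerCertificates();
            return new ArrayList<Certificate>(Arrays.asList(peerChain));
        } catch (IOException | GeneralSecurityException e) {
            // Best effort as before: callers treat an empty chain as "nothing to validate".
            e.printStackTrace();
            return new ArrayList<Certificate>();
        } finally {
            closeQuietly(socket);
        }
    }

    /** Closes the socket if one was opened; a failing close cannot change the result. */
    private static void closeQuietly(SSLSocket socket) {
        if (socket == null) {
            return;
        }
        try {
            socket.close();
        } catch (IOException ignored) {
            // nothing useful can be done with a close failure here
        }
    }

    /**
     * Validates {@code certificate} against the CA keystore, with the other members of
     * {@code list} added to that keystore as certificate entries.
     *
     * <p>NOTE(review): {@code setCertificateEntry} marks the peer-supplied intermediates as
     * trusted entries. If {@code CertChainValidator.validateKeyChain} treats every keystore entry
     * as a trust anchor, an attacker-supplied intermediate would validate its own leaf; and if
     * {@code getCaCertKeystore()} returns a shared instance, the entries persist across calls.
     * Neither can be confirmed from this file — verify against those classes.
     *
     * @param certificate the certificate to validate (compared by identity against {@code list})
     * @param list the full peer chain
     * @return {@code true} if the validator accepts the chain; {@code false} on any failure
     */
    public boolean isValidCertChain(Certificate certificate, List<Certificate> list) {
        try {
            KeyStore caCertKeystore = this.caCertService.getCaCertKeystore();
            int index = 0;
            for (Certificate candidate : list) {
                if (candidate != certificate) {
                    // Index suffix keeps two intermediates with the same subject from
                    // overwriting each other's entry.
                    String alias = ((X509Certificate) candidate).getSubjectX500Principal().getName() + "#" + index;
                    caCertKeystore.setCertificateEntry(alias, candidate);
                }
                index++;
            }
            return this.chainValidator.validateKeyChain((X509Certificate) certificate, caCertKeystore);
        } catch (Exception e) {
            // validateKeyChain's checked exceptions are not visible here, so the catch stays broad.
            e.printStackTrace();
            return false;
        }
    }

    /**
     * Performs DANE validation of the server at {@code url}.
     *
     * <p>Reconstructed from the decompiler's bytecode listing. Outcome by certificate usage:
     * <ul>
     *   <li>0 (CA constraint): the matched certificate must not be the leaf and the chain must
     *       validate.</li>
     *   <li>1 (service certificate constraint): the matched certificate must be the leaf and the
     *       chain must validate.</li>
     *   <li>2 (trust anchor assertion): the leaf's chain must validate and the match must be the
     *       last certificate presented; success is signalled by throwing
     *       {@link ValidSelfSignedCertException}.</li>
     *   <li>3 (domain-issued certificate): a match alone is sufficient; success is signalled by
     *       throwing {@link ValidSelfSignedCertException}.</li>
     * </ul>
     *
     * @param url the URL to validate
     * @return {@code true} only for a successful usage 0 or 1 validation; {@code false} when no
     *     TLSA record, no chain, no match, an unknown usage, or a failed chain check
     * @throws ValidSelfSignedCertException for successful usage 2 and 3 validations, carrying the
     *     matched certificate (this is the original design, not an error path)
     */
    public boolean validateTLSA(URL url) throws ValidSelfSignedCertException {
        TLSARecord record = getTLSARecord(url);
        if (record == null) {
            return false;
        }
        List<Certificate> certs = getUrlCerts(url);
        if (certs == null || certs.isEmpty()) {
            return false;
        }
        Certificate match = getMatchingCert(record, certs);
        if (match == null) {
            return false;
        }
        // getMatchingCert returns an element of certs, so identity comparison is what the
        // original bytecode does and is sufficient here.
        Certificate leaf = certs.get(0);
        switch (record.getCertificateUsage()) {
            case USAGE_CA_CONSTRAINT:
                return isValidCertChain(match, certs) && match != leaf;
            case USAGE_SERVICE_CERT_CONSTRAINT:
                return isValidCertChain(match, certs) && match == leaf;
            case USAGE_TRUST_ANCHOR_ASSERTION:
                if (isValidCertChain(leaf, certs) && match == certs.get(certs.size() - 1)) {
                    throw new ValidSelfSignedCertException(match);
                }
                return false;
            case USAGE_DOMAIN_ISSUED_CERT:
                throw new ValidSelfSignedCertException(match);
            default:
                return false;
        }
    }
}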
