package net.soti.j;

import com.google.common.base.Optional;
import java.io.ByteArrayInputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.inject.Inject;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import net.soti.comm.as;
import net.soti.mobicontrol.cert.aa;
import net.soti.mobicontrol.fx.cd;
import net.soti.ssl.DelegatingTrustChecker;
import net.soti.ssl.DelegatingX509TrustManager;
import net.soti.ssl.RootCertificateStorage;
import net.soti.ssl.SslSha1SignatureCertificateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes7.dex */
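/**
 * Trust manager that rejects server certificate chains signed with SHA-1 before handing the
 * chain to {@link DelegatingX509TrustManager} for the actual trust decision.
 *
 * <p>The SHA-1 policy implemented here is:
 * <ul>
 *   <li>a trailing self-issued certificate (issuer DN equals subject DN) is removed from the
 *       presented chain before checking, unless it is the only certificate presented;</li>
 *   <li>every remaining certificate must not carry a SHA-1 signature;</li>
 *   <li>the issuer of the last remaining certificate is looked up first among the platform's
 *       accepted issuers (no further check when found there) and then among the certificates
 *       returned by {@link RootCertificateStorage#getMcRootCertsFromStorage()}, where a match
 *       is itself checked for SHA-1.</li>
 * </ul>
 *
 * <p>Names in this class are decompiler output and are kept unchanged so that callers keep
 * resolving.
 */
public class a extends DelegatingX509TrustManager {

    private static final Logger f10623a = LoggerFactory.getLogger((Class<?>) a.class);

    /** Signature algorithm OID of DSA with SHA-1 (id-dsa-with-sha1). */
    private static final String f10624b = "1.2.840.10040.4.3";

    /** Lower-case fragment searched for in the signature algorithm name. */
    private static final String f10625c = "sha1";

    /** Source of the additional root certificates consulted when the platform roots do not match. */
    private final RootCertificateStorage f10626d;

    /**
     * Creates the trust manager.
     *
     * @param delegatingTrustChecker forwarded unchanged to the superclass constructor
     * @param str forwarded unchanged to the superclass constructor
     * @param set forwarded unchanged to the superclass constructor
     * @param rootCertificateStorage storage queried for the extra root certificates
     */
    @Inject
    public a(DelegatingTrustChecker delegatingTrustChecker, String str, Set<as> set, RootCertificateStorage rootCertificateStorage) {
        super(delegatingTrustChecker, str, set);
        this.f10626d = rootCertificateStorage;
    }

    /**
     * Finds the issuer of {@code x509Certificate} among {@code list}.
     *
     * <p>A candidate matches when its subject DN equals the certificate's issuer DN and its
     * public key verifies the certificate's signature. A DN match alone is not enough, because
     * distinct certificates can share a subject name.
     *
     * @param list candidate issuer certificates
     * @param x509Certificate certificate whose issuer is wanted
     * @return the first matching candidate, or {@link Optional#absent()} when none matches
     */
    private static Optional<X509Certificate> a(List<X509Certificate> list, X509Certificate x509Certificate) {
        for (X509Certificate candidate : list) {
            if (!x509Certificate.getIssuerDN().equals(candidate.getSubjectDN())) {
                continue;
            }
            try {
                x509Certificate.verify(candidate.getPublicKey());
                return Optional.of(candidate);
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException unused) {
                // Same subject name but a different key: keep looking at the remaining candidates.
                f10623a.debug("Not the root");
            }
        }
        return Optional.absent();
    }

    /**
     * Decodes one certificate from its textual form.
     *
     * <p>The error message indicates that {@code str} is hex; the decoding itself is done by
     * {@code cd.a}, and the certificate type comes from {@code aa.f12780b} (presumably
     * "X.509" - confirm against that class).
     *
     * @param str encoded certificate
     * @return the parsed certificate
     * @throws CertificateException if the bytes do not form a certificate
     */
    static X509Certificate a(String str) throws CertificateException {
        try {
            return (X509Certificate) CertificateFactory.getInstance(aa.f12780b).generateCertificate(new ByteArrayInputStream(cd.a(str)));
        } catch (CertificateException e2) {
            f10623a.error("Failed to convert HEX to X509 Certificate.", (Throwable) e2);
            throw new CertificateException(e2);
        }
    }

    /**
     * Decodes every entry of {@code collection} with {@link #a(String)}.
     *
     * @param collection encoded certificates
     * @return the parsed certificates, in iteration order
     * @throws CertificateException if any entry fails to parse; no partial list is returned
     */
    private static List<X509Certificate> a(Collection<String> collection) throws CertificateException {
        List<X509Certificate> certificates = new ArrayList<>(collection.size());
        for (String encoded : collection) {
            certificates.add(a(encoded));
        }
        return certificates;
    }

    /**
     * Applies the SHA-1 check to the root that issued {@code x509Certificate}.
     *
     * <p>If the issuer is one of the platform's accepted issuers, nothing more is checked. If
     * it is found among the stored roots instead, that root must not be SHA-1 signed. If no
     * issuer is found in either set, this method only logs; whether the chain is trusted at
     * all is left to the superclass.
     *
     * @param x509Certificate last certificate of the chain after root stripping
     * @throws CertificateException if a stored root cannot be parsed or is SHA-1 signed
     */
    private void a(X509Certificate x509Certificate) throws CertificateException {
        List<X509Certificate> platformRoots = new ArrayList<>();
        try {
            platformRoots = Arrays.asList(a());
        } catch (KeyStoreException | NoSuchAlgorithmException e2) {
            // With no platform roots available, the lookup falls through to the stored roots,
            // which are subject to the SHA-1 check.
            f10623a.error("Failed to get the default keystore root certificates", e2);
        }
        if (a(platformRoots, x509Certificate).isPresent()) {
            return;
        }
        Optional<X509Certificate> storedRoot = a(a(this.f10626d.getMcRootCertsFromStorage()), x509Certificate);
        if (storedRoot.isPresent()) {
            b(storedRoot.get());
        } else {
            f10623a.debug("Could not find root certificate to check algorithm");
        }
    }

    /**
     * Rejects the chain if any certificate in it is SHA-1 signed.
     *
     * @param x509CertificateArr certificates to check
     * @throws SslSha1SignatureCertificateException on the first SHA-1 signed certificate
     */
    static void a(X509Certificate[] x509CertificateArr) throws SslSha1SignatureCertificateException {
        for (X509Certificate certificate : x509CertificateArr) {
            b(certificate);
        }
    }

    /**
     * Rejects a single certificate if it is SHA-1 signed.
     *
     * @param x509Certificate certificate to check
     * @throws SslSha1SignatureCertificateException if {@link #c(X509Certificate)} reports SHA-1
     */
    private static void b(X509Certificate x509Certificate) throws SslSha1SignatureCertificateException {
        if (c(x509Certificate)) {
            throw new SslSha1SignatureCertificateException("Chain contains SHA1 algorithm which is deprecated");
        }
    }

    /**
     * Drops a trailing self-issued certificate so that its self-signature is not subject to
     * the SHA-1 check.
     *
     * <p>A chain of one certificate is returned as is. Stripping it would leave an empty array,
     * which {@link #checkServerTrusted} would then index at -1; keeping it also means a lone
     * self-issued certificate is still checked for SHA-1.
     *
     * @param x509CertificateArr presented chain, leaf first
     * @return the same array, or a copy without its last element
     */
    private static X509Certificate[] b(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr.length <= 1) {
            return x509CertificateArr;
        }
        X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
        // Self-issued is decided by comparing DNs only; the signature is not verified here.
        if (!last.getIssuerDN().equals(last.getSubjectDN())) {
            return x509CertificateArr;
        }
        f10623a.debug("Cut root from the chain");
        return (X509Certificate[]) Arrays.copyOf(x509CertificateArr, x509CertificateArr.length - 1);
    }

    /**
     * Reports whether the certificate's signature algorithm uses SHA-1.
     *
     * <p>NOTE(review): the OID comparison covers only DSA with SHA-1. RSA and ECDSA SHA-1
     * signatures are recognised only when the provider's algorithm name contains "sha1", so
     * detection depends on how the installed provider names the algorithm - confirm against
     * the providers in use.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code true} if the algorithm name contains "sha1" (case-insensitive) or the OID
     *     is {@code 1.2.840.10040.4.3}
     */
    private static boolean c(X509Certificate x509Certificate) {
        // Locale.ROOT keeps the case folding independent of the device's default locale.
        String algorithmName = x509Certificate.getSigAlgName().toLowerCase(Locale.ROOT);
        return algorithmName.contains(f10625c) || f10624b.equalsIgnoreCase(x509Certificate.getSigAlgOID());
    }

    /**
     * Returns the accepted issuers of the platform's default trust store.
     *
     * <p>Initialising the factory with a {@code null} key store selects the default trust
     * store. The first trust manager returned is assumed to be an {@link X509TrustManager}.
     *
     * @return the platform's accepted issuer certificates
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the factory cannot be initialised
     */
    X509Certificate[] a() throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        return ((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).getAcceptedIssuers();
    }

    /**
     * Applies the SHA-1 policy to the presented chain and then delegates to the superclass.
     *
     * @param x509CertificateArr chain presented by the server, leaf first
     * @param str authentication type, forwarded to the superclass
     * @throws CertificateException if the chain is null or empty, contains a SHA-1 signed
     *     certificate, chains to a SHA-1 signed stored root, or is rejected by the superclass
     */
    @Override // net.soti.ssl.DelegatingX509TrustManager, javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // A null chain is rejected the same way as an empty one instead of surfacing as an
        // unchecked NullPointerException.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            f10623a.error("We received an empty certificate chain.");
            throw new CertificateException("Server presented a null or empty certificate chain");
        }
        X509Certificate[] withoutRoot = b(x509CertificateArr);
        X509Certificate lastCertificate = withoutRoot[withoutRoot.length - 1];
        a(withoutRoot);
        a(lastCertificate);
        // The superclass receives the chain exactly as presented, including any stripped root.
        super.checkServerTrusted(x509CertificateArr, str);
    }
}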
