package com.okta.android.auth.security;

import android.text.TextUtils;
import android.util.Base64;
import com.google.common.collect.ImmutableSet;
import com.okta.android.auth.OktaApp;
import com.okta.android.auth.R;
import com.okta.android.auth.constants.IsDeveloperBuild;
import com.okta.android.auth.core.NotificationGenerator;
import com.okta.android.auth.security.KeyList;
import com.okta.android.auth.shared.util.UnitTestChecker;
import com.okta.lib.android.common.utilities.Log;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.inject.Inject;
import javax.inject.Provider;
import javax.inject.Singleton;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

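@Singleton
/* loaded from: classes2.dex */
/**
 * Public-key pinning {@link X509TrustManager}.
 *
 * <p>{@link #checkServerTrusted} performs two checks in order: the chain must first be accepted by the
 * platform's default trust store, and then the leaf certificate's public key must match one of the pins
 * in {@link KeyList#ACCEPTED_DOMAINS_AND_KEYS} for the domain named by the certificate (SAN dNSName
 * entries, or the subject CN when the certificate carries no SAN extension).
 *
 * <p>Pinning is bypassed (public trust only) for the third-party hosts in {@link #ALWAYS_EXEMPTED_DOMAINS},
 * for a single operator-supplied exception host set through {@link #setExceptionDomain}, and, in developer
 * builds only, for the hosts in {@link #DEBUG_EXEMPTED_DOMAINS}. Every exemption widens the set of
 * certificates this app will accept, so additions should be reviewed as a security change.
 *
 * <p>Thread-safety: {@code exceptionDomain} is a plain mutable field written by
 * {@link #setExceptionDomain}/{@link #clearExceptionDomain} and read during TLS handshakes; callers are
 * presumed to configure it before connections start (not established from this file).
 */
public class PubKeyManager implements X509TrustManager {
    /** Hosts exempt from pinning in developer builds only (see {@link #isExemptedDomain}). */
    private static final Set<String> DEBUG_EXEMPTED_DOMAINS = ImmutableSet.of("okta1.com", "widerock.com", "hioktane.com", "localhost");
    /** GeneralName tag of a dNSName entry in the subjectAltName extension, as returned by {@link X509Certificate#getSubjectAlternativeNames()}. */
    private static final int DNS_LIST_INTEGER = 2;
    private static final String TAG = "PubKeyManager";
    /** Third-party hosts that are always exempt from pinning in every build; public trust still applies. */
    private static final String[] ALWAYS_EXEMPTED_DOMAINS = {
        "crashlytics.com", "oktacdn.com", "instabug.com", "google.com", "google-analytics.com"
    };
    /**
     * Extracts the value of each CN attribute from a subject DN string. The hyphen is part of the class so a
     * host such as {@code my-host.example.com} is not truncated to {@code my} (which would fail pinning).
     */
    private static final Pattern CN_PATTERN = Pattern.compile("CN=([A-Za-z0-9.*-]*)");

    /** Platform trust manager used for client-auth and accepted-issuer delegation; null if none could be created. */
    private X509TrustManager defaultTrustManager;
    /** Host name (from {@link URL#getHost()}) exempted from pinning by the operator, or null. */
    String exceptionDomain;

    @Inject
    @IsDeveloperBuild
    Provider<Boolean> isDeveloperBuild;

    @Inject
    NotificationGenerator notificationGenerator;

    /** Creates the manager and captures the platform's default {@link X509TrustManager}, if one exists. */
    @Inject
    public PubKeyManager() {
        this.defaultTrustManager = loadDefaultTrustManager();
    }

    /**
     * Looks up the first {@link X509TrustManager} of the default ("X509") factory initialised with the
     * system trust store.
     *
     * @return the trust manager, or null when the factory cannot be created (logged, not thrown, so
     *         construction never fails; server checks still fail closed in {@link #checkCertIsPubliclyTrusted})
     */
    private static X509TrustManager loadDefaultTrustManager() {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
            factory.init((KeyStore) null);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
        } catch (Exception e) {
            // Best-effort, as in the original: a missing default manager only disables delegation.
            Log.w(TAG, "unable to generate a default trust manager", e);
        }
        return null;
    }

    /**
     * Verifies the chain against the platform's default trust store.
     *
     * @param chain    server certificate chain, end-entity first
     * @param authType key-exchange algorithm name passed through from the TLS layer
     * @throws CertificateException if the chain is not publicly trusted, if no X509 trust manager is
     *                              available, or if the trust store cannot be initialised (fail closed)
     */
    private void checkCertIsPubliclyTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        boolean checkedByPlatform = false;
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
            factory.init((KeyStore) null);
            for (TrustManager trustManager : factory.getTrustManagers()) {
                // Guard the cast: a non-X509 manager would otherwise surface as ClassCastException.
                if (trustManager instanceof X509TrustManager) {
                    ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
                    checkedByPlatform = true;
                }
            }
        } catch (KeyStoreException e) {
            throwCertificateError(new CertificateException("Unable to initialize a Keystore when checking the server certificate", e));
        } catch (NoSuchAlgorithmException e) {
            throwCertificateError(new CertificateException("Unable to find the X509 algorithm when checking server certificate", e));
        } catch (CertificateException e) {
            throwCertificateError(e);
        }
        if (!checkedByPlatform) {
            // No platform manager ran: do not let the chain through on pinning alone.
            throwCertificateError("No X509 trust manager available when checking the server certificate");
        }
    }

    /**
     * Collects the dNSName entries of the SAN extension (lower-cased) and runs the pin check on them.
     *
     * @param altNames    value of {@link X509Certificate#getSubjectAlternativeNames()}; null is a no-op
     * @param certificate the leaf certificate whose key is pinned
     * @throws CertificateException if the pin check fails
     */
    private void checkPinnedAlternates(Collection<List<?>> altNames, X509Certificate certificate) throws CertificateException {
        if (altNames == null) {
            return;
        }
        List<String> dnsNames = new ArrayList<>();
        for (List<?> entry : altNames) {
            // Each entry is [Integer tag, value]; only dNSName values are host names we can pin on.
            if (entry == null || entry.size() < 2) {
                continue;
            }
            if (Integer.valueOf(DNS_LIST_INTEGER).equals(entry.get(0)) && entry.get(1) instanceof String) {
                dnsNames.add(((String) entry.get(1)).toLowerCase(Locale.ROOT));
            }
        }
        checkPinnedServers(dnsNames, certificate);
    }

    /**
     * Fallback for certificates without a SAN extension: extracts CN values from the subject DN
     * (lower-cased, without the {@code CN=} prefix) and runs the pin check on them.
     *
     * @param certificate the leaf certificate
     * @throws CertificateException if the pin check fails
     */
    private void checkPinnedCN(X509Certificate certificate) throws CertificateException {
        String subject = certificate.getSubjectDN().getName();
        Log.v(TAG, "Top certificate SubjectDN: " + subject);
        List<String> commonNames = new ArrayList<>();
        Matcher matcher = CN_PATTERN.matcher(subject);
        while (matcher.find()) {
            commonNames.add(matcher.group(1).toLowerCase(Locale.ROOT));
        }
        checkPinnedServers(commonNames, certificate);
    }

    /**
     * Runs the pin check on the end-entity certificate (index 0 per the {@link X509TrustManager} contract),
     * preferring SAN names and falling back to the subject CN only when the SAN extension is absent.
     */
    private void checkTopCert(X509Certificate[] chain) throws CertificateException {
        X509Certificate leaf = chain[0];
        Collection<List<?>> altNames = leaf.getSubjectAlternativeNames();
        if (altNames != null) {
            checkPinnedAlternates(altNames, leaf);
        } else {
            checkPinnedCN(leaf);
        }
    }

    /**
     * Decides whether a certificate name may skip pinning.
     *
     * @param hostName a SAN dNSName or CN value from the leaf certificate
     * @return true for the built-in third-party list, for the configured exception host, and in developer
     *         builds for {@link #DEBUG_EXEMPTED_DOMAINS}
     */
    private boolean isExemptedDomain(String hostName) {
        boolean exempt = false;
        for (String thirdParty : ALWAYS_EXEMPTED_DOMAINS) {
            if (isMatchToDomain(hostName, thirdParty)) {
                exempt = true;
                break;
            }
        }
        String exception = this.exceptionDomain;
        if (exception != null) {
            // Argument order is deliberate (kept from the original): the stored exception host must equal,
            // or be a subdomain of, the certificate name -- not the other way round.
            exempt = exempt || isMatchToDomain(exception, hostName);
            Log.i(TAG, "isExemptedDomain :" + hostName + " value " + exempt);
        }
        if (this.isDeveloperBuild.get().booleanValue()) {
            return exempt || isPresentInExemptTargetSet(hostName);
        }
        return exempt;
    }

    /**
     * Returns true when {@code hostName} is {@code domain} itself or a subdomain of it.
     *
     * <p>A label boundary is always required: with {@code domain = "okta.com"} the host
     * {@code evilokta.com} does not match, whereas {@code login.okta.com} and {@code *.okta.com} do. A
     * domain already written with a leading dot is treated as that suffix.
     */
    private static boolean isMatchToDomain(String hostName, String domain) {
        if (hostName.equals(domain)) {
            return true;
        }
        if (domain.startsWith(".")) {
            return hostName.endsWith(domain);
        }
        return hostName.endsWith("." + domain);
    }

    /** True when {@code hostName} matches any entry of {@link #DEBUG_EXEMPTED_DOMAINS}. */
    private boolean isPresentInExemptTargetSet(String hostName) {
        for (String debugDomain : DEBUG_EXEMPTED_DOMAINS) {
            if (isMatchToDomain(hostName, debugDomain)) {
                return true;
            }
        }
        return false;
    }

    /** Convenience overload of {@link #throwCertificateError(CertificateException)} for a plain message. */
    private void throwCertificateError(String message) throws CertificateException {
        throwCertificateError(new CertificateException(message));
    }

    /**
     * Logs the failure, raises a low-priority user notification (outside unit tests) and rethrows.
     *
     * @throws CertificateException always, with the supplied exception
     */
    private void throwCertificateError(CertificateException certificateException) throws CertificateException {
        String message = certificateException.getMessage();
        Log.w(TAG, message != null ? message : certificateException.toString(), certificateException);
        if (UnitTestChecker.isUnitTest()) {
            throw certificateException;
        }
        this.notificationGenerator.reportLowPriorityFailure(OktaApp.getOktaApp().getString(R.string.ssl_pinning_error));
        throw certificateException;
    }

    /** Client-auth checks are delegated unchanged to the platform trust manager (no-op when none exists). */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        X509TrustManager platform = this.defaultTrustManager;
        if (platform != null) {
            platform.checkClientTrusted(chain, authType);
        }
    }

    /**
     * Requires the certificate's DER-encoded public key to equal one of the Base64 pins.
     *
     * <p>Works for any key algorithm: the original cast to {@code RSAPublicKey} would have thrown
     * {@link ClassCastException} for EC certificates. A pin that is not valid Base64 is logged and skipped;
     * the check still fails closed when nothing matches.
     *
     * @param certificate the leaf certificate
     * @param pinnedKeys  Base64 encodings of acceptable SubjectPublicKeyInfo structures
     * @throws CertificateException if no pin matches
     */
    public void checkPinnedKeys(X509Certificate certificate, String[] pinnedKeys) throws CertificateException {
        byte[] encodedKey = certificate.getPublicKey().getEncoded();
        if (pinnedKeys != null && encodedKey != null) {
            for (String pin : pinnedKeys) {
                if (pin == null) {
                    continue;
                }
                byte[] pinBytes;
                try {
                    pinBytes = Base64.decode(pin, Base64.DEFAULT);
                } catch (IllegalArgumentException e) {
                    Log.w(TAG, "Skipping malformed pinned key entry", e);
                    continue;
                }
                if (Arrays.equals(pinBytes, encodedKey)) {
                    return;
                }
            }
        }
        Log.e(TAG, "Cert failed SSL Pinning");
        throwCertificateError("Failed to find a matching pinned public key");
    }

    /**
     * Applies pinning for the first certificate name that is either a pinned domain or an exempted one.
     *
     * <p>Fails closed: a certificate that exposes no usable name cannot be pinned and is rejected, as is
     * one whose names are neither pinned nor exempted. Domain matching requires a label boundary, so a
     * look-alike host sharing only a suffix with a pinned domain is not treated as pinned.
     *
     * @param hostNames   SAN dNSName or CN values of the leaf certificate
     * @param certificate the leaf certificate
     * @throws CertificateException if pinning fails or no name could be evaluated
     */
    void checkPinnedServers(List<String> hostNames, X509Certificate certificate) throws CertificateException {
        if (hostNames == null || hostNames.isEmpty()) {
            Log.w(TAG, "No domain name when checking key pinning");
            throwCertificateError("Certificate exposes no domain name to pin against");
        }
        for (String hostName : hostNames) {
            if (hostName == null) {
                continue;
            }
            for (KeyList.DomainKeys domainKeys : KeyList.ACCEPTED_DOMAINS_AND_KEYS) {
                if (isMatchToDomain(hostName, domainKeys.domain)) {
                    checkPinnedKeys(certificate, domainKeys.keys);
                    Log.v(TAG, "Key pinning successful for " + hostName);
                    return;
                }
            }
            if (isExemptedDomain(hostName)) {
                return;
            }
        }
        throwCertificateError("Attempting connection to unsupported domains " + Arrays.toString(hostNames.toArray()));
    }

    /**
     * Validates a server chain: argument sanity, platform trust, then public-key pinning on the leaf.
     *
     * @throws IllegalArgumentException for a null or empty chain
     * @throws CertificateException     for an empty auth type, a chain the platform rejects, or a pin mismatch
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null) {
            throw new IllegalArgumentException("checkServerTrusted: X509Certificate array is null");
        }
        if (chain.length == 0) {
            throw new IllegalArgumentException("checkServerTrusted: X509Certificate is empty");
        }
        if (TextUtils.isEmpty(authType)) {
            // throwCertificateError always throws, so nothing below runs for an empty auth type.
            throwCertificateError("checkServerTrusted: unknown/empty AuthType");
        }
        Log.i(TAG, "Checking server certificate");
        // Public trust first, pinning second: pinning never substitutes for a valid chain.
        checkCertIsPubliclyTrusted(chain, authType);
        checkTopCert(chain);
    }

    /** Removes any operator-configured pinning exemption. */
    public void clearExceptionDomain() {
        this.exceptionDomain = null;
    }

    /** Delegates to the platform trust manager; an empty array when none exists. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509TrustManager platform = this.defaultTrustManager;
        return platform != null ? platform.getAcceptedIssuers() : new X509Certificate[0];
    }

    /**
     * Reports whether a URL's host is one of the pinned Okta domains (or, in developer builds, one of the
     * debug-exempted domains).
     *
     * @param urlString an absolute URL; empty or malformed input yields false
     */
    public boolean isOktaDomain(String urlString) {
        if (TextUtils.isEmpty(urlString)) {
            Log.w(TAG, "isOktaDomain skipped, empty input" + urlString);
            return false;
        }
        try {
            String host = new URL(urlString).getHost();
            for (KeyList.DomainKeys domainKeys : KeyList.ACCEPTED_DOMAINS_AND_KEYS) {
                if (isMatchToDomain(host, domainKeys.domain)) {
                    return true;
                }
            }
            if (this.isDeveloperBuild.get().booleanValue()) {
                return isPresentInExemptTargetSet(host);
            }
            return false;
        } catch (MalformedURLException e) {
            Log.e(TAG, "isOktaDomain exception " + urlString, e);
            return false;
        }
    }

    /**
     * Exempts the host of {@code urlString} from pinning (public trust still applies). Okta domains are
     * never exempted, so pinned hosts cannot be downgraded through this path.
     *
     * @param urlString an absolute URL; empty or malformed input is logged and ignored
     */
    public void setExceptionDomain(String urlString) {
        if (TextUtils.isEmpty(urlString)) {
            Log.e(TAG, "setExceptionDomain skipped, empty input" + urlString);
            return;
        }
        try {
            URL url = new URL(urlString);
            if (isOktaDomain(urlString)) {
                Log.i(TAG, "okta domain detected, skip exemption " + urlString);
            } else {
                Log.i(TAG, "setting exception domain:" + urlString);
                this.exceptionDomain = url.getHost();
            }
        } catch (MalformedURLException e) {
            Log.e(TAG, "setExceptionDomain exception " + urlString, e);
        }
    }
}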
