package ctrip.android.network.sslpinning.pinning;

import android.net.http.X509TrustManagerExtensions;
import android.os.Build;
import androidx.annotation.NonNull;
import androidx.annotation.RequiresApi;
import com.netease.lava.base.util.StringUtils;
import ctrip.android.network.sslpinning.configuration.PublicKeyPin;
import ctrip.foundation.util.StringUtil;
import ctrip.foundation.util.UBTLogUtil;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

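/**
 * {@link X509TrustManager} bound to a single server hostname that combines three checks:
 * hostname verification of the leaf certificate, chain validation through a baseline
 * trust manager, and a public-key pin check against the pin set from {@code OkHttp3Helper}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Hostname and chain validation always run. Only the pin comparison is skipped when
 *       {@code OkHttp3Helper} reports that the host needs no certificate check or is on its
 *       blacklist. A trust manager that returns without validating accepts any certificate
 *       for that host.</li>
 *   <li>Pins are compared only against the chain returned by the baseline trust manager.
 *       The chain sent by the peer is untrusted input and may carry certificates that are
 *       not part of the validated path, so a pin match there proves nothing.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code OkHttp3Helper}, {@code OkHostnameVerifier}, {@code PublicKeyPin} and
 * {@code OnPinningResultCallback} are defined outside this file; their behaviour is inferred
 * from how they are called here and should be confirmed against their sources.
 */
@RequiresApi(api = 17)
/* loaded from: classes12.dex */
public class PinningTrustManager implements X509TrustManager {
    /** Wraps the baseline trust manager so the hostname-aware check can return the validated chain. */
    private final X509TrustManagerExtensions baselineTrustManager;
    /** Receives the outcome of each pinning evaluation; null-checked before use. */
    private final OnPinningResultCallback pinningResultCallback;
    /** Hostname this instance validates certificates for. */
    private final String serverHostname;

    /**
     * Outcome codes passed to {@code OnPinningResultCallback.onPinningFailed}. This class only
     * produces {@link #FAILED} and {@link #FAILED_CERTIFICATE_CHAIN_NOT_TRUSTED}; the other
     * constants are not referenced in this file.
     */
    /* loaded from: classes12.dex */
    public enum PinningValidationResult {
        SUCCESS,
        FAILED,
        FAILED_CERTIFICATE_CHAIN_NOT_TRUSTED,
        ERROR_INVALID_PARAMETERS,
        FAILED_USER_DEFINED_TRUST_ANCHOR,
        ERROR_COULD_NOT_GENERATE_SPKI_HASH
    }

    /**
     * Creates a trust manager for one hostname.
     *
     * @param str hostname the presented certificates must be valid for
     * @param x509TrustManager baseline trust manager that performs chain validation
     * @param onPinningResultCallback receiver for pinning success and failure notifications
     */
    public PinningTrustManager(@NonNull String str, @NonNull X509TrustManager x509TrustManager, @NonNull OnPinningResultCallback onPinningResultCallback) {
        this.serverHostname = str;
        this.pinningResultCallback = onPinningResultCallback;
        this.baselineTrustManager = new X509TrustManagerExtensions(x509TrustManager);
    }

    /**
     * Reports whether any certificate in {@code list} has a public key pin contained in {@code set}.
     *
     * @param list certificate chain to inspect; callers must pass a validated chain
     * @param set configured pins
     * @return {@code true} if at least one certificate's pin is in the set
     */
    private static boolean isPinInChain(List<X509Certificate> list, Set<PublicKeyPin> set) {
        for (X509Certificate certificate : list) {
            if (set.contains(new PublicKeyPin(certificate))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether a baseline failure is the platform's own pin check rather than a
     * chain-validation error. The decision relies on the exception message prefix and is
     * only made on API 24 and above; a missing message counts as a chain failure.
     */
    private static boolean isPlatformPinFailure(CertificateException e) {
        return Build.VERSION.SDK_INT >= 24
                && !StringUtil.emptyOrNull(e.getMessage())
                && e.getMessage().startsWith("Pin verification failed");
    }

    /**
     * Always rejects: client certificate authentication is not supported by this trust manager.
     *
     * @throws CertificateException on every call
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /**
     * Validates the server chain for {@code serverHostname}.
     *
     * <p>Hostname verification and baseline chain validation run for every host. The pin check
     * and the pinning callbacks run only when {@code OkHttp3Helper.needCertificateCheck} is true
     * and the host is not on the {@code OkHttp3Helper} blacklist.
     *
     * @param x509CertificateArr chain presented by the peer, leaf first
     * @param str key exchange / authentication type, forwarded to the baseline trust manager
     * @throws IllegalArgumentException if the chain is null or empty
     * @throws CertificateException if hostname, chain or pin validation fails
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        // X509TrustManager specifies IllegalArgumentException for a null or zero-length chain;
        // without this guard the leaf access below fails with an unrelated runtime exception.
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new IllegalArgumentException("Server certificate chain is null or empty");
        }

        List<X509Certificate> servedChain = Arrays.asList(x509CertificateArr);
        // Falls back to the served chain for reporting only when the baseline check throws.
        List<X509Certificate> validatedChain = servedChain;

        boolean chainFailed = !OkHostnameVerifier.INSTANCE.verify(this.serverHostname, x509CertificateArr[0]);
        boolean platformPinFailed = false;
        CertificateException baselineError = null;
        try {
            validatedChain = this.baselineTrustManager.checkServerTrusted(x509CertificateArr, str, this.serverHostname);
        } catch (CertificateException e2) {
            baselineError = e2;
            if (isPlatformPinFailure(e2)) {
                platformPinFailed = true;
            } else {
                chainFailed = true;
            }
        }

        boolean pinningEnabled = OkHttp3Helper.needCertificateCheck(this.serverHostname)
                && !OkHttp3Helper.isInBlackList(this.serverHostname);
        if (!pinningEnabled) {
            // Pinning is switched off for this host, but the certificate must still be valid.
            // Returning here without the baseline result would trust any certificate.
            if (chainFailed || platformPinFailed) {
                throw new CertificateException("Certificate validation failed for " + this.serverHostname, baselineError);
            }
            return;
        }

        // Read the pin set once so the comparison and the failure report use the same pins.
        Set<PublicKeyPin> configuredPins = OkHttp3Helper.getDefaultPublicKeyPins();

        // A pin failure reported by the platform stands: in that case only the unvalidated
        // served chain is available, and it must not be used to clear the failure.
        boolean pinFailed = platformPinFailed;
        if (!chainFailed && !pinFailed) {
            pinFailed = !isPinInChain(validatedChain, configuredPins);
        }

        OnPinningResultCallback callback = this.pinningResultCallback;
        if (chainFailed || pinFailed) {
            PinningValidationResult result = chainFailed
                    ? PinningValidationResult.FAILED_CERTIFICATE_CHAIN_NOT_TRUSTED
                    : PinningValidationResult.FAILED;
            if (callback != null) {
                callback.onPinningFailed(this.serverHostname, servedChain, validatedChain, result);
            }
        } else if (callback != null) {
            callback.onPinningSuccess(this.serverHostname, servedChain, validatedChain);
        }

        if (chainFailed) {
            // Keep the baseline exception as the cause so the real validation error is not lost.
            throw new CertificateException("Certificate validation failed for " + this.serverHostname, baselineError);
        }
        if (pinFailed) {
            StringBuilder sb = new StringBuilder();
            sb.append("Pin verification failed");
            sb.append("\n  Configured pins: ");
            for (PublicKeyPin pin : configuredPins) {
                sb.append(pin);
                sb.append(StringUtils.SPACE);
            }
            sb.append("\n  Peer certificate chain: ");
            for (X509Certificate x509Certificate : validatedChain) {
                sb.append("\n    ");
                sb.append(new PublicKeyPin(x509Certificate));
                sb.append(" - ");
                sb.append(x509Certificate.getSubjectDN());
            }
            String detail = sb.toString();
            // Raw type kept: the parameter type of UBTLogUtil.logDevTrace is not visible in this file.
            HashMap hashMap = new HashMap();
            hashMap.put("hostName", this.serverHostname);
            hashMap.put("detail", detail);
            UBTLogUtil.logDevTrace("o_ssl_pinning_error", hashMap);
            throw new CertificateException(detail, baselineError);
        }
    }

    /**
     * Returns an empty array; this trust manager advertises no accepted issuers of its own.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}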
