package com.yinhai.hybird.md.engine.trustkit.pinning;

import android.net.http.X509TrustManagerExtensions;
import android.os.Build;
import android.support.annotation.NonNull;
import android.support.annotation.RequiresApi;
import com.yinhai.hybird.md.engine.trustkit.config.DomainPinningPolicy;
import com.yinhai.hybird.md.engine.trustkit.config.PublicKeyPin;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

/* JADX INFO: Access modifiers changed from: package-private */
@RequiresApi(api = 17)
/* loaded from: classes.dex */
public class PinningTrustManager implements X509TrustManager {
    private final X509TrustManagerExtensions baselineTrustManager;
    private final DomainPinningPolicy serverConfig;
    private final String serverHostname;

    public PinningTrustManager(@NonNull String str, @NonNull DomainPinningPolicy domainPinningPolicy, @NonNull X509TrustManager x509TrustManager) {
        this.serverHostname = str;
        this.serverConfig = domainPinningPolicy;
        if (Build.VERSION.SDK_INT < 17) {
            this.baselineTrustManager = null;
        } else {
            this.baselineTrustManager = new X509TrustManagerExtensions(x509TrustManager);
        }
    }

    private static boolean isPinInChain(List<X509Certificate> list, Set<PublicKeyPin> set) {
        Iterator<X509Certificate> it = list.iterator();
        while (it.hasNext()) {
            if (set.contains(new PublicKeyPin(it.next()))) {
                return true;
            }
        }
        return false;
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        List<X509Certificate> list;
        boolean z;
        List<X509Certificate> asList = Arrays.asList(x509CertificateArr);
        boolean z2 = !OkHostnameVerifier.INSTANCE.verify(this.serverHostname, x509CertificateArr[0]);
        try {
            list = this.baselineTrustManager.checkServerTrusted(x509CertificateArr, str, this.serverHostname);
            z = false;
        } catch (CertificateException e) {
            if (Build.VERSION.SDK_INT < 24 || !e.getMessage().startsWith("Pin verification failed")) {
                list = asList;
                z = false;
                z2 = true;
            } else {
                list = asList;
                z = true;
            }
        }
        if (Build.VERSION.SDK_INT < 24 && !z2) {
            if (!(this.serverConfig.getExpirationDate() != null && this.serverConfig.getExpirationDate().compareTo(new Date()) < 0)) {
                z = !isPinInChain(list, this.serverConfig.getPublicKeyPins());
            }
        }
        if (z2 || z) {
            TrustManagerBuilder.getReporter().pinValidationFailed(this.serverHostname, 0, asList, list, this.serverConfig, z2 ? PinningValidationResult.FAILED_CERTIFICATE_CHAIN_NOT_TRUSTED : PinningValidationResult.FAILED);
        }
        if (z2) {
            throw new CertificateException("Certificate validation failed for " + this.serverHostname);
        }
        if (z && this.serverConfig.shouldEnforcePinning()) {
            StringBuilder sb = new StringBuilder();
            sb.append("Pin verification failed");
            sb.append("\n  Configured pins: ");
            Iterator<PublicKeyPin> it = this.serverConfig.getPublicKeyPins().iterator();
            while (it.hasNext()) {
                sb.append(it.next());
                sb.append(" ");
            }
            sb.append("\n  Peer certificate chain: ");
            for (X509Certificate x509Certificate : list) {
                sb.append("\n    ");
                sb.append(new PublicKeyPin(x509Certificate));
                sb.append(" - ");
                sb.append(x509Certificate.getSubjectDN());
            }
            throw new CertificateException(sb.toString());
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
