package com.netki.tlsa;

import com.google.common.io.BaseEncoding;
import com.netki.dns.DNSUtil;
import com.netki.dnssec.DNSSECResolver;
import com.netki.exceptions.DNSSECException;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.xbill.DNS.Name;
import org.xbill.DNS.TLSARecord;
import org.xbill.DNS.TextParseException;

/* loaded from: classes.dex */
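/**
 * DANE/TLSA validation of a server's TLS certificate chain (RFC 6698).
 *
 * <p>Flow: look up the TLSA record for {@code _port._tcp.host} through the DNSSEC resolver, connect
 * to the server and collect the chain it presents (without any PKI validation at that point), find
 * the presented certificate the TLSA record refers to, and then apply the checks required by the
 * record's certificate usage. Everything rests on two trust assumptions that this class cannot verify
 * itself: the injected {@link DNSSECResolver} must only hand back DNSSEC-validated answers, and the
 * injected {@link CertChainValidator} must implement PKIX path validation against the CA keystore.
 *
 * <p>Result signalling (kept from the original API): {@link #validateTLSA(URL)} returns {@code true}
 * for the PKIX usages (0 and 1) and throws {@link ValidSelfSignedCertException} for the DANE usages
 * (2 and 3) so the caller can treat the matched certificate as trusted without a PKIX root.
 *
 * <p>NOTE(review): no hostname verification happens here; the presented certificate's names are never
 * compared with {@code url.getHost()}. DANE-EE(3) does not require it (RFC 7671 section 5.1), but the
 * other usages do unless the caller performs that check -- confirm against the callers.
 */
public class TLSAValidator {
    private static final Logger LOG = Logger.getLogger(TLSAValidator.class.getName());

    /** DNS RR type number for TLSA (RFC 6698), as passed to the DNSSEC resolver. */
    private static final int TYPE_TLSA = 52;
    /** DNS class IN, as expected by the {@link TLSARecord} constructor. */
    private static final int DCLASS_IN = 1;

    // TLSA certificate usages (RFC 6698 section 2.1.1).
    private static final int USAGE_PKIX_TA = 0;
    private static final int USAGE_PKIX_EE = 1;
    private static final int USAGE_DANE_TA = 2;
    private static final int USAGE_DANE_EE = 3;
    // TLSA selectors (RFC 6698 section 2.1.2).
    private static final int SELECTOR_FULL_CERT = 0;
    private static final int SELECTOR_SPKI = 1;
    // TLSA matching types (RFC 6698 section 2.1.3).
    private static final int MATCHING_EXACT = 0;
    private static final int MATCHING_SHA256 = 1;
    private static final int MATCHING_SHA512 = 2;

    /**
     * Trust manager that accepts every peer. It exists only so that {@link #getUrlCerts(URL)} can
     * retrieve the chain the server presents; that chain is NOT trusted until it has been checked
     * against the TLSA record by {@link #validateTLSA(URL)}. Never reuse it for ordinary TLS clients.
     */
    private static final X509TrustManager PRESENTED_CHAIN_COLLECTOR = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            // Deliberately empty: see the field comment.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            // Deliberately empty: see the field comment.
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The interface contract expects a (possibly empty) array; null can NPE in callers.
            return new X509Certificate[0];
        }
    };

    private final CACertService caCertService;
    private final CertChainValidator chainValidator;
    private final DNSSECResolver dnssecResolver;

    /**
     * @param dNSSECResolver  resolver used for the TLSA lookup; must only return DNSSEC-validated data
     * @param cACertService   source of the CA keystore used for PKIX usages
     * @param certChainValidator validator that checks a certificate against a keystore
     */
    public TLSAValidator(DNSSECResolver dNSSECResolver, CACertService cACertService, CertChainValidator certChainValidator) {
        this.dnssecResolver = dNSSECResolver;
        this.caCertService = cACertService;
        this.chainValidator = certChainValidator;
    }

    /**
     * Finds the first presented certificate whose TLSA association data (selector + matching type
     * applied to the certificate) equals the record's data.
     *
     * <p>Reconstructed from the bytecode dump of the decompiled method. Differences: an unknown
     * selector or matching type now yields no match for that certificate (previously an empty buffer
     * was compared against the record data), and a certificate whose encoding cannot be obtained is
     * skipped instead of being compared against an empty buffer.
     *
     * @param tlsa  the TLSA record to match against
     * @param certs the chain as presented by the server (leaf first)
     * @return the matching certificate object from {@code certs}, or {@code null} if none matches
     */
    public Certificate getMatchingCert(TLSARecord tlsa, List<Certificate> certs) {
        byte[] expected = tlsa.getCertificateAssociationData();
        if (expected == null || certs == null) {
            return null;
        }
        for (Certificate cert : certs) {
            try {
                byte[] actual = associationData(cert, tlsa.getSelector(), tlsa.getMatchingType());
                // The compared values are public (hashes of certificates), so timing is not a concern;
                // isEqual is simply the idiomatic digest comparison.
                if (actual != null && MessageDigest.isEqual(actual, expected)) {
                    return cert;
                }
            } catch (CertificateEncodingException | NoSuchAlgorithmException e) {
                LOG.log(Level.WARNING, "Could not derive TLSA association data for a presented certificate", e);
            }
        }
        return null;
    }

    /**
     * Computes the TLSA association data for one certificate.
     *
     * @return the data to compare with the record, or {@code null} for an unsupported selector or
     *         matching type (or a key that exposes no encoding)
     */
    private static byte[] associationData(Certificate cert, int selector, int matchingType)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        byte[] data;
        switch (selector) {
            case SELECTOR_FULL_CERT:
                data = cert.getEncoded();
                break;
            case SELECTOR_SPKI:
                data = cert.getPublicKey().getEncoded();
                break;
            default:
                return null;
        }
        if (data == null) {
            return null;
        }
        switch (matchingType) {
            case MATCHING_EXACT:
                return data;
            case MATCHING_SHA256:
                return MessageDigest.getInstance("SHA-256").digest(data);
            case MATCHING_SHA512:
                return MessageDigest.getInstance("SHA-512").digest(data);
            default:
                return null;
        }
    }

    /** Explicit port of {@code url}, falling back to the protocol default. */
    private static int portOf(URL url) {
        int port = url.getPort();
        return port == -1 ? url.getDefaultPort() : port;
    }

    /**
     * Looks up the TLSA record for {@code _port._tcp.host.} via the DNSSEC resolver.
     *
     * <p>The resolver returns presentation-format rdata ("usage selector mtype hexdata"); anything
     * else (no record, resolver/DNSSEC failure, malformed fields) yields {@code null}. Malformed
     * numbers or hex previously escaped as unchecked exceptions; they are now treated as "no record".
     *
     * @return the record, or {@code null} if none could be obtained
     */
    public TLSARecord getTLSARecord(URL url) {
        String owner = String.format("_%d._tcp.%s", portOf(url), DNSUtil.ensureDot(url.getHost()));
        try {
            String rdata = this.dnssecResolver.resolve(owner, TYPE_TLSA);
            if (rdata == null || rdata.isEmpty()) {
                return null;
            }
            String[] fields = rdata.split(" ");
            if (fields.length != 4) {
                return null;
            }
            // BaseEncoding.base16() only decodes upper-case digits; normalise in case the resolver
            // emits lower-case hex.
            byte[] data = BaseEncoding.base16().decode(fields[3].toUpperCase(Locale.ROOT));
            return new TLSARecord(new Name(owner), DCLASS_IN, 0L,
                    Integer.parseInt(fields[0]), Integer.parseInt(fields[1]), Integer.parseInt(fields[2]), data);
        } catch (DNSSECException | TextParseException e) {
            LOG.log(Level.FINE, "No usable TLSA record at " + owner, e);
            return null;
        } catch (IllegalArgumentException e) {
            // NumberFormatException (a subclass) from parseInt, or malformed hex rejected by Guava.
            LOG.log(Level.WARNING, "Malformed TLSA rdata at " + owner, e);
            return null;
        }
    }

    /**
     * Opens a TLS connection to the URL's host/port and returns the chain the server presented,
     * leaf first, exactly as sent (no path building, no PKI validation, no hostname check).
     *
     * <p>The connection uses {@link #PRESENTED_CHAIN_COLLECTOR}, i.e. it accepts any server. The
     * returned chain is therefore untrusted data and must only be used as input to the TLSA checks.
     *
     * @return the presented chain, or an empty list if the connection or handshake failed
     */
    public List<Certificate> getUrlCerts(URL url) {
        String host = url.getHost();
        int port = portOf(url);
        try {
            // "TLS" is the protocol name mandated by the Java spec; "SSL" is a provider alias for it.
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, new TrustManager[]{PRESENTED_CHAIN_COLLECTOR}, null);
            try (SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(host, port)) {
                socket.startHandshake();
                return new ArrayList<>(Arrays.asList(socket.getSession().getPeerCertificates()));
            }
        } catch (IOException | GeneralSecurityException e) {
            LOG.log(Level.WARNING, "Could not retrieve certificate chain from " + host + ":" + port, e);
            return new ArrayList<>();
        }
    }

    /**
     * Copies the certificate entries of {@code source} into a fresh keystore of the same type, so that
     * peer-presented certificates can be added for one validation without mutating the CA keystore
     * (whose instance may be shared across calls) or overwriting a CA entry that has the same alias.
     */
    private static KeyStore scratchCopyOf(KeyStore source) throws GeneralSecurityException, IOException {
        KeyStore copy = KeyStore.getInstance(source.getType());
        copy.load(null, null);
        for (String alias : Collections.list(source.aliases())) {
            if (source.isCertificateEntry(alias)) {
                copy.setCertificateEntry(alias, source.getCertificate(alias));
            }
        }
        return copy;
    }

    /**
     * Validates {@code certificate} with the chain validator against the CA keystore, after adding
     * every other certificate of {@code list} to a scratch copy of that keystore.
     *
     * <p>NOTE(review): {@code setCertificateEntry} creates <em>trusted</em> entries. If
     * {@code validateKeyChain} treats every trusted entry as a trust anchor rather than only as an
     * intermediate, any issuer the peer chooses to present would satisfy it -- confirm how
     * {@link CertChainValidator} uses the keystore before relying on this for usages 0 and 1.
     *
     * @return {@code true} if the validator accepts the certificate; {@code false} on rejection or error
     */
    public boolean isValidCertChain(Certificate certificate, List<Certificate> list) {
        try {
            KeyStore trust = scratchCopyOf(this.caCertService.getCaCertKeystore());
            int index = 0;
            for (Certificate presented : list) {
                // equals() (encoded-bytes comparison) rather than identity: a second copy of the
                // certificate under test must not end up as a trusted entry.
                if (!presented.equals(certificate)) {
                    String subject = ((X509Certificate) presented).getSubjectX500Principal().getName();
                    trust.setCertificateEntry("tlsa-peer-" + index + " " + subject, presented);
                }
                index++;
            }
            return this.chainValidator.validateKeyChain((X509Certificate) certificate, trust);
        } catch (Exception e) {
            // validateKeyChain's throws clause is not visible here, so keep the broad catch.
            LOG.log(Level.WARNING, "Certificate chain validation failed", e);
            return false;
        }
    }

    /**
     * Validates the server at {@code url} against its TLSA record.
     *
     * <p>Per usage (RFC 6698 section 2.1.1), with {@code leaf = chain.get(0)}:
     * <ul>
     *   <li>0 PKIX-TA: the matched certificate must not be the leaf, and both it and the leaf must
     *       pass {@link #isValidCertChain}. The leaf check is new; previously only the matched CA
     *       certificate was validated, so a peer could present an attacker leaf followed by a public,
     *       genuinely trusted CA certificate. {@code validateKeyChain} only returns a boolean, so it is
     *       still not verified that the leaf's path actually runs through the matched CA.</li>
     *   <li>1 PKIX-EE: the matched certificate must be the leaf and pass {@link #isValidCertChain}.</li>
     *   <li>2 DANE-TA: the matched certificate must be the last presented certificate and the leaf
     *       must pass {@link #isValidCertChain}; success is signalled by throwing.</li>
     *   <li>3 DANE-EE: the matched certificate must be the leaf; success is signalled by throwing.
     *       This leaf check is new: the TLS handshake only proves possession of the leaf's key, and
     *       {@link #getMatchingCert} searches the whole presented chain, so without it a peer could
     *       append the pinned (public) certificate behind its own leaf.</li>
     * </ul>
     *
     * @return {@code true} only for a successful PKIX usage (0 or 1); {@code false} otherwise
     * @throws ValidSelfSignedCertException for a successful DANE usage (2 or 3), carrying the matched certificate
     */
    public boolean validateTLSA(URL url) throws ValidSelfSignedCertException {
        TLSARecord tlsa = getTLSARecord(url);
        if (tlsa == null) {
            return false;
        }
        List<Certificate> chain = getUrlCerts(url);
        if (chain == null || chain.isEmpty()) {
            return false;
        }
        Certificate matched = getMatchingCert(tlsa, chain);
        if (matched == null) {
            return false;
        }
        Certificate leaf = chain.get(0);
        Certificate last = chain.get(chain.size() - 1);
        switch (tlsa.getCertificateUsage()) {
            case USAGE_PKIX_TA:
                return !matched.equals(leaf)
                        && isValidCertChain(matched, chain)
                        && isValidCertChain(leaf, chain);
            case USAGE_PKIX_EE:
                return matched.equals(leaf) && isValidCertChain(matched, chain);
            case USAGE_DANE_TA:
                if (matched.equals(last) && isValidCertChain(leaf, chain)) {
                    throw new ValidSelfSignedCertException(matched);
                }
                return false;
            case USAGE_DANE_EE:
                if (matched.equals(leaf)) {
                    throw new ValidSelfSignedCertException(matched);
                }
                return false;
            default:
                // Unknown usage values (RFC 6698 reserves 4-254 and 255): never trust.
                return false;
        }
    }
}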
