package ch.threema.app.onprem;

import ch.threema.app.services.OnPremConfigFetcherProvider;
import ch.threema.base.utils.Base64;
import ch.threema.domain.onprem.OnPremConfigDomainRule;
import ch.threema.domain.onprem.OnPremConfigDomainRuleMatchMode;
import ch.threema.domain.onprem.OnPremConfigDomainRuleSpki;
import ch.threema.domain.onprem.OnPremConfigDomainRuleSpkiAlgorithm;
import ch.threema.domain.onprem.OnPremConfigDomains;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import kotlin.NoWhenBranchMatchedException;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.StringsKt__StringsJVMKt;

/* compiled from: OnPremCertPinningTrustManager.kt */
/* loaded from: classes3.dex */
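/**
 * {@link X509TrustManager} that layers public-key pinning on top of a delegate trust manager.
 *
 * <p>Server validation runs in two stages: the delegate validates the chain for the current
 * hostname, then the leaf certificate's public-key digest is compared against the SPKI pins of
 * every domain rule in the OnPrem configuration that matches that hostname.
 *
 * <p>Pinning semantics, as implemented here:
 * <ul>
 *   <li>No {@code domains} section or no rule list: only the delegate's validation applies.</li>
 *   <li>A matching rule whose SPKI list is {@code null}: the rule imposes no pin.</li>
 *   <li>A matching rule whose SPKI list is empty: no certificate can satisfy it, so the
 *       connection is rejected.</li>
 *   <li>Several matching rules: the leaf must satisfy each rule that carries pins.</li>
 * </ul>
 *
 * <p>NOTE(review): the hostname comes from {@link HostnameProvider}, not from the TLS session
 * passed to the trust manager. Confirm the provider always reflects the host of the connection
 * being validated, otherwise the wrong rule set is applied.
 */
public final class OnPremCertPinningTrustManager implements X509TrustManager {
    public final TrustManagerDelegate delegate;
    public final HostnameProvider hostnameProvider;
    public final OnPremConfigFetcherProvider onPremConfigFetcherProvider;

    /* compiled from: OnPremCertPinningTrustManager.kt */
    /* loaded from: classes3.dex */
    /**
     * Compiler-generated lookup tables for the Kotlin {@code when} expressions over the match-mode
     * and SPKI-algorithm enums. Each table maps an enum ordinal to a 1-based case index; a slot
     * left at 0 means "no branch" and makes the caller throw {@link NoWhenBranchMatchedException}.
     */
    public /* synthetic */ class WhenMappings {
        public static final /* synthetic */ int[] $EnumSwitchMapping$0;
        public static final /* synthetic */ int[] $EnumSwitchMapping$1;

        static {
            // NoSuchFieldError is ignored on purpose: if an enum constant is absent at runtime,
            // its slot simply stays 0.
            int[] iArr = new int[OnPremConfigDomainRuleMatchMode.values().length];
            try {
                iArr[OnPremConfigDomainRuleMatchMode.EXACT.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                iArr[OnPremConfigDomainRuleMatchMode.INCLUDE_SUBDOMAINS.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            $EnumSwitchMapping$0 = iArr;
            int[] iArr2 = new int[OnPremConfigDomainRuleSpkiAlgorithm.values().length];
            try {
                iArr2[OnPremConfigDomainRuleSpkiAlgorithm.SHA256.ordinal()] = 1;
            } catch (NoSuchFieldError unused3) {
            }
            $EnumSwitchMapping$1 = iArr2;
        }
    }

    /**
     * Creates a pinning trust manager.
     *
     * @param onPremConfigFetcherProvider source of the OnPrem configuration holding the domain rules
     * @param hostnameProvider supplies the hostname the rules are matched against
     * @param delegate trust manager that performs the regular chain validation
     */
    public OnPremCertPinningTrustManager(OnPremConfigFetcherProvider onPremConfigFetcherProvider, HostnameProvider hostnameProvider, TrustManagerDelegate delegate) {
        Intrinsics.checkNotNullParameter(onPremConfigFetcherProvider, "onPremConfigFetcherProvider");
        Intrinsics.checkNotNullParameter(hostnameProvider, "hostnameProvider");
        Intrinsics.checkNotNullParameter(delegate, "delegate");
        this.onPremConfigFetcherProvider = onPremConfigFetcherProvider;
        this.hostnameProvider = hostnameProvider;
        this.delegate = delegate;
    }

    /**
     * Synthetic bridge for the Kotlin default argument: when bit 4 of {@code i} is set, a fresh
     * {@link TrustManagerDelegate} replaces the passed delegate.
     */
    public /* synthetic */ OnPremCertPinningTrustManager(OnPremConfigFetcherProvider onPremConfigFetcherProvider, HostnameProvider hostnameProvider, TrustManagerDelegate trustManagerDelegate, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(onPremConfigFetcherProvider, hostnameProvider, (i & 4) != 0 ? new TrustManagerDelegate() : trustManagerDelegate);
    }

    /** Forwards client-certificate validation to the delegate; no pinning is applied. */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Validates the server chain through the delegate, then enforces the SPKI pins of every
     * domain rule that matches the current hostname.
     *
     * <p>Only the first certificate of the chain (the leaf) is compared against the pins.
     *
     * @param x509CertificateArr the peer certificate chain, leaf first
     * @param str the authentication type, passed through to the delegate
     * @throws CertificateException if the chain is empty while rules exist, if a matching rule
     *     with pins is not satisfied by the leaf, or if an {@link IllegalStateException} or
     *     {@link NoSuchAlgorithmException} is raised while checking
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        try {
            String hostname = this.hostnameProvider.getHostname();
            // Regular validation runs first, so a pin can only narrow trust, never widen it.
            this.delegate.checkServerTrusted(x509CertificateArr, str, hostname);
            OnPremConfigDomains domains = this.onPremConfigFetcherProvider.getOnPremConfigFetcher().fetch().getDomains();
            if (domains == null) {
                return;
            }
            List<OnPremConfigDomainRule> rules = domains.getRules();
            if (rules == null) {
                return;
            }
            X509Certificate leaf = x509CertificateArr == null ? null : (X509Certificate) ArraysKt___ArraysKt.firstOrNull(x509CertificateArr);
            if (leaf == null) {
                throw new CertificateException("No certificate found in trust chain");
            }
            for (OnPremConfigDomainRule rule : rules) {
                if (!ruleMatchesHostname(rule, hostname)) {
                    continue;
                }
                List<OnPremConfigDomainRuleSpki> spkis = rule.getSpkis();
                if (spkis == null) {
                    // A rule without an SPKI list imposes no pin.
                    continue;
                }
                // An empty list leaves this false, so such a rule rejects every certificate.
                boolean pinned = false;
                for (OnPremConfigDomainRuleSpki spki : spkis) {
                    // MessageDigest.isEqual keeps the comparison constant-time.
                    // NOTE(review): confirm how Base64.decode reacts to a malformed pin value and
                    // that such a failure still ends in a rejected handshake.
                    if (MessageDigest.isEqual(getPublicKeyFingerprintFor(leaf, spki.getAlgorithm()), Base64.decode(spki.getValue()))) {
                        pinned = true;
                        break;
                    }
                }
                if (!pinned) {
                    throw new CertificateException("Certificate did not match any cert pinning rules for " + hostname);
                }
            }
        } catch (IllegalStateException | NoSuchAlgorithmException e) {
            // Fail closed: the TLS stack only expects CertificateException from a trust manager.
            throw new CertificateException(e);
        }
    }

    /**
     * Tells whether a domain rule applies to the given hostname (case-insensitive).
     *
     * <p>The decompiled listing assigned {@code true} unconditionally in the INCLUDE_SUBDOMAINS
     * branch, which would apply such a rule to every hostname; the condition is restored here.
     */
    private static boolean ruleMatchesHostname(OnPremConfigDomainRule rule, String hostname) {
        switch (WhenMappings.$EnumSwitchMapping$0[rule.getMatchMode().ordinal()]) {
            case 1: // EXACT
                return StringsKt__StringsJVMKt.equals(hostname, rule.getFqdn(), true);
            case 2: // INCLUDE_SUBDOMAINS
                // The leading dot keeps "evilexample.com" from matching a rule for "example.com".
                return StringsKt__StringsJVMKt.equals(hostname, rule.getFqdn(), true)
                        || StringsKt__StringsJVMKt.endsWith(hostname, "." + rule.getFqdn(), true);
            default:
                throw new NoWhenBranchMatchedException();
        }
    }

    /** Returns the issuers accepted by the delegate. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.getAcceptedIssuers();
    }

    /**
     * Computes the public-key fingerprint of a certificate for a configured pin algorithm.
     *
     * @param x509Certificate certificate whose public key is hashed
     * @param onPremConfigDomainRuleSpkiAlgorithm pin algorithm; only SHA256 is mapped
     * @return the digest bytes
     * @throws NoSuchAlgorithmException if the runtime has no provider for the digest
     * @throws NoWhenBranchMatchedException for an algorithm without a mapping
     */
    public final byte[] getPublicKeyFingerprintFor(X509Certificate x509Certificate, OnPremConfigDomainRuleSpkiAlgorithm onPremConfigDomainRuleSpkiAlgorithm) throws NoSuchAlgorithmException {
        if (WhenMappings.$EnumSwitchMapping$1[onPremConfigDomainRuleSpkiAlgorithm.ordinal()] == 1) {
            return getPublicKeyFingerprintFor(x509Certificate, "sha-256");
        }
        throw new NoWhenBranchMatchedException();
    }

    /**
     * Hashes the encoded public key of a certificate with the named digest algorithm.
     *
     * <p>The input is {@code getPublicKey().getEncoded()}, so a pin survives certificate renewal
     * as long as the key pair stays the same.
     *
     * @param x509Certificate certificate whose public key is hashed
     * @param str JCA digest algorithm name
     * @return the digest bytes
     * @throws NoSuchAlgorithmException if no provider implements {@code str}
     */
    public final byte[] getPublicKeyFingerprintFor(X509Certificate x509Certificate, String str) throws NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance(str);
        messageDigest.update(x509Certificate.getPublicKey().getEncoded());
        byte[] digest = messageDigest.digest();
        Intrinsics.checkNotNullExpressionValue(digest, "digest(...)");
        return digest;
    }
}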
