package info.guardianproject.onionkit.trust;

import android.content.Context;
import android.util.Log;
import info.guardianproject.onionkit.R;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.X509TrustManager;
import org.spongycastle.asn1.ASN1OctetString;
import org.spongycastle.asn1.ASN1Primitive;
import org.spongycastle.asn1.ASN1String;
import org.spongycastle.asn1.DERSequence;
import org.spongycastle.asn1.x509.GeneralName;
import org.spongycastle.asn1.x509.X509Extensions;

/* loaded from: classes.dex */
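/**
 * Base class for an {@link X509TrustManager} that carries a trust store plus a set of
 * verification policy switches (expiry, chain, root, self-signed, host name, chain crypto).
 *
 * <p>This class only stores the policy and offers certificate helper methods; it does not
 * implement {@code checkClientTrusted}/{@code checkServerTrusted}. Nothing in this class reads
 * the policy flags, so whether a flag is honoured depends entirely on the concrete subclass.
 *
 * <p>Every check defaults to its strict setting (self-signed certificates are rejected). Each
 * {@code set*} method can switch a check off, so any caller that relaxes a flag is weakening
 * certificate validation for every connection that uses this instance.
 *
 * <p>No synchronization is performed on any field.
 */
public abstract class StrongTrustManager implements X509TrustManager {
    private static final String TAG = "ONIONKIT";

    // Integrity password for the bundled BKS trust store. It is a compile-time constant shipped
    // in the APK and is also handed out by getTrustStorePassword(), so it must not be treated
    // as a secret. NOTE(review): the store is presumably a public CA bundle - confirm.
    private static final String TRUSTSTORE_PASSWORD = "changeit";
    private static final String TRUSTSTORE_TYPE = "BKS";

    // Mutable global debug switch, on by default. Nothing in this class reads it.
    // NOTE(review): confirm that code gated on it does not log certificate or host details
    // in release builds.
    public static boolean SHOW_DEBUG_OUTPUT = true;

    // Captures the text after the first "cn=" (case-insensitive) up to the next comma. The match
    // is made on the DN's string form and is not anchored to an RDN boundary.
    private static final Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");

    // Policy switches; package-private so that code in this package can read them directly.
    boolean mExpiredCheck = true;
    boolean mVerifyChain = true;
    boolean mVerifyRoot = true;
    boolean mSelfSignedAllowed = false;
    boolean mCheckMatchingDomain = true;
    boolean mCheckChainCrypto = true;
    boolean mNotifyVerificationSuccess = false;
    boolean mNotifyVerificationFail = true;

    private Context mContext;
    private String mDomain;
    private String mServer;
    private KeyStore mTrustStore;

    /**
     * Creates a trust manager backed by the trust store bundled as a raw resource.
     *
     * @param context Android context used to open the bundled trust store resource
     * @throws KeyStoreException if no provider supplies the {@code BKS} key store type
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     * @throws CertificateException if a certificate in the store cannot be loaded
     * @throws IOException if the store cannot be read or its integrity check fails
     */
    public StrongTrustManager(Context context) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        this.mContext = context;
        this.mTrustStore = KeyStore.getInstance(TRUSTSTORE_TYPE);
        InputStream in = this.mContext.getResources().openRawResource(R.raw.debiancacerts);
        try {
            this.mTrustStore.load(in, TRUSTSTORE_PASSWORD.toCharArray());
        } finally {
            // KeyStore.load does not close the stream it is given; close it here so the
            // resource handle is not leaked, without masking an exception thrown by load().
            try {
                in.close();
            } catch (IOException ignored) {
                // Nothing useful can be done if closing a read-only resource stream fails.
            }
        }
    }

    /**
     * Legacy constructor; the two extra arguments are ignored.
     *
     * @param context Android context used to open the bundled trust store resource
     * @param str unused
     * @param i unused
     * @deprecated use {@link #StrongTrustManager(Context)}; {@code str} and {@code i} have no effect.
     */
    @Deprecated
    public StrongTrustManager(Context context, String str, int i) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        this(context);
    }

    /**
     * Creates a trust manager backed by a caller-supplied trust store.
     *
     * <p>The store is used as given: nothing here inspects which anchors it contains. The
     * checked exceptions are kept in the signature for source compatibility only; this
     * constructor does not throw them itself.
     *
     * @param context Android context kept for later use
     * @param keyStore trust store holding the accepted trust anchors
     */
    public StrongTrustManager(Context context, KeyStore keyStore) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        this.mContext = context;
        this.mTrustStore = keyStore;
    }

    /**
     * Tests whether either of two expected host names matches one of the certificate identities.
     *
     * <p>Comparison is case-insensitive. An identity beginning with {@code "*."} is a wildcard:
     * the first label of the expected name is dropped and the remainder must equal the identity
     * without its leading {@code '*'}. The wildcard therefore covers exactly one left-most label,
     * but no minimum number of labels is required after it, so an identity such as
     * {@code *.com} is accepted for {@code example.com}. Callers that need a stricter policy
     * must filter identities before calling this method.
     *
     * <p>A {@code null} expected name, identity or collection never matches; the method returns
     * {@code false} rather than throwing.
     *
     * @param str first expected host name (presumably the configured domain - confirm against caller)
     * @param str2 second expected host name (presumably the configured server - confirm against caller)
     * @param collection identities taken from the certificate, see {@link #getPeerIdentity}
     * @return {@code true} if any identity matches {@code str2} or {@code str}
     */
    static boolean checkMatchingDomain(String str, String str2, Collection<String> collection) {
        if (collection == null) {
            return false;
        }
        for (String identity : collection) {
            if (identity == null) {
                continue;
            }
            if (identity.startsWith("*.")) {
                String suffix = identity.substring(1);
                if (suffix.equalsIgnoreCase(stripFirstLabel(str2)) || suffix.equalsIgnoreCase(stripFirstLabel(str))) {
                    return true;
                }
            } else if (identity.equalsIgnoreCase(str2) || identity.equalsIgnoreCase(str)) {
                return true;
            }
        }
        return false;
    }

    /** Removes the first run of non-dot characters from {@code host}; {@code null} stays {@code null}. */
    private static String stripFirstLabel(String host) {
        return host == null ? null : host.replaceFirst("[^.]+", "");
    }

    /**
     * Returns the names a certificate claims for its subject.
     *
     * <p>If the certificate yields any DNS subject alternative names, only those are returned.
     * Otherwise the result is a single-element list holding the text captured by
     * {@code cnPattern} from the subject DN string, or the whole DN string when the pattern
     * does not match.
     *
     * <p>NOTE(review): the common-name fallback is also taken when the SAN extension exists but
     * produced no DNS names (no dNSName entries, or a parse failure before the first one).
     * Confirm that this fallback is intended, since a CN is then trusted for a certificate
     * whose SAN extension could not be evaluated.
     *
     * @param x509Certificate certificate to inspect
     * @return the DNS alternative names, or a one-element list derived from the subject DN
     */
    public static Collection<String> getPeerIdentity(X509Certificate x509Certificate) {
        Collection<String> altNames = getSubjectAlternativeNames(x509Certificate);
        if (!altNames.isEmpty()) {
            return altNames;
        }
        String name = x509Certificate.getSubjectDN().getName();
        Matcher matcher = cnPattern.matcher(name);
        if (matcher.find()) {
            name = matcher.group(2);
        }
        ArrayList<String> identities = new ArrayList<String>();
        identities.add(name);
        return identities;
    }

    /**
     * Extracts the dNSName entries from a certificate's subject alternative name extension.
     *
     * <p>Only entries tagged {@code dNSName} are collected; every other general name type
     * (IP addresses included) is skipped.
     *
     * <p>Parsing errors are logged and not rethrown. In that case the names collected before
     * the failure are returned in a modifiable list, so a truncated result is indistinguishable
     * from a complete one for the caller.
     *
     * @param x509Certificate certificate to inspect
     * @return an empty list when the extension is absent, otherwise the DNS names found
     */
    static Collection<String> getSubjectAlternativeNames(X509Certificate x509Certificate) {
        ArrayList<String> dnsNames = new ArrayList<String>();
        try {
            byte[] extensionValue = x509Certificate.getExtensionValue(X509Extensions.SubjectAlternativeName.getId());
            if (extensionValue == null) {
                return Collections.emptyList();
            }
            // The extension value is an OCTET STRING that wraps the DER-encoded GeneralNames sequence.
            byte[] encodedNames = ((ASN1OctetString) ASN1Primitive.fromByteArray(extensionValue)).getOctets();
            Enumeration<?> entries = DERSequence.getInstance(ASN1Primitive.fromByteArray(encodedNames)).getObjects();
            while (entries.hasMoreElements()) {
                GeneralName generalName = GeneralName.getInstance(entries.nextElement());
                if (generalName.getTagNo() == GeneralName.dNSName) {
                    dnsNames.add(((ASN1String) generalName.getName()).getString());
                }
            }
            return Collections.unmodifiableCollection(dnsNames);
        } catch (Exception e) {
            Log.e(TAG, "getSubjectAlternativeNames()", e);
            return dnsNames;
        }
    }

    /**
     * Always returns an empty array; the trust store contents are not advertised.
     *
     * @return a new zero-length array
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }

    /** @return the domain set through {@link #setDomain}, or {@code null} if none was set */
    public String getDomain() {
        return this.mDomain;
    }

    /**
     * Computes a digest of the certificate's encoded form and renders it as hex.
     *
     * <p>Each byte is written as two lower-case hex digits followed by a space, so the result
     * ends with a trailing space. Callers comparing fingerprints must compare against strings
     * in that exact format.
     *
     * @param x509Certificate certificate to fingerprint
     * @param str {@link MessageDigest} algorithm name chosen by the caller
     * @return the space-separated hex digest
     * @throws NoSuchAlgorithmException if {@code str} names an unavailable digest
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    public String getFingerprint(X509Certificate x509Certificate, String str) throws NoSuchAlgorithmException, CertificateEncodingException {
        byte[] digest = MessageDigest.getInstance(str).digest(x509Certificate.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 3);
        for (byte b : digest) {
            String hexByte = Integer.toHexString(b & 255);
            if (hexByte.length() == 1) {
                hex.append('0');
            }
            hex.append(hexByte).append(' ');
        }
        return hex.toString();
    }

    /** @return the trust store; same object as {@link #getTrustStore()} */
    public KeyStore getKeyStore() {
        return this.mTrustStore;
    }

    /** @return the server set through {@link #setServer}, or {@code null} if none was set */
    public String getServer() {
        return this.mServer;
    }

    /** @return the live trust store instance (not a copy), so changes made to it are shared */
    public KeyStore getTrustStore() {
        return this.mTrustStore;
    }

    /** @return the fixed integrity password of the bundled trust store; not a secret */
    public String getTrustStorePassword() {
        return TRUSTSTORE_PASSWORD;
    }

    /** @return the chain-crypto check flag; {@code true} by default */
    public boolean hasCheckChainCrypto() {
        return this.mCheckChainCrypto;
    }

    /** @return the host-name matching flag; {@code true} by default */
    public boolean isCheckMatchingDomain() {
        return this.mCheckMatchingDomain;
    }

    /** @return the expiry check flag; {@code true} by default */
    public boolean isExpiredCheck() {
        return this.mExpiredCheck;
    }

    /** @return the self-signed allowance flag; {@code false} by default */
    public boolean isSelfSignedAllowed() {
        return this.mSelfSignedAllowed;
    }

    /** @return the chain verification flag; {@code true} by default */
    public boolean isVerifyChain() {
        return this.mVerifyChain;
    }

    /** @return the root verification flag; {@code true} by default */
    public boolean isVerifyRoot() {
        return this.mVerifyRoot;
    }

    /** Sets the chain-crypto check flag; {@code false} relaxes the default policy. */
    public void setCheckChainCrypto(boolean z) {
        this.mCheckChainCrypto = z;
    }

    /** Sets the host-name matching flag; {@code false} relaxes the default policy. */
    public void setCheckMatchingDomain(boolean z) {
        this.mCheckMatchingDomain = z;
    }

    /** Stores the domain returned by {@link #getDomain()}. */
    public void setDomain(String str) {
        this.mDomain = str;
    }

    /** Sets the expiry check flag; {@code false} relaxes the default policy. */
    public void setExpiredCheck(boolean z) {
        this.mExpiredCheck = z;
    }

    /** Sets the notify-on-failure flag; {@code true} by default. */
    public void setNotifyVerificationFail(boolean z) {
        this.mNotifyVerificationFail = z;
    }

    /** Sets the notify-on-success flag; {@code false} by default. */
    public void setNotifyVerificationSuccess(boolean z) {
        this.mNotifyVerificationSuccess = z;
    }

    /** Sets the self-signed allowance flag; {@code true} relaxes the default policy. */
    public void setSelfSignedAllowed(boolean z) {
        this.mSelfSignedAllowed = z;
    }

    /** Stores the server returned by {@link #getServer()}. */
    public void setServer(String str) {
        this.mServer = str;
    }

    /** Replaces the trust store; the new store is used as given, without inspection. */
    public void setTrustStore(KeyStore keyStore) {
        this.mTrustStore = keyStore;
    }

    /** Sets the chain verification flag; {@code false} relaxes the default policy. */
    public void setVerifyChain(boolean z) {
        this.mVerifyChain = z;
    }

    /** Sets the root verification flag; {@code false} relaxes the default policy. */
    public void setVerifyRoot(boolean z) {
        this.mVerifyRoot = z;
    }
}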
