package com.facebook.fbreact.directwifi;

import android.util.Base64;
import androidx.annotation.Nullable;
import com.facebook.common.dextricks.DalvikInternals;
import com.facebook.debug.log.BLog;
import com.facebook.infer.annotation.SuppressLint;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.internal.Util;
import okhttp3.internal.platform.Platform;

/* loaded from: classes2.dex */
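/**
 * TLS helpers for the Direct WiFi transport (decompiled source; identifiers are obfuscated).
 *
 * <p>The class builds an {@link OkHttpClient} that authenticates the peer with a custom
 * {@link X509TrustManager} instead of the platform trust store, and presents a client
 * certificate taken from the keystore returned by {@code DirectWiFiKeystoreProvider}.
 *
 * <p>Security-relevant properties visible in this file:
 * <ul>
 *   <li>The last certificate of the peer chain is accepted when its public key equals the public
 *       key of one of the caller-supplied certificates (public-key pinning of the chain root).
 *   <li>Hostname verification is disabled; the only peer-identity check is the CN callback
 *       invoked from {@code checkServerTrusted}.
 *   <li>No revocation, basic-constraints or key-usage checks are performed.
 * </ul>
 */
public class DirectWiFiTLSUtils {
    /** Log tag passed to {@code BLog}. */
    static final String a = "DirectWiFiTLSUtils";

    /**
     * Captures the CN value from the string form of a subject DN. The value must consist of
     * Base64-alphabet characters and may be wrapped in double quotes.
     *
     * <p>NOTE(review): the pattern runs over {@code getSubjectDN().toString()}, whose layout is
     * provider-dependent, and it is not anchored to an RDN boundary: the leading {@code .*} is
     * greedy, so with several "CN=" occurrences in the string the last one is captured, and a
     * "CN=" substring inside another attribute's value would match as well. Reading the CN from
     * the parsed subject (e.g. {@code getSubjectX500Principal()}) would be more robust — confirm
     * what the device certificates look like before changing it.
     */
    static final Pattern b = Pattern.compile(".*CN=\"?([a-zA-Z0-9=/+]+)\"?.*");

    // Not referenced anywhere in this class.
    // NOTE(review): if DalvikInternals.IOPRIO_CLASS_SHIFT is 13 (0x0D) these bytes are the DER
    // content of OID 1.2.840.113549.1.1.1 (rsaEncryption); the constant name is presumably a
    // decompiler substitution for the literal — confirm.
    static final byte[] c = {42, -122, 72, -122, -9, DalvikInternals.IOPRIO_CLASS_SHIFT, 1, 1, 1};

    // Keystore alias of the client key pair and its certificate chain.
    private static final String CLIENT_KEY_ALIAS = "com.facebook.bishop.bptls-pk";

    /**
     * Callback that decides whether the CN taken from the peer's leaf certificate is acceptable.
     */
    /* loaded from: classes2.dex */
    public interface CertificateNameValidator {
        /**
         * @param str the CN captured from the leaf certificate's subject
         * @param str2 the string the caller passed to the client factory; presumably the expected
         *     peer identity — confirm against callers
         * @return {@code true} to accept the peer, {@code false} to reject it
         */
        boolean a(String str, String str2);
    }

    /**
     * Parses a certificate given as Base64 text, with or without PEM BEGIN/END markers.
     *
     * <p>NOTE(review): {@code CertificateFactory} reports failures with the checked
     * {@code CertificateException}; the decompiled signature shows no {@code throws} clause,
     * presumably lost in decompilation — confirm against the original.
     *
     * @param str Base64 (optionally PEM-armoured) X.509 certificate
     * @return the parsed certificate
     */
    public static X509Certificate a(String str) {
        // Strip the PEM armour; what remains is handed to the Base64 decoder (flag 0 = DEFAULT).
        String base64Body = str.replace("-----BEGIN CERTIFICATE-----\n", "")
                .replace("-----BEGIN CERTIFICATE-----", "")
                .replace("-----END CERTIFICATE-----", "");
        byte[] der = Base64.decode(base64Body, 0);
        return (X509Certificate) CertificateFactory.getInstance("X509")
                .generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Returns the earliest {@code notAfter} date among the X.509 certificates stored under the
     * client key alias, i.e. the moment the client chain stops being valid.
     *
     * @return the earliest expiry, or {@code new Date(0)} when the alias or its chain is missing,
     *     the chain holds no X.509 certificate, or the keystore cannot be read
     */
    public static Date a() {
        // Epoch doubles as the "nothing found" result and, by identity, as the loop sentinel.
        Date epoch = new Date(0L);
        try {
            KeyStore keyStore = DirectWiFiKeystoreProvider.a.a();
            if (!keyStore.containsAlias(CLIENT_KEY_ALIAS)) {
                return epoch;
            }
            Certificate[] chain = keyStore.getCertificateChain(CLIENT_KEY_ALIAS);
            if (chain == null) {
                return epoch;
            }
            Date earliest = epoch;
            for (Certificate certificate : chain) {
                if (certificate instanceof X509Certificate) {
                    Date notAfter = ((X509Certificate) certificate).getNotAfter();
                    if (earliest == epoch || earliest.after(notAfter)) {
                        earliest = notAfter;
                    }
                }
            }
            return earliest;
        } catch (IOException | GeneralSecurityException ignored) {
            // Best effort: an unreadable keystore is reported as "already expired".
            return epoch;
        }
    }

    /**
     * Builds an {@link OkHttpClient} for mutual TLS with a Direct WiFi peer.
     *
     * <p>The peer chain is accepted only if every certificate is inside its validity period, each
     * certificate is signed by the next one in the chain, the last certificate's public key
     * matches one of {@code list}, and {@code certificateNameValidator} accepts the leaf CN.
     * The client authenticates with the key and chain stored under the client key alias.
     *
     * @param str value forwarded unchanged as the second argument of the CN validator
     * @param list pinned root certificates; only their public keys are compared
     * @param certificateNameValidator decides whether the leaf CN is acceptable for {@code str}
     * @return the configured client, or {@code null} when the keystore or TLS context cannot be
     *     set up
     */
    @Nullable
    public static OkHttpClient a(final String str, final List<X509Certificate> list, final CertificateNameValidator certificateNameValidator) {
        final X509TrustManager trustManager = new X509TrustManager() { // from class: com.facebook.fbreact.directwifi.DirectWiFiTLSUtils.1
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str2) {
                // Accepts everything. This trust manager is only installed on a client-side
                // SSLContext in this file; it must not be reused for a server socket.
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str2) throws CertificateException {
                if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                    BLog.b(DirectWiFiTLSUtils.a, "no device certificate");
                    throw new CertificateException("no device certificate", new DirectWiFiException("no device certificate", 2703));
                }
                if (list == null || list.isEmpty()) {
                    BLog.b(DirectWiFiTLSUtils.a, "no trusted roots");
                    throw new CertificateException("no trusted roots", new DirectWiFiException("no trusted roots", 2704));
                }

                // 1. Every certificate in the chain must be within its validity period.
                for (X509Certificate certificate : x509CertificateArr) {
                    try {
                        certificate.checkValidity();
                    } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                        BLog.b(DirectWiFiTLSUtils.a, "server cert not valid", e);
                        throw new CertificateException("server cert not valid", new DirectWiFiException("server cert not valid", 2703));
                    }
                }

                // 2. Each certificate must carry a valid signature from its successor.
                // NOTE(review): only signatures are checked here. Nothing verifies that an
                // issuing certificate is a CA (getBasicConstraints) or is allowed to sign
                // certificates (key usage), and there is no revocation check. Consider a PKIX
                // CertPathValidator with the pinned roots as trust anchors.
                for (int i = 1; i < x509CertificateArr.length; i++) {
                    try {
                        x509CertificateArr[i - 1].verify(x509CertificateArr[i].getPublicKey());
                    } catch (GeneralSecurityException e2) {
                        BLog.b(DirectWiFiTLSUtils.a, "bad server certificate", e2);
                        throw new CertificateException("bad server certificate", new DirectWiFiException("bad server certificate", 2703));
                    }
                }

                // 3. The top of the chain must use the public key of a pinned root. Its own
                // signature is not verified; trust comes from the key match alone.
                byte[] rootKey = x509CertificateArr[x509CertificateArr.length - 1].getPublicKey().getEncoded();
                boolean rootPinned = false;
                for (X509Certificate trustedRoot : list) {
                    if (Arrays.equals(rootKey, trustedRoot.getPublicKey().getEncoded())) {
                        rootPinned = true;
                        break;
                    }
                }
                if (!rootPinned) {
                    // Logged like every other rejection so a pinning failure is visible in logs.
                    BLog.b(DirectWiFiTLSUtils.a, "bad root");
                    throw new CertificateException("bad root");
                }

                // 4. The leaf CN must be present and accepted by the caller's validator. This
                // is the only peer-identity check: the HostnameVerifier below accepts any host.
                Matcher matcher = DirectWiFiTLSUtils.b.matcher(x509CertificateArr[0].getSubjectDN().toString());
                if (!matcher.matches()) {
                    BLog.b(DirectWiFiTLSUtils.a, "bad or missing server CN");
                    throw new CertificateException("bad or missing server CN", new DirectWiFiException("bad or missing server CN", 2703));
                }
                if (!certificateNameValidator.a(matcher.group(1).replace("\"", ""), str)) {
                    BLog.b(DirectWiFiTLSUtils.a, "bad server CN");
                    throw new CertificateException("bad server CN", new DirectWiFiException("bad server CN", 2703));
                }
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
        TrustManager[] trustManagerArr = {trustManager};
        try {
            final KeyStore a2 = DirectWiFiKeystoreProvider.a.a();
            // Key manager that always offers the single client identity held in the keystore.
            X509KeyManager x509KeyManager = new X509KeyManager() { // from class: com.facebook.fbreact.directwifi.DirectWiFiTLSUtils.3
                @Override // javax.net.ssl.X509KeyManager
                public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
                    return CLIENT_KEY_ALIAS;
                }

                @Override // javax.net.ssl.X509KeyManager
                @SuppressLint
                public String chooseServerAlias(String str2, Principal[] principalArr, Socket socket) {
                    return null;
                }

                @Override // javax.net.ssl.X509KeyManager
                @SuppressLint
                public X509Certificate[] getCertificateChain(String str2) {
                    try {
                        Certificate[] certificateChain = a2.getCertificateChain(str2);
                        // KeyStore.getCertificateChain returns null for an unknown alias or an
                        // entry without a chain; treat that like an empty chain instead of
                        // failing with a NullPointerException during the handshake.
                        if (certificateChain == null || certificateChain.length == 0) {
                            BLog.b(DirectWiFiTLSUtils.a, "didn't have a certificate chain");
                            return null;
                        }
                        X509Certificate[] x509CertificateArr = new X509Certificate[certificateChain.length];
                        for (int i = 0; i < certificateChain.length; i++) {
                            x509CertificateArr[i] = (X509Certificate) certificateChain[i];
                        }
                        return x509CertificateArr;
                    } catch (GeneralSecurityException e) {
                        BLog.b(DirectWiFiTLSUtils.a, "failed to read certificate chain", e);
                        return null;
                    }
                }

                @Override // javax.net.ssl.X509KeyManager
                public String[] getClientAliases(String str2, Principal[] principalArr) {
                    return new String[]{CLIENT_KEY_ALIAS};
                }

                @Override // javax.net.ssl.X509KeyManager
                @SuppressLint
                public PrivateKey getPrivateKey(String str2) {
                    try {
                        return (PrivateKey) a2.getKey(str2, null);
                    } catch (GeneralSecurityException e) {
                        // Logged for parity with getCertificateChain; a missing key otherwise
                        // surfaces only as an unexplained handshake failure.
                        BLog.b(DirectWiFiTLSUtils.a, "failed to read private key", e);
                        return null;
                    }
                }

                @Override // javax.net.ssl.X509KeyManager
                @SuppressLint
                public String[] getServerAliases(String str2, Principal[] principalArr) {
                    return null;
                }
            };
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(new KeyManager[]{x509KeyManager}, trustManagerArr, new SecureRandom());
            SSLSocketFactory socketFactory = sSLContext.getSocketFactory();
            if (socketFactory == null) {
                throw new NullPointerException("sslSocketFactory == null");
            }
            // The field writes below look like the inlined body of
            // OkHttpClient.Builder.sslSocketFactory(factory, trustManager) plus the
            // connection-spec and hostname-verifier setters — field names are obfuscated, confirm.
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            builder.m = socketFactory;
            builder.n = Platform.c.a(trustManager);
            // NOTE(review): which ConnectionSpec the obfuscated field `b` maps to cannot be told
            // from this file — confirm it is a TLS spec and not the cleartext one.
            builder.d = Util.a(Arrays.asList(ConnectionSpec.b));
            builder.o = new HostnameVerifier() { // from class: com.facebook.fbreact.directwifi.DirectWiFiTLSUtils.2
                @Override // javax.net.ssl.HostnameVerifier
                public boolean verify(String str2, SSLSession sSLSession) {
                    // Hostname verification is switched off on purpose or by omission: the peer
                    // is identified by the CN check in checkServerTrusted, not by its address.
                    // Any weakening of that CN check leaves the connection unauthenticated.
                    return true;
                }
            };
            return builder.a();
        } catch (IOException | GeneralSecurityException e) {
            // Callers receive null (see @Nullable); log the cause so the failure is diagnosable.
            BLog.b(DirectWiFiTLSUtils.a, "failed to build TLS client", e);
            return null;
        }
    }
}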
