package com.privateinternetaccess.android.pia.api;

import com.privateinternetaccess.android.PIAApplication;
import com.privateinternetaccess.android.pia.utils.DLog;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.collections.ArraysKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Ref;
import kotlin.text.Charsets;
import okhttp3.OkHttpClient;
import org.spongycastle.asn1.x500.RDN;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x500.style.BCStyle;

/* compiled from: PIACertPinningAPI.kt */
@Metadata(d1 = {"\u0000F\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0016\u0018\u0000 \u00192\u00020\u0001:\u0001\u0019B\u0005¢\u0006\u0002\u0010\u0002J\u0012\u0010\u000b\u001a\u0004\u0018\u00010\u00062\u0006\u0010\f\u001a\u00020\rH\u0002J\u0018\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0011H\u0002J \u0010\u0013\u001a\u00020\u00142\u0018\u0010\u0003\u001a\u0014\u0012\u0010\u0012\u000e\u0012\u0004\u0012\u00020\u0006\u0012\u0004\u0012\u00020\u00060\u00050\u0004J\u0018\u0010\u0015\u001a\u00020\u000f2\u0006\u0010\u0016\u001a\u00020\u00062\u0006\u0010\u0017\u001a\u00020\u0018H\u0002R \u0010\u0003\u001a\u0014\u0012\u0010\u0012\u000e\u0012\u0004\u0012\u00020\u0006\u0012\u0004\u0012\u00020\u00060\u00050\u0004X\u0082.¢\u0006\u0002\n\u0000R\u0011\u0010\u0007\u001a\u00020\b¢\u0006\b\n\u0000\u001a\u0004\b\t\u0010\n¨\u0006\u001a"}, d2 = {"Lcom/privateinternetaccess/android/pia/api/PIACertPinningAPI;", "", "()V", "knownEndpointCommonName", "", "Lkotlin/Pair;", "", "okHttpClient", "Lokhttp3/OkHttpClient;", "getOkHttpClient", "()Lokhttp3/OkHttpClient;", "certificateCommonName", "name", "Lorg/spongycastle/asn1/x500/X500Name;", "isEqual", "", "a", "", "b", "setKnownEndpointCommonName", "", "verifyCommonName", "requestEndpoint", "certificate", "Ljava/security/cert/X509Certificate;", "Companion", "pia-3.33.0-10603_productionNoinappRelease"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes3.dex */
/*
 * Builds an OkHttpClient whose TLS setup is derived from the certificate returned by
 * PIAApplication.getRSA4096Certificate() and whose hostname verification is replaced by a
 * lookup in a caller-supplied table of (request endpoint, expected certificate common name)
 * pairs.
 *
 * This listing is JADX decompiler output of Kotlin code. The constructor's try/catch region did
 * not reconstruct cleanly (see the notes there), so treat its control flow as approximate.
 */
public class PIACertPinningAPI {
    // Tag passed to DLog for this class's log lines.
    public static final String TAG = "PIACertPinningAPI";
    // (request endpoint, expected certificate CN) pairs read by verifyCommonName. Kotlin lateinit:
    // stays null until setKnownEndpointCommonName is called.
    private List<Pair<String, String>> knownEndpointCommonName;
    // Client built once in the constructor and exposed through getOkHttpClient().
    private final OkHttpClient okHttpClient;

    /* JADX WARN: Type inference failed for: r4v7, types: [T, javax.net.ssl.X509TrustManager] */
    /**
     * Builds the client: loads the certificate into a KeyStore under the alias "pia", derives
     * trust managers from that store, and installs the resulting socket factory together with a
     * custom HostnameVerifier on an OkHttpClient that has an 8 second connect timeout.
     *
     * <p>NOTE(review): as decompiled, {@code z} and {@code trustManagers} are not definitely
     * assigned after the catch blocks, so this does not compile as written. The original Kotlin
     * presumably kept the trust-manager check and the SSLContext setup inside the try; confirm
     * against the source.
     *
     * <p>NOTE(review): every checked exception from the setup is only printed. The call to
     * {@code sslSocketFactory(...)} is guarded by a null check and the verifier skips
     * {@code checkServerTrusted} when no trust manager was captured, so a failed setup would
     * presumably still yield a working client that relies on OkHttp's default trust plus the CN
     * table. A reviewer would want this to fail closed; verify the real behaviour.
     *
     * @throws IllegalStateException if the factory does not return exactly one X509TrustManager
     */
    public PIACertPinningAPI() {
        TrustManager[] trustManagers;
        boolean z;
        // Holder for the pinned trust manager so the verifier lambda can capture it.
        final Ref.ObjectRef objectRef = new Ref.ObjectRef();
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        SSLSocketFactory sSLSocketFactory = null;
        try {
            // NOTE(review): the "AndroidKeyStore" provider is used as the trust store here;
            // confirm that is intended rather than a plain in-memory KeyStore.
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            InputStream rSA4096Certificate = PIAApplication.getRSA4096Certificate();
            keyStore.setCertificateEntry("pia", CertificateFactory.getInstance("X.509").generateCertificate(rSA4096Certificate));
            // Not in a finally block: the stream stays open if parsing or the store call throws.
            rSA4096Certificate.close();
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            trustManagers = trustManagerFactory.getTrustManagers();
            // z records whether the factory produced exactly one X509TrustManager.
            z = true;
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                z = false;
            }
        } catch (IOException e) {
            // Setup failures are printed, not rethrown (same for the handlers below).
            e.printStackTrace();
        } catch (KeyManagementException e2) {
            e2.printStackTrace();
        } catch (KeyStoreException e3) {
            e3.printStackTrace();
        } catch (NoSuchAlgorithmException e4) {
            e4.printStackTrace();
        } catch (CertificateException e5) {
            e5.printStackTrace();
        }
        if (!z) {
            throw new IllegalStateException(("Unexpected default trust managers:" + Arrays.toString(trustManagers)).toString());
        }
        TrustManager trustManager = trustManagers[0];
        Intrinsics.checkNotNull(trustManager, "null cannot be cast to non-null type javax.net.ssl.X509TrustManager");
        objectRef.element = (X509TrustManager) trustManager;
        // NOTE(review): "SSL" is the legacy protocol name; "TLS" is the usual request. Which
        // protocol versions end up enabled depends on the provider; verify on target devices.
        SSLContext sSLContext = SSLContext.getInstance("SSL");
        sSLContext.init(null, trustManagers, new SecureRandom());
        sSLSocketFactory = sSLContext.getSocketFactory();
        builder.connectTimeout(8L, TimeUnit.SECONDS);
        // "!= 0" is a decompiler artifact for a null check on the captured trust manager.
        if (objectRef.element != 0 && sSLSocketFactory != null) {
            builder.sslSocketFactory(sSLSocketFactory, (X509TrustManager) objectRef.element);
        }
        // Replaces OkHttp's default hostname verification with the endpoint/CN table lookup.
        builder.hostnameVerifier(new HostnameVerifier() { // from class: com.privateinternetaccess.android.pia.api.PIACertPinningAPI$$ExternalSyntheticLambda0
            @Override // javax.net.ssl.HostnameVerifier
            public final boolean verify(String str, SSLSession sSLSession) {
                boolean _init_$lambda$1;
                _init_$lambda$1 = PIACertPinningAPI._init_$lambda$1(Ref.ObjectRef.this, this, str, sSLSession);
                return _init_$lambda$1;
            }
        });
        this.okHttpClient = builder.build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Body of the HostnameVerifier installed by the constructor.
     *
     * <p>Passes the session's peer certificates to the captured trust manager (when one is
     * present), then checks the first peer certificate's common name against the table entry for
     * the requested host via verifyCommonName. The outcome is logged as a boolean only.
     *
     * @param trustManager holder for the X509TrustManager captured by the constructor; its
     *     element may be null
     * @param this$0 the enclosing PIACertPinningAPI instance
     * @param str the host name handed to the verifier
     * @param sSLSession the session whose peer certificates are checked
     * @return true only if no listed exception was thrown and verifyCommonName accepted the pair
     */
    public static final boolean _init_$lambda$1(Ref.ObjectRef trustManager, PIACertPinningAPI this$0, String str, SSLSession sSLSession) {
        boolean z;
        Intrinsics.checkNotNullParameter(trustManager, "$trustManager");
        Intrinsics.checkNotNullParameter(this$0, "this$0");
        try {
            Certificate[] peerCertificates = sSLSession.getPeerCertificates();
            Intrinsics.checkNotNull(peerCertificates, "null cannot be cast to non-null type kotlin.Array<out java.security.cert.X509Certificate>");
            // NOTE(review): a ClassCastException from this array cast is not among the caught
            // types below; confirm the provider returns X509Certificate[] here.
            X509Certificate[] x509CertificateArr = (X509Certificate[]) peerCertificates;
            X509TrustManager x509TrustManager = (X509TrustManager) trustManager.element;
            // The chain check is skipped entirely when no trust manager was captured; only the
            // CN table comparison below then decides the result.
            if (x509TrustManager != null) {
                x509TrustManager.checkServerTrusted(x509CertificateArr, "RSA");
            }
            Certificate[] peerCertificates2 = sSLSession.getPeerCertificates();
            Intrinsics.checkNotNullExpressionValue(peerCertificates2, "getPeerCertificates(...)");
            // Only the first peer certificate is used for the name comparison.
            Certificate certificate = (Certificate) ArraysKt.first(peerCertificates2);
            Intrinsics.checkNotNull(str);
            Intrinsics.checkNotNull(certificate, "null cannot be cast to non-null type java.security.cert.X509Certificate");
            z = this$0.verifyCommonName(str, (X509Certificate) certificate);
        } catch (InvalidKeyException e) {
            // Each handler rejects the connection: print the trace, log, return false.
            e.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        } catch (NoSuchAlgorithmException e2) {
            e2.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        } catch (NoSuchProviderException e3) {
            e3.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        } catch (SignatureException e4) {
            e4.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        } catch (CertificateException e5) {
            // Covers a chain rejected by checkServerTrusted.
            e5.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        } catch (SSLPeerUnverifiedException e6) {
            e6.printStackTrace();
            z = false;
            DLog.d(TAG, "Verifier succeeded? " + z);
            return z;
        }
        DLog.d(TAG, "Verifier succeeded? " + z);
        return z;
    }

    /**
     * Extracts the common name from an X.500 name.
     *
     * @param name the distinguished name to read
     * @return the string value of the first attribute of the first CN RDN, or null when the name
     *     has no CN RDN
     */
    private final String certificateCommonName(X500Name name) {
        RDN[] rDNs = name.getRDNs(BCStyle.CN);
        Intrinsics.checkNotNull(rDNs);
        if (rDNs.length == 0) {
            return null;
        }
        // If several CN RDNs are present, only the first one is considered.
        return ((RDN) ArraysKt.first(rDNs)).getFirst().getValue().toString();
    }

    /**
     * Compares two byte arrays by hashing each with SHA-256 under the same fresh random 20-byte
     * prefix and comparing the digests with MessageDigest.isEqual.
     *
     * <p>Presumably meant to keep the comparison time independent of where the inputs differ.
     * The checked exceptions of the calls below are not declared because the source is Kotlin.
     *
     * @param a first value
     * @param b second value
     * @return true if the two prefixed digests are equal
     */
    private final boolean isEqual(byte[] a, byte[] b) {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        // Per-call random prefix shared by both digests.
        byte[] bArr = new byte[20];
        new SecureRandom().nextBytes(bArr);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(bArr);
        byteArrayOutputStream.write(a);
        byte[] digest = messageDigest.digest(byteArrayOutputStream.toByteArray());
        ByteArrayOutputStream byteArrayOutputStream2 = new ByteArrayOutputStream();
        byteArrayOutputStream2.write(bArr);
        byteArrayOutputStream2.write(b);
        return MessageDigest.isEqual(digest, messageDigest.digest(byteArrayOutputStream2.toByteArray()));
    }

    /**
     * Decides whether a certificate is acceptable for a requested endpoint.
     *
     * <p>Accepts only if some table pair has a first component equal to {@code requestEndpoint}
     * and a second component equal to the certificate's subject common name. Only the subject CN
     * is read here; subject alternative names are not consulted.
     *
     * @param requestEndpoint the host name passed to the verifier
     * @param certificate the certificate whose subject CN is compared
     * @return true on a matching pair; false if the certificate has no CN or no pair matches
     */
    private final boolean verifyCommonName(String requestEndpoint, X509Certificate certificate) {
        // NOTE(review): getSubjectDN() returns a provider-specific Principal; the cast below
        // assumes it is an X500Principal. getSubjectX500Principal() avoids that assumption.
        Principal subjectDN = certificate.getSubjectDN();
        Intrinsics.checkNotNull(subjectDN, "null cannot be cast to non-null type javax.security.auth.x500.X500Principal");
        X500Name x500Name = X500Name.getInstance(((X500Principal) subjectDN).getEncoded());
        Intrinsics.checkNotNullExpressionValue(x500Name, "getInstance(...)");
        String certificateCommonName = certificateCommonName(x500Name);
        if (certificateCommonName == null) {
            return false;
        }
        List<Pair<String, String>> list = this.knownEndpointCommonName;
        if (list == null) {
            // Table never set: the Kotlin lateinit check throws here, and that exception is not
            // one of the types the verifier catches.
            Intrinsics.throwUninitializedPropertyAccessException("knownEndpointCommonName");
            list = null;
        }
        for (Pair<String, String> pair : list) {
            String component1 = pair.component1();
            String component2 = pair.component2();
            byte[] bytes = component1.getBytes(Charsets.UTF_8);
            Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
            byte[] bytes2 = requestEndpoint.getBytes(Charsets.UTF_8);
            Intrinsics.checkNotNullExpressionValue(bytes2, "getBytes(...)");
            // An endpoint match with a CN mismatch does not stop the scan, so several pairs may
            // list the same endpoint.
            if (isEqual(bytes, bytes2)) {
                byte[] bytes3 = component2.getBytes(Charsets.UTF_8);
                Intrinsics.checkNotNullExpressionValue(bytes3, "getBytes(...)");
                byte[] bytes4 = certificateCommonName.getBytes(Charsets.UTF_8);
                Intrinsics.checkNotNullExpressionValue(bytes4, "getBytes(...)");
                if (isEqual(bytes3, bytes4)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Returns the client built by the constructor.
     *
     * @return the configured OkHttpClient
     */
    public final OkHttpClient getOkHttpClient() {
        return this.okHttpClient;
    }

    /**
     * Sets the table of (request endpoint, expected certificate CN) pairs used by the verifier.
     *
     * <p>The list reference is stored as given, without copying, so later changes made by the
     * caller are visible to the verifier.
     *
     * @param knownEndpointCommonName the pairs to accept; must not be null
     */
    public final void setKnownEndpointCommonName(List<Pair<String, String>> knownEndpointCommonName) {
        Intrinsics.checkNotNullParameter(knownEndpointCommonName, "knownEndpointCommonName");
        this.knownEndpointCommonName = knownEndpointCommonName;
    }
}
