package at.rundquadrat.android.r2mail2;

import android.content.Context;
import android.preference.PreferenceManager;
import at.rundquadrat.android.r2mail2.ValidationResult;
import at.rundquadrat.android.r2mail2.exceptions.CertificateChainException;
import at.rundquadrat.android.r2mail2.exceptions.CertificateHostnameException;
import at.rundquadrat.android.r2mail2.tasks.CertificateValidatorTask;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
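/**
 * {@link X509TrustManager} that validates a peer certificate chain through
 * {@link CertificateValidatorTask}, checks the leaf certificate's names against a configured
 * hostname, and can short-circuit validation through a stored certificate pin or a
 * trust-everything switch.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code trustall == true} disables every check in both {@code checkServerTrusted} and
 *       {@code checkClientTrusted}; a connection built with it is not authenticated.</li>
 *   <li>A pin match in {@code checkServerTrusted} skips hostname and chain validation, so the
 *       strength of the pin comparison is the only protection on that path (see
 *       {@code validateCertSignature}).</li>
 * </ul>
 */
public class CustomTrustManager implements X509TrustManager {
    /** OID of the "TLS Web server authentication" extended key usage. */
    private static final String EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    /** Key usage bit named "keyEnc" in the error message below. */
    private static final int KU_KEY_ENCIPHERMENT = 2;
    /** Key usage bit named "keyAgr" in the error message below. */
    private static final int KU_KEY_AGREEMENT = 4;
    private static final String HEX_DIGITS = "0123456789ABCDEF";

    private final boolean allowWildCards;
    private final String certHexSignature;
    private final Context context;
    private final String hostname;
    private final FileLogger log;
    private final boolean trustall;

    /**
     * Creates a validating trust manager: wildcards allowed, no trust-all, no pin.
     *
     * @param context Android context used for preferences, resources and the certificate DB
     * @param str     hostname the server certificate must match
     */
    public CustomTrustManager(Context context, String str) {
        this(context, str, true, false, null);
    }

    /**
     * Creates a trust manager with wildcards allowed.
     *
     * @param context Android context
     * @param str     hostname the server certificate must match
     * @param z       trust-all switch; {@code true} disables all certificate checks
     * @param str2    hex pin compared against the leaf certificate's signature, or {@code null}
     */
    public CustomTrustManager(Context context, String str, boolean z, String str2) {
        this(context, str, true, z, str2);
    }

    /**
     * @param context Android context
     * @param str     hostname the server certificate must match
     * @param z       whether {@code *.} wildcard names in the certificate may match
     * @param z2      trust-all switch; {@code true} disables all certificate checks
     * @param str2    hex pin compared against the leaf certificate's signature, or {@code null}
     */
    public CustomTrustManager(Context context, String str, boolean z, boolean z2, String str2) {
        this.log = new FileLogger();
        this.context = context;
        this.trustall = z2;
        // Locale.ROOT keeps the normalisation independent of the device locale (e.g. Turkish
        // dotless i). A null hostname is kept as null so validateHostname can reject it with a
        // CertificateException instead of the constructor failing with a NullPointerException.
        this.hostname = str == null ? null : str.toLowerCase(Locale.ROOT);
        this.allowWildCards = z;
        this.certHexSignature = str2;
    }

    /**
     * Runs chain validation and, for server certificates under the strict-check preference,
     * the key usage and extended key usage checks on the first certificate of the sorted chain.
     *
     * @param x509CertificateArr chain presented by the peer
     * @param z                  {@code true} when validating a server certificate
     * @throws CertificateException if the chain is missing, invalid, or the usage checks fail
     */
    private void validateCert(X509Certificate[] x509CertificateArr, boolean z) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            // checkClientTrusted reaches this method without any earlier chain check.
            throw new CertificateException("No certificate chain to verify certificate");
        }
        String revocationOrder = PreferenceManager.getDefaultSharedPreferences(this.context).getString(Constants.PREFS_KEY_REVOCE_ORDER, "");
        boolean downloadCerts = PreferenceManager.getDefaultSharedPreferences(this.context).getBoolean(Constants.PREFS_KEY_DOWNLAOD_CERTS, true);
        boolean useSystemRoot = PreferenceManager.getDefaultSharedPreferences(this.context).getBoolean(Constants.PREFS_KEY_USESYSTEM_ROOT, true);
        boolean strictCertCheck = PreferenceManager.getDefaultSharedPreferences(this.context).getBoolean(Constants.PREFS_KEY_STRICT_CERT_CHECK, true);
        // NOTE(review): these two switches are presumably the individual revocation mechanisms
        // selected by the "revocation order" preference - confirm against
        // CertificateValidatorTask.validateCert. Entry [3] of the resource array turns both off.
        boolean secondRevocationSwitch = true;
        boolean firstRevocationSwitch = true;
        String[] orderChoices = this.context.getResources().getStringArray(R.array.revocationOrder);
        if (revocationOrder.equalsIgnoreCase(orderChoices[1])) {
            firstRevocationSwitch = false;
        } else if (revocationOrder.equalsIgnoreCase(orderChoices[2])) {
            secondRevocationSwitch = false;
        } else if (revocationOrder.equalsIgnoreCase(orderChoices[3])) {
            firstRevocationSwitch = false;
            secondRevocationSwitch = false;
        }
        ArrayList<FullX509Certificate> wrappedChain = new ArrayList<FullX509Certificate>();
        for (X509Certificate x509Certificate : x509CertificateArr) {
            wrappedChain.add(new FullX509Certificate(x509Certificate));
        }
        ValidationResult.CertificateValidationResult result = CertificateValidatorTask.validateCert(this.context, firstRevocationSwitch, secondRevocationSwitch, downloadCerts, useSystemRoot, wrappedChain);
        if (!result.certValid || !result.chainValid) {
            this.log.e("Error validating certificate: " + result.getErrors());
            if (result.chainValid) {
                throw new CertificateException(result.getErrors());
            }
            throw new CertificateChainException(result.getErrors(), x509CertificateArr);
        }
        if (!z || !strictCertCheck) {
            return;
        }
        if (result.sortedChain.isEmpty()) {
            throw new CertificateException("Error could not find a certificate chain to a trusted root");
        }
        boolean[] keyUsage = result.sortedChain.get(0).getKeyUsage();
        List<String> extendedKeyUsage = result.sortedChain.get(0).getExtendedKeyUsage();
        // NOTE(review): only keyEncipherment/keyAgreement are accepted; a certificate carrying
        // only digitalSignature is rejected here - confirm that is intended.
        if (keyUsage != null && !hasKeyUsage(keyUsage, KU_KEY_ENCIPHERMENT) && !hasKeyUsage(keyUsage, KU_KEY_AGREEMENT)) {
            this.log.e("Error server certificate does not have the required key usage");
            throw new CertificateException("Server certificate does not have the required key usage - keyEnc or keyAgr");
        }
        // The extended key usage is checked even when the key usage extension is present and
        // acceptable; previously a passing key usage returned early, so a certificate whose
        // extended key usage excluded server authentication was accepted.
        if (extendedKeyUsage != null && !extendedKeyUsage.contains(EKU_SERVER_AUTH)) {
            this.log.e("Error server certificate does not have the required extended key usage");
            throw new CertificateException("Server certificate does not have the required extended key usage - TLS Web server authentication");
        }
    }

    /** Returns whether the given key usage bit is set, treating a too-short array as unset. */
    private static boolean hasKeyUsage(boolean[] keyUsage, int bit) {
        return bit < keyUsage.length && keyUsage[bit];
    }

    /**
     * Compares the configured pin with the hex form of the leaf certificate's signature field.
     *
     * <p>NOTE(review): the compared value is only the signature field of the presented
     * certificate. That field is public and is taken verbatim from what the peer sends, so a
     * match does not by itself bind the public key used in the handshake to the pinned
     * certificate, and a match makes checkServerTrusted skip hostname and chain validation.
     * A pin computed over the full encoded certificate or its SubjectPublicKeyInfo (for example
     * a SHA-256 digest) would bind the key. That change needs a migration of the stored pin
     * value, so it is flagged here rather than changed.
     *
     * @param x509CertificateArr chain presented by the server
     * @return {@code true} if a pin is configured and equals the leaf's signature (case-insensitive)
     * @throws CertificateException if the chain is {@code null} or empty
     */
    private boolean validateCertSignature(X509Certificate[] x509CertificateArr) throws CertificateException {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("No certificate chain to verify server certificate");
        }
        if (this.certHexSignature == null) {
            return false;
        }
        return toHex(x509CertificateArr[0].getSignature()).equalsIgnoreCase(this.certHexSignature);
    }

    /**
     * Checks that the leaf certificate names the expected host, either in a CN or in a DNS
     * subject alternative name.
     *
     * <p>NOTE(review): CNs are consulted even when DNS subject alternative names are present;
     * current practice is to ignore the CN in that case - confirm whether the fallback is needed.
     *
     * @param x509CertificateArr chain presented by the server; element 0 is checked
     * @param str                expected hostname
     * @throws CertificateException         if the hostname or the chain is missing
     * @throws CertificateHostnameException if no certificate name matches; carries the names found
     */
    private void validateHostname(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (str == null) {
            throw new CertificateException("No hostname to verify server certificate");
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            throw new CertificateException("No certificate chain to verify server certificate");
        }
        String host = str.toLowerCase(Locale.ROOT);
        FullX509Certificate leaf = new FullX509Certificate(x509CertificateArr[0]);
        List<String> namesSeen = new ArrayList<String>();
        for (String commonName : leaf.getCNs()) {
            if (matchesHostname(commonName, host)) {
                return;
            }
            if (!namesSeen.contains(commonName)) {
                namesSeen.add(commonName);
            }
        }
        for (String dnsName : leaf.getDNSNames()) {
            if (matchesHostname(dnsName, host)) {
                return;
            }
            if (!namesSeen.contains(dnsName)) {
                namesSeen.add(dnsName);
            }
        }
        throw new CertificateHostnameException("Hostname " + str + " not found in server certificate", str, namesSeen.toArray(new String[namesSeen.size()]), x509CertificateArr);
    }

    /**
     * Matches one certificate name against the (lower-cased) expected host.
     *
     * <p>Comparison is case-insensitive. A wildcard is honoured only as the complete left-most
     * label ({@code *.example.com}) and stands for exactly one non-empty label, so it matches
     * {@code mail.example.com} but neither {@code example.com} nor {@code a.b.example.com}.
     * The previous suffix-only test accepted any number of labels in place of the wildcard.
     */
    private boolean matchesHostname(String certName, String host) {
        if (certName == null) {
            return false;
        }
        String name = certName.toLowerCase(Locale.ROOT);
        if (name.equals(host)) {
            return true;
        }
        if (!this.allowWildCards || !name.startsWith("*.") || name.indexOf('*', 1) != -1) {
            return false;
        }
        String suffix = name.substring(1);
        if (suffix.length() < 2 || !host.endsWith(suffix)) {
            return false;
        }
        String label = host.substring(0, host.length() - suffix.length());
        return label.length() > 0 && label.indexOf('.') == -1;
    }

    /**
     * Validates a client chain through {@code validateCert}; no hostname or pin check applies.
     * Returns without any check when the trust-all switch is set.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (this.trustall) {
            return;
        }
        validateCert(x509CertificateArr, false);
    }

    /**
     * Accepts the server chain if the trust-all switch is set or the pin matches; otherwise
     * requires both a hostname match and a valid chain.
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        if (this.trustall || validateCertSignature(x509CertificateArr)) {
            return;
        }
        validateHostname(x509CertificateArr, this.hostname);
        validateCert(x509CertificateArr, true);
    }

    /**
     * Returns the trusted roots from the app's certificate database, closing the database
     * afterwards. Never returns {@code null}, as the {@link X509TrustManager} contract requires.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] trustedRoots = R2Mail2.getCertDb(this.context).getTrustedRoots();
        R2Mail2.closeCertDb();
        return trustedRoots != null ? trustedRoots : new X509Certificate[0];
    }

    /**
     * Encodes bytes as upper-case hexadecimal, two characters per byte.
     *
     * @param bArr bytes to encode
     * @return the hex string, or {@code null} if {@code bArr} is {@code null}
     */
    public String toHex(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            sb.append(HEX_DIGITS.charAt((b & 0xF0) >> 4)).append(HEX_DIGITS.charAt(b & 0x0F));
        }
        return sb.toString();
    }
}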
