package a.a.a.b;

import a.a.a.b.a;
import a.a.a.c.g;
import a.a.a.d;
import a.a.a.e;
import a.a.a.i.t;
import a.a.a.j;
import a.a.a.k;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.security.cert.CertificateEncodingException;

/* compiled from: DaneVerifier.java */
/* loaded from: classes.dex */
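/**
 * DANE verifier (decompiled, identifiers obfuscated): matches the leaf certificate of a TLS
 * session against the TLSA records published at {@code _<port>._tcp.<host>}.
 *
 * <p>Security contract as implemented here:
 * <ul>
 *   <li>{@code true} is returned only when a TLSA record with certificate usage 3 (DANE-EE in
 *       RFC 6698) matches the leaf certificate.</li>
 *   <li>{@code false} means "DANE did not vouch for this certificate". It is returned when the
 *       DNS answer is not flagged as properly signed, when no usable TLSA record exists, and
 *       also when a usage 1 (PKIX-EE) record matches. It is not a rejection and never a
 *       success: the caller must still run its normal PKIX validation.</li>
 *   <li>A mismatch against every applicable record is reported by an exception, not by
 *       {@code false}.</li>
 * </ul>
 */
public class b {

    /* renamed from: a, reason: collision with root package name */
    private static final Logger f35a = Logger.getLogger(b.class.getName());

    /* renamed from: b, reason: collision with root package name */
    // Client used to run the TLSA query. NOTE(review): presumably a DNSSEC-validating resolver
    // (the default is `a.a.a.c.a`) - confirm, since the signed/unsigned decision below relies on it.
    private final a.a.a.a f36b;

    /** Creates a verifier backed by a fresh {@code a.a.a.c.a} client. */
    public b() {
        this(new a.a.a.c.a());
    }

    private b(a.a.a.a aVar) {
        this.f36b = aVar;
    }

    /**
     * Returns the certificate to match, or fails closed when there is none.
     *
     * <p>The chain conversion in this class logs a failed conversion and leaves a {@code null}
     * slot behind. Without this guard that slot surfaced as a {@code NullPointerException} in
     * the middle of verification instead of the {@link CertificateException} callers handle.
     *
     * @param x509Certificate leaf certificate, possibly {@code null}
     * @param str host name, used in the error message only
     * @return {@code x509Certificate} when it is not {@code null}
     * @throws CertificateException when no certificate is available
     */
    private static X509Certificate requireCertificate(X509Certificate x509Certificate, String str) throws CertificateException {
        if (x509Certificate == null) {
            throw new CertificateException("No usable peer certificate to match against TLSA record while verifying " + str);
        }
        return x509Certificate;
    }

    /**
     * Matches one certificate against one TLSA record.
     *
     * <p>The record fields are read as certificate usage ({@code f219a}), selector
     * ({@code f220b}), matching type ({@code f221c}) and the expected bytes ({@code f222d}).
     * Only usages 1 and 3, selectors 0 and 1, and matching types 0, 1 and 2 are handled; any
     * other value is logged and makes the record count as "no statement".
     *
     * @param x509Certificate certificate to check; {@code null} is rejected once a supported
     *     selector needs its bytes
     * @param tVar TLSA record data
     * @param str host name, used in log and error messages only
     * @return {@code true} only when the record matches and its usage is 3; {@code false} for a
     *     matching usage 1 record and for unsupported usage, selector or matching type
     * @throws a.C0001a when the selected bytes do not equal the record's bytes
     * @throws CertificateException when the certificate is missing or cannot be encoded, or a
     *     required digest algorithm is unavailable
     */
    private static boolean a(X509Certificate x509Certificate, t tVar, String str) throws CertificateException {
        byte[] encoded;
        byte b2 = tVar.f219a;
        if (b2 != 1 && b2 != 3) {
            f35a.warning("TLSA certificate usage " + ((int) tVar.f219a) + " not supported while verifying " + str);
            return false;
        }
        // Selector: which part of the certificate is compared.
        switch (tVar.f220b) {
            case 0:
                // Whole certificate, as encoded.
                encoded = requireCertificate(x509Certificate, str).getEncoded();
                break;
            case 1:
                // Encoded public key only.
                encoded = requireCertificate(x509Certificate, str).getPublicKey().getEncoded();
                break;
            default:
                f35a.warning("TLSA selector " + ((int) tVar.f220b) + " not supported while verifying " + str);
                return false;
        }
        // Matching type: compare the selected bytes directly or through a digest.
        switch (tVar.f221c) {
            case 0:
                break;
            case 1:
                try {
                    encoded = MessageDigest.getInstance("SHA-256").digest(encoded);
                    break;
                } catch (NoSuchAlgorithmException e2) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e2);
                }
            case 2:
                try {
                    encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                    break;
                } catch (NoSuchAlgorithmException e3) {
                    throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e3);
                }
            default:
                f35a.warning("TLSA matching type " + ((int) tVar.f221c) + " not supported while verifying " + str);
                return false;
        }
        if (Arrays.equals(tVar.f222d, encoded)) {
            // A usage 1 match deliberately reports false: it does not replace the caller's own
            // chain validation. Only usage 3 lets the record vouch for the certificate.
            return tVar.f219a == 3;
        }
        throw new a.C0001a(tVar, encoded);
    }

    /**
     * Looks up the TLSA records for {@code _<i>._tcp.<str>} and matches the leaf certificate
     * against them.
     *
     * @param x509CertificateArr peer chain; only element 0 is checked
     * @param str host name the records are looked up for
     * @param i port the records are looked up for
     * @return {@code true} when a usage 3 record matched; {@code false} when the answer was not
     *     flagged as properly signed or no record produced a verdict
     * @throws a.b when no record matched and at least one record mismatched
     * @throws CertificateException when the leaf certificate is missing or matching fails
     * @throws RuntimeException wrapping an {@link IOException} from the DNS query; callers that
     *     catch only {@link CertificateException} will not see a lookup failure
     */
    private boolean a(X509Certificate[] x509CertificateArr, String str, int i) throws CertificateException {
        e a2 = e.a("_" + i + "._tcp." + str);
        try {
            d a3 = this.f36b.a(new j(a2, k.b.TLSA, k.a.IN));
            if (!a3.i) {
                // The answer is not flagged as properly signed, so its TLSA data is not trusted.
                // Returning false (not true) keeps an unsigned or spoofed answer from ever
                // authorising a certificate.
                String str2 = "Got TLSA response from DNS server, but was not signed properly.";
                if (a3 instanceof a.a.a.c.b) {
                    str2 = "Got TLSA response from DNS server, but was not signed properly. Reasons:";
                    Iterator<g> it = ((a.a.a.c.b) a3).r.iterator();
                    while (it.hasNext()) {
                        str2 = str2 + " " + it.next();
                    }
                }
                f35a.info(str2);
                return false;
            }
            // An empty chain becomes a null leaf, which the record matcher turns into a
            // CertificateException instead of an ArrayIndexOutOfBoundsException here.
            X509Certificate leaf = x509CertificateArr.length > 0 ? x509CertificateArr[0] : null;
            LinkedList linkedList = new LinkedList();
            boolean z = false;
            for (k<? extends a.a.a.i.g> kVar : a3.l) {
                // Only TLSA records owned by exactly the queried name are considered.
                if (kVar.f237b == k.b.TLSA && kVar.f236a.equals(a2)) {
                    try {
                        z |= a(leaf, (t) kVar.f241f, str);
                    } catch (a.C0001a e2) {
                        // Remember the mismatch; another record may still match.
                        linkedList.add(e2);
                    }
                    if (z) {
                        break;
                    }
                }
            }
            if (z || linkedList.isEmpty()) {
                return z;
            }
            // Nothing vouched for the certificate and at least one record contradicted it.
            throw new a.b(linkedList);
        } catch (IOException e3) {
            throw new RuntimeException(e3);
        }
    }

    /**
     * Converts a legacy {@code javax.security.cert} chain to {@code java.security.cert}
     * certificates by re-parsing each encoded certificate.
     *
     * @param x509CertificateArr legacy chain
     * @return array of the same length; a slot whose conversion failed is left {@code null}
     *     after the failure is logged
     */
    private static X509Certificate[] a(javax.security.cert.X509Certificate[] x509CertificateArr) {
        X509Certificate[] x509CertificateArr2 = new X509Certificate[x509CertificateArr.length];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                x509CertificateArr2[i] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(x509CertificateArr[i].getEncoded()));
            } catch (CertificateException | CertificateEncodingException e2) {
                f35a.log(Level.WARNING, "Could not convert", e2);
            }
        }
        return x509CertificateArr2;
    }

    /**
     * Verifies the peer of an established TLS session against its TLSA records, using the
     * session's peer host and peer port as the lookup name.
     *
     * @param sSLSession session whose peer certificate chain is checked
     * @return {@code true} only when a usage 3 TLSA record matched the leaf certificate;
     *     {@code false} means DANE made no positive statement and the caller's regular
     *     certificate validation must decide
     * @throws CertificateException when the peer is unverified, the leaf certificate is missing,
     *     or the certificate mismatches the published records
     */
    public final boolean a(SSLSession sSLSession) throws CertificateException {
        try {
            // NOTE(review): getPeerCertificateChain() is the deprecated javax.security.cert API;
            // confirm it is supported on every runtime this ships on.
            return a(a(sSLSession.getPeerCertificateChain()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e2) {
            throw new CertificateException("Peer not verified", e2);
        }
    }
}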
