package com.facebook.netlite.certificatepinning.internal;

import android.annotation.SuppressLint;
import android.util.Base64;
import com.adjust.sdk.Constants;
import com.facebook.annotations.OkToExtend;
import com.facebook.errorreporting.lacrima.collector.large.SimpleLogcatCollector;
import com.facebook.infer.annotation.Nullsafe;
import e.a.a.a.a;
import e.a.a.a.b;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.X509TrustManager;

@OkToExtend
@Nullsafe(Nullsafe.Mode.LOCAL)
/* loaded from: classes.dex */
public class FbPinningTrustManager implements X509TrustManager {
    private static final String TAG = "FbPinningTrustManager";
    private final long mEnforceUntilTimestampMillis;
    private b mKeyStore;
    private final boolean mPinTimeoutSet;
    private final Set<ByteBuffer> mPins;
    protected final X509TrustManager mSystemTrustManager;

    public FbPinningTrustManager(long j) {
        this(j, b.a());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public FbPinningTrustManager(long j, b bVar) {
        this.mPins = new HashSet();
        this.mKeyStore = bVar;
        this.mSystemTrustManager = TrustManagerUtil.initializeSystemTrustManager();
        this.mPinTimeoutSet = j > 0;
        this.mEnforceUntilTimestampMillis = j + 31536000000L;
        for (String str : CertificatePinningData.FB_CERT_SHA256_PINS) {
            this.mPins.add(ByteBuffer.wrap(Base64.decode(str, 0)));
        }
    }

    private void checkSystemTrust(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.mSystemTrustManager.checkServerTrusted(x509CertificateArr, str);
    }

    private boolean isValidPin(X509Certificate x509Certificate) throws CertificateException {
        try {
            return this.mPins.contains(ByteBuffer.wrap(MessageDigest.getInstance(Constants.SHA256).digest(x509Certificate.getPublicKey().getEncoded())));
        } catch (NoSuchAlgorithmException e2) {
            throw new CertificateException(e2);
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        throw new CertificateException("Client certificates not supported!");
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void checkPinTrust(X509Certificate[] x509CertificateArr) throws CertificateException {
        b bVar = this.mKeyStore;
        if (bVar == null) {
            throw new CertificateException("SystemKeystore is not intialized.");
        }
        checkPinTrustWithCleanChain(Arrays.asList(a.a(x509CertificateArr, bVar)));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @SuppressLint({"BadMethodUse-java.lang.System.currentTimeMillis"})
    public void checkPinTrustWithCleanChain(List<X509Certificate> list) throws CertificateException {
        if (!this.mPinTimeoutSet || System.currentTimeMillis() <= this.mEnforceUntilTimestampMillis) {
            if (list.isEmpty()) {
                throw new CertificateException("pinning error: certificate chain empty");
            }
            Iterator<X509Certificate> it = list.iterator();
            while (it.hasNext()) {
                if (isValidPin(it.next())) {
                    return;
                }
            }
            StringBuilder sb = new StringBuilder();
            sb.append("pinning error, trusted chain: ");
            Iterator<X509Certificate> it2 = list.iterator();
            while (it2.hasNext()) {
                sb.append(Base64.encodeToString(it2.next().getEncoded(), 0));
                sb.append(SimpleLogcatCollector.LINE_BREAK);
            }
            throw new CertificateException(sb.toString());
        }
    }

    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        checkSystemTrust(x509CertificateArr, str);
        checkPinTrust(x509CertificateArr);
    }

    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return this.mSystemTrustManager.getAcceptedIssuers();
    }
}
