package com.accfun.cloudclass;

import com.accfun.cloudclass.bhv;
import com.accfun.cloudclass.bks;
import com.accfun.cloudclass.bkv;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.security.cert.CertificateEncodingException;

/* compiled from: DaneVerifier.java */
/* loaded from: classes.dex */
public class bhw {
    private static final Logger a = Logger.getLogger(bhw.class.getName());
    private final bho b;

    public bhw() {
        this(new bio());
    }

    public bhw(bho bhoVar) {
        this.b = bhoVar;
    }

    private static boolean a(X509Certificate x509Certificate, bkv bkvVar, String str) throws CertificateException {
        byte[] encoded;
        if (bkvVar.b == null) {
            a.warning("TLSA certificate usage byte " + ((int) bkvVar.a) + " is not supported while verifying " + str);
            return false;
        }
        switch (bkvVar.b) {
            case serviceCertificateConstraint:
            case domainIssuedCertificate:
                if (bkvVar.d == null) {
                    a.warning("TLSA selector byte " + ((int) bkvVar.c) + " is not supported while verifying " + str);
                    return false;
                }
                switch (bkvVar.d) {
                    case fullCertificate:
                        encoded = x509Certificate.getEncoded();
                        break;
                    case subjectPublicKeyInfo:
                        encoded = x509Certificate.getPublicKey().getEncoded();
                        break;
                    default:
                        a.warning("TLSA selector " + bkvVar.d + " (" + ((int) bkvVar.c) + ") not supported while verifying " + str);
                        return false;
                }
                if (bkvVar.f == null) {
                    a.warning("TLSA matching type byte " + ((int) bkvVar.e) + " is not supported while verifying " + str);
                    return false;
                }
                switch (bkvVar.f) {
                    case noHash:
                        break;
                    case sha256:
                        try {
                            encoded = MessageDigest.getInstance("SHA-256").digest(encoded);
                            break;
                        } catch (NoSuchAlgorithmException e) {
                            throw new CertificateException("Verification using TLSA failed: could not SHA-256 for matching", e);
                        }
                    case sha512:
                        try {
                            encoded = MessageDigest.getInstance("SHA-512").digest(encoded);
                            break;
                        } catch (NoSuchAlgorithmException e2) {
                            throw new CertificateException("Verification using TLSA failed: could not SHA-512 for matching", e2);
                        }
                    default:
                        a.warning("TLSA matching type " + bkvVar.f + " not supported while verifying " + str);
                        return false;
                }
                if (bkvVar.a(encoded)) {
                    return bkvVar.b == bkv.a.domainIssuedCertificate;
                }
                throw new bhv.a(bkvVar, encoded);
            default:
                a.warning("TLSA certificate usage " + bkvVar.b + " (" + ((int) bkvVar.a) + ") not supported while verifying " + str);
                return false;
        }
    }

    private static X509Certificate[] a(javax.security.cert.X509Certificate[] x509CertificateArr) {
        X509Certificate[] x509CertificateArr2 = new X509Certificate[x509CertificateArr.length];
        for (int i = 0; i < x509CertificateArr.length; i++) {
            try {
                x509CertificateArr2[i] = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(x509CertificateArr[i].getEncoded()));
            } catch (CertificateException | CertificateEncodingException e) {
                a.log(Level.WARNING, "Could not convert", e);
            }
        }
        return x509CertificateArr2;
    }

    public boolean a(SSLSession sSLSession) throws CertificateException {
        try {
            return a(a(sSLSession.getPeerCertificateChain()), sSLSession.getPeerHost(), sSLSession.getPeerPort());
        } catch (SSLPeerUnverifiedException e) {
            throw new CertificateException("Peer not verified", e);
        }
    }

    public boolean a(SSLSocket sSLSocket) throws CertificateException {
        if (sSLSocket.isConnected()) {
            return a(sSLSocket.getSession());
        }
        throw new IllegalStateException("Socket not yet connected.");
    }

    public boolean a(X509Certificate[] x509CertificateArr, String str, int i) throws CertificateException {
        bil a2 = bil.a("_" + i + "._tcp." + str);
        try {
            bij a3 = this.b.a(a2, bks.b.TLSA);
            if (!a3.i) {
                String str2 = "Got TLSA response from DNS server, but was not signed properly.";
                if (a3 instanceof bip) {
                    str2 = "Got TLSA response from DNS server, but was not signed properly. Reasons:";
                    Iterator<bit> it = ((bip) a3).k().iterator();
                    while (it.hasNext()) {
                        str2 = str2 + " " + it.next();
                    }
                }
                a.info(str2);
                return false;
            }
            LinkedList linkedList = new LinkedList();
            boolean z = false;
            for (bks<? extends bkf> bksVar : a3.l) {
                if (bksVar.b == bks.b.TLSA && bksVar.a.equals(a2)) {
                    try {
                        z |= a(x509CertificateArr[0], (bkv) bksVar.f, str);
                    } catch (bhv.a e) {
                        linkedList.add(e);
                    }
                    if (z) {
                        break;
                    }
                }
            }
            if (z || linkedList.isEmpty()) {
                return z;
            }
            throw new bhv.b(linkedList);
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }
}
