package com.couchbase.lite.internal.replicator;

import android.net.http.X509TrustManagerExtensions;
import androidx.camera.view.PreviewView$1$$ExternalSyntheticBackportWithForwarding0;
import com.couchbase.lite.internal.utils.Fn;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
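/**
 * Decides whether the replicator trusts the certificate chain presented by a TLS server.
 *
 * <p>Exactly one of three policies applies, chosen from the constructor arguments:
 * <ol>
 *   <li><b>Pinned certificate</b> (a pinned certificate was supplied): the leaf certificate must be
 *       currently valid and byte-for-byte equal to the pinned DER encoding. The rest of the chain
 *       and the host name are not examined. Pinning takes precedence over the self-signed flag.</li>
 *   <li><b>Self-signed only</b> (no pin, flag set): the chain must consist of exactly one currently
 *       valid certificate whose signature verifies under its own public key. Any such certificate
 *       is accepted: nothing binds it to a host name or to a known key, so this mode gives an
 *       encrypted channel but does not authenticate the server.</li>
 *   <li><b>Platform default</b> (no pin, flag clear): validation is delegated to the trust manager
 *       built from the system trust store.</li>
 * </ol>
 *
 * <p>The server-certificate listener is invoked from a {@code finally} block on every check, so it
 * also receives chains that were rejected. Consumers must not treat the reported certificates as
 * trusted unless the check itself returned normally.
 */
public final class CBLTrustManager implements X509TrustManager {
    private final boolean acceptOnlySelfSignedServerCertificate;
    // Lazily created platform trust manager; only used under the "platform default" policy.
    private final AtomicReference<X509TrustManager> defaultTrustManager = new AtomicReference<>();
    // DER encoding of the pinned leaf certificate, or null when pinning is not in use.
    private final byte[] pinnedServerCertificate;
    private final Fn.Consumer<List<Certificate>> serverCertslistener;

    /**
     * Creates a trust manager.
     *
     * @param pinnedServerCertificate encoded certificate the server's leaf certificate must equal, or
     *     {@code null} for no pinning; the array is copied so later changes by the caller have no effect
     * @param acceptOnlySelfSignedServerCertificate when no pin is given, accept only single,
     *     self-signed server certificates instead of using the platform trust store
     * @param serverCertsListener receives the presented chain after every server check, successful or
     *     not; it is called unconditionally, so it must not be {@code null}
     */
    public CBLTrustManager(
        byte[] pinnedServerCertificate,
        boolean acceptOnlySelfSignedServerCertificate,
        Fn.Consumer<List<Certificate>> serverCertsListener) {
        this.pinnedServerCertificate = pinnedServerCertificate != null ? pinnedServerCertificate.clone() : null;
        this.acceptOnlySelfSignedServerCertificate = acceptOnlySelfSignedServerCertificate;
        this.serverCertslistener = serverCertsListener;
    }

    /** Returns the chain as an unmodifiable list, or an empty list when the chain is {@code null}. */
    private List<Certificate> asList(X509Certificate[] chain) {
        return chain == null ? Collections.emptyList() : Collections.unmodifiableList(Arrays.asList(chain));
    }

    /**
     * Applies the pinned-certificate or self-signed-only policy to the presented chain.
     *
     * @param chain certificates presented by the server, leaf first
     * @param authType key-exchange algorithm name supplied by the TLS stack
     * @throws IllegalArgumentException if the chain or the auth type is null or empty
     * @throws CertificateException if the leaf is expired or not yet valid, does not match the pin,
     *     or (without a pin) is not a lone self-signed certificate
     */
    private void doCheckServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new IllegalArgumentException("No server certificates");
        }
        if (authType == null || authType.isEmpty()) {
            throw new IllegalArgumentException("Invalid auth type: " + authType);
        }

        final X509Certificate leaf = chain[0];
        // Validity dates are enforced under both policies, so an expired pinned certificate is rejected.
        leaf.checkValidity();

        final byte[] pinned = this.pinnedServerCertificate;
        if (pinned != null) {
            // Both sides are public certificate encodings, so a plain array comparison is sufficient.
            if (!Arrays.equals(pinned, leaf.getEncoded())) {
                throw new CertificateException("Server certificate does not match pinned certificate");
            }
            return;
        }

        // Self-signed-only policy: a longer chain implies an issuer other than the leaf itself.
        if (chain.length > 1 || !isSelfSignedCertificate(leaf)) {
            throw new CertificateException("Server certificate is not self-signed");
        }
    }

    /**
     * Returns the platform's default X.509 trust manager, creating and caching it on first use.
     *
     * @throws IllegalStateException if the platform provides no X.509 trust manager
     */
    private X509TrustManager getDefaultTrustManager() {
        final X509TrustManager cached = this.defaultTrustManager.get();
        if (cached != null) {
            return cached;
        }
        try {
            final TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // A null key store selects the system trust anchors.
            factory.init((KeyStore) null);
            final TrustManager[] candidates = factory.getTrustManagers();
            if (candidates != null) {
                for (TrustManager candidate : candidates) {
                    // Select by type rather than casting element 0 blindly, which would fail with a
                    // ClassCastException if the first entry were not an X.509 trust manager.
                    if (candidate instanceof X509TrustManager) {
                        // The decompiled code routed this through a compiler-generated backport helper
                        // that had been merged into an unrelated androidx class; its argument shape
                        // (reference, expected null, new value) is that of compareAndSet, which is
                        // called directly here. The import of that helper at the top of the file is
                        // no longer needed by this class.
                        this.defaultTrustManager.compareAndSet(null, (X509TrustManager) candidate);
                        // Re-read so that racing callers all return the instance that won the CAS.
                        return this.defaultTrustManager.get();
                    }
                }
            }
            throw new IllegalStateException("Cannot find the default trust manager");
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Cannot find the default trust manager", e);
        }
    }

    /**
     * Reports whether the certificate names itself as issuer and its signature verifies under its
     * own public key.
     */
    private boolean isSelfSignedCertificate(X509Certificate certificate) {
        // getSubjectDN()/getIssuerDN() return implementation-specific Principal objects; the
        // X500Principal accessors are their documented portable replacements.
        if (!certificate.getSubjectX500Principal().equals(certificate.getIssuerX500Principal())) {
            return false;
        }
        try {
            // Name equality alone proves nothing; the signature check is the authoritative test.
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException
            | CertificateException ignored) {
            // Any verification failure simply means "not self-signed" for the caller's purposes.
            return false;
        }
    }

    /** Returns true when neither pinning nor the self-signed-only policy is configured. */
    private boolean useDefaultTrustManager() {
        return this.pinnedServerCertificate == null && !this.acceptOnlySelfSignedServerCertificate;
    }

    /**
     * Always fails: this trust manager is only meant for the client side of a connection.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new UnsupportedOperationException("Checking Client Trust is a server operation");
    }

    /**
     * Host-name-aware variant of the server check. It is not declared by {@link X509TrustManager};
     * the signature matches the one {@code X509TrustManagerExtensions} exposes, and is presumably
     * looked up by the Android TLS stack.
     *
     * <p>The host name is used only under the platform-default policy. With a pinned certificate or
     * the self-signed-only policy it is ignored and the presented chain is returned as-is.
     *
     * @param chain certificates presented by the server, leaf first
     * @param authType key-exchange algorithm name supplied by the TLS stack
     * @param host name of the server being connected to
     * @return the validated chain
     * @throws CertificateException if the chain is not trusted under the active policy
     */
    public List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String authType, String host)
        throws CertificateException {
        try {
            if (useDefaultTrustManager()) {
                return new X509TrustManagerExtensions(getDefaultTrustManager()).checkServerTrusted(chain, authType, host);
            }
            doCheckServerTrusted(chain, authType);
            return Arrays.asList(chain);
        } finally {
            // Runs on success and on rejection alike: the listener sees untrusted chains too.
            this.serverCertslistener.accept(asList(chain));
        }
    }

    /**
     * Validates the server's chain under the active policy and reports the chain to the listener.
     *
     * @param chain certificates presented by the server, leaf first
     * @param authType key-exchange algorithm name supplied by the TLS stack
     * @throws CertificateException if the chain is not trusted under the active policy
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            if (useDefaultTrustManager()) {
                getDefaultTrustManager().checkServerTrusted(chain, authType);
            } else {
                doCheckServerTrusted(chain, authType);
            }
        } finally {
            // Runs on success and on rejection alike: the listener sees untrusted chains too.
            this.serverCertslistener.accept(asList(chain));
        }
    }

    /**
     * Returns the platform's accepted issuers under the platform-default policy, and an empty array
     * under the pinned and self-signed-only policies, which rely on no certificate authority.
     */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        return useDefaultTrustManager() ? getDefaultTrustManager().getAcceptedIssuers() : new X509Certificate[0];
    }
}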
