package com.appmattus.certificatetransparency.internal.verifier;

import com.appmattus.certificatetransparency.CTPolicy;
import com.appmattus.certificatetransparency.SctVerificationResult;
import com.appmattus.certificatetransparency.VerificationResult;
import com.appmattus.certificatetransparency.cache.DiskCache;
import com.appmattus.certificatetransparency.chaincleaner.CertificateChainCleaner;
import com.appmattus.certificatetransparency.chaincleaner.CertificateChainCleanerFactory;
import com.appmattus.certificatetransparency.datasource.DataSource;
import com.appmattus.certificatetransparency.internal.utils.Base64;
import com.appmattus.certificatetransparency.internal.utils.CertificateExtKt;
import com.appmattus.certificatetransparency.internal.utils.X509CertificateExtKt;
import com.appmattus.certificatetransparency.internal.verifier.model.Host;
import com.appmattus.certificatetransparency.internal.verifier.model.SignedCertificateTimestamp;
import com.appmattus.certificatetransparency.loglist.LogListDataSourceFactory;
import com.appmattus.certificatetransparency.loglist.LogListResult;
import com.appmattus.certificatetransparency.loglist.LogListService;
import com.appmattus.certificatetransparency.loglist.LogServer;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.X509TrustManager;
import lm.q;
import xl.m;
import yl.a0;
import yl.i0;
import yl.o;

/* loaded from: classes.dex */
public class CertificateTransparencyBase {
    private final CertificateChainCleanerFactory certificateChainCleanerFactory;
    private final xl.j cleaner$delegate;
    private final Set<Host> excludeHosts;
    private final Set<Host> includeHosts;
    private final DataSource<LogListResult> logListDataSource;
    private final CTPolicy policy;

    public CertificateTransparencyBase() {
        this(null, null, null, null, null, null, null, null, 255, null);
    }

    public CertificateTransparencyBase(Set<Host> set, Set<Host> set2, CertificateChainCleanerFactory certificateChainCleanerFactory, X509TrustManager x509TrustManager, LogListService logListService, DataSource<LogListResult> dataSource, CTPolicy cTPolicy, DiskCache diskCache) {
        DataSource<LogListResult> dataSource2;
        q.f(set, "includeHosts");
        q.f(set2, "excludeHosts");
        this.includeHosts = set;
        this.excludeHosts = set2;
        this.certificateChainCleanerFactory = certificateChainCleanerFactory;
        for (Host host : set) {
            if (!(!host.getMatchAll())) {
                throw new IllegalArgumentException("Certificate transparency is enabled by default on all domain names".toString());
            }
            if (!(!this.excludeHosts.contains(host))) {
                throw new IllegalArgumentException("Certificate transparency inclusions must not match exclude directly".toString());
            }
        }
        if (dataSource != null && logListService != null) {
            throw new IllegalArgumentException("LogListService is ignored when overriding logListDataSource".toString());
        }
        if (dataSource != null && diskCache != null) {
            throw new IllegalArgumentException("DiskCache is ignored when overriding logListDataSource".toString());
        }
        this.cleaner$delegate = xl.k.b(new CertificateTransparencyBase$cleaner$2(x509TrustManager, this));
        if (dataSource == null) {
            LogListDataSourceFactory logListDataSourceFactory = LogListDataSourceFactory.INSTANCE;
            dataSource2 = LogListDataSourceFactory.createDataSource$default(logListDataSourceFactory, logListService == null ? LogListDataSourceFactory.createLogListService$default(logListDataSourceFactory, (String) null, (km.a) null, 0L, x509TrustManager, 7, (Object) null) : logListService, diskCache, null, null, 12, null);
        } else {
            dataSource2 = dataSource;
        }
        this.logListDataSource = dataSource2;
        this.policy = cTPolicy == null ? new DefaultPolicy() : cTPolicy;
    }

    public CertificateTransparencyBase(Set set, Set set2, CertificateChainCleanerFactory certificateChainCleanerFactory, X509TrustManager x509TrustManager, LogListService logListService, DataSource dataSource, CTPolicy cTPolicy, DiskCache diskCache, int i2, lm.j jVar) {
        this((i2 & 1) != 0 ? a0.f19926m : set, (i2 & 2) != 0 ? a0.f19926m : set2, (i2 & 4) != 0 ? null : certificateChainCleanerFactory, (i2 & 8) != 0 ? null : x509TrustManager, (i2 & 16) != 0 ? null : logListService, (i2 & 32) != 0 ? null : dataSource, (i2 & 64) != 0 ? null : cTPolicy, (i2 & 128) == 0 ? diskCache : null);
    }

    private final boolean enabledForCertificateTransparency(String str) {
        Set<Host> set = this.excludeHosts;
        if (!(set instanceof Collection) || !set.isEmpty()) {
            Iterator<T> it = set.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                if (((Host) it.next()).matches(str)) {
                    Set<Host> set2 = this.includeHosts;
                    if (!(set2 instanceof Collection) || !set2.isEmpty()) {
                        Iterator<T> it2 = set2.iterator();
                        while (it2.hasNext()) {
                            if (((Host) it2.next()).matches(str)) {
                            }
                        }
                    }
                    return false;
                }
            }
        }
        return true;
    }

    private final CertificateChainCleaner getCleaner() {
        return (CertificateChainCleaner) this.cleaner$delegate.getValue();
    }

    private final VerificationResult hasValidSignedCertificateTimestamp(List<? extends X509Certificate> list) {
        LogListResult logListZipFailedLoadingWithException;
        SctVerificationResult sctVerificationResult;
        try {
            logListZipFailedLoadingWithException = (LogListResult) wm.e.c(new CertificateTransparencyBase$hasValidSignedCertificateTimestamp$result$1(this, null));
        } catch (Exception e10) {
            logListZipFailedLoadingWithException = new LogListResult.Invalid.LogListZipFailedLoadingWithException(e10);
        }
        if (!(logListZipFailedLoadingWithException instanceof LogListResult.Valid)) {
            if (logListZipFailedLoadingWithException instanceof LogListResult.DisableChecks) {
                return new VerificationResult.Success.DisabledStaleLogList((LogListResult.DisableChecks) logListZipFailedLoadingWithException);
            }
            if (logListZipFailedLoadingWithException instanceof LogListResult.Invalid) {
                return new VerificationResult.Failure.LogServersFailed((LogListResult.Invalid) logListZipFailedLoadingWithException);
            }
            if (logListZipFailedLoadingWithException == null) {
                return new VerificationResult.Failure.LogServersFailed(LogListResult.Invalid.NoLogServers.INSTANCE);
            }
            throw new m();
        }
        List<LogServer> servers = ((LogListResult.Valid) logListZipFailedLoadingWithException).getServers();
        int a10 = i0.a(o.h(servers, 10));
        int i2 = 16;
        if (a10 < 16) {
            a10 = 16;
        }
        LinkedHashMap linkedHashMap = new LinkedHashMap(a10);
        for (LogServer logServer : servers) {
            linkedHashMap.put(Base64.INSTANCE.toBase64String(logServer.getId()), new LogSignatureVerifier(logServer));
        }
        X509Certificate x509Certificate = list.get(0);
        if (!CertificateExtKt.hasEmbeddedSct(x509Certificate)) {
            return VerificationResult.Failure.NoScts.INSTANCE;
        }
        try {
            List<SignedCertificateTimestamp> signedCertificateTimestamps = X509CertificateExtKt.signedCertificateTimestamps(x509Certificate);
            int a11 = i0.a(o.h(signedCertificateTimestamps, 10));
            if (a11 >= 16) {
                i2 = a11;
            }
            LinkedHashMap linkedHashMap2 = new LinkedHashMap(i2);
            for (Object obj : signedCertificateTimestamps) {
                linkedHashMap2.put(Base64.INSTANCE.toBase64String(((SignedCertificateTimestamp) obj).getId().getKeyId()), obj);
            }
            LinkedHashMap linkedHashMap3 = new LinkedHashMap(i0.a(linkedHashMap2.size()));
            for (Object obj2 : linkedHashMap2.entrySet()) {
                Object key = ((Map.Entry) obj2).getKey();
                Map.Entry entry = (Map.Entry) obj2;
                String str = (String) entry.getKey();
                SignedCertificateTimestamp signedCertificateTimestamp = (SignedCertificateTimestamp) entry.getValue();
                LogSignatureVerifier logSignatureVerifier = (LogSignatureVerifier) linkedHashMap.get(str);
                if (logSignatureVerifier == null || (sctVerificationResult = logSignatureVerifier.verifySignature(signedCertificateTimestamp, list)) == null) {
                    sctVerificationResult = SctVerificationResult.Invalid.NoTrustedLogServerFound.INSTANCE;
                }
                linkedHashMap3.put(key, sctVerificationResult);
            }
            VerificationResult policyVerificationResult = this.policy.policyVerificationResult(x509Certificate, linkedHashMap3);
            return policyVerificationResult instanceof VerificationResult.Success ? ((logListZipFailedLoadingWithException instanceof LogListResult.Valid.StaleNetworkUsingCachedData) || (logListZipFailedLoadingWithException instanceof LogListResult.Valid.StaleNetworkUsingNetworkData)) ? new VerificationResult.Success.StaleNetwork((VerificationResult.Success) policyVerificationResult, logListZipFailedLoadingWithException) : policyVerificationResult : policyVerificationResult;
        } catch (IOException e11) {
            return new VerificationResult.Failure.UnknownIoException(e11);
        }
    }

    public final VerificationResult verifyCertificateTransparency(String str, List<? extends Certificate> list) {
        q.f(str, "host");
        q.f(list, "certificates");
        if (!enabledForCertificateTransparency(str)) {
            return new VerificationResult.Success.DisabledForHost(str);
        }
        if (!list.isEmpty()) {
            CertificateChainCleaner cleaner = getCleaner();
            ArrayList arrayList = new ArrayList();
            for (Object obj : list) {
                if (obj instanceof X509Certificate) {
                    arrayList.add(obj);
                }
            }
            List<X509Certificate> clean = cleaner.clean(arrayList, str);
            if (!clean.isEmpty()) {
                return hasValidSignedCertificateTimestamp(clean);
            }
        }
        return VerificationResult.Failure.NoCertificates.INSTANCE;
    }
}
