package com.microsoft.intune.mam.http;

import com.microsoft.intune.mam.client.telemetry.TelemetryLogger;
import com.microsoft.intune.mam.client.telemetry.events.TrackedOccurrence;
import com.microsoft.intune.mam.log.MAMLogger;
import com.microsoft.intune.mam.log.MAMLoggerProvider;
import java.lang.reflect.Array;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes3.dex */
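/**
 * An {@link X509TrustManager} that layers public-key pinning on top of a platform trust manager.
 *
 * <p>Server chains are first handed to the wrapped manager. They are then checked against two pin
 * sets obtained from {@code KnownClouds.fromAuthority(authority)}:
 * <ul>
 *   <li>at least one issuer certificate in the presented chain must carry a public key whose
 *       encoding equals an entry of {@link #mIntermediateCertPubkeys};</li>
 *   <li>the last certificate of the presented chain must verify under one of the keys in
 *       {@link #mRootCertPubkey}.</li>
 * </ul>
 *
 * <p>The pin checks are signature and key-equality checks only. Validity period, name and usage
 * constraints are left entirely to the wrapped manager. Client chains are not pinned.
 *
 * <p>NOTE(review): the pin checks run on the array exactly as the peer presented it and assume it
 * is ordered leaf-first with each certificate followed by its issuer; a server that sends an
 * unordered chain or extra certificates is rejected. Confirm this matches the deployed endpoints.
 */
public class MAMTrustManager implements X509TrustManager {
    private static final MAMLogger LOGGER = MAMLoggerProvider.getLogger((Class<?>) MAMTrustManager.class);
    private static final String VERIFY_FAILED_MESSAGE = "Unable to verify certificate.";
    // Root pins are decoded with this algorithm only; a pin for any other key type can never
    // match, so it fails closed. NOTE(review): confirm every pinned root is an RSA key.
    private static final String ROOT_KEY_ALGORITHM = "RSA";

    // Encoded public keys of the accepted intermediate CAs, compared byte-for-byte with
    // PublicKey.getEncoded().
    protected byte[][] mIntermediateCertPubkeys;
    private final X509TrustManager mManager;
    private final String mPackageName;
    // X.509 (X509EncodedKeySpec) encodings of the accepted root public keys.
    protected byte[][] mRootCertPubkey;
    private final TelemetryLogger mTelemetryLogger;

    /**
     * Wraps {@code delegate} and loads the pin sets for {@code authority}.
     *
     * @param delegate platform trust manager that performs the ordinary chain validation
     * @param authority authority passed to {@code KnownClouds.fromAuthority} to select the pins
     * @param telemetryLogger sink for pin-validation failure events
     * @param packageName package name reported with each telemetry event
     * @throws GeneralSecurityException declared for callers; nothing in this constructor throws it
     */
    protected MAMTrustManager(X509TrustManager delegate, String authority, TelemetryLogger telemetryLogger, String packageName) throws GeneralSecurityException {
        this.mManager = delegate;
        this.mTelemetryLogger = telemetryLogger;
        this.mPackageName = packageName;
        mapAuthorityToCerts(authority);
    }

    /**
     * Builds a TLS {@link SSLContext} whose trust managers are the platform defaults, each wrapped
     * in a {@link MAMTrustManager} pinned for {@code authority}.
     *
     * @param authority authority used to select the pin sets
     * @param telemetryLogger sink for pin-validation failure events
     * @param packageName package name reported with each telemetry event
     * @return an initialised context with no key managers and the default secure random source
     * @throws GeneralSecurityException if the TLS context or default trust managers cannot be
     *     created, or if the platform supplies no {@link X509TrustManager} to wrap
     */
    public static SSLContext createSslContext(String authority, TelemetryLogger telemetryLogger, String packageName) throws GeneralSecurityException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // A null KeyStore selects the platform's default trust anchors.
        factory.init((KeyStore) null);
        TrustManager[] platformManagers = factory.getTrustManagers();
        TrustManager[] pinnedManagers = new TrustManager[platformManagers.length];
        int count = 0;
        for (TrustManager candidate : platformManagers) {
            // Only X509TrustManager instances can be wrapped; a blind cast would surface as an
            // unchecked ClassCastException instead of the declared GeneralSecurityException.
            if (candidate instanceof X509TrustManager) {
                pinnedManagers[count++] = new MAMTrustManager((X509TrustManager) candidate, authority, telemetryLogger, packageName);
            }
        }
        if (count == 0) {
            // Never initialise the context with an empty array: that would silently fall back to
            // the unpinned platform defaults.
            throw new GeneralSecurityException("No X509TrustManager available to wrap.");
        }
        sslContext.init(null, Arrays.copyOf(pinnedManagers, count), null);
        return sslContext;
    }

    /**
     * Reports a pin-validation failure to telemetry.
     *
     * <p>The certificate's subject DN (or {@code "empty"} when no certificate applies) is sent as
     * the event detail, so the subject name of a rejected certificate leaves the process.
     */
    private void logCertificateError(TrackedOccurrence trackedOccurrence, X509Certificate x509Certificate) {
        String detail = x509Certificate == null ? "empty" : x509Certificate.getSubjectDN().getName();
        this.mTelemetryLogger.logTrackedOccurrence(this.mPackageName, trackedOccurrence, detail);
    }

    /** Loads the intermediate and root pin sets for {@code authority} from {@code KnownClouds}. */
    private void mapAuthorityToCerts(String authority) {
        KnownClouds cloud = KnownClouds.fromAuthority(authority);
        this.mIntermediateCertPubkeys = cloud.getIntermediateCertPubkeys();
        this.mRootCertPubkey = cloud.getRootCertPubkey();
    }

    /**
     * Requires {@code x509Certificate} to carry a signature that verifies under one of the pinned
     * root keys.
     *
     * @param x509Certificate last certificate of the presented chain
     * @param rootKeys X.509-encoded candidate root public keys; {@code null} matches nothing
     * @throws CertificateException if no pinned key verifies the certificate
     */
    private void validateCertAgainstRoot(X509Certificate x509Certificate, byte[][] rootKeys) throws CertificateException {
        if (rootKeys != null) {
            for (byte[] encodedKey : rootKeys) {
                try {
                    PublicKey rootKey = KeyFactory.getInstance(ROOT_KEY_ALGORITHM).generatePublic(new X509EncodedKeySpec(encodedKey));
                    x509Certificate.verify(rootKey);
                    return;
                } catch (Exception ignored) {
                    // Deliberately broad: a malformed pin or a failed signature check only means
                    // this candidate does not match. Falling through keeps the check fail-closed.
                }
            }
        }
        logCertificateError(TrackedOccurrence.SSL_CERT_VALIDATION_FAILED_NOT_SIGNED_BY_ROOT, x509Certificate);
        throw new CertificateException(VERIFY_FAILED_MESSAGE);
    }

    /**
     * Returns whether {@code encodedKey} equals one of {@code pins}.
     *
     * <p>A {@code null} key encoding or a {@code null} pin set never matches; without the explicit
     * guard, {@code Arrays.equals(null, null)} would count as a pin hit.
     */
    private static boolean matchesAnyPin(byte[] encodedKey, byte[][] pins) {
        if (encodedKey == null || pins == null) {
            return false;
        }
        for (byte[] pin : pins) {
            if (Arrays.equals(encodedKey, pin)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Applies the pin checks to a server chain that the wrapped manager has already accepted.
     *
     * <p>Each certificate must be signed by the key of the certificate that follows it, at least
     * one of those issuer keys must equal a pinned intermediate key, and the final certificate must
     * verify under a pinned root key. Every failure is reported to telemetry before throwing.
     *
     * @param chain the chain as presented by the peer, leaf first
     * @throws CertificateException if any link, the intermediate pin or the root pin fails
     */
    private void validateChain(X509Certificate[] chain) throws CertificateException {
        // A null chain is treated like an empty one so that it fails with CertificateException.
        int length = chain == null ? 0 : chain.length;
        boolean pinnedIntermediateSeen = false;
        for (int i = 1; i < length; i++) {
            X509Certificate issuer = chain[i];
            X509Certificate subject = chain[i - 1];
            try {
                PublicKey issuerKey = issuer.getPublicKey();
                subject.verify(issuerKey);
                if (!pinnedIntermediateSeen) {
                    pinnedIntermediateSeen = matchesAnyPin(issuerKey.getEncoded(), this.mIntermediateCertPubkeys);
                }
            } catch (Exception e) {
                // Broad on purpose: any failure while checking a link rejects the chain.
                logCertificateError(TrackedOccurrence.SSL_CERT_VALIDATION_FAILED_WRONG_PUBLIC_KEY, subject);
                throw new CertificateException(VERIFY_FAILED_MESSAGE, e);
            }
        }
        if (!pinnedIntermediateSeen) {
            // Also reached for chains of fewer than two certificates, which have no issuer to pin.
            logCertificateError(TrackedOccurrence.SSL_CERT_VALIDATION_FAILED_MSIT_CERT_NOT_FOUND, null);
            throw new CertificateException(VERIFY_FAILED_MESSAGE);
        }
        validateCertAgainstRoot(chain[length - 1], this.mRootCertPubkey);
        LOGGER.fine("cert validated");
    }

    /** Delegates to the wrapped manager; client chains are not pinned. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.mManager.checkClientTrusted(chain, authType);
    }

    /**
     * Runs the wrapped manager's validation first, then the pin checks.
     *
     * @throws CertificateException if either the wrapped manager or the pin checks reject the chain
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.mManager.checkServerTrusted(chain, authType);
        validateChain(chain);
    }

    /** Returns the wrapped manager's accepted issuers unchanged. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.mManager.getAcceptedIssuers();
    }
}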
