package com.allawn.cryptography.security.cert;

import android.content.Context;
import com.allawn.cryptography.teesdk.CryptoEngCmd;
import com.allawn.cryptography.util.LogUtil;
import com.allawn.cryptography.util.ThreadUtil;
import com.heytap.baselib.utils.SecurityUtils;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
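/**
 * Validates a single X.509 certificate against one of three trust-anchor sets selected by
 * {@link TrustCAListEnum}: the platform default store ({@code SYSTEM_LIST}), the vendor root
 * returned by {@code CertUtils.getRootCA} ({@code OPLUS_LIST}), or caller-supplied roots in
 * {@link #mRootCAs} ({@code SELF_SIGNED_LIST}).
 *
 * <p>This listing is decompiled output: the public mutable fields and the missing {@code throws}
 * clauses are kept as found so existing callers are unaffected.
 *
 * <p>Thread-safety: the lazily initialised fields are read and written without any
 * synchronisation visible in this class, so concurrent first calls may each build a trust manager.
 */
public class CertificateTrustManager {
    private static final String TAG = "CertificateTrustManager";

    /** Upper bound on how long {@link #check} waits for the TEE verdict before falling back. */
    private static final long TEE_VERIFY_TIMEOUT_SECONDS = 1L;

    // Context handed to CertUtils when loading the vendor certificates; set via setContext().
    public Context mContext;
    // Intermediate CA cached from CertUtils.getDeviceCA on first use.
    public X509Certificate mDeviceCACert;
    // Trust anchors for SELF_SIGNED_LIST; no setter is visible here, callers assign the field.
    public X509Certificate[] mRootCAs;
    // Intermediate CA cached from CertUtils.getServiceCA on first use.
    public X509Certificate mServiceCACert;
    public final TrustCAListEnum mTrustCAMode;
    // Built once by initTrustManager() and reused for every later check.
    public X509TrustManager mX509TrustManager;

    /**
     * @param trustCAListEnum which trust-anchor set later {@link #check} calls validate against
     */
    public CertificateTrustManager(TrustCAListEnum trustCAListEnum) {
        this.mTrustCAMode = trustCAListEnum;
    }

    /**
     * Writes the device CA and the service CA into the last two slots of {@code x509CertificateArr},
     * loading and caching each from {@code CertUtils} on first use.
     *
     * @param x509CertificateArr chain under construction; must have at least two slots
     * @throws IllegalArgumentException if the array is null or has fewer than two slots
     */
    public final void addOplusIntermediateCAs(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length < 2) {
            throw new IllegalArgumentException("the chain array must have room for two intermediate CAs");
        }
        if (this.mDeviceCACert == null) {
            this.mDeviceCACert = CertUtils.getDeviceCA(this.mContext);
        }
        if (this.mServiceCACert == null) {
            this.mServiceCACert = CertUtils.getServiceCA(this.mContext);
        }
        // NOTE(review): CertUtils is not visible here; if either lookup can return null, a null
        // entry ends up in the chain handed to the trust manager. Confirm against CertUtils.
        final int slotCount = x509CertificateArr.length;
        x509CertificateArr[slotCount - 2] = this.mDeviceCACert;
        x509CertificateArr[slotCount - 1] = this.mServiceCACert;
    }

    /**
     * Checks that {@code x509Certificate} is trusted under the configured CA mode.
     *
     * <p>In {@code OPLUS_LIST} mode, while no trust manager has been built yet, the certificate's
     * validity window is checked and the certificate alone is handed to
     * {@code CryptoEngCmd.pkiCertVerify} on a background thread, waiting at most
     * {@value #TEE_VERIFY_TIMEOUT_SECONDS} second. A positive verdict returns immediately; any other
     * verdict is rejected. If the request is interrupted, fails or times out, validation falls back
     * to the Java trust manager with the chain {@code [certificate, device CA, service CA]}.
     *
     * <p>Security notes for reviewers:
     * <ul>
     *   <li>The fallback is reported only through {@code LogUtil.d}; a TEE path that never
     *       answers is indistinguishable from normal operation unless debug logs are collected.</li>
     *   <li>Once a fallback has built {@link #mX509TrustManager}, the TEE path is skipped for every
     *       later call on this instance, because it is guarded by that field being null.</li>
     *   <li>A request that times out is not cancelled here, since the returned handle's type is
     *       not visible in this file.</li>
     * </ul>
     *
     * @param x509Certificate the untrusted certificate to validate
     * @throws NullPointerException if {@code x509Certificate} is null, or in
     *     {@code SELF_SIGNED_LIST} mode when {@link #mRootCAs} is null
     * @throws IllegalArgumentException if the configured CA mode is not one of the three handled
     * @throws CertificateException if the certificate is outside its validity window, the TEE
     *     rejects it, or the trust manager rejects the chain (the decompiled signature carries no
     *     {@code throws} clause; the exception is thrown regardless)
     */
    public void check(final X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            throw new NullPointerException("the unTrustCertificate parameter must be non-null");
        }
        final X509Certificate[] chain;
        if (this.mTrustCAMode == TrustCAListEnum.OPLUS_LIST) {
            if (this.mX509TrustManager == null) {
                // Only the leaf's validity window is checked before asking the TEE.
                x509Certificate.checkValidity();
                try {
                    final Object verdict = ThreadUtil.postOnBackgroundThread(new Callable<Boolean>() {
                        @Override
                        public Boolean call() {
                            return Boolean.valueOf(CryptoEngCmd.pkiCertVerify(x509Certificate));
                        }
                    }).get(TEE_VERIFY_TIMEOUT_SECONDS, TimeUnit.SECONDS);
                    // Fail closed: anything other than an explicit TRUE (including null) is a rejection.
                    if (Boolean.TRUE.equals(verdict)) {
                        return;
                    }
                    throw new CertificateException("signature check failed");
                } catch (InterruptedException e) {
                    // Keep the interrupt visible to the caller's thread instead of swallowing it.
                    Thread.currentThread().interrupt();
                    LogUtil.d(TAG, "check unable to request ta to verify the certificate chain. " + e);
                } catch (ExecutionException | TimeoutException e) {
                    // TEE unavailable or too slow: fall through to software path validation below.
                    LogUtil.d(TAG, "check unable to request ta to verify the certificate chain. " + e);
                }
            }
            // Both vendor intermediates are supplied after the leaf.
            // NOTE(review): presumably the path builder picks whichever one issued the leaf; confirm.
            chain = new X509Certificate[3];
            chain[0] = x509Certificate;
            addOplusIntermediateCAs(chain);
        } else {
            chain = new X509Certificate[]{x509Certificate};
        }
        initTrustManager();
        // NOTE(review): the value of SecurityUtils.ECDSA.KEY_ALGORITHM passed as authType is not
        // visible in this file.
        this.mX509TrustManager.checkServerTrusted(chain, SecurityUtils.ECDSA.KEY_ALGORITHM);
    }

    /**
     * Builds {@link #mX509TrustManager} on first use; later calls return immediately.
     *
     * <p>{@code SYSTEM_LIST} initialises the factory with a null key store, which selects the
     * platform's default trust anchors. The other two modes load their roots into a fresh
     * in-memory key store so that only those roots are trusted.
     *
     * @throws IllegalArgumentException if the CA mode is none of the three handled values
     * @throws NullPointerException in {@code SELF_SIGNED_LIST} mode when {@link #mRootCAs} is null
     * @throws CertificateException if the key store or trust manager cannot be initialised, or the
     *     factory yields no {@link X509TrustManager}
     */
    public final void initTrustManager() {
        if (this.mX509TrustManager != null) {
            return;
        }
        final TrustCAListEnum mode = this.mTrustCAMode;
        KeyStore anchors = null;
        if (mode != TrustCAListEnum.SYSTEM_LIST) {
            final X509Certificate[] roots;
            if (mode == TrustCAListEnum.OPLUS_LIST) {
                roots = new X509Certificate[]{CertUtils.getRootCA(this.mContext)};
            } else {
                if (mode != TrustCAListEnum.SELF_SIGNED_LIST) {
                    throw new IllegalArgumentException("Invalid CA mode");
                }
                if (this.mRootCAs == null) {
                    throw new NullPointerException("the root ca parameter must be non-null");
                }
                // Copy so later writes to the public field cannot alter the anchors being loaded.
                roots = this.mRootCAs.clone();
            }
            try {
                final KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
                store.load(null);
                int index = 1;
                for (X509Certificate root : roots) {
                    store.setCertificateEntry("rootCA" + index, root);
                    index++;
                }
                anchors = store;
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException e) {
                throw new CertificateException("Init root ca error,", e);
            }
        }
        try {
            final TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
            factory.init(anchors);
            // Pick the first X509TrustManager instead of blindly casting element 0, so an
            // unexpected provider result surfaces as a certificate error rather than a
            // ClassCastException or ArrayIndexOutOfBoundsException.
            for (Object candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    this.mX509TrustManager = (X509TrustManager) candidate;
                    return;
                }
            }
            throw new CertificateException("Init X509TrustManager error, no X509TrustManager available");
        } catch (KeyStoreException | NoSuchAlgorithmException e2) {
            throw new CertificateException("Init X509TrustManager error,", e2);
        }
    }

    /**
     * @param context context later passed to {@code CertUtils} when loading vendor certificates
     */
    public void setContext(Context context) {
        this.mContext = context;
    }
}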
