package com.sec.enterprise.knox.cloudmdm.smdms.security;

import android.content.Context;
import android.content.SharedPreferences;
import android.os.ConditionVariable;
import android.os.Handler;
import android.os.HandlerThread;
import android.os.UserHandle;
import android.util.Base64;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.sec.enterprise.knox.cloudmdm.smdms.server.GSLBManager;
import com.sec.enterprise.knox.cloudmdm.smdms.server.ServerUtils;
import com.sec.enterprise.knox.cloudmdm.smdms.utilities.Log;
import com.sec.enterprise.knox.cloudmdm.smdms.utilities.Utils;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.Response;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.io.IOUtils;

/* loaded from: classes.dex */
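/**
 * Certificate pinning support.
 *
 * <p>Two trust layers are implemented here:
 * <ul>
 *   <li>{@link MasterTrustManager} is used only when talking to the pinning server itself; the
 *       presented chain must validate against the single master certificate bundled in the app
 *       assets ({@value #MASTER_PINNING_SERVER_CERT}).</li>
 *   <li>{@link CustomTrustManager} is handed out by {@link #getTrustManagers(String)} for
 *       application endpoints; the server's leaf public key must match one of the PEM
 *       certificates fetched from the pinning server and cached in SharedPreferences, and the chain
 *       must additionally pass the platform's default validation.</li>
 * </ul>
 *
 * <p>The singleton returned by {@link #getInstance(Context)} is created lazily without
 * synchronisation; {@link #query()} performs blocking network I/O on a dedicated HandlerThread.
 */
public class Pinning {
    private static final String BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String END = "-----END CERTIFICATE-----";
    private static final String MASTER_PINNING_SERVER_CERT = "MASTER_PINNING_SERVER_CERT.PEM";
    private static final String MASTER_PINNING_SERVER_URL = "https://pinning.secb2b.com";
    private static final String MASTER_PINNING_SERVER_URL_CN = "https://pinning.secb2b.com.cn";
    private static final String MASTER_PINNING_STAGE_SERVER_URL = "https://stage-pinning.secb2b.com";
    private static final String MASTER_PINNING_STAGE_SERVER_URL_CN = "https://stage-pinning.secb2b.com.cn";
    /** Prefix of every CertificateException raised by {@link CustomTrustManager}; lets callers recognise pinning failures. */
    public static final String PINNING_EXCEPTION_STRING = "[pinning]";
    private static final String TRUST_PREFERENCE = "pintrust";
    private static final String TRUST_PREFERENCE_KEY = "shelf";
    /** Path appended to the pinning server base URL to fetch the leaf certificate list. */
    private static final String LEAF_CERT_PATH = "/service/umc/leafcert";
    private static final String HTTPS_PREFIX = "https://";
    private static final String HTTP_PREFIX = "http://";
    private static final String DEFAULT_PORT_SUFFIX = ":443";
    private static final String MASTER_KEYSTORE_ALIAS = "THE_MASTER_ALIAS";
    private static final long CONNECT_TIMEOUT_MS = 30000L;
    private static final String[] ALLOWED_PINNING_URLS = {
            MASTER_PINNING_SERVER_URL, MASTER_PINNING_SERVER_URL_CN,
            MASTER_PINNING_STAGE_SERVER_URL, MASTER_PINNING_STAGE_SERVER_URL_CN};
    // Result of the most recent query(): written on the fetch thread, read by the caller after the
    // ConditionVariable opens. Reset to null before every query so a stale result is never returned.
    private static PinningResponseStructure mResponse;
    private final Context appContext;
    private static final String TAG = "[" + UserHandle.myUserId() + "]MyKNOX:Pinning";
    private static Pinning instance = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Trust manager for application endpoints.
     *
     * <p>The server's leaf public key must equal the public key of one of the pinned PEM
     * certificates, after which the chain is also validated by the platform's default X509 trust
     * managers. Without any pinned certificates every server is rejected ("strict mode").
     */
    public class CustomTrustManager implements X509TrustManager {
        private final String endpointUrl;
        private final List<String> trustedCertificates;

        /**
         * @param str  the authority ("host:port") this manager was built for; used in log and error text
         * @param list PEM-encoded certificates whose public keys are acceptable for the leaf, or null
         */
        public CustomTrustManager(String str, List<String> list) {
            this.endpointUrl = str;
            this.trustedCertificates = list;
        }

        /**
         * Not consulted for client-side sockets; only a server-side SSLContext would invoke it.
         * Kept as a logging no-op, matching the original behaviour.
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            Log.d(Pinning.TAG, "CustomTrustManager[endpointUrl:" + this.endpointUrl + "] --check CLIENT Trusted--");
        }

        /**
         * Rejects the chain unless the leaf public key is pinned AND the chain passes default
         * platform validation.
         *
         * @throws CertificateException     no pins for this endpoint, leaf key not pinned, or
         *                                  default validation failed
         * @throws IllegalArgumentException the server presented an empty chain
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            String prefix = "CustomTrustManager[endpointUrl:" + this.endpointUrl + "] --check SERVER Trusted--";
            Log.d(Pinning.TAG, prefix);
            if (this.trustedCertificates == null || this.trustedCertificates.isEmpty()) {
                Log.d(Pinning.TAG, prefix + " SERVER IS NOT TRUSTED. NO CERT FOR " + this.endpointUrl);
                throw new CertificateException(PINNING_EXCEPTION_STRING + "No trusted certificate for : " + this.endpointUrl);
            }
            if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                Log.d(Pinning.TAG, prefix + " ...... SERVER DOES NOT PROVIDE A CERTIFICATE CHAIN!");
                throw new IllegalArgumentException(PINNING_EXCEPTION_STRING + "This server does not provide a certificate chain");
            }
            // Pin on the leaf's public key rather than the certificate bytes, so a renewed
            // certificate that keeps its key still passes.
            PublicKey leafKey = x509CertificateArr[0].getPublicKey();
            if (!isPinnedKey(leafKey)) {
                Log.d(Pinning.TAG, prefix + " ...... SERVER IS NOT TRUSTED!");
                throw new CertificateException(PINNING_EXCEPTION_STRING + "This server does not have the correct certificate");
            }
            try {
                Log.d(Pinning.TAG, prefix + " ...... performing customary SSL/TLS checks...");
                TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
                factory.init((KeyStore) null); // null keystore = platform default trust anchors
                for (TrustManager trustManager : factory.getTrustManagers()) {
                    ((X509TrustManager) trustManager).checkServerTrusted(x509CertificateArr, str);
                }
                Log.d(Pinning.TAG, prefix + " ...... SERVER IS TRUSTED");
            } catch (Exception e) {
                Log.d(Pinning.TAG, prefix + " exception when performing customary SSL/TLS check! : " + e.getMessage());
                Log.d(Pinning.TAG, prefix + " ...... SERVER IS NOT TRUSTED! failed customary SSL/TLS check!");
                throw new CertificateException(PINNING_EXCEPTION_STRING + "Server certificate does not pass SSL/TLS check", e);
            }
        }

        /**
         * @return true if {@code leafKey} equals the public key of any parseable pinned certificate.
         *         Pinned entries that fail to parse are skipped (logged) rather than aborting with
         *         a NullPointerException.
         */
        private boolean isPinnedKey(PublicKey leafKey) {
            for (String pem : this.trustedCertificates) {
                X509Certificate pinned = Pinning.pemToX509(pem);
                if (pinned == null) {
                    Log.d(Pinning.TAG, "CustomTrustManager[endpointUrl:" + this.endpointUrl + "] skipping unparseable pinned certificate");
                    continue;
                }
                if (leafKey.equals(pinned.getPublicKey())) {
                    return true;
                }
            }
            return false;
        }

        /** No issuers are advertised; pinning decides trust, not a CA list. */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            Log.d(Pinning.TAG, "CustomTrustManager[endpointUrl:" + this.endpointUrl + "] --getAcceptedIssuers--");
            return new X509Certificate[0];
        }
    }

    /**
     * Trust manager used only to reach the pinning server itself: the presented chain must
     * validate against a key store holding nothing but the bundled master certificate.
     */
    private class MasterTrustManager implements X509TrustManager {
        /** Not consulted for client-side sockets; logging no-op as in the original. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            Log.d(Pinning.TAG, "--check CLIENT Trusted--");
        }

        /**
         * @throws CertificateException     the master certificate could not be loaded, or the
         *                                  chain does not validate against it
         * @throws IllegalArgumentException the server presented an empty chain
         */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            Log.d(Pinning.TAG, "--check SERVER Trusted--");
            if (chain == null || chain.length == 0) {
                Log.d(Pinning.TAG, "--check SERVER Trusted-- ...... SERVER DOES NOT PROVIDE A CERTIFICATE CHAIN!");
                throw new IllegalArgumentException("This server does not provide a certificate chain");
            }
            X509Certificate master = loadMasterCertificate();
            try {
                Log.d(Pinning.TAG, "--check SERVER Trusted-- ...... performing customary SSL/TLS checks...");
                // A key store containing only the master certificate: nothing else is a valid anchor.
                KeyStore anchors = KeyStore.getInstance("BKS");
                anchors.load(null, null);
                anchors.setCertificateEntry(MASTER_KEYSTORE_ALIAS, master);
                TrustManagerFactory factory = TrustManagerFactory.getInstance("X509");
                factory.init(anchors);
                for (TrustManager trustManager : factory.getTrustManagers()) {
                    ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
                }
                Log.d(Pinning.TAG, "--check SERVER Trusted-- ...... SERVER IS TRUSTED");
            } catch (Exception e) {
                Log.d(Pinning.TAG, "--check SERVER Trusted-- exception when performing customary SSL/TLS check! : " + e.getMessage());
                Log.d(Pinning.TAG, "--check SERVER Trusted-- ...... SERVER IS NOT TRUSTED! failed customary SSL/TLS check!");
                throw new CertificateException("Server certificate does not pass SSL/TLS check", e);
            }
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            Log.d(Pinning.TAG, "--getAcceptedIssuers--");
            return new X509Certificate[0];
        }
    }

    private Pinning(Context context) {
        Log.d(TAG, "@Pinning constructor");
        this.appContext = context.getApplicationContext();
    }

    /**
     * Lazily creates the process-wide instance. Not synchronised: concurrent first calls may each
     * construct an instance, as in the original code.
     *
     * @param context any context; only its application context is retained
     */
    public static Pinning getInstance(Context context) {
        Log.d(TAG, "@getInstance");
        if (instance == null) {
            instance = new Pinning(context);
        }
        return instance;
    }

    /**
     * @return true if {@code str} is exactly one of the four known pinning server base URLs
     *         (prod/stage, global/China); false for null or anything else
     */
    public static boolean isPinningUrlAllowed(String str) {
        if (str == null) {
            return false;
        }
        for (String allowed : ALLOWED_PINNING_URLS) {
            if (allowed.equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses a PEM-encoded certificate.
     *
     * @param str PEM text (header/footer optional, single- or multi-line)
     * @return the certificate, or null when {@code str} is null, has no body, or does not parse
     */
    public static X509Certificate pemToX509(String str) {
        Log.d(TAG, "@pemToX509");
        if (str == null) {
            Log.e(TAG, "@pemToX509 - Cert String is Null!");
            return null;
        }
        try {
            byte[] der = readPemBytes(str);
            if (der == null || der.length == 0) {
                Log.d(TAG, "@pemToX509 - no certificate body found");
                return null;
            }
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            Log.d(TAG, "@pemToX509 - Exception: " + e.getMessage());
            return null;
        }
    }

    /**
     * Strips the PEM armour and base64-decodes the body.
     *
     * <p>All lines are joined before decoding, so both the single-line form stored by
     * {@link #savePinnedCerts} and a conventional multi-line PEM are accepted.
     *
     * @return the DER bytes, or null for an empty input
     */
    private static byte[] readPemBytes(String str) throws IOException {
        BufferedReader reader = new BufferedReader(new StringReader(str));
        String line = reader.readLine();
        if (line == null) {
            return null;
        }
        StringBuilder joined = new StringBuilder();
        while (line != null) {
            joined.append(line);
            line = reader.readLine();
        }
        String body = joined.toString();
        int begin = body.indexOf(BEGIN);
        if (begin >= 0) {
            body = body.substring(begin + BEGIN.length());
        }
        int end = body.indexOf(END);
        if (end >= 0) {
            body = body.substring(0, end);
        }
        return Base64.decode(body.replaceAll("\\s+", ""), Base64.DEFAULT);
    }

    /** Gson configured identically for both persisting and parsing the pin store. */
    private static Gson gson() {
        return new GsonBuilder().serializeNulls().setPrettyPrinting().disableHtmlEscaping().create();
    }

    /**
     * Base URL of the pinning server: the GSLB-stored URL when present, otherwise the built-in
     * prod/stage, global/China default.
     *
     * NOTE(review): the stored URL is not checked against {@link #isPinningUrlAllowed} here;
     * confirm that check is enforced where GSLBManager stores it.
     */
    private String pinningServerBaseUrl() {
        String stored = GSLBManager.getStoredUrl(this.appContext, GSLBManager.PINNING_SERVICE);
        if (stored != null && stored.length() > 0) {
            return stored;
        }
        boolean china = Utils.isChina(this.appContext);
        if (ServerUtils.isProd) {
            return china ? MASTER_PINNING_SERVER_URL_CN : MASTER_PINNING_SERVER_URL;
        }
        return china ? MASTER_PINNING_STAGE_SERVER_URL_CN : MASTER_PINNING_STAGE_SERVER_URL;
    }

    /**
     * Reads the master certificate from the app assets.
     *
     * @throws CertificateException the asset cannot be read or does not parse
     */
    private X509Certificate loadMasterCertificate() throws CertificateException {
        BufferedReader reader = null;
        try {
            reader = new BufferedReader(new InputStreamReader(
                    this.appContext.getAssets().open(MASTER_PINNING_SERVER_CERT), StandardCharsets.UTF_8));
            StringBuilder pem = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                pem.append(line);
            }
            X509Certificate master = pemToX509(pem.toString());
            if (master == null) {
                Log.d(TAG, "Fail converting the master pem cert to X509!");
                throw new CertificateException("Failed to convert master pem to X509!");
            }
            return master;
        } catch (IOException e) {
            Log.d(TAG, "Caught exception while reading the MASTER PINNING SERVER CERT : " + e.getMessage());
            throw new CertificateException("Failed to read master pinning cert", e);
        } finally {
            if (reader != null) {
                try {
                    reader.close();
                } catch (IOException ignored) {
                    // The certificate has already been read; nothing to recover from a close failure.
                }
            }
        }
    }

    /**
     * Performs the HTTPS GET against the pinning server and parses the JSON body.
     *
     * @return the parsed response, or null on any transport, HTTP or parse failure
     */
    private static PinningResponseStructure fetchLeafCertificates(OkHttpClient client, String url) {
        try {
            Log.d(TAG, "@query - querying with OKHTTP....");
            Response response = client.newCall(new Request.Builder().url(url).get().build()).execute();
            if (response == null) {
                Log.d(TAG, "@query - Null Response !");
                return null;
            }
            Log.d(TAG, "@query - code : " + response.code());
            Log.d(TAG, "@query - successful? : " + response.isSuccessful());
            if (!response.isSuccessful()) {
                Log.d(TAG, "@onFailure - queryAndSaveCertificates");
                return null;
            }
            // ResponseBody.string() reads the whole body and closes it.
            String json = response.body().string();
            Log.d(TAG, "@onSuccess - queryAndSaveCertificates");
            Log.d(TAG, "@onSuccess - deserializing....");
            try {
                PinningResponseStructure parsed = gson().fromJson(json, PinningResponseStructure.class);
                Log.d(TAG, "@onSuccess - deserializing....done");
                return parsed;
            } catch (RuntimeException e) {
                Log.d(TAG, "@onSuccess, got exception during deserializing object : " + e.getMessage());
                return null;
            }
        } catch (Throwable th) {
            // Deliberately broad: this runs on the worker thread while query() is blocked on it,
            // so anything escaping here would take the process down instead of yielding null.
            Log.d(TAG, "@query - got exception : " + th.getMessage());
            return null;
        }
    }

    /**
     * Fetches the leaf certificate list from the pinning server.
     *
     * <p>The request runs on a dedicated HandlerThread (network I/O must leave the caller's
     * thread) while this method blocks on a ConditionVariable; the thread is quit afterwards.
     *
     * @return the server's response, or null on any failure
     */
    private PinningResponseStructure query() {
        Log.d(TAG, "@query");
        final OkHttpClient client = new OkHttpClient();
        client.setConnectTimeout(CONNECT_TIMEOUT_MS, TimeUnit.MILLISECONDS);
        final String url = pinningServerBaseUrl() + LEAF_CERT_PATH;
        Log.d(TAG, "@query - url : " + url);
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, new TrustManager[]{new MasterTrustManager()}, null);
            client.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
            client.setSslSocketFactory(sslContext.getSocketFactory());

            mResponse = null; // a failed or non-2xx fetch must not leave an earlier result in place
            final ConditionVariable done = new ConditionVariable(false);
            HandlerThread worker = new HandlerThread("Pin getter");
            worker.start();
            try {
                new Handler(worker.getLooper()).post(new Runnable() {
                    @Override // java.lang.Runnable
                    public void run() {
                        try {
                            Pinning.mResponse = fetchLeafCertificates(client, url);
                        } finally {
                            done.open(); // always release the waiting caller
                        }
                    }
                });
                done.block();
            } finally {
                worker.quit(); // the looper thread would otherwise live for the rest of the process
            }
            Log.d(TAG, "@query - done");
            return mResponse;
        } catch (Exception e) {
            Log.d(TAG, "@query - exception : " + e.getMessage());
            return null;
        }
    }

    /**
     * Loads the pin store persisted by {@link #savePinnedCerts}.
     *
     * @return the stored structure, or null when nothing is stored or the stored value is
     *         unreadable (callers then fall into strict mode instead of crashing)
     */
    private PinningResponseStructure readPinnedCerts() {
        Log.d(TAG, "@readPinnedCerts");
        String encoded = this.appContext.getSharedPreferences(TRUST_PREFERENCE, Context.MODE_PRIVATE)
                .getString(TRUST_PREFERENCE_KEY, "");
        if (encoded == null || encoded.length() == 0) {
            Log.d(TAG, "@readPinnedCerts - done. Null.");
            return null;
        }
        try {
            String json = new String(Base64.decode(encoded, Base64.NO_WRAP), StandardCharsets.UTF_8);
            PinningResponseStructure stored = gson().fromJson(json, PinningResponseStructure.class);
            Log.d(TAG, "@readPinnedCerts - done");
            return stored;
        } catch (RuntimeException e) {
            Log.d(TAG, "@readPinnedCerts - unreadable pin store : " + e.getMessage());
            return null;
        }
    }

    /**
     * Persists the pin store as base64(JSON) in SharedPreferences. Every PEM is flattened to a
     * single line first.
     *
     * @return true if there was data and the synchronous commit succeeded; false otherwise
     */
    private boolean savePinnedCerts(PinningResponseStructure pinningResponseStructure) {
        Log.d(TAG, "@savePinnedCerts");
        List<ResponseData> data = pinningResponseStructure == null ? null : pinningResponseStructure.getData();
        boolean saved;
        if (data == null || data.isEmpty()) {
            saved = false;
            Log.d(TAG, "@savePinnedCerts - not saving since data is empty");
        } else {
            for (ResponseData entry : data) {
                if (entry == null || entry.CA == null) {
                    continue;
                }
                ArrayList<String> flattened = new ArrayList<String>(entry.CA.size());
                for (String pem : entry.CA) {
                    if (pem != null) {
                        flattened.add(pem.trim().replace("\r", "").replace("\n", ""));
                    }
                }
                entry.CA = flattened;
            }
            String encoded = Base64.encodeToString(
                    gson().toJson(pinningResponseStructure).getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP);
            SharedPreferences.Editor editor = this.appContext.getSharedPreferences(TRUST_PREFERENCE, Context.MODE_PRIVATE).edit();
            editor.putString(TRUST_PREFERENCE_KEY, encoded);
            saved = editor.commit(); // synchronous, so the result reflects whether the pins persisted
        }
        Log.d(TAG, "@savePinnedCerts - saveResult : " + saved);
        return saved;
    }

    /**
     * Normalises a URL or host to the "host:port" form used to match pin entries: scheme prefix
     * removed, path dropped, ":443" appended when no port is given.
     */
    private static String toAuthority(String url) {
        String rest = url;
        if (rest.startsWith(HTTPS_PREFIX)) {
            rest = rest.substring(HTTPS_PREFIX.length());
        }
        if (rest.startsWith(HTTP_PREFIX)) {
            rest = rest.substring(HTTP_PREFIX.length());
        }
        String authority = rest.split("/")[0];
        return authority.indexOf(':') < 0 ? authority + DEFAULT_PORT_SUFFIX : authority;
    }

    /**
     * Builds the trust manager for an endpoint from the cached pin store.
     *
     * <p>The endpoint and each stored {@code ResponseData.URL} are both reduced to "host:port" and
     * compared for equality, so a pin entry can never be applied to a different host whose name
     * merely contains the endpoint's. With no matching entry the returned manager is in strict
     * mode and rejects every server.
     *
     * @param str endpoint URL or host, e.g. "https://host/path" or "host:443"
     * @return a single-element array holding a {@link CustomTrustManager}
     * @throws IllegalArgumentException if {@code str} is null
     */
    public TrustManager[] getTrustManagers(String str) {
        Log.d(TAG, "@getTrustManagers");
        if (str == null) {
            throw new IllegalArgumentException(PINNING_EXCEPTION_STRING + "endpoint url must not be null");
        }
        String authority = toAuthority(str);
        Log.d(TAG, "@getTrustManagers - " + authority);
        PinningResponseStructure pinned = readPinnedCerts();
        ArrayList<String> pinnedCas = null;
        if (pinned == null) {
            Log.d(TAG, "@getTrustManagers - pinned cert store has not been formed yet!");
        } else if (pinned.getData() != null) {
            for (ResponseData entry : pinned.getData()) {
                if (entry == null || entry.URL == null) {
                    continue;
                }
                if (authority.equals(toAuthority(entry.URL))) {
                    pinnedCas = entry.CA == null ? null : new ArrayList<String>(entry.CA);
                    break;
                }
            }
        }
        TrustManager[] managers = new TrustManager[1];
        if (pinnedCas == null) {
            Log.d(TAG, "@getTrustManagers - no pinned certificate found for : " + authority);
            Log.d(TAG, "@getTrustManagers - strict mode applied for : " + authority);
            managers[0] = new CustomTrustManager(authority, null);
        } else {
            Log.d(TAG, "@getTrustManagers - found pinned certificates for : " + authority);
            managers[0] = new CustomTrustManager(authority, pinnedCas);
        }
        Log.d(TAG, "@getTrustManagers - done");
        return managers;
    }

    /**
     * Fetches the leaf certificate list and persists it.
     *
     * @return true if the pinning server returned a parseable response (the save result itself is
     *         only logged, as before); false if the fetch failed
     */
    public boolean queryAndSaveCertificates() {
        Utils.logCurrentThreadInfo(TAG);
        Log.d(TAG, "@queryAndSaveCertificates");
        PinningResponseStructure fresh = query();
        boolean fetched;
        if (fresh == null) {
            Log.d(TAG, "@queryAndSaveCertificates - response is null!");
            fetched = false;
        } else {
            savePinnedCerts(fresh);
            fetched = true;
        }
        Log.d(TAG, "@queryAndSaveCertificates - done");
        return fetched;
    }
}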
