package com.avaya.clientservices.provider.certificate.internal;

import com.avaya.clientservices.client.Log;
import io.netty.handler.codec.http.HttpConstants;
import io.netty.handler.codec.memcache.binary.BinaryMemcacheOpcodes;
import io.netty.handler.codec.memcache.binary.DefaultBinaryMemcacheRequest;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes30.dex */
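/**
 * Checks that the identity presented in a server certificate matches the host or SIP service
 * domain the client intended to reach.
 *
 * <p>The checks run in this order: an Authority Key Identifier shortcut, Subject Alternative
 * Name matching (IP address, DNS name, SIP URI), and a Subject CN comparison when the
 * certificate carries no Subject Alternative Name extension.
 *
 * <p>NOTE(review): this class only compares names. Certificate chain / trust validation is not
 * visible here and is presumably performed by the caller; confirm before relying on a silent
 * return from {@code validateHostname} as proof of server identity.
 */
public class AndroidHostnameValidator {
    private static final String AUTHORITY_KEY_IDENTIFIER_OID = "2.5.29.35";
    private static final String TAG = AndroidHostnameValidator.class.getSimpleName();
    // NOTE(review): the HttpConstants / BinaryMemcacheOpcodes names below look like decompiler
    // constant substitution (same-valued byte constants from unrelated classes), not a real
    // dependency on those classes; confirm against the original build.
    private static final byte[] AVAYA_SIP_CA_KEY_ID = {-96, -126, 7, 41, 92, HttpConstants.COLON, -96, -60, 41, -72, HttpConstants.EQUALS, -61, BinaryMemcacheOpcodes.GAT, -71, 6, 85, BinaryMemcacheOpcodes.REPLACEQ, -66, 86, 42};

    /**
     * Minimal single-use cursor over the DER bytes returned by
     * {@link X509Certificate#getExtensionValue(String)}.
     *
     * <p>The bytes come from a certificate supplied by the remote peer, so every read is
     * bounds-checked and any malformed or truncated encoding yields {@code null} instead of an
     * unchecked exception or a zero-padded key identifier.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes30.dex */
    public static class ASN1Helper {
        private static final int BYTE_LENGTH = 8;
        private static final int BYTE_MASK = 255;
        private static final byte CONSTRUCTED_SEQUENCE_TAG = 48;
        private static final byte LENGTH_INDICATOR = Byte.MIN_VALUE;
        private static final byte LONG_FORM_LENGTH_FLAG = Byte.MIN_VALUE;
        private static final byte LONG_FORM_LENGTH_MASK = Byte.MAX_VALUE;
        private static final byte OCTET_STRING_TAG = 4;
        // 0x80: context-specific primitive tag [0], the keyIdentifier field of AuthorityKeyIdentifier.
        private static final byte KEY_IDENTIFIER_TAG = Byte.MIN_VALUE;
        // A length needing more than four octets cannot be represented in an int.
        private static final int MAX_LENGTH_OCTETS = 4;
        // Returned by parseLength() when the encoding is truncated or not usable.
        private static final int MALFORMED = -1;
        private int current = 0;
        private final byte[] raw;

        /**
         * @param bArr DER-encoded extension value, or {@code null} when the extension is absent
         */
        ASN1Helper(byte[] bArr) {
            this.raw = bArr;
        }

        /**
         * Consumes one byte and reports whether it equals the expected tag.
         *
         * @return {@code false} when the input is exhausted or the tag differs
         */
        private boolean consumeTag(byte expected) {
            if (this.raw == null || this.current >= this.raw.length) {
                return false;
            }
            byte actual = this.raw[this.current];
            this.current++;
            return actual == expected;
        }

        /**
         * Reads a DER length (short or long form) at the cursor and advances past it.
         *
         * @return the length, or {@link #MALFORMED} when the input is truncated, the length uses
         *     the indefinite form, needs more than four octets, is negative, or exceeds the
         *     bytes remaining after the length field
         */
        private int parseLength() {
            if (this.raw == null || this.current >= this.raw.length) {
                return MALFORMED;
            }
            byte first = this.raw[this.current];
            this.current++;
            int length;
            if ((first & LONG_FORM_LENGTH_FLAG) == 0) {
                // Short form: the byte itself is the length (0..127).
                length = first;
            } else {
                // Long form: the low seven bits give the number of length octets that follow.
                int octets = first & LONG_FORM_LENGTH_MASK;
                if (octets == 0 || octets > MAX_LENGTH_OCTETS || octets > this.raw.length - this.current) {
                    return MALFORMED;
                }
                length = 0;
                for (int k = 0; k < octets; k++) {
                    length = (length << BYTE_LENGTH) | (this.raw[this.current] & BYTE_MASK);
                    this.current++;
                }
            }
            // A declared length larger than the remaining input would make Arrays.copyOfRange
            // pad the result with zero bytes, so reject it here.
            if (length < 0 || length > this.raw.length - this.current) {
                return MALFORMED;
            }
            return length;
        }

        /**
         * Reads a length at the cursor and copies that many content bytes.
         *
         * @return the content bytes, or {@code null} when the length is malformed
         */
        private byte[] readValue() {
            int length = parseLength();
            if (length < 0) {
                return null;
            }
            return Arrays.copyOfRange(this.raw, this.current, this.current + length);
        }

        /**
         * Extracts the keyIdentifier from an Authority Key Identifier extension value:
         * OCTET STRING wrapping a SEQUENCE whose first element is tagged [0].
         *
         * @return the key identifier bytes, or {@code null} when the extension is absent, does
         *     not start with that structure, or is malformed
         */
        byte[] extractAuthorityKeyIdentifier() {
            if (this.raw == null) {
                return null;
            }
            if (!consumeTag(OCTET_STRING_TAG) || parseLength() < 0) {
                return null;
            }
            if (!consumeTag(CONSTRUCTED_SEQUENCE_TAG) || parseLength() < 0) {
                return null;
            }
            if (!consumeTag(KEY_IDENTIFIER_TAG)) {
                return null;
            }
            return readValue();
        }

        /**
         * Extracts the key identifier from a Subject Key Identifier extension value:
         * OCTET STRING wrapping an OCTET STRING.
         *
         * @return the key identifier bytes, or {@code null} when the extension is absent or
         *     malformed
         */
        byte[] extractSubjectKeyIdentifier() {
            if (this.raw == null) {
                return null;
            }
            if (!consumeTag(OCTET_STRING_TAG) || parseLength() < 0) {
                return null;
            }
            if (!consumeTag(OCTET_STRING_TAG)) {
                return null;
            }
            return readValue();
        }
    }

    /**
     * Reports whether every character is a hex digit, '.', ':', '[' or ']'.
     *
     * <p>This is a character filter only: names such as "dead.beef" pass it. Use
     * {@link #isIPAddressLiteral(String)} before handing a string to
     * {@link InetAddress#getByName(String)}.
     *
     * @return {@code false} for the empty string or when any other character is present
     */
    private static boolean containsOnlyValidIPAddrChars(String str) {
        if (str.isEmpty()) {
            return false;
        }
        for (char c : str.toCharArray()) {
            boolean allowed = isxdigit(c) || c == '.' || c == ':' || c == '[' || c == ']';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reports whether {@code host} has the shape of an IP address literal, so that parsing it
     * with {@link InetAddress#getByName(String)} is not expected to trigger name resolution.
     *
     * <p>Accepted shapes: any string of IP-address characters containing ':' (a DNS host name
     * cannot contain a colon), or a dotted quad of decimal octets in the range 0..255.
     */
    private static boolean isIPAddressLiteral(String host) {
        if (!containsOnlyValidIPAddrChars(host)) {
            return false;
        }
        if (host.indexOf(':') >= 0) {
            return true;
        }
        String[] octets = host.split("\\.", -1);
        if (octets.length != 4) {
            return false;
        }
        for (String octet : octets) {
            if (octet.isEmpty() || octet.length() > 3) {
                return false;
            }
            for (int k = 0; k < octet.length(); k++) {
                char c = octet.charAt(k);
                if (c < '0' || c > '9') {
                    return false;
                }
            }
            if (Integer.parseInt(octet) > 255) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the keyIdentifier of the certificate's Authority Key Identifier extension, or
     * {@code null} when the extension is absent or cannot be parsed.
     */
    private static byte[] extractAuthorityKeyIdentifier(X509Certificate x509Certificate) {
        return new ASN1Helper(x509Certificate.getExtensionValue(AUTHORITY_KEY_IDENTIFIER_OID)).extractAuthorityKeyIdentifier();
    }

    /**
     * Returns everything after the first ':' of a SIP identity, or the empty string when the
     * identity contains '@' or has no ':'.
     */
    private String getDomainStringFromSIPIdentity(String str) {
        if (str.indexOf('@') > -1) {
            return "";
        }
        int schemeEnd = str.indexOf(':');
        if (schemeEnd < 0) {
            return "";
        }
        return str.substring(schemeEnd + 1);
    }

    /**
     * Reports whether the certificate's Authority Key Identifier equals the hard-coded Avaya
     * SIP CA key identifier.
     *
     * <p>SECURITY NOTE(review): the Authority Key Identifier is a value carried inside the
     * certificate; matching it shows what the certificate claims about its issuer, not that the
     * issuer's signature was verified. The result is only meaningful if the chain has already
     * been validated up to the Avaya SIP CA by the caller (not visible in this class).
     */
    private boolean isCertIssuedByAvayaSIPCA(X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            return false;
        }
        if (Arrays.equals(extractAuthorityKeyIdentifier(x509Certificate), AVAYA_SIP_CA_KEY_ID)) {
            Log.d("Certificate is issued by Avaya SIP CA ");
            return true;
        }
        Log.d("Certificate is NOT issued by Avaya SIP CA ");
        return false;
    }

    /**
     * Reports whether a URI subject alternative name is usable as a SIP domain identity: no
     * '@' (no user part), at least two ':'-separated parts, and a "sip" scheme
     * (case-insensitive).
     */
    private boolean isSIPIdentityRFC5922Compliant(String str) {
        if (str.indexOf('@') > -1) {
            return false;
        }
        String[] parts = str.split(":");
        return parts.length > 1 && "sip".equalsIgnoreCase(parts[0]);
    }

    /** Reports whether {@code c} is a hexadecimal digit according to {@link Character#digit}. */
    private static boolean isxdigit(char c) {
        return Character.digit(c, 16) != -1;
    }

    /**
     * Converts {@code str} to a certificate and validates it.
     *
     * <p>Note that {@code str3} and {@code str2} are passed to the certificate overload in
     * swapped order: {@code str3} becomes the service domain and {@code str2} the remote
     * hostname.
     *
     * @throws CertificateIdentityValidationException when the identity does not match
     */
    public void validateHostname(String str, String str2, String str3, int i) throws CertificateIdentityValidationException {
        validateHostname(CertificateUtils.convertToX509Certificate(str), str3, str2, i);
    }

    /**
     * Validates the certificate without a request id (uses {@code -1}).
     *
     * @throws CertificateIdentityValidationException when the identity does not match
     */
    public void validateHostname(X509Certificate x509Certificate, String str, String str2, int i) throws CertificateIdentityValidationException {
        validateHostname(x509Certificate, str, str2, i, -1);
    }

    /**
     * Validates that the certificate identifies the configured service domain or remote host.
     *
     * <p>Returns normally when validation passes (or is skipped, see the security notes in the
     * body) and throws otherwise.
     *
     * @param x509Certificate server certificate to check
     * @param str configured SIP service domain; when non-empty, URI (then DNS) subject
     *     alternative names are compared against it
     * @param str2 remote hostname or IP address; used when {@code str} is empty
     * @param i not used by this method
     * @param i2 request id, used only in log messages
     * @throws CertificateIdentityValidationException when the certificate is missing, carries
     *     no usable identity, or the identity does not match
     */
    public void validateHostname(X509Certificate x509Certificate, String str, String str2, int i, int i2) throws CertificateIdentityValidationException {
        final String logPrefix = TAG + ".validateHostname() ";
        final String serviceDomain = str;
        final String remoteHost = str2;

        // SECURITY NOTE(review): a matching Authority Key Identifier skips every name check
        // below. See isCertIssuedByAvayaSIPCA() for why this depends on prior chain validation.
        if (isCertIssuedByAvayaSIPCA(x509Certificate)) {
            Log.secw(logPrefix + RequestIdLogger.create(i2) + "Avaya SIP CA issued server certificate.");
            return;
        }
        // SECURITY NOTE(review): this path returns without validating anything (fail-open) when
        // the caller supplies neither a service domain nor a hostname. Kept for compatibility.
        if (serviceDomain.isEmpty() && remoteHost.isEmpty()) {
            Log.secw(logPrefix + RequestIdLogger.create(i2) + "Service domain and Remote hostname values are empty, cannot validate server identity");
            return;
        }
        // Fail closed with the declared exception type rather than a NullPointerException.
        if (x509Certificate == null) {
            throw new CertificateIdentityValidationException("Server certificate is missing, cannot validate server identity");
        }

        boolean sanExtensionMissing = false;
        List<String> dnsNames = new ArrayList<>();
        List<String> uris = new ArrayList<>();
        List<String> ipAddresses = new ArrayList<>();
        try {
            Log.d(logPrefix + "Looking for SubjectAltName in " + x509Certificate.getSubjectX500Principal().getName());
            Collection<List<?>> subjectAlternativeNames = x509Certificate.getSubjectAlternativeNames();
            if (subjectAlternativeNames != null) {
                SubjectAlternateNameId[] knownTypes = SubjectAlternateNameId.values();
                for (List<?> entry : subjectAlternativeNames) {
                    int typeCode = ((Integer) entry.get(0)).intValue();
                    // Skip name types the enum does not cover instead of failing on the index.
                    if (typeCode < 0 || typeCode >= knownTypes.length) {
                        continue;
                    }
                    Object value = entry.get(1);
                    switch (knownTypes[typeCode]) {
                        case DNS_NAME:
                            dnsNames.add(value.toString());
                            break;
                        case URI:
                            uris.add(value.toString());
                            break;
                        case IP_ADDRESS:
                            ipAddresses.add(value.toString());
                            break;
                        default:
                            break;
                    }
                }
            } else {
                Log.secw(logPrefix + RequestIdLogger.create(i2) + "Subject Alternative Name extension is not available, using CN for hostname validation");
                sanExtensionMissing = true;
            }
        } catch (CertificateParsingException e) {
            // The name lists stay as collected so far; with no match below, validation fails.
            Log.secw(logPrefix + RequestIdLogger.create(i2) + "Exception occurred while parsing the certificate.", e);
        }

        if (sanExtensionMissing && !serviceDomain.isEmpty()) {
            Log.secw(logPrefix + RequestIdLogger.create(i2) + "SIP domain validation cannot proceed with incompatible certificate.");
            throw new CertificateServiceDomainValidationException("Incompatible SIP certificate.");
        }
        if (sanExtensionMissing) {
            // No SAN extension: compare the Subject CN with the remote hostname.
            X500Principal subjectX500Principal = x509Certificate.getSubjectX500Principal();
            if (subjectX500Principal == null) {
                throw new CertificateIdentityValidationException("Failed to extract Subject DN");
            }
            String commonName = new DNParser(subjectX500Principal).find("CN");
            if (commonName.isEmpty()) {
                throw new CertificateIdentityValidationException("Empty CN in the Certificate Subject.");
            }
            if (commonName.equalsIgnoreCase(remoteHost)) {
                return;
            }
            Log.w(String.format(logPrefix + "Hostname validation failed, expected \"%1$s\", actual \"%2$s\"", remoteHost, commonName));
            throw new CertificateIdentityValidationException("Server identity validation failed");
        }

        if (serviceDomain.isEmpty()) {
            // Only literal addresses take the IP path. A host name made solely of hex digits and
            // dots (for example "dead.beef") would otherwise be resolved through DNS and the
            // resolved address compared with the certificate's IP entries, letting the DNS
            // answer decide whether the certificate matches.
            if (isIPAddressLiteral(remoteHost)) {
                try {
                    InetAddress expected = InetAddress.getByName(remoteHost);
                    for (String candidate : ipAddresses) {
                        if (InetAddress.getByName(candidate).getHostAddress().equals(expected.getHostAddress())) {
                            Log.d(logPrefix + "IP address [" + remoteHost + "] matched.");
                            return;
                        }
                    }
                } catch (UnknownHostException e2) {
                    Log.secw(logPrefix + RequestIdLogger.create(i2) + "Exception received while parsing IP address values from SubjectAltName extension", e2);
                    throw new CertificateIdentityValidationException(e2.getMessage());
                }
            }
            for (String dnsName : dnsNames) {
                if (dnsName.equalsIgnoreCase(remoteHost)) {
                    Log.d(logPrefix + "DNS Name [" + remoteHost + "] matched.");
                    return;
                }
            }
            throw new CertificateIdentityValidationException("Server identity validation failed because of mismatched DNS name.");
        }

        // A service domain is configured: prefer SIP URI names, fall back to DNS names only
        // when the certificate carries no usable SIP URI at all.
        boolean hasSipUri = false;
        for (String uri : uris) {
            if (isSIPIdentityRFC5922Compliant(uri)) {
                hasSipUri = true;
                if (uri.equalsIgnoreCase(serviceDomain)) {
                    Log.d(logPrefix + "Service domain [" + serviceDomain + "] matched.");
                    return;
                }
            }
        }
        if (!hasSipUri) {
            Log.d(logPrefix + "The certificate does not contain suitable URI parameters for SIP hostname validation, using DNS.");
            String domainStringFromSIPIdentity = getDomainStringFromSIPIdentity(serviceDomain);
            if (domainStringFromSIPIdentity.isEmpty()) {
                Log.d(logPrefix + "Configured SIP service domain is incorrectly formatted, cannot proceed with validation.");
            } else {
                for (String dnsName : dnsNames) {
                    if (dnsName.equalsIgnoreCase(domainStringFromSIPIdentity)) {
                        Log.d(logPrefix + "Service domain " + serviceDomain + " matched with DNS name.");
                        return;
                    }
                }
            }
        }
        throw new CertificateServiceDomainValidationException("Server identity validation failed because service domains match failed.");
    }
}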
