package de.rki.covpass.http;

import android.annotation.SuppressLint;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import javax.net.ssl.X509TrustManager;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.collections.CollectionsKt__CollectionsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

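/**
 * {@link X509TrustManager} decorator that layers a minimum-strength policy on top of the
 * path validation performed by a delegate trust manager.
 *
 * <p>Every check method calls the delegate first and only then applies the extra policy, so
 * this class can only reject chains the delegate accepted; it never accepts a chain the
 * delegate rejected. The extra policy, applied to every certificate of the chain passed in:
 *
 * <ul>
 *   <li>RSA keys must have a modulus of at least 2048 bits;</li>
 *   <li>EC keys must use a curve whose field size is at least 256 bits;</li>
 *   <li>any other public-key class is rejected (fail closed);</li>
 *   <li>the certificate's signature algorithm OID must be on {@code signatureWhitelist}.</li>
 * </ul>
 *
 * <p>NOTE(review): the policy is evaluated on the {@code chain} array handed to the check
 * method. The list returned by the delegate's three-argument {@code checkServerTrusted} is
 * passed through to the caller without being inspected here; confirm that this is the
 * intended scope before relying on the policy for certificates that are not in {@code chain}.
 *
 * <p>The lint suppression below silences the Android warning about hand-written trust
 * managers; it is only defensible because every path through this class delegates first.
 */
@SuppressLint({"CustomX509TrustManager"})
/* loaded from: classes4.dex */
public final class CustomTrustManager implements X509TrustManager {
    private static final Companion Companion = new Companion(null);

    /**
     * Allowlist of acceptable certificate signature algorithm OIDs:
     * sha256/sha384/sha512 with RSA (PKCS#1 v1.5) and ECDSA with SHA-256/384/512.
     * Anything else, including algorithms that are not weak but simply unlisted, is rejected.
     */
    @Deprecated
    private static final List<String> signatureWhitelist =
            CollectionsKt__CollectionsKt.listOf(
                    "1.2.840.113549.1.1.11", // sha256WithRSAEncryption
                    "1.2.840.113549.1.1.12", // sha384WithRSAEncryption
                    "1.2.840.113549.1.1.13", // sha512WithRSAEncryption
                    "1.2.840.10045.4.3.2", // ecdsa-with-SHA256
                    "1.2.840.10045.4.3.3", // ecdsa-with-SHA384
                    "1.2.840.10045.4.3.4"); // ecdsa-with-SHA512

    /** Trust manager that makes the actual trust decision. */
    private final X509TrustManager delegate;

    /**
     * The delegate's public {@code checkServerTrusted(X509Certificate[], String, String)}
     * method, or {@code null} when the delegate's class does not expose one.
     */
    private final Method delegateCheckServerTrusted;

    /* loaded from: classes4.dex */
    private static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Wraps {@code delegate} and looks up its optional three-argument
     * {@code checkServerTrusted} overload by reflection.
     *
     * @param delegate trust manager that performs path validation; must not be {@code null}
     */
    public CustomTrustManager(X509TrustManager delegate) {
        Intrinsics.checkNotNullParameter(delegate, "delegate");
        this.delegate = delegate;
        Method threeArgCheck;
        try {
            threeArgCheck = delegate.getClass().getMethod(
                    "checkServerTrusted", X509Certificate[].class, String.class, String.class);
        } catch (NoSuchMethodException ignored) {
            // The overload is optional; the two-argument interface method is used instead.
            threeArgCheck = null;
        }
        this.delegateCheckServerTrusted = threeArgCheck;
    }

    /** Applies the key-strength and signature-algorithm policy to one certificate. */
    private void checkCert(X509Certificate x509Certificate) throws CertificateException {
        checkKeyLength(x509Certificate);
        checkSignatureAlgorithm(x509Certificate);
    }

    /**
     * Applies {@link #checkCert} to every element of the chain, in order. An empty array
     * passes trivially; rejecting empty chains is left to the delegate.
     */
    private void checkChain(X509Certificate[] x509CertificateArr) throws CertificateException {
        for (X509Certificate certificate : x509CertificateArr) {
            checkCert(certificate);
        }
    }

    /**
     * Rejects certificates whose public key is weaker than the policy minimum or of a type
     * the policy does not know how to measure.
     *
     * @throws CertificateException if the key is RSA below 2048 bits, EC below 256 bits, or
     *     neither RSA nor EC
     */
    private void checkKeyLength(X509Certificate x509Certificate) throws CertificateException {
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            int modulusBits = ((RSAPublicKey) publicKey).getModulus().bitLength();
            if (modulusBits < 2048) {
                throw new CertificateException("RSA modulus is < 2048 bits");
            }
            return;
        }
        if (publicKey instanceof ECPublicKey) {
            int fieldBits =
                    ((ECPublicKey) publicKey).getParams().getCurve().getField().getFieldSize();
            if (fieldBits < 256) {
                throw new CertificateException("EC key field size is < 256 bits");
            }
            return;
        }
        // Fail closed: a key type that cannot be measured is not assumed to be strong.
        throw new CertificateException("Rejecting unknown key class " + publicKey.getClass().getName());
    }

    /**
     * Rejects certificates whose signature algorithm OID is not on the allowlist.
     *
     * @throws CertificateException if the OID is not listed; the message says "insecure hash
     *     function" for every unlisted OID, whatever the actual reason it is unlisted
     */
    private void checkSignatureAlgorithm(X509Certificate x509Certificate) throws CertificateException {
        String sigAlgOid = x509Certificate.getSigAlgOID();
        if (!signatureWhitelist.contains(sigAlgOid)) {
            throw new CertificateException("Signature uses an insecure hash function: " + sigAlgOid);
        }
    }

    /**
     * Validates a client chain with the delegate, then applies the extra policy.
     *
     * @throws CertificateException if the delegate or the extra policy rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkClientTrusted(X509Certificate[] chain, String str) throws CertificateException {
        Intrinsics.checkNotNullParameter(chain, "chain");
        this.delegate.checkClientTrusted(chain, str);
        checkChain(chain);
    }

    /**
     * Three-argument server check. Uses the delegate's overload of the same shape when it has
     * one, otherwise falls back to the two-argument interface method and reports the
     * presented chain as the result. The extra policy is applied afterwards in both cases.
     *
     * <p>A rejection raised inside the reflective call arrives wrapped in an
     * {@link InvocationTargetException}; it is unwrapped here so that callers see the
     * delegate's own {@link CertificateException} instead of a reflection error.
     *
     * @param chain certificates presented by the peer; must not be {@code null}
     * @param str passed through to the delegate unchanged (presumably the auth type)
     * @param str2 passed through to the delegate's three-argument overload unchanged
     *     (presumably the host name)
     * @return the list returned by the delegate's overload, {@code null} if that overload
     *     returned something that is not a {@link List}, or the presented chain as a list
     *     when the fallback path was taken
     * @throws CertificateException if the delegate or the extra policy rejects the chain, or
     *     if the reflective call cannot be made
     */
    public final List<X509Certificate> checkServerTrusted(X509Certificate[] chain, String str, String str2)
            throws CertificateException {
        Intrinsics.checkNotNullParameter(chain, "chain");
        List<X509Certificate> validated;
        Method threeArgCheck = this.delegateCheckServerTrusted;
        if (threeArgCheck != null) {
            Object result;
            try {
                result = threeArgCheck.invoke(this.delegate, chain, str, str2);
            } catch (InvocationTargetException e) {
                Throwable cause = e.getCause();
                if (cause instanceof CertificateException) {
                    throw (CertificateException) cause;
                }
                if (cause instanceof RuntimeException) {
                    throw (RuntimeException) cause;
                }
                if (cause instanceof Error) {
                    throw (Error) cause;
                }
                throw new CertificateException("Delegate checkServerTrusted failed", cause);
            } catch (IllegalAccessException e) {
                // Fail closed: if the overload cannot be called, the chain is not trusted.
                throw new CertificateException("Delegate checkServerTrusted is not accessible", e);
            }
            validated = asCertificateList(result);
        } else {
            this.delegate.checkServerTrusted(chain, str);
            validated = ArraysKt___ArraysKt.toList(chain);
        }
        checkChain(chain);
        return validated;
    }

    /**
     * Casts the reflective result to a certificate list, or returns {@code null} when it is
     * not a {@link List}.
     */
    // NOTE(review): a null result is handed back to the caller as-is; confirm callers cope.
    @SuppressWarnings("unchecked") // element type cannot be verified through reflection
    private static List<X509Certificate> asCertificateList(Object result) {
        return result instanceof List ? (List<X509Certificate>) result : null;
    }

    /**
     * Validates a server chain with the delegate, then applies the extra policy.
     *
     * @throws CertificateException if the delegate or the extra policy rejects the chain
     */
    @Override // javax.net.ssl.X509TrustManager
    public void checkServerTrusted(X509Certificate[] chain, String str) throws CertificateException {
        Intrinsics.checkNotNullParameter(chain, "chain");
        this.delegate.checkServerTrusted(chain, str);
        checkChain(chain);
    }

    /** Returns the delegate's accepted issuers unchanged; no extra policy is applied to them. */
    @Override // javax.net.ssl.X509TrustManager
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] acceptedIssuers = this.delegate.getAcceptedIssuers();
        Intrinsics.checkNotNullExpressionValue(acceptedIssuers, "delegate.acceptedIssuers");
        return acceptedIssuers;
    }
}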
