package android.net.http;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.apache.harmony.xnet.provider.jsse.SSLParameters;

/* loaded from: classes.dex */
/**
 * Performs the client-side TLS handshake for an HTTPS connection and checks the
 * server's certificate chain: host-name match on the leaf first, then chain trust
 * through the trust manager returned by {@code SSLParameters.getDefaultTrustManager()}.
 *
 * <p>Security notes for callers and reviewers:
 * <ul>
 *   <li>A {@code null} result is the only "chain accepted" signal. Any non-null
 *       {@link SslError} means validation failed; on those paths the TLS session is
 *       invalidated but the socket is NOT closed here, so the caller has to decide
 *       what happens to the connection.</li>
 *   <li>The host-name check returns before the trust check runs. An error with code 2
 *       therefore says nothing about whether the chain is trusted.</li>
 *   <li>The numeric codes 0/1/2/3 appear to correspond to SSL_NOTYETVALID, SSL_EXPIRED,
 *       SSL_IDMISMATCH and SSL_UNTRUSTED of the public {@code android.net.http.SslError}
 *       API. NOTE(review): confirm against the SslError shipped with this build.</li>
 *   <li>The authType passed to the trust manager is the fixed string "RSA", whatever
 *       key exchange was negotiated.</li>
 *   <li>Nothing in this class adds revocation or pinning checks; whatever is enforced
 *       comes from the trust manager.</li>
 * </ul>
 */
class CertificateChainValidator {
    /** Single shared instance; the class declares no other fields. */
    private static final CertificateChainValidator sInstance = new CertificateChainValidator();

    /** Not instantiable from outside; use {@link #getInstance()}. */
    private CertificateChainValidator() {
    }

    /**
     * Invalidates the socket's session (when there is one), closes the socket, and then
     * always throws. A {@code null} socket skips the cleanup and goes straight to the throw.
     *
     * @param socket  socket to tear down, may be {@code null}
     * @param message detail message of the thrown exception
     * @throws IOException always: an {@link SSLHandshakeException} carrying {@code message},
     *                     or whatever {@code close()} itself throws
     */
    private void closeSocketThrowException(SSLSocket socket, String message) throws IOException {
        if (socket == null) {
            throw new SSLHandshakeException(message);
        }
        final SSLSession activeSession = socket.getSession();
        if (activeSession != null) {
            // Invalidate so this session cannot be resumed by a later connection.
            activeSession.invalidate();
        }
        socket.close();
        throw new SSLHandshakeException(message);
    }

    /**
     * Same as the two-argument overload, but substitutes {@code fallback} when
     * {@code message} is {@code null}.
     *
     * @throws IOException always
     */
    private void closeSocketThrowException(SSLSocket socket, String message, String fallback) throws IOException {
        closeSocketThrowException(socket, message != null ? message : fallback);
    }

    /** Returns the shared validator instance. */
    public static CertificateChainValidator getInstance() {
        return sInstance;
    }

    /**
     * Runs the TLS handshake in client mode and validates the peer certificate chain.
     *
     * @param httpsConnection connection that receives the leaf certificate via
     *                        {@code setCertificate}; may be {@code null}
     * @param sSLSocket       socket to handshake on
     * @param str             host name the leaf certificate has to match
     * @return {@code null} when the leaf matches {@code str} and the trust manager accepts
     *         the chain; otherwise an {@link SslError} describing the failure (the session
     *         has been invalidated, the socket is left open)
     * @throws IOException when the handshake fails, no peer certificates are available,
     *                     a chain entry is {@code null}, or the trust manager rejected the
     *                     chain and the fallback walk could not name a reason
     */
    public SslError doHandshakeAndValidateServerCertificates(HttpsConnection httpsConnection, SSLSocket sSLSocket, String str) throws IOException {
        try {
            sSLSocket.setUseClientMode(true);
            sSLSocket.startHandshake();
        } catch (IOException handshakeFailure) {
            // Always throws, so control never continues past a failed handshake.
            closeSocketThrowException(sSLSocket, handshakeFailure.getMessage(), "failed to perform SSL handshake");
        }

        final Certificate[] peerChain = sSLSocket.getSession().getPeerCertificates();
        if (peerChain == null || peerChain.length <= 0) {
            closeSocketThrowException(sSLSocket, "failed to retrieve peer certificates");
        }

        // Element-wise cast: a non-X.509 entry surfaces as a ClassCastException.
        final X509Certificate[] serverChain = new X509Certificate[peerChain.length];
        int slot = 0;
        for (Certificate peerCert : peerChain) {
            serverChain[slot++] = (X509Certificate) peerCert;
        }

        final X509Certificate leaf = serverChain[0];
        if (httpsConnection != null && leaf != null) {
            // Recorded before any validation; the stored certificate is not yet trusted.
            httpsConnection.setCertificate(new SslCertificate(leaf));
        }
        if (leaf == null) {
            closeSocketThrowException(sSLSocket, "certificate for this site is null");
        }

        if (!DomainNameChecker.match(leaf, str)) {
            // Host-name mismatch (code 2). Returned BEFORE the trust check below, so the
            // chain has not been validated at all when this error is reported.
            sSLSocket.getSession().invalidate();
            return new SslError(2, leaf);
        }

        try {
            // authType is hard-coded to "RSA" regardless of the negotiated cipher suite.
            SSLParameters.getDefaultTrustManager().checkServerTrusted(serverChain, "RSA");
            return null;
        } catch (CertificateException rejected) {
            sSLSocket.getSession().invalidate();
            return classifyRejectedChain(sSLSocket, serverChain);
        }
    }

    /**
     * Walks a chain the trust manager has already rejected, from its last entry down to
     * the leaf, to pick the error to report. This is diagnosis only: every path either
     * returns a non-null {@link SslError} or throws, so the walk never turns a rejected
     * chain into an accepted one.
     *
     * @param socket socket to tear down when the walk cannot continue
     * @param chain  the rejected chain, leaf first
     * @return the error to report to the caller
     * @throws IOException when a chain entry is {@code null} or no specific reason is found
     */
    private SslError classifyRejectedChain(SSLSocket socket, X509Certificate[] chain) throws IOException {
        final int lastIndex = chain.length - 1;
        final X509Certificate root = chain[lastIndex];
        if (root == null) {
            closeSocketThrowException(socket, "root certificate is null");
        }

        // Check the last chain entry on its own first: 1 = expired, 0 = not yet valid,
        // anything else the trust manager objects to is reported as 3 straight away.
        SslError worst = null;
        try {
            SSLParameters.getDefaultTrustManager().checkServerTrusted(new X509Certificate[]{root}, "RSA");
        } catch (CertificateExpiredException expired) {
            worst = new SslError(1, root);
        } catch (CertificateNotYetValidException premature) {
            worst = new SslError(0, root);
        } catch (CertificateException untrusted) {
            return new SslError(3, root);
        }

        X509Certificate issuer = root;
        for (int position = lastIndex - 1; position >= 0; position--) {
            final X509Certificate subject = chain[position];
            if (subject == null) {
                closeSocketThrowException(socket, "null certificate in the chain");
            }
            // Name chaining: the issuer DN of each entry must equal the subject DN above it.
            if (!issuer.getSubjectDN().equals(subject.getIssuerDN())) {
                return new SslError(3, subject);
            }
            try {
                // Signature chaining against the public key of the entry above.
                subject.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException badSignature) {
                return new SslError(3, subject);
            }
            try {
                subject.checkValidity();
            } catch (CertificateExpiredException expired) {
                // An expiry finding replaces a recorded error with a lower code.
                if (worst == null || worst.getPrimaryError() < 1) {
                    worst = new SslError(1, subject);
                }
            } catch (CertificateNotYetValidException premature) {
                // Presumably codes are never negative, so this only fills an empty slot.
                if (worst == null || worst.getPrimaryError() < 0) {
                    worst = new SslError(0, subject);
                }
            }
            issuer = subject;
        }

        if (worst != null) {
            return worst;
        }
        // The trust manager said no but the walk found nothing to report: fail closed.
        closeSocketThrowException(socket, "failed to pre-validate the certificate chain due to a non-standard error");
        // Only here to satisfy the compiler; the call above always throws.
        return worst;
    }
}
