package com.vmware.view.client.android.cdk;

import com.vmware.view.client.android.util.SharedPreferencesUtil;
import com.vmware.view.client.android.z;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashSet;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
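/**
 * TLS settings and certificate checks for the client, recovered by JADX from {@code classes.dex}.
 *
 * <p>Most configuration is forwarded to native code through the {@code native} methods declared
 * here. The Java side holds the preference keys, the defaults, and the helpers for certificate
 * revocation and self-signed certificate validation.
 *
 * <p>Review notes:
 * <ul>
 *   <li>{@link #verify} did not decompile. Its body here only throws, so the actual trust
 *       decision is not visible in this file.</li>
 *   <li>The non-final {@code public static} numeric fields are 0 until {@link #init()} copies
 *       their values from native code. A caller that uses them earlier (for example through
 *       {@link #setEnableTLSv10}) passes 0 to the native layer.</li>
 * </ul>
 */
public class Ssl {
    // Revocation-check levels. checkRevocationStatus() compares SharedPreferencesUtil.a() with
    // the STRICT value; presumably that call returns one of these three levels (confirm).
    public static final int CERT_REVOCATION_CHECK_NORMAL = 1;
    public static final int CERT_REVOCATION_CHECK_STRICT = 2;
    public static final int CERT_REVOCATION_WILL_NOT_CHECK = 0;

    public static final String CIPHER_OPTION = "Ssl.CipherOption";
    // NOTE(review): this looks like an OpenSSL cipher-list string. If it is parsed that way, the
    // default still admits static-RSA key exchange (the "RSA+..." entries, no forward secrecy)
    // and non-AEAD AES suites; the FIPS list below is restricted to ECDHE. Confirm that the
    // broader default is intended.
    public static final String DEFAULT_CIPHER_OPTION = "!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES";
    public static final String DEFAULT_FIPS_MODE_CIPHER_OPTION = "!aNULL:ECDHE+AES";

    // NOTE(review): TLS 1.1 is enabled by default here. TLS 1.0 and 1.1 are deprecated
    // (RFC 8996); confirm whether a deployment still needs 1.1 before relying on this default.
    public static final boolean DEFAULT_TLS_V10_ENABLED = false;
    public static final boolean DEFAULT_TLS_V11_ENABLED = true;
    public static final boolean DEFAULT_TLS_V12_ENABLED = true;

    // Protocol flags handed to setProtocolDisabled(); filled in by init().
    public static long DISABLE_TLSv10 = 0;
    public static long DISABLE_TLSv11 = 0;
    public static long DISABLE_TLSv12 = 0;

    public static final String ENABLE_TLS_V10 = "Ssl.EnableTLSv10";
    public static final String ENABLE_TLS_V11 = "Ssl.EnableTLSv11";
    public static final String ENABLE_TLS_V12 = "Ssl.EnableTLSv12";

    // Error codes; filled in by init() from the native getters.
    public static int ERROR_CONFIRM = 0;
    public static int ERROR_CONFIRM_TUNNEL_CERT = 0;
    public static int ERROR_DOWNLOAD_CRLS = 0;
    public static int ERROR_FATAL = 0;
    public static int ERROR_USER_CONFIRMED = 0;

    public static final String PROTOCOL_CERTIFICATE_CHECKING_MODE = "Ssl.ProtocolCertCheckingMode";
    // Protocol certificate checking modes; filled in by init() from the native getters.
    public static int PROTOCOL_CERTIFICATE_CHECKING_MODE_PKI = 0;
    public static int PROTOCOL_CERTIFICATE_CHECKING_MODE_PKI_AND_THUMBPRINT = 0;
    public static int PROTOCOL_CERTIFICATE_CHECKING_MODE_THUMBPRINT = 0;
    public static int PROTOCOL_CERTIFICATE_CHECKING_MODE_THUMBPRINT_OR_PKI = 0;

    public static final String SECURITY_MODE = "Ssl.SecurityMode";
    public static long SSL_ERROR = 0;
    protected static final String TAG = "Ssl";
    public static final String USE_DEFAULT_CIPHER_OPTION = "Ssl.UseDefaultCipherOption";
    public static final boolean USE_DEFAULT_CIPHER_OPTION_ENABLED = true;

    // Verification modes; filled in by init(). VERIFICATION_MODE_INSECURITY comes from
    // getModeInsecure(). Presumably it disables certificate verification; confirm in native code.
    public static int VERIFICATION_MODE_ALLOW_CONFIRMATION = 0;
    public static int VERIFICATION_MODE_FULL = 0;
    public static int VERIFICATION_MODE_INSECURITY = 0;

    // Java-side mirror of the protocol switches, seeded from the defaults above.
    private static boolean sEnableTLSv10 = DEFAULT_TLS_V10_ENABLED;
    private static boolean sEnableTLSv11 = DEFAULT_TLS_V11_ENABLED;
    private static boolean sEnableTLSv12 = DEFAULT_TLS_V12_ENABLED;

    // Never assigned in the code visible here.
    protected static TrustManager[] trustManagers;

    /**
     * Outcome of one revocation check.
     *
     * <p>JADX reports that this class was private in the original and was widened during
     * decompilation.
     */
    public static class CertRevocationStatus {
        /** Message of the failure that caused {@link #revoked} to be set, or {@code null}. */
        public String errorMessage;
        /** Time of the check, in milliseconds since the epoch. */
        public long lastCheckTime;
        /** {@code true} when the check failed and the chain must be treated as revoked. */
        public boolean revoked;

        public CertRevocationStatus(boolean revoked, long lastCheckTime, String errorMessage) {
            this.revoked = revoked;
            this.lastCheckTime = lastCheckTime;
            this.errorMessage = errorMessage;
        }
    }

    /**
     * Runs a CRL-based PKIX revocation check over {@code chain}.
     *
     * <p>Security caveat: every certificate of the completed chain, including the ones supplied
     * in {@code chain}, is registered as a trust anchor. A successful validation here therefore
     * says nothing about whether the chain is trusted; it only drives the revocation checker.
     * Trust has to be decided elsewhere, presumably in {@link #verify}, whose body did not
     * decompile.
     *
     * <p>In strict mode any failure marks the chain as revoked. Otherwise the checker runs with
     * {@code SOFT_FAIL} and an "undetermined" status is ignored, so a certificate whose CRL
     * cannot be fetched is accepted. Use strict mode where that is not acceptable.
     *
     * @param chain the certificate chain to check
     * @return the status; {@code revoked} is {@code true} on any failure that is not ignored
     */
    private static CertRevocationStatus checkRevocationStatus(X509Certificate[] chain) {
        X509Certificate[] completeChain = getCompleteChain(chain);
        // SharedPreferencesUtil.a() presumably returns the configured revocation-check level.
        boolean strict = SharedPreferencesUtil.a() == CERT_REVOCATION_CHECK_STRICT;
        if (completeChain == null) {
            // Fail closed. Previously a null chain raised a NullPointerException inside the try
            // block, and in non-strict mode the catch handler then dereferenced its null message
            // and threw again.
            String reason = "The certificate chain could not be built for the revocation check.";
            z.a(TAG, "Error occurs when checking the revocation status: " + reason);
            return new CertRevocationStatus(true, new Date().getTime(), reason);
        }

        boolean revoked = false;
        String errorMessage = null;
        try {
            HashSet<TrustAnchor> anchors = new HashSet<>(completeChain.length);
            for (X509Certificate certificate : completeChain) {
                anchors.add(new TrustAnchor(certificate, null));
            }
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            PKIXParameters parameters = new PKIXParameters(anchors);
            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) validator.getRevocationChecker();
            if (strict) {
                // CRLs only, with no fallback to the other mechanism and no soft-fail.
                revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.NO_FALLBACK));
            } else {
                revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS, PKIXRevocationChecker.Option.SOFT_FAIL, PKIXRevocationChecker.Option.NO_FALLBACK));
                z.a(TAG, "Will ignore the undetermined or unknown revocation status");
            }
            parameters.addCertPathChecker(revocationChecker);
            validator.validate(CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(getChainWithoutRootCA(chain))), parameters);
            z.a(TAG, "The revocation status is good, not in revoked list.");
        } catch (Exception e) {
            // getMessage() may be null (for example for a NullPointerException), so test it
            // before matching. A null message is never treated as "undetermined".
            String message = e.getMessage();
            boolean undetermined = message != null && message.contains("Could not determine revocation status");
            if (strict || !undetermined) {
                errorMessage = e.getLocalizedMessage();
                z.a(TAG, "Error occurs when checking the revocation status: " + errorMessage);
                revoked = true;
            } else {
                z.a(TAG, "Ignore the undetermined revocation status");
            }
        }
        return new CertRevocationStatus(revoked, new Date().getTime(), errorMessage);
    }

    public static native void clearExceptions();

    /**
     * Parses one encoded X.509 certificate.
     *
     * @param encoded the encoded certificate bytes
     * @return the certificate, or {@code null} when parsing fails (the failure is logged)
     */
    public static X509Certificate generateCertificate(byte[] encoded) {
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(encoded));
        } catch (Exception e) {
            z.a(TAG, "Error occurs when generating the certificate: " + e.getMessage());
            return null;
        }
    }

    /**
     * Returns {@code chain} with every certificate that {@link #isRootCA} accepts removed,
     * keeping the original order.
     *
     * @param chain the certificate chain, may be {@code null}
     * @return the filtered chain, or {@code null} when {@code chain} is {@code null}
     */
    private static X509Certificate[] getChainWithoutRootCA(X509Certificate[] chain) {
        if (chain == null) {
            return null;
        }
        ArrayList<X509Certificate> kept = new ArrayList<>();
        for (X509Certificate certificate : chain) {
            if (!isRootCA(certificate)) {
                kept.add(certificate);
            }
        }
        return kept.toArray(new X509Certificate[0]);
    }

    /**
     * Returns the chain without its root CA, followed by the first platform-trusted issuer whose
     * public key verifies the signature of the chain's last certificate.
     *
     * <p>If no platform issuer matches, the chain is returned without any added root.
     *
     * <p>NOTE(review): the match is by signature only; the issuer and subject names are not
     * compared.
     *
     * @param chain the certificate chain, may be {@code null}
     * @return the completed chain, or {@code null} when {@code chain} is {@code null}, nothing is
     *     left after removing root CAs, or the platform trust store cannot be read
     */
    private static X509Certificate[] getCompleteChain(X509Certificate[] chain) {
        X509Certificate[] withoutRoot = getChainWithoutRootCA(chain);
        if (withoutRoot == null || withoutRoot.length == 0) {
            return null;
        }
        // The decompiled code indexed with a local ("length") that was never assigned. The index
        // of the last element is now computed explicitly.
        X509Certificate topCertificate = withoutRoot[withoutRoot.length - 1];
        ArrayList<X509Certificate> completeChain = new ArrayList<>(Arrays.asList(withoutRoot));
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            // A null KeyStore selects the platform's default trust store.
            trustManagerFactory.init((KeyStore) null);
            X509Certificate[] acceptedIssuers = ((X509TrustManager) trustManagerFactory.getTrustManagers()[0]).getAcceptedIssuers();
            for (X509Certificate issuer : acceptedIssuers) {
                try {
                    topCertificate.verify(issuer.getPublicKey());
                    completeChain.add(issuer);
                    break;
                } catch (Exception ignored) {
                    // The signature does not verify under this issuer's key; try the next one.
                }
            }
            return completeChain.toArray(new X509Certificate[0]);
        } catch (Exception ignored) {
            // The platform trust managers are unavailable; callers treat null as "no chain".
            return null;
        }
    }

    protected static native long getDisableTLSv10Flag();

    protected static native long getDisableTLSv11Flag();

    protected static native long getDisableTLSv12Flag();

    /** Returns the Java-side TLS 1.0 switch as last set through {@link #setEnableTLSv10}. */
    public static boolean getEnableTLSv10() {
        return sEnableTLSv10;
    }

    /** Returns the Java-side TLS 1.1 switch as last set through {@link #setEnableTLSv11}. */
    public static boolean getEnableTLSv11() {
        return sEnableTLSv11;
    }

    /** Returns the Java-side TLS 1.2 switch as last set through {@link #setEnableTLSv12}. */
    public static boolean getEnableTLSv12() {
        return sEnableTLSv12;
    }

    protected static native int getErrorConfirm();

    protected static native int getErrorConfirmTunnelCert();

    protected static native int getErrorDownloadCrls();

    protected static native int getErrorFatal();

    protected static native int getErrorUserConfirmed();

    protected static native int getModeAllowConfirmation();

    protected static native int getModeFull();

    protected static native int getModeInsecure();

    protected static native int getProtocolCertCheckingModePki();

    protected static native int getProtocolCertCheckingModePkiAndThumbprint();

    protected static native int getProtocolCertCheckingModeThumbprint();

    protected static native int getProtocolCertCheckingModeThumbprintOrPki();

    protected static native long getSslError();

    public static native int getVerificationMode();

    /**
     * Calls the native {@code initFields()} and then copies the error codes, verification modes,
     * certificate checking modes and protocol flags from the native getters into the static
     * fields of this class. Until this has run, all of those fields are 0.
     */
    public static void init() {
        initFields();
        SSL_ERROR = getSslError();
        ERROR_FATAL = getErrorFatal();
        ERROR_CONFIRM = getErrorConfirm();
        ERROR_CONFIRM_TUNNEL_CERT = getErrorConfirmTunnelCert();
        ERROR_DOWNLOAD_CRLS = getErrorDownloadCrls();
        ERROR_USER_CONFIRMED = getErrorUserConfirmed();
        VERIFICATION_MODE_FULL = getModeFull();
        VERIFICATION_MODE_ALLOW_CONFIRMATION = getModeAllowConfirmation();
        VERIFICATION_MODE_INSECURITY = getModeInsecure();
        PROTOCOL_CERTIFICATE_CHECKING_MODE_THUMBPRINT = getProtocolCertCheckingModeThumbprint();
        PROTOCOL_CERTIFICATE_CHECKING_MODE_THUMBPRINT_OR_PKI = getProtocolCertCheckingModeThumbprintOrPki();
        PROTOCOL_CERTIFICATE_CHECKING_MODE_PKI_AND_THUMBPRINT = getProtocolCertCheckingModePkiAndThumbprint();
        PROTOCOL_CERTIFICATE_CHECKING_MODE_PKI = getProtocolCertCheckingModePki();
        DISABLE_TLSv10 = getDisableTLSv10Flag();
        DISABLE_TLSv11 = getDisableTLSv11Flag();
        DISABLE_TLSv12 = getDisableTLSv12Flag();
    }

    protected static native void initFields();

    /**
     * Reports whether {@code certificate} is a self-signed CA certificate.
     *
     * @param certificate the certificate to inspect; must not be {@code null}
     * @return {@code true} when the basic-constraints extension marks it as a CA
     *     ({@code getBasicConstraints() != -1}) and its signature verifies under its own key
     */
    public static boolean isRootCA(X509Certificate certificate) {
        return certificate.getBasicConstraints() != -1 && isSelfSigned(certificate);
    }

    /**
     * Reports whether the certificate's signature verifies under its own public key. Any
     * verification failure is reported as {@code false}.
     */
    private static boolean isSelfSigned(X509Certificate certificate) {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (Exception ignored) {
            // Not signed with its own key, or the signature could not be checked.
            return false;
        }
    }

    public static native void setCipherControlString(String str);

    /**
     * Records the TLS 1.0 switch and forwards the inverse to the native layer. Call
     * {@link #init()} first; before it runs {@code DISABLE_TLSv10} is still 0.
     */
    public static void setEnableTLSv10(boolean enabled) {
        sEnableTLSv10 = enabled;
        setProtocolDisabled(DISABLE_TLSv10, !enabled);
    }

    /**
     * Records the TLS 1.1 switch and forwards the inverse to the native layer. Call
     * {@link #init()} first; before it runs {@code DISABLE_TLSv11} is still 0.
     */
    public static void setEnableTLSv11(boolean enabled) {
        sEnableTLSv11 = enabled;
        setProtocolDisabled(DISABLE_TLSv11, !enabled);
    }

    /**
     * Records the TLS 1.2 switch and forwards the inverse to the native layer. Call
     * {@link #init()} first; before it runs {@code DISABLE_TLSv12} is still 0.
     */
    public static void setEnableTLSv12(boolean enabled) {
        sEnableTLSv12 = enabled;
        setProtocolDisabled(DISABLE_TLSv12, !enabled);
    }

    private static native void setProtocolDisabled(long j, boolean z);

    public static native void setSignatureAlgorithms(String str);

    public static native void setSupportedGroups(String str);

    public static native void setTunnelCertificateCheckingMode(int i);

    public static native void setVerificationMode(int i);

    public static native boolean updateFipsMode(boolean z);

    // NOTE(review): JADX could not decompile verify(). The body below is the decompiler's
    // placeholder and always throws, so the real trust logic is not available in this file and
    // must be reviewed from the bytecode. The only recovered fragment is the catch handler quoted
    // in the JADX warnings: it stores an ErrorInfo built from SSL_ERROR, ERROR_FATAL and the
    // exception's localized message into r12[0], then logs that the certificates cannot be
    // trusted.
    /* JADX WARN: Can't wrap try/catch for region: R(9:36|37|38|(1:40)(3:57|(2:59|(5:61|42|(3:44|(1:46)|47)(4:50|(1:52)|53|54)|48|49)(1:62))|63)|41|42|(0)(0)|48|49) */
    /* JADX WARN: Code restructure failed: missing block: B:55:0x012d, code lost:
    
        r10 = e;
     */
    /* JADX WARN: Code restructure failed: missing block: B:56:0x0131, code lost:
    
        r12[0] = new com.vmware.view.client.android.cdk.ErrorInfo(com.vmware.view.client.android.cdk.Ssl.SSL_ERROR, com.vmware.view.client.android.cdk.Ssl.ERROR_FATAL, r10.getLocalizedMessage());
        com.vmware.view.client.android.z.a(com.vmware.view.client.android.cdk.Ssl.TAG, "The certificates cannot be trusted. Error: " + r10.getLocalizedMessage());
     */
    /* JADX WARN: Removed duplicated region for block: B:44:0x00d2 A[Catch: Exception -> 0x012d, TRY_ENTER, TryCatch #1 {Exception -> 0x012d, blocks: (B:44:0x00d2, B:46:0x00d7, B:47:0x00e4, B:50:0x00fc, B:52:0x0108, B:53:0x0115), top: B:42:0x00d0 }] */
    /* JADX WARN: Removed duplicated region for block: B:50:0x00fc A[Catch: Exception -> 0x012d, TryCatch #1 {Exception -> 0x012d, blocks: (B:44:0x00d2, B:46:0x00d7, B:47:0x00e4, B:50:0x00fc, B:52:0x0108, B:53:0x0115), top: B:42:0x00d0 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public static boolean verify(java.security.cert.X509Certificate[] r10, java.security.cert.X509Certificate[] r11, com.vmware.view.client.android.cdk.ErrorInfo[] r12) {
        /*
            Method dump skipped, instructions count: 402
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.vmware.view.client.android.cdk.Ssl.verify(java.security.cert.X509Certificate[], java.security.cert.X509Certificate[], com.vmware.view.client.android.cdk.ErrorInfo[]):boolean");
    }

    /**
     * Validates {@code chain} against exactly one explicitly trusted issuer.
     *
     * <p>The check is refused when {@code SharedPreferencesUtil.h()} is true (FIPS mode, going by
     * the log message) or when {@code trustedIssuers} does not hold exactly one certificate.
     * Revocation checking is disabled for this path, so a pinned certificate stays accepted
     * until it is removed from the trusted set.
     *
     * @param chain the certificate chain presented for validation
     * @param trustedIssuers the trusted issuers; must contain exactly one certificate
     * @return {@code true} when PKIX validation succeeds against that single anchor, else
     *     {@code false}
     */
    private static boolean verifySelfSignedCerts(X509Certificate[] chain, X509Certificate[] trustedIssuers) {
        if (SharedPreferencesUtil.h()) {
            z.a(TAG, "The self-signed certificate cannot be trusted in FIPS Mode.");
            return false;
        }
        if (trustedIssuers == null || trustedIssuers.length != 1) {
            z.a(TAG, "The self-signed certificate only can be trusted with one trusted issuer. Stopped the verification.");
            return false;
        }
        try {
            HashSet<TrustAnchor> anchors = new HashSet<>(trustedIssuers.length);
            anchors.add(new TrustAnchor(trustedIssuers[0], null));
            PKIXParameters parameters = new PKIXParameters(anchors);
            parameters.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain)), parameters);
            return true;
        } catch (Exception e) {
            z.a(TAG, "Error occurs when verifying the self-signed certificate: " + e.getMessage());
            return false;
        }
    }
}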
