package com.android.internal.net.ipsec.ike.message;

import android.annotation.Nullable;
import android.net.ipsec.ike.exceptions.AuthenticationFailedException;
import android.net.ipsec.ike.exceptions.IkeProtocolException;
import java.io.IOException;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.ProviderException;
import java.security.cert.CertificateException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/android/internal/net/ipsec/ike/message/IkeCertPayload.class */
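/**
 * Base class for the IKE Certificate payload: decodes the one-byte certificate-encoding field and
 * validates a received certificate chain against a set of trust anchors.
 *
 * <p>Security-relevant limits of the code in this class:
 *
 * <ul>
 *   <li>Only {@link #CERTIFICATE_ENCODING_X509_CERT_SIGNATURE} is decoded; the CRL and
 *       hash-and-URL encodings are rejected with an authentication failure.
 *   <li>{@link #validateCertificates} performs chain validation only. It does not read the CRL
 *       list it is given and does not bind the certificate to the peer's IKE identity; any
 *       revocation or identity check has to happen elsewhere.
 * </ul>
 */
public abstract class IkeCertPayload extends IkePayload {
    /** Length in bytes of the certificate-encoding field that starts the payload body. */
    protected static final int CERT_ENCODING_LEN = 1;

    private static final String KEY_STORE_TYPE_PKCS12 = "PKCS12";
    private static final String CERT_PATH_ALGO_PKIX = "PKIX";
    private static final String CERT_AUTH_TYPE_RSA = "RSA";

    /** Certificate encoding value 4: X.509 certificate, signature. */
    public static final int CERTIFICATE_ENCODING_X509_CERT_SIGNATURE = 4;

    /** Certificate encoding value 7: certificate revocation list. Not decoded by this class. */
    public static final int CERTIFICATE_ENCODING_CRL = 7;

    /** Certificate encoding value 12: hash and URL of an X.509 certificate. Not decoded here. */
    public static final int CERTIFICATE_ENCODING_X509_CERT_HASH_URL = 12;

    /** Encoding type carried in the first byte of the payload body. */
    public final int certEncodingType;

    /** Source-retained marker annotation for values that hold a certificate encoding type. */
    @Retention(RetentionPolicy.SOURCE)
    public @interface CertificateEncoding {
    }

    /**
     * Creates a payload with the given encoding type and {@code false} for the flag forwarded to
     * {@link IkePayload}.
     *
     * <p>The decompiler reports that this constructor was declared {@code protected} in the
     * original class.
     *
     * @param i certificate encoding type
     */
    public IkeCertPayload(int i) {
        this(false, i);
    }

    /**
     * Creates a payload with the given encoding type.
     *
     * <p>The decompiler reports that this constructor was declared {@code protected} in the
     * original class.
     *
     * @param z flag forwarded unchanged to the {@link IkePayload} constructor (presumably the
     *     payload's critical bit; confirm against IkePayload)
     * @param i certificate encoding type
     */
    public IkeCertPayload(boolean z, int i) {
        // 37 is the payload type number of the Certificate payload in RFC 7296.
        super(37, z);
        this.certEncodingType = i;
    }

    /**
     * Decodes a Certificate payload body received from the peer.
     *
     * <p>The first byte is read as the unsigned encoding type; the remaining bytes are handed to
     * the encoding-specific subclass.
     *
     * <p>The decompiler reports that this method was declared {@code protected} in the original
     * class.
     *
     * @param z flag forwarded to the created payload
     * @param bArr raw payload body, starting with the encoding-type byte
     * @return the decoded payload; only X.509 signature certificates are supported
     * @throws IkeProtocolException as {@link AuthenticationFailedException} when the encoding is
     *     CRL, hash-and-URL or unknown; the subclass constructor may raise further errors
     * @throws java.nio.BufferUnderflowException if {@code bArr} is empty. This unchecked
     *     exception is not translated here; NOTE(review): confirm the caller maps it to a
     *     protocol error, since the body is peer-controlled.
     */
    public static IkeCertPayload getIkeCertPayload(boolean z, byte[] bArr) throws IkeProtocolException {
        ByteBuffer wrap = ByteBuffer.wrap(bArr);
        int unsignedInt = Byte.toUnsignedInt(wrap.get());
        byte[] bArr2 = new byte[bArr.length - CERT_ENCODING_LEN];
        wrap.get(bArr2);
        switch (unsignedInt) {
            case CERTIFICATE_ENCODING_X509_CERT_SIGNATURE:
                return new IkeCertX509CertPayload(z, bArr2);
            case CERTIFICATE_ENCODING_CRL:
                throw new AuthenticationFailedException("CERTIFICATE_ENCODING_CRL decoding is unsupported.");
            case CERTIFICATE_ENCODING_X509_CERT_HASH_URL:
                throw new AuthenticationFailedException("CERTIFICATE_ENCODING_X509_CERT_HASH_URL decoding is unsupported");
            default:
                throw new AuthenticationFailedException("Unrecognized certificate encoding type.");
        }
    }

    /**
     * Validates a certificate chain with a PKIX {@link X509TrustManager}.
     *
     * <p>When {@code set} holds at least one trust anchor, only those anchors are trusted. When it
     * is {@code null} or empty, a {@code null} key store is passed to the factory, which makes it
     * fall back to the provider's default trust anchors. An empty set therefore does not mean
     * "trust nothing"; callers that pin anchors must pass a non-empty set.
     *
     * <p>The whole procedure runs inside one {@code try} block so that a chain rejected by
     * {@code checkServerTrusted} surfaces as {@link AuthenticationFailedException} instead of
     * escaping as an unmapped {@link CertificateException}.
     *
     * @param x509Certificate end certificate; not read by this method. The chain that is checked
     *     is {@code list} alone, so the caller must make sure the end certificate is part of it
     *     (presumably first; confirm at the call site)
     * @param list certificate chain handed to the trust manager
     * @param list2 CRLs; not read by this method, so no CRL-based revocation check happens here
     * @param set trust anchors to pin, or {@code null}/empty to use the provider defaults
     * @throws AuthenticationFailedException if the chain is rejected or a certificate cannot be
     *     processed
     * @throws ProviderException if the provider lacks the PKIX algorithm or an X509TrustManager
     * @throws IllegalStateException if the in-memory key store cannot be built or used
     */
    public static void validateCertificates(X509Certificate x509Certificate, List<X509Certificate> list, @Nullable List<X509CRL> list2, Set<TrustAnchor> set) throws AuthenticationFailedException {
        try {
            // null key store: the trust manager factory uses its default trust anchors.
            KeyStore keyStore = null;
            if (set != null && !set.isEmpty()) {
                keyStore = KeyStore.getInstance(KEY_STORE_TYPE_PKCS12);
                // load(null) initialises an empty in-memory key store.
                keyStore.load(null);
                for (TrustAnchor anchor : set) {
                    // NOTE(review): getTrustedCert() returns null for anchors built from a public
                    // key rather than a certificate; such an anchor fails here with a
                    // NullPointerException. Confirm callers only pass certificate-based anchors.
                    X509Certificate trustedCert = anchor.getTrustedCert();
                    String alias = trustedCert.getSubjectX500Principal().getName() + trustedCert.hashCode();
                    keyStore.setCertificateEntry(alias, trustedCert);
                }
            }

            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERT_PATH_ALGO_PKIX, IkeMessage.getTrustManagerProvider());
            trustManagerFactory.init(keyStore);

            // Keeps the last X509TrustManager the factory offers, as the original loop did.
            X509TrustManager x509TrustManager = null;
            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    x509TrustManager = (X509TrustManager) trustManager;
                }
            }
            if (x509TrustManager == null) {
                throw new ProviderException("X509TrustManager is not supported by " + IkeMessage.getTrustManagerProvider().getName());
            }

            // Builds and validates the certificate path; the auth type is fixed to RSA.
            x509TrustManager.checkServerTrusted(list.toArray(new X509Certificate[0]), CERT_AUTH_TYPE_RSA);
        } catch (IOException | KeyStoreException e) {
            throw new IllegalStateException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new ProviderException("Algorithm is not supported by the provider", e);
        } catch (CertificateException e) {
            // Covers both an unusable trust-anchor certificate and a rejected chain.
            throw new AuthenticationFailedException(e);
        }
    }
}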
