package de.measite.minidns.dane;

import de.measite.minidns.dane.DaneCertificateException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.cert.CertificateEncodingException;
import qr1.c;
import qr1.f;
import qr1.g;
import tr1.b;
import tr1.e;
import zr1.t;

/* compiled from: DaneVerifier.java */
/* loaded from: classes4.dex */
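/**
 * DANE (RFC 6698) verifier: checks a TLS peer's end-entity certificate against the
 * TLSA records published in DNS for {@code _<port>._tcp.<host>}.
 *
 * <p>This is decompiled, name-obfuscated code (originally {@code DaneVerifier.java}); the
 * meaning of the obfuscated fields below is taken from the log messages that use them.
 *
 * <p><b>Security contract:</b> a {@code false} result from {@link #a} or {@link #c} means
 * "not authenticated by DANE", never "certificate is fine". Callers must still run their
 * normal PKIX validation in that case. Only a {@code true} result (a matching DANE-EE
 * record in a properly signed response) authenticates the certificate on its own.
 */
public final class a {

    /* renamed from: b, reason: collision with root package name */
    public static final Logger f33246b = Logger.getLogger(a.class.getName());

    /* renamed from: a, reason: collision with root package name */
    public final qr1.a f33247a = new tr1.a();

    /**
     * Compares one certificate with one TLSA record.
     *
     * <p>Field usage, as established by the warnings logged below: {@code f95802c} is the
     * certificate usage, {@code f95803d} the selector, {@code f95804e} the matching type and
     * {@code f95805f} the association data the certificate is compared with.
     *
     * <p>Only usages 1 (PKIX-EE) and 3 (DANE-EE) are handled; the trust-anchor usages 0 and 2
     * are reported as unsupported and yield {@code false}.
     *
     * @param x509Certificate the certificate to check (the peer's end-entity certificate)
     * @param tVar the TLSA record to check against
     * @param str host name, used in log messages only
     * @return {@code true} only when the record matches and its usage is 3 (DANE-EE).
     *     A matching usage-1 (PKIX-EE) record returns {@code false} because the certificate
     *     must additionally pass PKIX validation, which is not done here. Unsupported
     *     usage/selector/matching type also return {@code false}.
     * @throws DaneCertificateException.CertificateMismatch if the record is supported but the
     *     association data does not match the certificate
     * @throws CertificateException if the certificate cannot be encoded or the digest
     *     algorithm is unavailable
     */
    public static boolean a(X509Certificate x509Certificate, t tVar, String str) throws CertificateException {
        final byte usage = tVar.f95802c;
        if (usage != 1 && usage != 3) {
            f33246b.warning("TLSA certificate usage " + ((int) usage) + " not supported while verifying " + str);
            return false;
        }

        // Selector: 0 = full DER certificate, 1 = DER SubjectPublicKeyInfo.
        final byte selector = tVar.f95803d;
        final byte[] selected;
        switch (selector) {
            case 0:
                selected = x509Certificate.getEncoded();
                break;
            case 1:
                selected = x509Certificate.getPublicKey().getEncoded();
                break;
            default:
                f33246b.warning("TLSA selector " + ((int) selector) + " not supported while verifying " + str);
                return false;
        }

        // Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
        final byte matchingType = tVar.f95804e;
        final byte[] candidate;
        switch (matchingType) {
            case 0:
                candidate = selected;
                break;
            case 1:
                candidate = digestForMatching("SHA-256", selected);
                break;
            case 2:
                candidate = digestForMatching("SHA-512", selected);
                break;
            default:
                f33246b.warning("TLSA matching type " + ((int) matchingType) + " not supported while verifying " + str);
                return false;
        }

        // Both sides are public data (certificate bytes vs. DNS record), so a plain
        // comparison is sufficient here.
        if (!Arrays.equals(tVar.f95805f, candidate)) {
            throw new DaneCertificateException.CertificateMismatch();
        }
        return usage == 3;
    }

    /** Hashes {@code data} with {@code algorithm}; a missing algorithm fails the verification. */
    private static byte[] digestForMatching(String algorithm, byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance(algorithm).digest(data);
        } catch (NoSuchAlgorithmException nsae) {
            throw new CertificateException("Verification using TLSA failed: could not " + algorithm + " for matching", nsae);
        }
    }

    /**
     * Converts certificates from the legacy {@code javax.security.cert} API to
     * {@code java.security.cert} by re-parsing their encoded form.
     *
     * <p>A certificate that cannot be converted is logged and left as {@code null} in the
     * result, so the returned array may contain {@code null} entries. {@link #c} rejects a
     * {@code null} leaf instead of dereferencing it.
     *
     * @param x509CertificateArr the legacy certificates, in chain order
     * @return an array of the same length, with {@code null} where conversion failed
     */
    public static X509Certificate[] b(javax.security.cert.X509Certificate[] x509CertificateArr) {
        final X509Certificate[] converted = new X509Certificate[x509CertificateArr.length];
        for (int index = 0; index < x509CertificateArr.length; index++) {
            try {
                final byte[] der = x509CertificateArr[index].getEncoded();
                converted[index] = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
            } catch (CertificateException | CertificateEncodingException failure) {
                f33246b.log(Level.WARNING, "Could not convert", failure);
            }
        }
        return converted;
    }

    /**
     * Verifies the leaf certificate of a chain against the TLSA records for
     * {@code _<port>._tcp.<host>}.
     *
     * <p>TLSA records are only honoured when the response's {@code f71571i} flag is set;
     * going by the message logged otherwise, that flag marks a properly signed (DNSSEC
     * validated) answer. An unsigned answer is ignored and the method returns {@code false}.
     *
     * @param x509CertificateArr the peer's chain; only element 0 (the leaf) is checked
     * @param str the host name
     * @param i12 the TCP port
     * @return {@code true} if a DANE-EE record authenticated the leaf; {@code false} if DANE
     *     could not authenticate it (no usable record, unsigned answer, or only a PKIX-EE
     *     match). A {@code false} result still requires regular PKIX validation by the caller.
     * @throws DaneCertificateException.MultipleCertificateMismatchExceptions if no record
     *     verified the leaf and at least one supported record mismatched
     * @throws CertificateException if a TLSA record must be checked but the chain has no
     *     usable leaf certificate, or the leaf cannot be processed
     * @throws RuntimeException wrapping the {@link IOException} if the DNS lookup fails
     */
    public final boolean c(X509Certificate[] x509CertificateArr, String str, int i12) throws CertificateException {
        final de.measite.minidns.a tlsaName = de.measite.minidns.a.b("_" + i12 + "._tcp." + str);

        final c response;
        try {
            response = this.f33247a.g(new f(tlsaName, g.c.TLSA, g.b.IN));
        } catch (IOException ioe) {
            // A failed lookup aborts verification rather than being treated as "no records".
            throw new RuntimeException(ioe);
        }

        if (!response.f71571i) {
            // Never trust TLSA data from an answer that is not properly signed.
            final StringBuilder message =
                    new StringBuilder("Got TLSA response from DNS server, but was not signed properly.");
            if (response instanceof b) {
                message.append(" Reasons:");
                for (e reason : ((b) response).f78723x) {
                    message.append(' ').append(reason);
                }
            }
            f33246b.info(message.toString());
            return false;
        }

        final LinkedList<DaneCertificateException.CertificateMismatch> mismatches = new LinkedList<>();
        boolean verified = false;
        for (g<? extends zr1.g> rr : response.f71574l) {
            if (rr.f71614b != g.c.TLSA || !rr.f71613a.equals(tlsaName)) {
                continue;
            }
            try {
                verified |= a(requireLeaf(x509CertificateArr, str), (t) rr.f71618f, str);
            } catch (DaneCertificateException.CertificateMismatch mismatch) {
                // Keep going: another record may still match (e.g. during key rollover).
                mismatches.add(mismatch);
            }
            if (verified) {
                break;
            }
        }

        if (verified || mismatches.isEmpty()) {
            return verified;
        }
        throw new DaneCertificateException.MultipleCertificateMismatchExceptions(mismatches);
    }

    /**
     * Returns the leaf certificate of {@code chain}, failing closed with a
     * {@link CertificateException} when the chain is {@code null}, empty, or its first
     * entry is {@code null} (which {@link #b} produces when conversion fails).
     */
    private static X509Certificate requireLeaf(X509Certificate[] chain, String host) throws CertificateException {
        if (chain == null || chain.length == 0 || chain[0] == null) {
            throw new CertificateException("No leaf certificate available for DANE verification of " + host);
        }
        return chain[0];
    }
}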
