package at.bitfire.cert4android;

import android.annotation.SuppressLint;
import android.content.Context;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;
import kotlin.Lazy;
import kotlin.LazyKt__LazyJVMKt;
import kotlin.Unit;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.coroutines.EmptyCoroutineContext;
import kotlin.io.CloseableKt;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlinx.coroutines.BuildersKt;
import kotlinx.coroutines.flow.StateFlow;
import net.fortuna.ical4j.util.Dates;
import org.conscrypt.Conscrypt;

/* compiled from: CustomCertStore.kt */
/* loaded from: classes.dex */
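/**
 * Process-wide store of the user's per-certificate trust decisions, combined with the
 * platform trust manager supplied by Conscrypt.
 *
 * <p>Certificates the user accepted are persisted in a key store file
 * ({@link #KEYSTORE_DIR}/{@link #KEYSTORE_NAME}) inside the directory returned by
 * {@code Context.getDir}. Certificates the user rejected are only remembered in the
 * in-memory {@code untrustedCerts} set of this instance.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The key store is loaded and stored with a {@code null} password. Per the
 *       {@link KeyStore#load(java.io.InputStream, char[])} contract, no integrity check is
 *       performed in that case, so the file's protection rests on the app-private
 *       directory it lives in.</li>
 *   <li>User decisions are matched against the leaf certificate ({@code chain[0]}) only.</li>
 * </ul>
 *
 * <p>This listing is decompiler output of a Kotlin class: several methods call APIs that
 * declare checked exceptions without declaring them themselves, as Kotlin allows.
 *
 * <p>Thread-safety: mutating and lookup methods synchronize on the instance; the raw
 * accessors for {@code untrustedCerts} and {@code userKeyStore} do not.
 */
public final class CustomCertStore {
    /** Name of the app-private directory that holds the user key store file. */
    public static final String KEYSTORE_DIR = "KeyStore";
    /** File name of the user key store inside {@link #KEYSTORE_DIR}. */
    public static final String KEYSTORE_NAME = "KeyStore.bks";

    // Singleton instance; getInstance() only ever stores the application context in it.
    @SuppressLint({"StaticFieldLeak"})
    private static CustomCertStore instance;
    private final Context context;
    // Lazily resolved Conscrypt default trust manager (see getSystemKeyStore()).
    private final Lazy systemKeyStore$delegate;
    // Leaf certificates the user rejected; never written to disk by this class.
    private HashSet<X509Certificate> untrustedCerts;
    // Certificates the user accepted; mirrored to userKeyStoreFile by saveUserKeyStore().
    private final KeyStore userKeyStore;
    private final File userKeyStoreFile;
    // Stored by the constructor; not read anywhere in this class body.
    private final long userTimeout;
    public static final Companion Companion = new Companion(null);
    // Synthetic compiler-generated constant; not referenced in this class.
    public static final int $stable = 8;

    /** Holder of the singleton accessors (Kotlin companion object). */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /**
         * Returns the shared store, creating it on first use.
         *
         * <p>Only {@code context.getApplicationContext()} is retained, so no activity is
         * kept alive by the static reference. The instance is created with the default
         * user timeout (mask bit 2 of the synthetic constructor).
         *
         * @param context any context of the application; must not be null
         * @return the process-wide instance
         */
        public final synchronized CustomCertStore getInstance(Context context) {
            Intrinsics.checkNotNullParameter(context, "context");
            CustomCertStore instance$cert4android_release = getInstance$cert4android_release();
            if (instance$cert4android_release != null) {
                return instance$cert4android_release;
            }
            Context applicationContext = context.getApplicationContext();
            Intrinsics.checkNotNullExpressionValue(applicationContext, "getApplicationContext(...)");
            CustomCertStore customCertStore = new CustomCertStore(applicationContext, 0L, 2, null);
            setInstance$cert4android_release(customCertStore);
            return customCertStore;
        }

        /** Returns the current singleton, or null if none was created yet. Not synchronized. */
        public final CustomCertStore getInstance$cert4android_release() {
            return CustomCertStore.instance;
        }

        /** Replaces the singleton. Not synchronized. */
        public final void setInstance$cert4android_release(CustomCertStore customCertStore) {
            CustomCertStore.instance = customCertStore;
        }
    }

    static {
        // Process-wide side effect: Conscrypt becomes the highest-priority security provider,
        // so every later JCA/JSSE lookup in this process resolves against it first.
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        Conscrypt.Version version = Conscrypt.version();
        Cert4Android cert4Android = Cert4Android.INSTANCE;
        cert4Android.getLog().info("Using Conscrypt/" + version.major() + "." + version.minor() + "." + version.patch() + " for TLS");
        // Log the effective TLS configuration once, so weak protocols/ciphers show up in logs.
        SSLEngine createSSLEngine = SSLContext.getDefault().createSSLEngine();
        Logger log = cert4Android.getLog();
        String[] enabledProtocols = createSSLEngine.getEnabledProtocols();
        Intrinsics.checkNotNullExpressionValue(enabledProtocols, "getEnabledProtocols(...)");
        log.info("Enabled protocols: ".concat(ArraysKt___ArraysKt.joinToString$default(enabledProtocols, ", ", 62)));
        Logger log2 = cert4Android.getLog();
        String[] enabledCipherSuites = createSSLEngine.getEnabledCipherSuites();
        Intrinsics.checkNotNullExpressionValue(enabledCipherSuites, "getEnabledCipherSuites(...)");
        log2.info("Enabled ciphers: ".concat(ArraysKt___ArraysKt.joinToString$default(enabledCipherSuites, ", ", 62)));
    }

    /**
     * Creates a store bound to {@code context} and loads the persisted user decisions.
     *
     * @param context context used to resolve the key store directory; must not be null
     * @param j user timeout value, stored as {@code userTimeout}
     */
    public CustomCertStore(Context context, long j) {
        Intrinsics.checkNotNullParameter(context, "context");
        this.context = context;
        this.userTimeout = j;
        this.systemKeyStore$delegate = LazyKt__LazyJVMKt.m809lazy((Function0) new Function0<X509TrustManager>() { // from class: at.bitfire.cert4android.CustomCertStore$systemKeyStore$2
            @Override // kotlin.jvm.functions.Function0
            public final X509TrustManager invoke() {
                return Conscrypt.getDefaultX509TrustManager();
            }
        });
        // Mode 0 is Context.MODE_PRIVATE: the directory is only accessible to this app.
        this.userKeyStoreFile = new File(context.getDir(KEYSTORE_DIR, 0), KEYSTORE_NAME);
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        Intrinsics.checkNotNull(keyStore);
        this.userKeyStore = keyStore;
        this.untrustedCerts = new HashSet<>();
        loadUserKeyStore();
    }

    /**
     * Synthetic constructor for Kotlin default arguments: when bit 2 of {@code i} is set,
     * {@code j} is ignored and {@code Dates.MILLIS_PER_MINUTE} is used as the timeout.
     */
    public /* synthetic */ CustomCertStore(Context context, long j, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(context, (i & 2) != 0 ? Dates.MILLIS_PER_MINUTE : j);
    }

    /** Returns the lazily created Conscrypt default trust manager. */
    private final X509TrustManager getSystemKeyStore() {
        return (X509TrustManager) this.systemKeyStore$delegate.getValue();
    }

    /**
     * Loads the persisted user key store, falling back to an empty in-memory store.
     *
     * <p>Opening and parsing share one failure path: a missing, unreadable or corrupt file
     * leaves the store empty, which means no certificate is user-trusted (fail closed).
     * As decompiled, the failure branch fell through into a second {@code load} on an
     * unassigned stream and the stream was not closed when {@code load} threw; the
     * try-with-resources form fixes both.
     */
    private final synchronized void loadUserKeyStore() {
        try (FileInputStream fileInputStream = new FileInputStream(this.userKeyStoreFile)) {
            // Null password: KeyStore.load performs no integrity check on the file contents.
            this.userKeyStore.load(fileInputStream, null);
            Cert4Android.INSTANCE.getLog().fine("Loaded " + this.userKeyStore.size() + " trusted certificate(s)");
        } catch (Exception e) {
            // The cause is attached so that a corrupt or unreadable store can be told apart
            // from the expected first-run case of a file that does not exist yet.
            Cert4Android.INSTANCE.getLog().log(Level.FINE, "No key store for trusted certificates (yet); creating in-memory key store.", (Throwable) e);
            try {
                this.userKeyStore.load(null, null);
            } catch (Exception e2) {
                Cert4Android.INSTANCE.getLog().log(Level.SEVERE, "Couldn't initialize in-memory key store", (Throwable) e2);
            }
        }
    }

    /**
     * Writes the user key store to its file. Failures are logged at SEVERE and otherwise
     * ignored, so the in-memory decisions stay in effect even when they could not be
     * persisted.
     */
    private final synchronized void saveUserKeyStore() {
        // try-with-resources closes the stream on the failure path as well.
        try (FileOutputStream fileOutputStream = new FileOutputStream(this.userKeyStoreFile)) {
            this.userKeyStore.store(fileOutputStream, null);
        } catch (Exception e) {
            Cert4Android.INSTANCE.getLog().log(Level.SEVERE, "Couldn't save custom certificate key store", (Throwable) e);
        }
    }

    /**
     * Forgets every user decision: removes all entries from the user key store, persists
     * the now empty store and clears the in-memory set of rejected certificates.
     */
    public final synchronized void clearUserDecisions() {
        Cert4Android.INSTANCE.getLog().info("Clearing user-(dis)trusted certificates");
        Enumeration<String> aliases = this.userKeyStore.aliases();
        Intrinsics.checkNotNullExpressionValue(aliases, "aliases(...)");
        // The KeyStore API does not specify how an alias enumeration behaves while entries
        // are being removed, so delete from a snapshot of the aliases.
        for (String alias : java.util.Collections.list(aliases)) {
            this.userKeyStore.deleteEntry(alias);
        }
        saveUserKeyStore();
        this.untrustedCerts.clear();
    }

    /** Returns the live, mutable set of rejected certificates (no copy, no locking). */
    public final HashSet<X509Certificate> getUntrustedCerts$cert4android_release() {
        return this.untrustedCerts;
    }

    /** Returns the live user key store (no copy, no locking). */
    public final KeyStore getUserKeyStore$cert4android_release() {
        return this.userKeyStore;
    }

    /**
     * Decides whether a server certificate chain is trusted.
     *
     * <p>Order of evaluation, all under the instance lock:
     * <ol>
     *   <li>leaf accepted by the user earlier: trusted, before any chain validation;</li>
     *   <li>leaf rejected by the user earlier: not trusted;</li>
     *   <li>if {@code z} is true, the system trust manager validates the chain;</li>
     *   <li>if {@code stateFlow} is null (non-interactive mode): not trusted;</li>
     *   <li>otherwise the result of the blocking coroutine
     *       {@code CustomCertStore$isTrusted$2}, whose body is not part of this listing.</li>
     * </ol>
     *
     * @param chain certificate chain, leaf first; must not be null or empty
     * @param authType key exchange algorithm passed on to the system trust manager
     * @param z whether the system trust manager is consulted
     * @param stateFlow state handed to the interactive decision; null disables interaction
     * @return true if the leaf certificate is trusted
     * @throws IllegalArgumentException if {@code chain} is empty
     */
    public final boolean isTrusted(X509Certificate[] chain, String authType, boolean z, StateFlow<Boolean> stateFlow) {
        Intrinsics.checkNotNullParameter(chain, "chain");
        Intrinsics.checkNotNullParameter(authType, "authType");
        if (chain.length == 0) {
            throw new IllegalArgumentException("Certificate chain must not be empty");
        }
        X509Certificate x509Certificate = chain[0];
        synchronized (this) {
            if (isTrustedByUser(x509Certificate)) {
                return true;
            }
            if (this.untrustedCerts.contains(x509Certificate)) {
                return false;
            }
            if (z) {
                try {
                    getSystemKeyStore().checkServerTrusted(chain, authType);
                    return true;
                } catch (CertificateException ignored) {
                    // Deliberately not fatal: a chain the system rejects may still be
                    // accepted by the user further down.
                }
            }
            if (stateFlow == null) {
                Cert4Android.INSTANCE.getLog().log(Level.INFO, "Certificate not known and running in non-interactive mode, rejecting");
                return false;
            }
            // NOTE(review): runBlocking executes while the monitor on this instance is held,
            // so other synchronized methods of this store wait until the coroutine returns.
            return ((Boolean) BuildersKt.runBlocking(EmptyCoroutineContext.INSTANCE, new CustomCertStore$isTrusted$2(this, x509Certificate, stateFlow, null))).booleanValue();
        }
    }

    /**
     * Reports whether {@code cert} has an entry in the user key store.
     *
     * @param cert certificate to look up; must not be null
     * @return true if the key store holds an alias for exactly this certificate
     */
    public final synchronized boolean isTrustedByUser(X509Certificate cert) {
        Intrinsics.checkNotNullParameter(cert, "cert");
        return this.userKeyStore.getCertificateAlias(cert) != null;
    }

    /**
     * Records that the user accepted {@code cert}: adds it to the user key store under the
     * alias from {@code CertUtils.getTag}, persists the store and removes the certificate
     * from the rejected set.
     *
     * @param cert certificate accepted by the user; must not be null
     */
    public final synchronized void setTrustedByUser(X509Certificate cert) {
        Intrinsics.checkNotNullParameter(cert, "cert");
        Cert4Android.INSTANCE.getLog().info("Trusted by user: " + cert);
        this.userKeyStore.setCertificateEntry(CertUtils.INSTANCE.getTag(cert), cert);
        saveUserKeyStore();
        this.untrustedCerts.remove(cert);
    }

    /**
     * Records that the user rejected {@code cert}: deletes its key store entry, persists the
     * store and adds the certificate to the in-memory rejected set. The rejection itself is
     * not written to disk by this class.
     *
     * @param cert certificate rejected by the user; must not be null
     */
    public final synchronized void setUntrustedByUser(X509Certificate cert) {
        Intrinsics.checkNotNullParameter(cert, "cert");
        Cert4Android.INSTANCE.getLog().info("Distrusted by user: " + cert);
        this.userKeyStore.deleteEntry(CertUtils.INSTANCE.getTag(cert));
        saveUserKeyStore();
        this.untrustedCerts.add(cert);
    }

    /** Replaces the set of rejected certificates. Not synchronized. */
    public final void setUntrustedCerts$cert4android_release(HashSet<X509Certificate> hashSet) {
        Intrinsics.checkNotNullParameter(hashSet, "<set-?>");
        this.untrustedCerts = hashSet;
    }
}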
