package at.bitfire.cert4android;

import android.app.PendingIntent;
import android.app.Service;
import android.content.Intent;
import android.util.Log;
import android.widget.Toast;
import androidx.core.app.m;
import at.bitfire.cert4android.ICustomCertService;
import g8.l;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509TrustManager;
import kotlin.Metadata;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.collections.a0;
import kotlin.collections.v;
import kotlin.collections.x;
import kotlin.io.a;
import kotlin.jvm.internal.r;
import kotlin.u;
import org.conscrypt.Conscrypt;

/* compiled from: CustomCertService.kt */
@Metadata(bv = {}, d1 = {"\u0000q\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\b\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010%\n\u0002\u0010!\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\b\u0007*\u0001)\u0018\u0000 .2\u00020\u0001:\u0001.B\u0007¢\u0006\u0004\b,\u0010-J\u0010\u0010\u0005\u001a\u00020\u00042\u0006\u0010\u0003\u001a\u00020\u0002H\u0002J\u0018\u0010\b\u001a\u00020\u00072\u0006\u0010\u0003\u001a\u00020\u00022\u0006\u0010\u0006\u001a\u00020\u0004H\u0002J\b\u0010\t\u001a\u00020\u0007H\u0002J\b\u0010\n\u001a\u00020\u0007H\u0016J\b\u0010\u000b\u001a\u00020\u0007H\u0016J\"\u0010\u0011\u001a\u00020\u000e2\b\u0010\r\u001a\u0004\u0018\u00010\f2\u0006\u0010\u000f\u001a\u00020\u000e2\u0006\u0010\u0010\u001a\u00020\u000eH\u0016J\u0012\u0010\u0013\u001a\u00020\u00122\b\u0010\r\u001a\u0004\u0018\u00010\fH\u0016R\u0016\u0010\u0015\u001a\u00020\u00148\u0002@\u0002X\u0082.¢\u0006\u0006\n\u0004\b\u0015\u0010\u0016R\u001c\u0010\u0019\u001a\n \u0018*\u0004\u0018\u00010\u00170\u00178\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0019\u0010\u001aR\u0014\u0010\u001c\u001a\u00020\u001b8\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u001c\u0010\u001dR\u0018\u0010\u001f\u001a\u0004\u0018\u00010\u001e8\u0002@\u0002X\u0082\u000e¢\u0006\u0006\n\u0004\b\u001f\u0010 R\u001c\u0010\"\u001a\b\u0012\u0004\u0012\u00020\u00020!8\u0002@\u0002X\u0082\u000e¢\u0006\u0006\n\u0004\b\"\u0010#R&\u0010'\u001a\u0014\u0012\u0004\u0012\u00020\u0002\u0012\n\u0012\b\u0012\u0004\u0012\u00020&0%0$8\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b'\u0010(R\u0014\u0010*\u001a\u00020)8\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b*\u0010+¨\u0006/"}, d2 = {"Lat/bitfire/cert4android/CustomCertService;", 
"Landroid/app/Service;", "Ljava/security/cert/X509Certificate;", "cert", "", "inTrustStore", CustomCertService.EXTRA_TRUSTED, "Lkotlin/u;", "onReceiveDecision", "saveKeyStore", "onCreate", "onDestroy", "Landroid/content/Intent;", "intent", "", "flags", "id", "onStartCommand", "Lat/bitfire/cert4android/ICustomCertService$Stub;", "onBind", "Ljava/io/File;", "keyStoreFile", "Ljava/io/File;", "Ljava/security/cert/CertificateFactory;", "kotlin.jvm.PlatformType", "certFactory", "Ljava/security/cert/CertificateFactory;", "Ljava/security/KeyStore;", "trustedKeyStore", "Ljava/security/KeyStore;", "Ljavax/net/ssl/X509TrustManager;", "customTrustManager", "Ljavax/net/ssl/X509TrustManager;", "Ljava/util/HashSet;", "untrustedCerts", "Ljava/util/HashSet;", "", "", "Lat/bitfire/cert4android/IOnCertificateDecision;", "pendingDecisions", "Ljava/util/Map;", "at/bitfire/cert4android/CustomCertService$binder$1", "binder", "Lat/bitfire/cert4android/CustomCertService$binder$1;", "<init>", "()V", "Companion", "cert4android_release"}, k = 1, mv = {1, 7, 1})
/* loaded from: classes.dex */
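/**
 * Service that holds the app's own certificate trust decisions.
 *
 * <p>It is used in two ways: bound (see the {@code binder} with {@code checkTrusted} and
 * {@code abortCheck}) and started with a command intent (see {@link #onStartCommand}).
 * Accepted certificates are stored in {@link #trustedKeyStore} and persisted to
 * {@link #KEYSTORE_NAME} inside the directory returned by {@code getDir(KEYSTORE_DIR, MODE_PRIVATE)}.
 * Rejected certificates are only remembered in memory.
 *
 * <p>NOTE(review): both entry points change what the app trusts, and nothing in this class
 * checks who is calling. The manifest is not visible here; confirm the service is declared
 * non-exported, otherwise any app could add a certificate to the trust store by sending
 * {@link #CMD_CERTIFICATION_DECISION} with {@link #EXTRA_TRUSTED} set.
 *
 * <p>NOTE(review): {@link #pendingDecisions} and {@link #untrustedCerts} are plain collections
 * without locking. Confirm that binder calls and start commands arrive on the same thread.
 */
public final class CustomCertService extends Service {
    /** Intent action: the user (or the notification's dismissal) decided about a certificate. */
    public static final String CMD_CERTIFICATION_DECISION = "certificateDecision";
    /** Intent action: forget all accepted and rejected certificates. */
    public static final String CMD_RESET_CERTIFICATES = "resetCertificates";
    /** Intent extra (byte[]): the encoded certificate the command refers to. */
    public static final String EXTRA_CERTIFICATE = "certificate";
    /** Intent extra (boolean): whether the certificate was accepted; read with default {@code false}. */
    public static final String EXTRA_TRUSTED = "trusted";
    public static final String KEYSTORE_DIR = "KeyStore";
    public static final String KEYSTORE_NAME = "KeyStore.bks";
    private final CustomCertService$binder$1 binder;
    private final CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
    // Assigned in onCreate(); not read anywhere in this class.
    private X509TrustManager customTrustManager;
    // Assigned in onCreate(); the Kotlin source declares it lateinit, hence the r.x(...) checks.
    private File keyStoreFile;
    // Certificates waiting for a user decision, with every callback to notify once it arrives.
    private final Map<X509Certificate, List<IOnCertificateDecision>> pendingDecisions;
    private final KeyStore trustedKeyStore;
    // Rejections live only as long as this service instance.
    private HashSet<X509Certificate> untrustedCerts;

    static {
        // Position 1 is the most-preferred provider slot, so this affects the whole process.
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        Conscrypt.Version version = Conscrypt.version();
        Log.i("cert4android", "Using Conscrypt/" + version.major() + '.' + version.minor() + '.' + version.patch() + " for TLS");

        // Record the effective TLS configuration once, which helps when auditing a device log.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        String[] enabledProtocols = engine.getEnabledProtocols();
        r.e(enabledProtocols, "engine.enabledProtocols");
        String protocols = ArraysKt___ArraysKt.J(enabledProtocols, ", ", null, null, 0, null, null, 62, null);
        Log.i("cert4android", "Enabled protocols: " + protocols);

        String[] enabledCipherSuites = engine.getEnabledCipherSuites();
        r.e(enabledCipherSuites, "engine.enabledCipherSuites");
        String cipherSuites = ArraysKt___ArraysKt.J(enabledCipherSuites, ", ", null, null, 0, null, null, 62, null);
        Log.i("cert4android", "Enabled ciphers: " + cipherSuites);
    }

    /**
     * Creates the (still unloaded) key store, the empty decision caches and the binder.
     * The key store content is loaded later, in {@link #onCreate()}.
     */
    /* JADX WARN: Type inference failed for: r0v6, types: [at.bitfire.cert4android.CustomCertService$binder$1] */
    public CustomCertService() {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        r.c(keyStore);
        this.trustedKeyStore = keyStore;
        this.untrustedCerts = new HashSet<>();
        this.pendingDecisions = new LinkedHashMap();
        this.binder = new ICustomCertService.Stub() { // from class: at.bitfire.cert4android.CustomCertService$binder$1
            /**
             * Withdraws {@code callback} from every pending decision and drops decisions that
             * no longer have anyone waiting.
             *
             * <p>Removal goes through the iterators: taking an entry out of the map directly
             * while walking its entry set makes the next iteration step fail with
             * ConcurrentModificationException.
             *
             * <p>NOTE(review): callbacks are matched with {@code r.a} (presumably Kotlin's
             * areEqual, i.e. {@code equals}); confirm this matches for callers in another
             * process, where comparing the underlying binder may be required.
             */
            @Override // at.bitfire.cert4android.ICustomCertService
            public void abortCheck(final IOnCertificateDecision callback) {
                r.f(callback, "callback");
                Iterator<Map.Entry<X509Certificate, List<IOnCertificateDecision>>> entries =
                        CustomCertService.this.pendingDecisions.entrySet().iterator();
                while (entries.hasNext()) {
                    List<IOnCertificateDecision> waiting = entries.next().getValue();
                    Iterator<IOnCertificateDecision> listeners = waiting.iterator();
                    while (listeners.hasNext()) {
                        if (r.a(listeners.next(), callback)) {
                            listeners.remove();
                        }
                    }
                    if (waiting.isEmpty()) {
                        entries.remove();
                    }
                }
            }

            /**
             * Answers whether the encoded certificate is trusted, asking the user if needed.
             *
             * <p>Order of checks: unparsable input is rejected; a certificate that already has
             * a pending decision just queues the callback; then the in-memory rejection cache,
             * then the persistent trust store; finally the user is asked, but only in
             * interactive mode.
             *
             * @param raw encoded certificate, parsed with the X.509 certificate factory
             * @param z10 interactive mode; when false an unknown certificate is rejected at once
             * @param z11 when true the decision activity is started immediately in addition to
             *            the notification (presumably "caller is in the foreground")
             * @param callback receives {@code accept()} or {@code reject()}
             */
            @Override // at.bitfire.cert4android.ICustomCertService
            public void checkTrusted(byte[] raw, boolean z10, boolean z11, IOnCertificateDecision callback) {
                r.f(raw, "raw");
                r.f(callback, "callback");
                final boolean interactive = z10;
                final boolean launchActivityNow = z11;

                X509Certificate cert = null;
                try {
                    Certificate parsed = CustomCertService.this.certFactory.generateCertificate(new ByteArrayInputStream(raw));
                    if (parsed instanceof X509Certificate) {
                        cert = (X509Certificate) parsed;
                    }
                } catch (Exception e10) {
                    Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't handle certificate", (Throwable) e10);
                }
                if (cert == null) {
                    // Fail closed: anything that is not a parsable X.509 certificate is rejected.
                    callback.reject();
                    return;
                }

                List<IOnCertificateDecision> waiting = CustomCertService.this.pendingDecisions.get(cert);
                if (waiting != null) {
                    // The user is already being asked about this certificate; share the answer.
                    waiting.add(callback);
                    return;
                }
                if (CustomCertService.this.untrustedCerts.contains(cert)) {
                    Constants.INSTANCE.getLog().fine("Certificate is cached as untrusted, rejecting");
                    callback.reject();
                    return;
                }
                if (CustomCertService.this.inTrustStore(cert)) {
                    Constants.INSTANCE.getLog().fine("Certificate is cached as trusted, accepting");
                    callback.accept();
                    return;
                }
                if (!interactive) {
                    Constants.INSTANCE.getLog().fine("Certificate not known and running in non-interactive mode, rejecting");
                    callback.reject();
                    return;
                }

                Constants.INSTANCE.getLog().fine("Certificate not known and running in interactive mode, asking user");
                List<IOnCertificateDecision> listeners = v.p(callback);
                CustomCertService.this.pendingDecisions.put(cert, listeners);

                // Opens the decision UI for this certificate.
                Intent decisionIntent = new Intent(CustomCertService.this, (Class<?>) TrustCertificateActivity.class);
                decisionIntent.putExtra(EXTRA_CERTIFICATE, raw);

                // Sent back to this service; "trusted" is pinned to false, so it can only reject.
                Intent rejectIntent = new Intent(CustomCertService.this, (Class<?>) CustomCertService.class);
                rejectIntent.setAction(CustomCertService.CMD_CERTIFICATION_DECISION);
                rejectIntent.putExtra(EXTRA_CERTIFICATE, raw);
                rejectIntent.putExtra(CustomCertService.EXTRA_TRUSTED, false);

                // NOTE(review): the request code is a 32-bit hash of the encoding and is not
                // collision-resistant; two pending certificates with the same value would share
                // one PendingIntent and FLAG_UPDATE_CURRENT would replace the earlier extras.
                int requestCode = Arrays.hashCode(raw);

                // FLAG_IMMUTABLE: nobody who gets hold of these PendingIntents (they are handed
                // to the notification system) may alter the wrapped intents, and Android 12+
                // refuses PendingIntents without an explicit mutability flag.
                final int pendingFlags = PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE;

                // Obfuscated notification builder: .e(...) receives the activity PendingIntent and
                // .h(...) the service one (presumably content intent and delete intent).
                // The subject DN shown to the user comes from the certificate itself.
                NotificationUtils.INSTANCE.createChannels(CustomCertService.this).e(
                        CertUtils.INSTANCE.getTag(cert),
                        Constants.NOTIFICATION_CERT_DECISION,
                        new m.c(CustomCertService.this, "cert4android")
                                .i(R.drawable.ic_lock_open_white)
                                .g(CustomCertService.this.getString(R.string.certificate_notification_connection_security))
                                .f(CustomCertService.this.getString(R.string.certificate_notification_user_interaction))
                                .j(cert.getSubjectDN().getName())
                                .d("service")
                                .e(PendingIntent.getActivity(CustomCertService.this, requestCode, decisionIntent, pendingFlags))
                                .h(PendingIntent.getService(CustomCertService.this, requestCode, rejectIntent, pendingFlags))
                                .a());

                if (launchActivityNow) {
                    // Starting an activity from a service context needs a new task.
                    decisionIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
                    CustomCertService.this.startActivity(decisionIntent);
                }
            }
        };
    }

    /**
     * Tells whether {@code cert} has an entry in the custom trust store.
     *
     * @return {@code false} also when the key store cannot be queried (fail closed)
     */
    /* JADX INFO: Access modifiers changed from: private */
    public final boolean inTrustStore(X509Certificate cert) {
        try {
            return this.trustedKeyStore.getCertificateAlias(cert) != null;
        } catch (KeyStoreException e10) {
            Constants.INSTANCE.getLog().log(Level.WARNING, "Couldn't query custom key store", (Throwable) e10);
            return false;
        }
    }

    /**
     * Applies a trust decision: cancels the notification, records the decision and informs
     * every callback waiting for this certificate.
     *
     * <p>The decision is recorded even when no check is pending for the certificate.
     *
     * @param x509Certificate certificate the decision is about
     * @param z10 {@code true} to trust (persisted), {@code false} to reject (memory only)
     */
    private final void onReceiveDecision(X509Certificate x509Certificate, boolean z10) {
        final boolean trusted = z10;
        NotificationUtils.INSTANCE.createChannels(this).b(CertUtils.INSTANCE.getTag(x509Certificate), Constants.NOTIFICATION_CERT_DECISION);
        if (trusted) {
            this.untrustedCerts.remove(x509Certificate);
            try {
                // The alias is the subject DN, so accepting another certificate with the same
                // subject replaces the earlier entry.
                this.trustedKeyStore.setCertificateEntry(x509Certificate.getSubjectDN().getName(), x509Certificate);
                saveKeyStore();
            } catch (KeyStoreException e10) {
                Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't add certificate into key store", (Throwable) e10);
            }
        } else {
            this.untrustedCerts.add(x509Certificate);
            Toast.makeText(this, R.string.service_rejected_temporarily, Toast.LENGTH_LONG).show();
        }

        // Take the entry out before notifying: if it stayed behind after a failing callback,
        // every later checkTrusted() for this certificate would queue up and never be answered.
        List<IOnCertificateDecision> listeners = this.pendingDecisions.remove(x509Certificate);
        if (listeners != null) {
            Constants.INSTANCE.getLog().fine("Notifying " + listeners.size() + " certificate decision listener(s)");
            for (IOnCertificateDecision listener : listeners) {
                try {
                    if (trusted) {
                        listener.accept();
                    } else {
                        listener.reject();
                    }
                } catch (Exception e10) {
                    // One unreachable listener must not keep the others from getting the answer.
                    Constants.INSTANCE.getLog().log(Level.WARNING, "Couldn't notify certificate decision listener", (Throwable) e10);
                }
            }
        }
    }

    /**
     * Writes the trust store to {@link #keyStoreFile}. Failures are logged, not thrown.
     *
     * <p>The store is written with a {@code null} password, so no password protects the file;
     * it relies on the app-private directory it lives in. The file is overwritten in place; an
     * interrupted write leaves a file that {@link #onCreate()} treats like a missing one.
     */
    private final void saveKeyStore() {
        Logger log = Constants.INSTANCE.getLog();
        File file = this.keyStoreFile;
        if (file == null) {
            r.x("keyStoreFile");
        }
        log.fine("Saving custom certificate key store to " + file);
        // try-with-resources closes the stream on the failure path as well.
        try (FileOutputStream out = new FileOutputStream(file)) {
            this.trustedKeyStore.store(out, null);
        } catch (Exception e10) {
            Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't save custom certificate key store", (Throwable) e10);
        }
    }

    /** Returns the binder created in the constructor; {@code intent} is not inspected. */
    @Override // android.app.Service
    public ICustomCertService.Stub onBind(Intent intent) {
        return this.binder;
    }

    /**
     * Loads the persisted trust store, or starts with an empty in-memory one.
     *
     * <p>Any failure to read the file (missing, unreadable or damaged) ends in an empty store,
     * so a broken file results in fewer trusted certificates, never more. With a {@code null}
     * password the key store performs no integrity check on the loaded data.
     */
    @Override // android.app.Service
    public void onCreate() {
        Constants.INSTANCE.getLog().info("CustomCertService created");
        this.keyStoreFile = new File(getDir(KEYSTORE_DIR, MODE_PRIVATE), KEYSTORE_NAME);
        File file = this.keyStoreFile;
        // try-with-resources closes the stream on the failure path as well.
        try (FileInputStream in = new FileInputStream(file)) {
            this.trustedKeyStore.load(in, null);
        } catch (Exception e10) {
            Constants.INSTANCE.getLog().log(Level.INFO, "No persistent key store (yet), creating in-memory key store. This is not an error!", (Throwable) e10);
            try {
                this.trustedKeyStore.load(null, null);
            } catch (Exception e11) {
                Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't initialize in-memory key store", (Throwable) e11);
            }
        }
        this.customTrustManager = CertUtils.INSTANCE.getTrustManager(this.trustedKeyStore);
    }

    @Override // android.app.Service
    public void onDestroy() {
        Constants.INSTANCE.getLog().info("CustomCertService destroyed");
    }

    /**
     * Handles {@link #CMD_CERTIFICATION_DECISION} and {@link #CMD_RESET_CERTIFICATES}; any
     * other or missing action is ignored. The service stops itself after every command.
     *
     * <p>NOTE(review): a decision is applied to whatever certificate the intent carries, even
     * if no check is pending for it, and the sender is not verified. Trust-store integrity
     * therefore depends on only this app being able to start the service.
     *
     * @return {@code START_NOT_STICKY}
     */
    @Override // android.app.Service
    public int onStartCommand(Intent intent, int flags, int id) {
        Constants.INSTANCE.getLog().fine("Received command: " + intent);
        String action = intent != null ? intent.getAction() : null;
        if (CMD_CERTIFICATION_DECISION.equals(action)) {
            try {
                // A missing extra or a non-X.509 certificate ends in the catch block below.
                Certificate parsed = this.certFactory.generateCertificate(new ByteArrayInputStream(intent.getByteArrayExtra(EXTRA_CERTIFICATE)));
                r.d(parsed, "null cannot be cast to non-null type java.security.cert.X509Certificate");
                onReceiveDecision((X509Certificate) parsed, intent.getBooleanExtra(EXTRA_TRUSTED, false));
            } catch (Exception e10) {
                Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't process certificate", (Throwable) e10);
            }
        } else if (CMD_RESET_CERTIFICATES.equals(action)) {
            this.untrustedCerts.clear();
            try {
                Enumeration<String> aliases = this.trustedKeyStore.aliases();
                r.e(aliases, "trustedKeyStore.aliases()");
                // Snapshot the aliases first so entries are not deleted from the store while
                // its own enumeration is still being walked.
                for (String alias : java.util.Collections.list(aliases)) {
                    this.trustedKeyStore.deleteEntry(alias);
                }
                saveKeyStore();
            } catch (KeyStoreException e11) {
                Constants.INSTANCE.getLog().log(Level.SEVERE, "Couldn't reset custom certificates", (Throwable) e11);
            }
        }
        stopSelf();
        return START_NOT_STICKY;
    }
}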
