package com.tencent.weishi.base.network.transfer;

import com.tencent.router.core.Router;
import com.tencent.weishi.base.config.ConfigConst;
import com.tencent.weishi.lib.logger.Logger;
import com.tencent.weishi.service.ConfigService;
import com.tencent.weishi.service.ToggleService;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes11.dex */
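/**
 * Builds the {@link HostnameVerifier} and {@link X509TrustManager} used for the app's pinned
 * HTTP channel.
 *
 * <p>Trust is decided by comparing the hex-encoded signature value of each presented certificate
 * against a built-in primary pin and a secondary pin read from {@link ConfigService}. Both the
 * hostname check and the certificate check can be switched off through {@link ToggleService}.
 *
 * <p>NOTE(review): the pin is the certificate's signature value ({@code getSignature()}). Nothing
 * in this class verifies that signature against an issuer key or runs certificate path validation,
 * so a match does not by itself bind the peer's public key. The usual approach is to pin a hash of
 * the SubjectPublicKeyInfo on top of the platform's default path validation. Switching would need
 * new pin values, so it is flagged here rather than changed.
 */
public class CertificateManager {
    private static final String DEFAULT_SECONDARY_CERT_SIGNATURE = "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";
    private static final String KEY_HTTP_CHANNEL_VERIFY_HOSTNAME = "http_channel_verify_hostname";
    private static final String KEY_HTTP_CHANNEL_VERIFY_SERVER_CERT = "http_channel_verify_server_cert";
    public static final String PRIMARY_CERT_SIGNATURE = "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";
    private static final String TAG = "CertificateManager";

    /** The only hostname accepted by {@link #newHostnameVerifier()} while the toggle is on. */
    private static final String PINNED_HOSTNAME = "report.weishi.qq.com";

    /** Lower-case hex alphabet used by {@link #bin2hex(byte[])}. */
    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * Compiler-generated accessor for {@link #getSecondaryCertSignature()}; kept because it is
     * part of the class's visible surface.
     */
    public static /* synthetic */ String access$100() {
        return getSecondaryCertSignature();
    }

    /**
     * Encodes a byte array as lower-case hexadecimal, two characters per byte.
     *
     * @param bArr bytes to encode; must not be {@code null}
     * @return the hex string, empty for an empty array
     */
    private static String bin2hex(byte[] bArr) {
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            int unsigned = b & 255;
            sb.append(HEX_DIGITS[unsigned >>> 4]).append(HEX_DIGITS[unsigned & 15]);
        }
        return sb.toString();
    }

    /**
     * Compares the hex-encoded signature value of a certificate with an expected pin.
     *
     * <p>The compared values are logged; both are public certificate data, not secrets.
     *
     * @param x509Certificate certificate presented by the peer; must not be {@code null}
     * @param str expected hex signature; {@code null} never matches
     * @return {@code true} when the certificate's signature value equals {@code str}
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static boolean checkCertSignature(X509Certificate x509Certificate, String str) {
        String bin2hex = bin2hex(x509Certificate.getSignature());
        Logger.i(TAG, "checkCertificate，signature = " + bin2hex + "，localSignature = " + str);
        return bin2hex.equals(str);
    }

    /**
     * Reads the secondary pin from the "WeishiAppConfig" configuration group, falling back to the
     * built-in default.
     *
     * <p>NOTE(review): this pin is supplied through ConfigService, so whoever can change that
     * configuration can change what the client trusts. Confirm how the config is delivered and
     * authenticated.
     */
    private static String getSecondaryCertSignature() {
        return ((ConfigService) Router.getService(ConfigService.class)).getString("WeishiAppConfig", ConfigConst.WeiShiAppConfig.SECONDARY_HTTP_CHANNEL_CERT_SIGNATURE, DEFAULT_SECONDARY_CERT_SIGNATURE);
    }

    /**
     * Creates a verifier that accepts only the pinned report hostname.
     *
     * <p>The check compares the requested hostname with a constant; it does not inspect the
     * certificate in the {@link SSLSession}.
     *
     * <p>NOTE(review): when the {@code http_channel_verify_hostname} toggle is off, every hostname
     * is accepted. The only trace is an info-level log line, which is worth alerting on.
     *
     * @return a new hostname verifier
     */
    public static HostnameVerifier newHostnameVerifier() {
        return new HostnameVerifier() { // from class: com.tencent.weishi.base.network.transfer.CertificateManager.2
            @Override // javax.net.ssl.HostnameVerifier
            public boolean verify(String str, SSLSession sSLSession) {
                if (((ToggleService) Router.getService(ToggleService.class)).isEnable(CertificateManager.KEY_HTTP_CHANNEL_VERIFY_HOSTNAME, true)) {
                    // Constant first, so a null hostname is rejected instead of raising an NPE
                    // inside the handshake.
                    return PINNED_HOSTNAME.equals(str);
                }
                Logger.i(CertificateManager.TAG, "verify hostname Toggle false");
                return true;
            }
        };
    }

    /**
     * Creates the trust manager that enforces the signature pins on server certificates.
     *
     * @return a single-element array holding the pinning trust manager
     */
    public static X509TrustManager[] newTrustManagers() {
        return new X509TrustManager[]{new X509TrustManager() { // from class: com.tencent.weishi.base.network.transfer.CertificateManager.1
            /**
             * Accepts every client chain without inspection.
             *
             * <p>NOTE(review): presumably this manager is only installed on outbound client
             * connections, where this method is not consulted. Confirm that it is never used on a
             * server-side socket.
             */
            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
            }

            /**
             * Accepts the chain when any certificate in it is within its validity period and its
             * signature value matches the primary or secondary pin.
             *
             * <p>NOTE(review): when the {@code http_channel_verify_server_cert} toggle is off, the
             * chain is accepted without any check.
             *
             * @throws CertificateException if the chain is null or empty, a certificate is outside
             *     its validity period, or no certificate matches a pin
             */
            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                if (!((ToggleService) Router.getService(ToggleService.class)).isEnable(CertificateManager.KEY_HTTP_CHANNEL_VERIFY_SERVER_CERT, true)) {
                    Logger.i(CertificateManager.TAG, "checkServerTrusted Toggle false");
                    return;
                }
                // Fail closed: a missing or empty chain used to fall through and be trusted.
                // CertificateException keeps the failure on the declared checked path.
                if (x509CertificateArr == null || x509CertificateArr.length == 0) {
                    Logger.i(CertificateManager.TAG, "checkServerTrusted empty certificate chain，throw CertificateException");
                    throw new CertificateException("checkServerTrusted empty certificate chain");
                }
                // Read the secondary pin once per handshake, and only when verification is on.
                String secondarySignature = getSecondaryCertSignature();
                for (X509Certificate x509Certificate : x509CertificateArr) {
                    // Throws if this certificate is expired or not yet valid.
                    x509Certificate.checkValidity();
                    if (CertificateManager.checkCertSignature(x509Certificate, CertificateManager.PRIMARY_CERT_SIGNATURE) || CertificateManager.checkCertSignature(x509Certificate, secondarySignature)) {
                        return;
                    }
                }
                Logger.i(CertificateManager.TAG, "checkServerTrusted verify primary and secondary cert failure，throw CertificateException");
                throw new CertificateException("checkServerTrusted handshake not match server cert");
            }

            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        }};
    }
}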
