package com.microsoft.mmx.agents.ypp.authclient.trust;

import android.net.Uri;
import androidx.annotation.NonNull;
import com.microsoft.appmanager.telemetry.TraceContext;
import com.microsoft.mmx.agents.ypp.authclient.crypto.AndroidCAStore;
import com.microsoft.mmx.agents.ypp.authclient.crypto.CryptoException;
import com.microsoft.mmx.agents.ypp.authclient.telemetry.CryptoTrustCertChainManagerTelemetry;
import com.microsoft.mmx.agents.ypp.configuration.PlatformConfiguration;
import com.microsoft.mmx.agents.ypp.services.YppSharedBaseUrl;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import javax.inject.Inject;

/* loaded from: classes3.dex */
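/**
 * Validates a {@link CryptoTrustCertChain} against the injected Android CA key store using
 * PKIX path validation with an OCSP revocation check on the leaf certificate.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Trust anchors come only from the injected {@code @AndroidCAStore} key store.</li>
 *   <li>Revocation is checked for the end-entity certificate only
 *       ({@code ONLY_END_ENTITY}); intermediates are not checked for revocation here.</li>
 *   <li>{@code NO_FALLBACK} disables the fallback revocation mechanism, and {@code SOFT_FAIL}
 *       is not set, so a revocation status that cannot be determined fails validation.</li>
 *   <li>The OCSP responder URI is overridden with a URI built from the injected base URL and
 *       the configured OCSP endpoint. No {@code setOcspResponderCert} call is made, so the
 *       platform's default rules for accepting the OCSP response signer apply.</li>
 * </ul>
 *
 * <p>Callers should treat {@link CertValidityStatus#VALID} as the only result that
 * establishes trust.
 */
public class CertChainValidator {
    /** Query parameter that carries the leaf certificate's issuer DN to the OCSP endpoint. */
    private static final String ISSUER_DN = "IssuerDN";
    private final KeyStore androidCAStore;
    private final PlatformConfiguration configuration;
    private final CryptoTrustCertChainManagerTelemetry telemetry;
    private final String yppBaseUrl;

    /**
     * @param str base URL (qualified {@code @YppSharedBaseUrl}) to which the OCSP endpoint path is appended
     * @param keyStore key store (qualified {@code @AndroidCAStore}) supplying the PKIX trust anchors
     * @param cryptoTrustCertChainManagerTelemetry sink for validation and URI-construction failures
     * @param platformConfiguration source of the OCSP service endpoint path
     */
    @Inject
    public CertChainValidator(@NonNull @YppSharedBaseUrl String str, @NonNull @AndroidCAStore KeyStore keyStore, @NonNull CryptoTrustCertChainManagerTelemetry cryptoTrustCertChainManagerTelemetry, @NonNull PlatformConfiguration platformConfiguration) {
        this.yppBaseUrl = str;
        this.androidCAStore = keyStore;
        this.telemetry = cryptoTrustCertChainManagerTelemetry;
        this.configuration = platformConfiguration;
    }

    /**
     * Builds the OCSP responder URI: base URL + configured OCSP endpoint, with the leaf
     * certificate's issuer DN appended as the {@code IssuerDN} query parameter.
     *
     * @throws CryptoException if the URI cannot be built; the failure is reported to telemetry first
     */
    private URI getOCSPResponderUri(@NonNull X509Certificate x509Certificate, @NonNull TraceContext traceContext) {
        try {
            // The issuer DN is read from a certificate that has not been validated yet, so it is
            // untrusted input. Uri.Builder#appendQueryParameter encodes the value, which keeps
            // it from adding or altering other query parameters.
            // NOTE(review): getIssuerDN() has an implementation-specific name format;
            // getIssuerX500Principal() is the portable accessor, but switching would change
            // the string sent to the service, so confirm with the server side first.
            String issuerDn = x509Certificate.getIssuerDN().getName();
            Uri responder = Uri.parse(this.yppBaseUrl + this.configuration.getOCSPServiceEndpoint())
                    .buildUpon()
                    .appendQueryParameter(ISSUER_DN, issuerDn)
                    .build();
            return new URI(responder.toString());
        } catch (UnsupportedOperationException | URISyntaxException e) {
            this.telemetry.createOCSPUriException(e, traceContext);
            throw new CryptoException(e);
        }
    }

    /**
     * Maps a PKIX validation failure reason onto a {@link CertValidityStatus}.
     *
     * <p>Only REVOKED, EXPIRED and INVALID_SIGNATURE are mapped individually. Every other
     * reason, including a {@code null} reason, is reported as
     * {@code UNDETERMINED_REVOCATION_STATUS}, so that status covers more than an unreachable
     * or unresponsive OCSP responder; the exception sent to telemetry carries the actual reason.
     */
    private CertValidityStatus mapCertPathValidatorReason(@NonNull CertPathValidatorException.Reason reason) {
        if (CertPathValidatorException.BasicReason.REVOKED.equals(reason)) {
            return CertValidityStatus.REVOKED;
        }
        if (CertPathValidatorException.BasicReason.EXPIRED.equals(reason)) {
            return CertValidityStatus.EXPIRED;
        }
        if (CertPathValidatorException.BasicReason.INVALID_SIGNATURE.equals(reason)) {
            return CertValidityStatus.INVALID_SIGNATURE;
        }
        return CertValidityStatus.UNDETERMINED_REVOCATION_STATUS;
    }

    /**
     * Runs PKIX validation of the chain, including an OCSP revocation check of the leaf
     * certificate against the service's responder.
     *
     * @param cryptoTrustCertChain chain to validate; its leaf certificate selects the OCSP issuer DN
     * @param traceContext trace context attached to telemetry events
     * @return {@code VALID} when validation succeeds; otherwise the mapped failure status.
     *     Set-up failures (key store, algorithm, parameter or certificate parsing errors) are
     *     reported as {@code UNDETERMINED_REVOCATION_STATUS}.
     */
    public CertValidityStatus requestCertValidityStatus(@NonNull CryptoTrustCertChain cryptoTrustCertChain, @NonNull TraceContext traceContext) {
        // NOTE(review): a CryptoException raised by getOCSPResponderUri is not among the types
        // handled below and appears to propagate to the caller - confirm callers expect that.
        // NOTE(review): behaviour for an empty chain depends on getLeafCert() and on the
        // provider's handling of an empty CertPath; confirm callers never pass one.
        try {
            PKIXParameters pkixParameters = new PKIXParameters(this.androidCAStore);
            CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker revocationChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
            // No SOFT_FAIL: if the revocation status cannot be obtained, validation fails.
            revocationChecker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK, PKIXRevocationChecker.Option.ONLY_END_ENTITY));
            revocationChecker.setOcspResponder(getOCSPResponderUri(cryptoTrustCertChain.getLeafCert(), traceContext));
            pkixParameters.addCertPathChecker(revocationChecker);
            certPathValidator.validate(CertificateFactory.getInstance("X.509").generateCertPath(cryptoTrustCertChain.getCertChain()), pkixParameters);
            return CertValidityStatus.VALID;
        } catch (CertPathValidatorException e) {
            this.telemetry.certPathValidationExceptionWithReason(e, traceContext);
            return mapCertPathValidatorReason(e.getReason());
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            // The decompiled original assigned each of these to an undeclared shared variable
            // ("e = e2;") and then ran identical handling; a multi-catch states that directly.
            this.telemetry.certPathValidationException(e, traceContext);
            return CertValidityStatus.UNDETERMINED_REVOCATION_STATUS;
        }
    }
}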
