package com.xunmeng.basiccomponent.superlink.internal;

import android.text.TextUtils;
import com.xunmeng.core.config.Configuration;
import com.xunmeng.core.log.Logger;
import com.xunmeng.pinduoduo.apm.crash.data.ExceptionBean;
import com.xunmeng.pinduoduo.basekit.util.JSONFormatUtils;
import com.xunmeng.pinduoduo.basekit.util.TimeStamp;
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/* compiled from: Pdd */
/* loaded from: classes2.dex */
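/**
 * Builds and caches the {@link SSLContext} that carries the client certificate (BKS keystore)
 * delivered through the remote configuration key {@code super_link.cert_info}.
 *
 * <p>This file is decompiler output. The exception-handling control flow of
 * {@code checkCertValidity} and {@code isDowngradeHttpInternal} was not compilable as emitted
 * (self-assignments, missing return paths) and has been reconstructed from the visible handlers.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The configuration value contains the keystore password and the Base64 keystore itself,
 *       so it must never be written to logs in clear text.</li>
 *   <li>{@code SSLContext.init} is called with {@code null} trust managers, so server certificates
 *       are validated by the platform defaults; no pinning is applied in this class.</li>
 *   <li>The "downgrade" flag is persisted and nothing in this class clears it, so one recorded
 *       crash mentioning this class disables the client-certificate context for good.</li>
 *   <li>The static state is neither {@code volatile} nor synchronized; concurrent first calls may
 *       build the context more than once.</li>
 * </ul>
 */
public class CertificateUtils {
    private static final String CERT_INFO_CONFIG_KEY = "super_link.cert_info";
    private static final String DEFAULT_CERT_INFO_CONFIG = "";
    private static final String KEY_IS_DOWNGRADE_HTTP = "is_downgrade_http";
    private static final String TAG = "SuperLink.CertificateUtils";
    // Cached context; written once after a successful build and reused afterwards.
    private static SSLContext context;
    private static final String MODULE_CERT_UTILS = "module_cert_utils";
    // Persistent key/value store holding the downgrade flag (MMKV-backed, judging by the type name).
    private static final com.xunmeng.pinduoduo.mmkv.a module = com.xunmeng.pinduoduo.ag.a.a(MODULE_CERT_UTILS, "Network");
    // Memoization guard for isDowngradeHttp(): the decision is computed once per process.
    private static boolean isReady = false;
    private static boolean isDownGradeHttp = false;

    /**
     * Checks the validity period of every X.509 certificate in the keystore against the
     * timestamp returned by {@code TimeStamp.getRealLocalTimeV2()}.
     *
     * @param keyStore  loaded keystore whose aliases are enumerated
     * @param certHost  host the certificate belongs to; only forwarded to the reporter
     * @param storeType keystore type label used as a prefix in reported messages
     * @return {@code false} when a certificate is expired or not yet valid; {@code true} when all
     *     certificates pass <em>or when any other error occurs</em> (the check fails open)
     */
    private static boolean checkCertValidity(KeyStore keyStore, String certHost, String storeType) {
        // Alias under inspection; stays at the previous alias if nextElement() itself throws.
        String alias = "";
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                alias = aliases.nextElement();
                Certificate certificate = keyStore.getCertificate(alias);
                if (certificate instanceof X509Certificate) {
                    ((X509Certificate) certificate).checkValidity(new Date(TimeStamp.getRealLocalTimeV2()));
                }
            }
            return true;
        } catch (CertificateExpiredException expired) {
            Logger.logE("cert:%s is expired", alias, "0");
            // a.a(...) presumably reports the event to telemetry; confirm against class `a`.
            a.a(6001, storeType + ":cert is expired", alias, certHost);
            return false;
        } catch (CertificateNotYetValidException notYetValid) {
            Logger.logE("cert:%s is not yet valid", alias, "0");
            a.a(6002, storeType + ":cert is not yet valid", alias, certHost);
            return false;
        } catch (Throwable th) {
            // NOTE(review): fail-open. An unexpected error (e.g. from aliases()/getCertificate())
            // is reported but the keystore is still accepted, as in the original handlers.
            Logger.logE("", "\u0005\u0007DG\u0005\u0007%s", "0", th.toString());
            a.a(6003, storeType + ":" + th.toString(), alias, certHost);
            return true;
        }
    }

    /**
     * Returns the memoized downgrade decision, computing it on first use.
     *
     * @return {@code true} when the client-certificate context must not be used
     */
    private static boolean isDowngradeHttp() {
        if (!isReady) {
            isDownGradeHttp = isDowngradeHttpInternal();
            isReady = true;
        }
        return isDownGradeHttp;
    }

    /**
     * Decides whether the client-certificate context is disabled.
     *
     * <p>The decision is {@code true} when the persisted flag is already set, or when the crash
     * record returned by the APM component mentions {@code "CertificateUtils"}; in the latter case
     * the flag is persisted so later launches short-circuit on it.
     *
     * @return {@code true} to disable the context; {@code false} otherwise, including when the
     *     lookup itself throws
     */
    private static boolean isDowngradeHttpInternal() {
        try {
            com.xunmeng.pinduoduo.mmkv.a store = module;
            if (store.getBoolean(KEY_IS_DOWNGRADE_HTTP, false)) {
                return true;
            }
            // Presumably the most recent recorded crash; verify against the APM API.
            ExceptionBean lastCrash = com.xunmeng.pinduoduo.apm.crash.core.a.l().M();
            if (lastCrash != null && lastCrash.getCrashStacks().contains("CertificateUtils")) {
                a.b(6004, "https is banned, downgrade http", "");
                // NOTE(review): sticky. Nothing in this class ever writes the flag back to false,
                // so a single matching crash keeps the downgrade in force across launches.
                store.putBoolean(KEY_IS_DOWNGRADE_HTTP, true).apply();
                return true;
            }
        } catch (Throwable th) {
            Logger.logE(TAG, "isDowngradeHttp throw :" + th.toString(), "0");
        }
        return false;
    }

    /**
     * Returns the cached client-certificate {@link SSLContext}, building it from the remote
     * configuration on first use.
     *
     * @return the context, or {@code null} when the downgrade flag is set, the configuration is
     *     empty or unparsable, a certificate is outside its validity period, or any error occurs
     *     while loading the keystore. What callers do with {@code null} is not visible here; the
     *     naming suggests a fallback to plain HTTP, which would deserve its own review.
     */
    public static SSLContext makeSSLContextWithP12CertificateFromConfig() {
        if (isDowngradeHttp()) {
            Logger.logI("", "\u0005\u0007CN", "0");
            return null;
        }
        SSLContext cached = context;
        if (cached != null) {
            return cached;
        }
        String configuration = Configuration.getInstance().getConfiguration(CERT_INFO_CONFIG_KEY, DEFAULT_CERT_INFO_CONFIG);
        // The raw value embeds the keystore password and the Base64 keystore (see getPassword()
        // and getBase64BKSCert() below), so only its size is logged, never its content.
        Logger.logI("", "\u0005\u0007D3\u0005\u0007%s", "0",
                "<redacted, length=" + (configuration == null ? 0 : configuration.length()) + ">");
        if (TextUtils.isEmpty(configuration)) {
            return null;
        }
        CertificateInfo certificateInfo = (CertificateInfo) JSONFormatUtils.fromJson(configuration, CertificateInfo.class);
        if (certificateInfo == null) {
            Logger.logE("", "\u0005\u0007De", "0");
            return null;
        }
        String certHost = certificateInfo.getCertHost();
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore keyStore = KeyStore.getInstance("BKS");
            // commonutil.a.b(...) presumably Base64-decodes the keystore bytes; confirm.
            ByteArrayInputStream keyStoreBytes = new ByteArrayInputStream(com.xunmeng.pinduoduo.basekit.commonutil.a.b(certificateInfo.getBase64BKSCert()));
            // NOTE(review): the keystore and its password arrive in the same configuration value,
            // so the private key is only as confidential as that configuration channel.
            String password = certificateInfo.getPassword();
            keyStore.load(keyStoreBytes, password.toCharArray());
            if (!checkCertValidity(keyStore, certHost, "BKS")) {
                return null;
            }
            keyManagerFactory.init(keyStore, password.toCharArray());
            // null trust managers / null SecureRandom: the platform defaults are used for
            // server-certificate validation and randomness.
            sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
            context = sslContext;
            return sslContext;
        } catch (Throwable th) {
            Logger.logE("", "\u0005\u0007Du\u0005\u0007%s\u0005\u0007%s", "0", "BKS", th.toString());
            a.b(6003, "BKS:" + th.toString(), certHost);
            return null;
        }
    }
}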
