package de.authada.eid.core.tls;

import de.authada.mobile.org.spongycastle.asn1.ASN1ObjectIdentifier;
import de.authada.mobile.org.spongycastle.cert.X509CertificateHolder;
import de.authada.mobile.org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import de.authada.mobile.org.spongycastle.est.jcajce.JsseDefaultHostnameAuthorizer;
import de.authada.mobile.org.spongycastle.jce.provider.BouncyCastleProvider;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/* loaded from: classes3.dex */
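/**
 * Performs leaf-certificate checks on a TLS peer certificate: host name match,
 * validity period, and public-key strength / curve allow-listing.
 *
 * <p>NOTE(review): no trust-chain or revocation check is visible in this class; presumably
 * path validation happens elsewhere in the TLS stack. Confirm against the caller, because
 * the checks here alone do not establish that the certificate was issued by a trusted CA.
 */
class CertificateValidator {
    /** Client certificate type value that {@link #validateKey} treats as ECDSA. */
    private static final int EC = 64;
    /** Client certificate type value that {@link #validateKey} treats as RSA. */
    private static final int RSA = 1;
    /** Smallest RSA modulus size, in bits, accepted by {@link #validateKey}. */
    private static final int MIN_RSA_MODULUS_BITS = 2048;

    private final String hostName;

    // NOTE(review): the authorizer is built with an empty known-suffix set. In Bouncy Castle's
    // EST host name authorizer that set is what rejects wildcard names covering a public suffix;
    // confirm against the bundled SpongyCastle version that an empty set is intended.
    private final JsseDefaultHostnameAuthorizer jsseDefaultHostnameAuthorizer = new JsseDefaultHostnameAuthorizer(Collections.emptySet());

    /**
     * Creates a validator bound to one expected host name.
     *
     * @param str host name the peer certificate must match; stored as given, without validation
     */
    public CertificateValidator(String str) {
        this.hostName = str;
    }

    /**
     * Checks that the certificate matches the host name this validator was created for.
     *
     * @param x509Certificate certificate presented by the peer
     * @throws IOException if the authorizer reports a mismatch (or itself fails)
     */
    private void validateHostname(X509Certificate x509Certificate) throws IOException {
        if (!this.jsseDefaultHostnameAuthorizer.verify(this.hostName, x509Certificate)) {
            throw new IOException("Hostname validation failed");
        }
    }

    /**
     * Runs all checks in order: host name, validity period, then public key.
     * The first failing check aborts validation.
     *
     * @param authadaTlsCertificate certificate wrapper received during the handshake
     * @throws IOException if the certificate cannot be converted or any check fails
     */
    public void validate(AuthadaTlsCertificate authadaTlsCertificate) throws IOException {
        final X509Certificate certificate;
        try {
            // Only the conversion can raise CertificateException, so the try block is kept
            // to that single statement.
            certificate = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(new X509CertificateHolder(authadaTlsCertificate.getCertificate()));
        } catch (CertificateException e) {
            throw new IOException("Failed to convert to x509certificate", e);
        }
        validateHostname(certificate);
        validateValidityPeriod(certificate);
        validateKey(authadaTlsCertificate);
    }

    /**
     * Accepts RSA keys with a modulus of at least {@value #MIN_RSA_MODULUS_BITS} bits and EC keys
     * whose named curve is listed in {@code TlsUtils.VALID_CERT_CURVES}; everything else is rejected.
     *
     * <p>EC parameters that are not a named-curve OID (absent, or any other ASN.1 structure) are
     * rejected with the same {@link IOException} as any other unsupported key, so callers see one
     * failure type instead of an unchecked exception escaping from the ASN.1 layer.
     *
     * @param authadaTlsCertificate certificate wrapper whose key is inspected
     * @throws IOException if the key type, size or curve is not accepted
     */
    void validateKey(AuthadaTlsCertificate authadaTlsCertificate) throws IOException {
        short clientCertificateType = authadaTlsCertificate.getClientCertificateType();
        boolean supported = false;
        if (clientCertificateType == RSA) {
            supported = authadaTlsCertificate.getPubKeyRSA().getModulus().bitLength() >= MIN_RSA_MODULUS_BITS;
        } else if (clientCertificateType == EC) {
            final ASN1ObjectIdentifier curve;
            try {
                curve = ASN1ObjectIdentifier.getInstance(authadaTlsCertificate.getCertificate().getSubjectPublicKeyInfo().getAlgorithm().getParameters());
            } catch (IllegalArgumentException e) {
                // Parameters are present but are not an object identifier: fail closed with the
                // checked exception type this method declares, keeping the cause.
                throw new IOException("Unsupported Public Key", e);
            }
            // A null OID means the parameters were absent; never hand null to the allow-list lookup.
            supported = curve != null && TlsUtils.VALID_CERT_CURVES.contains(curve);
        }
        if (!supported) {
            throw new IOException("Unsupported Public Key");
        }
    }

    /**
     * Checks that the current time lies inside the certificate's validity window.
     *
     * @param x509Certificate certificate to check
     * @throws IOException if the certificate is expired or not yet valid
     */
    void validateValidityPeriod(X509Certificate x509Certificate) throws IOException {
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new IOException("Certificate is not valid", e);
        }
    }
}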
