package com.squareup.okhttp.internal.tls;

import com.squareup.okhttp.CertificatePinner;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.internal.HeldCertificate;
import com.squareup.okhttp.internal.SslContextBuilder;
import com.squareup.okhttp.mockwebserver.MockResponse;
import com.squareup.okhttp.mockwebserver.MockWebServer;
import com.squareup.okhttp.mockwebserver.SocketPolicy;
import com.squareup.okhttp.testing.RecordingHostnameVerifier;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;

/* loaded from: input_file:com/squareup/okhttp/internal/tls/CertificatePinnerChainValidationTest.class */
/**
 * Exercises {@link CertificatePinner} against certificate chains served by a {@link MockWebServer}.
 *
 * <p>Every test builds its own throwaway PKI with {@link HeldCertificate}, configures a client that
 * trusts only the listed root(s) and pins one certificate for the server's host name, and then
 * checks whether a request succeeds or is rejected. Taken together, the tests expect pins to be
 * matched against the chain the client actually validated up to a trust anchor, not against
 * whatever extra certificates the peer chose to send.
 *
 * <p>Host name verification is handed to {@link RecordingHostnameVerifier}, a test double
 * (presumably accepting every host - confirm), so a rejection in these tests is expected to come
 * from chain validation or pinning rather than from name matching.
 */
public final class CertificatePinnerChainValidationTest {

    @Rule
    public final MockWebServer server = new MockWebServer();

    /** Builds a fresh GET request for the mock server's root path. */
    private Request rootRequest() {
        return new Request.Builder().url(server.url("/")).build();
    }

    /**
     * The pinned certificate is the root CA. The server sends only leaf + intermediate, so the
     * pin can match only if the checked chain is extended up to the trusted root.
     */
    @Test
    public void pinRootNotPresentInChain() throws Exception {
        HeldCertificate rootCa = new HeldCertificate.Builder()
                .serialNumber("1")
                .ca(3)
                .commonName("root")
                .build();
        HeldCertificate intermediateCa = new HeldCertificate.Builder()
                .issuedBy(rootCa)
                .ca(2)
                .serialNumber("2")
                .commonName("intermediate_ca")
                .build();
        HeldCertificate leaf = new HeldCertificate.Builder()
                .issuedBy(intermediateCa)
                .serialNumber("3")
                .commonName(server.getHostName())
                .build();

        // Pin the root: trusted by the client, but absent from what the server presents.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(server.getHostName(), CertificatePinner.pin(rootCa.certificate))
                .build();
        OkHttpClient client = new OkHttpClient()
                .setSslSocketFactory(new SslContextBuilder()
                        .addTrustedCertificate(rootCa.certificate)
                        .build()
                        .getSocketFactory())
                .setHostnameVerifier(new RecordingHostnameVerifier())
                .setCertificatePinner(pinner);

        // Served chain deliberately stops at the intermediate.
        server.useHttps(
                new SslContextBuilder()
                        .certificateChain(leaf, intermediateCa)
                        .build()
                        .getSocketFactory(),
                false);

        // First request must pass both TLS validation and the pin check.
        server.enqueue(new MockResponse()
                .setBody("abc")
                .setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
        Assert.assertEquals("abc", client.newCall(rootRequest()).execute().body().string());

        // The server disconnected after the first response, so this request handshakes again;
        // presumably this guards against state cached from the first check.
        server.enqueue(new MockResponse()
                .setBody("def")
                .setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
        Assert.assertEquals("def", client.newCall(rootRequest()).execute().body().string());
    }

    /**
     * The pinned certificate is the intermediate CA, which the server does send. The request is
     * expected to succeed on two consecutive connections.
     */
    @Test
    public void pinIntermediatePresentInChain() throws Exception {
        HeldCertificate rootCa = new HeldCertificate.Builder()
                .serialNumber("1")
                .ca(3)
                .commonName("root")
                .build();
        HeldCertificate intermediateCa = new HeldCertificate.Builder()
                .issuedBy(rootCa)
                .ca(2)
                .serialNumber("2")
                .commonName("intermediate_ca")
                .build();
        HeldCertificate leaf = new HeldCertificate.Builder()
                .issuedBy(intermediateCa)
                .serialNumber("3")
                .commonName(server.getHostName())
                .build();

        // Trust anchor is the root; the pin is on the intermediate.
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(server.getHostName(), CertificatePinner.pin(intermediateCa.certificate))
                .build();
        OkHttpClient client = new OkHttpClient()
                .setSslSocketFactory(new SslContextBuilder()
                        .addTrustedCertificate(rootCa.certificate)
                        .build()
                        .getSocketFactory())
                .setHostnameVerifier(new RecordingHostnameVerifier())
                .setCertificatePinner(pinner);

        server.useHttps(
                new SslContextBuilder()
                        .certificateChain(leaf, intermediateCa)
                        .build()
                        .getSocketFactory(),
                false);

        server.enqueue(new MockResponse()
                .setBody("abc")
                .setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
        Assert.assertEquals("abc", client.newCall(rootRequest()).execute().body().string());

        // Second connection, second handshake, same expectation.
        server.enqueue(new MockResponse()
                .setBody("def")
                .setSocketPolicy(SocketPolicy.DISCONNECT_AT_END));
        Assert.assertEquals("def", client.newCall(rootRequest()).execute().body().string());
    }

    /**
     * The client pins a legitimate leaf certificate. The server authenticates with a different
     * leaf, issued by another intermediate under the same trusted root, and merely appends the
     * pinned certificate to the chain it sends. The pinned certificate is not on the path that
     * validates the server's own leaf, so the pin check must reject the connection.
     */
    @Test
    public void unrelatedPinnedLeafCertificateInChain() throws Exception {
        HeldCertificate rootCa = new HeldCertificate.Builder()
                .serialNumber("1")
                .ca(3)
                .commonName("root")
                .build();

        // Legitimate branch: root -> good_intermediate_ca -> pinned leaf.
        HeldCertificate goodIntermediate = new HeldCertificate.Builder()
                .issuedBy(rootCa)
                .ca(2)
                .serialNumber("2")
                .commonName("good_intermediate_ca")
                .build();
        HeldCertificate pinnedLeaf = new HeldCertificate.Builder()
                .issuedBy(goodIntermediate)
                .serialNumber("3")
                .commonName(server.getHostName())
                .build();

        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(server.getHostName(), CertificatePinner.pin(pinnedLeaf.certificate))
                .build();
        OkHttpClient client = new OkHttpClient()
                .setSslSocketFactory(new SslContextBuilder()
                        .addTrustedCertificate(rootCa.certificate)
                        .build()
                        .getSocketFactory())
                .setHostnameVerifier(new RecordingHostnameVerifier())
                .setCertificatePinner(pinner);

        // Second branch under the same root: root -> bad_intermediate_ca -> served leaf.
        HeldCertificate badIntermediate = new HeldCertificate.Builder()
                .issuedBy(rootCa)
                .ca(2)
                .serialNumber("4")
                .commonName("bad_intermediate_ca")
                .build();
        HeldCertificate servedLeaf = new HeldCertificate.Builder()
                .serialNumber("5")
                .issuedBy(badIntermediate)
                .commonName(server.getHostName())
                .build();

        // The pinned leaf is included in the served chain although it did not sign anything in it.
        server.useHttps(
                new SslContextBuilder()
                        .certificateChain(servedLeaf, badIntermediate, pinnedLeaf, rootCa)
                        .build()
                        .getSocketFactory(),
                false);
        server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));

        // Only a pinning failure is accepted here; a successful response fails the test.
        try {
            client.newCall(rootRequest()).execute();
            Assert.fail();
        } catch (SSLPeerUnverifiedException expected) {
            String detail = expected.getMessage();
            Assert.assertTrue(detail, detail.startsWith("Certificate pinning failure!"));
        }
    }

    /**
     * The client trusts two roots and pins an intermediate issued by the first. The server's leaf
     * chains to the second root through a different intermediate that reuses the common name
     * "intermediate_ca"; the pinned intermediate is sent alongside it. The connection must be
     * rejected, either during the handshake or by the pin check.
     */
    @Test
    public void unrelatedPinnedIntermediateCertificateInChain() throws Exception {
        // Both roots go into the client's trust store below.
        HeldCertificate rootCa = new HeldCertificate.Builder()
                .serialNumber("1")
                .ca(3)
                .commonName("root")
                .build();
        HeldCertificate compromisedRootCa = new HeldCertificate.Builder()
                .serialNumber("2")
                .ca(3)
                .commonName("compromised_root")
                .build();

        // The intermediate the client pins, issued by the first root.
        HeldCertificate pinnedIntermediate = new HeldCertificate.Builder()
                .issuedBy(rootCa)
                .ca(2)
                .serialNumber("3")
                .commonName("intermediate_ca")
                .build();

        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(server.getHostName(), CertificatePinner.pin(pinnedIntermediate.certificate))
                .build();
        OkHttpClient client = new OkHttpClient()
                .setSslSocketFactory(new SslContextBuilder()
                        .addTrustedCertificate(rootCa.certificate)
                        .addTrustedCertificate(compromisedRootCa.certificate)
                        .build()
                        .getSocketFactory())
                .setHostnameVerifier(new RecordingHostnameVerifier())
                .setCertificatePinner(pinner);

        // Same common name as the pinned intermediate, but issued by the other root.
        HeldCertificate lookalikeIntermediate = new HeldCertificate.Builder()
                .issuedBy(compromisedRootCa)
                .ca(2)
                .serialNumber("4")
                .commonName("intermediate_ca")
                .build();
        HeldCertificate servedLeaf = new HeldCertificate.Builder()
                .serialNumber("5")
                .issuedBy(lookalikeIntermediate)
                .commonName(server.getHostName())
                .build();

        // The pinned intermediate sits in the served chain next to the one that really signed
        // the leaf, so a check over the raw peer chain would see a matching pin.
        server.useHttps(
                new SslContextBuilder()
                        .certificateChain(
                                servedLeaf,
                                pinnedIntermediate,
                                lookalikeIntermediate,
                                compromisedRootCa)
                        .build()
                        .getSocketFactory(),
                false);
        server.enqueue(new MockResponse().setBody("abc").addHeader("Content-Type: text/plain"));

        // Two rejection paths are accepted; which one fires presumably depends on the TLS
        // provider in use. A successful response fails the test.
        try {
            client.newCall(rootRequest()).execute();
            Assert.fail();
        } catch (SSLHandshakeException handshakeRejected) {
            String detail = handshakeRejected.getMessage();
            Assert.assertTrue(detail, detail.contains("Could not validate certificate"));
        } catch (SSLPeerUnverifiedException pinRejected) {
            String detail = pinRejected.getMessage();
            Assert.assertTrue(detail, detail.startsWith("Certificate pinning failure!"));
        }
    }
}
