package com.synology.sylib.sycertificatemanager.interceptor;

import android.content.Context;
import android.text.TextUtils;
import com.synology.sylib.sycertificatemanager.CertificateItem;
import com.synology.sylib.sycertificatemanager.CertificateStorageManager;
import com.synology.sylib.sycertificatemanager.exceptions.CertificateHostNotMatchException;
import com.synology.sylib.sycertificatemanager.trustmanager.SynoTrustManager;
import com.synology.sylib.sycertificatemanager.util.CertificateUtil;
import com.synology.sylib.syhttp3.SyHttpClient;
import com.synology.sylib.syhttp3.interceptors.RelayInterceptor;
import com.synology.sylib.syhttp3.relay.RelayRecord;
import com.synology.sylib.syhttp3.relay.utils.RelayUtil;
import java.io.IOException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import okhttp3.Handshake;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.apache.http.conn.ssl.StrictHostnameVerifier;

/* loaded from: classes.dex */
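/**
 * OkHttp interceptor that installs a {@link SynoTrustManager}-backed socket factory on the
 * client and performs its own hostname / fingerprint checks on the peer certificate.
 *
 * <p>Security-relevant design points visible in this class:
 * <ul>
 *   <li>The client's {@link HostnameVerifier} is replaced with one that accepts every host.
 *       The real check runs in {@link #intercept} only after {@code chain.proceed()} has
 *       returned, so the request (headers and body) has already been sent to the peer by the
 *       time a mismatch is detected, unless {@code SynoTrustManager} rejects the peer during
 *       the handshake (not visible here). The check protects the response, not the request.</li>
 *   <li>Only the leaf certificate ({@code peerCertificates.get(0)}) is inspected.</li>
 *   <li>{@code mTrustManager.setVerify(...)} is instance state flipped per request.
 *       NOTE(review): with concurrent relay and direct requests on one client the flag can be
 *       observed by the wrong handshake; confirm how SynoTrustManager consumes it.</li>
 * </ul>
 */
public class SynoCertificateInterceptor implements Interceptor {
    private final Context mContext;
    private final StrictHostnameVerifier mHostnameVerifier = new StrictHostnameVerifier();
    private SynoTrustManager mTrustManager;
    private final String mUserInputAddress;

    /**
     * Configures {@code syHttpClient} with this interceptor's socket factory and the
     * accept-all hostname verifier.
     *
     * @param syHttpClient client to configure
     * @param context any context; only the application context is retained
     * @param str the address the user entered, passed on to the trust manager and to
     *     {@link CertificateItem} when a mismatch is recorded
     */
    public SynoCertificateInterceptor(SyHttpClient syHttpClient, Context context, String str) {
        this.mContext = context.getApplicationContext();
        this.mUserInputAddress = str;
        setSSlSocketFactory(syHttpClient);
        setFakeHostNameVerifier(syHttpClient);
    }

    /**
     * Configures {@code builder} with this interceptor's socket factory and the accept-all
     * hostname verifier.
     *
     * @param builder OkHttp builder to configure
     * @param context any context; only the application context is retained
     * @param str the address the user entered
     */
    public SynoCertificateInterceptor(OkHttpClient.Builder builder, Context context, String str) {
        this.mContext = context.getApplicationContext();
        this.mUserInputAddress = str;
        setSSlSocketFactory(builder);
        setFakeHostNameVerifier(builder);
    }

    /**
     * Creates the trust manager and a TLS socket factory that uses it as the only trust manager.
     *
     * @return the socket factory, or {@code null} if the TLS context could not be created
     */
    private SSLSocketFactory getSocketFactory() {
        this.mTrustManager = new SynoTrustManager(this.mContext, this.mUserInputAddress);
        try {
            SSLContext tlsContext = SSLContext.getInstance("TLS");
            tlsContext.init(null, new TrustManager[] {this.mTrustManager}, new SecureRandom());
            return tlsContext.getSocketFactory();
        } catch (Exception e) {
            // NOTE(review): on failure the caller keeps the client's existing socket factory
            // while the accept-all hostname verifier is still installed by the constructor.
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Handles a certificate that failed the hostname or fingerprint check.
     *
     * <p>Marks the certificate state as not legal, then accepts the certificate only if the
     * storage manager already contains it (presumably a previously user-approved exception;
     * confirm against CertificateStorageManager).
     *
     * @throws CertificateHostNotMatchException if the certificate is not in the store
     */
    private void handleCertificateHostNotMatch(X509Certificate x509Certificate) throws CertificateHostNotMatchException {
        CertificateStorageManager storage = CertificateStorageManager.getInstance(this.mContext);
        CertificateStorageManager.setIsLegalCertificate(false);
        CertificateItem item = new CertificateItem.Builder().parse(x509Certificate, this.mUserInputAddress).build();
        if (storage.containCertificate(item)) {
            return;
        }
        throw new CertificateHostNotMatchException(item);
    }

    /**
     * Returns a verifier that accepts every hostname. Hostname checking is deferred to
     * {@link #intercept}; a client carrying this verifier without this interceptor attached
     * performs no hostname verification at all.
     */
    private static HostnameVerifier newAcceptAllHostnameVerifier() {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        };
    }

    /** Installs the accept-all hostname verifier on a {@link SyHttpClient}. */
    private void setFakeHostNameVerifier(SyHttpClient syHttpClient) {
        syHttpClient.setHostnameVerifier(newAcceptAllHostnameVerifier());
    }

    /** Installs the accept-all hostname verifier on an OkHttp builder. */
    private void setFakeHostNameVerifier(OkHttpClient.Builder builder) {
        builder.hostnameVerifier(newAcceptAllHostnameVerifier());
    }

    /** Installs the custom socket factory on a {@link SyHttpClient}, if one could be created. */
    private void setSSlSocketFactory(SyHttpClient syHttpClient) {
        SSLSocketFactory socketFactory = getSocketFactory();
        if (socketFactory != null) {
            syHttpClient.setSslSocketFactory(socketFactory);
        }
    }

    /** Installs the custom socket factory on an OkHttp builder, if one could be created. */
    private void setSSlSocketFactory(OkHttpClient.Builder builder) {
        SSLSocketFactory socketFactory = getSocketFactory();
        if (socketFactory != null) {
            builder.sslSocketFactory(socketFactory);
        }
    }

    /**
     * Checks the leaf certificate against {@code str} with the strict hostname verifier and
     * falls back to the stored-certificate lookup on mismatch.
     *
     * @param str hostname the certificate must match
     * @param list peer certificate chain from the handshake
     * @throws CertificateHostNotMatchException if the name does not match and the certificate
     *     is not in the store
     */
    private void verifyHostname(String str, List<Certificate> list) throws CertificateHostNotMatchException {
        if (list == null || list.isEmpty()) {
            // NOTE(review): an absent chain is treated as a pass (fail-open), kept as in the
            // original. Confirm this is intended rather than an error condition.
            return;
        }
        X509Certificate leaf = (X509Certificate) list.get(0);
        try {
            this.mHostnameVerifier.verify(str, leaf);
        } catch (SSLException unused) {
            // Name mismatch: accept only if this exact certificate is already stored.
            handleCertificateHostNotMatch(leaf);
        }
    }

    /**
     * Checks that the SHA-256 fingerprint of the leaf certificate is one of the expected
     * fingerprints from the relay record.
     *
     * @param list peer certificate chain from the handshake
     * @param list2 expected fingerprints, compared after whitespace removal and lower-casing
     *     of the computed value
     * @throws IOException if no peer certificate is available, or if the fingerprint is not
     *     expected and the certificate is not in the store
     */
    private void verifyQuickConnectFingerPrint(List<Certificate> list, List<String> list2) throws IOException {
        if (list == null || list.isEmpty()) {
            // Fail closed with a checked TLS error instead of an unchecked index error.
            throw new SSLException("No peer certificate available for fingerprint verification");
        }
        X509Certificate leaf = (X509Certificate) list.get(0);
        // Locale.ROOT keeps the hex normalisation independent of the device locale.
        String fingerprint = CertificateUtil.toSHA256String(leaf)
                .replaceAll("\\s", "")
                .toLowerCase(java.util.Locale.ROOT);
        if (!list2.contains(fingerprint)) {
            handleCertificateHostNotMatch(leaf);
        }
    }

    /**
     * Runs the post-handshake certificate check that matches the request type: fingerprint
     * or relay-host check for relayed requests, URL-host check otherwise.
     */
    private void verifyPeer(boolean viaRelay, String relayHost, String urlHost, List<Certificate> peerCertificates)
            throws IOException {
        if (!viaRelay) {
            verifyHostname(urlHost, peerCertificates);
            return;
        }
        RelayRecord relayRecord = RelayUtil.getRelayRecord(relayHost);
        if (relayRecord == null) {
            // NOTE(review): no check at all is applied on this path, and setVerify(false) was
            // passed to the trust manager for this request. Confirm this cannot be reached
            // with an untrusted peer.
            return;
        }
        List<String> expected = relayRecord.getDSExpectedFingerPrints();
        if (expected == null || expected.isEmpty()) {
            verifyHostname(relayHost, peerCertificates);
        } else {
            verifyQuickConnectFingerPrint(peerCertificates, expected);
        }
    }

    /** Releases the response body so a rejected exchange does not leak its connection. */
    private static void closeQuietly(Response response) {
        if (response.body() != null) {
            response.body().close();
        }
    }

    /**
     * Proceeds with the request and then verifies the peer certificate of HTTPS responses.
     *
     * <p>The verification happens after the exchange, so the request has already been
     * transmitted when a mismatch is raised. If verification fails the response is closed
     * before the exception propagates.
     *
     * @throws IOException on transport failure or when certificate verification fails
     */
    @Override
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Request request = chain.request();
        String relayHost = request.header(RelayInterceptor.SYNO_REQUEST_HOST);
        boolean viaRelay = !TextUtils.isEmpty(relayHost);
        boolean isHttps = request.url().isHttps();
        String urlHost = request.url().host();
        // Trust-manager verification is requested only for direct HTTPS requests; what the
        // flag does is defined in SynoTrustManager (not visible here).
        this.mTrustManager.setVerify(isHttps && !viaRelay);
        Response response = chain.proceed(request);
        Handshake handshake = response.handshake();
        if (!isHttps || handshake == null) {
            return response;
        }
        boolean accepted = false;
        try {
            verifyPeer(viaRelay, relayHost, urlHost, handshake.peerCertificates());
            accepted = true;
        } finally {
            if (!accepted) {
                closeQuietly(response);
            }
        }
        return response;
    }
}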
