package com.synology.sylib.sycertificatemanager.interceptor;

import android.content.Context;
import android.text.TextUtils;
import com.synology.sylib.data.SynoURL;
import com.synology.sylib.sycertificatemanager.CertificateStorageManager;
import com.synology.sylib.sycertificatemanager.exceptions.CertificateHostNotMatchException;
import com.synology.sylib.sycertificatemanager.exceptions.CertificateUntrustedException;
import com.synology.sylib.sycertificatemanager.hostverifier.SynoHostnameVerifier;
import com.synology.sylib.sycertificatemanager.trustmanager.SynoTrustManager;
import com.synology.sylib.sycertificatemanager.util.CertificateDataUtil;
import com.synology.sylib.syhttp3.SyHttpClient;
import com.synology.sylib.syhttp3.relay.RelayManager;
import com.synology.sylib.syhttp3.relay.RelayRecord;
import com.synology.sylib.syhttp3.relay.RelayRecordKey;
import com.synology.sylib.syhttp3.relay.utils.RelayUtil;
import java.io.IOException;
import java.net.MalformedURLException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import okhttp3.Handshake;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

/* loaded from: classes2.dex */
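/**
 * OkHttp interceptor that installs a {@link SynoTrustManager} and a {@link SynoHostnameVerifier}
 * on the HTTP client and re-checks the peer certificate chain after each HTTPS exchange.
 *
 * <p>When the user-entered address is a QuickConnect ID, a failed trust or hostname check is not
 * final: the leaf certificate's SHA-256 fingerprint is compared with the fingerprints stored in
 * the relay record for that ID, and a match accepts the connection.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The checks in {@link #intercept} run after {@code chain.proceed()}, so the request has
 *       already been sent when they execute. They can only stop the response from being used.
 *       Whether an untrusted peer is rejected earlier, during the TLS handshake, depends on
 *       {@code SynoTrustManager} and {@code SynoHostnameVerifier}, which are not visible here;
 *       confirm before relying on this class to protect request data.</li>
 *   <li>An HTTPS response with no handshake or an empty peer chain is passed through without
 *       verification (fail-open).</li>
 * </ul>
 */
public class SynoCertificateInterceptor implements Interceptor {
    private final Context mContext;
    private final SynoHostnameVerifier mHostnameVerifier;
    // QuickConnect ID parsed from the user input, or "" when the input is not a QuickConnect ID.
    private String mQid;
    private SynoTrustManager mTrustManager;
    private boolean mUpdateCurrentX509Certificate = true;
    private final String mUserInputAddress;
    private boolean mUsingQuickConnect;

    /**
     * Configures {@code syHttpClient} with this library's hostname verifier and socket factory.
     *
     * @param syHttpClient client to configure
     * @param context any context; only the application context is retained
     * @param str the address the user entered (host, URL or QuickConnect ID)
     */
    public SynoCertificateInterceptor(SyHttpClient syHttpClient, Context context, String str) {
        this.mContext = context.getApplicationContext();
        this.mUserInputAddress = str;
        this.mHostnameVerifier = new SynoHostnameVerifier(this.mContext, this.mUserInputAddress);
        syHttpClient.setHostnameVerifier(this.mHostnameVerifier);
        setSSlSocketFactory(syHttpClient);
        initQuickConnectIDIfNecessary();
    }

    /**
     * Configures an OkHttp builder with this library's hostname verifier and socket factory.
     *
     * @param builder builder to configure
     * @param context any context; only the application context is retained
     * @param str the address the user entered (host, URL or QuickConnect ID)
     */
    public SynoCertificateInterceptor(OkHttpClient.Builder builder, Context context, String str) {
        this.mContext = context.getApplicationContext();
        this.mUserInputAddress = str;
        this.mHostnameVerifier = new SynoHostnameVerifier(this.mContext, this.mUserInputAddress);
        builder.hostnameVerifier(this.mHostnameVerifier);
        setSSlSocketFactory(builder);
        initQuickConnectIDIfNecessary();
    }

    /** Returns the host part of the user input if it is a QuickConnect ID, otherwise "". */
    private String getQuickConnectId() {
        try {
            String host = new SynoURL(this.mUserInputAddress).getHost();
            return RelayUtil.isQuickConnectId(host) ? host : "";
        } catch (MalformedURLException e) {
            // An unparsable address is treated as "not QuickConnect", which selects the stricter
            // path in intercept() (no fingerprint fallback).
            e.printStackTrace();
            return "";
        }
    }

    /**
     * Creates the trust manager and a TLS socket factory backed by it.
     *
     * @return the socket factory, or {@code null} if the SSLContext could not be set up
     */
    private SSLSocketFactory getSocketFactory() {
        // Assigned before the try block so the post-handshake verify() always has a trust manager.
        this.mTrustManager = new SynoTrustManager(this.mContext, this.mUserInputAddress);
        try {
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, new TrustManager[]{this.mTrustManager}, new SecureRandom());
            return sSLContext.getSocketFactory();
        } catch (Exception e) {
            // NOTE(review): on failure the callers leave the client's existing socket factory in
            // place, so handshake-time trust decisions are then not made by mTrustManager.
            e.printStackTrace();
            return null;
        }
    }

    private void initQuickConnectIDIfNecessary() {
        this.mQid = getQuickConnectId();
        this.mUsingQuickConnect = !TextUtils.isEmpty(this.mQid);
    }

    /** Records the leaf certificate of the chain as the currently used certificate. */
    private void setCurrentX509Certificate(List<Certificate> list) {
        if (list.isEmpty()) {
            return;
        }
        Certificate leaf = list.get(0);
        // Bookkeeping only: skip a non-X.509 leaf instead of failing the request with a
        // ClassCastException.
        if (leaf instanceof X509Certificate) {
            CertificateStorageManager.setCurrentUsedX509Certificate((X509Certificate) leaf);
        }
    }

    private void setSSlSocketFactory(SyHttpClient syHttpClient) {
        SSLSocketFactory socketFactory = getSocketFactory();
        if (socketFactory != null) {
            syHttpClient.setSslSocketFactory(socketFactory);
        }
    }

    private void setSSlSocketFactory(OkHttpClient.Builder builder) {
        SSLSocketFactory socketFactory = getSocketFactory();
        if (socketFactory != null) {
            // NOTE(review): this one-argument overload is deprecated in OkHttp 3 because it finds
            // the trust manager by reflection. The two-argument overload needs an
            // X509TrustManager; SynoTrustManager's type is not visible here, so it is unchanged.
            builder.sslSocketFactory(socketFactory);
        }
    }

    /**
     * Refreshes the relay record's expected fingerprints and checks {@code str} against them.
     *
     * <p>NOTE(review): rejection relies on {@code handleCertificateHostNotMatch} throwing; its
     * body is not visible here. If it returns normally, a fingerprint mismatch is accepted.
     * The original trust/hostname failure is not propagated from this path.
     *
     * @param x509Certificate leaf certificate presented by the peer
     * @param str normalised SHA-256 fingerprint of that certificate
     */
    private void updateDSExpectedFingerPrint(X509Certificate x509Certificate, String str) throws IOException {
        RelayRecordKey relayRecordKey = RelayRecordKey.getInstance(this.mContext, this.mQid, true);
        if (RelayUtil.getRelayRecord(relayRecordKey) == null) {
            this.mHostnameVerifier.handleCertificateHostNotMatch(x509Certificate);
            return;
        }
        RelayRecord updateRecordFingerPrint = RelayManager.getInstance().updateRecordFingerPrint(relayRecordKey);
        RelayUtil.setRelayRecord(updateRecordFingerPrint);
        List<String> dSExpectedFingerPrints = updateRecordFingerPrint.getDSExpectedFingerPrints();
        if (dSExpectedFingerPrints == null || !dSExpectedFingerPrints.contains(str)) {
            this.mHostnameVerifier.handleCertificateHostNotMatch(x509Certificate);
        }
    }

    /** Runs the trust check and then the hostname check on the peer chain. */
    private void verify(List<Certificate> list, String str) throws IOException {
        this.mTrustManager.verify(list);
        this.mHostnameVerifier.verify(str, list);
    }

    /**
     * Accepts the peer if the leaf certificate's SHA-256 fingerprint is in {@code list2};
     * otherwise refreshes the expected fingerprints and checks again.
     *
     * @param list peer chain, leaf first; must not be empty
     * @param list2 expected fingerprints from the stored relay record
     */
    private void verifyQuickConnectFingerPrint(List<Certificate> list, List<String> list2) throws IOException {
        X509Certificate x509Certificate = (X509Certificate) list.get(0);
        // Locale.ROOT keeps the normalised fingerprint independent of the device locale.
        // The comparison is an exact string match, so the stored fingerprints must use the same
        // form (lower case, no whitespace).
        String lowerCase = CertificateDataUtil.toSHA256String(x509Certificate)
                .replaceAll("\\s", "")
                .toLowerCase(java.util.Locale.ROOT);
        if (list2.contains(lowerCase)) {
            return;
        }
        updateDSExpectedFingerPrint(x509Certificate, lowerCase);
    }

    /**
     * Proceeds with the request, then verifies the peer certificate chain of the response.
     *
     * @throws IOException if the exchange fails or the peer certificate is rejected; the
     *     response body is closed before a verification failure is rethrown
     */
    @Override // okhttp3.Interceptor
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Request request = chain.request();
        // Snapshot the flags before the network call so one exchange uses consistent settings.
        boolean updateCurrent = this.mUpdateCurrentX509Certificate;
        boolean usingQuickConnect = this.mUsingQuickConnect;
        boolean isHttps = request.url().isHttps();
        String host = request.url().host();
        Response proceed = chain.proceed(request);
        try {
            checkPeer(proceed, isHttps, host, updateCurrent, usingQuickConnect);
        } catch (IOException | RuntimeException e) {
            // The caller never receives the response on this path, so it must be released here
            // or the connection leaks.
            closeBody(proceed);
            throw e;
        }
        return proceed;
    }

    /** Applies the post-handshake certificate checks to {@code response}. */
    private void checkPeer(Response response, boolean isHttps, String host, boolean updateCurrent,
            boolean usingQuickConnect) throws IOException {
        if (!isHttps) {
            return;
        }
        Handshake handshake = response.handshake();
        if (handshake == null) {
            // NOTE(review): fail-open, no certificate check is possible without a handshake.
            return;
        }
        List<Certificate> peerCertificates = handshake.peerCertificates();
        if (peerCertificates == null || peerCertificates.size() == 0) {
            // NOTE(review): fail-open, same as above.
            return;
        }
        if (updateCurrent) {
            // Runs before verification, so the stored certificate may be one that is rejected.
            setCurrentX509Certificate(peerCertificates);
        }
        if (!usingQuickConnect) {
            verify(peerCertificates, host);
            return;
        }
        try {
            verify(peerCertificates, host);
        } catch (CertificateHostNotMatchException | CertificateUntrustedException e) {
            RelayRecord relayRecord = RelayUtil.getRelayRecord(RelayRecordKey.getInstance(this.mContext, this.mQid, true));
            if (relayRecord == null || relayRecord.getDSExpectedFingerPrints() == null || relayRecord.getDSExpectedFingerPrints().size() <= 0) {
                // Nothing to pin against: keep the original failure.
                throw e;
            }
            verifyQuickConnectFingerPrint(peerCertificates, relayRecord.getDSExpectedFingerPrints());
        }
    }

    /** Closes the response body, if any, without letting a close failure mask the real error. */
    private static void closeBody(Response response) {
        try {
            if (response.body() != null) {
                response.body().close();
            }
        } catch (RuntimeException ignored) {
            // The verification failure is the exception the caller needs to see.
        }
    }

    /**
     * Controls whether {@link #intercept} records the peer's leaf certificate as the current one.
     *
     * @param z {@code true} to record it (the default)
     */
    public void setUpdateCurrentX509Certificate(boolean z) {
        this.mUpdateCurrentX509Certificate = z;
    }
}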
