package com.minhui.vpn.certificate;

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.security.KeyChain;
import com.google.android.gms.measurement.api.AppMeasurementSdk;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.minhui.networkcapture.utils.MyFileUtils;
import com.minhui.vpn.VpnServiceHelper;
import com.minhui.vpn.log.VPNLog;
import com.minhui.vpn.utils.SocketUtils;
import java.io.ByteArrayOutputStream;
import java.io.Closeable;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import okhttp3.internal.Util;
import org.bouncycastle.operator.OperatorCreationException;

/* loaded from: classes2.dex */
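/**
 * Owns the capture CA material and hands out {@link SSLEngine}s for both sides of an
 * intercepted TLS session.
 *
 * <p>The CA certificate and private key are read from a PKCS#12 keystore shipped in the app's
 * assets (name and password come from {@link Authority}). From them the manager builds:
 * <ul>
 *   <li>one client {@link SSLContext} used to talk to upstream servers
 *       ({@link #newSslEngine(String, int)}), and</li>
 *   <li>per-host server contexts whose leaf certificate is signed by the CA
 *       ({@link #createCertForHost(String)}), cached for five minutes after last access.</li>
 * </ul>
 *
 * <p>Hostname verification towards upstream servers is enabled by reflectively calling
 * {@code SSLParameters#setEndpointIdentificationAlgorithm("HTTPS")}. When that method is not
 * available the engine is still returned and only a log line records that upstream hostnames
 * are not being checked.
 *
 * <p>Singleton; {@link #init(Context)} must run before any other public method. Access to the
 * per-host cache is serialised through {@link #createCertForHost(String)}.
 */
public class CertificateManager {
    private static final String CERT_FILE_EXTENSION = ".pem";
    private static final String KEY_STORE_FILE_EXTENSION = ".p12";
    private static final String KEY_STORE_TYPE = "PKCS12";
    /** Request code passed to {@link Activity#startActivityForResult} by {@link #installCert}. */
    private static final int REQUEST_CERT = 105;
    private static final String ROOT_CERT_NAME = "SSLCapture.pem";
    private static final String TAG = "CertificateManager";
    /** Suites stripped from every engine this class hands out (see {@link #filterWeakCipherSuites}). */
    private static final String[] WEAK_CIPHER_SUITES = {
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    };
    /** Idle time after which a cached per-host server context is evicted. */
    private static final long SERVER_CONTEXT_TTL_MINUTES = 5L;
    private static final int SERVER_CONTEXT_CONCURRENCY = 16;
    private static final int READ_CHUNK_SIZE = 8192;

    private Authority authority;
    private Certificate caCert;
    private PrivateKey caPrivKey;
    private Context mContext;
    // Never assigned in this class, so it keeps its default of false and the client
    // context is built without key managers (no client certificate is presented upstream).
    private boolean sendCerts;
    /** Per-host impersonation contexts; {@code null} until {@link #init(Context)} has run. */
    private Cache<String, SSLContext> serverSSLContexts;
    /** Client-side context for upstream connections; {@code null} until {@link #init(Context)} has run. */
    private SSLContext sslContext;

    /** Lazy-holder for the singleton instance. */
    public static class InnerClass {
        private static final CertificateManager instance = new CertificateManager();

        private InnerClass() {
        }
    }

    private CertificateManager() {
    }

    /**
     * Builds a server {@link SSLContext} whose certificate impersonates {@code host}, signed by
     * the loaded CA.
     *
     * @param host common name to put on the generated leaf certificate
     * @return a fresh server context for {@code host}
     * @throws GeneralSecurityException if key or certificate generation fails
     * @throws IOException              if the generated material cannot be encoded
     * @throws OperatorCreationException if the BouncyCastle signer cannot be created
     */
    public SSLContext createServerContext(String host)
            throws GeneralSecurityException, IOException, OperatorCreationException {
        MillisecondsDuration duration = new MillisecondsDuration();
        Certificate[] chain = CertificateHelper.createServerCertificate(host, this.authority, this.caCert, this.caPrivKey);
        KeyManager[] keyManagers = CertificateHelper.getKeyManagers(chain, this.authority);
        SSLContext serverContext = CertificateHelper.newServerContext(keyManagers);
        VPNLog.d(TAG, "Impersonated " + host + " in " + duration);
        return serverContext;
    }

    /**
     * Removes the suites listed in {@link #WEAK_CIPHER_SUITES} from {@code engine} and logs the
     * suites that remain enabled.
     *
     * @param engine engine whose enabled cipher suites are filtered in place
     */
    private void filterWeakCipherSuites(SSLEngine engine) {
        List<String> kept = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (isWeakCipherSuite(suite)) {
                VPNLog.d(TAG, "Removed cipher " + suite);
            } else {
                kept.add(suite);
            }
        }
        engine.setEnabledCipherSuites(kept.toArray(new String[0]));
        if (engine.getUseClientMode()) {
            VPNLog.d(TAG, "Enabled server cipher suites:");
        } else {
            VPNLog.d(TAG, "Enabled client " + engine.getPeerHost() + ":" + engine.getPeerPort() + " cipher suites:");
        }
        for (String suite : kept) {
            VPNLog.d(TAG, suite);
        }
    }

    /** Returns whether {@code suite} is one of the suites this class refuses to enable. */
    private static boolean isWeakCipherSuite(String suite) {
        for (String weak : WEAK_CIPHER_SUITES) {
            if (weak.equals(suite)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the process-wide instance; call {@link #init(Context)} on it once before use. */
    public static CertificateManager getInstance() {
        return InnerClass.instance;
    }

    /** Creates the per-host server-context cache used by {@link #createCertForHost(String)}. */
    private static Cache<String, SSLContext> initDefaultCertificateCache() {
        return CacheBuilder.newBuilder()
                .expireAfterAccess(SERVER_CONTEXT_TTL_MINUTES, TimeUnit.MINUTES)
                .concurrencyLevel(SERVER_CONTEXT_CONCURRENCY)
                .build();
    }

    /**
     * Loads the CA certificate and key from the bundled keystore and builds the client context
     * used for upstream connections.
     *
     * <p>Also probes, on a throw-away engine, whether endpoint identification can be enabled on
     * this platform; the outcome is only logged here, the real per-connection attempt happens
     * in {@link #newSslEngine(String, int)}.
     *
     * @throws GeneralSecurityException if the keystore or context cannot be set up
     * @throws IOException              if the keystore asset cannot be read
     */
    private void initializeSSLContext() throws GeneralSecurityException, IOException {
        KeyStore keyStore = loadKeyStore();
        this.caCert = keyStore.getCertificate(this.authority.alias());
        this.caPrivKey = (PrivateKey) keyStore.getKey(this.authority.alias(), this.authority.password());
        KeyManager[] keyManagers = this.sendCerts
                ? CertificateHelper.getKeyManagers(keyStore, this.authority)
                : new KeyManager[0];
        TrustManager[] trustManagers = {new MergeTrustManager(keyStore)};
        this.sslContext = CertificateHelper.newClientContext(keyManagers, trustManagers);
        if (!tryHostNameVerificationJava7(this.sslContext.createSSLEngine())) {
            VPNLog.d(TAG, "Host Name Verification is not supported, causes insecure HTTPS connection to upstream servers.");
        }
    }

    /**
     * Opens the PKCS#12 keystore asset named by {@link Authority#aliasAssert(String)} and loads it
     * with the authority password.
     *
     * @return the loaded keystore
     * @throws GeneralSecurityException if the keystore type is unavailable or the contents are invalid
     * @throws IOException              if the asset cannot be opened or read, or the password is wrong
     */
    private KeyStore loadKeyStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
        // try-with-resources closes the asset stream on both the success and the failure path.
        try (InputStream in = this.mContext.getAssets().open(this.authority.aliasAssert(KEY_STORE_FILE_EXTENSION))) {
            keyStore.load(in, this.authority.password());
        }
        return keyStore;
    }

    /**
     * Enables HTTPS endpoint identification (hostname verification) on {@code engine} if the
     * platform's {@link SSLParameters} exposes {@code setEndpointIdentificationAlgorithm}.
     *
     * <p>The method is looked up reflectively so the class still loads on platforms that lack it.
     *
     * @param engine engine to configure
     * @return {@code true} if verification was enabled, {@code false} if the method is missing
     *         or the reflective call failed (the failure is logged)
     */
    private boolean tryHostNameVerificationJava7(SSLEngine engine) {
        for (Method method : SSLParameters.class.getMethods()) {
            if (!"setEndpointIdentificationAlgorithm".equals(method.getName())) {
                continue;
            }
            SSLParameters params = new SSLParameters();
            try {
                method.invoke(params, "HTTPS");
                engine.setSSLParameters(params);
                return true;
            } catch (IllegalAccessException e) {
                VPNLog.e(TAG, "SSLParameters#setEndpointIdentificationAlgorithm " + e.getMessage());
                return false;
            } catch (InvocationTargetException e) {
                VPNLog.d(TAG, "SSLParameters#setEndpointIdentificationAlgorithm " + e.getMessage());
                return false;
            }
        }
        return false;
    }

    /**
     * Returns a server-side engine presenting a CA-signed certificate for {@code commonName}.
     *
     * <p>Contexts are memoised per host in {@link #serverSSLContexts}; the whole method is
     * synchronised, so certificate generation for different hosts does not run concurrently.
     *
     * @param commonName host name to impersonate; must not be {@code null}
     * @return a new engine from the (possibly cached) server context for {@code commonName}
     * @throws IllegalArgumentException  if {@code commonName} is {@code null}
     * @throws GeneralSecurityException  if certificate generation fails
     * @throws OperatorCreationException if the signer cannot be created
     * @throws IOException               if the generated material cannot be encoded
     * @throws ExecutionException        if the cache loader fails
     */
    public synchronized SSLEngine createCertForHost(final String commonName)
            throws GeneralSecurityException, OperatorCreationException, IOException, ExecutionException {
        if (commonName == null) {
            throw new IllegalArgumentException("Error, 'commonName' is not allowed to be null!");
        }
        SSLContext serverContext;
        if (this.serverSSLContexts == null) {
            // init() has not created the cache yet: build a one-off context instead.
            serverContext = createServerContext(commonName);
        } else {
            serverContext = this.serverSSLContexts.get(commonName, new Callable<SSLContext>() {
                @Override
                public SSLContext call() throws Exception {
                    return createServerContext(commonName);
                }
            });
        }
        return serverContext.createSSLEngine();
    }

    /**
     * Copies the bundled CA certificate (PEM) to external storage as {@link #ROOT_CERT_NAME}.
     *
     * <p>On Android 10+ (API 29) the copy goes through
     * {@link MyFileUtils#copySandFileToExternalUri}; on older releases it lands in
     * {@code <externalFilesDir>/<dirName>/SSLCapture.pem}.
     *
     * @param context context whose external files directory is used on pre-29 devices
     * @param dirName sub-directory name under the external files directory (pre-29 only)
     * @throws IOException if the asset cannot be opened or copied
     */
    public void exportCert(Context context, String dirName) throws IOException {
        // The asset stream was previously never closed; try-with-resources fixes that leak.
        try (InputStream cert = getCert()) {
            if (Build.VERSION.SDK_INT >= 29) {
                MyFileUtils.copySandFileToExternalUri(VpnServiceHelper.getContext(), cert, ROOT_CERT_NAME);
                return;
            }
            File dir = new File(context.getExternalFilesDir(null), dirName);
            MyFileUtils.deleteFile(dir, null);
            if (dir.exists() || dir.mkdir()) {
                MyFileUtils.copyFile(cert, new File(dir, ROOT_CERT_NAME));
            }
        }
    }

    /**
     * Opens the bundled CA certificate asset (PEM).
     *
     * @return an open stream the caller must close
     * @throws IOException if the asset cannot be opened
     */
    public InputStream getCert() throws IOException {
        return this.mContext.getAssets().open(this.authority.aliasAssert(CERT_FILE_EXTENSION));
    }

    /** Returns the user-facing path where {@link #exportCert} places the certificate. */
    public String getExportPath() {
        if (Build.VERSION.SDK_INT >= 29) {
            return "sdcard/Download/SSLCapture.pem";
        }
        return "sdcard/" + VpnServiceHelper.getPath() + "/" + ROOT_CERT_NAME;
    }

    /**
     * Loads the CA material and prepares the client context and the per-host cache.
     *
     * @param context application context used to read assets
     * @throws GeneralSecurityException  if the keystore or context cannot be set up
     * @throws OperatorCreationException declared for callers; not thrown by the current body
     * @throws RootCertificateException  declared for callers; not thrown by the current body
     * @throws IOException               if the keystore asset cannot be read
     */
    public void init(Context context)
            throws GeneralSecurityException, OperatorCreationException, RootCertificateException, IOException {
        this.mContext = context;
        this.serverSSLContexts = initDefaultCertificateCache();
        this.authority = new Authority(this.mContext);
        initializeSSLContext();
    }

    /**
     * Launches the system certificate-install flow with the bundled CA certificate.
     *
     * <p>Any failure while reading the asset or starting the activity is logged and swallowed,
     * so this method never throws to the caller. The asset is read to its end rather than
     * trusting {@link InputStream#available()}, which is only a hint on asset streams.
     *
     * @param activity activity that receives the result under {@link #REQUEST_CERT}
     */
    public void installCert(Activity activity) {
        byte[] certBytes;
        try (InputStream cert = getCert()) {
            certBytes = readFully(cert);
        } catch (Exception e) {
            // Without the bytes there is nothing to install; do not launch the intent with an empty extra.
            VPNLog.e(TAG, "failed to installCert " + e.getMessage());
            return;
        }
        try {
            Intent installIntent = KeyChain.createInstallIntent();
            installIntent.putExtra(KeyChain.EXTRA_CERTIFICATE, certBytes);
            installIntent.putExtra(KeyChain.EXTRA_NAME, "SSLCapture CA Certificate");
            activity.startActivityForResult(installIntent, REQUEST_CERT);
        } catch (Exception e) {
            VPNLog.e(TAG, "failed to installCert " + e.getMessage());
        }
    }

    /**
     * Reads {@code in} to end-of-stream.
     *
     * @param in stream to drain; not closed here
     * @return all bytes read
     * @throws IOException if reading fails
     */
    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[READ_CHUNK_SIZE];
        int n;
        while ((n = in.read(chunk)) != -1) {
            out.write(chunk, 0, n);
        }
        return out.toByteArray();
    }

    /**
     * Returns a new engine from the client context with weak suites filtered out.
     *
     * <p>Unlike {@link #newSslEngine(String, int)}, neither client mode nor endpoint
     * identification is set here; the caller is responsible for both.
     *
     * @return a new, unconfigured engine
     */
    public SSLEngine newSslEngine() {
        SSLEngine engine = this.sslContext.createSSLEngine();
        filterWeakCipherSuites(engine);
        return engine;
    }

    /**
     * Returns a client-mode engine for an upstream connection to {@code host:port}.
     *
     * <p>Hostname verification is enabled when the platform supports it; otherwise only a log
     * line records that the upstream certificate will not be checked against {@code host}.
     *
     * @param host peer host name, also used for endpoint identification
     * @param port peer port
     * @return a new client-mode engine with weak suites filtered out
     */
    public SSLEngine newSslEngine(String host, int port) {
        SSLEngine engine = this.sslContext.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (!tryHostNameVerificationJava7(engine)) {
            VPNLog.d(TAG, "Host Name Verification is not supported, causes insecure HTTPS connection");
        }
        filterWeakCipherSuites(engine);
        return engine;
    }
}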
