package com.minhui.vpn.certificate;

import android.support.annotation.Keep;
import com.minhui.vpn.log.VPNLog;
import defpackage.adj;
import defpackage.akd;
import defpackage.ba;
import defpackage.bb;
import defpackage.gu;
import defpackage.gv;
import defpackage.gw;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.Writer;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;

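/**
 * Owns the root certificate authority (CA) used to impersonate TLS hosts and
 * hands out {@link SSLEngine}s for both sides of an intercepted connection.
 *
 * <p>{@link #init()} creates a PKCS12 key store holding the CA certificate and
 * its private key, plus a PEM export of the certificate, next to each other
 * (skipped when both files already exist) and then loads the key store into
 * memory. {@link #createCertForHost(String)} builds, and caches per host, an
 * {@link SSLContext} whose certificate is issued for that host by the CA
 * (the obfuscated helper logs it as "Impersonated"). {@link #newSslEngine(String, int)}
 * builds the client-mode engine towards the real upstream server.
 *
 * <ul>
 *   <li>The CA private key lives in the {@code .p12} file protected by
 *       {@code authority.password()} (see {@link #initializeKeyStore()}); the
 *       confidentiality of that file, and of the password, is the root of
 *       trust for every certificate this class mints. File permissions are not
 *       visible here.</li>
 *   <li>Upstream hostname verification is enabled by
 *       {@link #tryHostNameVerificationJava7(SSLEngine)}. When the platform lacks
 *       {@code SSLParameters#setEndpointIdentificationAlgorithm} the upstream
 *       connection is made without it and a log line says so.</li>
 *   <li>Two DHE/CBC cipher suites are removed from engines returned by the
 *       {@code newSslEngine} factories; engines from
 *       {@link #createCertForHost(String)} are returned unfiltered.</li>
 * </ul>
 *
 * <p>Thread-safety: only {@link #createCertForHost(String)} is synchronized.
 * {@link #init()} must complete before any engine factory is used.
 */
@Keep
public class CertificateManager {
    private static final String KEY_STORE_FILE_EXTENSION = ".p12";
    private static final String PEM_FILE_EXTENSION = ".pem";
    private static final String KEY_STORE_TYPE = "PKCS12";
    private static final String TAG = "CertificateManager";
    /** Suites dropped from every engine produced by the {@code newSslEngine} factories. */
    private static final String[] WEAK_CIPHER_SUITES = {
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
    };

    private Authority authority;
    private Certificate caCert;
    private PrivateKey caPrivKey;
    // Never assigned in this class: while false the default context is built with
    // no key managers, i.e. no client certificate is presented upstream.
    private boolean sendCerts;
    private ba<String, SSLContext> serverSSLContexts;
    private SSLContext sslContext;

    /** Initialization-on-demand holder; the singleton is created on first {@link #getInstance()}. */
    static class a {
        static final CertificateManager a = new CertificateManager();
    }

    /** Cache loader used by {@link #createCertForHost(String)} for hosts not yet cached. */
    class b implements Callable<SSLContext> {
        private final String host;

        b(String host) {
            this.host = host;
        }

        @Override
        public SSLContext call() {
            return createServerContext(host);
        }
    }

    /** Constructor does no I/O; all setup happens in {@link #init()}. */
    private CertificateManager() {
    }

    /**
     * Builds an {@link SSLContext} whose server certificate is issued for
     * {@code host} and signed with the CA material loaded by
     * {@link #initializeSSLContext()}. Bypasses the cache; callers normally go
     * through {@link #createCertForHost(String)}.
     *
     * <p>The three nested {@code gu.a} calls are an obfuscated helper chain;
     * from the argument shapes they appear to be host-certificate issuance,
     * key-manager creation and context creation — confirm against {@code gu}.
     *
     * @param host host name (common name) to impersonate
     * @return a context ready to create server-mode engines for {@code host}
     */
    public SSLContext createServerContext(String host) {
        gw timer = new gw();
        SSLContext context = gu.a(gu.a(gu.a(host, this.authority, this.caCert, this.caPrivKey), this.authority));
        VPNLog.d(TAG, "Impersonated {} in " + host + timer);
        return context;
    }

    /**
     * Writes the given objects (certificates) in PEM form to {@code file}.
     *
     * <p>Both the PEM writer and the underlying {@link FileWriter} are closed
     * quietly through {@code adj.a} on every exit path; {@code adj.a} is also
     * handed {@code null} when opening failed, as elsewhere in this class.
     *
     * @param file destination file (overwritten)
     * @param certs objects to write, in order
     * @throws IOException if the destination cannot be opened
     */
    private void exportPem(File file, Object... certs) throws IOException {
        FileWriter fileWriter = null;
        akd pemWriter = null;
        try {
            fileWriter = new FileWriter(file);
            pemWriter = new akd(fileWriter);
            for (Object cert : certs) {
                pemWriter.a(cert);
                pemWriter.flush();
            }
        } finally {
            adj.a((Writer) pemWriter);
            adj.a((Writer) fileWriter);
        }
    }

    /** @return true if {@code suite} is one of {@link #WEAK_CIPHER_SUITES}. */
    private static boolean isWeakCipherSuite(String suite) {
        for (String weak : WEAK_CIPHER_SUITES) {
            if (weak.equals(suite)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Removes {@link #WEAK_CIPHER_SUITES} from the engine's enabled set and logs
     * what remains.
     *
     * <p>The log label follows the engine's mode: client-mode engines are the
     * ones created with a peer host/port in {@link #newSslEngine(String, int)},
     * so that is the branch that can print {@code host:port}; server-mode
     * engines from {@link #newSslEngine()} have no peer host.
     *
     * @param engine engine whose enabled cipher suites are filtered in place
     */
    private void filterWeakCipherSuites(SSLEngine engine) {
        List<String> kept = new ArrayList<>();
        for (String suite : engine.getEnabledCipherSuites()) {
            if (isWeakCipherSuite(suite)) {
                VPNLog.d(TAG, "Removed cipher {}" + suite);
            } else {
                kept.add(suite);
            }
        }
        engine.setEnabledCipherSuites(kept.toArray(new String[0]));
        if (engine.getUseClientMode()) {
            VPNLog.d(TAG, "Enabled client {}:{} cipher suites:" + engine.getPeerHost() + engine.getPeerPort());
        } else {
            VPNLog.d(TAG, "Enabled server cipher suites:");
        }
        for (String suite : kept) {
            VPNLog.d(TAG, suite);
        }
    }

    /** @return the process-wide singleton; call {@link #init()} on it once before use. */
    public static CertificateManager getInstance() {
        return a.a;
    }

    /**
     * Builds the per-host {@link SSLContext} cache through the obfuscated
     * builder {@code bb}: a 5-minute time bound and a parameter of 16
     * (presumably a concurrency level — confirm against {@code bb}).
     */
    private static ba<String, SSLContext> initDefaultCertificateCache() {
        return bb.a().a(5L, TimeUnit.MINUTES).a(16).o();
    }

    /**
     * Creates the root CA key store on disk unless both the {@code .p12} key
     * store and the {@code .pem} certificate export already exist.
     *
     * <p>The {@code .p12} file contains the CA private key, protected only by
     * {@code authority.password()} and whatever permissions the file gets.
     * A failure while storing it is logged and the PEM export still runs
     * (the original flow); the missing key store then surfaces as an error in
     * {@link #loadKeyStore()}.
     *
     * @throws IOException if the PEM export cannot be written
     * @throws GeneralSecurityException if the certificate cannot be read back
     *     from the freshly created key store
     */
    private void initializeKeyStore() throws IOException, GeneralSecurityException {
        if (this.authority.aliasFile(KEY_STORE_FILE_EXTENSION).exists()
                && this.authority.aliasFile(PEM_FILE_EXTENSION).exists()) {
            return;
        }
        gw timer = new gw();
        KeyStore keyStore = gu.a(this.authority, KEY_STORE_TYPE);
        VPNLog.d(TAG, "Created root certificate authority key store in " + timer);
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(this.authority.aliasFile(KEY_STORE_FILE_EXTENSION));
            keyStore.store(out, this.authority.password());
        } catch (Exception e) {
            // Best-effort persistence, as in the original: log and carry on to the PEM export.
            VPNLog.d(TAG, "failed to save faile " + e.getMessage());
        } finally {
            adj.a((OutputStream) out);
        }
        exportPem(this.authority.aliasFile(PEM_FILE_EXTENSION), keyStore.getCertificate(this.authority.alias()));
    }

    /**
     * Loads the CA certificate and private key from the key store and builds
     * the default {@link SSLContext}.
     *
     * <p>Key managers are empty unless {@link #sendCerts} is true (never set in
     * this class), so no client certificate is presented upstream by default.
     * The trust manager is {@code gv} wrapping the key store; its policy is not
     * visible here. A throw-away engine probes whether endpoint identification
     * can be enabled; if not, upstream connections run without hostname
     * verification and that is logged.
     *
     * @throws GeneralSecurityException if the key store or its entries cannot be read
     * @throws IOException if the key store file cannot be read
     */
    private void initializeSSLContext() throws GeneralSecurityException, IOException {
        KeyStore keyStore = loadKeyStore();
        String alias = this.authority.alias();
        this.caCert = keyStore.getCertificate(alias);
        this.caPrivKey = (PrivateKey) keyStore.getKey(alias, this.authority.password());
        this.sslContext = gu.a(
                this.sendCerts ? gu.a(keyStore, this.authority) : new KeyManager[0],
                new TrustManager[]{new gv(keyStore)});
        if (!tryHostNameVerificationJava7(this.sslContext.createSSLEngine())) {
            VPNLog.d(TAG, "Host Name Verification is not supported, causes insecure HTTPS connection to upstream servers.");
        }
    }

    /**
     * Loads the PKCS12 key store written by {@link #initializeKeyStore()}.
     *
     * <p>The stream is closed quietly through {@code adj.a} on every exit path.
     * A missing or unreadable file propagates as an exception rather than
     * falling through to {@code KeyStore.load(null, …)}, which would silently
     * produce an empty key store and null CA material.
     *
     * @throws GeneralSecurityException if the PKCS12 type is unavailable or the
     *     contents cannot be parsed
     * @throws IOException if the file cannot be opened or read, or the password is wrong
     */
    private KeyStore loadKeyStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KEY_STORE_TYPE);
        FileInputStream in = null;
        try {
            in = new FileInputStream(this.authority.aliasFile(KEY_STORE_FILE_EXTENSION));
            keyStore.load(in, this.authority.password());
            return keyStore;
        } finally {
            adj.a((InputStream) in);
        }
    }

    /**
     * Enables HTTPS endpoint identification (hostname verification) on the
     * engine when the platform offers
     * {@code SSLParameters#setEndpointIdentificationAlgorithm}.
     *
     * <p>The setter is located reflectively so the class still loads on
     * platforms that predate it. The engine's current parameters are used as
     * the base so that settings already on the engine are not reset by
     * {@link SSLEngine#setSSLParameters(SSLParameters)}.
     *
     * @param engine engine to configure
     * @return true if endpoint identification was enabled; false if the setter
     *     is absent or could not be invoked (both outcomes are logged)
     */
    private boolean tryHostNameVerificationJava7(SSLEngine engine) {
        for (Method method : SSLParameters.class.getMethods()) {
            if (!"setEndpointIdentificationAlgorithm".equals(method.getName())) {
                continue;
            }
            SSLParameters params = engine.getSSLParameters();
            try {
                method.invoke(params, "HTTPS");
                engine.setSSLParameters(params);
                return true;
            } catch (IllegalAccessException e) {
                VPNLog.e(TAG, "SSLParameters#setEndpointIdentificationAlgorithm" + e.getMessage());
                return false;
            } catch (InvocationTargetException e) {
                VPNLog.d(TAG, "SSLParameters#setEndpointIdentificationAlgorithm" + e.getMessage());
                return false;
            }
        }
        return false;
    }

    /** Fails fast with a clear message when a factory is used before {@link #init()}. */
    private void requireInitialized() {
        if (this.sslContext == null) {
            throw new IllegalStateException("CertificateManager.init() has not been called");
        }
    }

    /**
     * Returns an engine whose certificate is issued for {@code str} by the CA.
     * Contexts are cached per host in {@link #serverSSLContexts} once
     * {@link #init()} has created the cache; before that every call builds a
     * fresh context. Weak cipher suites are not filtered on this path.
     *
     * @param str host name (common name) to impersonate; must not be null
     * @return an engine created from the host's context (mode not set here)
     * @throws IllegalArgumentException if {@code str} is null
     */
    public synchronized SSLEngine createCertForHost(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Error, 'commonName' is not allowed to be null!");
        }
        ba<String, SSLContext> cache = this.serverSSLContexts;
        SSLContext context = cache == null ? createServerContext(str) : cache.a(str, new b(str));
        return context.createSSLEngine();
    }

    /**
     * Creates the context cache and the {@link Authority}, writes the CA key
     * store if it is missing, and builds the in-memory SSL context. Must run
     * before any engine factory is used.
     *
     * @throws IllegalStateException if the key store cannot be created, written
     *     or loaded; the underlying I/O or security exception is the cause
     */
    public void init() {
        this.serverSSLContexts = initDefaultCertificateCache();
        this.authority = new Authority();
        try {
            initializeKeyStore();
            initializeSSLContext();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("failed to initialize the certificate authority", e);
        }
    }

    /**
     * Creates an engine from the default context (mode left at the engine's
     * default, i.e. server mode) with weak cipher suites removed.
     *
     * @throws IllegalStateException if {@link #init()} has not run
     */
    public SSLEngine newSslEngine() {
        requireInitialized();
        SSLEngine engine = this.sslContext.createSSLEngine();
        filterWeakCipherSuites(engine);
        return engine;
    }

    /**
     * Creates the client-mode engine for the connection to the upstream server
     * {@code str}:{@code i}, with hostname verification enabled where the
     * platform supports it and weak cipher suites removed.
     *
     * @param str upstream host name
     * @param i upstream port
     * @throws IllegalStateException if {@link #init()} has not run
     */
    public SSLEngine newSslEngine(String str, int i) {
        requireInitialized();
        SSLEngine engine = this.sslContext.createSSLEngine(str, i);
        engine.setUseClientMode(true);
        if (!tryHostNameVerificationJava7(engine)) {
            VPNLog.d(TAG, "Host Name Verification is not supported, causes insecure HTTPS connection");
        }
        filterWeakCipherSuites(engine);
        return engine;
    }
}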
