package com.wuba.xxzl.xznetsec;

import com.wuba.xxzl.security.XzNetSecCore;
import com.wuba.xxzl.security.jni.DllAgent;
import com.wuba.xxzl.security.log.NetLog;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.UUID;
import javax.net.ssl.SSLPeerUnverifiedException;
import okhttp3.CertificatePinner;
import okhttp3.Interceptor;
import okhttp3.Response;
import okio.ByteString;
import org.json.JSONArray;

/* loaded from: classes5.dex */
public class XzSSLNetInterceptor implements Interceptor {
    private static final String TAG = "NetSecInterceptor";
    private static String bssid = "";
    private static CertificatePinner pinner;
    private String action = "ssl";

    public XzSSLNetInterceptor(String str) {
        bssid = str;
    }

    private void checkSSL(Interceptor.Chain chain) {
        if (!needCheckSSL()) {
            NetLog.wtf(this.action, "cfg off", bssid);
            return;
        }
        initPinner();
        try {
            pinner.check(chain.request().url().host(), chain.connection().handshake().peerCertificates());
        } catch (SSLPeerUnverifiedException unused) {
            NetLog.wtf(this.action, "invalid certificate " + chain.request().url().toString(), bssid);
        } catch (Throwable th) {
            NetLog.wtf(this.action, "exception " + th.getMessage(), bssid);
        }
    }

    private void initPinner() {
        if (pinner != null) {
            return;
        }
        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        JSONArray loadCerCfg = loadCerCfg();
        if (loadCerCfg != null) {
            for (int i = 0; i < loadCerCfg.length(); i++) {
                try {
                    builder.add(loadCerCfg.optJSONObject(i).optString("domain"), CertificatePinner.pin((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(ByteString.decodeHex(loadCerCfg.optJSONObject(i).optString("publicKey")).toByteArray()))));
                } catch (Throwable th) {
                    th.printStackTrace();
                    NetLog.wtf(this.action, "cfg parse fail host name " + loadCerCfg.optJSONObject(i).optString("domain"), bssid);
                }
            }
        } else {
            NetLog.wtf(this.action, "cfg null", bssid);
        }
        pinner = builder.build();
    }

    private static JSONArray loadCerCfg() {
        try {
            return new JSONArray(DllAgent.loadCerCfg(XzNetSecCore.getContext(), UUID.randomUUID().toString().getBytes()));
        } catch (Throwable unused) {
            NetLog.wtf("loadCfg", "load exception", bssid);
            return null;
        }
    }

    private boolean needCheckSSL() {
        return XzNetSecCore.getInstance().switchCfg(XzNetSecCore.SWITCH_SSL);
    }

    @Override // okhttp3.Interceptor
    public Response intercept(Interceptor.Chain chain) throws IOException {
        checkSSL(chain);
        return chain.proceed(chain.request());
    }
}
