package com.tunnelbear.sdk.api;

import android.content.Context;
import android.security.KeyStoreException;
import com.fullstory.FS;
import com.google.net.cronet.okhttptransport.CronetInterceptor;
import com.moengage.core.internal.storage.database.contract.DeprecatedContractsKt;
import com.tunnelbear.sdk.api.PolarbearInterceptor;
import com.tunnelbear.sdk.api.ech.EchSocketFactory;
import com.tunnelbear.sdk.api.ssocks.SSocks;
import com.tunnelbear.sdk.auth.Credential;
import com.tunnelbear.sdk.security.CertificateTrustChecker;
import com.tunnelbear.sdk.security.PinnedHostCertificateSet;
import com.usabilla.sdk.ubform.telemetry.TelemetryDataKt;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import kotlin.Metadata;
import kotlin.jvm.JvmStatic;
import kotlin.jvm.internal.Intrinsics;
import okhttp3.CertificatePinner;
import okhttp3.ConnectionPool;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.internal.tls.OkHostnameVerifier;
import okhttp3.logging.HttpLoggingInterceptor;
import org.chromium.net.CronetEngine;
import org.conscrypt.Conscrypt;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

@Metadata(d1 = {"\u0000f\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010$\n\u0002\u0010\"\n\u0000\n\u0002\u0018\u0002\n\u0002\b\b\bÀ\u0002\u0018\u00002\u00020\u0001B\t\b\u0002¢\u0006\u0004\b(\u0010)Ji\u0010\u0015\u001a\u00020\u00142\u0006\u0010\u0003\u001a\u00020\u00022\u0006\u0010\u0005\u001a\u00020\u00042\u0006\u0010\u0007\u001a\u00020\u00062\b\u0010\t\u001a\u0004\u0018\u00010\b2\u0006\u0010\u000b\u001a\u00020\n2\u0006\u0010\r\u001a\u00020\f2\u0006\u0010\u000f\u001a\u00020\u000e2\b\b\u0002\u0010\u0010\u001a\u00020\u000e2\n\b\u0002\u0010\u0012\u001a\u0004\u0018\u00010\u00112\b\b\u0002\u0010\u0013\u001a\u00020\u000eH\u0007¢\u0006\u0004\b\u0015\u0010\u0016J'\u0010\u001a\u001a\n \u0019*\u0004\u0018\u00010\u00180\u00182\u0006\u0010\u000b\u001a\u00020\n2\u0006\u0010\u0017\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u001a\u0010\u001bJ\u000f\u0010\u001d\u001a\u00020\u001cH\u0002¢\u0006\u0004\b\u001d\u0010\u001eJ)\u0010#\u001a\u00020\"2\u0018\u0010!\u001a\u0014\u0012\u0004\u0012\u00020\u0004\u0012\n\u0012\b\u0012\u0004\u0012\u00020\u00040 0\u001fH\u0002¢\u0006\u0004\b#\u0010$J\u0019\u0010&\u001a\u0004\u0018\u00010\u00042\u0006\u0010%\u001a\u00020\u0004H\u0002¢\u0006\u0004\b&\u0010'¨\u0006*"}, d2 = {"Lcom/tunnelbear/sdk/api/PolarOkHttpClient;", "", "Lcom/tunnelbear/sdk/auth/Credential;", "holder", "", "hostname", "Lcom/tunnelbear/sdk/security/PinnedHostCertificateSet;", "certificateSet", "Ljava/io/InputStream;", "certificateInputStream", "Landroid/content/Context;", DeprecatedContractsKt.INAPP_V2_MSG_CONTEXT, "Lokhttp3/ConnectionPool;", "connectionPool", "", "enableOkHttpRequestLogging", "ech", "Lcom/tunnelbear/sdk/api/ssocks/SSocks;", "ssocks", "quic", "Lokhttp3/OkHttpClient$Builder;", "builder", "(Lcom/tunnelbear/sdk/auth/Credential;Ljava/lang/String;Lcom/tunnelbear/sdk/security/PinnedHostCertificateSet;Ljava/io/InputStream;Landroid/content/Context;Lokhttp3/ConnectionPool;ZZLcom/tunnelbear/sdk/api/ssocks/SSocks;Z)Lokhttp3/OkHttpClient$Builder;", "host", "Lorg/chromium/net/CronetEngine;", "kotlin.jvm.PlatformType", "b", "(Landroid/content/Context;Ljava/lang/String;)Lorg/chromium/net/CronetEngine;", "Ljavax/net/ssl/X509TrustManager;", "c", "()Ljavax/net/ssl/X509TrustManager;", "", "", "certs", "Lokhttp3/CertificatePinner;", TelemetryDataKt.TELEMETRY_EXTRA_ACTION, "(Ljava/util/Map;)Lokhttp3/CertificatePinner;", "url", "d", "(Ljava/lang/String;)Ljava/lang/String;", "<init>", "()V", "sdk_release"}, k = 1, mv = {1, 7, 1})
/* loaded from: classes12.dex */
public final class PolarOkHttpClient {

    @NotNull
    public static final PolarOkHttpClient INSTANCE = new PolarOkHttpClient();

    private PolarOkHttpClient() {
    }

    private final CertificatePinner a(Map<String, ? extends Set<String>> certs) {
        CertificatePinner.Builder builder = new CertificatePinner.Builder();
        for (String str : certs.keySet()) {
            Set<String> set = certs.get(str);
            if (set == null) {
                set = Collections.emptySet();
            }
            for (String str2 : set) {
                if (str2.length() > 0) {
                    builder.add(str, str2);
                }
            }
        }
        return builder.build();
    }

    private final CronetEngine b(Context context, String host) {
        return new CronetEngine.Builder(context).enableBrotli(false).enableHttp2(true).enableQuic(true).addQuicHint(host, 443, 443).build();
    }

    @JvmStatic
    @NotNull
    public static final OkHttpClient.Builder builder(@NotNull Credential holder, @NotNull String hostname, @NotNull PinnedHostCertificateSet certificateSet, @Nullable InputStream certificateInputStream, @NotNull Context context, @NotNull ConnectionPool connectionPool, boolean enableOkHttpRequestLogging, boolean ech, @Nullable SSocks ssocks, boolean quic) {
        Intrinsics.checkNotNullParameter(holder, "holder");
        Intrinsics.checkNotNullParameter(hostname, "hostname");
        Intrinsics.checkNotNullParameter(certificateSet, "certificateSet");
        Intrinsics.checkNotNullParameter(context, "context");
        Intrinsics.checkNotNullParameter(connectionPool, "connectionPool");
        PolarbearInterceptor.GhostbearTech ghostbearTech = PolarbearInterceptor.GhostbearTech.Standard.INSTANCE;
        if (certificateSet.getPinCount(hostname) < 2) {
            throw new IllegalArgumentException("Certificate set must contain hostname (or a superseding wildcard if hostname is of form x.y.z) and at least one backup pin.".toString());
        }
        OkHttpClient.Builder builder = new OkHttpClient.Builder();
        FS.okhttp_addInterceptors(builder);
        PolarOkHttpClient polarOkHttpClient = INSTANCE;
        OkHttpClient.Builder connectionPool2 = builder.certificatePinner(polarOkHttpClient.a(certificateSet.getCertificateSet())).hostnameVerifier(new PolarHostnameVerifier(OkHostnameVerifier.INSTANCE, certificateSet.getCertificateSet().keySet())).followRedirects(false).followSslRedirects(false).retryOnConnectionFailure(true).connectionPool(connectionPool);
        TimeUnit timeUnit = TimeUnit.SECONDS;
        OkHttpClient.Builder pingInterval = connectionPool2.connectTimeout(30L, timeUnit).readTimeout(30L, timeUnit).writeTimeout(30L, timeUnit).pingInterval(1L, timeUnit);
        if (ech) {
            ghostbearTech = PolarbearInterceptor.GhostbearTech.ECH.INSTANCE;
            X509TrustManager c6 = polarOkHttpClient.c();
            SSLContext sSLContext = SSLContext.getInstance("TLSv1.3");
            sSLContext.init(null, new TrustManager[]{c6}, null);
            SSLSocketFactory socketFactory = sSLContext.getSocketFactory();
            Intrinsics.checkNotNullExpressionValue(socketFactory, "sslContext.socketFactory");
            pingInterval.sslSocketFactory(new EchSocketFactory(socketFactory), c6);
        }
        if (ssocks != null) {
            ghostbearTech = new PolarbearInterceptor.GhostbearTech.Socks(ssocks);
            pingInterval.proxy(ssocks.getProxy());
        }
        String d6 = polarOkHttpClient.d(hostname);
        if (d6 != null && d6.length() != 0) {
            ghostbearTech = new PolarbearInterceptor.GhostbearTech.AWS(d6);
        }
        if (quic) {
            ghostbearTech = PolarbearInterceptor.GhostbearTech.QUIC.INSTANCE;
        }
        if (certificateInputStream != null) {
            try {
                CertificateTrustChecker certificateTrustChecker = CertificateTrustChecker.INSTANCE;
                X509TrustManager buildCertificateCheckingTrustManager = certificateTrustChecker.buildCertificateCheckingTrustManager(certificateInputStream);
                pingInterval.sslSocketFactory(certificateTrustChecker.getSSLSocketFactory(context, buildCertificateCheckingTrustManager), buildCertificateCheckingTrustManager);
            } catch (GeneralSecurityException e6) {
                throw new RuntimeException(e6);
            }
        }
        pingInterval.addInterceptor(new PolarbearInterceptor(ghostbearTech, holder, context));
        if (enableOkHttpRequestLogging) {
            HttpLoggingInterceptor httpLoggingInterceptor = new HttpLoggingInterceptor(null, 1, null);
            httpLoggingInterceptor.level(HttpLoggingInterceptor.Level.HEADERS);
            pingInterval.addInterceptor(httpLoggingInterceptor);
        }
        if (quic) {
            Object build = CronetInterceptor.newBuilder(polarOkHttpClient.b(context, hostname)).build();
            Intrinsics.checkNotNullExpressionValue(build, "newBuilder(buildCronetEn…ntext, hostname)).build()");
            pingInterval.addInterceptor((Interceptor) build);
        }
        return pingInterval;
    }

    private final X509TrustManager c() throws NoSuchAlgorithmException, KeyStoreException {
        Security.insertProviderAt(Conscrypt.newProvider(), 1);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        TrustManager trustManager = trustManagers[0];
        if (trustManager instanceof X509TrustManager) {
            Intrinsics.checkNotNull(trustManager, "null cannot be cast to non-null type javax.net.ssl.X509TrustManager");
            return (X509TrustManager) trustManager;
        }
        throw new IllegalStateException(("Unexpected trust managers:" + Arrays.toString(trustManagers)).toString());
    }

    private final String d(String url) {
        Matcher matcher = Pattern.compile("([A-Za-z0-9]+)\\.execute-api\\..*\\.amazonaws\\.com", 2).matcher(url);
        return matcher.matches() ? matcher.group(1) : "";
    }
}
