package com.amazon.devicesetupservice.deviceauth;

import amazon.DeviceMaster.service.AuthMaterialAssociationSource;
import com.amazon.coral.service.InternalFailure;
import com.amazon.coral.validate.ValidationException;
import com.amazon.devicesetupservice.DeviceSetupServiceException;
import com.amazon.devicesetupservice.deviceauth.model.DAKCertificateBundle;
import com.amazon.devicesetupservice.dpds.DeviceProductDefinitionServiceFacade;
import com.amazon.devicesetupservice.exceptions.InvalidProductException;
import com.amazon.devicesetupservice.reporting.ProvisioningMethod;
import com.amazon.devicesetupservice.whispernet.WhispernetKeyServiceFacade;
import com.amazon.ffn.crypto.CryptoUtils;
import com.amazon.ffn.crypto.DakTypeEnum;
import com.amazon.ffn.crypto.x509.X509CertificateUtils;
import com.amazon.metrics.declarative.metrics.Applies;
import com.amazon.metrics.declarative.metrics.MetricLine;
import com.amazon.metrics.declarative.servicemetrics.Availability;
import com.amazon.metrics.declarative.servicemetrics.Latency;
import com.amazon.metrics.declarative.servicemetrics.ServiceMetric;
import com.amazon.metrics.declarative.servicemetrics.Timeout;
import com.google.common.collect.ImmutableMap;
import java.beans.ConstructorProperties;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import javax.inject.Inject;
import kotlinx.serialization.json.internal.AbstractJsonLexerKt;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: classes.dex */
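/**
 * {@link DeviceHardwareAuthenticator} that validates a device's DHA certificate against the DAK
 * certificate chains configured for its device type.
 *
 * <p>The validation in {@link #isDeviceDHAMaterialValid} runs in a fixed order: device type,
 * auth material index, authority key identifier, DAK lookup, chain validation, and finally the
 * flow-dependent ZTS checks. Every path that returns {@code true} has passed chain validation.
 *
 * <p>NOTE(review): this listing is decompiler output. Parameter names such as {@code str} and
 * {@code optional} are decompiler-assigned; their meaning is documented per method from how the
 * code uses them.
 */
public class DHAv2DeviceAuthenticatorImpl implements DeviceHardwareAuthenticator {
    private static final Logger logger = LogManager.getLogger();

    /**
     * Allow-list of supported provisioning flows, mapped to whether the additional ZTS checks
     * must run for that flow. A flow that is not listed here is rejected with
     * {@link InternalFailure} by {@link #shouldDoAdditionalZTSChecks}.
     *
     * <p>Every entry mapped to {@code TRUE} carries a present source, which is what makes the
     * {@code optional.get()} in {@link #isDeviceDHAMaterialValid} safe; keep that invariant when
     * adding entries.
     */
    private static final Map<ProvisioningFlow, Boolean> provisioningFlowToZtsMap =
            ImmutableMap.<ProvisioningFlow, Boolean>builder()
                    .put(new ProvisioningFlow(ProvisioningMethod.MANUAL, Optional.empty()), Boolean.FALSE)
                    .put(new ProvisioningFlow(ProvisioningMethod.MANUAL, Optional.of(AuthMaterialAssociationSource.Inner2DBarcode)), Boolean.FALSE)
                    .put(new ProvisioningFlow(ProvisioningMethod.WIFI_FFS, Optional.of(AuthMaterialAssociationSource.Inner2DBarcode)), Boolean.FALSE)
                    .put(new ProvisioningFlow(ProvisioningMethod.WIFI_FFS, Optional.of(AuthMaterialAssociationSource.LightTouchSetupAssociation)), Boolean.FALSE)
                    .put(new ProvisioningFlow(ProvisioningMethod.FFS, Optional.of(AuthMaterialAssociationSource.Outer1DBarcode)), Boolean.TRUE)
                    .put(new ProvisioningFlow(ProvisioningMethod.WIFI_FFS, Optional.of(AuthMaterialAssociationSource.Outer1DBarcode)), Boolean.TRUE)
                    .put(new ProvisioningFlow(ProvisioningMethod.FFS, Optional.of(AuthMaterialAssociationSource.Outer2DBarcode)), Boolean.TRUE)
                    .put(new ProvisioningFlow(ProvisioningMethod.WIFI_FFS, Optional.of(AuthMaterialAssociationSource.Outer2DBarcode)), Boolean.TRUE)
                    .build();

    private final CryptoUtils cryptoUtils;
    private final WhispernetKeyServiceFacade keyServiceFacade;
    private final DeviceProductDefinitionServiceFacade pdsFacade;

    /**
     * Lookup key for {@link #provisioningFlowToZtsMap}: a provisioning method paired with an
     * optional auth-material association source.
     *
     * <p>Instances are used as hash-map keys, so both fields are {@code final}. The
     * {@code equals}/{@code canEqual}/{@code hashCode} shape appears to be Lombok-generated.
     *
     * <p>NOTE(review): the decompiler reports that this class was originally {@code private};
     * the visibility shown in the listing is kept.
     */
    public static class ProvisioningFlow {
        private final Optional<AuthMaterialAssociationSource> optionalSource;
        private final String provisioningMethod;

        /**
         * @param str the provisioning method
         * @param optional the auth-material association source, possibly empty
         */
        @ConstructorProperties({"provisioningMethod", "optionalSource"})
        public ProvisioningFlow(String str, Optional<AuthMaterialAssociationSource> optional) {
            this.provisioningMethod = str;
            this.optionalSource = optional;
        }

        /** Subclass hook used by {@link #equals} to keep equality symmetric. */
        protected boolean canEqual(Object obj) {
            return obj instanceof ProvisioningFlow;
        }

        /** Two flows are equal when both the method and the optional source are equal. */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof ProvisioningFlow)) {
                return false;
            }
            ProvisioningFlow other = (ProvisioningFlow) obj;
            if (!other.canEqual(this)) {
                return false;
            }
            String thisMethod = getProvisioningMethod();
            String otherMethod = other.getProvisioningMethod();
            boolean sameMethod = thisMethod == null ? otherMethod == null : thisMethod.equals(otherMethod);
            if (!sameMethod) {
                return false;
            }
            Optional<AuthMaterialAssociationSource> thisSource = getOptionalSource();
            Optional<AuthMaterialAssociationSource> otherSource = other.getOptionalSource();
            return thisSource == null ? otherSource == null : thisSource.equals(otherSource);
        }

        public Optional<AuthMaterialAssociationSource> getOptionalSource() {
            return this.optionalSource;
        }

        public String getProvisioningMethod() {
            return this.provisioningMethod;
        }

        /** Hash over both fields; a {@code null} field contributes 43. */
        @Override
        public int hashCode() {
            String method = getProvisioningMethod();
            Optional<AuthMaterialAssociationSource> source = getOptionalSource();
            int result = 1;
            result = (result * 59) + (method == null ? 43 : method.hashCode());
            result = (result * 59) + (source == null ? 43 : source.hashCode());
            return result;
        }
    }

    @Inject
    public DHAv2DeviceAuthenticatorImpl(WhispernetKeyServiceFacade whispernetKeyServiceFacade, DeviceProductDefinitionServiceFacade deviceProductDefinitionServiceFacade, CryptoUtils cryptoUtils) {
        this.keyServiceFacade = whispernetKeyServiceFacade;
        this.pdsFacade = deviceProductDefinitionServiceFacade;
        this.cryptoUtils = cryptoUtils;
    }

    /**
     * Applies the additional ZTS restriction based on the DAK type read from the DAK certificate.
     *
     * <p>A DAK whose type is both "production" and "software" is accepted only when the auth
     * material came from {@code Outer1DBarcode}. Every other DAK type passes.
     *
     * @param productId product identifier, used for logging only
     * @param authMaterialIndex auth material index, used for logging only
     * @param dakBundle the DAK bundle already matched to the device certificate
     * @param source where the auth material association came from
     * @return {@code false} when the restriction is violated or the DAK certificate cannot be
     *     encoded; {@code true} otherwise
     */
    private boolean performZtsChecks(String productId, String authMaterialIndex, DAKCertificateBundle dakBundle, AuthMaterialAssociationSource source) {
        try {
            // The DAK type is taken from a subject attribute of the DAK certificate (an entry
            // returned by the key service), not from the device-supplied leaf certificate.
            DakTypeEnum dakType = DakTypeEnum.fromOptionalString(
                    this.cryptoUtils.getCertificateFirstSubjectValue(dakBundle.getDakCertificate(), "1.3.6.1.4.1.4843.1.5"));
            logger.info("Product ID:{}, AuthMaterialIndex:{}, DAK type:{}, AuthMaterialAssociationSource:{}", productId, authMaterialIndex, dakType, source);
            // NOTE(review): dakType is dereferenced without a null check. If fromOptionalString
            // can return null for an absent attribute, the resulting NullPointerException reaches
            // the caller's RuntimeException handler and the request is rejected — confirm.
            if (dakType.isProductionType() && dakType.isSoftwareType()) {
                return source.equals(AuthMaterialAssociationSource.Outer1DBarcode);
            }
            // NOTE(review): default-allow for every other DAK type, including any type this code
            // does not recognise — confirm that is the intended policy.
            return true;
        } catch (CertificateEncodingException e) {
            logger.error("DHA certificate encoding problem. Product ID {}. AuthMaterialIndex:{}, exception:{}", productId, authMaterialIndex, e);
            return false;
        }
    }

    /**
     * Looks up whether the given provisioning flow requires the additional ZTS checks.
     *
     * @param provisioningMethod the provisioning method
     * @param source the optional auth-material association source
     * @return the flag configured for the flow in {@link #provisioningFlowToZtsMap}
     * @throws InternalFailure if the flow is not in the allow-list
     */
    private static boolean shouldDoAdditionalZTSChecks(String provisioningMethod, Optional<AuthMaterialAssociationSource> source) {
        Boolean ztsRequired = provisioningFlowToZtsMap.get(new ProvisioningFlow(provisioningMethod, source));
        if (ztsRequired == null) {
            // AbstractJsonLexerKt.NULL is a decompiler-substituted constant; presumably the
            // original source used the literal "null" — confirm before replacing it.
            throw new InternalFailure("Unsupported provisioning flow. ProvisioningMethod: " + provisioningMethod
                    + ", AuthMaterialAssociationSource: "
                    + source.map(AuthMaterialAssociationSource::getValue).orElse(AbstractJsonLexerKt.NULL));
        }
        return ztsRequired.booleanValue();
    }

    /**
     * Decides whether the supplied DHA material is a certificate that belongs to the given
     * product and chains to a DAK configured for its device type.
     *
     * <p>Checks, in order:
     * <ol>
     *   <li>the material parses as an X.509 certificate;</li>
     *   <li>the device type in the certificate equals the one {@code pdsFacade} returns for the
     *       product;</li>
     *   <li>the auth material index derived from the certificate's public key equals the one
     *       supplied;</li>
     *   <li>the certificate carries a non-blank authority key identifier (AKI);</li>
     *   <li>a DAK whose subject key identifier equals that AKI exists for the device type;</li>
     *   <li>the certificate validates against that DAK's chain;</li>
     *   <li>for flows flagged in {@link #provisioningFlowToZtsMap}, the ZTS checks pass.</li>
     * </ol>
     *
     * <p>Steps 2 to 5 read fields of a certificate that has not been verified yet. They only
     * narrow down the candidate; trust is established by the chain validation in step 6.
     *
     * @param str product index, used to look up the expected device type
     * @param str2 auth material index claimed for the device
     * @param str3 the DHA material, expected to be a PEM-encoded X.509 certificate
     * @param str4 provisioning method
     * @param optional auth-material association source, possibly empty
     * @return {@code true} only when every check passes; {@code false} when a check fails
     * @throws InvalidProductException declared by the interface; not thrown directly in this
     *     body, presumably raised by the product lookup — confirm
     * @throws ValidationException when any {@link RuntimeException} occurs during validation
     */
    @Override // com.amazon.devicesetupservice.deviceauth.DeviceHardwareAuthenticator
    @Latency
    @MetricLine(applies = Applies.ALWAYS, name = "isDeviceDHACertificateValid", value = 1.0d)
    @ServiceMetric(operation = "isDeviceDHACertificateValid", serviceName = "DHAv2DeviceAuthenticatorImpl")
    @Availability
    @Timeout
    public boolean isDeviceDHAMaterialValid(String str, String str2, String str3, String str4, Optional<AuthMaterialAssociationSource> optional) throws InvalidProductException {
        logger.debug("DHAv2DeviceAuthenticatorImpl.isDeviceDHAMaterialValid call. productIndex:{}, authMaterialIndex:{}, provisioningMethod:{}, authMaterialSource:{}",
                str, str2, str4, optional.map(AuthMaterialAssociationSource::getValue).orElse(AbstractJsonLexerKt.NULL));
        try {
            X509Certificate deviceCert = this.cryptoUtils.getX509CertificateFromPemString(str3);

            // The expected device type comes from the product definition service; the claimed
            // one comes from the certificate the device supplied.
            String expectedDeviceType = this.pdsFacade.getDeviceType(str);
            String certDeviceType = X509CertificateUtils.getDevicetypeFromCert(deviceCert);
            if (!expectedDeviceType.equals(certDeviceType)) {
                logger.error("Device type mismatch. Expected:{}, actual:{}", expectedDeviceType, certDeviceType);
                return false;
            }

            // Binds the supplied index to this certificate's public key.
            String derivedIndex = this.cryptoUtils.generateAuthMaterialIndex(deviceCert.getPublicKey().getEncoded());
            if (!str2.equals(derivedIndex)) {
                logger.error("Authmaterial index mismatch. Expected:{}, actual:{}", str2, derivedIndex);
                return false;
            }

            String aki = X509CertificateUtils.getAuthorityKeyIdentifierFromCertificate(deviceCert);
            if (StringUtils.isBlank(aki)) {
                logger.error("Probable self-signed certificate. Missing DAK information.");
                return false;
            }

            List<DAKCertificateBundle> candidates = this.keyServiceFacade.listDAKsForDeviceType(certDeviceType);
            if (CollectionUtils.isEmpty(candidates)) {
                logger.error("No PEM DAKs found for device type:{}", certDeviceType);
                throw new DeviceSetupServiceException("No configured PEM DAKs for devicetype:" + certDeviceType);
            }

            // AKI/SKI equality only selects which configured DAK to validate against. The AKI is
            // attacker-chosen text until the chain check below succeeds.
            DAKCertificateBundle issuingDak = null;
            for (DAKCertificateBundle candidate : candidates) {
                if (aki.equals(candidate.getSubjectKeyIdentifier())) {
                    logger.info("Found the DAK for the leafcert with AKI:{}", aki);
                    issuingDak = candidate;
                    break;
                }
            }
            if (issuingDak == null) {
                logger.error("DAK not found for AKI:{}", aki);
                return false;
            }

            // This is the trust decision. NOTE(review): what the helper verifies beyond the
            // chain itself (validity window, revocation, key usage) is not visible here — confirm.
            if (!this.cryptoUtils.isX509CertificateValidForTheChain(deviceCert, issuingDak.getChainTillDAK())) {
                logger.error("DHA certificate is not valid for the chain. Product ID:{}. AuthMaterialIndex:{}", str, str2);
                return false;
            }

            if (shouldDoAdditionalZTSChecks(str4, optional)) {
                // Safe: every flow mapped to TRUE in provisioningFlowToZtsMap has a present source.
                return performZtsChecks(str, str2, issuingDak, optional.get());
            }
            return true;
        } catch (RuntimeException e) {
            // NOTE(review): this handler covers the whole validation body, not only PEM parsing.
            // The DeviceSetupServiceException thrown above for a missing DAK configuration and the
            // InternalFailure from shouldDoAdditionalZTSChecks are thrown undeclared, so they
            // appear to be unchecked and would land here too, surfacing as a client
            // ValidationException with an "Unparsable DHA material" log line. The outcome is
            // still a rejection (fail closed), but server-side misconfiguration becomes hard to
            // tell apart from bad input — confirm this is intended.
            //
            // The caller-supplied material is logged verbatim. It is untrusted input, so anything
            // consuming this log field should treat it as attacker-controlled text.
            logger.error("Unparsable DHA material:{}", str3);
            logger.error("Cannot parse given dha material into a X.509 certificate.", e);
            throw new ValidationException("DHA Material is not valid");
        }
    }
}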
