package com.android.identity.credential;

import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.ArrayBuilder;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.UnicodeString;
import com.android.identity.credential.Credential;
import com.android.identity.credential.NameSpacedData;
import com.android.identity.internal.Util;
import com.android.identity.securearea.SecureArea;
import com.android.identity.securearea.SecureAreaRepository;
import com.android.identity.storage.StorageEngine;
import com.android.identity.util.ApplicationData;
import com.android.identity.util.Logger;
import com.android.identity.util.SimpleApplicationData;
import com.android.identity.util.Timestamp;
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes3.dex */
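/**
 * A credential record: one credential key, name-spaced data, application data, and lists of
 * pending and certified authentication keys.
 *
 * <p>The record is persisted as a single CBOR map in the {@link StorageEngine} under
 * {@code CREDENTIAL_PREFIX + name}. This class keeps only key <em>aliases</em> and the class name
 * of the owning {@link SecureArea}; key creation, deletion and attestation are delegated to the
 * secure area resolved through the {@link SecureAreaRepository}.
 *
 * <p>Mutating operations re-serialize the whole record through {@link #saveCredential()}. The class
 * contains no synchronization of its own.
 *
 * <p>This listing is decompiler output. References to compiler-generated lambda classes and
 * {@code Outer.this} expressions inside static factories (which cannot compile) have been restored
 * to the lambdas they were generated from; the behaviour is unchanged.
 */
public class Credential {
    static final String AUTHENTICATION_KEY_ALIAS_PREFIX = "IC_AuthenticationKey_";
    static final String CREDENTIAL_KEY_ALIAS_PREFIX = "IC_CredentialKey_";
    static final String CREDENTIAL_PREFIX = "IC_Credential_";
    private static final String TAG = "Credential";
    // Monotonic suffix for authentication-key aliases; persisted with the record.
    private long mAuthenticationKeyCounter;
    private String mCredentialKeyAlias;
    private String mName;
    private SecureArea mSecureArea;
    private final SecureAreaRepository mSecureAreaRepository;
    private final StorageEngine mStorageEngine;
    private NameSpacedData mNameSpacedData = new NameSpacedData.Builder().build();
    // Any change to the application data triggers a save of the whole credential.
    private SimpleApplicationData mApplicationData = new SimpleApplicationData(this::saveCredential);
    private List<PendingAuthenticationKey> mPendingAuthenticationKeys = new ArrayList<>();
    private List<AuthenticationKey> mAuthenticationKeys = new ArrayList<>();

    /**
     * A certified authentication key: a key alias in a secure area together with the
     * issuer-provided data, a validity window and a usage counter.
     */
    public static class AuthenticationKey {
        private String mAlias;
        private SimpleApplicationData mApplicationData;
        private Credential mCredential;
        private byte[] mData;
        private String mReplacementAlias;
        private String mSecureAreaName;
        private int mUsageCount;
        private Timestamp mValidFrom;
        private Timestamp mValidUntil;

        /**
         * Builds a certified key from a pending key, reusing its alias, secure area name and
         * application data.
         *
         * <p>The validity window is stored as given; this method does not check that
         * {@code timestamp} is earlier than {@code timestamp2}.
         *
         * @param pendingAuthenticationKey the pending key being certified
         * @param bArr issuer-provided data; stored by reference, not copied
         * @param timestamp start of the validity window
         * @param timestamp2 end of the validity window
         * @param credential the owning credential
         * @return the new key, with a usage count of zero and no replacement set
         */
        static AuthenticationKey create(PendingAuthenticationKey pendingAuthenticationKey, byte[] bArr, Timestamp timestamp, Timestamp timestamp2, Credential credential) {
            AuthenticationKey key = new AuthenticationKey();
            key.mAlias = pendingAuthenticationKey.mAlias;
            key.mData = bArr;
            key.mValidFrom = timestamp;
            key.mValidUntil = timestamp2;
            key.mCredential = credential;
            key.mSecureAreaName = pendingAuthenticationKey.mSecureAreaName;
            key.mApplicationData = pendingAuthenticationKey.mApplicationData;
            return key;
        }

        /**
         * Restores a certified key from its stored CBOR map.
         *
         * @param dataItem the CBOR map written by {@link #toCbor()}
         * @param credential the owning credential
         * @return the decoded key
         * @throws IllegalStateException if {@code usageCount} does not fit in an {@code int}, or
         *     {@code applicationData} is missing or is not a byte string
         */
        static AuthenticationKey fromCbor(DataItem dataItem, Credential credential) {
            AuthenticationKey key = new AuthenticationKey();
            key.mAlias = Util.cborMapExtractString(dataItem, "alias");
            key.mSecureAreaName = Util.cborMapExtractString(dataItem, "secureAreaName");
            // The counter feeds key selection in findAuthenticationKey(); reject a stored value
            // that would silently wrap when narrowed to int instead of accepting a wrong count.
            long storedUsageCount = Util.cborMapExtractNumber(dataItem, "usageCount");
            if ((int) storedUsageCount != storedUsageCount) {
                throw new IllegalStateException("usageCount out of range: " + storedUsageCount);
            }
            key.mUsageCount = (int) storedUsageCount;
            key.mData = Util.cborMapExtractByteString(dataItem, "data");
            key.mValidFrom = Timestamp.ofEpochMilli(Util.cborMapExtractNumber(dataItem, "validFrom"));
            key.mValidUntil = Timestamp.ofEpochMilli(Util.cborMapExtractNumber(dataItem, "validUntil"));
            if (Util.cborMapHasKey(dataItem, "replacementAlias")) {
                key.mReplacementAlias = Util.cborMapExtractString(dataItem, "replacementAlias");
            }
            DataItem encodedApplicationData = Util.cborMapExtract(dataItem, "applicationData");
            if (!(encodedApplicationData instanceof ByteString)) {
                throw new IllegalStateException("applicationData not found or not byte[]");
            }
            key.mCredential = credential;
            // Changes to this key's application data persist the whole credential.
            key.mApplicationData = SimpleApplicationData.decodeFromCbor(
                    ((ByteString) encodedApplicationData).getBytes(),
                    () -> key.mCredential.saveCredential());
            return key;
        }

        /**
         * Deletes the key from its secure area, then removes it from the owning credential.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public void delete() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            // Key material goes first; the credential record is updated (and saved) afterwards.
            secureArea.deleteKey(this.mAlias);
            this.mCredential.removeAuthenticationKey(this);
        }

        /** Returns the alias of this key in its secure area. */
        public String getAlias() {
            return this.mAlias;
        }

        /** Returns the application data attached to this key. */
        public ApplicationData getApplicationData() {
            return this.mApplicationData;
        }

        /**
         * Returns the attestation certificate chain reported by the secure area for this key.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public List<X509Certificate> getAttestation() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            return secureArea.getKeyInfo(this.mAlias).getAttestation();
        }

        /**
         * Returns the issuer-provided data.
         *
         * <p>This is the internal array, not a copy, so a caller that modifies it changes the data
         * that the next save writes to storage.
         */
        public byte[] getIssuerProvidedData() {
            return this.mData;
        }

        /**
         * Returns the pending key intended to replace this key.
         *
         * @return the pending key, or {@code null} if none was set or the recorded alias no longer
         *     matches a pending key (a warning is logged in the latter case)
         */
        public PendingAuthenticationKey getReplacement() {
            if (this.mReplacementAlias == null) {
                return null;
            }
            for (PendingAuthenticationKey pending : this.mCredential.getPendingAuthenticationKeys()) {
                if (pending.getAlias().equals(this.mReplacementAlias)) {
                    return pending;
                }
            }
            Logger.w(Credential.TAG, "Pending key with alias " + this.mReplacementAlias + " which is intended to replace this key does not exist");
            return null;
        }

        /**
         * Returns the secure area that holds this key.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public SecureArea getSecureArea() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            return secureArea;
        }

        /** Returns how many times {@link #increaseUsageCount()} has been called for this key. */
        public int getUsageCount() {
            return this.mUsageCount;
        }

        /** Returns the start of the validity window. */
        public Timestamp getValidFrom() {
            return this.mValidFrom;
        }

        /** Returns the end of the validity window. */
        public Timestamp getValidUntil() {
            return this.mValidUntil;
        }

        /** Increments the usage counter and saves the owning credential. */
        public void increaseUsageCount() {
            this.mUsageCount++;
            this.mCredential.saveCredential();
        }

        /** Records the alias of the pending key that replaces this one and saves the credential. */
        void setReplacementAlias(String str) {
            this.mReplacementAlias = str;
            this.mCredential.saveCredential();
        }

        /** Encodes this key as a CBOR map; {@code replacementAlias} is written only when set. */
        DataItem toCbor() {
            CborBuilder cborBuilder = new CborBuilder();
            MapBuilder<CborBuilder> map = cborBuilder.addMap();
            map.put("alias", this.mAlias)
                    .put("secureAreaName", this.mSecureAreaName)
                    .put("usageCount", this.mUsageCount)
                    .put("data", this.mData)
                    .put("validFrom", this.mValidFrom.toEpochMilli())
                    .put("validUntil", this.mValidUntil.toEpochMilli())
                    .put("applicationData", this.mApplicationData.encodeAsCbor());
            if (this.mReplacementAlias != null) {
                map.put("replacementAlias", this.mReplacementAlias);
            }
            return cborBuilder.build().get(0);
        }
    }

    /**
     * An authentication key that has been created in a secure area but not yet certified with
     * issuer-provided data.
     */
    public static class PendingAuthenticationKey {
        String mAlias;
        private SimpleApplicationData mApplicationData;
        Credential mCredential;
        private String mReplacementForAlias;
        String mSecureAreaName;

        /**
         * Creates the key in the secure area selected by {@code createKeySettings} and returns its
         * pending record.
         *
         * @param str alias for the new key
         * @param createKeySettings settings passed to the secure area; also select the secure area
         * @param authenticationKey the certified key this one will replace, or {@code null}
         * @param credential the owning credential
         * @return the pending key record
         * @throws IllegalArgumentException if the selected secure area is not registered
         */
        static PendingAuthenticationKey create(String str, SecureArea.CreateKeySettings createKeySettings, AuthenticationKey authenticationKey, Credential credential) {
            PendingAuthenticationKey pending = new PendingAuthenticationKey();
            pending.mAlias = str;
            pending.mSecureAreaName = createKeySettings.getSecureAreaClass().getName();
            SecureArea secureArea = credential.mSecureAreaRepository.getImplementation(pending.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + pending.mSecureAreaName);
            }
            secureArea.createKey(str, createKeySettings);
            if (authenticationKey != null) {
                pending.mReplacementForAlias = authenticationKey.getAlias();
            }
            pending.mCredential = credential;
            // Changes to this key's application data persist the whole credential.
            pending.mApplicationData = new SimpleApplicationData(() -> pending.mCredential.saveCredential());
            return pending;
        }

        /**
         * Restores a pending key from its stored CBOR map.
         *
         * @param dataItem the CBOR map written by {@link #toCbor()}
         * @param credential the owning credential
         * @return the decoded pending key
         * @throws IllegalStateException if {@code applicationData} is missing or is not a byte string
         */
        static PendingAuthenticationKey fromCbor(DataItem dataItem, Credential credential) {
            PendingAuthenticationKey pending = new PendingAuthenticationKey();
            pending.mAlias = Util.cborMapExtractString(dataItem, "alias");
            pending.mSecureAreaName = Util.cborMapExtractString(dataItem, "secureAreaName");
            if (Util.cborMapHasKey(dataItem, "replacementForAlias")) {
                pending.mReplacementForAlias = Util.cborMapExtractString(dataItem, "replacementForAlias");
            }
            DataItem encodedApplicationData = Util.cborMapExtract(dataItem, "applicationData");
            if (!(encodedApplicationData instanceof ByteString)) {
                throw new IllegalStateException("applicationData not found or not byte[]");
            }
            pending.mCredential = credential;
            pending.mApplicationData = SimpleApplicationData.decodeFromCbor(
                    ((ByteString) encodedApplicationData).getBytes(),
                    () -> pending.mCredential.saveCredential());
            return pending;
        }

        /**
         * Certifies this key with issuer-provided data and a validity window.
         *
         * @param bArr issuer-provided data
         * @param timestamp start of the validity window
         * @param timestamp2 end of the validity window
         * @return the certified key that replaces this pending key in the credential
         */
        public AuthenticationKey certify(byte[] bArr, Timestamp timestamp, Timestamp timestamp2) {
            return this.mCredential.certifyPendingAuthenticationKey(this, bArr, timestamp, timestamp2);
        }

        /**
         * Deletes the key from its secure area, then removes it from the owning credential.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public void delete() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            secureArea.deleteKey(this.mAlias);
            this.mCredential.removePendingAuthenticationKey(this);
        }

        /** Returns the alias of this key in its secure area. */
        public String getAlias() {
            return this.mAlias;
        }

        /** Returns the application data attached to this key. */
        public ApplicationData getApplicationData() {
            return this.mApplicationData;
        }

        /**
         * Returns the attestation certificate chain reported by the secure area for this key.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public List<X509Certificate> getAttestation() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            return secureArea.getKeyInfo(this.mAlias).getAttestation();
        }

        /**
         * Returns the certified key this pending key is meant to replace.
         *
         * @return the key, or {@code null} if none was set or the recorded alias no longer matches
         *     a certified key (a warning is logged in the latter case)
         */
        public AuthenticationKey getReplacementFor() {
            if (this.mReplacementForAlias == null) {
                return null;
            }
            for (AuthenticationKey certified : this.mCredential.getAuthenticationKeys()) {
                if (certified.getAlias().equals(this.mReplacementForAlias)) {
                    return certified;
                }
            }
            Logger.w(Credential.TAG, "Key with alias " + this.mReplacementForAlias + " which is intended to be replaced does not exist");
            return null;
        }

        /**
         * Returns the secure area that holds this key.
         *
         * @throws IllegalArgumentException if the secure area named by this key is not registered
         */
        public SecureArea getSecureArea() {
            SecureArea secureArea = this.mCredential.mSecureAreaRepository.getImplementation(this.mSecureAreaName);
            if (secureArea == null) {
                throw new IllegalArgumentException("Unknown engine " + this.mSecureAreaName);
            }
            return secureArea;
        }

        /** Encodes this key as a CBOR map; {@code replacementForAlias} is written only when set. */
        DataItem toCbor() {
            CborBuilder cborBuilder = new CborBuilder();
            MapBuilder<CborBuilder> map = cborBuilder.addMap();
            map.put("alias", this.mAlias).put("secureAreaName", this.mSecureAreaName);
            if (this.mReplacementForAlias != null) {
                map.put("replacementForAlias", this.mReplacementForAlias);
            }
            map.put("applicationData", this.mApplicationData.encodeAsCbor());
            return cborBuilder.build().get(0);
        }
    }

    private Credential(StorageEngine storageEngine, SecureAreaRepository secureAreaRepository) {
        this.mStorageEngine = storageEngine;
        this.mSecureAreaRepository = secureAreaRepository;
    }

    /**
     * Creates a credential, creates its credential key in the selected secure area, and saves it.
     *
     * @param storageEngine where the credential record is persisted
     * @param secureAreaRepository used to resolve secure areas by class name
     * @param str the credential name; also used to derive the storage key and the key alias
     * @param createKeySettings settings for the credential key; also select the secure area
     * @return the new, persisted credential
     * @throws IllegalStateException if the selected secure area is not registered
     */
    public static Credential create(StorageEngine storageEngine, SecureAreaRepository secureAreaRepository, String str, SecureArea.CreateKeySettings createKeySettings) {
        Credential credential = new Credential(storageEngine, secureAreaRepository);
        credential.mName = str;
        String secureAreaName = createKeySettings.getSecureAreaClass().getName();
        credential.mSecureArea = secureAreaRepository.getImplementation(secureAreaName);
        if (credential.mSecureArea == null) {
            throw new IllegalStateException("No SecureArea with name " + secureAreaName);
        }
        credential.mCredentialKeyAlias = CREDENTIAL_KEY_ALIAS_PREFIX + str;
        credential.mSecureArea.createKey(credential.mCredentialKeyAlias, createKeySettings);
        credential.saveCredential();
        return credential;
    }

    /**
     * Creates a credential whose credential key uses a caller-supplied alias.
     *
     * <p>Only accepted when the settings select {@code AndroidKeystoreSecureArea}. Unlike
     * {@link #create}, this method does not call {@link #saveCredential()}, so nothing is written
     * to storage until a later mutation saves the record. It still calls {@code createKey} with the
     * supplied alias; how the secure area treats an alias that already exists is not visible here.
     *
     * @param storageEngine where the credential record is persisted
     * @param secureAreaRepository used to resolve secure areas by class name
     * @param str the credential name
     * @param createKeySettings settings for the credential key; also select the secure area
     * @param str2 alias to use for the credential key
     * @return the new credential (not yet persisted)
     * @throws IllegalStateException if the settings select another secure area, or the secure area
     *     is not registered
     */
    public static Credential createWithExistingKey(StorageEngine storageEngine, SecureAreaRepository secureAreaRepository, String str, SecureArea.CreateKeySettings createKeySettings, String str2) {
        Credential credential = new Credential(storageEngine, secureAreaRepository);
        credential.mName = str;
        String secureAreaName = createKeySettings.getSecureAreaClass().getName();
        if (!secureAreaName.equals("com.android.identity.android.securearea.AndroidKeystoreSecureArea")) {
            throw new IllegalStateException("The function must only be called for credentials in AndroidKeystoreSecureArea, not " + secureAreaName);
        }
        SecureArea secureArea = secureAreaRepository.getImplementation(secureAreaName);
        credential.mSecureArea = secureArea;
        if (secureArea == null) {
            throw new IllegalStateException("No KeystoreEngine with name " + secureAreaName);
        }
        credential.mCredentialKeyAlias = str2;
        secureArea.createKey(str2, createKeySettings);
        return credential;
    }

    /**
     * Loads this credential's record from storage and replaces the in-memory state with it.
     *
     * @param secureAreaRepository used to resolve the stored secure area class name
     * @return {@code false} if storage has no record for this name, {@code true} otherwise
     * @throws IllegalStateException if the stored bytes are not a single CBOR map with the
     *     expected entries
     */
    private boolean loadCredential(SecureAreaRepository secureAreaRepository) {
        byte[] encoded = this.mStorageEngine.get(CREDENTIAL_PREFIX + this.mName);
        if (encoded == null) {
            return false;
        }
        try {
            List<DataItem> items = new CborDecoder(new ByteArrayInputStream(encoded)).decode();
            if (items.size() != 1) {
                throw new IllegalStateException("Expected 1 item, found " + items.size());
            }
            if (!(items.get(0) instanceof Map)) {
                throw new IllegalStateException("Item is not a map");
            }
            Map map = (Map) items.get(0);
            // NOTE(review): unlike create(), the lookup result is not null-checked here. If the
            // stored class name is not registered, mSecureArea stays null and saveCredential(),
            // getAttestation() and deleteCredential() will fail later with a NullPointerException.
            this.mSecureArea = secureAreaRepository.getImplementation(Util.cborMapExtractString(map, "secureAreaClassName"));
            this.mCredentialKeyAlias = Util.cborMapExtractString(map, "credentialKeyAlias");
            DataItem nameSpacedData = map.get(new UnicodeString("nameSpacedData"));
            if (nameSpacedData == null) {
                throw new IllegalStateException("nameSpacedData not found");
            }
            this.mNameSpacedData = NameSpacedData.fromCbor(nameSpacedData);
            DataItem applicationData = map.get(new UnicodeString("applicationData"));
            if (!(applicationData instanceof ByteString)) {
                throw new IllegalStateException("applicationData not found or not byte[]");
            }
            this.mApplicationData = SimpleApplicationData.decodeFromCbor(((ByteString) applicationData).getBytes(), this::saveCredential);
            this.mPendingAuthenticationKeys = new ArrayList<>();
            DataItem pendingKeys = map.get(new UnicodeString("pendingAuthenticationKeys"));
            if (!(pendingKeys instanceof Array)) {
                throw new IllegalStateException("pendingAuthenticationKeys not found or not array");
            }
            for (DataItem item : ((Array) pendingKeys).getDataItems()) {
                this.mPendingAuthenticationKeys.add(PendingAuthenticationKey.fromCbor(item, this));
            }
            this.mAuthenticationKeys = new ArrayList<>();
            DataItem certifiedKeys = map.get(new UnicodeString("authenticationKeys"));
            if (!(certifiedKeys instanceof Array)) {
                throw new IllegalStateException("authenticationKeys not found or not array");
            }
            for (DataItem item : ((Array) certifiedKeys).getDataItems()) {
                this.mAuthenticationKeys.add(AuthenticationKey.fromCbor(item, this));
            }
            this.mAuthenticationKeyCounter = Util.cborMapExtractNumber(map, "authenticationKeyCounter");
            return true;
        } catch (CborException e) {
            throw new IllegalStateException("Error decoded CBOR", e);
        }
    }

    /**
     * Loads a stored credential by name.
     *
     * @param storageEngine where the credential record is persisted
     * @param secureAreaRepository used to resolve secure areas by class name
     * @param str the credential name
     * @return the credential, or {@code null} if storage has no record for that name
     * @throws IllegalStateException if the stored record cannot be decoded
     */
    public static Credential lookup(StorageEngine storageEngine, SecureAreaRepository secureAreaRepository, String str) {
        Credential credential = new Credential(storageEngine, secureAreaRepository);
        credential.mName = str;
        return credential.loadCredential(secureAreaRepository) ? credential : null;
    }

    /**
     * Serializes the whole credential to CBOR and writes it to storage under
     * {@code CREDENTIAL_PREFIX + name}.
     *
     * <p>The secure area is recorded by the runtime class name of the resolved instance.
     */
    public void saveCredential() {
        CborBuilder cborBuilder = new CborBuilder();
        MapBuilder<CborBuilder> map = cborBuilder.addMap();
        map.put("secureAreaClassName", this.mSecureArea.getClass().getName());
        map.put("credentialKeyAlias", this.mCredentialKeyAlias);
        map.put(new UnicodeString("nameSpacedData"), this.mNameSpacedData.toCbor());
        map.put("applicationData", this.mApplicationData.encodeAsCbor());
        ArrayBuilder<MapBuilder<CborBuilder>> pendingKeys = map.putArray("pendingAuthenticationKeys");
        for (PendingAuthenticationKey pending : this.mPendingAuthenticationKeys) {
            pendingKeys.add(pending.toCbor());
        }
        ArrayBuilder<MapBuilder<CborBuilder>> certifiedKeys = map.putArray("authenticationKeys");
        for (AuthenticationKey certified : this.mAuthenticationKeys) {
            certifiedKeys.add(certified.toCbor());
        }
        map.put("authenticationKeyCounter", this.mAuthenticationKeyCounter);
        this.mStorageEngine.put(CREDENTIAL_PREFIX + this.mName, Util.cborEncode(cborBuilder.build().get(0)));
    }

    /**
     * Moves a pending key to the certified list and deletes the key it replaces, if any.
     *
     * @param pendingAuthenticationKey the pending key; must currently be in the pending list
     * @param bArr issuer-provided data
     * @param timestamp start of the validity window
     * @param timestamp2 end of the validity window
     * @return the certified key
     * @throws IllegalStateException if the pending key is not in the pending list
     */
    AuthenticationKey certifyPendingAuthenticationKey(PendingAuthenticationKey pendingAuthenticationKey, byte[] bArr, Timestamp timestamp, Timestamp timestamp2) {
        if (!this.mPendingAuthenticationKeys.remove(pendingAuthenticationKey)) {
            throw new IllegalStateException("Error removing pending authentication key");
        }
        AuthenticationKey certified = AuthenticationKey.create(pendingAuthenticationKey, bArr, timestamp, timestamp2, this);
        this.mAuthenticationKeys.add(certified);
        // The replaced key is deleted from its secure area only once its successor is certified.
        AuthenticationKey replaced = pendingAuthenticationKey.getReplacementFor();
        if (replaced != null) {
            replaced.delete();
        }
        saveCredential();
        return certified;
    }

    /**
     * Creates a new pending authentication key, optionally marked as the replacement for an
     * existing certified key.
     *
     * @param createKeySettings settings for the new key; also select the secure area
     * @param authenticationKey the key to be replaced, or {@code null}
     * @return the pending key
     * @throws IllegalStateException if {@code authenticationKey} already has a pending replacement
     */
    public PendingAuthenticationKey createPendingAuthenticationKey(SecureArea.CreateKeySettings createKeySettings, AuthenticationKey authenticationKey) {
        if (authenticationKey != null && authenticationKey.getReplacement() != null) {
            throw new IllegalStateException("The given key already has an existing pending key intending to replace it");
        }
        // The counter is consumed before the key is created, so an alias is never handed out twice
        // by this instance.
        String alias = AUTHENTICATION_KEY_ALIAS_PREFIX + this.mName + "_authKey_" + this.mAuthenticationKeyCounter++;
        PendingAuthenticationKey pending = PendingAuthenticationKey.create(alias, createKeySettings, authenticationKey, this);
        this.mPendingAuthenticationKeys.add(pending);
        if (authenticationKey != null) {
            authenticationKey.setReplacementAlias(pending.getAlias());
        }
        saveCredential();
        return pending;
    }

    /**
     * Deletes every pending and certified authentication key, then the credential key, then the
     * stored record.
     */
    public void deleteCredential() {
        // Iterate over copies: each delete() removes the key from the underlying list.
        for (PendingAuthenticationKey pending : new ArrayList<>(this.mPendingAuthenticationKeys)) {
            pending.delete();
        }
        for (AuthenticationKey certified : new ArrayList<>(this.mAuthenticationKeys)) {
            certified.delete();
        }
        this.mSecureArea.deleteKey(this.mCredentialKeyAlias);
        this.mStorageEngine.delete(CREDENTIAL_PREFIX + this.mName);
    }

    /**
     * Picks the certified key with the lowest usage count among those valid at {@code timestamp}.
     *
     * <p>Both ends of the validity window are inclusive. On a tie the key that was added first
     * wins. A {@code null} timestamp disables the validity check, so expired and not-yet-valid
     * keys become eligible.
     *
     * @param timestamp the time to check validity against, or {@code null} to consider all keys
     * @return the selected key, or {@code null} if no key qualifies
     */
    public AuthenticationKey findAuthenticationKey(Timestamp timestamp) {
        AuthenticationKey best = null;
        for (AuthenticationKey candidate : this.mAuthenticationKeys) {
            if (timestamp != null) {
                long at = timestamp.toEpochMilli();
                if (at < candidate.getValidFrom().toEpochMilli() || at > candidate.getValidUntil().toEpochMilli()) {
                    continue;
                }
            }
            if (best == null || candidate.getUsageCount() < best.getUsageCount()) {
                best = candidate;
            }
        }
        return best;
    }

    /** Returns the application data attached to this credential. */
    public ApplicationData getApplicationData() {
        return this.mApplicationData;
    }

    /** Returns the attestation certificate chain reported by the secure area for the credential key. */
    public List<X509Certificate> getAttestation() {
        return this.mSecureArea.getKeyInfo(this.mCredentialKeyAlias).getAttestation();
    }

    /** Returns a copy of the list of certified authentication keys. */
    public List<AuthenticationKey> getAuthenticationKeys() {
        return new ArrayList<>(this.mAuthenticationKeys);
    }

    /** Returns the alias of the credential key. */
    public String getCredentialKeyAlias() {
        return this.mCredentialKeyAlias;
    }

    /** Returns the secure area that holds the credential key. */
    public SecureArea getCredentialSecureArea() {
        return this.mSecureArea;
    }

    /** Returns the credential name. */
    public String getName() {
        return this.mName;
    }

    /** Returns the name-spaced data currently held by this credential. */
    public NameSpacedData getNameSpacedData() {
        return this.mNameSpacedData;
    }

    /** Returns a copy of the list of pending authentication keys. */
    public List<PendingAuthenticationKey> getPendingAuthenticationKeys() {
        return new ArrayList<>(this.mPendingAuthenticationKeys);
    }

    /**
     * Removes a certified key from this credential, clears the back-reference held by its pending
     * replacement (if any), and saves.
     *
     * @throws IllegalStateException if the key is not in the certified list
     */
    void removeAuthenticationKey(AuthenticationKey authenticationKey) {
        if (!this.mAuthenticationKeys.remove(authenticationKey)) {
            throw new IllegalStateException("Error removing authentication key");
        }
        if (authenticationKey.mReplacementAlias != null) {
            for (PendingAuthenticationKey pending : this.mPendingAuthenticationKeys) {
                if (pending.mAlias.equals(authenticationKey.mReplacementAlias)) {
                    pending.mReplacementForAlias = null;
                    break;
                }
            }
        }
        saveCredential();
    }

    /**
     * Removes a pending key from this credential, clears the forward reference held by the
     * certified key it was meant to replace (if any), and saves.
     *
     * @throws IllegalStateException if the key is not in the pending list
     */
    void removePendingAuthenticationKey(PendingAuthenticationKey pendingAuthenticationKey) {
        if (!this.mPendingAuthenticationKeys.remove(pendingAuthenticationKey)) {
            throw new IllegalStateException("Error removing pending authentication key");
        }
        if (pendingAuthenticationKey.mReplacementForAlias != null) {
            for (AuthenticationKey certified : this.mAuthenticationKeys) {
                if (certified.mAlias.equals(pendingAuthenticationKey.mReplacementForAlias)) {
                    certified.mReplacementAlias = null;
                    break;
                }
            }
        }
        saveCredential();
    }

    /** Replaces the name-spaced data and saves the credential. */
    public void setNameSpacedData(NameSpacedData nameSpacedData) {
        this.mNameSpacedData = nameSpacedData;
        saveCredential();
    }
}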
