package com.samsung.android.kmxservice.sdk.util;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Log;
import androidx.annotation.Nullable;
import com.google.android.material.textfield.h;
import com.microsoft.identity.common.java.crypto.IDevicePopManager;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import com.samsung.android.kmxservice.sdk.e2ee.data.LogTag;
import com.samsung.android.sdk.smp.common.constants.MarketingConstants;
import com.samsung.android.security.keystore.AttestParameterSpec;
import com.samsung.android.security.keystore.AttestationUtils;
import com.samsung.android.security.keystore.DeviceIdAttestationException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/* loaded from: classes3.dex */
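/**
 * Singleton wrapper around Samsung's {@link AttestationUtils} that generates attested keys,
 * checks the resulting Samsung Attestation Key (SAK) certificate chain, and extracts the
 * SAK UID and the device integrity status from the attestation certificate.
 *
 * <p>This source is decompiler output. Names such as {@code h},
 * {@code MarketingConstants.REFERRER_DELIMITER_U003D} and {@code IDevicePopManager.SHA_1} are
 * presumably constants or synthetic classes the decompiler resolved to unrelated libraries;
 * they are kept as-is because their real origin is not visible here.
 *
 * <p>Every call into {@link AttestationUtils} is made while holding that instance's monitor.
 * All public methods tolerate the utility being unavailable ({@code mAttestationUtils == null}).
 */
public class SksAttestation {
    /** Number of certificates a SAK attestation chain must contain; index 0 is the attested leaf. */
    private static final int SAK_CERT_CHAIN_COUNT = 3;
    private static final String TAG = LogTag.getTag("SksAttestation");
    public static final String WRAPPING_KEY = "WRAPPING_KEY";

    // NOTE(review): 4 bytes gives only 32 bits of freshness for the attestation challenge, which
    // is small for a replay-protection nonce. The value is kept because the length accepted by
    // AttestationUtils is not visible here; confirm the limit and raise it to at least 16 bytes.
    private static final int CHALLENGE_LENGTH_BYTES = 4;

    // Null when AttestationUtils could not be created; callers must check before use.
    @Nullable
    private final AttestationUtils mAttestationUtils;

    /** Initialization-on-demand holder: the instance is created when this class is first loaded. */
    /* loaded from: classes3.dex */
    public static class LazyHolder {
        private static final SksAttestation INSTANCE = new SksAttestation(0);

        private LazyHolder() {
        }
    }

    /**
     * Creates the attestation helper through {@code KmxFaultBarrier}, passing {@code null} as the
     * second argument.
     */
    private SksAttestation() {
        // presumably `h` is the synthetic supplier that calls a() and null is the fallback value
        // returned when construction fails - TODO confirm against KmxFaultBarrier.
        this.mAttestationUtils = (AttestationUtils) KmxFaultBarrier.get(new h(10), null);
    }

    /** Synthetic bridge constructor used by {@link LazyHolder}; the argument is ignored. */
    public /* synthetic */ SksAttestation(int i) {
        this();
    }

    /** Synthetic factory that returns a new {@link AttestationUtils}. */
    public static /* synthetic */ AttestationUtils a() {
        return new AttestationUtils();
    }

    /**
     * Checks that the challenge embedded in the attestation certificate equals the expected one.
     *
     * @param bArr challenge read from the certificate
     * @param bArr2 challenge that was supplied when the key was generated
     * @return {@code true} only when the certificate carries a non-empty challenge equal to
     *     {@code bArr2}
     */
    private boolean checkChallengeOfAttestationCert(byte[] bArr, byte[] bArr2) {
        if (bArr == null || bArr.length == 0) {
            Log.e(TAG, "No challenge in the certificate");
            return false;
        }
        if (Arrays.equals(bArr, bArr2)) {
            return true;
        }
        // The challenge is random binary data: decoding it as UTF-8 (as the original did) writes
        // unreadable bytes to the log, so only its length is reported.
        Log.e(TAG, "Challenge in different with certificate : " + "length=" + bArr.length);
        return false;
    }

    /**
     * Maps an integrity status to its numeric value.
     *
     * @param integrityStatus status parsed from the attestation certificate, may be {@code null}
     * @return {@code integrityStatus.getStatus()} when the status reports normal, otherwise -1
     */
    private int checkIntegrityStatus(IntegrityStatus integrityStatus) {
        if (integrityStatus != null && integrityStatus.isNormal()) {
            return integrityStatus.getStatus();
        }
        Log.e(TAG, "integrityStatus is abnormal : " + integrityStatus);
        return -1;
    }

    /**
     * Accepts only key origin 0.
     *
     * @param i origin value read from the attestation certificate
     * @return {@code true} when {@code i} is 0
     */
    private boolean checkKeyOrigin(int i) {
        // presumably 0 is the KeyMaster "generated" origin - confirm against AttestatedCertParser
        if (i == 0) {
            return true;
        }
        Log.e(TAG, "The key was not generated in hardware-backed keystore");
        return false;
    }

    /**
     * Requires verified boot state 0 and a locked device.
     *
     * @param rootOfTrust root-of-trust data from the attestation certificate, may be {@code null}
     * @return {@code true} only when the boot state is 0 and the device reports locked
     */
    private boolean checkRootOfTrust(RootOfTrust rootOfTrust) {
        if (rootOfTrust == null) {
            // Fail closed: a certificate without root-of-trust data proves nothing about the
            // boot state, and the original dereferenced it unconditionally.
            Log.e(TAG, "ROT : Root of trust is missing");
            return false;
        }
        if (rootOfTrust.getVerifiedBootState() != 0) {
            Log.e(TAG, "ROT : VerifiedBootState is invalid");
            return false;
        }
        if (!rootOfTrust.isDeviceLocked()) {
            Log.e(TAG, "ROT : Device is unlocked");
            return false;
        }
        return true;
    }

    /** Returns the process-wide instance. */
    public static SksAttestation getInstance() {
        return LazyHolder.INSTANCE;
    }

    /**
     * Decodes a hexadecimal string into bytes.
     *
     * @param str hex digits, two per byte
     * @return the decoded bytes
     * @throws IllegalArgumentException if {@code str} is null, has an odd length, or contains a
     *     character that is not a hex digit
     */
    private byte[] hexStringToByteArray(String str) {
        if (str == null || (str.length() & 1) != 0) {
            throw new IllegalArgumentException("Hex string must be non-null with an even number of characters");
        }
        int length = str.length();
        byte[] bArr = new byte[length / 2];
        for (int i = 0; i < length; i += 2) {
            int hi = Character.digit(str.charAt(i), 16);
            int lo = Character.digit(str.charAt(i + 1), 16);
            // Character.digit returns -1 for a non-hex character; without this check the
            // original silently folded that -1 into a wrong byte value.
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("Invalid hex digit at index " + (hi < 0 ? i : i + 1));
            }
            bArr[i / 2] = (byte) ((hi << 4) + lo);
        }
        return bArr;
    }

    /** Returns {@link #CHALLENGE_LENGTH_BYTES} fresh bytes from {@link SecureRandom}. */
    private byte[] makeRandomChallenge() {
        byte[] bArr = new byte[CHALLENGE_LENGTH_BYTES];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    /**
     * Extracts the SAK UID from the issuer distinguished name of the attested certificate.
     *
     * @param str issuer name as a string
     * @param z4 {@code true} for the "sakm" key type: the value is taken between the delimiter
     *     that follows {@code UID} and {@code :CA}; otherwise it is the quoted text following
     *     {@code CN=}
     * @return the extracted value, or {@code null} when the expected markers are not present
     */
    private String parseSakUid(String str, boolean z4) {
        if (str == null) {
            return null;
        }
        String endMarker;
        int anchor;
        int delimiter;
        if (z4) {
            Log.i(TAG, "[parseSakUid] SAKm Model");
            anchor = str.indexOf("UID");
            delimiter = anchor < 0 ? -1 : str.indexOf(MarketingConstants.REFERRER_DELIMITER_U003D, anchor);
            endMarker = ":CA";
        } else {
            anchor = str.indexOf("CN=");
            delimiter = anchor < 0 ? -1 : str.indexOf("\"", anchor);
            endMarker = "\"";
        }
        if (delimiter < 0) {
            // The original carried -1 into the next search and returned an unrelated substring
            // or threw StringIndexOutOfBoundsException. The issuer name is not logged because
            // it contains the device identifier.
            Log.e(TAG, "[parseSakUid] unexpected issuer format");
            return null;
        }
        int valueStart = delimiter + 1;
        int valueEnd = str.indexOf(endMarker, valueStart);
        if (valueEnd < 0) {
            Log.e(TAG, "[parseSakUid] unexpected issuer format");
            return null;
        }
        return str.substring(valueStart, valueEnd);
    }

    /**
     * Narrows a certificate chain to X.509.
     *
     * @return the converted chain, or {@code null} if any element is null or not an
     *     {@link X509Certificate}
     */
    private static X509Certificate[] toX509Chain(Certificate[] certificateArr) {
        X509Certificate[] converted = new X509Certificate[certificateArr.length];
        for (int i = 0; i < certificateArr.length; i++) {
            if (!(certificateArr[i] instanceof X509Certificate)) {
                return null;
            }
            converted[i] = (X509Certificate) certificateArr[i];
        }
        return converted;
    }

    /**
     * Converts the chain to X.509 and delegates to
     * {@link #verifyCertChain(X509Certificate[], byte[])}.
     *
     * @return {@code false} when the chain is null, holds a non-X.509 element, or fails
     *     verification
     */
    private boolean verifyCertChain(Certificate[] certificateArr, byte[] bArr) {
        if (certificateArr == null) {
            Log.e(TAG, "verifyCertChain certChain is null.");
            return false;
        }
        X509Certificate[] x509CertificateArr = toX509Chain(certificateArr);
        if (x509CertificateArr == null) {
            // Reject instead of letting a ClassCastException escape to the caller.
            Log.e(TAG, "verifyCertChain certChain contains a non-X.509 certificate.");
            return false;
        }
        return verifyCertChain(x509CertificateArr, bArr);
    }

    /**
     * Verifies an attestation chain: exact length, challenge, key origin and root of trust of
     * the leaf, then validity period and signature of every certificate, walking from the last
     * element down to the leaf and starting from the certificate returned by
     * {@code SamsungAttestationRootCert.getSakRoot}.
     *
     * @param x509CertificateArr chain with the attested leaf at index 0
     * @param bArr challenge expected in the leaf
     * @return {@code true} only when every check passes
     */
    private boolean verifyCertChain(X509Certificate[] x509CertificateArr, byte[] bArr) {
        if (x509CertificateArr == null) {
            Log.e(TAG, "verifyCertChain certChain is null.");
            return false;
        }
        if (x509CertificateArr.length != SAK_CERT_CHAIN_COUNT) {
            Log.e(TAG, "Invalid certification chain size : " + x509CertificateArr.length);
            return false;
        }
        try {
            AttestatedCertParser attestatedCertParser = new AttestatedCertParser(x509CertificateArr[0]);
            if (!checkChallengeOfAttestationCert(attestatedCertParser.getChallenge(), bArr)
                    || !checkKeyOrigin(attestatedCertParser.getOrigin())
                    || !checkRootOfTrust(attestatedCertParser.getRootOfTrust())) {
                return false;
            }
            try {
                X509Certificate issuer = SamsungAttestationRootCert.getSakRoot(attestatedCertParser.getSakUID());
                if (issuer == null) {
                    // Without a trust anchor nothing can be verified; fail closed.
                    Log.e(TAG, "verifyCertChain SAK root certificate is null.");
                    return false;
                }
                // NOTE(review): only the validity period and the signature are checked here.
                // Basic constraints, key usage and revocation are not examined in this method.
                for (int index = x509CertificateArr.length - 1; index >= 0; index--) {
                    X509Certificate certificate = x509CertificateArr[index];
                    certificate.checkValidity();
                    certificate.verify(issuer.getPublicKey());
                    // The certificate just verified becomes the issuer of the next one down.
                    issuer = certificate;
                }
                return true;
            } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
                if (e instanceof CertificateNotYetValidException) {
                    // A wrong device clock is the usual cause, hence the user-facing hint.
                    Log.e(TAG, e.getMessage() + System.lineSeparator() + System.lineSeparator() + "Please set to the current time (Settings > General management > Date and time)");
                } else {
                    Log.e(TAG, "verifyCertChain certificate chain verification error : ", e);
                }
                return false;
            }
        } catch (CertificateParsingException e3) {
            Log.e(TAG, "verifyCertChain certificate Parsing Error : ", e3);
            return false;
        }
    }

    /**
     * Requests a device attestation under the alias {@code "integrity"} and returns the
     * integrity status carried by the resulting leaf certificate.
     *
     * @return the status value when it reports normal; -1 when attestation is unavailable, the
     *     chain is missing or malformed, or the status is abnormal
     * @throws RuntimeException wrapping {@link DeviceIdAttestationException} or
     *     {@link KeyStoreException}
     */
    public int getDeviceIntegrity() {
        byte[] challenge = makeRandomChallenge();
        AttestationUtils attestationUtils = this.mAttestationUtils;
        if (attestationUtils == null) {
            Log.e(TAG, "Not support attestation utils. Need to check build version :" + Build.VERSION.SDK_INT);
            return -1;
        }
        try {
            synchronized (attestationUtils) {
                if (attestationUtils.getKey("integrity") == null) {
                    Log.i(TAG, "generated key for integrity checking");
                    attestationUtils.generateKeyPair("integrity", challenge);
                }
                attestationUtils.storeCertificateChain("integrity", attestationUtils.attestDevice(new AttestParameterSpec.Builder("integrity", challenge).setDeviceAttestation(true).setVerifiableIntegrity(true).build()));
                Certificate[] certificateChain = attestationUtils.getCertificateChain("integrity");
                if (certificateChain == null) {
                    Log.e(TAG, "getDeviceIntegrity certChain is null");
                    return -1;
                }
                if (certificateChain.length == 0 || !(certificateChain[0] instanceof X509Certificate)) {
                    // Guard the index and the cast below; an empty or foreign chain is a failure.
                    Log.e(TAG, "getDeviceIntegrity certChain is empty or not X.509");
                    return -1;
                }
                // NOTE(review): the status is read from the leaf without calling verifyCertChain
                // and without comparing the leaf's challenge to `challenge`, so this method does
                // not itself establish that the certificate is fresh or SAK-rooted. Confirm that
                // a verifier elsewhere performs those checks before the result is trusted.
                try {
                    return checkIntegrityStatus(new AttestatedCertParser((X509Certificate) certificateChain[0]).getIngetrityStatus());
                } catch (CertificateParsingException e) {
                    Log.e(TAG, "getDeviceIntegrity certificate Parsing Error : ", e);
                    return -1;
                }
            }
        } catch (DeviceIdAttestationException | KeyStoreException e3) {
            throw new RuntimeException(e3);
        }
    }

    /**
     * Returns the SAK UID parsed from the issuer of the certificate stored under the alias
     * {@code "sakUid"}, generating and verifying a new attested key when no chain of at least
     * {@link #SAK_CERT_CHAIN_COUNT} certificates is stored.
     *
     * @return the UID, or {@code null} when attestation is unavailable, verification fails, the
     *     issuer has an unexpected format, or a keystore error occurs
     */
    public String getSakUid() {
        String keyType = SystemProperties.get("ro.security.keystore.keytype");
        AttestationUtils attestationUtils = this.mAttestationUtils;
        if (attestationUtils == null) {
            Log.e(TAG, "Not support attestation utils. Need to check build version :" + Build.VERSION.SDK_INT);
            return null;
        }
        // The decompiler emitted an empty try block followed by this logic; the synchronized
        // section is placed back inside the try so the declared catch clauses apply to it.
        try {
            synchronized (attestationUtils) {
                Certificate[] certificateChain = attestationUtils.getCertificateChain("sakUid");
                if (certificateChain == null || certificateChain.length < SAK_CERT_CHAIN_COUNT) {
                    byte[] challenge = makeRandomChallenge();
                    attestationUtils.generateKeyPair("sakUid", challenge);
                    Certificate[] freshChain = attestationUtils.getCertificateChain("sakUid");
                    if (!verifyCertChain(freshChain, challenge)) {
                        Log.e(TAG, "certificate chain verification failed.");
                        return null;
                    }
                    certificateChain = freshChain;
                }
                // NOTE(review): a chain that was already stored is used without being verified
                // again; only a freshly generated chain goes through verifyCertChain.
                if (!(certificateChain[0] instanceof X509Certificate)) {
                    Log.e(TAG, "getSakUid certChain is not X.509");
                    return null;
                }
                if (keyType == null) {
                    // Same outcome as the NullPointerException the original relied on.
                    Log.e(TAG, "getSakUid keystore key type is unavailable");
                    return null;
                }
                return parseSakUid(((X509Certificate) certificateChain[0]).getIssuerX500Principal().toString(), keyType.contains("sakm"));
            }
        } catch (IllegalArgumentException | NullPointerException | ProviderException e) {
            Log.e(TAG, "getSakUid failed : ", e);
            return null;
        }
    }

    /**
     * Returns the attestation chain of the RSA wrapping key stored under {@code str}, creating
     * the key first when the alias has none.
     *
     * @param str key alias
     * @param bArr attestation challenge placed in the key generation request
     * @return the chain as X.509 certificates, or {@code null} when attestation is unavailable,
     *     the OS is older than API 28, key generation fails, or a keystore error occurs
     */
    public X509Certificate[] getWrapKey(String str, byte[] bArr) {
        AttestationUtils attestationUtils = this.mAttestationUtils;
        if (attestationUtils == null) {
            Log.e(TAG, "Not support attestation utils. Need to check build version :" + Build.VERSION.SDK_INT);
            return null;
        }
        if (Build.VERSION.SDK_INT < 28) {
            Log.e(TAG, "You need to check os version ! Now under the Pos");
            return null;
        }
        // Purpose 32 is KeyProperties.PURPOSE_WRAP_KEY, available from API 28 (hence the gate).
        // NOTE(review): SHA-1 is allowed next to SHA-256, presumably for OAEP/MGF1
        // interoperability - confirm it is still required.
        AttestParameterSpec build = new AttestParameterSpec.Builder(str, bArr).setAlgorithm(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA).setKeyGenParameterSpec(new KeyGenParameterSpec.Builder(str, 32).setDigests("SHA-256", IDevicePopManager.SHA_1).setEncryptionPaddings("OAEPPadding").setBlockModes("ECB").build()).setVerifiableIntegrity(true).build();
        try {
            synchronized (attestationUtils) {
                if (attestationUtils.getKey(str) == null) {
                    Log.i(TAG, "generate key for wrap key. : " + str);
                    if (attestationUtils.generateKeyPair(build) == null) {
                        Log.e(TAG, "getWrapKey generateKeyPair is null");
                        return null;
                    }
                }
                // NOTE(review): when the alias already holds a key, `build` is never used, so
                // the returned chain carries whatever challenge the key was created with rather
                // than `bArr`. The chain is also returned without local verification; the party
                // consuming it must check the challenge and the chain.
                Certificate[] certificateChain = attestationUtils.getCertificateChain(str);
                if (certificateChain == null) {
                    Log.e(TAG, "getWrapKey certChain is NULL. Retry key generation.");
                    if (attestationUtils.generateKeyPair(build) == null) {
                        Log.e(TAG, "getWrapKey retrying generateKeyPair is null");
                        return null;
                    }
                    certificateChain = attestationUtils.getCertificateChain(str);
                    if (certificateChain == null) {
                        Log.e(TAG, "getWrapKey certChain is NULL.");
                        return null;
                    }
                }
                X509Certificate[] x509Chain = toX509Chain(certificateChain);
                if (x509Chain == null) {
                    Log.e(TAG, "getWrapKey certChain contains a non-X.509 certificate");
                }
                return x509Chain;
            }
        } catch (IllegalArgumentException | NullPointerException | KeyStoreException | ProviderException e) {
            Log.e(TAG, "getWrapKey failed : ", e);
            return null;
        }
    }

    /**
     * Deletes the key stored under the given alias.
     *
     * @param str key alias
     * @throws RuntimeException wrapping the {@link KeyStoreException} raised by the deletion
     */
    public void removeKey(String str) {
        AttestationUtils attestationUtils = this.mAttestationUtils;
        if (attestationUtils == null) {
            Log.e(TAG, "Not support attestation utils. Need to check build version :" + Build.VERSION.SDK_INT);
            return;
        }
        try {
            synchronized (attestationUtils) {
                attestationUtils.deleteKey(str);
            }
        } catch (KeyStoreException e) {
            Log.e(TAG, "removeKey failed : ", e);
            throw new RuntimeException(e);
        }
    }
}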
