package com.ts.common.internal.core.utils;

import com.ts.common.internal.core.logger.Log;
import com.ts.mobile.sdk.util.Util;
import com.ts.org.bouncycastle.pqc.jcajce.spec.McElieceCCA2KeyGenParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
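/**
 * Reader for signed "XMA" container files.
 *
 * <p>Layout, as parsed by {@link #readFile(InputStream)}: a 4-byte magic, a big-endian
 * {@code int} version (must be 1), a big-endian {@code int} signature length, the signature
 * bytes, and then the payload up to end of stream. The signature is verified with
 * {@code SHA256withRSA} over the payload bytes only, using the public key installed by
 * {@link #loadValidationCert(InputStream)}.
 *
 * <p>NOTE(review): {@code validationPublicKey} is a plain static field written without
 * synchronization; callers presumably load the certificate once before constructing any
 * instance. Confirm against call sites.
 */
public class XmaFile {
    private static final String TAG = "com.ts.common.internal.core.utils.XmaFile";
    private static final String TRANSMIT_CERTIFICATE_NAME = "CN=Transmit Security Ltd,OU=Development,O=Transmit Security Ltd,L=Tel Aviv,C=IL";
    // ASCII bytes of the 64-character lowercase hex string
    // "3e29d5d6bf3a6434a7b2e60f91163b0fb7739f03277dc521e7b96715c3eebaca", compared against the
    // hex-encoded digest of the leaf certificate's DER encoding.
    private static final byte[] TRANSMIT_CERT_FP = {51, 101, 50, 57, 100, 53, 100, 54, 98, 102, 51, 97, 54, 52, 51, 52, 97, 55, 98, 50, 101, 54, 48, 102, 57, 49, 49, 54, 51, 98, 48, 102, 98, 55, 55, 51, 57, 102, 48, 51, 50, 55, 55, 100, 99, 53, 50, 49, 101, 55, 98, 57, 54, 55, 49, 53, 99, 51, 101, 101, 98, 97, 99, 97};
    // File magic: 0x19 0x11 0x19 0x80.
    private static final byte[] XMA_MAGIC = {25, 17, 25, Byte.MIN_VALUE};
    private static final int XMA_VERSION = 1;
    // Upper bound for the attacker-controlled signature length field. An RSA signature is as
    // long as the key modulus, so 4096 bytes (a 32768-bit key) is far above any realistic key.
    private static final int MAX_SIGNATURE_LENGTH = 4096;
    private static PublicKey validationPublicKey;
    private byte[] fileData;

    /**
     * Parses and verifies an XMA file.
     *
     * @param inputStream stream positioned at the start of the XMA file; not closed here
     * @throws IOException if the stream is truncated, the header or version is wrong, or the
     *     signature cannot be verified
     */
    public XmaFile(InputStream inputStream) throws IOException {
        readFile(inputStream);
    }

    /**
     * Loads the certificate chain used to verify XMA signatures and stores the leaf's public key.
     *
     * <p>The first certificate in the stream is treated as the leaf. Its subject DN must equal
     * {@link #TRANSMIT_CERTIFICATE_NAME}. The chain is then PKIX-validated against the platform
     * default trust anchors with revocation checking disabled. If that validation fails, the
     * leaf is still accepted when the hex digest of its encoding matches the pinned fingerprint.
     *
     * <p>NOTE(review): the fingerprint is only a fallback. When PKIX validation succeeds it is
     * not consulted, so any certificate carrying this subject DN that chains to an anchor
     * trusted on the device is accepted as the signing key; no key-usage or EKU constraint is
     * checked here either. Conversely, the fallback path skips validity-period checks.
     * Consider requiring the pin (or a pinned issuer) on every path if rotation allows it.
     *
     * @param inputStream stream of one or more X.509 certificates, leaf first
     * @throws Exception if the stream holds no certificate, the DN does not match, or the chain
     *     is untrusted and the fingerprint does not match
     */
    public static void loadValidationCert(InputStream inputStream) throws Exception {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Certificate[] chain = certificateFactory.generateCertificates(inputStream).toArray(new Certificate[0]);
        // An empty stream would otherwise surface as ArrayIndexOutOfBoundsException below.
        if (chain.length == 0) {
            throw new CertificateException("No certificate found in validation certificate stream.");
        }
        Certificate leaf = chain[0];
        CertPath certPath = certificateFactory.generateCertPath(Arrays.asList(chain));
        if (!((X509Certificate) leaf).getSubjectX500Principal().getName().equals(TRANSMIT_CERTIFICATE_NAME)) {
            throw new CertificateException("You are using a certificate with invalid distinguished name.");
        }

        // Collect every issuer the platform's default trust managers accept as a PKIX anchor.
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        HashSet<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                for (X509Certificate issuer : ((X509TrustManager) trustManager).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(issuer, null));
                }
            }
        }

        CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
        // Throws if the anchor set is empty; that happens before the fingerprint fallback.
        PKIXParameters pkixParameters = new PKIXParameters(anchors);
        pkixParameters.setRevocationEnabled(false);
        try {
            certPathValidator.validate(certPath, pkixParameters);
        } catch (Exception e) {
            // Fallback: accept an untrusted chain only if the leaf matches the pinned fingerprint.
            // The algorithm constant is what the decompiler resolved; the 64-hex-char pin implies
            // a 256-bit digest. Util.hexStringFromByteArray presumably emits lowercase hex.
            byte[] digest = MessageDigest.getInstance(McElieceCCA2KeyGenParameterSpec.SHA256).digest(leaf.getEncoded());
            // Explicit charset: hex is pure ASCII, so do not depend on the platform default.
            byte[] actualFingerprint = Util.hexStringFromByteArray(digest).getBytes(java.nio.charset.StandardCharsets.US_ASCII);
            if (!Arrays.equals(actualFingerprint, TRANSMIT_CERT_FP)) {
                throw e;
            }
            Log.w(TAG, "XMA signature validation certificate fingerprint is valid, but the certificate CA is untrusted on this device." + e);
        }
        validationPublicKey = certPath.getCertificates().get(0).getPublicKey();
    }

    /**
     * Parses the XMA container and verifies its signature before exposing any payload.
     *
     * <p>{@code fileData} is assigned only after {@code Signature.verify} succeeds, so an
     * instance never holds unverified payload bytes. If no validation certificate has been
     * loaded, {@code initVerify(null)} fails and is reported as an {@link IOException}.
     *
     * <p>NOTE(review): the payload is buffered fully in memory with no size limit; callers
     * feeding remote content may want to bound the stream.
     *
     * @param inputStream stream positioned at the start of the XMA file
     * @throws IOException on truncation, bad magic/version/signature length, or signature failure
     */
    private void readFile(InputStream inputStream) throws IOException {
        DataInputStream in = new DataInputStream(inputStream);

        byte[] magic = new byte[XMA_MAGIC.length];
        // read(byte[]) may legally return fewer bytes than requested; readFully does not.
        readExactly(in, magic, "Can't read file header.");
        if (!Arrays.equals(magic, XMA_MAGIC)) {
            throw new IOException("Invalid XMA header.");
        }

        int version = in.readInt();
        if (version != XMA_VERSION) {
            throw new IOException("Invalid XMA version: " + version + ".");
        }

        // The length field is untrusted: reject negative values (NegativeArraySizeException)
        // and oversized values (large allocation) before allocating.
        int signatureLength = in.readInt();
        if (signatureLength <= 0 || signatureLength > MAX_SIGNATURE_LENGTH) {
            throw new IOException("Invalid XMA signature length: " + signatureLength + ".");
        }
        byte[] signatureBytes = new byte[signatureLength];
        readExactly(in, signatureBytes, "Can't read XMA signature.");

        ByteArrayOutputStream payload = new ByteArrayOutputStream(in.available());
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(validationPublicKey);
            byte[] buffer = new byte[1024];
            int read;
            while ((read = in.read(buffer)) != -1) {
                verifier.update(buffer, 0, read);
                payload.write(buffer, 0, read);
            }
            if (!verifier.verify(signatureBytes)) {
                throw new SignatureException("Signature mismatch.");
            }
            this.fileData = payload.toByteArray();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new IOException("Can't validate signature.", e);
        }
    }

    /** Fills {@code buffer} completely or throws an {@link IOException} with {@code errorMessage}. */
    private static void readExactly(DataInputStream in, byte[] buffer, String errorMessage) throws IOException {
        try {
            in.readFully(buffer);
        } catch (java.io.EOFException e) {
            throw new IOException(errorMessage, e);
        }
    }

    /**
     * Returns a fresh stream over the signature-verified payload.
     *
     * @return a new {@link ByteArrayInputStream} backed by the verified payload bytes
     */
    public InputStream dataStream() {
        return new ByteArrayInputStream(this.fileData);
    }
}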
