package com.huawei.security.pkisdk;

import a0.d;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import android.util.Log;
import com.huawei.phoneservice.feedbackcommon.network.FeedbackWebConstants;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

/* compiled from: Proguard */
/* loaded from: classes4.dex */
/**
 * Hardware-keystore backed implementation of {@link PKIAuthClient}.
 *
 * <p>Keys live in the "HwKeystore" {@link KeyStore} under a caller-supplied alias and are
 * generated through the "HwUniversalKeyStoreProvider" JCA provider (installed reflectively in the
 * static initializer). The class offers three services on such a key:
 * <ul>
 *   <li>{@link #getAppAuthCert(String)} – returns the attestation certificate chain as a
 *       ";"-separated list of Base64 DER certificates (the last element of the chain is dropped,
 *       see {@link #buildCertChainString}), after proving that the stored private key matches
 *       the leaf certificate;</li>
 *   <li>{@link #sign(byte[], String)} – SHA256withRSA/PSS signature with the stored key;</li>
 *   <li>{@link #encryptMsg(byte[], String)} / {@link #decryptCipher(byte[], String)} –
 *       RSA-OAEP with a separately generated encryption key pair.</li>
 * </ul>
 *
 * <p>Error handling convention: every public method reports failure by returning an empty
 * array / empty string and logging; exceptions are not propagated to callers. Note that
 * {@link #deleteCertChain(String)} also returns {@code true} for an invalid alias.
 *
 * <p>This listing is decompiler output (Proguard/JADX): the synthetic switch-map class, the
 * {@code catch (Throwable) { throw }} blocks and the unreachable {@code 0 != 0} branches in
 * {@link #sign} are artifacts of that, not hand-written logic. {@code d.v(...)} is an obfuscated
 * helper that presumably logs the exception text under {@code TAG}, and
 * {@code FeedbackWebConstants.SHA_256} is presumably the digest name "SHA-256" — both should be
 * confirmed against the rest of the app before relying on them.
 */
public class PKIAuthClientImpl implements PKIAuthClient {
    // Maximum accepted length of a key alias (enforced in checkArguments).
    private static final int CERTIFICATE_CHAIN_ALIAS_MAX_LENGTH = 48;
    // Minimum chain length accepted from the keystore (leaf + at least one issuer).
    private static final int CERTIFICATE_CHAIN_LENGTH = 2;
    // Serial number written into the self-generated certificate (buildAlgoParam).
    private static final int CERTIFICATE_SERIAL_NUMBER = 1337;
    // Separator between Base64 certificates in the string returned by getAppAuthCert.
    private static final String CERTIFICATE_STRING_SEPARATOR = ";";
    // Certificate validity in years (buildAlgoParam adds this to "now").
    private static final int CERTIFICATE_VALIDITY = 10;
    // Number of UUID hex characters used to derive the attestation challenge / the
    // self-test challenge.
    private static final int CHALLENGE_LENGTH = 12;
    private static final String EMPTY_CERT = "";
    // OAEP with SHA-256 as the OAEP digest; the MGF1 digest is set separately to SHA-1
    // in encryptMsg/decryptCipher (see the note there).
    private static final String ENCRYPT_ALGORITHM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    // JCA provider name of the hardware-backed universal keystore.
    private static final String HUKS_PROVIDER = "HwUniversalKeyStoreProvider";
    // KeyStore type passed to KeyStore.getInstance (not an entry alias despite the name).
    private static final String HW_STORE_ALIAS = "HwKeystore";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA/PSS";
    private static final String TAG = "PKIAuthClientImpl";
    private static final String UUID_SEPARATOR = "-";

    /* renamed from: a, reason: collision with root package name */
    public static final /* synthetic */ int f17769a = 0;
    // Serializes getAppAuthCert (chain generation / self-test / deletion) across threads.
    private static final Object CERTIFICATE_LOCK = new Object();
    // Serializes generateEncryptKeyPair so two callers cannot race on the same alias.
    private static final Object ENCRYPT_LOCK = new Object();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* compiled from: Proguard */
    /* renamed from: com.huawei.security.pkisdk.PKIAuthClientImpl$1, reason: invalid class name */
    /* loaded from: classes4.dex */
    // Compiler-generated switch map for `switch (purpose)` in buildAlgoParam:
    // ENCRYPT -> 1, SIGN -> 2. Not hand-written.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$huawei$security$pkisdk$PKIAuthClientImpl$Purpose;

        static {
            int[] iArr = new int[Purpose.values().length];
            $SwitchMap$com$huawei$security$pkisdk$PKIAuthClientImpl$Purpose = iArr;
            try {
                iArr[Purpose.ENCRYPT.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$com$huawei$security$pkisdk$PKIAuthClientImpl$Purpose[Purpose.SIGN.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* compiled from: Proguard */
    /* loaded from: classes4.dex */
    // Which kind of key pair buildAlgoParam should describe.
    public enum Purpose {
        SIGN,
        ENCRYPT
    }

    // Installs the hardware keystore JCA provider by reflection so that
    // KeyPairGenerator/Signature/Cipher.getInstance(..., HUKS_PROVIDER) resolve.
    // Failure is only logged: on such a device the later getInstance(..., HUKS_PROVIDER)
    // calls fail with a GeneralSecurityException, which the public methods catch and
    // turn into an empty result.
    static {
        try {
            Class.forName("com.huawei.security.keystore.HwUniversalKeyStoreProvider").getMethod("install", new Class[0]).invoke(null, new Object[0]);
            Log.i(TAG, "HwUniversalKeyStore: install success.");
        } catch (ClassNotFoundException unused) {
            Log.e(TAG, "HwUniversalKeyStore: no found.");
        } catch (IllegalAccessException unused2) {
            Log.e(TAG, "HwUniversalKeyStore: can not access.");
        } catch (NoSuchMethodException unused3) {
            Log.e(TAG, "HwUniversalKeyStore: function not found.");
        } catch (InvocationTargetException unused4) {
            Log.e(TAG, "HwUniversalKeyStore: invocation target exception.");
        }
    }

    /**
     * Builds the {@link KeyGenParameterSpec} for a new RSA key pair under {@code str}.
     *
     * <p>Both purposes share: SHA-256 digest, serial number 1337, validity from now until
     * ten years from now (Calendar field 1 is YEAR), an attestation challenge, and
     * {@code setUserAuthenticationRequired(false)} — the key is usable without any user
     * presence/authentication gate. The purpose bit masks are raw ints:
     * 3 = PURPOSE_ENCRYPT | PURPOSE_DECRYPT (OAEP padding), 12 = PURPOSE_SIGN | PURPOSE_VERIFY
     * (PSS padding).
     *
     * <p>NOTE(review): the attestation challenge is built by Base64-decoding the first 12 hex
     * characters of a random UUID (flag 2 = NO_WRAP). Hex digits are valid Base64 symbols, so
     * this yields 9 bytes derived from 48 bits of UUID entropy rather than 12 random bytes;
     * nothing in this class verifies the challenge afterwards, so only an external attestation
     * verifier would care. If the switch map yields neither 1 nor 2 the method dereferences a
     * null builder (NullPointerException); with the current two-value enum that branch is
     * unreachable.
     *
     * @param str     key alias
     * @param purpose SIGN or ENCRYPT
     * @return the built parameter spec
     */
    private AlgorithmParameterSpec buildAlgoParam(String str, Purpose purpose) {
        KeyGenParameterSpec.Builder builder;
        KeyGenParameterSpec.Builder builder2;
        GregorianCalendar gregorianCalendar = new GregorianCalendar();
        GregorianCalendar gregorianCalendar2 = new GregorianCalendar();
        gregorianCalendar2.add(1, 10);
        byte[] decode = Base64.decode(UUID.randomUUID().toString().replace("-", "").substring(0, 12), 2);
        int i10 = AnonymousClass1.$SwitchMap$com$huawei$security$pkisdk$PKIAuthClientImpl$Purpose[purpose.ordinal()];
        if (i10 == 1) {
            builder = new KeyGenParameterSpec.Builder(str, 3);
            builder.setEncryptionPaddings("OAEPPadding");
        } else {
            if (i10 != 2) {
                // Decompiled `default` branch: builder2 is null here, so the next line throws.
                builder2 = null;
                return builder2.setDigests(FeedbackWebConstants.SHA_256).setCertificateSerialNumber(BigInteger.valueOf(1337L)).setCertificateNotBefore(gregorianCalendar.getTime()).setCertificateNotAfter(gregorianCalendar2.getTime()).setAttestationChallenge(decode).setUserAuthenticationRequired(false).build();
            }
            builder = new KeyGenParameterSpec.Builder(str, 12);
            builder.setSignaturePaddings("PSS");
        }
        builder2 = builder;
        return builder2.setDigests(FeedbackWebConstants.SHA_256).setCertificateSerialNumber(BigInteger.valueOf(1337L)).setCertificateNotBefore(gregorianCalendar.getTime()).setCertificateNotAfter(gregorianCalendar2.getTime()).setAttestationChallenge(decode).setUserAuthenticationRequired(false).build();
    }

    /**
     * Serializes a certificate chain as ";"-separated Base64 (NO_WRAP) DER encodings.
     *
     * <p>The loop runs to {@code length - 1}, i.e. the last certificate of the chain is
     * deliberately omitted from the output (presumably the root, which the receiving side is
     * expected to hold itself — confirm against the verifier). A null element or an encoding
     * failure aborts the whole build and returns "".
     *
     * <p>NOTE(review): {@code deleteCharAt(length - 1)} on the trailing separator throws
     * StringIndexOutOfBoundsException for an array with fewer than two elements; the only
     * caller (getAppAuthCert) checks {@code length < 2} first, so keep that guard in place.
     *
     * @param certificateArr chain with the leaf at index 0
     * @return the joined string, or "" on any failure
     */
    private String buildCertChainString(Certificate[] certificateArr) {
        StringBuilder sb2 = new StringBuilder(0);
        for (int i10 = 0; i10 < certificateArr.length - 1; i10++) {
            try {
                Certificate certificate = certificateArr[i10];
                if (certificate == null) {
                    Log.e(TAG, "One of certificates is null.");
                    return "";
                }
                sb2.append(Base64.encodeToString(certificate.getEncoded(), 2));
                sb2.append(";");
            } catch (CertificateEncodingException unused) {
                Log.e(TAG, "Build authorization error, have a certificate encoding exception");
                return "";
            }
        }
        // Drop the trailing ";" appended after the last emitted certificate.
        sb2.deleteCharAt(sb2.length() - 1);
        Log.i(TAG, "Build authorization success.");
        return sb2.toString();
    }

    /**
     * Validates a key alias. The return value is inverted relative to the name:
     * {@code true} means the alias is INVALID (null, blank, or longer than 48 characters)
     * and the caller must bail out; {@code false} means it is acceptable.
     *
     * @param str alias to check
     * @return {@code true} if the alias is rejected
     */
    private boolean checkArguments(String str) {
        if (str == null) {
            Log.e(TAG, "Certificate alias is null.");
            return true;
        }
        if (str.trim().length() == 0) {
            Log.e(TAG, "Certificate alias is empty.");
            return true;
        }
        if (str.length() <= 48) {
            return false;
        }
        Log.e(TAG, "Certificate alias length exceeds 48.");
        return true;
    }

    /**
     * Proves that the private key stored under {@code str} matches {@code certificate}:
     * signs a fresh random challenge (the UUID hex text after its first 12 characters) with
     * {@link #sign} and verifies it with the certificate's public key.
     *
     * <p>On verification failure the chain under the alias is deleted so the next call
     * regenerates it. An empty signature (any failure inside sign) is reported as invalid
     * but does NOT delete the chain.
     *
     * @param certificate leaf certificate whose public key is checked
     * @param str         key alias
     * @return {@code true} if the key pair is consistent
     */
    private boolean checkValidate(Certificate certificate, String str) {
        byte[] bytes = UUID.randomUUID().toString().replace("-", "").substring(12).getBytes(StandardCharsets.UTF_8);
        byte[] sign = sign(bytes, str);
        if (sign.length == 0) {
            Log.e(TAG, "The number of signature challenge is 0");
            return false;
        }
        if (verifySignature(certificate.getPublicKey(), sign, bytes)) {
            return true;
        }
        Log.e(TAG, "Verify signature failed.");
        deleteCertChain(str);
        return false;
    }

    /**
     * Returns the certificate chain for the signing key under {@code str}, generating a new
     * RSA key pair via the HUKS provider when no valid chain exists.
     *
     * <p>If {@link #isCertificateExist} reports "exists" without filling the list (the leaf
     * was not an X509Certificate), an empty array is returned. After generation the chain is
     * read back from the keystore; per the KeyStore contract {@code getCertificateChain} may
     * return null for a missing alias — NOTE(review): getAppAuthCert dereferences
     * {@code .length} on the result, so a null here would surface as a NullPointerException
     * rather than the empty-array failure path.
     *
     * @param str key alias (already validated by the caller)
     * @return the chain (leaf first), or an empty array on any failure
     */
    private Certificate[] generateCertificateChain(String str) {
        Log.i(TAG, "Start to generate certificate chain.");
        try {
            ArrayList arrayList = new ArrayList(0);
            if (isCertificateExist(str, arrayList)) {
                Certificate[] certificateArr = new Certificate[arrayList.size()];
                arrayList.toArray(certificateArr);
                return certificateArr;
            }
            Log.i(TAG, "Start to generate a new certificate chain.");
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", HUKS_PROVIDER);
            keyPairGenerator.initialize(buildAlgoParam(str, Purpose.SIGN));
            keyPairGenerator.generateKeyPair();
            KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
            keyStore.load(null);
            Log.i(TAG, "Generate certificate chain successfully.");
            return keyStore.getCertificateChain(str);
        } catch (IOException | GeneralSecurityException e10) {
            d.v(e10, new StringBuilder("Generate certificate chain error, detail: "), TAG);
            return new Certificate[0];
        } catch (ProviderException e11) {
            // Thrown by the provider when the hardware keystore is unavailable on this device.
            Log.w(TAG, "Device dose not support HUKS, detail: " + e11.getMessage());
            return new Certificate[0];
        }
    }

    /**
     * Ensures an RSA encryption key pair exists under {@code str}, generating one through
     * the HUKS provider if needed. Guarded by {@link #ENCRYPT_LOCK}.
     *
     * <p>The existing-chain check reuses {@link #isCertificateExist} with a throwaway list;
     * an invalid (expired) chain is deleted there before a new pair is generated.
     *
     * @param str key alias (already validated by the caller)
     * @return {@code true} if a key pair is available afterwards
     */
    private boolean generateEncryptKeyPair(String str) {
        Log.i(TAG, "Start to generate encryption certificate");
        synchronized (ENCRYPT_LOCK) {
            try {
                try {
                    if (isCertificateExist(str, new ArrayList(0))) {
                        return true;
                    }
                    Log.i(TAG, "Start to generate a new encryption certificate.");
                    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", HUKS_PROVIDER);
                    keyPairGenerator.initialize(buildAlgoParam(str, Purpose.ENCRYPT));
                    keyPairGenerator.generateKeyPair();
                    return true;
                } catch (IOException e10) {
                    Log.e(TAG, "Generate certificate chain error, have an IOException, the detail: " + e10.getMessage());
                    return false;
                }
            } catch (GeneralSecurityException e11) {
                Log.e(TAG, "Generate certificate chain error, have a general security exception, the detail: " + e11.getMessage());
                return false;
            } catch (ProviderException unused) {
                Log.w(TAG, "Device dose not support HUKS.");
                return false;
            }
        }
    }

    /**
     * Checks whether a usable certificate chain is stored under {@code str}.
     *
     * <p>Return semantics are subtle:
     * <ul>
     *   <li>no chain or fewer than 2 certificates → {@code false} (caller should generate);</li>
     *   <li>leaf is not an {@link X509Certificate} → {@code true} but {@code list} is left
     *       EMPTY, so a caller that relies on the list sees an empty chain;</li>
     *   <li>leaf valid → {@code true}, whole chain appended to {@code list};</li>
     *   <li>leaf expired / not yet valid → chain is deleted, {@code false}.</li>
     * </ul>
     *
     * @param str  key alias
     * @param list receives the chain (leaf first) when it is valid
     * @return whether the caller may skip generation
     * @throws GeneralSecurityException from KeyStore.getInstance/load/getCertificateChain
     * @throws IOException              from KeyStore.load
     */
    private boolean isCertificateExist(String str, List<Certificate> list) throws GeneralSecurityException, IOException {
        Log.i(TAG, "Check certificate chain is existence or not.");
        KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
        keyStore.load(null);
        Certificate[] certificateChain = keyStore.getCertificateChain(str);
        if (certificateChain == null || certificateChain.length < 2) {
            Log.i(TAG, "certificate chain is not existence, need to generate new one.");
        } else {
            Certificate certificate = certificateChain[0];
            if (!(certificate instanceof X509Certificate)) {
                Log.e(TAG, "Fail to change keyAttentionCert to X509!");
                return true;
            }
            if (isCertificateValidity((X509Certificate) certificate)) {
                Log.i(TAG, "Certificate chain is existence, skip to generate new one.");
                list.addAll(Arrays.asList(certificateChain));
                return true;
            }
            Log.i(TAG, "Certificate is invalid");
            deleteCertChain(str);
        }
        return false;
    }

    /**
     * Returns whether the certificate's validity period contains the current time.
     * Only the time window is checked; signature, issuer and revocation are not.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} if currently within notBefore..notAfter
     */
    private boolean isCertificateValidity(X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException unused) {
            Log.e(TAG, "isCertificateValidity : certificate expired exception.");
            return false;
        } catch (CertificateNotYetValidException unused2) {
            Log.e(TAG, "isCertificateValidity : certificate not yet valid exception.");
            return false;
        }
    }

    /**
     * Verifies a SHA256withRSA/PSS signature with the default provider (no HUKS needed for
     * the public-key operation).
     *
     * @param publicKey verification key
     * @param bArr      signature bytes
     * @param bArr2     signed data
     * @return {@code true} only if the signature verifies; any exception yields {@code false}
     */
    private boolean verifySignature(PublicKey publicKey, byte[] bArr, byte[] bArr2) {
        try {
            Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM);
            signature.initVerify(publicKey);
            signature.update(bArr2);
            return signature.verify(bArr);
        } catch (InvalidKeyException | ProviderException unused) {
            Log.e(TAG, "Verify signature error, have a InvalidKeyException or ProviderException.");
            return false;
        } catch (NoSuchAlgorithmException unused2) {
            Log.e(TAG, "Verify signature error, have a NoSuchAlgorithmException.");
            return false;
        } catch (SignatureException unused3) {
            Log.e(TAG, "Verify signature error, have a SignatureException.");
            return false;
        }
    }

    /**
     * Decrypts {@code bArr} with the private key stored under {@code str}
     * (RSA-OAEP, Cipher mode 2 = DECRYPT_MODE, performed by the HUKS provider).
     *
     * <p>OAEP parameters: OAEP digest from {@code FeedbackWebConstants.SHA_256}, MGF1 with
     * SHA-1. The MGF1 digest intentionally differs from the OAEP digest and must stay
     * identical to the one used in {@link #encryptMsg}, otherwise decryption fails;
     * presumably it matches what the keystore provider implements — confirm before changing.
     * Unlike {@link #sign}, the private key handle is not destroyed after use.
     *
     * @param bArr ciphertext; null or empty is rejected
     * @param str  key alias
     * @return plaintext, or an empty array on invalid input, missing entry, or any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] decryptCipher(byte[] bArr, String str) {
        Log.i(TAG, "Begin to decrypt cipher text");
        if (bArr != null) {
            try {
                if (bArr.length != 0) {
                    if (checkArguments(str)) {
                        return new byte[0];
                    }
                    KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
                    keyStore.load(null);
                    Log.i(TAG, "Load  keystore success!");
                    KeyStore.Entry entry = keyStore.getEntry(str, null);
                    if (entry == null) {
                        Log.w(TAG, "Entry is not existence");
                        return new byte[0];
                    }
                    if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                        Log.w(TAG, "Not an instance of a PrivateKeyEntry");
                        return new byte[0];
                    }
                    PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
                    Cipher cipher = Cipher.getInstance(ENCRYPT_ALGORITHM, HUKS_PROVIDER);
                    cipher.init(2, privateKey, new OAEPParameterSpec(FeedbackWebConstants.SHA_256, "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
                    cipher.update(bArr);
                    return cipher.doFinal();
                }
            } catch (IOException | GeneralSecurityException | ProviderException e10) {
                d.v(e10, new StringBuilder("Decrypt Cipher failed, the detail: "), TAG);
                return new byte[0];
            }
        }
        Log.e(TAG, "Decryption message is invalid");
        return new byte[0];
    }

    /**
     * Deletes the keystore entry (key pair and certificate chain) under {@code str}.
     *
     * <p>Returns {@code true} both when the entry was deleted and when the alias is invalid
     * (nothing to delete); only a keystore failure yields {@code false}. Deleting a
     * non-existent alias is not an error for {@code KeyStore.deleteEntry}.
     *
     * @param str key alias
     * @return {@code false} only if the keystore operation failed
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public boolean deleteCertChain(String str) {
        Log.i(TAG, "Start to delete cert chain.");
        if (checkArguments(str)) {
            Log.i(TAG, "Certificate alias name is invalid");
            return true;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
            keyStore.load(null);
            keyStore.deleteEntry(str);
            return true;
        } catch (IOException unused) {
            Log.e(TAG, "Delete cert chain error, have a IOException.");
            return false;
        } catch (KeyStoreException unused2) {
            Log.e(TAG, "Delete cert chain error, have a KeyStoreException.");
            return false;
        } catch (NoSuchAlgorithmException unused3) {
            Log.e(TAG, "Delete cert chain error, have a NoSuchAlgorithmException.");
            return false;
        } catch (CertificateException unused4) {
            Log.e(TAG, "Delete cert chain error, have a CertificateException.");
            return false;
        }
    }

    /**
     * Encrypts {@code bArr} with the public key of the encryption key pair under {@code str},
     * generating that pair first if needed (RSA-OAEP, Cipher mode 1 = ENCRYPT_MODE).
     *
     * <p>The cipher is obtained from the default provider (no HUKS), since only the public
     * key is used; {@link #decryptCipher} uses the HUKS provider and the same OAEP/MGF1-SHA1
     * parameters, which is what makes the two interoperate. Note the fresh
     * {@code keyStore.getEntry(str, null)} check after generation: the entry must be a
     * PrivateKeyEntry even though only its certificate is used.
     *
     * <p>NOTE(review): {@code keyStore.getCertificateChain(str)[0]} is indexed without a null
     * check; a NullPointerException there is not in the catch list and would propagate.
     *
     * @param bArr plaintext; null or empty is rejected
     * @param str  key alias
     * @return ciphertext, or an empty array on invalid input or any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] encryptMsg(byte[] bArr, String str) {
        Log.i(TAG, "Begin to encrypt message");
        if (bArr != null) {
            try {
                if (bArr.length != 0) {
                    if (checkArguments(str)) {
                        return new byte[0];
                    }
                    if (!generateEncryptKeyPair(str)) {
                        Log.e(TAG, "Get encrypt key pair failed");
                        return new byte[0];
                    }
                    KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
                    keyStore.load(null);
                    if (!(keyStore.getEntry(str, null) instanceof KeyStore.PrivateKeyEntry)) {
                        Log.e(TAG, "PrivateKeyEntry is not exist， need generate a new");
                        return new byte[0];
                    }
                    PublicKey publicKey = keyStore.getCertificateChain(str)[0].getPublicKey();
                    Cipher cipher = Cipher.getInstance(ENCRYPT_ALGORITHM);
                    cipher.init(1, publicKey, new OAEPParameterSpec(FeedbackWebConstants.SHA_256, "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
                    cipher.update(bArr);
                    return cipher.doFinal();
                }
            } catch (IOException | GeneralSecurityException | ProviderException e10) {
                d.v(e10, new StringBuilder("Encrypt message failed, the detail:"), TAG);
                return new byte[0];
            }
        }
        Log.e(TAG, "Encryption message is invalid");
        return new byte[0];
    }

    /**
     * Returns the attestation certificate chain for the signing key under {@code str} as a
     * ";"-separated Base64 string (see {@link #buildCertChainString}), or "" on failure.
     *
     * <p>Steps, all under {@link #CERTIFICATE_LOCK}: validate alias; obtain or generate the
     * chain; if the leaf is an X509Certificate and is outside its validity window, delete the
     * entry and generate once more; require at least 2 certificates; run the sign/verify
     * self-test ({@link #checkValidate}) so a chain whose private key no longer matches is
     * never handed out. The {@code catch (Throwable th) { throw th; }} is a decompiler
     * artifact of the synchronized block and changes nothing.
     *
     * @param str key alias
     * @return chain string or "" (EMPTY_CERT) on any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public String getAppAuthCert(String str) {
        synchronized (CERTIFICATE_LOCK) {
            try {
                Log.i(TAG, "Generate certificate chain with alias.");
                if (checkArguments(str)) {
                    return "";
                }
                Certificate[] generateCertificateChain = generateCertificateChain(str);
                if (generateCertificateChain.length == 0) {
                    Log.e(TAG, "Get certificate chain failed.");
                    return "";
                }
                try {
                    Certificate certificate = generateCertificateChain[0];
                    if (certificate instanceof X509Certificate) {
                        ((X509Certificate) certificate).checkValidity();
                    }
                } catch (CertificateExpiredException | CertificateNotYetValidException unused) {
                    Log.e(TAG, "Certificate is expired.");
                    deleteCertChain(str);
                    generateCertificateChain = generateCertificateChain(str);
                    if (generateCertificateChain.length == 0) {
                        Log.e(TAG, "Get certificate chain failed.");
                        return "";
                    }
                }
                if (generateCertificateChain.length < 2) {
                    Log.e(TAG, "The number of certificates is not right " + generateCertificateChain.length);
                    return "";
                }
                if (checkValidate(generateCertificateChain[0], str)) {
                    return buildCertChainString(generateCertificateChain);
                }
                Log.e(TAG, "The attestation certificate is invalid");
                return "";
            } catch (Throwable th) {
                throw th;
            }
        }
    }

    /**
     * Signs {@code bArr} with the private key under {@code str} using SHA256withRSA/PSS via
     * the HUKS provider.
     *
     * <p>On success the private-key handle is destroyed ({@link Destroyable#destroy()}),
     * with a destroy failure only logged. NOTE(review): the two {@code if (0 != 0)} blocks
     * are dead code from decompilation — {@code destroyable} is never assigned — so on the
     * exception path the key handle obtained from the entry is NOT destroyed; the original
     * source presumably intended a {@code finally}-style cleanup. The "Entry is not
     * existence" log line includes the caller-supplied alias.
     *
     * @param bArr data to sign; null or empty is rejected
     * @param str  key alias
     * @return signature bytes, or an empty array on invalid input, missing entry, or failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] sign(byte[] bArr, String str) {
        Log.i(TAG, "Begin to sign text info");
        if (bArr == null || bArr.length == 0) {
            Log.e(TAG, "Signature text is invalid");
            return new byte[0];
        }
        if (checkArguments(str)) {
            return new byte[0];
        }
        Destroyable destroyable = null;
        try {
            try {
                KeyStore keyStore = KeyStore.getInstance(HW_STORE_ALIAS);
                keyStore.load(null);
                KeyStore.Entry entry = keyStore.getEntry(str, null);
                if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                    Log.e(TAG, "Entry is not existence, the alias is " + str);
                    return new byte[0];
                }
                Signature signature = Signature.getInstance(SIGNATURE_ALGORITHM, HUKS_PROVIDER);
                PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
                signature.initSign(privateKey);
                signature.update(bArr);
                byte[] sign = signature.sign();
                // Success path: release the key handle; a failed destroy is not an error.
                if (privateKey != null) {
                    try {
                        privateKey.destroy();
                    } catch (DestroyFailedException unused) {
                        Log.w(TAG, "Destroy private key failed!");
                    }
                }
                return sign;
            } catch (IOException | GeneralSecurityException | ProviderException unused2) {
                Log.e(TAG, "Sign challenge error, have a general security exception.");
                // Dead code (decompiler artifact): never executes.
                if (0 != 0) {
                    try {
                        destroyable.destroy();
                    } catch (DestroyFailedException unused3) {
                        Log.w(TAG, "Destroy private key failed!");
                    }
                }
                return new byte[0];
            }
        } catch (Throwable th) {
            // Dead code (decompiler artifact): never executes; the Throwable is rethrown as-is.
            if (0 != 0) {
                try {
                    destroyable.destroy();
                } catch (DestroyFailedException unused4) {
                    Log.w(TAG, "Destroy private key failed!");
                }
            }
            throw th;
        }
    }
}
