package com.microsoft.intune.cryptography.implementation;

import android.content.Context;
import android.content.pm.PackageManager;
import android.content.pm.SigningInfo;
import android.os.Build;
import androidx.annotation.RequiresApi;
import androidx.annotation.VisibleForTesting;
import androidx.exifinterface.media.ExifInterface;
import com.microsoft.identity.common.java.providers.microsoft.MicrosoftAuthorizationResponse;
import com.microsoft.intune.core.common.domain.EqByteArray;
import com.microsoft.intune.core.common.domain.IDeviceBuildInfo;
import com.microsoft.intune.core.common.domain.Version;
import com.microsoft.intune.core.utils.LoggingExtensionsKt;
import com.microsoft.intune.cryptography.androidapicomponent.abstraction.ILocalKeyStore;
import com.microsoft.intune.cryptography.domain.IKeyAttester;
import com.microsoft.intune.cryptography.domain.KeyAttestation;
import com.microsoft.intune.cryptography.domain.KeyAttestationValidationExpectations;
import com.microsoft.intune.cryptography.signingcerts.domain.ICertChainVerifier;
import com.microsoft.intune.cryptography.utils.ASN1Utils;
import com.wolfssl.WolfSSL;
import java.security.KeyException;
import java.security.MessageDigest;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Logger;
import javax.inject.Inject;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt__CollectionsJVMKt;
import kotlin.collections.CollectionsKt__IterablesKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Reflection;
import kotlin.reflect.KClass;
import kotlin.text.StringsKt__StringsJVMKt;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1Set;
import org.conscrypt.NativeCrypto;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

@RequiresApi(28)
@Metadata(d1 = {"\u0000¼\u0001\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010 \n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0006\b\u0007\u0018\u0000 K2\u00020\u0001:\u0001KB'\b\u0007\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0007\u0012\u0006\u0010\b\u001a\u00020\t¢\u0006\u0002\u0010\nJ\u0010\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0002JH\u0010\u000f\u001a\u0004\u0018\u0001H\u0010\"\u0004\b\u0000\u0010\u00102\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u00142!\u0010\u0015\u001a\u001d\u0012\u0013\u0012\u00110\u0017¢\u0006\f\b\u0018\u0012\b\b\u0019\u0012\u0004\b\b(\u001a\u0012\u0004\u0012\u0002H\u00100\u0016H\u0002¢\u0006\u0002\u0010\u001bJ\u0010\u0010\u001c\u001a\u00020\u00122\u0006\u0010\u001d\u001a\u00020\u001eH\u0016J\u0016\u0010\u001c\u001a\u00020\u00122\f\u0010\u001f\u001a\b\u0012\u0004\u0012\u00020\u000e0 
H\u0016J\u0012\u0010!\u001a\u00020\"2\b\u0010#\u001a\u0004\u0018\u00010\u001eH\u0016J\u0010\u0010$\u001a\u00020\u00142\u0006\u0010%\u001a\u00020&H\u0002J\u0015\u0010'\u001a\u00020(2\u0006\u0010)\u001a\u00020*H\u0001¢\u0006\u0002\b+J\u0010\u0010,\u001a\u00020-2\u0006\u0010)\u001a\u00020*H\u0002J\u001e\u0010.\u001a\u00020\u00122\u0006\u0010/\u001a\u00020\f2\f\u0010\u001f\u001a\b\u0012\u0004\u0012\u00020\u000e0 H\u0002J\u0010\u00100\u001a\u00020\u00172\u0006\u0010/\u001a\u00020*H\u0002J\u0015\u00101\u001a\u0002022\u0006\u0010)\u001a\u00020*H\u0001¢\u0006\u0002\b3J\u0010\u00104\u001a\u0002052\u0006\u0010)\u001a\u00020*H\u0002J\u0010\u00106\u001a\u0002072\u0006\u0010)\u001a\u00020*H\u0002J\u0017\u00108\u001a\u0004\u0018\u0001092\u0006\u0010)\u001a\u00020*H\u0001¢\u0006\u0002\b:J\u0016\u0010;\u001a\b\u0012\u0004\u0012\u0002090<2\u0006\u0010)\u001a\u00020*H\u0002J\u0010\u0010=\u001a\u00020>2\u0006\u0010)\u001a\u00020*H\u0002J\u0015\u0010?\u001a\u00020&2\u0006\u0010)\u001a\u00020*H\u0001¢\u0006\u0002\b@J\u0010\u0010A\u001a\u00020B2\u0006\u0010)\u001a\u00020*H\u0002J\u001e\u0010C\u001a\u00020D2\f\u0010\u001f\u001a\b\u0012\u0004\u0012\u00020\u000e0 2\u0006\u0010E\u001a\u00020FH\u0002J\u0018\u0010G\u001a\u00020D2\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010E\u001a\u00020FH\u0016J\u0018\u0010H\u001a\u00020D2\u0006\u0010I\u001a\u00020\u00142\u0006\u0010J\u001a\u00020\u001eH\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006L"}, d2 = {"Lcom/microsoft/intune/cryptography/implementation/KeyAttester;", "Lcom/microsoft/intune/cryptography/domain/IKeyAttester;", "androidKeyStore", "Lcom/microsoft/intune/cryptography/androidapicomponent/abstraction/ILocalKeyStore;", "buildInfo", "Lcom/microsoft/intune/core/common/domain/IDeviceBuildInfo;", 
"context", "Landroid/content/Context;", "certChainVerifier", "Lcom/microsoft/intune/cryptography/signingcerts/domain/ICertChainVerifier;", "(Lcom/microsoft/intune/cryptography/androidapicomponent/abstraction/ILocalKeyStore;Lcom/microsoft/intune/core/common/domain/IDeviceBuildInfo;Landroid/content/Context;Lcom/microsoft/intune/cryptography/signingcerts/domain/ICertChainVerifier;)V", "findAttestationExtension", "Lorg/bouncycastle/asn1/ASN1Sequence;", "cert", "Ljava/security/cert/X509Certificate;", "getAuthListProperty", ExifInterface.GPS_DIRECTION_TRUE, "attestation", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation;", "allowSoftwareEnforced", "", "getter", "Lkotlin/Function1;", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$AuthorizationList;", "Lkotlin/ParameterName;", "name", "authList", "(Lcom/microsoft/intune/cryptography/domain/KeyAttestation;ZLkotlin/jvm/functions/Function1;)Ljava/lang/Object;", "getKeyAttestation", "keyAlias", "", "chain", "", "getSignatureDigest", "", "packageName", "isSecureHardware", "level", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$SecurityLevel;", "parseAlgorithm", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$KeyAlgorithm;", "value", "Lorg/bouncycastle/asn1/ASN1Encodable;", "parseAlgorithm$cryptography_release", "parseApps", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$AppId;", "parseAttestionExtension", "seq", "parseAuthorizationList", "parseOrigin", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$KeyOrigin;", "parseOrigin$cryptography_release", "parseOsPatch", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$OsPatch;", "parseOsVersion", "Lcom/microsoft/intune/core/common/domain/Version;", "parsePurpose", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$KeyPurpose;", "parsePurpose$cryptography_release", "parsePurposes", "Ljava/util/EnumSet;", "parseRootOfTrust", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$RootOfTrust;", 
"parseSecurityLevel", "parseSecurityLevel$cryptography_release", "parseVerifiedBoot", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation$VerifiedBootState;", "validateCertChain", "", "expectations", "Lcom/microsoft/intune/cryptography/domain/KeyAttestationValidationExpectations;", "validateHardwareKeyAttestation", "validationAssert", "pass", MicrosoftAuthorizationResponse.MESSAGE, "Companion", "cryptography_release"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class KeyAttester implements IKeyAttester {

    // Class-wide logger obtained from the project's logging helper.
    @NotNull
    private static final Logger LOGGER = LoggingExtensionsKt.logger((KClass<?>) Reflection.getOrCreateKotlinClass(KeyAttester.class));

    // Source of the certificate chain for a key alias (see getKeyAttestation(String)).
    @NotNull
    private final ILocalKeyStore androidKeyStore;

    // Device build information; injected through the constructor.
    @NotNull
    private final IDeviceBuildInfo buildInfo;

    // Performs the chain validation step of validateCertChain; the trust-root comparison is done separately in that method.
    @NotNull
    private final ICertChainVerifier certChainVerifier;

    // Android context used to reach the PackageManager and the caller's own package name (see getSignatureDigest).
    @NotNull
    private final Context context;

    /**
     * Creates the attester from its injected collaborators.
     *
     * <p>Every argument is null-checked before any field is assigned, so a null
     * argument aborts construction.
     *
     * @param iLocalKeyStore key store used to look up certificate chains by alias
     * @param iDeviceBuildInfo device build information
     * @param context Android context used for package lookups
     * @param iCertChainVerifier verifier used when validating attestation chains
     */
    @Inject
    public KeyAttester(@NotNull ILocalKeyStore iLocalKeyStore, @NotNull IDeviceBuildInfo iDeviceBuildInfo, @NotNull Context context, @NotNull ICertChainVerifier iCertChainVerifier) {
        // Kotlin-generated parameter null checks, kept in declaration order.
        Intrinsics.checkNotNullParameter(iLocalKeyStore, "");
        Intrinsics.checkNotNullParameter(iDeviceBuildInfo, "");
        Intrinsics.checkNotNullParameter(context, "");
        Intrinsics.checkNotNullParameter(iCertChainVerifier, "");

        this.certChainVerifier = iCertChainVerifier;
        this.context = context;
        this.buildInfo = iDeviceBuildInfo;
        this.androidKeyStore = iLocalKeyStore;
    }

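    /**
     * Extracts the key attestation extension from a certificate and decodes it
     * into its top-level ASN.1 sequence.
     *
     * <p>{@link X509Certificate#getExtensionValue} returns the extension wrapped in a
     * DER OCTET STRING, so the value is decoded twice: once to unwrap the octet
     * string and once to read the sequence it carries. Both streams are closed on
     * every path, including when a parsing exception is thrown.
     *
     * <p>This method only decodes; it does not establish that the certificate is
     * trustworthy. Nothing read here should be relied on until the chain has been
     * validated.
     *
     * @param cert certificate expected to carry the attestation extension
     * @return the decoded attestation sequence
     * @throws KeyException if the extension is absent or empty
     * @throws CertificateParsingException if the extension is not an octet string
     *         wrapping a sequence
     */
    private final ASN1Sequence findAttestationExtension(X509Certificate cert) {
        byte[] extensionValue = cert.getExtensionValue(KeyAttesterKt.KEY_ATTESTATION_X509_EXTENSION_OID);
        if (extensionValue == null || extensionValue.length == 0) {
            throw new KeyException("Key is not attested");
        }
        try (ASN1InputStream wrapperStream = new ASN1InputStream(extensionValue)) {
            ASN1Primitive wrapper = wrapperStream.readObject();
            if (!(wrapper instanceof ASN1OctetString)) {
                throw new CertificateParsingException("Attestation extension does not contain ASN.1 octet string");
            }
            try (ASN1InputStream payloadStream = new ASN1InputStream(((ASN1OctetString) wrapper).getOctets())) {
                ASN1Primitive payload = payloadStream.readObject();
                if (!(payload instanceof ASN1Sequence)) {
                    throw new CertificateParsingException("Attestation extension does not contain ASN.1 sequence");
                }
                return (ASN1Sequence) payload;
            }
        }
    }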

    /**
     * Reads one property from the attestation's authorization lists, preferring
     * the TEE-enforced list.
     *
     * <p>The software-enforced list is consulted only when the TEE-enforced list
     * yields {@code null} and {@code allowSoftwareEnforced} is set. In the Android
     * key attestation model software-enforced entries are not vouched for by the
     * secure hardware, so callers that require hardware guarantees must pass
     * {@code false}.
     *
     * @param attestation parsed attestation to read from
     * @param allowSoftwareEnforced whether to fall back to the software-enforced list
     * @param getter accessor applied to an authorization list
     * @return the property value, or {@code null} if no permitted list supplies it
     */
    private final <T> T getAuthListProperty(KeyAttestation attestation, boolean allowSoftwareEnforced, Function1<? super KeyAttestation.AuthorizationList, ? extends T> getter) {
        T teeValue = getter.invoke(attestation.getTeeEnforced());
        if (teeValue == null && allowSoftwareEnforced) {
            return getter.invoke(attestation.getSoftwareEnforced());
        }
        return teeValue;
    }

    /**
     * Tells whether a security level denotes secure hardware.
     *
     * @param level security level to classify
     * @return {@code true} for TEE and STRONGBOX, {@code false} for anything else
     */
    private final boolean isSecureHardware(KeyAttestation.SecurityLevel level) {
        if (level == KeyAttestation.SecurityLevel.STRONGBOX) {
            return true;
        }
        return level == KeyAttestation.SecurityLevel.TEE;
    }

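    /**
     * Parses the attestation application id entry of an authorization list.
     *
     * <p>The entry is an octet string that wraps a sequence of two sets: the first
     * holds per-package sequences whose first element is read as a string, the
     * second holds values read as byte arrays (wrapped in {@link EqByteArray}).
     *
     * <p>The wrapped value comes from a certificate that may not have been
     * validated yet, so its shape is checked before use: a payload that is not a
     * sequence, or a sequence with fewer than two fields, is reported as a
     * {@link CertificateParsingException} instead of surfacing as an unchecked
     * cast or index failure.
     *
     * @param value the tagged entry's value
     * @return the parsed application id
     * @throws CertificateParsingException if the value does not have the expected
     *         structure
     */
    private final KeyAttestation.AppId parseApps(ASN1Encodable value) {
        if (!(value instanceof ASN1OctetString)) {
            throw new CertificateParsingException("Expected ASN1OctetString for applicationId, found " + value.getClass().getSimpleName());
        }
        ASN1Primitive decoded = ASN1Primitive.fromByteArray(((ASN1OctetString) value).getOctets());
        if (!(decoded instanceof ASN1Sequence)) {
            String found = decoded == null ? "null" : decoded.getClass().getSimpleName();
            throw new CertificateParsingException("Expected ASN1Sequence inside applicationId, found " + found);
        }
        ASN1Sequence appIdSequence = (ASN1Sequence) decoded;
        if (appIdSequence.size() < 2) {
            throw new CertificateParsingException("AttestationApplicationId has " + appIdSequence.size() + " fields, expected at least 2");
        }
        ASN1Encodable packageInfos = appIdSequence.getObjectAt(0);
        ASN1Encodable signatureDigests = appIdSequence.getObjectAt(1);
        if (!(packageInfos instanceof ASN1Set) || !(signatureDigests instanceof ASN1Set)) {
            throw new CertificateParsingException("Expected ASNSet inner fields of AttestationApplicationId");
        }
        ASN1Utils asn1 = ASN1Utils.INSTANCE;

        ASN1Encodable[] packageEntries = ((ASN1Set) packageInfos).toArray();
        Intrinsics.checkNotNullExpressionValue(packageEntries, "");
        List<String> packageNames = new ArrayList<>(packageEntries.length);
        for (ASN1Encodable packageEntry : packageEntries) {
            Intrinsics.checkNotNullExpressionValue(packageEntry, "");
            // Only the first element of each package entry is kept.
            ASN1Encodable nameField = asn1.asSequence(packageEntry).getObjectAt(0);
            Intrinsics.checkNotNullExpressionValue(nameField, "");
            packageNames.add(asn1.getString(nameField));
        }

        ASN1Encodable[] digestEntries = ((ASN1Set) signatureDigests).toArray();
        Intrinsics.checkNotNullExpressionValue(digestEntries, "");
        List<EqByteArray> digests = new ArrayList<>(digestEntries.length);
        for (ASN1Encodable digestEntry : digestEntries) {
            Intrinsics.checkNotNullExpressionValue(digestEntry, "");
            digests.add(new EqByteArray(asn1.getBytes(digestEntry)));
        }
        return new KeyAttestation.AppId(packageNames, digests);
    }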

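    /**
     * Builds a {@link KeyAttestation} from the decoded attestation extension.
     *
     * <p>Fields are read by position: index 1 and index 3 are parsed as security
     * levels, index 4 as the challenge bytes, and indexes 6 and 7 as authorization
     * lists. The remaining positions (0, 2 and 5) are not read.
     *
     * <p>The sequence length is checked first because the extension is parsed
     * before the chain is validated; a truncated extension is reported as a
     * {@link CertificateParsingException} rather than an unchecked index failure.
     * Parsing does not imply trust: the result must still be passed through
     * {@code validateHardwareKeyAttestation}.
     *
     * @param seq decoded attestation extension
     * @param chain certificate chain the extension was taken from, stored on the result
     * @return the parsed attestation
     * @throws CertificateParsingException if the sequence is too short or a field
     *         cannot be parsed
     */
    private final KeyAttestation parseAttestionExtension(ASN1Sequence seq, List<? extends X509Certificate> chain) {
        // Highest index read below is 7.
        if (seq.size() < 8) {
            throw new CertificateParsingException("Attestation extension has " + seq.size() + " fields, expected at least 8");
        }
        ASN1Encodable attestationLevelField = seq.getObjectAt(1);
        Intrinsics.checkNotNullExpressionValue(attestationLevelField, "");
        KeyAttestation.SecurityLevel attestationSecurityLevel = parseSecurityLevel$cryptography_release(attestationLevelField);
        ASN1Encodable keymasterLevelField = seq.getObjectAt(3);
        Intrinsics.checkNotNullExpressionValue(keymasterLevelField, "");
        KeyAttestation.SecurityLevel keymasterSecurityLevel = parseSecurityLevel$cryptography_release(keymasterLevelField);
        ASN1Utils asn1 = ASN1Utils.INSTANCE;
        ASN1Encodable challengeField = seq.getObjectAt(4);
        Intrinsics.checkNotNullExpressionValue(challengeField, "");
        EqByteArray challenge = new EqByteArray(asn1.getBytes(challengeField));
        ASN1Encodable firstAuthListField = seq.getObjectAt(6);
        Intrinsics.checkNotNullExpressionValue(firstAuthListField, "");
        KeyAttestation.AuthorizationList firstAuthList = parseAuthorizationList(firstAuthListField);
        ASN1Encodable secondAuthListField = seq.getObjectAt(7);
        Intrinsics.checkNotNullExpressionValue(secondAuthListField, "");
        // NOTE(review): constructor argument order (index 6 list, then index 7 list) is kept as found;
        // presumably software-enforced then TEE-enforced — confirm against KeyAttestation.
        return new KeyAttestation(chain, attestationSecurityLevel, keymasterSecurityLevel, challenge, firstAuthList, parseAuthorizationList(secondAuthListField));
    }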

    /**
     * Parses one authorization list from the attestation extension.
     *
     * <p>Entries are looked up by tag number; an absent tag leaves the matching
     * property {@code null}. Tags read here: 1 (purposes), 2 (algorithm),
     * 3 (key size), 702 (origin), 705 (OS version), 706 (OS patch), 704 (root of
     * trust), plus the manufacturer, model and application id tags defined in
     * {@code KeyAttesterKt}. Tags not listed are ignored.
     *
     * @param seq value expected to be an ASN.1 sequence of tagged entries
     * @return the parsed authorization list
     * @throws CertificateParsingException if {@code seq} is not a sequence or an
     *         entry cannot be parsed
     */
    private final KeyAttestation.AuthorizationList parseAuthorizationList(ASN1Encodable seq) {
        if (!(seq instanceof ASN1Sequence)) {
            throw new CertificateParsingException("Expected ASN1Sequence, found " + seq.getClass().getSimpleName());
        }
        ASN1Utils asn1 = ASN1Utils.INSTANCE;
        HashMap<Integer, ASN1Object> entriesByTag = asn1.getTaggedEntries((ASN1Sequence) seq);

        EnumSet<KeyAttestation.KeyPurpose> purposes = null;
        ASN1Object purposeEntry = entriesByTag.get(1);
        if (purposeEntry != null) {
            purposes = parsePurposes(purposeEntry);
        }

        KeyAttestation.KeyAlgorithm algorithm = null;
        ASN1Object algorithmEntry = entriesByTag.get(2);
        if (algorithmEntry != null) {
            algorithm = parseAlgorithm$cryptography_release(algorithmEntry);
        }

        Integer keySize = null;
        ASN1Object keySizeEntry = entriesByTag.get(3);
        if (keySizeEntry != null) {
            keySize = Integer.valueOf(asn1.getInt(keySizeEntry));
        }

        KeyAttestation.KeyOrigin origin = null;
        ASN1Object originEntry = entriesByTag.get(702);
        if (originEntry != null) {
            origin = parseOrigin$cryptography_release(originEntry);
        }

        Version osVersion = null;
        ASN1Object osVersionEntry = entriesByTag.get(705);
        if (osVersionEntry != null) {
            osVersion = parseOsVersion(osVersionEntry);
        }

        KeyAttestation.OsPatch osPatch = null;
        ASN1Object osPatchEntry = entriesByTag.get(706);
        if (osPatchEntry != null) {
            osPatch = parseOsPatch(osPatchEntry);
        }

        String manufacturer = null;
        ASN1Object manufacturerEntry = entriesByTag.get(Integer.valueOf(KeyAttesterKt.TAG_AUTHLIST_MANUFACTURER));
        if (manufacturerEntry != null) {
            manufacturer = asn1.getString(manufacturerEntry);
        }

        String model = null;
        ASN1Object modelEntry = entriesByTag.get(Integer.valueOf(KeyAttesterKt.TAG_AUTHLIST_MODEL));
        if (modelEntry != null) {
            model = asn1.getString(modelEntry);
        }

        KeyAttestation.RootOfTrust rootOfTrust = null;
        ASN1Object rootOfTrustEntry = entriesByTag.get(704);
        if (rootOfTrustEntry != null) {
            rootOfTrust = parseRootOfTrust(rootOfTrustEntry);
        }

        // The application id is parsed last, after every other property.
        KeyAttestation.AppId appId = null;
        ASN1Object appIdEntry = entriesByTag.get(Integer.valueOf(KeyAttesterKt.TAG_AUTHLIST_APPLICATION_ID));
        if (appIdEntry != null) {
            appId = parseApps(appIdEntry);
        }
        return new KeyAttestation.AuthorizationList(appId, purposes, algorithm, keySize, origin, osVersion, osPatch, manufacturer, model, rootOfTrust);
    }

    /**
     * Splits the integer OS patch value into its last two decimal digits and the
     * digits before them.
     *
     * @param value ASN.1 integer carrying the patch level
     * @return an {@code OsPatch} built from {@code (value % 100, value / 100)};
     *         presumably month and year of a YYYYMM value — confirm against OsPatch
     */
    private final KeyAttestation.OsPatch parseOsPatch(ASN1Encodable value) {
        int encoded = ASN1Utils.INSTANCE.getInt(value);
        int lastTwoDigits = encoded % 100;
        int leadingDigits = encoded / 100;
        return new KeyAttestation.OsPatch(lastTwoDigits, leadingDigits);
    }

    /**
     * Decodes an OS version packed as a decimal integer, two digits per
     * component below the first.
     *
     * @param value ASN.1 integer carrying the packed version
     * @return a {@link Version} with components
     *         {@code value / 10000}, {@code (value / 100) % 100}, {@code value % 100}
     */
    private final Version parseOsVersion(ASN1Encodable value) {
        int packed = ASN1Utils.INSTANCE.getInt(value);
        int first = packed / 10000;
        int second = (packed / 100) % 100;
        int third = packed % 100;
        return new Version(new long[]{first, second, third});
    }

    /**
     * Parses the set of key purposes from an authorization list entry.
     *
     * <p>Purpose codes that {@code parsePurpose$cryptography_release} does not
     * recognise are left out of the result, so the returned set can be smaller
     * than the encoded one.
     *
     * @param value ASN.1 set of purpose integers
     * @return the recognised purposes; never {@code null}
     */
    private final EnumSet<KeyAttestation.KeyPurpose> parsePurposes(ASN1Encodable value) {
        ASN1Set encodedPurposes = ASN1Utils.INSTANCE.asSet(value);
        EnumSet<KeyAttestation.KeyPurpose> purposes = EnumSet.noneOf(KeyAttestation.KeyPurpose.class);
        ASN1Encodable[] entries = encodedPurposes.toArray();
        Intrinsics.checkNotNullExpressionValue(entries, "");
        for (int index = 0; index < entries.length; index++) {
            ASN1Encodable entry = entries[index];
            Intrinsics.checkNotNullExpressionValue(entry, "");
            KeyAttestation.KeyPurpose purpose = parsePurpose$cryptography_release(entry);
            if (purpose == null) {
                continue;
            }
            purposes.add(purpose);
        }
        Intrinsics.checkNotNullExpressionValue(purposes, "");
        return purposes;
    }

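    /**
     * Parses the root-of-trust entry of an authorization list.
     *
     * <p>Index 1 of the sequence is read as a boolean and index 2 as the verified
     * boot state; the other positions are not read. The sequence length is checked
     * first so that a truncated entry is reported as a
     * {@link CertificateParsingException} rather than an unchecked index failure.
     *
     * @param value the tagged entry's value, expected to be a sequence
     * @return the parsed root of trust
     * @throws CertificateParsingException if the sequence is too short or the boot
     *         state is unknown
     */
    private final KeyAttestation.RootOfTrust parseRootOfTrust(ASN1Encodable value) {
        ASN1Utils asn1 = ASN1Utils.INSTANCE;
        ASN1Sequence rootOfTrustSequence = asn1.asSequence(value);
        // Highest index read below is 2.
        if (rootOfTrustSequence.size() < 3) {
            throw new CertificateParsingException("Root of trust has " + rootOfTrustSequence.size() + " fields, expected at least 3");
        }
        ASN1Encodable booleanField = rootOfTrustSequence.getObjectAt(1);
        Intrinsics.checkNotNullExpressionValue(booleanField, "");
        // NOTE(review): presumably the deviceLocked flag — confirm against RootOfTrust.
        boolean flag = asn1.getBool(booleanField);
        ASN1Encodable bootStateField = rootOfTrustSequence.getObjectAt(2);
        Intrinsics.checkNotNullExpressionValue(bootStateField, "");
        return new KeyAttestation.RootOfTrust(flag, parseVerifiedBoot(bootStateField));
    }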

    /**
     * Maps the encoded verified boot state to its enum value.
     *
     * @param value ASN.1 integer carrying the state (0 verified, 1 self-signed,
     *        2 unverified, 3 failed)
     * @return the matching {@code VerifiedBootState}
     * @throws CertificateParsingException for any other value
     */
    private final KeyAttestation.VerifiedBootState parseVerifiedBoot(ASN1Encodable value) {
        int stateCode = ASN1Utils.INSTANCE.getInt(value);
        switch (stateCode) {
            case 0:
                return KeyAttestation.VerifiedBootState.VERIFIED;
            case 1:
                return KeyAttestation.VerifiedBootState.SELF_SIGNED;
            case 2:
                return KeyAttestation.VerifiedBootState.UNVERIFIED;
            case 3:
                return KeyAttestation.VerifiedBootState.FAILED;
            default:
                throw new CertificateParsingException("Unknown key attestation verified boot status " + stateCode);
        }
    }

    /**
     * Validates the attestation chain and checks that it ends in an expected root.
     *
     * <p>Two steps are performed: the chain is handed to
     * {@code validateChainNoTrustRoot}, then the encoded public key of the last
     * certificate is compared with the set of accepted root keys. When the
     * expectations carry custom roots, only those are accepted; the built-in
     * Google attestation root key is used only when no custom roots are set.
     *
     * <p>The root is matched by public key, not by whole certificate, so this
     * check relies on the first step having verified the chain itself (what
     * {@code validateChainNoTrustRoot} covers is not visible here). No revocation
     * lookup is made in this method.
     *
     * @param chain attestation certificate chain; its last element is treated as the root
     * @param expectations validation expectations, optionally carrying custom roots
     * @throws KeyException if the root key is not among the accepted keys
     */
    private final void validateCertChain(List<? extends X509Certificate> chain, KeyAttestationValidationExpectations expectations) {
        this.certChainVerifier.validateChainNoTrustRoot(chain);

        X509Certificate presentedRoot = (X509Certificate) CollectionsKt___CollectionsKt.last((List<? extends Object>) chain);
        byte[] presentedKeyBytes = presentedRoot.getPublicKey().getEncoded();
        Intrinsics.checkNotNullExpressionValue(presentedKeyBytes, "");
        EqByteArray presentedRootKey = new EqByteArray(presentedKeyBytes);

        List<X509Certificate> customRoots = expectations.getCustomRoots$cryptography_release();
        List<EqByteArray> acceptedRootKeys;
        if (customRoots == null) {
            byte[] googleRootKey = KeyAttesterKt.getGOOGLE_ATTESTATION_ROOT_PUBKEY();
            Intrinsics.checkNotNullExpressionValue(googleRootKey, "");
            acceptedRootKeys = CollectionsKt__CollectionsJVMKt.listOf(new EqByteArray(googleRootKey));
        } else {
            acceptedRootKeys = new ArrayList<>(CollectionsKt__IterablesKt.collectionSizeOrDefault(customRoots, 10));
            for (X509Certificate customRoot : customRoots) {
                byte[] customKeyBytes = customRoot.getPublicKey().getEncoded();
                Intrinsics.checkNotNullExpressionValue(customKeyBytes, "");
                acceptedRootKeys.add(new EqByteArray(customKeyBytes));
            }
        }
        boolean rootIsAccepted = acceptedRootKeys.contains(presentedRootKey);
        validationAssert(rootIsAccepted, "Attestation root cert does not match expected");
    }

    /**
     * Fails validation with the given message unless the condition holds.
     *
     * @param pass result of a validation check
     * @param message text of the exception raised when the check failed
     * @throws KeyException if {@code pass} is {@code false}
     */
    private final void validationAssert(boolean pass, String message) {
        if (pass) {
            return;
        }
        throw new KeyException(message);
    }

    /**
     * Parses the attestation of the key stored under the given alias.
     *
     * <p>The chain is fetched from the local key store and handed to the
     * chain-based overload. The result is parsed data only; it has not been
     * validated.
     *
     * @param keyAlias alias of the key in the local key store
     * @return the parsed attestation
     * @throws KeyException if the key store has no certificate chain for the alias
     */
    @Override // com.microsoft.intune.cryptography.domain.IKeyAttester
    @NotNull
    public KeyAttestation getKeyAttestation(@NotNull String keyAlias) {
        Intrinsics.checkNotNullParameter(keyAlias, "");
        List<X509Certificate> storedChain = this.androidKeyStore.getCertChain(keyAlias);
        if (storedChain == null) {
            throw new KeyException("Key is not attested");
        }
        return getKeyAttestation(storedChain);
    }

    /**
     * Parses the attestation carried by the first certificate of a chain.
     *
     * <p>Only the first certificate is inspected for the attestation extension;
     * the chain is stored on the result unchanged. No signature or trust check
     * happens here, so the returned values are unauthenticated until
     * {@code validateHardwareKeyAttestation} has accepted them.
     *
     * @param chain certificate chain, leaf first
     * @return the parsed attestation
     * @throws KeyException if the chain is empty or the leaf carries no attestation
     * @throws CertificateParsingException if the extension is malformed; an
     *         {@link IllegalArgumentException} raised while parsing is wrapped in one
     */
    @Override // com.microsoft.intune.cryptography.domain.IKeyAttester
    @NotNull
    public KeyAttestation getKeyAttestation(@NotNull List<? extends X509Certificate> chain) {
        Intrinsics.checkNotNullParameter(chain, "");
        if (chain.isEmpty()) {
            throw new KeyException("Attestation chain has no entries");
        }
        Object leaf = CollectionsKt___CollectionsKt.first((List<? extends Object>) chain);
        try {
            ASN1Sequence attestationExtension = findAttestationExtension((X509Certificate) leaf);
            return parseAttestionExtension(attestationExtension, chain);
        } catch (IllegalArgumentException parseFailure) {
            throw new CertificateParsingException(parseFailure);
        }
    }

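    /**
     * Computes the SHA-256 digest of a package's signing certificate.
     *
     * <p>The package is looked up with {@link PackageManager#GET_SIGNING_CERTIFICATES},
     * the flag that populates {@code signingInfo}. The listing previously spelled
     * this flag with unrelated TLS option constants that share its numeric value
     * (0x08000000); the named PackageManager constant states the intent and does
     * not depend on those libraries.
     *
     * <p>Packages with more than one signer are rejected, so the digest always
     * covers the single APK content signer.
     *
     * @param packageName package to inspect, or {@code null} for this app's own package
     * @return SHA-256 of the signer certificate bytes
     * @throws IllegalArgumentException if the package has multiple signers
     */
    @Override // com.microsoft.intune.cryptography.domain.IKeyAttester
    @NotNull
    public byte[] getSignatureDigest(@Nullable String packageName) {
        if (packageName == null) {
            packageName = this.context.getPackageName();
        }
        PackageManager packageManager = this.context.getPackageManager();
        // API 33 introduced the PackageInfoFlags overload; older releases take the int flag directly.
        SigningInfo signingInfo = (Build.VERSION.SDK_INT >= 33 ? packageManager.getPackageInfo(packageName, PackageManager.PackageInfoFlags.of(PackageManager.GET_SIGNING_CERTIFICATES)) : packageManager.getPackageInfo(packageName, PackageManager.GET_SIGNING_CERTIFICATES)).signingInfo;
        if (signingInfo.hasMultipleSigners()) {
            throw new IllegalArgumentException("Packages with multiple signers are unsupported");
        }
        byte[] signerCertificate = signingInfo.getApkContentsSigners()[0].toByteArray();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(signerCertificate);
        Intrinsics.checkNotNullExpressionValue(digest, "");
        return digest;
    }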

    /**
     * Maps the encoded key algorithm to its enum value.
     *
     * @param value ASN.1 integer carrying the algorithm (1 RSA, 3 EC, 32 AES, 128 HMAC)
     * @return the matching {@code KeyAlgorithm}
     * @throws CertificateParsingException for any other value
     */
    @VisibleForTesting(otherwise = 2)
    @NotNull
    public final KeyAttestation.KeyAlgorithm parseAlgorithm$cryptography_release(@NotNull ASN1Encodable value) {
        Intrinsics.checkNotNullParameter(value, "");
        int algorithmCode = ASN1Utils.INSTANCE.getInt(value);
        switch (algorithmCode) {
            case 1:
                return KeyAttestation.KeyAlgorithm.RSA;
            case 3:
                return KeyAttestation.KeyAlgorithm.EC;
            case 32:
                return KeyAttestation.KeyAlgorithm.AES;
            case 128:
                return KeyAttestation.KeyAlgorithm.HMAC;
            default:
                throw new CertificateParsingException("Unknown key attestation algorithm " + algorithmCode);
        }
    }

    /**
     * Maps the encoded key origin to its enum value.
     *
     * <p>Unlike the other field parsers, an unrecognised code does not fail
     * parsing: it is logged at severe level and reported as {@code UNKNOWN}, the
     * same value returned for code 3.
     *
     * @param value ASN.1 integer carrying the origin (0 generated, 1 derived,
     *        2 imported, 3 unknown)
     * @return the matching {@code KeyOrigin}, or {@code UNKNOWN} for any other code
     */
    @VisibleForTesting(otherwise = 2)
    @NotNull
    public final KeyAttestation.KeyOrigin parseOrigin$cryptography_release(@NotNull ASN1Encodable value) {
        Intrinsics.checkNotNullParameter(value, "");
        int originCode = ASN1Utils.INSTANCE.getInt(value);
        switch (originCode) {
            case 0:
                return KeyAttestation.KeyOrigin.GENERATED;
            case 1:
                return KeyAttestation.KeyOrigin.DERIVED;
            case 2:
                return KeyAttestation.KeyOrigin.IMPORTED;
            case 3:
                return KeyAttestation.KeyOrigin.UNKNOWN;
            default:
                LOGGER.severe("Unknown key origin " + originCode);
                return KeyAttestation.KeyOrigin.UNKNOWN;
        }
    }

    /**
     * Maps one encoded key purpose to its enum value.
     *
     * <p>An unrecognised code is logged as a warning and reported as
     * {@code null}, which callers treat as "skip this entry".
     *
     * @param value ASN.1 integer carrying the purpose (0 encrypt, 1 decrypt,
     *        2 sign, 3 verify, 4 derive key, 5 wrap key)
     * @return the matching {@code KeyPurpose}, or {@code null} for any other code
     */
    @VisibleForTesting(otherwise = 2)
    @Nullable
    public final KeyAttestation.KeyPurpose parsePurpose$cryptography_release(@NotNull ASN1Encodable value) {
        Intrinsics.checkNotNullParameter(value, "");
        int purposeCode = ASN1Utils.INSTANCE.getInt(value);
        switch (purposeCode) {
            case 0:
                return KeyAttestation.KeyPurpose.ENCRYPT;
            case 1:
                return KeyAttestation.KeyPurpose.DECRYPT;
            case 2:
                return KeyAttestation.KeyPurpose.SIGN;
            case 3:
                return KeyAttestation.KeyPurpose.VERIFY;
            case 4:
                return KeyAttestation.KeyPurpose.DERIVE_KEY;
            case 5:
                return KeyAttestation.KeyPurpose.WRAP_KEY;
            default:
                LOGGER.warning("Ignoring unknown key attestation key purpose " + purposeCode);
                return null;
        }
    }

    /**
     * Maps the encoded security level to its enum value.
     *
     * @param value ASN.1 value carrying the level (0 software, 1 TEE, 2 StrongBox)
     * @return the matching {@code SecurityLevel}
     * @throws CertificateParsingException for any other value, so an unrecognised
     *         level is never treated as a known one
     */
    @VisibleForTesting(otherwise = 2)
    @NotNull
    public final KeyAttestation.SecurityLevel parseSecurityLevel$cryptography_release(@NotNull ASN1Encodable value) {
        Intrinsics.checkNotNullParameter(value, "");
        int levelCode = ASN1Utils.INSTANCE.getInt(value);
        switch (levelCode) {
            case 0:
                return KeyAttestation.SecurityLevel.SOFTWARE;
            case 1:
                return KeyAttestation.SecurityLevel.TEE;
            case 2:
                return KeyAttestation.SecurityLevel.STRONGBOX;
            default:
                throw new CertificateParsingException("Unknown key attestation security level " + levelCode);
        }
    }

    @Override // com.microsoft.intune.cryptography.domain.IKeyAttester
    public void validateHardwareKeyAttestation(@NotNull KeyAttestation attestation, @NotNull KeyAttestationValidationExpectations expectations) {
        boolean equals;
        boolean equals2;
        Intrinsics.checkNotNullParameter(attestation, "");
        Intrinsics.checkNotNullParameter(expectations, "");
        if (!expectations.getFlags$cryptography_release().contains(KeyAttestationValidationExpectations.Flag.SKIP_ROOT_CERT_CHECK_DANGER_NOT_FOR_PROD)) {
            validateCertChain(attestation.getChain(), expectations);
        }
        EnumSet<KeyAttestationValidationExpectations.Flag> flags$cryptography_release = expectations.getFlags$cryptography_release();
        KeyAttestationValidationExpectations.Flag flag = KeyAttestationValidationExpectations.Flag.REQUIRE_SECURE_HARDWARE;
        if (flags$cryptography_release.contains(flag)) {
            validationAssert(isSecureHardware(attestation.getAttestationSecurityLevel()), "Attestation is not bound to hardware");
            validationAssert(isSecureHardware(attestation.getKeymasterSecurityLevel()), "Keymaster is not in hardware");
        }
        if (expectations.getRequiredChallenge() != null) {
            validationAssert(Intrinsics.areEqual(expectations.getRequiredChallenge(), attestation.getChallenge()), "Attestation challenge did not match. Expected " + expectations.getRequiredChallenge() + " but found " + attestation.getChallenge());
        }
        boolean z = !expectations.getFlags$cryptography_release().contains(flag);
        EnumSet enumSet = (EnumSet) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, EnumSet<KeyAttestation.KeyPurpose>>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$purpose$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final EnumSet<KeyAttestation.KeyPurpose> invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getPurpose();
            }
        });
        KeyAttestation.KeyAlgorithm keyAlgorithm = (KeyAttestation.KeyAlgorithm) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, KeyAttestation.KeyAlgorithm>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$algorithm$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final KeyAttestation.KeyAlgorithm invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getAlgorithm();
            }
        });
        Integer num = (Integer) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, Integer>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$keySize$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final Integer invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getKeySize();
            }
        });
        KeyAttestation.KeyOrigin keyOrigin = (KeyAttestation.KeyOrigin) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, KeyAttestation.KeyOrigin>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$keyOrigin$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final KeyAttestation.KeyOrigin invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getOrigin();
            }
        });
        KeyAttestation.RootOfTrust rootOfTrust = (KeyAttestation.RootOfTrust) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, KeyAttestation.RootOfTrust>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$rootOfTrust$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final KeyAttestation.RootOfTrust invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getRootOfTrust();
            }
        });
        Version version = (Version) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, Version>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$osVersion$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final Version invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getOsVersion();
            }
        });
        KeyAttestation.OsPatch osPatch = (KeyAttestation.OsPatch) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, KeyAttestation.OsPatch>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$osPatch$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final KeyAttestation.OsPatch invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getOsPatch();
            }
        });
        String str = (String) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, String>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$manufacturer$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final String invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getManufacturer();
            }
        });
        String str2 = (String) getAuthListProperty(attestation, z, new Function1<KeyAttestation.AuthorizationList, String>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$model$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final String invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getModel();
            }
        });
        KeyAttestation.AppId appId = (KeyAttestation.AppId) getAuthListProperty(attestation, true, new Function1<KeyAttestation.AuthorizationList, KeyAttestation.AppId>() { // from class: com.microsoft.intune.cryptography.implementation.KeyAttester$validateHardwareKeyAttestation$apps$1
            @Override // kotlin.jvm.functions.Function1
            @Nullable
            public final KeyAttestation.AppId invoke(@NotNull KeyAttestation.AuthorizationList authorizationList) {
                Intrinsics.checkNotNullParameter(authorizationList, "");
                return authorizationList.getApps();
            }
        });
        validationAssert(enumSet != null, "Key purpose is unknown");
        validationAssert(enumSet != null ? enumSet.contains(KeyAttestation.KeyPurpose.SIGN) : false, "Key not known to be valid for signing");
        validationAssert(keyAlgorithm == KeyAttestation.KeyAlgorithm.RSA, "Attestation key algorithm did not match, expected RSA found " + keyAlgorithm);
        validationAssert(num != null && num.intValue() >= 2048, "Unexpected key size " + num);
        validationAssert(keyOrigin == KeyAttestation.KeyOrigin.GENERATED, "Unexpected key origin " + keyOrigin);
        if (expectations.getFlags$cryptography_release().contains(KeyAttestationValidationExpectations.Flag.REQUIRE_VERIFIED_BOOT)) {
            validationAssert(rootOfTrust != null, "Unknown root of trust");
            validationAssert(rootOfTrust != null && rootOfTrust.getBootloaderLocked(), "Bootloader is not locked");
            boolean z2 = rootOfTrust != null && rootOfTrust.getVerifiedBoot() == KeyAttestation.VerifiedBootState.VERIFIED;
            StringBuilder sb = new StringBuilder();
            sb.append("Verified boot failed: ");
            sb.append(rootOfTrust != null ? rootOfTrust.getVerifiedBoot() : null);
            validationAssert(z2, sb.toString());
        }
        if (expectations.getFlags$cryptography_release().contains(KeyAttestationValidationExpectations.Flag.REQUIRE_OS_VERSION)) {
            validationAssert(version != null, "OS Version is not attested");
            validationAssert(osPatch != null, "OS Security Patch is not attested");
        }
        if (version != null) {
            Version osVersion = this.buildInfo.getOsVersion();
            validationAssert(osVersion != null, "OS Version could not be parsed");
            validationAssert(Intrinsics.areEqual(version, osVersion), "Attested OS version does not match software-reported version");
        }
        if (osPatch != null) {
            Date osPatchDate = this.buildInfo.getOsPatchDate();
            validationAssert(osPatchDate != null, "OS Security Patch could not be parsed");
            Calendar calendar = Calendar.getInstance();
            Intrinsics.checkNotNull(osPatchDate);
            calendar.setTime(osPatchDate);
            int i = calendar.get(1);
            int i2 = calendar.get(2) + 1;
            validationAssert(osPatch.getYear() == i, "OS security patch year does not match. " + i + " vs " + osPatch.getYear());
            validationAssert(osPatch.getMonth() == i2, "OS security patch month does not match. " + i2 + " vs " + osPatch.getMonth());
        }
        if (expectations.getAllowedPkg() != null) {
            validationAssert(appId != null, "App with access to the key is not attested");
            Intrinsics.checkNotNull(appId);
            validationAssert(appId.getPkgs().size() == 1, "Expected exactly one allowed app, found " + appId.getPkgs().size());
            validationAssert(Intrinsics.areEqual(appId.getPkgs().get(0), expectations.getAllowedPkg()), "Unexpected allowed app " + appId.getPkgs().get(0));
        }
        if (expectations.getAllowedSignatureDigest() != null) {
            validationAssert(appId != null, "App with access to the key is not attested");
            Intrinsics.checkNotNull(appId);
            validationAssert(appId.getSignatureDigests().size() == 1, "Expected exactly one signature digest, found " + appId.getSignatureDigests().size());
            EqByteArray eqByteArray = appId.getSignatureDigests().get(0);
            byte[] allowedSignatureDigest = expectations.getAllowedSignatureDigest();
            Intrinsics.checkNotNull(allowedSignatureDigest);
            validationAssert(Intrinsics.areEqual(eqByteArray, new EqByteArray(allowedSignatureDigest)), "Signature digest mismatch");
        }
        if (str != null) {
            String manufacturer = this.buildInfo.getManufacturer();
            equals2 = StringsKt__StringsJVMKt.equals(str, manufacturer, true);
            validationAssert(equals2, "Manufacturer does not match. " + str + " vs " + manufacturer);
        }
        if (str2 != null) {
            String model = this.buildInfo.getModel();
            equals = StringsKt__StringsJVMKt.equals(str2, model, true);
            validationAssert(equals, "Model does not match. " + str2 + " vs " + model);
        }
    }
}
