package defpackage;

import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import android.util.Log;
import com.huawei.openalliance.ad.constant.m;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.security.auth.DestroyFailedException;

/* compiled from: PKIAuthClientImpl.java */
/* loaded from: classes.dex */
public class yc0 implements wc0 {

    /* renamed from: a, reason: collision with root package name */
    // Class-wide monitor. a(String) holds it for the whole certificate-chain request, so the
    // validate / delete / regenerate steps of two callers cannot interleave.
    // NOTE(review): the field is public in this listing, so code outside the class could also
    // lock on it; confirm whether that is intended or only how the decompiler rendered it.
    public static final Object f2697a = new Object();

    /* compiled from: PKIAuthClientImpl.java */
    /* loaded from: classes.dex */
    // Lookup table behind a switch over the enum b (the decompiler tags it synthetic).
    // f2698a[b.X.ordinal()] holds the case label: 1 for ENCRYPT, 2 for SIGN. a(String, b) reads it
    // to pick the key purposes and padding for a new key pair.
    public static /* synthetic */ class a {

        /* renamed from: a, reason: collision with root package name */
        public static final /* synthetic */ int[] f2698a = new int[b.values().length];

        static {
            // Each entry is filled in its own try block; a NoSuchFieldError is ignored, which
            // leaves that slot at 0 (neither case label).
            try {
                f2698a[b.ENCRYPT.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f2698a[b.SIGN.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
        }
    }

    /* compiled from: PKIAuthClientImpl.java */
    /* loaded from: classes.dex */
    // Intended use of a key pair generated by this class; a(String, b) maps each value to the
    // purposes bitmask and padding passed to KeyGenParameterSpec.Builder.
    public enum b {
        // Signing key: purposes value 12 with "PSS" signature padding.
        SIGN,
        // Encryption key: purposes value 3 with "OAEPPadding" encryption padding.
        ENCRYPT
    }

    // Best-effort registration of the vendor keystore provider. The provider class is looked up
    // by name and its static install() is invoked reflectively, so this class still loads when
    // the provider is absent. Every failure is only logged: later calls that ask for the
    // "HwKeystore" keystore or the "HwUniversalKeyStoreProvider" provider are then expected to
    // fail inside their own try blocks rather than here.
    static {
        final String providerClassName = "com.huawei.security.keystore.HwUniversalKeyStoreProvider";
        try {
            Class<?> providerClass = Class.forName(providerClassName);
            // install() is static and takes no arguments, hence the null receiver.
            providerClass.getMethod("install").invoke(null);
            Log.i("PKIAuthClientImpl", "HwUniversalKeyStore: install success.");
        } catch (ClassNotFoundException missingClass) {
            Log.e("PKIAuthClientImpl", "HwUniversalKeyStore: no found.");
        } catch (NoSuchMethodException missingMethod) {
            Log.e("PKIAuthClientImpl", "HwUniversalKeyStore: function not found.");
        } catch (IllegalAccessException inaccessible) {
            Log.e("PKIAuthClientImpl", "HwUniversalKeyStore: can not access.");
        } catch (InvocationTargetException installFailed) {
            Log.e("PKIAuthClientImpl", "HwUniversalKeyStore: invocation target exception.");
        }
    }

    /**
     * Returns the certificate chain stored (or freshly generated) for an alias as one string.
     *
     * <p>Steps, all under the class-wide lock: validate the alias with {@code b(String)}, obtain
     * the chain with {@code d(String)}, regenerate it once if the leaf is outside its validity
     * window, require at least two certificates, run the local sign-and-verify check in
     * {@code a(Certificate, String)}, then encode the chain with {@code a(Certificate[])}.
     *
     * <p>The sign-and-verify step only shows that the stored private key matches the leaf
     * certificate. Nothing here validates the chain against a trust anchor.
     * NOTE(review): presumably the receiver of the returned string does that; confirm.
     *
     * @param str key alias
     * @return the encoded chain, or an empty string on any failure
     */
    @Override // defpackage.wc0
    public String a(String str) {
        synchronized (f2697a) {
            Log.i("PKIAuthClientImpl", "Generate certificate chain with alias.");
            if (!b(str)) {
                return "";
            }
            Certificate[] chain = d(str);
            if (chain.length == 0) {
                Log.e("PKIAuthClientImpl", "Get certificate chain failed.");
                return "";
            }

            // Only an X.509 leaf can be date-checked; any other type skips the check.
            boolean leafWithinValidity = true;
            Certificate leaf = chain[0];
            if (leaf instanceof X509Certificate) {
                try {
                    ((X509Certificate) leaf).checkValidity();
                } catch (CertificateExpiredException | CertificateNotYetValidException outsideWindow) {
                    leafWithinValidity = false;
                }
            }
            if (!leafWithinValidity) {
                // The same message is logged for "expired" and "not yet valid".
                Log.e("PKIAuthClientImpl", "Certificate is expired.");
                // Drop the stale entry and ask d(String) for a chain again.
                c(str);
                chain = d(str);
                if (chain.length == 0) {
                    Log.e("PKIAuthClientImpl", "Get certificate chain failed.");
                    return "";
                }
            }

            if (chain.length < 2) {
                Log.e("PKIAuthClientImpl", "The number of certificates is not right " + chain.length);
                return "";
            }
            if (!a(chain[0], str)) {
                Log.e("PKIAuthClientImpl", "The attestation certificate is invalid");
                return "";
            }
            return a(chain);
        }
    }

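    /**
     * Encodes a certificate chain as Base64 (no line wrapping) DER blobs joined by {@code m.aq}.
     *
     * <p>The last certificate of the array is not included in the output.
     *
     * <p>A null array, or one with fewer than two entries, now yields an empty string. Previously
     * such input reached {@code deleteCharAt(-1)} on an empty builder and threw.
     *
     * @param certificateArr chain to encode, leaf first
     * @return the joined encoding, or an empty string if the chain is too short, holds a null
     *     entry, or a certificate cannot be encoded
     */
    public final String a(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length < 2) {
            Log.e("PKIAuthClientImpl", "Build authorization error, certificate chain is too short.");
            return "";
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < certificateArr.length - 1; i++) {
            Certificate certificate = certificateArr[i];
            if (certificate == null) {
                Log.e("PKIAuthClientImpl", "One of certificates is null.");
                return "";
            }
            try {
                sb.append(Base64.encodeToString(certificate.getEncoded(), Base64.NO_WRAP));
            } catch (CertificateEncodingException unused) {
                Log.e("PKIAuthClientImpl", "Build authorization error, have a certificate encoding exception");
                return "";
            }
            sb.append(m.aq);
        }
        // Removes exactly one trailing character.
        // NOTE(review): this assumes m.aq is a one-character separator; confirm against its definition.
        sb.deleteCharAt(sb.length() - 1);
        Log.i("PKIAuthClientImpl", "Build authorization success.");
        return sb.toString();
    }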

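    /**
     * Builds the key-generation parameters for a new RSA key pair under the given alias.
     *
     * <p>Fixed choices made here: SHA-256 digest, certificate serial number 1337, a validity
     * window from now to ten years ahead, a locally generated attestation challenge, and no user
     * authentication requirement. The key size is not set here.
     * NOTE(review): whatever default size the provider applies should be checked against policy.
     *
     * @param str key alias
     * @param bVar intended use of the key pair
     * @return the parameter spec for {@code KeyPairGenerator.initialize}
     * @throws IllegalArgumentException if {@code bVar} is neither ENCRYPT nor SIGN; the previous
     *     code reached a null builder in that case and failed with a NullPointerException
     */
    public final AlgorithmParameterSpec a(String str, b bVar) {
        GregorianCalendar notBefore = new GregorianCalendar();
        GregorianCalendar notAfter = new GregorianCalendar();
        notAfter.add(GregorianCalendar.YEAR, 10);

        // The challenge is the first 12 hex characters of a random UUID, decoded as Base64 into
        // 9 bytes, so it carries at most 48 bits of randomness.
        // NOTE(review): it is generated on the device. A remote verifier that needs freshness
        // would have to supply the challenge itself; confirm how the server treats this value.
        byte[] challenge = Base64.decode(
                UUID.randomUUID().toString().replace("-", "").substring(0, 12), Base64.NO_WRAP);

        KeyGenParameterSpec.Builder builder;
        if (bVar == b.ENCRYPT) {
            // 3 == PURPOSE_ENCRYPT | PURPOSE_DECRYPT
            builder = new KeyGenParameterSpec.Builder(str, 3);
            builder.setEncryptionPaddings("OAEPPadding");
        } else if (bVar == b.SIGN) {
            // 12 == PURPOSE_SIGN | PURPOSE_VERIFY
            builder = new KeyGenParameterSpec.Builder(str, 12);
            builder.setSignaturePaddings("PSS");
        } else {
            throw new IllegalArgumentException("Unsupported key usage: " + bVar);
        }

        return builder
                .setDigests("SHA-256")
                // Every generated certificate requests the same constant serial number.
                .setCertificateSerialNumber(BigInteger.valueOf(1337L))
                .setCertificateNotBefore(notBefore.getTime())
                .setCertificateNotAfter(notAfter.getTime())
                .setAttestationChallenge(challenge)
                // The key can be used without the user authenticating first.
                .setUserAuthenticationRequired(false)
                .build();
    }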

    /**
     * Looks for a usable certificate chain already stored under the alias.
     *
     * <p>If a chain of at least two certificates exists and its X.509 leaf is within its validity
     * window, the chain is appended to {@code list} and {@code true} is returned. If the leaf is
     * outside its window, the entry is deleted and {@code false} is returned so that the caller
     * generates a new key pair.
     *
     * <p>NOTE(review): a leaf that is not an {@code X509Certificate} also returns {@code true},
     * but leaves {@code list} untouched. {@code d(String)} then returns an empty array, which its
     * caller treats as failure. {@code e(String)}, however, treats it as "key pair ready", so
     * encryption would proceed with a certificate that was never date-checked. Confirm whether
     * this branch should report failure instead.
     *
     * @param str key alias
     * @param list receives the stored chain when it is accepted
     * @return {@code false} when the caller should generate a new key pair
     * @throws GeneralSecurityException if the keystore cannot be obtained or loaded
     * @throws IOException if loading the keystore fails
     */
    public final boolean a(String str, List<Certificate> list) throws GeneralSecurityException, IOException {
        Log.i("PKIAuthClientImpl", "Check certificate chain is existence or not.");
        KeyStore store = KeyStore.getInstance("HwKeystore");
        store.load(null);
        Certificate[] stored = store.getCertificateChain(str);

        boolean chainPresent = stored != null && stored.length >= 2;
        if (!chainPresent) {
            Log.i("PKIAuthClientImpl", "certificate chain is not existence, need to generate new one.");
            return false;
        }

        Certificate leaf = stored[0];
        if (!(leaf instanceof X509Certificate)) {
            Log.e("PKIAuthClientImpl", "Fail to change keyAttentionCert to X509!");
            return true;
        }
        if (a((X509Certificate) leaf)) {
            Log.i("PKIAuthClientImpl", "Generate certificate chain successfully, use existence cert.");
            list.addAll(Arrays.asList(stored));
            return true;
        }

        // Leaf is expired or not yet valid: remove the entry so that a fresh one can be created.
        Log.i("PKIAuthClientImpl", "Certificate is invalid");
        c(str);
        return false;
    }

    /**
     * Verifies an RSA-PSS / SHA-256 signature.
     *
     * <p>No provider and no explicit PSS parameters are passed, so the default provider's
     * settings for "SHA256withRSA/PSS" apply.
     *
     * @param publicKey key to verify with
     * @param bArr the signature bytes
     * @param bArr2 the data that was signed
     * @return {@code true} only if the signature verifies; any exception is logged and treated
     *     as a failed verification
     */
    public final boolean a(PublicKey publicKey, byte[] bArr, byte[] bArr2) {
        boolean verified = false;
        try {
            Signature verifier = Signature.getInstance("SHA256withRSA/PSS");
            verifier.initVerify(publicKey);
            verifier.update(bArr2);
            verified = verifier.verify(bArr);
        } catch (NoSuchAlgorithmException noAlgorithm) {
            Log.e("PKIAuthClientImpl", "verify signature error, have a NoSuchAlgorithmException.");
        } catch (InvalidKeyException badKey) {
            Log.e("PKIAuthClientImpl", "verify signature error, have a InvalidKeyException.");
        } catch (SignatureException badSignature) {
            Log.e("PKIAuthClientImpl", "verify signature error, have a SignatureException.");
        }
        return verified;
    }

    /**
     * Checks that the private key stored under the alias matches the given certificate.
     *
     * <p>A random challenge (the dash-stripped random UUID from index 12 onward, as UTF-8 bytes)
     * is signed with {@code c(byte[], String)} and verified against the certificate's public
     * key. When verification fails, the keystore entry for the alias is deleted.
     *
     * <p>This is a local consistency check between key and certificate. It does not establish
     * who issued the certificate.
     *
     * @param certificate leaf certificate whose public key is used for verification
     * @param str key alias
     * @return {@code true} if the signature over the challenge verifies
     */
    public final boolean a(Certificate certificate, String str) {
        String challengeText = UUID.randomUUID().toString().replace("-", "").substring(12);
        byte[] challenge = challengeText.getBytes(StandardCharsets.UTF_8);

        byte[] signature = c(challenge, str);
        if (signature.length == 0) {
            // c(byte[], String) reports every signing failure as an empty array.
            Log.e("PKIAuthClientImpl", "The number of signature challenge is 0");
            return false;
        }

        boolean keyMatchesCertificate = a(certificate.getPublicKey(), signature, challenge);
        if (!keyMatchesCertificate) {
            Log.e("PKIAuthClientImpl", "Verify signature failed.");
            c(str);
        }
        return keyMatchesCertificate;
    }

    /**
     * Reports whether the certificate is inside its validity window at the current time.
     *
     * <p>Only the notBefore / notAfter dates are checked, through {@code checkValidity()}.
     *
     * @param x509Certificate certificate to check
     * @return {@code true} if the certificate is currently valid by date
     */
    public final boolean a(X509Certificate x509Certificate) {
        boolean withinWindow;
        try {
            x509Certificate.checkValidity();
            withinWindow = true;
        } catch (CertificateExpiredException expired) {
            Log.e("PKIAuthClientImpl", "isCertificateValidity : certificate expired exception.");
            withinWindow = false;
        } catch (CertificateNotYetValidException notYetValid) {
            Log.e("PKIAuthClientImpl", "isCertificateValidity : certificate not yet valid exception.");
            withinWindow = false;
        }
        return withinWindow;
    }

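    /**
     * Encrypts data with the public key of the leaf certificate stored under the alias.
     *
     * <p>{@code e(String)} first makes sure a key pair exists. The cipher is RSA-OAEP with
     * SHA-256 as the main digest and MGF1 over SHA-1. {@code b(byte[], String)} decrypts with the
     * same parameters, so the two must be changed together.
     *
     * <p>A missing or empty certificate chain now returns an empty array. Previously it caused
     * an uncaught NullPointerException or ArrayIndexOutOfBoundsException.
     *
     * <p>NOTE(review): unlike {@code a(String)}, this path does not run the alias through
     * {@code b(String)}; confirm whether callers validate it.
     *
     * @param bArr plaintext
     * @param str key alias
     * @return the ciphertext, or an empty array on any failure
     */
    @Override // defpackage.wc0
    public byte[] a(byte[] bArr, String str) {
        try {
            if (!e(str)) {
                Log.e("PKIAuthClientImpl", "Get encrypt key pair failed");
                return new byte[0];
            }
            KeyStore keyStore = KeyStore.getInstance("HwKeystore");
            keyStore.load(null);
            if (!(keyStore.getEntry(str, null) instanceof KeyStore.PrivateKeyEntry)) {
                Log.e("PKIAuthClientImpl", "PrivateKeyEntry is not exist， need generate a new");
                return new byte[0];
            }
            Certificate[] chain = keyStore.getCertificateChain(str);
            if (chain == null || chain.length == 0 || chain[0] == null) {
                Log.e("PKIAuthClientImpl", "Encrypt message failed, certificate chain is empty");
                return new byte[0];
            }
            PublicKey publicKey = chain[0].getPublicKey();
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            cipher.init(
                    Cipher.ENCRYPT_MODE,
                    publicKey,
                    new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
            return cipher.doFinal(bArr);
        } catch (IOException | GeneralSecurityException unused) {
            Log.e("PKIAuthClientImpl", "Encrypt message failed");
            return new byte[0];
        }
    }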

    /**
     * Validates a key alias: it must be non-null, must not be blank after trimming, and must be
     * at most 48 characters long.
     *
     * <p>The length limit is applied to the untrimmed string.
     *
     * @param str alias to validate
     * @return {@code true} if the alias is acceptable; each rejection is logged
     */
    public final boolean b(String str) {
        if (str == null) {
            Log.e("PKIAuthClientImpl", "App alias is null.");
            return false;
        }
        if (str.trim().isEmpty()) {
            Log.e("PKIAuthClientImpl", "App alias is empty.");
            return false;
        }
        boolean withinLimit = str.length() <= 48;
        if (!withinLimit) {
            Log.e("PKIAuthClientImpl", "App alias length exceeds 48.");
        }
        return withinLimit;
    }

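    /**
     * Decrypts data with the private key stored under the alias.
     *
     * <p>The cipher is RSA-OAEP with SHA-256 as the main digest and MGF1 over SHA-1, through the
     * "HwUniversalKeyStoreProvider" provider. The parameters mirror those of
     * {@code a(byte[], String)}.
     *
     * <p>Failures are now logged with a fixed message, as in the other methods of this class.
     * The previous code printed the full stack trace of the crypto exception.
     *
     * @param bArr ciphertext
     * @param str key alias
     * @return the plaintext, or an empty array if the entry is missing, is not a private-key
     *     entry, or decryption fails
     */
    @Override // defpackage.wc0
    public byte[] b(byte[] bArr, String str) {
        try {
            KeyStore keyStore = KeyStore.getInstance("HwKeystore");
            keyStore.load(null);
            Log.i("PKIAuthClientImpl", "Load  keystore success!");
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            if (entry == null) {
                Log.w("PKIAuthClientImpl", "Entry is not existence");
                return new byte[0];
            }
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                Log.w("PKIAuthClientImpl", "Not an instance of a PrivateKeyEntry");
                return new byte[0];
            }
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding", "HwUniversalKeyStoreProvider");
            cipher.init(
                    Cipher.DECRYPT_MODE,
                    privateKey,
                    new OAEPParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT));
            return cipher.doFinal(bArr);
        } catch (IOException | GeneralSecurityException unused) {
            // One fixed message for every failure cause keeps padding and key errors
            // indistinguishable in the log.
            Log.e("PKIAuthClientImpl", "Decrypt message failed");
            return new byte[0];
        }
    }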

    /**
     * Deletes the keystore entry (key and certificate chain) stored under the alias.
     *
     * <p>The alias is passed to the keystore as given; no validation happens here.
     *
     * @param str key alias
     * @return {@code true} if {@code deleteEntry} completed without an exception
     */
    public boolean c(String str) {
        Log.i("PKIAuthClientImpl", "Start to delete cert chain.");
        boolean deleted = false;
        try {
            KeyStore store = KeyStore.getInstance("HwKeystore");
            store.load(null);
            store.deleteEntry(str);
            deleted = true;
        } catch (KeyStoreException keystoreFailure) {
            Log.e("PKIAuthClientImpl", "Delete cert chain error, have a KeyStoreException.");
        } catch (CertificateException certificateFailure) {
            Log.e("PKIAuthClientImpl", "Delete cert chain error, have a CertificateException.");
        } catch (NoSuchAlgorithmException algorithmFailure) {
            Log.e("PKIAuthClientImpl", "Delete cert chain error, have a NoSuchAlgorithmException.");
        } catch (IOException ioFailure) {
            Log.e("PKIAuthClientImpl", "Delete cert chain error, have a IOException.");
        }
        return deleted;
    }

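    /**
     * Signs data with the private key stored under the alias, using RSA-PSS / SHA-256 through
     * the "HwUniversalKeyStoreProvider" provider.
     *
     * <p>The private-key handle is destroyed in a {@code finally} block, so it is released on
     * the failure paths as well as on success. The previous listing only destroyed it after a
     * successful signature; its other destroy calls sat behind {@code if (0 != 0)} and never ran.
     *
     * <p>NOTE(review): the alias is written to the error log when no private-key entry is found;
     * confirm that aliases are not sensitive.
     *
     * @param bArr data to sign
     * @param str key alias
     * @return the signature, or an empty array if the entry is missing or signing fails
     */
    public byte[] c(byte[] bArr, String str) {
        PrivateKey privateKey = null;
        try {
            KeyStore keyStore = KeyStore.getInstance("HwKeystore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                Log.e("PKIAuthClientImpl", "Entry is not existence, the alias is " + str);
                return new byte[0];
            }
            Signature signature = Signature.getInstance("SHA256withRSA/PSS", "HwUniversalKeyStoreProvider");
            privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            signature.initSign(privateKey);
            signature.update(bArr);
            return signature.sign();
        } catch (IOException | GeneralSecurityException unused) {
            Log.e("PKIAuthClientImpl", "Sign challenge error, have a general security exception.");
            return new byte[0];
        } finally {
            if (privateKey != null) {
                try {
                    privateKey.destroy();
                } catch (DestroyFailedException destroyFailed) {
                    // Best effort: failing to destroy the handle must not mask the result.
                    Log.w("PKIAuthClientImpl", "Destroy private key failed!");
                }
            }
        }
    }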

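    /**
     * Returns the certificate chain for the alias, generating a signing key pair if needed.
     *
     * <p>An existing chain accepted by {@code a(String, List)} is reused. Otherwise an RSA key
     * pair is generated through "HwUniversalKeyStoreProvider" with the SIGN parameters, and the
     * resulting chain is read back from the keystore.
     *
     * <p>Two changes from the decompiled listing. The two checked-exception handlers are merged,
     * because the second one referred to a variable that was not in scope. A null chain from the
     * keystore is turned into an empty array, because callers read {@code .length} on the result
     * without a null check.
     *
     * @param str key alias
     * @return the chain, leaf first, or an empty array on any failure
     */
    public final Certificate[] d(String str) {
        Log.i("PKIAuthClientImpl", "Start to generate certificate chain.");
        try {
            List<Certificate> existing = new ArrayList<>();
            if (a(str, existing)) {
                // May be empty: a(String, List) can return true without adding anything.
                return existing.toArray(new Certificate[0]);
            }
            Log.i("PKIAuthClientImpl", "start to generate a new certificate chain.");
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "HwUniversalKeyStoreProvider");
            keyPairGenerator.initialize(a(str, b.SIGN));
            keyPairGenerator.generateKeyPair();
            KeyStore keyStore = KeyStore.getInstance("HwKeystore");
            keyStore.load(null);
            Certificate[] generated = keyStore.getCertificateChain(str);
            if (generated == null) {
                Log.e("PKIAuthClientImpl", "Generate certificate chain error, no chain stored for the alias.");
                return new Certificate[0];
            }
            Log.i("PKIAuthClientImpl", "Generate certificate chain successfully, use new generate cert.");
            return generated;
        } catch (IOException | GeneralSecurityException e) {
            Log.e("PKIAuthClientImpl", "Generate certificate chain error, detail: " + e.getMessage());
            return new Certificate[0];
        } catch (ProviderException e) {
            // Unchecked, so it needs its own handler; logged as a missing-capability warning.
            Log.w("PKIAuthClientImpl", "Device dose not support HUKS, detail: " + e.getMessage());
            return new Certificate[0];
        }
    }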

    /**
     * Makes sure a key pair exists under the alias for encryption.
     *
     * <p>If {@code a(String, List)} accepts what is already stored, nothing is generated.
     * Otherwise an RSA key pair is created through "HwUniversalKeyStoreProvider" with the ENCRYPT
     * parameters.
     *
     * <p>NOTE(review): an existing entry is accepted whatever purposes it was generated with,
     * and the alias is not validated with {@code b(String)} on this path; confirm that both are
     * intended.
     *
     * @param str key alias
     * @return {@code true} if a key pair is available, {@code false} if generation failed
     */
    public final boolean e(String str) {
        Log.i("PKIAuthClientImpl", "Start to generate encryption certificate");
        boolean keyPairReady;
        try {
            List<Certificate> existing = new ArrayList<>(0);
            if (!a(str, existing)) {
                Log.i("PKIAuthClientImpl", "Start to generate a new encryption certificate.");
                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "HwUniversalKeyStoreProvider");
                generator.initialize(a(str, b.ENCRYPT));
                generator.generateKeyPair();
            }
            keyPairReady = true;
        } catch (IOException ioFailure) {
            Log.e("PKIAuthClientImpl", "Generate certificate chain error, have an IOException, the detail: " + ioFailure.getMessage());
            keyPairReady = false;
        } catch (GeneralSecurityException securityFailure) {
            Log.e("PKIAuthClientImpl", "Generate certificate chain error, have a general security exception, the detail: " + securityFailure.getMessage());
            keyPairReady = false;
        } catch (ProviderException unsupported) {
            Log.w("PKIAuthClientImpl", "Device dose not support HUKS.");
            keyPairReady = false;
        }
        return keyPairReady;
    }
}
