package com.microsoft.omadm.platforms.android.certmgr;

import android.security.KeyChainException;
import com.microsoft.intune.common.http.SDLSSLSocketFactory;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.platforms.ICertificateStoreManager;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificate;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificateRequest;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificateState;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepEnrollCertificateRequest;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepRenewCertificateRequest;
import com.microsoft.omadm.utils.CertUtils;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.jscep.client.Client;
import org.jscep.client.EnrollmentResponse;
import org.jscep.transport.TransportException;
import org.jscep.transport.TransportFactory;
import org.jscep.transport.UrlConnectionTransportFactory;
import org.jscep.transport.request.GetCaCapsRequest;
import org.jscep.transport.response.Capabilities;
import org.jscep.transport.response.GetCaCapsResponseHandler;
import org.spongycastle.pkcs.PKCS10CertificationRequest;

/* loaded from: classes.dex */
/**
 * Handles SCEP certificate operations (enrollment, renewal and polling for a
 * pending certificate) against one of the NDES servers listed on a request,
 * using the jscep {@link Client}. Every operation either returns a populated
 * {@link ScepCertificateState} or returns {@code null} after recording an error
 * code and status on the request (see {@link #setErrorCodeAndReturnNull}).
 *
 * <p>This is decompiled code: the nested try/catch shapes below are the
 * decompiler's reconstruction and are documented as they behave here, not as
 * the original author necessarily wrote them.
 */
public class CertificateRequestHandler {
    // Custom error codes written to ScepCertificateRequest.lastError. The call
    // sites in this class pass the literal values (17, 18, 19, ...) rather than
    // these names, so keep the two in sync when changing either.
    static final int CERTIFICATE_CUSTOM_ERROR_BAD_ALGORTHIM = 17;
    static final int CERTIFICATE_CUSTOM_ERROR_BASE = 16;
    static final int CERTIFICATE_CUSTOM_ERROR_CREATE_REQUEST = 20;
    static final int CERTIFICATE_CUSTOM_ERROR_GENERATE_CERTIFICATE = 23;
    static final int CERTIFICATE_CUSTOM_ERROR_GET_PRIVATE_KEY = 22;
    static final int CERTIFICATE_CUSTOM_ERROR_KEYSTORE_LOCKED = 34;
    static final int CERTIFICATE_CUSTOM_ERROR_MALFORMED_URL = 18;
    static final int CERTIFICATE_CUSTOM_ERROR_NOT_FOUND = 32;
    static final int CERTIFICATE_CUSTOM_ERROR_OPEN_STORE = 24;
    static final int CERTIFICATE_CUSTOM_ERROR_REQUEST_FAILED = 21;
    static final int CERTIFICATE_CUSTOM_ERROR_RETRIEVING_CERT_FROM_STORE = 33;
    static final int CERTIFICATE_CUSTOM_ERROR_SAVE_STORE = 25;
    static final int CERTIFICATE_CUSTOM_ERROR_SIGN_CERTIFICATE = 19;
    static final int CERTIFICATE_CUSTOM_ERROR_SUCCESS = 0;
    // SCEP CA profile name sent with GetCACaps, enrol and poll requests.
    private static final String PROFILE = "ca";
    // Store used to load the existing user certificate on renewal.
    private final ICertificateStoreManager certMgr;
    private final Logger logger = Logger.getLogger(CertificateRequestHandler.class.getName());
    // Source of the entry/store passwords for the PKCS12 blob built on success.
    private final CertStorePasswords passwords;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    /**
     * An NDES server selected by {@link #findValidNdesServer}: its URL, the CA
     * capabilities it advertised, and a jscep {@link Client} bound to it.
     */
    public static class NdesServerInfo {
        public Capabilities capabilities;
        public Client client;
        public URL url;

        private NdesServerInfo() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param iCertificateStoreManager store used to load an existing user certificate on renewal
     * @param certStorePasswords       provider of the entry and store passwords for the PKCS12 blob
     */
    public CertificateRequestHandler(ICertificateStoreManager iCertificateStoreManager, CertStorePasswords certStorePasswords) {
        this.certMgr = iCertificateStoreManager;
        this.passwords = certStorePasswords;
    }

    /**
     * Picks an NDES server from {@code scepCertificateRequest.ndesUrls}, trying the
     * URLs in random order and returning the first one that answers a GetCACaps request.
     *
     * @param scepCertificateRequest request whose {@code ndesUrls} and {@code caThumbPrint} are used
     * @return server info with {@code url}, {@code capabilities} and {@code client} set, or
     *         {@code null} when no listed URL is both well-formed and reachable
     * @throws OMADMException if building the jscep client for the chosen server fails
     */
    private NdesServerInfo findValidNdesServer(ScepCertificateRequest scepCertificateRequest) throws OMADMException {
        NdesServerInfo ndesServerInfo = new NdesServerInfo();
        // Shuffle a copy so the array on the request is left untouched.
        ArrayList arrayList = new ArrayList(Arrays.asList(scepCertificateRequest.ndesUrls));
        Collections.shuffle(arrayList);
        for (int i = 0; i < arrayList.size(); i++) {
            try {
                ndesServerInfo.url = new URL((String) arrayList.get(i));
                ndesServerInfo.capabilities = tryGetCaCapabilities(ndesServerInfo.url);
            } catch (MalformedURLException e) {
                // NOTE: new URL(...) threw before the assignment, so ndesServerInfo.url still
                // holds the previous iteration's URL (or null) — the logged value is not the
                // string that failed to parse.
                this.logger.log(Level.WARNING, "Malformed NDES Url: " + ndesServerInfo.url, (Throwable) e);
            }
            // A null result from tryGetCaCapabilities (transport failure) moves on to the next URL.
            if (ndesServerInfo.capabilities != null) {
                ndesServerInfo.client = getClient(scepCertificateRequest, ndesServerInfo.url);
                return ndesServerInfo;
            }
        }
        return null;
    }

    /**
     * Generates an RSA key pair of the given size, using the provider's default
     * source of randomness (no explicit {@code SecureRandom} is supplied).
     *
     * @param i key size in bits (taken from the request's {@code keyLength})
     * @throws NoSuchAlgorithmException if no RSA {@link KeyPairGenerator} is available
     */
    private static KeyPair generateKeyPair(int i) throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(i);
        return keyPairGenerator.genKeyPair();
    }

    /**
     * Overload that parses {@code str} as a URL before delegating to {@link #getClient(ScepCertificateRequest, URL)}.
     *
     * @throws MalformedURLException if {@code str} is not a valid URL
     * @throws OMADMException        propagated from the URL overload
     */
    private Client getClient(ScepCertificateRequest scepCertificateRequest, String str) throws MalformedURLException, OMADMException {
        return getClient(scepCertificateRequest, new URL(str));
    }

    /**
     * Builds a jscep client for {@code url}. The CA certificate chain is verified by a
     * {@link CertificateChainVerifier} keyed on the request's {@code caThumbPrint}, and
     * the client uses the transport factory from {@link #getTransportFactory()}.
     *
     * @throws OMADMException propagated from {@link #getTransportFactory()}
     */
    private Client getClient(ScepCertificateRequest scepCertificateRequest, URL url) throws OMADMException {
        Client client = new Client(url, new CertificateChainVerifier(scepCertificateRequest.caThumbPrint));
        client.setTransportFactory(getTransportFactory());
        return client;
    }

    /**
     * Builds the jscep transport factory. The preferred path wraps the SSL context from
     * {@code PolicyCertificatesTrustManager.getSslContext()} in an {@link SDLSSLSocketFactory}.
     *
     * <p>Failure behaviour as decompiled: any exception from building that context is
     * wrapped in an OMADMException by the inner catch, which the outer
     * {@code catch (OMADMException e2)} immediately catches, so that exception never
     * leaves this method and the code falls back to {@code new SDLSSLSocketFactory()} —
     * a socket factory <em>without</em> the policy trust manager. NOTE(review): this is
     * a silent downgrade of the TLS trust configuration; callers cannot tell the
     * fallback from the intended factory except via the WARNING log line. The
     * {@code KeyManagementException} and {@code NoSuchAlgorithmException} branches cannot
     * be reached because the inner {@code catch (Exception e)} already covers them.
     *
     * @throws OMADMException declared; the only explicit throw in this method is caught
     *                        by the outer catch, and whether the fallback constructors can
     *                        throw is not visible here
     */
    private TransportFactory getTransportFactory() throws OMADMException {
        SDLSSLSocketFactory sDLSSLSocketFactory;
        try {
            try {
                sDLSSLSocketFactory = new SDLSSLSocketFactory(PolicyCertificatesTrustManager.getSslContext());
            } catch (Exception e) {
                // Caught by the outer catch (OMADMException e2) below, never propagated.
                throw new OMADMException("Could not get TransportFactory with a secure socket factory.", e);
            }
        } catch (OMADMException e2) {
            // Fallback: default socket factory, no policy trust manager.
            this.logger.warning("Unable to construct transport factory with PolicyCertificatesTrustManager; using transport factory without.");
            sDLSSLSocketFactory = new SDLSSLSocketFactory();
            return new UrlConnectionTransportFactory(sDLSSLSocketFactory);
        } catch (KeyManagementException e3) {
            // Unreachable as written (see Javadoc); kept byte-for-byte from the decompiled class.
            this.logger.warning("Unable to construct transport factory with PolicyCertificatesTrustManager; using transport factory without.");
            sDLSSLSocketFactory = new SDLSSLSocketFactory();
            return new UrlConnectionTransportFactory(sDLSSLSocketFactory);
        } catch (NoSuchAlgorithmException e4) {
            // Unreachable as written (see Javadoc); kept byte-for-byte from the decompiled class.
            this.logger.warning("Unable to construct transport factory with PolicyCertificatesTrustManager; using transport factory without.");
            sDLSSLSocketFactory = new SDLSSLSocketFactory();
            return new UrlConnectionTransportFactory(sDLSSLSocketFactory);
        }
        return new UrlConnectionTransportFactory(sDLSSLSocketFactory);
    }

    /**
     * Reports whether a custom error code means the request should not be retried.
     * Only 19 ({@code CERTIFICATE_CUSTOM_ERROR_SIGN_CERTIFICATE}, recorded by
     * {@link #enrollCertificate} when the self-signed certificate cannot be created)
     * is unrecoverable; every other code is treated as recoverable.
     *
     * @param i a {@code CERTIFICATE_CUSTOM_ERROR_*} value
     */
    public static boolean isUnrecoverableError(int i) {
        switch (i) {
            case 19:
                return true;
            default:
                return false;
        }
    }

    /**
     * Translates a jscep {@link EnrollmentResponse} into the request's next state.
     *
     * <ul>
     *   <li>Failure (neither success nor pending): status {@code CERT_ENROLL_ERROR},
     *       {@code lastError} = the SCEP failInfo value; returns {@code null}.</li>
     *   <li>Pending: status {@code CERT_ENROLL_PENDING}; the transaction id, the
     *       certificate and private key used for the request and, when {@code str} is
     *       non-null, the NDES URL are kept on the request so
     *       {@link #pollNdesForCertificate} can resume; returns {@code null}.</li>
     *   <li>Success: returns a {@link ScepCertificateState} holding an in-memory PKCS12
     *       keystore (entry and store passwords from {@code passwords}) serialised into
     *       {@code certStoreBlob}, plus thumbprint, alias, issuer DN, encoded private key
     *       and the operation type derived from the request.</li>
     * </ul>
     *
     * @param scepCertificateRequest request being processed; updated in place on failure or pending
     * @param enrollmentResponse     response from {@code Client.enrol} or {@code Client.poll}
     * @param privateKey             private key matching the requested certificate
     * @param x509Certificate        certificate the SCEP message was signed with (self-signed on
     *                               enroll, the existing certificate on renew)
     * @param str                    NDES server URL to remember for polling, or {@code null} to
     *                               leave {@code pendingCertNdesServer} as is
     * @return the enrolled state, or {@code null} with the outcome recorded on the request
     */
    private ScepCertificateState processResponseAndReturnResult(ScepCertificateRequest scepCertificateRequest, EnrollmentResponse enrollmentResponse, PrivateKey privateKey, X509Certificate x509Certificate, String str) {
        if (!enrollmentResponse.isSuccess()) {
            if (!enrollmentResponse.isPending()) {
                scepCertificateRequest.status = CertStatus.CERT_ENROLL_ERROR;
                scepCertificateRequest.lastError = Integer.valueOf(enrollmentResponse.getFailInfo().getValue());
                return null;
            }
            // Pending: keep everything needed to poll later on the request itself.
            scepCertificateRequest.status = CertStatus.CERT_ENROLL_PENDING;
            scepCertificateRequest.lastError = 0;
            scepCertificateRequest.transactId = enrollmentResponse.getTransactionId();
            scepCertificateRequest.pendingCertificate = x509Certificate;
            scepCertificateRequest.privateKey = privateKey;
            if (str != null) {
                scepCertificateRequest.pendingCertNdesServer = str;
            }
            return null;
        }
        try {
            // Chain returned by the CA; element 0 is used below as the end-entity certificate.
            X509Certificate[] x509CertificateArr = (X509Certificate[]) enrollmentResponse.getCertStore().getCertificates(null).toArray(new X509Certificate[0]);
            ScepCertificateState scepCertificateState = new ScepCertificateState(scepCertificateRequest.requestId, scepCertificateRequest.userId);
            try {
                try {
                    // NOTE: an empty chain makes this index throw; that is caught by the
                    // catch (Exception e2) below and reported as error 24 with a keystore message.
                    scepCertificateState.thumbprint = CertUtils.getThumbPrint(x509CertificateArr[0]);
                } catch (OMADMException e) {
                    // Thumbprint failure is non-fatal; the generated alias then becomes "User".
                    scepCertificateState.thumbprint = "";
                }
                if (scepCertificateRequest.isReplaceRequest() || scepCertificateRequest.isRenewRequest()) {
                    scepCertificateState.alias = scepCertificateRequest.getAlias();
                } else {
                    scepCertificateState.alias = "User" + scepCertificateState.thumbprint;
                }
                // Package key and chain as a password-protected PKCS12 blob held in memory.
                KeyStore keyStore = KeyStore.getInstance("PKCS12");
                keyStore.load(null, null);
                keyStore.setKeyEntry(scepCertificateState.alias, privateKey, this.passwords.getEntryPassword(), x509CertificateArr);
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                keyStore.store(byteArrayOutputStream, this.passwords.getStorePassword());
                scepCertificateState.certStoreBlob = byteArrayOutputStream.toByteArray();
                scepCertificateState.status = CertStatus.CERT_ENROLLED;
                scepCertificateState.lastError = 0;
                scepCertificateState.issuers = x509CertificateArr[0].getIssuerDN().getName();
                // NOTE(review): the raw encoded private key is also kept on the state, outside the
                // password-protected PKCS12 blob; how this field is persisted is not visible here.
                scepCertificateState.privateKey = privateKey.getEncoded();
                if (scepCertificateRequest.isReplaceRequest()) {
                    scepCertificateState.opType = CertOperation.CERT_REPLACE;
                    return scepCertificateState;
                }
                if (scepCertificateRequest.isRenewRequest()) {
                    scepCertificateState.opType = CertOperation.CERT_RENEW;
                    return scepCertificateState;
                }
                scepCertificateState.opType = CertOperation.CERT_ENROLL;
                return scepCertificateState;
            } catch (Exception e2) {
                // Covers KeyStore errors and any other failure after the chain was obtained.
                return setErrorCodeAndReturnNull(scepCertificateRequest, e2, "Couldn't retrieve the PKCS12 keystore instance", 24, CertStatus.CERT_ENROLL_ERROR);
            }
        } catch (CertStoreException e3) {
            return setErrorCodeAndReturnNull(scepCertificateRequest, e3, "Couldn't retrieve the certificates from the store", 33, CertStatus.CERT_ENROLL_ERROR);
        }
    }

    /**
     * Logs {@code exc} at SEVERE with message {@code str}, records {@code i} as the
     * request's {@code lastError} and {@code certStatus} as its status, and returns
     * {@code null} so callers can {@code return} the call directly.
     *
     * @param scepCertificateRequest request to update in place
     * @param exc                    cause to log
     * @param str                    log message
     * @param i                      {@code CERTIFICATE_CUSTOM_ERROR_*} value to record
     * @param certStatus             status to record
     * @return always {@code null}
     */
    private ScepCertificateState setErrorCodeAndReturnNull(ScepCertificateRequest scepCertificateRequest, Exception exc, String str, int i, CertStatus certStatus) {
        this.logger.log(Level.SEVERE, str, (Throwable) exc);
        scepCertificateRequest.lastError = Integer.valueOf(i);
        scepCertificateRequest.status = certStatus;
        return null;
    }

    /**
     * Sends a SCEP GetCACaps request for CA profile {@link #PROFILE} over HTTP GET to {@code url}.
     *
     * @return the advertised capabilities, or {@code null} when the transport fails
     *         (logged at WARNING so the caller can try another server)
     * @throws OMADMException propagated from {@link #getTransportFactory()}
     */
    private Capabilities tryGetCaCapabilities(URL url) throws OMADMException {
        try {
            return (Capabilities) getTransportFactory().forMethod(TransportFactory.Method.GET, url).sendRequest(new GetCaCapsRequest(PROFILE), new GetCaCapsResponseHandler());
        } catch (TransportException e) {
            this.logger.log(Level.WARNING, "Connection to '" + url.toString() + "' failed.", (Throwable) e);
            return null;
        }
    }

    /**
     * Performs a fresh SCEP enrollment: generates an RSA key pair of {@code keyLength}
     * bits, stores its private key on the request, selects an NDES server, creates a
     * self-signed certificate and a PKCS10 request using the strongest signature
     * algorithm the CA supports among the request's {@code hashAlgorithms}, and submits
     * it via {@code Client.enrol}.
     *
     * <p>Error codes recorded on the request: 17 (no RSA algorithm), 21 with
     * {@code CERT_ENROLL_ERROR} (no usable NDES server), 19 (self-signed certificate
     * failed — the only code {@link #isUnrecoverableError} reports as unrecoverable),
     * 21 with {@code CERT_ENROLL_REQUEST_RETRY} (enrol call failed), and 20 (see the
     * inline note on the nested try blocks).
     *
     * @return the enrolled state, or {@code null} on error or pending
     *         (see {@link #processResponseAndReturnResult})
     * @throws OMADMException from {@link #findValidNdesServer} if the client cannot be built
     */
    public ScepCertificateState enrollCertificate(ScepEnrollCertificateRequest scepEnrollCertificateRequest) throws OMADMException {
        try {
            KeyPair generateKeyPair = generateKeyPair(scepEnrollCertificateRequest.keyLength.intValue());
            scepEnrollCertificateRequest.privateKey = generateKeyPair.getPrivate();
            NdesServerInfo findValidNdesServer = findValidNdesServer(scepEnrollCertificateRequest);
            if (findValidNdesServer == null) {
                return setErrorCodeAndReturnNull(scepEnrollCertificateRequest, new OMADMException("Couldn't find a valid NDES server in the certificate enrollment request"), "Enrollment request failed", 21, CertStatus.CERT_ENROLL_ERROR);
            }
            String strongestSignatureAlgorithm = findValidNdesServer.capabilities.getStrongestSignatureAlgorithm(scepEnrollCertificateRequest.hashAlgorithms);
            try {
                X509Certificate createSelfSignedCertificate = CertificateRequestBuilder.createSelfSignedCertificate(scepEnrollCertificateRequest, generateKeyPair, strongestSignatureAlgorithm);
                try {
                    try {
                        // As decompiled, createCertificateEnrollRequest is evaluated inside this
                        // innermost try, so its failure is reported as 21/RETRY by the catch directly
                        // below; the "PKCS10" handler (20) only sees exceptions from that handler.
                        return processResponseAndReturnResult(scepEnrollCertificateRequest, findValidNdesServer.client.enrol(createSelfSignedCertificate, generateKeyPair.getPrivate(), CertificateRequestBuilder.createCertificateEnrollRequest(scepEnrollCertificateRequest, generateKeyPair, strongestSignatureAlgorithm), PROFILE, scepEnrollCertificateRequest.hashAlgorithms), generateKeyPair.getPrivate(), createSelfSignedCertificate, findValidNdesServer.url.toString());
                    } catch (Exception e) {
                        return setErrorCodeAndReturnNull(scepEnrollCertificateRequest, e, "Enrollment request failed", 21, CertStatus.CERT_ENROLL_REQUEST_RETRY);
                    }
                } catch (Exception e2) {
                    return setErrorCodeAndReturnNull(scepEnrollCertificateRequest, e2, "Failed to create the PKCS10 Certificate Enroll Request", 20, CertStatus.CERT_ENROLL_ERROR);
                }
            } catch (Exception e3) {
                return setErrorCodeAndReturnNull(scepEnrollCertificateRequest, e3, "Failed to create the self signed certificate", 19, CertStatus.CERT_ENROLL_ERROR);
            }
        } catch (NoSuchAlgorithmException e4) {
            return setErrorCodeAndReturnNull(scepEnrollCertificateRequest, e4, "Failed to get the RSA algorithm instance", 17, CertStatus.CERT_ENROLL_ERROR);
        }
    }

    /**
     * Polls the NDES server remembered on a pending request
     * ({@code pendingCertNdesServer}) for the certificate identified by
     * {@code transactId}, reusing the pending certificate and private key stored when
     * the enrollment went pending.
     *
     * @param scepCertificateRequest pending request; updated in place on error
     * @return the enrolled state, or {@code null} with status/lastError updated — a
     *         failed poll records error 20 with {@code CERT_ENROLL_PENDING}, leaving the
     *         request pollable; a missing transport factory records 21, a bad URL 18
     */
    public ScepCertificateState pollNdesForCertificate(ScepCertificateRequest scepCertificateRequest) {
        if (scepCertificateRequest.pendingCertNdesServer == null) {
            // NOTE: there is no return after recording error 18 here, so execution continues
            // into getClient with a null URL string; that should end in the MalformedURLException
            // handler below, which records error 18 a second time — confirm against the original
            // (non-decompiled) source before relying on it.
            setErrorCodeAndReturnNull(scepCertificateRequest, new OMADMException("The NDES server url is null"), "The NDES server url is null", 18, CertStatus.CERT_ENROLL_ERROR);
        }
        try {
            try {
                // The hash-algorithms argument to poll is null here (enrollCertificate passes the
                // request's hashAlgorithms to enrol).
                return processResponseAndReturnResult(scepCertificateRequest, getClient(scepCertificateRequest, scepCertificateRequest.pendingCertNdesServer).poll(scepCertificateRequest.pendingCertificate, scepCertificateRequest.privateKey, scepCertificateRequest.getSubjectPrincipal(), scepCertificateRequest.transactId, PROFILE, null), scepCertificateRequest.privateKey, scepCertificateRequest.pendingCertificate, null);
            } catch (Exception e) {
                return setErrorCodeAndReturnNull(scepCertificateRequest, e, "certificate poll failed", 20, CertStatus.CERT_ENROLL_PENDING);
            }
        } catch (OMADMException e2) {
            return setErrorCodeAndReturnNull(scepCertificateRequest, e2, "Unable to get TransportFactory for JSCEP Client.", 21, CertStatus.CERT_ENROLL_ERROR);
        } catch (MalformedURLException e3) {
            return setErrorCodeAndReturnNull(scepCertificateRequest, e3, "Malformed NDES Url: " + scepCertificateRequest.pendingCertNdesServer, 18, CertStatus.CERT_ENROLL_ERROR);
        }
    }

    /**
     * Entry point: dispatches a request to poll, enroll or renew.
     * A request that already has a {@code transactId} is polled; otherwise the exact
     * runtime class decides (subclasses of the two request types are not recognised).
     *
     * @throws OMADMException if the request is of an unexpected type, or propagated from
     *                        {@link #enrollCertificate} / {@link #renewCertificate}
     */
    public ScepCertificateState processRequest(ScepCertificateRequest scepCertificateRequest) throws OMADMException {
        if (scepCertificateRequest.transactId != null) {
            return pollNdesForCertificate(scepCertificateRequest);
        }
        if (scepCertificateRequest.getClass() == ScepEnrollCertificateRequest.class) {
            return enrollCertificate((ScepEnrollCertificateRequest) scepCertificateRequest);
        }
        if (scepCertificateRequest.getClass() == ScepRenewCertificateRequest.class) {
            return renewCertificate((ScepRenewCertificateRequest) scepCertificateRequest);
        }
        throw new OMADMException("Bad certificate request type.");
    }

    /**
     * Renews an existing user certificate via SCEP: loads it from the certificate
     * store by alias and thumbprint, parses the stored blob as X.509, rebuilds the key
     * pair from that certificate's public key and the request's {@code privateKey},
     * creates a PKCS10 renewal request, and submits it (signed with the existing
     * certificate) to a selected NDES server.
     *
     * <p>Error codes recorded on the request: 34 with
     * {@code CERT_RENEW_PENDING_EXISTING_CERT} when the key chain is locked, 32 when the
     * certificate is not found, 23 when the blob cannot be parsed as X.509, 20 when the
     * renewal request cannot be built, and 21 with {@code CERT_ENROLL_REQUEST_RETRY}
     * when no NDES server answers or the enrol call fails.
     *
     * @return the renewed state, or {@code null} with the outcome recorded on the request
     * @throws OMADMException from {@link #findValidNdesServer} if the client cannot be built
     */
    public ScepCertificateState renewCertificate(ScepRenewCertificateRequest scepRenewCertificateRequest) throws OMADMException {
        ScepCertificateState errorCodeAndReturnNull;
        ScepCertificate scepCertificate = new ScepCertificate(scepRenewCertificateRequest.requestId);
        scepCertificate.alias = scepRenewCertificateRequest.alias;
        scepCertificate.thumbprint = scepRenewCertificateRequest.certificateHash;
        try {
            if (!this.certMgr.loadUserCertificate(scepCertificate)) {
                return setErrorCodeAndReturnNull(scepRenewCertificateRequest, new OMADMException("Couldn't find the existing certificate"), "Enrollment request failed", 32, CertStatus.CERT_ENROLL_ERROR);
            }
            try {
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(scepCertificate.certBlob);
                try {
                    try {
                        X509Certificate x509Certificate = (X509Certificate) certificateFactory.generateCertificate(byteArrayInputStream);
                        try {
                            // ByteArrayInputStream.close() is a no-op; the stream is closed again in
                            // the finally block below and the IOException is deliberately ignored.
                            byteArrayInputStream.close();
                        } catch (IOException e) {
                        }
                        // Public key comes from the stored certificate, private key from the request.
                        KeyPair keyPair = new KeyPair(x509Certificate.getPublicKey(), scepRenewCertificateRequest.privateKey);
                        try {
                            PKCS10CertificationRequest createCertificateRenewRequest = CertificateRequestBuilder.createCertificateRenewRequest(keyPair, x509Certificate, scepRenewCertificateRequest.validityPeriodUnit, scepRenewCertificateRequest.validityPeriod.longValue());
                            NdesServerInfo findValidNdesServer = findValidNdesServer(scepRenewCertificateRequest);
                            if (findValidNdesServer == null) {
                                errorCodeAndReturnNull = setErrorCodeAndReturnNull(scepRenewCertificateRequest, new OMADMException("Couldn't find a valid NDES server in the certificate renewal request"), "Renew request failed", 21, CertStatus.CERT_ENROLL_REQUEST_RETRY);
                            } else {
                                try {
                                    // Renewal passes null for hash algorithms (contrast enrollCertificate).
                                    errorCodeAndReturnNull = processResponseAndReturnResult(scepRenewCertificateRequest, findValidNdesServer.client.enrol(x509Certificate, keyPair.getPrivate(), createCertificateRenewRequest, PROFILE, null), keyPair.getPrivate(), x509Certificate, findValidNdesServer.url.toString());
                                } catch (Exception e2) {
                                    errorCodeAndReturnNull = setErrorCodeAndReturnNull(scepRenewCertificateRequest, e2, "Renew request failed for NDES Url: " + findValidNdesServer.url, 21, CertStatus.CERT_ENROLL_REQUEST_RETRY);
                                }
                            }
                        } catch (Exception e3) {
                            errorCodeAndReturnNull = setErrorCodeAndReturnNull(scepRenewCertificateRequest, e3, "Couldn't generate the renew request", 20, CertStatus.CERT_ENROLL_ERROR);
                        }
                    } finally {
                        try {
                            byteArrayInputStream.close();
                        } catch (IOException e4) {
                        }
                    }
                } catch (CertificateException e5) {
                    errorCodeAndReturnNull = setErrorCodeAndReturnNull(scepRenewCertificateRequest, e5, "Couldn't generate x509 certificate", 23, CertStatus.CERT_ENROLL_ERROR);
                }
                return errorCodeAndReturnNull;
            } catch (CertificateException e6) {
                return setErrorCodeAndReturnNull(scepRenewCertificateRequest, e6, "Couldn't get x509 instance", 23, CertStatus.CERT_ENROLL_ERROR);
            }
        } catch (KeyChainException e7) {
            // Key chain locked: keep the existing certificate and ask for a retry later.
            return setErrorCodeAndReturnNull(scepRenewCertificateRequest, new OMADMException("Could not load the existing certificate. Keystore is LOCKED."), "Enrollment request failed", 34, CertStatus.CERT_RENEW_PENDING_EXISTING_CERT);
        }
    }
}
