package com.xiam.consia.client.queryapi.auth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Maps;
import com.google.common.primitives.UnsignedBytes;
import com.xiam.consia.logging.Logger;
import com.xiam.consia.logging.LoggerFactory;
import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import javax.crypto.Cipher;
import javax.security.auth.x500.X500Principal;
import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;

/* loaded from: classes.dex */
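/**
 * Decides whether a calling application may use the query API.
 *
 * <p>{@link #authenticateApiKey()} accepts a caller when one of three conditions holds, checked in
 * this order:
 * <ol>
 *   <li>API keys are not required for debug builds and one of the caller's signing certificates
 *       carries the Android debug subject DN;</li>
 *   <li>one of the caller's signing certificates has the pinned production fingerprint;</li>
 *   <li>the supplied API key, after the RSA public-key operation, matches the salted hash of the
 *       caller's certificate fingerprint and application id.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The debug shortcut compares only the certificate subject DN. A subject DN is chosen by
 *       whoever creates the certificate, so it does not identify the Android SDK debug key. Builds
 *       that ship to users should pass {@code requireApiKeyForDebugApps = true}; the
 *       {@link #DEV_PUBLIC_KEY} fingerprint is declared but not consulted by this class.</li>
 *   <li>Fingerprints are SHA-1. The pinned values are 20-byte digests, so moving to SHA-256 means
 *       replacing the pinned constants as well as {@link #CERT_FINGERPRINT_DIGEST_ALGORITHM}.</li>
 *   <li>Successful results are cached in a static map keyed only by the application id and are
 *       never evicted. NOTE(review): this is only sound if callers obtain that id from the platform
 *       for the verified caller rather than from caller-supplied data; confirm at the call sites.</li>
 * </ul>
 */
public final class KeyAuthenticator {
    /** Digest used for certificate fingerprints; must match how the pinned values were produced. */
    public static final String CERT_FINGERPRINT_DIGEST_ALGORITHM = "SHA-1";
    private static final String CHARACTER_ENCODING = "UTF-8";
    /** Colon-separated SHA-1 certificate fingerprint (despite the name, not a key). Unused in this class. */
    public static final String DEV_PUBLIC_KEY = "BF:22:ED:A1:9F:0F:2D:DD:08:44:FD:E4:19:B9:E5:B1:D3:53:41:81";
    /** Colon-separated SHA-1 certificate fingerprint (despite the name, not a key) that is trusted without an API key. */
    public static final String PROD_PUBLIC_KEY = "15:F2:31:63:2E:14:62:4F:A4:49:9D:E9:32:A0:D8:50:5B:53:96:EC";
    /** Number of leading bytes of the decrypted key that hold the hex-encoded salt. */
    private static final int SIZE_OF_HEX_ENCODED_SALT_IN_BYTES = 16;
    private final String apiKey;
    private final Collection<byte[]> appDigitalSignatures;
    private final boolean requireApiKeyForDebugApps;
    private final String uniqueAppId;
    private static final X500Principal DEBUG_DN = new X500Principal("CN=Android Debug,O=Android,C=US");
    private static final Logger logger = LoggerFactory.getLogger();
    // Process-wide cache of application ids that passed authentication; entries are never removed.
    private static final Map<String, Boolean> authenticatedUsers = Maps.newConcurrentMap();
    // Base64 of two Java-serialized BigIntegers (RSA modulus, then public exponent).
    private static final String EMBEDDED_PUBLIC_KEY = "rO0ABXNyABRqYXZhLm1hdGguQmlnSW50ZWdlcoz8nx+pO/sdAwAGSQAIYml0Q291bnRJAAliaXRMZW5ndGhJABNmaXJzdE5vbnplcm9CeXRlTnVtSQAMbG93ZXN0U2V0Qml0SQAGc2lnbnVtWwAJbWFnbml0dWRldAACW0J4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHD///////////////7////+AAAAAXVyAAJbQqzzF/gGCFTgAgAAeHAAAAEArXwkww5OWwQFgXJORAfVpoyd9bOm8s8D7re4XUazWtLakDF4N5Rh5kowjHozvVdcKi2DTONiYOYyZNTu++cvoQyPKC9yqWaDieO3b0KmSk7TI4mLJs5M4yDvk1pFjbXJv7dYhJaktUvcH6gOxhr9qNsO7kK26xHX/AhbR8uN99Ypp+vnJKyMBO3kSfwQF4g2rUon/wk+B7YhA4Z231NPloVFtVSNRgH0WhJIQw1MyCyeBAtkUpu6vaneorxKEA3snL0nicRmzl8aPGRJQQSHDfIMccDqq9C6JOwcPF3cEEg+7aYldbsI49KmcciwQbbbwxPfQ3kQOtNqZ6JL3vhjoXhzcQB+AAD///////////////7////+AAAAAXVxAH4ABAAAAAMBAAF4";
    // Must stay below EMBEDDED_PUBLIC_KEY: a failure here aborts class initialisation.
    private static final Key pubKey = extractPublicKey(EMBEDDED_PUBLIC_KEY);

    /**
     * Creates an authenticator for one calling application.
     *
     * @param str         Base64-encoded API key presented by the caller; may be {@code null}
     * @param collection  encoded signing certificates of the calling application
     * @param str2        unique id of the calling application (reported as the "app package" in errors)
     * @param z           when {@code true}, debug-signed callers must also present a valid API key
     */
    public KeyAuthenticator(String str, Collection<byte[]> collection, String str2, boolean z) {
        this.apiKey = str;
        this.appDigitalSignatures = collection;
        this.uniqueAppId = str2;
        this.requireApiKeyForDebugApps = z;
    }

    /**
     * Rebuilds the RSA public key from its embedded, Java-serialized form.
     *
     * <p>Java native deserialization is acceptable here only because the input is a compile-time
     * constant; this method must never be given data that originates outside the binary.
     *
     * @param str Base64 of two serialized {@link BigInteger}s: modulus, then public exponent
     * @return the RSA public key
     * @throws RuntimeException if the embedded value cannot be decoded into a key
     */
    private static Key extractPublicKey(String str) {
        try {
            ObjectInputStream in = new ObjectInputStream(
                    new ByteArrayInputStream(Base64.decodeBase64(str.getBytes(CHARACTER_ENCODING))));
            try {
                BigInteger modulus = (BigInteger) in.readObject();
                BigInteger publicExponent = (BigInteger) in.readObject();
                return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
            } finally {
                // Close on the failure path too, not only after both reads succeed.
                in.close();
            }
        } catch (Exception e) {
            throw new RuntimeException("Problem encountered while reading our public key.", e);
        }
    }

    /**
     * Decodes the salt stored as hex text in the first bytes of the decrypted API key.
     *
     * @param bArr decrypted API key
     * @return the decoded salt bytes
     * @throws DecoderException             if the leading bytes are not valid hex text
     * @throws UnsupportedEncodingException if the platform lacks the fixed character encoding
     */
    private static byte[] extractSaltFromKey(byte[] bArr) throws DecoderException, UnsupportedEncodingException {
        byte[] hexSalt = Arrays.copyOfRange(bArr, 0, SIZE_OF_HEX_ENCODED_SALT_IN_BYTES);
        // Explicit charset: the result must not depend on the device's default encoding.
        return Hex.decodeHex(new String(hexSalt, CHARACTER_ENCODING).toCharArray());
    }

    /**
     * Computes a lower-case, colon-separated hex digest of the given bytes.
     *
     * @param bArr bytes to digest (here: an encoded certificate)
     * @param str  {@link MessageDigest} algorithm name
     * @return the fingerprint, or {@code null} if it could not be computed
     */
    public static String getFingerprint(byte[] bArr, String str) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(str);
            messageDigest.update(bArr);
            byte[] digest = messageDigest.digest();
            StringBuilder sb = new StringBuilder(digest.length * 3);
            for (int i = 0; i < digest.length; i++) {
                if (i != 0) {
                    sb.append(":");
                }
                // Mask with an int literal. Guava's UnsignedBytes.MAX_VALUE is a byte (-1), so
                // masking with it leaves the sign extension in place and yields "ffffffxx".
                String hexString = Integer.toHexString(digest[i] & 0xFF);
                if (hexString.length() == 1) {
                    sb.append("0");
                }
                sb.append(hexString);
            }
            return sb.toString();
        } catch (Exception e) {
            // Callers must treat null as "no fingerprint"; it never equals a pinned value.
            System.err.println("Problem calculating APK fingerprint: " + e.getMessage());
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Creates a cipher that applies the embedded RSA public key in decrypt mode.
     *
     * <p>Using the public key to "decrypt" recovers data produced with the matching private key,
     * so this is integrity protection of the API key, not confidentiality.
     *
     * @return an initialised cipher
     * @throws RuntimeException if the transformation or key is rejected by the provider
     */
    private static Cipher initCipher() {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1PADDING");
            cipher.init(Cipher.DECRYPT_MODE, pubKey);
            return cipher;
        } catch (GeneralSecurityException e) {
            throw new RuntimeException("Problem initialising decryption cipher", e);
        }
    }

    /**
     * Reports whether any of the given certificates carries the Android debug subject DN.
     *
     * <p>Only the subject DN is compared; the certificate's key and fingerprint are not checked,
     * so this is a convenience for development builds and not proof of origin.
     *
     * @param collection encoded X.509 certificates
     * @return {@code true} if at least one certificate has the debug subject DN
     * @throws CertificateException if a certificate cannot be parsed
     */
    private static boolean isApplicationSignedWithDebugCert(Collection<byte[]> collection) throws CertificateException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        for (byte[] encoded : collection) {
            for (Certificate certificate : certificateFactory.generateCertificates(new ByteArrayInputStream(encoded))) {
                // NOTE(review): getSubjectDN() returns a provider-specific Principal, so whether
                // equals() matches an X500Principal depends on the provider. The JDK documents
                // getSubjectX500Principal() as the replacement; left unchanged here because
                // switching could change which certificates take this shortcut.
                if (((X509Certificate) certificate).getSubjectDN().equals(DEBUG_DN)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether any of the given certificates has the pinned production fingerprint.
     *
     * @param collection encoded certificates
     * @return {@code true} if a fingerprint equals {@link #PROD_PUBLIC_KEY}, ignoring case
     */
    private boolean isApplicationSignedWithSameCert(Collection<byte[]> collection) {
        for (byte[] encoded : collection) {
            // equalsIgnoreCase(null) is false, so a failed fingerprint never matches.
            if (PROD_PUBLIC_KEY.equalsIgnoreCase(getFingerprint(encoded, CERT_FINGERPRINT_DIGEST_ALGORITHM))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the API key against every signing certificate of the caller and caches a success.
     *
     * @return {@code true} if the key verifies for at least one certificate
     * @throws UnsupportedEncodingException if the platform lacks the fixed character encoding
     * @throws SecurityException            if the key cannot be decrypted or verified
     */
    private boolean isValidKey() throws UnsupportedEncodingException {
        byte[] decryptedKey = rsaDecrypt(new Base64().decode(this.apiKey.getBytes(CHARACTER_ENCODING)));
        for (byte[] encoded : this.appDigitalSignatures) {
            String fingerprint = getFingerprint(encoded, CERT_FINGERPRINT_DIGEST_ALGORITHM);
            if (fingerprint == null) {
                // getFingerprint signals failure with null; skip instead of dereferencing it.
                continue;
            }
            if (verifyKey(decryptedKey, fingerprint.toLowerCase(), this.uniqueAppId)) {
                authenticatedUsers.put(this.uniqueAppId, Boolean.TRUE);
                return true;
            }
        }
        return false;
    }

    /**
     * Applies the RSA public-key operation to the decoded API key.
     *
     * @param bArr Base64-decoded API key
     * @return the recovered bytes (hex salt followed by the hash)
     * @throws SecurityException if the provider rejects the input
     */
    private byte[] rsaDecrypt(byte[] bArr) {
        try {
            return initCipher().doFinal(bArr);
        } catch (Exception e) {
            throw new SecurityException("Could not verify API key for app package: " + this.uniqueAppId, e);
        }
    }

    /**
     * Reports whether the given application id is in the process-wide cache of accepted callers.
     *
     * @param str application id
     * @return {@code true} if an earlier authentication for this id succeeded in this process
     */
    public static final boolean userAlreadyAuthenticated(String str) {
        return authenticatedUsers.containsKey(str);
    }

    /**
     * Compares the hash carried in a decrypted API key with the hash expected for the caller.
     *
     * @param bArr decrypted API key: hex-encoded salt followed by the hash
     * @param str  lower-case certificate fingerprint of the caller
     * @param str2 application id of the caller
     * @return {@code true} if the carried hash equals the expected one
     * @throws SecurityException if the key is malformed or the expected hash cannot be computed
     */
    @VisibleForTesting
    static boolean verifyKey(byte[] bArr, String str, String str2) throws SecurityException {
        try {
            byte[] presentedHash = Arrays.copyOfRange(bArr, SIZE_OF_HEX_ENCODED_SALT_IN_BYTES, bArr.length);
            byte[] expectedHash = CommonSecurityUtils.hashAuthenticationString(str, str2, extractSaltFromKey(bArr));
            if (expectedHash == null) {
                return false;
            }
            // MessageDigest.isEqual avoids the early exit of Arrays.equals when comparing
            // authentication values.
            return MessageDigest.isEqual(presentedHash, expectedHash);
        } catch (Exception e) {
            throw new SecurityException("Problem verifying API key.", e);
        }
    }

    /**
     * Authenticates the calling application and records a success in the process-wide cache.
     *
     * @throws GeneralSecurityException     if a signing certificate cannot be parsed
     * @throws UnsupportedEncodingException if the platform lacks the fixed character encoding
     * @throws SecurityException            if none of the accepted conditions holds
     */
    public final void authenticateApiKey() throws GeneralSecurityException, UnsupportedEncodingException {
        // Shortcut for development builds; relies on the subject DN only (see class notes).
        if (!this.requireApiKeyForDebugApps && isApplicationSignedWithDebugCert(this.appDigitalSignatures)) {
            logger.d("APK is signed with a debug key, or with the same cert of SBG, no need to authenticate", new Object[0]);
            authenticatedUsers.put(this.uniqueAppId, Boolean.TRUE);
        } else if (isApplicationSignedWithSameCert(this.appDigitalSignatures)) {
            logger.d("APK is signed with the same cert of SBG, no need to authenticate", new Object[0]);
            authenticatedUsers.put(this.uniqueAppId, Boolean.TRUE);
        } else if (this.apiKey == null || !isValidKey()) {
            logger.d("API key is not valid for app package: %s", this.uniqueAppId);
            throw new SecurityException("API key is not valid for app package: " + this.uniqueAppId);
        }
    }
}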
