package com.okta.android.mobile.oktamobile.security.scep;

import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.Context;
import android.content.Intent;
import android.security.KeyChain;
import com.okta.android.mobile.oktamobile.callbackinterface.ActivityResultListener;
import com.okta.android.mobile.oktamobile.callbackinterface.SCEPEnrollCallback;
import com.okta.android.mobile.oktamobile.callbackinterface.SimpleCallback;
import com.okta.android.mobile.oktamobile.command.model.SCEPPayloadModel;
import com.okta.android.mobile.oktamobile.framework.OktaActivity;
import com.okta.android.mobile.oktamobile.framework.exceptions.SCEPException;
import com.okta.android.mobile.oktamobile.security.KeyStoreManager;
import com.okta.android.mobile.oktamobile.security.scep.SCEPEnrollTask;
import com.okta.android.mobile.oktamobile.spydrsafe.core.deviceadmin.SpydrsafeDeviceAdminReceiver;
import com.okta.android.mobile.oktamobile.utilities.ActivityLifecycleTracker;
import com.okta.android.mobile.oktamobile.utilities.EnrollmentStateCollector;
import com.okta.lib.android.common.utilities.Log;
import com.okta.mobile.android.scep.client.DefaultCallbackHandler;
import com.okta.mobile.android.scep.client.verification.CertificateVerifier;
import dagger.Lazy;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.inject.Inject;
import javax.inject.Named;
import javax.security.auth.callback.CallbackHandler;
import org.spongycastle.asn1.DERPrintableString;
import org.spongycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.spongycastle.cert.CertIOException;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: classes.dex */
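/**
 * Drives SCEP certificate enrollment for the device.
 *
 * <p>{@link #generateSCEPCertificate} turns a {@link SCEPPayloadModel} into a key pair, a
 * certificate from {@link KeyStoreManager} and a PKCS#10 CSR carrying the challenge password,
 * then hands everything to {@link SCEPEnrollTask}. {@link #installSystemCertificate} installs the
 * signed result either through {@link DevicePolicyManager} (work profile) or through the
 * {@link KeyChain} install intent (Samsung SAFE). Failures are always reported through the
 * supplied callbacks rather than thrown to the caller.
 */
public class SCEPManager {
    protected static final String TAG = "SCEPManager";
    /** Request code used for the KeyChain install intent started in {@link #installCertSAFE}. */
    private static final int INSTALL_CERT_REQUEST_CODE = 102;
    /** CSR signature algorithm for RSA keys (the historical default of this class). */
    private static final String RSA_SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** CSR signature algorithm for EC keys; SHA256withRSA cannot sign with an EC private key. */
    private static final String EC_SIGNATURE_ALGORITHM = "SHA256withECDSA";

    private final ActivityLifecycleTracker activityLifecycleTracker;
    private final Context context;
    private final DevicePolicyManager devicePolicyManager;
    private final EnrollmentStateCollector enrollmentStateCollector;
    private final KeyStoreManager keyStoreManager;
    private final Lazy<SCEPEnrollTask> scepEnrollTaskLazy;

    /**
     * Creates the manager with its injected collaborators.
     *
     * @param devicePolicyManager admin-scoped DPM used to install key pairs in a work profile
     * @param context application context used to resolve the device-admin component
     * @param activityLifecycleTracker source of the current foreground activity for SAFE installs
     * @param enrollmentStateCollector tells which enrollment type (work profile / SAFE) is active
     * @param lazy lazily constructed enrollment task; a fresh instance is fetched per enroll
     * @param keyStoreManager generates key pairs and certificates for the CSR
     */
    @Inject
    public SCEPManager(@Named("contextAdmin") DevicePolicyManager devicePolicyManager, Context context, ActivityLifecycleTracker activityLifecycleTracker, EnrollmentStateCollector enrollmentStateCollector, Lazy<SCEPEnrollTask> lazy, KeyStoreManager keyStoreManager) {
        this.devicePolicyManager = devicePolicyManager;
        this.context = context;
        this.activityLifecycleTracker = activityLifecycleTracker;
        this.enrollmentStateCollector = enrollmentStateCollector;
        this.scepEnrollTaskLazy = lazy;
        this.keyStoreManager = keyStoreManager;
    }

    /**
     * Starts an asynchronous SCEP enrollment with already prepared key material.
     *
     * @param requestId identifier echoed back to the callback (presumably the originating
     *     command/enrollment id — confirm against callers)
     * @param url SCEP server URL
     * @param callbackHandler handler the SCEP client consults during the transaction
     * @param x509Certificate certificate used to sign/envelope the request
     * @param keyPair key pair whose public key is in the CSR
     * @param pKCS10CertificationRequest the CSR to enroll
     * @param sCEPEnrollCallback receives the outcome of the enrollment
     */
    public void enroll(String requestId, URL url, CallbackHandler callbackHandler, X509Certificate x509Certificate, KeyPair keyPair, PKCS10CertificationRequest pKCS10CertificationRequest, SCEPEnrollCallback sCEPEnrollCallback) {
        SCEPEnrollTask.Params params = new SCEPEnrollTask.Params(
                requestId, url, x509Certificate, keyPair, pKCS10CertificationRequest, callbackHandler, sCEPEnrollCallback);
        this.scepEnrollTaskLazy.get().execute(params);
    }

    /**
     * Builds key material and a CSR from the payload and kicks off enrollment.
     *
     * <p>Every failure — bad server URL, key/certificate generation, CSR construction — is
     * delivered to {@code sCEPEnrollCallback.onFailure} wrapped in a {@link SCEPException};
     * nothing is thrown to the caller.
     *
     * @param requestId identifier echoed back to the callback on failure
     * @param sCEPPayloadModel SCEP payload (server URI, key type/size/usages, subject, challenge)
     * @param sCEPEnrollCallback receives success or failure of the enrollment
     */
    public void generateSCEPCertificate(String requestId, SCEPPayloadModel sCEPPayloadModel, SCEPEnrollCallback sCEPEnrollCallback) {
        try {
            URL serverUrl = new URL(sCEPPayloadModel.getScepServerURI().toString());
            // Software (non-TEE) key pair: the private key must later be exported into the
            // keychain by installCertAFW, which a hardware-bound key would not allow.
            KeyPair keyPair = this.keyStoreManager.generateNonTEEKeypair(
                    sCEPPayloadModel.getKeyType(), sCEPPayloadModel.getKeySize());
            X509Certificate certificate = this.keyStoreManager.createCertificate(
                    keyPair, sCEPPayloadModel.getKeyUsages(), sCEPPayloadModel.getSubjectDNAsX500Name());
            PKCS10CertificationRequest csr = getCsr(keyPair, certificate, sCEPPayloadModel.getPlainTextChallenge());
            // NOTE(review): this verifier accepts every certificate the SCEP client asks it to
            // check, so the CA/RA certificate obtained from the server is never validated against
            // a trust anchor. The payload accessors used here carry no CA fingerprint to pin to,
            // so this is left as-is, but it is a known gap in the enrollment flow, not a default
            // to copy elsewhere.
            CertificateVerifier acceptAllVerifier = new CertificateVerifier() { // from class: com.okta.android.mobile.oktamobile.security.scep.SCEPManager.1
                @Override // com.okta.mobile.android.scep.client.verification.CertificateVerifier
                public boolean verify(X509Certificate x509Certificate) {
                    return true;
                }
            };
            enroll(requestId, serverUrl, new DefaultCallbackHandler(acceptAllVerifier), certificate, keyPair, csr, sCEPEnrollCallback);
        } catch (SCEPException e) {
            // Already the callback's exception type (raised by getCsr); pass through unchanged.
            sCEPEnrollCallback.onFailure(requestId, e);
        } catch (MalformedURLException | GeneralSecurityException | CertIOException | OperatorCreationException e) {
            sCEPEnrollCallback.onFailure(requestId, new SCEPException(e));
        }
    }

    /**
     * Builds a PKCS#10 CSR for the key pair, signed with its private key.
     *
     * <p>The CSR subject is taken from {@code x509Certificate} (built by {@link KeyStoreManager}
     * from the payload's subject DN in {@link #generateSCEPCertificate}), and the SCEP challenge
     * password is added as the {@code pkcs-9-at-challengePassword} attribute.
     *
     * @param keyPair key pair to certify; its algorithm selects the signature algorithm
     * @param x509Certificate certificate whose subject becomes the CSR subject
     * @param challengePassword SCEP challenge password, must not be {@code null}
     * @return the signed CSR
     * @throws SCEPException if the challenge is missing or the signer cannot be created
     */
    public PKCS10CertificationRequest getCsr(KeyPair keyPair, X509Certificate x509Certificate, String challengePassword) throws SCEPException {
        if (challengePassword == null) {
            // DERPrintableString would NPE on null and the NPE would escape generateSCEPCertificate's
            // catch blocks; fail through the callback path instead.
            throw new SCEPException("Missing SCEP challenge password");
        }
        JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                x509Certificate.getSubjectX500Principal(), keyPair.getPublic());
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, new DERPrintableString(challengePassword));
        String signatureAlgorithm = signatureAlgorithmFor(keyPair);
        try {
            return csrBuilder.build(new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate()));
        } catch (OperatorCreationException e) {
            Log.e(TAG, "Failed to create csr signer", e);
            throw new SCEPException(e);
        }
    }

    /** Chooses the CSR signature algorithm from the key algorithm; RSA keeps SHA256withRSA. */
    private static String signatureAlgorithmFor(KeyPair keyPair) {
        String keyAlgorithm = keyPair.getPrivate().getAlgorithm();
        return "EC".equalsIgnoreCase(keyAlgorithm) ? EC_SIGNATURE_ALGORITHM : RSA_SIGNATURE_ALGORITHM;
    }

    /**
     * Installs the key pair and certificate through {@link DevicePolicyManager#installKeyPair}
     * (work-profile / Android-for-Work path).
     *
     * @param alias keychain alias for the installed key pair
     * @param keyPair private key to install alongside the certificate
     * @param x509Certificate the signed certificate
     * @param simpleCallback receives success, or the failure as an exception
     */
    protected void installCertAFW(String alias, KeyPair keyPair, X509Certificate x509Certificate, SimpleCallback simpleCallback) {
        try {
            Log.i(TAG, "install cert using DPM");
            // Trailing 'true' is DPM's requestAccess flag: this app is granted access to the
            // installed credentials without a user-facing chooser.
            boolean installed = this.devicePolicyManager.installKeyPair(
                    SpydrsafeDeviceAdminReceiver.getComponentName(this.context),
                    keyPair.getPrivate(),
                    new Certificate[]{x509Certificate},
                    alias,
                    true);
            if (installed) {
                simpleCallback.onSuccess();
            } else {
                simpleCallback.onError(new SCEPException("Failed to install keypair in keychain"));
            }
        } catch (Exception e) {
            // installKeyPair throws SecurityException when the caller is not the profile/device
            // owner; report any failure through the callback instead of aborting the flow.
            Log.w(TAG, "exception while installing cert", e);
            simpleCallback.onError(e);
        }
    }

    /**
     * Installs the certificate through the system {@link KeyChain} install intent (Samsung SAFE
     * path). Requires a current {@link OktaActivity} to receive the activity result.
     *
     * <p>NOTE(review): only the certificate is handed to KeyChain here; no private key is passed
     * (unlike {@link #installCertAFW}). Confirm that is the intended SAFE behavior.
     *
     * @param alias name shown for / assigned to the installed certificate
     * @param x509Certificate the signed certificate to install
     * @param simpleCallback receives the outcome once the install activity returns
     */
    protected void installCertSAFE(String alias, X509Certificate x509Certificate, final SimpleCallback simpleCallback) {
        Activity currentActivity = this.activityLifecycleTracker.getCurrentActivity();
        if (currentActivity == null) {
            Log.w(TAG, "Null current activity so unable to install cert to keychain");
            simpleCallback.onError(new SCEPException("Unable to install cert to keychain"));
            return;
        }
        if (!(currentActivity instanceof OktaActivity)) {
            Log.w(TAG, "Current activity is not an instance of OktaActivity so unable to install cert to keychain");
            simpleCallback.onError(new SCEPException("Unable to install cert to keychain"));
            return;
        }
        OktaActivity oktaActivity = (OktaActivity) currentActivity;
        byte[] encodedCertificate;
        try {
            encodedCertificate = x509Certificate.getEncoded();
        } catch (CertificateEncodingException e) {
            // Log the cause instead of dropping it; the callback message stays as before.
            Log.w(TAG, "Unable to encode certificate for keychain install", e);
            simpleCallback.onError(new SCEPException("Failed to install signed cert in keychain"));
            return;
        }
        Log.i(TAG, "Installing the cert in SAFE");
        Intent installIntent = KeyChain.createInstallIntent();
        installIntent.putExtra(KeyChain.EXTRA_CERTIFICATE, encodedCertificate);
        installIntent.putExtra(KeyChain.EXTRA_NAME, alias);
        oktaActivity.setActivityResultListener(new ActivityResultListener() { // from class: com.okta.android.mobile.oktamobile.security.scep.SCEPManager.2
            @Override // com.okta.android.mobile.oktamobile.callbackinterface.ActivityResultListener
            public void onActivityResult(OktaActivity resultActivity, int requestCode, int resultCode, Intent data) {
                if (requestCode != INSTALL_CERT_REQUEST_CODE) {
                    // Result for some other request; keep listening for ours.
                    Log.v(TAG, String.format(Locale.US, "Wrong request code %d, looking for %d", requestCode, INSTALL_CERT_REQUEST_CODE));
                    return;
                }
                Log.v(TAG, "install keypair result code: " + resultCode);
                // One-shot listener: detach before reporting so a later result cannot re-fire us.
                resultActivity.setActivityResultListener(null);
                if (resultCode == Activity.RESULT_OK) {
                    simpleCallback.onSuccess();
                } else {
                    simpleCallback.onError(new SCEPException("Failed to install signed cert in keychain"));
                }
            }
        });
        oktaActivity.startActivityForResult(installIntent, INSTALL_CERT_REQUEST_CODE);
    }

    /**
     * Installs the signed certificate into the system keychain using whichever mechanism the
     * current enrollment supports: DPM for a work profile, the KeyChain intent for Samsung SAFE.
     *
     * @param alias keychain alias for the certificate / key pair
     * @param keyPair key pair matching the certificate (only used on the work-profile path)
     * @param x509Certificate the signed certificate
     * @param simpleCallback receives the outcome; gets {@link SCEPException} "Unsupported
     *     enrollment type" when neither enrollment mode is active
     */
    public void installSystemCertificate(String alias, KeyPair keyPair, X509Certificate x509Certificate, SimpleCallback simpleCallback) {
        boolean workProfile = this.enrollmentStateCollector.isWorkProfile();
        boolean samsungSafe = this.enrollmentStateCollector.isSamsungSAFEEnrolled();
        if (!workProfile && !samsungSafe) {
            Log.w(TAG, "Unable to install system cert outside of AFW or SAFE");
            simpleCallback.onError(new SCEPException("Unsupported enrollment type"));
            return;
        }
        Log.v(TAG, "Installing certificate: " + x509Certificate);
        // Never log PrivateKey#toString(): provider implementations may render key material.
        // The algorithm name is enough to diagnose install problems.
        Log.v(TAG, "Client keypair algorithm: " + keyPair.getPrivate().getAlgorithm());
        if (workProfile) {
            installCertAFW(alias, keyPair, x509Certificate, simpleCallback);
        } else {
            installCertSAFE(alias, x509Certificate, simpleCallback);
        }
    }
}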
