package com.microsoft.omadm.platforms.android.certmgr;

import com.microsoft.intune.common.database.Table;
import com.microsoft.omadm.Services;
import com.microsoft.omadm.database.TableRepository;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.platforms.ICertificateStoreManager;
import com.microsoft.omadm.platforms.android.certmgr.data.CertStateData;
import com.microsoft.omadm.platforms.android.certmgr.data.PfxCertificateData;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificate;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificateState;
import com.microsoft.omadm.utils.CertUtils;
import com.microsoft.omadm.utils.DataEncryptionUtils;
import com.microsoft.omadm.utils.ScepRequestIdUtils;
import com.samsung.android.knox.keystore.CertificateProvisioning;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;
import org.apache.commons.lang3.ArrayUtils;
import org.bouncycastle.cms.CMSException;

/* loaded from: classes.dex */
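/**
 * Tracks PFX (PKCS#12) certificate records delivered for a user and converts them into
 * {@link ScepCertificateState} entries that are handed to the certificate store manager.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The PFX password is decrypted with the enrollment certificate, used to open the blob,
 *       and the {@code char[]} copy is zeroed before {@link #processPfxCertificate} returns.</li>
 *   <li>The extracted private key is re-wrapped into a fresh PKCS#12 store protected by the
 *       passwords from {@code CertStorePasswords}.</li>
 *   <li>After a successful hand-off the PFX blob and its encrypted password are cleared from the
 *       record via {@link #removeCertAndPasswordBlobs}.</li>
 * </ul>
 */
public class PfxCertificateManager {
    /** Prefix used to build the alias of a newly enrolled user certificate. */
    private static final String CERT_ALIAS_TAG = "User";
    private final CertStateData certStateData;
    private final ICertificateStoreManager certStoreMgr;
    private final Logger logger = Logger.getLogger(PfxCertificateManager.class.getName());
    private final TableRepository tr;

    /**
     * Creates the manager with its injected collaborators.
     *
     * @param tableRepository repository used for {@link PfxCertificateData} persistence
     * @param iCertificateStoreManager store manager that installs and removes user certificates
     * @param certStateData accessor for {@link ScepCertificateState} records
     */
    @Inject
    public PfxCertificateManager(TableRepository tableRepository, ICertificateStoreManager iCertificateStoreManager, CertStateData certStateData) {
        this.tr = tableRepository;
        this.certStoreMgr = iCertificateStoreManager;
        this.certStateData = certStateData;
    }

    /**
     * Returns the first alias in {@code keyStore} that is a key entry, logging every alias seen.
     *
     * @param keyStore a loaded key store, or {@code null}
     * @return the first key-entry alias, or {@code null} if the store is {@code null} or has none
     * @throws KeyStoreException if the key store has not been initialised
     */
    private String getFirstKeystoreAliasWithPrivateKey(KeyStore keyStore) throws KeyStoreException {
        if (keyStore == null) {
            return null;
        }
        String firstKeyAlias = null;
        Enumeration<String> aliases = keyStore.aliases();
        // The loop deliberately visits every alias so that the full store content is logged,
        // even after the first key entry has been found.
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            boolean isCertificateEntry = keyStore.isCertificateEntry(alias);
            boolean isKeyEntry = keyStore.isKeyEntry(alias);
            this.logger.info(MessageFormat.format("Found [{0}] alias, IsCert: [{1}], IsKey: [{2}]", alias, Boolean.valueOf(isCertificateEntry), Boolean.valueOf(isKeyEntry)));
            if (isKeyEntry && firstKeyAlias == null) {
                firstKeyAlias = alias;
            }
        }
        return firstKeyAlias;
    }

    /**
     * Returns the stored record for the request id and user, creating and inserting one if absent.
     *
     * @param str the request id (escaped before it is stored)
     * @param l the user identifier
     * @return the existing or newly created record; never {@code null}
     */
    public PfxCertificateData addOrGetPfxCertificateByRequestId(String str, Long l) {
        PfxCertificateData existing = getPfxCertificateByRequestId(str, l);
        if (existing != null) {
            return existing;
        }
        PfxCertificateData created = new PfxCertificateData(ScepRequestIdUtils.escapeScepRequestId(str), l);
        if (!insert(created)) {
            // The record is still returned for backward compatibility, but it is not persisted.
            this.logger.warning("Failed to insert new PfxCertificateData. RequestId=" + str);
        }
        return created;
    }

    /**
     * Deletes the record identified by {@code key}.
     *
     * @param key the record key
     * @return the result reported by the repository
     */
    public boolean delete(PfxCertificateData.Key key) {
        return this.tr.delete(key);
    }

    /**
     * Deletes the given record by its key.
     *
     * @param pfxCertificateData the record to delete
     * @return the result reported by the repository
     */
    public boolean delete(PfxCertificateData pfxCertificateData) {
        return delete(pfxCertificateData.getKey());
    }

    /**
     * Removes the PFX record and marks the matching certificate state as pending delete.
     *
     * @param str the request id
     * @param l the user identifier
     * @return {@code false} if neither a PFX record nor a certificate state exists, else {@code true}
     * @throws OMADMException if the PFX record cannot be deleted or the state cannot be updated
     */
    public boolean deleteCertificateByRequestId(String str, Long l) throws OMADMException {
        String escapedRequestId = ScepRequestIdUtils.escapeScepRequestId(str);
        // NOTE(review): getPfxCertificateByRequestId escapes its argument again, so the id is
        // escaped twice on this path; confirm escapeScepRequestId is idempotent.
        PfxCertificateData pfxRecord = getPfxCertificateByRequestId(escapedRequestId, l);
        // NOTE(review): the state lookup here uses the escaped id, while
        // getCertificateStateByRequestId passes the id through unchanged; confirm which form
        // the state table stores.
        ScepCertificateState certState = this.certStateData.getUserCertificateByRequestId(escapedRequestId, l);
        if (pfxRecord == null && certState == null) {
            return false;
        }
        if (pfxRecord != null && !delete(pfxRecord)) {
            throw new OMADMException("Failed to delete PfxCertificateData for request id: " + str);
        }
        if (certState != null) {
            this.certStoreMgr.tryRemoveUserCertificate(new ScepCertificate(certState));
            certState.pendingDelete = true;
            if (!this.certStateData.update(certState)) {
                throw new OMADMException("Failed to mark certificate state as pending delete for request id: " + str);
            }
        }
        return true;
    }

    /**
     * Returns every PFX record whose {@code User} column matches the given user.
     *
     * @param l the user identifier; must not be {@code null}
     * @return the matching records as returned by the table
     */
    public List<PfxCertificateData> getAllPfxCertificates(Long l) {
        return this.tr.getTable(PfxCertificateData.class).get(Table.makeSelectionStatementForColumn("User"), new String[]{l.toString()});
    }

    /**
     * Looks up the certificate state for the request id and user.
     *
     * @param str the request id, passed to the state accessor as given
     * @param l the user identifier
     * @return the value returned by the state accessor
     */
    public ScepCertificateState getCertificateStateByRequestId(String str, Long l) {
        return this.certStateData.getUserCertificateByRequestId(str, l);
    }

    /**
     * Looks up the PFX record for the request id and user.
     *
     * @param str the request id (escaped before the lookup)
     * @param l the user identifier
     * @return the value returned by the repository, cast to {@link PfxCertificateData}
     */
    public PfxCertificateData getPfxCertificateByRequestId(String str, Long l) {
        return (PfxCertificateData) this.tr.get(new PfxCertificateData.Key(ScepRequestIdUtils.escapeScepRequestId(str), l));
    }

    /**
     * Inserts the record into the repository.
     *
     * @param pfxCertificateData the record to insert
     * @return the result reported by the repository
     */
    public boolean insert(PfxCertificateData pfxCertificateData) {
        return this.tr.insert(pfxCertificateData);
    }

    /**
     * Reports whether a PFX record exists for the request id and user of the given state.
     *
     * @param scepCertificateState the certificate state to check
     * @return {@code true} if a matching PFX record is found
     */
    public boolean isFromPfxCertificate(ScepCertificateState scepCertificateState) {
        return getPfxCertificateByRequestId(scepCertificateState.requestId, scepCertificateState.user) != null;
    }

    /**
     * Opens the PFX blob of the record, extracts the first private key and its certificate,
     * re-wraps them into a new PKCS#12 store and hands the resulting state to the store manager.
     *
     * <p>The decrypted password is copied into a {@code char[]} that is zeroed in a
     * {@code finally} block. The intermediate {@code String} returned by the decryption helper
     * cannot be wiped and stays on the heap until it is garbage collected.
     *
     * @param pfxCertificateData the record to process
     * @return {@code false} if the record should not be processed yet or the password could not
     *     be decrypted; otherwise the result of clearing the blobs from the record
     * @throws OMADMException if the blob has no usable key or certificate, or if any key store,
     *     algorithm, certificate or CMS error occurs (the cause is preserved)
     */
    public boolean processPfxCertificate(PfxCertificateData pfxCertificateData) throws OMADMException {
        if (!shouldProcessPfxCertificate(pfxCertificateData)) {
            return false;
        }
        char[] pfxPassword = null;
        try {
            ScepCertificateState newState = new ScepCertificateState(pfxCertificateData.requestId, pfxCertificateData.user);
            ByteArrayInputStream pfxStream = new ByteArrayInputStream(pfxCertificateData.certBlob);
            String decryptedPassword = DataEncryptionUtils.decryptUsingEnrollmentCert(pfxCertificateData.encodedCertPassword);
            if (decryptedPassword == null) {
                this.logger.warning("Unable to process PfxCertificateData. Could not retrieve valid password.");
                return false;
            }
            pfxPassword = decryptedPassword.toCharArray();
            KeyStore sourceStore = KeyStore.getInstance(CertificateProvisioning.TYPE_PKCS12);
            sourceStore.load(pfxStream, pfxPassword);
            String keyAlias = getFirstKeystoreAliasWithPrivateKey(sourceStore);
            if (keyAlias == null) {
                throw new OMADMException("Could not find alias with private key from pfx blob.");
            }
            // Only the leaf certificate is carried over; any chain in the PFX is not copied.
            Certificate[] certificateArr = {sourceStore.getCertificate(keyAlias)};
            if (certificateArr[0] == null) {
                throw new OMADMException("Could not extract certificate from pfx blob.");
            }
            Key privateKey = sourceStore.getKey(keyAlias, pfxPassword);
            if (privateKey == null) {
                // Fail with a clear message instead of a NullPointerException on getEncoded().
                throw new OMADMException("Could not extract private key from pfx blob.");
            }
            // NOTE(review): the encoded private key is copied into the state object; how
            // addUserCert persists or protects it is not visible here. Confirm at the callee.
            newState.privateKey = privateKey.getEncoded();
            newState.thumbprint = CertUtils.getThumbPrint(certificateArr[0]);
            ScepCertificateState existingState = this.certStateData.getUserCertificateByRequestId(pfxCertificateData.requestId, pfxCertificateData.user);
            // A replacement keeps the alias of the certificate it replaces.
            if (existingState == null) {
                newState.alias = CERT_ALIAS_TAG + newState.thumbprint;
                newState.opType = CertOperation.CERT_ENROLL;
            } else {
                newState.alias = existingState.alias;
                newState.opType = CertOperation.CERT_REPLACE;
            }
            CertStorePasswords certStorePasswords = Services.get().getCertStorePasswords();
            ByteArrayOutputStream storeBytes = new ByteArrayOutputStream();
            KeyStore targetStore = KeyStore.getInstance(CertificateProvisioning.TYPE_PKCS12);
            // load(null, null) initialises an empty store.
            targetStore.load(null, null);
            targetStore.setKeyEntry(newState.alias, privateKey, certStorePasswords.getEntryPassword(), certificateArr);
            targetStore.store(storeBytes, certStorePasswords.getStorePassword());
            newState.certStoreBlob = storeBytes.toByteArray();
            if (certificateArr[0] instanceof X509Certificate) {
                X509Certificate x509Certificate = (X509Certificate) certificateArr[0];
                newState.issuers = x509Certificate.getIssuerDN().getName();
                newState.hasDigitalSignatureKeyUsage = Boolean.valueOf(CertUtils.hasDigitalSignatureKeyUsage(x509Certificate));
                newState.hasKeyEnciphermentKeyUsage = Boolean.valueOf(CertUtils.hasKeyEnciphermentKeyUsage(x509Certificate));
                newState.hasExtendedKeyUsage = Boolean.valueOf(CertUtils.hasEKU(x509Certificate));
                newState.hasAnyPurposeEKU = Boolean.valueOf(CertUtils.hasAnyPurposeEKU(x509Certificate));
                newState.hasEmailProtectionEKU = Boolean.valueOf(CertUtils.hasEmailProtectionEKU(x509Certificate));
            } else {
                this.logger.warning("Unable to get certificate issuers, key usage, and extended key usage from pfx certificate. Certificate was not an instance of X509Certificate");
            }
            newState.status = CertStatus.CERT_INSTALL_REQUESTED;
            newState.lastError = 0;
            this.certStoreMgr.addUserCert(newState);
            return removeCertAndPasswordBlobs(pfxCertificateData);
        } catch (OMADMException e) {
            throw e;
        } catch (KeyStoreException e) {
            this.logger.log(Level.WARNING, "Could not create keystore instance or keystore instance was not initialized.", e);
            throw new OMADMException(e);
        } catch (NoSuchAlgorithmException e) {
            this.logger.log(Level.WARNING, "Required algorithm to parse pfx certificate was not available.", e);
            throw new OMADMException(e);
        } catch (UnrecoverableKeyException e) {
            this.logger.log(Level.WARNING, "Could not recover private key from keystore.", e);
            throw new OMADMException(e);
        } catch (CertificateException e) {
            this.logger.log(Level.WARNING, "Cannot open pfx certificate. Exception occurred while loading the certificates.", e);
            throw new OMADMException(e);
        } catch (CMSException e) {
            this.logger.log(Level.WARNING, "Decoding cert password threw CMS exception.", e);
            throw new OMADMException(e);
        } catch (Exception e) {
            this.logger.log(Level.WARNING, "Caught exception processing pfx certificate.", e);
            throw new OMADMException(e);
        } finally {
            // Do not leave the cleartext PFX password in memory longer than needed.
            if (pfxPassword != null) {
                java.util.Arrays.fill(pfxPassword, '\0');
            }
        }
    }

    /**
     * Clears the PFX blob and encrypted password from the record and persists the change.
     *
     * @param pfxCertificateData the record to scrub
     * @return the result of the repository update; when {@code false} the in-memory record is
     *     cleared but the update was not reported as successful
     */
    public boolean removeCertAndPasswordBlobs(PfxCertificateData pfxCertificateData) {
        pfxCertificateData.certBlob = null;
        pfxCertificateData.encodedCertPassword = null;
        return update(pfxCertificateData);
    }

    /**
     * Decides whether the record is ready to be processed.
     *
     * @param pfxCertificateData the record to check
     * @return {@code false} if the blob or encrypted password is empty, or if a certificate
     *     state exists whose status is not {@code CERT_ACCESS_GRANTED}; otherwise {@code true}
     */
    public boolean shouldProcessPfxCertificate(PfxCertificateData pfxCertificateData) {
        if (ArrayUtils.isEmpty(pfxCertificateData.certBlob) || ArrayUtils.isEmpty(pfxCertificateData.encodedCertPassword)) {
            return false;
        }
        ScepCertificateState existingState = this.certStateData.getUserCertificateByRequestId(pfxCertificateData.requestId, pfxCertificateData.user);
        if (existingState == null || CertStatus.CERT_ACCESS_GRANTED == existingState.status) {
            return true;
        }
        this.logger.info("Waiting to process PFX certificate until user gives us access to existing certificate. RequestId=" + pfxCertificateData.requestId);
        return false;
    }

    /**
     * Attempts to process every PFX record of the user; a record that fails with an
     * {@link OMADMException} is removed from the database.
     *
     * @param l the user identifier
     */
    public void tryProcessAllPfxCertificates(Long l) {
        for (PfxCertificateData pfxCertificateData : getAllPfxCertificates(l)) {
            try {
                if (processPfxCertificate(pfxCertificateData)) {
                    this.logger.fine("Successfully processed pfx certificate. PfxCertificateData converted into ClientCertificateState for install.");
                } else if (shouldProcessPfxCertificate(pfxCertificateData)) {
                    this.logger.fine("Processing pfx certificate returned unsuccessfully.");
                }
            } catch (OMADMException e) {
                // Keep the cause in the log so a dropped certificate policy can be diagnosed.
                this.logger.log(Level.WARNING, "Unable to process pfx certificate policy. Removing from database. RequestId=" + pfxCertificateData.requestId, e);
                if (!delete(pfxCertificateData)) {
                    this.logger.warning("Failed to remove unprocessable PfxCertificateData. RequestId=" + pfxCertificateData.requestId);
                }
            }
        }
    }

    /**
     * Persists changes to the record.
     *
     * @param pfxCertificateData the record to update
     * @return the result reported by the repository
     */
    public boolean update(PfxCertificateData pfxCertificateData) {
        return this.tr.update(pfxCertificateData);
    }
}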
