package com.huawei.security.pkisdk;

import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import android.util.Log;
import com.huawei.hms.network.ai.a0;
import com.huawei.phoneservice.feedbackcommon.network.FeedbackWebConstants;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.UUID;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Destroyable;

/* loaded from: classes14.dex */
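/**
 * Device-side PKI client backed by the Huawei universal keystore (keystore type
 * {@code "HwKeystore"}, JCA provider {@code "HwUniversalKeyStoreProvider"}).
 *
 * It creates RSA key pairs under a caller-supplied alias, exports the keystore-issued
 * certificate chain as a ';'-joined list of Base64 DER certificates, and performs
 * RSA-PSS signing plus RSA-OAEP encryption/decryption with those keys.
 *
 * Security-relevant behaviour a caller should know (all visible in this class):
 * <ul>
 *   <li>Keys are generated with {@code setUserAuthenticationRequired(false)}: any code in
 *       this process can use them without a user-presence check.</li>
 *   <li>The attestation challenge passed to the keystore is generated locally and is never
 *       returned to the caller, so a relying party cannot bind the attestation to a nonce of
 *       its own choosing; the chain proves device binding, not freshness.</li>
 *   <li>{@link #b(Certificate[])} drops the last certificate of the chain (presumably the
 *       root) from the exported string — the consumer must already trust that root.</li>
 *   <li>Every failure path returns an empty array / empty string rather than throwing, so
 *       callers must check for that explicitly; an empty result is never a valid output.</li>
 * </ul>
 *
 * The single-letter method names are obfuscated in the shipped artefact and are kept here
 * because they are {@code public} and may be referenced from other obfuscated classes.
 */
public class PKIAuthClientImpl implements PKIAuthClient {
    /** Serialises {@link #getAppAuthCert(String)} (signing-key creation + self-test). */
    public static final Object a = new Object();
    /** Serialises {@link #f(String)} (encryption-key creation). */
    public static final Object b = new Object();

    private static final String TAG = "PKIAuthClientImpl";
    private static final String KEYSTORE_TYPE = "HwKeystore";
    private static final String PROVIDER = "HwUniversalKeyStoreProvider";
    private static final String OAEP_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String PSS_ALGORITHM = "SHA256withRSA/PSS";
    /** Upper bound on an accepted alias length; longer aliases are rejected by {@link #c(String)}. */
    private static final int MAX_ALIAS_LENGTH = 48;
    /** Lifetime of the self-issued certificate requested from the keystore. */
    private static final int CERT_VALIDITY_YEARS = 10;
    /** Fixed serial number requested for every generated certificate. */
    private static final long CERT_SERIAL = 1337L;
    /** Purpose flags handed to KeyGenParameterSpec (presumably PURPOSE_ENCRYPT | PURPOSE_DECRYPT). */
    private static final int PURPOSES_ENCRYPT_DECRYPT = 3;
    /** Purpose flags handed to KeyGenParameterSpec (presumably PURPOSE_SIGN | PURPOSE_VERIFY). */
    private static final int PURPOSES_SIGN_VERIFY = 12;

    /** What a generated key pair is allowed to do; selects paddings and purpose flags in {@link #a}. */
    public enum Purpose {
        SIGN,
        ENCRYPT
    }

    static {
        // The provider is installed reflectively so this class still loads on devices that
        // ship without it; every keystore call will then fail and be reported as an empty result.
        try {
            Class.forName("com.huawei.security.keystore.HwUniversalKeyStoreProvider").getMethod("install", new Class[0]).invoke(null, new Object[0]);
            Log.i(TAG, "HwUniversalKeyStore: install success.");
        } catch (ClassNotFoundException unused) {
            Log.e(TAG, "HwUniversalKeyStore: no found.");
        } catch (IllegalAccessException unused2) {
            Log.e(TAG, "HwUniversalKeyStore: can not access.");
        } catch (NoSuchMethodException unused3) {
            Log.e(TAG, "HwUniversalKeyStore: function not found.");
        } catch (InvocationTargetException unused4) {
            Log.e(TAG, "HwUniversalKeyStore: invocation target exception.");
        }
    }

    /** Opens and loads the Huawei keystore; every keystore-backed method goes through here. */
    private static KeyStore loadKeyStore()
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null);
        return keyStore;
    }

    /**
     * OAEP parameters shared by {@link #encryptMsg} (software provider, public key) and
     * {@link #decryptCipher} (keystore provider, private key): SHA-256 as the OAEP digest but
     * SHA-1 for MGF1. The two sides must stay identical or ciphertexts stop decrypting;
     * the SHA-1 MGF1 pin is presumably there because the keystore implementation fixes MGF1
     * at SHA-1 — confirm before changing either side.
     */
    private static OAEPParameterSpec oaepSpec() {
        return new OAEPParameterSpec(FeedbackWebConstants.SHA_256, "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT);
    }

    /** Best-effort wipe of a key handle; keystore-backed keys may refuse, which is only logged. */
    private static void destroyQuietly(Destroyable key) {
        if (key == null) {
            return;
        }
        try {
            key.destroy();
        } catch (DestroyFailedException unused) {
            Log.w(TAG, "Destroy private key failed!");
        }
    }

    /**
     * Builds the key-generation spec for {@code purpose} under alias {@code str}.
     *
     * The certificate is valid from now for {@link #CERT_VALIDITY_YEARS}, always has serial
     * {@link #CERT_SERIAL}, and needs no user authentication. The attestation challenge is
     * nine bytes derived from a random UUID (its first 12 hex characters, Base64-decoded);
     * {@code a0.n} is presumably the "-" separator stripped from the UUID text. Because the
     * challenge is not exposed to the caller, the resulting attestation cannot be checked for
     * freshness by a remote party.
     *
     * @throws IllegalArgumentException for a purpose this class does not know how to build
     *         (unreachable with the two-value enum; replaces the null dereference that the
     *         original fell into on that branch)
     */
    public final AlgorithmParameterSpec a(String str, Purpose purpose) {
        GregorianCalendar notBefore = new GregorianCalendar();
        GregorianCalendar notAfter = new GregorianCalendar();
        notAfter.add(GregorianCalendar.YEAR, CERT_VALIDITY_YEARS);
        byte[] challenge = Base64.decode(
                UUID.randomUUID().toString().replace(a0.n, "").substring(0, 12), Base64.NO_WRAP);

        KeyGenParameterSpec.Builder builder;
        switch (purpose) {
            case ENCRYPT:
                builder = new KeyGenParameterSpec.Builder(str, PURPOSES_ENCRYPT_DECRYPT);
                builder.setEncryptionPaddings("OAEPPadding");
                break;
            case SIGN:
                builder = new KeyGenParameterSpec.Builder(str, PURPOSES_SIGN_VERIFY);
                builder.setSignaturePaddings("PSS");
                break;
            default:
                throw new IllegalArgumentException("Unsupported key purpose: " + purpose);
        }
        return builder.setDigests(FeedbackWebConstants.SHA_256)
                .setCertificateSerialNumber(BigInteger.valueOf(CERT_SERIAL))
                .setCertificateNotBefore(notBefore.getTime())
                .setCertificateNotAfter(notAfter.getTime())
                .setAttestationChallenge(challenge)
                .setUserAuthenticationRequired(false)
                .build();
    }

    /**
     * Serialises a certificate chain as ';'-separated Base64 (no line wrap) DER blobs.
     *
     * The last element of the chain is deliberately not included (presumably the root that
     * the verifying service already pins — confirm against the server side). Returns "" when
     * any included certificate is null, cannot be encoded, or when the chain has fewer than
     * two entries; the original threw on a chain of length 0 or 1.
     */
    public final String b(Certificate[] certificateArr) {
        if (certificateArr == null || certificateArr.length < 2) {
            Log.e(TAG, "Build authorization error, certificate chain is too short.");
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (int idx = 0; idx < certificateArr.length - 1; idx++) {
            Certificate cert = certificateArr[idx];
            if (cert == null) {
                Log.e(TAG, "One of certificates is null.");
                return "";
            }
            try {
                if (out.length() > 0) {
                    out.append(';');
                }
                out.append(Base64.encodeToString(cert.getEncoded(), Base64.NO_WRAP));
            } catch (CertificateEncodingException unused) {
                Log.e(TAG, "Build authorization error, have a certificate encoding exception");
                return "";
            }
        }
        Log.i(TAG, "Build authorization success.");
        return out.toString();
    }

    /**
     * Alias validation. Returns {@code true} when the alias is UNUSABLE (null, blank, or
     * longer than {@link #MAX_ALIAS_LENGTH}) — note the inverted sense, every caller bails
     * out on {@code true}.
     */
    public final boolean c(String str) {
        if (str == null) {
            Log.e(TAG, "Certificate alias is null.");
            return true;
        }
        if (str.trim().isEmpty()) {
            Log.e(TAG, "Certificate alias is empty.");
            return true;
        }
        if (str.length() > MAX_ALIAS_LENGTH) {
            Log.e(TAG, "Certificate alias length exceeds 48.");
            return true;
        }
        return false;
    }

    /**
     * Proof-of-possession self-test: signs a fresh random challenge with the private key
     * under {@code str} and verifies it against the public key of {@code certificate}
     * (expected to be the leaf). On mismatch the stored chain is deleted so the next call
     * regenerates it. This checks key/leaf agreement only — it does not validate the chain.
     */
    public final boolean d(Certificate certificate, String str) {
        byte[] challenge = UUID.randomUUID().toString().replace(a0.n, "").substring(12).getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(challenge, str);
        if (signature.length == 0) {
            Log.e(TAG, "The number of signature challenge is 0");
            return false;
        }
        if (i(certificate.getPublicKey(), signature, challenge)) {
            return true;
        }
        Log.e(TAG, "Verify signature failed.");
        deleteCertChain(str);
        return false;
    }

    /**
     * RSA-OAEP decrypts {@code bArr} with the private key stored under {@code str}.
     *
     * @return the plaintext, or an empty array on any failure (bad input, bad alias, missing
     *         key, wrong padding, keystore error) — an empty array is never a valid plaintext
     *         here because the cipher text must be non-empty to get this far.
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] decryptCipher(byte[] bArr, String str) {
        Log.i(TAG, "Begin to decrypt cipher text");
        if (bArr == null || bArr.length == 0) {
            Log.e(TAG, "Decryption message is invalid");
            return new byte[0];
        }
        if (c(str)) {
            return new byte[0];
        }
        try {
            KeyStore keyStore = loadKeyStore();
            Log.i(TAG, "Load  keystore success!");
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            if (entry == null) {
                Log.w(TAG, "Entry is not existence");
                return new byte[0];
            }
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                Log.w(TAG, "Not an instance of a PrivateKeyEntry");
                return new byte[0];
            }
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            // Decryption is pinned to the keystore provider so the private key never leaves it.
            Cipher cipher = Cipher.getInstance(OAEP_TRANSFORMATION, PROVIDER);
            cipher.init(Cipher.DECRYPT_MODE, privateKey, oaepSpec());
            return cipher.doFinal(bArr);
        } catch (IOException | GeneralSecurityException | ProviderException e) {
            Log.e(TAG, "Decrypt Cipher failed, the detail: " + e.getMessage());
            return new byte[0];
        }
    }

    /**
     * Removes the key pair and certificate chain stored under {@code str}.
     *
     * @return {@code true} when the entry is gone afterwards (including when the alias was
     *         rejected, matching the original contract); {@code false} on a keystore error
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public boolean deleteCertChain(String str) {
        Log.i(TAG, "Start to delete cert chain.");
        if (c(str)) {
            Log.i(TAG, "Certificate alias name is invalid");
            return true;
        }
        try {
            loadKeyStore().deleteEntry(str);
            return true;
        } catch (IOException unused) {
            Log.e(TAG, "Delete cert chain error, have a IOException.");
            return false;
        } catch (KeyStoreException unused2) {
            Log.e(TAG, "Delete cert chain error, have a KeyStoreException.");
            return false;
        } catch (NoSuchAlgorithmException unused3) {
            Log.e(TAG, "Delete cert chain error, have a NoSuchAlgorithmException.");
            return false;
        } catch (CertificateException unused4) {
            Log.e(TAG, "Delete cert chain error, have a CertificateException.");
            return false;
        }
    }

    /**
     * Returns the signing certificate chain under {@code str}, generating a new RSA-PSS key
     * pair when no valid chain exists. Never returns null: a keystore that yields no chain
     * after generation produces an empty array (the original returned null there, which
     * {@link #getAppAuthCert} then dereferenced).
     */
    public final Certificate[] e(String str) {
        Log.i(TAG, "Start to generate certificate chain.");
        try {
            List<Certificate> existing = new ArrayList<>(0);
            if (g(str, existing)) {
                return existing.toArray(new Certificate[0]);
            }
            Log.i(TAG, "Start to generate a new certificate chain.");
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", PROVIDER);
            generator.initialize(a(str, Purpose.SIGN));
            generator.generateKeyPair();
            Certificate[] chain = loadKeyStore().getCertificateChain(str);
            Log.i(TAG, "Generate certificate chain successfully.");
            return chain == null ? new Certificate[0] : chain;
        } catch (IOException | GeneralSecurityException e) {
            Log.e(TAG, "Generate certificate chain error, detail: " + e.getMessage());
            return new Certificate[0];
        } catch (ProviderException e) {
            Log.w(TAG, "Device dose not support HUKS, detail: " + e.getMessage());
            return new Certificate[0];
        }
    }

    /**
     * RSA-OAEP encrypts {@code bArr} to the public key of the encryption certificate under
     * {@code str}, creating the key pair first if needed (see {@link #f(String)}).
     * Encryption runs on the default JCA provider — only the public key is involved.
     *
     * @return the cipher text, or an empty array on any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] encryptMsg(byte[] bArr, String str) {
        Log.i(TAG, "Begin to encrypt message");
        if (bArr == null || bArr.length == 0) {
            Log.e(TAG, "Encryption message is invalid");
            return new byte[0];
        }
        if (c(str)) {
            return new byte[0];
        }
        try {
            if (!f(str)) {
                Log.e(TAG, "Get encrypt key pair failed");
                return new byte[0];
            }
            KeyStore keyStore = loadKeyStore();
            if (!(keyStore.getEntry(str, null) instanceof KeyStore.PrivateKeyEntry)) {
                Log.e(TAG, "PrivateKeyEntry is not exist， need generate a new");
                return new byte[0];
            }
            Certificate[] chain = keyStore.getCertificateChain(str);
            if (chain == null || chain.length == 0) {
                // Guard against a missing chain; the original would have thrown NPE here.
                Log.e(TAG, "Get encrypt key pair failed");
                return new byte[0];
            }
            PublicKey publicKey = chain[0].getPublicKey();
            Cipher cipher = Cipher.getInstance(OAEP_TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, publicKey, oaepSpec());
            return cipher.doFinal(bArr);
        } catch (IOException | GeneralSecurityException | ProviderException e) {
            Log.e(TAG, "Encrypt message failed, the detail:" + e.getMessage());
            return new byte[0];
        }
    }

    /**
     * Ensures an encryption key pair exists under {@code str}, generating one when
     * {@link #g} reports none. Serialised on {@link #b} so concurrent callers do not race to
     * create (and overwrite) the same alias.
     *
     * @return {@code true} when a usable key pair is present afterwards
     */
    public final boolean f(String str) {
        Log.i(TAG, "Start to generate encryption certificate");
        synchronized (b) {
            try {
                if (g(str, new ArrayList<>(0))) {
                    return true;
                }
                Log.i(TAG, "Start to generate a new encryption certificate.");
                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", PROVIDER);
                generator.initialize(a(str, Purpose.ENCRYPT));
                generator.generateKeyPair();
                return true;
            } catch (GeneralSecurityException e) {
                Log.e(TAG, "Generate certificate chain error, have a general security exception, the detail: " + e.getMessage());
                return false;
            } catch (IOException e2) {
                Log.e(TAG, "Generate certificate chain error, have an IOException, the detail: " + e2.getMessage());
                return false;
            } catch (ProviderException unused) {
                Log.w(TAG, "Device dose not support HUKS.");
                return false;
            }
        }
    }

    /**
     * Checks whether a usable chain (at least two certificates, valid leaf) already exists
     * under {@code str}.
     *
     * Returns {@code true} and fills {@code list} when it does. Also returns {@code true} —
     * with {@code list} left EMPTY — when the leaf is not an X.509 certificate; callers then
     * end up with an empty chain rather than overwriting the entry. Returns {@code false}
     * (after deleting an expired/not-yet-valid chain) when a new key pair should be made.
     */
    public final boolean g(String str, List<Certificate> list) throws GeneralSecurityException, IOException {
        Log.i(TAG, "Check certificate chain is existence or not.");
        Certificate[] chain = loadKeyStore().getCertificateChain(str);
        if (chain == null || chain.length < 2) {
            Log.i(TAG, "certificate chain is not existence, need to generate new one.");
            return false;
        }
        Certificate leaf = chain[0];
        if (!(leaf instanceof X509Certificate)) {
            Log.e(TAG, "Fail to change keyAttentionCert to X509!");
            return true;
        }
        if (h((X509Certificate) leaf)) {
            Log.i(TAG, "Certificate chain is existence, skip to generate new one.");
            list.addAll(Arrays.asList(chain));
            return true;
        }
        Log.i(TAG, "Certificate is invalid");
        deleteCertChain(str);
        return false;
    }

    /**
     * Returns the app's signing certificate chain as a ';'-joined Base64 string (see
     * {@link #b}), creating or renewing the key pair as necessary and running the
     * proof-of-possession self-test {@link #d} before handing it out.
     *
     * @return the serialised chain, or "" on any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public String getAppAuthCert(String str) {
        synchronized (a) {
            Log.i(TAG, "Generate certificate chain with alias.");
            if (c(str)) {
                return "";
            }
            Certificate[] chain = e(str);
            if (chain.length == 0) {
                Log.e(TAG, "Get certificate chain failed.");
                return "";
            }
            try {
                Certificate leaf = chain[0];
                if (leaf instanceof X509Certificate) {
                    ((X509Certificate) leaf).checkValidity();
                }
            } catch (CertificateExpiredException | CertificateNotYetValidException unused) {
                // Expired leaf: wipe and regenerate once; a second failure is reported, not retried.
                Log.e(TAG, "Certificate is expired.");
                deleteCertChain(str);
                chain = e(str);
                if (chain.length == 0) {
                    Log.e(TAG, "Get certificate chain failed.");
                    return "";
                }
            }
            if (chain.length < 2) {
                Log.e(TAG, "The number of certificates is not right " + chain.length);
                return "";
            }
            if (!d(chain[0], str)) {
                Log.e(TAG, "The attestation certificate is invalid");
                return "";
            }
            return b(chain);
        }
    }

    /** Time-window check only (notBefore/notAfter); no chain or revocation validation. */
    public final boolean h(X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity();
            return true;
        } catch (CertificateExpiredException unused) {
            Log.e(TAG, "isCertificateValidity : certificate expired exception.");
            return false;
        } catch (CertificateNotYetValidException unused2) {
            Log.e(TAG, "isCertificateValidity : certificate not yet valid exception.");
            return false;
        }
    }

    /**
     * Verifies an RSA-PSS/SHA-256 signature {@code bArr} over {@code bArr2} with
     * {@code publicKey} using the default provider.
     */
    public final boolean i(PublicKey publicKey, byte[] bArr, byte[] bArr2) {
        try {
            Signature verifier = Signature.getInstance(PSS_ALGORITHM);
            verifier.initVerify(publicKey);
            verifier.update(bArr2);
            return verifier.verify(bArr);
        } catch (InvalidKeyException | ProviderException unused) {
            Log.e(TAG, "Verify signature error, have a InvalidKeyException or ProviderException.");
            return false;
        } catch (NoSuchAlgorithmException unused2) {
            Log.e(TAG, "Verify signature error, have a NoSuchAlgorithmException.");
            return false;
        } catch (SignatureException unused3) {
            Log.e(TAG, "Verify signature error, have a SignatureException.");
            return false;
        }
    }

    /**
     * RSA-PSS/SHA-256 signs {@code bArr} with the private key under {@code str}, on the
     * keystore provider. The key handle is destroyed (best effort) on every exit path,
     * including failures — the original only did so on success.
     *
     * @return the signature, or an empty array on any failure
     */
    @Override // com.huawei.security.pkisdk.PKIAuthClient
    public byte[] sign(byte[] bArr, String str) {
        Log.i(TAG, "Begin to sign text info");
        if (bArr == null || bArr.length == 0) {
            Log.e(TAG, "Signature text is invalid");
            return new byte[0];
        }
        if (c(str)) {
            return new byte[0];
        }
        PrivateKey privateKey = null;
        try {
            KeyStore.Entry entry = loadKeyStore().getEntry(str, null);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                Log.e(TAG, "Entry is not existence, the alias is " + str);
                return new byte[0];
            }
            privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            Signature signer = Signature.getInstance(PSS_ALGORITHM, PROVIDER);
            signer.initSign(privateKey);
            signer.update(bArr);
            return signer.sign();
        } catch (IOException | GeneralSecurityException | ProviderException unused) {
            Log.e(TAG, "Sign challenge error, have a general security exception.");
            return new byte[0];
        } finally {
            destroyQuietly(privateKey);
        }
    }
}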
