package au.gov.dfat.lib.vdsncchecker;

import am.d;
import android.os.Build;
import android.util.Base64;
import android.util.Log;
import androidx.annotation.Keep;
import dq.b;
import dq.e;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.Signature;
import java.security.cert.CRL;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import jo.k;
import org.json.JSONObject;
import xn.p;
import z5.c;
import z5.i;
import zp.c0;
import zp.h;
import zp.q;
import zp.r1;
import zp.w;

/**
 * Verifies a {@link VDS} against a CSCA certificate, its expected SHA-256 hash and one or
 * more CRLs. The four-argument {@code verifyVDS} runs, in order: CSCA hash check, CRL
 * signature check, BSC revocation check, AKI match, PKIX path validation and finally the
 * VDS signature check. Each step reports failure by throwing {@link VDSVerifyException}.
 *
 * <p>This listing is decompiler output ("loaded from: classes.dex", JADX warnings) with
 * obfuscated helper names ({@code k}, {@code w}, {@code dq.*}, {@code eq.a}, ...). Comments
 * about what those helpers do are inferences and are marked as such.
 *
 * <p>NOTE(review): three mutable flags change how strict verification is
 * ({@code isRevocationEnabled}, {@code skipCRLCheck}, {@code useAkiForComparison}). All of
 * them have public setters, so any code holding the instance can relax the checks.
 */
@Keep
/* loaded from: classes.dex */
public class VDSAuthenticator implements x5.a {
    public static final a Companion = new a();
    // Log tag taken from the (obfuscated) interface x5.a, not from this class.
    private static final String TAG = x5.a.class.getSimpleName();
    // Passed straight to PKIXParameters.setRevocationEnabled(); no initializer, so false by default.
    private boolean isRevocationEnabled;
    // When true, a revoked BSC certificate or a CRL whose signature fails no longer raises an error.
    private boolean skipCRLCheck;
    // Selects which CSCA identifier the BSC AKI is compared with: CSCA AKI (true) or CSCA SKI (false).
    private boolean useAkiForComparison;

    /* loaded from: classes.dex */
    // Empty holder type for the Companion field; it declares no members here.
    public static final class a {
    }

    /**
     * Creates the authenticator and runs the {@link #setupSecurity()} hook.
     *
     * <p>NOTE(review): {@code setupSecurity()} is public and non-final, so a subclass override
     * runs before the subclass constructor body has executed.
     */
    public VDSAuthenticator() {
        setupSecurity();
    }

    /**
     * Base64-decodes the certificate carried in the VDS signature block.
     *
     * <p>The certificate bytes come from the document being verified, so they are untrusted
     * until the path validation and signature checks have passed.
     *
     * @param vds document whose {@code sig.cer} value is decoded
     * @return decoded certificate bytes, never null
     * @throws VDSVerifyException with PARSE_BSC_CERT_ERROR if decoding fails for any reason
     */
    private final byte[] getBSCCertDataFromVDS(VDS vds) {
        byte[] bArr;
        try {
            // Flag 8 is android.util.Base64.URL_SAFE.
            bArr = Base64.decode(vds.getSig().getCer(), 8);
        } catch (Exception unused) {
            // Any failure (including a missing sig object) collapses to the single error below.
            bArr = null;
        }
        if (bArr != null) {
            return bArr;
        }
        throw new VDSVerifyException(VDSVerifyError.PARSE_BSC_CERT_ERROR);
    }

    /**
     * Parses encoded bytes into the BSC certificate.
     *
     * @param bArr encoded certificate
     * @return the parsed certificate, never null
     * @throws VDSVerifyException with LOAD_BSC_CERT_ERROR if parsing throws or the result is
     *     not an {@link X509Certificate}
     */
    private final X509Certificate getBSCCertFromBSCCertData(byte[] bArr) {
        X509Certificate x509Certificate = null;
        try {
            Certificate generateCertificate = getCertFactory().generateCertificate(new ByteArrayInputStream(bArr));
            if (generateCertificate instanceof X509Certificate) {
                x509Certificate = (X509Certificate) generateCertificate;
            }
        } catch (Exception unused) {
            // Cause is discarded; the caller only sees LOAD_BSC_CERT_ERROR.
        }
        if (x509Certificate != null) {
            return x509Certificate;
        }
        throw new VDSVerifyException(VDSVerifyError.LOAD_BSC_CERT_ERROR);
    }

    /**
     * Parses encoded bytes into a CRL.
     *
     * @param bArr encoded CRL
     * @return the parsed CRL (always an {@link X509CRL} instance), never null
     * @throws VDSVerifyException with LOAD_CRL_ERROR if parsing throws or the result is not
     *     an {@link X509CRL}
     */
    private final CRL getCRLFromCRLData(byte[] bArr) {
        X509CRL x509crl = null;
        try {
            CRL generateCRL = getCertFactory().generateCRL(new ByteArrayInputStream(bArr));
            if (generateCRL instanceof X509CRL) {
                x509crl = (X509CRL) generateCRL;
            }
        } catch (Exception unused) {
            // Cause is discarded; the caller only sees LOAD_CRL_ERROR.
        }
        if (x509crl != null) {
            return x509crl;
        }
        throw new VDSVerifyException(VDSVerifyError.LOAD_CRL_ERROR);
    }

    /**
     * Parses encoded bytes into the CSCA certificate.
     *
     * @param bArr encoded certificate
     * @return the parsed certificate, never null
     * @throws VDSVerifyException with LOAD_CSCA_CERT_ERROR if parsing throws or the result
     *     is not an {@link X509Certificate}
     */
    private final X509Certificate getCSCACertFromCSCACertData(byte[] bArr) {
        X509Certificate x509Certificate = null;
        try {
            Certificate generateCertificate = getCertFactory().generateCertificate(new ByteArrayInputStream(bArr));
            if (generateCertificate instanceof X509Certificate) {
                x509Certificate = (X509Certificate) generateCertificate;
            }
        } catch (Exception unused) {
            // Cause is discarded; the caller only sees LOAD_CSCA_CERT_ERROR.
        }
        if (x509Certificate != null) {
            return x509Certificate;
        }
        throw new VDSVerifyException(VDSVerifyError.LOAD_CSCA_CERT_ERROR);
    }

    /**
     * Produces the string whose bytes are fed to the signature check.
     *
     * <p>Reads the {@code "data"} member of the original JSON, re-serialises it and passes it
     * through {@code oq.a}. NOTE(review): {@code oq.a} is presumably a JSON canonicaliser;
     * confirm, since the signed bytes depend entirely on its output.
     *
     * @param vds document whose original JSON is read
     * @return the processed JSON text, never null
     * @throws VDSVerifyException with PARSE_JSON_ERROR on any failure
     */
    private final String getCanonicalJsonFromVDS(VDS vds) {
        String str;
        try {
            str = new oq.a(new JSONObject(vds.getOriginalJson()).get("data").toString()).f19441a.toString();
        } catch (Exception unused) {
            str = null;
        }
        if (str != null) {
            return str;
        }
        throw new VDSVerifyException(VDSVerifyError.PARSE_JSON_ERROR);
    }

    /**
     * Returns the factory supplied by {@link #onGetCertificateFactory()}.
     *
     * @return a certificate factory, never null
     * @throws VDSVerifyException with CREATE_CERTIFICATE_FACTORY_ERROR if the hook throws or
     *     returns null
     */
    private final CertificateFactory getCertFactory() {
        CertificateFactory certificateFactory;
        try {
            certificateFactory = onGetCertificateFactory();
        } catch (Exception unused) {
            certificateFactory = null;
        }
        if (certificateFactory != null) {
            return certificateFactory;
        }
        throw new VDSVerifyException(VDSVerifyError.CREATE_CERTIFICATE_FACTORY_ERROR);
    }

    /**
     * Reads a key identifier from the certificate extension named by {@code b.f10392n}.
     *
     * <p>Presumably the authority key identifier, going by the method name and the message
     * string below; the OID constant is obfuscated, so confirm. The type juggling in the body
     * is a decompiler artefact (see the JADX warning).
     *
     * @param x509Certificate certificate to inspect
     * @return the identifier bytes as a list, or null if the extension is absent or cannot be
     *     parsed (the exception is logged, not rethrown)
     */
    /* JADX WARN: Multi-variable type inference failed */
    private final List<Byte> getCertificateAKI(X509Certificate x509Certificate) {
        try {
            byte[] bArr = w.J(x509Certificate.getExtensionValue(b.f10392n.f30609i)).f30616i;
            w wVar = (bArr instanceof dq.a ? (dq.a) bArr : bArr != 0 ? new dq.a(c0.L(bArr)) : null).f10388i;
            byte[] bArr2 = wVar != null ? wVar.f30616i : null;
            k.e(bArr2, "aki.keyIdentifier");
            return new xn.k(bArr2);
        } catch (Exception e5) {
            // Failure is reported as null; callers must treat null as "no identifier".
            Log.e(TAG, "getCertificateAKI:" + e5);
            return null;
        }
    }

    /**
     * Reads a key identifier from the certificate extension named by {@code b.f10391i}.
     *
     * <p>Presumably the subject key identifier, going by the method name and the message
     * string below; the OID constant is obfuscated, so confirm.
     *
     * @param x509Certificate certificate to inspect
     * @return the identifier bytes as a list, or null if the extension is absent or cannot be
     *     parsed (the exception is logged, not rethrown)
     */
    /* JADX WARN: Multi-variable type inference failed */
    private final List<Byte> getCertificateSKI(X509Certificate x509Certificate) {
        try {
            byte[] bArr = w.J(x509Certificate.getExtensionValue(b.f10391i.f30609i)).f30616i;
            byte[] a10 = eq.a.a((bArr instanceof e ? (e) bArr : bArr != 0 ? new e(w.J(bArr)) : null).f10396i);
            k.e(a10, "skisubjectKeyIdentifier.keyIdentifier");
            return new xn.k(a10);
        } catch (Exception e5) {
            // Failure is reported as null; callers must treat null as "no identifier".
            Log.e(TAG, "getCertificateSKI:" + e5);
            return null;
        }
    }

    /**
     * Converts a raw {@code r || s} ECDSA signature into an encoded two-integer structure.
     *
     * <p>{@code eq.a.b} is presumably a copy-of-range helper and {@code h}/{@code q}/{@code r1}
     * presumably an ASN.1 vector, INTEGER and DER SEQUENCE; confirm against the unobfuscated
     * library.
     *
     * <p>NOTE(review): the split is hard-coded to bytes 0-32 and 32-64, which is the raw
     * signature size for a 256-bit curve only. {@link #getAlgorithmFromVDS(VDS)} also accepts
     * ES384 and ES512, whose r and s values are longer, so those signatures cannot verify
     * through this path. The input length is not checked either: bytes past offset 64 are
     * never read, so trailing data on an otherwise valid signature goes unnoticed. Deriving
     * the split from the curve size and rejecting any other length would close both gaps.
     *
     * @param bArr raw signature bytes
     * @return the encoded signature
     */
    private final byte[] getDERSignatureFromECDSASignature(byte[] bArr) {
        BigInteger bigInteger = new BigInteger(1, eq.a.b(bArr, 0, 32));
        BigInteger bigInteger2 = new BigInteger(1, eq.a.b(bArr, 32, 64));
        h hVar = new h();
        hVar.a(new q(bigInteger));
        hVar.a(new q(bigInteger2));
        return new r1(hVar).t();
    }

    /**
     * Base64-decodes the signature value carried in the VDS signature block.
     *
     * @param vds document whose {@code sig.sigvl} value is decoded
     * @return decoded signature bytes, never null
     * @throws VDSVerifyException with PARSE_SIGNATURE_ERROR if decoding fails for any reason
     */
    private final byte[] getSignatureDataFromVDS(VDS vds) {
        byte[] bArr;
        try {
            // Flag 8 is android.util.Base64.URL_SAFE.
            bArr = Base64.decode(vds.getSig().getSigvl(), 8);
        } catch (Exception unused) {
            bArr = null;
        }
        if (bArr != null) {
            return bArr;
        }
        throw new VDSVerifyException(VDSVerifyError.PARSE_SIGNATURE_ERROR);
    }

    /**
     * Asks the certificate repository for the CSCA material matching the VDS's BSC certificate.
     *
     * @param iVar certificate repository
     * @param vds document being verified
     * @return CSCA hash, certificate and CRL data, or null when the device API level is below
     *     26 or the repository returns nothing
     */
    private final CSCAData verifyCSCAExists(i iVar, VDS vds) {
        CertificateData a10 = iVar.a(getBSCCertDataFromVDS(vds), getCertFactory());
        // The repository is queried first; the API-level gate only discards its result.
        if (Build.VERSION.SDK_INT < 26 || a10 == null) {
            return null;
        }
        String hash = a10.getHash();
        byte[] certificate = a10.getCertificate();
        c crl = a10.getCrl();
        return new CSCAData(hash, certificate, crl != null ? crl.f29823b : null);
    }

    /**
     * Maps the VDS {@code sig.alg} value to a JCA signature algorithm name.
     *
     * <p>The nested hash-code comparisons are how the decompiler renders a switch on a string.
     * The algorithm name is read from the document under verification, so the document itself
     * chooses among the three accepted values.
     *
     * @param vds document whose algorithm identifier is read
     * @return "SHA256withECDSA", "SHA384withECDSA" or "SHA512withECDSA" for ES256, ES384 and
     *     ES512 respectively; null for anything else. A null result reaches
     *     {@code Signature.getInstance} inside the try block of
     *     {@link #verifyVDSSignature(VDS)}.
     */
    public String getAlgorithmFromVDS(VDS vds) {
        k.f(vds, "vds");
        String alg = vds.getSig().getAlg();
        int hashCode = alg.hashCode();
        if (hashCode != 66245349) {
            if (hashCode != 66246401) {
                if (hashCode == 66248104 && alg.equals("ES512")) {
                    return "SHA512withECDSA";
                }
            } else if (alg.equals("ES384")) {
                return "SHA384withECDSA";
            }
        } else if (alg.equals("ES256")) {
            return "SHA256withECDSA";
        }
        return null;
    }

    /** Returns whether CRL failures are tolerated; see the skipCRLCheck field. */
    public final boolean getSkipCRLCheck() {
        return this.skipCRLCheck;
    }

    /** Returns whether the CSCA AKI (rather than its SKI) is compared with the BSC AKI. */
    public final boolean getUseAkiForComparison() {
        return this.useAkiForComparison;
    }

    /** Returns the value handed to PKIX path validation as its revocation-checking switch. */
    public final boolean isRevocationEnabled() {
        return this.isRevocationEnabled;
    }

    /**
     * Overridable hook that supplies the certificate factory used for all certificate and CRL
     * parsing in this class.
     *
     * @return an "X.509" {@link CertificateFactory}
     */
    public CertificateFactory onGetCertificateFactory() {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        k.e(certificateFactory, "getInstance(\"X.509\")");
        return certificateFactory;
    }

    /** Sets the revocation-checking switch passed to PKIX path validation. */
    public final void setRevocationEnabled(boolean z10) {
        this.isRevocationEnabled = z10;
    }

    /**
     * Sets whether CRL failures are tolerated.
     *
     * <p>NOTE(review): with this set to true, a BSC certificate listed as revoked is accepted
     * and a CRL with a bad signature is ignored. It should never be enabled in a production
     * verification path.
     */
    public final void setSkipCRLCheck(boolean z10) {
        this.skipCRLCheck = z10;
    }

    /** Sets whether the CSCA AKI (true) or the CSCA SKI (false) is compared with the BSC AKI. */
    public final void setUseAkiForComparison(boolean z10) {
        this.useAkiForComparison = z10;
    }

    /** Hook invoked from the constructor; does nothing in this class. */
    public void setupSecurity() {
    }

    /**
     * Checks that the key identifier in the BSC certificate matches the CSCA certificate.
     *
     * <p>The BSC AKI is compared with the CSCA AKI when {@code useAkiForComparison} is set,
     * otherwise with the CSCA SKI.
     *
     * <p>NOTE(review): both identifier helpers return null when the extension is missing or
     * unparsable. {@code k.a} is presumably Kotlin's null-safe equality, in which case two
     * nulls compare equal and this check passes when neither identifier could be read.
     * Confirm, and reject a null identifier explicitly so that the check fails closed.
     *
     * @param vds document carrying the BSC certificate
     * @param bArr encoded CSCA certificate
     * @throws VDSVerifyException with VERIFY_BSC_CERT_AKI_MATCHES_CSCA_CERT_AKI_ERROR on
     *     mismatch, or a parse/load error from the certificate helpers
     */
    public void verifyBSCCertAKIMatchesCSCACertAKI(VDS vds, byte[] bArr) {
        k.f(vds, "vds");
        k.f(bArr, "cscaCertData");
        X509Certificate bSCCertFromBSCCertData = getBSCCertFromBSCCertData(getBSCCertDataFromVDS(vds));
        X509Certificate cSCACertFromCSCACertData = getCSCACertFromCSCACertData(bArr);
        try {
            if (k.a(getCertificateAKI(bSCCertFromBSCCertData), this.useAkiForComparison ? getCertificateAKI(cSCACertFromCSCACertData) : getCertificateSKI(cSCACertFromCSCACertData))) {
            } else {
                throw new Exception();
            }
        } catch (Exception unused) {
            throw new VDSVerifyException(VDSVerifyError.VERIFY_BSC_CERT_AKI_MATCHES_CSCA_CERT_AKI_ERROR);
        }
    }

    /**
     * Runs PKIX path validation on the BSC certificate with the CSCA certificate as the only
     * trust anchor.
     *
     * <p>{@code bh.w.C} and {@code p.i0} are presumably "list of one element" and "add all"
     * helpers. Revocation checking inside the validator follows {@code isRevocationEnabled},
     * which defaults to false; in that case revocation is covered only by
     * {@link #verifyBSCCertNotRevokedInCRL(VDS, Collection)}.
     *
     * @param vds document carrying the BSC certificate
     * @param bArr encoded CSCA certificate
     * @throws VDSVerifyException with VERIFY_BSC_CERT_PATH_INCLUDES_CSCA_CERT_ERROR if
     *     validation throws for any reason (the cause is discarded), or a parse/load error
     *     from the certificate helpers
     */
    public void verifyBSCCertIncludesCSCACertInCertPath(VDS vds, byte[] bArr) {
        k.f(vds, "vds");
        k.f(bArr, "cscaCertData");
        X509Certificate bSCCertFromBSCCertData = getBSCCertFromBSCCertData(getBSCCertDataFromVDS(vds));
        X509Certificate cSCACertFromCSCACertData = getCSCACertFromCSCACertData(bArr);
        try {
            CertPathValidator certPathValidator = CertPathValidator.getInstance("PKIX");
            CertPath generateCertPath = getCertFactory().generateCertPath(bh.w.C(bSCCertFromBSCCertData));
            // Null name constraints: the CSCA certificate is trusted as-is.
            TrustAnchor[] trustAnchorArr = {new TrustAnchor(cSCACertFromCSCACertData, null)};
            HashSet hashSet = new HashSet(d.p(1));
            p.i0(hashSet, trustAnchorArr);
            PKIXParameters pKIXParameters = new PKIXParameters(hashSet);
            pKIXParameters.setRevocationEnabled(this.isRevocationEnabled);
            if (certPathValidator.validate(generateCertPath, pKIXParameters) != null) {
            } else {
                throw new Exception();
            }
        } catch (Exception unused) {
            throw new VDSVerifyException(VDSVerifyError.VERIFY_BSC_CERT_PATH_INCLUDES_CSCA_CERT_ERROR);
        }
    }

    /**
     * Checks the BSC certificate against each supplied CRL.
     *
     * <p>NOTE(review): an empty collection passes without any check, and nothing here looks at
     * the CRL's update times, so a stale CRL is accepted as long as it parses. When
     * {@code skipCRLCheck} is set, a revoked certificate causes an early return instead of an
     * error. A CRL that fails to parse still throws, because that call sits outside any
     * skip handling.
     *
     * @param vds document carrying the BSC certificate
     * @param collection encoded CRLs
     * @throws VDSVerifyException with VERIFY_BSC_CERT_NOT_IN_CRL_ERROR if the certificate is
     *     revoked and {@code skipCRLCheck} is false, or a parse/load error from the helpers
     */
    public void verifyBSCCertNotRevokedInCRL(VDS vds, Collection<byte[]> collection) {
        k.f(vds, "vds");
        k.f(collection, "crlData");
        X509Certificate bSCCertFromBSCCertData = getBSCCertFromBSCCertData(getBSCCertDataFromVDS(vds));
        Iterator<T> it = collection.iterator();
        while (it.hasNext()) {
            if (getCRLFromCRLData((byte[]) it.next()).isRevoked(bSCCertFromBSCCertData)) {
                if (!this.skipCRLCheck) {
                    throw new VDSVerifyException(VDSVerifyError.VERIFY_BSC_CERT_NOT_IN_CRL_ERROR);
                }
                // skipCRLCheck: revocation is ignored and remaining CRLs are not consulted.
                return;
            }
        }
    }

    /**
     * Verifies the signature on each CRL with the CSCA certificate's public key.
     *
     * <p>NOTE(review): an empty collection passes without any check. When {@code skipCRLCheck}
     * is set, the first CRL whose signature fails ends the loop silently, so later CRLs are
     * not verified either, yet they are still used by the revocation check that follows in
     * {@code verifyVDS}.
     *
     * @param collection encoded CRLs
     * @param bArr encoded CSCA certificate
     * @throws VDSVerifyException with VERIFY_CRL_ERROR if a signature fails and
     *     {@code skipCRLCheck} is false, or a parse/load error from the helpers
     */
    public void verifyCRLSignatureUsingCSCACertPublicKey(Collection<byte[]> collection, byte[] bArr) {
        k.f(collection, "crlData");
        k.f(bArr, "cscaCertData");
        X509Certificate cSCACertFromCSCACertData = getCSCACertFromCSCACertData(bArr);
        Iterator<T> it = collection.iterator();
        while (it.hasNext()) {
            CRL cRLFromCRLData = getCRLFromCRLData((byte[]) it.next());
            k.d(cRLFromCRLData, "null cannot be cast to non-null type java.security.cert.X509CRL");
            try {
                ((X509CRL) cRLFromCRLData).verify(cSCACertFromCSCACertData.getPublicKey());
            } catch (Exception unused) {
                if (!this.skipCRLCheck) {
                    throw new VDSVerifyException(VDSVerifyError.VERIFY_CRL_ERROR);
                }
                return;
            }
        }
    }

    /**
     * Compares the SHA-256 digest of the CSCA certificate bytes with an expected hex string.
     *
     * <p>The digest is rendered with {@code "%02x"}, i.e. lowercase hex, and compared through
     * {@code k.a} (presumably plain equality), so an uppercase expected value would not match.
     *
     * <p>NOTE(review): this pins the certificate only if the expected hash comes from a source
     * independent of the certificate bytes. In {@code verifyVDS(VDS, i)} both values are read
     * from the same repository record, so there the check detects corruption rather than
     * substitution of the whole record.
     *
     * @param bArr encoded CSCA certificate
     * @param str expected SHA-256 digest as hex
     * @throws VDSVerifyException with VERIFY_CSCA_CERT_HASH_ERROR on mismatch or if the digest
     *     cannot be computed
     */
    public void verifyCSCACertHash(byte[] bArr, String str) {
        String str2;
        k.f(bArr, "cscaCertData");
        k.f(str, "cscaCertSHA256Hash");
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(bArr);
            k.e(digest, "getInstance(\"SHA-256\")\n\t\t\t\t.digest(cscaCertData)");
            str2 = "";
            for (byte b10 : digest) {
                StringBuilder sb2 = new StringBuilder();
                sb2.append(str2);
                String format = String.format("%02x", Arrays.copyOf(new Object[]{Byte.valueOf(b10)}, 1));
                k.e(format, "format(this, *args)");
                sb2.append(format);
                str2 = sb2.toString();
            }
        } catch (Exception unused) {
            // A null digest string can never equal the (non-null) expected hash, so this fails closed.
            str2 = null;
        }
        if (!k.a(str2, str)) {
            throw new VDSVerifyException(VDSVerifyError.VERIFY_CSCA_CERT_HASH_ERROR);
        }
    }

    /**
     * Verifies a VDS using CSCA material looked up from a certificate repository.
     *
     * <p>Two failure modes are mixed here: "no CSCA record or no CRL" (which includes every
     * device below API level 26) returns false, while a failed check throws. Callers need to
     * handle both.
     *
     * @param vds document to verify
     * @param iVar certificate repository
     * @return true if every check passed; false if no usable CSCA record was found
     * @throws VDSVerifyException if any individual check fails
     */
    public boolean verifyVDS(VDS vds, i iVar) {
        k.f(vds, "vds");
        k.f(iVar, "certificateRepository");
        CSCAData verifyCSCAExists = verifyCSCAExists(iVar, vds);
        if ((verifyCSCAExists != null ? verifyCSCAExists.getCrl() : null) != null) {
            return verifyVDS(vds, verifyCSCAExists.getCertificate(), verifyCSCAExists.getHash(), verifyCSCAExists.getCrl());
        }
        return false;
    }

    /**
     * Runs the full verification sequence against explicit CSCA and CRL inputs.
     *
     * <p>The order is: CSCA hash, CRL signatures, BSC revocation, AKI match, PKIX path, VDS
     * signature. The method never returns false; a failed step throws instead.
     *
     * @param vds document to verify
     * @param bArr encoded CSCA certificate
     * @param str expected SHA-256 of the CSCA certificate as lowercase hex
     * @param collection encoded CRLs
     * @return true when no step threw
     * @throws VDSVerifyException from the first step that fails
     */
    public boolean verifyVDS(VDS vds, byte[] bArr, String str, Collection<byte[]> collection) {
        k.f(vds, "vds");
        k.f(bArr, "cscaCertData");
        k.f(str, "cscaCertSHA256Hash");
        k.f(collection, "crlData");
        verifyCSCACertHash(bArr, str);
        verifyCRLSignatureUsingCSCACertPublicKey(collection, bArr);
        verifyBSCCertNotRevokedInCRL(vds, collection);
        verifyBSCCertAKIMatchesCSCACertAKI(vds, bArr);
        verifyBSCCertIncludesCSCACertInCertPath(vds, bArr);
        verifyVDSSignature(vds);
        return true;
    }

    /**
     * Convenience overload for a single CRL; wraps it with {@code bh.w.c} (presumably a
     * one-element list) and delegates to the collection overload.
     *
     * @param vds document to verify
     * @param bArr encoded CSCA certificate
     * @param str expected SHA-256 of the CSCA certificate as lowercase hex
     * @param bArr2 one encoded CRL
     * @return true when no step threw
     * @throws VDSVerifyException from the first step that fails
     */
    public boolean verifyVDS(VDS vds, byte[] bArr, String str, byte[] bArr2) {
        k.f(vds, "vds");
        k.f(bArr, "cscaCertData");
        k.f(str, "cscaCertSHA256Hash");
        k.f(bArr2, "crlData");
        return verifyVDS(vds, bArr, str, bh.w.c(bArr2));
    }

    /**
     * Verifies the VDS signature over the canonical JSON with the BSC certificate's key.
     *
     * <p>On its own this proves only that the document matches the certificate embedded in
     * it; trust in that certificate comes from the path and revocation checks, which
     * {@code verifyVDS} runs first. The charset {@code ro.a.f22138b} is presumably UTF-8;
     * confirm.
     *
     * @param vds document to verify
     * @throws VDSVerifyException with VERIFY_SIGNATURE_ERROR if the signature does not verify
     *     or any step inside the try block throws (unsupported or null algorithm, malformed
     *     signature bytes); parse errors from the helpers are thrown before the try block
     */
    public void verifyVDSSignature(VDS vds) {
        k.f(vds, "vds");
        X509Certificate bSCCertFromBSCCertData = getBSCCertFromBSCCertData(getBSCCertDataFromVDS(vds));
        String canonicalJsonFromVDS = getCanonicalJsonFromVDS(vds);
        byte[] signatureDataFromVDS = getSignatureDataFromVDS(vds);
        try {
            Signature signature = Signature.getInstance(getAlgorithmFromVDS(vds));
            signature.initVerify(bSCCertFromBSCCertData);
            k.f(canonicalJsonFromVDS, "<this>");
            byte[] bytes = canonicalJsonFromVDS.getBytes(ro.a.f22138b);
            k.e(bytes, "this as java.lang.String).getBytes(charset)");
            signature.update(bytes);
            // The raw-to-DER conversion assumes 32-byte r and s; see getDERSignatureFromECDSASignature.
            if (signature.verify(getDERSignatureFromECDSASignature(signatureDataFromVDS))) {
            } else {
                throw new Exception();
            }
        } catch (Exception unused) {
            throw new VDSVerifyException(VDSVerifyError.VERIFY_SIGNATURE_ERROR);
        }
    }
}
