package com.samsung.android.authfw.pass;

import android.util.Base64;
import com.samsung.android.authfw.pass.logger.PSLog;
import com.samsung.android.authfw.sdk.pass.message.KmxGenerateCredentialRequest;
import com.samsung.android.authfw.sdk.pass.message.KmxGenerateCredentialResponse;
import com.samsung.android.authfw.sdk.pass.message.KmxPreRecoverCredentialRequest;
import com.samsung.android.authfw.sdk.pass.message.KmxPreRecoverCredentialResponse;
import com.samsung.android.authfw.sdk.pass.message.KmxRecoverCredentialRequest;
import com.samsung.android.authfw.sdk.pass.message.KmxRecoverCredentialResponse;
import com.samsung.android.authfw.trustzone.DeviceAttestationKeySpec;
import com.samsung.android.authfw.trustzone.TzApp;
import com.samsung.android.authfw.trustzone.tlv.TlvByteArray;
import com.samsung.android.authfw.trustzone.tlv.TlvCertificate;
import com.samsung.android.authfw.trustzone.tlv.TlvChallenge;
import com.samsung.android.authfw.trustzone.tlv.TlvDrkKeyHandle;
import com.samsung.android.authfw.trustzone.tlv.TlvEncryptedKey;
import com.samsung.android.authfw.trustzone.tlv.TlvGuid;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxGenerateCredentialCommand;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxGenerateCredentialResponse;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxPreRecoverCredentialCommand;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxPreRecoverCredentialResponse;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxRecoverCredentialCommand;
import com.samsung.android.authfw.trustzone.tlv.TlvKmxRecoverCredentialResponse;
import com.samsung.android.authfw.trustzone.tlv.TlvPublicKey;
import com.samsung.android.authfw.trustzone.tlv.TlvSignature;
import com.samsung.android.authfw.trustzone.tlv.TlvWrappedData;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes.dex */
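/**
 * Static entry points for the KMX credential escrow flow (generate, pre-recover, recover).
 *
 * <p>Each public operation takes a JSON request string, converts its fields into TLV commands,
 * hands them to {@link TzApp}, and turns the TLV response back into a JSON string.
 *
 * <p>Review notes for callers and maintainers:
 * <ul>
 *   <li>Certificates carried in the requests are only parsed and re-encoded in this class. No
 *       chain, signature or validity check is visible here; presumably the component behind
 *       {@link TzApp} makes the trust decision. Confirm before relying on it.</li>
 *   <li>Every failure path returns the empty string, so a caller cannot distinguish a malformed
 *       request from a failed secure call or an incomplete response. The reason is only logged.</li>
 *   <li>The debug log lines in the PEM/DER converters write complete certificates. Confirm that
 *       {@code PSLog.d} is disabled in release builds if those certificates identify the device.</li>
 *   <li>This source is decompiler output. Two call sites still carry decompiler artifacts and are
 *       kept verbatim; each is marked at the line concerned.</li>
 * </ul>
 */
public class PassKmxEscrowOperation {
    private static final String TAG = "PassKmxEscrowOperation";

    /** Not instantiable: the class only exposes static helpers. */
    private PassKmxEscrowOperation() {
    }

    /**
     * Re-encodes a DER X.509 certificate as PEM text.
     *
     * <p>The bytes are parsed by the platform "X.509" {@link CertificateFactory} first, so input
     * that is not a well-formed certificate is rejected. Parsing checks the encoding only.
     *
     * @param bArr DER-encoded certificate
     * @return the certificate wrapped in BEGIN/END CERTIFICATE lines
     * @throws CertificateException if the bytes cannot be parsed or re-encoded
     */
    public static String convertDerToPem(byte[] bArr) throws CertificateException {
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
        // Build the PEM text once; the original encoded the certificate twice (log + return).
        // Base64.DEFAULT (value 0) wraps lines and ends with a newline, so the END marker
        // starts on its own line.
        String pem = "-----BEGIN CERTIFICATE-----\n" + Base64.encodeToString(certificate.getEncoded(), Base64.DEFAULT) + "-----END CERTIFICATE-----";
        // NOTE(review): writes the full certificate to the debug log.
        PSLog.d(TAG, "der to pem:" + pem);
        return pem;
    }

    /**
     * Parses a PEM (or otherwise factory-readable) X.509 certificate and returns its DER bytes.
     *
     * @param str certificate text, read as UTF-8
     * @return DER encoding of the parsed certificate
     * @throws CertificateException if the text cannot be parsed or re-encoded
     */
    public static byte[] convertPemToDer(String str) throws CertificateException {
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
        // NOTE(review): both lines below write the full certificate to the debug log.
        PSLog.d(TAG, "originCert:" + str);
        byte[] der = certificate.getEncoded();
        // Base64.NO_WRAP (value 2) keeps the log entry on a single line.
        PSLog.d(TAG, "convertedCert:" + Base64.encodeToString(der, Base64.NO_WRAP));
        return der;
    }

    /**
     * Runs the generate-credential command and returns the result as JSON.
     *
     * @param str JSON form of a {@link KmxGenerateCredentialRequest}
     * @return JSON form of a {@link KmxGenerateCredentialResponse}, or "" on any failure
     */
    public static String generateCredential(String str) {
        PSLog.d(TAG, "generateCredential start");
        try {
            KmxGenerateCredentialRequest fromJson = KmxGenerateCredentialRequest.fromJson(str);
            // Decompiler artifact, kept verbatim: "new b(..., 2)" is a synthetic command-generator
            // class; it presumably dispatches to lambda$generateCredential$0 below.
            byte[] tzOutput = TzApp.getInstance().execSecurelyWithDeviceKey(new b(TlvGuid.newBuilder(fromJson.getSaGuid()).build(), TlvByteArray.newBuilder(fromJson.getServiceName()).build(), TlvCertificate.newBuilder(convertPemToDer(fromJson.getHsmEncCredCert())).build(), TlvChallenge.newBuilder(fromJson.getChallenge()).build(), fromJson, 2), DeviceAttestationKeySpec.SECP384R1_SHA384withECDSA);
            if (tzOutput.length == 0) {
                throw new Exception("execSecurelyWithDrk() failed");
            }
            TlvKmxGenerateCredentialResponse response = new TlvKmxGenerateCredentialResponse(tzOutput);
            short statusCode = response.getTlvStatusCode().getStatusCode();
            if (statusCode != 0) {
                PSLog.e(TAG, "process failed : " + statusCode);
                return "";
            }
            // Every response field is mandatory; a missing one aborts instead of yielding a
            // partially filled credential.
            byte[] wrappedKey = response.getTlvWrappedPkek().getWrappedKey();
            if (isNullOrEmpty(wrappedKey)) {
                PSLog.e(TAG, "wrappedPkek is null");
                return "";
            }
            byte[] encryptedKey = response.getTlvEncryptedPkek().getEncryptedKey();
            if (isNullOrEmpty(encryptedKey)) {
                PSLog.e(TAG, "encryptedPkek is null");
                return "";
            }
            byte[] signature = response.getTlvPkekSignature().getSignature();
            if (isNullOrEmpty(signature)) {
                PSLog.e(TAG, "pkekSignature is null");
                return "";
            }
            List<TlvCertificate> tlvCertificates = response.getTlvCertificates();
            if (tlvCertificates == null || tlvCertificates.isEmpty()) {
                PSLog.e(TAG, "tlvCertificates is null");
                return "";
            }
            return KmxGenerateCredentialResponse.newBuilder(wrappedKey, encryptedKey, signature, toPemList(tlvCertificates)).build().toJson();
        } catch (Exception e2) {
            PSLog.e(TAG, "generateCredential key fail : " + e2.getMessage(), e2);
            return "";
        }
    }

    /**
     * Builds the encoded generate-credential TLV command for the given key handle.
     *
     * <p>SAK certificate, signature and encoded public key are optional and only added when the
     * request carries them.
     *
     * @return the encoded command, or an empty array when the SAK certificate cannot be parsed or
     *     the command encodes to nothing
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ byte[] lambda$generateCredential$0(TlvGuid tlvGuid, TlvByteArray tlvByteArray, TlvCertificate tlvCertificate, TlvChallenge tlvChallenge, KmxGenerateCredentialRequest kmxGenerateCredentialRequest, q4.c cVar, byte[] bArr) {
        TlvKmxGenerateCredentialCommand.Builder commandBuilder = TlvKmxGenerateCredentialCommand.newBuilder(tlvGuid, tlvByteArray, tlvCertificate, tlvChallenge, TlvDrkKeyHandle.newBuilder(bArr).build());
        if (kmxGenerateCredentialRequest.getSakCert() != null) {
            try {
                commandBuilder.setTlvSakCert(TlvCertificate.newBuilder(convertPemToDer(kmxGenerateCredentialRequest.getSakCert())).build());
            } catch (CertificateException e) {
                // Keep the cause in the log; the original dropped it.
                PSLog.e(TAG, "sak cert encoding fail", e);
                return new byte[0];
            }
        }
        if (kmxGenerateCredentialRequest.getSignature() != null) {
            commandBuilder.setTlvSignature(TlvSignature.newBuilder(kmxGenerateCredentialRequest.getSignature()).build());
        }
        if (kmxGenerateCredentialRequest.getEncodedPublicKey() != null) {
            commandBuilder.setTlvEncodedPublicKey(TlvPublicKey.newBuilder(kmxGenerateCredentialRequest.getEncodedPublicKey()).build());
        }
        byte[] encoded = commandBuilder.build().encode();
        if (isNullOrEmpty(encoded)) {
            PSLog.e(TAG, "getting tlvKmxGenerateCredentialCommand failed");
            return new byte[0];
        }
        return encoded;
    }

    /**
     * Builds the encoded pre-recover TLV command for the given key handle.
     *
     * @return the encoded command, or an empty array when encoding yields nothing
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static /* synthetic */ byte[] lambda$preRecoverCredential$1(q4.c cVar, byte[] bArr) {
        byte[] encoded = TlvKmxPreRecoverCredentialCommand.newBuilder(TlvDrkKeyHandle.newBuilder(bArr).build()).build().encode();
        if (isNullOrEmpty(encoded)) {
            PSLog.e(TAG, "getting tlvKmxPreRecoverCredentialCommand failed");
            return new byte[0];
        }
        return encoded;
    }

    /**
     * Runs the pre-recover command and returns the challenge, wrapped data and certificates as
     * JSON.
     *
     * @param str JSON form of a {@link KmxPreRecoverCredentialRequest}
     * @return JSON form of a {@link KmxPreRecoverCredentialResponse}, or "" on any failure
     */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v2, types: [com.samsung.android.authfw.trustzone.CommandGenerator, java.lang.Object] */
    public static String preRecoverCredential(String str) {
        PSLog.d(TAG, "preRecoverCredential start");
        try {
            // The parsed request is not used afterwards; the call only rejects input that
            // fromJson cannot parse.
            KmxPreRecoverCredentialRequest.fromJson(str);
            // Decompiler artifact, kept verbatim: per the JADX warning above, "new Object()"
            // stands for a CommandGenerator, presumably the one backed by
            // lambda$preRecoverCredential$1.
            // NOTE(review): the key-spec name indicates OAEP with SHA-1 as digest and MGF1 hash;
            // confirm this matches current crypto policy.
            byte[] tzOutput = TzApp.getInstance().execSecurelyWithDeviceKey(new Object(), DeviceAttestationKeySpec.RSA4096_OAEPwithSHA1andMGF1PaddingSHA1);
            if (tzOutput.length == 0) {
                throw new Exception("execSecurelyWithDrk() failed");
            }
            TlvKmxPreRecoverCredentialResponse response = new TlvKmxPreRecoverCredentialResponse(tzOutput);
            short statusCode = response.getTlvStatusCode().getStatusCode();
            if (statusCode != 0) {
                PSLog.e(TAG, "process failed : " + statusCode);
                return "";
            }
            byte[] challenge = response.getTlvChallenge().getChallenge();
            if (isNullOrEmpty(challenge)) {
                PSLog.e(TAG, "challenge is null");
                return "";
            }
            byte[] wrappedData = response.getTlvWrappedData().getWrappedData();
            if (isNullOrEmpty(wrappedData)) {
                PSLog.e(TAG, "wrappedData is null");
                return "";
            }
            List<TlvCertificate> tlvCertificates = response.getTlvCertificates();
            if (tlvCertificates == null || tlvCertificates.isEmpty()) {
                PSLog.e(TAG, "tlvCertificates is null");
                return "";
            }
            return KmxPreRecoverCredentialResponse.newBuilder(challenge, wrappedData, toPemList(tlvCertificates)).build().toJson();
        } catch (Exception e2) {
            PSLog.e(TAG, "preRecoverCredential fail : " + e2.getMessage(), e2);
            return "";
        }
    }

    /**
     * Runs the recover command and returns the re-wrapped key as JSON.
     *
     * @param str JSON form of a {@link KmxRecoverCredentialRequest}
     * @return JSON form of a {@link KmxRecoverCredentialResponse}, or "" on any failure
     */
    public static String recoverCredential(String str) {
        PSLog.d(TAG, "recoverCredential start");
        try {
            KmxRecoverCredentialRequest fromJson = KmxRecoverCredentialRequest.fromJson(str);
            // The HSM verification certificate comes straight from the request and is only
            // re-encoded here; any check of it is not visible in this class.
            TlvKmxRecoverCredentialCommand.Builder commandBuilder = TlvKmxRecoverCredentialCommand.newBuilder(TlvEncryptedKey.newBuilder(fromJson.getEncryptedPkek()).build(), TlvSignature.newBuilder(fromJson.getEncryptedPkekSignature()).build(), TlvCertificate.newBuilder(convertPemToDer(fromJson.getHsmVerificationCert())).build(), TlvWrappedData.newBuilder(fromJson.getWrappedData()).build());
            if (fromJson.getSakCert() != null) {
                try {
                    commandBuilder.setTlvSakCert(TlvCertificate.newBuilder(convertPemToDer(fromJson.getSakCert())).build());
                } catch (CertificateException e) {
                    // Keep the cause in the log; the original dropped it.
                    PSLog.e(TAG, "sak cert encoding fail", e);
                    return "";
                }
            }
            byte[] encoded = commandBuilder.build().encode();
            if (isNullOrEmpty(encoded)) {
                // The original message named tlvProvisionKekCommand, which is not the command
                // built here; corrected to match the sibling messages.
                PSLog.e(TAG, "getting tlvKmxRecoverCredentialCommand failed");
                return "";
            }
            byte[] tzOutput = TzApp.getInstance().execSecurely(encoded);
            if (tzOutput.length == 0) {
                PSLog.e(TAG, "failed to securely tz-execute");
                return "";
            }
            TlvKmxRecoverCredentialResponse response = new TlvKmxRecoverCredentialResponse(tzOutput);
            short statusCode = response.getTlvStatusCode().getStatusCode();
            if (statusCode != 0) {
                PSLog.e(TAG, "process failed : " + statusCode);
                return "";
            }
            byte[] wrappedKey = response.getTlvWrappedPkek().getWrappedKey();
            if (isNullOrEmpty(wrappedKey)) {
                PSLog.e(TAG, "wrappedPkek is null");
                return "";
            }
            return KmxRecoverCredentialResponse.newBuilder(wrappedKey).build().toJson();
        } catch (Exception e2) {
            PSLog.e(TAG, "recoverCredential key fail : " + e2.getMessage(), e2);
            return "";
        }
    }

    /** Returns true when the array is null or has no elements. */
    private static boolean isNullOrEmpty(byte[] bytes) {
        return bytes == null || bytes.length == 0;
    }

    /** Converts each TLV certificate to PEM text, preserving the order of the input list. */
    private static ArrayList<String> toPemList(List<TlvCertificate> tlvCertificates) throws CertificateException {
        ArrayList<String> pemCertificates = new ArrayList<>(tlvCertificates.size());
        for (TlvCertificate tlvCertificate : tlvCertificates) {
            pemCertificates.add(convertDerToPem(tlvCertificate.getCertificate()));
        }
        return pemCertificates;
    }
}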
