package com.samsung.android.authfw.pass.Operation.Cmp;

import a1.g;
import android.content.Context;
import android.os.ParcelFileDescriptor;
import android.support.v4.media.session.f;
import cb.i;
import cc.a;
import com.samsung.android.authfw.common.utils.CryptoUtil;
import com.samsung.android.authfw.common.utils.FileUtil;
import com.samsung.android.authfw.pass.authentication.partner.CertificationToken;
import com.samsung.android.authfw.pass.common.args.AdditionalData;
import com.samsung.android.authfw.pass.common.utils.Encoding;
import com.samsung.android.authfw.pass.logger.PSLog;
import com.samsung.android.authfw.pass.net.message.WhiteListAppInfo;
import com.samsung.android.authfw.pass.signature.Signer;
import com.samsung.android.authfw.pass.signature.TokenVerifier;
import com.samsung.android.authfw.pass.storage.AppInfoStorage;
import com.samsung.android.authfw.pass.storage.KeyInfoStorage;
import com.samsung.android.authfw.pass.storage.SettingStorage;
import com.samsung.android.authfw.trustzone.tlv.TlvAuthAuthToken;
import com.samsung.android.authfw.trustzone.tlv.TlvCertificate;
import com.samsung.android.authfw.trustzone.tlv.TlvNonce;
import com.samsung.android.authfw.trustzone.tlv.TlvServerAuthAuthTokenAssertion;
import com.samsung.android.authfw.trustzone.tlv.TlvSignature;
import dc.b;
import e3.u;
import g3.c;
import g3.e;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import qb.h;
import vb.d;
import vb.k;
import vb.l;

/* loaded from: classes.dex */
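/**
 * Builds a signature over caller-supplied data for one stored certificate, routing the actual
 * signing operation through {@code BaseTeeSigner} via the inner {@link TeeContentSigner}.
 *
 * <p>Every failure path in this class is reported as an empty byte array; {@link #doSign} does not
 * propagate exceptions. Callers must therefore treat an empty result as "not signed".
 *
 * <p>NOTE(review): this is decompiler output. The class name and the "p7s" log tag suggest a
 * PKCS#7/CMS structure, but the library types used here ({@code vb.*}, {@code cc.*}, {@code qb.*},
 * {@code tb.*}, {@code r8.*}) are obfuscated, so comments about them are hedged. Confirm against
 * the unobfuscated dependency.
 */
public class P7Sign {
    // A signer result of exactly this many bytes is handled as an error code, not a signature.
    private static final int ERROR_LENGTH = 4;
    private static final String TAG = "P7Sign";
    private AdditionalData mAdditionalData;
    private String mAlgorithm;
    private String mAuthenticator;
    private byte[] mCertificate;
    private CertificationToken mCertificationToken;
    private final Context mContext;
    private boolean mDetachedMode;
    private boolean mNeedPreHash;
    private byte[] mPlainData;
    private int mUid;

    /* loaded from: classes.dex */
    /**
     * Signer adapter handed to the signature generator in {@link P7Sign#doSign}. It feeds the
     * bytes written to {@link #getOutputStream()} into a {@code BaseTeeSigner} and, once a
     * signature has been produced, verifies and stores the auth-verify token before releasing the
     * signature to the caller.
     *
     * <p>NOTE(review): {@code cc.a} is obfuscated; its three methods look like a content-signer
     * callback interface. Confirm.
     */
    public class TeeContentSigner implements a {
        private TeeOutputStream mOutputStream;
        private byte[] mRawPublicKey;
        private BaseTeeSigner mSigner;
        private BaseTeePrivateKey mWrappedPrivateKey;

        /* loaded from: classes.dex */
        /** Output stream that forwards every written byte range to the signer. */
        public class TeeOutputStream extends OutputStream {
            private BaseTeeSigner mSigner;

            /**
             * Binds the stream to {@code baseTeeSigner} and initialises the signer with the key.
             *
             * @param baseTeeSigner signer that receives the written bytes
             * @param baseTeePrivateKey key passed to {@code engineInit}
             */
            public TeeOutputStream(BaseTeeSigner baseTeeSigner, BaseTeePrivateKey baseTeePrivateKey) {
                this.mSigner = baseTeeSigner;
                try {
                    baseTeeSigner.engineInit(baseTeePrivateKey);
                } catch (IllegalArgumentException unused) {
                    // NOTE(review): an init failure is only logged, so the stream is still handed
                    // out and later writes reach a signer that was never initialised. Whether
                    // engineUpdate/engineSign then fail cleanly is not visible here; consider
                    // rethrowing so the failure surfaces in doSign's catch block instead.
                    PSLog.e(P7Sign.TAG, "engine init fail");
                }
            }

            /**
             * Finishes the signing operation.
             *
             * @return whatever {@code engineSign()} returned; {@code engineDoFinal()} is called
             *     afterwards and its effect is not visible in this file
             */
            public byte[] getSignature() {
                this.mSigner.setNeedPreHash(P7Sign.this.mNeedPreHash);
                byte[] engineSign = this.mSigner.engineSign();
                this.mSigner.engineDoFinal();
                return engineSign;
            }

            /**
             * Single-byte writes are rejected.
             *
             * @throws IOException always
             */
            @Override // java.io.OutputStream
            public void write(int i2) throws IOException {
                throw new IOException("not support");
            }

            /** Forwards the whole array to {@code engineUpdate}. */
            @Override // java.io.OutputStream
            public void write(byte[] bArr) throws IOException {
                this.mSigner.engineUpdate(bArr);
            }

            /** Forwards the array, offset and length unchanged to {@code engineUpdate}. */
            @Override // java.io.OutputStream
            public void write(byte[] bArr, int i2, int i6) throws IOException {
                this.mSigner.engineUpdate(bArr, i2, i6);
            }
        }

        /**
         * Validates the key material and the enclosing instance's certification token, then
         * creates the signer and its output stream.
         *
         * @param baseTeePrivateKey wrapped private key; must not be null
         * @param bArr raw public key; must not be null or empty
         * @throws IllegalArgumentException if an argument is missing, the certification token is
         *     null, the nonce hash is null, or the FIDO auth-verify token is null or empty
         */
        public TeeContentSigner(BaseTeePrivateKey baseTeePrivateKey, byte[] bArr) throws IllegalArgumentException {
            PSLog.v(P7Sign.TAG, "TeeContentSigner");
            if (baseTeePrivateKey == null) {
                throw new IllegalArgumentException("Illegal wrapped privateKey");
            }
            if (bArr == null || bArr.length == 0) {
                throw new IllegalArgumentException("Illegal rawPublickey");
            }
            this.mWrappedPrivateKey = baseTeePrivateKey;
            this.mRawPublicKey = bArr;
            if (P7Sign.this.mCertificationToken == null) {
                PSLog.e(P7Sign.TAG, "aop is null");
                throw new IllegalArgumentException("aop is null");
            }
            // The nonce is the hash of the two event ids concatenated as UTF-8 text.
            byte[] nonce = Encoding.hash((P7Sign.this.mCertificationToken.getSamsungEventId() + P7Sign.this.mCertificationToken.getSvcEventId()).getBytes(StandardCharsets.UTF_8));
            if (nonce == null) {
                PSLog.e(P7Sign.TAG, "nonce is null");
                throw new IllegalArgumentException("nonce is null");
            }
            byte[] fidoAuthVerifyToken = P7Sign.this.mCertificationToken.getFidoAuthVerifyToken();
            if (fidoAuthVerifyToken == null || fidoAuthVerifyToken.length == 0) {
                PSLog.e(P7Sign.TAG, "avt is null");
                throw new IllegalArgumentException("avt is null");
            }
            this.mSigner = new BaseTeeSigner(P7Sign.this.mAlgorithm, this.mRawPublicKey, nonce, fidoAuthVerifyToken);
            this.mOutputStream = new TeeOutputStream(this.mSigner, this.mWrappedPrivateKey);
        }

        /**
         * Verifies the auth token against a hash of the wrapped private key and, on success,
         * stores the returned value through {@code KeyInfoStorage.update}.
         *
         * @param bArr wrapped private key bytes
         * @return {@code true} if no stored token is required or the update succeeded;
         *     {@code false} if additional data is missing, hashing failed, verification returned
         *     nothing, or the storage update reported failure
         */
        private boolean tryStoreAuthVerifyToken(byte[] bArr) {
            if (P7Sign.this.mAdditionalData == null) {
                PSLog.e(P7Sign.TAG, "additionalData is null");
                return false;
            }
            // Skip verification and storage entirely when the additional data says it is not needed.
            if (Signer.isNotNonVolatileFidoAuthVerifyTokenRequired(P7Sign.this.mAdditionalData)) {
                return true;
            }
            byte[] hash = Encoding.hash(bArr);
            if (hash == null || hash.length == 0) {
                PSLog.e(P7Sign.TAG, "hakkh is null");
                return false;
            }
            byte[] verifyAuthAuthToken = verifyAuthAuthToken(hash);
            if (verifyAuthAuthToken != null && verifyAuthAuthToken.length != 0) {
                return KeyInfoStorage.update(P7Sign.this.mCertificationToken, verifyAuthAuthToken);
            }
            PSLog.e(P7Sign.TAG, "avt is invalid");
            return false;
        }

        /**
         * Assembles the server auth-token assertion (nonce, auth token, its signature and the two
         * configured certificates) and passes it to {@code TokenVerifier.verifyAuthAuthToken}.
         *
         * @param bArr 32-byte hash of the wrapped private key
         * @return the verifier's result, or an empty array if any intermediate hash has an
         *     unexpected length or the calling app is not in {@code AppInfoStorage}
         */
        private byte[] verifyAuthAuthToken(byte[] bArr) {
            // NOTE(review): f.g is an obfuscated helper; these calls read as precondition checks.
            // Whether a false argument throws is not visible here, so bArr's length is not
            // guaranteed by them from this file's point of view. Confirm.
            f.g(P7Sign.this.mCertificationToken.getSamsungEventId().length() > 0);
            f.g(P7Sign.this.mCertificationToken.getSvcEventId().length() > 0);
            f.g(P7Sign.this.mCertificationToken.getFidoAuthAuthToken() != null && P7Sign.this.mCertificationToken.getFidoAuthAuthToken().length > 0);
            f.g(P7Sign.this.mCertificationToken.getFidoAuthAuthTokenSignature() != null && P7Sign.this.mCertificationToken.getFidoAuthAuthTokenSignature().length > 0);
            f.g(bArr != null && 32 == bArr.length);
            byte[] fullNonce = Encoding.hash((P7Sign.this.mCertificationToken.getSamsungEventId() + P7Sign.this.mCertificationToken.getSvcEventId()).getBytes(StandardCharsets.UTF_8));
            if (fullNonce == null || 32 != fullNonce.length) {
                PSLog.e(P7Sign.TAG, "fullNonce is null");
                return new byte[0];
            }
            TlvNonce build = TlvNonce.newBuilder(fullNonce).build();
            WhiteListAppInfo whiteListAppInfo = AppInfoStorage.get(P7Sign.this.mCertificationToken.getAppId());
            if (whiteListAppInfo == null) {
                PSLog.e(P7Sign.TAG, "appInfo is null");
                return new byte[0];
            }
            // Binds the value to the calling app (certificate hash, group id) and the service user.
            byte[] accessToken = Encoding.hash((whiteListAppInfo.getAppCertHash() + whiteListAppInfo.getAppGroupId() + P7Sign.this.mCertificationToken.getSvcUserId()).getBytes(StandardCharsets.UTF_8));
            // Require exactly 32 bytes, like the other hashes here: the two halves below are
            // packed into a fixed 64-byte buffer, and any other length would either overflow the
            // copy or leave unintended zero padding inside the hashed input.
            if (accessToken == null || 32 != accessToken.length) {
                PSLog.e(P7Sign.TAG, "accessToken is null");
                return new byte[0];
            }
            byte[] concatenated = new byte[64];
            System.arraycopy(accessToken, 0, concatenated, 0, accessToken.length);
            System.arraycopy(bArr, 0, concatenated, accessToken.length, bArr.length);
            byte[] continuousNonce = Encoding.hash(concatenated);
            if (continuousNonce == null || 32 != continuousNonce.length) {
                PSLog.e(P7Sign.TAG, "continuousNonce is null");
                return new byte[0];
            }
            TlvAuthAuthToken build2 = TlvAuthAuthToken.newBuilder(P7Sign.this.mCertificationToken.getFidoAuthAuthToken()).build();
            TlvSignature build3 = TlvSignature.newBuilder(P7Sign.this.mCertificationToken.getFidoAuthAuthTokenSignature()).build();
            PSLog.v(P7Sign.TAG, "serverCert = " + SettingStorage.getServerCert());
            PSLog.v(P7Sign.TAG, "serviceRootCert = " + SettingStorage.getServiceRootCert());
            // The verifier receives the server certificate first, then the service root certificate.
            ArrayList arrayList = new ArrayList();
            c cVar = e.f5643c;
            arrayList.add(TlvCertificate.newBuilder(cVar.a(SettingStorage.getServerCert())).build());
            arrayList.add(TlvCertificate.newBuilder(cVar.a(SettingStorage.getServiceRootCert())).build());
            return TokenVerifier.verifyAuthAuthToken(TlvServerAuthAuthTokenAssertion.newBuilder(build, build2, build3, arrayList).build().encode(), continuousNonce);
        }

        /* JADX WARN: Type inference failed for: r0v0, types: [java.lang.Object, cc.c] */
        /**
         * Maps the configured algorithm name to an algorithm identifier.
         *
         * <p>NOTE(review): {@code new Object()} is a decompiler artefact; per the JADX warning
         * above the receiver is a {@code cc.c} instance. Left untouched because the real
         * constructor cannot be confirmed from this file.
         */
        @Override // cc.a
        public qb.a getAlgorithmIdentifier() {
            return new Object().b(P7Sign.this.mAlgorithm);
        }

        /** Returns the stream whose written bytes are fed to the signer. */
        @Override // cc.a
        public OutputStream getOutputStream() {
            return this.mOutputStream;
        }

        /**
         * Returns the signer's result, withholding a non-empty result when the auth-verify token
         * could not be verified and stored.
         *
         * @return the signer result (possibly null or empty, passed through unchanged), or an
         *     empty array when {@code tryStoreAuthVerifyToken} fails
         */
        @Override // cc.a
        public byte[] getSignature() {
            byte[] signature = this.mOutputStream.getSignature();
            // Token verification only runs for a non-empty result, and a failure there replaces
            // the result with an empty array so it is never released unverified.
            if (signature == null || signature.length <= 0 || tryStoreAuthVerifyToken(this.mWrappedPrivateKey.getWrappedPrivateKey())) {
                return signature;
            }
            PSLog.e(P7Sign.TAG, "avt store fail");
            return new byte[0];
        }
    }

    /**
     * Captures the signing request.
     *
     * @param context stored in {@code mContext}; not read elsewhere in this class
     * @param str signature algorithm name
     * @param bArr data to sign; an empty array means the data is read from
     *     {@code parcelFileDescriptor} instead and pre-hashing is enabled
     * @param bArr2 certificate to sign with, or null to search the stored certificates
     * @param str2 authenticator used to select a stored certificate when {@code bArr2} is null
     * @param z10 detached mode; its negation is passed to the generator in {@code doSign}
     * @param parcelFileDescriptor source of the data when {@code bArr} is empty
     * @param i2 uid forwarded to {@code Crypto.unwrapNwData}
     * @param str3 certification token as JSON; if it does not parse, the token stays null and
     *     {@link #getP7Signature()} returns an empty array
     * @param str4 additional data as JSON; if it does not parse, it stays null and a produced
     *     signature is later withheld by {@code TeeContentSigner.getSignature}
     */
    public P7Sign(Context context, String str, byte[] bArr, byte[] bArr2, String str2, boolean z10, ParcelFileDescriptor parcelFileDescriptor, int i2, String str3, String str4) {
        this.mContext = context;
        this.mAlgorithm = str;
        this.mPlainData = bArr;
        this.mCertificate = bArr2;
        this.mAuthenticator = str2;
        this.mDetachedMode = z10;
        this.mUid = i2;
        // Null data is kept as null rather than dereferenced here; getP7Signature() already
        // rejects it with "plain data error".
        if (bArr != null && bArr.length == 0) {
            PSLog.d(TAG, "p7sign large data");
            this.mPlainData = FileUtil.readPacelFd(parcelFileDescriptor);
            this.mNeedPreHash = true;
        }
        try {
            this.mCertificationToken = CertificationToken.fromJson(str3);
        } catch (IllegalArgumentException unused) {
            // The raw JSON is deliberately kept out of the log: the parsed token exposes FIDO
            // auth and verify tokens and event ids, so the unparsed input may carry them too.
            PSLog.e(TAG, "CertToken is invalid");
        }
        try {
            this.mAdditionalData = AdditionalData.fromJson(str4);
        } catch (IllegalArgumentException | NullPointerException unused2) {
            PSLog.e(TAG, "additionalData is invalid");
        }
    }

    /* JADX WARN: Type inference failed for: r8v2, types: [vb.b, java.lang.Object] */
    /**
     * Signs {@code mPlainData} with the key material belonging to one certificate.
     *
     * @param bArr encoded certificate; also the lookup key for the wrapped private key and raw
     *     public key in {@code BaseUtil}
     * @return the encoded result on success; the signer's 4-byte error code when signing failed
     *     with one; an empty array for every other failure, including any exception
     */
    private byte[] doSign(byte[] bArr) {
        String str = TAG;
        PSLog.i(str, "p7s");
        // NOTE(review): a certificate subject DN can identify the user. Confirm PSLog.d is
        // disabled or redacted in release builds.
        PSLog.d(str, "BaseUtil.getCertificateSubjectDN(certificate):" + BaseUtil.getCertificateSubjectDN(bArr));
        // NOTE(review): registers a security provider process-wide on every call. zb.a is
        // obfuscated, so which provider this is cannot be confirmed here.
        Security.addProvider(new zb.a());
        try {
            PSLog.v(str, "execute(). mPlainData.length:" + this.mPlainData.length);
            r8.a aVar = new r8.a(this.mPlainData);
            X509Certificate x509Certificate = CryptoUtil.toX509Certificate(bArr);
            if (x509Certificate == null) {
                PSLog.e(str, "cert is null");
                return new byte[0];
            }
            ArrayList arrayList = new ArrayList();
            arrayList.add(x509Certificate);
            tb.a aVar2 = new tb.a(arrayList);
            TeeContentSigner teeContentSigner = new TeeContentSigner(BaseUtil.getWrappedPrivateKey(bArr), BaseUtil.getRawPublicKey(bArr));
            d dVar = new d();
            g gVar = new g(17, new b());
            // Decompiler artefact: per the JADX warning above this local is a vb.b instance.
            ?? obj = new Object();
            qb.b n2 = qb.b.n(x509Certificate.getEncoded());
            h hVar = n2.f8694b.f8743g;
            dVar.b(new k(new i(new cb.g(n2)), teeContentSigner, gVar, obj));
            dVar.a(aVar2);
            vb.c c3 = dVar.c(aVar, !this.mDetachedMode);
            u c10 = c3.c();
            // Result unused; presumably a compiled null check on c10.
            c10.getClass();
            ArrayList arrayList2 = new ArrayList((ArrayList) c10.f4726b);
            // Exactly one signer entry is expected; anything else is rejected.
            if (arrayList2.size() == 0) {
                PSLog.e(str, "signature is null");
                return new byte[0];
            }
            if (arrayList2.size() > 1) {
                PSLog.e(str, "signer size is over then 1. size:" + arrayList2.size());
                return new byte[0];
            }
            // A result of ERROR_LENGTH bytes is an error code from the signer, not a signature.
            if (f6.a.e(((l) arrayList2.get(0)).f9873c).length != ERROR_LENGTH) {
                byte[] m2 = c3.f9847b.m("DL");
                BaseUtil.setLatestSubjectDN(BaseUtil.getCertificateSubjectDN(bArr));
                return m2;
            }
            PSLog.e(str, "sign fail. errorCode:" + Integer.toHexString(ByteBuffer.wrap(f6.a.e(((l) arrayList2.get(0)).f9873c)).getInt()));
            return f6.a.e(((l) arrayList2.get(0)).f9873c);
        } catch (cc.d | IOException | IllegalArgumentException | NullPointerException | CertificateException | vb.a e2) {
            // a0.e.z is obfuscated; presumably it logs the exception under TAG with this prefix.
            a0.e.z(e2, new StringBuilder("crypto fail. "), TAG);
            return new byte[0];
        } catch (Exception e10) {
            a0.e.z(e10, new StringBuilder("unhandled exception. "), TAG);
            return new byte[0];
        }
    }

    /** Hook called on every exit path of {@link #getP7Signature()}; currently does nothing. */
    private void finishFlow() {
    }

    /**
     * Validates the request, signs the data and caches the unwrapped R value for the certificate.
     *
     * <p>When no certificate was supplied, stored certificate records are tried in order: a
     * record is used if no authenticator was requested or its authenticator field matches, and
     * the search stops at the first record that yields a signature.
     *
     * @return the signature, or an empty array if the certification token, algorithm, data or
     *     certificate/authenticator is missing, if signing failed, or if the R value could not be
     *     unwrapped. A signer error code from {@code doSign} is not passed on to the caller.
     */
    public synchronized byte[] getP7Signature() {
        if (this.mCertificationToken == null) {
            PSLog.e(TAG, "certToken is null");
            finishFlow();
            return new byte[0];
        }
        if (this.mAlgorithm == null || this.mAlgorithm.length() == 0) {
            PSLog.e(TAG, "algorithm is null");
            finishFlow();
            return new byte[0];
        }
        if (this.mPlainData == null || this.mPlainData.length == 0) {
            PSLog.e(TAG, "plain data error");
            finishFlow();
            return new byte[0];
        }
        boolean hasCertificate = this.mCertificate != null && this.mCertificate.length != 0;
        boolean hasAuthenticator = this.mAuthenticator != null && this.mAuthenticator.length() != 0;
        if (!hasCertificate && !hasAuthenticator) {
            PSLog.e(TAG, "certificate or authenticator is null");
            finishFlow();
            return new byte[0];
        }

        byte[] bArr = new byte[0];
        if (this.mCertificate == null) {
            Iterator<String> it = BaseUtil.getCertificates().iterator();
            while (it.hasNext()) {
                // Fields 0 (Base64 certificate) and 2 (authenticator) of each record are read.
                String[] split = it.next().split(":");
                if (split.length < 3) {
                    // Skip a record that lacks the authenticator field instead of failing the
                    // whole request with an index error.
                    PSLog.e(TAG, "malformed certificate record");
                    continue;
                }
                String certAuthenticator = split[2];
                PSLog.d(TAG, "certAuthenticator:" + certAuthenticator);
                if (this.mAuthenticator != null && this.mAuthenticator.compareTo(certAuthenticator) != 0) {
                    PSLog.d(TAG, "continue");
                    continue;
                }
                byte[] decode = Encoding.Base64.decode(split[0]);
                bArr = doSign(decode);
                if (bArr != null && bArr.length > ERROR_LENGTH) {
                    // Remember which certificate signed; the R value lookup below depends on it.
                    this.mCertificate = decode;
                    break;
                }
            }
        } else {
            // A supplied certificate is used as given, even if it is an empty array.
            bArr = doSign(this.mCertificate);
        }

        if (bArr == null || bArr.length <= ERROR_LENGTH) {
            PSLog.d(TAG, "p7sign fail");
            finishFlow();
            return new byte[0];
        }
        byte[] unwrapNwData = Crypto.unwrapNwData(BaseUtil.getWrappedRValue(this.mCertificate), Crypto.CERT_RANDOM_KEY, this.mUid, this.mCertificationToken);
        if (unwrapNwData == null || unwrapNwData.length == 0) {
            PSLog.e(TAG, "get rvalue fail");
            finishFlow();
            return new byte[0];
        }
        // NOTE(review): the unwrapped R value is handed to RValueCache keyed by subject DN; how
        // long it is retained and when it is cleared is not visible in this file.
        RValueCache.setRValue(BaseUtil.getCertificateSubjectDN(this.mCertificate), unwrapNwData);
        finishFlow();
        return bArr;
    }
}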
