package android.security;

import android.content.Context;
import android.media.tv.interactive.TvInteractiveAppView;
import android.os.IBinder;
import android.os.Process;
import android.os.UserHandle;
import android.sec.enterprise.EnterpriseDeviceManager;
import android.sec.enterprise.auditlog.AuditEvents;
import android.sec.enterprise.auditlog.AuditLog;
import android.sec.enterprise.certificate.CertificatePolicy;
import android.security.KeyStoreAuditLog;
import android.system.keystore2.KeyDescriptor;
import android.text.format.DateFormat;
import android.util.Log;
import android.util.Pair;
import com.samsung.android.security.mdf.MdfUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.function.Consumer;

/* loaded from: classes.dex */
/**
 * Builds enterprise audit-log records for keystore operations (clear, delete,
 * insert, generate, import) and hands them to {@link AuditLog}. Also hosts the
 * MDM certificate-policy hooks that run around certificate installation and
 * removal.
 *
 * <p>This is decompiler (JADX) output: parameter names are positional and the
 * lambda in {@link #auditLogPrivilegedAsUser} still contains unresolved register
 * names ({@code r4}, {@code r9}, {@code r11}); see the note there before relying
 * on its exact behavior.
 *
 * <p>All state is static; see the note on {@link #mKeyDescriptorBeforeImportKey}.
 */
public class KeyStoreAuditLog {
    // Operation types carried in AuditLogParams.mOperationType and switched on in
    // auditLogPrivilegedAsUser.
    public static final int CLEAR = 1;
    public static final int DELETE = 2;
    public static final int EXECUTION_EXCEPTION = 201;
    public static final int GENERATE = 4;
    public static final int IMPORT = 5;
    public static final int INSERT = 3;
    // The decompiler inlined these two where they are used (AuditLogParams field
    // defaults and the domain/namespace comparisons below).
    private static final int INVALID_DOMAIN = -1;
    private static final int INVALID_NAMESPACE = 0;
    // Error codes. Both NO_ERROR and NO_ERROR2 count as success in
    // auditLogPrivilegedAsUser and map to an empty suffix in getErrorMessage.
    public static final int NO_ERROR = 1;
    public static final int NO_ERROR2 = 0;
    public static final int REMOTE_EXCEPTION = 200;
    private static final String TAG = "KeyStoreAuditLog";
    // One-shot hand-off between setKeyDescriptorBeforeImportKey and
    // getKeystoreString: the descriptor staged here replaces the domain/namespace
    // of the next matching INSERT log, then the field is cleared.
    // NOTE(review): plain static with no synchronization; if two threads stage and
    // log concurrently one can consume or clear the other's descriptor — confirm
    // callers are serialized.
    private static Pair<Long, KeyDescriptor> mKeyDescriptorBeforeImportKey = null;

    /**
     * Mutable bag of everything needed to emit one audit record: the key alias,
     * the keystore domain/namespace, the operation type and error code, the
     * certificates involved (either parsed or still DER/PEM-encoded) and an
     * optional {@link Context} used only to resolve the requesting package name.
     */
    /* loaded from: classes.dex */
    public static class AuditLogParams {
        private final String mAlias;
        private final String mClassName;
        private Context mContext;
        // Encoded certificate bytes; parsed lazily by getX509Certificates.
        private byte[] mEncodedCerts;
        private int mOperationType;
        // Already-parsed certificates; takes precedence over mEncodedCerts.
        private List<X509Certificate> mX509Certificates;
        // Defaults correspond to INVALID_NAMESPACE / INVALID_DOMAIN (inlined).
        private long mNamespace = 0;
        private int mDomain = -1;
        // Defaults to the user of the *current* process, not of any Binder caller.
        private int mUserId = KeyStoreAuditLog.getUserId(Process.myUid());
        // Defaults to NO_ERROR.
        private int mErrorCode = 1;

        /**
         * @param str  key alias being operated on
         * @param str2 class name recorded as the component in the audit record
         */
        public AuditLogParams(String str, String str2) {
            this.mAlias = str;
            this.mClassName = str2;
        }

        /** Same as the four-argument overload with the error code set to NO_ERROR. */
        public static AuditLogParams init(KeyDescriptor keyDescriptor, int i, String str) {
            return init(keyDescriptor, i, str, 1);
        }

        /**
         * Builds params from a keystore2 {@link KeyDescriptor}.
         *
         * @param keyDescriptor source of alias, namespace and domain
         * @param i             operation type (CLEAR, DELETE, ...)
         * @param str           class name for the audit record
         * @param i2            error code
         */
        public static AuditLogParams init(KeyDescriptor keyDescriptor, int i, String str, int i2) {
            return init(keyDescriptor.alias, keyDescriptor.nspace, keyDescriptor.domain, i, str, i2);
        }

        /**
         * Builds params from raw values.
         *
         * @param str  alias
         * @param j    namespace
         * @param i    domain
         * @param i2   operation type
         * @param str2 class name
         * @param i3   error code
         */
        public static AuditLogParams init(String str, long j, int i, int i2, String str2, int i3) {
            AuditLogParams auditLogParams = new AuditLogParams(str, str2);
            auditLogParams.setNamespace(j);
            auditLogParams.setDomain(i);
            auditLogParams.setOperationType(i2);
            auditLogParams.setErrorCode(i3);
            return auditLogParams;
        }

        public String getAlias() {
            return this.mAlias;
        }

        /**
         * Returns the certificate chain as bytes: the encoded bytes if they were
         * supplied directly, otherwise the parsed certificates converted to PEM,
         * otherwise {@code null} (also {@code null} if the PEM conversion fails).
         */
        public byte[] getChainBytes() {
            byte[] bArr = this.mEncodedCerts;
            if (bArr != null) {
                return bArr;
            }
            List<X509Certificate> list = this.mX509Certificates;
            if (list != null) {
                return KeyStoreAuditLog.convertCertificatesToPem((Certificate[]) list.toArray(new X509Certificate[list.size()]));
            }
            return null;
        }

        public String getClassName() {
            return this.mClassName;
        }

        public Context getContext() {
            return this.mContext;
        }

        public int getDomain() {
            return this.mDomain;
        }

        public int getErrorCode() {
            return this.mErrorCode;
        }

        public long getNamespace() {
            return this.mNamespace;
        }

        public int getOperationType() {
            return this.mOperationType;
        }

        public int getUserId() {
            return this.mUserId;
        }

        /**
         * Returns the parsed certificates, parsing {@code mEncodedCerts} on demand.
         * Never returns {@code null}; unparseable bytes yield an empty list.
         */
        public List<X509Certificate> getX509Certificates() {
            List<X509Certificate> list = this.mX509Certificates;
            if (list != null) {
                return list;
            }
            byte[] bArr = this.mEncodedCerts;
            return bArr != null ? KeyStoreAuditLog.toCertificates(bArr) : Collections.emptyList();
        }

        /**
         * True if a non-empty parsed list or any encoded bytes are present.
         * Note this can be true while {@link #getX509Certificates} returns an
         * empty list (encoded bytes that fail to parse); auditLogPrivilegedAsUser's
         * DELETE branch then emits no record at all.
         */
        public boolean hasCertificates() {
            List<X509Certificate> list = this.mX509Certificates;
            return ((list == null || list.isEmpty()) && this.mEncodedCerts == null) ? false : true;
        }

        public void setContext(Context context) {
            this.mContext = context;
        }

        public void setDomain(int i) {
            this.mDomain = i;
        }

        public void setEncodedCerts(byte[] bArr) {
            this.mEncodedCerts = bArr;
        }

        public void setErrorCode(int i) {
            this.mErrorCode = i;
        }

        public void setNamespace(long j) {
            this.mNamespace = j;
        }

        public void setOperationType(int i) {
            this.mOperationType = i;
        }

        /**
         * Stores a user certificate plus its chain. With a user certificate the
         * pair is parsed and merged into the certificate list; with only a chain
         * the raw bytes are kept; with neither, nothing changes.
         *
         * @param bArr  encoded user certificate, may be {@code null}
         * @param bArr2 encoded chain, may be {@code null}
         */
        public void setUserCertAndChain(byte[] bArr, byte[] bArr2) {
            if (bArr != null) {
                setX509Certificates(KeyStoreAuditLog.mergeUserCertAndChain(bArr, bArr2));
            } else {
                if (bArr2 == null) {
                    return;
                }
                setEncodedCerts(bArr2);
            }
        }

        public void setUserId(int i) {
            this.mUserId = i;
        }

        public void setX509Certificates(List<X509Certificate> list) {
            this.mX509Certificates = list;
        }

        public String toString() {
            return "AuditLogParams{mAlias='" + this.mAlias + DateFormat.QUOTE + ", mClassName='" + this.mClassName + DateFormat.QUOTE + ", mUserId=" + this.mUserId + ", mNamespace=" + this.mNamespace + ", mDomain=" + this.mDomain + ", mContext=" + this.mContext + ", mOperationType=" + this.mOperationType + ", mErrorCode=" + this.mErrorCode + ", mX509Certificates=" + this.mX509Certificates + ", mEncodedCerts=" + Arrays.toString(this.mEncodedCerts) + '}';
        }
    }

    /**
     * One audit line: the full message and the value passed to AuditLog as the
     * redacted message. Callers use {@link #KEEP} ({@code null}) for the CLEAR
     * record and {@link #REMOVE} ({@code ""}) for everything else; how AuditLog
     * interprets the two is not visible in this file.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes.dex */
    public static class LogMessage {
        public static final String KEEP = null;
        public static final String REMOVE = "";
        String message;
        String redactedMessage;

        public LogMessage(String str, String str2) {
            this.message = str;
            this.redactedMessage = str2;
        }

        public String toString() {
            return "LogMessage{message='" + this.message + DateFormat.QUOTE + ", redactedMessage='" + this.redactedMessage + DateFormat.QUOTE + '}';
        }
    }

    // Static utility class; never instantiated.
    private KeyStoreAuditLog() {
    }

    /**
     * Formats and emits the audit record(s) for the operation described by
     * {@code auditLogParams}.
     *
     * <p>Success is defined as error code NO_ERROR or NO_ERROR2. Per operation:
     * CLEAR emits one record; DELETE emits one record per certificate, or a single
     * key-destruction record when no certificates are attached; INSERT emits one
     * record per certificate but only when the keystore name resolves to
     * something non-empty (see {@link #getKeystoreString}); GENERATE always uses
     * the FAILED template regardless of error code; IMPORT emits one record.
     * Any other operation type emits nothing.
     *
     * <p>NOTE(review): the forwarding lambda is unresolved decompiler output.
     * {@code r4} appears to be the same LogMessage as {@code obj}; {@code r11}
     * is plausibly {@code userIdForDomainOrNamespace} given the {@code -1}
     * comparison; {@code r9} (selecting severity 5 vs 1) cannot be identified
     * from this file — confirm against the original source before changing it.
     */
    public static void auditLogPrivilegedAsUser(final AuditLogParams auditLogParams) {
        ArrayList arrayList = new ArrayList();
        boolean z = true;
        if (auditLogParams.getErrorCode() != 1 && auditLogParams.getErrorCode() != 0) {
            z = false;
        }
        final boolean z2 = z;
        String keystoreString = getKeystoreString(auditLogParams.getDomain(), auditLogParams.getNamespace(), auditLogParams.getOperationType());
        switch (auditLogParams.getOperationType()) {
            case 1:
                arrayList.add(new LogMessage(String.format(z2 ? AuditEvents.AUDIT_CLEARING_CREDENTIALS_SUCCEEDED : AuditEvents.AUDIT_CLEARING_CREDENTIALS_FAILED, keystoreString, getErrorMessage(auditLogParams.getErrorCode())), LogMessage.KEEP));
                break;
            case 2:
                if (auditLogParams.hasCertificates()) {
                    // If the attached bytes fail to parse this loop runs zero times and
                    // the deletion leaves no audit trail.
                    for (X509Certificate x509Certificate : auditLogParams.getX509Certificates()) {
                        arrayList.add(new LogMessage(String.format(z2 ? AuditEvents.AUDIT_DELETING_CERTIFICATE_SUCCEEDED : AuditEvents.AUDIT_DELETING_CERTIFICATE_FAILED, getKeyString(auditLogParams.getAlias()), keystoreString, auditLogParams.getAlias(), x509Certificate.getSubjectDN(), x509Certificate.getIssuerDN()), ""));
                    }
                    break;
                } else {
                    arrayList.add(new LogMessage(String.format(z2 ? AuditEvents.AUDIT_KEY_DESTRUCTION_ACTIVITY_SUCCEEDED : AuditEvents.AUDIT_KEY_DESTRUCTION_ACTIVITY_FAILED, keystoreString, auditLogParams.getAlias(), getRequesterInfo(auditLogParams.getContext()), getErrorMessage(auditLogParams.getErrorCode())), ""));
                    break;
                }
            case 3:
                // Installs into a keystore with no name mapping are not logged.
                if (!keystoreString.isEmpty()) {
                    for (X509Certificate x509Certificate2 : auditLogParams.getX509Certificates()) {
                        arrayList.add(new LogMessage(String.format(z2 ? AuditEvents.AUDIT_INSTALLING_CERTIFICATE_SUCCEEDED : AuditEvents.AUDIT_INSTALLING_CERTIFICATE_FAILED, getKeyString(auditLogParams.getAlias()), keystoreString, auditLogParams.getAlias(), x509Certificate2.getSubjectDN(), x509Certificate2.getIssuerDN(), getErrorMessage(auditLogParams.getErrorCode())), ""));
                    }
                    break;
                }
                break;
            case 4:
                // Only the failure template exists for key generation.
                arrayList.add(new LogMessage(String.format(AuditEvents.AUDIT_KEY_GENERATION_FAILED, getErrorMessage(auditLogParams.getErrorCode())), ""));
                break;
            case 5:
                arrayList.add(new LogMessage(String.format(z2 ? AuditEvents.AUDIT_KEY_IMPORTING_ACTIVITY_SUCCEEDED : AuditEvents.AUDIT_KEY_IMPORTING_ACTIVITY_FAILED, keystoreString, auditLogParams.getAlias(), getRequesterInfo(auditLogParams.getContext()), getErrorMessage(auditLogParams.getErrorCode())), ""));
                break;
            default:
                return;
        }
        final int userIdForDomainOrNamespace = getUserIdForDomainOrNamespace(auditLogParams.getUserId(), auditLogParams.getDomain(), auditLogParams.getNamespace());
        arrayList.forEach(new Consumer() { // from class: android.security.KeyStoreAuditLog$$ExternalSyntheticLambda0
            @Override // java.util.function.Consumer
            public final void accept(Object obj) {
                // r4 / r9 / r11 are unresolved registers from decompilation (see method Javadoc).
                AuditLog.logPrivilegedAsUser(r9 ? 5 : 1, 1, z2, Process.myPid(), auditLogParams.getClassName(), r4.message, r11 != -1 ? ((KeyStoreAuditLog.LogMessage) obj).redactedMessage : null, userIdForDomainOrNamespace);
            }
        });
    }

    /**
     * Applies the MDM certificate policy to the chain attached to
     * {@code auditLogParams} before installation.
     *
     * <p>Does nothing when no {@link CertificatePolicy} is available or no chain
     * bytes are present. Otherwise fails if (a) trusted/untrusted enforcement is
     * enabled for the user and the CA certificate is not trusted, or (b)
     * validation-at-install is enabled and
     * {@code validateCertificateAtInstallAsUser} returns anything other than
     * {@code -1}. The meaning of that return value is not visible here; the code
     * treats {@code -1} as "pass".
     *
     * @throws KeyStoreException with code 6 when the policy rejects the chain
     */
    public static void checkCertificateTrustful(AuditLogParams auditLogParams) throws KeyStoreException {
        CertificatePolicy certificatePolicy = EnterpriseDeviceManager.getInstance().getCertificatePolicy();
        byte[] chainBytes = auditLogParams.getChainBytes();
        if (certificatePolicy == null || chainBytes == null) {
            return;
        }
        int userId = auditLogParams.getUserId();
        boolean z = true;
        if (certificatePolicy.isCertificateTrustedUntrustedEnabledAsUser(userId) && !certificatePolicy.isCaCertificateTrustedAsUser(chainBytes, false, userId)) {
            z = false;
        }
        if (certificatePolicy.isCertificateValidationAtInstallEnabledAsUser(userId) && certificatePolicy.validateCertificateAtInstallAsUser(chainBytes, userId) != -1) {
            z = false;
        }
        if (!z) {
            throw new KeyStoreException(6, "Certificate not trusted by MDM");
        }
    }

    /**
     * PEM-encodes the given certificates via {@code Credentials.convertToPem}.
     * Returns {@code null} on null input or on any conversion failure; the
     * IOException / CertificateException branches log only a fixed message and
     * drop the exception detail.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] convertCertificatesToPem(Certificate[] certificateArr) {
        if (certificateArr == null) {
            return null;
        }
        try {
            return Credentials.convertToPem(certificateArr);
        } catch (IOException e) {
            Log.e(TAG, "Could not convert certificate.");
            return null;
        } catch (IllegalArgumentException e2) {
            Log.d(TAG, "Not a certificate " + e2.getMessage());
            return null;
        } catch (CertificateException e3) {
            Log.e(TAG, "Could not convert certificate.");
            return null;
        }
    }

    /**
     * Maps an error code to the suffix appended to audit messages: empty for
     * NO_ERROR / NO_ERROR2, fixed text for REMOTE_EXCEPTION and
     * EXECUTION_EXCEPTION, and " with error N" for anything else.
     */
    private static String getErrorMessage(int i) {
        switch (i) {
            case 0:
            case 1:
                return "";
            case 200:
                return " Cannot connect to KeyStore";
            case 201:
                return " Completed with execution exception";
            default:
                return " with error " + i;
        }
    }

    /**
     * Describes the key type for the message: "private key" when the alias
     * carries the {@code Credentials.USER_PRIVATE_KEY} prefix, otherwise the
     * string held by {@code TvInteractiveAppView.BI_INTERACTIVE_APP_KEY_CERTIFICATE}
     * (the decompiler matched an unrelated constant with the same text; it
     * appears to be "certificate").
     */
    private static String getKeyString(String str) {
        return (str == null || !str.startsWith(Credentials.USER_PRIVATE_KEY)) ? TvInteractiveAppView.BI_INTERACTIVE_APP_KEY_CERTIFICATE : "private key";
    }

    /**
     * Returns the human-readable keystore name for a domain/namespace pair:
     * "Wi-Fi" for domain 2 or namespace 102, "VPN and Apps" for domain 0 or
     * namespace -1, and "" otherwise.
     *
     * <p>For INSERT ({@code i2 == 3}) only: if a descriptor was staged through
     * {@link #setKeyDescriptorBeforeImportKey} whose key equals {@code j}, its
     * domain and namespace are used instead and the staged entry is cleared.
     * This is a side effect on static state (one-shot consumption).
     *
     * @param i  domain
     * @param j  namespace
     * @param i2 operation type
     */
    private static String getKeystoreString(int i, long j, int i2) {
        Pair<Long, KeyDescriptor> pair;
        if (i2 == 3 && (pair = mKeyDescriptorBeforeImportKey) != null && pair.first.longValue() == j) {
            KeyDescriptor keyDescriptor = mKeyDescriptorBeforeImportKey.second;
            if (keyDescriptor != null) {
                i = keyDescriptor.domain;
                j = keyDescriptor.nspace;
            }
            mKeyDescriptorBeforeImportKey = null;
        }
        return (i == 2 || j == 102) ? "Wi-Fi" : (i == 0 || j == -1) ? "VPN and Apps" : "";
    }

    /**
     * Resolves a package name for {@code i} (a uid). With a {@link Context} this
     * goes through PackageManager; without one it reflects into the hidden
     * {@code IPackageManager} via {@code ServiceManager.getService("package")}.
     * Any failure on the reflective path is logged and yields "", which then
     * appears verbatim as the requester name in the audit record.
     */
    private static String getPackageNameForUid(Context context, int i) {
        if (context != null) {
            return context.getPackageManager().getNameForUid(i);
        }
        try {
            Object invoke = Class.forName("android.content.pm.IPackageManager$Stub").getMethod("asInterface", IBinder.class).invoke(null, (IBinder) Class.forName("android.os.ServiceManager").getMethod("getService", String.class).invoke(null, "package"));
            return (String) invoke.getClass().getMethod("getNameForUid", Integer.TYPE).invoke(invoke, Integer.valueOf(i));
        } catch (Exception e) {
            Log.e(TAG, "Cannot retrieve package name for uid " + i + " " + e.getMessage());
            return "";
        }
    }

    /**
     * Builds the "requester" field: {@code <package>: uid=.. pid=.. role=..}.
     *
     * <p>The uid and pid are those of the <em>current process</em>
     * ({@code Process.myUid()} / {@code Process.myPid()}), not of a Binder
     * caller; the role is "SystemApp" for uid 1000, else "UserApp", suffixed with
     * the admin status from {@link #isCallerAdmin}.
     * NOTE(review): if this runs inside a system process on behalf of an app, the
     * record attributes the action to the system process — confirm where it is
     * called from.
     */
    private static String getRequesterInfo(Context context) {
        int myUid = Process.myUid();
        int myPid = Process.myPid();
        String str = myUid == 1000 ? "SystemApp" : "UserApp";
        String packageNameForUid = getPackageNameForUid(context, myUid);
        return packageNameForUid + ": uid=" + myUid + " pid=" + myPid + " role=" + (isCallerAdmin(packageNameForUid, myUid, myPid) ? str + "|Administrator" : str + "|NonAdministrator");
    }

    /** Extracts the Android user id from a uid. */
    /* JADX INFO: Access modifiers changed from: private */
    public static int getUserId(int i) {
        return UserHandle.getUserId(i);
    }

    /**
     * Chooses the user id the record is logged under: {@code -1} (presumably
     * UserHandle.USER_ALL — not verifiable here) for the Wi-Fi keystore
     * (domain 2 or namespace 102, the same pair {@link #getKeystoreString}
     * treats as "Wi-Fi"), otherwise the supplied user id {@code i}.
     */
    private static int getUserIdForDomainOrNamespace(int i, int i2, long j) {
        if (i2 == 2 || j == 102) {
            return -1;
        }
        return i;
    }

    /** Audit-log enablement for the current process's user. */
    public static boolean isAuditLogEnabledAsUser() {
        return isAuditLogEnabledAsUser(getUserId(Process.myUid()));
    }

    /** Delegates to {@link AuditLog#isAuditLogEnabledAsUser(int)}. */
    public static boolean isAuditLogEnabledAsUser(int i) {
        return AuditLog.isAuditLogEnabledAsUser(i);
    }

    /**
     * Asks the Knox enterprise service (reflected via
     * {@code ServiceManager.getService("enterprise_policy")}) whether package
     * {@code str} has active device admins. {@code i}/{@code i2} (uid/pid) are
     * used only in the failure log line. Fails closed: any exception yields
     * {@code false}, i.e. "NonAdministrator".
     */
    private static boolean isCallerAdmin(String str, int i, int i2) {
        try {
            Object invoke = Class.forName("com.samsung.android.knox.IEnterpriseDeviceManager$Stub").getMethod("asInterface", IBinder.class).invoke(null, (IBinder) Class.forName("android.os.ServiceManager").getMethod("getService", String.class).invoke(null, "enterprise_policy"));
            return ((Boolean) invoke.getClass().getMethod("packageHasActiveAdmins", String.class).invoke(invoke, str)).booleanValue();
        } catch (Exception e) {
            Log.e(TAG, "Administrator status cannot be defined for requester: uid=" + i + " pid=" + i2, e);
            return false;
        }
    }

    /**
     * Logs a key-generation failure with error text {@code str} for component
     * {@code str2}, but only when MDF enforcement is active.
     */
    public static void logMdfKeyGenFailed(String str, String str2) {
        if (MdfUtils.isMdfEnforced()) {
            AuditLog.logPrivileged(3, 1, false, Process.myPid(), str2, String.format(AuditEvents.AUDIT_KEY_GENERATION_FAILED_WITH_ERROR, str));
        }
    }

    /**
     * Parses the user certificate {@code bArr} and appends the parsed chain
     * {@code bArr2} (if any). If the user certificate does not parse the whole
     * result is an empty list — the chain is dropped even when it is present.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static List<X509Certificate> mergeUserCertAndChain(byte[] bArr, byte[] bArr2) {
        X509Certificate certificate = toCertificate(bArr);
        if (certificate == null) {
            return Collections.emptyList();
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(certificate);
        if (bArr2 != null) {
            arrayList.addAll(toCertificates(bArr2));
        }
        return arrayList;
    }

    /**
     * Notifies the MDM certificate policy, by subject X.500 name, of every
     * certificate in {@code auditLogParams} being removed for that user.
     *
     * <p>NOTE(review): unlike {@link #checkCertificateTrustful}, the
     * {@link CertificatePolicy} returned here is not null-checked; a null policy
     * would throw NPE on the first iteration. The list itself is never null
     * (see {@link AuditLogParams#getX509Certificates}), so only the size check
     * is effective.
     */
    public static void notifyCertificateRemovedAsUser(AuditLogParams auditLogParams) {
        List<X509Certificate> x509Certificates = auditLogParams.getX509Certificates();
        int userId = auditLogParams.getUserId();
        if (x509Certificates == null || x509Certificates.size() <= 0) {
            return;
        }
        CertificatePolicy certificatePolicy = EnterpriseDeviceManager.getInstance().getCertificatePolicy();
        Iterator<X509Certificate> it = x509Certificates.iterator();
        while (it.hasNext()) {
            certificatePolicy.notifyCertificateRemovedAsUser(it.next().getSubjectX500Principal().getName(), userId);
        }
    }

    /**
     * Stages a descriptor to be consumed by the next INSERT log whose namespace
     * equals {@code j} (see {@link #getKeystoreString}). Overwrites any
     * previously staged, not yet consumed, entry.
     */
    public static void setKeyDescriptorBeforeImportKey(long j, KeyDescriptor keyDescriptor) {
        mKeyDescriptorBeforeImportKey = Pair.create(Long.valueOf(j), keyDescriptor);
    }

    /**
     * Parses one X.509 certificate; {@code null} on null input or parse failure
     * (logged at WARN with the exception).
     */
    private static X509Certificate toCertificate(byte[] bArr) {
        if (bArr == null) {
            return null;
        }
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
        } catch (CertificateException e) {
            Log.w(TAG, "Couldn't parse certificate in keystore", e);
            return null;
        }
    }

    /**
     * Parses a sequence of X.509 certificates; empty list on null input or parse
     * failure (logged at WARN with the exception). The raw {@code (List)} cast
     * relies on the X.509 factory returning X509Certificate instances.
     */
    public static List<X509Certificate> toCertificates(byte[] bArr) {
        if (bArr == null) {
            return Collections.emptyList();
        }
        try {
            return (List) CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(bArr));
        } catch (CertificateException e) {
            Log.w(TAG, "Couldn't parse certificates in keystore", e);
            return Collections.emptyList();
        }
    }
}
