package com.microsoft.identity.common.internal.ui.webview.challengehandlers;

import android.annotation.TargetApi;
import android.app.Activity;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import android.security.KeyChainException;
import android.webkit.ClientCertRequest;
import com.microsoft.identity.common.R;
import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardCertPickerDialog;
import com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardPinDialog;
import com.microsoft.identity.common.java.exception.BaseException;
import com.microsoft.identity.common.java.providers.RawAuthorizationResult;
import com.microsoft.identity.common.java.telemetry.Telemetry;
import com.microsoft.identity.common.java.telemetry.TelemetryEventStrings;
import com.microsoft.identity.common.java.telemetry.events.CertBasedAuthResultEvent;
import com.microsoft.identity.common.java.telemetry.events.ErrorEvent;
import com.microsoft.identity.common.java.telemetry.events.PivProviderStatusEvent;
import com.microsoft.identity.common.logging.Logger;
import com.yubico.yubikit.android.transport.usb.h;
import com.yubico.yubikit.android.transport.usb.j.g;
import com.yubico.yubikit.core.application.ApplicationNotAvailableException;
import com.yubico.yubikit.core.application.BadResponseException;
import com.yubico.yubikit.core.smartcard.ApduException;
import com.yubico.yubikit.piv.InvalidPinException;
import com.yubico.yubikit.piv.e;
import com.yubico.yubikit.piv.f;
import com.yubico.yubikit.piv.i.y;
import com.yubico.yubikit.piv.i.z;
import g.g.a.a.d;
import g.g.a.b.h.a;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.Callable;

/* loaded from: classes2.dex */
/**
 * Handles a WebView TLS client-certificate challenge ({@link ClientCertRequest}) in one of two ways:
 * with a PIV certificate on a USB-attached YubiKey when one is currently connected, otherwise with a
 * certificate chosen from the Android {@link KeyChain}. The path is decided in {@link #processChallenge}
 * purely by whether {@code mDevice} is non-null at that moment.
 *
 * <p>NOTE(review): this listing is decompiler output and the YubiKit types are obfuscated. Their roles
 * are inferred only from the strings in this file: {@code h} is the USB YubiKey device (see
 * {@code MDEVICE_NULL_ERROR_MESSAGE}), {@code e} the PIV session, {@code f} the PIV slot enum,
 * {@code z} the PivProvider and {@code y} the PivPrivateKey (see the log/error messages in
 * {@code useSmartcardCertForAuth}). Confirm against the library before relying on these names.
 *
 * <p>Thread-safety: every read and write of {@code mDevice} is inside {@code synchronized (sDeviceLock)},
 * a static lock shared by all instances. The two "proceeding" flags are plain booleans written from
 * callbacks without any lock.
 *
 * <p>Security-relevant behaviour visible here: the PIV provider is inserted at position 1 of the
 * process-wide {@link Security} provider list and removed only when the device disconnects or the next
 * smartcard auth attempt starts; the user's PIN travels as a {@code char[]} that the caller zeroes in a
 * {@code finally}.
 */
public final class ClientCertAuthChallengeHandler implements IChallengeHandler<ClientCertRequest, Void> {
    /** Substring searched for in each challenge principal name; a hit means the challenge is device authentication and is cancelled (see handleOnDeviceCertAuth). */
    private static final String ACCEPTABLE_ISSUER = "CN=MS-Organization-Access";
    /** Logged and, in getPivProviderCallback, also used as the message of the failure exception when no device is attached. */
    private static final String MDEVICE_NULL_ERROR_MESSAGE = "Instance UsbYubiKitDevice variable (mDevice) is null.";
    private static final String TAG = "ClientCertAuthChallengeHandler";
    /** Name of the provider this class inserts into and removes from the process-wide java.security.Security list. */
    private static final String YUBIKEY_PROVIDER = "YKPiv";
    /** Static lock guarding mDevice; shared across instances and with the USB connect/disconnect callbacks. */
    private static final Object sDeviceLock = new Object();
    private final Activity mActivity;
    // Currently connected USB YubiKey, or null when none is attached. Only accessed under sDeviceLock.
    private h mDevice;
    private final DialogHolder mDialogHolder;
    // Set when proceed() was called on the KeyChain path; reset by emitTelemetryForCertBasedAuthResults. Not synchronized.
    private boolean mIsOnDeviceCertBasedAuthProceeding = false;
    // Same as above for the smartcard (YubiKey) path.
    private boolean mIsSmartcardCertBasedAuthProceeding = false;
    // YubiKit manager; c(...) is called in the constructor and e() in stopYubiKitManagerUsbDiscovery() —
    // presumably start/stop of USB discovery, inferred from the method name and package. Confirm against YubiKit.
    private final d mYubiKitManager;

    /** Receives a freshly opened PIV session from getActivePivSessionAsync. */
    /* loaded from: classes2.dex */
    public interface IPivSessionCallback {
        /** @param eVar the PIV session (obfuscated type); only valid for the duration of the callback as far as this file shows */
        void onGetSession(e eVar);
    }

    /** Immutable pairing of a certificate read from the YubiKey with the PIV slot it came from. */
    /* loaded from: classes2.dex */
    public static class YubiKitCertDetails {
        private final X509Certificate cert;
        private final f slot;

        /**
         * @param x509Certificate certificate read from the slot
         * @param fVar the PIV slot (obfuscated enum; values AUTHENTICATION, SIGNATURE, KEY_MANAGEMENT, CARD_AUTH are used in this file)
         */
        public YubiKitCertDetails(X509Certificate x509Certificate, f fVar) {
            this.cert = x509Certificate;
            this.slot = fVar;
        }

        public X509Certificate getCertificate() {
            return this.cert;
        }

        public f getSlot() {
            return this.slot;
        }
    }

    /**
     * Creates the handler and registers for USB YubiKey connection events.
     *
     * <p>On connection the device is stored in {@code mDevice}, any open dialog is dismissed, and a
     * disconnect callback is registered on the device. On disconnect {@code mDevice} is cleared, the
     * {@code YKPiv} provider is removed from {@link Security} if present, and — if a smartcard dialog is
     * still showing — the in-progress CBA is cancelled and an "early unplug" error dialog is shown.
     *
     * @param activity host activity; its application context is handed to the YubiKit manager
     */
    public ClientCertAuthChallengeHandler(Activity activity) {
        this.mActivity = activity;
        this.mDialogHolder = new DialogHolder(activity);
        d dVar = new d(activity.getApplicationContext());
        this.mYubiKitManager = dVar;
        dVar.c(new com.yubico.yubikit.android.transport.usb.f(), new a<h>() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.1
            @Override // g.g.a.b.h.a
            public void invoke(h hVar) {
                Logger.verbose(ClientCertAuthChallengeHandler.TAG, "A YubiKey device was connected");
                synchronized (ClientCertAuthChallengeHandler.sDeviceLock) {
                    ClientCertAuthChallengeHandler.this.mDevice = hVar;
                    // Dialog work happens while the static lock is held; the DialogHolder is not visible here,
                    // so whether this touches the UI thread cannot be confirmed from this file.
                    ClientCertAuthChallengeHandler.this.mDialogHolder.dismissDialog();
                    // j(...) is presumably "set on-closed listener"; the Runnable body only ever runs on disconnect.
                    ClientCertAuthChallengeHandler.this.mDevice.j(new Runnable() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.1.1
                        @Override // java.lang.Runnable
                        public void run() {
                            synchronized (ClientCertAuthChallengeHandler.sDeviceLock) {
                                Logger.verbose(ClientCertAuthChallengeHandler.TAG, "A YubiKey device was disconnected");
                                ClientCertAuthChallengeHandler.this.mDevice = null;
                                PivProviderStatusEvent pivProviderStatusEvent = new PivProviderStatusEvent();
                                // Unplugging is the only place besides useSmartcardCertForAuth where the
                                // process-wide provider installed there is removed.
                                if (Security.getProvider(ClientCertAuthChallengeHandler.YUBIKEY_PROVIDER) != null) {
                                    Security.removeProvider(ClientCertAuthChallengeHandler.YUBIKEY_PROVIDER);
                                    Telemetry.emit(pivProviderStatusEvent.putPivProviderRemoved(true));
                                    Logger.info(ClientCertAuthChallengeHandler.TAG, "An instance of PivProvider was removed from Security static list upon YubiKey device connection being closed.");
                                } else {
                                    Telemetry.emit(pivProviderStatusEvent.putPivProviderRemoved(false));
                                    Logger.info(ClientCertAuthChallengeHandler.TAG, "An instance of PivProvider was not present in Security static list upon YubiKey device connection being closed.");
                                }
                                // A dialog still showing means a CBA flow was mid-way; cancel it (which is expected
                                // to cancel the pending ClientCertRequest via the dialog's cancel callback) and tell the user.
                                if (ClientCertAuthChallengeHandler.this.mDialogHolder.isDialogShowing()) {
                                    ClientCertAuthChallengeHandler.this.mDialogHolder.onCancelCba();
                                    ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_early_unplug_dialog_title, R.string.smartcard_early_unplug_dialog_message);
                                    Logger.verbose(ClientCertAuthChallengeHandler.TAG, "YubiKey was disconnected while dialog was still displayed.");
                                }
                            }
                        }
                    });
                }
            }
        });
    }

    /**
     * Overwrites a PIN buffer with NUL characters so the PIN does not linger on the heap.
     * Callers invoke this in a {@code finally} after the PIN has been used.
     *
     * @param cArr the PIN buffer; zeroed in place
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void clearPin(char[] cArr) {
        Arrays.fill(cArr, (char) 0);
    }

    /**
     * Opens a PIV session on the currently attached YubiKey and hands it to {@code iPivSessionCallback}.
     *
     * <p>If no device is attached, or opening the smartcard connection fails, a general error dialog is
     * shown and the {@code clientCertRequest} is cancelled instead. Session-open failures are also
     * reported to telemetry as an ErrorEvent. The callback's own exceptions are not caught here except
     * for the three listed types, which it shares with the session-open code path.
     *
     * @param clientCertRequest the pending TLS challenge, cancelled on failure
     * @param iPivSessionCallback receives the opened session
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void getActivePivSessionAsync(final ClientCertRequest clientCertRequest, final IPivSessionCallback iPivSessionCallback) {
        // Tag format here is TAG + "name:"; other methods use TAG + ":name". Inconsistent but cosmetic.
        final String str = TAG + "getActivePivSessionAsync:";
        synchronized (sDeviceLock) {
            h hVar = this.mDevice;
            if (hVar != null) {
                // i(g.class, cb): presumably "request a smartcard connection of type g"; the result wrapper
                // dVar.b() unwraps it or throws the declared IOException.
                hVar.i(g.class, new a<g.g.a.b.h.d<g, IOException>>() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.3
                    @Override // g.g.a.b.h.a
                    public void invoke(g.g.a.b.h.d<g, IOException> dVar) {
                        try {
                            iPivSessionCallback.onGetSession(new e(dVar.b()));
                        } catch (ApplicationNotAvailableException | ApduException | IOException e2) {
                            Logger.error(str, e2.getMessage(), e2);
                            ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
                            Telemetry.emit(new ErrorEvent().putException(e2));
                            clientCertRequest.cancel();
                        }
                    }
                });
                return;
            }
            Logger.error(str, MDEVICE_NULL_ERROR_MESSAGE, null);
            this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
            clientCertRequest.cancel();
        }
    }

    /**
     * Reads the certificate in one PIV slot and appends it to {@code list}; an empty slot is skipped.
     *
     * @param fVar the PIV slot to read
     * @param eVar the open PIV session
     * @param list receives a YubiKitCertDetails when the slot holds a certificate
     * @throws ApduException for any card status other than the "empty slot" one handled below
     * @throws IOException propagated from the session
     * @throws BadResponseException propagated from the session
     */
    private void getAndPutCertDetailsInList(f fVar, e eVar, List<YubiKitCertDetails> list) throws IOException, ApduException, BadResponseException {
        String str = TAG + ":getAndPutCertDetailsInList";
        try {
            // eVar.i(slot) presumably returns the slot's certificate (its result is accepted as an X509Certificate).
            list.add(new YubiKitCertDetails(eVar.i(fVar), fVar));
        } catch (ApduException e2) {
            // 27266 == 0x6A82, the ISO 7816 "file not found" status word; the code treats it as "slot is empty"
            // and swallows it. Every other APDU status is rethrown.
            if (e2.a() != 27266) {
                throw e2;
            }
            Logger.verbose(str, fVar + " slot is empty.");
        }
    }

    /**
     * Collects the certificates from the four PIV slots in a fixed order:
     * AUTHENTICATION, SIGNATURE, KEY_MANAGEMENT, CARD_AUTH. Empty slots are omitted.
     *
     * @param eVar the open PIV session
     * @return possibly empty list, in the slot order above
     * @throws IOException, ApduException, BadResponseException propagated from reading a slot
     */
    /* JADX INFO: Access modifiers changed from: private */
    public List<YubiKitCertDetails> getCertDetailsFromKey(e eVar) throws IOException, ApduException, BadResponseException {
        ArrayList arrayList = new ArrayList();
        getAndPutCertDetailsInList(f.AUTHENTICATION, eVar, arrayList);
        getAndPutCertDetailsInList(f.SIGNATURE, eVar, arrayList);
        getAndPutCertDetailsInList(f.KEY_MANAGEMENT, eVar, arrayList);
        getAndPutCertDetailsInList(f.CARD_AUTH, eVar, arrayList);
        return arrayList;
    }

    /**
     * Builds the callback the PivProvider ({@code z}) uses to obtain a PIV session on demand.
     *
     * <p>Each invocation opens a new smartcard connection on the device current at that time and wraps a
     * new session in a lazily evaluated result; when no device is attached the result carries an
     * {@link Exception} with {@code MDEVICE_NULL_ERROR_MESSAGE}. Note that the provider holding this
     * callback stays installed process-wide (see useSmartcardCertForAuth), so it can be invoked after the
     * request that installed it has completed.
     *
     * @return callback supplying {@code Result<e, Exception>} to the provider
     */
    private a<a<g.g.a.b.h.d<e, Exception>>> getPivProviderCallback() {
        final String str = TAG + "getPivProviderCallback:";
        return new a<a<g.g.a.b.h.d<e, Exception>>>() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.6
            @Override // g.g.a.b.h.a
            public void invoke(final a<g.g.a.b.h.d<e, Exception>> aVar) {
                synchronized (ClientCertAuthChallengeHandler.sDeviceLock) {
                    if (ClientCertAuthChallengeHandler.this.mDevice != null) {
                        ClientCertAuthChallengeHandler.this.mDevice.i(g.class, new a<g.g.a.b.h.d<g, IOException>>() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.6.1
                            @Override // g.g.a.b.h.a
                            public void invoke(final g.g.a.b.h.d<g, IOException> dVar) {
                                // d.c(Callable) presumably wraps the Callable's value or thrown exception as a result;
                                // the session is created only when the provider asks for the value.
                                aVar.invoke(g.g.a.b.h.d.c(new Callable<e>() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.6.1.1
                                    /* JADX WARN: Can't rename method to resolve collision */
                                    @Override // java.util.concurrent.Callable
                                    public e call() throws Exception {
                                        return new e((com.yubico.yubikit.core.smartcard.d) dVar.b());
                                    }
                                }));
                            }
                        });
                    } else {
                        Logger.error(str, ClientCertAuthChallengeHandler.MDEVICE_NULL_ERROR_MESSAGE, null);
                        // d.a(Throwable) presumably builds a failed result.
                        aVar.invoke(g.g.a.b.h.d.a(new Exception(ClientCertAuthChallengeHandler.MDEVICE_NULL_ERROR_MESSAGE)));
                    }
                }
            }
        };
    }

    /**
     * Listener for the certificate-picker dialog: once the user picks a certificate, the PIN dialog is
     * shown for it. Cancelling the PIN dialog dismisses it and cancels {@code clientCertRequest}.
     *
     * @param clientCertRequest the pending TLS challenge
     * @return listener to pass to DialogHolder.showCertPickerDialog
     */
    /* JADX INFO: Access modifiers changed from: private */
    public SmartcardCertPickerDialog.PositiveButtonListener getSmartcardCertPickerDialogPositiveButtonListener(final ClientCertRequest clientCertRequest) {
        return new SmartcardCertPickerDialog.PositiveButtonListener() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.4
            @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardCertPickerDialog.PositiveButtonListener
            public void onClick(YubiKitCertDetails yubiKitCertDetails) {
                ClientCertAuthChallengeHandler.this.mDialogHolder.showPinDialog(ClientCertAuthChallengeHandler.this.getSmartcardPinDialogPositiveButtonListener(yubiKitCertDetails, clientCertRequest), new SmartcardPinDialog.CancelCbaCallback() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.4.1
                    @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardPinDialog.CancelCbaCallback
                    public void onCancel() {
                        ClientCertAuthChallengeHandler.this.mDialogHolder.dismissDialog();
                        clientCertRequest.cancel();
                    }
                });
            }
        };
    }

    /**
     * Listener for the PIN dialog: with the entered PIN, re-opens a PIV session and runs
     * {@link #tryUsingSmartcardWithPin}. The PIN buffer is always zeroed afterwards ({@code finally}),
     * whether the attempt succeeded, failed with a wrong PIN, or threw.
     *
     * <p>Card/IO errors raised by the attempt are logged, reported to telemetry, surfaced as a general
     * error dialog and cancel {@code clientCertRequest}. A wrong PIN is handled inside
     * tryUsingSmartcardWithPin and does not reach the catch here.
     *
     * @param yubiKitCertDetails the certificate and slot chosen in the picker
     * @param clientCertRequest the pending TLS challenge
     * @return listener to pass to DialogHolder.showPinDialog
     */
    /* JADX INFO: Access modifiers changed from: private */
    public SmartcardPinDialog.PositiveButtonListener getSmartcardPinDialogPositiveButtonListener(final YubiKitCertDetails yubiKitCertDetails, final ClientCertRequest clientCertRequest) {
        final String str = TAG + ":getSmartcardPinDialogPositiveButtonListener";
        return new SmartcardPinDialog.PositiveButtonListener() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.5
            @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardPinDialog.PositiveButtonListener
            public void onClick(final char[] cArr) {
                ClientCertAuthChallengeHandler.this.getActivePivSessionAsync(clientCertRequest, new IPivSessionCallback() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.5.1
                    @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.IPivSessionCallback
                    public void onGetSession(e eVar) {
                        try {
                            try {
                                // Decompiler artifact: this local is never used.
                                AnonymousClass5 anonymousClass5 = AnonymousClass5.this;
                                ClientCertAuthChallengeHandler.this.tryUsingSmartcardWithPin(cArr, yubiKitCertDetails, clientCertRequest, eVar);
                                // Redundant with the finally below (also a decompiler artifact); zeroing an
                                // already-zeroed buffer a second time is harmless.
                                ClientCertAuthChallengeHandler.this.clearPin(cArr);
                            } finally {
                                // The PIN is cleared on every exit path, including the exceptions caught below.
                                ClientCertAuthChallengeHandler.this.clearPin(cArr);
                            }
                        } catch (BadResponseException | ApduException | IOException e2) {
                            Logger.error(str, e2.getMessage(), e2);
                            ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
                            Telemetry.emit(new ErrorEvent().putException(e2));
                            clientCertRequest.cancel();
                        }
                    }
                });
            }
        };
    }

    /**
     * Answers the challenge with a certificate from the Android {@link KeyChain}.
     *
     * <p>Challenges whose principal list contains {@code ACCEPTABLE_ISSUER} are treated as device
     * authentication and cancelled without prompting. Otherwise the system certificate chooser is shown;
     * a {@code null} alias (nothing chosen) cancels the request, and a chosen alias leads to
     * {@code proceed(privateKey, chain)} and sets {@code mIsOnDeviceCertBasedAuthProceeding}.
     *
     * <p>Note the match is {@code String.contains}, so the issuer substring matches anywhere in the
     * principal's name, not only in its CN attribute.
     *
     * @param clientCertRequest the pending TLS challenge
     */
    @TargetApi(21)
    private void handleOnDeviceCertAuth(final ClientCertRequest clientCertRequest) {
        final String str = TAG + ":handleOnDeviceCertAuth";
        Principal[] principals = clientCertRequest.getPrincipals();
        // getPrincipals() may be null; the chooser below is still launched in that case.
        if (principals != null) {
            for (Principal principal : principals) {
                if (principal.getName().contains(ACCEPTABLE_ISSUER)) {
                    Logger.info(str, "Cancelling the TLS request, not respond to TLS challenge triggered by device authentication.");
                    clientCertRequest.cancel();
                    return;
                }
            }
        }
        // When called from processChallenge this runs while sDeviceLock is held; the alias callback
        // below runs later, outside that lock.
        KeyChain.choosePrivateKeyAlias(this.mActivity, new KeyChainAliasCallback() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.7
            @Override // android.security.KeyChainAliasCallback
            public void alias(String str2) {
                if (str2 == null) {
                    Logger.info(str, "No certificate chosen by user, cancelling the TLS request.");
                    clientCertRequest.cancel();
                    return;
                }
                try {
                    // KeyChain.getCertificateChain/getPrivateKey are documented by Android as blocking calls
                    // that must not run on the main thread; the thread the alias callback arrives on is
                    // not visible here.
                    X509Certificate[] certificateChain = KeyChain.getCertificateChain(ClientCertAuthChallengeHandler.this.mActivity.getApplicationContext(), str2);
                    PrivateKey privateKey = KeyChain.getPrivateKey(ClientCertAuthChallengeHandler.this.mActivity, str2);
                    Logger.info(str, "Certificate is chosen by user, proceed with TLS request.");
                    ClientCertAuthChallengeHandler.this.mIsOnDeviceCertBasedAuthProceeding = true;
                    clientCertRequest.proceed(privateKey, certificateChain);
                } catch (KeyChainException e2) {
                    // errorPII (not error) is used here: the alias/exception text may identify the user.
                    Logger.errorPII(str, "KeyChain exception", e2);
                    clientCertRequest.cancel();
                } catch (InterruptedException e3) {
                    // NOTE(review): the interrupt flag is not restored here (Thread.currentThread().interrupt()).
                    Logger.errorPII(str, "InterruptedException exception", e3);
                    clientCertRequest.cancel();
                }
            }
        }, clientCertRequest.getKeyTypes(), clientCertRequest.getPrincipals(), clientCertRequest.getHost(), clientCertRequest.getPort(), null);
    }

    /**
     * Answers the challenge with a PIV certificate from the attached YubiKey.
     *
     * <p>Opens a session, refuses to continue when the PIN retry counter ({@code eVar.k()}, presumably
     * remaining attempts) is already 0, otherwise lists the slot certificates and shows the picker.
     * No certificates, a blocked PIN, or a card/IO error each show a specific or general error dialog and
     * cancel {@code clientCertRequest}; card/IO errors are additionally reported to telemetry.
     *
     * @param clientCertRequest the pending TLS challenge
     */
    private void handleSmartcardCertAuth(final ClientCertRequest clientCertRequest) {
        final String str = TAG + ":handleSmartcardCertAuth";
        getActivePivSessionAsync(clientCertRequest, new IPivSessionCallback() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.2
            @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.IPivSessionCallback
            public void onGetSession(e eVar) {
                try {
                    // Checked before any PIN prompt so a blocked card never asks the user for a PIN.
                    if (eVar.k() == 0) {
                        Logger.info(str, "User has reached the maximum failed attempts allowed.");
                        ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_max_attempt_dialog_title, R.string.smartcard_max_attempt_dialog_message);
                        clientCertRequest.cancel();
                        return;
                    }
                    List<YubiKitCertDetails> certDetailsFromKey = ClientCertAuthChallengeHandler.this.getCertDetailsFromKey(eVar);
                    if (!certDetailsFromKey.isEmpty()) {
                        ClientCertAuthChallengeHandler.this.mDialogHolder.showCertPickerDialog(certDetailsFromKey, ClientCertAuthChallengeHandler.this.getSmartcardCertPickerDialogPositiveButtonListener(clientCertRequest), new SmartcardCertPickerDialog.CancelCbaCallback() { // from class: com.microsoft.identity.common.internal.ui.webview.challengehandlers.ClientCertAuthChallengeHandler.2.1
                            @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.SmartcardCertPickerDialog.CancelCbaCallback
                            public void onCancel() {
                                ClientCertAuthChallengeHandler.this.mDialogHolder.dismissDialog();
                                clientCertRequest.cancel();
                            }
                        });
                        return;
                    }
                    Logger.info(str, "No PIV certificates found on YubiKey device.");
                    ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_no_cert_dialog_title, R.string.smartcard_no_cert_dialog_message);
                    clientCertRequest.cancel();
                } catch (BadResponseException | ApduException | IOException e2) {
                    Logger.error(str, e2.getMessage(), e2);
                    ClientCertAuthChallengeHandler.this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
                    Telemetry.emit(new ErrorEvent().putException(e2));
                    clientCertRequest.cancel();
                }
            }
        });
    }

    /**
     * Verifies the PIN against the card and, on success, performs the TLS handshake with the chosen slot.
     *
     * <p>A wrong PIN ({@link InvalidPinException}) is not an error for the caller: if attempts remain the
     * PIN dialog is switched to its error mode so the user can retry; if the counter hit 0 a
     * "max attempts" dialog is shown and the request is cancelled. The caller owns and zeroes {@code cArr}.
     *
     * @param cArr the PIN; used for verification and again as the KeyStore key password
     * @param yubiKitCertDetails certificate and slot to use
     * @param clientCertRequest the pending TLS challenge
     * @param eVar the open PIV session
     * @throws IOException, ApduException, BadResponseException propagated from the card
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void tryUsingSmartcardWithPin(char[] cArr, YubiKitCertDetails yubiKitCertDetails, ClientCertRequest clientCertRequest, e eVar) throws IOException, ApduException, BadResponseException {
        String str = TAG + ":tryUsingSmartcardWithPin";
        try {
            // F(pin) presumably verifies the PIN — it is the call guarded by the InvalidPinException catch.
            eVar.F(cArr);
            useSmartcardCertForAuth(yubiKitCertDetails.getCertificate(), cArr, yubiKitCertDetails.getSlot().getStringAlias(), eVar, clientCertRequest);
        } catch (InvalidPinException unused) {
            // The exception itself is dropped; only the remaining-attempts counter decides what happens next.
            if (eVar.k() != 0) {
                this.mDialogHolder.setPinDialogErrorMode();
                return;
            }
            Logger.info(str, "User has reached the maximum failed attempts allowed.");
            this.mDialogHolder.showErrorDialog(R.string.smartcard_max_attempt_dialog_title, R.string.smartcard_max_attempt_dialog_message);
            clientCertRequest.cancel();
        }
    }

    /**
     * Installs the YubiKey PIV security provider and hands the slot's private key to the WebView.
     *
     * <p>Any existing {@code YKPiv} provider is removed first, then a new PivProvider backed by
     * {@link #getPivProviderCallback} is inserted at position 1 of the process-wide {@link Security}
     * list — highest priority, visible to every JCA consumer in the process, and only removed again here
     * or on device disconnect. The private key is then looked up through a {@code YKPiv} KeyStore bound
     * to the current session, using the PIN as the key password; only a PivPrivateKey ({@code y})
     * is accepted for {@code proceed}.
     *
     * @param x509Certificate certificate presented as the (single-element) chain
     * @param cArr the verified PIN, reused as the KeyStore key password
     * @param str the slot's alias string, used as the KeyStore entry name
     * @param eVar the open PIV session backing the KeyStore
     * @param clientCertRequest the pending TLS challenge; cancelled on any failure
     */
    private void useSmartcardCertForAuth(X509Certificate x509Certificate, char[] cArr, String str, e eVar, ClientCertRequest clientCertRequest) {
        String str2 = TAG + "useSmartcardCertForAuth:";
        PivProviderStatusEvent pivProviderStatusEvent = new PivProviderStatusEvent();
        if (Security.getProvider(YUBIKEY_PROVIDER) != null) {
            Security.removeProvider(YUBIKEY_PROVIDER);
            Telemetry.emit(pivProviderStatusEvent.putIsExistingPivProviderPresent(true));
            Logger.info(str2, "Existing PivProvider was present in Security static list.");
        } else {
            Telemetry.emit(pivProviderStatusEvent.putIsExistingPivProviderPresent(false));
            Logger.info(str2, "Security static list does not have existing PivProvider.");
        }
        // Process-wide side effect: position 1 puts this provider ahead of every platform provider.
        Security.insertProviderAt(new z(getPivProviderCallback()), 1);
        Logger.info(str2, "An instance of PivProvider was added to Security static list.");
        try {
            // This KeyStore instance is bound to eVar directly (not to the callback-backed provider above).
            KeyStore keyStore = KeyStore.getInstance(YUBIKEY_PROVIDER, new z(eVar));
            keyStore.load(null);
            Key key = keyStore.getKey(str, cArr);
            if (key instanceof y) {
                this.mDialogHolder.dismissDialog();
                this.mIsSmartcardCertBasedAuthProceeding = true;
                clientCertRequest.proceed((y) key, new X509Certificate[]{x509Certificate});
            } else {
                Logger.error(str2, "Private key retrieved from YKPiv keystore is not of type PivPrivateKey.", null);
                this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
                clientCertRequest.cancel();
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e2) {
            // Unlike the KeyChain path this uses Logger.error, not errorPII; the message content is decided by the provider.
            Logger.error(str2, e2.getMessage(), e2);
            this.mDialogHolder.showErrorDialog(R.string.smartcard_general_error_dialog_title, R.string.smartcard_general_error_dialog_message);
            Telemetry.emit(new ErrorEvent().putException(e2));
            clientCertRequest.cancel();
        }
    }

    /**
     * Emits the result telemetry for a CBA flow that previously called {@code proceed}, then clears
     * the corresponding "proceeding" flag. Does nothing if neither flag is set.
     *
     * <p>If both flags happen to be set, the on-device event wins and only
     * {@code mIsOnDeviceCertBasedAuthProceeding} is cleared; the smartcard flag then stays set until the
     * next call.
     *
     * @param rawAuthorizationResult result whose code is recorded and whose exception, if any, is emitted as an ErrorEvent
     */
    public void emitTelemetryForCertBasedAuthResults(RawAuthorizationResult rawAuthorizationResult) {
        CertBasedAuthResultEvent certBasedAuthResultEvent;
        boolean z = this.mIsOnDeviceCertBasedAuthProceeding;
        if (z || this.mIsSmartcardCertBasedAuthProceeding) {
            if (z) {
                certBasedAuthResultEvent = new CertBasedAuthResultEvent(TelemetryEventStrings.Event.CERT_BASED_AUTH_RESULT_ON_DEVICE_EVENT);
                this.mIsOnDeviceCertBasedAuthProceeding = false;
            } else {
                certBasedAuthResultEvent = new CertBasedAuthResultEvent(TelemetryEventStrings.Event.CERT_BASED_AUTH_RESULT_SMARTCARD_EVENT);
                this.mIsSmartcardCertBasedAuthProceeding = false;
            }
            Telemetry.emit(certBasedAuthResultEvent.putResponseCode(rawAuthorizationResult.getResultCode().toString()));
            BaseException exception = rawAuthorizationResult.getException();
            if (exception != null) {
                Telemetry.emit(new ErrorEvent().putException(exception));
            }
        }
    }

    /**
     * Entry point for a TLS client-certificate challenge: routes to the YubiKey flow when a device is
     * attached at this instant, otherwise to the KeyChain flow. The dispatch runs under
     * {@code sDeviceLock}, so a device plugged in or removed during it is observed only by later calls.
     *
     * @param clientCertRequest the pending TLS challenge
     * @return always {@code null}
     */
    @Override // com.microsoft.identity.common.internal.ui.webview.challengehandlers.IChallengeHandler
    public Void processChallenge(ClientCertRequest clientCertRequest) {
        synchronized (sDeviceLock) {
            if (this.mDevice != null) {
                handleSmartcardCertAuth(clientCertRequest);
                return null;
            }
            handleOnDeviceCertAuth(clientCertRequest);
            return null;
        }
    }

    /** Stops YubiKit USB discovery (e() on the manager — presumed counterpart of the c(...) call in the constructor). */
    public void stopYubiKitManagerUsbDiscovery() {
        this.mYubiKitManager.e();
    }
}
