package com.amazon.bison.frank.playback;

import android.content.Context;
import android.os.Build;
import android.os.Handler;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import c.c;
import com.amazon.bison.ALog;
import com.amazon.bison.CorrelationIdGenerator;
import com.amazon.bison.frank.FrankPairingManager;
import com.amazon.fcl.CertificateManager;
import com.amazon.fcl.SimpleCertificateManagerObserver;
import com.amazon.whispercloak.KeyUtils;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import java.util.concurrent.Executor;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes.dex */
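/**
 * Owns the TLS identities used to talk to a paired Frank device.
 *
 * <p>Two entries live in the {@code AndroidKeyStore}: a self-signed RSA client certificate
 * under {@link #CLIENT_ALIAS}, and the certificate the device returned during the last
 * exchange, stored as a trusted entry under {@link #SERVER_ALIAS} + device serial. Nothing
 * in this class validates the server certificate beyond parsing it and checking its dates:
 * whatever the exchange channel delivers is stored and later treated as the peer's identity,
 * so the trust decision is made by the exchange itself (trust-on-first-use from this class's
 * point of view).
 *
 * <p>Exchange results are reported through {@link ISslExchangeCallback} on {@code mHandler};
 * the exchange itself runs on {@code mExecutor}. Thread-safety of the keystore operations is
 * not coordinated here.
 */
public class SslCertificateManager {
    private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n";
    private static final String CLIENT_ALIAS = "Frank-Client-Cert";
    private static final int DAYS_VALID = 120;
    private static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
    private static final String KEYSTORE_TYPE = "AndroidKeyStore";
    private static final int RSA_KEY_SIZE = 2048;
    private static final String SERVER_ALIAS = "Frank-Server-Cert-";
    private static final String SUBJECT_NAME_PREFIX = "ANDROID_BSN_";
    private static final String TAG = "SslCertificateManager";
    /**
     * Purposes granted to the client key. 15 is the OR of the four
     * {@code KeyProperties.PURPOSE_*} flags (ENCRYPT | DECRYPT | SIGN | VERIFY), i.e. the key
     * is usable for everything the keystore offers, not just TLS client authentication.
     */
    private static final int CLIENT_KEY_PURPOSES = 15;
    /** Hours the client certificate's notBefore is backdated to tolerate peer clock skew. */
    private static final int NOT_BEFORE_SKEW_HOURS = 1;
    /**
     * Error code passed to {@link ISslExchangeCallback#onError(int)} when the exchange cannot
     * be completed locally: no client certificate could be generated, or the peer returned no
     * certificate. Class-local value chosen here; TODO confirm it does not collide with the
     * codes {@code CertificateManager} reports.
     */
    private static final int LOCAL_EXCHANGE_ERROR = -1;
    /** {@code null} if no provider for {@link #KEYSTORE_TYPE} exists (see constructor). */
    private KeyStore mAndroidKeystore;
    private final Context mApplicationContext;
    private final CorrelationIdGenerator mCorrelationIdGenerator;
    private final Executor mExecutor;
    private final Handler mHandler;
    private final c<CertificateManager> mLazyCertificateManager;
    private final FrankPairingManager mPairingManager;
    /**
     * Device serial used in the client certificate's CN. Build.SERIAL is deprecated on newer
     * Android releases and may return a placeholder there, which would make the CN
     * non-unique across devices — TODO confirm the target API range.
     */
    private final String mClientDsn = Build.SERIAL;

    /**
     * One-shot observer for a single exchange: stores the returned server certificate,
     * detaches itself, then reports the outcome on {@code mHandler}.
     */
    private final class ExchangeObserver extends SimpleCertificateManagerObserver {
        private final ISslExchangeCallback mCallback;
        private final CertificateManager mCertificateManager;

        private ExchangeObserver(CertificateManager certificateManager, ISslExchangeCallback callback) {
            mCertificateManager = certificateManager;
            mCallback = callback;
        }

        /** Posts {@code onError(errorCode)} to the caller; the first argument is unused here. */
        private void reportError(final int errorCode) {
            if (mCallback == null) {
                return;
            }
            mHandler.post(new Runnable() {
                @Override
                public void run() {
                    mCallback.onError(errorCode);
                }
            });
        }

        private void reportSuccess() {
            if (mCallback == null) {
                return;
            }
            mHandler.post(new Runnable() {
                @Override
                public void run() {
                    mCallback.onSuccess();
                }
            });
        }

        @Override // com.amazon.fcl.SimpleCertificateManagerObserver, com.amazon.fcl.CertificateManager.CertificateManagerObserver
        public void onCertificateExchangeFailed(String str, int errorCode) {
            ALog.i(TAG, "SSL exchange failed: " + errorCode);
            mCertificateManager.removeObserver(this);
            reportError(errorCode);
        }

        @Override // com.amazon.fcl.SimpleCertificateManagerObserver, com.amazon.fcl.CertificateManager.CertificateManagerObserver
        public void onCertificateExchangeSucceeded(String str, List<String> certificates) {
            ALog.i(TAG, "SSL exchange succeeded");
            mCertificateManager.removeObserver(this);
            // Only the first returned certificate is used; an empty result previously threw
            // IndexOutOfBoundsException here and the caller never heard back.
            if (certificates == null || certificates.isEmpty()) {
                ALog.e(TAG, "SSL exchange returned no server certificate");
                reportError(LOCAL_EXCHANGE_ERROR);
                return;
            }
            if (storeServerCertificate(certificates.get(0))) {
                reportSuccess();
            } else {
                // Parsing or storing failed (already logged); a "success" with no usable
                // server certificate would only surface later as a validation failure.
                reportError(LOCAL_EXCHANGE_ERROR);
            }
        }
    }

    /** Outcome of {@link #doCertificateExchange(ISslExchangeCallback)}, delivered on mHandler. */
    public interface ISslExchangeCallback {
        void onError(int i2);

        void onSuccess();
    }

    /**
     * @param context application context, needed by the pre-M KeyPairGeneratorSpec builder
     * @param cVar lazily resolved CertificateManager that performs the exchange
     * @param correlationIdGenerator source of per-exchange correlation ids
     * @param frankPairingManager supplies the currently selected device (its serial keys the
     *        server-certificate alias)
     * @param executor runs the exchange off the caller's thread
     * @param handler thread on which callbacks are delivered
     */
    public SslCertificateManager(Context context, c<CertificateManager> cVar, CorrelationIdGenerator correlationIdGenerator, FrankPairingManager frankPairingManager, Executor executor, Handler handler) {
        mApplicationContext = context;
        mLazyCertificateManager = cVar;
        mCorrelationIdGenerator = correlationIdGenerator;
        mPairingManager = frankPairingManager;
        mExecutor = executor;
        mHandler = handler;
        try {
            mAndroidKeystore = KeyStore.getInstance(KEYSTORE_TYPE);
        } catch (KeyStoreException e) {
            // Every public method tolerates a null keystore via loadKeystore().
            ALog.e(TAG, "No KeyStore provider exists for type AndroidKeyStore", e);
        }
    }

    /**
     * Initializes the keystore so entries can be read or written.
     *
     * @return {@code true} if the keystore is usable; {@code false} if no provider was found
     *         in the constructor or loading failed (both already logged)
     */
    private boolean loadKeystore() {
        if (mAndroidKeystore == null) {
            ALog.e(TAG, "KeyStore unavailable, cannot access " + KEYSTORE_TYPE);
            return false;
        }
        try {
            // AndroidKeyStore has no backing stream; null is how it is initialized.
            mAndroidKeystore.load(null);
            return true;
        } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
            ALog.e(TAG, "Failed to load certificates to the keystore", e);
            return false;
        }
    }

    /**
     * Reads the certificate stored under {@code alias}.
     *
     * @return the certificate, or {@code null} if the alias is absent or the entry is not X.509
     * @throws KeyStoreException if the keystore has not been loaded
     */
    private X509Certificate loadCertificate(String alias) throws KeyStoreException {
        Certificate certificate = mAndroidKeystore.getCertificate(alias);
        return certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
    }

    /**
     * Reports whether {@code certificate} is outside its validity window right now.
     *
     * @return {@code true} if the certificate is expired or not yet valid (reason logged);
     *         {@code false} if it is currently within its validity dates
     */
    private static boolean checkCertificateExpiry(X509Certificate certificate) {
        Date now = new Date();
        if (now.after(certificate.getNotAfter())) {
            ALog.i(TAG, "certificate expired on " + certificate.getNotAfter());
            return true;
        }
        if (now.before(certificate.getNotBefore())) {
            ALog.i(TAG, "certificate not valid till " + certificate.getNotBefore());
            return true;
        }
        return false;
    }

    /**
     * Parses a PEM-encoded certificate as produced by {@link #convertX509ToPem}.
     *
     * @param pem PEM text; the BEGIN/END markers are optional
     * @return the parsed certificate, or {@code null} if the input is blank, not valid base64,
     *         or not a parseable X.509 certificate (failures are logged)
     */
    private static X509Certificate convertPemToX509(String pem) {
        if (pem == null || pem.trim().isEmpty()) {
            return null;
        }
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X509");
        } catch (CertificateException e) {
            ALog.e(TAG, "Failed to get an X509 instance", e);
            return null;
        }
        String body = pem.replace(BEGIN_CERTIFICATE, "").replace(END_CERTIFICATE, "");
        try {
            // Base64.decode throws IllegalArgumentException on malformed input, which used to
            // escape this method for peer-supplied data.
            byte[] der = Base64.decode(body, Base64.DEFAULT);
            Certificate certificate = factory.generateCertificate(new ByteArrayInputStream(der));
            return certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
        } catch (IllegalArgumentException | CertificateException e) {
            ALog.e(TAG, "Failed to generate an X509 certificate", e);
            return null;
        }
    }

    /**
     * Encodes {@code certificate} as PEM (DER, base64 with line breaks, BEGIN/END markers).
     *
     * @return the PEM text, or {@code null} if the certificate cannot be encoded (logged)
     */
    private static String convertX509ToPem(X509Certificate certificate) {
        try {
            return BEGIN_CERTIFICATE + Base64.encodeToString(certificate.getEncoded(), Base64.DEFAULT) + END_CERTIFICATE;
        } catch (CertificateEncodingException e) {
            ALog.e(TAG, "Error in certificate encoding", e);
            return null;
        }
    }

    /**
     * Generates a fresh RSA key pair plus self-signed certificate under {@link #CLIENT_ALIAS}.
     *
     * <p>Validity runs from one hour ago to {@link #DAYS_VALID} days from now. On API 23+ the
     * key is created with digest NONE, no encryption padding, PKCS#1 signature padding and no
     * user authentication — a permissive profile that leaves padding/digest choice to the TLS
     * stack; presumably required by the handshake code, TODO confirm that nothing narrower
     * suffices. Failures are logged and leave no client certificate in the keystore.
     */
    private void generateSelfSignedCertificate() {
        GregorianCalendar notBeforeCal = new GregorianCalendar();
        GregorianCalendar notAfterCal = new GregorianCalendar();
        notBeforeCal.add(Calendar.HOUR_OF_DAY, -NOT_BEFORE_SKEW_HOURS);
        notAfterCal.add(Calendar.DAY_OF_YEAR, DAYS_VALID);
        Date notBefore = notBeforeCal.getTime();
        Date notAfter = notAfterCal.getTime();

        KeyPairGenerator generator;
        try {
            generator = KeyPairGenerator.getInstance(KeyUtils.ALGORITHM_RSA, mAndroidKeystore.getProvider());
        } catch (NoSuchAlgorithmException e) {
            ALog.e(TAG, "Failed to get the KeyPairGenerator instance", e);
            return;
        }

        // 64-bit random serial so renewed certificates never share a serial.
        BigInteger serial = new BigInteger(64, new SecureRandom());
        X500Principal subject = new X500Principal("CN=" + SUBJECT_NAME_PREFIX + mClientDsn);
        int sdk = Build.VERSION.SDK_INT;
        try {
            if (sdk >= 23) {
                generator.initialize(new KeyGenParameterSpec.Builder(CLIENT_ALIAS, CLIENT_KEY_PURPOSES)
                        .setDigests("NONE")
                        .setEncryptionPaddings("NoPadding")
                        .setRandomizedEncryptionRequired(false)
                        .setUserAuthenticationRequired(false)
                        .setSignaturePaddings("PKCS1")
                        .setCertificateSubject(subject)
                        .setCertificateSerialNumber(serial)
                        .setCertificateNotBefore(notBefore)
                        .setCertificateNotAfter(notAfter)
                        .setKeySize(RSA_KEY_SIZE)
                        .build());
            } else {
                generator.initialize(new KeyPairGeneratorSpec.Builder(mApplicationContext)
                        .setAlias(CLIENT_ALIAS)
                        .setSubject(subject)
                        .setSerialNumber(serial)
                        .setStartDate(notBefore)
                        .setEndDate(notAfter)
                        .setKeySize(RSA_KEY_SIZE)
                        .build());
            }
            generator.generateKeyPair();
            ALog.i(TAG, "Successfully generated one self-signed certificate for client. Android OS version is " + sdk);
        } catch (InvalidAlgorithmParameterException e) {
            ALog.e(TAG, "Failed to initialize the KeyPairGenerator", e);
        }
    }

    /**
     * Returns the PEM form of the certificate stored under {@code alias}, if it exists and is
     * currently valid.
     *
     * @return PEM text, or {@code null} if the alias is empty, the keystore is unusable, no
     *         certificate is stored, or it is outside its validity window (each case logged)
     */
    private String getCertificate(String alias) {
        if (alias.isEmpty()) {
            ALog.e(TAG, "Error with empty alias string ");
            return null;
        }
        if (!loadKeystore()) {
            return null;
        }
        try {
            X509Certificate certificate = loadCertificate(alias);
            if (certificate == null) {
                // Note: the server alias embeds the device serial, so this line logs it.
                ALog.i(TAG, "Certificate not found in key store for " + alias);
                return null;
            }
            if (checkCertificateExpiry(certificate)) {
                ALog.i(TAG, "Certificate expired, need a new one for " + alias);
                return null;
            }
            return convertX509ToPem(certificate);
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to get a certificate from the keystore", e);
            return null;
        }
    }

    /** @return the tcomm serial of the selected device, or {@code null} if none is selected */
    private String getCurrentFrankDsn() {
        if (mPairingManager.getSelectedDevice() == null) {
            return null;
        }
        return mPairingManager.getSelectedDevice().getTcommDeviceSerial();
    }

    /** Keystore alias for the selected device's certificate (prefix + serial, or "null"). */
    private String getServerAlias() {
        return SERVER_ALIAS + getCurrentFrankDsn();
    }

    /**
     * Deletes any existing client certificate and generates a new one.
     *
     * @return PEM of the new client certificate, or {@code null} if generation failed
     *         (logged); callers must not treat {@code null} as a certificate
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String renewClientCertificate() {
        if (!loadKeystore()) {
            return null;
        }
        try {
            mAndroidKeystore.deleteEntry(CLIENT_ALIAS);
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to delete the old client certificate", e);
        }
        generateSelfSignedCertificate();
        String pem = getCertificate(CLIENT_ALIAS);
        if (pem == null) {
            ALog.e(TAG, "Client certificate renewal did not produce a certificate");
        } else {
            ALog.i(TAG, "Successfully renewed the client certificate");
        }
        return pem;
    }

    /**
     * Stores {@code pem} as the trusted certificate for the currently selected device.
     * Outcome is only logged; see {@link #storeServerCertificate} for the boolean form.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void setServerCertificate(String pem) {
        storeServerCertificate(pem);
    }

    /**
     * Parses {@code pem} and replaces the trusted entry under the current server alias.
     *
     * <p>The certificate is parsed <em>before</em> the old entry is deleted, so a malformed
     * payload from the peer cannot remove a previously stored, working certificate.
     *
     * @return {@code true} if the certificate was stored; {@code false} if the input is
     *         empty/unparseable, no device is selected, or the keystore rejected it (logged)
     */
    private boolean storeServerCertificate(String pem) {
        if (pem == null || pem.isEmpty()) {
            ALog.e(TAG, "Invalid server certificate string");
            return false;
        }
        if (getCurrentFrankDsn() == null) {
            ALog.e(TAG, "No device selected, unable to set server cert.");
            return false;
        }
        X509Certificate certificate = convertPemToX509(pem);
        if (certificate == null) {
            // Previously a null certificate reached setCertificateEntry and blew up there.
            ALog.e(TAG, "Server certificate could not be parsed, keystore left unchanged");
            return false;
        }
        String serverAlias = getServerAlias();
        ALog.PII.i(TAG, "Server cert alias:", serverAlias);
        if (!loadKeystore()) {
            return false;
        }
        try {
            mAndroidKeystore.deleteEntry(serverAlias);
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to delete the old server certificate ", e);
        }
        try {
            mAndroidKeystore.setCertificateEntry(serverAlias, certificate);
            ALog.i(TAG, "Successfully saved the server certificate into the keystore");
            return true;
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to add the server certificate to the keystore", e);
            return false;
        }
    }

    /**
     * Removes both the client certificate and the selected device's server certificate.
     * Each deletion is attempted independently; failures are logged, not thrown.
     */
    public void deleteCurrentDeviceCertificates() {
        if (!loadKeystore()) {
            return;
        }
        try {
            mAndroidKeystore.deleteEntry(CLIENT_ALIAS);
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to delete client certificate", e);
        }
        try {
            mAndroidKeystore.deleteEntry(getServerAlias());
            ALog.i(TAG, "Finished deleting all certificates");
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to delete server certificate", e);
        }
    }

    /**
     * Renews the client certificate and exchanges it with the selected device on
     * {@code mExecutor}; the result arrives via {@code callback} on {@code mHandler}.
     *
     * @param iSslExchangeCallback receives exactly one of onSuccess/onError; may be null
     */
    public void doCertificateExchange(final ISslExchangeCallback iSslExchangeCallback) {
        mExecutor.execute(new Runnable() {
            @Override
            public void run() {
                String clientPem = renewClientCertificate();
                if (clientPem == null) {
                    // Previously a null PEM was sent to the peer as the client certificate.
                    ALog.e(TAG, "No client certificate available, skipping exchange");
                    if (iSslExchangeCallback != null) {
                        mHandler.post(new Runnable() {
                            @Override
                            public void run() {
                                iSslExchangeCallback.onError(LOCAL_EXCHANGE_ERROR);
                            }
                        });
                    }
                    return;
                }
                CertificateManager certificateManager = (CertificateManager) mLazyCertificateManager.get();
                // The observer removes itself once the exchange completes either way.
                certificateManager.addObserver(new ExchangeObserver(certificateManager, iSslExchangeCallback));
                certificateManager.exchangeCertificates(
                        mCorrelationIdGenerator.newCorrelationId(TAG),
                        Collections.singletonList(clientPem));
            }
        });
    }

    /**
     * Checks that both the client certificate and the selected device's server certificate
     * are present in the keystore and within their validity dates.
     *
     * @return {@code true} only if both certificates exist and are currently valid; every
     *         other case (missing, expired, not yet valid, keystore error) logs and returns
     *         {@code false}
     */
    public boolean validateServerAndClientCertificates() {
        if (!loadKeystore()) {
            return false;
        }
        X509Certificate clientCertificate;
        try {
            clientCertificate = loadCertificate(CLIENT_ALIAS);
        } catch (KeyStoreException e) {
            // Decompiled original fell off the end of the method here (no return).
            ALog.e(TAG, "Failed to get the client certificate from android keystore ", e);
            return false;
        }
        if (clientCertificate == null) {
            ALog.i(TAG, "Client certificate is not found in the keystore");
            return false;
        }
        if (checkCertificateExpiry(clientCertificate)) {
            ALog.i(TAG, "Client certificate is expired");
            return false;
        }

        X509Certificate serverCertificate;
        try {
            serverCertificate = loadCertificate(getServerAlias());
        } catch (KeyStoreException e) {
            ALog.e(TAG, "Failed to get the server certificate from android keystore: ", e);
            return false;
        }
        if (serverCertificate == null) {
            ALog.i(TAG, "Server certificate is not found in the keystore");
            return false;
        }
        if (checkCertificateExpiry(serverCertificate)) {
            ALog.i(TAG, "Server certificate is expired");
            return false;
        }
        return true;
    }
}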
