package com.allawn.cryptography.keymanager;

import com.allawn.cryptography.EncryptException;
import com.allawn.cryptography.algorithm.EccUtil;
import com.allawn.cryptography.algorithm.HashUtil;
import com.allawn.cryptography.authentication.AuthenticationSignatureMethod;
import com.allawn.cryptography.authentication.ChallengeClient;
import com.allawn.cryptography.digitalenvelope.EciesDigitalEnvelope;
import com.allawn.cryptography.digitalenvelope.RsaDigitalEnvelope;
import com.allawn.cryptography.digitalenvelope.entity.DigitalEnvelopeCipherEnum;
import com.allawn.cryptography.digitalenvelope.entity.EciesNegotiationParam;
import com.allawn.cryptography.exception.InvalidAccountException;
import com.allawn.cryptography.exception.InvalidArgumentException;
import com.allawn.cryptography.exception.InvalidChallengeException;
import com.allawn.cryptography.exception.InvalidTimestampException;
import com.allawn.cryptography.groupkey.entity.GukConfig;
import com.allawn.cryptography.keymanager.entity.KeyRegisterParameters;
import com.allawn.cryptography.keymanager.entity.KeyRegisterResponse;
import com.allawn.cryptography.security.attestation.AttestationManager;
import com.allawn.cryptography.security.attestation.AttestationParameters;
import com.allawn.cryptography.security.attestation.AttestationProperties$ApplicationKeyAlgorithmEnum;
import com.allawn.cryptography.util.Base64Utils;
import com.allawn.cryptography.util.DateUtil;
import com.allawn.cryptography.util.HttpUtil;
import com.allawn.cryptography.util.LogUtil;
import com.allawn.cryptography.util.PackUtil;
import com.allawn.cryptography.util.ThreadUtil;
import com.heytap.baselib.utils.SecurityUtils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes.dex */
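/**
 * Client side of a two-step application-key registration.
 *
 * <p>{@link #register(boolean)} posts the application public keys plus a proof of origin to
 * {@code /crypto/cert/register/prepare}; {@link #commit(String, PrivateKey)} then posts an
 * ECDSA-signed confirmation to {@code /crypto/cert/register/commit}.
 *
 * <p>The listing looks like decompiler output (generated names such as {@code str}, {@code j},
 * no {@code throws} clauses, widened visibility). Signatures and member visibility are kept
 * exactly as listed so existing callers are unaffected.
 *
 * <p>Not thread-safe: {@link #isSignWithTrustRoot} and {@link #mExpireDays} are mutated by
 * {@link #register(boolean)} without synchronization.
 */
public class KeyRegisterManager {
    private static final String TAG = "KeyRegisterManager";

    private static final String PATH_REGISTER_PREPARE = "/crypto/cert/register/prepare";
    private static final String PATH_REGISTER_COMMIT = "/crypto/cert/register/commit";

    // Server result codes, named after the exception each one is mapped to below.
    private static final int CODE_INVALID_TIMESTAMP = 3001508;
    private static final int CODE_INVALID_CHALLENGE = 3001509;
    // Treated as success by register(): the response is flagged "no need reset".
    private static final int CODE_NO_NEED_RESET = 3001511;

    // Values written to the request's "authType" field, one per proof path.
    private static final int AUTH_TYPE_NONE = -1;
    private static final int AUTH_TYPE_PSK = 2;
    private static final int AUTH_TYPE_SIMPLE = 3;
    private static final int AUTH_TYPE_UNI_PROOF = 5;

    // Upper bound applied to the validity period whenever the attestation path is used.
    private static final int MAX_ATTESTED_EXPIRE_DAYS = 90;

    // Sentinel used throughout this class for "no timestamp supplied".
    private static final long NO_TIMESTAMP = -1L;

    // True once the current registration carries account auth info, an attestation or a PSK
    // signature; stays false when only the "simple" proof could be produced.
    public boolean isSignWithTrustRoot = false;
    public int mExpireDays;
    public final String mHostname;
    public final KeyRegisterParameters mParameters;

    /**
     * Captures the registration parameters together with the hostname and validity period
     * read from them.
     *
     * @param keyRegisterParameters registration settings; dereferenced immediately, so a
     *     {@code null} argument fails here with a {@link NullPointerException} and the
     *     null check in {@link #checkParameter()} can never fire for this field
     */
    public KeyRegisterManager(KeyRegisterParameters keyRegisterParameters) {
        this.mParameters = keyRegisterParameters;
        this.mHostname = keyRegisterParameters.getHostname();
        this.mExpireDays = keyRegisterParameters.getExpireDays();
    }

    /**
     * Rejects a configuration that lacks a hostname, device id or biz name.
     *
     * @throws InvalidArgumentException if any of those values is {@code null} or empty
     */
    public final void checkParameter() {
        if (this.mParameters == null) {
            throw new InvalidArgumentException("Parameter cannot be empty");
        }
        if (isNullOrEmpty(this.mHostname)) {
            throw new InvalidArgumentException("Hostname cannot be empty");
        }
        if (isNullOrEmpty(this.mParameters.getDevice())) {
            throw new InvalidArgumentException("Device id cannot be empty");
        }
        if (isNullOrEmpty(this.mParameters.getBiz())) {
            throw new InvalidArgumentException("Biz name cannot be empty");
        }
    }

    /** Returns whether {@code value} is {@code null} or has zero length. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }

    /** Returns whether {@code code} is one of the three codes mapped to InvalidAccountException. */
    private static boolean isAccountErrorCode(int code) {
        return code == 3001601 || code == 3001602 || code == 3001603;
    }

    /**
     * Sends the signed commit request that completes a registration.
     *
     * <p>As listed, the try block covered only {@link #checkParameter()}: a failed validation
     * was logged and then execution carried on with the unvalidated values, while the handler
     * named exceptions that are only thrown further down. The handler now covers the whole
     * body, so every failure is recorded on the returned response and nothing is sent after a
     * failed check.
     *
     * @param str the access id returned by {@link #register(boolean)}
     * @param privateKey key used for the ECDSA/SHA-256 signature over the request fields
     * @return a response with {@code success} set, or with the exception (and, for server
     *     errors, the result code) that stopped the commit
     */
    public KeyRegisterResponse commit(String str, PrivateKey privateKey) {
        KeyRegisterResponse keyRegisterResponse = new KeyRegisterResponse();
        try {
            checkParameter();
            if (str == null) {
                throw new InvalidArgumentException("AccessId cannot be empty");
            }
            if (privateKey == null) {
                throw new InvalidArgumentException("Key for sign cannot be empty");
            }
            JSONObject request = new JSONObject();
            request.put("accessId", str);
            request.put("bizId", this.mParameters.getBiz());
            request.put("deviceId", this.mParameters.getDevice());
            // getAntiReplayParamInCommit also adds "nonce"/"timeStamp" to the request, so it
            // has to run before the signature is computed and attached.
            // NOTE(review): the signed text is a plain concatenation with no separators or
            // length prefixes, so the signature does not pin field boundaries. The format is
            // presumably fixed by the server, hence unchanged here; confirm the server parses
            // each field from the JSON and rebuilds the string itself.
            String signedText = str + this.mParameters.getBiz() + this.mParameters.getDevice()
                    + getAntiReplayParamInCommit(request);
            byte[] signature = EccUtil.ecdsaSignWithSha256(
                    signedText.getBytes(StandardCharsets.UTF_8), privateKey);
            request.put("sign", Base64Utils.encodeToString(signature));

            String url = HttpUtil.organizeURL(this.mParameters.getHostname(), PATH_REGISTER_COMMIT);
            LogUtil.d(TAG, "commit start to send " + this.mParameters.getBiz() + " register commit");
            HttpUtil.HttpResponse reply = HttpUtil.postAndGetBody(request.toString(), url);
            if (reply.isSuccess()) {
                keyRegisterResponse.setSuccess(true);
                LogUtil.d(TAG, "commit " + this.mParameters.getBiz() + " application public key success");
                return keyRegisterResponse;
            }
            int code = reply.getCode();
            keyRegisterResponse.setExceptionCode(code);
            if (code == CODE_INVALID_TIMESTAMP) {
                throw new InvalidTimestampException("Key commit error: " + reply.getBody());
            }
            if (code == CODE_INVALID_CHALLENGE) {
                throw new InvalidChallengeException("Key commit error: " + reply.getBody());
            }
            throw new IOException("Key register commit error: " + reply.getBody());
        } catch (EncryptException | InvalidArgumentException | InvalidChallengeException | InvalidTimestampException | IOException | JSONException e) {
            // NOTE(review): e can embed the raw server response body; confirm LogUtil is
            // redacted or disabled in release builds.
            LogUtil.e(TAG, "commit error. " + e);
            keyRegisterResponse.setException(e);
        }
        return keyRegisterResponse;
    }

    /**
     * Builds the SIGN and ENCRYPT attestation entries on a background thread, waiting at most
     * one second for them.
     *
     * <p>The task is not cancelled when the wait times out, so it may still be running after
     * this method has returned {@code -1} and the caller has moved on to a fallback proof.
     * The task therefore fills private arrays, and the caller's arrays are only touched once
     * the task has completed; a late-finishing task can no longer append attestation entries
     * to a request that is being built or serialized for another proof type.
     *
     * @param jSONArray receives the two key-info objects (SIGN first, then ENCRYPT) on success
     * @param str nonce to embed in the attestation, may be {@code null}
     * @param j attestation timestamp, or {@code -1} to use {@code DateUtil.now()}
     * @param jSONArray2 receives the Base64 signing certificate on success; may be {@code null}
     * @return {@code 5} on success; {@code -1} if no peer encryption key/version is configured
     *     or the task failed, was interrupted or timed out
     */
    public final int createUniProofApplicationKeyInfo(final JSONArray jSONArray, final String str, long j, final JSONArray jSONArray2) {
        if (this.mParameters.getPeerPublicKey4Encrypt() == null || this.mParameters.getPeerPublicKeyVersion() == 0) {
            return AUTH_TYPE_NONE;
        }
        final long timestamp = j == NO_TIMESTAMP ? DateUtil.now() : j;
        final JSONArray keyInfos = new JSONArray();
        final JSONArray signingCerts = jSONArray2 == null ? null : new JSONArray();
        try {
            // Raw Callable and the cast are kept because ThreadUtil's signature is not visible here.
            int authType = ((Integer) ThreadUtil.postOnBackgroundThread(new Callable() { // from class: com.allawn.cryptography.keymanager.KeyRegisterManager.1
                @Override // java.util.concurrent.Callable
                public Integer call() {
                    JSONObject signInfo = new JSONObject();
                    JSONObject encryptInfo = new JSONObject();
                    KeyRegisterManager.this.createUniProofApplicationKeyInfo("SIGN", str, timestamp, signInfo, signingCerts);
                    KeyRegisterManager.this.createUniProofApplicationKeyInfo("ENCRYPT", str, timestamp, encryptInfo, null);
                    keyInfos.put(signInfo);
                    keyInfos.put(encryptInfo);
                    return AUTH_TYPE_UNI_PROOF;
                }
            }).get(1L, TimeUnit.SECONDS)).intValue();
            // The task has finished; publish its results to the caller's arrays.
            for (int i = 0; i < keyInfos.length(); i++) {
                jSONArray.put(keyInfos.opt(i));
            }
            if (signingCerts != null) {
                for (int i = 0; i < signingCerts.length(); i++) {
                    jSONArray2.put(signingCerts.opt(i));
                }
            }
            return authType;
        } catch (InterruptedException | ExecutionException | TimeoutException e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to whoever owns this thread.
                Thread.currentThread().interrupt();
            }
            LogUtil.d(TAG, "createUniProofApplicationKeyInfo fail. " + e);
        }
        return AUTH_TYPE_NONE;
    }

    /**
     * Generates one attestation for the SIGN or ENCRYPT application key and writes it,
     * encrypted for the peer, into {@code jSONObject}.
     *
     * @param str key alias; {@code "SIGN"} selects the signing public key, anything else the
     *     encryption public key
     * @param str2 nonce placed in the attestation parameters, may be {@code null}
     * @param j timestamp placed in the attestation parameters
     * @param jSONObject receives {@code attestationData}, {@code format} and, for the raw
     *     format, {@code authMsg}
     * @param jSONArray if non-null, receives the Base64 signing certificate when one exists
     */
    public final void createUniProofApplicationKeyInfo(String str, String str2, long j, JSONObject jSONObject, JSONArray jSONArray) {
        String applicationPublicKey = "SIGN".equals(str)
                ? this.mParameters.getPublicKey4Sign()
                : this.mParameters.getPublicKey4Encrypt();
        // P-256 unless the parameters name another algorithm.
        AttestationProperties$ApplicationKeyAlgorithmEnum keyAlgorithm = AttestationProperties$ApplicationKeyAlgorithmEnum.P_256;
        if (this.mParameters.getPublicKeyAlgorithm() != null) {
            keyAlgorithm = AttestationProperties$ApplicationKeyAlgorithmEnum.fromName(this.mParameters.getPublicKeyAlgorithm());
        }
        AttestationParameters attestationParameters = new AttestationParameters.Builder()
                .setApplicationCustomizeData(this.mParameters.getApplicationCustomizeData())
                .setApplicationPublicKey(applicationPublicKey)
                .setNonce(str2)
                .setDeviceId(this.mParameters.getDevice())
                .setExpireDays(Math.min(this.mExpireDays, MAX_ATTESTED_EXPIRE_DAYS))
                .setApplicationKeyAlias(str)
                .setApplicationKeyAlgorithm(keyAlgorithm)
                .setTimestamp(j)
                .setSigningKeyAlias(2) // NOTE(review): meaning of alias 2 is not visible here
                .build();
        AttestationManager attestationManager = new AttestationManager();
        if (this.mParameters.getUniProofTargetFormat() == 2) {
            // Target format 2: the attestation is an X.509 certificate, sent Base64-encoded.
            attestationManager.generateX509(attestationParameters);
            String encodedCert = Base64Utils.encodeToString(attestationManager.getAttestCertificate().getEncoded());
            jSONObject.put("attestationData", encryptAttestationData(encodedCert));
            jSONObject.put("format", "x.509v3");
        } else {
            // Any other format: raw attestation data plus a detached signature, if present.
            attestationManager.generateRaw(attestationParameters);
            byte[] rawSignature = attestationManager.getAttestationDataSignature();
            String authMsg = rawSignature != null ? Base64Utils.encodeToString(rawSignature) : null;
            jSONObject.put("attestationData", encryptAttestationData(attestationManager.getAttestationData()));
            jSONObject.put("authMsg", authMsg);
            jSONObject.put("format", "raw");
        }
        if (jSONArray == null) {
            return;
        }
        X509Certificate signingCertEntity = attestationManager.getSigningCertEntity();
        if (signingCertEntity != null) {
            jSONArray.put(Base64Utils.encodeToString(signingCertEntity.getEncoded()));
        }
    }

    /**
     * Wraps attestation data in a digital envelope (AES-256-GCM payload cipher) addressed to
     * the peer's public key and returns it as a JSON string with two members:
     * {@code attestationCipher} (the envelope's {@code cipherInfo}) and {@code pack} (the rest
     * of the envelope plus {@code certVersion}).
     *
     * @param str the attestation data to protect
     * @return the JSON text described above
     * @throws IllegalArgumentException if the peer key is neither of the EC algorithm named by
     *     {@code SecurityUtils.ECDSA.KEY_ALGORITHM} nor RSA
     */
    public final String encryptAttestationData(String str) {
        PublicKey peerPublicKey4Encrypt = this.mParameters.getPeerPublicKey4Encrypt();
        long peerPublicKeyVersion = this.mParameters.getPeerPublicKeyVersion();
        String algorithm = peerPublicKey4Encrypt.getAlgorithm();
        byte[] plaintext = str.getBytes(StandardCharsets.UTF_8);
        String envelopeJson;
        // NOTE(review): the constant reference was picked by the decompiler; presumably "EC".
        if (algorithm.equals(SecurityUtils.ECDSA.KEY_ALGORITHM)) {
            EciesDigitalEnvelope eciesDigitalEnvelope = new EciesDigitalEnvelope(DigitalEnvelopeCipherEnum.AES256GCM);
            eciesDigitalEnvelope.setEncryptPublicKey(peerPublicKey4Encrypt);
            EciesNegotiationParam eciesNegotiationParam = new EciesNegotiationParam();
            eciesNegotiationParam.setUseSalt(true);
            eciesDigitalEnvelope.setNegotiationParam(eciesNegotiationParam);
            envelopeJson = eciesDigitalEnvelope.encrypt(plaintext);
        } else if (algorithm.equals("RSA")) {
            RsaDigitalEnvelope rsaDigitalEnvelope = new RsaDigitalEnvelope(DigitalEnvelopeCipherEnum.AES256GCM);
            rsaDigitalEnvelope.setEncryptPublicKey(peerPublicKey4Encrypt);
            envelopeJson = rsaDigitalEnvelope.encrypt(plaintext);
        } else {
            throw new IllegalArgumentException("Unsupported " + peerPublicKey4Encrypt.getAlgorithm() + " key type");
        }
        JSONObject pack = new JSONObject(envelopeJson);
        JSONObject result = new JSONObject();
        // cipherInfo moves out of the envelope into its own member; the key version tells the
        // server which of its key pairs the envelope was addressed to.
        result.put("attestationCipher", pack.getJSONObject("cipherInfo"));
        pack.remove("cipherInfo");
        pack.put("certVersion", peerPublicKeyVersion);
        result.put("pack", pack);
        return result.toString();
    }

    /**
     * Adds the anti-replay fields to a commit request and returns the text that must be
     * appended to the signed string.
     *
     * @param jSONObject request under construction; receives {@code nonce} and
     *     {@code timeStamp} when anti-replay is enabled
     * @return timestamp followed by the challenge, or {@code ""} when anti-replay is disabled
     */
    public final String getAntiReplayParamInCommit(JSONObject jSONObject) {
        if (!this.mParameters.isNeedAntiReplay()) {
            return "";
        }
        String challenge = getChallenge(PATH_REGISTER_COMMIT);
        jSONObject.put("nonce", challenge);
        long timestamp = getTimestamp();
        String signedSuffix = PackUtil.concatWithoutSeparator(String.valueOf(timestamp), challenge);
        jSONObject.put("timeStamp", timestamp);
        return signedSuffix;
    }

    /**
     * Requests a challenge for the given endpoint path through a new {@link ChallengeClient}
     * bound to this biz, device and hostname.
     *
     * @param str endpoint path the challenge is requested for
     * @return the challenge returned by the client
     */
    public final String getChallenge(String str) {
        ChallengeClient client = new ChallengeClient(this.mParameters.getBiz(), this.mParameters.getDevice(), this.mHostname);
        return client.getChallenge(str);
    }

    /**
     * Builds the JSON text that the PSK and simple proofs sign.
     *
     * @param str nonce, omitted from the JSON when {@code null}
     * @param j timestamp; {@code -1} omits {@code timeStamp} and bases the expiry on
     *     {@code DateUtil.now()} instead
     * @return JSON with the SHA-256 of the application id, the device id, both public keys and
     *     {@code expireTime} (base time plus {@link #mExpireDays} days, in milliseconds)
     */
    public final String getCommonAttestationData(String str, long j) {
        JSONObject data = new JSONObject();
        if (str != null) {
            data.put("nonce", str);
        }
        long baseTime;
        if (j != NO_TIMESTAMP) {
            data.put("timeStamp", j);
            baseTime = j;
        } else {
            baseTime = DateUtil.now();
        }
        data.put("applicationId", HashUtil.sha256(this.mParameters.getApplicationId()));
        data.put("deviceId", this.mParameters.getDevice());
        data.put("publicKey4Encrypt", this.mParameters.getPublicKey4Encrypt());
        data.put("publicKey4Sign", this.mParameters.getPublicKey4Sign());
        data.put("expireTime", baseTime + TimeUnit.DAYS.toMillis(this.mExpireDays));
        return data.toString();
    }

    /** Returns the validity period in days; capped at 90 once an attested registration ran. */
    public int getExpireDays() {
        return this.mExpireDays;
    }

    /** Returns the parameters object this manager was constructed with. */
    public KeyRegisterParameters getParameters() {
        return this.mParameters;
    }

    /**
     * Builds the key-info entry for the PSK proof: the attestation data plus a PSK signature
     * derived with the biz name as info and a fresh 32-byte random salt.
     *
     * @param str the common attestation data to sign
     * @return the entry, or {@code null} if signing failed, timed out or was interrupted
     */
    public final JSONObject getPskApplicationKeyInfo(String str) {
        try {
            JSONObject keyInfo = new JSONObject();
            keyInfo.put("attestationData", str);
            byte[] salt = new byte[32];
            new SecureRandom().nextBytes(salt);
            GukConfig gukConfig = new GukConfig();
            gukConfig.setInfo(this.mParameters.getBiz().getBytes(StandardCharsets.UTF_8));
            gukConfig.setSalt(salt);
            // NOTE(review): the salt is not added to the request here; presumably pskSign
            // carries it inside authMsg. Confirm the verifier can recover it.
            keyInfo.put("authMsg", AuthenticationSignatureMethod.pskSign(str, gukConfig));
            return keyInfo;
        } catch (InterruptedException | ExecutionException | TimeoutException e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to whoever owns this thread.
                Thread.currentThread().interrupt();
            }
            LogUtil.d(TAG, "getPskApplicationKeyInfo pskSign fail. " + e);
            return null;
        } catch (JSONException e2) {
            LogUtil.w(TAG, "getPskApplicationKeyInfo fail. " + e2);
            return null;
        }
    }

    /**
     * Builds the key-info entry for the "simple" proof, the last fallback.
     *
     * <p>NOTE(review): the only inputs to {@code simpleSign} visible here are the data and the
     * biz name, and {@link #register(boolean)} does not mark this path as signed with a trust
     * root. Whether the server accepts it should be a server-side policy decision per biz.
     *
     * @param str the common attestation data to sign
     * @return the entry holding {@code attestationData} and {@code authMsg}
     */
    public final JSONObject getSimpleApplicationKeyInfo(String str) {
        JSONObject keyInfo = new JSONObject();
        keyInfo.put("attestationData", str);
        // Result unused in the listing; the call is kept in case the getter has side effects.
        this.mParameters.getCustomSimpleAuthCallback();
        keyInfo.put("authMsg", AuthenticationSignatureMethod.simpleSign(str, this.mParameters.getBiz()));
        return keyInfo;
    }

    /** Returns the auth type reported for the simple proof, always {@code 3}. */
    public final int getSimpleAuthType() {
        // Result unused in the listing; the call is kept in case the getter has side effects.
        this.mParameters.getCustomSimpleAuthCallback();
        return AUTH_TYPE_SIMPLE;
    }

    /**
     * Returns the server time cached for this hostname, refreshing the cache once if it is
     * empty, and falls back to the local clock when no server time can be obtained.
     *
     * <p>NOTE(review): with the local-clock fallback a skewed device clock presumably surfaces
     * later as the server's invalid-timestamp code.
     */
    public final long getTimestamp() {
        long serviceTime = DateUtil.getServiceTime(this.mHostname);
        if (serviceTime == NO_TIMESTAMP && DateUtil.updateOpenServiceTime(this.mHostname)) {
            serviceTime = DateUtil.getServiceTime(this.mHostname);
        }
        if (serviceTime == NO_TIMESTAMP) {
            return DateUtil.now();
        }
        return serviceTime;
    }

    /**
     * Adds {@code applicationKeysInfo} and {@code authType} (plus {@code signingCert} on the
     * attestation path) to the prepare request, trying the proofs in this order:
     * attestation ({@code 5}), PSK signature ({@code 2}), simple signature ({@code 3}).
     *
     * <p>NOTE(review): each failure falls through silently to the next, weaker proof, and a
     * failed challenge fetch only drops the nonce instead of stopping. The client therefore
     * cannot be relied on to enforce a minimum proof strength or anti-replay; the server has
     * to reject auth types and missing nonces it does not accept for the biz.
     *
     * @param jSONObject the prepare request under construction
     * @return the auth type that was written to the request
     * @throws SignatureException if the simple proof fails with an EncryptException
     */
    public final int makeApplicationKeysInfo(JSONObject jSONObject) {
        String challenge = null;
        long timestamp = NO_TIMESTAMP;
        if (this.mParameters.isNeedAntiReplay()) {
            try {
                challenge = getChallenge(PATH_REGISTER_PREPARE);
            } catch (EncryptException e) {
                LogUtil.e(TAG, "makeApplicationKeysInfo getChallenge fail: " + e);
                challenge = null;
            }
            timestamp = getTimestamp();
        }
        JSONArray keyInfos = new JSONArray();
        JSONArray signingCerts = new JSONArray();
        String commonData = null;
        int authType = createUniProofApplicationKeyInfo(keyInfos, challenge, timestamp, signingCerts);
        if (authType != AUTH_TYPE_NONE) {
            jSONObject.put("signingCert", signingCerts);
            this.isSignWithTrustRoot = true;
            // Attested registrations are limited to the same cap used inside the attestation.
            this.mExpireDays = Math.min(this.mExpireDays, MAX_ATTESTED_EXPIRE_DAYS);
        } else {
            commonData = getCommonAttestationData(challenge, timestamp);
            JSONObject pskApplicationKeyInfo = getPskApplicationKeyInfo(commonData);
            if (pskApplicationKeyInfo != null) {
                keyInfos.put(pskApplicationKeyInfo);
                this.isSignWithTrustRoot = true;
                authType = AUTH_TYPE_PSK;
            }
        }
        if (authType == AUTH_TYPE_NONE) {
            try {
                keyInfos.put(getSimpleApplicationKeyInfo(commonData));
                authType = getSimpleAuthType();
            } catch (EncryptException e2) {
                // Same message as before; the cause is now attached for diagnosis.
                throw new SignatureException("Sign error: " + e2, e2);
            }
        }
        jSONObject.put("applicationKeysInfo", keyInfos);
        jSONObject.put("authType", authType);
        return authType;
    }

    /**
     * Sends the prepare request that registers the application public keys.
     *
     * <p>As listed, the try block covered only the reset of {@link #isSignWithTrustRoot} and
     * {@link #checkParameter()}: a failed validation was logged and then execution carried on,
     * while the handler named exceptions that are only thrown further down. The handler now
     * covers the whole body, so every failure is recorded on the returned response and nothing
     * is sent after a failed check.
     *
     * @param z whether to force registration; sent as {@code force} = 1 or 0
     * @return a response carrying the access id on success, the "no need reset" flag when the
     *     server answers {@code 3001511}, or the exception (and, for server errors, the result
     *     code) that stopped the registration
     */
    public KeyRegisterResponse register(boolean z) {
        KeyRegisterResponse keyRegisterResponse = new KeyRegisterResponse();
        try {
            this.isSignWithTrustRoot = false;
            checkParameter();
            if (this.mParameters.getPublicKey4Encrypt() == null || this.mParameters.getPublicKey4Sign() == null) {
                throw new InvalidArgumentException("Public key cannot be empty");
            }
            JSONObject request = new JSONObject();
            String accountAuthMsg = this.mParameters.getAccountAuthMsg();
            String accountSuffix = "";
            if (accountAuthMsg != null) {
                this.isSignWithTrustRoot = true;
                request.put("accountAuthMsg", accountAuthMsg);
                accountSuffix = " with account info";
            }
            request.put("bizId", this.mParameters.getBiz());
            request.put("force", z ? 1 : 0);
            int authType = makeApplicationKeysInfo(request);
            keyRegisterResponse.setSignWithTrustRoot(this.isSignWithTrustRoot);

            String url = HttpUtil.organizeURL(this.mParameters.getHostname(), PATH_REGISTER_PREPARE);
            LogUtil.d(TAG, "register start to register " + this.mParameters.getBiz() + " application public key online" + accountSuffix + ", auth type is " + authType);
            HttpUtil.HttpResponse reply = HttpUtil.post(request.toString(), url);
            if (reply.isSuccess()) {
                keyRegisterResponse.setSuccess(true);
                keyRegisterResponse.setAccessId(reply.getData());
                LogUtil.d(TAG, "register prepare " + this.mParameters.getBiz() + " application public key success");
                return keyRegisterResponse;
            }
            int code = reply.getCode();
            if (code == CODE_NO_NEED_RESET) {
                keyRegisterResponse.setSuccess(true);
                keyRegisterResponse.setNoNeedReset(true);
                LogUtil.d(TAG, "register prepare " + this.mParameters.getBiz() + " application public key no need reset");
                return keyRegisterResponse;
            }
            keyRegisterResponse.setExceptionCode(code);
            if (isAccountErrorCode(code)) {
                throw new InvalidAccountException("Key register error: " + reply.getBody());
            }
            if (code == CODE_INVALID_TIMESTAMP) {
                throw new InvalidTimestampException("Key register error: " + reply.getBody());
            }
            if (code == CODE_INVALID_CHALLENGE) {
                throw new InvalidChallengeException("Key register error: " + reply.getBody());
            }
            throw new IOException("Key register error: " + reply.getBody());
        } catch (EncryptException | InvalidAccountException | InvalidArgumentException | InvalidChallengeException | InvalidTimestampException | IOException | SignatureException | JSONException e) {
            // NOTE(review): e can embed the raw server response body; confirm LogUtil is
            // redacted or disabled in release builds.
            LogUtil.e(TAG, "register error. " + e);
            keyRegisterResponse.setException(e);
        }
        return keyRegisterResponse;
    }
}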
