package o;

import android.os.Build;
import com.huawei.hms.support.api.entity.tss.EnrollCertRequ;
import com.huawei.hms.support.api.entity.tss.EnrollCertResp;
import com.huawei.hms.support.api.entity.tss.base.BaseResp;
import com.huawei.hms.tss.TssCaLib;
import com.huawei.phoneservice.feedback.network.FeedbackWebConstants;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.cmp.PKIStatusInfo;
import org.bouncycastle.cert.cmp.CMPException;
import org.bouncycastle.cert.cmp.GeneralPKIMessage;
import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

/* loaded from: classes3.dex */
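/**
 * Enrolls a service certificate for an app by running a CMP (application/pkixcmp)
 * exchange against the CA URL carried in the {@link EnrollCertRequ}, then storing
 * the issued certificate and its issuing chain through {@code TssCaLib}.
 *
 * <p>Identifiers in this class are obfuscated; the names used in comments below
 * (for example {@code tssLibSaveServiceCert}) are taken from the log strings the
 * code itself emits.
 *
 * <p>Trust decisions made here, in order: the response body type must be the
 * expected reply, the reply's recipNonce must equal the nonce sent, the three
 * extra certificates must chain by signature, the last of them must be
 * byte-identical to the pinned root, and the message protection must verify
 * under the first extra certificate's public key.
 */
public final class axk implements axu {
    private static final String TAG = "InnerEnrollCertHandler";

    /** Upper-case hex alphabet used for the X-Request-ID header value. */
    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    /** Shared CSPRNG; SecureRandom is safe to reuse across calls and threads. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /** Number of certificates the response must carry in extraCerts: signer, CA, root. */
    private static final int EXPECTED_CHAIN_LENGTH = 3;

    private final EnrollCertRequ amM;

    public axk(EnrollCertRequ enrollCertRequ) {
        this.amM = enrollCertRequ;
    }

    /**
     * Validates a CMP response and returns the verified extra-certificate chain.
     *
     * @param pKIMessage parsed CMP response
     * @param bArr       the nonce that was sent; the response's recipNonce must equal it
     * @param str        pinned root certificate supplied with the request, or null/empty
     *                   to use the root obtained from {@code TssCaLib}
     * @return the three extra certificates, index 0 being the one that signed the message
     * @throws awt with code 201008 on any validation failure
     */
    private X509Certificate[] a(PKIMessage pKIMessage, byte[] bArr, String str) throws awt {
        int bodyType = pKIMessage.getBody().getType();
        // 23 is the CMP "error" body type: surface the server's status to the caller.
        if (bodyType == 23) {
            PKIStatusInfo statusInfo = ErrorMsgContent.getInstance(pKIMessage.getBody().getContent()).getPKIStatusInfo();
            // statusString is optional in PKIStatusInfo; a server that omits it must not
            // turn a reported error into a NullPointerException on the client.
            String detail = "";
            if (statusInfo.getStatusString() != null && statusInfo.getStatusString().size() > 0) {
                detail = String.valueOf(statusInfo.getStatusString().getStringAt(0));
            }
            throw new awt("201008", "Server returned error: errorCode:" + statusInfo.getStatus().intValue() + " errorDetail: " + detail);
        }
        // 1 is the CMP initialization-response body type; nothing else is accepted.
        if (bodyType != 1) {
            throw new awt("201008", "response body type error : " + bodyType);
        }
        // Replay/mix-up protection: the reply must echo the nonce generated for this request.
        // NOTE(review): no transactionID comparison is made anywhere in this class.
        if (pKIMessage.getHeader().getRecipNonce() == null
                || !Arrays.equals(bArr, pKIMessage.getHeader().getRecipNonce().getOctets())) {
            throw new awt("201008", "The receipt nonce should be the same as the sender nonce!");
        }
        X509Certificate[] chain = d(pKIMessage, str);
        // The message protection is checked only after the chain is anchored to the pinned root.
        c(pKIMessage, chain[0]);
        return chain;
    }

    /**
     * Posts the encoded CMP request to the CA URL and parses the reply.
     *
     * @param str  app id, sent as a request header
     * @param bArr DER-encoded CMP request
     * @return the parsed response message
     * @throws awt with code 201007 when the HTTP status is not 200
     */
    private PKIMessage c(String str, byte[] bArr) throws awt {
        aya request = new aya();
        // NOTE(review): the CA URL comes from the enroll request; scheme/host restrictions
        // and TLS validation, if any, live in axz/aya and are not visible here - confirm.
        request.setUrl(this.amM.getCaUrl());
        request.setMethod("POST");
        request.F(bArr);

        // Raw type kept: the parameter type of aya.setHeaders is not visible here.
        HashMap headers = new HashMap();
        headers.put(FeedbackWebConstants.CONTENT_TYPE, "application/pkixcmp");
        String accessToken = this.amM.getAccessToken();
        if (accessToken != null && accessToken.length() != 0) {
            headers.put(FeedbackWebConstants.AUTHORIZATION, "AccessToken " + accessToken);
        }
        headers.put("X-Request-ID", ea(24));
        headers.put(com.huawei.feedback.logic.v.l, str);
        headers.put("build-version", String.valueOf(Build.VERSION.SDK_INT));
        headers.put("tss-version-code", "100010100");
        request.setHeaders(headers);

        ayc response = axz.e(request);
        if (response.getStatusCode() != 200) {
            throw new awt("201007", "cmp req error, return " + response.getStatusCode());
        }
        return PKIMessage.getInstance(response.Dp());
    }

    /**
     * Verifies the CMP message protection with the given certificate's public key.
     *
     * @throws awt with code 201008 when the message is unprotected or verification fails
     */
    private void c(PKIMessage pKIMessage, X509Certificate x509Certificate) throws awt {
        try {
            GeneralPKIMessage general = new GeneralPKIMessage(pKIMessage);
            // An unprotected reply is rejected outright rather than treated as "nothing to verify".
            if (!general.hasProtection()) {
                throw new awt("201008", "The response PKIMessage was not protected!");
            }
            boolean verified = new ProtectedPKIMessage(general)
                    .verify(new JcaContentVerifierProviderBuilder().build(x509Certificate.getPublicKey()));
            if (!verified) {
                throw new awt("201008", "cmp response verify pki protection fail");
            }
        } catch (CMPException e) {
            throw new awt("201008", "verifyCmpRspSignature fail with CMPException, message : " + e.getMessage());
        } catch (OperatorCreationException e2) {
            throw new awt("201008", "verifyCmpRspSignature fail with OperatorCreationException, message : " + e2.getMessage());
        }
    }

    /**
     * Stores the issued certificate, the CA certificate and the root certificate, and
     * records the outcome on {@code enrollCertResp}.
     *
     * <p>Success (return code 0 plus the certificate chain) is reported only when all
     * three saves succeed. The first failing save stops the sequence, so a later
     * successful save can no longer overwrite an earlier failure with a success code.
     *
     * @param str                app id
     * @param enrollCertResp     response object to fill in
     * @param x509CertificateArr verified extra certificates: [0] signer, [1] CA, [2] root
     * @param x509Certificate    the newly issued certificate
     * @throws awt with code 201008 when a certificate cannot be encoded or the chain is short
     */
    private void d(String str, EnrollCertResp enrollCertResp, X509Certificate[] x509CertificateArr, X509Certificate x509Certificate) throws awt {
        if (x509CertificateArr == null || x509CertificateArr.length < EXPECTED_CHAIN_LENGTH) {
            throw new awt("201008", "cmp response extra certs missing or incomplete");
        }
        X509Certificate[] fullChain = {x509Certificate, x509CertificateArr[0], x509CertificateArr[1], x509CertificateArr[2]};
        try {
            // The service certificate is stored under the alias itself.
            if (!saveCert(str, this.amM.getAlias(), x509Certificate, "service cert", enrollCertResp)) {
                return;
            }
            if (!saveCert(str, "ca", x509CertificateArr[1], "ca cert", enrollCertResp)) {
                return;
            }
            if (!saveCert(str, "cbgRootCert", x509CertificateArr[2], "cbg root cert", enrollCertResp)) {
                return;
            }
            enrollCertResp.setRtnCode(0);
            enrollCertResp.setCertChain(fullChain);
        } catch (CertificateEncodingException e4) {
            throw new awt("201008", "convert cert fail with CertificateEncodingException, message : " + e4.getMessage());
        }
    }

    /**
     * Saves one certificate through {@code TssCaLib.e}; on failure logs the native result
     * and marks the response as failed (101002).
     *
     * @return true when the native call returned 0
     */
    private boolean saveCert(String appId, String entryName, X509Certificate cert, String label, EnrollCertResp resp) throws CertificateEncodingException {
        long rc = TssCaLib.e(appId, this.amM.getAlias(), entryName, cert.getEncoded());
        if (rc == 0) {
            return true;
        }
        axw.e(TAG, "TssCaLib.tssLibSaveServiceCert save " + label + " error , result : 0x" + Long.toHexString(rc));
        resp.setRtnCode(101002);
        resp.setErrorReason(Long.toHexString(rc));
        return false;
    }

    /**
     * Verifies the response's extra certificates as a three-element chain anchored at
     * the pinned root.
     *
     * <p>Checks performed: [0] is signed by [1], [1] is signed by [2], and the encoding
     * of [2] equals the pinned root byte for byte.
     *
     * <p>NOTE(review): only signatures and the root pin are checked. Validity periods,
     * basicConstraints/keyUsage and revocation are not evaluated here; confirm whether
     * that is intended or whether a full path validation should be applied.
     *
     * @param pKIMessage parsed CMP response
     * @param str        pinned root supplied with the request (decoded by {@code ayi.dH}),
     *                   or null/empty to fetch the root from {@code TssCaLib}
     * @return the three verified certificates
     * @throws awt with code 201008 on any failure
     */
    private X509Certificate[] d(PKIMessage pKIMessage, String str) throws awt {
        byte[] pinnedRoot;
        try {
            // extraCerts is optional in a CMP message and fully server-controlled: reject a
            // missing or short list explicitly instead of failing on an unchecked index.
            CMPCertificate[] extraCerts = pKIMessage.getExtraCerts();
            if (extraCerts == null || extraCerts.length < EXPECTED_CHAIN_LENGTH) {
                throw new awt("201008", "cmp response extra certs missing or incomplete");
            }
            X509Certificate[] chain = d(extraCerts);
            X509Certificate signer = chain[0];
            X509Certificate ca = chain[1];
            X509Certificate root = chain[2];
            signer.verify(ca.getPublicKey());
            ca.verify(root.getPublicKey());

            if (str == null || str.isEmpty()) {
                // No root supplied with the request: fall back to the one TssCaLib returns.
                TssCaLib.OutputParam out = TssCaLib.Dg();
                long rc = TssCaLib.b(0, out);
                if (rc != 0) {
                    throw new awt("201008", "get cbg root cert fail, result : 0x" + Long.toHexString(rc));
                }
                pinnedRoot = out.bytes;
            } else {
                pinnedRoot = ayi.dH(str);
            }
            // Pin by exact encoding: the root in the response must be the preset root itself.
            if (Arrays.equals(pinnedRoot, extraCerts[2].getEncoded())) {
                return chain;
            }
            throw new awt("201008", "cmp extra cbg root cert not equal to preset cbg root cert");
        } catch (IOException e) {
            throw new awt("201008", "verifyCertChain fail with IOException, message : " + e.getMessage());
        } catch (InvalidKeyException e2) {
            throw new awt("201008", "verifyCertChain fail with InvalidKeyException, message : " + e2.getMessage());
        } catch (NoSuchAlgorithmException e3) {
            throw new awt("201008", "verifyCertChain fail with NoSuchAlgorithmException, message : " + e3.getMessage());
        } catch (NoSuchProviderException e4) {
            throw new awt("201008", "verifyCertChain fail with NoSuchProviderException, message : " + e4.getMessage());
        } catch (SignatureException e5) {
            throw new awt("201008", "verifyCertChain fail with SignatureException, message : " + e5.getMessage());
        } catch (CertificateException e6) {
            throw new awt("201008", "verifyCertChain fail with CertificateException, message : " + e6.getMessage());
        }
    }

    /**
     * Converts CMP certificate structures into JCA {@link X509Certificate} objects,
     * preserving order.
     *
     * @throws awt with code 201008 when a certificate cannot be encoded or parsed
     */
    private X509Certificate[] d(CMPCertificate[] cMPCertificateArr) throws awt {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate[] converted = new X509Certificate[cMPCertificateArr.length];
            for (int idx = 0; idx < cMPCertificateArr.length; idx++) {
                converted[idx] = (X509Certificate) factory.generateCertificate(
                        new ByteArrayInputStream(cMPCertificateArr[idx].getEncoded()));
            }
            return converted;
        } catch (IOException e) {
            throw new awt("201008", "convert cert fail with IOException, message : " + e.getMessage());
        } catch (CertificateException e2) {
            throw new awt("201008", "convert cert fail with CertificateException, message : " + e2.getMessage());
        }
    }

    /**
     * Extracts the issued certificate from the first response entry of the CMP body.
     *
     * <p>No verification happens in this method; callers in this class invoke it only
     * after the message protection has been verified.
     *
     * @throws awt with code 201008 when the body does not hold a usable certificate
     */
    private X509Certificate e(PKIMessage pKIMessage) throws awt {
        try {
            CertRepMessage reply = (CertRepMessage) pKIMessage.getBody().getContent();
            byte[] encoded = reply.getResponse()[0]
                    .getCertifiedKeyPair()
                    .getCertOrEncCert()
                    .getCertificate()
                    .getEncoded();
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(encoded));
        } catch (IOException e) {
            throw new awt("201008", "fail to serialize CMPCertificate");
        } catch (Exception e2) {
            // Broad on purpose: a malformed body can fail with a cast, null or index error.
            throw new awt("201008", "fail to get cert from cmp response, exception : " + e2.getMessage());
        }
    }

    /**
     * Builds the encoded CMP request from the attestation and device certificates
     * returned by {@code TssCaLib}.
     *
     * @param str            app id
     * @param enrollCertResp response object; set to 101002 when a native call fails
     * @param bArr           nonce for this exchange, passed to the request builder
     * @return the encoded request, or an empty array when a native call failed
     * @throws awt with code 201005 or 201006 when the request cannot be built
     */
    private byte[] e(String str, EnrollCertResp enrollCertResp, byte[] bArr) throws awt {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            TssCaLib.OutputParam out = TssCaLib.Dg();

            long attestationRc = TssCaLib.a(str, this.amM.getAlias(), out);
            if (attestationRc != 0) {
                axw.e(TAG, "TssCaLib.tssLibGetAttestationCert error , result : 0x" + Long.toHexString(attestationRc));
                enrollCertResp.setRtnCode(101002);
                enrollCertResp.setErrorReason(Long.toHexString(attestationRc));
                return new byte[0];
            }
            // Parse before the next native call: the same OutputParam is reused below.
            X509Certificate attestationCert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(out.bytes));

            long deviceRc = TssCaLib.a(out);
            if (deviceRc != 0) {
                axw.e(TAG, "TssCaLib.tssLibGetDeviceCert error , result : 0x" + Long.toHexString(deviceRc));
                enrollCertResp.setRtnCode(101002);
                enrollCertResp.setErrorReason(Long.toHexString(deviceRc));
                return new byte[0];
            }
            X509Certificate deviceCert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(out.bytes));

            // NOTE(review): the builder setters are obfuscated; C(...) receives 16 fresh random
            // bytes and z(...) receives the caller's nonce - confirm which header field each sets.
            return new awi(new BigInteger(this.amM.getCertReqId()), this.amM.getIssuer(), this.amM.getSubject(), attestationCert, deviceCert)
                    .ed(this.amM.getKeyType())
                    .ag(awl.amo.get(this.amM.getAlgorithm()).longValue())
                    .hb(str)
                    .ha(this.amM.getAlias())
                    .C(eg(16))
                    .z(bArr)
                    .Dj()
                    .getEncoded();
        } catch (IOException e) {
            throw new awt("201005", "fail to serialize pki message, IOException : " + e.getMessage());
        } catch (IllegalArgumentException e2) {
            throw new awt("201005", "fail to generate cmp request message, IllegalArgumentException ：" + e2.getMessage());
        } catch (CertificateException e3) {
            throw new awt("201006", "fail to generate cert from return bytes");
        } catch (Exception e4) {
            throw new awt("201005", "fail to generate cmp request message, exception : " + e4.getMessage());
        }
    }

    /**
     * Returns {@code i} random bytes rendered as upper-case hex (2 * i characters).
     * Used for the X-Request-ID header.
     */
    private String ea(int i) {
        byte[] raw = new byte[i];
        RANDOM.nextBytes(raw);
        char[] hex = new char[raw.length * 2];
        for (int pos = 0; pos < raw.length; pos++) {
            int unsigned = raw[pos] & 255;
            hex[pos * 2] = HEX_DIGITS[unsigned >>> 4];
            hex[(pos * 2) + 1] = HEX_DIGITS[unsigned & 15];
        }
        return new String(hex);
    }

    /**
     * Returns {@code i} random bytes for use as a protocol nonce.
     *
     * <p>Uses the platform-default {@link SecureRandom}, the same source as the request
     * id, instead of requesting "SHA1PRNG" by name. The default constructor lets the
     * platform choose its preferred CSPRNG and cannot fail with NoSuchAlgorithmException.
     * The {@code throws} clause is kept so the method's signature is unchanged.
     */
    private byte[] eg(int i) throws awt {
        byte[] nonce = new byte[i];
        RANDOM.nextBytes(nonce);
        return nonce;
    }

    /**
     * Reports whether a service certificate is already stored for this app and alias.
     *
     * @return true when {@code TssCaLib.d} returns 0 for the lookup
     */
    private boolean hf(String str) throws awt {
        long rc = TssCaLib.d(str, this.amM.getAlias(), this.amM.getAlias(), TssCaLib.Dg());
        if (rc != 0) {
            return false;
        }
        axw.w(TAG, "service cert " + this.amM.getAlias() + " is exist");
        return true;
    }

    /**
     * Runs the enrollment for the given app id.
     *
     * <p>Flow: validate the request; if a service certificate already exists return the
     * stored chain; otherwise generate the key pair and attestation certificate, build and
     * send the CMP request, validate the reply, and store the issued certificate and chain.
     *
     * @param str app id
     * @return an {@link EnrollCertResp}; return code 0 with the chain on success,
     *         101001 for an invalid request, 101002 when a native call fails
     * @throws awt on protocol, transport or parsing failures
     */
    @Override // o.axu
    public BaseResp gZ(String str) throws awt {
        axw.i(TAG, "TSS inner service enroll cert begin, appId : " + str);
        try {
            EnrollCertResp resp = new EnrollCertResp();
            // axb.Df() here and axb.Dm() in the finally block bracket the whole operation;
            // their purpose is not visible from this class.
            axb.Df();
            axy.aI(str, "CERT");

            if (this.amM == null || !this.amM.isValid()) {
                resp.setRtnCode(101001);
                resp.setErrorReason("param illegal.");
                return resp;
            }

            if (hf(str)) {
                // Already enrolled: return what is stored instead of contacting the CA again.
                BaseResp stored = new BaseResp();
                X509Certificate[] storedChain = axo.a(str, this.amM.getAlias(), stored);
                if (stored.getRtnCode() == 0) {
                    resp.setCertChain(storedChain);
                }
                resp.setRtnCode(stored.getRtnCode());
                resp.setErrorReason(stored.getErrorReason());
                return resp;
            }

            long keyRc = TssCaLib.k(this.amM.getKeyType(), str, this.amM.getAlias());
            // 4294770697 (0xFFFD0009) is accepted alongside 0.
            // NOTE(review): presumably "key pair already exists" - confirm against TssCaLib.
            if (keyRc != 0 && keyRc != 4294770697L) {
                axw.e(TAG, "TssCaLib.tssLibGenerateKeypair error , result : 0x" + Long.toHexString(keyRc));
                resp.setRtnCode(101002);
                resp.setErrorReason(Long.toHexString(keyRc));
                return resp;
            }

            long attestationRc = TssCaLib.aL(str, this.amM.getAlias());
            // 4294770704 (0xFFFD0010) is accepted alongside 0.
            // NOTE(review): presumably "attestation cert already exists" - confirm against TssCaLib.
            if (attestationRc != 0 && attestationRc != 4294770704L) {
                axw.e(TAG, "TssCaLib.tssLibGenerateAttestationCert error , result : 0x" + Long.toHexString(attestationRc));
                resp.setRtnCode(101002);
                resp.setErrorReason(Long.toHexString(attestationRc));
                return resp;
            }

            byte[] nonce = eg(16);
            byte[] encodedRequest = e(str, resp, nonce);
            if (resp.getRtnCode() == 0) {
                PKIMessage reply = c(str, encodedRequest);
                // Validate the reply (nonce, chain, root pin, protection) before touching
                // the issued certificate it carries.
                X509Certificate[] chain = a(reply, nonce, this.amM.getCbgRootCert());
                d(str, resp, chain, e(reply));
            }
            return resp;
        } catch (CertificateException e2) {
            throw new awt("201006", "fail to generate cert from return bytes");
        } finally {
            axb.Dm();
            axw.i(TAG, "TSS inner service enroll cert end, appId : " + str);
        }
    }
}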
