package com.nmwco.mobility.client.util;

import android.app.Activity;
import android.content.Context;
import android.net.http.SslCertificate;
import android.os.Bundle;
import android.security.KeyChain;
import android.security.KeyChainAliasCallback;
import com.nmwco.mobility.client.SharedApplication;
import com.nmwco.mobility.client.configuration.LocalKeyStore;
import com.nmwco.mobility.client.gen.EventCategories;
import com.nmwco.mobility.client.gen.Messages;
import com.nmwco.mobility.client.gen.NmStatus;
import com.nmwco.mobility.client.logging.Log;
import com.nmwco.mobility.client.profile.Profile;
import com.nmwco.mobility.client.profile.ProfileManager;
import com.nmwco.mobility.client.util.CertificateStoreEntry;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: classes.dex */
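/**
 * Static helpers for client and server certificate handling: picking a client
 * certificate from the Android KeyChain, extracting display fields from a
 * certificate through native parsers, raw RSA signing, and validating the
 * certificate chain presented by the EAP server against the active profile.
 *
 * <p>Status codes returned by the {@code verify*}/{@code validate*} methods are
 * {@code NmStatus} values; {@code 0} is the success value used throughout this class.
 */
public class CertificateHelper {
    /** Extended-key-usage OID id-kp-serverAuth (TLS server authentication). */
    private static final String OID_EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    /**
     * JCA algorithm used by {@link #signHash}: the input is signed as supplied,
     * no digest is computed by the {@link Signature} object.
     */
    private static final String SIGNATURE_TYPE = "NONEwithRSA";
    // GeneralName type tags as reported by X509Certificate.getSubjectAlternativeNames().
    private static final int SUBALTNAME_DIRECTORYNAME = 4;
    private static final int SUBALTNAME_DNSNAME = 2;
    private static final int SUBALTNAME_EDIPARTYNAME = 5;
    private static final int SUBALTNAME_IPADDRESS = 7;
    private static final int SUBALTNAME_OTHERNAME = 0;
    private static final int SUBALTNAME_REGISTREDID = 8;
    private static final int SUBALTNAME_RFC822NAME = 1;
    private static final int SUBALTNAME_URI = 6;
    private static final int SUBALTNAME_X400ADDRESS = 3;

    /* loaded from: classes.dex */
    /**
     * KeyChain alias callback that turns the alias chosen by the user into a
     * {@link CertificateStoreEntry} and hands it to the subclass.
     */
    public static abstract class KeyChainCallback implements KeyChainAliasCallback {
        private final Bundle mBundleExtra;
        private boolean mCallbackExecuted;

        /**
         * @param bundle opaque extras passed back unchanged to
         *               {@link #onCertificateSelected} / {@link #onCancelOrFailure}
         */
        public KeyChainCallback(Bundle bundle) {
            this.mBundleExtra = bundle;
        }

        /**
         * Receives the alias selected in the system certificate picker.
         *
         * <p>A {@code null} alias is reported through {@link #onCancelOrFailure}.
         * Otherwise the leaf certificate of the alias' chain is wrapped in a
         * store entry and reported through {@link #onCertificateSelected}.
         *
         * @param str the selected alias, or {@code null} when nothing was selected
         */
        @Override // android.security.KeyChainAliasCallback
        public void alias(String str) {
            if (this.mCallbackExecuted) {
                return;
            }
            if (str == null) {
                onCancelOrFailure(this.mBundleExtra);
                this.mCallbackExecuted = true;
                return;
            }
            try {
                CertificateStoreEntry selectedEntry = CertificateStoreEntry.newCertificateEntry(
                        KeyChain.getCertificateChain(SharedApplication.getSharedApplicationContext(), str)[0],
                        CertificateStoreEntry.KeyType.SYSTEM_KEY,
                        str,
                        CertificateStoreEntry.READWRITE.booleanValue(),
                        CertificateStoreEntry.HAS_PRIVATE_KEY.booleanValue());
                try {
                    LocalKeyStore.deleteCertificate(selectedEntry.getCertificate());
                } catch (Exception ignored) {
                    // Best effort: a failed delete does not stop the selection from being
                    // reported. NOTE(review): presumably this removes a stale local copy of
                    // the same certificate - confirm against LocalKeyStore.
                }
                onCertificateSelected(selectedEntry, this.mBundleExtra);
            } catch (Exception ignored) {
                // Any failure (including a missing chain for the alias, or an exception
                // thrown by onCertificateSelected itself) is reported as a failure.
                // The executed flag is not set on this path, so a later callback is
                // still processed.
                onCancelOrFailure(this.mBundleExtra);
                return;
            }
            this.mCallbackExecuted = true;
        }

        /**
         * Called when no alias was selected or the selection could not be
         * turned into a store entry. The default implementation does nothing.
         *
         * @param bundle the extras given to the constructor
         */
        public void onCancelOrFailure(Bundle bundle) {
        }

        /**
         * Called with the store entry built for the selected alias.
         *
         * @param certificateStoreEntry entry wrapping the leaf certificate of the alias
         * @param bundle                the extras given to the constructor
         */
        public abstract void onCertificateSelected(CertificateStoreEntry certificateStoreEntry, Bundle bundle);
    }

    /**
     * Opens the system KeyChain picker restricted to RSA keys.
     *
     * @param activity         activity hosting the picker
     * @param certificateAlias alias to preselect, or {@code null} for none
     * @param keyChainCallback receives the user's choice
     */
    public static void choosePrivateKeyAlias(Activity activity, CertificateAlias certificateAlias, KeyChainCallback keyChainCallback) {
        String preselectedAlias = certificateAlias != null ? certificateAlias.getAlias() : null;
        // No issuer, host or port restriction is passed (null, null, -1).
        KeyChain.choosePrivateKeyAlias(activity, keyChainCallback, new String[]{"RSA"}, null, null, -1, preselectedAlias);
    }

    /**
     * Returns the user name extracted from the leaf certificate of a KeyChain alias.
     *
     * @param certificateAlias alias to look up; must not be {@code null}
     * @param context          context used for the KeyChain calls
     * @return the user name, or {@code null} when the alias is not valid or any
     *         KeyChain call fails
     */
    public static String getCertificateAuthenticationName(CertificateAlias certificateAlias, Context context) {
        if (!certificateAlias.isValid()) {
            return null;
        }
        try {
            // The returned key is discarded; the call is made only for its failure mode.
            // NOTE(review): presumably a probe that the app may use this alias - confirm.
            KeyChain.getPrivateKey(context, certificateAlias.getAlias());
            return getUsername(KeyChain.getCertificateChain(context, certificateAlias.getAlias())[0]);
        } catch (Exception ignored) {
            return null;
        }
    }

    /**
     * Returns the issuer display string of a certificate.
     *
     * @param certificate certificate to inspect
     * @return the value produced by the native parser, or {@code null} on any failure
     */
    public static String getIssuedBy(Certificate certificate) {
        try {
            return getIssuedBy(certificate.getEncoded());
        } catch (Exception ignored) {
            return null;
        }
    }

    /** Native parser for the issuer; takes the encoded certificate bytes. */
    private static native String getIssuedBy(byte[] bArr);

    /**
     * Returns the "issued to" display string of a certificate.
     *
     * @param certificate certificate to inspect
     * @return the value produced by the native parser, or {@code null} on any failure
     */
    public static String getIssuedTo(Certificate certificate) {
        try {
            return getIssuedTo(certificate.getEncoded());
        } catch (Exception ignored) {
            return null;
        }
    }

    /** Native parser for the "issued to" field; takes the encoded certificate bytes. */
    private static native String getIssuedTo(byte[] bArr);

    /**
     * Returns the expiry date of a certificate formatted for the default locale.
     *
     * @param certificate certificate to inspect
     * @return the medium-style date string, or {@code null} on any failure
     */
    public static String getNotAfter(Certificate certificate) {
        try {
            // The trailing 'Z' is matched as a literal character, so the timestamp is
            // interpreted in the parser's default time zone rather than as UTC.
            SimpleDateFormat nativeFormat = new SimpleDateFormat("yyyyMMddHHmmss'Z'", Locale.US);
            DateFormat displayFormat = DateFormat.getDateInstance(DateFormat.MEDIUM, Locale.getDefault());
            return displayFormat.format(nativeFormat.parse(getNotAfter(certificate.getEncoded())));
        } catch (Exception ignored) {
            return null;
        }
    }

    /** Native parser for notAfter; the caller expects {@code yyyyMMddHHmmss'Z'} text. */
    private static native String getNotAfter(byte[] bArr);

    /**
     * Collects the subject-alternative-name values of one GeneralName type.
     *
     * <p>Only the types whose value the JCA reports as a {@link String}
     * (rfc822Name, dNSName, URI, iPAddress, registeredID) are returned; any
     * other type yields an empty array.
     *
     * @param x509Certificate certificate to inspect
     * @param i               GeneralName type tag (one of the {@code SUBALTNAME_*} values)
     * @return the matching values, empty when there are none or the extension
     *         cannot be parsed
     */
    private static String[] getSubjectAlternativeNames(X509Certificate x509Certificate, int i) {
        List<String> names = new ArrayList<>();
        boolean stringValued = i == SUBALTNAME_RFC822NAME
                || i == SUBALTNAME_DNSNAME
                || i == SUBALTNAME_URI
                || i == SUBALTNAME_IPADDRESS
                || i == SUBALTNAME_REGISTREDID;
        try {
            java.util.Collection<List<?>> entries = x509Certificate.getSubjectAlternativeNames();
            if (entries != null) {
                for (List<?> entry : entries) {
                    // Each entry is [Integer type, value].
                    if (stringValued && i == ((Integer) entry.get(0)).intValue()) {
                        names.add((String) entry.get(1));
                    }
                }
            }
        } catch (CertificateParsingException ignored) {
            // An unparsable extension is treated as "no names"; callers that use the
            // result for host matching then fall back to their own failure path.
        }
        return names.toArray(new String[0]);
    }

    /**
     * Returns the subject display string of a certificate.
     *
     * @param certificate certificate to inspect
     * @return the value produced by the native parser, or {@code null} on any failure
     */
    public static String getSubjectName(Certificate certificate) {
        try {
            return getSubjectName(certificate.getEncoded());
        } catch (Exception ignored) {
            return null;
        }
    }

    /** Native parser for the subject; takes the encoded certificate bytes. */
    private static native String getSubjectName(byte[] bArr);

    /**
     * Returns the user name carried by a certificate.
     *
     * @param certificate certificate to inspect
     * @return the value produced by the native parser, or {@code null} on any failure
     */
    public static String getUsername(Certificate certificate) {
        try {
            return getUsername(certificate.getEncoded());
        } catch (Exception ignored) {
            return null;
        }
    }

    /** Native parser for the user name; takes the encoded certificate bytes. */
    private static native String getUsername(byte[] bArr);

    /**
     * Signs caller-supplied bytes with {@code NONEwithRSA}.
     *
     * <p>No digest is computed here: {@code bArr} is signed exactly as given, so the
     * caller is responsible for passing an already-hashed value in whatever
     * encoding the consuming protocol expects.
     *
     * @param privateKey RSA private key, or {@code null}
     * @param bArr       bytes to sign
     * @return the signature, or {@code null} when {@code privateKey} is {@code null}
     * @throws SignatureException wrapping any failure raised while signing
     */
    public static byte[] signHash(PrivateKey privateKey, byte[] bArr) throws SignatureException {
        if (privateKey == null) {
            return null;
        }
        try {
            Signature signer = Signature.getInstance(SIGNATURE_TYPE);
            signer.initSign(privateKey);
            signer.update(bArr);
            return signer.sign();
        } catch (Exception e) {
            throw new SignatureException(e);
        }
    }

    /**
     * Validates the server certificate chain against the active profile.
     *
     * <p>Steps, in order:
     * <ol>
     *   <li>If the profile names an EAP host, the leaf certificate must match it
     *       ({@link #verifyHostname}); a mismatch is returned immediately.</li>
     *   <li>If the profile has certificate validation switched off, {@code 0} is
     *       returned without any chain or key-usage check. In that configuration the
     *       host match above is made against a certificate nobody has verified.</li>
     *   <li>Otherwise key usage and the chain are checked against the local key
     *       store and, if that does not succeed, against the global key store.</li>
     * </ol>
     *
     * @param x509CertificateArr chain presented by the server, leaf first
     * @return {@code 0} on success, otherwise an {@code NmStatus} error value
     */
    public static int validateCertificate(X509Certificate[] x509CertificateArr) {
        Profile activeProfile = ProfileManager.getInstance().getActiveProfile();
        String eapHost = activeProfile.getEapHost();
        if (!StringUtil.isEmpty(eapHost)) {
            int hostStatus = verifyHostname(x509CertificateArr[0], eapHost);
            if (NmStatus.NM_ERROR(hostStatus)) {
                return hostStatus;
            }
        }
        if (!activeProfile.getEapCertValidate().booleanValue()) {
            return 0;
        }
        // Fail closed. The chain result starts from the same "not verified" value that
        // is used when no host is configured, instead of inheriting the successful host
        // status: otherwise a missing key store, or an exception while loading one,
        // would let the host match alone be returned as overall success.
        // NOTE(review): assumes NmStatus treats Integer.MIN_VALUE as an error, as the
        // no-host path and verifyCertificateChain already rely on - confirm.
        int status = Integer.MIN_VALUE;
        try {
            KeyStore localKeyStore = LocalKeyStore.getLocalKeyStore();
            if (localKeyStore != null) {
                status = verifyCertificateKeyUsage(x509CertificateArr[0], OID_EKU_SERVER_AUTH);
                if (NmStatus.NM_SUCCEEDED(status)) {
                    status = verifyCertificateChain(localKeyStore, x509CertificateArr);
                    if (NmStatus.NM_SUCCEEDED(status)) {
                        return status;
                    }
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        try {
            KeyStore globalKeyStore = LocalKeyStore.getGlobalKeyStore();
            if (globalKeyStore == null) {
                return status;
            }
            int usageStatus = verifyCertificateKeyUsage(x509CertificateArr[0], OID_EKU_SERVER_AUTH);
            return NmStatus.NM_SUCCEEDED(usageStatus) ? verifyCertificateChain(globalKeyStore, x509CertificateArr) : usageStatus;
        } catch (Exception e) {
            e.printStackTrace();
            return status;
        }
    }

    /**
     * Checks the chain with the first {@link X509TrustManager} built from a key store.
     *
     * @param keyStore           trust anchors to validate against
     * @param x509CertificateArr chain presented by the server, leaf first
     * @return {@code 0} when the trust manager accepts the chain;
     *         {@code Integer.MIN_VALUE} when no X.509 trust manager is available;
     *         otherwise the {@code NmStatus} value for the failure
     */
    private static int verifyCertificateChain(KeyStore keyStore, X509Certificate[] x509CertificateArr) {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
            if (trustManagerFactory != null) {
                trustManagerFactory.init(keyStore);
                TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
                if (trustManagers != null) {
                    for (TrustManager trustManager : trustManagers) {
                        if (trustManager instanceof X509TrustManager) {
                            // Throws CertificateException when the chain is not trusted.
                            ((X509TrustManager) trustManager).checkServerTrusted(x509CertificateArr, "RSA");
                            return 0;
                        }
                    }
                }
            }
            return Integer.MIN_VALUE;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            Log.e(EventCategories.EV_SRC_NOMAD_CLIENT_UI, Messages.EV_CONFIG_CERTS_KEYSTORE, e);
            return NmStatus.NM_STAT_ERROR_NOT_SUPPORTED;
        } catch (CertificateExpiredException | CertificateNotYetValidException ignored) {
            return NmStatus.CERT_STAT_INVALID_TIME;
        } catch (CertificateException e) {
            // A rejection by the global store is logged at info level with the reason;
            // for any other store only a debug message is written.
            if (LocalKeyStore.KEYSTORE_GLOBAL.equals(keyStore.getType())) {
                Log.i(EventCategories.EV_SRC_NOMAD_CLIENT_UI, Messages.EV_CONFIG_CERTS_INVALID_SERVER_CERT, e.getMessage());
            } else {
                Log.d(EventCategories.EV_SRC_NOMAD_CLIENT_UI, Messages.EV_CONFIG_CERTS_VALIDATE_USING_LOCAL_CA_CERTIFICATE, new Object[0]);
            }
            return NmStatus.CERT_STAT_INVALID_SERVER_CERT;
        }
    }

    /**
     * Checks the key-usage and extended-key-usage extensions of a certificate.
     *
     * <p>The KeyUsage extension must be present with its first bit
     * (digitalSignature) set. If an ExtendedKeyUsage extension is present it must
     * list every OID in {@code strArr}; a certificate without that extension passes.
     *
     * @param x509Certificate certificate to inspect
     * @param strArr          extended-key-usage OIDs that must all be present
     * @return {@code 0} on success, otherwise an {@code NmStatus} error value
     * @throws CertificateException if the extended-key-usage extension cannot be decoded
     */
    private static int verifyCertificateKeyUsage(X509Certificate x509Certificate, String... strArr) throws CertificateException {
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        // NOTE(review): -2146303995 (0x80120005) has no named constant on this page;
        // presumably an NmStatus certificate-usage error - confirm and replace.
        int status = (keyUsage == null || !keyUsage[0]) ? -2146303995 : 0;
        if (!NmStatus.NM_SUCCEEDED(status)) {
            return status;
        }
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        if (extendedKeyUsage == null) {
            return status;
        }
        for (String requiredOid : strArr) {
            if (!extendedKeyUsage.contains(requiredOid)) {
                return NmStatus.CERT_STAT_INVALID_SERVER_CERT;
            }
        }
        return 0;
    }

    /**
     * Checks that a certificate was issued for the configured host.
     *
     * <p>The dNSName subject alternative names are tried first, then the subject
     * common name. A name matches when it equals the configured host or is a
     * sub-domain of it (see {@link #hostMatches}).
     *
     * @param x509Certificate leaf certificate presented by the server
     * @param str             host name configured in the profile
     * @return {@code 0} on a match, otherwise {@code NmStatus.CERT_STAT_INVALID_HOST}
     */
    private static int verifyHostname(X509Certificate x509Certificate, String str) {
        if (x509Certificate == null) {
            return NmStatus.CERT_STAT_INVALID_HOST;
        }
        for (String dnsName : getSubjectAlternativeNames(x509Certificate, SUBALTNAME_DNSNAME)) {
            Log.d(EventCategories.EV_SRC_NOMAD_CLIENT_UI, Messages.EV_CONFIG_CERTS_HOSTNAME, dnsName);
            if (hostMatches(dnsName, str)) {
                return 0;
            }
        }
        // NOTE(review): the common name is consulted even when dNSName entries exist
        // and none matched; stricter verifiers skip the CN in that case.
        String cName = new SslCertificate(x509Certificate).getIssuedTo().getCName();
        if (StringUtil.isEmpty(cName)) {
            return NmStatus.CERT_STAT_INVALID_HOST;
        }
        return hostMatches(cName, str) ? 0 : NmStatus.CERT_STAT_INVALID_HOST;
    }

    /**
     * Case-insensitive host comparison that allows a domain-suffix match only on a
     * label boundary.
     *
     * <p>A bare {@code endsWith} would also accept a name from a different domain that
     * merely ends in the same characters; requiring the preceding {@code '.'} keeps
     * sub-domain matching while rejecting those names. Lower-casing uses
     * {@link Locale#ROOT} so the result does not depend on the device locale.
     *
     * @param presented name taken from the certificate
     * @param expected  host configured in the profile
     * @return {@code true} when {@code presented} equals {@code expected} or is a
     *         sub-domain of it
     */
    private static boolean hostMatches(String presented, String expected) {
        if (presented == null || expected == null || expected.isEmpty()) {
            return false;
        }
        String presentedLower = presented.toLowerCase(Locale.ROOT);
        String expectedLower = expected.toLowerCase(Locale.ROOT);
        if (presentedLower.equals(expectedLower)) {
            return true;
        }
        // A configured value that already starts with '.' carries its own boundary.
        String suffix = expectedLower.startsWith(".") ? expectedLower : "." + expectedLower;
        return presentedLower.endsWith(suffix);
    }
}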
