package com.microsoft.omadm.utils;

import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import com.microsoft.intune.common.http.AbstractHttpClientFactory;
import com.microsoft.intune.common.utils.IOUtils;
import com.microsoft.omadm.Services;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.platforms.android.certmgr.CertificateChainBuilder;
import com.microsoft.omadm.platforms.android.certmgr.data.RootCertificateState;
import com.microsoft.omadm.platforms.android.certmgr.data.SAN;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificate;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificateState;
import com.microsoft.omadm.utils.CertSearchCriteria;
import com.samsung.android.knox.keystore.CertificateProvisioning;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.net.util.Base64;
import org.jscep.util.ConnectionUtils;
import org.spongycastle.asn1.ASN1InputStream;
import org.spongycastle.asn1.ASN1ObjectIdentifier;
import org.spongycastle.asn1.ASN1OctetString;
import org.spongycastle.asn1.ASN1Primitive;
import org.spongycastle.asn1.ASN1Sequence;
import org.spongycastle.asn1.ASN1TaggedObject;
import org.spongycastle.asn1.DERTaggedObject;
import org.spongycastle.asn1.DERUTF8String;
import org.spongycastle.asn1.x509.AccessDescription;
import org.spongycastle.asn1.x509.AuthorityInformationAccess;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.KeyPurposeId;
import org.spongycastle.pqc.jcajce.spec.McElieceCCA2KeyGenParameterSpec;

/* loaded from: classes2.dex */
public final class CertUtils {
    // Log template for filter rejections: {0} = certificate alias, {1} = request id, {2} = reason.
    private static final String CERT_EXCLUDED_BY_FILTERS_LOG_MESSAGE_FORMAT = "Excluding cert with alias {0} and requestId {1} as {2}";
    // Substrings that isKeyChainUnlocked looks for (after upper-casing) in KeyChainException messages.
    // Matching on message text is brittle: a platform wording change silently alters the result.
    public static final String LACKS_PERMISSION_MSG = "PERMISSION";
    public static final String LOCKED_KEYSTORE_MSG = "LOCKED";
    private static final Logger LOGGER = Logger.getLogger(CertUtils.class.getName());
    // getRandomCertPassword draws 43 random bytes; presumably this constant, inlined by the compiler.
    private static final int PASSWORD_LENGTH = 43;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes2.dex */
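    /**
     * Wraps a {@link ScepCertificate} and computes derived data (parsed X.509 form, chain
     * thumbprints, extended key usages, ranking weight) on first use, caching each result.
     *
     * <p>The cached fields are written without any synchronization, and all fields are public
     * and mutable, so an instance should be confined to one thread.
     */
    public static class LazyCertificateInfo {
        public ScepCertificate scepCert;
        public X509Certificate x509Cert;
        public List<String> chainThumbPrints = null;
        public Set<String> extendedKeyUsage = null;
        public Integer weight = null;

        /**
         * @param scepCertificate the stored certificate record; its already-parsed
         *     {@code x509Certificate}, if any, is reused instead of re-decoding the blob
         */
        LazyCertificateInfo(ScepCertificate scepCertificate) {
            this.scepCert = scepCertificate;
            this.x509Cert = scepCertificate.x509Certificate;
        }

        /**
         * Returns the thumbprints of the certificate chain as computed by
         * {@link CertUtils#getIssuerHashes(X509Certificate)}.
         *
         * @throws OMADMException if the certificate cannot be decoded or the chain cannot be built
         */
        public List<String> getChainThumbPrints() throws OMADMException {
            if (this.chainThumbPrints == null) {
                this.chainThumbPrints = CertUtils.getIssuerHashes(getX509Certificate());
            }
            return this.chainThumbPrints;
        }

        /**
         * Returns the extended-key-usage OIDs of the certificate, or an empty set when the
         * certificate carries no EKU extension or the extension cannot be parsed.
         *
         * @throws OMADMException if the certificate itself cannot be decoded
         */
        public Set<String> getExtendedKeyUsage() throws OMADMException {
            if (this.extendedKeyUsage == null) {
                this.extendedKeyUsage = new HashSet<>();
                try {
                    // X509Certificate.getExtendedKeyUsage() returns null when the extension is
                    // absent; passing that straight to addAll() would throw NullPointerException.
                    List<String> ekuOids = getX509Certificate().getExtendedKeyUsage();
                    if (ekuOids != null) {
                        this.extendedKeyUsage.addAll(ekuOids);
                    }
                } catch (CertificateParsingException ignored) {
                    // Deliberate best effort: an unparseable EKU extension is treated as
                    // "no EKUs", so EKU-based filters reject the certificate rather than admit it.
                }
            }
            return this.extendedKeyUsage;
        }

        /**
         * Returns a ranking weight: +1 when the certificate has a CRL distribution point
         * extension and +2 when its AIA extension lists an OCSP access method.
         *
         * @throws OMADMException if the certificate or its AIA extension cannot be decoded
         */
        public int getWeight() throws OMADMException {
            if (this.weight == null) {
                int score = 0;
                if (CertUtils.hasCdp(getX509Certificate())) {
                    score += 1;
                }
                if (CertUtils.hasAiaOscp(getX509Certificate())) {
                    score += 2;
                }
                this.weight = Integer.valueOf(score);
            }
            return this.weight.intValue();
        }

        /**
         * Returns the parsed certificate, decoding {@code scepCert.certBlob} on first use.
         *
         * @throws OMADMException if the blob is not a valid X.509 certificate
         */
        public X509Certificate getX509Certificate() throws OMADMException {
            if (this.x509Cert == null) {
                try {
                    CertificateFactory factory = CertificateFactory.getInstance("X.509");
                    this.x509Cert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(this.scepCert.certBlob));
                } catch (CertificateException e) {
                    throw new OMADMException("Failed to decode certificate " + this.scepCert.alias, e);
                }
            }
            return this.x509Cert;
        }

        /**
         * Reports whether the current time lies outside the certificate's validity window;
         * a not-yet-valid certificate is therefore also reported as expired.
         *
         * <p>The time comes from the NTP time client rather than the device clock.
         * NOTE(review): the name {@code tryGetCurrentDate} suggests it may return null, which
         * would surface here as a NullPointerException; confirm against the client.
         *
         * @throws OMADMException if the certificate cannot be decoded
         */
        public boolean isExpired() throws OMADMException {
            Date now = Services.get().getNtpTimeClient().tryGetCurrentDate();
            X509Certificate cert = getX509Certificate();
            return now.before(cert.getNotBefore()) || now.after(cert.getNotAfter());
        }

        /**
         * Orders two candidates: a lower weight is worse; with equal weights the certificate
         * with the earlier {@code notBefore} date is worse.
         *
         * @throws OMADMException if either certificate cannot be decoded
         */
        public boolean isWorseThan(LazyCertificateInfo lazyCertificateInfo) throws OMADMException {
            if (getWeight() != lazyCertificateInfo.getWeight()) {
                return getWeight() < lazyCertificateInfo.getWeight();
            }
            return getX509Certificate().getNotBefore().before(lazyCertificateInfo.getX509Certificate().getNotBefore());
        }
    }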

    // Static utility holder: the private constructor prevents instantiation.
    private CertUtils() {
    }

    /**
     * Reports whether the certificate's extended-key-usage set contains the OID of every
     * entry in {@code list}. An empty {@code list} yields {@code true}.
     *
     * @throws OMADMException if the certificate cannot be decoded
     */
    private static boolean checkAllEKUsPresent(LazyCertificateInfo lazyCertificateInfo, List<CertSearchCriteria.EKU> list) throws OMADMException {
        for (CertSearchCriteria.EKU requiredEku : list) {
            boolean present = lazyCertificateInfo.getExtendedKeyUsage().contains(requiredEku.oid);
            if (!present) {
                return false;
            }
        }
        return true;
    }

    /**
     * Accepts the certificate only if it carries the anyExtendedKeyUsage OID and also every
     * EKU listed in {@code list}.
     *
     * @throws OMADMException if the certificate cannot be decoded
     */
    private static boolean checkCertAllowedByAnyPurposeEKU(LazyCertificateInfo lazyCertificateInfo, List<CertSearchCriteria.EKU> list) throws OMADMException {
        return hasAnyPurposeEKU(lazyCertificateInfo) && checkAllEKUsPresent(lazyCertificateInfo, list);
    }

    /**
     * Accepts the certificate only if it carries the id-kp-clientAuth OID and also every
     * EKU listed in {@code list}.
     *
     * @throws OMADMException if the certificate cannot be decoded
     */
    private static boolean checkCertAllowedByClientAuthEKU(LazyCertificateInfo lazyCertificateInfo, List<CertSearchCriteria.EKU> list) throws OMADMException {
        return hasClientAuthEKU(lazyCertificateInfo) && checkAllEKUsPresent(lazyCertificateInfo, list);
    }

    /**
     * Checks the certificate's chain thumbprints against an allow-list of issuer hashes.
     *
     * <p>A null or empty {@code list} means "no issuer restriction" and accepts every
     * certificate, so a policy that fails to populate the list is permissive, not restrictive.
     * Comparison is exact string equality; both sides must use the same thumbprint format.
     *
     * @throws OMADMException if the chain thumbprints cannot be computed
     */
    private static boolean checkCertAllowedByIssuerHash(LazyCertificateInfo lazyCertificateInfo, List<String> list) throws OMADMException {
        boolean unrestricted = list == null || list.isEmpty();
        if (unrestricted) {
            return true;
        }
        for (String chainThumbPrint : lazyCertificateInfo.getChainThumbPrints()) {
            if (list.contains(chainThumbPrint)) {
                return true;
            }
        }
        String reason = "required issuer hashes not found in chain.";
        LOGGER.fine(MessageFormat.format(CERT_EXCLUDED_BY_FILTERS_LOG_MESSAGE_FORMAT, lazyCertificateInfo.scepCert.alias, lazyCertificateInfo.scepCert.requestId, reason));
        return false;
    }

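    /**
     * Decides whether a client certificate satisfies {@code certSearchCriteria}.
     *
     * <p>Checks run in this order: record present with content, validity window (unless
     * expired certificates are allowed), UPN subject alternative name (when required), EKU
     * requirements, and finally the issuer-hash allow-list.
     *
     * <p>When EKU criteria are set and the certificate asserts no key-usage bits at all
     * (see {@code isAllPurposeCertificate}), the EKU requirements are skipped: with
     * {@code allPurposeEnabled} only the issuer-hash check is applied, otherwise the
     * certificate is rejected.
     *
     * @throws OMADMException if the certificate cannot be decoded or its chain cannot be built
     */
    private static boolean checkFilterAllowsCert(LazyCertificateInfo lazyCertificateInfo, CertSearchCriteria certSearchCriteria) throws OMADMException {
        if (lazyCertificateInfo == null || lazyCertificateInfo.scepCert == null) {
            // No alias or request id exists to log when the record itself is missing;
            // dereferencing it for the log line would throw NullPointerException.
            LOGGER.fine(MessageFormat.format(CERT_EXCLUDED_BY_FILTERS_LOG_MESSAGE_FORMAT, "<unknown>", "<unknown>", "it is not valid."));
            return false;
        }
        ScepCertificate cert = lazyCertificateInfo.scepCert;
        if (!cert.hasCertContent()) {
            logExcludedCert(cert, "it is not valid.");
            return false;
        }
        if (!certSearchCriteria.allowExpiredCertificates && lazyCertificateInfo.isExpired()) {
            logExcludedCert(cert, "it is expired.");
            return false;
        }
        if (certSearchCriteria.requireUpnInSubjectAlternativeNames && getUPNFromCertificate(lazyCertificateInfo.getX509Certificate()) == null) {
            logExcludedCert(cert, "it does not have the UPN SAN.");
            return false;
        }
        if (certSearchCriteria.clientAuthEKU != null || certSearchCriteria.anyPurposeEKU != null) {
            if (isAllPurposeCertificate(lazyCertificateInfo.getX509Certificate())) {
                if (certSearchCriteria.allPurposeEnabled) {
                    return checkCertAllowedByIssuerHash(lazyCertificateInfo, certSearchCriteria.caIssuerHash);
                }
                logExcludedCert(cert, "it is all purpose but criteria is not.");
                return false;
            }
            if (certSearchCriteria.clientAuthEKU != null && !checkCertAllowedByClientAuthEKU(lazyCertificateInfo, certSearchCriteria.clientAuthEKU)) {
                logExcludedCert(cert, "it does not have client auth EKU.");
                return false;
            }
            if (certSearchCriteria.anyPurposeEKU != null && !checkCertAllowedByAnyPurposeEKU(lazyCertificateInfo, certSearchCriteria.anyPurposeEKU)) {
                logExcludedCert(cert, "it does not have any purpose EKU.");
                return false;
            }
        }
        return checkCertAllowedByIssuerHash(lazyCertificateInfo, certSearchCriteria.caIssuerHash);
    }

    /** Logs, at FINE level, why {@code cert} was rejected by the search criteria. */
    private static void logExcludedCert(ScepCertificate cert, String reason) {
        LOGGER.fine(MessageFormat.format(CERT_EXCLUDED_BY_FILTERS_LOG_MESSAGE_FORMAT, cert.alias, cert.requestId, reason));
    }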

    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    /**
     * Builds an in-memory trust store holding one certificate entry per root state, keyed by
     * the state's {@code thumbPrint}.
     *
     * <p>A root that fails to parse or insert is logged and skipped, so the returned store can
     * contain fewer anchors than requested (possibly none). The failure cause is not logged.
     *
     * @throws OMADMException if the key store itself cannot be created or iterated
     */
    public static KeyStore createTrustStore(List<RootCertificateState> list) throws OMADMException {
        try {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises an empty store; nothing is read from disk.
            trustStore.load(null, null);
            for (RootCertificateState root : list) {
                try {
                    X509Certificate anchor = generateX509Certificate(root.certBlob);
                    trustStore.setCertificateEntry(root.thumbPrint, anchor);
                } catch (Exception unused) {
                    String warning = MessageFormat.format("Unable to add CA certificate from RootCertificateState ''{0}'' to policy trust store.", root.thumbPrint);
                    LOGGER.warning(warning);
                }
            }
            return trustStore;
        } catch (Exception e) {
            throw new OMADMException("Unable to create trust store from rootCertificateStates.", e);
        }
    }

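    /**
     * Downloads the issuer certificates named by the caIssuers entries of the certificate's
     * Authority Information Access extension.
     *
     * <p>The URLs come from the certificate being examined and the downloaded bytes are parsed
     * without any signature or chain check here. The result is therefore untrusted input:
     * callers must validate it against a trust anchor before relying on it.
     *
     * <p>Only locations whose lower-cased form starts with
     * {@code AbstractHttpClientFactory.SCHEME_HTTP} are fetched (presumably "http", which would
     * also admit https URLs; confirm against the constant).
     *
     * @param x509Certificate the certificate whose AIA extension is read
     * @return the distinct certificates that could be downloaded and parsed (possibly empty),
     *     or {@code null} when no X.509 certificate factory is available
     */
    public static List<X509Certificate> downloadIssuerCaCertificatesFromAia(X509Certificate x509Certificate) {
        List<X509Certificate> issuers = new ArrayList<>();
        List<String> caIssuerLocations = getCaIssuerLocations(x509Certificate);
        if (caIssuerLocations.isEmpty()) {
            return issuers;
        }
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X509");
        } catch (CertificateException unused) {
            LOGGER.warning("Failed to get X509 certificate factory. Unable to get ca issuers for cert: " + x509Certificate.getSubjectDN().getName());
            return null;
        }
        for (String location : caIssuerLocations) {
            try {
                if (!StringUtils.isNotEmpty(location)) {
                    LOGGER.info("Invalid cert download location. Skipping.");
                    continue;
                }
                if (!location.toLowerCase(Locale.US).startsWith(AbstractHttpClientFactory.SCHEME_HTTP)) {
                    LOGGER.info("Skipping cert download. Unsupported cert download protocol found, url:" + location);
                    continue;
                }
                byte[] blob = getCertificateBlobFromHttp(location);
                if (blob == null || blob.length == 0) {
                    // Logged only for a missing or empty download, not after a successful parse.
                    LOGGER.info("Empty cert blob returned. Skipping.");
                    continue;
                }
                X509Certificate issuer = (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(blob));
                if (issuer == null) {
                    LOGGER.info("Could not create X509Certificate from cert blob returned by download location.");
                } else if (!issuers.contains(issuer)) {
                    issuers.add(issuer);
                }
            } catch (GeneralSecurityException unused) {
                LOGGER.warning("Unable to generate certificate for certificate blob downloaded from AIA specified in cert: " + x509Certificate.getSubjectDN().getName());
            } catch (Exception e) {
                LOGGER.log(Level.WARNING, "Caught exception while trying to download issuer CA certificates for cert:" + x509Certificate.getSubjectDN().getName(), (Throwable) e);
            }
        }
        return issuers;
    }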

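    /**
     * Follows AIA caIssuers links level by level, starting at {@code x509Certificate}, and
     * returns every distinct issuer certificate that was downloaded.
     *
     * <p>The result is a set of candidates, not a validated path: nothing here verifies
     * signatures or anchors the certificates to a trusted root.
     *
     * <p>NOTE(review): the walk ends only when a level yields no new certificate. There is no
     * cap on depth or on the number of downloads, and each step is driven by content of the
     * previously downloaded certificate; consider bounding it.
     *
     * @param x509Certificate the certificate whose issuers are sought
     * @return the downloaded issuer certificates in discovery order (possibly empty)
     */
    public static List<X509Certificate> downloadIssuerCaChainFromAia(X509Certificate x509Certificate) {
        List<X509Certificate> collected = new ArrayList<>();
        List<X509Certificate> currentLevel = new ArrayList<>();
        currentLevel.add(x509Certificate);
        while (!currentLevel.isEmpty()) {
            List<X509Certificate> nextLevel = new ArrayList<>();
            for (X509Certificate subject : currentLevel) {
                List<X509Certificate> issuers = downloadIssuerCaCertificatesFromAia(subject);
                if (issuers == null) {
                    // The single-level download returns null when no certificate factory is
                    // available; iterating over that result would throw NullPointerException.
                    continue;
                }
                for (X509Certificate issuer : issuers) {
                    if (collected.contains(issuer)) {
                        LOGGER.fine(MessageFormat.format("Encountered duplicate issuer in certificate chain ''{0}''.", issuer.getSubjectDN().toString()));
                    } else {
                        collected.add(issuer);
                        nextLevel.add(issuer);
                    }
                }
            }
            currentLevel = nextLevel;
        }
        return collected;
    }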

    /**
     * Returns the first certificate in {@code list} whose {@code thumbprint} equals {@code str},
     * or {@code null} when {@code str} is null or nothing matches.
     *
     * <p>The comparison is exact and case-sensitive, so both values must already be in the
     * same thumbprint format.
     */
    public static ScepCertificate findCertificateByThumbPrint(List<ScepCertificate> list, String str) throws OMADMException {
        if (str != null) {
            for (ScepCertificate candidate : list) {
                if (str.equals(candidate.thumbprint)) {
                    return candidate;
                }
            }
        }
        return null;
    }

    /**
     * Converts a contiguous hex thumbprint into space-separated, lower-case byte groups.
     *
     * <p>Null, empty, or already space-containing input is returned unchanged. After grouping,
     * every {@code " 0"} is replaced by {@code " "}, which drops the leading zero of each group
     * except the first.
     * NOTE(review): the first group keeps its leading zero because no space precedes it;
     * confirm whether the consumer of this format expects that asymmetry.
     *
     * @throws OMADMException if the input has an odd number of characters
     */
    public static String formatCertThumbprintForExport(String str) throws OMADMException {
        if (str == null || str.isEmpty() || str.contains(" ")) {
            return str;
        }
        if (str.length() % 2 == 1) {
            throw new OMADMException("Expected cert thumbprint to have an even number of hex values. Cannot format for export.");
        }
        StringBuilder grouped = new StringBuilder();
        for (int start = 0; start + 2 <= str.length(); start += 2) {
            grouped.append(str, start, start + 2).append(" ");
        }
        return grouped.toString().replaceAll(" 0", " ").trim().toLowerCase(Locale.US);
    }

    /**
     * Parses an encoded X.509 certificate.
     *
     * <p>Parsing alone establishes no trust: the result is not checked for validity period,
     * signature, or issuer.
     *
     * @param bArr the encoded certificate
     * @throws OMADMException if the bytes cannot be parsed as an X.509 certificate
     */
    public static X509Certificate generateX509Certificate(byte[] bArr) throws OMADMException {
        ByteArrayInputStream encoded = new ByteArrayInputStream(bArr);
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(encoded);
        } catch (Exception e) {
            throw new OMADMException("Failed to generate X509Certificate from bytes", e);
        } finally {
            IOUtils.safeClose(encoded);
        }
    }

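    /**
     * Decodes an extension value as returned by {@code X509Certificate.getExtensionValue}:
     * the bytes are read as an ASN.1 OCTET STRING whose contents are then parsed as the
     * actual extension structure.
     *
     * <p>The decompiled form of this method assigned to undeclared variables and did not
     * compile; this is the equivalent structure with both streams closed automatically.
     *
     * <p>NOTE(review): input whose outer object is not an OCTET STRING raises
     * ClassCastException, and an empty outer stream raises NullPointerException; neither is
     * converted to OMADMException.
     *
     * @param bArr the DER-encoded extension value, or {@code null}
     * @return the decoded inner object, or {@code null} when {@code bArr} is null
     * @throws OMADMException if the ASN.1 data cannot be read
     */
    private static ASN1Primitive getASN1Primitive(byte[] bArr) throws OMADMException {
        if (bArr == null) {
            return null;
        }
        try (ASN1InputStream wrapper = new ASN1InputStream(new ByteArrayInputStream(bArr))) {
            ASN1OctetString octets = (ASN1OctetString) wrapper.readObject();
            try (ASN1InputStream contents = new ASN1InputStream(octets.getOctets())) {
                return contents.readObject();
            }
        } catch (IOException e) {
            throw new OMADMException("Failed to read object from ASN1 stream", e);
        }
    }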

    /**
     * Returns the decoded Authority Information Access extension of the certificate, or
     * {@code null} when the extension is absent.
     *
     * @throws OMADMException if the extension bytes cannot be read as ASN.1
     */
    private static AuthorityInformationAccess getAia(X509Certificate x509Certificate) throws OMADMException {
        byte[] rawExtension = x509Certificate.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (rawExtension == null) {
            return null;
        }
        ASN1Primitive decoded = getASN1Primitive(rawExtension);
        if (decoded == null) {
            return null;
        }
        return AuthorityInformationAccess.getInstance(decoded);
    }

    /**
     * Returns the certificates from {@code list} that satisfy {@code certSearchCriteria},
     * in their original order.
     *
     * @throws OMADMException if a certificate cannot be decoded while it is being filtered
     */
    public static List<ScepCertificate> getApplicableClientCertificateList(List<ScepCertificate> list, CertSearchCriteria certSearchCriteria) throws OMADMException {
        LazyCertificateInfo[] candidates = prepareCertificates(list);
        return restrictClientCertificateList(candidates, certSearchCriteria);
    }

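    /**
     * Returns the alias under which the root certificate is stored in the Android CA store.
     *
     * @throws OMADMException if the store cannot be opened or the certificate is not in it
     */
    public static String getCAAliasFromCertificate(RootCertificateState rootCertificateState) throws OMADMException {
        String alias = tryGetCAAliasFromCertificate(rootCertificateState);
        if (alias == null) {
            // The message previously read "Could find ...", stating the opposite of the failure.
            throw new OMADMException("Could not find the cert in the store.");
        }
        return alias;
    }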

    /**
     * Lists the access locations of all caIssuers entries in the certificate's Authority
     * Information Access extension.
     *
     * <p>The strings are taken verbatim from the certificate and are not checked for scheme
     * or host here; treat them as untrusted when they are used as URLs.
     *
     * @return the locations in extension order; empty when the extension is absent or unreadable
     */
    public static List<String> getCaIssuerLocations(X509Certificate x509Certificate) {
        List<String> locations = new ArrayList<>();
        AuthorityInformationAccess aia = tryGetAia(x509Certificate);
        if (aia == null) {
            return locations;
        }
        for (AccessDescription entry : aia.getAccessDescriptions()) {
            boolean isCaIssuers = entry.getAccessMethod().equals(AccessDescription.id_ad_caIssuers);
            if (isCaIssuers) {
                locations.add(entry.getAccessLocation().getName().toString());
            }
        }
        return locations;
    }

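    /**
     * Fetches the body of {@code str} with an HTTP GET and returns it as bytes.
     *
     * <p>The response stream is closed and the connection released on every path.
     *
     * <p>NOTE(review): the whole body is buffered with no size limit, and no connect or read
     * timeout is set in this method. The URL originates from certificate content, so a slow
     * or oversized response is possible; confirm whether {@code ConnectionUtils} applies
     * limits, otherwise add them.
     *
     * @param str the download URL
     * @return the response body, or {@code null} if the URL is malformed or the download fails
     */
    private static byte[] getCertificateBlobFromHttp(String str) {
        HttpURLConnection connection = null;
        try {
            connection = ConnectionUtils.getHttpURLConnection(new URL(str));
            connection.setRequestMethod("GET");
            try (java.io.InputStream body = connection.getInputStream()) {
                return org.jscep.util.IOUtils.toByteArray(body);
            }
        } catch (MalformedURLException unused) {
            LOGGER.warning("AIA contained malformed URL for cert.");
            return null;
        } catch (IOException unused2) {
            LOGGER.warning("Error downloading or parsing issuer CA certificate.");
            return null;
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
    }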

    /* JADX WARN: Removed duplicated region for block: B:5:0x0075  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Reads the certificate chain for a KeyChain alias.
     *
     * <p>The decompiler could not reconstruct this method: as listed, the body only throws
     * UnsupportedOperationException, and the real logic survives solely in the instruction
     * dump kept in the comment below. According to that dump the method:
     * <ul>
     *   <li>calls {@code KeyChain.getCertificateChain(context, alias)};</li>
     *   <li>on KeyChainException logs a warning and, if the upper-cased message contains
     *       "LOCKED" and the "HasUserBeenPresentSinceReboot" setting is false, rethrows the
     *       exception; in every other KeyChainException case the result is null;</li>
     *   <li>on IllegalStateException or any other exception logs and yields null;</li>
     *   <li>on a non-null result sets "HasUserBeenPresentSinceReboot" to true if it was false.</li>
     * </ul>
     *
     * <p>NOTE(review): the dump upper-cases {@code getMessage()} without a null check, and the
     * lock state is inferred from message text; both need confirming against the platform.
     */
    public static java.security.cert.X509Certificate[] getCertificateChain(android.content.Context r6, java.lang.String r7) throws android.security.KeyChainException {
        /*
            com.microsoft.omadm.Services$OMADMComponents r0 = com.microsoft.omadm.Services.get()
            com.microsoft.omadm.OMADMSettings r0 = r0.getOMADMSettings()
            r1 = 0
            java.security.cert.X509Certificate[] r6 = android.security.KeyChain.getCertificateChain(r6, r7)     // Catch: java.lang.Exception -> Le android.security.KeyChainException -> L28 java.lang.IllegalStateException -> L6b
            goto L73
        Le:
            r6 = move-exception
            java.util.logging.Logger r2 = com.microsoft.omadm.utils.CertUtils.LOGGER
            java.util.logging.Level r3 = java.util.logging.Level.WARNING
            java.lang.StringBuilder r4 = new java.lang.StringBuilder
            r4.<init>()
            java.lang.String r5 = "Failed to read certificate with alias "
            r4.append(r5)
            r4.append(r7)
            java.lang.String r7 = r4.toString()
            r2.log(r3, r7, r6)
            goto L72
        L28:
            r6 = move-exception
            java.util.logging.Logger r2 = com.microsoft.omadm.utils.CertUtils.LOGGER
            java.util.logging.Level r3 = java.util.logging.Level.WARNING
            java.lang.StringBuilder r4 = new java.lang.StringBuilder
            r4.<init>()
            java.lang.String r5 = "Cannot access certificate with alias "
            r4.append(r5)
            r4.append(r7)
            java.lang.String r7 = r4.toString()
            r2.log(r3, r7, r6)
            java.lang.String r7 = r6.getMessage()
            java.util.Locale r2 = java.util.Locale.US
            java.lang.String r7 = r7.toUpperCase(r2)
            java.lang.String r2 = "LOCKED"
            boolean r7 = r7.contains(r2)
            if (r7 == 0) goto L72
            java.lang.String r7 = "HasUserBeenPresentSinceReboot"
            boolean r7 = r0.getBoolean(r7, r1)
            if (r7 == 0) goto L63
            java.util.logging.Logger r6 = com.microsoft.omadm.utils.CertUtils.LOGGER
            java.lang.String r7 = "Keystore is LOCKED, but we are sure that the user has been present since reboot."
            r6.info(r7)
            goto L72
        L63:
            java.util.logging.Logger r7 = com.microsoft.omadm.utils.CertUtils.LOGGER
            java.lang.String r0 = "Keystore is LOCKED. Postponing deletion until user unlocks the device."
            r7.info(r0)
            throw r6
        L6b:
            java.util.logging.Logger r6 = com.microsoft.omadm.utils.CertUtils.LOGGER
            java.lang.String r7 = "Unable to read certificates from main thread"
            r6.severe(r7)
        L72:
            r6 = 0
        L73:
            if (r6 == 0) goto L83
            java.lang.String r7 = "HasUserBeenPresentSinceReboot"
            boolean r7 = r0.getBoolean(r7, r1)
            if (r7 != 0) goto L83
            java.lang.String r7 = "HasUserBeenPresentSinceReboot"
            r1 = 1
            r0.setBoolean(r7, r1)
        L83:
            return r6
        */
        throw new UnsupportedOperationException("Method not decompiled: com.microsoft.omadm.utils.CertUtils.getCertificateChain(android.content.Context, java.lang.String):java.security.cert.X509Certificate[]");
    }

    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    /**
     * Returns the thumbprint of every certificate in the chain that
     * {@code CertificateChainBuilder} produces for {@code x509Certificate}, in chain order.
     *
     * @throws OMADMException wrapping any failure to build the chain or hash a certificate
     */
    public static List<String> getIssuerHashes(X509Certificate x509Certificate) throws OMADMException {
        try {
            List<Certificate> chain = CertificateChainBuilder.getCertificateChain(x509Certificate);
            List<String> thumbPrints = new ArrayList<>(chain.size());
            for (Certificate link : chain) {
                thumbPrints.add(getThumbPrint(link));
            }
            return thumbPrints;
        } catch (Exception e) {
            throw new OMADMException(e);
        }
    }

    /**
     * Generates a random password: 43 bytes from {@link SecureRandom}, Base64-encoded on a
     * single line.
     *
     * <p>The result is a {@code String} and so cannot be wiped from memory after use; callers
     * should keep it short-lived and out of logs.
     */
    public static String getRandomCertPassword() {
        final int randomByteCount = 43;
        byte[] secret = new byte[randomByteCount];
        SecureRandom random = new SecureRandom();
        random.nextBytes(secret);
        return Base64.encodeBase64StringUnChunked(secret);
    }

    /**
     * Returns the hex-encoded digest of the certificate's encoded form.
     *
     * <p>The algorithm name is read from {@code McElieceCCA2KeyGenParameterSpec.SHA1}, which
     * looks like the decompiler mapping a string literal onto an unrelated constant; the error
     * message below indicates SHA-1. SHA-1 is not collision-resistant, so the thumbprint suits
     * identifying a certificate already held but is not on its own evidence that two
     * certificates are the same.
     *
     * @throws OMADMException if the certificate cannot be encoded or the digest is unavailable
     */
    public static String getThumbPrint(Certificate certificate) throws OMADMException {
        try {
            MessageDigest digest = MessageDigest.getInstance(McElieceCCA2KeyGenParameterSpec.SHA1);
            byte[] hash = digest.digest(certificate.getEncoded());
            return QueryStringUtils.convertToHex(hash);
        } catch (CertificateEncodingException e) {
            throw new OMADMException("Could not decode cert", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new OMADMException("Cannot compute SHA1 hashes", e2);
        }
    }

    /**
     * Extracts the User Principal Name from the certificate's subject alternative names.
     *
     * <p>Only SAN entries of type 0 (otherName) are examined; the first one whose type OID
     * equals {@code SAN.SAN_TYPE_UPN_OID} supplies the returned string.
     *
     * <p>NOTE(review): as listed, the method declares no checked exceptions although
     * {@code getSubjectAlternativeNames()} and {@code readObject()} are declared to throw them;
     * the decompiler output is presumably missing the original handling. The unchecked casts
     * also assume a well-formed otherName, so a malformed entry surfaces as a runtime
     * exception rather than as "no UPN". Confirm against the bytecode.
     *
     * @param x509Certificate the certificate to inspect
     * @return the UPN, or {@code null} when the certificate has no SANs or no UPN otherName
     */
    public static String getUPNFromCertificate(X509Certificate x509Certificate) {
        if (x509Certificate.getSubjectAlternativeNames() == null) {
            return null;
        }
        for (List<?> list : x509Certificate.getSubjectAlternativeNames()) {
            // Each SAN entry is a pair: element 0 is the GeneralName type, element 1 its value.
            if (((Integer) list.get(0)).intValue() == 0) {
                // For otherName the value is used here as the DER encoding of the entry.
                ASN1InputStream aSN1InputStream = new ASN1InputStream((byte[]) list.get(1));
                try {
                    ASN1Sequence aSN1Sequence = ASN1Sequence.getInstance((ASN1TaggedObject) aSN1InputStream.readObject(), false);
                    if (ASN1ObjectIdentifier.getInstance(aSN1Sequence.getObjectAt(0)).getId().equals(SAN.SAN_TYPE_UPN_OID)) {
                        return ((DERUTF8String) ((DERTaggedObject) aSN1Sequence.getObjectAt(1)).getObject()).getString();
                    }
                } finally {
                    IOUtils.safeClose(aSN1InputStream);
                }
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports whether the certificate's Authority Information Access extension lists an OCSP
     * access method. ("Oscp" in the method name is a transposition of OCSP.)
     *
     * @throws OMADMException if the AIA extension cannot be decoded
     */
    public static boolean hasAiaOscp(X509Certificate x509Certificate) throws OMADMException {
        AuthorityInformationAccess aia = getAia(x509Certificate);
        if (aia != null) {
            for (AccessDescription entry : aia.getAccessDescriptions()) {
                if (entry.getAccessMethod().equals(AccessDescription.id_ad_ocsp)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether the certificate's extended key usages include anyExtendedKeyUsage.
     *
     * @throws OMADMException if the certificate cannot be decoded
     */
    private static boolean hasAnyPurposeEKU(LazyCertificateInfo lazyCertificateInfo) throws OMADMException {
        String anyPurposeOid = KeyPurposeId.anyExtendedKeyUsage.getId();
        return lazyCertificateInfo.getExtendedKeyUsage().contains(anyPurposeOid);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reports whether the certificate carries a CRL distribution points extension. Only the
     * presence of the extension is checked; its contents are not parsed.
     */
    public static boolean hasCdp(X509Certificate x509Certificate) throws OMADMException {
        byte[] cdpExtension = x509Certificate.getExtensionValue(Extension.cRLDistributionPoints.getId());
        return cdpExtension != null;
    }

    /**
     * Reports whether the certificate's extended key usages include id-kp-clientAuth.
     *
     * @throws OMADMException if the certificate cannot be decoded
     */
    private static boolean hasClientAuthEKU(LazyCertificateInfo lazyCertificateInfo) throws OMADMException {
        String clientAuthOid = KeyPurposeId.id_kp_clientAuth.getId();
        return lazyCertificateInfo.getExtendedKeyUsage().contains(clientAuthOid);
    }

    /**
     * Treats a certificate as "all purpose" when it has no key-usage extension or when none
     * of its key-usage bits is set.
     *
     * <p>This looks only at key usage, not at extended key usage, so a certificate that
     * simply omits the key-usage extension counts as all purpose.
     */
    private static boolean isAllPurposeCertificate(X509Certificate x509Certificate) {
        boolean[] keyUsageBits = x509Certificate.getKeyUsage();
        if (keyUsageBits != null) {
            for (int bit = 0; bit < keyUsageBits.length; bit++) {
                if (keyUsageBits[bit]) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Reports whether the certificate is a CA certificate, i.e. whether
     * {@code getBasicConstraints()} returns something other than -1.
     *
     * <p>Any exception is logged and answered with {@code false}.
     */
    public static boolean isCaCertificate(X509Certificate x509Certificate) {
        try {
            int pathLengthConstraint = x509Certificate.getBasicConstraints();
            return pathLengthConstraint != -1;
        } catch (Exception e) {
            LOGGER.log(Level.WARNING, "Encountered exception while determining if cert is a CA cert. Returning false.", (Throwable) e);
            return false;
        }
    }

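    /**
     * Probes the KeyChain with an empty alias and infers the lock state from the outcome.
     *
     * <p>The state is derived from the text of the KeyChainException message, which is brittle:
     * a message without "LOCKED", or no message at all, is reported as unlocked.
     *
     * @param context the Android context used for the KeyChain call
     * @return {@code false} if the exception message contains "LOCKED", or if the call fails
     *     with IllegalStateException or is interrupted; {@code true} otherwise
     */
    public static boolean isKeyChainUnlocked(Context context) {
        try {
            KeyChain.getCertificateChain(context, "");
        } catch (KeyChainException e) {
            // getMessage() may be null; treat that as an unrecognised message instead of
            // failing with NullPointerException.
            String rawMessage = e.getMessage();
            String message = rawMessage == null ? "" : rawMessage.toUpperCase(Locale.US);
            if (message.contains(LOCKED_KEYSTORE_MSG)) {
                return false;
            }
            if (message.contains(LACKS_PERMISSION_MSG)) {
                // A permission error means the store answered, so it is not locked.
                return true;
            }
        } catch (IllegalStateException unused) {
            return false;
        } catch (InterruptedException interrupted) {
            // Restore the interrupt flag so callers further up can still observe it.
            Thread.currentThread().interrupt();
            return false;
        }
        return true;
    }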

    /**
     * Loads the key store held in {@code scepCertificateState.certStoreBlob}, using the type
     * named by {@code CertificateProvisioning.TYPE_PKCS12}.
     *
     * <p>The password array is not cleared here; the caller owns it and should zero it once
     * the key store is no longer needed.
     *
     * @param cArr the key store password
     */
    public static KeyStore loadKeyStore(ScepCertificateState scepCertificateState, char[] cArr) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore pkcs12Store = KeyStore.getInstance(CertificateProvisioning.TYPE_PKCS12);
        try (ByteArrayInputStream storeBytes = new ByteArrayInputStream(scepCertificateState.certStoreBlob)) {
            pkcs12Store.load(storeBytes, cArr);
            return pkcs12Store;
        }
    }

    /**
     * Logs, at FINE level, one line made of {@code str} followed by each certificate's alias
     * and whatever chain thumbprints ("i:") and EKU OIDs ("eku:") it has already computed.
     *
     * <p>Only cached values are printed; nothing is computed for the log line.
     */
    private static void logCertificates(String str, List<LazyCertificateInfo> list) {
        StringBuilder line = new StringBuilder(str);
        for (LazyCertificateInfo info : list) {
            line.append(" ").append(info.scepCert.alias).append("[");
            if (info.chainThumbPrints != null) {
                line.append("i:").append(StringUtils.join(info.chainThumbPrints, ",")).append(";");
            }
            if (info.extendedKeyUsage != null) {
                line.append("eku:").append(StringUtils.join(info.extendedKeyUsage, ","));
            }
            line.append("]");
        }
        LOGGER.fine(line.toString());
    }

    /**
     * Normalises a thumbprint to contiguous upper-case hex: whitespace-separated tokens are
     * concatenated, and a one-character token is left-padded with "0".
     *
     * <p>The input is not checked for being hexadecimal; other characters pass through.
     *
     * @param str the thumbprint, possibly with whitespace between bytes
     * @return the normalised thumbprint, or {@code null} when {@code str} is null
     */
    public static String normalizeThumbPrint(String str) {
        if (str == null) {
            return null;
        }
        StringBuilder normalized = new StringBuilder();
        for (StringTokenizer tokens = new StringTokenizer(str); tokens.hasMoreTokens(); ) {
            String byteText = tokens.nextToken();
            normalized.append(byteText.length() == 1 ? "0" + byteText : byteText);
        }
        return normalized.toString().toUpperCase(Locale.US);
    }

    /**
     * Applies {@code normalizeThumbPrint} to every element, preserving order.
     *
     * @return a new list of normalised thumbprints, or {@code null} when {@code list} is null
     */
    public static List<String> normalizeThumbPrintList(List<String> list) {
        if (list == null) {
            return null;
        }
        List<String> normalized = new ArrayList<>(list.size());
        for (String thumbPrint : list) {
            normalized.add(normalizeThumbPrint(thumbPrint));
        }
        return normalized;
    }

    /**
     * Wraps each certificate in a {@link LazyCertificateInfo}, preserving order. Nothing is
     * decoded at this point.
     */
    private static LazyCertificateInfo[] prepareCertificates(List<ScepCertificate> list) throws OMADMException {
        LazyCertificateInfo[] wrapped = new LazyCertificateInfo[list.size()];
        int slot = 0;
        while (slot < list.size()) {
            wrapped[slot] = new LazyCertificateInfo(list.get(slot));
            slot++;
        }
        return wrapped;
    }

    /**
     * Splits the candidates into those that pass {@code checkFilterAllowsCert} and those that
     * do not, logs both groups at FINE level, and returns the accepted certificates.
     *
     * @throws OMADMException if a certificate cannot be decoded while it is being filtered
     */
    private static List<ScepCertificate> restrictClientCertificateList(LazyCertificateInfo[] lazyCertificateInfoArr, CertSearchCriteria certSearchCriteria) throws OMADMException {
        List<ScepCertificate> accepted = new ArrayList<>();
        List<LazyCertificateInfo> matched = new ArrayList<>();
        List<LazyCertificateInfo> excluded = new ArrayList<>();
        for (LazyCertificateInfo candidate : lazyCertificateInfoArr) {
            if (!checkFilterAllowsCert(candidate, certSearchCriteria)) {
                excluded.add(candidate);
                continue;
            }
            matched.add(candidate);
            accepted.add(candidate.scepCert);
        }
        logCertificates(MessageFormat.format("{0} cert(s) matched criteria:", Integer.valueOf(matched.size())), matched);
        logCertificates(MessageFormat.format("{0} cert(s) excluded by criteria:", Integer.valueOf(excluded.size())), excluded);
        return accepted;
    }

    /**
     * Picks the preferred non-expired certificate: the highest {@code getWeight()} wins, and
     * among equal weights the latest {@code notBefore} date wins.
     *
     * <p>Selection considers only the validity window and the presence of revocation pointers
     * (CDP/OCSP); it applies no EKU or issuer filter and does not validate the chain.
     *
     * @return the chosen certificate, or {@code null} when every candidate is expired or the
     *     list is empty
     * @throws OMADMException if a certificate cannot be decoded
     */
    public static ScepCertificate simpleSelectClientCertificate(List<ScepCertificate> list) throws OMADMException {
        LazyCertificateInfo best = null;
        for (LazyCertificateInfo candidate : prepareCertificates(list)) {
            if (candidate.isExpired()) {
                continue;
            }
            if (best == null || best.isWorseThan(candidate)) {
                best = candidate;
            }
        }
        return best == null ? null : best.scepCert;
    }

    /**
     * Variant of {@code getAia} that answers {@code null} instead of throwing
     * {@link OMADMException}. Runtime exceptions are not intercepted.
     */
    private static AuthorityInformationAccess tryGetAia(X509Certificate x509Certificate) {
        AuthorityInformationAccess aia = null;
        try {
            aia = getAia(x509Certificate);
        } catch (OMADMException unused) {
            // An unreadable AIA extension is reported to the caller as "no AIA".
        }
        return aia;
    }

    /**
     * Looks up the alias of the root certificate in the "AndroidCAStore" key store.
     *
     * <p>Despite the "try" prefix this method throws. Every failure, including a certificate
     * blob that does not parse, is reported with the same "Could not open Android CA cert
     * store." message, so the wrapped cause is needed to tell the cases apart.
     *
     * @return the alias, or {@code null} when the certificate is not in the store
     * @throws OMADMException if the store cannot be opened or the certificate cannot be parsed
     */
    public static String tryGetCAAliasFromCertificate(RootCertificateState rootCertificateState) throws OMADMException {
        try {
            KeyStore androidCaStore = KeyStore.getInstance("AndroidCAStore");
            androidCaStore.load(null, null);
            X509Certificate root = generateX509Certificate(rootCertificateState.certBlob);
            return androidCaStore.getCertificateAlias(root);
        } catch (Exception e) {
            throw new OMADMException("Could not open Android CA cert store.", e);
        }
    }
}
