package com.microsoft.omadm.platforms.safe.certmgr;

import android.app.enterprise.CertificateInfo;
import android.app.enterprise.SecurityPolicy;
import android.security.KeyChainException;
import com.microsoft.omadm.Services;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager;
import com.microsoft.omadm.platforms.android.certmgr.data.RootCertificateState;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificate;
import com.microsoft.omadm.platforms.android.certmgr.data.ScepCertificateState;
import com.microsoft.omadm.platforms.safe.policy.EnterpriseDeviceManagerFactory;
import com.microsoft.omadm.platforms.safe.policy.SafePolicyManager;
import com.microsoft.omadm.utils.CertUtils;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.inject.Inject;

/* loaded from: classes.dex */
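/**
 * Certificate store manager for devices that expose the Samsung SAFE/Knox enterprise API
 * ({@code android.app.enterprise}).
 *
 * <p>Install, lookup and removal go through the injected {@link ISafeCertificateOperations}.
 * Root (CA) certificates reported by that API are additionally cross-checked, by thumbprint,
 * against the platform {@code AndroidCAStore} key store loaded in {@link #create()}: a root
 * certificate is only reported as present when both sources agree. User certificate lookups
 * are not cross-checked; they fall back to the superclass implementation when the enterprise
 * API returns nothing usable.
 *
 * <p>Most operations are best-effort: failures are logged and reported as {@code false} or
 * {@code null} rather than thrown, so callers must check return values.
 *
 * <p>{@code androidCAStore} and {@code certStateData} are not declared in this class; they are
 * inherited members.
 */
public final class SafeCertificateStoreManager extends AbstractCertificateStoreManager {
    private final Logger logger = Logger.getLogger(SafeCertificateStoreManager.class.getName());

    @Inject
    ISafeCertificateOperations operations;

    @Inject
    SafeCertStorePasswords passwords;

    @Inject
    SafePolicyManager policyManager;

    /**
     * Builds a manager, injects its dependencies and loads the {@code AndroidCAStore} key store.
     *
     * @return a manager whose {@code androidCAStore} has been loaded
     * @throws OMADMException if the key store cannot be obtained or loaded
     */
    public static SafeCertificateStoreManager create() throws OMADMException {
        SafeCertificateStoreManager manager = new SafeCertificateStoreManager();
        Services.injectMember(manager);
        try {
            manager.androidCAStore = KeyStore.getInstance("AndroidCAStore");
            // AndroidCAStore takes no input stream and no password.
            manager.androidCAStore.load(null, null);
            return manager;
        } catch (Exception e) {
            // The rethrown exception carries only the message text, so log the original here to
            // keep its type and stack trace available for diagnosis.
            manager.logger.log(Level.SEVERE, "Cannot read the android CA store", (Throwable) e);
            throw new OMADMException("Cannot read the android CA store, " + e.getMessage());
        }
    }

    /**
     * Reports whether an X.509 certificate with the given thumbprint is present in the
     * {@code AndroidCAStore} key store.
     *
     * <p>Entries whose thumbprint cannot be computed are logged and skipped. A key store access
     * failure is logged and treated as "not installed".
     *
     * @param thumbprint thumbprint to look for
     * @return {@code true} if a matching entry exists, {@code false} otherwise or on error
     */
    private boolean isCertificateCorrectlyInstalled(String thumbprint) {
        // NOTE(review): the comparison is an exact String.equals, so it presumably relies on the
        // caller's thumbprint using the same encoding and letter case as
        // CertUtils.getThumbPrint -- confirm, because a mismatch makes getRootCertificate remove
        // the certificate from the enterprise store.
        try {
            Enumeration<String> aliases = this.androidCAStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate certificate = this.androidCAStore.getCertificate(alias);
                if (!(certificate instanceof X509Certificate)) {
                    continue;
                }
                try {
                    if (thumbprint.equals(CertUtils.getThumbPrint(certificate))) {
                        return true;
                    }
                } catch (OMADMException e) {
                    this.logger.log(Level.WARNING, "Failed to compute thumbprint for alias " + alias, (Throwable) e);
                }
            }
        } catch (KeyStoreException e) {
            this.logger.log(Level.WARNING, "Failed to access Android key store", (Throwable) e);
        }
        return false;
    }

    /** Attempts to remove every user certificate described by {@code certificates}. */
    private void tryRemoveUserCertificates(List<ScepCertificateState> certificates) {
        for (ScepCertificateState state : certificates) {
            tryRemoveUserCertificate(new ScepCertificate(state));
        }
    }

    /**
     * Delegates to {@link SafePolicyManager#setEnableCredentialStorage()}.
     *
     * @throws OMADMException if the policy manager reports a failure
     */
    public void enableCredentialStorage() throws OMADMException {
        this.policyManager.setEnableCredentialStorage();
    }

    /**
     * Returns the alias under which the given root certificate is installed.
     *
     * <p>The alias reported by the enterprise API is only returned when a certificate with the
     * same thumbprint is also present in {@code AndroidCAStore}.
     *
     * @param rootCertificateState root certificate to look up; its {@code thumbPrint} is used
     * @return the alias reported by the enterprise API, or {@code null} if the certificate is not
     *     confirmed in {@code AndroidCAStore} or any error occurs
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager
    protected String getExistingCertificateAlias(RootCertificateState rootCertificateState) throws OMADMException {
        try {
            String alias = this.operations.getInstalledCertificateAlias("CACERT_", rootCertificateState.thumbPrint);
            if (isCertificateCorrectlyInstalled(rootCertificateState.thumbPrint)) {
                return alias;
            }
            return null;
        } catch (EnterpriseDeviceManagerFactory.IllegalEdmStateException e) {
            this.logger.log(Level.SEVERE, "Failed to get instance of knox EnterpriseDeviceManager.", (Throwable) e);
            return null;
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Caught exception while trying to retrieve existing CA certificate alias.", (Throwable) e);
            return null;
        }
    }

    /**
     * Looks up a root certificate by alias.
     *
     * <p>If the enterprise API does not know the alias, the superclass lookup is used. If it
     * does, the certificate is returned only when its thumbprint is also found in
     * {@code AndroidCAStore}; otherwise the entry is removed from the enterprise store and
     * {@code null} is returned.
     *
     * @param str certificate alias
     * @return the certificate, or {@code null} if it is missing, not X.509, failed the
     *     cross-check, or an error occurred
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public X509Certificate getRootCertificate(String str) {
        try {
            CertificateInfo info = this.operations.getInstalledCertificateInfo(str);
            if (info == null) {
                this.logger.info(MessageFormat.format("Certificate ''{0}'' not found via knox SecurityPolicy, attempting to fallback to native.", str));
                return super.getRootCertificate(str);
            }
            Certificate certificate = info.getCertificate();
            if (!(certificate instanceof X509Certificate)) {
                return null;
            }
            if (isCertificateCorrectlyInstalled(CertUtils.getThumbPrint(certificate))) {
                // Return the exact object whose thumbprint was just verified instead of asking
                // the CertificateInfo for the certificate a second time.
                return (X509Certificate) certificate;
            }
            // The two stores disagree: drop the enterprise-store entry so the certificate is not
            // reported as installed while it is absent from AndroidCAStore.
            this.logger.warning("Root certificate " + str + " visible to knox but not to the user. Removing the certificate from knox.");
            if (!this.operations.removeCACertificate(str)) {
                this.logger.warning("Failed to remove user certificate from device, cert: " + str);
            }
            return null;
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Failed to get root certificate from device, cert: " + str, (Throwable) e);
            return null;
        }
    }

    /**
     * Looks up a user certificate by alias, preferring the enterprise API.
     *
     * <p>Falls back to the superclass lookup when the enterprise API returns no entry, returns a
     * non-X.509 certificate, or is unavailable. No {@code AndroidCAStore} cross-check is done
     * here.
     *
     * @param str certificate alias
     * @return the certificate from the enterprise API, else whatever the superclass returns
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public X509Certificate getUserCertificate(String str) {
        X509Certificate found = null;
        try {
            CertificateInfo info = this.operations.getInstalledCertificateInfo(str);
            if (info != null) {
                Certificate certificate = info.getCertificate();
                if (certificate instanceof X509Certificate) {
                    found = (X509Certificate) certificate;
                } else {
                    this.logger.warning("Certificate returned from knox SecurityPolicy was not an X509Certificate.");
                }
            }
        } catch (EnterpriseDeviceManagerFactory.IllegalEdmStateException e) {
            this.logger.log(Level.WARNING, "Unable to read user certificate using knox EDM: " + e.getMessage());
        }
        if (found != null) {
            return found;
        }
        this.logger.info(MessageFormat.format("Certificate ''{0}'' not found via knox SecurityPolicy, attempting to fallback to native.", str));
        return super.getUserCertificate(str);
    }

    /**
     * Installs a root certificate under its default display name.
     *
     * <p>On success {@code rootCertificateState.alias} is set to that display name.
     *
     * @param rootCertificateState certificate blob and display name to install
     * @return {@code true} if the enterprise API reported success, {@code false} otherwise
     */
    public boolean installRootCert(RootCertificateState rootCertificateState) {
        boolean installed = false;
        try {
            if (this.operations.installCertificate("CERT", rootCertificateState.certBlob, rootCertificateState.defaultDisplayName, null)) {
                rootCertificateState.alias = rootCertificateState.defaultDisplayName;
                installed = true;
            } else {
                this.logger.warning("Install CA certificate returned unsuccessfully; cert store status: " + SafePolicyManager.getSecurityPolicy().getCredentialStorageStatus());
            }
        } catch (Exception e) {
            // Log the name actually passed to installCertificate; the alias field is only
            // assigned by this method after a successful install.
            this.logger.log(Level.SEVERE, "Failed to install certificate with alias " + rootCertificateState.defaultDisplayName, (Throwable) e);
        }
        return installed;
    }

    /**
     * Installs a user certificate from its PKCS#12 blob.
     *
     * <p>The blob reference is cleared from {@code scepCertificateState} once the install
     * succeeds. On failure it is left in place, so the caller still holds the key material.
     *
     * @param scepCertificateState PKCS#12 blob and alias to install
     * @return {@code true} if the enterprise API reported success, {@code false} otherwise
     */
    public boolean installUserCert(ScepCertificateState scepCertificateState) {
        boolean installed = false;
        try {
            SecurityPolicy securityPolicy = SafePolicyManager.getSecurityPolicy();
            this.logger.fine("Trying to install user certificate; cert store status: " + securityPolicy.getCredentialStorageStatus());
            // NOTE(review): the PKCS#12 entry password is handed over as a String, which cannot
            // be zeroed after use; it must never be added to any of the log messages below.
            if (this.operations.installCertificate("PKCS12", scepCertificateState.certStoreBlob, scepCertificateState.alias, this.passwords.getEntryPasswordString())) {
                scepCertificateState.certStoreBlob = null;
                installed = true;
            } else {
                this.logger.severe("Failed to install user certificate with alias " + scepCertificateState.alias + "; cert store status: " + securityPolicy.getCredentialStorageStatus());
            }
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Failed to install user certificate with alias " + scepCertificateState.alias, (Throwable) e);
        }
        return installed;
    }

    /**
     * Reports whether credential storage is ready for use.
     *
     * @return {@code true} when the credential storage status equals 1
     * @throws OMADMException if the security policy cannot be obtained
     */
    public boolean isStorageReady() throws OMADMException {
        // NOTE(review): 1 is the only status treated as ready; the symbolic constant is not
        // visible in this file -- confirm against the SecurityPolicy API.
        int status = SafePolicyManager.getSecurityPolicy().getCredentialStorageStatus();
        if (status == 1) {
            return true;
        }
        this.logger.warning("Keystore not ready. CredentialStorageStatus: " + status);
        return false;
    }

    /**
     * Fills {@code scepCertificate.certBlob} with the encoded user certificate for its alias.
     *
     * <p>Falls back to the superclass implementation when no certificate is found or it cannot
     * be encoded.
     *
     * @param scepCertificate certificate record to populate; its {@code alias} is used
     * @return {@code true} if the blob was populated here, else the superclass result
     * @throws KeyChainException declared by the overridden method
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public boolean loadUserCertificate(ScepCertificate scepCertificate) throws KeyChainException {
        try {
            X509Certificate userCertificate = getUserCertificate(scepCertificate.alias);
            if (userCertificate != null) {
                scepCertificate.certBlob = userCertificate.getEncoded();
                return true;
            }
        } catch (CertificateEncodingException e) {
            this.logger.log(Level.SEVERE, "Failed to encode certificate with alias " + scepCertificate.alias, (Throwable) e);
        }
        return super.loadUserCertificate(scepCertificate);
    }

    /**
     * Attempts to remove one CA certificate by alias. Failures are logged, never thrown.
     *
     * @param rootCertificateState certificate to remove; its {@code alias} is used
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public void tryRemoveCACertificate(RootCertificateState rootCertificateState) {
        try {
            this.logger.fine("Removing CA certificate with alias " + rootCertificateState.alias);
            if (this.operations.removeCACertificate(rootCertificateState.alias)) {
                return;
            }
            this.logger.warning("Failed to remove CA certificate from device, cert: " + rootCertificateState.alias);
        } catch (EnterpriseDeviceManagerFactory.IllegalEdmStateException e) {
            this.logger.log(Level.SEVERE, "Failed to get instance of knox EnterpriseDeviceManager.", (Throwable) e);
        } catch (Exception e) {
            // Same "cert: <alias>" form as the warning above, so both failures match one search.
            this.logger.log(Level.SEVERE, "Failed to remove CA certificate from device, cert: " + rootCertificateState.alias, (Throwable) e);
        }
    }

    /** Attempts to remove every root certificate recorded in {@code certStateData}. */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public void tryRemoveCACertificates() {
        try {
            for (RootCertificateState state : this.certStateData.getAllRootCertificates()) {
                tryRemoveCACertificate(state);
            }
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Failed to remove ca certificates from device", (Throwable) e);
        }
    }

    /**
     * Attempts to remove one user certificate by alias. Failures are logged, never thrown.
     *
     * @param scepCertificate certificate to remove; its {@code alias} is used
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public void tryRemoveUserCertificate(ScepCertificate scepCertificate) {
        try {
            this.logger.fine("Removing user certificate with alias " + scepCertificate.alias);
            if (this.operations.removeUserCertificate(scepCertificate.alias)) {
                return;
            }
            this.logger.warning("Failed to remove user certificate from device, cert: " + scepCertificate.alias);
        } catch (EnterpriseDeviceManagerFactory.IllegalEdmStateException e) {
            this.logger.log(Level.SEVERE, "Failed to get instance of knox EnterpriseDeviceManager.", (Throwable) e);
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Failed to remove user certificate from device, cert: " + scepCertificate.alias, (Throwable) e);
        }
    }

    /** Attempts to remove every user certificate recorded in {@code certStateData}. */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public void tryRemoveUserCertificates() {
        try {
            tryRemoveUserCertificates(this.certStateData.getAllUserCertificates());
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, "Failed to remove user certificates from device", (Throwable) e);
        }
    }

    /**
     * Attempts to remove the user certificates that {@code certStateData} returns for the given
     * user identifier.
     *
     * @param l user identifier passed to {@code getAllUserCertificates}
     */
    @Override // com.microsoft.omadm.platforms.android.certmgr.AbstractCertificateStoreManager, com.microsoft.omadm.platforms.ICertificateStoreManager
    public void tryRemoveUserCertificates(Long l) {
        try {
            tryRemoveUserCertificates(this.certStateData.getAllUserCertificates(l));
        } catch (Exception e) {
            this.logger.log(Level.SEVERE, MessageFormat.format("Failed to remove user certificates from device, User: {0}", l), (Throwable) e);
        }
    }
}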
