package nl.aeteurope.mpki.secureelement;

import android.app.Activity;
import com.aet.android.client.javaprovider.AETProvider;
import com.aet.android.client.javaprovider.InvalidOrMissingConfigurationException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import javax.crypto.BadPaddingException;
import nl.aeteurope.mpki.AETException;
import nl.aeteurope.mpki.CertificateSource;
import nl.aeteurope.mpki.CertificateType;
import nl.aeteurope.mpki.Constants;
import nl.aeteurope.mpki.ErrorCode;
import nl.aeteurope.mpki.ExtendedCertificate;
import nl.aeteurope.mpki.Logger;
import nl.aeteurope.mpki.backendclient.BackendClientFactory;
import nl.aeteurope.mpki.backendclient.DefaultBackendClientFactory;
import nl.aeteurope.mpki.enrollment.CertificateMetadata;
import nl.aeteurope.mpki.identity.CertificateWithPrivateKeyReference;
import nl.aeteurope.mpki.util.CertificateHelper;
import nl.aeteurope.mpki.workflow.MissingIdentityException;
import nl.aeteurope.mpki.workflow.PinState;
import org.spongycastle.cert.X509CertificateHolder;
import org.spongycastle.cms.CMSException;
import org.spongycastle.cms.CMSProcessableByteArray;
import org.spongycastle.cms.CMSSignedData;
import org.spongycastle.cms.CMSSignedDataGenerator;
import org.spongycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.spongycastle.jce.provider.BouncyCastleProvider;
import org.spongycastle.operator.ContentSigner;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
import org.spongycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/* loaded from: classes.dex */
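/**
 * {@link SecureElement} implementation backed by a physical smartcard that is
 * reached through the A.E.T. SafeSign {@link AETProvider}.
 *
 * <p>Key material never leaves the card. The provider exposes it as a JCA
 * {@link KeyStore} named {@link #SMARTCARD_KEYSTORE_NAME}, and the user's PIN is
 * handed to {@link KeyStore#load(java.io.InputStream, char[])} as the keystore
 * password. The card reports a remaining-retry counter through
 * {@link AETProvider#getRetryPinCount()} (see {@link #getPinState()}); because a
 * load presumably verifies the PIN against the card, this class loads the
 * keystore exactly once per operation and never retries on its own.
 *
 * <p>NOTE(review): {@link #setSSLProvider()} and {@link #restoreSSLProvider()}
 * mutate the process-wide {@link Security} provider list. That is neither
 * thread-safe nor scoped to this object; every crypto/TLS call in the process
 * sees the smartcard provider at position 1 while it is installed. Keep the
 * window short and always pair the two calls in a {@code try}/{@code finally}.
 */
public class SmartCardSecureElement extends BaseSecureElement {
    private static final String AET_LEGAL_STATEMENT = "I am A.E.T. Europe B.V. SafeSign or BlueX approved software.";
    private static final String ANDROID_OPEN_SSL_PROVIDER = "AndroidOpenSSL";
    private static final String CONCENTID_SAFESING_IDENTITY = "1d05fa2217cdff275a82429bdc22b98bf8aa92ee4500a748015af259b53468ba";
    private static final String LOG = SmartCardSecureElement.class.getSimpleName();
    public static final String SMARTCARD_KEYSTORE_NAME = "RecoveryKeyStore";
    private static final String STATEMENT = "STATEMENT";
    private static final String UID = "UID";
    /** Platform TLS provider captured at construction so it can be re-installed after a smartcard operation; may be null if absent. */
    private final Provider androidOpenSSLProvider = Security.getProvider(ANDROID_OPEN_SSL_PROVIDER);
    private final Logger logger;
    /** The SafeSign JCA provider; null only if {@link AETProvider#getInstance} returned null. */
    private Provider provider;

    /**
     * Initialises the SafeSign provider for the application context.
     *
     * @param activity used only to obtain the application context
     * @param logger   sink for diagnostic messages
     * @throws AETException             if the SafeSign library rejects the UID/STATEMENT configuration
     * @throws MissingIdentityException for any other failure, reported as {@link MissingIdentityException#NOT_CONNECTED}
     */
    public SmartCardSecureElement(Activity activity, Logger logger) throws MissingIdentityException, AETException {
        this.logger = logger;
        try {
            // The SafeSign library requires these two properties to identify the calling application.
            Properties properties = new Properties();
            properties.setProperty(UID, CONCENTID_SAFESING_IDENTITY);
            properties.setProperty(STATEMENT, AET_LEGAL_STATEMENT);
            this.provider = AETProvider.getInstance(properties, activity.getApplicationContext());
        } catch (InvalidOrMissingConfigurationException e) {
            logger.e(LOG, "unable to instantiate the AETProvider due to an InvalidOrMissingConfigurationException", e);
            throw new AETException(ErrorCode.AET_ERROR_SMARTCARD_INVALID_SAFESIGN_CONFIGURATION);
        } catch (Exception e) {
            // Anything else (reader/card not reachable, library failure) is reported as "not connected".
            logger.e(LOG, "Exception occurred instantiating the AETProvider...", e);
            throw new MissingIdentityException(MissingIdentityException.NOT_CONNECTED);
        }
    }

    /**
     * Enumerates every X.509 certificate on the card and wraps it as an
     * {@link ExtendedCertificate} tagged {@code SMART_NOT_PRE_ENROLLED} / {@code SMARTCARD}.
     *
     * <p>Uses {@link #loadKeyStore(char[])} directly (not {@link #getKeyStore(char[])}) so a
     * wrong PIN reaches the caller as the checked {@link IncorrectPasswordException}
     * rather than wrapped in a {@link RuntimeException}.
     *
     * @param pin the card PIN, or null to attempt a load without one
     * @return the certificates found; empty if the card holds none
     * @throws IncorrectPasswordException if the PIN is rejected, or if the keystore refuses enumeration afterwards
     * @throws MissingIdentityException   if the provider/card is unavailable
     */
    private List<ExtendedCertificate> getExtendedCertificatesFromSmartcard(char[] pin) throws MissingIdentityException, IncorrectPasswordException {
        List<ExtendedCertificate> result = new ArrayList<>();
        this.logger.d(LOG, "executing getExtendedCertificates for smartCard");
        try {
            KeyStore keyStore = loadKeyStore(pin);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                // Fetch once; the original called getCertificate() twice per alias.
                java.security.cert.Certificate cert = keyStore.getCertificate(alias);
                if (!(cert instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate x509 = (X509Certificate) cert;
                String subject = x509.getSubjectDN().getName();
                this.logger.d(LOG, "found certificate " + subject + " adding it to the result");
                result.add(new ExtendedCertificate(x509, new CertificateMetadata(
                        CertificateHelper.generateCertificateHash(x509),
                        CertificateType.SMART_NOT_PRE_ENROLLED,
                        CertificateSource.SMARTCARD,
                        subject,
                        CertificateHelper.getBase64EncodedCertificate(x509))));
            }
            return result;
        } catch (KeyStoreException e) {
            // Kept as IncorrectPasswordException for caller compatibility; the cause is no longer dropped silently.
            this.logger.e(LOG, "KeyStoreException while enumerating smartcard certificates, reporting as incorrect password", e);
            throw new IncorrectPasswordException();
        }
    }

    /**
     * Opens the SafeSign keystore with the given PIN.
     *
     * <p>The keystore is loaded exactly once. The previous implementation loaded it
     * twice (an unconditional load followed by a second one), which for a correct PIN
     * verified the PIN against the card a second time for no benefit.
     *
     * @param pin the card PIN, or null
     * @return the loaded keystore
     * @throws IncorrectPasswordException if the provider reports an {@link UnrecoverableKeyException}
     *                                    or {@link BadPaddingException} as the cause of the load failure
     * @throws MissingIdentityException   if the provider is absent or the load fails for another I/O reason
     * @throws RuntimeException           for any other (unexpected) failure, with the original as cause
     */
    private KeyStore loadKeyStore(char[] pin) throws IncorrectPasswordException, MissingIdentityException {
        try {
            KeyStore keyStore = KeyStore.getInstance(SMARTCARD_KEYSTORE_NAME, getProvider().getName());
            keyStore.load(null, pin);
            return keyStore;
        } catch (IOException e) {
            Throwable cause = e.getCause();
            if (cause instanceof UnrecoverableKeyException || cause instanceof BadPaddingException) {
                // Both are how the provider signals a rejected PIN. Do not log the exception
                // at error level here: a wrong PIN is an expected user error, not a fault.
                this.logger.d(LOG, "keystore load rejected the PIN");
                throw new IncorrectPasswordException();
            }
            throw new MissingIdentityException("Unable to load the keyStore", e);
        } catch (NoSuchProviderException e) {
            throw new MissingIdentityException("smartCard not present", e);
        } catch (MissingIdentityException e) {
            throw e;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** {@inheritDoc} Smartcard identities talk to the default backend. */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public BackendClientFactory getBackendClientFactory() {
        return new DefaultBackendClientFactory();
    }

    /**
     * Not supported for smartcards: the card cannot be read without a PIN, so this
     * always returns null. Use {@link #getExtendedCertificates(char[])} instead.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public X509Certificate getCertificate(String str) {
        return null;
    }

    /**
     * Lists the certificates on the card with the smartcard provider temporarily
     * installed as the preferred JCA provider; the provider list is restored even
     * if enumeration fails.
     *
     * @param pin the card PIN
     * @throws IncorrectPasswordException if the PIN is rejected
     * @throws MissingIdentityException   if the card/provider is unavailable
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public List<ExtendedCertificate> getExtendedCertificates(char[] pin) throws MissingIdentityException, IncorrectPasswordException {
        setSSLProvider();
        try {
            return getExtendedCertificatesFromSmartcard(pin);
        } finally {
            restoreSSLProvider();
        }
    }

    /**
     * Interface entry point for the keystore. The {@link SecureElement} signature does
     * not declare {@link IncorrectPasswordException}, so a rejected PIN is surfaced as a
     * {@link RuntimeException} whose cause is the {@link IncorrectPasswordException}.
     * Code inside this class should call {@link #loadKeyStore(char[])} instead to keep
     * the checked exception.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public KeyStore getKeyStore(char[] pin) throws MissingIdentityException {
        try {
            return loadKeyStore(pin);
        } catch (IncorrectPasswordException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Maps the card's remaining PIN retry counter to a {@link PinState}:
     * 0 → {@code BLOCKED}, 1 → {@code LAST_ATTEMPT}, anything else ≥ 2 → {@code CORRECT}.
     *
     * @throws MissingIdentityException if the provider is absent, or reports -1
     *                                  (which the SafeSign library uses to signal an internal problem)
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public PinState getPinState() throws MissingIdentityException {
        int retries = ((AETProvider) getProvider()).getRetryPinCount();
        if (retries == -1) {
            this.logger.d(LOG, "SafeSign is returning -1 for pinTries, meaning there is an issues with the AETProvider library for SafeSign");
            throw new MissingIdentityException("Unable to determine the pinstate of the smartcard");
        }
        switch (retries) {
            case 0:
                return PinState.BLOCKED;
            case 1:
                return PinState.LAST_ATTEMPT;
            default:
                return PinState.CORRECT;
        }
    }

    /**
     * Returns the on-card private key that belongs to {@code x509Certificate}.
     *
     * <p>The previous implementation ignored the certificate argument and returned the
     * first private-key entry it found. On a card holding several key pairs (e.g.
     * authentication and signing) that could sign with a key that does not match the
     * certificate embedded in the resulting PKCS#7. The entry is now matched against
     * the certificate (via the entry's own certificate or the alias's certificate).
     * For backward compatibility a {@code null} certificate still selects the first
     * private-key entry.
     *
     * <p>Called with {@link #loadKeyStore(char[])} rather than {@link #getKeyStore(char[])}
     * so a wrong PIN propagates as the declared {@link IncorrectPasswordException}.
     *
     * @param x509Certificate the certificate whose key is wanted; null selects the first key entry
     * @param pin             the card PIN
     * @return the matching private key handle, or null if no entry matches
     * @throws IncorrectPasswordException if the PIN is rejected, or if reading an entry fails
     *                                    with an exception other than the keystore/algorithm ones below
     * @throws MissingIdentityException   if the provider/card is unavailable or the keystore cannot be read
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public PrivateKey getPrivateKey(X509Certificate x509Certificate, char[] pin) throws IncorrectPasswordException, MissingIdentityException {
        KeyStore keyStore = loadKeyStore(pin);
        try {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!keyStore.isKeyEntry(alias)) {
                    continue;
                }
                KeyStore.Entry entry = keyStore.getEntry(alias, null);
                if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                    continue;
                }
                KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) entry;
                if (x509Certificate == null
                        || x509Certificate.equals(keyEntry.getCertificate())
                        || x509Certificate.equals(keyStore.getCertificate(alias))) {
                    return keyEntry.getPrivateKey();
                }
            }
            return null;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new MissingIdentityException("Cannot retrieve private key for certificate", e);
        } catch (Exception e) {
            // Preserved behaviour: any other failure while reading an entry is treated as a PIN problem.
            this.logger.e(LOG, "Exception occurred retrieving the privateKey from the smartCard, throwing IncorrectPasswordException", e);
            throw new IncorrectPasswordException();
        }
    }

    /**
     * @return the SafeSign provider
     * @throws MissingIdentityException ({@code NOT_CONNECTED}) if the provider was never obtained
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public Provider getProvider() throws MissingIdentityException {
        if (this.provider == null) {
            throw new MissingIdentityException(MissingIdentityException.NOT_CONNECTED);
        }
        return this.provider;
    }

    /**
     * For smartcards the TLS client keystore is the card keystore itself; the
     * certificate reference is not needed to select it.
     *
     * <p>Calls {@link #loadKeyStore(char[])} directly so the declared
     * {@link IncorrectPasswordException} is actually thrown on a wrong PIN instead of
     * the {@link RuntimeException} wrapper produced by {@link #getKeyStore(char[])}.
     */
    @Override // nl.aeteurope.mpki.secureelement.BaseSecureElement, nl.aeteurope.mpki.secureelement.SecureElement
    public KeyStore getSSLKeyStore(CertificateWithPrivateKeyReference certificateWithPrivateKeyReference, char[] pin) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, MissingIdentityException, IncorrectPasswordException {
        return loadKeyStore(pin);
    }

    /**
     * Not supported for smartcards: key presence cannot be checked without a PIN, so
     * this always returns false. Use {@link #getPrivateKey(X509Certificate, char[])}.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public boolean hasPrivateKey(String str) {
        return false;
    }

    /**
     * NOTE(review): this is a stub that reports every PIN as valid without touching
     * the card. Real verification happens as a side effect of
     * {@link #loadKeyStore(char[])} (which throws {@link IncorrectPasswordException}).
     * Callers must not rely on this method as a security check. It is left unchanged
     * here because implementing it via a keystore load would consume a PIN attempt
     * on the card and change the retry behaviour callers currently observe — confirm
     * the intended contract with the workflow code before changing it.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public boolean isValidPin(char[] cArr, CertificateWithPrivateKeyReference certificateWithPrivateKeyReference) throws IncorrectPasswordException, MissingIdentityException {
        return true;
    }

    /**
     * Undoes {@link #setSSLProvider()}: removes the smartcard provider from the global
     * list and re-installs AndroidOpenSSL at position 1.
     *
     * <p>Null-safe: if the provider was never obtained, or AndroidOpenSSL was not present
     * at construction, the corresponding step is skipped instead of throwing from a
     * {@code finally} block (which would mask the real exception).
     *
     * <p>NOTE(review): the "SC" (SpongyCastle) provider removed by
     * {@link #setSSLProvider()} is not re-inserted here, so it stays removed for the
     * rest of the process lifetime. Confirm whether that is intended.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public void restoreSSLProvider() {
        if (this.provider != null) {
            Security.removeProvider(this.provider.getName());
        }
        if (this.androidOpenSSLProvider != null) {
            Security.insertProviderAt(this.androidOpenSSLProvider, 1);
        }
    }

    /**
     * Makes the smartcard provider the preferred JCA provider for the whole process:
     * removes AndroidOpenSSL and SpongyCastle ("SC") and inserts the SafeSign provider
     * at position 1. Must always be paired with {@link #restoreSSLProvider()} in a
     * {@code finally} block.
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public void setSSLProvider() {
        Security.removeProvider(ANDROID_OPEN_SSL_PROVIDER);
        Security.removeProvider("SC");
        Security.insertProviderAt(this.provider, 1);
    }

    /**
     * Produces a CMS/PKCS#7 SignedData over {@code data} using the card-resident key
     * that belongs to the referenced certificate.
     *
     * <p>The signature itself is computed by the SafeSign provider (the key never leaves
     * the card); digesting and CMS encoding are done by BouncyCastle.
     * {@code setDirectSignature(true)} is BouncyCastle's switch for omitting signed
     * attributes, so the signature covers the raw content with no signing-time or
     * message-digest attribute. The signer certificate is embedded and the content is
     * encapsulated ({@code generate(..., true)}).
     *
     * <p>Fix: the provider switch is now wrapped in {@code try}/{@code finally}. Previously
     * any exception between {@link #setSSLProvider()} and {@link #restoreSSLProvider()}
     * (wrong PIN, card removed, CMS failure) left the process-wide provider list with
     * AndroidOpenSSL removed and the smartcard provider at position 1.
     *
     * @param data                               the bytes to sign
     * @param certificateWithPrivateKeyReference the signer certificate reference
     * @param pin                                the card PIN
     * @return the DER-encoded SignedData
     * @throws IncorrectPasswordException if the PIN is rejected
     * @throws MissingIdentityException   if the card/provider is unavailable
     */
    @Override // nl.aeteurope.mpki.secureelement.SecureElement
    public byte[] signPKCS7(byte[] data, CertificateWithPrivateKeyReference certificateWithPrivateKeyReference, char[] pin) throws GeneralSecurityException, CMSException, OperatorCreationException, IOException, MissingIdentityException, IncorrectPasswordException {
        setSSLProvider();
        try {
            X509Certificate signerCert = certificateWithPrivateKeyReference.getCertificate();
            PrivateKey signingKey = getPrivateKey(signerCert, pin);
            ContentSigner contentSigner = new JcaContentSignerBuilder(Constants.SIGNATURE_ALGORITHM)
                    .setProvider(this.provider)
                    .build(signingKey);
            CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
            generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(
                    new JcaDigestCalculatorProviderBuilder().setProvider(new BouncyCastleProvider()).build())
                    .setDirectSignature(true)
                    .build(contentSigner, signerCert));
            generator.addCertificate(new X509CertificateHolder(signerCert.getEncoded()));
            CMSSignedData signedData = generator.generate(new CMSProcessableByteArray(data), true);
            return signedData.getEncoded();
        } finally {
            restoreSSLProvider();
        }
    }
}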
