package nl.aeteurope.mpki;

import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import nl.aeteurope.mpki.enrollment.CertificateMetadata;
import nl.aeteurope.mpki.enrollment.CertificateOrigin;
import nl.aeteurope.mpki.enrollment.EnrollmentStorage;
import nl.aeteurope.mpki.identity.CertificateWithPrivateKeyReference;
import nl.aeteurope.mpki.secureelement.IncorrectPasswordException;
import nl.aeteurope.mpki.secureelement.SecureElement;
import nl.aeteurope.mpki.secureelement.SmartCardUtil;
import nl.aeteurope.mpki.util.CertificateHelper;
import nl.aeteurope.mpki.workflow.CertificateCriteria;
import nl.aeteurope.mpki.workflow.MissingIdentityException;
import org.spongycastle.asn1.ASN1OctetString;
import org.spongycastle.asn1.DEROctetString;
import org.spongycastle.asn1.DERSequence;
import org.spongycastle.asn1.DERTaggedObject;
import org.spongycastle.asn1.DLSequence;
import org.spongycastle.asn1.x509.AuthorityKeyIdentifier;
import org.spongycastle.util.encoders.Base64;

/* loaded from: classes.dex */
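/**
 * Aggregates the certificates held in the software secure element (enrolled
 * identities) and on the currently inserted smartcard, and selects the ones
 * that satisfy a {@link CertificateCriteria} (key usage, extended key usage,
 * issuer key identifier, not disabled/revoked).
 *
 * <p>The class holds no synchronization; if an instance is shared across
 * threads the caller must serialize access. The smartcard PIN passed to
 * {@link #getCertificateWithPrivateKeys} is forwarded as-is and is never
 * cleared here — that remains the caller's responsibility.
 */
public class CertificateStore {
    /** OID of the X.509 AuthorityKeyIdentifier extension (RFC 5280 §4.2.1.1). */
    private static final String AKI_OID = "2.5.29.35";
    private static final String LOG = CertificateStore.class.getSimpleName();
    /**
     * Number of KeyUsage bits defined by RFC 5280. {@link X509Certificate#getKeyUsage()}
     * returns an array of at least this length when the extension is present.
     */
    private static final int KEY_USAGE_BITS = 9;

    private final DomainConfiguration domainConfiguration;
    private final EnrollmentStorage enrollmentStorage;
    private final Logger logger;
    private final SmartCardUtil smartCardUtil;
    private final SecureElement softSecureElement;

    /**
     * @param logger            application logger used for diagnostics
     * @param secureElement     the software ("soft") secure element holding enrolled certificates
     * @param smartCardUtil     accessor for the smartcard secure element; only touched when the
     *                          criteria allow smartcard certificates, so it may legitimately be
     *                          absent in deployments without a card reader (no null check here)
     * @param enrollmentStorage enrollment state; {@code hasEnrolled()} gates the soft element
     * @param domainConfiguration passed through to every {@link CertificateWithPrivateKeyReference}
     */
    public CertificateStore(Logger logger, SecureElement secureElement, SmartCardUtil smartCardUtil, EnrollmentStorage enrollmentStorage, DomainConfiguration domainConfiguration) {
        this.enrollmentStorage = enrollmentStorage;
        this.domainConfiguration = domainConfiguration;
        this.logger = logger;
        this.softSecureElement = secureElement;
        this.smartCardUtil = smartCardUtil;
    }

    /**
     * Keeps only the candidates that satisfy every part of {@code criteria} and are not
     * disabled by their metadata.
     *
     * <p>A candidate whose ExtendedKeyUsage extension cannot be parsed is skipped (and logged)
     * instead of aborting the whole lookup: such a certificate cannot be shown to satisfy the
     * criteria, and one corrupt entry on a smartcard must not make the enrolled soft-element
     * certificates unreachable as well.
     *
     * @param criteria   the selection criteria; a null EKU/KU requirement is treated as "no requirement"
     * @param candidates certificates to filter (not modified)
     * @return a new list, in the candidates' order, containing only the matching entries
     * @throws MissingIdentityException declared for API compatibility; not raised by this method itself
     */
    private List<ExtendedCertificate> filterCertificates(CertificateCriteria criteria, List<ExtendedCertificate> candidates) throws MissingIdentityException {
        List<ExtendedCertificate> matches = new ArrayList<>();
        List<String> requiredEku = criteria.getExtendedKeyUSages();
        for (ExtendedCertificate candidate : candidates) {
            if (isDisabled(candidate.getCertificateMetadata())) {
                continue;
            }
            X509Certificate certificate = candidate.getCertificate();

            List<String> presentEku;
            try {
                List<String> parsed = certificate.getExtendedKeyUsage();
                presentEku = parsed != null ? parsed : Collections.<String>emptyList();
            } catch (CertificateParsingException e) {
                this.logger.i(LOG, "Skipping certificate with unparseable ExtendedKeyUsage extension: " + e);
                continue;
            }
            // NOTE(review): a certificate carrying anyExtendedKeyUsage (2.5.29.37.0) is not
            // treated as satisfying arbitrary EKU requirements here; confirm that is intended.
            boolean ekuOk = requiredEku == null || presentEku.containsAll(requiredEku);

            // No KeyUsage extension means no bits asserted, so every required bit fails.
            boolean[] parsedKu = certificate.getKeyUsage();
            boolean[] presentKu = parsedKu != null ? parsedKu : new boolean[KEY_USAGE_BITS];
            boolean kuOk = matchKeyUsage(presentKu, criteria.getKeyUsages());

            if (ekuOk && kuOk && matchAki(certificate, criteria)) {
                matches.add(candidate);
            }
        }
        return matches;
    }

    /**
     * A certificate is unusable when its metadata flags it as revoked or as (temporarily or
     * permanently) not to be used.
     */
    private boolean isDisabled(CertificateMetadata metadata) {
        return metadata.isDontUse()
                || metadata.isRevoked()
                || metadata.isDontUseTemporarely();
    }

    /**
     * Compares the certificate's AuthorityKeyIdentifier.keyIdentifier with the one demanded by
     * the criteria.
     *
     * @param certificate the candidate certificate
     * @param criteria    criteria whose {@code getAki()} is the base64 encoding of the expected
     *                    raw keyIdentifier octets, or null for "no requirement"
     * @return true when no AKI is required or the key identifiers are equal; false when the
     *         certificate has no AKI extension, the AKI carries no keyIdentifier, the extension is
     *         malformed, or the identifiers differ
     */
    private boolean matchAki(X509Certificate certificate, CertificateCriteria criteria) {
        if (criteria.getAki() == null) {
            return true;
        }
        // A malformed base64 criterion is a caller/configuration error; it is deliberately
        // left outside the catch below so it surfaces instead of reading as "no match".
        byte[] expectedKeyId = Base64.decode(criteria.getAki());
        byte[] extensionValue = certificate.getExtensionValue(AKI_OID);
        if (extensionValue == null) {
            return false;
        }
        try {
            // getExtensionValue() returns the DER OCTET STRING that wraps the extension body
            // (RFC 5280 extnValue); unwrap it, then parse the AuthorityKeyIdentifier inside.
            byte[] akiDer = ASN1OctetString.getInstance(extensionValue).getOctets();
            byte[] actualKeyId = AuthorityKeyIdentifier.getInstance(akiDer).getKeyIdentifier();
            if (actualKeyId == null) {
                // AKI present but only authorityCertIssuer/serialNumber, no keyIdentifier.
                return false;
            }
            // Key identifiers are public values; a constant-time comparison is not required.
            return Arrays.equals(expectedKeyId, actualKeyId);
        } catch (RuntimeException e) {
            // Malformed or unexpected encoding (IllegalArgumentException/ClassCastException from
            // the ASN.1 layer): treat as "does not match" rather than failing the whole lookup.
            this.logger.i(LOG, "AKI didnt match: " + e);
            return false;
        }
    }

    /**
     * Checks that every KeyUsage bit required by the criteria is asserted by the certificate.
     *
     * @param present  the certificate's KeyUsage bits (RFC 5280 order); null or short arrays
     *                 are treated as having no bits set
     * @param required the bits demanded by the criteria; null means no requirement
     * @return false if some required bit is missing (or lies beyond what the certificate
     *         carries), true otherwise
     */
    private boolean matchKeyUsage(boolean[] present, boolean[] required) {
        if (required == null) {
            return true;
        }
        int presentLength = present != null ? present.length : 0;
        for (int i = 0; i < required.length; i++) {
            if (!required[i]) {
                continue;
            }
            if (i >= presentLength || !present[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Parses one X.509 certificate (DER or PEM, as accepted by the platform X.509
     * {@link CertificateFactory}) from the stream.
     *
     * <p>The stream is not closed here; it belongs to the caller. Any
     * {@link CertificateException} — factory unavailable or unparseable input — is mapped to a
     * {@code null} result, so callers must null-check.
     *
     * @param inputStream the certificate bytes
     * @return the parsed certificate, or null when it cannot be parsed
     */
    public static X509Certificate readFromInputStream(InputStream inputStream) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(inputStream);
        } catch (CertificateException ignored) {
            // Contract of this helper: unparseable input yields null, not an exception.
            return null;
        }
    }

    /**
     * Collects the certificates that satisfy {@code criteria}, each paired with a reference to
     * the secure element that holds its private key.
     *
     * <p>Sources are chosen by {@code criteria.getCertificateOrigin()}:
     * <ul>
     *   <li>enrolled (soft-element) certificates are included when enrollment has happened and
     *       the origin is not {@code CURRENT_SMARTCARD};</li>
     *   <li>smartcard certificates are included when the origin is not {@code ENROLLED}; a
     *       smartcard entry whose alias also exists among the enrolled certificates is dropped
     *       in favour of the enrolled one.</li>
     * </ul>
     *
     * @param criteria selection criteria
     * @param cArr     credential handed to the smartcard secure element when it is consulted
     *                 (presumably the card PIN); never read, copied or cleared by this method
     * @return references in source order (enrolled first, then smartcard), possibly empty
     * @throws AETException               propagated from the secure elements
     * @throws MissingIdentityException   propagated from the secure elements / filtering
     * @throws IncorrectPasswordException propagated from the smartcard secure element
     */
    public List<CertificateWithPrivateKeyReference> getCertificateWithPrivateKeys(CertificateCriteria criteria, char[] cArr) throws AETException, MissingIdentityException, IncorrectPasswordException {
        CertificateOrigin origin = criteria.getCertificateOrigin();
        List<ExtendedCertificate> enrolled = new ArrayList<>();
        List<ExtendedCertificate> candidates = new ArrayList<>();

        if (this.enrollmentStorage.hasEnrolled()) {
            // The soft element needs no PIN; enrolled certificates are always loaded so they
            // can shadow smartcard entries with the same alias below.
            enrolled.addAll(this.softSecureElement.getExtendedCertificates(null));
            if (origin != CertificateOrigin.CURRENT_SMARTCARD) {
                candidates.addAll(enrolled);
            }
        }

        if (origin != CertificateOrigin.ENROLLED) {
            List<ExtendedCertificate> onCard = this.smartCardUtil.getSmartCardSecureElement().getExtendedCertificates(cArr);
            this.logger.d(LOG, "Found " + onCard.size() + " number of certificates");
            for (ExtendedCertificate cardCertificate : onCard) {
                String alias = cardCertificate.getCertificateMetadata().getAlias();
                boolean shadowedByEnrolled = CertificateHelper.getExtendedCertificateIndexByAlias(enrolled, alias) >= 0;
                if (!shadowedByEnrolled) {
                    candidates.add(cardCertificate);
                }
            }
        }

        List<CertificateWithPrivateKeyReference> references = new ArrayList<>();
        for (ExtendedCertificate match : filterCertificates(criteria, candidates)) {
            CertificateMetadata metadata = match.getCertificateMetadata();
            // The private key lives wherever the metadata says the certificate came from.
            SecureElement keyHolder = metadata.isSmartcard()
                    ? this.smartCardUtil.getSmartCardSecureElement()
                    : this.softSecureElement;
            references.add(new CertificateWithPrivateKeyReference(
                    this.logger,
                    this.domainConfiguration,
                    match.getCertificate(),
                    keyHolder,
                    metadata.getCertificateType(),
                    metadata.getCertificateSource(),
                    metadata.getAlias(),
                    metadata.getCertificateSubject()));
        }
        return references;
    }

    /** @return the software secure element this store was constructed with */
    public SecureElement getSoftSecureElement() {
        return this.softSecureElement;
    }
}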
