package com.android.server.uwb.secure.provisioning;

import android.util.Log;
import androidx.annotation.NonNull;
import com.android.internal.annotations.VisibleForTesting;
import com.android.server.uwb.data.UwbUciConstants;
import com.android.server.uwb.util.ObjectIdentifier;
import com.android.x.uwb.co.nstant.in.cbor.CborDecoder;
import com.android.x.uwb.co.nstant.in.cbor.CborException;
import com.android.x.uwb.co.nstant.in.cbor.model.Array;
import com.android.x.uwb.co.nstant.in.cbor.model.ByteString;
import com.android.x.uwb.co.nstant.in.cbor.model.DataItem;
import com.android.x.uwb.co.nstant.in.cbor.model.MajorType;
import com.android.x.uwb.co.nstant.in.cbor.model.UnsignedInteger;
import com.android.x.uwb.com.google.common.collect.ImmutableSet;
import com.android.x.uwb.org.bouncycastle.cert.X509CertificateHolder;
import com.android.x.uwb.org.bouncycastle.cms.CMSException;
import com.android.x.uwb.org.bouncycastle.cms.CMSSignedData;
import com.android.x.uwb.org.bouncycastle.cms.SignerInformation;
import com.android.x.uwb.org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import com.android.x.uwb.org.bouncycastle.jce.provider.BouncyCastleProvider;
import com.android.x.uwb.org.bouncycastle.operator.OperatorCreationException;
import com.android.x.uwb.org.bouncycastle.util.Store;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/android/server/uwb/secure/provisioning/ScriptParser.class */
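/**
 * Verifies and decodes a signed UWB provisioning script.
 *
 * <p>The input is a CMS SignedData structure whose encapsulated content is a CBOR sequence of
 * two or three items: a version (unsigned integer), an array of APDUs (byte strings) and an
 * optional ADF OID (byte string). The content is parsed only after at least one signer has
 * been accepted.
 *
 * <p>Trust decision, as implemented below: a signer is accepted when its certificate chains to
 * any entry of the {@code AndroidCAStore} key store and its CMS signature verifies.
 * NOTE(review): nothing in this class pins a provisioning-specific trust anchor or checks key
 * usage / extended key usage, and revocation checking is switched off. Confirm that callers
 * rely on an additional control before the APDUs are sent to the secure element.
 */
public class ScriptParser {
    private static final String LOG_TAG = "ScriptParser";
    private static final int VALID_DATA_ITEM_SIZE_2 = 2;
    private static final int VALID_DATA_ITEM_SIZE_3 = 3;
    private static final int VERSION_INDEX = 0;
    private static final int APDUS_INDEX = 1;
    private static final int ADF_OID_INDEX = 2;
    private static final String FIELD_VERSION = "ver";
    private static final String FIELD_APDUS = "APDUs";
    private static final String FIELD_ADF_OID = "adf_oid";
    private static final String SUB_FIELD_APDU = "APDU";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/android/server/uwb/secure/provisioning/ScriptParser$ScriptContent.class */
    /** Decoded content of a provisioning script. */
    public static class ScriptContent {
        // High byte of the 16-bit version value read from the script.
        final int mMajorVersion;
        // Low byte of the 16-bit version value read from the script.
        final int mMinorVersion;
        // Raw APDUs in the order they appear in the script.
        final List<byte[]> mProvisioningApdus;
        // ADF OID, present only when the script carries a third data item.
        final Optional<ObjectIdentifier> mAdfOid;

        @VisibleForTesting
        ScriptContent(int i, int i2, List<byte[]> list, Optional<ObjectIdentifier> optional) {
            this.mMajorVersion = i;
            this.mMinorVersion = i2;
            this.mProvisioningApdus = list;
            this.mAdfOid = optional;
        }
    }

    /** Static utility class; not instantiable. */
    private ScriptParser() {
    }

    /**
     * Verifies the CMS signature over a provisioning script and parses the signed content.
     *
     * @param bArr the DER/BER encoded CMS SignedData blob
     * @return the decoded script
     * @throws ProvisioningException if the input is empty, is not valid CMS, has no signer that
     *     passes verification, or carries content that is not a well-formed script
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @NonNull
    public static ScriptContent parseSignedScript(@NonNull byte[] bArr) throws ProvisioningException {
        if (bArr == null || bArr.length == 0) {
            throw new ProvisioningException("No script content.");
        }
        // verifyAndExtractScript either returns a present Optional or throws.
        return parseScript(verifyAndExtractScript(bArr).get());
    }

    /**
     * Returns the encapsulated content of the CMS blob once one signer has been accepted.
     *
     * <p>A signer is accepted when a certificate matching its signer id is embedded in the
     * message, that certificate passes {@link #verifyCertAgainstTrustedCas}, and the CMS
     * signature verifies against it. The first accepted signer ends the search.
     *
     * @throws ProvisioningException if no signer is accepted, if the structure cannot be
     *     processed, or if the message carries no encapsulated byte content
     */
    private static Optional<byte[]> verifyAndExtractScript(byte[] bArr) throws ProvisioningException {
        try {
            CMSSignedData signedData = new CMSSignedData(bArr);
            Store<X509CertificateHolder> certificates = signedData.getCertificates();
            // Certificates shipped inside the message; used only as candidate intermediates.
            ImmutableSet<X509Certificate> providedCerts = getAllProvidedCerts(certificates);
            boolean trusted = false;
            for (SignerInformation signer : signedData.getSignerInfos().getSigners()) {
                Collection<X509CertificateHolder> matches = certificates.getMatches(signer.getSID());
                if (matches.isEmpty()) {
                    // The signer's certificate is not embedded, so it cannot be validated.
                    continue;
                }
                X509CertificateHolder signerCertHolder = matches.iterator().next();
                X509Certificate signerCert =
                        (X509Certificate) CertificateFactory.getInstance("X.509")
                                .generateCertificate(
                                        new ByteArrayInputStream(signerCertHolder.getEncoded()));
                // Chain check first, signature second: both must pass for the same signer.
                if (verifyCertAgainstTrustedCas(signerCert, providedCerts)
                        && signer.verify(
                                new JcaSimpleSignerInfoVerifierBuilder()
                                        .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                                        .build(signerCertHolder))) {
                    trusted = true;
                    break;
                }
            }
            if (!trusted) {
                throw new ProvisioningException("the content cannot be trusted.");
            }
            // getSignedContent() is null when the message has no encapsulated content; report
            // that as a provisioning failure instead of letting an unchecked exception escape.
            if (signedData.getSignedContent() == null) {
                throw new ProvisioningException("No script content.");
            }
            Object content = signedData.getSignedContent().getContent();
            if (!(content instanceof byte[])) {
                throw new ProvisioningException("No script content.");
            }
            return Optional.of((byte[]) content);
        } catch (CMSException | OperatorCreationException | IOException | CertificateException e) {
            throw new ProvisioningException("Invalid Input", e);
        }
    }

    /**
     * Converts every certificate embedded in the CMS message to a JCA {@link X509Certificate}.
     *
     * <p>Certificates that cannot be re-encoded or parsed are skipped with a warning, so a
     * single malformed entry does not reject the whole message; a chain that needs the skipped
     * certificate will then fail path building.
     */
    private static ImmutableSet<X509Certificate> getAllProvidedCerts(
            @NonNull Store<X509CertificateHolder> store) {
        ImmutableSet.Builder<X509Certificate> builder = ImmutableSet.builder();
        // A null selector matches every certificate in the store.
        for (X509CertificateHolder holder : store.getMatches(null)) {
            try {
                // The decompiled listing cast the certificate to ImmutableSet.Builder, which
                // cannot succeed at runtime; the element type is X509Certificate.
                builder.add(
                        (X509Certificate) CertificateFactory.getInstance("X.509")
                                .generateCertificate(
                                        new ByteArrayInputStream(holder.getEncoded())));
            } catch (IOException | CertificateException e) {
                logw("Skipping an embedded certificate that cannot be parsed: " + e);
            }
        }
        return builder.build();
    }

    /**
     * Checks whether a certification path can be built from the given certificate to an entry
     * of the {@code AndroidCAStore} key store, using the supplied certificates as candidate
     * intermediates.
     *
     * <p>NOTE(review): revocation checking is disabled, so a revoked signer or intermediate is
     * still accepted. NOTE(review): the anchors are whatever {@code AndroidCAStore} holds on
     * the device, which presumably includes user-installed CAs — confirm whether a dedicated
     * anchor is intended for provisioning scripts.
     *
     * @return {@code true} if a path was built, {@code false} on any failure
     */
    private static boolean verifyCertAgainstTrustedCas(@NonNull X509Certificate x509Certificate, @NonNull ImmutableSet<X509Certificate> immutableSet) {
        try {
            KeyStore trustAnchors = KeyStore.getInstance("AndroidCAStore");
            trustAnchors.load(null, null);
            X509CertSelector target = new X509CertSelector();
            target.setCertificate(x509Certificate);
            CertStore intermediates =
                    CertStore.getInstance("Collection", new CollectionCertStoreParameters(immutableSet));
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustAnchors, target);
            params.addCertStore(intermediates);
            params.setRevocationEnabled(false);
            // build() throws when no valid path exists; the result itself is not needed.
            CertPathBuilder.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME).build(params);
            return true;
        } catch (IOException | GeneralSecurityException e) {
            // Keep the reason visible for triage; the caller only sees a boolean.
            logw("Certification path validation failed: " + e);
            return false;
        }
    }

    /**
     * Decodes the CBOR-encoded script body.
     *
     * @param bArr CBOR bytes holding two or three top-level data items
     * @return the decoded script
     * @throws ProvisioningException if the bytes are not valid CBOR, the item count is not two
     *     or three, or an item has an unexpected major type
     */
    @NonNull
    @VisibleForTesting
    static ScriptContent parseScript(@NonNull byte[] bArr) throws ProvisioningException {
        try {
            List<DataItem> items = CborDecoder.decode(bArr);
            int itemCount = items.size();
            if (itemCount != VALID_DATA_ITEM_SIZE_2 && itemCount != VALID_DATA_ITEM_SIZE_3) {
                throw new ProvisioningException(itemCount + " The script only allows 2 or 3data items");
            }

            DataItem versionItem = items.get(VERSION_INDEX);
            if (!checkType(versionItem, MajorType.UNSIGNED_INTEGER, FIELD_VERSION)) {
                throw new ProvisioningException("the data type is not correct for version");
            }
            // Only the low 16 bits are used; larger values are truncated by intValue().
            int version = ((UnsignedInteger) versionItem).getValue().intValue();
            // NOTE(review): the decompiler picked this constant by value; it is used here as a
            // byte mask (presumably 0xFF), not as a session state — confirm.
            int minorVersion = version & UwbUciConstants.UWB_SESSION_STATE_ERROR;
            int majorVersion = (version >> 8) & UwbUciConstants.UWB_SESSION_STATE_ERROR;

            DataItem apdusItem = items.get(APDUS_INDEX);
            if (!checkType(apdusItem, MajorType.ARRAY, FIELD_APDUS)) {
                throw new ProvisioningException("the data type is not correct for APDUs");
            }
            List<byte[]> apdus = new ArrayList<>();
            for (DataItem apduItem : ((Array) apdusItem).getDataItems()) {
                if (!checkType(apduItem, MajorType.BYTE_STRING, SUB_FIELD_APDU)) {
                    throw new ProvisioningException("the data type is not correct for APDU");
                }
                apdus.add(((ByteString) apduItem).getBytes());
            }

            Optional<ObjectIdentifier> adfOid = Optional.empty();
            if (itemCount == VALID_DATA_ITEM_SIZE_3) {
                DataItem adfOidItem = items.get(ADF_OID_INDEX);
                if (!checkType(adfOidItem, MajorType.BYTE_STRING, FIELD_ADF_OID)) {
                    throw new ProvisioningException("the data type is not correct for ADF_OID");
                }
                adfOid = Optional.of(ObjectIdentifier.fromBytes(((ByteString) adfOidItem).getBytes()));
            }
            return new ScriptContent(majorVersion, minorVersion, apdus, adfOid);
        } catch (CborException e) {
            throw new ProvisioningException("the script is not correct CBOR encoded.", e);
        }
    }

    /**
     * Returns whether the item has the expected CBOR major type, logging a warning that names
     * the field when it does not.
     */
    private static boolean checkType(DataItem dataItem, MajorType majorType, String str) {
        if (dataItem.getMajorType() == majorType) {
            return true;
        }
        logw("Wrong CBOR type for field: " + str + ". Expected " + majorType.name() + ", actual: " + dataItem.getMajorType().name());
        return false;
    }

    /** Logs a warning under this class's tag. */
    private static void logw(String str) {
        Log.w(LOG_TAG, str);
    }
}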
