package com.android.server.wifi;

import android.R;
import android.app.Notification;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.graphics.drawable.Icon;
import android.net.Uri;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiContext;
import android.net.wifi.WifiEnterpriseConfig;
import android.os.Handler;
import android.text.TextUtils;
import android.text.format.DateFormat;
import android.util.Log;
import com.android.server.wifi.WifiConfigManager;
import com.android.server.wifi.WifiDialogManager;
import com.android.server.wifi.util.CertificateSubjectInfo;
import com.android.wifi.x.com.android.internal.util.HexDump;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Set;
import java.util.StringJoiner;

/* loaded from: classes.dex */
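/**
 * Drives the user-consent flow for enterprise (EAP) Wi-Fi networks whose configuration has no
 * CA certificate, using either Trust On First Use (TOFU) or the legacy "connect anyway" prompt.
 *
 * <p>Flow as visible in this class: {@link #prepareConnection} arms the handler for a network,
 * {@link #addPendingCertificate} collects the certificates the server presents,
 * {@link #startUserApprovalIfNecessary} validates the collected chain and raises a dialog or a
 * notification, and {@link #handleAccept} / {@link #handleReject} persist the user's decision.
 *
 * <p>This listing is decompiler output: numeric literals passed to {@code getString(...)} and
 * {@code Icon.createWithResource(...)} are resource ids inlined at build time, and several
 * parameters carry synthetic names ({@code z}, {@code str}, {@code i}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The accept/reject decision can arrive via broadcast. The receiver is registered with a
 *       {@code null} sender permission, so nothing in this class restricts who may send the
 *       {@code ACTION_CERT_NOTIF_*} actions; that restriction has to come from elsewhere
 *       (e.g. a protected-broadcast declaration) - TODO confirm against the manifest.</li>
 *   <li>The only binding between a decision and the pending network is the SSID string compared
 *       in {@code isConnectionValid}.</li>
 *   <li>Chain validation runs with revocation checking disabled.</li>
 * </ul>
 */
public class InsecureEapNetworkHandler {
    static final String ACTION_CERT_NOTIF_ACCEPT = "com.android.server.wifi.ClientModeImpl.ACTION_CERT_NOTIF_ACCEPT";
    static final String ACTION_CERT_NOTIF_REJECT = "com.android.server.wifi.ClientModeImpl.ACTION_CERT_NOTIF_REJECT";
    static final String ACTION_CERT_NOTIF_TAP = "com.android.server.wifi.ClientModeImpl.ACTION_CERT_NOTIF_TAP";
    static final String EXTRA_PENDING_CERT_SSID = "com.android.server.wifi.ClientModeImpl.EXTRA_PENDING_CERT_SSID";

    private static final String TAG = "InsecureEapNetworkHandler";

    // Id shared by every notification this class posts and cancels.
    private static final int CERT_NOTIFICATION_ID = 67;

    // Same value as the decompiled literal 201326592 (0x0C000000). FLAG_IMMUTABLE keeps the
    // receiver of the PendingIntent from altering the wrapped Intent (action, package, SSID extra).
    private static final int PENDING_INTENT_FLAGS =
            PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE;

    private final String mCaCertHelpLink;
    private final InsecureEapNetworkHandlerCallbacks mCallbacks;
    private final WifiContext mContext;
    private final FrameworkFacade mFacade;
    private final Handler mHandler;
    private final String mInterfaceName;
    private final boolean mIsInsecureEnterpriseConfigurationAllowed;
    private final boolean mIsTrustOnFirstUseSupported;
    private final WifiNotificationManager mNotificationManager;
    // True when the validated root CA was also found in the system trust store.
    private boolean mUseTrustStore;
    private final WifiConfigManager mWifiConfigManager;
    private final WifiDialogManager mWifiDialogManager;
    private final WifiNative mWifiNative;
    // Network most recently passed to prepareConnection(), whether or not it needs approval.
    private WifiConfiguration mConnectingConfig = null;
    // Network currently awaiting a user decision; null when no approval is pending.
    private WifiConfiguration mCurrentTofuConfig = null;
    // Highest chain depth reported so far and the certificate reported at that depth.
    private int mPendingRootCaCertDepth = -1;
    private X509Certificate mPendingRootCaCert = null;
    // Depth-0 (leaf) certificate and the parsed subject/issuer shown to the user.
    private X509Certificate mPendingServerCert = null;
    private CertificateSubjectInfo mPendingServerCertSubjectInfo = null;
    private CertificateSubjectInfo mPendingServerCertIssuerInfo = null;
    // Certificates reported by the supplicant for the current attempt; new entries are prepended.
    private final LinkedList<X509Certificate> mServerCertChain = new LinkedList<>();
    private WifiDialogManager.DialogHandle mTofuAlertDialog = null;
    private boolean mIsCertNotificationReceiverRegistered = false;
    private String mServerCertHash = null;

    /**
     * Receives the notification actions (tap / accept / reject) and routes them to the handler.
     *
     * <p>The SSID comes from the Intent extra and is only checked later, inside
     * {@code handleAccept} / {@code handleReject}. Any matching broadcast dismisses the current
     * dialog and notification before that check runs.
     */
    BroadcastReceiver mCertNotificationReceiver = new BroadcastReceiver() {
        @Override
        public void onReceive(Context context, Intent intent) {
            String action = intent.getAction();
            String ssid = intent.getStringExtra(InsecureEapNetworkHandler.EXTRA_PENDING_CERT_SSID);
            InsecureEapNetworkHandler.this.dismissDialogAndNotification();
            Log.d(TAG, "Received CertNotification: ssid=" + ssid + ", action=" + action);
            if (TextUtils.equals(action, InsecureEapNetworkHandler.ACTION_CERT_NOTIF_TAP)) {
                InsecureEapNetworkHandler.this.askForUserApprovalForCaCertificate();
            } else if (TextUtils.equals(action, InsecureEapNetworkHandler.ACTION_CERT_NOTIF_ACCEPT)) {
                InsecureEapNetworkHandler.this.handleAccept(ssid);
            } else if (TextUtils.equals(action, InsecureEapNetworkHandler.ACTION_CERT_NOTIF_REJECT)) {
                InsecureEapNetworkHandler.this.handleReject(ssid);
            }
        }
    };
    private final OnNetworkUpdateListener mOnNetworkUpdateListener = new OnNetworkUpdateListener();

    /** Outcome callbacks supplied by the owner of this handler. */
    public abstract class InsecureEapNetworkHandlerCallbacks {
        /**
         * Called after the user's approval has been recorded.
         *
         * @param str SSID the decision applies to
         * @param i network id of the approved configuration
         */
        public abstract void onAccept(String str, int i);

        /**
         * Called when the approval flow is aborted.
         *
         * @param str SSID of the affected network; callers in this class may pass {@code null}
         */
        public abstract void onError(String str);

        /**
         * Called after the user's rejection has been recorded.
         *
         * @param str SSID the decision applies to
         * @param z {@code true} when the rejection was made in the non-TOFU flow
         */
        public abstract void onReject(String str, boolean z);
    }

    /**
     * Dismisses the pending dialog when the network awaiting approval is removed.
     *
     * <p>Decompiler note: the class access modifier was widened from package-private.
     */
    public class OnNetworkUpdateListener implements WifiConfigManager.OnNetworkUpdateListener {
        private OnNetworkUpdateListener() {
        }

        @Override
        public void onNetworkRemoved(WifiConfiguration wifiConfiguration) {
            if (wifiConfiguration == null
                    || InsecureEapNetworkHandler.this.mCurrentTofuConfig == null
                    || InsecureEapNetworkHandler.this.mTofuAlertDialog == null
                    || wifiConfiguration.networkId != InsecureEapNetworkHandler.this.mCurrentTofuConfig.networkId) {
                return;
            }
            InsecureEapNetworkHandler.this.dismissDialogAndNotification();
        }
    }

    /**
     * Creates the handler and subscribes it to network-removal updates.
     *
     * @param z whether Trust On First Use is supported
     * @param z2 whether enterprise configurations without server validation are allowed
     * @param insecureEapNetworkHandlerCallbacks outcome callbacks; may be {@code null}
     * @param str name of the Wi-Fi interface used for native calls
     * @param handler handler on which broadcasts and dialog callbacks are delivered
     */
    public InsecureEapNetworkHandler(WifiContext wifiContext, WifiConfigManager wifiConfigManager, WifiNative wifiNative, FrameworkFacade frameworkFacade, WifiNotificationManager wifiNotificationManager, WifiDialogManager wifiDialogManager, boolean z, boolean z2, InsecureEapNetworkHandlerCallbacks insecureEapNetworkHandlerCallbacks, String str, Handler handler) {
        this.mContext = wifiContext;
        this.mWifiConfigManager = wifiConfigManager;
        this.mWifiNative = wifiNative;
        this.mFacade = frameworkFacade;
        this.mNotificationManager = wifiNotificationManager;
        this.mWifiDialogManager = wifiDialogManager;
        this.mIsTrustOnFirstUseSupported = z;
        this.mIsInsecureEnterpriseConfigurationAllowed = z2;
        this.mCallbacks = insecureEapNetworkHandlerCallbacks;
        this.mInterfaceName = str;
        this.mHandler = handler;
        this.mWifiConfigManager.addOnNetworkUpdateListener(this.mOnNetworkUpdateListener);
        // Help URL shown in the non-TOFU prompt; it is read from resources, not from the network.
        this.mCaCertHelpLink = this.mContext.getString(2131165189);
    }

    /**
     * Shows the approval dialog for the pending network.
     *
     * <p>In TOFU mode the message lists the server certificate's subject CN, issuer CN,
     * organization (if any), expiry date and SHA-256 fingerprint so the user can compare them
     * with values obtained out of band. In non-TOFU mode the message embeds the CA-certificate
     * help link instead. Every outcome other than the positive button is treated as a rejection.
     *
     * <p>Decompiler note: the access modifier was widened from private.
     */
    public void askForUserApprovalForCaCertificate() {
        if (this.mCurrentTofuConfig == null || TextUtils.isEmpty(this.mCurrentTofuConfig.SSID)) {
            return;
        }
        if (useTrustOnFirstUse() && (this.mPendingRootCaCert == null || this.mPendingServerCert == null)) {
            Log.e(TAG, "Cannot launch a dialog for TOFU without a valid pending CA certificate.");
            return;
        }
        dismissDialogAndNotification();
        String title = useTrustOnFirstUse() ? this.mContext.getString(2131165232) : this.mContext.getString(2131165231);
        // 2131165228 / 2131165227 are the same labels used for the ACCEPT / REJECT notification
        // actions in notifyUserForCaCertificate().
        String acceptLabel = useTrustOnFirstUse() ? this.mContext.getString(2131165219) : this.mContext.getString(2131165228);
        String rejectLabel = useTrustOnFirstUse() ? this.mContext.getString(2131165218) : this.mContext.getString(2131165227);
        final String message;
        final String helpUrl;
        final int urlStart;
        final int urlEnd;
        if (useTrustOnFirstUse()) {
            // NOTE(review): subject/issuer info is dereferenced without a null check here;
            // startUserApprovalIfNecessary() verifies both before the first prompt.
            StringBuilder details = new StringBuilder();
            details.append(this.mContext.getString(2131165222));
            details.append(this.mContext.getString(2131165225, new Object[]{this.mPendingServerCertSubjectInfo.commonName}));
            details.append(this.mContext.getString(2131165223, new Object[]{this.mPendingServerCertIssuerInfo.commonName}));
            if (!TextUtils.isEmpty(this.mPendingServerCertSubjectInfo.organization)) {
                details.append(this.mContext.getString(2131165224, new Object[]{this.mPendingServerCertSubjectInfo.organization}));
            }
            Date notAfter = this.mPendingServerCert.getNotAfter();
            if (notAfter != null) {
                details.append(this.mContext.getString(2131165221, new Object[]{DateFormat.getMediumDateFormat(this.mContext).format(notAfter)}));
            }
            // getDigest() returns "" on failure, in which case the fingerprint line is omitted.
            String digest = getDigest(this.mPendingServerCert, "SHA256");
            if (!TextUtils.isEmpty(digest)) {
                details.append(this.mContext.getString(2131165226, new Object[]{digest}));
            }
            message = details.toString();
            helpUrl = null;
            urlStart = 0;
            urlEnd = 0;
        } else {
            String warning = this.mContext.getString(2131165229, new Object[]{this.mCurrentTofuConfig.SSID});
            message = warning + " " + this.mContext.getString(2131165230);
            helpUrl = this.mCaCertHelpLink;
            // The link span covers the text appended after the warning and the separating space.
            urlStart = warning.length() + 1;
            urlEnd = message.length();
        }
        this.mTofuAlertDialog = this.mWifiDialogManager.createLegacySimpleDialogWithUrl(title, message, helpUrl, urlStart, urlEnd, acceptLabel, rejectLabel, null, new WifiDialogManager.SimpleDialogCallback() {
            @Override
            public void onCancelled() {
                if (InsecureEapNetworkHandler.this.mCurrentTofuConfig == null) {
                    return;
                }
                Log.d(TAG, "User input canceled");
                InsecureEapNetworkHandler.this.handleReject(InsecureEapNetworkHandler.this.mCurrentTofuConfig.SSID);
            }

            @Override
            public void onNegativeButtonClicked() {
                if (InsecureEapNetworkHandler.this.mCurrentTofuConfig == null) {
                    return;
                }
                Log.d(TAG, "User rejected the server certificate");
                InsecureEapNetworkHandler.this.handleReject(InsecureEapNetworkHandler.this.mCurrentTofuConfig.SSID);
            }

            @Override
            public void onNeutralButtonClicked() {
                if (InsecureEapNetworkHandler.this.mCurrentTofuConfig == null) {
                    return;
                }
                Log.d(TAG, "User input neutral");
                InsecureEapNetworkHandler.this.handleReject(InsecureEapNetworkHandler.this.mCurrentTofuConfig.SSID);
            }

            @Override
            public void onPositiveButtonClicked() {
                if (InsecureEapNetworkHandler.this.mCurrentTofuConfig == null) {
                    return;
                }
                Log.d(TAG, "User accepted the server certificate");
                InsecureEapNetworkHandler.this.handleAccept(InsecureEapNetworkHandler.this.mCurrentTofuConfig.SSID);
            }
        }, new WifiThreadRunner(this.mHandler));
        this.mTofuAlertDialog.launchDialog();
    }

    /** Forgets all pending certificate state and the network awaiting approval. */
    private void clearInternalData() {
        this.mPendingRootCaCertDepth = -1;
        this.mPendingRootCaCert = null;
        this.mPendingServerCert = null;
        this.mPendingServerCertSubjectInfo = null;
        this.mPendingServerCertIssuerInfo = null;
        this.mCurrentTofuConfig = null;
        this.mServerCertHash = null;
        this.mUseTrustStore = false;
    }

    /**
     * Asks the native layer to drop cached data for the pending network (if any) and to remove
     * all networks on this interface.
     *
     * <p>Must run before {@link #clearInternalData()} if the cached data of the pending network
     * is to be removed, because that call nulls {@code mCurrentTofuConfig}.
     */
    private void clearNativeData() {
        if (this.mCurrentTofuConfig != null) {
            this.mWifiNative.removeNetworkCachedData(this.mCurrentTofuConfig.networkId);
        }
        this.mWifiNative.removeAllNetworks(this.mInterfaceName);
    }

    /**
     * Decides how the server will be validated on later connections and checks the chain.
     *
     * <p>If {@link #useCertificatePinning} applies, the chain is not path-validated and the
     * server certificate hash is kept for pinning. Otherwise the collected chain must validate
     * (PKIX) against the pending root CA as the sole trust anchor; on success the pinning hash
     * is cleared and {@code mUseTrustStore} records whether that root is also in the system
     * trust store.
     *
     * @return {@code true} if a validation method was selected, {@code false} if the chain is
     *     empty, malformed or fails validation
     */
    private boolean configureServerValidationMethod() {
        if (this.mServerCertChain.size() == 0) {
            Log.e(TAG, "No certificate chain provided by the server.");
            return false;
        }
        if (useCertificatePinning(true)) {
            return true;
        }
        try {
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(this.mServerCertChain);
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            Set<TrustAnchor> anchors = Set.of(new TrustAnchor(this.mPendingRootCaCert, null));
            PKIXParameters params = new PKIXParameters(anchors);
            // Revocation (CRL/OCSP) is not consulted: a revoked but otherwise valid chain passes.
            // NOTE(review): presumably because there is no connectivity at this point - confirm.
            params.setRevocationEnabled(false);
            validator.validate(certPath, params);
            this.mServerCertHash = null;
            this.mUseTrustStore = false;
            if (this.mWifiNative.isSupplicantAidlServiceVersionAtLeast(2) && isCertInTrustStore(this.mPendingRootCaCert)) {
                this.mUseTrustStore = true;
            }
            Log.i(TAG, "Server certificate chain validation succeeded, use " + (this.mUseTrustStore ? "trust store" : "Root CA"));
            return true;
        } catch (IllegalStateException e) {
            Log.wtf(TAG, "Fail: " + e);
            return false;
        } catch (CertificateException e) {
            Log.e(TAG, "Certificate chain is invalid.");
            return false;
        } catch (NoSuchAlgorithmException e) {
            Log.wtf(TAG, "PKIX algorithm not supported.");
            return false;
        } catch (InvalidAlgorithmParameterException e) {
            Log.wtf(TAG, "Invalid algorithm exception.");
            return false;
        } catch (CertPathValidatorException e) {
            Log.e(TAG, "Server certificate chain validation failed: " + e);
            return false;
        }
    }

    /**
     * Tells the user that the server certificate chain was rejected.
     *
     * @param z {@code true} to show a dialog, {@code false} to post a notification
     * @param str SSID inserted into the title
     */
    private void createCertificateErrorNotification(boolean z, String str) {
        String title = this.mContext.getString(2131165334, new Object[]{str});
        String message = this.mContext.getString(2131165332);
        String buttonLabel = this.mContext.getString(2131165333);
        if (TextUtils.isEmpty(title) || TextUtils.isEmpty(message)) {
            return;
        }
        if (z) {
            // Purely informational: none of the callbacks changes any state.
            this.mTofuAlertDialog = this.mWifiDialogManager.createLegacySimpleDialog(title, message, null, null, buttonLabel, new WifiDialogManager.SimpleDialogCallback() {
                @Override
                public void onCancelled() {
                }

                @Override
                public void onNegativeButtonClicked() {
                }

                @Override
                public void onNeutralButtonClicked() {
                }

                @Override
                public void onPositiveButtonClicked() {
                }
            }, new WifiThreadRunner(this.mHandler));
            this.mTofuAlertDialog.launchDialog();
        } else {
            Notification notification = this.mFacade.makeNotificationBuilder(this.mContext, WifiService.NOTIFICATION_NETWORK_ALERTS)
                    .setSmallIcon(Icon.createWithResource(this.mContext.getWifiOverlayApkPkgName(), 2130903041))
                    .setContentTitle(title)
                    .setContentText(message)
                    .setStyle(new Notification.BigTextStyle().bigText(message))
                    .setColor(this.mContext.getResources().getColor(R.color.system_notification_accent_color))
                    .build();
            this.mNotificationManager.notify(CERT_NOTIFICATION_ID, notification);
        }
    }

    /**
     * Cancels this class's notification and dismisses the dialog, if one is showing.
     *
     * <p>Decompiler note: the access modifier was widened from private.
     */
    public void dismissDialogAndNotification() {
        this.mNotificationManager.cancel(CERT_NOTIFICATION_ID);
        if (this.mTofuAlertDialog != null) {
            this.mTofuAlertDialog.dismissDialog();
            this.mTofuAlertDialog = null;
        }
    }

    /**
     * Formats a digest as colon-separated hex bytes.
     *
     * @return the formatted string, or {@code ""} when {@code bArr} is {@code null}
     */
    private static String fingerprint(byte[] bArr) {
        if (bArr == null) {
            return "";
        }
        StringJoiner joiner = new StringJoiner(":");
        for (byte b : bArr) {
            joiner.add(HexDump.toHexString(b));
        }
        return joiner.toString();
    }

    /**
     * Builds the broadcast PendingIntent attached to the notification.
     *
     * <p>The Intent is restricted to the Wi-Fi service package and the PendingIntent is
     * immutable, so whoever fires it cannot retarget it or replace the SSID extra.
     *
     * @param str broadcast action
     * @param str2 SSID stored in {@link #EXTRA_PENDING_CERT_SSID}
     */
    private PendingIntent genCaCertNotifIntent(String str, String str2) {
        Intent intent = new Intent(str)
                .setPackage(this.mContext.getServiceWifiPackageName())
                .putExtra(EXTRA_PENDING_CERT_SSID, str2);
        return this.mFacade.getBroadcast(this.mContext, 0, intent, PENDING_INTENT_FLAGS);
    }

    /**
     * Computes the fingerprint of a certificate's encoded form.
     *
     * @param x509Certificate certificate to hash; may be {@code null}
     * @param str {@link MessageDigest} algorithm name
     * @return colon-separated hex digest, or {@code ""} if the certificate is {@code null}, the
     *     algorithm is unknown or the certificate cannot be encoded
     */
    static String getDigest(X509Certificate x509Certificate, String str) {
        if (x509Certificate == null) {
            return "";
        }
        try {
            return fingerprint(MessageDigest.getInstance(str).digest(x509Certificate.getEncoded()));
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            // Best effort: callers treat an empty digest as "nothing to display".
            return "";
        }
    }

    /**
     * Aborts the approval flow: disables the pending network, clears UI, internal and native
     * state, then reports the error.
     *
     * @param str SSID forwarded to {@code onError}; may be {@code null}
     */
    private void handleError(String str) {
        if (this.mCurrentTofuConfig != null) {
            // 7 is a decompiled disable-reason constant - NOTE(review): confirm which reason.
            this.mWifiConfigManager.updateNetworkSelectionStatus(this.mCurrentTofuConfig.networkId, 7);
        }
        dismissDialogAndNotification();
        // After this call mCurrentTofuConfig is null, so clearNativeData() below only removes
        // the networks on the interface, not the cached data of the pending network.
        clearInternalData();
        clearNativeData();
        if (this.mCallbacks != null) {
            this.mCallbacks.onError(str);
        }
    }

    /**
     * Checks whether the given certificate is backed by the system CA store.
     *
     * <p>A store entry matches when it has the same subject DN and its public key verifies the
     * certificate's signature. Entries that share the subject but hold a different key are
     * skipped rather than ending the search, so a re-keyed or duplicated root does not produce
     * a false negative. Any failure to read the store yields {@code false}.
     */
    private boolean isCertInTrustStore(X509Certificate x509Certificate) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidCAStore");
            keyStore.load(null);
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                java.security.cert.Certificate entry = keyStore.getCertificate(aliases.nextElement());
                if (!(entry instanceof X509Certificate)) {
                    // Missing or non-X.509 entry: nothing to compare against.
                    continue;
                }
                X509Certificate trusted = (X509Certificate) entry;
                if (!trusted.getSubjectDN().equals(x509Certificate.getSubjectDN())) {
                    continue;
                }
                try {
                    // A matching name is not enough: the trusted key must verify the signature.
                    x509Certificate.verify(trusted.getPublicKey());
                    return true;
                } catch (java.security.GeneralSecurityException ignored) {
                    // Same subject, different key: keep looking at the remaining entries.
                }
            }
            return false;
        } catch (Exception e) {
            Log.e(TAG, e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks that a user decision refers to the network currently awaiting approval.
     *
     * <p>The SSID string is the only value compared. An empty SSID or a missing pending network
     * aborts the flow through {@code handleError(null)}; a mismatching SSID is only logged.
     *
     * @param str SSID that accompanied the decision
     */
    private boolean isConnectionValid(String str) {
        if (TextUtils.isEmpty(str) || this.mCurrentTofuConfig == null) {
            handleError(null);
            return false;
        }
        if (TextUtils.equals(str, this.mCurrentTofuConfig.SSID)) {
            return true;
        }
        Log.w(TAG, "Target SSID " + this.mCurrentTofuConfig.SSID + " is different from TOFU returned SSID" + str);
        return false;
    }

    /**
     * Posts the ongoing notification that asks the user to review the network.
     *
     * <p>TOFU mode: tapping sends {@link #ACTION_CERT_NOTIF_TAP}, which opens the approval
     * dialog; no accept/reject buttons are offered on the notification itself. Non-TOFU mode:
     * tapping opens the CA-certificate help link, and the notification carries reject and accept
     * action buttons that are delivered as broadcasts.
     */
    private void notifyUserForCaCertificate() {
        if (this.mCurrentTofuConfig == null) {
            return;
        }
        if (useTrustOnFirstUse() && (this.mPendingRootCaCert == null || this.mPendingServerCert == null)) {
            return;
        }
        dismissDialogAndNotification();
        PendingIntent tapIntent;
        if (useTrustOnFirstUse()) {
            tapIntent = genCaCertNotifIntent(ACTION_CERT_NOTIF_TAP, this.mCurrentTofuConfig.SSID);
        } else {
            Intent viewHelp = new Intent(Intent.ACTION_VIEW)
                    .setData(Uri.parse(this.mCaCertHelpLink))
                    .addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            tapIntent = this.mFacade.getActivity(this.mContext, 0, viewHelp, PENDING_INTENT_FLAGS);
        }
        String title = useTrustOnFirstUse() ? this.mContext.getString(2131165239) : this.mContext.getString(2131165238);
        String text = useTrustOnFirstUse() ? this.mContext.getString(2131165234, new Object[]{this.mCurrentTofuConfig.SSID}) : this.mContext.getString(2131165237, new Object[]{this.mCurrentTofuConfig.SSID});
        Notification.Builder builder = this.mFacade.makeNotificationBuilder(this.mContext, WifiService.NOTIFICATION_NETWORK_ALERTS)
                .setSmallIcon(Icon.createWithResource(this.mContext.getWifiOverlayApkPkgName(), 2130903041))
                .setContentTitle(title)
                .setContentText(text)
                .setStyle(new Notification.BigTextStyle().bigText(text))
                .setContentIntent(tapIntent)
                .setOngoing(true)
                .setColor(this.mContext.getResources().getColor(R.color.system_notification_accent_color));
        if (!useTrustOnFirstUse()) {
            builder.addAction(new Notification.Action.Builder((Icon) null, this.mContext.getString(2131165227), genCaCertNotifIntent(ACTION_CERT_NOTIF_REJECT, this.mCurrentTofuConfig.SSID)).build())
                    .addAction(new Notification.Action.Builder((Icon) null, this.mContext.getString(2131165228), genCaCertNotifIntent(ACTION_CERT_NOTIF_ACCEPT, this.mCurrentTofuConfig.SSID)).build());
        }
        this.mNotificationManager.notify(CERT_NOTIFICATION_ID, builder.build());
    }

    /**
     * Disables the pending network, disconnects the interface and clears native state.
     *
     * <p>Precondition: {@code mCurrentTofuConfig} is non-null (checked by the only caller).
     */
    private void putNetworkOnHold() {
        this.mWifiConfigManager.updateNetworkSelectionStatus(this.mCurrentTofuConfig.networkId, 7);
        this.mWifiNative.disconnect(this.mInterfaceName);
        clearNativeData();
    }

    /**
     * (Re-)registers the notification receiver for the actions of the current mode: only TAP in
     * TOFU mode, only ACCEPT and REJECT otherwise.
     *
     * <p>Security note: the sender-permission argument is {@code null}, so this registration by
     * itself accepts the actions from any sender. In non-TOFU mode an ACCEPT broadcast with a
     * matching SSID records user approval without further interaction, so the actions need to
     * be restricted outside this class (e.g. protected broadcasts) - TODO confirm.
     */
    private void registerCertificateNotificationReceiver() {
        unregisterCertificateNotificationReceiver();
        IntentFilter intentFilter = new IntentFilter();
        if (useTrustOnFirstUse()) {
            intentFilter.addAction(ACTION_CERT_NOTIF_TAP);
        } else {
            intentFilter.addAction(ACTION_CERT_NOTIF_ACCEPT);
            intentFilter.addAction(ACTION_CERT_NOTIF_REJECT);
        }
        this.mContext.registerReceiver(this.mCertNotificationReceiver, intentFilter, (String) null, this.mHandler);
        this.mIsCertNotificationReceiverRegistered = true;
    }

    /** Unregisters the notification receiver if it is currently registered. */
    private void unregisterCertificateNotificationReceiver() {
        if (this.mIsCertNotificationReceiverRegistered) {
            this.mContext.unregisterReceiver(this.mCertNotificationReceiver);
            this.mIsCertNotificationReceiverRegistered = false;
        }
    }

    /**
     * Decides whether the server certificate itself must be pinned instead of trusting a root.
     *
     * <p>Pinning is chosen when the server sent a single certificate, when the top-most
     * certificate is not self-issued (subject differs from issuer, i.e. the real root was not
     * sent), or when that certificate is X.509 v2 or later but its basic constraints do not mark
     * it as a CA.
     *
     * @param z whether to log the reason
     */
    private boolean useCertificatePinning(boolean z) {
        if (this.mServerCertChain.size() == 1) {
            if (z) {
                Log.i(TAG, "Only one certificate provided, use server certificate pinning");
            }
            return true;
        }
        // Name comparison only; the self-signature is not verified here.
        if (!this.mPendingRootCaCert.getSubjectX500Principal().getName().equals(this.mPendingRootCaCert.getIssuerX500Principal().getName())) {
            if (z) {
                Log.i(TAG, "Root CA is not self-signed, use server certificate pinning");
            }
            return true;
        }
        // getBasicConstraints() is negative when the certificate is not a CA.
        if (this.mPendingRootCaCert.getVersion() < 2 || this.mPendingRootCaCert.getBasicConstraints() >= 0) {
            return false;
        }
        if (z) {
            Log.i(TAG, "Root CA with no CA bit set in basic constraints, use server certificate pinning");
        }
        return true;
    }

    /**
     * Returns whether the pending network uses TOFU.
     *
     * <p>Precondition: when TOFU is supported, {@code mCurrentTofuConfig} must be non-null;
     * every caller in this class checks that first.
     */
    private boolean useTrustOnFirstUse() {
        return this.mIsTrustOnFirstUseSupported && this.mCurrentTofuConfig.enterpriseConfig.isTrustOnFirstUseEnabled();
    }

    /**
     * Records one certificate presented by the server during the TOFU connection attempt.
     *
     * <p>The depth-0 certificate becomes the pending server certificate (first one wins) and
     * puts the network on hold; the certificate with the highest depth seen so far becomes the
     * pending root CA.
     *
     * @param i network id the certificate was reported for
     * @param i2 depth of the certificate in the chain, 0 being the server certificate
     * @param certificateEventInfo certificate and its hash as reported by the lower layer
     * @return {@code true} if the certificate was recorded; {@code false} if it does not belong
     *     to the pending network, TOFU does not apply, or its subject/issuer cannot be parsed
     */
    public boolean addPendingCertificate(int i, int i2, CertificateEventInfo certificateEventInfo) {
        String profileKey = this.mCurrentTofuConfig != null ? this.mCurrentTofuConfig.getProfileKey() : "null";
        if (i == -1 || this.mCurrentTofuConfig == null || this.mCurrentTofuConfig.networkId != i || certificateEventInfo == null || i2 < 0 || !this.mIsTrustOnFirstUseSupported) {
            return false;
        }
        if (this.mIsInsecureEnterpriseConfigurationAllowed && !this.mCurrentTofuConfig.enterpriseConfig.isTrustOnFirstUseEnabled()) {
            Log.d(TAG, "Certificates are not required for this connection");
            return false;
        }
        if (i2 == 0) {
            putNetworkOnHold();
        }
        if (!this.mServerCertChain.contains(certificateEventInfo.getCert())) {
            this.mServerCertChain.addFirst(certificateEventInfo.getCert());
            // The complete certificate is written to the debug log.
            Log.d(TAG, "addPendingCertificate: SSID=" + this.mCurrentTofuConfig.SSID + " depth=" + i2 + " certHash=" + certificateEventInfo.getCertHash() + " current config=" + profileKey + "\ncertificate content:\n" + certificateEventInfo.getCert());
        }
        if (i2 == 0 && this.mPendingServerCert == null) {
            this.mPendingServerCert = certificateEventInfo.getCert();
            // On a parse failure below, mPendingServerCert stays set while the info field is
            // null; startUserApprovalIfNecessary() rejects that state.
            this.mPendingServerCertSubjectInfo = CertificateSubjectInfo.parse(certificateEventInfo.getCert().getSubjectX500Principal().getName());
            if (this.mPendingServerCertSubjectInfo == null) {
                Log.e(TAG, "Cert has no valid subject.");
                return false;
            }
            this.mPendingServerCertIssuerInfo = CertificateSubjectInfo.parse(certificateEventInfo.getCert().getIssuerX500Principal().getName());
            if (this.mPendingServerCertIssuerInfo == null) {
                Log.e(TAG, "Cert has no valid issuer.");
                return false;
            }
            this.mServerCertHash = certificateEventInfo.getCertHash();
        }
        if (i2 < this.mPendingRootCaCertDepth) {
            return true;
        }
        this.mPendingRootCaCertDepth = i2;
        this.mPendingRootCaCert = certificateEventInfo.getCert();
        return true;
    }

    /** Releases UI, receiver, pending state and the network-update listener. */
    public void cleanup() {
        dismissDialogAndNotification();
        unregisterCertificateNotificationReceiver();
        clearInternalData();
        this.mWifiConfigManager.removeOnNetworkUpdateListener(this.mOnNetworkUpdateListener);
    }

    /**
     * Persists the user's approval for the pending network and re-enables it.
     *
     * <p>Non-TOFU: records that the user accepted connecting without a CA certificate.
     * TOFU: stores the pending root CA / server certificate (or pinning hash) in the network
     * configuration and records the post-connection state.
     *
     * @param str SSID that accompanied the decision; must match the pending network
     */
    void handleAccept(String str) {
        if (isConnectionValid(str)) {
            if (!useTrustOnFirstUse()) {
                this.mWifiConfigManager.setUserApproveNoCaCert(this.mCurrentTofuConfig.networkId, true);
            } else {
                if (this.mPendingRootCaCert == null || this.mPendingServerCert == null) {
                    handleError(str);
                    return;
                }
                // NOTE(review): a failed update is only logged; the network is still marked as
                // approved and re-enabled below - confirm this is intended.
                if (!this.mWifiConfigManager.updateCaCertificate(this.mCurrentTofuConfig.networkId, this.mPendingRootCaCert, this.mPendingServerCert, this.mServerCertHash, this.mUseTrustStore)) {
                    Log.e(TAG, "Cannot update CA cert to network " + this.mCurrentTofuConfig.getProfileKey() + ", CA cert = " + this.mPendingRootCaCert);
                }
                // 3 when the server certificate is pinned, 2 otherwise (decompiled constants).
                this.mWifiConfigManager.setTofuPostConnectionState(this.mCurrentTofuConfig.networkId, useCertificatePinning(false) ? 3 : 2);
            }
            int networkId = this.mCurrentTofuConfig.networkId;
            this.mWifiConfigManager.setTofuDialogApproved(networkId, true);
            this.mWifiConfigManager.updateNetworkSelectionStatus(networkId, 0);
            dismissDialogAndNotification();
            clearInternalData();
            if (this.mCallbacks != null) {
                this.mCallbacks.onAccept(str, networkId);
            }
        }
    }

    /**
     * Persists the user's rejection and keeps the pending network disabled.
     *
     * @param str SSID that accompanied the decision; must match the pending network
     */
    void handleReject(String str) {
        if (isConnectionValid(str)) {
            // Evaluated before clearInternalData() nulls mCurrentTofuConfig.
            boolean isNonTofu = !useTrustOnFirstUse();
            this.mWifiConfigManager.setTofuDialogApproved(this.mCurrentTofuConfig.networkId, false);
            this.mWifiConfigManager.updateNetworkSelectionStatus(this.mCurrentTofuConfig.networkId, 7);
            dismissDialogAndNotification();
            clearInternalData();
            if (isNonTofu) {
                clearNativeData();
            }
            if (this.mCallbacks != null) {
                this.mCallbacks.onReject(str, isNonTofu);
            }
        }
    }

    /**
     * Arms the handler for a connection attempt to an enterprise network that uses a server
     * certificate but has no CA certificate configured.
     *
     * <p>When the attempt will run as a TOFU probe, PEAP/TTLS credentials are stripped from the
     * passed configuration (identity and password cleared, phase 2 set to none, anonymous outer
     * identity filled in if empty) so that no user credential is offered to a server that has
     * not been approved yet.
     *
     * @param wifiConfiguration configuration about to be connected; modified in place
     */
    public void prepareConnection(WifiConfiguration wifiConfiguration) {
        if (wifiConfiguration == null) {
            return;
        }
        this.mConnectingConfig = wifiConfiguration;
        if (!wifiConfiguration.isEnterprise()) {
            return;
        }
        WifiEnterpriseConfig enterpriseConfig = wifiConfiguration.enterpriseConfig;
        if (!enterpriseConfig.isEapMethodServerCertUsed() || enterpriseConfig.hasCaCertificate()) {
            return;
        }
        Log.d(TAG, "prepareConnection: isTofuSupported=" + this.mIsTrustOnFirstUseSupported + ", isInsecureEapNetworkAllowed=" + this.mIsInsecureEnterpriseConfigurationAllowed + ", isTofuEnabled=" + enterpriseConfig.isTrustOnFirstUseEnabled() + ", isUserApprovedNoCaCert=" + enterpriseConfig.isUserApproveNoCaCert());
        if (enterpriseConfig.isUserApproveNoCaCert()) {
            // A previous "connect without CA" approval is honoured only when TOFU is
            // unsupported, or when insecure configurations are allowed and TOFU is off.
            if (!this.mIsTrustOnFirstUseSupported) {
                return;
            }
            if (this.mIsInsecureEnterpriseConfigurationAllowed && !enterpriseConfig.isTrustOnFirstUseEnabled()) {
                return;
            }
        }
        if (this.mIsTrustOnFirstUseSupported && (enterpriseConfig.isTrustOnFirstUseEnabled() || !this.mIsInsecureEnterpriseConfigurationAllowed)) {
            // 2 and 0 match WifiEnterpriseConfig.Eap.TTLS and Eap.PEAP; phase 2 value 0 matches
            // Phase2.NONE.
            if (wifiConfiguration.enterpriseConfig.getEapMethod() == 2 || wifiConfiguration.enterpriseConfig.getEapMethod() == 0) {
                wifiConfiguration.enterpriseConfig.setPhase2Method(0);
                wifiConfiguration.enterpriseConfig.setIdentity(null);
                if (TextUtils.isEmpty(wifiConfiguration.enterpriseConfig.getAnonymousIdentity())) {
                    wifiConfiguration.enterpriseConfig.setAnonymousIdentity("anonymous");
                }
                wifiConfiguration.enterpriseConfig.setPassword(null);
            }
            if (this.mWifiNative.isSupplicantAidlServiceVersionAtLeast(2)) {
                wifiConfiguration.enterpriseConfig.setCaPath(WifiConfigurationUtil.getSystemTrustStorePath());
            }
        }
        this.mCurrentTofuConfig = wifiConfiguration;
        this.mServerCertChain.clear();
        dismissDialogAndNotification();
        registerCertificateNotificationReceiver();
        if (useTrustOnFirstUse()) {
            clearNativeData();
            Log.d(TAG, "Remove native cached data and networks for TOFU.");
        }
    }

    /**
     * Starts the approval UI for the connecting network if it still needs a user decision.
     *
     * <p>When insecure enterprise configurations are not allowed, a non-TOFU configuration is
     * switched to TOFU first. In TOFU mode the pending certificates must be complete and the
     * chain must pass {@code configureServerValidationMethod()}; otherwise the flow is aborted
     * and, for an invalid chain, the user is informed.
     *
     * @param z {@code true} to show the dialog directly, {@code false} to post a notification
     * @return {@code true} if approval UI was shown, {@code false} if none is needed or the flow
     *     was aborted
     */
    public boolean startUserApprovalIfNecessary(boolean z) {
        if (this.mConnectingConfig == null || this.mCurrentTofuConfig == null || this.mConnectingConfig.networkId != this.mCurrentTofuConfig.networkId) {
            return false;
        }
        if (this.mIsTrustOnFirstUseSupported && !this.mIsInsecureEnterpriseConfigurationAllowed && !this.mCurrentTofuConfig.enterpriseConfig.isTrustOnFirstUseEnabled()) {
            Log.e(TAG, "Upgrade insecure connection to TOFU.");
            this.mCurrentTofuConfig.enterpriseConfig.enableTrustOnFirstUse(true);
        }
        if (useTrustOnFirstUse()) {
            if (this.mPendingRootCaCert == null) {
                Log.e(TAG, "No valid CA cert for TLS-based connection.");
                handleError(this.mCurrentTofuConfig.SSID);
                return false;
            }
            if (this.mPendingServerCert == null) {
                Log.e(TAG, "No valid Server cert for TLS-based connection.");
                handleError(this.mCurrentTofuConfig.SSID);
                return false;
            }
            Log.d(TAG, "TOFU certificate chain:");
            for (X509Certificate cert : this.mServerCertChain) {
                Log.d(TAG, cert.getSubjectX500Principal().getName());
            }
            if (this.mPendingServerCertSubjectInfo == null) {
                handleError(this.mCurrentTofuConfig.SSID);
                Log.d(TAG, "No valid subject info in Server cert for TLS-based connection.");
                return false;
            }
            if (this.mPendingServerCertIssuerInfo == null) {
                handleError(this.mCurrentTofuConfig.SSID);
                Log.d(TAG, "No valid issuer info in Server cert for TLS-based connection.");
                return false;
            }
            if (!configureServerValidationMethod()) {
                Log.e(TAG, "Server cert chain is invalid.");
                // Capture the SSID first: handleError() clears mCurrentTofuConfig.
                String ssid = this.mCurrentTofuConfig.SSID;
                handleError(ssid);
                createCertificateErrorNotification(z, ssid);
                return false;
            }
        } else if (this.mIsInsecureEnterpriseConfigurationAllowed) {
            Log.i(TAG, "Insecure networks without a Root CA cert are allowed.");
            return false;
        }
        if (z) {
            askForUserApprovalForCaCertificate();
        } else {
            notifyUserForCaCertificate();
        }
        return true;
    }
}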
