package com.android.server.wifi;

import android.content.Context;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.os.UserHandle;
import android.text.TextUtils;
import android.util.ArraySet;
import android.util.Log;
import com.android.server.wifi.util.ArrayUtils;
import com.android.wifi.x.com.android.internal.util.Preconditions;
import com.android.wifi.x.com.android.modules.utils.build.SdkLevel;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes.dex */
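/**
 * Installs, validates and removes the keys and certificates that back Wi-Fi enterprise
 * configurations, using the {@link KeyStore} handed to the constructor.
 *
 * <p>This listing is decompiler output, so local names and some control flow were reconstructed.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Private keys are stored with a {@code null} password, so protection of the key material
 *       is whatever the injected {@link KeyStore} provider gives.
 *       NOTE(review): presumably an Android-backed keystore - confirm at the construction site.</li>
 *   <li>With verbose logging enabled, certificate subject names and CA aliases are written to
 *       the log; the SSID is written on key-installation failures regardless.</li>
 *   <li>The Suite-B check inspects only the signature-algorithm OID and the public-key size of
 *       each certificate. It does not validate chains, validity periods or revocation.</li>
 * </ul>
 */
public class WifiKeyStore {
    private static final String TAG = "WifiKeyStore";

    /** Signature algorithm OID for SHA-384 with RSA (sha384WithRSAEncryption). */
    private static final String SIG_ALG_OID_SHA384_RSA = "1.2.840.113549.1.1.12";
    /** Signature algorithm OID for ECDSA with SHA-384 (ecdsa-with-SHA384). */
    private static final String SIG_ALG_OID_SHA384_ECDSA = "1.2.840.10045.4.3.3";

    /** Minimum RSA modulus size, in bits, accepted for Suite-B. */
    private static final int SUITE_B_MIN_RSA_BITS = 3072;
    /** Minimum EC group order size, in bits, accepted for Suite-B. */
    private static final int SUITE_B_MIN_EC_BITS = 384;

    // Values returned by getSuiteBCipherFromCert(). Local names for the literals in the
    // decompiled listing. NOTE(review): map these to the framework's own constants if available.
    private static final int SUITE_B_CIPHER_INVALID = -1;
    private static final int SUITE_B_CIPHER_ECDSA = 0;
    private static final int SUITE_B_CIPHER_RSA = 1;

    // Security type that triggers the Suite-B certificate checks; the listing passes the literal 5.
    // NOTE(review): presumably the WPA3-Enterprise 192-bit security type - confirm for this build.
    private static final int SECURITY_TYPE_REQUIRING_SUITE_B = 5;

    private final Context mContext;
    private final FrameworkFacade mFrameworkFacade;
    private final KeyStore mKeyStore;
    private boolean mVerboseLoggingEnabled = false;

    /**
     * Creates the helper. A {@code null} keystore is accepted and only logged; every later key
     * operation then fails with a {@link NullPointerException}.
     *
     * <p>JADX reports that the original access modifier was package-private.
     *
     * @param context context passed through to the key-grant lookups
     * @param keyStore keystore that receives the Wi-Fi keys and certificates, may be {@code null}
     * @param frameworkFacade facade used for the KeyChain key-grant calls
     */
    public WifiKeyStore(Context context, KeyStore keyStore, FrameworkFacade frameworkFacade) {
        this.mKeyStore = keyStore;
        if (this.mKeyStore == null) {
            Log.e(TAG, "Unable to retrieve keystore, all key operations will fail");
        }
        this.mContext = context;
        this.mFrameworkFacade = frameworkFacade;
    }

    /**
     * Classifies a certificate for Suite-B use from its signature algorithm and key size.
     *
     * <p>Only SHA-384/RSA with a modulus of at least 3072 bits and SHA-384/ECDSA with a group
     * order of at least 384 bits are accepted. Nothing else about the certificate is validated.
     *
     * @param x509Certificate certificate to inspect
     * @return {@code 1} for an acceptable RSA certificate, {@code 0} for an acceptable ECDSA
     *     certificate, {@code -1} otherwise
     */
    private int getSuiteBCipherFromCert(X509Certificate x509Certificate) {
        String sigAlgOID = x509Certificate.getSigAlgOID();
        if (mVerboseLoggingEnabled) {
            X500Principal subject = x509Certificate.getSubjectX500Principal();
            if (subject != null && !TextUtils.isEmpty(subject.getName())) {
                Log.d(TAG, "Checking cert " + subject.getName());
            }
        }

        // Stays 0 when the key type does not match the signature algorithm; used in the error log.
        int bitLength = 0;
        Key publicKey = x509Certificate.getPublicKey();
        if (TextUtils.equals(sigAlgOID, SIG_ALG_OID_SHA384_RSA)) {
            if (publicKey instanceof RSAPublicKey) {
                RSAPublicKey rsaKey = (RSAPublicKey) publicKey;
                if (rsaKey.getModulus() != null) {
                    bitLength = rsaKey.getModulus().bitLength();
                    if (bitLength >= SUITE_B_MIN_RSA_BITS) {
                        if (mVerboseLoggingEnabled) {
                            Log.d(TAG, "Found Suite-B RSA certificate");
                        }
                        return SUITE_B_CIPHER_RSA;
                    }
                }
            }
        } else if (TextUtils.equals(sigAlgOID, SIG_ALG_OID_SHA384_ECDSA)) {
            if (publicKey instanceof ECPublicKey) {
                ECParameterSpec params = ((ECPublicKey) publicKey).getParams();
                if (params != null && params.getOrder() != null) {
                    bitLength = params.getOrder().bitLength();
                    if (bitLength >= SUITE_B_MIN_EC_BITS) {
                        if (mVerboseLoggingEnabled) {
                            Log.d(TAG, "Found Suite-B ECDSA certificate");
                        }
                        return SUITE_B_CIPHER_ECDSA;
                    }
                }
            }
        }
        Log.e(TAG, "Invalid certificate type for Suite-B: " + sigAlgOID
                + " or insufficient bit length: " + bitLength);
        return SUITE_B_CIPHER_INVALID;
    }

    /**
     * Writes the client key/chain and CA certificates of {@code config} into the keystore and
     * replaces the in-memory key material on {@code config} with keystore aliases.
     *
     * <p>If a CA certificate cannot be stored, the client entry under {@code alias} and every CA
     * entry added by this call are removed again. Entries that this call overwrote are not
     * restored.
     *
     * @param existingConfig enterprise config being replaced, or {@code null} for a new network
     * @param config enterprise config whose keys are installed
     * @param existingAlias alias used by {@code existingConfig}, may be {@code null}
     * @param alias alias to store the new client entry under; CA entries use {@code alias_<index>}
     * @return {@code true} on success, {@code false} if any keystore write failed
     */
    private boolean installKeys(WifiEnterpriseConfig existingConfig, WifiEnterpriseConfig config,
            String existingAlias, String alias) {
        Preconditions.checkNotNull(mKeyStore);
        X509Certificate[] clientCertificateChain = config.getClientCertificateChain();
        if (!ArrayUtils.isEmpty(clientCertificateChain)
                && !putUserPrivKeyAndCertsInKeyStore(alias, config.getClientPrivateKey(),
                        clientCertificateChain)) {
            return false;
        }

        X509Certificate[] caCertificates = config.getCaCertificates();

        // CA aliases of the previous config that become stale once the new ones are installed.
        // Only app-installed CA certificates are candidates for removal.
        ArraySet<String> staleCaAliases = new ArraySet<>();
        if (existingConfig != null && existingConfig.getCaCertificateAliases() != null
                && existingConfig.isAppInstalledCaCert() && caCertificates != null) {
            staleCaAliases.addAll(Arrays.asList(existingConfig.getCaCertificateAliases()));
        }

        ArrayList<String> installedCaAliases = new ArrayList<>();
        if (caCertificates != null) {
            for (int i = 0; i < caCertificates.length; i++) {
                String caAlias = alias + "_" + i;
                // An alias that is about to be rewritten must not be deleted afterwards.
                staleCaAliases.remove(caAlias);
                if (!putCaCertInKeyStore(caAlias, caCertificates[i])) {
                    // Roll back everything this call added so no partial credential set remains.
                    removeEntryFromKeyStore(alias);
                    for (String installedAlias : installedCaAliases) {
                        removeEntryFromKeyStore(installedAlias);
                    }
                    return false;
                }
                installedCaAliases.add(caAlias);
            }
        }

        // Drop the previous client entry when the alias changed and the app had installed it.
        if (!TextUtils.equals(alias, existingAlias) && existingConfig != null
                && existingConfig.isAppInstalledDeviceKeyAndCert()) {
            removeEntryFromKeyStore(existingAlias);
        }
        for (String staleAlias : staleCaAliases) {
            removeEntryFromKeyStore(staleAlias);
        }

        // From here on the config refers to keystore aliases instead of holding key material.
        if (config.getClientCertificate() != null) {
            config.setClientCertificateAlias(alias);
            config.resetClientKeyEntry();
        }
        if (caCertificates != null) {
            config.setCaCertificateAliases(
                    installedCaAliases.toArray(new String[installedCaAliases.size()]));
            config.resetCaCertificate();
        }
        return true;
    }

    /**
     * Reports whether the config carries any certificate or certificate alias.
     *
     * @param wifiEnterpriseConfig enterprise config to inspect
     * @return {@code true} if a client or CA certificate, or an alias for either, is set
     */
    private static boolean needsKeyStore(WifiEnterpriseConfig wifiEnterpriseConfig) {
        return wifiEnterpriseConfig.getClientCertificate() != null
                || wifiEnterpriseConfig.getCaCertificate() != null
                || wifiEnterpriseConfig.getCaCertificateAlias() != null
                || wifiEnterpriseConfig.getClientCertificateAlias() != null;
    }

    /**
     * Turns verbose logging on or off. Verbose logs include certificate subject names and CA
     * aliases.
     *
     * <p>JADX reports that the original access modifier was package-private.
     *
     * @param z {@code true} to enable verbose logging
     */
    public void enableVerboseLogging(boolean z) {
        this.mVerboseLoggingEnabled = z;
    }

    /**
     * Stores a CA certificate under the given alias.
     *
     * @param str alias for the certificate entry
     * @param certificate certificate to store
     * @return {@code true} if stored, {@code false} if the keystore rejected it
     * @throws NullPointerException if no keystore was supplied at construction
     */
    public boolean putCaCertInKeyStore(String str, Certificate certificate) {
        // Same precondition as the other keystore operations; previously an implicit NPE.
        Preconditions.checkNotNull(mKeyStore);
        try {
            mKeyStore.setCertificateEntry(str, certificate);
            return true;
        } catch (KeyStoreException e) {
            Log.e(TAG, "Failed to put CA certificate in keystore: " + e.getMessage());
            return false;
        }
    }

    /**
     * Stores a private key and its certificate chain under the given alias.
     *
     * <p>The entry is written with a {@code null} password, so its protection depends on the
     * keystore provider.
     *
     * @param str alias for the key entry
     * @param key private key to store
     * @param certificateArr certificate chain for the key
     * @return {@code true} if stored, {@code false} if the keystore rejected it
     * @throws NullPointerException if no keystore was supplied at construction
     */
    public boolean putUserPrivKeyAndCertsInKeyStore(String str, Key key,
            Certificate[] certificateArr) {
        // Same precondition as the other keystore operations; previously an implicit NPE.
        Preconditions.checkNotNull(mKeyStore);
        try {
            mKeyStore.setKeyEntry(str, key, null, certificateArr);
            return true;
        } catch (KeyStoreException e) {
            Log.e(TAG, "Failed to put private key or certificate in keystore: "
                    + e.getMessage());
            return false;
        }
    }

    /**
     * Deletes the keystore entry with the given alias.
     *
     * @param str alias to delete
     * @return {@code true} if the delete call succeeded, {@code false} on a keystore error
     * @throws NullPointerException if no keystore was supplied at construction
     */
    public boolean removeEntryFromKeyStore(String str) {
        Preconditions.checkNotNull(mKeyStore);
        try {
            mKeyStore.deleteEntry(str);
            return true;
        } catch (KeyStoreException e) {
            // Callers in this class ignore the result, so without this log a failed delete would
            // leave key material behind with no trace.
            Log.e(TAG, "Failed to remove entry from keystore: " + e.getMessage());
            return false;
        }
    }

    /**
     * Removes the client entry and CA certificates referenced by an enterprise config.
     *
     * <p>Unless {@code z} is set, only entries flagged as app-installed are removed.
     *
     * @param wifiEnterpriseConfig config whose aliases are removed
     * @param z {@code true} to remove the entries regardless of the app-installed flags
     * @throws NullPointerException if no keystore was supplied at construction
     */
    public void removeKeys(WifiEnterpriseConfig wifiEnterpriseConfig, boolean z) {
        Preconditions.checkNotNull(mKeyStore);
        if (z || wifiEnterpriseConfig.isAppInstalledDeviceKeyAndCert()) {
            String clientCertificateAlias = wifiEnterpriseConfig.getClientCertificateAlias();
            if (!TextUtils.isEmpty(clientCertificateAlias)) {
                if (mVerboseLoggingEnabled) {
                    Log.d(TAG, "removing client private key, user cert and CA cert)");
                }
                removeEntryFromKeyStore(clientCertificateAlias);
            }
        }

        if (!z && !wifiEnterpriseConfig.isAppInstalledCaCert()) {
            return;
        }
        String[] caCertificateAliases = wifiEnterpriseConfig.getCaCertificateAliases();
        if (caCertificateAliases == null || caCertificateAliases.length == 0) {
            return;
        }
        for (String caAlias : caCertificateAliases) {
            if (TextUtils.isEmpty(caAlias)) {
                continue;
            }
            if (mVerboseLoggingEnabled) {
                Log.d(TAG, "removing CA cert: " + caAlias);
            }
            removeEntryFromKeyStore(caAlias);
        }
    }

    /**
     * Installs the keys of a new or updated enterprise network and, for the security type that
     * requires Suite-B, selects the Suite-B cipher from the installed certificates.
     *
     * @param wifiConfiguration configuration being added or updated; its enterprise config is
     *     modified to reference keystore aliases
     * @param wifiConfiguration2 configuration being replaced, or {@code null} for a new network
     * @return {@code true} if no keystore work was needed or everything succeeded, {@code false}
     *     if the key grant, key installation or Suite-B validation failed
     * @throws NullPointerException if no keystore was supplied or an enterprise config is missing
     */
    public boolean updateNetworkKeys(WifiConfiguration wifiConfiguration,
            WifiConfiguration wifiConfiguration2) {
        Preconditions.checkNotNull(mKeyStore);
        Preconditions.checkNotNull(wifiConfiguration.enterpriseConfig);
        WifiEnterpriseConfig enterpriseConfig = wifiConfiguration.enterpriseConfig;
        String keyId = wifiConfiguration.getKeyIdForCredentials(wifiConfiguration2);

        String existingKeyId = null;
        WifiEnterpriseConfig existingEnterpriseConfig = null;
        if (wifiConfiguration2 != null) {
            Preconditions.checkNotNull(wifiConfiguration2.enterpriseConfig);
            existingEnterpriseConfig = wifiConfiguration2.enterpriseConfig;
            existingKeyId = wifiConfiguration2.getKeyIdForCredentials(wifiConfiguration2);
        }

        // A KeyChain key pair is only usable if the creating user holds a grant for it; the
        // grant string then becomes the client certificate alias.
        if (SdkLevel.isAtLeastS()) {
            String keyChainAlias = enterpriseConfig.getClientKeyPairAliasInternal();
            if (keyChainAlias != null) {
                String grant = mFrameworkFacade.getWifiKeyGrantAsUser(mContext,
                        UserHandle.getUserHandleForUid(wifiConfiguration.creatorUid),
                        keyChainAlias);
                if (grant == null) {
                    Log.e(TAG, "Unable to get key grant");
                    return false;
                }
                enterpriseConfig.setClientCertificateAlias(grant);
            }
        }

        if (!needsKeyStore(enterpriseConfig)) {
            return true;
        }

        try {
            if (!installKeys(existingEnterpriseConfig, enterpriseConfig, existingKeyId, keyId)) {
                Log.e(TAG, wifiConfiguration.SSID + ": failed to install keys");
                return false;
            }
            if (!wifiConfiguration.isSecurityType(SECURITY_TYPE_REQUIRING_SUITE_B)) {
                return true;
            }
            return configureSuiteBCiphers(wifiConfiguration);
        } catch (IllegalStateException e) {
            Log.e(TAG, wifiConfiguration.SSID + " invalid config for key installation: "
                    + e.getMessage());
            return false;
        }
    }

    /**
     * Validates the installed CA and client certificates against the Suite-B requirements and
     * enables the matching Suite-B cipher on the configuration.
     *
     * <p>Without trust-on-first-use, every CA certificate must qualify and all must be of the
     * same type, and the client certificate must be of that type too. With trust-on-first-use
     * the CA certificates are not inspected and the cipher follows the client certificate alone.
     *
     * <p>The decompiled listing fell through from the CA loop into the "No CA aliases in
     * profile" return (with an unassigned result) and reset the CA type before the client
     * comparison, so a non-trust-on-first-use profile could never pass. This version restores
     * the flow the log messages describe.
     * NOTE(review): confirm against the upstream source.
     *
     * @param config configuration whose enterprise config already refers to keystore aliases
     * @return {@code true} if the ciphers were enabled, {@code false} if validation failed
     */
    private boolean configureSuiteBCiphers(WifiConfiguration config) {
        WifiEnterpriseConfig enterpriseConfig = config.enterpriseConfig;
        boolean trustOnFirstUse = enterpriseConfig.isTrustOnFirstUseEnabled();

        int caCertType = SUITE_B_CIPHER_INVALID;
        if (!trustOnFirstUse) {
            String[] caAliases = enterpriseConfig.getCaCertificateAliases();
            if (caAliases == null || caAliases.length == 0) {
                Log.e(TAG, "No CA aliases in profile");
                return false;
            }
            for (String caAlias : caAliases) {
                X509Certificate caCert = readX509Certificate(caAlias,
                        "Failed to get Suite-B certificate",
                        "Failed reading CA certificate for Suite-B");
                if (caCert == null) {
                    return false;
                }
                int certType = getSuiteBCipherFromCert(caCert);
                if (certType < 0) {
                    return false;
                }
                // All CA certificates must be of one type, RSA or ECDSA.
                if (caCertType != SUITE_B_CIPHER_INVALID && caCertType != certType) {
                    Log.e(TAG, "Incompatible CA certificates");
                    return false;
                }
                caCertType = certType;
            }
        }

        X509Certificate clientCert = readX509Certificate(
                enterpriseConfig.getClientCertificateAlias(),
                "Failed to get Suite-B client certificate",
                "Failed reading client certificate for Suite-B");
        if (clientCert == null) {
            return false;
        }
        int clientCertType = getSuiteBCipherFromCert(clientCert);
        if (clientCertType < 0) {
            return false;
        }

        if (clientCertType == caCertType || trustOnFirstUse) {
            // First flag is set for a type-0 (ECDSA) certificate, second for type-1 (RSA).
            config.enableSuiteBCiphers(clientCertType == SUITE_B_CIPHER_ECDSA,
                    clientCertType == SUITE_B_CIPHER_RSA);
            return true;
        }
        Log.e(TAG, "Client certificate for Suite-B is incompatible with the CA certificate");
        return false;
    }

    /**
     * Reads an X.509 certificate from the keystore.
     *
     * @param alias keystore alias to read; a {@code null} alias is treated as unreadable
     * @param lookupFailureMessage message logged when the keystore throws
     * @param unreadableMessage message logged when no X.509 certificate is found under the alias
     * @return the certificate, or {@code null} if it is missing or not an X.509 certificate
     */
    private X509Certificate readX509Certificate(String alias, String lookupFailureMessage,
            String unreadableMessage) {
        Certificate certificate = null;
        // Fail closed on a missing alias instead of passing null to the keystore provider.
        if (alias != null) {
            try {
                certificate = mKeyStore.getCertificate(alias);
            } catch (KeyStoreException e) {
                Log.e(TAG, lookupFailureMessage, e);
            }
        }
        if (!(certificate instanceof X509Certificate)) {
            Log.e(TAG, unreadableMessage);
            return null;
        }
        return (X509Certificate) certificate;
    }

    /**
     * Checks whether a KeyChain alias may be used for Wi-Fi by the given UID's user.
     *
     * @param str KeyChain alias to check
     * @param i UID whose user must hold the Wi-Fi key grant
     * @return {@code true} if the grant exists; {@code false} for an empty alias, a missing
     *     grant, or a pre-S device
     */
    public boolean validateKeyChainAlias(String str, int i) {
        if (TextUtils.isEmpty(str)) {
            Log.e(TAG, "Alias cannot be empty");
            return false;
        }
        if (SdkLevel.isAtLeastS()) {
            return mFrameworkFacade.hasWifiKeyGrantAsUser(mContext,
                    UserHandle.getUserHandleForUid(i), str);
        }
        Log.w(TAG, "Attempt to use a KeyChain key on pre-S device");
        return false;
    }
}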
