package com.android.server.security;

import android.annotation.NonNull;
import android.annotation.Nullable;
import com.android.framework.protobuf.ByteString;
import com.android.internal.org.bouncycastle.asn1.ASN1Boolean;
import com.android.internal.org.bouncycastle.asn1.ASN1Encodable;
import com.android.internal.org.bouncycastle.asn1.ASN1Enumerated;
import com.android.internal.org.bouncycastle.asn1.ASN1InputStream;
import com.android.internal.org.bouncycastle.asn1.ASN1Integer;
import com.android.internal.org.bouncycastle.asn1.ASN1ObjectIdentifier;
import com.android.internal.org.bouncycastle.asn1.ASN1OctetString;
import com.android.internal.org.bouncycastle.asn1.ASN1Sequence;
import com.android.internal.org.bouncycastle.asn1.ASN1TaggedObject;
import com.android.internal.org.bouncycastle.asn1.x509.Certificate;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/android/server/security/AndroidKeystoreAttestationVerificationAttributes.class */
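/**
 * Decoded view of the Android Keystore key-description (attestation) extension carried in an
 * X.509 certificate.
 *
 * <p>This class only parses the extension. Nothing in it checks the certificate's signature,
 * chain, validity period or revocation status, and nothing compares the attestation challenge
 * with an expected value; those checks belong to the caller and must succeed before any value
 * returned here is trusted.
 *
 * <p>This is a decompiled (JADX) listing: several members appear as {@code public} although the
 * decompiler reports that they were package-private in the original class.
 */
class AndroidKeystoreAttestationVerificationAttributes {
    private static final String ANDROID_KEYMASTER_KEY_DESCRIPTION_EXTENSION_OID = "1.3.6.1.4.1.11129.2.1.17";

    // Positions of the fields inside the key-description sequence.
    private static final int ATTESTATION_VERSION_INDEX = 0;
    private static final int ATTESTATION_SECURITY_LEVEL_INDEX = 1;
    private static final int KEYMASTER_VERSION_INDEX = 2;
    private static final int KEYMASTER_SECURITY_LEVEL_INDEX = 3;
    private static final int ATTESTATION_CHALLENGE_INDEX = 4;
    private static final int KEYMASTER_UNIQUE_ID_INDEX = 5;
    private static final int SW_ENFORCED_INDEX = 6;
    private static final int HW_ENFORCED_INDEX = 7;

    // Positions of the fields inside the root-of-trust sequence (tag 704).
    private static final int VERIFIED_BOOT_KEY_INDEX = 0;
    private static final int VERIFIED_BOOT_LOCKED_INDEX = 1;
    private static final int VERIFIED_BOOT_STATE_INDEX = 2;
    private static final int VERIFIED_BOOT_HASH_INDEX = 3;

    // Positions inside the attestation application id (tag 709) and its package entries.
    private static final int PACKAGE_INFO_SET_INDEX = 0;
    private static final int PACKAGE_SIGNATURE_SET_INDEX = 1;
    private static final int PACKAGE_INFO_NAME_INDEX = 0;
    private static final int PACKAGE_INFO_VERSION_INDEX = 1;

    private static final int HW_AUTH_NONE = 0;

    // Authorization-list tag numbers handled by the constructor.
    private static final int KM_TAG_NO_AUTH_REQUIRED = 503;
    private static final int KM_TAG_UNLOCKED_DEVICE_REQUIRED = 509;
    private static final int KM_TAG_ALL_APPLICATIONS = 600;
    private static final int KM_TAG_ROOT_OF_TRUST = 704;
    private static final int KM_TAG_OS_VERSION = 705;
    private static final int KM_TAG_OS_PATCHLEVEL = 706;
    private static final int KM_TAG_ATTESTATION_APPLICATION_ID = 709;
    private static final int KM_TAG_ATTESTATION_ID_BRAND = 710;
    private static final int KM_TAG_ATTESTATION_ID_DEVICE = 711;
    private static final int KM_TAG_ATTESTATION_ID_PRODUCT = 712;
    private static final int KM_TAG_VENDOR_PATCHLEVEL = 718;
    private static final int KM_TAG_BOOT_PATCHLEVEL = 719;

    // Wire values of the security-level enumeration.
    private static final int KM_SECURITY_LEVEL_SOFTWARE = 0;
    private static final int KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 1;
    private static final int KM_SECURITY_LEVEL_STRONG_BOX = 2;

    // Wire values of the verified-boot-state enumeration.
    private static final int KM_VERIFIED_BOOT_STATE_VERIFIED = 0;
    private static final int KM_VERIFIED_BOOT_STATE_SELF_SIGNED = 1;
    private static final int KM_VERIFIED_BOOT_STATE_UNVERIFIED = 2;
    private static final int KM_VERIFIED_BOOT_STATE_FAILED = 3;

    // Boxed fields stay null when the corresponding value was absent from the extension.
    private Integer mAttestationVersion;
    private SecurityLevel mAttestationSecurityLevel;
    private boolean mAttestationHardwareBacked;
    private Integer mKeymasterVersion;
    private SecurityLevel mKeymasterSecurityLevel;
    private boolean mKeymasterHardwareBacked;
    private ByteString mAttestationChallenge;
    private ByteString mKeymasterUniqueId;
    private String mDeviceBrand;
    private String mDeviceName;
    private String mDeviceProductName;
    private boolean mKeyAllowedForAllApplications;
    private Integer mKeyAuthenticatorType;
    private Integer mKeyBootPatchLevel;
    private Integer mKeyOsPatchLevel;
    private Integer mKeyOsVersion;
    private Integer mKeyVendorPatchLevel;
    private Boolean mKeyRequiresUnlockedDevice;
    private ByteString mVerifiedBootHash;
    private ByteString mVerifiedBootKey;
    private Boolean mVerifiedBootLocked;
    private VerifiedBootState mVerifiedBootState;
    private Map<String, Long> mApplicationPackageNameVersion = null;
    private List<ByteString> mApplicationCertificateDigests = null;

    /** Security level reported for the attestation and for the keymaster implementation. */
    public enum SecurityLevel {
        SOFTWARE,
        TRUSTED_ENVIRONMENT,
        STRONG_BOX
    }

    /** Verified-boot state reported in the root-of-trust entry. */
    public enum VerifiedBootState {
        VERIFIED,
        SELF_SIGNED,
        UNVERIFIED,
        FAILED
    }

    /**
     * Parses the attestation extension of {@code x509Certificate}.
     *
     * <p>The certificate content is untrusted input. Besides the declared exceptions, a malformed
     * extension surfaces as an unchecked exception (failed cast, out-of-range integer, unknown
     * enumeration value, short sequence). NOTE(review): callers are not visible here; they should
     * treat every exception from this method as a verification failure.
     *
     * @param x509Certificate certificate expected to carry the key-description extension
     * @return the decoded attributes
     * @throws CertificateEncodingException if the certificate cannot be encoded or carries no
     *     attestation extension
     * @throws IOException if the encoded certificate cannot be read as ASN.1
     */
    @NonNull
    public static AndroidKeystoreAttestationVerificationAttributes fromCertificate(@NonNull X509Certificate x509Certificate) throws CertificateEncodingException, IOException {
        return new AndroidKeystoreAttestationVerificationAttributes(x509Certificate);
    }

    /** Returns the attestation version read from the extension. */
    public int getAttestationVersion() {
        return this.mAttestationVersion.intValue();
    }

    /** Returns the security level of the attestation. */
    @Nullable
    SecurityLevel getAttestationSecurityLevel() {
        return this.mAttestationSecurityLevel;
    }

    /**
     * Returns whether the attestation security level is {@link SecurityLevel#TRUSTED_ENVIRONMENT}.
     *
     * <p>{@link SecurityLevel#STRONG_BOX} yields {@code false} here.
     */
    public boolean isAttestationHardwareBacked() {
        return this.mAttestationHardwareBacked;
    }

    /** Returns the keymaster version read from the extension. */
    public int getKeymasterVersion() {
        return this.mKeymasterVersion.intValue();
    }

    /** Returns the security level of the keymaster implementation. */
    @Nullable
    SecurityLevel getKeymasterSecurityLevel() {
        return this.mKeymasterSecurityLevel;
    }

    /**
     * Returns whether the keymaster security level is {@link SecurityLevel#TRUSTED_ENVIRONMENT}.
     *
     * <p>{@link SecurityLevel#STRONG_BOX} yields {@code false} here.
     */
    public boolean isKeymasterHardwareBacked() {
        return this.mKeymasterHardwareBacked;
    }

    /**
     * Returns the attestation challenge bytes. This class does not compare them with anything;
     * the caller has to match them against the challenge it issued.
     */
    @Nullable
    public ByteString getAttestationChallenge() {
        return this.mAttestationChallenge;
    }

    /** Returns the keymaster unique id bytes. */
    @Nullable
    ByteString getKeymasterUniqueId() {
        return this.mKeymasterUniqueId;
    }

    /** Returns the attested device brand, or {@code null} if tag 710 was absent. */
    @Nullable
    String getDeviceBrand() {
        return this.mDeviceBrand;
    }

    /** Returns the attested device name, or {@code null} if tag 711 was absent. */
    @Nullable
    String getDeviceName() {
        return this.mDeviceName;
    }

    /** Returns the attested product name, or {@code null} if tag 712 was absent. */
    @Nullable
    String getDeviceProductName() {
        return this.mDeviceProductName;
    }

    /** Returns whether tag 600 was present in the hardware-enforced list. */
    boolean isKeyAllowedForAllApplications() {
        return this.mKeyAllowedForAllApplications;
    }

    /**
     * Returns the authenticator type. The parser only ever stores {@code HW_AUTH_NONE}, and only
     * when tag 503 is present in the hardware-enforced list.
     *
     * @throws IllegalStateException if the value was not present
     */
    int getKeyAuthenticatorType() {
        if (this.mKeyAuthenticatorType == null) {
            throw new IllegalStateException("KeyAuthenticatorType is not set.");
        }
        return this.mKeyAuthenticatorType.intValue();
    }

    /**
     * Returns the boot patch level from the hardware-enforced list.
     *
     * @throws IllegalStateException if the value was not present
     */
    public int getKeyBootPatchLevel() {
        if (this.mKeyBootPatchLevel == null) {
            throw new IllegalStateException("KeyBootPatchLevel is not set.");
        }
        return this.mKeyBootPatchLevel.intValue();
    }

    /**
     * Returns the OS patch level from the hardware-enforced list.
     *
     * @throws IllegalStateException if the value was not present
     */
    public int getKeyOsPatchLevel() {
        if (this.mKeyOsPatchLevel == null) {
            throw new IllegalStateException("KeyOsPatchLevel is not set.");
        }
        return this.mKeyOsPatchLevel.intValue();
    }

    /**
     * Returns the vendor patch level from the hardware-enforced list.
     *
     * @throws IllegalStateException if the value was not present
     */
    public int getKeyVendorPatchLevel() {
        if (this.mKeyVendorPatchLevel == null) {
            throw new IllegalStateException("KeyVendorPatchLevel is not set.");
        }
        return this.mKeyVendorPatchLevel.intValue();
    }

    /**
     * Returns the OS version from the hardware-enforced list.
     *
     * @throws IllegalStateException if the value was not present
     */
    public int getKeyOsVersion() {
        if (this.mKeyOsVersion == null) {
            throw new IllegalStateException("KeyOsVersion is not set.");
        }
        return this.mKeyOsVersion.intValue();
    }

    /**
     * Returns the unlocked-device-required flag from the software-enforced list.
     *
     * @throws IllegalStateException if the tag was absent or its value was not an ASN.1 BOOLEAN
     */
    boolean isKeyRequiresUnlockedDevice() {
        if (this.mKeyRequiresUnlockedDevice == null) {
            throw new IllegalStateException("KeyRequiresUnlockedDevice is not set.");
        }
        return this.mKeyRequiresUnlockedDevice.booleanValue();
    }

    /** Returns the verified boot hash; only parsed for attestation version 3 and above. */
    @Nullable
    ByteString getVerifiedBootHash() {
        return this.mVerifiedBootHash;
    }

    /** Returns the verified boot key, or {@code null} if no root-of-trust entry was present. */
    @Nullable
    ByteString getVerifiedBootKey() {
        return this.mVerifiedBootKey;
    }

    /**
     * Returns whether the root-of-trust entry reports the device as locked.
     *
     * @throws IllegalStateException if the root-of-trust entry was absent or the flag was not an
     *     ASN.1 BOOLEAN
     */
    public boolean isVerifiedBootLocked() {
        if (this.mVerifiedBootLocked == null) {
            throw new IllegalStateException("VerifiedBootLocked is not set.");
        }
        return this.mVerifiedBootLocked.booleanValue();
    }

    /** Returns the verified boot state, or {@code null} if no root-of-trust entry was present. */
    @Nullable
    public VerifiedBootState getVerifiedBootState() {
        return this.mVerifiedBootState;
    }

    /**
     * Returns an unmodifiable package-name to version map, or {@code null} if the certificate
     * carried no attestation application id.
     */
    @Nullable
    public Map<String, Long> getApplicationPackageNameVersion() {
        // The field is stored already wrapped; wrapping a null field again would throw
        // NullPointerException instead of honouring the @Nullable contract.
        return this.mApplicationPackageNameVersion;
    }

    /**
     * Returns an unmodifiable list of application certificate digests, or {@code null} if the
     * certificate carried no attestation application id.
     */
    @Nullable
    List<ByteString> getApplicationCertificateDigests() {
        // Same reasoning as getApplicationPackageNameVersion(): never re-wrap a null field.
        return this.mApplicationCertificateDigests;
    }

    /**
     * Decodes the key-description extension of {@code x509Certificate} into the fields of this
     * object. See {@link #fromCertificate} for the exception contract.
     */
    private AndroidKeystoreAttestationVerificationAttributes(X509Certificate x509Certificate) throws CertificateEncodingException, IOException {
        ASN1Encodable extensionValue;
        try (ASN1InputStream certificateStream = new ASN1InputStream(x509Certificate.getEncoded())) {
            Certificate certificate = Certificate.getInstance(certificateStream.readObject());
            // A certificate without any extensions is reported the same way as one without the
            // attestation extension, rather than failing with a NullPointerException.
            extensionValue = certificate.getTBSCertificate().getExtensions() == null
                    ? null
                    : certificate.getTBSCertificate().getExtensions().getExtensionParsedValue(
                            new ASN1ObjectIdentifier(ANDROID_KEYMASTER_KEY_DESCRIPTION_EXTENSION_OID));
        }
        if (extensionValue == null) {
            throw new CertificateEncodingException("No attestation extension found in certificate.");
        }
        ASN1Sequence keyDescription = (ASN1Sequence) extensionValue;

        this.mAttestationVersion = Integer.valueOf(getIntegerFromAsn1(keyDescription.getObjectAt(ATTESTATION_VERSION_INDEX)));
        this.mAttestationSecurityLevel = getSecurityLevelEnum(keyDescription.getObjectAt(ATTESTATION_SECURITY_LEVEL_INDEX));
        // NOTE(review): STRONG_BOX is not counted as hardware-backed by this flag or by the
        // keymaster one below; a caller gating on them rejects StrongBox attestations. Confirm
        // that this is intended.
        this.mAttestationHardwareBacked = this.mAttestationSecurityLevel == SecurityLevel.TRUSTED_ENVIRONMENT;
        this.mAttestationChallenge = getOctetsFromAsn1(keyDescription.getObjectAt(ATTESTATION_CHALLENGE_INDEX));
        this.mKeymasterVersion = Integer.valueOf(getIntegerFromAsn1(keyDescription.getObjectAt(KEYMASTER_VERSION_INDEX)));
        this.mKeymasterUniqueId = getOctetsFromAsn1(keyDescription.getObjectAt(KEYMASTER_UNIQUE_ID_INDEX));
        this.mKeymasterSecurityLevel = getSecurityLevelEnum(keyDescription.getObjectAt(KEYMASTER_SECURITY_LEVEL_INDEX));
        this.mKeymasterHardwareBacked = this.mKeymasterSecurityLevel == SecurityLevel.TRUSTED_ENVIRONMENT;

        // Software-enforced list: only the unlocked-device flag and the application id are read.
        // NOTE(review): these values come from the software-enforced list, not the
        // hardware-enforced one; weigh them accordingly in any trust decision.
        for (ASN1Encodable entry : ((ASN1Sequence) keyDescription.getObjectAt(SW_ENFORCED_INDEX)).toArray()) {
            ASN1TaggedObject softwareEntry = (ASN1TaggedObject) entry;
            switch (softwareEntry.getTagNo()) {
                case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
                    this.mKeyRequiresUnlockedDevice = getBoolFromAsn1(softwareEntry.getObject());
                    break;
                case KM_TAG_ATTESTATION_APPLICATION_ID:
                    parseAttestationApplicationId(getOctetsFromAsn1(softwareEntry.getObject()).toByteArray());
                    break;
                default:
                    // Tags this class does not model are skipped.
                    break;
            }
        }

        // Hardware-enforced list.
        for (ASN1Encodable entry : ((ASN1Sequence) keyDescription.getObjectAt(HW_ENFORCED_INDEX)).toArray()) {
            ASN1TaggedObject hardwareEntry = (ASN1TaggedObject) entry;
            switch (hardwareEntry.getTagNo()) {
                case KM_TAG_NO_AUTH_REQUIRED:
                    this.mKeyAuthenticatorType = HW_AUTH_NONE;
                    break;
                case KM_TAG_ALL_APPLICATIONS:
                    this.mKeyAllowedForAllApplications = true;
                    break;
                case KM_TAG_ROOT_OF_TRUST:
                    ASN1Sequence rootOfTrust = (ASN1Sequence) hardwareEntry.getObject();
                    this.mVerifiedBootKey = getOctetsFromAsn1(rootOfTrust.getObjectAt(VERIFIED_BOOT_KEY_INDEX));
                    this.mVerifiedBootLocked = getBoolFromAsn1(rootOfTrust.getObjectAt(VERIFIED_BOOT_LOCKED_INDEX));
                    this.mVerifiedBootState = getVerifiedBootStateEnum(rootOfTrust.getObjectAt(VERIFIED_BOOT_STATE_INDEX));
                    // The boot hash element is only read for attestation version 3 and above.
                    if (this.mAttestationVersion.intValue() >= 3) {
                        this.mVerifiedBootHash = getOctetsFromAsn1(rootOfTrust.getObjectAt(VERIFIED_BOOT_HASH_INDEX));
                    }
                    break;
                case KM_TAG_OS_VERSION:
                    this.mKeyOsVersion = Integer.valueOf(getIntegerFromAsn1(hardwareEntry.getObject()));
                    break;
                case KM_TAG_OS_PATCHLEVEL:
                    this.mKeyOsPatchLevel = Integer.valueOf(getIntegerFromAsn1(hardwareEntry.getObject()));
                    break;
                case KM_TAG_ATTESTATION_ID_BRAND:
                    this.mDeviceBrand = getUtf8FromOctetsFromAsn1(hardwareEntry.getObject());
                    break;
                case KM_TAG_ATTESTATION_ID_DEVICE:
                    this.mDeviceName = getUtf8FromOctetsFromAsn1(hardwareEntry.getObject());
                    break;
                case KM_TAG_ATTESTATION_ID_PRODUCT:
                    this.mDeviceProductName = getUtf8FromOctetsFromAsn1(hardwareEntry.getObject());
                    break;
                case KM_TAG_VENDOR_PATCHLEVEL:
                    this.mKeyVendorPatchLevel = Integer.valueOf(getIntegerFromAsn1(hardwareEntry.getObject()));
                    break;
                case KM_TAG_BOOT_PATCHLEVEL:
                    this.mKeyBootPatchLevel = Integer.valueOf(getIntegerFromAsn1(hardwareEntry.getObject()));
                    break;
                default:
                    // Tags this class does not model are skipped.
                    break;
            }
        }
    }

    /**
     * Decodes the attestation application id (tag 709) into the package name/version map and the
     * certificate digest list, both stored as unmodifiable views.
     *
     * @param bArr encoded application id taken from the software-enforced list
     * @throws IOException if the bytes cannot be read as ASN.1
     */
    private void parseAttestationApplicationId(byte[] bArr) throws IOException {
        ASN1Sequence applicationId;
        try (ASN1InputStream idStream = new ASN1InputStream(bArr)) {
            applicationId = ASN1Sequence.getInstance(idStream.readObject());
        }
        Map<String, Long> packageVersions = new HashMap<>();
        // NOTE(review): decompiler artifact - the two loops below call toArray() on the plain
        // ASN1Encodable returned by getObjectAt(); the original presumably casts to a collection
        // type that is not imported in this listing. Left as decompiled; restore the cast before
        // compiling.
        for (ASN1Sequence packageInfo : applicationId.getObjectAt(PACKAGE_INFO_SET_INDEX).toArray()) {
            // A repeated package name overwrites the earlier entry.
            packageVersions.put(
                    getUtf8FromOctetsFromAsn1(packageInfo.getObjectAt(PACKAGE_INFO_NAME_INDEX)),
                    Long.valueOf(getLongFromAsn1(packageInfo.getObjectAt(PACKAGE_INFO_VERSION_INDEX))));
        }
        List<ByteString> certificateDigests = new ArrayList<>();
        for (ASN1Encodable digest : applicationId.getObjectAt(PACKAGE_SIGNATURE_SET_INDEX).toArray()) {
            certificateDigests.add(getOctetsFromAsn1(digest));
        }
        this.mApplicationPackageNameVersion = Collections.unmodifiableMap(packageVersions);
        this.mApplicationCertificateDigests = Collections.unmodifiableList(certificateDigests);
    }

    /**
     * Maps the ASN.1 enumerated boot state onto {@link VerifiedBootState}.
     *
     * @throws IllegalArgumentException if the value is not one of the four known states
     */
    private VerifiedBootState getVerifiedBootStateEnum(ASN1Encodable aSN1Encodable) {
        switch (getEnumFromAsn1(aSN1Encodable)) {
            case KM_VERIFIED_BOOT_STATE_VERIFIED:
                return VerifiedBootState.VERIFIED;
            case KM_VERIFIED_BOOT_STATE_SELF_SIGNED:
                return VerifiedBootState.SELF_SIGNED;
            case KM_VERIFIED_BOOT_STATE_UNVERIFIED:
                return VerifiedBootState.UNVERIFIED;
            case KM_VERIFIED_BOOT_STATE_FAILED:
                return VerifiedBootState.FAILED;
            default:
                // Unknown states are rejected rather than mapped to a default.
                throw new IllegalArgumentException("Invalid verified boot state.");
        }
    }

    /**
     * Maps the ASN.1 enumerated security level onto {@link SecurityLevel}.
     *
     * @throws IllegalArgumentException if the value is not one of the three known levels
     */
    private SecurityLevel getSecurityLevelEnum(ASN1Encodable aSN1Encodable) {
        switch (getEnumFromAsn1(aSN1Encodable)) {
            case KM_SECURITY_LEVEL_SOFTWARE:
                return SecurityLevel.SOFTWARE;
            case KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT:
                return SecurityLevel.TRUSTED_ENVIRONMENT;
            case KM_SECURITY_LEVEL_STRONG_BOX:
                return SecurityLevel.STRONG_BOX;
            default:
                // Unknown levels are rejected rather than mapped to a default.
                throw new IllegalArgumentException("Invalid security level.");
        }
    }

    /** Copies the bytes of an ASN.1 octet string; any other type fails the cast. */
    @NonNull
    private ByteString getOctetsFromAsn1(ASN1Encodable aSN1Encodable) {
        return ByteString.copyFrom(((ASN1OctetString) aSN1Encodable).getOctets());
    }

    /** Decodes the bytes of an ASN.1 octet string as UTF-8; any other type fails the cast. */
    @NonNull
    private String getUtf8FromOctetsFromAsn1(ASN1Encodable aSN1Encodable) {
        return new String(((ASN1OctetString) aSN1Encodable).getOctets(), StandardCharsets.UTF_8);
    }

    /** Reads an ASN.1 integer as {@code int}; values outside the int range throw. */
    private int getIntegerFromAsn1(ASN1Encodable aSN1Encodable) {
        return ((ASN1Integer) aSN1Encodable).getValue().intValueExact();
    }

    /** Reads an ASN.1 integer as {@code long}; values outside the long range throw. */
    private long getLongFromAsn1(ASN1Encodable aSN1Encodable) {
        return ((ASN1Integer) aSN1Encodable).getValue().longValueExact();
    }

    /** Reads an ASN.1 enumerated value as {@code int}; values outside the int range throw. */
    private int getEnumFromAsn1(ASN1Encodable aSN1Encodable) {
        return ((ASN1Enumerated) aSN1Encodable).getValue().intValueExact();
    }

    /** Returns the value of an ASN.1 BOOLEAN, or {@code null} for any other ASN.1 type. */
    @Nullable
    private Boolean getBoolFromAsn1(ASN1Encodable aSN1Encodable) {
        if (aSN1Encodable instanceof ASN1Boolean) {
            return Boolean.valueOf(((ASN1Boolean) aSN1Encodable).isTrue());
        }
        return null;
    }
}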
