package com.android.server.security;

import android.annotation.NonNull;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.security.attestationverification.AttestationVerificationManager;
import android.util.IndentingPrintWriter;
import android.util.Slog;
import com.android.internal.annotations.VisibleForTesting;
import com.android.server.security.AndroidKeystoreAttestationVerificationAttributes;
import com.android.server.security.AttestationVerificationManagerService;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneId;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.json.JSONObject;

/* loaded from: classes2.dex */
public class AttestationVerificationPeerDeviceVerifier {
    public static final Set ANDROID_SYSTEM_PACKAGE_NAME_SET = Collections.singleton("AndroidSystem");
    public final CertPathValidator mCertPathValidator;
    public final CertificateFactory mCertificateFactory;
    public final Context mContext;
    public final AttestationVerificationManagerService.DumpLogger mDumpLogger;
    public final boolean mRevocationEnabled;
    public final LocalDate mTestLocalPatchDate;
    public final LocalDate mTestSystemDate;
    public final Set mTrustAnchors;

    /* loaded from: classes2.dex */
    public final class AndroidRevocationStatusListChecker extends PKIXCertPathChecker {
        public JSONObject mJsonStatusMap;
        public String mStatusUrl;

        public AndroidRevocationStatusListChecker() {
        }

        @Override // java.security.cert.PKIXCertPathChecker
        public void check(Certificate certificate, Collection collection) {
            String bigInteger = ((X509Certificate) certificate).getSerialNumber().toString(16);
            if (bigInteger == null) {
                throw new CertPathValidatorException("Certificate serial number can not be null.");
            }
            if (this.mJsonStatusMap.has(bigInteger)) {
                try {
                    JSONObject jSONObject = this.mJsonStatusMap.getJSONObject(bigInteger);
                    throw new CertPathValidatorException("Invalid certificate with serial number " + bigInteger + " has status " + jSONObject.getString("status") + " because reason " + jSONObject.getString("reason"));
                } catch (Throwable th) {
                    throw new CertPathValidatorException("Unable get properties for certificate with serial number " + bigInteger);
                }
            }
        }

        public final String getRevocationListUrl() {
            return AttestationVerificationPeerDeviceVerifier.this.mContext.getResources().getString(17041986);
        }

        public final JSONObject getStatusMap(String str) {
            try {
                try {
                    InputStream openStream = new URL(str).openStream();
                    try {
                        JSONObject jSONObject = new JSONObject(new String(openStream.readAllBytes(), StandardCharsets.UTF_8)).getJSONObject("entries");
                        openStream.close();
                        return jSONObject;
                    } finally {
                    }
                } catch (Throwable th) {
                    throw new CertPathValidatorException("Unable to parse revocation status from " + this.mStatusUrl, th);
                }
            } catch (Throwable th2) {
                throw new CertPathValidatorException("Unable to get revocation status from " + this.mStatusUrl, th2);
            }
        }

        @Override // java.security.cert.PKIXCertPathChecker
        public Set getSupportedExtensions() {
            return null;
        }

        @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
        public void init(boolean z) {
            this.mStatusUrl = getRevocationListUrl();
            if (this.mStatusUrl == null || this.mStatusUrl.isEmpty()) {
                throw new CertPathValidatorException("R.string.vendor_required_attestation_revocation_list_url is empty.");
            }
            this.mJsonStatusMap = getStatusMap(this.mStatusUrl);
        }

        @Override // java.security.cert.PKIXCertPathChecker, java.security.cert.CertPathChecker
        public boolean isForwardCheckingSupported() {
            return false;
        }
    }

    /* loaded from: classes2.dex */
    public class MyDumpData extends AttestationVerificationManagerService.DumpData {
        public boolean mAttestationParametersOk;
        public boolean mAttestationVersionAtLeast3;
        public boolean mBindingOk;
        public int mBindingType;
        public boolean mBootStateIsVerified;
        public boolean mCertChainOk;
        public boolean mCertPathValidatorAvailable;
        public boolean mCertificationFactoryAvailable;
        public boolean mKeyBootPatchLevelInRange;
        public boolean mKeyHwBacked;
        public boolean mKeyVendorPatchLevelInRange;
        public boolean mKeymasterHwBacked;
        public boolean mKeymasterVersionAtLeast4;
        public boolean mOsPatchLevelInRange;
        public boolean mOsVersionAtLeast10;
        public int mResult;
        public boolean mSystemOwned;
        public boolean mSystemOwnershipChecked;
        public boolean mVerifiedBootStateLocked;

        public MyDumpData() {
            this.mResult = -1;
            this.mCertificationFactoryAvailable = false;
            this.mCertPathValidatorAvailable = false;
            this.mAttestationParametersOk = false;
            this.mCertChainOk = false;
            this.mBindingOk = false;
            this.mBindingType = -1;
            this.mSystemOwnershipChecked = false;
            this.mSystemOwned = false;
            this.mOsVersionAtLeast10 = false;
            this.mKeyHwBacked = false;
            this.mAttestationVersionAtLeast3 = false;
            this.mKeymasterVersionAtLeast4 = false;
            this.mKeymasterHwBacked = false;
            this.mBootStateIsVerified = false;
            this.mVerifiedBootStateLocked = false;
            this.mOsPatchLevelInRange = false;
            this.mKeyBootPatchLevelInRange = false;
            this.mKeyVendorPatchLevelInRange = false;
        }

        public final String booleanToOkFail(boolean z) {
            return z ? "OK" : "FAILURE";
        }

        @Override // com.android.server.security.AttestationVerificationManagerService.DumpData
        public void dumpTo(IndentingPrintWriter indentingPrintWriter) {
            indentingPrintWriter.println("Result: " + this.mResult);
            if (!this.mCertificationFactoryAvailable) {
                indentingPrintWriter.println("Certificate Factory Unavailable");
                return;
            }
            if (!this.mCertPathValidatorAvailable) {
                indentingPrintWriter.println("Cert Path Validator Unavailable");
                return;
            }
            if (!this.mAttestationParametersOk) {
                indentingPrintWriter.println("Attestation parameters set incorrectly.");
                return;
            }
            indentingPrintWriter.println("Certificate Chain Valid (inc. Trust Anchor): " + booleanToOkFail(this.mCertChainOk));
            if (this.mCertChainOk) {
                indentingPrintWriter.println("Local Binding: " + booleanToOkFail(this.mBindingOk));
                indentingPrintWriter.increaseIndent();
                indentingPrintWriter.println("Binding Type: " + this.mBindingType);
                indentingPrintWriter.decreaseIndent();
                if (this.mSystemOwnershipChecked) {
                    indentingPrintWriter.println("System Ownership: " + booleanToOkFail(this.mSystemOwned));
                }
                indentingPrintWriter.println("KeyStore Attestation Parameters");
                indentingPrintWriter.increaseIndent();
                indentingPrintWriter.println("OS Version >= 10: " + booleanToOkFail(this.mOsVersionAtLeast10));
                indentingPrintWriter.println("OS Patch Level in Range: " + booleanToOkFail(this.mOsPatchLevelInRange));
                indentingPrintWriter.println("Attestation Version >= 3: " + booleanToOkFail(this.mAttestationVersionAtLeast3));
                indentingPrintWriter.println("Keymaster Version >= 4: " + booleanToOkFail(this.mKeymasterVersionAtLeast4));
                indentingPrintWriter.println("Keymaster HW-Backed: " + booleanToOkFail(this.mKeymasterHwBacked));
                indentingPrintWriter.println("Key is HW Backed: " + booleanToOkFail(this.mKeyHwBacked));
                indentingPrintWriter.println("Boot State is VERIFIED: " + booleanToOkFail(this.mBootStateIsVerified));
                indentingPrintWriter.println("Verified Boot is LOCKED: " + booleanToOkFail(this.mVerifiedBootStateLocked));
                indentingPrintWriter.println("Key Boot Level in Range: " + booleanToOkFail(this.mKeyBootPatchLevelInRange));
                indentingPrintWriter.println("Key Vendor Patch Level in Range: " + booleanToOkFail(this.mKeyVendorPatchLevelInRange));
                indentingPrintWriter.decreaseIndent();
            }
        }
    }

    public AttestationVerificationPeerDeviceVerifier(Context context, AttestationVerificationManagerService.DumpLogger dumpLogger) {
        Objects.requireNonNull(context);
        this.mContext = context;
        this.mDumpLogger = dumpLogger;
        this.mCertificateFactory = CertificateFactory.getInstance("X.509");
        this.mCertPathValidator = CertPathValidator.getInstance("PKIX");
        this.mTrustAnchors = getTrustAnchors();
        this.mRevocationEnabled = true;
        this.mTestSystemDate = null;
        this.mTestLocalPatchDate = null;
    }

    @VisibleForTesting
    public AttestationVerificationPeerDeviceVerifier(@NonNull Context context, AttestationVerificationManagerService.DumpLogger dumpLogger, Set<TrustAnchor> set, boolean z, LocalDate localDate, LocalDate localDate2) throws Exception {
        Objects.requireNonNull(context);
        this.mContext = context;
        this.mDumpLogger = dumpLogger;
        this.mCertificateFactory = CertificateFactory.getInstance("X.509");
        this.mCertPathValidator = CertPathValidator.getInstance("PKIX");
        this.mTrustAnchors = set;
        this.mRevocationEnabled = z;
        this.mTestSystemDate = localDate;
        this.mTestLocalPatchDate = localDate2;
    }

    public final boolean checkAttestationChallenge(AndroidKeystoreAttestationVerificationAttributes androidKeystoreAttestationVerificationAttributes, byte[] bArr) {
        return Arrays.equals(androidKeystoreAttestationVerificationAttributes.getAttestationChallenge().toByteArray(), bArr);
    }

    public final int checkAttestationForPeerDeviceProfile(Bundle bundle, AndroidKeystoreAttestationVerificationAttributes androidKeystoreAttestationVerificationAttributes, MyDumpData myDumpData) {
        int i = 0;
        if (androidKeystoreAttestationVerificationAttributes.getAttestationVersion() < 3) {
            Slog.e("AVF", "Attestation version is not at least 3 (Keymaster 4).");
            i = 0 | 16;
        } else {
            myDumpData.mAttestationVersionAtLeast3 = true;
        }
        if (androidKeystoreAttestationVerificationAttributes.getKeymasterVersion() < 4) {
            Slog.e("AVF", "Keymaster version is not at least 4.");
            i |= 16;
        } else {
            myDumpData.mKeymasterVersionAtLeast4 = true;
        }
        if (androidKeystoreAttestationVerificationAttributes.getKeyOsVersion() < 100000) {
            Slog.e("AVF", "Android OS version is not 10+.");
            i |= 16;
        } else {
            myDumpData.mOsVersionAtLeast10 = true;
        }
        if (androidKeystoreAttestationVerificationAttributes.isAttestationHardwareBacked()) {
            myDumpData.mKeyHwBacked = true;
        } else {
            Slog.e("AVF", "Key is not HW backed.");
            i |= 16;
        }
        if (androidKeystoreAttestationVerificationAttributes.isKeymasterHardwareBacked()) {
            myDumpData.mKeymasterHwBacked = true;
        } else {
            Slog.e("AVF", "Keymaster is not HW backed.");
            i |= 16;
        }
        if (androidKeystoreAttestationVerificationAttributes.getVerifiedBootState() != AndroidKeystoreAttestationVerificationAttributes.VerifiedBootState.VERIFIED) {
            Slog.e("AVF", "Boot state not Verified.");
            i |= 32;
        } else {
            myDumpData.mBootStateIsVerified = true;
        }
        try {
            if (androidKeystoreAttestationVerificationAttributes.isVerifiedBootLocked()) {
                myDumpData.mVerifiedBootStateLocked = true;
            } else {
                Slog.e("AVF", "Verified boot state is not locked.");
                i |= 32;
            }
        } catch (IllegalStateException e) {
            Slog.e("AVF", "VerifiedBootLocked is not set.", e);
            i = 32;
        }
        int i2 = bundle.getInt("param_max_patch_level_diff_months", 12);
        if (isValidPatchLevel(androidKeystoreAttestationVerificationAttributes.getKeyOsPatchLevel(), i2)) {
            myDumpData.mOsPatchLevelInRange = true;
        } else {
            Slog.e("AVF", "OS patch level is not within valid range.");
            i |= 64;
        }
        if (isValidPatchLevel(androidKeystoreAttestationVerificationAttributes.getKeyBootPatchLevel(), i2)) {
            myDumpData.mKeyBootPatchLevelInRange = true;
        } else {
            Slog.e("AVF", "Boot patch level is not within valid range.");
            i |= 64;
        }
        if (isValidPatchLevel(androidKeystoreAttestationVerificationAttributes.getKeyVendorPatchLevel(), i2)) {
            myDumpData.mKeyVendorPatchLevelInRange = true;
        } else {
            Slog.e("AVF", "Vendor patch level is not within valid range.");
            i |= 64;
        }
        if (isValidPatchLevel(androidKeystoreAttestationVerificationAttributes.getKeyBootPatchLevel(), i2)) {
            myDumpData.mKeyBootPatchLevelInRange = true;
            return i;
        }
        Slog.e("AVF", "Boot patch level is not within valid range.");
        return i | 64;
    }

    public final boolean checkLocalBindingRequirements(X509Certificate x509Certificate, AndroidKeystoreAttestationVerificationAttributes androidKeystoreAttestationVerificationAttributes, int i, Bundle bundle, MyDumpData myDumpData) {
        myDumpData.mBindingType = i;
        switch (i) {
            case 2:
                if (!checkPublicKey(x509Certificate, bundle.getByteArray("localbinding.public_key"))) {
                    Slog.e("AVF", "Provided public key does not match leaf certificate public key.");
                    return false;
                }
                break;
            case 3:
                if (!checkAttestationChallenge(androidKeystoreAttestationVerificationAttributes, bundle.getByteArray("localbinding.challenge"))) {
                    Slog.e("AVF", "Provided challenge does not match leaf certificate challenge.");
                    return false;
                }
                break;
            default:
                throw new IllegalArgumentException("Unsupported local binding type " + AttestationVerificationManager.localBindingTypeToString(i));
        }
        myDumpData.mBindingOk = true;
        if (bundle.containsKey("android.key_owned_by_system")) {
            myDumpData.mSystemOwnershipChecked = true;
            if (!bundle.getBoolean("android.key_owned_by_system")) {
                throw new IllegalArgumentException("The value of the requirement key android.key_owned_by_system cannot be false. You can remove the key if you don't want to verify it.");
            }
            if (!checkOwnedBySystem(x509Certificate, androidKeystoreAttestationVerificationAttributes)) {
                Slog.e("AVF", "Certificate public key is not owned by the AndroidSystem.");
                return false;
            }
            myDumpData.mSystemOwned = true;
        }
        return true;
    }

    public final boolean checkOwnedBySystem(X509Certificate x509Certificate, AndroidKeystoreAttestationVerificationAttributes androidKeystoreAttestationVerificationAttributes) {
        Set keySet = androidKeystoreAttestationVerificationAttributes.getApplicationPackageNameVersion().keySet();
        if (ANDROID_SYSTEM_PACKAGE_NAME_SET.equals(keySet)) {
            return true;
        }
        Slog.e("AVF", "Owner is not system, packages=" + keySet);
        return false;
    }

    public final boolean checkPublicKey(Certificate certificate, byte[] bArr) {
        return Arrays.equals(certificate.getPublicKey().getEncoded(), bArr);
    }

    public final byte[] getCertificateBytes(String str) {
        return str.replaceAll("\\s+", "\n").replaceAll("-BEGIN\\nCERTIFICATE-", "-BEGIN CERTIFICATE-").replaceAll("-END\\nCERTIFICATE-", "-END CERTIFICATE-").getBytes(StandardCharsets.UTF_8);
    }

    public final List getCertificates(byte[] bArr) {
        ArrayList arrayList = new ArrayList();
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        while (byteArrayInputStream.available() > 0) {
            arrayList.add((X509Certificate) this.mCertificateFactory.generateCertificate(byteArrayInputStream));
        }
        return arrayList;
    }

    public final String[] getTrustAnchorResources() {
        return this.mContext.getResources().getStringArray(17236252);
    }

    public final Set getTrustAnchors() {
        HashSet hashSet = new HashSet();
        try {
            for (String str : getTrustAnchorResources()) {
                hashSet.add(new TrustAnchor((X509Certificate) this.mCertificateFactory.generateCertificate(new ByteArrayInputStream(getCertificateBytes(str))), null));
            }
            return Collections.unmodifiableSet(hashSet);
        } catch (CertificateException e) {
            e.printStackTrace();
            throw new CertPathValidatorException("Invalid trust anchor certificate.", e);
        }
    }

    public final boolean isValidPatchLevel(int i, int i2) {
        LocalDate now = this.mTestSystemDate != null ? this.mTestSystemDate : LocalDate.now(ZoneId.systemDefault());
        try {
            LocalDate parse = this.mTestLocalPatchDate != null ? this.mTestLocalPatchDate : LocalDate.parse(Build.VERSION.SECURITY_PATCH);
            if (ChronoUnit.MONTHS.between(parse, now) > 12) {
                return true;
            }
            String valueOf = String.valueOf(i);
            if (valueOf.length() == 6 || valueOf.length() == 8) {
                return Math.abs(ChronoUnit.MONTHS.between(parse, LocalDate.of(Integer.parseInt(valueOf.substring(0, 4)), Integer.parseInt(valueOf.substring(4, 6)), 1))) <= ((long) i2);
            }
            Slog.e("AVF", "Patch level is not in format YYYYMM or YYYYMMDD");
            return false;
        } catch (Throwable th) {
            Slog.e("AVF", "Build.VERSION.SECURITY_PATCH: " + Build.VERSION.SECURITY_PATCH + " is not in format YYYY-MM-DD");
            return false;
        }
    }

    public final boolean validateAttestationParameters(int i, Bundle bundle) {
        if (i != 2 && i != 3) {
            Slog.e("AVF", "Binding type is not supported: " + i);
            return false;
        }
        if (bundle.size() < 1) {
            Slog.e("AVF", "At least 1 requirement is required.");
            return false;
        }
        if (i == 2 && !bundle.containsKey("localbinding.public_key")) {
            Slog.e("AVF", "Requirements does not contain key: localbinding.public_key");
            return false;
        }
        if (i != 3 || bundle.containsKey("localbinding.challenge")) {
            return true;
        }
        Slog.e("AVF", "Requirements does not contain key: localbinding.challenge");
        return false;
    }

    public final void validateCertificateChain(List list) {
        if (list.size() < 2) {
            Slog.e("AVF", "Certificate chain less than 2 in size.");
            throw new CertificateException("Certificate chain less than 2 in size.");
        }
        CertPath generateCertPath = this.mCertificateFactory.generateCertPath((List<? extends Certificate>) list);
        PKIXParameters pKIXParameters = new PKIXParameters((Set<TrustAnchor>) this.mTrustAnchors);
        if (this.mRevocationEnabled) {
            pKIXParameters.addCertPathChecker(new AndroidRevocationStatusListChecker());
        }
        pKIXParameters.setRevocationEnabled(false);
        this.mCertPathValidator.validate(generateCertPath, pKIXParameters);
    }

    public int verifyAttestation(int i, Bundle bundle, byte[] bArr) {
        MyDumpData myDumpData = new MyDumpData();
        int verifyAttestationInternal = verifyAttestationInternal(i, bundle, bArr, myDumpData);
        myDumpData.mResult = verifyAttestationInternal;
        this.mDumpLogger.logAttempt(myDumpData);
        return verifyAttestationInternal;
    }

    public final int verifyAttestationInternal(int i, Bundle bundle, byte[] bArr, MyDumpData myDumpData) {
        if (this.mCertificateFactory == null) {
            Slog.e("AVF", "Unable to access CertificateFactory");
            return 4;
        }
        myDumpData.mCertificationFactoryAvailable = true;
        if (this.mCertPathValidator == null) {
            Slog.e("AVF", "Unable to access CertPathValidator");
            return 4;
        }
        myDumpData.mCertPathValidatorAvailable = true;
        try {
            List certificates = getCertificates(bArr);
            validateCertificateChain(certificates);
            myDumpData.mCertChainOk = true;
            X509Certificate x509Certificate = (X509Certificate) certificates.get(0);
            AndroidKeystoreAttestationVerificationAttributes fromCertificate = AndroidKeystoreAttestationVerificationAttributes.fromCertificate(x509Certificate);
            if (!validateAttestationParameters(i, bundle)) {
                return 8;
            }
            myDumpData.mAttestationParametersOk = true;
            try {
                return checkAttestationForPeerDeviceProfile(bundle, fromCertificate, myDumpData) | (checkLocalBindingRequirements(x509Certificate, fromCertificate, i, bundle, myDumpData) ? 0 : 0 | 8);
            } catch (IOException | InvalidAlgorithmParameterException | CertPathValidatorException | CertificateException e) {
                e = e;
                Slog.e("AVF", "Unable to parse/validate Android Attestation certificate(s)", e);
                return 4;
            } catch (RuntimeException e2) {
                e = e2;
                Slog.e("AVF", "Unexpected error", e);
                return 1;
            }
        } catch (IOException | InvalidAlgorithmParameterException | CertPathValidatorException | CertificateException e3) {
            e = e3;
        } catch (RuntimeException e4) {
            e = e4;
        }
    }
}
