package com.huawei.hms.keyring.credential.util;

import android.content.Context;
import android.content.pm.Signature;
import android.util.Base64;
import defpackage.va;
import defpackage.wa;
import defpackage.ya;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.StringJoiner;

/* loaded from: classes.dex */
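/**
 * Checks whether a calling package carries a valid "HMS Keyring" attestation in its manifest
 * metadata (decompiled class; log tag {@code CertUtil}).
 *
 * <p>The caller's manifest supplies two metadata strings:
 * <ul>
 *   <li>{@code com.huawei.hms.keyring.sign_certchain}: a JSON array of Base64 X.509 certificates,
 *       leaf first (the leaf is read from index 0);</li>
 *   <li>{@code com.huawei.hms.keyring.fingerprint_signature}: {@code <algorithm>:<Base64 signature>}.</li>
 * </ul>
 * {@link #d(Context, String)} validates the chain against the root bundled as the asset
 * {@code cbg_root.cer}, then verifies the signature over {@code packageName + signingCertFingerprint}
 * with the leaf certificate's public key.
 *
 * <p>Both metadata values are written by the calling app itself, so they are untrusted input. The
 * only trust anchors are the bundled root and the platform-reported signing certificate.
 */
public class i {
    private static final String TAG = "CertUtil";

    /** Bundled root certificate, loaded lazily on first chain validation. */
    private static volatile X509Certificate rootCert;

    /**
     * Keys of chains that already passed PKIX validation in this process. Wrapped in a
     * synchronized set because {@link #d(Context, String)} is static and may be entered from
     * several threads; a plain HashSet is not safe for concurrent contains/add.
     */
    private static final Set<String> verifiedChainKeys = Collections.synchronizedSet(new HashSet<String>());

    /**
     * Returns the SHA-256 fingerprint of the first signing certificate of a package.
     *
     * @param context used to reach the PackageManager
     * @param str     package name to look up
     * @return colon-separated upper-case hex (for example {@code AB:CD:...}), or {@code ""} when the
     *         package has no signatures or the lookup fails
     */
    public static String a(Context context, String str) {
        ya.a(TAG, "packageName: " + str, new Object[0]);
        try {
            // 64 == PackageManager.GET_SIGNATURES (deprecated since API 28).
            // NOTE(review): only signatures[0] is hashed; confirm this is the intended signer for
            // multi-signer or key-rotated packages, or move to GET_SIGNING_CERTIFICATES.
            Signature[] signatureArr = context.getPackageManager().getPackageInfo(str, 64).signatures;
            if (signatureArr == null || signatureArr.length == 0) {
                return "";
            }
            byte[] digest = MessageDigest.getInstance("SHA256").digest(signatureArr[0].toByteArray());
            StringJoiner hex = new StringJoiner(":");
            for (byte b2 : digest) {
                hex.add(String.format("%02X", b2));
            }
            return hex.toString();
        } catch (Exception e) {
            ya.b(TAG, "getNativeOrigin failed, " + e, new Object[0]);
            return "";
        }
    }

    /**
     * Loads the pinned root certificate from the {@code cbg_root.cer} asset.
     *
     * @throws wa with {@code PRIVILEGED_VERIFY_ERROR} when the asset cannot be opened or parsed
     */
    private static X509Certificate readRootCert(Context context) throws wa {
        // try-with-resources closes the asset stream on the parse-failure path too.
        try (InputStream in = context.getAssets().open("cbg_root.cer")) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (Exception e) {
            ya.b(TAG, "Read root cert error " + e.getMessage(), new Object[0]);
            throw new wa(va.PRIVILEGED_VERIFY_ERROR, "Read root cert error " + e.getMessage());
        }
    }

    /**
     * Parses one Base64 (NO_WRAP) encoded X.509 certificate.
     *
     * @throws wa with {@code PRIVILEGED_VERIFY_ERROR} when decoding or parsing fails
     */
    private static X509Certificate readCert(String str) throws wa {
        try (ByteArrayInputStream in = new ByteArrayInputStream(Base64.decode(str, Base64.NO_WRAP))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (Exception e) {
            ya.b(TAG, "readCert failed , exception " + e.getMessage(), new Object[0]);
            throw new wa(va.PRIVILEGED_VERIFY_ERROR, e.getMessage());
        }
    }

    /**
     * Runs PKIX path validation of the supplied chain against the bundled root.
     *
     * @param strArr Base64 certificates in path order (leaf first)
     * @return {@code true} when validation succeeds; {@code false} on any error
     */
    private static boolean verifyCertPath(Context context, String[] strArr) {
        try {
            // Double-checked lazy load; rootCert is volatile so the published reference is safe.
            X509Certificate anchor = rootCert;
            if (anchor == null) {
                synchronized (i.class) {
                    anchor = rootCert;
                    if (anchor == null) {
                        anchor = readRootCert(context);
                        rootCert = anchor;
                    }
                }
            }
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            ArrayList<X509Certificate> certs = new ArrayList<>(strArr.length);
            for (String encoded : strArr) {
                certs.add((X509Certificate) certificateFactory.generateCertificate(
                        new ByteArrayInputStream(Base64.decode(encoded, Base64.NO_WRAP))));
            }
            CertPath certPath = certificateFactory.generateCertPath(certs);
            PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(anchor, null)));
            // Revocation checking is off: a revoked intermediate or leaf still validates here.
            // NOTE(review): confirm revocation is handled by another control (short-lived leaves,
            // a server-side deny list), since CRL/OCSP are never consulted on this path.
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (Exception e) {
            ya.b(TAG, "verifyCertPath error, " + e.getMessage(), new Object[0]);
            return false;
        }
    }

    /**
     * Verifies the attestation signature with the leaf certificate.
     *
     * @param x509Certificate leaf certificate of the supplied chain
     * @param str             Base64 (NO_WRAP) signature value
     * @param str2            package name (first half of the signed message)
     * @param str3            signing-certificate fingerprint (second half of the signed message)
     * @param str4            JCA signature algorithm name
     * @return {@code true} only when the subject check passes and the signature verifies
     */
    private static boolean verifySign(X509Certificate x509Certificate, String str, String str2, String str3, String str4) {
        try {
            // Substring match over the whole subject DN string, not an exact CN/OU comparison, so
            // the check is only as strong as the pinned root's issuance policy.
            if (!x509Certificate.getSubjectDN().getName().contains("HMS Keyring")) {
                ya.b(TAG, "cert is not HMS Keyring.", new Object[0]);
                return false;
            }
            // NOTE(review): str4 comes from the calling app's manifest metadata and is therefore
            // caller-chosen. Restrict it to the algorithm(s) the signing service actually issues
            // instead of passing any provider-supported name through.
            java.security.Signature verifier = java.security.Signature.getInstance(str4);
            verifier.initVerify(x509Certificate.getPublicKey());
            // The signed message is the plain concatenation packageName + fingerprint.
            verifier.update((str2 + str3).getBytes(StandardCharsets.UTF_8));
            return verifier.verify(Base64.decode(str, Base64.NO_WRAP));
        } catch (Exception e) {
            ya.b(TAG, "verify sign failed , exception " + e.getMessage(), new Object[0]);
            return false;
        }
    }

    /**
     * Reads the {@code com.huawei.hms.keyring.fingerprint_signature} metadata of a package.
     *
     * @return the metadata string; may be {@code null} when the key is absent
     * @throws wa with {@code PRIVILEGED_VERIFY_ERROR} when the package or its metadata cannot be read
     */
    private static String getFingerPrintSignature(Context context, String str) throws wa {
        try {
            // 128 == PackageManager.GET_META_DATA
            return context.getPackageManager().getApplicationInfo(str, 128).metaData.getString("com.huawei.hms.keyring.fingerprint_signature");
        } catch (Exception e) {
            ya.b(TAG, str + ", getFingerPrintSignature failed," + e, new Object[0]);
            throw new wa(va.PRIVILEGED_VERIFY_ERROR, str + ", getFingerPrintSignature failed," + e.getMessage());
        }
    }

    /**
     * Reads the {@code com.huawei.hms.keyring.sign_certchain} metadata of a package.
     *
     * @return the metadata string (a JSON array); may be {@code null} when the key is absent
     * @throws wa with {@code PRIVILEGED_VERIFY_ERROR} when the package or its metadata cannot be read
     */
    private static String getSignCertChains(Context context, String str) throws wa {
        try {
            // 128 == PackageManager.GET_META_DATA
            return context.getPackageManager().getApplicationInfo(str, 128).metaData.getString("com.huawei.hms.keyring.sign_certchain");
        } catch (Exception e) {
            ya.b(TAG, str + ", getSignCertChains failed," + e, new Object[0]);
            throw new wa(va.PRIVILEGED_VERIFY_ERROR, str + ", getSignCertChains failed," + e.getMessage());
        }
    }

    /**
     * Decides whether package {@code str} is a verified privileged invoker.
     *
     * <p>Every failure path returns {@code false}; nothing is thrown to the caller.
     *
     * @param context used for PackageManager and asset access
     * @param str     package name of the invoker
     * @return {@code true} only when the certificate chain validates (now or earlier in this
     *         process for the same inputs) and the attestation signature verifies
     */
    public static boolean d(Context context, String str) {
        try {
            String chainJson = getSignCertChains(context, str);
            String[] chain = (String[]) JsonUtils.fromJson(chainJson, String[].class);
            // An empty array is rejected here instead of surfacing later as an index error.
            if (chain == null || chain.length == 0) {
                ya.b(TAG, "get certs chain failed.", new Object[0]);
                return false;
            }
            String fingerprintSignature = getFingerPrintSignature(context, str);
            int separator = fingerprintSignature == null ? -1 : fingerprintSignature.indexOf(':');
            if (separator <= 0) {
                // Missing value, no ':' separator, or empty algorithm name.
                ya.b(TAG, str + ", fingerprint signature is malformed.", new Object[0]);
                return false;
            }
            String algorithm = fingerprintSignature.substring(0, separator);
            String signatureValue = fingerprintSignature.substring(separator + 1);
            String callerFingerprint = a(context, str);
            // Fail closed: a(...) returns "" when the signing certificate could not be read, and
            // the signed message would then shrink to the bare package name.
            if (callerFingerprint.isEmpty()) {
                ya.b(TAG, str + ", get signing fingerprint failed.", new Object[0]);
                return false;
            }
            // n.a is defined elsewhere; presumably a digest used as the cache key. The inputs are
            // concatenated without delimiters. TODO confirm the helper and key uniqueness.
            String cacheKey = n.a(str + callerFingerprint + fingerprintSignature + chainJson);
            // A cache hit skips PKIX validation for the rest of the process lifetime, so leaf or
            // intermediate expiry is not re-evaluated after the first success. The signature
            // check below still runs on every call.
            if (!verifiedChainKeys.contains(cacheKey)) {
                if (!verifyCertPath(context, chain)) {
                    ya.b(TAG, "verify certs chain failed.", new Object[0]);
                    return false;
                }
                verifiedChainKeys.add(cacheKey);
            }
            return verifySign(readCert(chain[0]), signatureValue, str, callerFingerprint, algorithm);
        } catch (Exception e) {
            ya.b(TAG, str + ", verifyInvoker failed," + e, new Object[0]);
            return false;
        }
    }
}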
