package com.microsoft.identity.common.internal.broker;

import android.accounts.AccountManager;
import android.accounts.AuthenticatorDescription;
import android.annotation.SuppressLint;
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.text.TextUtils;
import android.util.Base64;
import com.microsoft.identity.client.claims.WWWAuthenticateHeader;
import com.microsoft.identity.common.adal.internal.AuthenticationConstants;
import com.microsoft.identity.common.exception.ClientException;
import com.microsoft.identity.common.exception.ErrorStrings;
import com.microsoft.identity.common.internal.util.StringUtil;
import com.microsoft.identity.common.logging.Logger;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

/* compiled from: ProGuard */
/* loaded from: classes2.dex */
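/**
 * Decides whether an installed package may be treated as an authentication broker.
 *
 * <p>Trust is established by hashing each of the package's signing certificates and comparing
 * the result with the pinned hashes returned by {@link #getValidBrokers()}. When a package
 * carries more than one certificate, the certificates must also form a valid PKIX path.
 */
public class BrokerValidator {
    private static final String TAG = "BrokerValidator";

    // Process-wide switch: when true, getValidBrokers() also returns debug brokers.
    // It widens the set of signing certificates accepted as a broker, so it should stay
    // false in release builds.
    private static boolean sShouldTrustDebugBrokers = false;
    private final Context mContext;

    /**
     * @param context context used to reach the PackageManager and AccountManager
     */
    public BrokerValidator(Context context) {
        this.mContext = context;
    }

    /**
     * Builds the redirect URI expected for a broker package from its current signature.
     *
     * @param context context used to obtain the PackageManager
     * @param str     package name of the broker
     * @return the redirect URL produced by {@code PackageHelper.getBrokerRedirectUrl}
     */
    public static String getBrokerRedirectUri(Context context, String str) {
        PackageHelper packageHelper = new PackageHelper(context.getPackageManager());
        return PackageHelper.getBrokerRedirectUrl(str, packageHelper.getCurrentSignatureForPackage(str));
    }

    /**
     * Returns the single certificate whose subject DN equals its issuer DN.
     *
     * <p>Only the names are compared here; no signature is verified in this method.
     *
     * @param certs certificates read from the package
     * @return the one self-signed certificate in {@code certs}
     * @throws ClientException if there is no such certificate, or more than one
     */
    private X509Certificate getSelfSignedCert(List<X509Certificate> certs) throws ClientException {
        int selfSignedCount = 0;
        X509Certificate selfSigned = null;
        for (X509Certificate cert : certs) {
            if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
                selfSignedCount++;
                selfSigned = cert;
            }
        }
        if (selfSignedCount > 1 || selfSigned == null) {
            throw new ClientException(ErrorStrings.BROKER_APP_VERIFICATION_FAILED, "Multiple self signed certs found or no self signed cert existed.");
        }
        return selfSigned;
    }

    /**
     * @return true if debug brokers are currently included in the trusted set
     */
    public static boolean getShouldTrustDebugBrokers() {
        return sShouldTrustDebugBrokers;
    }

    /**
     * Checks a redirect URI against the one expected for the given broker package.
     *
     * <p>The comparison is case-insensitive. For the Azure Authenticator package, the fixed
     * {@code BROKER_REDIRECT_URI} is accepted as well when the package's current signature
     * matches a known Authenticator hash.
     *
     * @param str     redirect URI to validate
     * @param context context used to obtain the PackageManager
     * @param str2    package name of the broker
     * @return true if the redirect URI is acceptable for that package
     */
    public static boolean isValidBrokerRedirect(String str, Context context, String str2) {
        String expectedRedirectUri = getBrokerRedirectUri(context, str2);
        boolean isValid = StringUtil.equalsIgnoreCase(str, expectedRedirectUri);
        if (str2.equals(AuthenticationConstants.Broker.AZURE_AUTHENTICATOR_APP_PACKAGE_NAME)) {
            String currentSignature = new PackageHelper(context.getPackageManager()).getCurrentSignatureForPackage(str2);
            // NOTE(review): the debug signature hash is accepted here regardless of
            // sShouldTrustDebugBrokers, while getValidBrokers() gates debug brokers behind that
            // flag. Confirm the difference is intended.
            boolean isKnownAuthenticator = BrokerData.MICROSOFT_AUTHENTICATOR_PROD.signatureHash.equals(currentSignature)
                    || BrokerData.MICROSOFT_AUTHENTICATOR_DEBUG.signatureHash.equals(currentSignature);
            if (isKnownAuthenticator) {
                isValid |= StringUtil.equalsIgnoreCase(str, AuthenticationConstants.Broker.BROKER_REDIRECT_URI);
            }
        }
        if (!isValid) {
            Logger.error("BrokerValidator:isValidBrokerRedirect", "Broker redirect uri is invalid. Expected: " + expectedRedirectUri + " Actual: " + str, null);
        }
        return isValid;
    }

    /**
     * Reads every signing certificate of a package and parses it as X.509.
     *
     * <p>The lint suppression is for {@code PackageManagerGetSignatures}: signatures obtained
     * this way are only meaningful if the caller validates them, which
     * {@link #verifySignatureAndThrow(String)} does.
     *
     * @param packageName package to inspect
     * @return the parsed certificates, in the order reported by the PackageManager
     * @throws PackageManager.NameNotFoundException if the package is not installed
     * @throws ClientException if the package has no signatures or one cannot be parsed
     */
    @SuppressLint({"PackageManagerGetSignatures"})
    private List<X509Certificate> readCertDataForBrokerApp(String packageName) throws PackageManager.NameNotFoundException, ClientException, IOException, GeneralSecurityException {
        PackageInfo packageInfo = this.mContext.getPackageManager().getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
        if (packageInfo == null) {
            throw new ClientException(ErrorStrings.APP_PACKAGE_NAME_NOT_FOUND, "No broker package existed.");
        }
        Signature[] signatures = packageInfo.signatures;
        if (signatures == null || signatures.length == 0) {
            throw new ClientException(ErrorStrings.BROKER_APP_VERIFICATION_FAILED, "No signature associated with the broker package.");
        }
        List<X509Certificate> certs = new ArrayList<>(signatures.length);
        try {
            // One factory serves all signatures; it stays inside the try so that a failure to
            // obtain it is reported the same way as a parse failure.
            CertificateFactory factory = CertificateFactory.getInstance("X509");
            for (Signature signature : signatures) {
                certs.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(signature.toByteArray())));
            }
        } catch (CertificateException e) {
            // Keep the cause so a malformed certificate can be diagnosed from the logs.
            throw new ClientException(ErrorStrings.BROKER_APP_VERIFICATION_FAILED, e.getMessage(), e);
        }
        return certs;
    }

    /**
     * Enables or disables trust in debug brokers for the whole process.
     *
     * @param z10 true to also trust debug brokers; a warning is logged in that case
     */
    public static void setShouldTrustDebugBrokers(boolean z10) {
        if (z10) {
            Logger.warn(TAG, "You are forcing to trust debug brokers in non-debug builds.");
        }
        sShouldTrustDebugBrokers = z10;
    }

    /**
     * Validates that the certificates form a PKIX path ending at the self-signed certificate.
     *
     * <p>The trust anchor is taken from the same list that is being validated, so this check
     * only shows that the chain is internally consistent. Trust in the signer comes from the
     * pinned-hash comparison in {@link #verifySignatureHash(List)}. Revocation checking is
     * disabled.
     *
     * @param certs certificates read from the package
     * @throws GeneralSecurityException if the path cannot be built or does not validate
     * @throws ClientException if the list does not hold exactly one self-signed certificate
     */
    private void verifyCertificateChain(List<X509Certificate> certs) throws GeneralSecurityException, ClientException {
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(getSelfSignedCert(certs), null));
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(CertificateFactory.getInstance("X.509").generateCertPath(certs), params);
    }

    /**
     * Hashes each certificate and returns the first hash that matches a trusted broker.
     *
     * <p>The digest algorithm is "SHA" and the result is Base64 without line wraps. It is
     * compared with the pinned {@code signatureHash} values, so the algorithm cannot be
     * changed here without changing those values as well.
     *
     * @param certs certificates read from the package
     * @return the matching Base64 signature hash
     * @throws ClientException if no certificate hash matches; the message lists the hashes seen
     */
    private String verifySignatureHash(List<X509Certificate> certs) throws NoSuchAlgorithmException, CertificateEncodingException, ClientException {
        StringBuilder seenHashes = new StringBuilder();
        MessageDigest digest = MessageDigest.getInstance("SHA");
        Set<BrokerData> trustedBrokers = getValidBrokers();
        for (X509Certificate cert : certs) {
            // digest(byte[]) leaves the digest reset, so the instance is reusable per certificate.
            String hash = Base64.encodeToString(digest.digest(cert.getEncoded()), Base64.NO_WRAP);
            seenHashes.append(hash);
            seenHashes.append(WWWAuthenticateHeader.COMMA);
            for (BrokerData broker : trustedBrokers) {
                if (!TextUtils.isEmpty(broker.signatureHash) && broker.signatureHash.equals(hash)) {
                    return hash;
                }
            }
        }
        throw new ClientException(ErrorStrings.BROKER_APP_VERIFICATION_FAILED, "SignatureHashes: " + seenHashes.toString());
    }

    /**
     * Finds the registered authenticator of the broker account type that passes verification.
     *
     * @return the package name of the first such authenticator, or null if there is none
     */
    public String getCurrentActiveBrokerPackageName() {
        for (AuthenticatorDescription authenticator : AccountManager.get(this.mContext).getAuthenticatorTypes()) {
            if (authenticator.type.equals(AuthenticationConstants.Broker.BROKER_ACCOUNT_TYPE) && verifySignature(authenticator.packageName)) {
                return authenticator.packageName;
            }
        }
        return null;
    }

    /**
     * @return all brokers when debug brokers are trusted, otherwise only production brokers
     */
    public Set<BrokerData> getValidBrokers() {
        return sShouldTrustDebugBrokers ? BrokerData.getAllBrokers() : BrokerData.getProdBrokers();
    }

    /**
     * Checks that a package name belongs to a trusted broker and that its signature verifies.
     *
     * @param str package name to check
     * @return true only if both the name and the signature match a trusted broker
     */
    public boolean isValidBrokerPackage(String str) {
        for (BrokerData broker : getValidBrokers()) {
            if (broker.packageName.equals(str) && verifySignature(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Non-throwing form of {@link #verifySignatureAndThrow(String)}.
     *
     * @param str package name to verify
     * @return true if verification succeeded; false if it failed, with the failure logged
     */
    public boolean verifySignature(String str) {
        try {
            return verifySignatureAndThrow(str) != null;
        } catch (ClientException e10) {
            Logger.error("BrokerValidator:verifySignature", e10.getErrorCode() + ": " + e10.getMessage(), e10);
            return false;
        }
    }

    /**
     * Verifies a package's signing certificates against the trusted broker hashes.
     *
     * <p>The hash check runs first. The chain check runs only when the package has more than
     * one certificate; a single certificate is accepted on the hash match alone.
     *
     * @param str package name to verify
     * @return the signature hash that matched a trusted broker
     * @throws ClientException if the package is missing or any verification step fails
     */
    public String verifySignatureAndThrow(String str) throws ClientException {
        try {
            List<X509Certificate> certs = readCertDataForBrokerApp(str);
            String matchedHash = verifySignatureHash(certs);
            if (certs.size() > 1) {
                verifyCertificateChain(certs);
            }
            return matchedHash;
        } catch (PackageManager.NameNotFoundException e) {
            throw new ClientException(ErrorStrings.APP_PACKAGE_NAME_NOT_FOUND, e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            // Caught before GeneralSecurityException, its supertype, to keep the distinct error code.
            throw new ClientException("no_such_algorithm", e.getMessage(), e);
        } catch (IOException | GeneralSecurityException e) {
            throw new ClientException(ErrorStrings.BROKER_VERIFICATION_FAILED, e.getMessage(), e);
        }
    }
}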
