package com.amazon.whisperlink.feature.security.transport;

import android.annotation.SuppressLint;
import com.amazon.whisperlink.android.transport.tcomm.CloudTransportFeature;
import com.amazon.whisperlink.platform.PlatformManager;
import com.amazon.whisperlink.plugin.config.SecurityConfig;
import com.amazon.whisperlink.security.service.AuthDaemonInternal;
import com.amazon.whisperlink.service.Description;
import com.amazon.whisperlink.service.Device;
import com.amazon.whisperlink.service.Registrar;
import com.amazon.whisperlink.transport.HandshakeCompleteHandler;
import com.amazon.whisperlink.transport.TWhisperLinkTransport;
import com.amazon.whisperlink.transport.WhisperLinkConnHandler;
import com.amazon.whisperlink.util.Connection;
import com.amazon.whisperlink.util.EncryptionUtil;
import com.amazon.whisperlink.util.Log;
import com.amazon.whisperlink.util.StringUtil;
import com.amazon.whisperlink.util.WhisperLinkUtil;
import com.amazon.whisperplay.feature.security.CertificateSourceFeature;
import com.amazon.whisperplay.thrift.TException;
import java.lang.reflect.Method;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAKey;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/* loaded from: classes2.dex */
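/**
 * WhisperLink transport that adds peer authentication on top of {@link TWhisperLinkTransport}.
 *
 * <p>For socket transports the peer's TLS leaf certificate is verified against the public key the
 * local auth daemon holds for the peer's device UUID. For cloud transports the link is handed to
 * {@link CloudTransportFeature} to be upgraded with the peer's public key and the local private
 * key.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Verification only runs when
 *       {@link WhisperLinkUtil#serviceRequiresAuthenticatedEncryption(Description)} is true for
 *       the service; other services are passed through unauthenticated.</li>
 *   <li>A delegate that is neither a cloud transport nor a {@code TSocket} is not verified at
 *       all by {@link #authenticateAsClient} / {@link #authenticateAsServer}.</li>
 * </ul>
 */
public class TSecureWhisperLinkTransport extends TWhisperLinkTransport {
    private static final String TAG = "TSecureWhisperLinkTransport";

    /**
     * Fixed, publicly known plaintext that {@link #makePad(PublicKey)} encrypts under a public
     * key. The string is part of the derived value and must stay byte-identical.
     */
    private static final String PAD_TEXT = "This house holds rooms, one score and six,That shelter a vast mob.It lets lions lie down with the lambs,Yet makes both shun the slob.";

    /** Delegates to the full constructor with a {@code null} second argument. */
    public TSecureWhisperLinkTransport(TTransport tTransport, Description description, Device device, Device device2, boolean z, WhisperLinkConnHandler whisperLinkConnHandler, HandshakeCompleteHandler handshakeCompleteHandler, String str, String str2, boolean z2, String str3, int i, String str4, String str5, String str6) throws TTransportException {
        this(tTransport, null, description, device, device2, z, whisperLinkConnHandler, handshakeCompleteHandler, str, str2, z2, str3, i, str4, str5, str6);
    }

    /** Delegates to the full constructor with no description or devices and the client flag false. */
    public TSecureWhisperLinkTransport(TTransport tTransport, WhisperLinkConnHandler whisperLinkConnHandler, String str, boolean z) throws TTransportException {
        this(tTransport, null, null, null, null, false, whisperLinkConnHandler, null, str, null, z, null, 0, null, null, null);
    }

    /**
     * Delegates to the full constructor with the client flag set to {@code true}; the second
     * boolean passed on is true when {@code device2} is {@code null} or is the local device.
     */
    public TSecureWhisperLinkTransport(TTransport tTransport, String str, Description description, Device device, Device device2, String str2, String str3, String str4, int i, String str5, String str6, String str7) throws TTransportException {
        this(tTransport, str, description, device, device2, true, null, null, str2, str3, device2 == null || WhisperLinkUtil.isLocalDevice(device2), str4, i, str5, str6, str7);
    }

    /**
     * Full constructor; forwards every argument unchanged to {@link TWhisperLinkTransport}.
     *
     * @param z logged as the "Client?" flag
     */
    public TSecureWhisperLinkTransport(TTransport tTransport, String str, Description description, Device device, Device device2, boolean z, WhisperLinkConnHandler whisperLinkConnHandler, HandshakeCompleteHandler handshakeCompleteHandler, String str2, String str3, boolean z2, String str4, int i, String str5, String str6, String str7) throws TTransportException {
        super(tTransport, str, description, device, device2, z, whisperLinkConnHandler, handshakeCompleteHandler, str2, str3, z2, str4, i, str5, str6, str7);
        Log.debug(TAG, "Created TSecureWhisperLinkTransport.  Client? " + z);
    }

    /**
     * Checks that {@code certificate} was signed by the key the auth daemon holds for
     * {@code deviceUuid}.
     *
     * <p>The return value is a retry signal, not a success flag.
     *
     * @param deviceUuid UUID whose stored public key is used for the check
     * @param certificate certificate presented on the link
     * @param refreshKeysOnFailure when true, a signature failure triggers one forced refresh of
     *     the daemon's key data
     * @return {@code false} when the certificate verified; {@code true} when it did not verify
     *     but the key data was refreshed, so the caller should verify once more
     * @throws TTransportException when verification failed and no refresh happened, or on any
     *     other error
     */
    private boolean doVerify(String deviceUuid, Certificate certificate, boolean refreshKeysOnFailure) throws TTransportException {
        try {
            certificate.verify(getPublicKeyFor(deviceUuid));
            Log.debug(TAG, "doVerify: Connection with Valid Device Verified");
            return false;
        } catch (GeneralSecurityException e) {
            Log.metric(null, Log.AUTH2_AUTH_FAIL_COUNT, Log.LogHandler.Metrics.COUNTER, 1.0d);
            if (refreshKeysOnFailure) {
                Log.debug(TAG, "doVerify: Verification failed, updating list of keys");
                if (forceAuthUpdate()) {
                    return true;
                }
            }
            // Log and chain the cause so a rejected peer can be diagnosed from the logs.
            Log.warning(TAG, "doVerify: Connection failed verification", e);
            throw new TTransportException("Verification failed", e);
        } catch (Exception e2) {
            // Anything unexpected (for example a missing key) is treated as a failed verification.
            Log.warning(TAG, "doVerify: Connection unverified", e2);
            throw new TTransportException("Verification failed", e2);
        }
    }

    /** Returns the Base64 encoding of {@link #makePad(PublicKey)} for {@code publicKey}. */
    private String encryptKey(PublicKey publicKey) throws TTransportException {
        return EncryptionUtil.base64Encode(makePad(publicKey));
    }

    /**
     * Asks the auth daemon to refresh its auth data.
     *
     * @return the daemon's result, or {@code false} when the call failed with a
     *     {@link TException}
     */
    private boolean forceAuthUpdate() {
        Connection<AuthDaemonInternal.Iface, AuthDaemonInternal.Client> connection = createConnection();
        try {
            return connection.connect().forceAuthDataUpdate();
        } catch (TException e) {
            Log.error(TAG, "Exception when get current auths from internal service");
            return false;
        } finally {
            // Single close on every path; createConnection() is overridable, hence the null guard.
            if (connection != null) {
                connection.close();
            }
        }
    }

    /**
     * Fetches the local private key data from the auth daemon and parses it through
     * {@link CertificateSourceFeature}.
     *
     * <p>If the daemon call fails with a {@link TException}, the failure is logged and
     * {@code null} key data is handed to the parser.
     */
    private PrivateKey getPrivateKey() {
        Connection<AuthDaemonInternal.Iface, AuthDaemonInternal.Client> connection = createConnection();
        String keyData = null;
        try {
            try {
                keyData = connection.connect().getPrivateKeyData();
            } catch (TException e) {
                // The finally block below closes the connection; closing here as well would
                // close it twice.
                Log.error(TAG, "Exception when get current auths from internal service");
            }
            return ((CertificateSourceFeature) PlatformManager.getPlatformManager().getFeature(CertificateSourceFeature.class)).getPrivateKeyFromString(keyData);
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }

    /**
     * Fetches the public key data stored for {@code deviceUuid} from the auth daemon and parses
     * it through {@link CertificateSourceFeature}.
     *
     * <p>If the daemon call fails with a {@link TException}, the failure is logged and
     * {@code null} key data is handed to the parser. The UUID and key data are written to the
     * debug log.
     */
    private PublicKey getPublicKeyFor(String deviceUuid) {
        Connection<AuthDaemonInternal.Iface, AuthDaemonInternal.Client> connection = createConnection();
        String keyData = null;
        try {
            try {
                keyData = connection.connect().getKeyDataFor(deviceUuid);
            } catch (TException e) {
                // The finally block below closes the connection; closing here as well would
                // close it twice.
                Log.error(TAG, "Exception when get current auths from internal service");
            }
            Log.debug(TAG, "PublicKey from Daemon for :" + deviceUuid + ": is :" + keyData + ":");
            return ((CertificateSourceFeature) PlatformManager.getPlatformManager().getFeature(CertificateSourceFeature.class)).getPublicKeyFromString(keyData);
        } finally {
            if (connection != null) {
                connection.close();
            }
        }
    }

    /**
     * Obtains the encoded local and remote public keys for {@code tTransport}.
     *
     * <p>A transport that exposes a public no-arg {@code getPublicKeys()} method is asked
     * directly through reflection. Otherwise the keys are derived from the TLS session's local
     * and peer leaf certificates.
     *
     * @return {@code {local, remote}}, or {@code null} when the transport offers no certificate
     * @throws TTransportException when a certificate is unusable or carries no public key
     */
    private String[] getPublicKeys(TTransport tTransport) throws TTransportException {
        try {
            Method method = tTransport.getClass().getMethod("getPublicKeys", (Class[]) null);
            return (String[]) method.invoke(tTransport, (Object[]) null);
        } catch (NoSuchMethodException expected) {
            // Expected for transports without the accessor: use the TLS certificates instead.
        } catch (Exception e) {
            // The accessor exists but failed; record it rather than hiding it, then fall back.
            Log.warning(TAG, "getPublicKeys: transport accessor failed, falling back to link certificates", e);
        }
        Certificate remoteCert = getSSLLinkCert(tTransport, true);
        if (remoteCert == null) {
            return null;
        }
        PublicKey remoteKey = remoteCert.getPublicKey();
        if (remoteKey == null) {
            throw new TTransportException("Invalid remote certificate (no public key)");
        }
        String encodedRemoteKey = encryptKey(remoteKey);
        Certificate localCert = getSSLLinkCert(tTransport, false);
        if (localCert == null) {
            return null;
        }
        PublicKey localKey = localCert.getPublicKey();
        if (localKey == null) {
            throw new TTransportException("Invalid local certificate (no public key)");
        }
        return new String[]{encryptKey(localKey), encodedRemoteKey};
    }

    /**
     * Returns the first certificate of the peer's or the local chain of the TLS session.
     *
     * @param peer {@code true} for the peer's chain, {@code false} for the local chain
     * @return the first certificate, or {@code null} when {@code tTransport} is not a
     *     {@code TSocket}
     * @throws TTransportException when the socket is not an {@link SSLSocket}, the chain is
     *     empty, or the peer is unverified
     */
    private Certificate getSSLLinkCert(TTransport tTransport, boolean peer) throws TTransportException {
        if (!(tTransport instanceof TSocket)) {
            return null;
        }
        java.net.Socket rawSocket = ((TSocket) tTransport).getSocket();
        if (!(rawSocket instanceof SSLSocket)) {
            // Fail closed with a transport error instead of a ClassCastException. Returning null
            // here would let authenticateAsClient skip verification on a plaintext socket.
            Log.error(TAG, "Expected an SSL socket.");
            throw new TTransportException("Transport socket is not an SSL socket");
        }
        SSLSocket sslSocket = (SSLSocket) rawSocket;
        try {
            Certificate[] chain = peer ? sslSocket.getSession().getPeerCertificates() : sslSocket.getSession().getLocalCertificates();
            if (chain != null && chain.length != 0) {
                return chain[0];
            }
            Log.error(TAG, "Expected at least one certificate.");
            throw new TTransportException("Invalid certificate in link");
        } catch (SSLPeerUnverifiedException e) {
            throw new TTransportException("Unverifiable remote certificate (bad data)", e);
        }
    }

    /** Returns whether the platform supports cloud transport and reports {@code tTransport} as one. */
    private boolean isCloudTransport(TTransport tTransport) {
        if (PlatformManager.getPlatformManager().isFeatureSupported(CloudTransportFeature.class)) {
            return ((CloudTransportFeature) PlatformManager.getPlatformManager().getFeature(CloudTransportFeature.class)).isCloudTransport(tTransport);
        }
        return false;
    }

    /**
     * Encrypts the fixed {@link #PAD_TEXT}, truncated or zero-padded to the key size in bytes,
     * under {@code publicKey} using unpadded RSA.
     *
     * <p>Because the plaintext is constant and no padding is applied, the result is a
     * deterministic value derived from the public key alone. It provides no confidentiality and
     * anyone holding the public key can recompute it, so treat it only as a key-derived
     * identifier. The transformation is left as is because the output is presumably compared
     * with values produced by peers -- TODO confirm before changing.
     *
     * @throws RuntimeException when the key is not an RSA key or its size is out of range
     * @throws TTransportException when the cipher cannot be created or applied
     */
    @SuppressLint({"NewApi"})
    private byte[] makePad(PublicKey publicKey) throws TTransportException {
        if (!(publicKey instanceof RSAKey)) {
            // Report a non-RSA key the same way as the size check instead of a ClassCastException.
            throw new RuntimeException("invalid or unknown Key format");
        }
        int keySizeBytes = ((RSAKey) publicKey).getModulus().bitLength() / 8;
        if (keySizeBytes == 0 || keySizeBytes > 10000) {
            throw new RuntimeException("invalid or unknown Key format");
        }
        byte[] block = Arrays.copyOf(WhisperLinkUtil.getBytes(PAD_TEXT), keySizeBytes);
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            return cipher.doFinal(block);
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new TTransportException(e);
        }
    }

    /**
     * Verifies {@code certificate} for {@code deviceUuid} when the service requires authenticated
     * encryption; otherwise does nothing.
     *
     * <p>A first failure may refresh the daemon's key data, in which case verification is
     * attempted exactly once more and that second failure is final.
     */
    private void verifyAuthByService(String deviceUuid, Description description, Certificate certificate) throws TException {
        Log.info(TAG, "verifyAuthByService");
        if (!WhisperLinkUtil.serviceRequiresAuthenticatedEncryption(description)) {
            Log.debug(TAG, "Not verifying connection, service doesn't require it");
            return;
        }
        Log.info(TAG, "Service requires AUTHENTICATED_EXTERNAL_ENCRYPTION. Will verify cert.");
        if (doVerify(deviceUuid, certificate, true)) {
            doVerify(deviceUuid, certificate, false);
        }
    }

    /**
     * Upgrades a cloud transport to a secure, authenticated link when the service requires
     * authenticated encryption; otherwise does nothing.
     *
     * <p>When no public key is known for {@code deviceUuid}, a key refresh is forced first.
     * NOTE(review): the key is looked up again after the refresh and passed on without a null
     * check; confirm that upgradeToSecureAndAuthenticated rejects a null public key.
     */
    private void verifyAuthByService(TTransport tTransport, String deviceUuid, Description description, boolean isClient) throws TException {
        if (!WhisperLinkUtil.serviceRequiresAuthenticatedEncryption(description)) {
            Log.debug(TAG, "verifyAuthByService: Not upgrading connection, service doesn't require it");
            return;
        }
        Log.info(TAG, "Service requires AUTHENTICATED_EXTERNAL_ENCRYPTION. Will update transport.");
        if (getPublicKeyFor(deviceUuid) == null) {
            Log.debug(TAG, "We don't have the public key for this UUID, so force update");
            forceAuthUpdate();
        }
        if (isCloudTransport(tTransport)) {
            ((CloudTransportFeature) PlatformManager.getPlatformManager().getFeature(CloudTransportFeature.class)).upgradeToSecureAndAuthenticated(tTransport, getPublicKeyFor(deviceUuid), getPrivateKey(), isClient);
        } else {
            Log.info(TAG, "Not upgrading the connection as this is not a TComm Transport");
        }
    }

    /**
     * Authenticates the remote {@code device} when this side is the client.
     *
     * <p>Cloud transports are upgraded; socket transports have the peer certificate verified.
     * NOTE(review): when the delegate yields no certificate (it is not a {@code TSocket}), no
     * verification takes place and the method returns normally.
     */
    @Override // com.amazon.whisperlink.transport.TWhisperLinkTransport
    protected void authenticateAsClient(Description description, Device device) throws TException {
        TTransport delegate = getDelegate();
        if (isCloudTransport(delegate)) {
            verifyAuthByService(delegate, device.getUuid(), description, this.isClient);
            return;
        }
        Certificate peerCert = getSSLLinkCert(delegate, true);
        if (peerCert != null) {
            verifyAuthByService(device.getUuid(), description, peerCert);
        }
    }

    /**
     * Authenticates the remote peer when this side is the server.
     *
     * <p>The local service whose sid equals {@code str} is looked up through the registrar and
     * the peer identified by {@code str2} is verified against that service's requirements.
     * NOTE(review): a delegate that is neither a cloud transport nor a {@code TSocket} is
     * accepted without any verification.
     *
     * @param str service id of the requested local service
     * @param str2 UUID of the connecting device
     * @throws TTransportException when no local service has the requested sid
     */
    @Override // com.amazon.whisperlink.transport.TWhisperLinkTransport
    protected void authenticateAsServer(String str, String str2) throws TException {
        TTransport delegate = getDelegate();
        if (!isCloudTransport(delegate) && !(delegate instanceof TSocket)) {
            return;
        }
        Connection<Registrar.Iface, Registrar.Client> registrarConnection = WhisperLinkUtil.getRegistrarConnection();
        try {
            for (Description description : registrarConnection.connect().getServicesByDevice(WhisperLinkUtil.getLocalDevice(false))) {
                if (!str.equals(description.getSid())) {
                    continue;
                }
                if (isCloudTransport(delegate)) {
                    verifyAuthByService(delegate, str2, description, false);
                } else {
                    verifyAuthByService(str2, description, getSSLLinkCert(delegate, true));
                }
                return;
            }
            throw new TTransportException("Verification failed.  Service not found:" + str);
        } finally {
            if (registrarConnection != null) {
                registrarConnection.close();
            }
            Log.info(TAG, "authenticateAsServer done");
        }
    }

    /** Creates a connection to the auth daemon's internal service on the local device. */
    protected Connection<AuthDaemonInternal.Iface, AuthDaemonInternal.Client> createConnection() {
        return new Connection<>(WhisperLinkUtil.getLocalDevice(false), SecurityConfig.getAuthDaemonInternalDescription(), new AuthDaemonInternal.Client.Factory());
    }

    /** Returns the wrapped transport. */
    @Override // com.amazon.whisperlink.transport.TLayeredTransport
    public TTransport getDelegate() {
        return this.delegate;
    }

    /** Opens the transport and, when neither public key is set yet, derives both from the link. */
    @Override // com.amazon.whisperlink.transport.TWhisperLinkTransport
    public void open(boolean z) throws TTransportException {
        super.open(z);
        if (this.localPublicKey == null && this.remotePublicKey == null) {
            setPublicKeys();
        }
    }

    /** Reads the key pair from the delegate and stores it; does nothing when none is available. */
    protected void setPublicKeys() throws TTransportException {
        String[] publicKeys = getPublicKeys(this.delegate);
        if (publicKeys != null) {
            setPublicKeys(publicKeys[0], publicKeys[1]);
        }
    }

    /**
     * Stores the encoded local and remote public keys.
     *
     * @param str encoded local public key
     * @param str2 encoded remote public key
     * @throws IllegalArgumentException when either key is empty or both keys are equal
     */
    protected void setPublicKeys(String str, String str2) {
        // Equal keys would mean the peer presented this device's own key; reject them.
        if (StringUtil.isEmpty(str) || StringUtil.isEmpty(str2) || str.equals(str2)) {
            throw new IllegalArgumentException("Invalid key when setting public keys");
        }
        this.localPublicKey = str;
        this.remotePublicKey = str2;
    }
}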
