package com.eero.android.pki;

import android.content.Context;
import com.eero.android.core.analytics.ObjectNames;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.net.ssl.SSLContext;
import kotlin.Lazy;
import kotlin.LazyKt;
import kotlin.Metadata;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.StringCompanionObject;
import kotlin.text.StringsKt;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
import timber.log.Timber;

/* compiled from: Keys.kt */
@Metadata(d1 = {"\u0000h\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0002\b\b\n\u0002\u0018\u0002\n\u0002\b\u0014\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\t\n\u0002\u0010\u0011\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0012\n\u0002\b\u0006\u0018\u00002\u00020\u0001B1\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0007\u0012\b\b\u0002\u0010\b\u001a\u00020\u0007\u0012\b\b\u0002\u0010\t\u001a\u00020\n¢\u0006\u0002\u0010\u000bJ\u0010\u00107\u001a\u0002082\u0006\u00109\u001a\u00020:H\u0016J\u0010\u0010;\u001a\u00020\u00072\u0006\u0010<\u001a\u00020\u0007H\u0002J\u0010\u0010=\u001a\u00020\u00072\u0006\u0010<\u001a\u00020\u0007H\u0002J\b\u0010>\u001a\u000208H\u0016J\r\u0010?\u001a\u00020\nH\u0000¢\u0006\u0002\b@J\b\u0010A\u001a\u000208H\u0002J\b\u0010B\u001a\u000208H\u0002J\u0013\u0010C\u001a\b\u0012\u0004\u0012\u00020E0DH\u0016¢\u0006\u0002\u0010FJ\u0010\u0010G\u001a\u0002082\u0006\u00109\u001a\u00020:H\u0016J\u0018\u0010H\u001a\u00020I2\u0006\u0010J\u001a\u00020I2\u0006\u0010K\u001a\u00020\u0007H\u0016J 
\u0010L\u001a\u00020\n2\u0006\u0010J\u001a\u00020I2\u0006\u0010M\u001a\u00020I2\u0006\u0010K\u001a\u00020\u0007H\u0016J\f\u0010N\u001a\u00020\u0007*\u00020EH\u0002R\u000e\u0010\f\u001a\u00020\u0007X\u0082D¢\u0006\u0002\n\u0000R\u001b\u0010\r\u001a\u00020\u00078FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b\u0010\u0010\u0011\u001a\u0004\b\u000e\u0010\u000fR\u001b\u0010\u0012\u001a\u00020\u00138FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b\u0016\u0010\u0011\u001a\u0004\b\u0014\u0010\u0015R\u001b\u0010\u0017\u001a\u00020\u00138FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b\u0019\u0010\u0011\u001a\u0004\b\u0018\u0010\u0015R\u0014\u0010\u001a\u001a\u00020\u00138VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b\u001b\u0010\u0015R\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n\u0000\u001a\u0004\b\u001c\u0010\u001dR\u0011\u0010\u0004\u001a\u00020\u0005¢\u0006\b\n\u0000\u001a\u0004\b\u001e\u0010\u001fR\u001b\u0010 \u001a\u00020\u00078FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b\"\u0010\u0011\u001a\u0004\b!\u0010\u000fR\u001b\u0010#\u001a\u00020\u00138FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b%\u0010\u0011\u001a\u0004\b$\u0010\u0015R\u000e\u0010&\u001a\u00020\u0007X\u0082D¢\u0006\u0002\n\u0000R\u001b\u0010'\u001a\u00020(8FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b+\u0010\u0011\u001a\u0004\b)\u0010*R\u001b\u0010,\u001a\u00020-8FX\u0086\u0084\u0002¢\u0006\f\n\u0004\b0\u0010\u0011\u001a\u0004\b.\u0010/R\u0011\u0010\b\u001a\u00020\u0007¢\u0006\b\n\u0000\u001a\u0004\b1\u0010\u000fR\u0014\u00102\u001a\u0002038VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b4\u00105R\u0011\u0010\u0006\u001a\u00020\u0007¢\u0006\b\n\u0000\u001a\u0004\b6\u0010\u000f¨\u0006O"}, d2 = {"Lcom/eero/android/pki/LocalKeyStoreIdentity;", "Lcom/eero/android/pki/LocalIdentity;", "context", "Landroid/content/Context;", "keyStore", "Lcom/eero/android/pki/SegmentedKeyStore;", "x500Subject", "", "rootAlias", "createIfNeeded", "", "(Landroid/content/Context;Lcom/eero/android/pki/SegmentedKeyStore;Ljava/lang/String;Ljava/lang/String;Z)V", "authoritySuffix", 
"caAlias", "getCaAlias", "()Ljava/lang/String;", "caAlias$delegate", "Lkotlin/Lazy;", "caCert", "Ljava/security/cert/Certificate;", "getCaCert", "()Ljava/security/cert/Certificate;", "caCert$delegate", "cert", "getCert", "cert$delegate", "certificateAuthority", "getCertificateAuthority", "getContext", "()Landroid/content/Context;", "getKeyStore", "()Lcom/eero/android/pki/SegmentedKeyStore;", "leafAlias", "getLeafAlias", "leafAlias$delegate", "leafCert", "getLeafCert", "leafCert$delegate", "leafSuffix", "private", "Ljava/security/PrivateKey;", "getPrivate", "()Ljava/security/PrivateKey;", "private$delegate", "public", "Ljava/security/PublicKey;", "getPublic", "()Ljava/security/PublicKey;", "public$delegate", "getRootAlias", "sslContext", "Ljavax/net/ssl/SSLContext;", "getSslContext", "()Ljavax/net/ssl/SSLContext;", "getX500Subject", "addTrustedAuthority", "", "certStream", "Ljava/io/InputStream;", "convertAuthorityAlias", "alias", "convertLeafAlias", ObjectNames.DELETE, "exists", "exists$pki_release", "generateCerts", "generateKeys", "getTrustedAuthorities", "", "Ljava/security/cert/X509Certificate;", "()[Ljava/security/cert/X509Certificate;", "removeTrustedAuthority", "sign", "", "data", "signatureAlgorithm", "verify", "signature", "aliasForKeyStore", "pki_release"}, k = 1, mv = {1, 9, 0}, xi = 48)
/* loaded from: classes2.dex */
/*
 * Keystore-backed implementation of LocalIdentity (JADX output for the Kotlin source Keys.kt).
 *
 * Alias layout, as built by the code below:
 *   rootAlias                                        key entry, read with getKey()/getCertificate()
 *   rootAlias + "-ca"                                locally generated root CA certificate
 *   rootAlias + "-leaf"                              locally generated leaf certificate
 *   rootAlias + "-trusts-" + 10 hex chars + "-ca"    remote certificates added as trusted authorities
 *
 * NOTE(review): the fields named `private` and `public` are Kotlin property names that the
 * decompiler kept verbatim; both are reserved words in Java, so this listing documents behaviour
 * but does not compile as written.
 */
public final class LocalKeyStoreIdentity implements LocalIdentity {
    // Suffix appended to every certificate-authority alias; the constructor sets it to "-ca".
    private final String authoritySuffix;

    /* renamed from: caAlias$delegate, reason: from kotlin metadata */
    // Lazily computed alias of this identity's CA certificate (rootAlias + authoritySuffix).
    private final Lazy caAlias;

    /* renamed from: caCert$delegate, reason: from kotlin metadata */
    // Lazily loaded certificate stored under caAlias.
    private final Lazy caCert;

    /* renamed from: cert$delegate, reason: from kotlin metadata */
    // Lazily loaded certificate stored under rootAlias itself.
    private final Lazy cert;
    private final Context context;
    private final SegmentedKeyStore keyStore;

    /* renamed from: leafAlias$delegate, reason: from kotlin metadata */
    // Lazily computed alias of this identity's leaf certificate (rootAlias + leafSuffix).
    private final Lazy leafAlias;

    /* renamed from: leafCert$delegate, reason: from kotlin metadata */
    // Lazily loaded certificate stored under leafAlias.
    private final Lazy leafCert;
    // Suffix appended to the leaf-certificate alias; the constructor sets it to "-leaf".
    private final String leafSuffix;

    /* renamed from: private$delegate, reason: from kotlin metadata */
    // Lazily loaded private key stored under rootAlias.
    private final Lazy private;

    /* renamed from: public$delegate, reason: from kotlin metadata */
    // Lazily derived public key, taken from the certificate stored under rootAlias.
    private final Lazy public;
    private final String rootAlias;
    private final String x500Subject;

    /**
     * Binds this identity to a keystore and, when requested, creates its key and certificates.
     *
     * <p>All key and certificate accessors are wired up as lazy delegates, so nothing is read from
     * the keystore until first use. After that the constructor checks whether the leaf and CA
     * aliases exist and, if {@code z} is set and either is missing, generates a key plus CA and
     * leaf certificates.
     *
     * <p>NOTE(review): a generation failure is logged and followed by {@link #delete()}, but the
     * constructor still returns normally. The caller then holds an identity whose aliases may be
     * absent; the lazy getters null-check what the keystore returns, so the failure would
     * presumably resurface on first use rather than here. Callers that need a usable identity
     * should check {@link #exists$pki_release()} after construction.
     *
     * @param context Android context, passed through to key generation
     * @param keyStore keystore that holds this identity's key and certificates
     * @param x500Subject subject string used for the generated certificates
     * @param rootAlias alias of the key entry and prefix of every derived alias
     * @param z named {@code createIfNeeded} in the Kotlin metadata; when false the keystore is
     *     only inspected, never modified
     */
    public LocalKeyStoreIdentity(Context context, SegmentedKeyStore keyStore, String x500Subject, String rootAlias, boolean z) {
        Intrinsics.checkNotNullParameter(context, "context");
        Intrinsics.checkNotNullParameter(keyStore, "keyStore");
        Intrinsics.checkNotNullParameter(x500Subject, "x500Subject");
        Intrinsics.checkNotNullParameter(rootAlias, "rootAlias");
        this.context = context;
        this.keyStore = keyStore;
        this.x500Subject = x500Subject;
        this.rootAlias = rootAlias;
        this.authoritySuffix = "-ca";
        this.leafSuffix = "-leaf";
        // Private key: fetched from the keystore under rootAlias with a null password argument.
        this.private = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$private$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final PrivateKey invoke() {
                Key key = LocalKeyStoreIdentity.this.getKeyStore().getKey(LocalKeyStoreIdentity.this.getRootAlias(), null);
                // A missing key entry fails this null check instead of returning null to callers.
                Intrinsics.checkNotNull(key, "null cannot be cast to non-null type java.security.PrivateKey");
                return (PrivateKey) key;
            }
        });
        // Certificate stored directly under rootAlias (the key entry's certificate).
        this.cert = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$cert$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final Certificate invoke() {
                Certificate certificate = LocalKeyStoreIdentity.this.getKeyStore().getCertificate(LocalKeyStoreIdentity.this.getRootAlias());
                Intrinsics.checkNotNull(certificate);
                return certificate;
            }
        });
        // Public key: read from the rootAlias certificate rather than from a separate key entry.
        this.public = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$public$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final PublicKey invoke() {
                return LocalKeyStoreIdentity.this.getCert().getPublicKey();
            }
        });
        // CA alias: rootAlias + "-ca".
        this.caAlias = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$caAlias$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final String invoke() {
                String convertAuthorityAlias;
                LocalKeyStoreIdentity localKeyStoreIdentity = LocalKeyStoreIdentity.this;
                convertAuthorityAlias = localKeyStoreIdentity.convertAuthorityAlias(localKeyStoreIdentity.getRootAlias());
                return convertAuthorityAlias;
            }
        });
        // CA certificate: loaded from the keystore under the CA alias.
        this.caCert = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$caCert$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final Certificate invoke() {
                Certificate certificate = LocalKeyStoreIdentity.this.getKeyStore().getCertificate(LocalKeyStoreIdentity.this.getCaAlias());
                Intrinsics.checkNotNull(certificate);
                return certificate;
            }
        });
        // Leaf alias: rootAlias + "-leaf".
        this.leafAlias = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$leafAlias$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final String invoke() {
                String convertLeafAlias;
                LocalKeyStoreIdentity localKeyStoreIdentity = LocalKeyStoreIdentity.this;
                convertLeafAlias = localKeyStoreIdentity.convertLeafAlias(localKeyStoreIdentity.getRootAlias());
                return convertLeafAlias;
            }
        });
        // Leaf certificate: loaded from the keystore under the leaf alias.
        this.leafCert = LazyKt.lazy(new Function0() { // from class: com.eero.android.pki.LocalKeyStoreIdentity$leafCert$2
            /* JADX INFO: Access modifiers changed from: package-private */
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final Certificate invoke() {
                Certificate certificate = LocalKeyStoreIdentity.this.getKeyStore().getCertificate(LocalKeyStoreIdentity.this.getLeafAlias());
                Intrinsics.checkNotNull(certificate);
                return certificate;
            }
        });
        // contains = leaf certificate present, contains2 = CA certificate present.
        boolean contains = keyStore.contains(getLeafAlias());
        boolean contains2 = keyStore.contains(getCaAlias());
        if (z) {
            if (contains && contains2) {
                // Both certificates already exist; the stored identity is reused untouched.
                return;
            }
            if (contains || contains2) {
                Timber.Forest.w("Partial KeyStore detected! Regenerating CA and leaf certificates!", new Object[0]);
            }
            // NOTE(review): regeneration does not delete existing entries first, so it relies on
            // generateKey()/setCertificate() replacing whatever is already stored - confirm
            // against SegmentedKeyStore.
            try {
                generateKeys();
                generateCerts();
            } catch (Exception e) {
                Timber.Forest.e(e, "Key or Certificate generation failed", new Object[0]);
                // Best-effort rollback so a half-written identity is not left in the keystore.
                try {
                    delete();
                } catch (KeyStoreException unused) {
                    // NOTE(review): a failed rollback is dropped without a log line, so a partial
                    // identity can remain in the keystore with no trace of why.
                }
            }
        }
    }

    /**
     * Compiler-generated bridge for the Kotlin default arguments.
     *
     * <p>Bit 8 of {@code i} selects the default for {@code rootAlias}, which is the subject string
     * itself; bit 16 selects the default for the create-if-needed flag, which is {@code true}.
     * Callers that omit both therefore get an identity that creates key material on construction.
     */
    public /* synthetic */ LocalKeyStoreIdentity(Context context, SegmentedKeyStore segmentedKeyStore, String str, String str2, boolean z, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(context, segmentedKeyStore, str, (i & 8) != 0 ? str : str2, (i & 16) != 0 ? true : z);
    }

    /**
     * Derives the keystore alias under which a remote certificate is stored.
     *
     * <p>The alias is {@code rootAlias + "-trusts-"} followed by the first 10 characters of the
     * uppercase hex form of the SHA-1 digest of the certificate's encoding.
     *
     * <p>NOTE(review): 10 hex characters carry 40 bits, which is too little to treat the alias as
     * a unique certificate identifier. Two different certificates that map to the same alias
     * share one keystore slot, and {@link #removeTrustedAuthority(InputStream)} deletes by alias
     * without comparing the stored certificate. Also, {@code %X} on a BigInteger does not
     * zero-pad, so a digest with leading zero nibbles yields a prefix that is not the first 40
     * bits of the hash. Changing the scheme would orphan aliases already persisted, so any fix
     * needs a migration path.
     */
    private final String aliasForKeyStore(X509Certificate x509Certificate) {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-1");
        messageDigest.update(x509Certificate.getEncoded());
        // Decompiler residue of Kotlin's String.format call; the local is never read.
        StringCompanionObject stringCompanionObject = StringCompanionObject.INSTANCE;
        // Signum 1 treats the digest as a non-negative integer before hex formatting.
        String format = String.format("%X", Arrays.copyOf(new Object[]{new BigInteger(1, messageDigest.digest())}, 1));
        Intrinsics.checkNotNullExpressionValue(format, "format(...)");
        return this.rootAlias + "-trusts-" + ((Object) format.subSequence(0, 10));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Returns {@code alias} with the authority suffix ("-ca") appended. */
    public final String convertAuthorityAlias(String alias) {
        return alias + this.authoritySuffix;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Returns {@code alias} with the leaf suffix ("-leaf") appended. */
    public final String convertLeafAlias(String alias) {
        return alias + this.leafSuffix;
    }

    /**
     * Creates the root CA and leaf certificates and stores them under the CA and leaf aliases.
     *
     * <p>Both certificates share one expiry date computed from the current time, and the leaf
     * serial is derived from the CA serial.
     *
     * <p>NOTE(review): the same {@code getPrivate()}/{@code getPublic()} pair is passed to both
     * factory calls, so the CA and the leaf appear to be bound to a single key pair. If so,
     * exposure of that one key would affect both certificates - confirm against X509Kt.
     */
    private final void generateCerts() {
        Date expiryForStartDate = X509Kt.expiryForStartDate(new Date());
        // Second name passed to the leaf factory: the subject string with "-android" appended.
        String str = this.x500Subject + "-android";
        X509Certificate createRootCertificateAuthority = X509Kt.createRootCertificateAuthority(getPrivate(), getPublic(), this.x500Subject, X509Kt.randomCertSerial(), expiryForStartDate);
        PrivateKey privateKey = getPrivate();
        PublicKey publicKey = getPublic();
        String str2 = this.x500Subject;
        BigInteger serialNumber = createRootCertificateAuthority.getSerialNumber();
        Intrinsics.checkNotNullExpressionValue(serialNumber, "getSerialNumber(...)");
        // The trailing "null, 64, null" is the Kotlin default-argument bridge: bit 64 asks the
        // callee to use its default for the seventh parameter, whose meaning is not visible here.
        X509Certificate createLeafCertificate$default = X509Kt.createLeafCertificate$default(privateKey, publicKey, str2, str, X509Kt.leafCertSerialFromCaSerial(serialNumber), expiryForStartDate, null, 64, null);
        this.keyStore.setCertificate(getCaAlias(), createRootCertificateAuthority);
        this.keyStore.setCertificate(getLeafAlias(), createLeafCertificate$default);
    }

    /** Asks the keystore to generate the key entry for {@code rootAlias} and the subject. */
    private final void generateKeys() {
        this.keyStore.generateKey(this.context, this.rootAlias, this.x500Subject);
    }

    /**
     * Parses every certificate in {@code certStream} and stores each one as a trusted authority.
     *
     * <p>Each certificate is stored under the alias from {@code aliasForKeyStore} plus the "-ca"
     * suffix, which is the suffix {@link #getTrustedAuthorities()} selects on.
     *
     * <p>NOTE(review): nothing in this method checks validity dates, CA basic constraints or a
     * chain before the certificate is stored, and every certificate in the stream is accepted.
     * The stream must therefore come from an already authenticated source; if that is not
     * guaranteed upstream, validation belongs here. The stream is not closed by this method.
     *
     * @param certStream encoded certificates to add
     */
    @Override // com.eero.android.pki.LocalIdentity
    public void addTrustedAuthority(InputStream certStream) {
        Intrinsics.checkNotNullParameter(certStream, "certStream");
        // BouncyCastle's factory SPI is instantiated and called directly, bypassing provider lookup.
        for (Object obj : new CertificateFactory().engineGenerateCertificates(certStream)) {
            Intrinsics.checkNotNull(obj, "null cannot be cast to non-null type java.security.cert.X509Certificate");
            X509Certificate x509Certificate = (X509Certificate) obj;
            String convertAuthorityAlias = convertAuthorityAlias(aliasForKeyStore(x509Certificate));
            Timber.Forest.d("Adding remote cert '" + x509Certificate.getSubjectX500Principal() + "'with alias " + convertAuthorityAlias + " to KeyStore", new Object[0]);
            this.keyStore.setCertificate(convertAuthorityAlias, (Certificate) obj);
        }
    }

    /**
     * Deletes every keystore entry whose alias starts with {@code rootAlias}.
     *
     * <p>That covers the key entry, the CA and leaf certificates, and all trusted authorities
     * added through this identity.
     *
     * <p>NOTE(review): the match is a plain prefix test. If the keystore's alias list can contain
     * another identity whose root alias begins with this one's, that identity's entries are
     * deleted as well - confirm how SegmentedKeyStore scopes {@code getAliases()}.
     */
    @Override // com.eero.android.pki.LocalIdentity
    public void delete() {
        List<String> aliases = this.keyStore.getAliases();
        // Collect first, delete afterwards, so the alias list is not modified while iterating it.
        ArrayList arrayList = new ArrayList();
        for (Object obj : aliases) {
            if (StringsKt.startsWith$default((String) obj, this.rootAlias, false, 2, (Object) null)) {
                arrayList.add(obj);
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            this.keyStore.delete((String) it.next());
        }
    }

    /**
     * Reports whether the CA alias is present in the keystore.
     *
     * <p>NOTE(review): only the CA alias is checked, while the constructor treats the identity as
     * complete only when both the CA and leaf aliases exist; a partial identity reports true here.
     */
    public final boolean exists$pki_release() {
        return this.keyStore.contains(getCaAlias());
    }

    /** Returns the alias of this identity's CA certificate, computing it on first use. */
    public final String getCaAlias() {
        return (String) this.caAlias.getValue();
    }

    /** Returns the CA certificate, loading it from the keystore on first use. */
    public final Certificate getCaCert() {
        return (Certificate) this.caCert.getValue();
    }

    /** Returns the certificate stored under {@code rootAlias}, loading it on first use. */
    public final Certificate getCert() {
        return (Certificate) this.cert.getValue();
    }

    /** Returns this identity's own CA certificate; same value as {@link #getCaCert()}. */
    @Override // com.eero.android.pki.LocalIdentity
    public Certificate getCertificateAuthority() {
        return getCaCert();
    }

    public final Context getContext() {
        return this.context;
    }

    public final SegmentedKeyStore getKeyStore() {
        return this.keyStore;
    }

    /** Returns the alias of this identity's leaf certificate, computing it on first use. */
    public final String getLeafAlias() {
        return (String) this.leafAlias.getValue();
    }

    /** Returns the leaf certificate, loading it from the keystore on first use. */
    public final Certificate getLeafCert() {
        return (Certificate) this.leafCert.getValue();
    }

    /**
     * Returns the private key object stored under {@code rootAlias}, loading it on first use.
     *
     * <p>NOTE(review): this is a public getter handing the key object to any caller in the app;
     * whether the key material itself is extractable depends on the keystore backing, which is
     * not visible here.
     */
    public final PrivateKey getPrivate() {
        return (PrivateKey) this.private.getValue();
    }

    /** Returns the public key taken from the {@code rootAlias} certificate. */
    public final PublicKey getPublic() {
        Object value = this.public.getValue();
        Intrinsics.checkNotNullExpressionValue(value, "getValue(...)");
        return (PublicKey) value;
    }

    public final String getRootAlias() {
        return this.rootAlias;
    }

    /** Builds an SSLContext for this identity by delegating to {@code SslKt.createSslContext}. */
    @Override // com.eero.android.pki.LocalIdentity
    public SSLContext getSslContext() {
        return SslKt.createSslContext(this);
    }

    /**
     * Returns every X.509 certificate stored under an alias that ends with "-ca".
     *
     * <p>Entries that are missing or are not X.509 certificates are skipped.
     *
     * <p>NOTE(review): the filter is suffix-only and does not test for {@code rootAlias}. The
     * result therefore includes this identity's own CA certificate and, if the keystore's alias
     * list spans several identities, their authorities too. If this array feeds a trust manager,
     * the trust set is wider than the certificates added through
     * {@link #addTrustedAuthority(InputStream)} - confirm how SegmentedKeyStore scopes aliases.
     */
    @Override // com.eero.android.pki.LocalIdentity
    public X509Certificate[] getTrustedAuthorities() {
        List<String> aliases = this.keyStore.getAliases();
        // First pass: keep only aliases carrying the authority suffix.
        ArrayList arrayList = new ArrayList();
        for (Object obj : aliases) {
            if (StringsKt.endsWith$default((String) obj, this.authoritySuffix, false, 2, (Object) null)) {
                arrayList.add(obj);
            }
        }
        // Second pass: load each certificate and keep the X.509 ones.
        ArrayList arrayList2 = new ArrayList();
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            Certificate certificate = this.keyStore.getCertificate((String) it.next());
            X509Certificate x509Certificate = certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
            if (x509Certificate != null) {
                arrayList2.add(x509Certificate);
            }
        }
        return (X509Certificate[]) arrayList2.toArray(new X509Certificate[0]);
    }

    public final String getX500Subject() {
        return this.x500Subject;
    }

    /**
     * Parses every certificate in {@code certStream} and deletes the matching trusted-authority
     * alias from the keystore.
     *
     * <p>NOTE(review): deletion is keyed on the truncated-digest alias alone; the stored
     * certificate is not compared with the supplied one, so a different certificate that maps to
     * the same alias removes the stored entry. The stream is not closed by this method.
     *
     * @param certStream encoded certificates to remove
     */
    @Override // com.eero.android.pki.LocalIdentity
    public void removeTrustedAuthority(InputStream certStream) {
        Intrinsics.checkNotNullParameter(certStream, "certStream");
        for (Object obj : new CertificateFactory().engineGenerateCertificates(certStream)) {
            Intrinsics.checkNotNull(obj, "null cannot be cast to non-null type java.security.cert.X509Certificate");
            X509Certificate x509Certificate = (X509Certificate) obj;
            String convertAuthorityAlias = convertAuthorityAlias(aliasForKeyStore(x509Certificate));
            Timber.Forest.d("Removing remote cert '" + x509Certificate.getSubjectX500Principal() + "' with alias " + convertAuthorityAlias + " from KeyStore", new Object[0]);
            this.keyStore.delete(convertAuthorityAlias);
        }
    }

    /**
     * Signs {@code data} with this identity's private key.
     *
     * <p>NOTE(review): the algorithm name is taken from the caller as-is, with no allow-list
     * here; restricting accepted algorithms, if wanted, has to happen at the call sites.
     *
     * @param data bytes to sign
     * @param signatureAlgorithm JCA signature algorithm name passed to {@code Signature.getInstance}
     * @return the signature bytes
     */
    @Override // com.eero.android.pki.LocalIdentity
    public byte[] sign(byte[] data, String signatureAlgorithm) {
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(signatureAlgorithm, "signatureAlgorithm");
        Signature signature = Signature.getInstance(signatureAlgorithm);
        signature.initSign(getPrivate());
        signature.update(data);
        byte[] sign = signature.sign();
        Intrinsics.checkNotNullExpressionValue(sign, "sign(...)");
        return sign;
    }

    /**
     * Checks {@code signature} over {@code data} against this identity's own public key.
     *
     * <p>The key used is the local one from {@link #getPublic()}, so a true result shows that the
     * data was signed by this identity's key, not by a remote peer.
     *
     * @param data bytes that were signed
     * @param signature signature bytes to check
     * @param signatureAlgorithm JCA signature algorithm name passed to {@code Signature.getInstance}
     * @return true when the signature verifies
     */
    @Override // com.eero.android.pki.LocalIdentity
    public boolean verify(byte[] data, byte[] signature, String signatureAlgorithm) {
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(signature, "signature");
        Intrinsics.checkNotNullParameter(signatureAlgorithm, "signatureAlgorithm");
        Signature signature2 = Signature.getInstance(signatureAlgorithm);
        signature2.initVerify(getPublic());
        signature2.update(data);
        return signature2.verify(signature);
    }
}
