package okio;

import com.microsoft.identity.broker4j.broker.prt.PrtConstants;
import com.microsoft.intune.mam.agent.knox.IKnoxAttestationManager;
import com.microsoft.omadm.apppolicy.mamservice.KeyRegistrationRequiredException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import java.util.logging.Logger;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;

@Metadata(d1 = {"\u0000t\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\t\n\u0002\b\u0005\u0018\u0000 (2\u00020\u0001:\u0002'(B/\b\u0007\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0007\u0012\u0006\u0010\b\u001a\u00020\t\u0012\u0006\u0010\n\u001a\u00020\u000b¢\u0006\u0002\u0010\fJ\b\u0010\r\u001a\u00020\u000eH\u0016J\u0018\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u0014H\u0002J\u0010\u0010\u0015\u001a\u00020\u000e2\u0006\u0010\u0016\u001a\u00020\u0017H\u0016J\u0010\u0010\u0018\u001a\u00020\u00192\u0006\u0010\u001a\u001a\u00020\u001bH\u0016J>\u0010\u001c\u001a\u00020\u001d2\u0006\u0010\u001e\u001a\u00020\u001f2\f\u0010 \u001a\b\u0012\u0004\u0012\u00020\"0!2\u0006\u0010\u0011\u001a\u00020\u00122\u0006\u0010#\u001a\u00020$2\u000e\u0010%\u001a\n\u0012\u0004\u0012\u00020\"\u0018\u00010!H\u0002J\u0010\u0010&\u001a\u00020\u001b2\u0006\u0010\u0011\u001a\u00020\u0012H\u0016R\u000e\u0010\n\u001a\u00020\u000bX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006)"}, d2 = {"Lcom/microsoft/omadm/apppolicy/mamservice/MAMServiceRequestSigner;", "Lcom/microsoft/omadm/apppolicy/mamservice/IMAMServiceRequestSigner;", 
"knoxAttestationManager", "Lcom/microsoft/intune/mam/agent/knox/IKnoxAttestationManager;", "ntpTime", "Lcom/microsoft/omadm/utils/NtpTimeClient;", "keyStore", "Lcom/microsoft/intune/cryptography/androidapicomponent/abstraction/ILocalKeyStore;", "tracker", "Lcom/microsoft/omadm/apppolicy/mamservice/IMAMServiceSignedRequestTracker;", "clock", "Lcom/microsoft/intune/core/common/domain/ISystemClock;", "(Lcom/microsoft/intune/mam/agent/knox/IKnoxAttestationManager;Lcom/microsoft/omadm/utils/NtpTimeClient;Lcom/microsoft/intune/cryptography/androidapicomponent/abstraction/ILocalKeyStore;Lcom/microsoft/omadm/apppolicy/mamservice/IMAMServiceSignedRequestTracker;Lcom/microsoft/intune/core/common/domain/ISystemClock;)V", "canCreateSignedRequest", "", "createAttestation", "Lcom/microsoft/omadm/apppolicy/mamservice/MAMServiceRequestSigner$AttestationResult;", PrtConstants.REQUEST_JWT_KEY, "Lcom/microsoft/omadm/apppolicy/mamservice/RequestToSign;", "challenge", "", "isKnoxSignedRequestRequired", "appInstanceId", "", "recordKeyRegistrationSuccessIfNecessary", "", "signedRequest", "Lcom/microsoft/omadm/apppolicy/mamservice/SignedRequest;", "signRequest", "Lcom/nimbusds/jwt/SignedJWT;", "keyPair", "Ljava/security/KeyPair;", "chain", "", "Ljava/security/cert/X509Certificate;", "now", "", "rotateTo", "signRequestWithKnoxAttestedKey", "AttestationResult", "Companion", "OMADMClient_officialProductionRelease"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes2.dex */
public final class Provider implements isChannelBuilt {
    // Names below are obfuscated. The original names quoted in these comments come from the
    // Kotlin @Metadata on this class (MAMServiceRequestSigner), matched via constructor parameter order.
    // knoxAttestationManager: creates key attestations and reports whether the license is activated.
    private final IKnoxAttestationManager BCFKSLoadStoreParameter$SignatureAlgorithm;
    // clock (ISystemClock): only elapsedRealtime() is used in this class, to time the signing operation.
    private final getTotalScrollRange BCFKSStoreParameter;
    // keyStore (ILocalKeyStore): resolves the public and private key for a key alias.
    private final setExpandedTitleTypeface BCLoadStoreParameter;
    // tracker (IMAMServiceSignedRequestTracker): queried with the app-instance key and updated after a
    // key registration; presumably persists the registered key alias per app instance (confirm).
    private final buildChannel CompositePrivateKey;
    // ntpTime (NtpTimeClient): supplies the timestamp used for the attestation challenge and the JWT time claims.
    private final writeEnumNoTag getProtectionParameter;
    // Presumably the Kotlin Companion instance (the metadata lists a nested "Companion"); confirm.
    public static final Provider$INotificationSideChannel$Default BCFKSLoadStoreParameter$MacAlgorithm = new Provider$INotificationSideChannel$Default(null);
    // Class logger, obtained through obfuscated helper calls.
    private static final Logger BCFKSLoadStoreParameter$EncryptionAlgorithm = Authenticator.INotificationSideChannel(openLinkInBrowser.MediaBrowserCompat$MediaBrowserImplBase$1(Provider.class));
    // One hour in milliseconds: subtracted from "now" for the JWT nbf claim and added for exp,
    // so a signed request is nominally valid for a two-hour window centred on the issue time.
    private static final long withStoreSignatureAlgorithm = TimeUnit.HOURS.toMillis(1);

    /* JADX INFO: Access modifiers changed from: package-private */
    @Metadata(d1 = {"\u00002\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0002\b\u000f\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0010\b\n\u0002\b\u0002\b\u0082\b\u0018\u00002\u00020\u0001B3\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0010\b\u0002\u0010\u0006\u001a\n\u0012\u0004\u0012\u00020\b\u0018\u00010\u0007\u0012\n\b\u0002\u0010\t\u001a\u0004\u0018\u00010\u0005¢\u0006\u0002\u0010\nJ\t\u0010\u0012\u001a\u00020\u0003HÆ\u0003J\t\u0010\u0013\u001a\u00020\u0005HÆ\u0003J\u0011\u0010\u0014\u001a\n\u0012\u0004\u0012\u00020\b\u0018\u00010\u0007HÆ\u0003J\u000b\u0010\u0015\u001a\u0004\u0018\u00010\u0005HÆ\u0003J;\u0010\u0016\u001a\u00020\u00002\b\b\u0002\u0010\u0002\u001a\u00020\u00032\b\b\u0002\u0010\u0004\u001a\u00020\u00052\u0010\b\u0002\u0010\u0006\u001a\n\u0012\u0004\u0012\u00020\b\u0018\u00010\u00072\n\b\u0002\u0010\t\u001a\u0004\u0018\u00010\u0005HÆ\u0001J\u0013\u0010\u0017\u001a\u00020\u00182\b\u0010\u0019\u001a\u0004\u0018\u00010\u0001HÖ\u0003J\t\u0010\u001a\u001a\u00020\u001bHÖ\u0001J\t\u0010\u001c\u001a\u00020\u0005HÖ\u0001R\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n\u0000\u001a\u0004\b\u000b\u0010\fR\u0011\u0010\u0004\u001a\u00020\u0005¢\u0006\b\n\u0000\u001a\u0004\b\r\u0010\u000eR\u0013\u0010\t\u001a\u0004\u0018\u00010\u0005¢\u0006\b\n\u0000\u001a\u0004\b\u000f\u0010\u000eR\u0019\u0010\u0006\u001a\n\u0012\u0004\u0012\u00020\b\u0018\u00010\u0007¢\u0006\b\n\u0000\u001a\u0004\b\u0010\u0010\u0011¨\u0006\u001d"}, d2 = {"Lcom/microsoft/omadm/apppolicy/mamservice/MAMServiceRequestSigner$AttestationResult;", "", "attestation", "Lcom/microsoft/intune/cryptography/domain/KeyAttestation;", "keyAlias", "", "rotateTo", "", "Ljava/security/cert/X509Certificate;", "registerKeyAlias", "(Lcom/microsoft/intune/cryptography/domain/KeyAttestation;Ljava/lang/String;Ljava/util/List;Ljava/lang/String;)V", "getAttestation", 
"()Lcom/microsoft/intune/cryptography/domain/KeyAttestation;", "getKeyAlias", "()Ljava/lang/String;", "getRegisterKeyAlias", "getRotateTo", "()Ljava/util/List;", "component1", "component2", "component3", "component4", "copy", "equals", "", "other", "hashCode", "", "toString", "OMADMClient_officialProductionRelease"}, k = 1, mv = {1, 6, 0}, xi = 48)
    /* renamed from: o.Provider$cancel, reason: from toString */
    /* loaded from: classes2.dex */
    /**
     * Immutable holder (decompiled Kotlin data class) describing which key signs a request and
     * whether a key registration or rotation has to be reported alongside it.
     *
     * <p>Accessor names are partly obfuscated; per the Kotlin {@code @Metadata} the original
     * getters are getAttestation, getKeyAlias, getRotateTo and getRegisterKeyAlias.
     */
    public static final /* data */ class AttestationResult {

        /** Attestation for the key that signs the request; declared non-null in the metadata. */
        private final KeyAttestation attestation;

        /** Alias of the key that signs the request; declared non-null in the metadata. */
        private final String keyAlias;

        /** Certificates of the key being rotated to, or {@code null} when no rotation is reported. */
        private final List<X509Certificate> rotateTo;

        /** Alias to record as registered once the request succeeds, or {@code null} when nothing changes. */
        private final String registerKeyAlias;

        /**
         * Primary constructor.
         *
         * @param keyAttestation attestation for the signing key (checked by the obfuscated parameter check)
         * @param str            alias of the signing key (checked the same way)
         * @param list           rotation target certificates, may be {@code null}
         * @param str2           alias to register, may be {@code null}
         */
        /* JADX WARN: Multi-variable type inference failed */
        public AttestationResult(KeyAttestation keyAttestation, String str, List<? extends X509Certificate> list, String str2) {
            setSharedPrefPackageName.readTypedObject(keyAttestation, "");
            setSharedPrefPackageName.readTypedObject(str, "");
            this.registerKeyAlias = str2;
            this.rotateTo = list;
            this.keyAlias = str;
            this.attestation = keyAttestation;
        }

        /**
         * Compiler-generated constructor for Kotlin default arguments: bit 4 of {@code i} replaces
         * {@code list} with {@code null}, bit 8 replaces {@code str2} with {@code null}.
         */
        public /* synthetic */ AttestationResult(KeyAttestation keyAttestation, String str, List list, String str2, int i, DefaultConstructorMarker defaultConstructorMarker) {
            this(keyAttestation, str, (i & 4) != 0 ? null : list, (i & 8) != 0 ? null : str2);
        }

        /** Returns the attestation for the signing key. */
        public final KeyAttestation getAttestation() {
            return this.attestation;
        }

        /** Returns the alias of the signing key. */
        public final String getKeyAlias() {
            return this.keyAlias;
        }

        /** Returns the rotation target certificates (original name: getRotateTo); may be {@code null}. */
        public final List<X509Certificate> setAllowLogcat() {
            return this.rotateTo;
        }

        /** Returns the alias to register after a successful request; may be {@code null}. */
        public final String getRegisterKeyAlias() {
            return this.registerKeyAlias;
        }

        /** Field-by-field equality over all four components, compared in declaration order. */
        @Override
        public boolean equals(Object other) {
            if (other == this) {
                return true;
            }
            if (other instanceof AttestationResult) {
                AttestationResult that = (AttestationResult) other;
                if (!setSharedPrefPackageName.areEqual(this.attestation, that.attestation)) {
                    return false;
                }
                if (!setSharedPrefPackageName.areEqual(this.keyAlias, that.keyAlias)) {
                    return false;
                }
                if (!setSharedPrefPackageName.areEqual(this.rotateTo, that.rotateTo)) {
                    return false;
                }
                return setSharedPrefPackageName.areEqual(this.registerKeyAlias, that.registerKeyAlias);
            }
            return false;
        }

        /** Standard 31-multiplier hash over the four components; nullable ones contribute 0. */
        @Override
        public int hashCode() {
            int result = this.attestation.hashCode();
            result = 31 * result + this.keyAlias.hashCode();
            result = 31 * result + (this.rotateTo == null ? 0 : this.rotateTo.hashCode());
            result = 31 * result + (this.registerKeyAlias == null ? 0 : this.registerKeyAlias.hashCode());
            return result;
        }

        /**
         * Data-class style rendering of all four components. The output contains the attestation
         * object, both aliases and the rotation certificates, so it ends up wherever callers log it.
         */
        @Override
        public String toString() {
            StringBuilder text = new StringBuilder("AttestationResult(attestation=");
            text.append(this.attestation);
            text.append(", keyAlias=").append(this.keyAlias);
            text.append(", rotateTo=").append(this.rotateTo);
            text.append(", registerKeyAlias=").append(this.registerKeyAlias);
            text.append(')');
            return text.toString();
        }
    }

    /**
     * Wires the signer's collaborators. Per the Kotlin {@code @Metadata} on this class the
     * parameters are, in order: knoxAttestationManager, ntpTime, keyStore, tracker, clock.
     * Each argument is passed through the obfuscated parameter check before any field is set.
     *
     * @param iKnoxAttestationManager   creates key attestations
     * @param writeenumnotag            NTP time client supplying the signing timestamp
     * @param setexpandedtitletypeface  local key store resolving keys by alias
     * @param buildchannel              tracker of signed requests / registered key aliases
     * @param gettotalscrollrange       system clock used for timing
     */
    @serialize
    public Provider(IKnoxAttestationManager iKnoxAttestationManager, writeEnumNoTag writeenumnotag, setExpandedTitleTypeface setexpandedtitletypeface, buildChannel buildchannel, getTotalScrollRange gettotalscrollrange) {
        // Validate every argument first, in parameter order.
        setSharedPrefPackageName.readTypedObject(iKnoxAttestationManager, "");
        setSharedPrefPackageName.readTypedObject(writeenumnotag, "");
        setSharedPrefPackageName.readTypedObject(setexpandedtitletypeface, "");
        setSharedPrefPackageName.readTypedObject(buildchannel, "");
        setSharedPrefPackageName.readTypedObject(gettotalscrollrange, "");

        // Attestation and key material.
        this.BCFKSLoadStoreParameter$SignatureAlgorithm = iKnoxAttestationManager;
        this.BCLoadStoreParameter = setexpandedtitletypeface;
        // Registration tracking.
        this.CompositePrivateKey = buildchannel;
        // Time sources: NTP for token timestamps, system clock for elapsed-time logging.
        this.getProtectionParameter = writeenumnotag;
        this.BCFKSStoreParameter = gettotalscrollrange;
    }

    /**
     * Chooses the key that signs a request and works out whether a key registration or rotation
     * must accompany it (original name per the Kotlin {@code @Metadata}: createAttestation).
     *
     * <p>Cases, in order:
     * <ol>
     *   <li>The alias tracked for this app instance equals the alias of the freshly attested key:
     *       sign with it, nothing to register.</li>
     *   <li>No alias is tracked and registration is allowed: sign with the fresh key and mark its
     *       alias for registration.</li>
     *   <li>A different alias is tracked and registration is allowed: attest and sign with the
     *       tracked (old) key, and carry the fresh key's certificates as the rotation target, so
     *       the rotation request is vouched for by the key already tracked for this instance.</li>
     *   <li>Registration is not allowed: fail.</li>
     * </ol>
     *
     * @param requestToSign request being signed; supplies the app-instance key and the
     *                      allow-key-registration flag
     * @param bArr          attestation challenge bytes
     * @return the attestation, signing alias and optional rotation/registration data
     * @throws KeyRegistrationRequiredException when a registration or rotation is needed but the
     *                                          request does not allow it
     */
    private final AttestationResult INotificationSideChannel(RequestToSign requestToSign, byte[] bArr) {
        // Attestation over the manager's default key (the alias argument is left to its default).
        IKnoxAttestationManager.AttestationAndKey currentKey = IKnoxAttestationManager.DefaultImpls.createAttestation$default(this.BCFKSLoadStoreParameter$SignatureAlgorithm, bArr, null, 2, null);
        String appInstanceKey = requestToSign.getAppInstance().getKey();
        setSharedPrefPackageName.getInterfaceDescriptor(appInstanceKey, "");
        // Presumably the alias last registered for this app instance, or null if none - confirm against the tracker.
        String registeredAlias = this.CompositePrivateKey.setSupportBackgroundTintMode(appInstanceKey);

        if (setSharedPrefPackageName.areEqual(registeredAlias, currentKey.getKeyAlias())) {
            // Mask 12 = bits 4 and 8: both rotateTo and registerKeyAlias take their null defaults.
            return new AttestationResult(currentKey.getAttestation(), currentKey.getKeyAlias(), null, null, 12, null);
        }

        boolean neverRegistered = registeredAlias == null;
        if (requestToSign.getAllowKeyRegistration() && neverRegistered) {
            BCFKSLoadStoreParameter$EncryptionAlgorithm.info("New attestation key will be registered with service");
            // Mask 4: rotateTo takes its null default, registerKeyAlias is the fresh alias.
            return new AttestationResult(currentKey.getAttestation(), currentKey.getKeyAlias(), null, currentKey.getKeyAlias(), 4, null);
        }
        if (requestToSign.getAllowKeyRegistration()) {
            BCFKSLoadStoreParameter$EncryptionAlgorithm.info("Attestation key rotated, registering new one with service");
            // Re-attest with the previously tracked alias so the old key signs the rotation request.
            IKnoxAttestationManager.AttestationAndKey previousKey = this.BCFKSLoadStoreParameter$SignatureAlgorithm.createAttestation(bArr, registeredAlias);
            return new AttestationResult(previousKey.getAttestation(), previousKey.getKeyAlias(), currentKey.getAttestation().DeviceStateRequest(), currentKey.getKeyAlias());
        }

        String state;
        if (neverRegistered) {
            state = "not yet registered";
        } else {
            state = "rotated";
        }
        BCFKSLoadStoreParameter$EncryptionAlgorithm.info("Attestation key " + state + ", but a new one can't be registered right now");
        throw new KeyRegistrationRequiredException();
    }

    /**
     * Builds and signs the request JWT (original name per the Kotlin {@code @Metadata}:
     * signRequest(keyPair, chain, request, now, rotateTo)).
     *
     * <p>Token layout as written by this method:
     * <ul>
     *   <li>Header: project-defined JWS algorithm constant, {@code typ=JWT}, and the certificate
     *       chain as an {@code x5c} header of Base64-encoded DER certificates.</li>
     *   <li>Claims: {@code sub} = caller identity's AAD id, {@code aud} = app-instance key,
     *       {@code iat} = now, {@code nbf} = now - 1h, {@code exp} = now + 1h, plus
     *       {@code queryString} and {@code requestBody}, which bind the token to one request.</li>
     *   <li>Optional claims: {@code AADDeviceId} when non-empty, {@code rotateTo} (Base64 strings)
     *       when a rotation chain is supplied.</li>
     * </ul>
     *
     * <p>NOTE(review): no {@code jti} claim is set here, so uniqueness within the two-hour
     * validity window is not expressed in the token; any replay handling would have to live in
     * the verifying service - confirm.
     *
     * @param keyPair       signing key pair; the public key must be RSA
     * @param list          certificate chain placed in the {@code x5c} header
     * @param requestToSign request whose identity, app instance, query string and body are claimed
     * @param j             "now" in epoch milliseconds
     * @param list2         certificates of the key being rotated to, or {@code null}
     * @return the signed JWT
     * @throws IllegalArgumentException if the public key is not an RSA key
     */
    private final SignedJWT cancelAll(KeyPair keyPair, List<? extends X509Certificate> list, RequestToSign requestToSign, long j, List<? extends X509Certificate> list2) {
        if (!(keyPair.getPublic() instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("Only RSA keys supported for signing");
        }

        // Obfuscated project constant; presumably an RSA-based JWS algorithm - confirm.
        JWSAlgorithm signingAlgorithm = getKeyPair.CompositePublicKey;
        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(signingAlgorithm);
        ArrayList encodedChain = new ArrayList(sanitizeParsedSuffixes.notify(list, 10));
        for (X509Certificate certificate : list) {
            encodedChain.add(Base64.encode(certificate.getEncoded()));
        }
        JWSHeader header = headerBuilder.x509CertChain(encodedChain).type(JOSEObjectType.JWT).build();

        long skewMillis = withStoreSignatureAlgorithm;
        String aadDeviceId = requestToSign.getAppInstance().addExtraArgs.TextBundle;

        JWTClaimsSet.Builder claims = new JWTClaimsSet.Builder();
        claims = claims.subject(requestToSign.getIdentity().aadId());
        claims = claims.issueTime(new Date(j));
        // Symmetric one-hour allowance on both sides of the issue time.
        claims = claims.expirationTime(new Date(j + skewMillis));
        claims = claims.notBeforeTime(new Date(j - skewMillis));
        claims = claims.audience(requestToSign.getAppInstance().getKey());
        claims = claims.claim("queryString", requestToSign.getQueryString());
        claims = claims.claim("requestBody", requestToSign.getBody());

        if (aadDeviceId != null && aadDeviceId.length() != 0) {
            claims.claim("AADDeviceId", aadDeviceId);
        }

        if (list2 != null) {
            ArrayList encodedRotation = new ArrayList(sanitizeParsedSuffixes.notify(list2, 10));
            for (X509Certificate certificate : list2) {
                encodedRotation.add(Base64.encode(certificate.getEncoded()).toString());
            }
            claims.claim("rotateTo", encodedRotation);
        }

        SignedJWT jwt = new SignedJWT(header, claims.build());
        PrivateKey signingKey = keyPair.getPrivate();
        setSharedPrefPackageName.getInterfaceDescriptor(signingKey, "");
        // getData is an obfuscated signer type wrapping the private key.
        jwt.sign(new getData(signingKey));
        return jwt;
    }

    /**
     * Reports whether a signed request can be created (original name per the Kotlin
     * {@code @Metadata}: canCreateSignedRequest). The answer is exactly the attestation
     * manager's license-activation state.
     *
     * @return {@code true} when the attestation manager reports an activated license
     */
    @Override // okio.isChannelBuilt
    public boolean BrokerMsalController$6() {
        boolean licenseActivated = this.BCFKSLoadStoreParameter$SignatureAlgorithm.isLicenseActivated();
        return licenseActivated;
    }

    /**
     * Records a completed key registration (original name per the Kotlin {@code @Metadata}:
     * recordKeyRegistrationSuccessIfNecessary). Does nothing when the signed request carries no
     * key registration token.
     *
     * <p>The app-instance key is read back from the JWT's single {@code aud} entry. Only the
     * audience count is checked here; the signature is not verified, so this relies on callers
     * passing back a {@code SignedRequest} produced by this signer.
     *
     * @param signedRequest the request that was sent
     * @throws IllegalArgumentException if the JWT does not have exactly one audience
     */
    @Override // okio.isChannelBuilt
    public void INotificationSideChannel(SignedRequest signedRequest) {
        setSharedPrefPackageName.readTypedObject(signedRequest, "");
        if (signedRequest.getKeyRegistrationToken() != null) {
            if (signedRequest.getJwt().getJWTClaimsSet().getAudience().size() != 1) {
                throw new IllegalArgumentException("Invalid SignedJWT not created by this class");
            }
            String appInstanceKey = signedRequest.getJwt().getJWTClaimsSet().getAudience().get(0);
            setSharedPrefPackageName.getInterfaceDescriptor(appInstanceKey, "");
            // Store the registration token against the app instance in the tracker.
            this.CompositePrivateKey.newArray(appInstanceKey, signedRequest.getKeyRegistrationToken());
            BCFKSLoadStoreParameter$EncryptionAlgorithm.info("Updated registered key alias");
        }
    }

    /**
     * Signs a request with an attested key (original name per the Kotlin {@code @Metadata}:
     * signRequestWithKnoxAttestedKey).
     *
     * <p>Flow: take a timestamp from the NTP client, derive the attestation challenge from the
     * app-instance key concatenated with that timestamp, obtain the attestation and signing
     * alias, load the key pair for that alias from the local key store, and sign the JWT with
     * the attestation's certificate chain.
     *
     * <p>NOTE(review): the challenge is derived on the device from the app-instance key and
     * time, not from a value issued by the server as far as this method shows; freshness then
     * depends on the verifier checking the time component - confirm with the service contract.
     *
     * @param requestToSign the request to sign
     * @return the signed JWT together with the key alias to register, if any
     */
    @Override // okio.isChannelBuilt
    public SignedRequest cancel(RequestToSign requestToSign) {
        setSharedPrefPackageName.readTypedObject(requestToSign, "");
        long startedAt = this.BCFKSStoreParameter.elapsedRealtime();
        // The same timestamp feeds both the challenge and the JWT time claims.
        long now = this.getProtectionParameter.createAccessTokenRecord();

        String challengeText = requestToSign.getAppInstance().getKey() + now;
        // The charset is an obfuscated project constant - TODO confirm which encoding it is.
        byte[] challenge = challengeText.getBytes(validateADFS.GridLayoutAnimationController);
        setSharedPrefPackageName.getInterfaceDescriptor(challenge, "");

        AttestationResult result = INotificationSideChannel(requestToSign, challenge);
        KeyAttestation attestation = result.getAttestation();
        String signingAlias = result.getKeyAlias();
        List<X509Certificate> rotationChain = result.setAllowLogcat();
        String aliasToRegister = result.getRegisterKeyAlias();

        KeyPair signingPair = new KeyPair(this.BCLoadStoreParameter.getPublicKey(signingAlias), this.BCLoadStoreParameter.getPrivateKey(signingAlias));
        SignedJWT jwt = cancelAll(signingPair, attestation.DeviceStateRequest(), requestToSign, now, rotationChain);

        long elapsedMillis = this.BCFKSStoreParameter.elapsedRealtime() - startedAt;
        BCFKSLoadStoreParameter$EncryptionAlgorithm.fine("Signed request in " + elapsedMillis + "ms");
        return new SignedRequest(jwt, aliasToRegister);
    }

    /**
     * Tells whether requests for an app instance must be signed with the attested key (original
     * name per the Kotlin {@code @Metadata}: isKnoxSignedRequestRequired). The decision is
     * delegated entirely to the signed-request tracker.
     *
     * @param str the app instance id
     * @return the tracker's answer for that app instance
     */
    @Override // okio.isChannelBuilt
    public boolean setDropDownBackgroundResource(String str) {
        setSharedPrefPackageName.readTypedObject(str, "");
        boolean signedRequestRequired = this.CompositePrivateKey.setSupportCompoundDrawablesTintMode(str);
        return signedRequestRequired;
    }
}
