package com.cisco.android.nchs.support;

import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.text.TextUtils;
import com.cisco.android.nchs.NetworkComponentHostService;
import com.cisco.android.nchs.aidl.CertOpCode;
import com.cisco.android.nchs.aidl.CertificateChain;
import com.cisco.android.nchs.aidl.ClientCertRequestParcel;
import com.cisco.android.nchs.aidl.NCHSCertStore;
import com.cisco.android.nchs.aidl.NCHSReturnCode;
import com.cisco.android.nchs.permissions.Prerequisites;
import com.cisco.anyconnect.vpn.android.avf.R;
import com.cisco.anyconnect.vpn.android.crypto.ACLegacyCertStore;
import com.cisco.anyconnect.vpn.android.crypto.AndroidKeyStore;
import com.cisco.anyconnect.vpn.android.crypto.CertificateInfo;
import com.cisco.anyconnect.vpn.android.crypto.KeychainClientStore;
import com.cisco.anyconnect.vpn.android.crypto.MultiCertStore;
import com.cisco.anyconnect.vpn.android.crypto.TimaKeystore;
import com.cisco.anyconnect.vpn.android.crypto.YubikeyCertStore;
import com.cisco.anyconnect.vpn.android.crypto.YubikeySlot;
import com.cisco.anyconnect.vpn.android.localization.UITranslator;
import com.cisco.anyconnect.vpn.android.service.VpnCertificate;
import com.cisco.anyconnect.vpn.android.ui.Globals;
import com.cisco.anyconnect.vpn.android.util.AppLog;
import com.google.android.gms.common.internal.ImagesContract;
import com.samsung.android.knox.keystore.CertificateProvisioning;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.Cipher;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.StrictHostnameVerifier;
import org.apache.http.conn.ssl.X509HostnameVerifier;

/* loaded from: classes.dex */
public class CertificateManager {
    // Auth type string passed to X509TrustManager.checkServerTrusted() in checkTrustManager().
    private static final String AUTH_TYPE = "RSA";
    // Category tags. The constructor uses each tag both as the key in mCategoryToCertGroupMap and as
    // the file name of its FileCache under Context.getFilesDir(). Note that the literal values of the
    // two ADMIN tags do not match their constant names; the literal is what ends up on disk.
    public static final String CERTIFICATE_ADMIN_CLIENT_TAG = "CERTIFICATE_ADMIN_TAG";
    public static final String CERTIFICATE_ADMIN_SERVER_TAG = "CERTIFICATE_MDM_SERVER_TAG";
    // Group id used by updateCertMap() when certificates are added without any group id.
    public static final String CERTIFICATE_DEFAULT_GROUP = "com.cisco.android.nchs.support.CERTIFICATE_DEFAULT_GROUP";
    public static final String CERTIFICATE_MDM_PROVISIONED_TAG = "CERTIFICATE_MDM_PROVISIONED_TAG";
    public static final String CERTIFICATE_VPN_TAG = "CERTIFICATE_VPN_TAG";
    // Same number as the literal 10 in mCertChainCache.removeEldestEntry().
    private static final int CERT_CHAIN_CACHE_SIZE = 10;
    private static final String CLIENT_KEYSTORE_FILENAME = "anyconnect_client_certs.bks";
    // "BKS" is the Bouncy Castle keystore format.
    protected static final String CLIENT_KEYSTORE_TYPE = "BKS";
    // Tag passed to every AppLog call in this class.
    private static final String ENTITY_NAME = "CertificateManager";
    // File name (under Context.getFilesDir()) backing mKeyChainAliasList.
    private static final String KEYCHAIN_ALIAS_FILENAME = "aliases";
    // Prefixes that presumably mark which backing store an alias belongs to; their use is not
    // visible in this part of the file - TODO confirm against the alias-parsing code.
    public static final String KEYSTORE_PREFIX_ANDROID = "ANDROID/";
    public static final String KEYSTORE_PREFIX_ANYCONNECT = "AC/";
    public static final String KEYSTORE_PREFIX_KEYCHAIN = "KEYCHAIN/";
    public static final String KEYSTORE_PREFIX_KNOX_TIMA = "KNOX_TIMA/";
    public static final String KEYSTORE_PREFIX_SYSTEM = "SYS/";
    public static final String KEYSTORE_PREFIX_YUBIKEY = "YUBIKEY/";
    // Key-usage bit flags. The values coincide with OpenSSL's X509v3 KU_* flags (0x80 for
    // digitalSignature down to 0x01 for encipherOnly, 0x8000 for decipherOnly). They are NOT indices
    // into the boolean[] returned by X509Certificate.getKeyUsage(); any code mapping between the two
    // must translate explicitly.
    public static final int KU_CRL_SIGN = 2;
    public static final int KU_DATA_ENCIPHERMENT = 16;
    public static final int KU_DECIPHER_ONLY = 32768;
    public static final int KU_DIGITAL_SIGNATURE = 128;
    public static final int KU_ENCIPHER_ONLY = 1;
    public static final int KU_KEY_AGREEMENT = 8;
    public static final int KU_KEY_CERT_SIGN = 4;
    public static final int KU_KEY_ENCIPHERMENT = 32;
    public static final int KU_NON_REPUDIATION = 64;
    // Charset name for keystore passwords; its use is not visible in this part of the file.
    private static final String PASSWORD_CHARSET = "UTF-8";
    // Verification results. RESULT_GOOD (0) and RESULT_BAD (-1) are plain values; the
    // RESULT_CONFIRM_* values are bit flags that checkTrustManager() ORs together (e.g. 4 | 16 for
    // an expired certificate from an untrusted source). Because RESULT_BAD is -1 (all bits set),
    // callers must compare against it before testing individual flags.
    public static final int RESULT_BAD = -1;
    public static final int RESULT_CONFIRM_EXPIRED = 4;
    public static final int RESULT_CONFIRM_INVALID_KEY_USE = 32;
    public static final int RESULT_CONFIRM_NAME_MISMATCH = 2;
    public static final int RESULT_CONFIRM_NOT_VALID_YET = 8;
    public static final int RESULT_CONFIRM_UNSPECIFIED = 1;
    public static final int RESULT_CONFIRM_UNTRUSTED_SOURCE = 16;
    public static final int RESULT_GOOD = 0;
    private static final String ROOT_KEYSTORE_FILENAME = "anyconnect_certs.bks";
    // Platform default keystore type, resolved once at class load. The file name above ends in
    // ".bks"; NOTE(review): if the platform default is ever not BKS, existing files may fail to
    // load - confirm on the supported Android versions.
    protected static final String ROOT_KEYSTORE_TYPE = KeyStore.getDefaultType();
    // Numerically equal to KU_KEY_CERT_SIGN; where it is applied is not visible here - TODO confirm.
    private static final int SERVER_KEY_USAGE = 4;
    private static final String TRUSTED_KEYSTORE_FILENAME = "anyconnect_trusted_certs.bks";
    // Algorithm name used for TrustManagerFactory.getInstance() and, in derToX509Certificate(),
    // also for CertificateFactory.getInstance().
    private static final String TRUST_MANAGER_ALG = "X509";
    private final Context mContext;
    // File-backed alias cache (capital 'C' in "KeyChain"); do not confuse with the adapter
    // mKeychainAliasList declared below, which wraps it.
    private final FileCache<String> mKeyChainAliasList;
    private String mKeystorePath;
    private MultiCertStore mMultiCertStore;
    private NetworkComponentHostService mNchs;
    private SystemCertificateManager mSystemCertMgr;
    private YubikeyCertStore mYubikeyStore;
    // Lazily created by the initialize*() methods; null until then.
    private X509TrustManager mSystemTrustMgr = null;
    private X509TrustManager mLocalTrustMgr = null;
    private X509HostnameVerifier mHostnameMgr = null;
    private KeyStore mTrustedKeyStore = null;
    private X509Certificate mCodeSigningCert = null;
    // Keystore passwords are held as immutable Strings, so they cannot be wiped from memory after
    // use. NOTE(review): how these values are derived and stored is not visible here.
    private String mRootStorePassword = null;
    private String mClientStorePassword = null;
    private String mClientPrivKeyPassword = null;
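    /**
     * Adapter that exposes the file-backed alias cache {@code mKeyChainAliasList} through the
     * {@link KeychainClientStore.IKeychainAliasList} callback interface.
     *
     * <p>Each alias is stored as both key and value of the cache, so listing the values yields the
     * aliases themselves.
     */
    private KeychainClientStore.IKeychainAliasList mKeychainAliasList = new KeychainClientStore.IKeychainAliasList() {
        /** Records {@code str} in the file cache, keyed by itself. */
        @Override
        public void addAlias(String str) {
            CertificateManager.this.mKeyChainAliasList.add(str, str);
        }

        /** Returns a fresh, typed copy of the cached aliases; callers may modify it freely. */
        @Override
        public List<String> getAliases() {
            // Diamond instead of a raw ArrayList so the copy is checked as List<String>.
            return new ArrayList<>(CertificateManager.this.mKeyChainAliasList.getContainer().values());
        }

        /** Removes {@code str} from the file cache and returns the cache's own result. */
        @Override
        public boolean removeAlias(String str) {
            return CertificateManager.this.mKeyChainAliasList.remove(str);
        }
    };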
    // Bounded cache of certificate chains keyed by a String; updateChainCache() is the writer
    // visible in this part of the file. The LinkedHashMap no-arg constructor keeps insertion order,
    // so once the map holds more than 10 entries the oldest-inserted chain is evicted (FIFO, not
    // least-recently-used). The literal 10 equals CERT_CHAIN_CACHE_SIZE.
    // NOTE(review): a cached chain is only as fresh as its insertion time; nothing here re-checks
    // validity or removal from the underlying store - confirm the readers do.
    private final HashMap<String, X509Certificate[]> mCertChainCache = new LinkedHashMap<String, X509Certificate[]>() { // from class: com.cisco.android.nchs.support.CertificateManager.2
        @Override // java.util.LinkedHashMap
        protected boolean removeEldestEntry(Map.Entry<String, X509Certificate[]> entry) {
            return size() > 10;
        }
    };
    // Category tag -> file-backed cache of (group id -> certificate identifiers). Populated with the
    // four CERTIFICATE_*_TAG categories by the constructor.
    private Map<String, FileCache<List<String>>> mCategoryToCertGroupMap = new HashMap();

    /* loaded from: classes.dex */
    /**
     * Kind of certificate blob, as named by the constants: a bare certificate or a PKCS#12
     * container. The code that consumes this enum is not visible in this part of the file.
     */
    public enum CertificateBlobType {
        // A certificate on its own.
        TYPE_CERTIFICATE,
        // A PKCS#12 container; this format normally carries private-key material as well, so such
        // blobs should be treated as secrets - TODO confirm how the importer handles them.
        TYPE_PKCS12
    }

    /**
     * Creates the manager and its file-backed caches.
     *
     * <p>One {@code FileCache} is created for the keychain alias list and one per certificate
     * category tag; every backing file lives directly under {@code context.getFilesDir()}.
     *
     * @param context application context used to locate the private files directory
     * @param networkComponentHostService host service, also handed to the system certificate manager
     */
    public CertificateManager(Context context, NetworkComponentHostService networkComponentHostService) {
        this.mContext = context;
        this.mKeyChainAliasList = new FileCache<>(new File(context.getFilesDir(), KEYCHAIN_ALIAS_FILENAME));
        // Same tags, same order as before; the tag doubles as map key and as file name.
        final String[] categoryTags = {
            CERTIFICATE_ADMIN_CLIENT_TAG,
            CERTIFICATE_ADMIN_SERVER_TAG,
            CERTIFICATE_MDM_PROVISIONED_TAG,
            CERTIFICATE_VPN_TAG,
        };
        for (String tag : categoryTags) {
            File backingFile = new File(context.getFilesDir(), tag);
            this.mCategoryToCertGroupMap.put(tag, new FileCache<>(backingFile));
        }
        this.mNchs = networkComponentHostService;
        this.mSystemCertMgr = new SystemCertificateManager(context, networkComponentHostService);
    }

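    /**
     * Appends an ordered certificate chain for {@code x509CertificateArr} to {@code list}.
     *
     * <p>A PKIX path is built from the leaf ({@code x509CertificateArr[0]}) to one of the anchors
     * supplied by {@code getPKIXParameters}; on success the path certificates followed by the trust
     * anchor's certificate are appended. If path building fails and {@code list} is still empty, the
     * caller-supplied certificates are copied in unchanged.
     *
     * <p><b>Security note:</b> revocation checking is switched off for the path build, and the
     * fallback copies certificates that were NOT verified. The contents of {@code list} after this
     * call are therefore not evidence that the chain is trusted; trust decisions must come from a
     * separate validation step.
     *
     * @param x509CertificateArr chain as presented, leaf first; a null or empty array is logged and
     *     ignored (previously a null array raised a NullPointerException in the fallback loop)
     * @param list destination list; a null list is logged and ignored
     */
    private void buildVerifyCertChain(X509Certificate[] x509CertificateArr, List<X509Certificate> list) {
        if (list == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "buildVerifyCertChain: null cert list");
            return;
        }
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "buildVerifyCertChain: no certificates supplied");
            return;
        }
        try {
            PKIXParameters pkixParams = getPKIXParameters(x509CertificateArr);
            // Revocation (CRL/OCSP) is deliberately not consulted while building the path.
            pkixParams.setRevocationEnabled(false);
            PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(pkixParams);
            // Collect into a temporary list first so a failure half-way through cannot leave a
            // partial chain in the caller's list (which would also suppress the fallback below).
            List<X509Certificate> built = new ArrayList<>();
            for (Certificate cert : result.getCertPath().getCertificates()) {
                built.add((X509Certificate) cert);
            }
            built.add(result.getTrustAnchor().getTrustedCert());
            list.addAll(built);
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "buildVerifyCertChain: build chain failed", e);
        }
        if (list.isEmpty()) {
            // Fallback: hand back the presented certificates as-is (unverified).
            Collections.addAll(list, x509CertificateArr);
        }
    }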

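    /**
     * Checks a server certificate chain against one trust manager and reports the outcome as a
     * {@code RESULT_*} value.
     *
     * <p>Steps: (1) the leaf's validity period is checked locally; (2) the chain is passed to
     * {@code x509TrustManager.checkServerTrusted}; (3) if {@code keyStore} is non-null the chain is
     * additionally validated with a PKIX {@code CertPathValidator} anchored in that key store.
     *
     * <p><b>Security notes:</b>
     * <ul>
     *   <li>Revocation checking is disabled for the PKIX validation in step (3).</li>
     *   <li>Host name matching is not part of this method.</li>
     *   <li>NOTE(review): when steps (2) and (3) succeed the method returns 0 (RESULT_GOOD) even if
     *       step (1) recorded an expired or not-yet-valid leaf. This can only matter if the trust
     *       manager accepts such a certificate; confirm whether that is intended.</li>
     * </ul>
     *
     * @param x509TrustManager trust manager to consult
     * @param x509CertificateArr chain as presented by the server, leaf first
     * @param str label used only in log messages
     * @param keyStore optional trust store for the extra PKIX validation, or null to skip it
     * @return 0 (RESULT_GOOD) when trusted; -1 (RESULT_BAD) on internal errors or when the trust
     *     manager or chain is missing (previously a NullPointerException or
     *     ArrayIndexOutOfBoundsException); otherwise a bitwise OR of 4 (RESULT_CONFIRM_EXPIRED),
     *     8 (RESULT_CONFIRM_NOT_VALID_YET) and 16 (RESULT_CONFIRM_UNTRUSTED_SOURCE)
     */
    private int checkTrustManager(X509TrustManager x509TrustManager, X509Certificate[] x509CertificateArr, String str, KeyStore keyStore) {
        final String prefix = "checkTrustManager (" + str + "): ";
        // Fail closed on unusable input instead of crashing inside the verification path.
        if (x509TrustManager == null || x509CertificateArr == null || x509CertificateArr.length == 0 || x509CertificateArr[0] == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, prefix + "missing trust manager or certificate chain");
            return -1;
        }
        int flags;
        try {
            x509CertificateArr[0].checkValidity();
            flags = 0;
        } catch (CertificateExpiredException unused) {
            flags = 4; // RESULT_CONFIRM_EXPIRED
        } catch (CertificateNotYetValidException unused2) {
            flags = 8; // RESULT_CONFIRM_NOT_VALID_YET
        }
        try {
            x509TrustManager.checkServerTrusted(x509CertificateArr, AUTH_TYPE);
            if (keyStore != null) {
                AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Validating certificate path...");
                CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(x509CertificateArr));
                PKIXParameters pkixParams = new PKIXParameters(keyStore);
                // Revocation (CRL/OCSP) is not consulted.
                pkixParams.setRevocationEnabled(false);
                CertPathValidator.getInstance(CertPathValidator.getDefaultType()).validate(certPath, pkixParams);
            }
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate is trusted");
            // NOTE(review): 'flags' from the local validity check is discarded here.
            return 0;
        } catch (InvalidAlgorithmParameterException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, prefix + "InvalidAlgorithmParameterException. " + e);
            return -1;
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, prefix + "KeyStoreException. " + e);
            return -1;
        } catch (NoSuchAlgorithmException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, prefix + "NoSuchAlgorithmException. " + e);
            return -1;
        } catch (CertPathValidatorException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, prefix + "the certificate chain cannot be validated: " + e);
            return flags | 16; // RESULT_CONFIRM_UNTRUSTED_SOURCE
        } catch (CertificateEncodingException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, prefix + "bad certificate encoding: " + e);
            return -1;
        } catch (CertificateExpiredException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate has expired: " + e);
            return flags | 4;
        } catch (CertificateNotYetValidException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate is not valid yet: " + e);
            return flags | 8;
        } catch (CertificateException e) {
            // Trust managers often wrap the real reason; walk the cause chain and report the first
            // recognisable one.
            for (Throwable cause = e.getCause(); cause != null; cause = cause.getCause()) {
                if (cause instanceof CertificateExpiredException) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate has expired: " + e);
                    return flags | 4;
                }
                if (cause instanceof CertificateNotYetValidException) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate is not valid yet: " + e);
                    return flags | 8;
                }
                if (cause instanceof CertPathValidatorException) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, prefix + "the certificate chain cannot be validated: " + e);
                    return flags | 16;
                }
            }
            // No recognisable cause: treat as untrusted rather than as an internal error.
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, prefix + "the certificate chain cannot be validated or is not trusted: " + e);
            return flags | 16;
        }
    }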

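    /**
     * Creates an {@link X509TrustManager} backed by {@code keyStore}.
     *
     * <p>The previous body was decompiler output that did not form valid Java (self-assigned catch
     * variables, catch blocks around statements that cannot throw the caught type). This version
     * keeps the same log messages and outcomes with straightforward control flow.
     *
     * <p><b>Security note:</b> passing a null {@code keyStore} makes the factory fall back to the
     * platform's default trust anchors; {@code initializeSystemTrustManager} relies on exactly that.
     * A caller that passes null by accident therefore gets a system-wide trust manager, not an
     * empty one.
     *
     * @param keyStore trust store to back the manager, or null for the platform default
     * @param str label used only in log messages (for example "system")
     * @return the first trust manager of the factory if it is an {@code X509TrustManager};
     *     null if none is available or the factory could not be created or initialised
     */
    private X509TrustManager createTrustManager(KeyStore keyStore, String str) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TRUST_MANAGER_ALG);
            factory.init(keyStore);
            TrustManager[] trustManagers = factory.getTrustManagers();
            if (trustManagers != null && trustManagers.length != 0 && trustManagers[0] instanceof X509TrustManager) {
                X509TrustManager first = (X509TrustManager) trustManagers[0];
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "createTrustManager: got first of " + trustManagers.length + " " + str + " managers: " + first);
                return first;
            }
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createTrustManager: no " + str + " TrustManager for X509 with key store=" + keyStore);
            return null;
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createTrustManager: failed to initialize " + str + " TrustManagerFactory with X509 keystore: " + e);
            return null;
        } catch (NoSuchAlgorithmException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createTrustManager: no TrustManagerFactory for algorithm=X509: " + e);
            return null;
        }
    }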

    /**
     * Deletes the entry {@code str} from the in-memory {@code keyStore} if it exists.
     *
     * <p>Only the {@code KeyStore} object is modified; this method does not write anything back to
     * disk, so the caller has to persist the store for the deletion to last.
     *
     * @param keyStore key store to modify
     * @param str alias to delete
     * @param str2 human-readable store name, used only in the log message
     * @return true if the alias existed and was deleted; false if it was absent or the key store
     *     raised a {@code KeyStoreException}
     */
    private boolean deleteKeyStoreEntry(KeyStore keyStore, String str, String str2) {
        boolean deleted = false;
        try {
            if (keyStore.containsAlias(str)) {
                keyStore.deleteEntry(str);
                // Reached only when deleteEntry() did not throw.
                deleted = true;
            }
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "deleteKeyStoreEntry: exception deleting alias=" + str + " from " + str2, e);
        }
        return deleted;
    }

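    /**
     * Parses an encoded certificate into an {@link X509Certificate}.
     *
     * <p>The previous body was decompiler output with catch blocks that could never be entered and
     * two paths that dropped the exception without logging it. This version logs every failure and
     * also handles a null input, which used to raise a NullPointerException.
     *
     * <p><b>Security note:</b> this only decodes the structure. It performs no signature, validity
     * or trust check, so the returned object must not be treated as trusted. Per the
     * {@code CertificateFactory} contract the input may be binary DER or the Base64 (PEM) form.
     *
     * @param bArr encoded certificate bytes, possibly from an untrusted source
     * @return the parsed certificate, or null if {@code bArr} is null or cannot be parsed
     */
    public static X509Certificate derToX509Certificate(byte[] bArr) {
        if (bArr == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "derToX509Certificate: no certificate data");
            return null;
        }
        try (ByteArrayInputStream input = new ByteArrayInputStream(bArr)) {
            // TRUST_MANAGER_ALG is "X509"; NOTE(review): the standard CertificateFactory name is
            // "X.509" - this relies on the provider accepting the alias.
            CertificateFactory factory = CertificateFactory.getInstance(TRUST_MANAGER_ALG);
            return (X509Certificate) factory.generateCertificate(input);
        } catch (IOException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "derToX509Certificate: IOException while parsing certificate: " + e);
            return null;
        } catch (CertificateException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "derToX509Certificate: CertificateException while parsing certificate: " + e);
            return null;
        }
    }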

    /**
     * Walks every category, group and certificate identifier in {@code mCategoryToCertGroupMap}.
     *
     * <p>The innermost loop body is empty in this build, so the method has no visible output;
     * presumably a debug log statement was stripped at compile time - TODO confirm.
     */
    private void dumpCertAliasesMap() {
        for (String category : this.mCategoryToCertGroupMap.keySet()) {
            HashMap<String, List<String>> groups = this.mCategoryToCertGroupMap.get(category).getContainer();
            for (String groupId : groups.keySet()) {
                for (String certId : groups.get(groupId)) {
                    // Intentionally empty (see method comment).
                }
            }
        }
    }

    /**
     * Opens the root key store file, or creates a new key store if it cannot be opened.
     *
     * <p>NOTE(review): {@code openKeyStoreFile} returning null is treated the same whether the file
     * is missing, corrupt or protected by a different password; in every case a fresh store is
     * created via {@code createKeyStore}. Whether that new store later overwrites the existing file
     * depends on callers not visible here - confirm, since it would silently drop stored trust
     * entries.
     *
     * @return the opened or newly created key store, or null if both attempts fail
     */
    private KeyStore getACTrustedKeystore() {
        final String path = getRootKeyStoreFile();
        final String password = getRootKeyStorePassword();
        KeyStore store = openKeyStoreFile(path, password, ROOT_KEYSTORE_TYPE);
        if (store == null) {
            store = createKeyStore(password, ROOT_KEYSTORE_TYPE);
            if (store == null) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getACTrustedKeystore: failed to create root store!");
            }
        }
        return store;
    }

    /**
     * Builds PKIX path-builder parameters for the leaf {@code x509CertificateArr[0]}.
     *
     * <p>Trust anchors are the accepted issuers of {@code mSystemTrustMgr} only; the presented
     * certificates are added as a collection cert store so intermediates can be found. Revocation
     * settings are left at the {@code PKIXBuilderParameters} default; callers adjust them.
     *
     * @param x509CertificateArr chain as presented, leaf first
     * @return parameters targeting the leaf certificate
     * @throws CertificateException wrapping any failure, including a null or empty array or an
     *     uninitialised {@code mSystemTrustMgr}
     */
    private PKIXParameters getPKIXParameters(X509Certificate[] x509CertificateArr) throws CertificateException {
        try {
            final HashSet<TrustAnchor> anchors = new HashSet<>();
            final X509Certificate[] issuers = this.mSystemTrustMgr.getAcceptedIssuers();
            for (int idx = 0; idx < issuers.length; idx++) {
                // No name constraints are attached to the anchors.
                anchors.add(new TrustAnchor(issuers[idx], null));
            }
            final X509CertSelector target = new X509CertSelector();
            final X509Certificate leaf = x509CertificateArr[0];
            target.setCertificate(leaf);
            target.setSubject(leaf.getSubjectDN().getName());
            final PKIXBuilderParameters builderParams = new PKIXBuilderParameters(anchors, target);
            final CollectionCertStoreParameters presented = new CollectionCertStoreParameters(Arrays.asList(x509CertificateArr));
            builderParams.addCertStore(CertStore.getInstance("Collection", presented));
            return builderParams;
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getPKIXParameters: failed", e);
            throw new CertificateException(e);
        }
    }

    /**
     * Lazily creates the host name verifier.
     *
     * <p>The verifier is the legacy Apache HttpClient {@code StrictHostnameVerifier}.
     * NOTE(review): confirm this class is still available and maintained on the targeted Android
     * versions.
     *
     * @return true once {@code mHostnameMgr} is set
     */
    private boolean initializeHostnameVerifier() {
        if (this.mHostnameMgr != null) {
            return true;
        }
        this.mHostnameMgr = new StrictHostnameVerifier();
        return this.mHostnameMgr != null;
    }

    /**
     * Lazily creates the trust manager backed by {@code mTrustedKeyStore}.
     *
     * <p><b>Security note:</b> if {@code mTrustedKeyStore} is still null when this runs,
     * {@code createTrustManager} receives a null key store, which is the same call
     * {@code initializeSystemTrustManager} uses to obtain the platform default trust anchors. The
     * "local" manager would then trust the system store. Callers should make sure
     * {@code initializeTrustedKeyStore} succeeded first.
     *
     * <p>The label {@code ImagesContract.LOCAL} is only used in log messages; it looks like a
     * decompiler substitution for a plain string constant - TODO confirm.
     *
     * @return true once {@code mLocalTrustMgr} is set
     */
    private boolean initializeLocalTrustManager() {
        X509TrustManager current = this.mLocalTrustMgr;
        if (current == null) {
            current = createTrustManager(this.mTrustedKeyStore, ImagesContract.LOCAL);
            this.mLocalTrustMgr = current;
        }
        return current != null;
    }

    /**
     * Lazily creates the trust manager for the platform's default trust anchors.
     *
     * <p>A null key store is passed on purpose: it makes the trust manager factory use the
     * platform default trust store.
     *
     * @return true once {@code mSystemTrustMgr} is set
     */
    private boolean initializeSystemTrustManager() {
        X509TrustManager current = this.mSystemTrustMgr;
        if (current == null) {
            current = createTrustManager(null, "system");
            this.mSystemTrustMgr = current;
        }
        return current != null;
    }

    /**
     * Loads the local trusted key store from the root key store file, once.
     *
     * <p>Unlike {@code getACTrustedKeystore}, this method never creates a store: a missing file or
     * a failed open leaves {@code mTrustedKeyStore} null and returns false.
     *
     * @return true if {@code mTrustedKeyStore} is available after the call
     */
    private boolean initializeTrustedKeyStore() {
        if (this.mTrustedKeyStore != null) {
            AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "initializeTrustedKeyStore: local KeyStore already initialized");
            return true;
        }
        final String path = getRootKeyStoreFile();
        final File storeFile = new File(path);
        final boolean isRegularFile = storeFile.exists() && storeFile.isFile();
        if (!isRegularFile) {
            AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "initializeTrustedKeyStore: no existing file for " + path);
            return false;
        }
        this.mTrustedKeyStore = openKeyStoreFile(path, getRootKeyStorePassword(), ROOT_KEYSTORE_TYPE);
        if (this.mTrustedKeyStore == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "initializeTrustedKeyStore: failed to get local KeyStore");
            return false;
        }
        return true;
    }

    /**
     * Tells whether {@code str} is listed in any group of any certificate category.
     *
     * @param str certificate identifier to look for
     * @return true on the first group that contains {@code str}; false if none does
     */
    private boolean isCertInGroups(String str) {
        for (FileCache<List<String>> category : this.mCategoryToCertGroupMap.values()) {
            for (List<String> members : category.getContainer().values()) {
                if (members.contains(str)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Tells whether this exact certificate is stored in {@code mTrustedKeyStore}.
     *
     * <p>The lookup uses {@code KeyStore.getCertificateAlias}, which matches the certificate
     * itself, so this is a pin on the stored certificate rather than a chain validation. Validity
     * dates are not checked here.
     *
     * <p>NOTE(review): {@code mTrustedKeyStore} is dereferenced without a null check; callers must
     * have initialised it.
     *
     * @param x509Certificate certificate to look up
     * @return true if the key store reports a non-empty alias for it; false otherwise or on a
     *     {@code KeyStoreException}
     */
    private boolean isTrustedLeaf(X509Certificate x509Certificate) {
        final String alias;
        try {
            alias = this.mTrustedKeyStore.getCertificateAlias(x509Certificate);
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "isTrustedLeaf: problem with keystore: ", e);
            return false;
        }
        final boolean found = alias != null && alias.length() != 0;
        if (found) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "isTrustedLeaf: alias='" + alias + "' for cert: " + x509Certificate.getSubjectDN());
        }
        return found;
    }

    /**
     * Loads a key store of type {@code str2} from {@code inputStream}.
     *
     * <p>Every failure is logged and reported as null; callers cannot tell a wrong password from a
     * corrupt or foreign-format stream. The stream is not closed here.
     *
     * <p>The password arrives as a {@code String} and is converted with {@code toCharArray()}; the
     * temporary array is not cleared afterwards. A null password ends in the generic
     * {@code Exception} branch.
     *
     * @param inputStream stream positioned at the start of the key store data
     * @param str key store password
     * @param str2 key store type name
     * @return the loaded key store, or null on any failure
     */
    private KeyStore openKeyStoreStream(InputStream inputStream, String str, String str2) {
        KeyStore loaded = null;
        try {
            KeyStore candidate = KeyStore.getInstance(str2);
            candidate.load(inputStream, str.toCharArray());
            // Only publish the store once load() has completed without throwing.
            loaded = candidate;
        } catch (IOException ioError) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "openKeyStoreStream: failed to read stream for local keystore: " + ioError);
        } catch (ClassCastException castError) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "openKeyStoreStream: is this DER/CER format? got exception: " + castError);
        } catch (KeyStoreException storeError) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "openKeyStoreStream: keystore error for local keystore: " + storeError);
        } catch (NoSuchAlgorithmException algError) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "openKeyStoreStream: bad algorithm for local keystore: " + algError);
        } catch (CertificateException certError) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "openKeyStoreStream: certificate error for local keystore: " + certError);
        } catch (Exception other) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "openKeyStoreStream: unhandled exception: " + other);
        }
        return loaded;
    }

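    /**
     * Writes {@code keyStore} to the file {@code str}, protected by the password {@code str2}.
     *
     * <p>The output stream is now managed by try-with-resources; previously it stayed open whenever
     * {@code KeyStore.store} threw.
     *
     * <p>NOTE(review): the target file is overwritten in place, so a failure part-way through can
     * leave a truncated key store on disk. Writing to a temporary file and renaming would avoid
     * that; not changed here because the surrounding file handling is not visible.
     *
     * @param keyStore key store to persist
     * @param str destination file path
     * @param str2 key store password
     * @return true if the store was written and the stream closed without error; false otherwise
     */
    private boolean saveKeyStore(KeyStore keyStore, String str, String str2) {
        try (FileOutputStream output = new FileOutputStream(str)) {
            keyStore.store(output, str2.toCharArray());
            output.flush();
            return true;
        } catch (FileNotFoundException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "saveKeyStore: FileNotFoundException: " + e);
            return false;
        } catch (IOException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "saveKeyStore: IOException: " + e);
            return false;
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "saveKeyStore: KeyStoreException: " + e);
            return false;
        } catch (NoSuchAlgorithmException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "saveKeyStore: NoSuchAlgorithmException: " + e);
            return false;
        } catch (CertificateException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "saveKeyStore: CertificateException: " + e);
            return false;
        }
    }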

    /**
     * Convenience overload for one group id and one certificate identifier.
     *
     * <p>Wraps {@code str2} in a single-element list and delegates to the
     * (group id, certificate list) overload.
     *
     * @param map category tag to file cache
     * @param str group id; may be null
     * @param str2 certificate identifier
     * @param str3 category tag
     * @param nCHSCertStore passed through unchanged
     * @param z true to add, false to remove
     */
    public static void updateCertMap(Map<String, FileCache<List<String>>> map, String str, String str2, String str3, NCHSCertStore nCHSCertStore, boolean z) {
        final List<String> singleCert = new ArrayList<>();
        singleCert.add(str2);
        updateCertMap(map, str, singleCert, str3, nCHSCertStore, z);
    }

    /**
     * Convenience overload for one group id and a list of certificate identifiers.
     *
     * <p>A null group id becomes an empty group list, which the list-based overload interprets as
     * "default group" when adding and "all groups" when removing.
     *
     * @param map category tag to file cache
     * @param str group id, or null for none
     * @param list certificate identifiers
     * @param str2 category tag
     * @param nCHSCertStore passed through unchanged
     * @param z true to add, false to remove
     */
    public static void updateCertMap(Map<String, FileCache<List<String>>> map, String str, List<String> list, String str2, NCHSCertStore nCHSCertStore, boolean z) {
        final List<String> groupIds = new ArrayList<>();
        if (str != null) {
            groupIds.add(str);
        }
        updateCertMap(map, groupIds, list, str2, nCHSCertStore, z);
    }

    /**
     * Convenience overload for a list of group ids and one certificate identifier.
     *
     * <p>Wraps {@code str} in a single-element list and delegates to the list-based overload.
     *
     * @param map category tag to file cache
     * @param list group ids
     * @param str certificate identifier
     * @param str2 category tag
     * @param nCHSCertStore passed through unchanged
     * @param z true to add, false to remove
     */
    public static void updateCertMap(Map<String, FileCache<List<String>>> map, List<String> list, String str, String str2, NCHSCertStore nCHSCertStore, boolean z) {
        final List<String> singleCert = new ArrayList<>();
        singleCert.add(str);
        updateCertMap(map, list, singleCert, str2, nCHSCertStore, z);
    }

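    /**
     * Adds certificate identifiers to, or removes them from, the groups of one category.
     *
     * <p>Adding ({@code z == true}): each id in {@code list2} is appended to every group in
     * {@code list}; with no group given, {@code CERTIFICATE_DEFAULT_GROUP} is used. Duplicates are
     * not filtered.
     *
     * <p>Removing ({@code z == false}): the ids are removed from the groups in {@code list}; with
     * no group given they are removed from every group of the category. A group that becomes empty
     * is deleted from the cache.
     *
     * <p>Changes from the previous body:
     * <ul>
     *   <li>A null group list on removal is treated like an empty one (it used to raise a
     *       NullPointerException, although null was already accepted when adding).</li>
     *   <li>An unknown category or a null certificate list is logged and ignored instead of
     *       raising a NullPointerException.</li>
     *   <li>The remove-from-all-groups loop iterates over a snapshot of the group ids. Whether
     *       {@code FileCache.getContainer()} returns the live map is not visible here; if it does,
     *       removing a group while iterating the live entry set would fail with a
     *       ConcurrentModificationException.</li>
     *   <li>Raw collection types are replaced by typed ones.</li>
     * </ul>
     *
     * @param map category tag to file cache
     * @param list group ids; null or empty selects the default group (add) or all groups (remove)
     * @param list2 certificate identifiers to add or remove
     * @param str category tag selecting the cache in {@code map}
     * @param nCHSCertStore not used by this method
     * @param z true to add, false to remove
     */
    public static void updateCertMap(Map<String, FileCache<List<String>>> map, List<String> list, List<String> list2, String str, NCHSCertStore nCHSCertStore, boolean z) {
        FileCache<List<String>> fileCache = map.get(str);
        if (fileCache == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "updateCertMap: unknown certificate category: " + str);
            return;
        }
        if (list2 == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "updateCertMap: no certificate list for category: " + str);
            return;
        }
        if (z) {
            if (list == null || list.isEmpty()) {
                AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "No group id for this cert(s) adding to default group: " + str + "/" + list2);
                list = new ArrayList<>();
                list.add(CERTIFICATE_DEFAULT_GROUP);
            }
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Updating cert map: Adding certificate(s) to group(s) " + str + "/" + list + ": " + list2);
            for (String groupId : list) {
                List<String> members = fileCache.getValue(groupId);
                if (members == null) {
                    members = new ArrayList<>();
                }
                members.addAll(list2);
                fileCache.add(groupId, members);
            }
            return;
        }
        if (list == null || list.isEmpty()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Removing certificate(s) from all groups: " + list2);
            HashMap<String, List<String>> container = fileCache.getContainer();
            // Snapshot the ids first: fileCache.remove() below may modify 'container'.
            for (String groupId : new ArrayList<>(container.keySet())) {
                List<String> remaining = new ArrayList<>(container.get(groupId));
                if (remaining.removeAll(list2)) {
                    if (remaining.isEmpty()) {
                        fileCache.remove(groupId);
                    } else {
                        fileCache.add(groupId, remaining);
                    }
                }
            }
            return;
        }
        AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Updating cert map: Removing certificate(s) from group(s) " + str + "/" + list + ": " + list2);
        for (String groupId : list) {
            List<String> members = fileCache.getValue(groupId);
            if (members == null) {
                continue;
            }
            // Work on a copy so the cached list is only replaced when something was removed.
            List<String> remaining = new ArrayList<>(members);
            if (remaining.removeAll(list2)) {
                if (remaining.isEmpty()) {
                    fileCache.remove(groupId);
                } else {
                    fileCache.add(groupId, remaining);
                }
            }
        }
    }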

    /**
     * Stores {@code certificateArr} in the chain cache under the key {@code str}.
     *
     * <p>Each element is cast to {@code X509Certificate}; an element of another certificate type
     * raises a {@code ClassCastException} before anything is cached.
     *
     * @param str cache key
     * @param certificateArr chain to cache
     */
    private void updateChainCache(String str, Certificate[] certificateArr) {
        final X509Certificate[] chain = new X509Certificate[certificateArr.length];
        int idx = 0;
        for (Certificate cert : certificateArr) {
            chain[idx++] = (X509Certificate) cert;
        }
        this.mCertChainCache.put(str, chain);
    }

    /**
     * Checks that a certificate's Extended Key Usage extension lists every required usage.
     *
     * <p><b>Security notes:</b>
     * <ul>
     *   <li>A certificate WITHOUT an Extended Key Usage extension passes (returns true). Callers
     *       that need the purpose to be asserted explicitly must check for the extension
     *       themselves.</li>
     *   <li>Matching is literal membership of each required OID in the certificate's list; no OID
     *       is given special meaning by this method.</li>
     *   <li>The count comparison is a shortcut; NOTE(review): it would reject a certificate if the
     *       required array contained duplicates - confirm callers never pass any.</li>
     * </ul>
     *
     * @param x509Certificate certificate to inspect; null yields false
     * @param x509EnhancedKeyUseArr required usages; null or empty yields true
     * @return true if the requirement is satisfied as described above; false if a required usage
     *     is missing or the extension cannot be parsed
     */
    public static boolean verifyExtendedKeyUse(X509Certificate x509Certificate, X509EnhancedKeyUse[] x509EnhancedKeyUseArr) {
        if (x509Certificate == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: no certficate");
            return false;
        }
        if (x509EnhancedKeyUseArr == null || x509EnhancedKeyUseArr.length == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: no required uses");
            return true;
        }
        final List<String> certOids;
        try {
            certOids = x509Certificate.getExtendedKeyUsage();
        } catch (CertificateParsingException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "verifyExtendedKeyUse: failed to get extended usages:" + e);
            return false;
        }
        if (certOids == null) {
            // Extension absent: treated as "no restriction".
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: certificate has no extended key uses specified");
            return true;
        }
        final int requiredCount = x509EnhancedKeyUseArr.length;
        if (requiredCount > certOids.size()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: not enough required elements: required = " + requiredCount + ", certificate=" + certOids.size());
            return false;
        }
        for (int idx = 0; idx < requiredCount; idx++) {
            final X509EnhancedKeyUse required = x509EnhancedKeyUseArr[idx];
            if (!certOids.contains(required.getOid())) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: missing required use=" + required);
                return false;
            }
        }
        AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyExtendedKeyUse: got all " + requiredCount + " required uses");
        return true;
    }

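    /**
     * Re-protects an existing keystore file with a new store password and, for key entries, a new
     * private-key password.
     *
     * <p>The method is a no-op (returns {@code true}) when the file does not exist or already
     * opens with the new store password.
     *
     * <p>Fix over the decompiled listing: there, a successfully re-keyed entry fell through into
     * the "null private key password" error and the method returned {@code false} on the first
     * key entry. The null-password case is now checked first, so a successful
     * {@code setKeyEntry} continues with the next alias.
     *
     * @param str path of the keystore file
     * @param str2 keystore type handed to {@code openKeyStoreFile}
     * @param str3 old store password; must not be {@code null}
     * @param str4 old private-key password; required when the store holds key entries
     * @param str5 new store password; must not be {@code null}
     * @param str6 new private-key password; required when the store holds key entries
     * @return {@code true} when the store is (already) protected by the new passwords
     */
    protected boolean convertKeystorePasswords(String str, String str2, String str3, String str4, String str5, String str6) {
        if (!new File(str).exists()) {
            return true;
        }
        if (str5 == null || str3 == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: cannot have a null password");
            return false;
        }
        if (openKeyStoreFile(str, str5, str2) != null) {
            AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "convertKeystorePasswords: already converted to new password");
            return true;
        }
        KeyStore openKeyStoreFile = openKeyStoreFile(str, str3, str2);
        if (openKeyStoreFile == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: failed to open keystore=" + str + " with old password");
            return false;
        }
        try {
            ArrayList<String> list = Collections.list(openKeyStoreFile.aliases());
            for (String alias : list) {
                if (!openKeyStoreFile.isKeyEntry(alias)) {
                    // Certificate-only entries carry no per-entry password.
                    continue;
                }
                if (str4 == null || str6 == null) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: null private key password for keystore=" + str);
                    return false;
                }
                Certificate[] certificateChain = openKeyStoreFile.getCertificateChain(alias);
                Key key = openKeyStoreFile.getKey(alias, str4.toCharArray());
                if (key == null) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: failed to update private key for keystore=" + str);
                    return false;
                }
                // Same key and chain, now wrapped under the new private-key password.
                openKeyStoreFile.setKeyEntry(alias, key, str6.toCharArray(), certificateChain);
            }
            // Nothing is persisted until every key entry has been converted in memory.
            if (!saveKeyStore(openKeyStoreFile, str, str5)) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: failed to save updated keystore=" + str);
                return false;
            }
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "convertKeystorePasswords: converted keystore with " + list.size() + " entries");
            return true;
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: KeyStoreException updating keystore=" + str, e);
            return false;
        } catch (NoSuchAlgorithmException e2) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: NoSuchAlgorithmException updating keystore=" + str, e2);
            return false;
        } catch (UnrecoverableKeyException e3) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "convertKeystorePasswords: UnrecoverableKeyException updating keystore=" + str, e3);
            return false;
        }
    }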

    /**
     * Creates a new, empty in-memory keystore of the requested type.
     *
     * <p>Nothing is written to disk here. A {@code null} password raises
     * {@code NullPointerException} from {@code toCharArray()}.
     *
     * @param str password handed to {@link KeyStore#load(java.io.InputStream, char[])}
     * @param str2 keystore type name passed to {@link KeyStore#getInstance(String)}
     * @return the initialised keystore, or {@code null} when creation failed (the cause is logged)
     */
    protected KeyStore createKeyStore(String str, String str2) {
        final KeyStore emptyStore;
        try {
            emptyStore = KeyStore.getInstance(str2);
            // A null stream initialises an empty store instead of reading one.
            emptyStore.load(null, str.toCharArray());
        } catch (IOException ioFailure) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createKeyStore: IOException: " + ioFailure);
            return null;
        } catch (KeyStoreException storeFailure) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createKeyStore: KeyStoreException: " + storeFailure);
            return null;
        } catch (NoSuchAlgorithmException algFailure) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createKeyStore: NoSuchAlgorithmException: " + algFailure);
            return null;
        } catch (CertificateException certFailure) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "createKeyStore: CertificateException: " + certFailure);
            return null;
        }
        return emptyStore;
    }

    /**
     * Deletes one certificate, identified by {@code str}, through the system certificate manager.
     *
     * <p>Only {@code SYSTEM} and {@code ALL} are accepted. For {@code ALL} an error is logged
     * because single-certificate deletion from the local store is not implemented, and the
     * system-store deletion still runs; the local store is left as it was.
     *
     * @param str identifier passed to the system certificate manager
     * @param nCHSCertStore store selector
     * @return {@code true} only when the system manager reports success
     */
    public boolean deleteCertificate(String str, NCHSCertStore nCHSCertStore) {
        final boolean allStores = NCHSCertStore.ALL == nCHSCertStore;
        if (!allStores && NCHSCertStore.SYSTEM != nCHSCertStore) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Not implemented");
            return false;
        }
        if (allStores) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Cannot delete one certificate from local store: Not implemented");
        }
        return this.mSystemCertMgr.deleteCertificate(str) == CertOpCode.RESULT_CERTIFICATE_OPERATION_SUCCESS;
    }

    /**
     * Convenience overload that wraps a single group id in a list and delegates to
     * {@code deleteCertificates(String[], List, String)}.
     *
     * @param strArr certificate aliases to delete
     * @param str the single group id
     * @param str2 category/tag forwarded unchanged
     * @return the result of the list-based overload
     */
    public synchronized boolean deleteCertificates(String[] strArr, String str, String str2) {
        final List<String> singleGroup = new ArrayList<>();
        singleGroup.add(str);
        return deleteCertificates(strArr, singleGroup, str2);
    }

    /* JADX WARN: Removed duplicated region for block: B:24:0x004f A[Catch: all -> 0x013d, TryCatch #2 {, blocks: (B:10:0x0008, B:13:0x000d, B:15:0x001d, B:18:0x0024, B:20:0x0034, B:22:0x0049, B:24:0x004f, B:26:0x0053, B:29:0x005b, B:31:0x006b, B:33:0x0073, B:36:0x0097, B:48:0x009f, B:39:0x00c1, B:41:0x00c9, B:43:0x00d0, B:46:0x010f, B:52:0x00ed, B:57:0x0106, B:61:0x0115, B:63:0x0123, B:64:0x012c, B:67:0x003f, B:5:0x0132), top: B:9:0x0008 }] */
    /* JADX WARN: Removed duplicated region for block: B:61:0x0115 A[Catch: all -> 0x013d, TryCatch #2 {, blocks: (B:10:0x0008, B:13:0x000d, B:15:0x001d, B:18:0x0024, B:20:0x0034, B:22:0x0049, B:24:0x004f, B:26:0x0053, B:29:0x005b, B:31:0x006b, B:33:0x0073, B:36:0x0097, B:48:0x009f, B:39:0x00c1, B:41:0x00c9, B:43:0x00d0, B:46:0x010f, B:52:0x00ed, B:57:0x0106, B:61:0x0115, B:63:0x0123, B:64:0x012c, B:67:0x003f, B:5:0x0132), top: B:9:0x0008 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // NOTE(review): the decompiler could not reconstruct this overload, so its real deletion logic
    // is not available on this page. The body below is a decompiler placeholder that always
    // throws; the actual behaviour has to be read from the instruction dump and must not be
    // inferred from the callers. Parameter names r17/r18/r19 are register names, not the
    // original identifiers.
    public synchronized boolean deleteCertificates(java.lang.String[] r17, java.util.List<java.lang.String> r18, java.lang.String r19) {
        /*
            Method dump skipped, instructions count: 322
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.cisco.android.nchs.support.CertificateManager.deleteCertificates(java.lang.String[], java.util.List, java.lang.String):boolean");
    }

    /**
     * Deletes a group of certificates from the local (AnyConnect) store.
     *
     * <p>Only {@code ANYCONNECT} and {@code ALL} are accepted. For {@code ALL} an error is logged
     * because group deletion from the system store is not implemented; the local deletion still
     * runs and the system store is left as it was.
     *
     * @param str group id; forwarded to {@code deleteGroupOfCertificatesFromLocalStore}
     * @param str2 category/tag; forwarded unchanged
     * @param nCHSCertStore store selector
     * @return result of the local-store deletion, or {@code false} for an unsupported store
     */
    public boolean deleteGroupOfCertificates(String str, String str2, NCHSCertStore nCHSCertStore) {
        final boolean allStores = NCHSCertStore.ALL == nCHSCertStore;
        if (!allStores && NCHSCertStore.ANYCONNECT != nCHSCertStore) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Not implemented");
            return false;
        }
        if (allStores) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Cannot delete group of certificates from system store: Not implemented");
        }
        return deleteGroupOfCertificatesFromLocalStore(str, str2);
    }

    /**
     * Deletes the certificates recorded for one group id, or for every group of a category when
     * the id is empty.
     *
     * <p>An empty or {@code null} {@code str} therefore acts as a wildcard: every alias in every
     * group of category {@code str2} is handed to {@code deleteCertificates}.
     *
     * @param str group id, or empty/{@code null} to select all groups of the category
     * @param str2 category/tag used to look up the group map
     * @return result of {@code deleteCertificates}, or {@code false} when no alias list was found
     */
    public synchronized boolean deleteGroupOfCertificatesFromLocalStore(String str, String str2) {
        dumpCertAliasesMap();
        final List<String> groupIds = new ArrayList<>();
        List<String> aliases;
        // NOTE(review): get(str2) is dereferenced without a null check; confirm that the map
        // always holds an entry for every category callers can pass.
        if (TextUtils.isEmpty(str)) {
            // Wildcard: flatten every group of the category.
            aliases = new ArrayList<>();
            HashMap<String, List<String>> groups = this.mCategoryToCertGroupMap.get(str2).getContainer();
            for (List<String> groupAliases : groups.values()) {
                aliases.addAll(groupAliases);
            }
            groupIds.addAll(groups.keySet());
        } else {
            groupIds.add(str);
            aliases = this.mCategoryToCertGroupMap.get(str2).getValue(str);
            AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Deleting certificate(s) with id: " + str + " in " + str2 + ": " + aliases);
        }
        if (aliases == null) {
            if (str != null) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "unable to find certificates for given ID " + str + " & tag " + str2);
            } else {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "unable to find certificates for given tag " + str2);
            }
            return false;
        }
        final String[] aliasArray = aliases.toArray(new String[0]);
        AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Deleting certificate(s) from groups: " + str2 + "/" + groupIds + " certs: " + aliases);
        return deleteCertificates(aliasArray, groupIds, str2);
    }

    /**
     * Forwards the enable/disable flag to the YubiKey certificate store.
     *
     * @param z value passed unchanged to {@code mYubikeyStore.enableYubikey}
     */
    public void enableYubikey(boolean z) {
        final boolean requestedState = z;
        this.mYubikeyStore.enableYubikey(requestedState);
    }

    /**
     * Builds a certificate-to-alias map of every client certificate known to the multi store.
     *
     * @return the map, or {@code null} (not an empty map) when the store lookup fails; callers
     *     must handle the {@code null} case
     */
    public synchronized Map<X509Certificate, String> enumerateClientCertificates() {
        final Map<X509Certificate, String> aliasByCert = new HashMap<>();
        try {
            for (CertificateInfo info : this.mMultiCertStore.getClientCerts()) {
                aliasByCert.put(info.getX509(), info.getAlias());
            }
            return aliasByCert;
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Exception on retrieving client certs", e);
            return null;
        }
    }

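    /**
     * Collects the DER encodings of the certificates recorded for a group id.
     *
     * <p>With {@code z} set, each alias is resolved through the multi cert store and the first
     * certificate of its chain is added. Otherwise each alias is looked up in the keystore
     * returned by {@code getACTrustedKeystore()}.
     *
     * <p>Fix over the decompiled listing: an alias with a missing or empty chain is now skipped
     * after the "No chain" log line instead of indexing {@code certChain[0]}, which raised an
     * exception that was then logged a second time.
     *
     * @param z {@code true} to read from the multi cert store, {@code false} for the trusted store
     * @param str group id used to look up the alias list
     * @param str2 category/tag used to select the group map
     * @return a chain object holding the encodings found; empty when nothing matched
     */
    public CertificateChain getACCerts(boolean z, String str, String str2) {
        CertificateChain certificateChain = new CertificateChain();
        // NOTE(review): get(str2) is dereferenced without a null check; confirm every category
        // a caller can pass has an entry.
        List<String> aliases = this.mCategoryToCertGroupMap.get(str2).getValue(str);
        if (aliases == null || aliases.isEmpty()) {
            return certificateChain;
        }
        if (z) {
            for (String alias : aliases) {
                try {
                    X509Certificate[] certChain = this.mMultiCertStore.getCertChain(alias);
                    if (certChain == null || certChain.length == 0) {
                        AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "No chain for alias=" + alias);
                        continue;
                    }
                    certificateChain.getDerEncodedCerts().add(certChain[0].getEncoded());
                } catch (Exception e) {
                    // Per-alias failure is logged and the remaining aliases are still processed.
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Exception fetching chain for alias=" + alias, e);
                }
            }
            return certificateChain;
        }
        KeyStore aCTrustedKeystore = getACTrustedKeystore();
        for (String alias : aliases) {
            try {
                if (!aCTrustedKeystore.containsAlias(alias)) {
                    continue;
                }
                Certificate certificate = aCTrustedKeystore.getCertificate(alias);
                if (certificate != null) {
                    certificateChain.getDerEncodedCerts().add(certificate.getEncoded());
                }
            } catch (Exception e2) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Unexpected Exception", e2);
            }
        }
        return certificateChain;
    }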

    /**
     * Returns every alias recorded under a category, flattened across all of its groups.
     *
     * @param str category/tag used to select the group map
     * @return a new list holding the aliases of every group in that category
     */
    public List<String> getAliasListFromID(String str) {
        final HashMap<String, List<String>> groups = this.mCategoryToCertGroupMap.get(str).getContainer();
        final List<String> allAliases = new ArrayList<>();
        for (List<String> groupAliases : groups.values()) {
            allAliases.addAll(groupAliases);
        }
        return allAliases;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Derives the store alias for a certificate from a hash of its encoded form.
     *
     * <p>The digest is whatever {@code CryptoAlgorithms.hashToHexString} computes; the algorithm
     * is not visible here.
     *
     * @param x509Certificate certificate to derive the alias for
     * @return hex string alias, or {@code null} when the certificate cannot be encoded; callers
     *     must check for {@code null} before using the result as a keystore alias
     */
    public String getCertAlias(X509Certificate x509Certificate) {
        final byte[] encoded;
        try {
            encoded = x509Certificate.getEncoded();
        } catch (CertificateEncodingException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getCertAlias: failed to encode certificate: " + e);
            return null;
        }
        return CryptoAlgorithms.hashToHexString(encoded);
    }

    /**
     * Returns the certificate chain for an alias, consulting the in-memory cache first.
     *
     * <p>On a cache miss the multi cert store is queried and its answer is cached as returned.
     * A {@code CertStoreException} is swallowed without logging and reported as {@code null}.
     *
     * @param str certificate alias
     * @return the chain, or {@code null} when the store lookup failed
     * @throws KeyStoreException declared by the signature; no visible statement throws it
     */
    public synchronized X509Certificate[] getCertChain(String str) throws KeyStoreException {
        if (!this.mCertChainCache.containsKey(str)) {
            try {
                final X509Certificate[] fetched = this.mMultiCertStore.getCertChain(str);
                this.mCertChainCache.put(str, fetched);
                return fetched;
            } catch (CertStoreException ignored) {
                return null;
            }
        }
        return this.mCertChainCache.get(str);
    }

    /**
     * Returns the hash of the leaf certificate stored under an alias.
     *
     * <p>The two failure modes are reported differently: an empty array when the store has no
     * chain for the alias, {@code null} when any exception occurred.
     *
     * @param str certificate alias
     * @return hash from {@code VpnCertificate.GetHash()}, an empty array, or {@code null}
     */
    public synchronized byte[] getCertificateHashForAlias(String str) {
        try {
            final X509Certificate[] chain = this.mMultiCertStore.getCertChain(str);
            final boolean noChain = chain == null || chain.length == 0;
            if (noChain) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Failed to get cert chain from certificate store.");
                return new byte[0];
            }
            final VpnCertificate leaf = new VpnCertificate(chain[0].getEncoded());
            return leaf.GetHash();
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getCertificateforAlias exception", e);
            return null;
        }
    }

    /**
     * Lists the client certificates known to the multi cert store.
     *
     * @return the store's list, or a new empty list when the lookup fails (the failure is logged,
     *     so callers cannot tell "no certificates" from "store error")
     */
    public List<CertificateInfo> getClientCerts() {
        List<CertificateInfo> result;
        try {
            result = this.mMultiCertStore.getClientCerts();
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getClientCerts exception", e);
            result = new ArrayList();
        }
        return result;
    }

    /**
     * Builds the path of the client keystore file inside the keystore directory.
     *
     * @return {@code mKeystorePath}, the platform separator and {@code CLIENT_KEYSTORE_FILENAME}
     */
    protected String getClientKeyStoreFile() {
        final String directory = this.mKeystorePath;
        return directory + File.separator + CLIENT_KEYSTORE_FILENAME;
    }

    /**
     * Returns the password protecting the client keystore.
     *
     * <p>The secret is held and returned as an immutable {@code String}, so it cannot be wiped
     * after use; keep it out of logs and exception messages.
     *
     * @return the value of {@code mClientStorePassword}
     */
    protected String getClientKeyStorePassword() {
        final String storePassword = this.mClientStorePassword;
        return storePassword;
    }

    /**
     * Returns the password protecting private-key entries in the client keystore.
     *
     * <p>The secret is held and returned as an immutable {@code String}, so it cannot be wiped
     * after use; keep it out of logs and exception messages.
     *
     * @return the value of {@code mClientPrivKeyPassword}
     */
    protected String getClientPrivateKeyPassword() {
        final String keyPassword = this.mClientPrivKeyPassword;
        return keyPassword;
    }

    /**
     * Builds the path of the deprecated root keystore file inside the keystore directory.
     *
     * @return {@code mKeystorePath}, the platform separator and {@code ROOT_KEYSTORE_FILENAME}
     */
    protected String getDeprecatedRootKeyStoreFile() {
        final String directory = this.mKeystorePath;
        return directory + File.separator + ROOT_KEYSTORE_FILENAME;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Derives the private-key alias that pairs with a certificate alias.
     *
     * @param str certificate alias; {@code null} is rendered as the text {@code "null"}
     * @return the certificate alias with {@code "_key"} appended
     */
    public String getKeyAliasForCertAlias(String str) {
        return new StringBuilder().append(str).append("_key").toString();
    }

    /**
     * Returns the X.509 certificates held as certificate-only entries in the trusted keystore.
     *
     * <p>Key entries are skipped, as are entries whose certificate is missing or is not an
     * {@link X509Certificate}; each skipped certificate is logged. A failure on one alias does
     * not stop the enumeration.
     *
     * @return the certificates found; an empty array when the trusted store cannot be
     *     initialised or its aliases cannot be listed
     */
    public synchronized X509Certificate[] getRootCertificates() {
        if (!initializeTrustedKeyStore()) {
            return new X509Certificate[0];
        }
        final ArrayList<String> aliases;
        try {
            aliases = Collections.list(this.mTrustedKeyStore.aliases());
        } catch (KeyStoreException unused) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getRootCertificates: failed to get aliases for keystore");
            return new X509Certificate[0];
        }
        final List<X509Certificate> roots = new ArrayList<>();
        for (String alias : aliases) {
            try {
                if (this.mTrustedKeyStore.isKeyEntry(alias) || !this.mTrustedKeyStore.isCertificateEntry(alias)) {
                    continue;
                }
                final Certificate entry = this.mTrustedKeyStore.getCertificate(alias);
                if (entry == null) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getRootCertificates: failed to get certificate for alias=" + alias);
                } else if (entry instanceof X509Certificate) {
                    roots.add((X509Certificate) entry);
                } else {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getRootCertificates: non-X509 certificate for alias=" + alias);
                }
            } catch (KeyStoreException e) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "getRootCertificates: exception getting certificate for alias=" + alias, e);
            }
        }
        return roots.toArray(new X509Certificate[0]);
    }

    /**
     * Builds the path of the trusted (root) keystore file inside the keystore directory.
     *
     * @return {@code mKeystorePath}, the platform separator and {@code TRUSTED_KEYSTORE_FILENAME}
     */
    protected String getRootKeyStoreFile() {
        final String directory = this.mKeystorePath;
        return directory + File.separator + TRUSTED_KEYSTORE_FILENAME;
    }

    /**
     * Returns the password protecting the trusted (root) keystore.
     *
     * <p>The secret is held and returned as an immutable {@code String}, so it cannot be wiped
     * after use; keep it out of logs and exception messages.
     *
     * @return the value of {@code mRootStorePassword}
     */
    protected String getRootKeyStorePassword() {
        final String storePassword = this.mRootStorePassword;
        return storePassword;
    }

    /**
     * Orders a certificate set leaf-first by following issuer names.
     *
     * <p>The first element is taken as the leaf. Each following certificate is the first
     * remaining one whose subject DN equals the previous certificate's issuer DN. The walk stops
     * at a self-issued certificate or when no issuer is found; leftovers are logged and dropped
     * from the result.
     *
     * <p>This is ordering only. Linking is by DN equality, with no signature, validity or
     * key-identifier check, so the result must still go through real path validation before it
     * is trusted.
     *
     * @param x509CertificateArr certificates with the leaf at index 0; must not be {@code null}
     * @return the input itself when it has at most one element, otherwise a new ordered array
     */
    public X509Certificate[] getSortedChain(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr.length <= 1) {
            return x509CertificateArr;
        }
        final List<X509Certificate> ordered = new ArrayList<>();
        final List<X509Certificate> unplaced = new ArrayList<>();
        X509Certificate current = x509CertificateArr[0];
        ordered.add(current);
        for (int i = 1; i < x509CertificateArr.length; i++) {
            unplaced.add(x509CertificateArr[i]);
        }
        while (true) {
            final Principal wantedIssuer = current.getIssuerDN();
            X509Certificate issuerCert = null;
            for (X509Certificate candidate : unplaced) {
                if (candidate.getSubjectDN().equals(wantedIssuer)) {
                    issuerCert = candidate;
                    break;
                }
            }
            if (issuerCert == null) {
                // Chain is incomplete: nothing left names this issuer.
                break;
            }
            ordered.add(issuerCert);
            unplaced.remove(issuerCert);
            if (issuerCert.getIssuerDN().equals(issuerCert.getSubjectDN())) {
                // Self-issued certificate ends the walk.
                break;
            }
            current = issuerCert;
        }
        if (!unplaced.isEmpty()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "getSortedChain: got " + unplaced.size() + " extra certificates");
            for (X509Certificate extra : unplaced) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "     " + extra.getSubjectDN());
            }
        }
        return ordered.toArray(new X509Certificate[0]);
    }

    /**
     * Returns the issuers accepted by the system trust manager.
     *
     * @return {@code mSystemTrustMgr.getAcceptedIssuers()}, or an empty array when the system
     *     trust manager could not be initialised
     */
    public synchronized X509Certificate[] getSystemCertificates() {
        if (!initializeSystemTrustManager()) {
            return new X509Certificate[0];
        }
        return this.mSystemTrustMgr.getAcceptedIssuers();
    }

    /**
     * Returns the client certificate held in a YubiKey slot.
     *
     * @param yubikeySlot slot to read
     * @return whatever {@code mYubikeyStore.getClientCert} returns for that slot
     */
    public CertificateInfo getYubikeyCert(YubikeySlot yubikeySlot) {
        final CertificateInfo slotCert = this.mYubikeyStore.getClientCert(yubikeySlot);
        return slotCert;
    }

    /**
     * Picks the first stored client certificate that satisfies a TLS client-certificate request.
     *
     * <p>A certificate matches when its issuer DN, split on commas, has the same number of parts
     * as a requested issuer and all of its parts occur in it, and when its key algorithm is
     * acceptable (an empty algorithm list accepts any).
     *
     * <p>Review points:
     * <ul>
     *   <li>Issuer matching is plain string comparison after {@code split(",")}. Whitespace,
     *       escaping and attribute-value commas are not normalised, so equivalent DNs in a
     *       different textual form will not match.</li>
     *   <li>The returned parcel carries the private-key object itself, except on SDK levels above
     *       30 when the key class name contains {@code "keystore2"}, where {@code null} is sent
     *       instead. NOTE(review): confirm who can receive this parcel.</li>
     *   <li>Issuer DN and key algorithm are written to the info log.</li>
     * </ul>
     *
     * @param list acceptable issuer DNs as strings
     * @param list2 acceptable key algorithm names; empty means no restriction
     * @return a parcel for the first match, or {@code null} when nothing matches
     */
    public ClientCertRequestParcel handleClientCertRequest(List<String> list, List<String> list2) {
        for (CertificateInfo candidate : getClientCerts()) {
            final String issuerDn = candidate.getX509().getIssuerDN().getName();
            AppLog.info(this, "handleClientCertRequest Issuer DN: " + issuerDn);
            final List<String> certParts = Arrays.asList(issuerDn.split(","));
            for (String requestedIssuer : list) {
                final List<String> requestedParts = Arrays.asList(requestedIssuer.split(","));
                if (requestedParts.size() != certParts.size() || !requestedParts.containsAll(certParts)) {
                    continue;
                }
                try {
                    PrivateKey key = this.mMultiCertStore.getPrivateKey(candidate.getAlias());
                    AppLog.info(this, "handleClientCertRequest Key algorithm: " + key.getAlgorithm());
                    final boolean algorithmAccepted = list2.isEmpty() || list2.contains(key.getAlgorithm());
                    if (!algorithmAccepted) {
                        continue;
                    }
                    final X509Certificate[] chain = getCertChain(candidate.getAlias());
                    if (chain == null) {
                        continue;
                    }
                    if (Build.VERSION.SDK_INT > 30 && key.getClass().getName().contains("keystore2")) {
                        // This key type cannot be serialised; the receiver fetches it by alias.
                        AppLog.info(this, "Can't serialize private key, retrieving it in WebViewActivity");
                        key = null;
                    }
                    return new ClientCertRequestParcel(candidate.getAlias(), key, chain);
                } catch (Exception e) {
                    // Includes a null key from the store; the next requested issuer is tried.
                    AppLog.error(this, "Error retrieving private key and cert chain", e);
                }
            }
        }
        return null;
    }

    /**
     * Reports whether a certificate chain and its private key are both reachable for an alias.
     *
     * <p>Side effect: when both are reachable and the alias is not yet in the keychain alias
     * list, it is registered through {@code importKeychainAlias}.
     *
     * @param str certificate alias
     * @return {@code true} when chain and private key are both available; {@code false}
     *     otherwise, including on any exception
     */
    public synchronized boolean hasCertFromSystem(String str) {
        try {
            final X509Certificate[] chain = this.mMultiCertStore.getCertChain(str);
            final boolean noChain = chain == null || chain.length == 0;
            if (noChain) {
                AppLog.warn(this, "hasCertFromSystem could not get cert chain");
                return false;
            }
            if (this.mMultiCertStore.getPrivateKey(str) == null) {
                AppLog.warn(this, "hasCertFromSystem could not get private key");
                return false;
            }
            final boolean alreadyListed = this.mKeychainAliasList.getAliases().contains(str);
            if (!alreadyListed) {
                AppLog.info(this, "Already granted access to certificate, adding alias to keychain alias list.");
                this.mMultiCertStore.importKeychainAlias(str);
            }
            return true;
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "hasCertFromSystem exception", e);
            return false;
        }
    }

    /**
     * Registers a system keychain alias with the multi cert store and returns the hash of its
     * leaf certificate.
     *
     * <p>The alias is registered before the chain is read, so it stays registered even when the
     * chain lookup then yields nothing.
     *
     * @param str keychain alias
     * @return hash from {@code VpnCertificate.GetHash()}, an empty array when no chain is
     *     available, or {@code null} on any exception
     */
    public synchronized byte[] importCertFromSystem(String str) {
        try {
            this.mMultiCertStore.importKeychainAlias(str);
            final X509Certificate[] chain = this.mMultiCertStore.getCertChain(str);
            final boolean noChain = chain == null || chain.length == 0;
            if (noChain) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Failed to get cert chain from system.");
                return new byte[0];
            }
            final VpnCertificate leaf = new VpnCertificate(chain[0].getEncoded());
            return leaf.GetHash();
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importCertFromSystem exception", e);
            return null;
        }
    }

    /**
     * Hands a PKCS#12 blob to the system certificate manager for import.
     *
     * @param bArr blob, tagged as {@code CertificateBlobType.TYPE_PKCS12}
     * @param str forwarded as the third argument of {@code importCertificate}; presumably the
     *     PKCS#12 password (the server-certificate variant passes {@code null} there) - confirm
     * @param str2 forwarded unchanged
     * @param str3 forwarded unchanged
     * @param intent forwarded unchanged
     * @return the system certificate manager's result code
     */
    public CertOpCode importClientCertificatesToSystemStore(byte[] bArr, String str, String str2, String str3, Intent intent) {
        final CertOpCode outcome = this.mSystemCertMgr.importCertificate(CertificateBlobType.TYPE_PKCS12, bArr, str, str2, str3, intent);
        return outcome;
    }

    /**
     * Imports the key entries of a PKCS#12 blob, with the trailing boolean option of the
     * five-argument overload set to {@code false}.
     *
     * @param bArr PKCS#12 blob
     * @param str import password
     * @param str2 forwarded unchanged to the five-argument overload
     * @param str3 forwarded unchanged to the five-argument overload
     * @return the imported leaf certificates, as returned by the five-argument overload
     * @throws UnrecoverableKeyException when the password is {@code null} or the blob cannot be
     *     opened with it
     */
    public synchronized X509Certificate[] importPkcs12ClientCert(byte[] bArr, String str, String str2, String str3) throws UnrecoverableKeyException {
        final boolean option = false;
        return importPkcs12ClientCert(bArr, str, str2, str3, option);
    }

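    /**
     * Imports every key entry of a PKCS#12 blob into the multi cert store and records the
     * resulting aliases in the certificate group map.
     *
     * <p>Fix over the decompiled listing: the outer per-alias handler assigned the exception to
     * an undeclared variable and logged nothing, so a failure while reading the key, certificate
     * or chain disappeared silently. All per-alias failures are now caught by one handler and
     * logged; the remaining aliases are still processed.
     *
     * @param bArr PKCS#12 blob; {@code null} or empty yields {@code null}
     * @param str import password, used both to open the blob and to read each key
     * @param str2 forwarded to {@code updateCertMap}
     * @param str3 forwarded to {@code updateCertMap}
     * @param z forwarded to {@code mMultiCertStore.importPrivateKey}
     * @return the leaf certificates imported (possibly empty), or {@code null} when there was
     *     nothing to import or the alias list could not be read
     * @throws UnrecoverableKeyException when the password is {@code null} or the blob cannot be
     *     opened with it
     */
    public synchronized X509Certificate[] importPkcs12ClientCert(byte[] bArr, String str, String str2, String str3, boolean z) throws UnrecoverableKeyException {
        if (bArr == null || bArr.length == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: no PKCS blob to import");
            return null;
        }
        if (str == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: import password cannot be null");
            throw new UnrecoverableKeyException("import password cannot be null");
        }
        KeyStore openKeyStoreStream = openKeyStoreStream(new ByteArrayInputStream(bArr), str, CertificateProvisioning.TYPE_PKCS12);
        if (openKeyStoreStream == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: failed to open PKCS input");
            throw new UnrecoverableKeyException("failed to open PKCS blob -- probably bad password");
        }
        try {
            ArrayList<String> list = Collections.list(openKeyStoreStream.aliases());
            if (list.size() == 0) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: no aliases received");
                return null;
            }
            List<X509Certificate> importedCerts = new ArrayList<>();
            List<String> importedAliases = new ArrayList<>();
            for (String alias : list) {
                try {
                    Key key = openKeyStoreStream.getKey(alias, str.toCharArray());
                    if (key == null) {
                        AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: no private key");
                        continue;
                    }
                    Certificate certificate = openKeyStoreStream.getCertificate(alias);
                    Certificate[] certificateChain = openKeyStoreStream.getCertificateChain(alias);
                    if (certificateChain == null) {
                        // NOTE(review): the import is still attempted with a null chain. If the
                        // store accepts it, updateChainCache below throws on the null array, so
                        // the new alias never reaches the group map - confirm the intent.
                        AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: no chain for '" + alias + "'");
                    }
                    if (certificate == null) {
                        AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "importPkcs12ClientCert: no client cert");
                        continue;
                    }
                    if (!(certificate instanceof X509Certificate)) {
                        AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importPkcs12ClientCert: non-X509 certificate class=" + certificate.getClass().getName());
                        continue;
                    }
                    String importPrivateKey = this.mMultiCertStore.importPrivateKey(key, certificateChain, z);
                    if (importPrivateKey == null) {
                        AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importPkcs12ClientCert: failed to import private key");
                        continue;
                    }
                    importedCerts.add((X509Certificate) certificate);
                    updateChainCache(importPrivateKey, certificateChain);
                    importedAliases.add(importPrivateKey);
                } catch (Exception e) {
                    // One bad entry must not abort the whole import, but it must be visible.
                    AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importPkcs12ClientCert: failed update due to Exception: ", e);
                }
            }
            updateCertMap(this.mCategoryToCertGroupMap, str2, importedAliases, str3, NCHSCertStore.ANYCONNECT, true);
            return importedCerts.toArray(new X509Certificate[0]);
        } catch (KeyStoreException e3) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importPkcs12ClientCert: KeyStoreException trying to get aliases: " + e3.getMessage());
            return null;
        }
    }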

    /**
     * Hands a certificate blob to the system certificate manager for import.
     *
     * @param bArr blob, tagged as {@code CertificateBlobType.TYPE_CERTIFICATE}
     * @param str forwarded unchanged
     * @param str2 forwarded unchanged
     * @param intent forwarded unchanged
     * @return the system certificate manager's result code
     */
    public CertOpCode importServerCertificateToSystemStore(byte[] bArr, String str, String str2, Intent intent) {
        // The third argument is the slot the PKCS#12 variant fills; it is null for this blob type.
        final CertOpCode outcome = this.mSystemCertMgr.importCertificate(CertificateBlobType.TYPE_CERTIFICATE, bArr, null, str, str2, intent);
        return outcome;
    }

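    /**
     * Adds a certificate to the application's trusted keystore file and records its alias in the
     * certificate group map.
     *
     * <p>This installs a trust anchor. Nothing here checks validity dates, CA constraints or who
     * asked for the import; that decision lies with the caller.
     *
     * <p>Fix over the decompiled listing: {@code getCertAlias} returns {@code null} when the
     * certificate cannot be encoded, and that value went straight into the keystore calls. The
     * import now fails cleanly instead.
     *
     * @param x509Certificate certificate to trust; {@code null} is rejected
     * @param str forwarded to {@code updateCertMap}
     * @param str2 forwarded to {@code updateCertMap}
     * @return {@code RESULT_OPERATION_COMPLETED} on a new import,
     *     {@code RESULT_CERTIFICATE_ALREADY_EXISTS} when the alias is already present,
     *     {@code RESULT_OPERATION_FAILED} otherwise
     */
    public synchronized NCHSReturnCode importTrustedCertificate(X509Certificate x509Certificate, String str, String str2) {
        if (x509Certificate == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "importTrustedCertificate: null certificate provided!");
            return NCHSReturnCode.RESULT_OPERATION_FAILED;
        }
        String rootKeyStoreFile = getRootKeyStoreFile();
        String rootKeyStorePassword = getRootKeyStorePassword();
        String storeType = ROOT_KEYSTORE_TYPE;
        KeyStore openKeyStoreFile = openKeyStoreFile(rootKeyStoreFile, rootKeyStorePassword, storeType);
        // A store that cannot be opened is replaced by a new empty one.
        // NOTE(review): a wrong password or corrupt file would be overwritten on save if
        // openKeyStoreFile reports that as null too - confirm this is intended.
        if (openKeyStoreFile == null && (openKeyStoreFile = createKeyStore(rootKeyStorePassword, storeType)) == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importTrustedCertificate: failed to create root store!");
            return NCHSReturnCode.RESULT_OPERATION_FAILED;
        }
        String certAlias = getCertAlias(x509Certificate);
        if (certAlias == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importTrustedCertificate: failed to derive alias for certificate!");
            return NCHSReturnCode.RESULT_OPERATION_FAILED;
        }
        try {
            if (openKeyStoreFile.containsAlias(certAlias)) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "importTrustedCertificate: certificate already in the store with alias='" + certAlias + "'!");
                updateCertMap(this.mCategoryToCertGroupMap, str, certAlias, str2, NCHSCertStore.ANYCONNECT, true);
                return NCHSReturnCode.RESULT_CERTIFICATE_ALREADY_EXISTS;
            }
            openKeyStoreFile.setCertificateEntry(certAlias, x509Certificate);
            if (!saveKeyStore(openKeyStoreFile, rootKeyStoreFile, rootKeyStorePassword)) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "importTrustedCertificate: failed to save root file!");
                return NCHSReturnCode.RESULT_OPERATION_FAILED;
            }
            updateCertMap(this.mCategoryToCertGroupMap, str, certAlias, str2, NCHSCertStore.ANYCONNECT, true);
            AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "importTrustedCertificate: " + str);
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "importTrustedCertificate: imported " + x509Certificate.getSubjectDN() + " (" + certAlias + "), local KeyStore=" + this.mTrustedKeyStore);
            // Drop the cached store and trust manager so the next use reloads the updated file.
            this.mTrustedKeyStore = null;
            this.mLocalTrustMgr = null;
            return NCHSReturnCode.RESULT_OPERATION_COMPLETED;
        } catch (KeyStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importTrustedCertificate: failed due to KeyStoreException: " + e);
            return NCHSReturnCode.RESULT_OPERATION_FAILED;
        }
    }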

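    /**
     * Builds the multi cert store from the available back ends and creates the YubiKey store.
     *
     * <p>Each back end is added independently, so one failing does not prevent the others from
     * being registered. Change over the decompiled listing: those failures used to be discarded
     * silently; they are now logged so a missing certificate source can be diagnosed. Control
     * flow is unchanged.
     */
    public void initCertStores() {
        this.mMultiCertStore = new MultiCertStore(null);
        try {
            this.mMultiCertStore.addCertStore(new ACLegacyCertStore("AC/client", CLIENT_KEYSTORE_TYPE, new File(getClientKeyStoreFile()), getClientKeyStorePassword().toCharArray(), getClientPrivateKeyPassword().toCharArray()));
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "initCertStores: AC/client store not available", e);
        }
        try {
            // The Android keystore back end is only registered from API level 18 on.
            if (Build.VERSION.SDK_INT >= 18) {
                this.mMultiCertStore.addCertStore(new AndroidKeyStore("ANDROID/client", this.mContext));
            }
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "initCertStores: ANDROID/client store not available", e);
        }
        try {
            this.mMultiCertStore.addCertStore(new KeychainClientStore("KEYCHAIN/client", this.mContext, this.mKeychainAliasList));
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "initCertStores: KEYCHAIN/client store not available", e);
        }
        try {
            this.mMultiCertStore.addCertStore(new TimaKeystore("KNOX_TIMA/client", this.mContext));
        } catch (CertStoreException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "initCertStores: KNOX_TIMA/client store not available", e);
        }
        this.mYubikeyStore = new YubikeyCertStore("YUBIKEY/client", this.mContext);
    }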

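    /**
     * Loads the code-signing certificate that {@code verifyX509CertForSigning} compares
     * presented chains against.
     *
     * <p>The previously held certificate is cleared first, so a failed call leaves no
     * signing certificate configured. The stream is read to its end, closed, and the
     * bytes are parsed with {@code derToX509Certificate}.
     *
     * <p>The stream is now closed in a {@code finally} block; the original closed it only
     * after a successful read, leaking it when {@code read} threw.
     *
     * @param inputStream source of the DER-encoded certificate; closed by this method
     * @return {@code true} if a certificate was parsed and stored, {@code false} if the
     *         stream was {@code null}, could not be read or closed, or did not parse
     */
    public boolean initializeSigningCert(InputStream inputStream) {
        this.mCodeSigningCert = null;
        if (inputStream == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "initializeSigningCert: no input stream provided");
            return false;
        }
        try {
            byte[] encoded;
            try {
                ByteArrayOutputStream collected = new ByteArrayOutputStream();
                byte[] chunk = new byte[1024];
                int count;
                // Stop on end-of-stream (-1) and also on a zero-length read, as before.
                while ((count = inputStream.read(chunk)) > 0) {
                    collected.write(chunk, 0, count);
                }
                encoded = collected.toByteArray();
            } finally {
                // Runs on the failure path too; a close failure is reported by the outer catch.
                inputStream.close();
            }
            X509Certificate parsed = derToX509Certificate(encoded);
            this.mCodeSigningCert = parsed;
            if (parsed == null) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "initializeSigningCert: failed to parse to a cert!");
                return false;
            }
            AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "initializeSigningCert: " + this.mCodeSigningCert.getSubjectDN());
            return true;
        } catch (IOException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "initializeSigningCert: got IOException trying to read cert", e);
            return false;
        }
    }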

    /**
     * Reports whether a certificate is installed in the requested store.
     *
     * <p>Only {@code NCHSCertStore.SYSTEM} is answered, by delegating to the system
     * certificate manager. {@code ANYCONNECT} and {@code ALL} log "Not implemented" and
     * return {@code false}; note that {@code ALL} therefore never consults the system
     * store. Any other store value returns {@code false}.
     *
     * @param str value handed to the system certificate manager to identify the certificate
     * @param nCHSCertStore store to look in
     * @return {@code true} only when the system store reports the certificate as installed
     */
    public synchronized boolean isCertificateInstalled(String str, NCHSCertStore nCHSCertStore) {
        boolean anyConnectOrAll = NCHSCertStore.ANYCONNECT == nCHSCertStore || NCHSCertStore.ALL == nCHSCertStore;
        if (anyConnectOrAll) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Not implemented");
            return false;
        }
        if (NCHSCertStore.SYSTEM == nCHSCertStore) {
            return this.mSystemCertMgr.isCertificateInstalled(str);
        }
        return false;
    }

    /**
     * Decides whether using the private key behind an alias requires user authentication.
     *
     * <p>Below API level 23 the answer is always {@code false}. Otherwise the key's
     * {@link KeyInfo} is read through the "AndroidKeyStore" key factory:
     * <ul>
     *   <li>no key for the alias, or a key without the user-authentication requirement:
     *       {@code false};</li>
     *   <li>a key whose encryption paddings do not include "NoPadding": the certificate is
     *       deleted, an error popup is shown, and {@code false} is returned;</li>
     *   <li>a key that requires authentication on a device that
     *       {@code Prerequisites.isDeviceSecure} reports as not secure: the certificate is
     *       deleted and {@link UnrecoverableKeyException} is thrown;</li>
     *   <li>otherwise {@code true}.</li>
     * </ul>
     *
     * <p>This method is destructive: two of its branches delete the stored certificate.
     *
     * @param str alias of the client certificate
     * @return {@code true} if the key requires user authentication and is usable
     * @throws UnrecoverableKeyException if the key was deleted because the device is not
     *         secure, or if the store lookup itself raised it
     */
    public boolean isUserAuthRequired(String str) throws UnrecoverableKeyException {
        if (Build.VERSION.SDK_INT < 23) {
            return false;
        }
        try {
            PrivateKey key = this.mMultiCertStore.getPrivateKey(str);
            if (key == null) {
                AppLog.error(this, "Could not find private key with alias " + str);
                return false;
            }
            KeyFactory factory = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
            KeyInfo info = (KeyInfo) factory.getKeySpec(key, KeyInfo.class);
            if (!info.isUserAuthenticationRequired()) {
                return false;
            }
            boolean allowsNoPadding = Arrays.asList(info.getEncryptionPaddings()).contains("NoPadding");
            if (!allowsNoPadding) {
                // The key cannot be used with the NoPadding transformation; drop it and tell the user.
                this.mMultiCertStore.deleteCert(str);
                Globals.PopupError(this.mContext, UITranslator.getString(R.string.fingerprint_auth_cert_not_valid));
                return false;
            }
            if (!Prerequisites.isDeviceSecure(this.mContext)) {
                AppLog.error(this, "Device not secure, deleting key with alias " + str);
                this.mMultiCertStore.deleteCert(str);
                throw new UnrecoverableKeyException("Device not secure, key deleted");
            }
            return true;
        } catch (UnrecoverableKeyException e) {
            // Must reach the caller; listed first so the generic handler below does not absorb it.
            throw e;
        } catch (InvalidKeySpecException ignored) {
            // getKeySpec rejected the key; treated as "no authentication required" without logging.
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "isUserAuthRequired Exception ", e);
        }
        return false;
    }

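    /**
     * Records a single certificate alias in the category-to-certificate-group map under
     * the AnyConnect store, then dumps the alias map.
     *
     * <p>The alias list was previously an anonymous {@code ArrayList} subclass carrying a
     * synthetic {@code val$certAlias} field and a {@code String} constructor argument,
     * which is a decompiler artifact and not valid Java. It is replaced by an ordinary
     * mutable one-element list with the same content.
     *
     * <p>Any exception is logged and swallowed, so callers get no failure signal.
     *
     * @param str  certificate alias to record
     * @param str2 passed to {@code updateCertMap} as its second argument
     * @param str3 passed to {@code updateCertMap} as its fourth argument
     */
    public synchronized void mapCertAlias(String str, String str2, String str3) {
        try {
            // Mutable on purpose: updateCertMap is not visible here and may modify the list.
            List<String> aliases = new ArrayList<String>();
            aliases.add(str);
            updateCertMap(this.mCategoryToCertGroupMap, str2, aliases, str3, NCHSCertStore.ANYCONNECT, true);
            dumpCertAliasesMap();
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "importCertAlias exception", e);
        }
    }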

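    /**
     * Opens a keystore file and loads it through {@code openKeyStoreStream}.
     *
     * <p>The file stream is now closed in a {@code finally} block. The original closed it
     * only on the success path, so a failure inside {@code openKeyStoreStream} left the
     * descriptor of a key-material file open.
     *
     * <p>Failures are logged at info level and reported as {@code null}; a missing file is
     * an expected case. A failure to close the stream after a successful load is logged
     * and the loaded keystore is still returned, as before.
     *
     * @param str  path of the keystore file
     * @param str2 passed to {@code openKeyStoreStream} as its second argument
     * @param str3 passed to {@code openKeyStoreStream} as its third argument
     * @return the value returned by {@code openKeyStoreStream}, or {@code null} if the
     *         file could not be opened or read
     */
    protected KeyStore openKeyStoreFile(String str, String str2, String str3) {
        KeyStore keyStore = null;
        FileInputStream fileInputStream = null;
        try {
            fileInputStream = new FileInputStream(str);
            keyStore = openKeyStoreStream(fileInputStream, str2, str3);
        } catch (FileNotFoundException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "openKeyStoreFile: " + e);
        } catch (IOException e2) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "openKeyStoreFile: failed to read " + str + " for local keystore: " + e2);
        } catch (NullPointerException e3) {
            // Kept for compatibility: a null path makes the FileInputStream constructor throw this.
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "openKeyStoreFile: " + e3);
        } finally {
            if (fileInputStream != null) {
                try {
                    fileInputStream.close();
                } catch (IOException closeFailure) {
                    AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "openKeyStoreFile: failed to read " + str + " for local keystore: " + closeFailure);
                }
            }
        }
        return keyStore;
    }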

    /**
     * Drops the cached hostname verifier, trusted keystore and both trust managers.
     *
     * <p>The verification methods in this class call {@code initialize...} helpers before
     * using these fields, so presumably they are rebuilt on next use; confirm against
     * those helpers.
     */
    protected void reset() {
        mTrustedKeyStore = null;
        mLocalTrustMgr = null;
        mSystemTrustMgr = null;
        mHostnameMgr = null;
    }

    /**
     * Stores the password used for the client keystore.
     *
     * <p>The value is held as a {@code String} field for the lifetime of this object; it is
     * not cleared by this class within the visible code.
     *
     * @param str client keystore password
     * @return always {@code true}
     */
    protected boolean setClientKeyStorePassword(String str) {
        mClientStorePassword = str;
        return true;
    }

    /**
     * Stores the password that protects client private-key entries.
     *
     * @param str private-key password
     * @return always {@code true}
     */
    protected boolean setClientPrivateKeyPassword(String str) {
        mClientPrivKeyPassword = str;
        return true;
    }

    /**
     * Replaces the code-signing certificate that {@code verifyX509CertForSigning}
     * compares presented chains against.
     *
     * <p>No validation is performed here; {@code null} is accepted and makes signing
     * verification fail as "not initialized".
     *
     * @param x509Certificate certificate to trust for code signing
     * @return always {@code true}
     */
    protected boolean setCodeSigningCertificate(X509Certificate x509Certificate) {
        mCodeSigningCert = x509Certificate;
        return true;
    }

    /**
     * Sets the keystore path held by this manager.
     *
     * <p>The value is stored as given; no normalization or existence check is done here.
     *
     * @param str keystore path
     */
    public void setKeystorePath(String str) {
        mKeystorePath = str;
    }

    /**
     * Derives the three keystore passwords from one seed.
     *
     * <p>Each password is {@code CryptoAlgorithms.hashToHexString} applied to the UTF-8
     * bytes of a fixed label ("root:", "client:", "privkey:") followed by the seed, so
     * the three values differ but are all determined by the seed alone. The digest used
     * by {@code hashToHexString} is not visible here. A {@code null} seed is not rejected:
     * string concatenation turns it into the text "null".
     *
     * <p>NOTE(review): anyone who learns the seed can recompute all three passwords, so
     * the protection of the keystores is bounded by how the caller obtains and stores
     * the seed; confirm at the call sites.
     *
     * @param str seed from which the passwords are derived
     */
    public void setPasswordSeed(String str) {
        try {
            // Same order as before: root store, client store, private key.
            byte[] rootMaterial = ("root:" + str).getBytes("UTF-8");
            setRootKeyStorePassword(CryptoAlgorithms.hashToHexString(rootMaterial));
            byte[] clientMaterial = ("client:" + str).getBytes("UTF-8");
            setClientKeyStorePassword(CryptoAlgorithms.hashToHexString(clientMaterial));
            byte[] keyMaterial = ("privkey:" + str).getBytes("UTF-8");
            setClientPrivateKeyPassword(CryptoAlgorithms.hashToHexString(keyMaterial));
        } catch (UnsupportedEncodingException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "setPasswordSeed: got exception: ", e);
        }
    }

    /**
     * Stores the password used for the root (trusted certificate) keystore.
     *
     * @param str root keystore password
     * @return always {@code true}
     */
    protected boolean setRootKeyStorePassword(String str) {
        mRootStorePassword = str;
        return true;
    }

    /**
     * Placeholder for a SAFE-backed certificate manager, which this class does not provide.
     *
     * @throws RuntimeException always
     */
    public void setSafe() {
        final String reason = "SAFE Certificate manager not implemented";
        throw new RuntimeException(reason);
    }

    /**
     * Performs a private-key operation on caller-supplied bytes with the key stored
     * under an alias.
     *
     * <p>EC and ECDSA keys sign with {@code NONEwithECDSA}, which uses the input as the
     * digest and does not hash it again. All other keys go through a {@link Cipher} in
     * encrypt mode with the private key: {@code RSA/ECB/PKCS1Padding} when running on a
     * Chromebook with an alias from the KeyChain alias list, {@code RSA/ECB/NoPadding}
     * otherwise.
     *
     * <p>NOTE(review): with {@code NoPadding} the bytes are processed exactly as given,
     * so presumably the caller has already built the padded signature block; confirm at
     * the call sites. The method puts no restriction on what is signed, so access to it
     * should be limited to trusted callers.
     *
     * <p>If the key has been permanently invalidated, the certificate is deleted (a
     * failure to delete is only logged) and {@link UnrecoverableKeyException} is thrown.
     * Every other failure is logged and reported as {@code null}.
     *
     * @param str  alias of the client certificate whose private key is used
     * @param bArr bytes to sign
     * @return the signature bytes, or {@code null} on a missing alias, missing input,
     *         unknown key or any failure other than permanent key invalidation
     * @throws UnrecoverableKeyException if the key was permanently invalidated
     */
    public synchronized byte[] signWithClientCertificate(String str, byte[] bArr) throws UnrecoverableKeyException {
        if (str == null || str.equals("")) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "signWithClientCertificate: no client key alias given");
            return null;
        }
        if (bArr == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "signWithClientCertificate: null hash given");
            return null;
        }
        try {
            PrivateKey key = this.mMultiCertStore.getPrivateKey(str);
            if (key == null) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "Could not find private key with alias: " + str);
                return null;
            }
            if (key.getAlgorithm().equals("EC") || key.getAlgorithm().equals("ECDSA")) {
                Signature signer = Signature.getInstance("NONEwithECDSA");
                signer.initSign(key);
                signer.update(bArr);
                return signer.sign();
            }
            final String transformation;
            if (Prerequisites.isChromebook(this.mContext) && this.mKeychainAliasList.getAliases().contains(str)) {
                AppLog.info(this, "Signing with PKCS1Padding");
                transformation = "RSA/ECB/PKCS1Padding";
            } else {
                AppLog.info(this, "Signing with NoPadding");
                transformation = "RSA/ECB/NoPadding";
            }
            Cipher rsa = Cipher.getInstance(transformation);
            rsa.init(Cipher.ENCRYPT_MODE, key);
            return rsa.doFinal(bArr);
        } catch (KeyPermanentlyInvalidatedException invalidated) {
            // Subclass of InvalidKeyException, so it has to be caught ahead of the general case.
            try {
                AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "Key " + str + " was invalidated, deleting");
                this.mMultiCertStore.deleteCert(str);
            } catch (Exception deleteFailure) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "deleteCert: Exception", deleteFailure);
            }
            throw new UnrecoverableKeyException();
        } catch (InvalidKeyException e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "signWithClientCertificate: InvalidKeyException", e);
            return null;
        } catch (Exception e) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "signWithClientCertificate: Exception", e);
            return null;
        }
    }

    /**
     * Signs bytes with the key in the given YubiKey slot by delegating to the YubiKey store.
     *
     * <p>No argument checks are made here; the store's result is returned unchanged.
     *
     * @param yubikeySlot slot holding the signing key
     * @param bArr        bytes to sign
     * @return whatever {@code YubikeyCertStore.sign} returns
     */
    public synchronized byte[] signWithYubikeyCertificate(YubikeySlot yubikeySlot, byte[] bArr) {
        final byte[] signed = this.mYubikeyStore.sign(yubikeySlot, bArr);
        return signed;
    }

    /**
     * Re-keys the root and client keystores from an old password seed to a new one.
     *
     * <p>The old passwords are derived by applying the old seed and reading the three
     * getters; the new seed is then applied and each keystore file is converted with
     * {@code convertKeystorePasswords}. On success the cached trusted keystore and local
     * trust manager are dropped.
     *
     * <p>NOTE(review): the rotation is not atomic. The in-memory passwords already
     * correspond to the new seed before any file is converted, and they stay that way
     * when a conversion fails. If the root store converts and the client store does not,
     * the two files are protected by passwords from different seeds. Callers that get
     * {@code false} should be checked for how they recover.
     *
     * @param str  old seed; not checked for {@code null}
     * @param str2 new seed; must not be {@code null}
     * @return {@code true} if both keystores were converted, {@code false} otherwise
     */
    public boolean updatePasswordSeed(String str, String str2) {
        if (str2 == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "updatePasswordSeed: cannot have null seed");
            return false;
        }
        // Capture the passwords that the old seed yields before switching seeds.
        setPasswordSeed(str);
        String previousClientStorePassword = getClientKeyStorePassword();
        String previousPrivateKeyPassword = getClientPrivateKeyPassword();
        String previousRootStorePassword = getRootKeyStorePassword();
        // From here on the getters return the passwords derived from the new seed.
        setPasswordSeed(str2);
        boolean rootConverted = convertKeystorePasswords(getRootKeyStoreFile(), ROOT_KEYSTORE_TYPE, previousRootStorePassword, null, getRootKeyStorePassword(), null);
        if (!rootConverted) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "updatePasswordSeed: failed to convert root store");
            return false;
        }
        boolean clientConverted = convertKeystorePasswords(getClientKeyStoreFile(), CLIENT_KEYSTORE_TYPE, previousClientStorePassword, previousPrivateKeyPassword, getClientKeyStorePassword(), getClientPrivateKeyPassword());
        if (!clientConverted) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "updatePasswordSeed: failed to convert client store");
            return false;
        }
        this.mTrustedKeyStore = null;
        this.mLocalTrustMgr = null;
        return true;
    }

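    /**
     * Checks that a certificate's KeyUsage extension permits every use in a bit mask.
     *
     * <p>Bit {@code n} of the mask corresponds to index {@code n} of
     * {@link X509Certificate#getKeyUsage()}. A certificate without the extension is
     * accepted, as is an empty mask.
     *
     * <p>Two defects of the previous loop are fixed:
     * <ul>
     *   <li>the bounds test was {@code index > length}, so an index equal to the array
     *       length read past the end of the array instead of reporting the use as
     *       missing;</li>
     *   <li>the loop ran up to the <em>value</em> of the highest set bit rather than its
     *       position, so for masks with bit 6 or above the shift count passed 31, wrapped
     *       around, and low bits were tested again against out-of-range indices.</li>
     * </ul>
     * Each of the 32 bit positions is now tested exactly once, and a required use that
     * the certificate cannot express is treated as missing.
     *
     * @param x509Certificate certificate to inspect
     * @param i               bit mask of required key usages
     * @return {@code true} if all required uses are present or nothing can be checked,
     *         {@code false} if the certificate is {@code null} or lacks a required use
     */
    public boolean verifyKeyUsage(X509Certificate x509Certificate, int i) {
        if (x509Certificate == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyKeyUsage: no certficate");
            return false;
        }
        if (i == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyKeyUsage: no required uses");
            return true;
        }
        boolean[] keyUsage = x509Certificate.getKeyUsage();
        if (keyUsage == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyKeyUsage: certificate has no uses specified");
            return true;
        }
        for (int bit = 0; bit < Integer.SIZE; bit++) {
            int mask = 1 << bit;
            if ((mask & i) == 0) {
                continue;
            }
            // Out-of-range positions count as "not granted" rather than being indexed.
            if (bit >= keyUsage.length || !keyUsage[bit]) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyKeyUsage: missing required use #" + bit + " (0x" + Integer.toHexString(mask) + ")");
                return false;
            }
        }
        AppLog.logDebugBuildDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyKeyUsage: certificate has all required uses (0x" + Integer.toHexString(i) + ")");
        return true;
    }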

    /**
     * Checks a presented chain against the configured code-signing certificate.
     *
     * <p>This is an equality check, not a path validation: the first element of
     * {@code getSortedChain(chain)} must equal the stored code-signing certificate.
     * No trust manager is consulted, and nothing in this method checks validity dates
     * or revocation.
     *
     * @param x509CertificateArr presented certificate chain
     * @return {@code 0} if the first sorted certificate equals the code-signing
     *         certificate; {@code -1} if the chain is {@code null} or empty, no
     *         code-signing certificate is configured, or the certificates differ
     */
    public synchronized int verifyX509CertForSigning(X509Certificate[] x509CertificateArr) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "verifyX509CertForSigning: no chain provided");
            return -1;
        }
        if (this.mCodeSigningCert == null) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "verifyX509CertForSigning: signing cert not initialized");
            return -1;
        }
        boolean matchesPinnedCert = this.mCodeSigningCert.equals(getSortedChain(x509CertificateArr)[0]);
        if (!matchesPinnedCert) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_WARN, ENTITY_NAME, "verifyX509CertForSigning: presented certificate does not match code signing cert");
            return -1;
        }
        AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "verifyX509CertForSigning: presented valid certificate");
        return 0;
    }

    /**
     * Validates a certificate chain against the system trust store and, optionally, the
     * local trusted keystore.
     *
     * <p>Result convention as used here: {@code -1} is a hard failure, {@code 0} is
     * success, and any other value is a set of flag bits produced by
     * {@code checkTrustManager}. The meaning of the individual bits is defined elsewhere.
     *
     * <p>Flow:
     * <ol>
     *   <li>reject a {@code null} or empty chain, or a system trust manager that cannot
     *       be initialized, with {@code -1};</li>
     *   <li>check the system store; {@code -1} or {@code 0} is final;</li>
     *   <li>if the local store is not requested or cannot be set up, return the system
     *       result;</li>
     *   <li>check the local store; {@code -1} or {@code 0} is final;</li>
     *   <li>otherwise OR both results together, clear bit {@code 16} when the system
     *       result did not have it, and return that, unless {@code z2} is set and
     *       {@code isTrustedLeaf} accepts the first certificate, in which case the result
     *       is {@code 0}.</li>
     * </ol>
     *
     * <p>NOTE(review): the trusted-leaf branch returns success regardless of the flag
     * bits reported by both trust managers, so what {@code isTrustedLeaf} accepts decides
     * the outcome on that path; confirm it is as strict as intended.
     *
     * @param x509CertificateArr chain to validate, leaf expected at index 0
     * @param z  whether to fall back to the local trusted keystore
     * @param z2 whether a leaf accepted by {@code isTrustedLeaf} is sufficient
     * @return {@code 0}, {@code -1}, or a combination of flag bits
     */
    protected int verifyX509Certificate(X509Certificate[] x509CertificateArr, boolean z, boolean z2) {
        if (x509CertificateArr == null || x509CertificateArr.length == 0) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509Certificate: invalid certificate format");
            return -1;
        }
        if (!initializeSystemTrustManager()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "verifyX509Certificate: system TrustManger intialization failed");
            return -1;
        }
        // Trace the chain as presented, one entry per certificate.
        for (int position = 0; position < x509CertificateArr.length; position++) {
            X509Certificate entry = x509CertificateArr[position];
            AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "Certificate #" + position);
            AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "    Subject : " + entry.getSubjectDN());
            AppLog.logDebugMessage(AppLog.Severity.DBG_TRACE, ENTITY_NAME, "    Issuer  : " + entry.getIssuerDN());
        }
        AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Verifying against the system key store...");
        int systemResult = checkTrustManager(this.mSystemTrustMgr, x509CertificateArr, "system", null);
        if (systemResult == -1 || systemResult == 0) {
            return systemResult;
        }
        if (!z) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509Certificate: not checking local certificate store");
            return systemResult;
        }
        if (!initializeTrustedKeyStore()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509Certificate: no local key store to try");
            return systemResult;
        }
        if (!initializeLocalTrustManager()) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509Certificate: could not create local trust manager");
            return systemResult;
        }
        AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Verifying against the local key store...");
        int localResult = checkTrustManager(this.mLocalTrustMgr, x509CertificateArr, ImagesContract.LOCAL, this.mTrustedKeyStore);
        if (localResult == -1 || localResult == 0) {
            return localResult;
        }
        int combined = localResult | systemResult;
        if ((systemResult & 16) == 0) {
            // Bit 16 survives only if the system check raised it.
            combined &= ~16;
        }
        X509Certificate leaf = x509CertificateArr[0];
        if (z2 && isTrustedLeaf(leaf)) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509Certificate: " + leaf.getSubjectDN() + " is trusted");
            return 0;
        }
        return combined;
    }

    /**
     * Validates a server certificate chain and its key usage, without a hostname check.
     *
     * <p>The chain is validated with the local keystore enabled and the trusted-leaf
     * shortcut disabled. A hard failure ({@code -1}) is returned as is. Otherwise the
     * leaf must pass {@code verifyKeyUsage} with mask {@code 4}, which selects index 2 of
     * {@code getKeyUsage()} (keyEncipherment in the X.509 KeyUsage ordering); if it does
     * not, bit {@code 32} is added to the result. The log text suggests this bit leads to
     * a user confirmation rather than a rejection; confirm with the consumer of the
     * result.
     *
     * @param x509CertificateArr server certificate chain, leaf at index 0
     * @return {@code -1}, {@code 0}, or flag bits, possibly including {@code 32}
     */
    public synchronized int verifyX509ServerCert(X509Certificate[] x509CertificateArr) {
        int outcome = verifyX509Certificate(x509CertificateArr, true, false);
        if (outcome == -1) {
            return outcome;
        }
        boolean usageAllowed = verifyKeyUsage(x509CertificateArr[0], 4);
        if (usageAllowed) {
            return outcome;
        }
        AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509ServerCertForHost: confirm because missing key usage: 0x" + Integer.toHexString(4));
        return outcome | 32;
    }

    /**
     * Validates a server certificate chain and checks that the leaf matches a host name.
     *
     * <p>The chain is validated with the local keystore enabled; {@code z} controls the
     * trusted-leaf shortcut. A hard failure ({@code -1}) is returned as is. Otherwise
     * {@code buildVerifyCertChain} is called with the chain and {@code list}, and the
     * hostname verifier is run against the leaf:
     * <ul>
     *   <li>verifier cannot be initialized: bit {@code 1} is added;</li>
     *   <li>verification throws {@link SSLException}: bit {@code 2} is added.</li>
     * </ul>
     *
     * <p>Neither condition turns the result into {@code -1}, and a result of {@code 0}
     * from chain validation (including the trusted-leaf shortcut) still has the hostname
     * bits applied. The caller must therefore treat any non-zero result as not yet
     * trusted.
     *
     * @param x509CertificateArr server certificate chain, leaf at index 0
     * @param str  host name the leaf must match
     * @param z    whether a leaf accepted by {@code isTrustedLeaf} is sufficient for
     *             chain validation
     * @param list passed to {@code buildVerifyCertChain}
     * @return {@code -1}, {@code 0}, or flag bits
     */
    public synchronized int verifyX509ServerCertForHost(X509Certificate[] x509CertificateArr, String str, boolean z, List<X509Certificate> list) {
        int outcome = verifyX509Certificate(x509CertificateArr, true, z);
        if (outcome == -1) {
            return outcome;
        }
        buildVerifyCertChain(x509CertificateArr, list);
        try {
            if (!initializeHostnameVerifier()) {
                AppLog.logDebugMessage(AppLog.Severity.DBG_ERROR, ENTITY_NAME, "verifyX509ServerCertForHost: failed to initialize domain checker");
                outcome |= 1;
            } else {
                this.mHostnameMgr.verify(str, x509CertificateArr[0]);
            }
        } catch (SSLException mismatch) {
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "verifyX509ServerCertForHost: confirm because certificate did not match server: " + mismatch);
            outcome |= 2;
        }
        return outcome;
    }
}
