package com.bytedance.android.sdk.bdticketguard;

import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import androidx.core.view.accessibility.AccessibilityEventCompat;
import com.a;
import com.ss.android.auto.anr.d.b;
import com.ss.android.auto.npth.d;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECPoint;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import me.ele.lancet.base.Scope;
import me.ele.lancet.base.annotations.ImplementedInterface;
import me.ele.lancet.base.annotations.Proxy;
import net.bytedance.zdplib.Delta;
import org.bouncycastle.asn1.ae.s;
import org.bouncycastle.asn1.x509.aa;
import org.bouncycastle.asn1.x509.j;
import org.bouncycastle.asn1.x509.y;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.f;
import org.bouncycastle.util.io.pem.c;

/* loaded from: classes6.dex */
public class TicketGuardKeyHelper {
    private volatile KeyPair keyPair;
    private final String keystoreAlias;
    private Boolean newKey;
    private final String principal;
    private String pubKey04;
    private String pubKeyBase64;
    private final SharedPreferences sp;

    /* loaded from: classes6.dex */
    public static class Api {
        /**
         * Build-time proxy (Lancet) that replaces {@code SharedPreferences.Editor.apply()} calls
         * made from this class.
         *
         * Depending on the obfuscated switches on {@code b}, the editor is first handed to
         * {@code b.a(...)} and a stack trace tagged {@code SharedPref_apply_Stack} is passed to
         * {@code d.a().a(...)}. The real {@code apply()} always runs last.
         * NOTE(review): the meaning of the switches is not visible here; judging by the import
         * packages they look like ANR / crash diagnostics -- confirm.
         *
         * @param editor editor whose pending changes are applied
         */
        @Proxy("apply")
        @ImplementedInterface(scope = Scope.ALL_SELF, value = {"android.content.SharedPreferences$Editor"})
        public static void INVOKEINTERFACE_com_bytedance_android_sdk_bdticketguard_TicketGuardKeyHelper$Api_com_ss_android_auto_anr_sp_SharedPreferencesEditorLancet_apply(SharedPreferences.Editor editor) {
            if (b.f38009b) {
                b.a(editor);
            }
            if (b.f38010c || b.f38009b) {
                // The exception is created only to capture the call stack; it is never thrown.
                final String tag = "SharedPref_apply_Stack";
                d.a().a(tag, Log.getStackTraceString(new RuntimeException(tag)));
            }
            editor.apply();
        }

        /**
         * Reports whether key material already exists for the given alias.
         *
         * On API 23+ the AndroidKeyStore is asked for {@code str}. On older devices, where this
         * class keeps the key pair in SharedPreferences, the key counts as present only when both
         * the public-key entry and the private-key entry hold a non-empty string.
         *
         * @param str keystore alias (consulted on API 23+ only)
         * @param sharedPreferences preferences consulted on pre-23 devices
         * @param str2 preference key of the encoded public key
         * @param str3 preference key of the encoded private key
         * @return {@code true} if a key is already stored
         */
        public static boolean containsAlias(String str, SharedPreferences sharedPreferences, String str2, String str3) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            if (Build.VERSION.SDK_INT >= 23) {
                KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
                androidKeyStore.load(null);
                return androidKeyStore.containsAlias(str);
            }
            // Legacy storage: both halves must be present, otherwise the pair is unusable.
            boolean publicHalfStored = !TextUtils.isEmpty(sharedPreferences.getString(str2, null));
            if (!publicHalfStored) {
                return false;
            }
            return !TextUtils.isEmpty(sharedPreferences.getString(str3, null));
        }

        /**
         * Builds a certificate signing request for {@code keyPair} and returns it as PEM text with
         * the type label {@code CERTIFICATE REQUEST}.
         *
         * The request is signed with the pair's private key using SHA256withECDSA, so the receiver
         * can check that the requester holds the private key.
         * NOTE(review): the BouncyCastle class and member names are obfuscated in this listing, so
         * the per-line remarks below are inferences from argument shapes -- confirm against the
         * unobfuscated library before relying on them.
         *
         * @param keyPair key pair whose public key is certified and whose private key signs the request
         * @param str subject name passed to the request builder (presumably an X.500 DN string)
         * @return the PEM-encoded request
         */
        public static String genCsr(KeyPair keyPair, String str) throws OperatorCreationException, IOException {
            // Signer bound to the private key; algorithm name is the only value visible here.
            f a2 = new org.bouncycastle.operator.jcajce.b("SHA256withECDSA").a(keyPair.getPrivate());
            // Request builder over (subject, public key) -- presumably a PKCS#10 builder.
            org.bouncycastle.pkcs.b.b bVar = new org.bouncycastle.pkcs.b.b(new org.bouncycastle.asn1.am.d(str), keyPair.getPublic());
            // One extension is added with the second argument (presumably "critical") set to true.
            // NOTE(review): y.g / j(true) look like basicConstraints with CA=true -- verify that the
            // issuing side does not honour a CA request from a client-generated CSR.
            aa aaVar = new aa();
            aaVar.a(y.g, true, (org.bouncycastle.asn1.f) new j(true));
            // Attach the generated extension set as a request attribute.
            bVar.b(s.aj, aaVar.c());
            org.bouncycastle.util.io.pem.b bVar2 = new org.bouncycastle.util.io.pem.b("CERTIFICATE REQUEST", bVar.a(a2).f());
            StringWriter stringWriter = new StringWriter();
            org.bouncycastle.util.io.pem.f fVar = new org.bouncycastle.util.io.pem.f(stringWriter);
            fVar.a((c) bVar2);
            // Closing the PEM writer before reading the StringWriter makes sure all text is flushed.
            fVar.close();
            stringWriter.close();
            return stringWriter.toString();
        }

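        /**
         * Generates a new EC signing key pair.
         *
         * API 23+: the pair is created inside the AndroidKeyStore under alias {@code str},
         * restricted to signing with SHA-256. No curve is named, so the provider default applies,
         * and hardware backing is not requested explicitly.
         *
         * Pre-23: a 256-bit EC pair is created with the "BC" provider and BOTH halves are written
         * Base64-encoded into SharedPreferences.
         * SECURITY NOTE(review): on this path the private key sits unencrypted in an app-private
         * preferences file. It is protected only by the application sandbox, so it is readable on
         * a rooted or compromised device and, depending on the app's backup settings, may leave
         * the device. Keys from this path should be treated as software-only by whoever trusts
         * the resulting certificate.
         *
         * @param str keystore alias (API 23+ only)
         * @param editor preferences editor that receives the encoded keys on pre-23 devices
         * @param str2 preference key for the encoded public key
         * @param str3 preference key for the encoded private key
         * @return the freshly generated key pair
         */
        public static KeyPair genKeyPair(String str, SharedPreferences.Editor editor, String str2, String str3) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
            if (Build.VERSION.SDK_INT >= 23) {
                KeyPairGenerator keystoreGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
                // Named constants instead of the bare 4 / "SHA-256" the decompiler emitted.
                keystoreGenerator.initialize(
                        new KeyGenParameterSpec.Builder(str, android.security.keystore.KeyProperties.PURPOSE_SIGN)
                                .setDigests(android.security.keystore.KeyProperties.DIGEST_SHA256)
                                .build());
                return keystoreGenerator.generateKeyPair();
            }
            // The decompiler had substituted an unrelated accessibility constant that happens to
            // equal 256; the value is the EC key size in bits.
            final int legacyKeySizeBits = 256;
            KeyPairGenerator legacyGenerator = KeyPairGenerator.getInstance("EC", "BC");
            legacyGenerator.initialize(legacyKeySizeBits, new SecureRandom());
            KeyPair generated = legacyGenerator.generateKeyPair();
            editor.putString(str2, TicketGuardKeyHelper.base64EncodeKey(generated.getPublic()));
            // Plaintext private key persisted here -- see the security note in the method comment.
            editor.putString(str3, TicketGuardKeyHelper.base64EncodeKey(generated.getPrivate()));
            INVOKEINTERFACE_com_bytedance_android_sdk_bdticketguard_TicketGuardKeyHelper$Api_com_ss_android_auto_anr_sp_SharedPreferencesEditorLancet_apply(editor);
            return generated;
        }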

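        /**
         * Checks that {@code privateKey} belongs to the certificate encoded in {@code bArr}.
         *
         * A fixed probe message is signed with the private key and the signature is verified
         * against the certificate's public key. A mismatch is reported through
         * {@code TicketGuardEventHelper.monitorKeyNotMatch()}.
         *
         * @param bArr encoded X.509 certificate
         * @param privateKey local private key expected to match the certificate
         * @return {@code true} if the signature verifies
         * @throws CertificateException if the bytes do not decode to an X.509 certificate
         */
        public static boolean isKeyMatch(byte[] bArr, PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, IOException, CertificateException {
            X509Certificate certificate = parseCertificate(bArr);
            if (certificate == null) {
                // Fail with a declared, descriptive exception instead of a NullPointerException
                // from Signature.initVerify further down.
                throw new CertificateException("input did not decode to an X.509 certificate");
            }
            // Explicit charset: the probe bytes must not depend on the platform default.
            byte[] probe = "test".getBytes(java.nio.charset.StandardCharsets.UTF_8);
            boolean matches = verify(certificate, probe, sign(privateKey, probe));
            if (!matches) {
                TicketGuardEventHelper.monitorKeyNotMatch();
            }
            return matches;
        }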

        /**
         * Classifies where the private key lives.
         *
         * @param privateKey key to inspect
         * @return 1 when, on API 23+, {@code KeyInfo.isInsideSecureHardware()} is true for the
         *     key; 0 otherwise, including every pre-23 device
         */
        public static int keySecurityLevel(PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
            // The factory lookup happens before the version check, as in the original flow, so an
            // unknown algorithm is reported on every API level.
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm());
            if (Build.VERSION.SDK_INT < 23) {
                return 0;
            }
            KeyInfo info = (KeyInfo) factory.getKeySpec(privateKey, KeyInfo.class);
            if (info.isInsideSecureHardware()) {
                return 1;
            }
            return 0;
        }

        /**
         * Loads the previously created key pair.
         *
         * API 23+: reads the entry for alias {@code str} from the AndroidKeyStore; the public key
         * is taken from the entry's certificate. An entry that is not a private-key entry yields
         * {@code null}.
         *
         * Pre-23: rebuilds both keys from the Base64 strings kept in SharedPreferences (X.509
         * SubjectPublicKeyInfo for the public half, PKCS#8 for the private half). On this path
         * the private key is read from unencrypted app storage.
         *
         * @param str keystore alias (API 23+ only)
         * @param sharedPreferences preferences holding the encoded keys on pre-23 devices
         * @param str2 preference key of the encoded public key
         * @param str3 preference key of the encoded private key
         * @return the key pair, or {@code null} if either half is unavailable
         */
        public static KeyPair loadKeyPair(String str, SharedPreferences sharedPreferences, String str2, String str3) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException, UnrecoverableEntryException, InvalidKeySpecException {
            PublicKey publicHalf;
            PrivateKey privateHalf;
            if (Build.VERSION.SDK_INT < 23) {
                KeyFactory publicFactory = KeyFactory.getInstance("EC");
                byte[] encodedPublic = Base64.decode(sharedPreferences.getString(str2, null), Base64.DEFAULT);
                publicHalf = publicFactory.generatePublic(new X509EncodedKeySpec(encodedPublic));
                KeyFactory privateFactory = KeyFactory.getInstance("EC");
                byte[] encodedPrivate = Base64.decode(sharedPreferences.getString(str3, null), Base64.DEFAULT);
                privateHalf = privateFactory.generatePrivate(new PKCS8EncodedKeySpec(encodedPrivate));
            } else {
                KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
                androidKeyStore.load(null);
                KeyStore.Entry stored = androidKeyStore.getEntry(str, null);
                if (!(stored instanceof KeyStore.PrivateKeyEntry)) {
                    // Missing alias or an entry of another kind: nothing usable to return.
                    return null;
                }
                KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) stored;
                publicHalf = keyEntry.getCertificate().getPublicKey();
                privateHalf = keyEntry.getPrivateKey();
            }
            boolean complete = publicHalf != null && privateHalf != null;
            return complete ? new KeyPair(publicHalf, privateHalf) : null;
        }

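        /**
         * Encodes an EC public key as an uncompressed point: the literal prefix {@code "04"}
         * followed by the encoded X and Y coordinates.
         *
         * Each coordinate is emitted with exactly the byte length of the curve's field. The
         * previous code only removed a leading sign byte, so a coordinate whose top byte(s) were
         * zero came out shorter than the field size and the result no longer had the fixed
         * prefix + X + Y layout a parser of the uncompressed form expects.
         * NOTE(review): {@code Delta.c} is assumed to encode the byte array one byte at a time
         * (presumably as hex) -- confirm.
         *
         * @param eCPublicKey key to encode
         * @return the textual uncompressed point
         */
        public static String parse04PublicKey(ECPublicKey eCPublicKey) {
            ECPoint point = eCPublicKey.getW();
            // Field size in bits, rounded up to whole bytes (32 for a 256-bit curve).
            int coordinateLength = (eCPublicKey.getParams().getCurve().getField().getFieldSize() + 7) / 8;
            byte[] x = toFixedLength(point.getAffineX().toByteArray(), coordinateLength);
            byte[] y = toFixedLength(point.getAffineY().toByteArray(), coordinateLength);
            return "04" + Delta.c(x) + Delta.c(y);
        }

        /** Returns the big-endian magnitude in exactly {@code length} bytes: sign byte dropped, left-padded with zeros. */
        private static byte[] toFixedLength(byte[] magnitude, int length) {
            if (magnitude.length == length) {
                return magnitude;
            }
            if (magnitude.length > length) {
                // BigInteger.toByteArray() prepends 0x00 when the top bit is set; keep the low bytes.
                return Arrays.copyOfRange(magnitude, magnitude.length - length, magnitude.length);
            }
            byte[] padded = new byte[length];
            System.arraycopy(magnitude, 0, padded, length - magnitude.length, magnitude.length);
            return padded;
        }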

        /**
         * Returns the Base64 form of the uncompressed public point.
         *
         * The textual form from {@link #parse04PublicKey} is converted to bytes by {@code Delta.a}
         * (presumably a hex decoder -- confirm) and then Base64-encoded with
         * {@code Base64.DEFAULT}, so the result can contain line breaks; consumers have to
         * tolerate or strip them.
         *
         * @param eCPublicKey key to encode
         * @return Base64 text of the encoded point
         */
        public static String parseBase64PublicKey(ECPublicKey eCPublicKey) {
            String uncompressedPoint = parse04PublicKey(eCPublicKey);
            byte[] pointBytes = Delta.a(uncompressedPoint);
            return Base64.encodeToString(pointBytes, Base64.DEFAULT);
        }

        /**
         * Decodes one X.509 certificate from its encoded bytes.
         *
         * This only parses the structure. It does not validate the issuer chain, validity period
         * or revocation state, so the result must not be treated as trusted on that basis alone.
         *
         * @param bArr encoded certificate
         * @return the certificate, or {@code null} if the factory returned a non-X.509 type
         * @throws CertificateException if the bytes cannot be parsed
         */
        public static X509Certificate parseCertificate(byte[] bArr) throws IOException, CertificateException {
            Certificate decoded;
            try (ByteArrayInputStream encoded = new ByteArrayInputStream(bArr)) {
                decoded = CertificateFactory.getInstance("X.509").generateCertificate(encoded);
            }
            return decoded instanceof X509Certificate ? (X509Certificate) decoded : null;
        }

        /**
         * Signs {@code bArr} with SHA256withECDSA.
         *
         * @param privateKey signing key
         * @param bArr message bytes
         * @return the signature as produced by the provider
         */
        public static byte[] sign(PrivateKey privateKey, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
            final Signature signer = Signature.getInstance("SHA256withECDSA");
            signer.initSign(privateKey);
            signer.update(bArr);
            final byte[] signatureBytes = signer.sign();
            return signatureBytes;
        }

        /**
         * Verifies a SHA256withECDSA signature against the public key of {@code certificate}.
         *
         * Only the signature is checked; the certificate itself is not validated here.
         *
         * @param certificate certificate supplying the verification key
         * @param bArr message bytes that were signed
         * @param bArr2 signature to check
         * @return {@code true} if the signature is valid for the message
         */
        public static boolean verify(Certificate certificate, byte[] bArr, byte[] bArr2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
            final Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(certificate);
            verifier.update(bArr);
            final boolean valid = verifier.verify(bArr2);
            return valid;
        }
    }

    /**
     * Creates a helper bound to one keystore alias and one certificate subject.
     *
     * The preferences file {@code sp_TicketGuardHelper} is opened through the obfuscated helper
     * {@code a.a} with mode 0 (presumably a wrapper around {@code Context.getSharedPreferences}
     * -- confirm). No key is loaded or generated here; that happens in {@code tryGetKey}.
     *
     * @param context context used to open the preferences file
     * @param str keystore alias, also used as suffix of the preference keys
     * @param str2 subject string later placed into the CSR
     */
    public TicketGuardKeyHelper(Context context, String str, String str2) {
        this.keystoreAlias = str;
        this.principal = str2;
        this.sp = a.a(context, "sp_TicketGuardHelper", 0);
    }

    /**
     * Returns the Base64 text ({@code Base64.DEFAULT}) of the key's encoded form.
     *
     * For a private key this is the raw key material, so the result must be handled as a secret.
     * NOTE(review): keys whose material cannot be exported may return {@code null} from
     * {@code getEncoded()} -- presumably the case for AndroidKeyStore private keys -- which would
     * make this call fail; in this file it is only used on the pre-23 storage path.
     *
     * @param key key to encode
     * @return Base64 text of {@code key.getEncoded()}
     */
    public static String base64EncodeKey(Key key) {
        byte[] encodedKey = key.getEncoded();
        return Base64.encodeToString(encodedKey, Base64.DEFAULT);
    }

    /**
     * Tries up to three times to generate a key pair.
     *
     * @param z flag forwarded unchanged to the telemetry calls
     * @return the key pair from the first successful attempt, or {@code null} if all three fail
     */
    private KeyPair genKeyPair(boolean z) {
        int attempt = 1;
        while (attempt <= 3) {
            KeyPair generated = realGenKeyPair(z, attempt);
            if (generated != null) {
                return generated;
            }
            attempt++;
        }
        return null;
    }

    /**
     * Formats a distinguished-name string of the form {@code CN=..., OU=..., O=..., C=...}.
     *
     * The values are inserted verbatim. Nothing escapes DN metacharacters, so a value containing
     * a comma, plus sign or equals sign changes the structure of the resulting name; callers
     * should pass only values they control or have validated.
     *
     * @param str common name
     * @param str2 organisational unit
     * @param str3 organisation
     * @param str4 country
     * @return the formatted subject string
     */
    public static String getPrincipal(String str, String str2, String str3, String str4) {
        final String template = "CN=%s, OU=%s, O=%s, C=%s";
        return String.format(template, str, str2, str3, str4);
    }

    /**
     * Returns the preference key under which the pre-23 path stores the encoded private key.
     *
     * @return {@code sp_key_private_key_} followed by the keystore alias
     */
    private String getSpKeyPrivateKey() {
        final String prefix = "sp_key_private_key_";
        return prefix + this.keystoreAlias;
    }

    /**
     * Returns the preference key under which the pre-23 path stores the encoded public key.
     *
     * @return {@code sp_key_public_key_} followed by the keystore alias
     */
    private String getSpKeyPublicKey() {
        final String prefix = "sp_key_public_key_";
        return prefix + this.keystoreAlias;
    }

    /**
     * Determines the security level of the current private key and reports it to telemetry.
     *
     * Any failure, including a missing key pair, is swallowed: the level is then 0 and the
     * throwable is passed to {@code TicketGuardEventHelper.monitorGetKeyLevel}.
     *
     * @return 1 if the key is inside secure hardware, otherwise 0
     */
    private int keySecurityLevel() {
        int level = 0;
        Throwable failure = null;
        try {
            level = Api.keySecurityLevel(this.keyPair.getPrivate());
        } catch (Throwable caught) {
            failure = caught;
        }
        TicketGuardEventHelper.monitorGetKeyLevel(level, failure);
        return level;
    }

    /**
     * Tries up to three times to load the stored key pair.
     *
     * @param z flag forwarded unchanged to the telemetry calls
     * @return the key pair from the first successful attempt, or {@code null} if all three fail
     */
    private KeyPair loadKeyPair(boolean z) {
        int attempt = 1;
        while (attempt <= 3) {
            KeyPair loaded = realLoadKeyPair(z, attempt);
            if (loaded != null) {
                return loaded;
            }
            attempt++;
        }
        return null;
    }

    /**
     * Forwards a diagnostic message to {@code TicketGuardInnerFrameWork.log}.
     *
     * Callers in this class pass full stack traces on failure paths; none of the messages built
     * in this file include key material.
     *
     * @param str message to log
     */
    private void log(String str) {
        TicketGuardInnerFrameWork.log(str);
    }

    /**
     * Performs one CSR generation attempt and reports the outcome to telemetry.
     *
     * @param keyPair key pair to build the request for
     * @param i 1-based attempt number, forwarded to telemetry
     * @return the PEM request, or {@code null} if the attempt failed (reported with code 3001)
     */
    private String realGenCsr(KeyPair keyPair, int i) {
        String pem;
        try {
            pem = Api.genCsr(keyPair, this.principal);
            log("生成 csr 成功");
            TicketGuardEventHelper.monitorGenCsr(0, null, i);
        } catch (Throwable failure) {
            log("生成 csr 失败, exception=" + Log.getStackTraceString(failure));
            TicketGuardEventHelper.monitorGenCsr(3001, failure, i);
            return null;
        }
        return pem;
    }

    /**
     * Performs one key generation attempt unless a key pair is already cached.
     *
     * On success the pair is cached, {@code newKey} is set to true, and the security level plus
     * the elapsed time are reported. On failure the throwable is logged and reported with
     * code -1.
     *
     * @param z flag forwarded unchanged to telemetry
     * @param i 1-based attempt number, forwarded to telemetry
     * @return the cached or newly generated key pair, or {@code null} if this attempt failed
     */
    private KeyPair realGenKeyPair(boolean z, int i) {
        if (this.keyPair != null) {
            return this.keyPair;
        }
        final long startedAt = System.currentTimeMillis();
        try {
            this.keyPair = Api.genKeyPair(this.keystoreAlias, this.sp.edit(), getSpKeyPublicKey(), getSpKeyPrivateKey());
            this.newKey = Boolean.TRUE;
            log("生成 Key pair 成功");
            int level = keySecurityLevel();
            long elapsed = System.currentTimeMillis() - startedAt;
            TicketGuardEventHelper.monitorGetKeyPair(level, 0, null, elapsed, true, i, z);
            return this.keyPair;
        } catch (Throwable failure) {
            log("生成 Key pair 失败, exception=" + Log.getStackTraceString(failure));
            long elapsed = System.currentTimeMillis() - startedAt;
            TicketGuardEventHelper.monitorGetKeyPair(0, -1, failure, elapsed, true, i, z);
            return null;
        }
    }

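    /**
     * Performs one load attempt unless a key pair is already cached.
     *
     * {@code Api.loadKeyPair} returns {@code null} when the stored entry is not a usable
     * private-key entry. That case is now handled as a failure. Previously {@code newKey} was set
     * to false and "success" was logged even though no key was available, which left the helper
     * claiming to be initialised while every later signing call failed.
     *
     * @param z flag forwarded unchanged to telemetry
     * @param i 1-based attempt number, forwarded to telemetry
     * @return the cached or loaded key pair, or {@code null} if this attempt failed
     */
    private KeyPair realLoadKeyPair(boolean z, int i) {
        if (this.keyPair != null) {
            return this.keyPair;
        }
        long startedAt = System.currentTimeMillis();
        try {
            KeyPair loaded = Api.loadKeyPair(this.keystoreAlias, this.sp, getSpKeyPublicKey(), getSpKeyPrivateKey());
            if (loaded == null) {
                // Route through the catch block so the failure is logged and reported with code -1.
                throw new IllegalStateException("stored entry did not yield a complete key pair");
            }
            // Publish state only once a usable pair exists.
            this.keyPair = loaded;
            this.newKey = false;
            log("加载 Key pair 成功");
            TicketGuardEventHelper.monitorGetKeyPair(keySecurityLevel(), 0, null, System.currentTimeMillis() - startedAt, false, i, z);
        } catch (Throwable th) {
            log("加载 Key pair 失败, exception=" + Log.getStackTraceString(th));
            TicketGuardEventHelper.monitorGetKeyPair(0, -1, th, System.currentTimeMillis() - startedAt, false, i, z);
        }
        return this.keyPair;
    }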

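    /**
     * Performs one signing attempt with the cached private key and reports the outcome.
     *
     * The decompiled control flow fell through from a failed {@code Api.sign} call into the
     * success branch, logging and reporting success for a signature that was never produced and
     * reading a start time that was never assigned. Success is now reported only after the
     * signature exists; any throwable is reported as a failure.
     *
     * @param bArr message bytes to sign
     * @param i 1-based attempt number, forwarded to telemetry
     * @param str caller-supplied tag; not used by this method
     * @return the signature, or {@code null} if signing failed
     */
    private byte[] realSign(byte[] bArr, int i, String str) {
        long startedAt = System.currentTimeMillis();
        byte[] signature = null;
        try {
            signature = Api.sign(this.keyPair.getPrivate(), bArr);
            log("签名成功");
            TicketGuardEventHelper.monitorRealSign(true, null, i, System.currentTimeMillis() - startedAt);
        } catch (Throwable th) {
            // Also reached when logging or telemetry throws after a successful signature; the
            // signature is still returned in that case, as in the original flow.
            log("签名失败, exception=" + Log.getStackTraceString(th));
            TicketGuardEventHelper.monitorRealSign(false, th, i, 0L);
        }
        return signature;
    }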

    /**
     * Generates a PEM certificate signing request for the cached key pair, retrying up to three
     * times.
     *
     * @return the PEM request, or {@code null} if no key pair is cached (reported with code 3000)
     *     or all attempts failed
     */
    public String genCsr() {
        if (this.keyPair == null) {
            log("生成 csr 失败, key pair为空");
            TicketGuardEventHelper.monitorGenCsr(3000, null, 0);
            return null;
        }
        int attempt = 1;
        while (attempt <= 3) {
            String pem = realGenCsr(this.keyPair, attempt);
            if (pem != null) {
                return pem;
            }
            attempt++;
        }
        return null;
    }

    /**
     * Returns the public key in its {@code 04}-prefixed textual form.
     *
     * @return the encoded key, or {@code null} until {@code tryGetKey} has populated it
     */
    public String getPubKey04() {
        return pubKey04;
    }

    /**
     * Returns the public key in its Base64 form.
     *
     * @return the encoded key, or {@code null} until {@code tryGetKey} has populated it
     */
    public String getPubKeyBase64() {
        return pubKeyBase64;
    }

    /**
     * Checks whether the cached private key matches the given encoded certificate.
     *
     * Every failure, including an unparsable certificate or a missing key pair, is logged and
     * treated as "no match".
     *
     * @param bArr encoded X.509 certificate
     * @return {@code true} only if the key/certificate check succeeded
     */
    public boolean isKeyMatch(byte[] bArr) {
        boolean matched;
        try {
            matched = Api.isKeyMatch(bArr, this.keyPair.getPrivate());
        } catch (Throwable failure) {
            log("isKeyMatch failed, e=" + Log.getStackTraceString(failure));
            matched = false;
        }
        return matched;
    }

    /**
     * Tells how the cached key pair was obtained.
     *
     * @return {@code true} if it was generated in this process, {@code false} if it was loaded
     *     from storage, {@code null} if no key has been obtained yet
     */
    public Boolean isNewKey() {
        return newKey;
    }

    /**
     * Signs {@code bArr} with the cached private key, retrying up to three times.
     *
     * Reports code 4002 when no private key is available, 0 with the elapsed time of the
     * successful attempt, or -1 after three failed attempts.
     *
     * @param bArr message bytes to sign
     * @param str caller-supplied tag forwarded to telemetry
     * @return the signature, or {@code null} on failure
     */
    public byte[] sign(byte[] bArr, String str) {
        boolean privateKeyAvailable = this.keyPair != null && this.keyPair.getPrivate() != null;
        if (!privateKeyAvailable) {
            log("签名失败, 获取私钥失败");
            TicketGuardEventHelper.monitorSign(4002, "empty private key", 0L, 0, str);
            return null;
        }
        int attempt = 1;
        while (attempt <= 3) {
            long startedAt = System.currentTimeMillis();
            byte[] signature = realSign(bArr, attempt, str);
            if (signature != null) {
                long elapsed = System.currentTimeMillis() - startedAt;
                TicketGuardEventHelper.monitorSign(0, null, elapsed, attempt, str);
                return signature;
            }
            attempt++;
        }
        TicketGuardEventHelper.monitorSign(-1, "sign error, see bd_ticket_guard_create_signature", 0L, 3, str);
        return null;
    }

    /**
     * Makes sure a key pair is available, loading the stored one or generating a new one.
     *
     * The work runs at most once per successful initialisation, guarded by a lock on this
     * instance. After the key is obtained, both encoded forms of an EC public key are cached.
     *
     * NOTE(review): {@code newKey} is a plain field while {@code keyPair} is volatile, and the
     * encoded public keys are assigned after {@code newKey} has been set by the load/generate
     * helpers. A caller taking the unsynchronised fast path may therefore get {@code true}
     * before {@code getPubKey04()} / {@code getPubKeyBase64()} are visible -- confirm whether
     * callers rely on them immediately.
     *
     * @param z flag forwarded unchanged to telemetry
     * @return {@code true} if a key has been obtained, now or earlier
     */
    public boolean tryGetKey(boolean z) {
        if (this.newKey != null) {
            return true;
        }
        synchronized (this) {
            if (this.newKey != null) {
                return true;
            }
            try {
                boolean alreadyStored = Api.containsAlias(this.keystoreAlias, this.sp, getSpKeyPublicKey(), getSpKeyPrivateKey());
                if (alreadyStored) {
                    loadKeyPair(z);
                } else {
                    genKeyPair(z);
                }
                if (this.newKey != null && (this.keyPair.getPublic() instanceof ECPublicKey)) {
                    ECPublicKey ecPublic = (ECPublicKey) this.keyPair.getPublic();
                    this.pubKey04 = Api.parse04PublicKey(ecPublic);
                    this.pubKeyBase64 = Api.parseBase64PublicKey(ecPublic);
                }
            } catch (Throwable failure) {
                // Covers every step above, not only the alias lookup named in the message.
                log("containsAlias failed, e=" + Log.getStackTraceString(failure));
                TicketGuardEventHelper.monitorContainsAliasError(z, failure);
            }
            return this.newKey != null;
        }
    }
}
