package com.microsoft.identity.broker4j.workplacejoin;

import ch.qos.logback.core.CoreConstants;
import com.microsoft.identity.broker4j.workplacejoin.data.CertificateData;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.logging.Logger;
import com.nimbusds.jose.util.X509CertUtils;
import edu.umd.cs.findbugs.annotations.Nullable;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import lombok.NonNull;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.crypto.engines.DESedeEngine;
import org.bouncycastle.crypto.engines.RC2Engine;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.pkcs.PKCS12PfxPduBuilder;
import org.bouncycastle.pkcs.PKCS12SafeBag;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.bc.BcPKCS12MacCalculatorBuilder;
import org.bouncycastle.pkcs.bc.BcPKCS12PBEOutputEncryptorBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS12SafeBagBuilder;
import org.bouncycastle.util.encoders.Hex;

/* loaded from: classes3.dex */
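/**
 * Static helpers for the workplace-join device certificate: reading the device and tenant
 * identifiers from certificate extensions, packaging a certificate and key pair as PKCS#12,
 * parsing a base64 certificate body, and checking the issuer name.
 *
 * <p>Nothing in this class verifies a signature, a certificate chain or a validity period.
 * Every value returned here is attacker-controlled unless the caller has validated the
 * certificate separately.
 */
public class WorkplaceJoinCertHelper {
    /** Text that {@link #isExpectedCertificateIssuer(byte[])} looks for in the issuer DN. */
    public static final String ISSUER_CN_VALUE = "MS-Organization-Access";
    /** OID of the extension read by {@link #getDeviceIdFromCert(X509Certificate)}. */
    private static final String OID_CERT_FOR_DEVICE_ID = "1.2.840.113556.1.5.284.2";
    /** OID of the extension read by {@link #getTenantIdFromCert(X509Certificate)}. */
    private static final String OID_CERT_FOR_TENANT_ID = "1.2.840.113556.1.5.284.5";
    private static final String TAG = WorkplaceJoinCertHelper.class.getSimpleName() + "#";
    /** Number of bytes consumed when formatting a GUID. */
    private static final int GUID_LENGTH_BYTES = 16;

    /**
     * Formats the first 16 bytes of {@code bArr} as a lower-case, dash-separated GUID string
     * ({@code 8-4-4-4-12} hex digits).
     *
     * <p>The first three groups are byte-reversed (bytes 0-3, 4-5 and 6-7); the remaining eight
     * bytes are emitted in order. Bytes beyond the sixteenth are ignored.
     *
     * @param bArr the GUID octets; must hold at least 16 bytes
     * @return the textual GUID
     * @throws NullPointerException if {@code bArr} is null
     * @throws IllegalArgumentException if {@code bArr} holds fewer than 16 bytes
     * @throws UnsupportedEncodingException if the configured charset name is not supported
     */
    static String convertOctetsToGUID(@NonNull byte[] bArr) throws UnsupportedEncodingException {
        if (bArr == null) {
            throw new NullPointerException("guid is marked non-null but is null");
        }
        // The octets come from a certificate extension, i.e. from untrusted input. Reject a short
        // value explicitly instead of failing with an ArrayIndexOutOfBoundsException below.
        if (bArr.length < GUID_LENGTH_BYTES) {
            throw new IllegalArgumentException("guid must hold at least 16 bytes but holds " + bArr.length);
        }
        final byte[] reordered = {
            bArr[3], bArr[2], bArr[1], bArr[0],
            bArr[5], bArr[4],
            bArr[7], bArr[6],
            bArr[8], bArr[9],
            bArr[10], bArr[11], bArr[12], bArr[13], bArr[14], bArr[15]
        };
        final String hex = new String(Hex.encode(reordered), AuthenticationConstants.ENCODING_UTF8);
        return hex.substring(0, 8)
                + '-' + hex.substring(8, 12)
                + '-' + hex.substring(12, 16)
                + '-' + hex.substring(16, 20)
                + '-' + hex.substring(20);
    }

    /**
     * Reads the non-critical extension {@code str} from the certificate and formats its octet
     * string as a GUID.
     *
     * <p>Only the non-critical extension list is consulted. The value is taken from the
     * certificate as-is; this method does not establish that the certificate is trusted.
     *
     * @param x509Certificate the certificate to inspect
     * @param str the extension OID to look up
     * @return the GUID string, or {@code null} when the certificate has no non-critical
     *     extensions, the OID is absent, the value is not an octet string, the value is too
     *     short, or parsing fails
     * @throws NullPointerException if either argument is null
     */
    @Nullable
    private static String extractValueFromCertWithOid(@NonNull X509Certificate x509Certificate, @NonNull String str) {
        if (x509Certificate == null) {
            throw new NullPointerException("cert is marked non-null but is null");
        }
        if (str == null) {
            throw new NullPointerException("matchingOid is marked non-null but is null");
        }
        final String methodTag = TAG + "extractValueFromCertWithOid";
        final Set<String> nonCriticalOids = x509Certificate.getNonCriticalExtensionOIDs();
        if (nonCriticalOids == null) {
            Logger.verbose(methodTag, "Certificate's oid list is empty");
            return null;
        }
        if (nonCriticalOids.contains(str)) {
            try {
                final ASN1Primitive parsed = JcaX509ExtensionUtils.parseExtensionValue(x509Certificate.getExtensionValue(str));
                if (parsed instanceof DEROctetString) {
                    final byte[] octets = ((DEROctetString) parsed).getOctets();
                    // A malformed certificate can carry an extension of any length; treat a value
                    // that cannot hold a GUID as "no value" rather than letting it throw.
                    if (octets.length < GUID_LENGTH_BYTES) {
                        Logger.error(methodTag, "Extension value is too short to be a GUID. " + WorkplaceJoinFailure.INTERNAL, null);
                        Logger.errorPII(methodTag, "OID: " + str + " length: " + octets.length, null);
                        return null;
                    }
                    final String guid = convertOctetsToGUID(octets);
                    Logger.infoPII(methodTag, "Extension value. OID:" + str + " value:" + guid);
                    return guid;
                }
            } catch (IOException e) {
                Logger.error(methodTag, "IO Exception in parsing extension value. " + WorkplaceJoinFailure.INTERNAL, e);
                Logger.errorPII(methodTag, "OID: " + str, null);
            }
        }
        // Also reached when the OID is present but its value could not be used.
        Logger.verbose(methodTag, "OID:" + str + " was not found in certificate's oid list");
        return null;
    }

    /**
     * Packages the certificate and the key pair's private key into a password-protected PKCS#12
     * (PFX) structure and returns its encoding.
     *
     * <p>Security note: the private key is encrypted with
     * {@code pbeWithSHAAnd3_KeyTripleDES_CBC} and the certificate bag with
     * {@code pbeWithSHAAnd40BitRC2_CBC}. Both are legacy PKCS#12 schemes and 40-bit RC2 gives
     * no meaningful confidentiality, so the returned bytes should be handled as sensitive key
     * material rather than relied on to be safe at rest. The algorithms are left unchanged here
     * because switching them alters the output format that consumers of the blob must parse.
     *
     * @param x509Certificate the certificate to store
     * @param str the password protecting the PKCS#12 structure
     * @param keyPair the key pair whose private key is stored and whose public key yields the
     *     local key id
     * @return the encoded PKCS#12 structure
     * @throws NullPointerException if any argument is null
     * @throws ClientException if encoding, algorithm lookup or PKCS#12 construction fails
     */
    public static byte[] generatePkcs12(@NonNull X509Certificate x509Certificate, @NonNull String str, @NonNull KeyPair keyPair) throws ClientException {
        if (x509Certificate == null) {
            throw new NullPointerException("cert is marked non-null but is null");
        }
        if (str == null) {
            throw new NullPointerException("password is marked non-null but is null");
        }
        if (keyPair == null) {
            throw new NullPointerException("keyPair is marked non-null but is null");
        }
        try {
            final JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
            final ASN1ObjectIdentifier friendlyNameOid = PKCSObjectIdentifiers.pkcs_9_at_friendlyName;
            final ASN1ObjectIdentifier localKeyIdOid = PKCSObjectIdentifiers.pkcs_9_at_localKeyId;
            final DERBMPString alias = new DERBMPString(CertificateData.DEFAULT_WORKPLACE_JOIN_CERTIFICATE_ALIAS);
            // One copy of the password is shared by the two encryptors and the MAC calculation.
            final char[] password = str.toCharArray();

            // Certificate bag, tagged with the same alias and key id as the key bag.
            final JcaPKCS12SafeBagBuilder certBagBuilder = new JcaPKCS12SafeBagBuilder(x509Certificate);
            certBagBuilder.addBagAttribute(friendlyNameOid, alias);
            certBagBuilder.addBagAttribute(localKeyIdOid, extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));

            // Private-key bag, encrypted with Triple-DES (legacy PBE, see the method note).
            final JcaPKCS12SafeBagBuilder keyBagBuilder = new JcaPKCS12SafeBagBuilder(
                    keyPair.getPrivate(),
                    new BcPKCS12PBEOutputEncryptorBuilder(
                            PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC,
                            new CBCBlockCipher(new DESedeEngine())).build(password));
            keyBagBuilder.addBagAttribute(friendlyNameOid, alias);
            keyBagBuilder.addBagAttribute(localKeyIdOid, extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));

            final PKCS12PfxPduBuilder pfxBuilder = new PKCS12PfxPduBuilder();
            // Certificate bag is wrapped with 40-bit RC2 (legacy, weak, see the method note).
            pfxBuilder.addEncryptedData(
                    new BcPKCS12PBEOutputEncryptorBuilder(
                            PKCSObjectIdentifiers.pbeWithSHAAnd40BitRC2_CBC,
                            new CBCBlockCipher(new RC2Engine())).build(password),
                    new PKCS12SafeBag[]{certBagBuilder.build()});
            pfxBuilder.addData(keyBagBuilder.build());
            // NOTE(review): the no-argument MAC builder uses the library's default digest,
            // believed to be SHA-1; confirm against the bundled BouncyCastle version.
            return pfxBuilder.build(new BcPKCS12MacCalculatorBuilder(), password).toASN1Structure().getEncoded();
        } catch (IOException e) {
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (NoSuchAlgorithmException e2) {
            throw new ClientException("no_such_algorithm", e2.getMessage(), e2);
        } catch (PKCSException e3) {
            throw new ClientException(ClientException.PKCS_FAILURE, e3.getMessage(), e3);
        }
    }

    /**
     * Parses a certificate from its PEM body by wrapping {@code str} in the PEM begin and end
     * markers and handing the result to the X.509 certificate factory.
     *
     * <p>This only decodes the certificate. It performs no signature, chain, validity-period or
     * revocation check, so the result is not yet a trusted certificate.
     *
     * @param str the certificate body placed between the PEM markers
     * @return the parsed certificate
     * @throws CertificateException if the factory cannot parse the input
     * @throws UnsupportedEncodingException if the configured charset name is not supported
     * @throws NoSuchProviderException if the certificate factory's provider is unavailable
     */
    public static X509Certificate generateX509Certificate(String str) throws CertificateException, UnsupportedEncodingException, NoSuchProviderException {
        final String lineSeparator = System.getProperty("line.separator");
        final String pem = X509CertUtils.PEM_BEGIN_MARKER + lineSeparator + str + lineSeparator + X509CertUtils.PEM_END_MARKER;
        final byte[] pemBytes = pem.getBytes(AuthenticationConstants.ENCODING_UTF8);
        return (X509Certificate) ProviderUtil.getX509CertificateFactory().generateCertificate(new ByteArrayInputStream(pemBytes));
    }

    /**
     * Returns the device id stored in the certificate's device-id extension.
     *
     * @param x509Certificate the certificate to inspect
     * @return the device id as a GUID string, or {@code null} if it cannot be read
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    @Nullable
    public static String getDeviceIdFromCert(@NonNull X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            throw new NullPointerException("cert is marked non-null but is null");
        }
        return extractValueFromCertWithOid(x509Certificate, OID_CERT_FOR_DEVICE_ID);
    }

    /**
     * Returns the tenant id stored in the certificate's tenant-id extension.
     *
     * @param x509Certificate the certificate to inspect
     * @return the tenant id as a GUID string, or {@code null} if it cannot be read
     * @throws NullPointerException if {@code x509Certificate} is null
     */
    @Nullable
    public static String getTenantIdFromCert(@NonNull X509Certificate x509Certificate) {
        if (x509Certificate == null) {
            throw new NullPointerException("cert is marked non-null but is null");
        }
        return extractValueFromCertWithOid(x509Certificate, OID_CERT_FOR_TENANT_ID);
    }

    /**
     * Encodes the bytes as a lower-case hexadecimal string, two digits per byte.
     *
     * <p>Not referenced elsewhere in this class.
     *
     * @param bArr the bytes to encode
     * @return the hexadecimal representation
     * @throws NullPointerException if {@code bArr} is null
     */
    private static String hexify(@NonNull byte[] bArr) {
        if (bArr == null) {
            throw new NullPointerException("bytes is marked non-null but is null");
        }
        final char[] digits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        final StringBuilder out = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            out.append(digits[(b >> 4) & 0x0F]);
            out.append(digits[b & 0x0F]);
        }
        return out.toString();
    }

    /**
     * Reports whether the encoded certificate's issuer DN contains {@link #ISSUER_CN_VALUE},
     * ignoring case.
     *
     * <p>Security note: this is a substring match over the whole issuer DN string, so the text
     * matches in any attribute, not only the CN. The issuer name is copied from the certificate
     * itself and no signature or chain is verified here; anyone can mint a certificate that
     * passes this check. Use it to select or filter certificates, never as proof of issuance.
     *
     * @param bArr the encoded certificate
     * @return {@code true} if the issuer DN contains the expected text; {@code false} if it does
     *     not, if the certificate has no issuer name, or if the certificate cannot be parsed
     * @throws NullPointerException if {@code bArr} is null
     */
    public static boolean isExpectedCertificateIssuer(@NonNull byte[] bArr) {
        if (bArr == null) {
            throw new NullPointerException("cert is marked non-null but is null");
        }
        final String methodTag = TAG + "isExpectedCertificateIssuer";
        try {
            final X509Certificate parsed = (X509Certificate) ProviderUtil.getX509CertificateFactory().generateCertificate(new ByteArrayInputStream(bArr));
            // Some certificate factories are understood to return null for input that holds no
            // certificate; report that as "not the expected issuer" rather than throwing.
            if (parsed == null || parsed.getIssuerDN() == null) {
                return false;
            }
            final String issuerName = parsed.getIssuerDN().getName();
            if (issuerName == null) {
                return false;
            }
            // Locale.ROOT keeps the comparison independent of the device locale; the default
            // locale can lower-case 'I' to a dotless i and make a valid issuer fail to match.
            return issuerName.toLowerCase(java.util.Locale.ROOT).contains(ISSUER_CN_VALUE.toLowerCase(java.util.Locale.ROOT));
        } catch (NoSuchProviderException | CertificateException e) {
            Logger.error(methodTag, "Certificate Exception, returning false " + WorkplaceJoinFailure.INTERNAL, e);
            Logger.errorPII(methodTag, e.getMessage(), null);
            return false;
        }
    }
}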
