package androidx.security.identity;

import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import androidx.security.identity.PersonalizationData;
import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborEncoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.ArrayBuilder;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.UnicodeString;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;

/* loaded from: classes.dex */
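/**
 * {@link WritableIdentityCredential} implementation that generates the credential key through
 * the {@code AndroidKeyStore} provider and persists the provisioned data via
 * {@link CredentialData}.
 *
 * <p>Expected call order: {@link #getCredentialKeyCertificateChain(byte[])} with an
 * issuer-supplied challenge, then {@link #personalize(PersonalizationData)}. The credential key
 * is created exactly once per instance, by whichever of the two calls runs first.
 *
 * <p>Security note: if {@code personalize()} runs first, the key is generated with an empty
 * attestation challenge, so the resulting attestation carries no issuer-chosen freshness value.
 */
class SoftwareWritableIdentityCredential extends WritableIdentityCredential {
    private static final String TAG = "SoftwareWritableIdentityCredential";
    private final Context mContext;
    private final String mCredentialName;
    private final String mDocType;
    // Both fields are published together by ensureCredentialKey() once key generation and
    // certificate retrieval have fully succeeded; a non-null mKeyPair implies mCertificates is set.
    private KeyPair mKeyPair = null;
    private Collection<X509Certificate> mCertificates = null;

    /**
     * Creates a writable credential handle.
     *
     * @param context context handed to {@link CredentialData} for lookups and storage
     * @param str the credential name
     * @param str2 the document type
     * @throws AlreadyPersonalizedException if {@link CredentialData} reports that a credential
     *     with this name already exists
     */
    public SoftwareWritableIdentityCredential(Context context, String str, String str2) throws AlreadyPersonalizedException {
        this.mContext = context;
        this.mDocType = str2;
        this.mCredentialName = str;
        if (CredentialData.credentialAlreadyExists(context, str)) {
            throw new AlreadyPersonalizedException("Credential with given name already exists");
        }
    }

    /**
     * Builds the CBOR array {@code ["ProofOfProvisioning", docType, profiles, namespaces, false]}
     * and signs its encoding as a COSE_Sign1 structure.
     *
     * @param str the document type placed in the second array element
     * @param personalizationData source of the access control profiles and namespace data
     * @param privateKey key used for the COSE_Sign1 signature
     * @return the signed structure returned by {@code Util.coseSign1Sign}
     * @throws RuntimeException if CBOR encoding or signing fails
     */
    public static DataItem buildProofOfProvisioningWithSignature(String str, PersonalizationData personalizationData, PrivateKey privateKey) {
        CborBuilder profilesBuilder = new CborBuilder();
        ArrayBuilder<CborBuilder> profiles = profilesBuilder.addArray();
        for (AccessControlProfile profile : personalizationData.getAccessControlProfiles()) {
            profiles.add(Util.accessControlProfileToCbor(profile));
        }

        CborBuilder namespacesBuilder = new CborBuilder();
        MapBuilder<CborBuilder> namespaces = namespacesBuilder.addMap();
        for (PersonalizationData.NamespaceData namespaceData : personalizationData.getNamespaceDatas()) {
            namespaces.put(new UnicodeString(namespaceData.getNamespaceName()), Util.namespaceDataToCbor(namespaceData));
        }

        CborBuilder proofBuilder = new CborBuilder();
        // NOTE(review): the trailing boolean is always false; presumably the test-credential
        // flag of ProofOfProvisioning - confirm against the structure's definition.
        proofBuilder.addArray()
                .add("ProofOfProvisioning")
                .add(str)
                .add(profilesBuilder.build().get(0))
                .add(namespacesBuilder.build().get(0))
                .add(false);
        try {
            ByteArrayOutputStream encoded = new ByteArrayOutputStream();
            new CborEncoder(encoded).encode(proofBuilder.build().get(0));
            // No detached content and no certificate chain are passed to the signer.
            return Util.coseSign1Sign(privateKey, encoded.toByteArray(), (byte[]) null, (Collection<X509Certificate>) null);
        } catch (CborException | InvalidKeyException | NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new RuntimeException("Error building ProofOfProvisioning", e);
        }
    }

    /**
     * Generates the credential key on first use and records its certificate chain.
     *
     * <p>Any existing keystore entry under the credential's alias is deleted before the new key
     * is generated. The instance fields are assigned only after the certificate chain has been
     * read, so a failure part-way through cannot leave a key pair without certificates for a
     * later {@code personalize()} call to store.
     *
     * @param bArr attestation challenge; {@code null} is replaced by an empty challenge
     * @return the certificate chain of the newly generated key, or {@code null} if this instance
     *     already holds a key pair
     * @throws RuntimeException if key generation or certificate retrieval fails
     */
    private Collection<X509Certificate> ensureCredentialKey(byte[] bArr) {
        if (this.mKeyPair != null) {
            return null;
        }
        String alias = CredentialData.getAliasFromCredentialName(this.mCredentialName);
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            if (keyStore.containsAlias(alias)) {
                keyStore.deleteEntry(alias);
            }
            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
            // 12 == KeyProperties.PURPOSE_SIGN (4) | KeyProperties.PURPOSE_VERIFY (8).
            KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias, 12).setDigests("SHA-256", "SHA-512");
            spec.setAttestationChallenge(bArr == null ? new byte[0] : bArr);
            generator.initialize(spec.build());
            KeyPair keyPair = generator.generateKeyPair();

            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null || chain.length == 0) {
                throw new RuntimeException("Error creating CredentialKey: no certificate chain for generated key");
            }
            Collection<X509Certificate> certificates = new ArrayList<>(chain.length);
            for (Certificate certificate : chain) {
                certificates.add((X509Certificate) certificate);
            }

            // Publish state only now that both the key pair and its chain are available.
            this.mCertificates = certificates;
            this.mKeyPair = keyPair;
            return certificates;
        } catch (IOException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            throw new RuntimeException("Error creating CredentialKey", e);
        }
    }

    /**
     * Generates the credential key bound to the given attestation challenge and returns its
     * certificate chain.
     *
     * @param bArr attestation challenge embedded at key generation
     * @return the certificate chain of the newly generated credential key
     * @throws RuntimeException if the key already exists on this instance, i.e. after
     *     {@code personalize()} or after an earlier call to this method, or if key creation fails
     */
    @Override // androidx.security.identity.WritableIdentityCredential
    public Collection<X509Certificate> getCredentialKeyCertificateChain(byte[] bArr) {
        Collection<X509Certificate> certificates = ensureCredentialKey(bArr);
        if (certificates == null) {
            throw new RuntimeException("getCredentialKeyCertificateChain() must be called before personalize()");
        }
        return certificates;
    }

    /**
     * Signs a ProofOfProvisioning for the given data with the credential key, stores the
     * credential through {@link CredentialData}, and returns the encoded signature structure.
     *
     * @param personalizationData access control profiles and namespace data to provision
     * @return the CBOR encoding of the signed ProofOfProvisioning
     * @throws RuntimeException if key creation, signing or digesting fails
     */
    @Override // androidx.security.identity.WritableIdentityCredential
    public byte[] personalize(PersonalizationData personalizationData) {
        try {
            // No-op when the key already exists; otherwise the key is created here with an
            // empty attestation challenge (null is mapped to byte[0] in ensureCredentialKey).
            ensureCredentialKey(null);
            DataItem signedProof = buildProofOfProvisioningWithSignature(this.mDocType, personalizationData, this.mKeyPair.getPrivate());
            // The SHA-256 digest of the signed payload is stored alongside the credential.
            byte[] proofDigest = MessageDigest.getInstance("SHA-256").digest(Util.coseSign1GetData(signedProof));
            String alias = CredentialData.getAliasFromCredentialName(this.mCredentialName);
            // NOTE(review): meaning of the final `false` argument is not visible here - confirm
            // against CredentialData.createCredentialData.
            CredentialData.createCredentialData(this.mContext, this.mDocType, this.mCredentialName, alias, this.mCertificates, personalizationData, proofDigest, false);
            return Util.cborEncode(signedProof);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Error digesting ProofOfProvisioning", e);
        }
    }
}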
