package com.centrify.directcontrol.safetynet;

import android.content.Context;
import android.support.annotation.NonNull;
import android.util.Base64;
import com.centrify.agent.samsung.utils.LogUtil;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.commons.lang3.StringUtils;

/* loaded from: classes.dex */
public class SafetyNetVerifier {
    static final String HOST_NAME = "attest.android.com";
    static final String TAG = "SafetyNetVerifier";
    static final long TIME_LIMITED = 120000;
    Context mContext;
    SafeNetJWSResult mJwsResult;
    byte[] mNonce;
    long mTimeStamp;

    public SafetyNetVerifier(Context context, byte[] bArr, long j) {
        this.mContext = context;
        this.mNonce = bArr;
        this.mTimeStamp = j;
    }

    private boolean ValidateCert(@NonNull SafeNetJWSResult safeNetJWSResult) {
        boolean z = false;
        X509Certificate x509Cert = safeNetJWSResult.getX509Cert();
        if (x509Cert != null) {
            try {
                x509Cert.checkValidity();
                Principal subjectDN = x509Cert.getSubjectDN();
                if (subjectDN != null) {
                    String name = subjectDN.getName();
                    LogUtil.debug(TAG, "name: " + name);
                    z = StringUtils.containsIgnoreCase(name, HOST_NAME);
                }
            } catch (CertificateExpiredException e) {
                LogUtil.debug(TAG, "Cert expired", e);
            } catch (CertificateNotYetValidException e2) {
                LogUtil.debug(TAG, "Cert Not Yet Valid", e2);
            }
        }
        LogUtil.debug(TAG, "checkCertValid matched:" + z);
        return z;
    }

    private boolean checkApkCertsSha256(@NonNull SafetyNetResponse safetyNetResponse) {
        boolean z = false;
        List<String> apkCertificateDigestSha256 = safetyNetResponse.getApkCertificateDigestSha256();
        List<String> calApkCertsSha256Base64Encoded = SafetyNetUtils.calApkCertsSha256Base64Encoded(this.mContext);
        if (apkCertificateDigestSha256 != null && calApkCertsSha256Base64Encoded != null) {
            z = apkCertificateDigestSha256.containsAll(calApkCertsSha256Base64Encoded) && calApkCertsSha256Base64Encoded.containsAll(apkCertificateDigestSha256);
        }
        LogUtil.debug(TAG, "checkApkCertsSha256 matched: " + z);
        return z;
    }

    private boolean checkApkSha256(@NonNull SafetyNetResponse safetyNetResponse) {
        boolean equalsIgnoreCase = StringUtils.equalsIgnoreCase(safetyNetResponse.getApkDigestSha256(), SafetyNetUtils.calApkSha256Base64Encoded(this.mContext));
        LogUtil.debug(TAG, "checkApkSha256 matched: " + equalsIgnoreCase);
        return equalsIgnoreCase;
    }

    private boolean checkJWSMessageSignature(@NonNull SafeNetJWSResult safeNetJWSResult) {
        boolean z = false;
        X509Certificate x509Cert = safeNetJWSResult.getX509Cert();
        byte[] signature = safeNetJWSResult.getSignature();
        String jWSMessage = safeNetJWSResult.getJWSMessage();
        if (x509Cert != null && signature != null && jWSMessage != null) {
            try {
                Signature signature2 = Signature.getInstance("SHA256withRSA");
                signature2.initVerify(x509Cert);
                signature2.update(jWSMessage.getBytes());
                z = signature2.verify(signature);
            } catch (InvalidKeyException e) {
                LogUtil.error(TAG, "checkSignature", e);
            } catch (NoSuchAlgorithmException e2) {
                LogUtil.error(TAG, "checkSignature", e2);
            } catch (SignatureException e3) {
                LogUtil.error(TAG, "checkSignature", e3);
            }
        }
        LogUtil.debug(TAG, "checkJWSMessageSignature matched: " + z);
        return z;
    }

    private boolean checkNonce(@NonNull SafetyNetResponse safetyNetResponse) {
        boolean z = false;
        if (this.mNonce != null) {
            z = StringUtils.equalsIgnoreCase(safetyNetResponse.getNonce(), Base64.encodeToString(this.mNonce, 0).trim());
        }
        LogUtil.debug(TAG, "checkNonce matched: " + z);
        return z;
    }

    private boolean checkPackageName(@NonNull SafetyNetResponse safetyNetResponse) {
        boolean equalsIgnoreCase = StringUtils.equalsIgnoreCase(safetyNetResponse.getApkPackageName(), this.mContext.getPackageName());
        LogUtil.debug(TAG, "checkPackageName matched: " + equalsIgnoreCase);
        return equalsIgnoreCase;
    }

    private boolean checkResponse(SafetyNetResponse safetyNetResponse) {
        boolean z = false;
        if (safetyNetResponse == null) {
            LogUtil.debug(TAG, "response shouldn't be null");
        } else if (safetyNetResponse.getError() != null) {
            LogUtil.debug(TAG, "response shouldn't contain error " + safetyNetResponse.getError());
        } else {
            z = true;
        }
        LogUtil.debug(TAG, "checkResponse matched: " + z);
        return z;
    }

    private boolean checkTimeStamp(@NonNull SafetyNetResponse safetyNetResponse) {
        boolean z = false;
        long timestampMs = safetyNetResponse.getTimestampMs();
        if (timestampMs > 0 && this.mTimeStamp > 0) {
            z = timestampMs - this.mTimeStamp < 120000;
        }
        LogUtil.debug(TAG, "checkTimeStamp matched: " + z);
        return z;
    }

    public void setSafeNetJWSResult(SafeNetJWSResult safeNetJWSResult) {
        this.mJwsResult = safeNetJWSResult;
    }

    public boolean verifyJWSResult() {
        boolean z = this.mJwsResult != null && ValidateCert(this.mJwsResult) && checkJWSMessageSignature(this.mJwsResult);
        if (z) {
            SafetyNetResponse response = this.mJwsResult.getResponse();
            z = checkResponse(response) && checkNonce(response) && checkTimeStamp(response) && checkPackageName(response) && checkApkCertsSha256(response);
        }
        LogUtil.info(TAG, "verifyJWSResult : " + z);
        return z;
    }
}
