package com.android.se.security;

import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Build;
import android.os.SystemProperties;
import android.util.Log;
import com.android.se.Channel;
import com.android.se.SecureElementService;
import com.android.se.Terminal;
import com.android.se.internal.ByteArrayConverter;
import com.android.se.security.ChannelAccess;
import com.android.se.security.ara.AraController;
import com.android.se.security.arf.ArfController;
import com.oplus.se.security.OplusAccessControlEnforcer;
import java.io.IOException;
import java.io.PrintWriter;
import java.security.AccessControlException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.MissingResourceException;
import java.util.NoSuchElementException;

/* loaded from: classes.dex */
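/**
 * Per-terminal access control enforcer for the Secure Element service.
 *
 * <p>Decides whether a device application may open a channel to an applet, send a given APDU
 * on it, or receive NFC events. Decisions come from rules loaded through an ARA controller
 * and/or an ARF controller into an {@link AccessRuleCache}, keyed by hashes of the
 * application's signing certificates.
 *
 * <p>This listing is decompiler output. Local names are synthetic ({@code bArr}, {@code z},
 * ...) and several control-flow shapes were visibly garbled by the decompiler; the places
 * where that affects the access decision are marked {@code NOTE(review)}. The
 * {@code OplusAccessControlEnforcer} hooks are vendor additions whose implementation is not
 * part of this file, so the effective policy also depends on code not shown here.
 */
public class AccessControlEnforcer {
    private static final boolean DEBUG = Build.IS_DEBUGGABLE;
    private AccessRuleCache mAccessRuleCache;
    private Terminal mTerminal;
    private final String mTag = "SecureElement-AccessControlEnforcer";
    private PackageManager mPackageManager = null;
    // Set by initialize() when the rule source (ARA applet / ARF) was reported as absent.
    private boolean mNoRuleFound = false;
    private AraController mAraController = null;
    private boolean mUseAra = true;
    private ArfController mArfController = null;
    private boolean mUseArf = false;
    // Gate for consulting the rule cache: getAccessRule() and checkCarrierPrivilege() deny
    // while this is false.
    private boolean mRulesRead = false;
    // Channel access handed out when no rule applies and full-access mode is on; initialize()
    // flips it to DENIED when no rule source and no full access remain.
    private ChannelAccess mInitialChannelAccess = new ChannelAccess();
    // Full-access mode: only ever enabled from a system property on debuggable builds
    // (see readSecurityProfile()).
    private boolean mFullAccess = false;
    // Vendor hook object. Public and non-final, so any code holding this enforcer can replace
    // it; kept as-is because external callers may rely on the field.
    public OplusAccessControlEnforcer mOplusAccessControlEnforcer = new OplusAccessControlEnforcer(this);

    /**
     * Creates an enforcer bound to one terminal with an empty rule cache.
     *
     * @param terminal the secure element terminal this enforcer guards
     */
    public AccessControlEnforcer(Terminal terminal) {
        this.mTerminal = terminal;
        this.mAccessRuleCache = new AccessRuleCache();
    }

    /**
     * Returns the SHA-1 and SHA-256 digests of every signing certificate of a package.
     *
     * @param str package name of the calling application
     * @return two digests per certificate (SHA-1 first, then SHA-256); empty if the package
     *     reports no signatures
     * @throws AccessControlException if the name is empty or the package is unknown
     * @throws NoSuchAlgorithmException if a digest algorithm is unavailable
     */
    private List<byte[]> getAppCertHashes(String str) throws NoSuchAlgorithmException, AccessControlException {
        if (str == null || str.length() == 0) {
            throw new AccessControlException("Package Name not defined");
        }
        try {
            // GET_SIGNATURES is the constant behind the literal 64 in the decompiled listing.
            // It is deprecated since API 28 in favour of GET_SIGNING_CERTIFICATES.
            // NOTE(review): with rotated signing keys the two flags can report different
            // certificates, so a migration has to be checked against how rules are provisioned.
            PackageInfo packageInfo = this.mPackageManager.getPackageInfo(str, PackageManager.GET_SIGNATURES);
            if (packageInfo == null) {
                throw new AccessControlException("Package does not exist");
            }
            // "SHA" is the JCA alias for SHA-1. A SHA-1 match is therefore sufficient to
            // satisfy a rule that stores a 20-byte hash; SHA-256 rules are the stronger binding.
            MessageDigest messageDigest = MessageDigest.getInstance("SHA");
            MessageDigest messageDigest2 = MessageDigest.getInstance("SHA-256");
            // getInstance() throws instead of returning null; this check is defensive only.
            if (messageDigest == null || messageDigest2 == null) {
                throw new AccessControlException("Hash can not be computed");
            }
            List<byte[]> hashes = new ArrayList<>();
            if (packageInfo.signatures == null) {
                // No signatures reported: return an empty list, which every caller in this
                // class treats as "no valid certificate" and denies.
                return hashes;
            }
            for (Signature signature : packageInfo.signatures) {
                byte[] encoded = signature.toByteArray();
                hashes.add(messageDigest.digest(encoded));
                hashes.add(messageDigest2.digest(encoded));
            }
            return hashes;
        } catch (PackageManager.NameNotFoundException unused) {
            throw new AccessControlException("Package does not exist");
        }
    }

    /**
     * Evaluates NFC event access for each package against the rules for one applet.
     *
     * <p>The decompiled original did not compile (the hash list was read after a catch path
     * that never assigned it) and advanced the result index twice on the success path, which
     * would write past the end of the array. Both are fixed here: one slot per package, and a
     * package whose certificates cannot be resolved is denied.
     *
     * @param bArr AID of the applet that raised the event
     * @param strArr package names to evaluate
     * @return one flag per entry of {@code strArr}, in the same order
     */
    private synchronized boolean[] internal_isNfcEventAllowed(byte[] bArr, String[] strArr) {
        // Vendor hook; by its name it refreshes rules before evaluation (implementation not shown).
        this.mOplusAccessControlEnforcer.isNfcEventAllowedCheckRefresh(bArr);
        boolean[] zArr = new boolean[strArr.length];
        int i = 0;
        for (String str : strArr) {
            List<byte[]> appCertHashes = null;
            try {
                appCertHashes = getAppCertHashes(str);
            } catch (Exception e) {
                Log.w("SecureElement-AccessControlEnforcer", " Access Rules for NFC: " + e.getLocalizedMessage());
            }
            if (appCertHashes != null && appCertHashes.size() != 0) {
                // The decision itself is delegated to the vendor hook (not shown here).
                zArr[i] = this.mOplusAccessControlEnforcer.getRuleAccess(bArr, appCertHashes, str);
            } else {
                // Fail closed: no usable certificate hash means no NFC event access.
                zArr[i] = false;
            }
            i++;
        }
        return zArr;
    }

    /**
     * Resolves the caller's certificate hashes (or UUID) and looks up the matching rule.
     *
     * <p>Two decompiler artefacts are repaired. The entry guard threw whenever {@code bArr2}
     * was null, even for a valid package name (the empty {@code if} bodies were the remains
     * of the real condition). And the nested try blocks caused the rethrown
     * {@code IOException}/{@code MissingResourceException} to be caught again by the
     * {@code Throwable} handler and converted into an {@code AccessControlException},
     * although the method declares both.
     *
     * @param bArr AID of the applet to be selected
     * @param str package name of the caller, may be null when a UUID is given
     * @param bArr2 UUID identifying the caller instead of a package, may be null
     * @param z whether to re-check the rule source before the lookup
     * @return the matching rule, or a DENIED access object when none matches
     * @throws AccessControlException if neither identity is given or no certificate hash is found
     * @throws IOException if the rule source cannot be read
     * @throws MissingResourceException as raised by the rule source
     */
    private synchronized ChannelAccess internal_setUpChannelAccess(byte[] bArr, String str, byte[] bArr2, boolean z) throws IOException, MissingResourceException {
        if (bArr2 == null && (str == null || str.isEmpty())) {
            throw new AccessControlException("package names must be specified");
        }
        List<byte[]> list = null;
        try {
            if (str != null) {
                list = getAppCertHashes(str);
            } else if (bArr2 != null) {
                // The UUID is matched against rules in place of a certificate hash.
                list = new ArrayList<>();
                list.add(bArr2);
            }
            if (list == null || list.size() == 0) {
                throw new AccessControlException("Application certificates are invalid or do not exist.");
            }
            if (z) {
                updateAccessRuleIfNeed();
            }
        } catch (IOException | MissingResourceException e) {
            throw e;
        } catch (Throwable th) {
            // Anything else is reported as an access control failure, i.e. denied.
            throw new AccessControlException(th.getMessage());
        }
        return getAccessRule(bArr, list);
    }

    /**
     * Selects which rule sources may be used on this terminal.
     *
     * <p>On non-debuggable builds the result is fixed: ARA and ARF allowed, full access off.
     * On debuggable builds the tokens {@code useara}, {@code usearf} and {@code fullaccess}
     * are read from {@code persist.service.seek} (falling back to {@code service.seek}), so
     * anyone able to set those properties on such a build can switch enforcement off. A
     * debuggable image must therefore never be treated as enforcing secure element access
     * control. ARF is additionally restricted to terminals whose name starts with the UICC
     * prefix.
     */
    private void readSecurityProfile() {
        if (Build.IS_DEBUGGABLE) {
            String str = SystemProperties.get("persist.service.seek", SystemProperties.get("service.seek", "useara usearf"));
            this.mUseArf = str.contains("usearf");
            this.mUseAra = str.contains("useara");
            this.mFullAccess = str.contains("fullaccess");
        } else {
            this.mUseArf = true;
            this.mUseAra = true;
            this.mFullAccess = false;
        }
        if (!this.mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
            this.mUseArf = false;
        }
        Log.i("SecureElement-AccessControlEnforcer", "Allowed ACE mode: ara=" + this.mUseAra + " arf=" + this.mUseArf + " fullaccess=" + this.mFullAccess);
    }

    /**
     * Re-initialises the active rule source so that cached rules are current.
     *
     * <p>ARA takes precedence: when it initialises, ARF and full access are switched off and
     * ARF is not consulted.
     *
     * @throws IOException if the rule source cannot be read
     * @throws AccessControlException if the source fails for any other reason
     */
    private void updateAccessRuleIfNeed() throws IOException {
        ArfController arfController;
        AraController araController;
        if (this.mUseAra && (araController = this.mAraController) != null) {
            try {
                araController.initialize();
                this.mUseArf = false;
                this.mFullAccess = false;
                return;
            } catch (IOException | MissingResourceException e) {
                throw e;
            } catch (Exception unused) {
                throw new AccessControlException("No ARA applet found in " + this.mTerminal.getName());
            }
        }
        if (!this.mUseArf || (arfController = this.mArfController) == null) {
            return;
        }
        try {
            arfController.initialize();
        } catch (IOException | MissingResourceException e2) {
            throw e2;
        } catch (Exception unused2) {
            throw new AccessControlException("No ARF found in " + this.mTerminal.getName());
        }
    }

    /**
     * Checks whether a package holds carrier privilege according to the cached rules.
     *
     * @param packageInfo the package to check
     * @param z whether to re-check the rule source first
     * @return true only if a rule source is active, rules were read and the cache grants the
     *     privilege; any failure while hashing or matching yields false
     * @throws AccessControlException if the rule source cannot be read during the refresh
     */
    public synchronized boolean checkCarrierPrivilege(PackageInfo packageInfo, boolean z) {
        if (!this.mUseAra && !this.mUseArf) {
            return false;
        }
        if (z) {
            try {
                updateAccessRuleIfNeed();
            } catch (IOException | MissingResourceException unused) {
                throw new AccessControlException("Access-Control not found in " + this.mTerminal.getName());
            }
        }
        if (!this.mRulesRead) {
            return false;
        }
        try {
            List<byte[]> appCertHashes = getAppCertHashes(packageInfo.packageName);
            if (appCertHashes != null && appCertHashes.size() != 0) {
                return this.mAccessRuleCache.checkCarrierPrivilege(packageInfo.packageName, appCertHashes);
            }
            return false;
        } catch (Exception e) {
            // Fail closed: an unresolvable package never gets carrier privilege.
            Log.w("SecureElement-AccessControlEnforcer", " checkCarrierPrivilege: " + e.getLocalizedMessage());
            return false;
        }
    }

    /**
     * Verifies that a command APDU is permitted on a channel.
     *
     * <p>The channel must carry an ALLOWED access object. Without an APDU filter, APDU access
     * must be ALLOWED as a whole; with a filter, the command header must match at least one
     * mask/value pair.
     *
     * <p>The exception messages concatenate the log tag and the text without a separator;
     * they are left unchanged because callers may surface or match them.
     *
     * @param channel the channel the command is sent on
     * @param bArr the command APDU
     * @throws AccessControlException if the command is not permitted
     */
    public synchronized void checkCommand(Channel channel, byte[] bArr) {
        ChannelAccess channelAccess = channel.getChannelAccess();
        if (channelAccess == null) {
            throw new AccessControlException("SecureElement-AccessControlEnforcerChannel access not set");
        }
        String reason = channelAccess.getReason();
        if (reason.length() == 0) {
            reason = "Unspecified";
        }
        if (DEBUG) {
            Log.i("SecureElement-AccessControlEnforcer", "checkCommand() : Access = " + channelAccess.getAccess() + " APDU Access = " + channelAccess.getApduAccess() + " Reason = " + reason);
        }
        if (channelAccess.getAccess() != ChannelAccess.ACCESS.ALLOWED) {
            throw new AccessControlException("SecureElement-AccessControlEnforcer" + reason);
        }
        if (!channelAccess.isUseApduFilter()) {
            if (channelAccess.getApduAccess() != ChannelAccess.ACCESS.ALLOWED) {
                throw new AccessControlException("SecureElement-AccessControlEnforcerAPDU access NOT allowed");
            }
            return;
        }
        ApduFilter[] apduFilter = channelAccess.getApduFilter();
        // A filter rule with no filters grants nothing.
        if (apduFilter == null || apduFilter.length == 0) {
            throw new AccessControlException("SecureElement-AccessControlEnforcerAccess Rule not available:" + reason);
        }
        for (ApduFilter apduFilter2 : apduFilter) {
            if (CommandApdu.compareHeaders(bArr, apduFilter2.getMask(), apduFilter2.getApdu())) {
                return;
            }
        }
        throw new AccessControlException("SecureElement-AccessControlEnforcerAccess Rule does not match: " + reason);
    }

    /**
     * Writes the enforcer state and the rule cache to a diagnostic dump.
     *
     * @param printWriter destination of the dump
     */
    public void dump(PrintWriter printWriter) {
        printWriter.println("SecureElement-AccessControlEnforcer:");
        printWriter.println("mUseArf: " + this.mUseArf);
        printWriter.println("mUseAra: " + this.mUseAra);
        if (this.mUseAra && this.mAraController != null) {
            if (getDefaultAccessControlAid() == null) {
                printWriter.println("AraInUse: default applet");
            } else {
                printWriter.println("AraInUse: " + ByteArrayConverter.byteArrayToHexString(getDefaultAccessControlAid()));
            }
        }
        printWriter.println("mInitialChannelAccess:");
        printWriter.println(this.mInitialChannelAccess.toString());
        printWriter.println();
        AccessRuleCache accessRuleCache = this.mAccessRuleCache;
        if (accessRuleCache != null) {
            accessRuleCache.dump(printWriter);
        }
    }

    /**
     * Looks up the rule for an applet and a set of certificate hashes.
     *
     * @param bArr AID of the applet
     * @param list certificate hashes (or a UUID) identifying the caller
     * @return the cached rule, or a fresh access object with channel, APDU and NFC event
     *     access all DENIED when rules were not read or none matches
     */
    public ChannelAccess getAccessRule(byte[] bArr, List<byte[]> list) throws AccessControlException {
        if (DEBUG) {
            // Debuggable builds only: the caller's certificate hashes go to the log.
            for (byte[] hash : list) {
                Log.i("SecureElement-AccessControlEnforcer", "getAccessRule() appCert = " + ByteArrayConverter.byteArrayToHexString(hash));
            }
        }
        ChannelAccess findAccessRule = this.mRulesRead ? this.mAccessRuleCache.findAccessRule(bArr, list) : null;
        if (findAccessRule != null) {
            return findAccessRule;
        }
        // Default deny.
        ChannelAccess channelAccess = new ChannelAccess();
        channelAccess.setAccess(ChannelAccess.ACCESS.DENIED, "no access rule found!");
        channelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED);
        channelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED);
        return channelAccess;
    }

    /**
     * Returns the live rule cache, not a copy; callers can therefore modify enforcement state.
     */
    public AccessRuleCache getAccessRuleCache() {
        return this.mAccessRuleCache;
    }

    /**
     * Returns the AID of the access control applet in use, or the static ARA-M AID when no
     * ARA controller exists yet.
     */
    public byte[] getDefaultAccessControlAid() {
        AraController araController = this.mAraController;
        return araController != null ? araController.getAccessControlAid() : AraController.getAraMAid();
    }

    /** Returns the package manager used to resolve signing certificates; null until set. */
    public PackageManager getPackageManager() {
        return this.mPackageManager;
    }

    /** Returns the terminal this enforcer is bound to. */
    public Terminal getTerminal() {
        return this.mTerminal;
    }

    /**
     * Reads the security profile and initialises the rule sources, ARA first, then ARF.
     *
     * <p>If neither source nor full-access mode remains afterwards, the initial channel
     * access is set to DENIED for channel, APDU and NFC event access.
     *
     * <p>NOTE(review): the code of this method is left exactly as decompiled. As rendered,
     * {@code z = true} after the ARA block and {@code z2 = z} after the ARF block overwrite
     * the values assigned in the catch handlers, so {@code mRulesRead} is true whenever this
     * method returns normally. That is presumably a decompiler artefact (the assignments look
     * like the misplaced "no exception" paths), but the intended status per failure branch
     * cannot be recovered from this listing alone; verify against the bytecode or the
     * upstream source before relying on {@code mRulesRead} as a failure signal.
     *
     * @throws IOException if a rule source cannot be read
     * @throws MissingResourceException as raised by a rule source
     */
    public synchronized void initialize() throws IOException, MissingResourceException {
        boolean z;
        ArfController arfController;
        AraController araController;
        String str = "";
        // Start permissive; tightened at the end if nothing can supply rules.
        this.mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.ALLOWED);
        this.mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.ALLOWED);
        this.mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.ALLOWED, "");
        readSecurityProfile();
        boolean z2 = false;
        this.mNoRuleFound = false;
        if (this.mUseAra && this.mAraController == null) {
            this.mAraController = new AraController(this.mAccessRuleCache, this.mTerminal);
        }
        if (this.mUseAra && (araController = this.mAraController) != null) {
            try {
                araController.initialize();
                Log.i("SecureElement-AccessControlEnforcer", "ARA applet is used for:" + this.mTerminal.getName());
                // ARA works: it becomes the only rule source.
                this.mUseArf = false;
                this.mFullAccess = false;
            } catch (IOException | MissingResourceException e) {
                throw e;
            } catch (Exception e2) {
                this.mUseAra = false;
                String localizedMessage = e2.getLocalizedMessage();
                if (e2 instanceof NoSuchElementException) {
                    Log.i("SecureElement-AccessControlEnforcer", "No ARA applet found in: " + this.mTerminal.getName());
                    if (!this.mUseArf) {
                        this.mNoRuleFound = true;
                        z = this.mFullAccess;
                        str = localizedMessage;
                    }
                } else {
                    if (!this.mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
                        // ARA failed for a reason other than absence on a non-UICC terminal:
                        // every fallback is switched off.
                        this.mUseArf = false;
                        this.mFullAccess = false;
                        Log.i("SecureElement-AccessControlEnforcer", "Problem accessing ARA, Access DENIED " + e2.getLocalizedMessage());
                    } else if (!this.mUseArf) {
                        this.mFullAccess = false;
                    }
                    str = localizedMessage;
                    z = false;
                }
                str = localizedMessage;
            }
        }
        // NOTE(review): unconditional; discards the z values assigned in the handler above.
        z = true;
        if (this.mUseArf && this.mArfController == null) {
            this.mArfController = new ArfController(this.mAccessRuleCache, this.mTerminal);
        }
        if (this.mUseArf && (arfController = this.mArfController) != null) {
            try {
                try {
                    arfController.initialize();
                    Log.i("SecureElement-AccessControlEnforcer", "ARF rules are used for:" + this.mTerminal.getName());
                    this.mFullAccess = false;
                } catch (IOException | MissingResourceException e3) {
                    // NOTE(review): as rendered, this rethrow lands in the outer handler,
                    // because IOException and MissingResourceException are both Exceptions;
                    // they would then never leave this method from the ARF path.
                    throw e3;
                }
            } catch (Exception e4) {
                this.mUseArf = false;
                String localizedMessage2 = e4.getLocalizedMessage();
                Log.e("SecureElement-AccessControlEnforcer", e4.getMessage());
                if (e4 instanceof NoSuchElementException) {
                    Log.i("SecureElement-AccessControlEnforcer", "No ARF found in: " + this.mTerminal.getName());
                    this.mNoRuleFound = true;
                    z2 = this.mFullAccess;
                } else {
                    this.mFullAccess = false;
                }
                str = localizedMessage2;
            }
        }
        // NOTE(review): unconditional; discards the z2 value assigned in the handler above.
        z2 = z;
        if (!this.mUseArf && !this.mUseAra && !this.mFullAccess) {
            // No rule source and no full access: deny everything on this terminal.
            this.mInitialChannelAccess.setApduAccess(ChannelAccess.ACCESS.DENIED);
            this.mInitialChannelAccess.setNFCEventAccess(ChannelAccess.ACCESS.DENIED);
            this.mInitialChannelAccess.setAccess(ChannelAccess.ACCESS.DENIED, str);
            Log.i("SecureElement-AccessControlEnforcer", "Deny any access to:" + this.mTerminal.getName());
        }
        this.mRulesRead = z2;
    }

    /**
     * Reports, per package, whether NFC events from an applet may be delivered to it.
     *
     * @param bArr AID of the applet that raised the event
     * @param strArr package names to evaluate
     * @return one flag per package; when no rule source is active every flag equals the
     *     full-access setting
     */
    public synchronized boolean[] isNfcEventAllowed(byte[] bArr, String[] strArr) {
        if (!this.mUseAra && !this.mUseArf) {
            int length = strArr.length;
            boolean[] zArr = new boolean[length];
            for (int i = 0; i < length; i++) {
                zArr[i] = this.mFullAccess;
            }
            return zArr;
        }
        return internal_isNfcEventAllowed(bArr, strArr);
    }

    /** Returns whether the last initialize() found the rule source to be absent. */
    public boolean isNoRuleFound() {
        return this.mNoRuleFound;
    }

    /**
     * Clears the rule cache and drops both controllers.
     *
     * <p>The mode flags, {@code mRulesRead} and the initial channel access are not touched
     * here, so they keep their previous values until initialize() runs again.
     */
    public synchronized void reset() {
        Log.i("SecureElement-AccessControlEnforcer", "Reset the ACE for terminal:" + this.mTerminal.getName());
        this.mAccessRuleCache.reset();
        this.mAraController = null;
        this.mArfController = null;
    }

    /** Sets the package manager used to resolve signing certificates. */
    public void setPackageManager(PackageManager packageManager) {
        this.mPackageManager = packageManager;
    }

    /**
     * Computes the channel access for a caller that wants to select an applet.
     *
     * <p>The rule lookup result is passed through a vendor hook that may return a different
     * access object (implementation not shown). If the result grants neither APDU access nor
     * an APDU filter, the call is rejected unless full-access mode is on, in which case the
     * initial channel access is used.
     *
     * <p>NOTE(review): this method is not synchronized, and in the full-access fallback
     * {@code setPackageName} is called on the shared {@code mInitialChannelAccess} before it
     * is cloned, so concurrent callers can observe each other's package name on that object.
     *
     * @param bArr AID of the applet to be selected
     * @param str package name of the caller
     * @param bArr2 UUID identifying the caller instead of a package, may be null
     * @param z whether to re-check the rule source before the lookup
     * @return a copy of the access object that applies to the new channel
     * @throws AccessControlException if access is denied
     */
    public ChannelAccess setUpChannelAccess(byte[] bArr, String str, byte[] bArr2, boolean z) throws IOException, MissingResourceException {
        if (this.mInitialChannelAccess.getAccess() == ChannelAccess.ACCESS.DENIED) {
            throw new AccessControlException("SecureElement-AccessControlEnforceraccess denied: " + this.mInitialChannelAccess.getReason());
        }
        ChannelAccess channelAccess = this.mOplusAccessControlEnforcer.setupChannelAccessCheckPermission(str, (this.mUseAra || this.mUseArf) ? internal_setUpChannelAccess(bArr, str, bArr2, z) : null);
        if (channelAccess == null || (channelAccess.getApduAccess() != ChannelAccess.ACCESS.ALLOWED && !channelAccess.isUseApduFilter())) {
            if (!this.mFullAccess) {
                throw new AccessControlException("SecureElement-AccessControlEnforcerno APDU access allowed!");
            }
            channelAccess = this.mInitialChannelAccess;
        }
        channelAccess.setPackageName(str);
        // m21clone is the decompiler's name for the access object's clone method.
        return channelAccess.m21clone();
    }
}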
