package com.gallagher.security.mobileaccess;

import com.gallagher.security.libasn.AsnObject;
import com.gallagher.security.libasn.AsnObjectIdentifiers;
import com.gallagher.security.libasn.AsnTag;
import com.gallagher.security.mobileaccess.CloudNetworkConnectionError;
import com.gallagher.security.mobileaccess.Database;
import com.gallagher.security.mobileaccess.TotpError;
import java.nio.ByteBuffer;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import kotlin.jvm.internal.ByteCompanionObject;
import kotlin.time.DurationKt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import rx.Observable;
import rx.Scheduler;
import rx.functions.Action1;
import rx.subjects.PublishSubject;
import rx.subscriptions.SerialSubscription;
import rx.subscriptions.Subscriptions;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
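/**
 * Keeps the TOTP secrets of the device's mobile credentials and derives time-based one-time
 * codes from them.
 *
 * <p>Secrets reach this class through {@link #save} as encrypted ASN.1 updates. They are decrypted
 * with the {@code E2eEncryptionService}, written to the database after {@code encryptForInternal},
 * and held decrypted in {@code mTotpSecrets} so a code can be produced on every timer tick.
 *
 * <p>NOTE(review): {@code mTotpSecrets} is a plain {@code ArrayList}. It is replaced by
 * {@link #loadTotpSecrets}, mutated by {@link #save} and {@link #deleteSecretsForCredential}, and
 * iterated from the timer callback. Nothing in this class synchronises those accesses; confirm
 * that they all run on the same scheduler/thread.
 */
public class TotpService implements ChildUpdateServiceDelegate {
    /** The only update format {@link #deserializeUpdate} accepts. */
    private static final String ASN_ENCRYPTED_FORMAT = "totpSecretAsn1-v1/ecies-v1";
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    /** Codes are reduced modulo 10^6, i.e. rendered as six decimal digits. */
    private static final int TOTP_CODE_MODULUS = 1000000;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TotpService.class);
    private final DatabaseOpener mDatabaseOpener;
    private final E2eEncryptionService mE2eEncryptionService;
    private final TotpTimerSource mTotpTimerSource;
    // Decrypted secrets, one entry per credential as far as save() maintains it.
    private List<TotpSecret> mTotpSecrets = new ArrayList<>();
    private final PublishSubject<TotpCodeUpdateEvent> mChangeSubject = PublishSubject.create();
    private final PublishSubject<TotpError> mErrorSubject = PublishSubject.create();
    private final SerialSubscription mGenerationTimerSubscription = new SerialSubscription();

    /**
     * Registers this service as a child of {@code updatesService} and loads the stored secrets.
     *
     * <p>Decompiler note: the constructor was package-private in the original bytecode.
     *
     * <p>NOTE(review): {@code this} is handed to {@code addChildService} and the public
     * {@link #loadTotpSecrets} is invoked before construction has finished. Errors raised by that
     * initial load are published on a {@code PublishSubject} that most likely has no subscriber
     * yet, so they are probably only visible in the log.
     *
     * @param updatesService service this instance registers itself with
     * @param e2eEncryptionService used to decrypt incoming and stored secrets and to encrypt for storage
     * @param databaseOpener opens the database that persists the secrets
     * @param scheduler scheduler handed to the TOTP timer source
     */
    public TotpService(UpdatesService updatesService, E2eEncryptionService e2eEncryptionService, DatabaseOpener databaseOpener, Scheduler scheduler) {
        this.mDatabaseOpener = databaseOpener;
        this.mE2eEncryptionService = e2eEncryptionService;
        this.mTotpTimerSource = TotpTimerSource.create(MobileAccessProvider.TOTP_ALLOWABLE_TIME_WINDOW_SECONDS.longValue() * 1000, scheduler);
        updatesService.addChildService(this);
        loadTotpSecrets();
    }

    /**
     * Decrypts one secret update and extracts the secret value from its DER-encoded payload.
     *
     * <p>The decoded object must be a SEQUENCE. A top-level OBJECT IDENTIFIER must be present, and
     * a nested SEQUENCE whose identifier equals {@code GGL_TOTP_SECRET_VALUE} supplies the secret
     * bytes. Nested sequences with other identifiers are skipped.
     *
     * <p>NOTE(review): the top-level identifier is only required to exist; its value is not
     * compared with an expected identifier here.
     *
     * <p>NOTE(review): the {@code DeserializationError}s thrown inside the {@code try} are caught
     * by the trailing {@code catch} if {@code TotpError} is an {@code Exception}, so callers would
     * then see them wrapped in a {@code DecryptionError}. Confirm whether that is intended.
     *
     * @param totpSecretUpdate update carrying the encrypted value and its format name
     * @param credentialId identifier stored on the resulting secret
     * @param facilityName facility name stored on the resulting secret
     * @return the secret built from the decrypted value
     * @throws TotpError if the format is unsupported, or decryption or decoding fails
     */
    private TotpSecret deserializeUpdate(TotpSecretUpdate totpSecretUpdate, String credentialId, String facilityName) throws TotpError {
        byte[] ciphertext = totpSecretUpdate.value;
        if (ciphertext == null || !ASN_ENCRYPTED_FORMAT.equals(totpSecretUpdate.format)) {
            throw new TotpError.DeserializationError("Unsupported TOTP Update format");
        }
        try {
            AsnObject root = AsnObject.derDecode(this.mE2eEncryptionService.decrypt(ciphertext));
            if (root == null) {
                throw new TotpError.DeserializationError("Failed to decode TOTP ASN Object");
            }
            if (!root.getTag().equals(AsnTag.Simple.SEQUENCE)) {
                throw new TotpError.DeserializationError("TOTP ASN was not a Sequence");
            }
            String outerIdentifier = null;
            byte[] secretValue = null;
            for (AsnObject child : root.getChildren() != null ? root.getChildren() : Collections.emptyList()) {
                if (child.getTag().equals(AsnTag.Simple.OBJECT_IDENTIFIER)) {
                    outerIdentifier = AsnObject.decodeObjectIdentifier(child.getValue() != null ? child.getValue() : new byte[0]);
                } else if (child.getTag().equals(AsnTag.Simple.SEQUENCE)) {
                    String entryIdentifier = null;
                    byte[] entryValue = null;
                    for (AsnObject entryPart : child.getChildren() != null ? child.getChildren() : Collections.emptyList()) {
                        if (entryPart.getTag().equals(AsnTag.Simple.OBJECT_IDENTIFIER)) {
                            entryIdentifier = AsnObject.decodeObjectIdentifier(entryPart.getValue() != null ? entryPart.getValue() : new byte[0]);
                        } else {
                            // Any element that is not an identifier is taken as the entry's value.
                            entryValue = entryPart.getValue();
                        }
                    }
                    if (entryIdentifier == null) {
                        throw new TotpError.DeserializationError("ASN Object is corrupt during deserialization");
                    }
                    if (AsnObjectIdentifiers.GGL_TOTP_SECRET_VALUE.equals(entryIdentifier)) {
                        secretValue = entryValue;
                    }
                }
            }
            // An empty value can never be used as an HMAC key (SecretKeySpec rejects it), so it is
            // refused here, before it is persisted or replaces a working secret.
            if (outerIdentifier == null || secretValue == null || secretValue.length == 0) {
                throw new TotpError.DeserializationError("Failed to deserialize TOTP ASN Object correctly");
            }
            return new TotpSecret(credentialId, secretValue, facilityName);
        } catch (EncryptionError | Exception e) {
            throw new TotpError.DecryptionError(e);
        }
    }

    /**
     * Builds the code for one secret at the given tick.
     *
     * @return the code, or {@code null} when the HMAC could not be computed for this secret
     */
    private static TotpCode generateCodeFromSecret(TotpSecret totpSecret, TotpTimerTick totpTimerTick) {
        try {
            return new TotpCode(totpSecret.getCredentialId(), totpSecret.getFacilityName(), generateTotpCode(totpTimerTick.getReferenceTime(), totpSecret.getValue()), totpTimerTick.getTimePeriodStart(), totpTimerTick.getTimePeriodEnd());
        } catch (InvalidKeyException | NoSuchAlgorithmException | IllegalArgumentException e) {
            // IllegalArgumentException is what SecretKeySpec throws for a null or empty key; one
            // unusable secret must not abort code generation for every other credential.
            LOG.error("Failed to compute TOTP code from stored TOTP Secret", e);
            return null;
        }
    }

    /**
     * Computes a six-digit code using HMAC-SHA256 and the dynamic truncation of RFC 4226/6238.
     *
     * <p>NOTE(review): {@code String.format} without a {@code Locale} uses the default locale, so
     * the digits may not be ASCII on some locales. Confirm whether {@code Locale.ROOT} is wanted.
     *
     * @param j reference time; it is divided by the allowable time window in seconds times 1000,
     *     so presumably milliseconds
     * @param bArr HMAC key (the TOTP secret); must be non-null and non-empty
     * @return the code, zero-padded to six digits
     * @throws NoSuchAlgorithmException if HmacSHA256 is unavailable
     * @throws InvalidKeyException if the key is rejected by the MAC
     */
    public static String generateTotpCode(long j, byte[] bArr) throws NoSuchAlgorithmException, InvalidKeyException {
        long stepMillis = MobileAccessProvider.TOTP_ALLOWABLE_TIME_WINDOW_SECONDS.longValue() * 1000;
        // ByteBuffer is big-endian by default, which gives the 8-byte counter encoding.
        byte[] counter = ByteBuffer.allocate(8).putLong(j / stepMillis).array();
        SecretKeySpec key = new SecretKeySpec(bArr, HMAC_ALGORITHM);
        Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        mac.init(key);
        byte[] digest = mac.doFinal(counter);
        // The low nibble of the last byte selects the offset (0..15); offset + 3 stays inside the
        // 32-byte SHA-256 output.
        int offset = digest[digest.length - 1] & 0x0f;
        // The top bit is masked off so the 31-bit value is never negative. The decompiler showed
        // these two constants as ByteCompanionObject.MAX_VALUE (127) and
        // DurationKt.NANOS_IN_MILLIS (1000000); they are plain literals.
        int truncated = ((digest[offset] & 0x7f) << 24)
                | ((digest[offset + 1] & 0xff) << 16)
                | ((digest[offset + 2] & 0xff) << 8)
                | (digest[offset + 3] & 0xff);
        return String.format("%06d", Integer.valueOf(truncated % TOTP_CODE_MODULUS));
    }

    /**
     * Generates a code for every secret in {@code list}, leaving out secrets that fail.
     *
     * <p>Decompiler note: this method was private in the original bytecode.
     *
     * @param list secrets to generate codes for
     * @param totpTimerTick tick supplying the reference time and the validity period
     * @return the codes that could be generated; never contains {@code null}
     */
    public List<TotpCode> generateTotpCodes(List<TotpSecret> list, TotpTimerTick totpTimerTick) {
        List<TotpCode> codes = new ArrayList<>();
        for (TotpSecret secret : list) {
            TotpCode code = generateCodeFromSecret(secret, totpTimerTick);
            if (code == null) {
                LOG.error("Exception thrown while attempting to generate code from TOTP Secret");
                continue;
            }
            codes.add(code);
        }
        return codes;
    }

    /** Subscribes to the timer source and publishes a fresh set of codes on every tick. */
    public void beginTotpCodeGeneration() {
        this.mGenerationTimerSubscription.set(this.mTotpTimerSource.subscribe(new Action1<TotpTimerTick>() {
            @Override
            public void call(TotpTimerTick totpTimerTick) {
                List<TotpCode> codes = TotpService.this.generateTotpCodes(TotpService.this.mTotpSecrets, totpTimerTick);
                TotpService.this.mChangeSubject.onNext(new TotpCodeUpdateEvent(codes, Collections.emptyList()));
            }
        }));
    }

    /**
     * Deletes the stored secret of {@code mobileCredential} and drops it from memory.
     *
     * <p>Does nothing when no secret is held for the credential. On success a change event
     * carrying the removed credential ids is published.
     *
     * <p>Decompiler note: this method was package-private in the original bytecode.
     *
     * @throws TotpError a {@code DeleteSecretFailed}, also published on the error stream, when the
     *     deletion fails
     */
    public void deleteSecretsForCredential(MobileCredential mobileCredential) throws TotpError {
        ArrayList removedCredentialIds = new ArrayList();
        List<TotpSecret> matches = new ArrayList<>();
        for (TotpSecret secret : this.mTotpSecrets) {
            if (secret.getCredentialId().equals(mobileCredential.getId())) {
                removedCredentialIds.add(secret.getCredentialId());
                matches.add(secret);
            }
        }
        if (matches.isEmpty()) {
            return;
        }
        try {
            Database database = this.mDatabaseOpener.openDatabase();
            try {
                database.deleteTotpSecret(Util.decodeBase64(mobileCredential.getId()));
            } finally {
                // Close on the failure path too; previously a failed delete left the handle open.
                if (database != null) {
                    database.close();
                }
            }
            // Drop every secret reported as removed, so that no stale secret of a deleted
            // credential keeps producing codes.
            this.mTotpSecrets.removeAll(matches);
            this.mChangeSubject.onNext(new TotpCodeUpdateEvent(Collections.emptyList(), removedCredentialIds));
        } catch (Exception e) {
            LOG.error("Failed to delete TOTP Secrets linked to deleted mobile credential {}", mobileCredential.getFacilityName(), e);
            TotpError.DeleteSecretFailed deleteSecretFailed = new TotpError.DeleteSecretFailed(e);
            this.mErrorSubject.onNext(deleteSecretFailed);
            throw deleteSecretFailed;
        }
    }

    @Override
    public ChildServiceType getServiceType() {
        return ChildServiceType.TOTP;
    }

    /**
     * Stream of code updates and removals.
     *
     * <p>Decompiler note: this method was package-private in the original bytecode.
     */
    public Observable<TotpCodeUpdateEvent> getTotpCodeUpdates() {
        return this.mChangeSubject;
    }

    /**
     * Stream of errors raised while loading, saving or deleting secrets.
     *
     * <p>Decompiler note: this method was package-private in the original bytecode.
     */
    public Observable<TotpError> getTotpUpdateErrors() {
        return this.mErrorSubject;
    }

    /**
     * Reloads every stored secret from the database, decrypts it and replaces the in-memory list.
     *
     * <p>A secret that cannot be decrypted is reported on the error stream and skipped. A secret
     * without a mobile credential is skipped with a warning. If the database itself fails, the
     * secrets loaded up to that point become the new list.
     */
    public void loadTotpSecrets() {
        List<TotpSecret> loaded = new ArrayList<>();
        try {
            Database database = this.mDatabaseOpener.openDatabase();
            try {
                for (Database.TotpSecret stored : database.getTotpSecrets()) {
                    try {
                        byte[] secretValue = this.mE2eEncryptionService.decrypt(stored.value);
                        Database.MobileCredential owner = database.getMobileCredential(stored.credentialId);
                        if (owner == null) {
                            LOG.warn("TOTP Secret has no mobile credential");
                        } else {
                            loaded.add(new TotpSecret(Util.encodeBase64(stored.credentialId), secretValue, owner.name));
                        }
                    } catch (EncryptionError | Exception e) {
                        LOG.error("Exception thrown while attempting to decrypt stored TOTP Secret", e);
                        this.mErrorSubject.onNext(new TotpError.GetSecretsFailed(e));
                    }
                }
            } finally {
                // Close on the failure path too; previously a failed query left the handle open.
                if (database != null) {
                    database.close();
                }
            }
        } catch (Exception e2) {
            LOG.error("Loading TOTP Secrets from the database failed", (Throwable) e2);
            this.mErrorSubject.onNext(new TotpError.GetSecretsFailed(e2));
        }
        this.mTotpSecrets = loaded;
    }

    /**
     * Publishes the current codes together with the removals produced by {@link #save}.
     *
     * @param mobileCredential credential that was saved (not used here)
     * @param obj the value returned by {@link #save}; cast to a list and passed on as the removed
     *     ids
     */
    @Override
    public void onAfterSave(MobileCredential mobileCredential, Object obj) {
        List removedCredentialIds = (List) obj;
        TotpTimerTick now = this.mTotpTimerSource.getCurrentTimeInfo();
        // generateTotpCodes leaves out secrets whose code could not be computed; the earlier loop
        // put a null entry into the published list for each of them.
        List<TotpCode> codes = generateTotpCodes(this.mTotpSecrets, now);
        this.mChangeSubject.onNext(new TotpCodeUpdateEvent(codes, removedCredentialIds));
    }

    /**
     * Handles an error reported for {@code mobileCredential}.
     *
     * <p>A {@code MobileCredentialNotFound} removes the credential's secret. Every other error is
     * published on the error stream, wrapped in {@code TotpError.Unexpected} unless it already is
     * a {@code TotpError}.
     */
    @Override
    public void onError(MobileCredential mobileCredential, Throwable th) {
        if (!(th instanceof CloudNetworkConnectionError.MobileCredentialNotFound)) {
            TotpError reported = th instanceof TotpError ? (TotpError) th : new TotpError.Unexpected(th);
            this.mErrorSubject.onNext(reported);
            return;
        }
        try {
            deleteSecretsForCredential(mobileCredential);
            // NOTE(review): these two statements log the credential object through toString(),
            // while save() logs getId(); confirm toString() exposes nothing sensitive.
            LOG.info("TOTP Secret deleted from credential {}", mobileCredential);
        } catch (TotpError e) {
            LOG.error("Failed to delete TOTP Secret from credential {}.", mobileCredential, e);
        }
    }

    @Override
    public void onSharedCredentialsRevoked(Collection<RevokedSharedCredential> collection) {
        // Nothing to do for TOTP secrets.
    }

    /**
     * Applies the secret updates of {@code mobileCredentialUpdate} to the database and to memory.
     *
     * <p>ADD_OR_UPDATE decrypts the update, stores it re-encrypted via {@code encryptForInternal}
     * and replaces or appends the in-memory secret. DELETE removes the stored secret and the
     * in-memory entry. Failures are logged and routed through {@link #onError}; they do not stop
     * the remaining updates.
     *
     * @return the credential ids whose in-memory secret was removed; an empty list when the
     *     update carries no secrets
     */
    @Override
    public Object save(Database database, MobileCredential mobileCredential, MobileCredentialUpdate mobileCredentialUpdate) {
        if (mobileCredentialUpdate.totpSecrets.isEmpty()) {
            return Collections.emptyList();
        }
        ArrayList removedCredentialIds = new ArrayList();
        for (TotpSecretUpdate totpSecretUpdate : mobileCredentialUpdate.totpSecrets) {
            // Looked up again for every update because earlier updates may have changed the list.
            int existingIndex = indexOfSecretForCredential(mobileCredential.getId());
            if (totpSecretUpdate.updateType == CloudItemUpdateType.ADD_OR_UPDATE) {
                try {
                    TotpSecret received = deserializeUpdate(totpSecretUpdate, mobileCredential.getId(), mobileCredential.getFacilityName());
                    try {
                        try {
                            database.addTotpSecret(new Database.TotpSecret(Util.decodeBase64(mobileCredential.getId()), this.mE2eEncryptionService.encryptForInternal(received.getValue())));
                            LOG.info("TOTP Secret update received for credential {}", mobileCredential.getId());
                            // Memory is updated only after the database write has succeeded.
                            if (existingIndex != -1) {
                                this.mTotpSecrets.set(existingIndex, received);
                            } else {
                                this.mTotpSecrets.add(received);
                            }
                        } catch (Exception e) {
                            LOG.error("Error trying to add TOTP Secret to database", (Throwable) e);
                            onError(mobileCredential, new TotpError.AddSecretFailed(e));
                        }
                    } catch (EncryptionError | Exception e2) {
                        LOG.error("Failed to encrypt TOTP Secret for internal storage.", e2);
                        onError(mobileCredential, new TotpError.AddSecretFailed(e2));
                    }
                } catch (TotpError e3) {
                    LOG.error("Failed to decrypt TOTP Secret", (Throwable) e3);
                    onError(mobileCredential, e3);
                }
            } else if (totpSecretUpdate.updateType == CloudItemUpdateType.DELETE) {
                try {
                    database.deleteTotpSecret(Util.decodeBase64(mobileCredential.getId()));
                    LOG.info("TOTP Secret deleted from credential {}", mobileCredential.getId());
                    if (existingIndex != -1) {
                        removedCredentialIds.add(this.mTotpSecrets.remove(existingIndex).getCredentialId());
                    }
                } catch (Exception e4) {
                    LOG.error("Error trying to delete TOTP Secret from database", (Throwable) e4);
                    onError(mobileCredential, new TotpError.DeleteSecretFailed(e4));
                }
            }
        }
        return removedCredentialIds;
    }

    /** Returns the index of the first in-memory secret for {@code credentialId}, or -1. */
    private int indexOfSecretForCredential(String credentialId) {
        for (int index = 0; index < this.mTotpSecrets.size(); index++) {
            if (this.mTotpSecrets.get(index).getCredentialId().equals(credentialId)) {
                return index;
            }
        }
        return -1;
    }

    /** Stops periodic code generation by replacing the timer subscription with an empty one. */
    public void stopTotpCodeGeneration() {
        this.mGenerationTimerSubscription.set(Subscriptions.empty());
    }
}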
