package com.avast.android.ffl.v2;

import com.avast.android.ffl.AbstractFFLClient;
import com.avast.android.ffl.EncryptionException;
import com.avast.android.ffl.Hex;
import com.avast.android.ffl.KeyExpiredException;
import com.avast.android.ffl.LoggingProvider;
import com.avast.android.ffl.NonFFLResponseException;
import com.avast.android.ffl.RegistrationException;
import com.avast.crypto.FFLSpec;
import com.avast.crypto.KeyUtilityException;
import com.avast.crypto.PayloadException;
import com.avast.crypto.SymKeyUtility;
import com.avast.ffl.auth.proto.AuthProto;
import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Locale;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.protocol.HTTP;
import retrofit.client.Client;
import retrofit.client.Header;
import retrofit.client.Request;
import retrofit.client.Response;
import retrofit.mime.TypedInput;
import retrofit.mime.TypedOutput;

/* loaded from: classes.dex */
public class FFLV2ClientImpl extends AbstractFFLClient implements FFLV2Client {
    private final AuthProto.Identity appIdentity;
    private final AuthStorage authStorage;
    private final AtomicReference<AuthClock> clockRef;
    private final boolean useRootClientId;

    public FFLV2ClientImpl(Client client, LoggingProvider loggingProvider, AuthStorage authStorage, AuthProto.Identity identity, String str) {
        this(client, loggingProvider, authStorage, identity, str, false);
    }

    public FFLV2ClientImpl(Client client, LoggingProvider loggingProvider, AuthStorage authStorage, AuthProto.Identity identity, String str, boolean z) {
        super(client, loggingProvider, str);
        this.clockRef = new AtomicReference<>();
        this.authStorage = authStorage;
        this.appIdentity = identity;
        this.useRootClientId = z;
    }

    private byte[] decodeBinary(String str) throws UnsupportedEncodingException {
        return Base64.decodeBase64(decodeString(str).getBytes(HTTP.UTF_8));
    }

    private String decodeString(String str) throws UnsupportedEncodingException {
        return URLDecoder.decode(str, HTTP.UTF_8);
    }

    private String encodeBinary(byte[] bArr) throws UnsupportedEncodingException {
        return encodeString(new String(Base64.encodeBase64(bArr), HTTP.UTF_8));
    }

    private String encodeString(String str) throws UnsupportedEncodingException {
        return URLEncoder.encode(str, HTTP.UTF_8);
    }

    private Response executeWithKey(Request request, ClientKey clientKey) throws IOException {
        try {
            return executeWithKeyAndRequestTime(request, clientKey, now());
        } catch (InvalidRequestTimeException e) {
            this.log.info("Server rejected request due to invalid time. Updating offset to server time ($s)", Long.valueOf(e.getServerTime()));
            updateClock(e.getServerTime());
            return executeWithKeyAndRequestTime(request, clientKey, now());
        }
    }

    private Response executeWithKeyAndRequestTime(Request request, ClientKey clientKey, long j) throws IOException {
        byte[] bArr;
        try {
            final TypedOutput body = request.getBody();
            ArrayList arrayList = new ArrayList(request.getHeaders());
            String clientId = loadIdentity().getClientId();
            byte[] generateTEK = SymKeyUtility.generateTEK();
            byte[] encryptTEK = SymKeyUtility.encryptTEK(generateTEK, clientKey.getKey().toByteArray(), j, FFLSpec.V2.threadLocalHmac());
            if (body != null) {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream((int) body.length());
                body.writeTo(byteArrayOutputStream);
                bArr = byteArrayOutputStream.toByteArray();
            } else {
                bArr = new byte[0];
            }
            final byte[] encrypt = (bArr == null || bArr.length <= 0) ? new byte[0] : FFLSpec.V2.cryptoHelper().encrypt(bArr, generateTEK);
            arrayList.add(new Header(HTTP.CONTENT_ENCODING, "x-ffl"));
            arrayList.add(new Header("X-AVAST-FFL-Version", "2"));
            arrayList.add(new Header("X-AVAST-FFL-Mode", "SFSR"));
            arrayList.add(new Header("X-AVAST-Request-Time", Long.toString(j)));
            arrayList.add(new Header("X-AVAST-Client-Id-0", encodeString(clientId)));
            arrayList.add(new Header("X-AVAST-Key-Id-0", encodeBinary(clientKey.getId().toByteArray())));
            arrayList.add(new Header("X-AVAST-ETEK-0", encodeBinary(encryptTEK)));
            Response execute = this.wrappedClient.execute(new Request(request.getMethod(), request.getUrl(), arrayList, body != null ? new TypedOutput() { // from class: com.avast.android.ffl.v2.FFLV2ClientImpl.2
                @Override // retrofit.mime.TypedOutput
                public String fileName() {
                    return body.fileName();
                }

                @Override // retrofit.mime.TypedOutput
                public long length() {
                    return encrypt.length;
                }

                @Override // retrofit.mime.TypedOutput
                public String mimeType() {
                    return body.mimeType();
                }

                @Override // retrofit.mime.TypedOutput
                public void writeTo(OutputStream outputStream) throws IOException {
                    outputStream.write(encrypt);
                }
            } : null));
            final TypedInput body2 = execute.getBody();
            long length = body2 != null ? body2.length() : 0L;
            this.log.debug("Received response with status " + execute.getStatus() + "(" + execute.getReason() + ") and payload size " + length, new Object[0]);
            if (execute.getStatus() == 442) {
                throw new KeyExpiredException("Status code 442 from server");
            }
            final byte[] decrypt = body2 != null ? FFLSpec.V2.cryptoHelper().decrypt(readBytes(body2.in()), SymKeyUtility.decryptTEK(getEtekFromHeaders(execute), clientKey.getKey().toByteArray(), j, FFLSpec.V2.threadLocalHmac())) : new byte[0];
            if (execute.getStatus() == 443) {
                throw new InvalidRequestTimeException(getServerTimeFromBody(decrypt));
            }
            return new Response(execute.getUrl(), execute.getStatus(), execute.getReason(), execute.getHeaders(), new TypedInput() { // from class: com.avast.android.ffl.v2.FFLV2ClientImpl.3
                @Override // retrofit.mime.TypedInput
                public InputStream in() throws IOException {
                    return new ByteArrayInputStream(decrypt);
                }

                @Override // retrofit.mime.TypedInput
                public long length() {
                    return decrypt.length;
                }

                @Override // retrofit.mime.TypedInput
                public String mimeType() {
                    return body2 != null ? body2.mimeType() : "application/octet-stream";
                }
            });
        } catch (KeyUtilityException | PayloadException | InvalidKeyException | NoSuchAlgorithmException e) {
            throw new EncryptionException(e);
        }
    }

    private ByteString generateCigt() {
        byte[] bArr = new byte[32];
        new SecureRandom().nextBytes(bArr);
        return ByteString.copyFrom(bArr);
    }

    private byte[] getEtekFromHeaders(Response response) throws EncryptionException, UnsupportedEncodingException, NonFFLResponseException {
        String str = null;
        String str2 = null;
        String str3 = null;
        for (Header header : response.getHeaders()) {
            if ("X-AVAST-FFL-Version".equalsIgnoreCase(header.getName())) {
                str = header.getValue();
            } else if ("X-AVAST-FFL-Mode".equalsIgnoreCase(header.getName())) {
                str2 = header.getValue();
            } else if ("X-AVAST-ETEK-0".equalsIgnoreCase(header.getName())) {
                str3 = header.getValue();
            }
        }
        if (!"2".equals(str)) {
            throw new NonFFLResponseException("Invalid FFL version in server response: " + str, response);
        }
        if (!"SFSR".equals(str2)) {
            if (!"SFMR".equals(str2)) {
                throw new EncryptionException("Invalid FFL mode in server response: " + str2);
            }
            this.log.warn("Ignoring all but the first recipient in SFMR mode", new Object[0]);
        }
        if (str3 == null) {
            throw new EncryptionException("Missing ETEK in server response");
        }
        return decodeBinary(str3);
    }

    private long getServerTimeFromBody(byte[] bArr) throws IOException {
        try {
            return Long.parseLong(new String(bArr, HTTP.UTF_8));
        } catch (NumberFormatException e) {
            throw new EncryptionException(e, "Cannot parse server time from respnse");
        }
    }

    private ClientIdentity loadIdentity() throws IOException {
        return this.useRootClientId ? this.authStorage.loadRootClientId() : this.authStorage.loadAppClientId();
    }

    private ClientKey loadKey() throws IOException {
        return this.useRootClientId ? this.authStorage.loadRootKey() : this.authStorage.loadAppKey();
    }

    private long now() throws IOException {
        AuthClock authClock = this.clockRef.get();
        if (authClock == null) {
            authClock = new DefaultClock(this.authStorage.loadTimeOffset());
            this.clockRef.set(authClock);
        }
        return authClock.now();
    }

    private void register(ClientIdentity clientIdentity) throws IOException {
        ByteString generateCigt = generateCigt();
        AuthProto.FFLAuthRegistrationRequest.Builder identity = AuthProto.FFLAuthRegistrationRequest.newBuilder().setClientIdGenerationToken(generateCigt).setIdentity(this.appIdentity);
        if (clientIdentity != null) {
            identity.setParent(AuthProto.FFLAuthRegistrationRequest.Parent.newBuilder().setClientId(clientIdentity.getClientId()).setClientIdGenerationToken(clientIdentity.getClientIdGenerationToken()));
        }
        final byte[] byteArray = identity.build().toByteArray();
        Response execute = this.wrappedClient.execute(new Request(HttpPost.METHOD_NAME, registerUrl(), null, new TypedOutput() { // from class: com.avast.android.ffl.v2.FFLV2ClientImpl.1
            @Override // retrofit.mime.TypedOutput
            public String fileName() {
                return null;
            }

            @Override // retrofit.mime.TypedOutput
            public long length() {
                return byteArray.length;
            }

            @Override // retrofit.mime.TypedOutput
            public String mimeType() {
                return "application/octet-stream";
            }

            @Override // retrofit.mime.TypedOutput
            public void writeTo(OutputStream outputStream) throws IOException {
                outputStream.write(byteArray);
            }
        }));
        if (execute.getStatus() != 200) {
            throw new RegistrationException("Return code of AUTH service should be 200, is " + execute.getStatus());
        }
        try {
            AuthProto.FFLAuthRegistrationResponse parseFrom = AuthProto.FFLAuthRegistrationResponse.parseFrom(execute.getBody().in());
            Calendar calendar = Calendar.getInstance();
            calendar.setTimeInMillis(parseFrom.getKeyExpiration());
            this.log.info("Registered as %s Client ID %s with CIGT %s", clientIdentity != null ? "app" : "root", parseFrom.getClientId(), Hex.encodeHexString(generateCigt.toByteArray()));
            this.log.info("Received new AUTH key ID %s, version %s, expiration %s", Hex.encodeHexString(parseFrom.getKeyId().toByteArray()), Long.valueOf(parseFrom.getKeyVersion()), new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", Locale.US).format(calendar.getTime()));
            ClientIdentity clientIdentity2 = new ClientIdentity(generateCigt, parseFrom.getClientId());
            ClientKey clientKey = new ClientKey(parseFrom.getKeyId(), parseFrom.getKey(), parseFrom.getKeyVersion(), parseFrom.getKeyExpiration());
            if (clientIdentity != null) {
                this.authStorage.storeAppClientId(clientIdentity2, clientKey);
            } else {
                this.authStorage.storeRootClientId(clientIdentity2, clientKey);
            }
        } catch (InvalidProtocolBufferException e) {
            throw new RegistrationException(e, "Could not parse registration GPB response");
        }
    }

    private ClientKey requestNextKey(ClientIdentity clientIdentity, ClientKey clientKey) throws IOException {
        final byte[] byteArray = AuthProto.FFLAuthGenerateKeyRequest.newBuilder().setClientIdGenerationToken(clientIdentity.getClientIdGenerationToken()).setClientId(clientIdentity.getClientId()).setPreviousKeyVersion(clientKey.getVersion()).setIdentity(this.appIdentity).build().toByteArray();
        Response execute = this.wrappedClient.execute(new Request(HttpPost.METHOD_NAME, nextKeyUrl(), null, new TypedOutput() { // from class: com.avast.android.ffl.v2.FFLV2ClientImpl.4
            @Override // retrofit.mime.TypedOutput
            public String fileName() {
                return null;
            }

            @Override // retrofit.mime.TypedOutput
            public long length() {
                return byteArray.length;
            }

            @Override // retrofit.mime.TypedOutput
            public String mimeType() {
                return "application/octet-stream";
            }

            @Override // retrofit.mime.TypedOutput
            public void writeTo(OutputStream outputStream) throws IOException {
                outputStream.write(byteArray);
            }
        }));
        if (execute.getStatus() == 409) {
            throw new KeyVersionConflictException("Conflict when requesting new key with previous version: " + clientKey.getVersion());
        }
        if (execute.getStatus() != 200) {
            throw new GenerateKeyException("Return code of AUTH service should be 200, is " + execute.getStatus());
        }
        try {
            AuthProto.FFLAuthGenerateKeyResponse parseFrom = AuthProto.FFLAuthGenerateKeyResponse.parseFrom(execute.getBody().in());
            Calendar calendar = Calendar.getInstance();
            calendar.setTimeInMillis(parseFrom.getKeyExpiration());
            this.log.info("Received new AUTH key ID %s, version %s, expiration %s", Hex.encodeHexString(parseFrom.getKeyId().toByteArray()), Long.valueOf(parseFrom.getKeyVersion()), new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", Locale.US).format(calendar.getTime()));
            ClientKey clientKey2 = new ClientKey(parseFrom.getKeyId(), parseFrom.getKey(), parseFrom.getKeyVersion(), parseFrom.getKeyExpiration());
            storeKey(clientKey2);
            return clientKey2;
        } catch (InvalidProtocolBufferException e) {
            throw new GenerateKeyException("Could not parse generate key GPB response", e);
        }
    }

    private void storeKey(ClientKey clientKey) throws IOException {
        if (this.useRootClientId) {
            this.authStorage.storeNewRootKey(clientKey);
        } else {
            this.authStorage.storeNewAppKey(clientKey);
        }
    }

    private void updateClock(long j) throws IOException {
        long offsetFromServerTime = DefaultClock.offsetFromServerTime(j);
        this.authStorage.storeTimeOffset(offsetFromServerTime);
        this.clockRef.set(new DefaultClock(offsetFromServerTime));
    }

    @Override // retrofit.client.Client
    public Response execute(Request request) throws IOException, KeyExpiredException {
        ClientIdentity loadRootClientId = this.authStorage.loadRootClientId();
        if (loadRootClientId == null) {
            throw new IllegalStateException("Root Client ID not registered");
        }
        ClientIdentity loadAppClientId = this.authStorage.loadAppClientId();
        if (loadAppClientId == null) {
            throw new IllegalStateException("App Client ID not registered");
        }
        if (loadAppClientId.isDescendantOf(loadRootClientId)) {
            return executeWithKey(request, loadKey());
        }
        throw new AppClientIdMismatchException("App Client ID is not derived from root Client ID");
    }

    @Override // com.avast.android.ffl.v2.FFLV2Client
    public boolean hasAppClientId() throws IOException {
        return (this.authStorage.loadAppClientId() == null || this.authStorage.loadAppKey() == null) ? false : true;
    }

    @Override // com.avast.android.ffl.v2.FFLV2Client
    public boolean hasRootClientId() throws IOException {
        return this.authStorage.loadRootClientId() != null;
    }

    protected String nextKeyUrl() {
        return "https://" + this.authServer + "/V2/KEY";
    }

    @Override // com.avast.android.ffl.v2.FFLV2Client
    public void registerAppClientId() throws IOException {
        ClientIdentity loadRootClientId = this.authStorage.loadRootClientId();
        if (loadRootClientId == null) {
            throw new IllegalStateException("Root client id must be registered before registering app client id.");
        }
        register(loadRootClientId);
    }

    @Override // com.avast.android.ffl.v2.FFLV2Client
    public void registerRootClientId() throws IOException {
        register(null);
    }

    protected String registerUrl() {
        return "https://" + this.authServer + "/V2/REG";
    }

    @Override // com.avast.android.ffl.v2.FFLV2Client
    public void requestNextKey() throws IOException {
        ClientKey loadKey = loadKey();
        ClientIdentity loadIdentity = loadIdentity();
        if (loadKey == null || loadIdentity == null) {
            throw new IllegalStateException("App client is not registered with auth server");
        }
        storeKey(new ClientKey(loadKey.getId(), loadKey.getKey(), loadKey.getVersion() + 1, loadKey.getExpiration()));
        requestNextKey(loadIdentity, loadKey);
    }
}
