package com.microsoft.identity.common.internal.platform;

import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.StrongBoxUnavailableException;
import androidx.constraintlayout.core.widgets.Barrier$$ExternalSyntheticOutline0;
import com.microsoft.identity.common.adal.internal.cache.StorageHelper;
import com.microsoft.identity.common.java.WarningType;
import com.microsoft.identity.common.java.crypto.IDevicePopManager;
import com.microsoft.identity.common.java.crypto.IKeyStoreKeyManager;
import com.microsoft.identity.common.java.crypto.SecureHardwareState;
import com.microsoft.identity.common.java.crypto.key.KeyUtil;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import com.microsoft.identity.common.java.util.ported.DateUtilities;
import com.microsoft.identity.common.logging.Logger;
import com.nimbusds.jose.crypto.impl.RSAKeyUtils;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import lombok.NonNull;

/* loaded from: classes2.dex */
/**
 * Android implementation of {@link AbstractDevicePopManager} that keeps the device PoP
 * RSA key pair in the {@code AndroidKeyStore} provider.
 *
 * <p>Key generation is opportunistic. It first asks for StrongBox isolation, key-import
 * (wrap-key) support and the attestation step, then drops each option individually when
 * the provider rejects it. The resulting key may therefore be weaker than the first
 * request; the only signal is the log output and {@link #getSecureHardwareState(KeyPair)}.
 *
 * <p>NOTE(review): this listing is decompiler output, so private parameter names and some
 * constant references were reconstructed and may not match the upstream source.
 */
public class AndroidDevicePopManager extends AbstractDevicePopManager {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    public static final String FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN = "Failed to generate attestation certificate chain";
    private static final int RSA_KEY_SIZE = 2048;
    public static final String STRONG_BOX_UNAVAILABLE_EXCEPTION = "StrongBoxUnavailableException";
    private static final String TAG = "AndroidDevicePopManager";

    // KeyProperties purpose bitmasks as passed to KeyGenParameterSpec.Builder:
    // 15 = PURPOSE_ENCRYPT (1) | PURPOSE_DECRYPT (2) | PURPOSE_SIGN (4) | PURPOSE_VERIFY (8).
    private static final int PURPOSES_CRYPT_AND_SIGN = 15;
    // 47 = the four purposes above | PURPOSE_WRAP_KEY (32), used when import is enabled.
    private static final int PURPOSES_CRYPT_SIGN_AND_WRAP = 47;

    private final Context mContext;

    /**
     * Creates a manager that uses the default keystore entry alias.
     *
     * @param context Android context; must not be null
     */
    public AndroidDevicePopManager(@NonNull Context context) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
        this(context, AbstractDevicePopManager.DEFAULT_KEYSTORE_ENTRY_ALIAS);
        // The delegated constructor has already rejected a null context with the same message.
        if (context == null) {
            throw new NullPointerException("context is marked non-null but is null");
        }
    }

    /**
     * Creates a manager bound to the given keystore alias.
     *
     * <p>The key manager is built (and the keystore loaded) before {@code context} is
     * checked, because the superclass constructor call has to come first.
     *
     * @param context Android context; must not be null
     * @param str     keystore entry alias; must not be null
     */
    public AndroidDevicePopManager(@NonNull Context context, @NonNull String str) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
        super(createKeyStoreKeyManager(str));
        if (context == null) {
            throw new NullPointerException("context is marked non-null but is null");
        }
        if (str == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        this.mContext = context;
    }

    /** Requests StrongBox backing on the supplied spec builder and returns the builder. */
    @SuppressLint({WarningType.NewApi})
    private static KeyGenParameterSpec.Builder applyHardwareIsolation(KeyGenParameterSpec.Builder specBuilder) {
        return specBuilder.setIsStrongBoxBacked(true);
    }

    /**
     * Loads the {@code AndroidKeyStore} and wraps it in a key manager for {@code alias}.
     *
     * @throws NullPointerException if {@code alias} is null
     */
    private static IKeyStoreKeyManager<KeyStore.PrivateKeyEntry> createKeyStoreKeyManager(@NonNull String alias) throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
        if (alias == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        final KeyStore androidKeyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        androidKeyStore.load(null);
        return AndroidDeviceKeyManager.builder().keyAlias(alias).keyStore(androidKeyStore).build();
    }

    /**
     * Generates one 2048-bit RSA key pair with the requested options.
     *
     * <p>The default locale is captured before the keystore locale workaround runs and is
     * restored afterwards; presumably the workaround may change it. The shared lock is
     * taken only when the current locale's calendar is non-Gregorian; otherwise a fresh
     * object is locked, which excludes no other thread.
     *
     * @param useStrongBox     request StrongBox isolation
     * @param enableImport     add the wrap-key purpose (API 28+ path only)
     * @param tryAttestation   run the attestation-challenge step
     */
    private KeyPair generateNewKeyPair(Context context, boolean useStrongBox, boolean enableImport, boolean tryAttestation) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, StrongBoxUnavailableException {
        final Object lock = DateUtilities.isLocaleCalendarNonGregorian(Locale.getDefault())
                ? DateUtilities.LOCALE_CHANGE_LOCK
                : new Object();
        synchronized (lock) {
            final Locale originalLocale = Locale.getDefault();
            StorageHelper.applyKeyStoreLocaleWorkarounds(originalLocale);
            try {
                return getInitializedRsaKeyPairGenerator(context, RSA_KEY_SIZE, useStrongBox, enableImport, tryAttestation).generateKeyPair();
            } finally {
                Locale.setDefault(originalLocale);
            }
        }
    }

    /**
     * Generates a key pair, retrying up to four times until the private key reports at
     * least {@code minKeySizeBits} bits.
     *
     * <p>Within one attempt each option is dropped at most once, in response to a
     * matching {@link ProviderException}: StrongBox first, then import, then attestation.
     * Any other provider failure clears the stored key and is rethrown.
     *
     * <p>NOTE(review): the downgrade is visible only in the logs. A caller that requires
     * a StrongBox or hardware-backed key has to check the reported
     * {@link SecureHardwareState} itself.
     *
     * @throws UnsupportedOperationException if no attempt produced an acceptable key
     */
    @SuppressLint({WarningType.NewApi})
    private KeyPair generateNewRsaKeyPair(Context context, int minKeySizeBits) throws UnsupportedOperationException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
        for (int attempt = 0; attempt < 4; attempt++) {
            boolean tryStrongBox = true;
            boolean tryImport = true;
            boolean tryAttestation = true;
            boolean generated = false;
            KeyPair candidate = null;
            while (!generated) {
                try {
                    candidate = generateNewKeyPair(context, tryStrongBox, tryImport, tryAttestation);
                    generated = true;
                } catch (ProviderException failure) {
                    if (tryStrongBox && isStrongBoxUnavailableException(failure)) {
                        tryStrongBox = false;
                        continue;
                    }
                    // Matched by simple class name, not instanceof.
                    if (tryImport && failure.getClass().getSimpleName().equals("SecureKeyImportUnavailableException")) {
                        Logger.error(TAG, "Import unsupported - skipping import flags.", failure);
                        // The import failure may wrap a StrongBox failure; drop both in one pass.
                        if (tryStrongBox && failure.getCause() != null && isStrongBoxUnavailableException(failure.getCause())) {
                            tryStrongBox = false;
                        }
                        tryImport = false;
                        continue;
                    }
                    // Matched on the exception message text, so it depends on the provider's wording.
                    if (tryAttestation && FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN.equalsIgnoreCase(failure.getMessage())) {
                        Logger.error(TAG, "Failed to generate attestation cert - skipping flag.", failure);
                        tryAttestation = false;
                        continue;
                    }
                    // Nothing left to downgrade: remove whatever was stored and surface the error.
                    clearAsymmetricKey();
                    throw failure;
                }
            }
            final int bits = RSAKeyUtils.keyBitLength(candidate.getPrivate());
            // A negative length is accepted as-is; presumably it means the length could not
            // be read from the key - TODO confirm against RSAKeyUtils.
            if (bits < 0 || bits >= minKeySizeBits) {
                // Return value unused here; the call logs the hardware-backing state.
                getSecureHardwareState(candidate);
                return candidate;
            }
        }
        clearAsymmetricKey();
        throw new UnsupportedOperationException("Failed to generate valid KeyPair. Attempted 4 times.");
    }

    /** Returns an RSA {@link KeyPairGenerator} from the AndroidKeyStore provider, already initialized. */
    private KeyPairGenerator getInitializedRsaKeyPairGenerator(Context context, int keySize, boolean useStrongBox, boolean enableImport, boolean tryAttestation) throws InvalidAlgorithmParameterException, NoSuchProviderException, NoSuchAlgorithmException {
        final KeyPairGenerator generator = KeyPairGenerator.getInstance(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA, ANDROID_KEYSTORE);
        initialize(context, generator, keySize, useStrongBox, enableImport, tryAttestation);
        return generator;
    }

    /**
     * Picks the initializer for the running API level. Below API 28 the import flag is
     * not forwarded. {@code context} is not used.
     */
    private void initialize(Context context, KeyPairGenerator keyPairGenerator, int keySize, boolean useStrongBox, boolean enableImport, boolean tryAttestation) throws InvalidAlgorithmParameterException {
        if (Build.VERSION.SDK_INT >= 28) {
            initialize28(keyPairGenerator, keySize, useStrongBox, enableImport, tryAttestation);
            return;
        }
        initialize23(keyPairGenerator, keySize, useStrongBox, tryAttestation);
    }

    /**
     * Initializes the generator for API levels below 28.
     *
     * <p>NOTE(review): one key is authorized for encrypt, decrypt, sign and verify. The
     * digest list includes "NONE" and {@code IDevicePopManager.SHA_1}, and PKCS#1 v1.5
     * padding is allowed for both signing and encryption. These settings determine which
     * operations the keystore will perform with this key. Confirm each is still needed by
     * a caller before treating the key as restricted to modern primitives.
     */
    @SuppressLint({"InlinedApi"})
    private void initialize23(KeyPairGenerator keyPairGenerator, int keySize, boolean useStrongBox, boolean tryAttestation) throws InvalidAlgorithmParameterException {
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(this.mKeyManager.getKeyAlias(), PURPOSES_CRYPT_AND_SIGN)
                .setKeySize(keySize)
                .setSignaturePaddings("PKCS1")
                .setDigests("NONE", IDevicePopManager.SHA_1, KeyUtil.HMAC_KEY_HASH_ALGORITHM)
                .setEncryptionPaddings("OAEPPadding", "PKCS1Padding");
        if (tryAttestation) {
            spec = setAttestationChallenge(spec);
        }
        // initialize() only routes here below API 28, so this branch is not taken on that path.
        if (Build.VERSION.SDK_INT >= 28 && useStrongBox) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            spec = applyHardwareIsolation(spec);
        }
        keyPairGenerator.initialize(spec.build());
    }

    /**
     * Initializes the generator for API 28 and above. It uses the same paddings and
     * digests as {@link #initialize23}, adds the wrap-key purpose when import is enabled,
     * and requests StrongBox when asked.
     *
     * <p>NOTE(review): the multi-purpose, "NONE"/SHA-1 digest and PKCS#1 v1.5 padding
     * authorizations noted on {@code initialize23} apply here as well.
     */
    @SuppressLint({"InlinedApi"})
    private void initialize28(KeyPairGenerator keyPairGenerator, int keySize, boolean useStrongBox, boolean enableImport, boolean tryAttestation) throws InvalidAlgorithmParameterException {
        final int purposes = (enableImport && Build.VERSION.SDK_INT >= 28)
                ? PURPOSES_CRYPT_SIGN_AND_WRAP
                : PURPOSES_CRYPT_AND_SIGN;
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(this.mKeyManager.getKeyAlias(), purposes)
                .setKeySize(keySize)
                .setSignaturePaddings("PKCS1")
                .setDigests("NONE", IDevicePopManager.SHA_1, KeyUtil.HMAC_KEY_HASH_ALGORITHM)
                .setEncryptionPaddings("OAEPPadding", "PKCS1Padding");
        if (tryAttestation) {
            spec = setAttestationChallenge(spec);
        }
        if (Build.VERSION.SDK_INT >= 28 && useStrongBox) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            spec = applyHardwareIsolation(spec);
        }
        keyPairGenerator.initialize(spec.build());
    }

    /**
     * Legacy initializer built on {@link KeyPairGeneratorSpec}. The certificate validity
     * starts at "now" and ends 99 years later, and the RSA public exponent is F4. Nothing
     * in this class calls it.
     */
    @SuppressLint({WarningType.NewApi})
    private void initializePre23(Context context, KeyPairGenerator keyPairGenerator, int keySize) throws InvalidAlgorithmParameterException {
        final Calendar validity = Calendar.getInstance();
        // Take the start date before the calendar is moved forward.
        final Date notBefore = AbstractDevicePopManager.getNow(validity);
        validity.add(Calendar.YEAR, 99);
        final Date notAfter = validity.getTime();
        final KeyPairGeneratorSpec.Builder spec = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(this.mKeyManager.getKeyAlias())
                .setStartDate(notBefore)
                .setEndDate(notAfter)
                .setSerialNumber(AbstractDevicePopManager.CertificateProperties.SERIAL_NUMBER)
                .setSubject(new X500Principal(AbstractDevicePopManager.CertificateProperties.COMMON_NAME));
        spec.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(keySize, RSAKeyGenParameterSpec.F4));
        keyPairGenerator.initialize(spec.build());
    }

    /**
     * Reports whether {@code th} is a StrongBox-unavailable failure, comparing the simple
     * class name only. A match is also logged at error level.
     */
    private static boolean isStrongBoxUnavailableException(Throwable th) {
        if (!th.getClass().getSimpleName().equals(STRONG_BOX_UNAVAILABLE_EXCEPTION)) {
            return false;
        }
        Logger.error(TAG + ":isStrongBoxUnavailableException", "StrongBox not supported.", th);
        return true;
    }

    /**
     * Sets the attestation challenge on the builder to {@code null}.
     *
     * <p>NOTE(review): per the {@code KeyGenParameterSpec} documentation, a null challenge
     * means the key's certificate carries no attestation extension. A relying party then
     * cannot verify hardware backing from the certificate chain. This matches the
     * {@code TRUE_UNATTESTED} state reported by {@link #getSecureHardwareState(KeyPair)}.
     * Confirm that a server-issued challenge is not expected here.
     */
    @SuppressLint({WarningType.NewApi})
    private KeyGenParameterSpec.Builder setAttestationChallenge(KeyGenParameterSpec.Builder specBuilder) {
        return specBuilder.setAttestationChallenge(null);
    }

    /**
     * Generates a new RSA key pair of at least {@code i} bits using this manager's context.
     *
     * @param i minimum acceptable key size in bits
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public KeyPair generateNewRsaKeyPair(int i) throws UnsupportedOperationException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
        return generateNewRsaKeyPair(this.mContext, i);
    }

    /**
     * Asks the keystore whether the private key lives inside secure hardware.
     *
     * <p>The answer is the device's own claim ({@code KeyInfo.isInsideSecureHardware()}),
     * not an attested fact, so a positive result maps to {@code TRUE_UNATTESTED}.
     *
     * @return {@code TRUE_UNATTESTED}, {@code FALSE}, or {@code UNKNOWN_QUERY_ERROR} when
     *     the key info cannot be read
     * @throws NullPointerException if {@code keyPair} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public SecureHardwareState getSecureHardwareState(@NonNull KeyPair keyPair) {
        if (keyPair == null) {
            throw new NullPointerException("kp is marked non-null but is null");
        }
        // Compiler-generated helper; presumably appends both strings and returns the
        // result, i.e. TAG + ":getSecureHardwareState" - TODO confirm.
        final String methodTag = Barrier$$ExternalSyntheticOutline0.m(new StringBuilder(), TAG, ":getSecureHardwareState");
        try {
            final PrivateKey privateKey = keyPair.getPrivate();
            final KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), ANDROID_KEYSTORE);
            final KeyInfo keyInfo = (KeyInfo) factory.getKeySpec(privateKey, KeyInfo.class);
            final boolean hardwareBacked = keyInfo.isInsideSecureHardware();
            Logger.info(methodTag, "SecretKey is secure hardware backed? " + hardwareBacked);
            if (hardwareBacked) {
                return SecureHardwareState.TRUE_UNATTESTED;
            }
            return SecureHardwareState.FALSE;
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            Logger.error(methodTag, "Failed to query secure hardware state.", e);
            return SecureHardwareState.UNKNOWN_QUERY_ERROR;
        }
    }

    /**
     * Clears the stored asymmetric key when the failure was caused by the key being
     * permanently invalidated. Only the direct cause of {@code exc} is inspected.
     *
     * @throws NullPointerException if {@code exc} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public void performCleanupIfMintShrFails(@NonNull Exception exc) {
        if (exc == null) {
            throw new NullPointerException("e is marked non-null but is null");
        }
        if (!(exc.getCause() instanceof KeyPermanentlyInvalidatedException)) {
            return;
        }
        Logger.warn(TAG, "Unable to access asymmetric key - clearing.");
        clearAsymmetricKey();
    }
}
