package de.tutao.tutanota;

import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.util.Log;
import de.tutao.tutanota.credentials.CredentialEncryptionMode;
import de.tutao.tutanota.credentials.DataKeyGenerator;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;

/* loaded from: classes.dex */
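/**
 * Wraps the Android Keystore for two jobs visible in this class: wrapping/unwrapping a key with
 * the long-lived device key, and handing out AES ciphers bound to a per-{@link
 * CredentialEncryptionMode} data key.
 *
 * <p>This is decompiled (JADX) output that has been tidied so it compiles again. All aliases,
 * transformations and provider names are reproduced exactly, because they select keys and
 * ciphertext formats that already exist on devices.
 *
 * <p>Security review notes (none of these can be changed here without breaking stored data):
 * <ul>
 *   <li>{@link #encryptData} / {@link #decryptData} use AES-CBC and emit {@code IV || ciphertext}.
 *       No MAC or AEAD tag is produced or checked in this class, so integrity of that blob must
 *       come from elsewhere - TODO confirm against callers.</li>
 *   <li>The legacy asymmetric path uses RSA with PKCS#1 v1.5 encryption padding. Callers should
 *       avoid exposing distinguishable decryption failures to untrusted parties.</li>
 *   <li>The device AES key is created with randomized encryption <em>not</em> required, so the
 *       keystore will not enforce fresh IVs; IV handling is delegated to {@code Crypto}.</li>
 * </ul>
 */
public class AndroidKeyStoreFacade {
    private static final String TAG = "AndroidKeyStoreFacade";
    private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
    private static final String SYMMETRIC_KEY_ALIAS = "TutanotaAppDeviceKey";
    private static final String ASYMMETRIC_KEY_ALIAS = "TutanotaAppDeviceAsymmetricKey";
    private static final String DATA_CIPHER_TRANSFORMATION = "AES/CBC/PKCS7Padding";
    private static final String DATA_CIPHER_PROVIDER = "AndroidKeyStoreBCWorkaround";
    /** Length in bytes of the IV that prefixes every blob produced by {@link #encryptData}. */
    private static final int IV_LENGTH = 16;

    private final Crypto crypto;
    private final DataKeyGenerator dataKeyGenerator;
    // Published only after the keystore has been loaded and the device key is known to exist.
    private volatile KeyStore keyStore;

    /**
     * @param context used only to construct the {@code Crypto} helper
     * @param dataKeyGenerator creates a data key when none exists yet for an encryption mode
     */
    public AndroidKeyStoreFacade(Context context, DataKeyGenerator dataKeyGenerator) {
        this.crypto = new Crypto(context);
        this.dataKeyGenerator = dataKeyGenerator;
    }

    /**
     * Builds an RSA cipher for the legacy asymmetric device key.
     *
     * @param key public key for encryption or private key for decryption
     * @param i cipher operation mode ({@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE})
     * @throws CryptoError if the key is rejected by the cipher
     */
    private Cipher createRSACipher(Key key, int i) throws CryptoError {
        try {
            // PKCS#1 v1.5 padding is kept for compatibility with keys wrapped by older installs.
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL");
            cipher.init(i, key);
            return cipher;
        } catch (InvalidKeyException e) {
            throw new CryptoError(e);
        } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            // A missing algorithm/provider is a platform problem, not a recoverable crypto failure.
            throw new RuntimeException(e);
        }
    }

    /** Generates the AES device key inside the Android Keystore under the device-key alias. */
    private void generateSymmetricKey() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", KEYSTORE_PROVIDER);
        // Purposes 3 == PURPOSE_ENCRYPT | PURPOSE_DECRYPT.
        // NOTE(review): setRandomizedEncryptionRequired(false) lets callers supply their own IV,
        // and NoPadding means the caller must pad. Both put the burden of safe IV/padding use on
        // Crypto, which is not visible here.
        keyGenerator.init(new KeyGenParameterSpec.Builder(SYMMETRIC_KEY_ALIAS, 3)
                .setBlockModes("CBC")
                .setEncryptionPaddings("NoPadding")
                .setRandomizedEncryptionRequired(false)
                .build());
        keyGenerator.generateKey();
    }

    /**
     * Rejects blobs that cannot contain the IV prefix, so malformed input surfaces as a
     * {@link CryptoError} instead of a NegativeArraySizeException / ArrayIndexOutOfBoundsException.
     */
    private static void requireIvPrefix(byte[] bArr) throws CryptoError {
        if (bArr == null || bArr.length < IV_LENGTH) {
            throw new CryptoError(new IllegalBlockSizeException("Encrypted data is shorter than the " + IV_LENGTH + "-byte IV"));
        }
    }

    /** Returns everything after the IV prefix. Callers must have validated the length. */
    private byte[] getData(byte[] bArr) {
        int length = bArr.length - IV_LENGTH;
        byte[] payload = new byte[length];
        System.arraycopy(bArr, IV_LENGTH, payload, 0, length);
        return payload;
    }

    /**
     * Returns the data key for the given mode, generating it through the
     * {@link DataKeyGenerator} when the alias is not present in the keystore yet.
     */
    private Key getDataKey(CredentialEncryptionMode credentialEncryptionMode) throws KeyStoreException {
        KeyStore store = getOrInitKeyStore();
        String alias = keyAliasForEncryptionMode(credentialEncryptionMode);
        if (!store.containsAlias(alias)) {
            return this.dataKeyGenerator.generateDataKey(alias, credentialEncryptionMode);
        }
        try {
            return store.getKey(alias, null);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (UnrecoverableKeyException e) {
            throw new KeyStoreException(e);
        }
    }

    /** Returns the IV prefix of a blob. Callers must have validated the length. */
    private byte[] getIV(byte[] bArr) {
        byte[] iv = new byte[IV_LENGTH];
        System.arraycopy(bArr, 0, iv, 0, IV_LENGTH);
        return iv;
    }

    /**
     * Lazily loads the Android Keystore and makes sure a device key exists.
     *
     * <p>The instance is assigned to the field only after loading and key provisioning succeeded.
     * Assigning it earlier would let a failed first attempt leave behind an unloaded keystore (or
     * one without a device key) that every later call would return unchanged.
     */
    private synchronized KeyStore getOrInitKeyStore() throws KeyStoreException {
        KeyStore cached = this.keyStore;
        if (cached != null) {
            return cached;
        }
        try {
            KeyStore loaded = KeyStore.getInstance(KEYSTORE_PROVIDER);
            loaded.load(null);
            // Only create the AES device key when neither it nor the legacy RSA key is present.
            if (!loaded.containsAlias(SYMMETRIC_KEY_ALIAS) && !loaded.containsAlias(ASYMMETRIC_KEY_ALIAS)) {
                generateSymmetricKey();
            }
            this.keyStore = loaded;
            return loaded;
        } catch (IOException | InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            Log.w(TAG, "Keystore could not be initialized", e);
            throw new RuntimeException(e);
        }
    }

    /** Looks up the AES device key. */
    private Key getSymmetricKey() throws KeyStoreException {
        try {
            return getOrInitKeyStore().getKey(SYMMETRIC_KEY_ALIAS, null);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (UnrecoverableKeyException e) {
            throw new KeyStoreException(e);
        }
    }

    /**
     * Maps an encryption mode to the keystore alias of its data key.
     *
     * @throws AssertionError for a mode without a known alias
     */
    private String keyAliasForEncryptionMode(CredentialEncryptionMode credentialEncryptionMode) {
        switch (credentialEncryptionMode) {
            case ENCRYPTION_MODE_DEVICE_LOCK:
                return "DeviceLockDataKey";
            case ENCRYPTION_MODE_SYSTEM_PASSWORD:
                return "SystemPasswordDataKey";
            case ENCRYPTION_MODE_BIOMETRICS:
                // The odd capitalisation is the alias as shipped; "fixing" it would make
                // containsAlias() miss keys already stored under this name.
                return "BIometricsDataKey";
            default:
                throw new AssertionError("Unknown encryption mode");
        }
    }

    /**
     * Decrypts a blob produced by {@link #encryptData}.
     *
     * @param bArr {@code IV || ciphertext}; the IV is skipped here because the cipher was already
     *     initialised with it by {@link #getCipherForDecryptionMode}
     * @param cipher cipher initialised for decryption
     * @throws CryptoError if the blob is too short or decryption fails
     */
    public byte[] decryptData(byte[] bArr, Cipher cipher) throws CryptoError {
        requireIvPrefix(bArr);
        try {
            return cipher.doFinal(getData(bArr));
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoError(e);
        }
    }

    /**
     * Unwraps a key with the device key: the legacy RSA private key when its alias exists,
     * otherwise the AES device key via {@code Crypto}.
     *
     * @throws CryptoError if decryption fails
     */
    public byte[] decryptKey(byte[] bArr) throws UnrecoverableEntryException, KeyStoreException, CryptoError {
        KeyStore store = getOrInitKeyStore();
        if (!store.containsAlias(ASYMMETRIC_KEY_ALIAS)) {
            return this.crypto.decryptKey(getSymmetricKey(), bArr);
        }
        try {
            PrivateKey privateKey = (PrivateKey) store.getKey(ASYMMETRIC_KEY_ALIAS, null);
            return createRSACipher(privateKey, Cipher.DECRYPT_MODE).doFinal(bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoError(e);
        }
    }

    /**
     * Encrypts data and prefixes the result with the IV the cipher used.
     *
     * @param cipher cipher initialised for encryption, e.g. by {@link #getCipherForEncryptionMode}
     * @return {@code IV || ciphertext}; no authentication tag is appended
     * @throws CryptoError if encryption fails
     */
    public byte[] encryptData(byte[] bArr, Cipher cipher) throws CryptoError {
        try {
            byte[] ciphertext = cipher.doFinal(bArr);
            byte[] iv = cipher.getIV();
            byte[] result = new byte[iv.length + ciphertext.length];
            System.arraycopy(iv, 0, result, 0, iv.length);
            System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length);
            return result;
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoError(e);
        }
    }

    /**
     * Wraps a key with the device key: the legacy RSA public key when its alias exists,
     * otherwise the AES device key via {@code Crypto}.
     *
     * @throws CryptoError if encryption fails
     */
    public byte[] encryptKey(byte[] bArr) throws KeyStoreException, CryptoError {
        KeyStore store = getOrInitKeyStore();
        if (!store.containsAlias(ASYMMETRIC_KEY_ALIAS)) {
            return this.crypto.encryptKey(getSymmetricKey(), bArr);
        }
        try {
            Key publicKey = store.getCertificate(ASYMMETRIC_KEY_ALIAS).getPublicKey();
            return createRSACipher(publicKey, Cipher.ENCRYPT_MODE).doFinal(bArr);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoError(e);
        }
    }

    /**
     * Creates a decryption cipher for the mode's data key, using the IV stored at the start of
     * the encrypted blob.
     *
     * @param bArr the blob to be decrypted ({@code IV || ciphertext})
     * @throws KeyPermanentlyInvalidatedException if the key was invalidated; the key is deleted
     *     first, so data encrypted under it can no longer be recovered and the next call
     *     generates a fresh key
     * @throws CryptoError if the blob is too short to hold an IV or the IV is rejected
     */
    public Cipher getCipherForDecryptionMode(CredentialEncryptionMode credentialEncryptionMode, byte[] bArr) throws KeyPermanentlyInvalidatedException, KeyStoreException, CryptoError {
        // Validate before touching the keystore so malformed input cannot trigger key generation.
        requireIvPrefix(bArr);
        Key dataKey = getDataKey(credentialEncryptionMode);
        try {
            Cipher cipher = Cipher.getInstance(DATA_CIPHER_TRANSFORMATION, DATA_CIPHER_PROVIDER);
            try {
                cipher.init(Cipher.DECRYPT_MODE, dataKey, new IvParameterSpec(getIV(bArr)));
                return cipher;
            } catch (KeyPermanentlyInvalidatedException e) {
                // Must be caught before InvalidKeyException, which is its superclass.
                getOrInitKeyStore().deleteEntry(keyAliasForEncryptionMode(credentialEncryptionMode));
                throw e;
            } catch (InvalidAlgorithmParameterException e) {
                throw new CryptoError(e);
            } catch (InvalidKeyException e) {
                throw new KeyStoreException(e);
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates an encryption cipher for the mode's data key. No IV is supplied, so the provider
     * chooses one; {@link #encryptData} reads it back from the cipher.
     *
     * @throws KeyPermanentlyInvalidatedException if the key was invalidated; the key is deleted
     *     first so that the next call generates a fresh one
     */
    public Cipher getCipherForEncryptionMode(CredentialEncryptionMode credentialEncryptionMode) throws KeyStoreException, KeyPermanentlyInvalidatedException {
        Key dataKey = getDataKey(credentialEncryptionMode);
        try {
            Cipher cipher = Cipher.getInstance(DATA_CIPHER_TRANSFORMATION, DATA_CIPHER_PROVIDER);
            try {
                cipher.init(Cipher.ENCRYPT_MODE, dataKey);
                return cipher;
            } catch (KeyPermanentlyInvalidatedException e) {
                // Must be caught before InvalidKeyException, which is its superclass.
                getOrInitKeyStore().deleteEntry(keyAliasForEncryptionMode(credentialEncryptionMode));
                throw e;
            } catch (InvalidKeyException e) {
                throw new KeyStoreException(e);
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException | NoSuchPaddingException e) {
            throw new RuntimeException(e);
        }
    }
}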
