package com.microsoft.aad.adal;

import android.content.Context;
import android.security.KeyPairGeneratorSpec;
import android.util.Base64;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.DigestException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;

/* loaded from: classes3.dex */
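/**
 * Encrypts and decrypts string values with AES/CBC/PKCS5Padding and authenticates
 * them with HmacSHA256 computed over the ciphertext (encrypt-then-MAC).
 *
 * <p>Encoded form produced by {@link #encrypt(String)}:
 * <pre>
 *   prefixChar + "E1" + Base64( keyVersion[4] || ciphertext || iv[16] || mac[32] )
 * </pre>
 * where {@code prefixChar} is {@code 'a' + "E1".length()} and {@code keyVersion} is
 * {@link #VERSION_USER_DEFINED} or {@link #VERSION_ANDROID_KEY_STORE}.
 *
 * <p>Key sources, as visible in this class:
 * <ul>
 *   <li>"U001": raw key bytes returned by {@code AuthenticationSettings.INSTANCE.getSecretKeyData()}.</li>
 *   <li>"A001": a 256-bit AES key generated here, wrapped with an RSA key pair held under the
 *       alias "AdalKey" in the "AndroidKeyStore" provider, and written to the file "adalks"
 *       in the directory returned by {@code Context.getDir(packageName, MODE_PRIVATE)}.</li>
 * </ul>
 *
 * <p>None of the log statements in this class include key bytes or plaintext.
 */
public class StorageHelper {
    private static final String ADALKS = "adalks";
    private static final String CIPHER_ALGORITHM = "AES/CBC/PKCS5Padding";
    // Used in this class as the length of the CBC initialization vector, in bytes.
    public static final int DATA_KEY_LENGTH = 16;
    private static final String ENCODE_VERSION = "E1";
    private static final String KEYSPEC_ALGORITHM = "AES";
    // Size in bits of the generated AES key.
    private static final int KEY_SIZE = 256;
    private static final String KEY_STORE_CERT_ALIAS = "AdalKey";
    // Number of bytes the key version tag ("A001"/"U001") occupies at the start of the blob.
    private static final int KEY_VERSION_BLOB_LENGTH = 4;
    // NOTE(review): declared but not referenced anywhere in this class - confirm whether it was
    // meant to guard sSecretKeyFromAndroidKeyStore.
    private static final Object LOCK_OBJ = new Object();
    private static final String MAC_ALGORITHM = "HmacSHA256";
    private static final String MAC_KEY_HASH_ALGORITHM = "SHA256";
    // Length in bytes of the MAC appended to the blob.
    public static final int MAC_LENGTH = 32;
    private static final String TAG = "StorageHelper";
    public static final String VERSION_ANDROID_KEY_STORE = "A001";
    public static final String VERSION_USER_DEFINED = "U001";
    // NOTE(review): PKCS#1 v1.5 padding is a legacy choice for key wrapping; it cannot be changed
    // here without making previously written key files unreadable.
    private static final String WRAP_ALGORITHM = "RSA/ECB/PKCS1Padding";
    // Process-wide cache of the unwrapped key. NOTE(review): this static is only guarded by
    // per-instance synchronized methods, so two StorageHelper instances do not exclude each other.
    private static SecretKey sSecretKeyFromAndroidKeyStore;
    private String mBlobVersion;
    private Context mContext;
    private KeyPair mKeyPair;
    private SecretKey mKey = null;
    private SecretKey mMacKey = null;
    private final SecureRandom mRandom = new SecureRandom();

    /**
     * @param context used to locate the private key file and to build the key pair spec
     */
    public StorageHelper(Context context) {
        this.mContext = context;
    }

    /**
     * Verifies that {@code expectedMac} equals {@code blob[start, end)}.
     *
     * <p>The comparison accumulates the XOR of every byte pair and only inspects the result after
     * the loop, so it does not exit early on the first mismatching byte.
     *
     * @throws IllegalArgumentException if the two ranges differ in length
     * @throws DigestException if any byte differs
     */
    private void assertMac(byte[] blob, int start, int end, byte[] expectedMac) throws DigestException {
        if (expectedMac.length != end - start) {
            throw new IllegalArgumentException("Unexpected MAC length");
        }
        byte diff = 0;
        for (int pos = start; pos < end; pos++) {
            diff = (byte) (diff | (expectedMac[pos - start] ^ blob[pos]));
        }
        if (diff != 0) {
            throw new DigestException();
        }
    }

    /** Returns the file that holds the RSA-wrapped AES key. */
    private File getKeyFile() {
        Context context = this.mContext;
        return new File(context.getDir(context.getPackageName(), Context.MODE_PRIVATE), ADALKS);
    }

    /** Deletes the wrapped-key file if it exists and logs when the deletion does not succeed. */
    private void deleteKeyFile() {
        File file = getKeyFile();
        if (file.exists()) {
            Logger.v(TAG, "Delete KeyFile");
            // A leftover file would be unwrapped with a different key pair on the next call.
            if (!file.delete()) {
                Logger.v(TAG, "KeyFile could not be deleted");
            }
        }
    }

    /** Generates a fresh {@value #KEY_SIZE}-bit AES key from this instance's SecureRandom. */
    private final SecretKey generateSecretKey() throws NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(KEYSPEC_ALGORITHM);
        keyGenerator.init(KEY_SIZE, this.mRandom);
        return keyGenerator.generateKey();
    }

    /** Returns the prefix character that encodes the length of {@code ENCODE_VERSION}. */
    private char getEncodeVersionLengthPrefix() {
        return (char) ('a' + ENCODE_VERSION.length());
    }

    /**
     * Resolves the decryption key for the key version tag read from a blob.
     *
     * @throws IllegalArgumentException if the tag is neither "U001" nor "A001", or if "U001" is
     *     requested while no user-defined key bytes are configured
     */
    private SecretKey getKeyForVersion(String keyVersion) throws GeneralSecurityException, IOException {
        if (keyVersion.equals(VERSION_USER_DEFINED)) {
            return getSecretKey(AuthenticationSettings.INSTANCE.getSecretKeyData());
        }
        if (!keyVersion.equals(VERSION_ANDROID_KEY_STORE)) {
            throw new IllegalArgumentException("keyVersion = " + keyVersion);
        }
        try {
            return getSecretKeyFromAndroidKeyStore();
        } catch (IOException | GeneralSecurityException e) {
            Logger.e(TAG, "Failed to get private key from AndroidKeyStore", "", ADALError.ANDROIDKEYSTORE_FAILED, e);
            throw e;
        }
    }

    /**
     * Loads the RSA key pair stored under "AdalKey" in the AndroidKeyStore provider, generating
     * it first (valid from now for 100 years) when the alias is absent.
     *
     * <p>Runtime failures raised by the keystore calls are converted to
     * {@link KeyStoreException} so callers only deal with checked security exceptions.
     */
    private synchronized KeyPair getKeyPairFromAndroidKeyStore() throws GeneralSecurityException, IOException {
        KeyStore.PrivateKeyEntry privateKeyEntry;
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        try {
            if (keyStore.containsAlias(KEY_STORE_CERT_ALIAS)) {
                Logger.v(TAG, "Key entry is available");
            } else {
                Logger.v(TAG, "Key entry is not available");
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, 100);
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "AndroidKeyStore");
                keyPairGenerator.initialize(getKeyPairGeneratorSpec(this.mContext, notBefore.getTime(), notAfter.getTime()));
                try {
                    keyPairGenerator.generateKeyPair();
                    Logger.v(TAG, "Key entry is generated");
                } catch (IllegalStateException e) {
                    throw new KeyStoreException(e);
                }
            }
            Logger.v(TAG, "Reading Key entry");
            try {
                privateKeyEntry = (KeyStore.PrivateKeyEntry) keyStore.getEntry(KEY_STORE_CERT_ALIAS, null);
            } catch (RuntimeException e2) {
                throw new KeyStoreException(e2);
            }
        } catch (NullPointerException e3) {
            throw new KeyStoreException(e3);
        }
        // NOTE(review): getEntry may return null for a missing alias; the dereference below sits
        // outside the try block above, so that case would surface as a NullPointerException.
        return new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
    }

    /**
     * Builds the generator spec for the "AdalKey" key pair: subject
     * {@code CN=AdalKey, OU=<package name>}, serial number 1, and the given validity window.
     *
     * <p>NOTE(review): KeyPairGeneratorSpec is deprecated on newer Android releases in favour of
     * KeyGenParameterSpec - confirm the minimum API level before migrating.
     */
    private AlgorithmParameterSpec getKeyPairGeneratorSpec(Context context, Date notBefore, Date notAfter) {
        String subject = String.format(Locale.ROOT, "CN=%s, OU=%s", KEY_STORE_CERT_ALIAS, context.getPackageName());
        return new KeyPairGeneratorSpec.Builder(context)
                .setAlias(KEY_STORE_CERT_ALIAS)
                .setSubject(new X500Principal(subject))
                .setSerialNumber(BigInteger.ONE)
                .setStartDate(notBefore)
                .setEndDate(notAfter)
                .build();
    }

    /**
     * Derives the MAC key as the SHA-256 digest of the encryption key's encoded bytes.
     *
     * <p>When the key does not expose its encoding ({@code getEncoded()} returns null) the
     * encryption key itself is returned, so encryption and MAC then share one key.
     */
    private SecretKey getMacKey(SecretKey secretKey) throws NoSuchAlgorithmException {
        byte[] encoded = secretKey.getEncoded();
        if (encoded == null) {
            return secretKey;
        }
        byte[] digest = MessageDigest.getInstance(MAC_KEY_HASH_ALGORITHM).digest(encoded);
        return new SecretKeySpec(digest, KEYSPEC_ALGORITHM);
    }

    /**
     * Wraps raw key bytes as an AES key.
     *
     * @throws IllegalArgumentException if {@code rawBytes} is null
     */
    private SecretKey getSecretKey(byte[] rawBytes) {
        if (rawBytes == null) {
            throw new IllegalArgumentException("rawBytes");
        }
        return new SecretKeySpec(rawBytes, KEYSPEC_ALGORITHM);
    }

    /**
     * Returns the AES key protected by the AndroidKeyStore key pair, creating and persisting a
     * wrapped key on first use.
     *
     * <p>If reading or unwrapping fails, the cached key, the key file and the keystore entry are
     * all discarded before the exception is rethrown. Data encrypted under the discarded key can
     * no longer be decrypted afterwards.
     */
    private final synchronized SecretKey getSecretKeyFromAndroidKeyStore() throws IOException, GeneralSecurityException {
        SecretKey cached = sSecretKeyFromAndroidKeyStore;
        if (cached != null) {
            return cached;
        }
        File keyFile = getKeyFile();
        if (this.mKeyPair == null) {
            this.mKeyPair = getKeyPairFromAndroidKeyStore();
            Logger.v(TAG, "Retrived keypair from androidKeyStore");
        }
        Cipher wrapCipher = Cipher.getInstance(WRAP_ALGORITHM);
        if (!keyFile.exists()) {
            Logger.v(TAG, "Key file does not exists");
            SecretKey newKey = generateSecretKey();
            Logger.v(TAG, "Wrapping SecretKey");
            byte[] wrapped = wrap(wrapCipher, newKey);
            Logger.v(TAG, "Writing SecretKey");
            writeKeyData(keyFile, wrapped);
            Logger.v(TAG, "Finished writing SecretKey");
        }
        Logger.v(TAG, "Reading SecretKey");
        try {
            byte[] wrapped = readKeyData(keyFile);
            if (wrapped == null || wrapped.length == 0) {
                throw new UnrecoverableKeyException("Couldn't find encrypted key in file");
            }
            sSecretKeyFromAndroidKeyStore = unwrap(wrapCipher, wrapped);
            Logger.v(TAG, "Finished reading SecretKey");
            return sSecretKeyFromAndroidKeyStore;
        } catch (IOException | GeneralSecurityException e) {
            Logger.e(TAG, "Unwrap failed for AndroidKeyStore", "", ADALError.ANDROIDKEYSTORE_FAILED, e);
            this.mKeyPair = null;
            sSecretKeyFromAndroidKeyStore = null;
            deleteKeyFile();
            // NOTE(review): if the reset itself throws, that exception replaces e.
            resetKeyPairFromAndroidKeyStore();
            Logger.v(TAG, "Removed previous key pair info.");
            throw e;
        }
    }

    /** Reads the whole file into a byte array; the stream is closed on every path. */
    private static byte[] readKeyData(File file) throws IOException {
        Logger.v(TAG, "Reading key data from a file");
        FileInputStream in = new FileInputStream(file);
        try {
            ByteArrayOutputStream collected = new ByteArrayOutputStream();
            byte[] chunk = new byte[1024];
            int read;
            while ((read = in.read(chunk)) != -1) {
                collected.write(chunk, 0, read);
            }
            return collected.toByteArray();
        } finally {
            in.close();
        }
    }

    /** Removes the "AdalKey" entry from the AndroidKeyStore provider. */
    private synchronized void resetKeyPairFromAndroidKeyStore() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        keyStore.deleteEntry(KEY_STORE_CERT_ALIAS);
    }

    /** Unwraps an AES key with the private half of the cached key pair. */
    private SecretKey unwrap(Cipher cipher, byte[] wrappedKey) throws GeneralSecurityException {
        cipher.init(Cipher.UNWRAP_MODE, this.mKeyPair.getPrivate());
        try {
            return (SecretKey) cipher.unwrap(wrappedKey, KEYSPEC_ALGORITHM, Cipher.SECRET_KEY);
        } catch (IllegalArgumentException e) {
            throw new KeyStoreException(e);
        }
    }

    /** Wraps an AES key with the public half of the cached key pair. */
    private byte[] wrap(Cipher cipher, SecretKey secretKey) throws GeneralSecurityException {
        cipher.init(Cipher.WRAP_MODE, this.mKeyPair.getPublic());
        return cipher.wrap(secretKey);
    }

    /** Writes the bytes to the file, replacing its content; the stream is closed on every path. */
    private static void writeKeyData(File file, byte[] data) throws IOException {
        Logger.v(TAG, "Writing key data to a file");
        FileOutputStream out = new FileOutputStream(file);
        try {
            out.write(data);
        } finally {
            out.close();
        }
    }

    /**
     * Verifies and decrypts a value produced by {@link #encrypt(String)}.
     *
     * <p>The framing of the input is validated before any key is loaded, so a truncated blob is
     * rejected with {@link IllegalArgumentException} without touching the keystore. The MAC is
     * checked before the cipher is initialised, so unauthenticated ciphertext is never decrypted.
     *
     * @param str encoded value: length prefix, encode version, Base64 blob
     * @return the decrypted text
     * @throws IllegalArgumentException if the input is blank, its framing is malformed, the
     *     encode version or key version is unsupported, or the blob is too short
     * @throws DigestException (a GeneralSecurityException) if the MAC does not match
     */
    public String decrypt(String str) throws GeneralSecurityException, IOException {
        Logger.v(TAG, "Starting decryption");
        if (StringExtensions.IsNullOrBlank(str)) {
            throw new IllegalArgumentException("Input is empty or null");
        }
        int encodeVersionLength = str.charAt(0) - 'a';
        // A length of zero is rejected as well, whatever the message wording suggests.
        if (encodeVersionLength <= 0) {
            throw new IllegalArgumentException(String.format("Encode version length: '%s' is not valid, it must be greater of equal to 0", Integer.valueOf(encodeVersionLength)));
        }
        int payloadStart = encodeVersionLength + 1;
        // The prefix is caller-controlled; check it against the real length before slicing.
        if (payloadStart > str.length()) {
            throw new IllegalArgumentException("Input is shorter than its encode version prefix");
        }
        String encodeVersion = str.substring(1, payloadStart);
        if (!encodeVersion.equals(ENCODE_VERSION)) {
            // Report only the version that was parsed, not the whole encrypted input.
            throw new IllegalArgumentException(String.format("Encode version received was: '%s', Encode version supported is: '%s'", encodeVersion, ENCODE_VERSION));
        }
        byte[] blob = Base64.decode(str.substring(payloadStart), Base64.DEFAULT);
        // Layout: keyVersion[4] || ciphertext || iv[16] || mac[32]
        int macOffset = blob.length - MAC_LENGTH;
        int ivOffset = macOffset - DATA_KEY_LENGTH;
        int cipherLength = ivOffset - KEY_VERSION_BLOB_LENGTH;
        // cipherLength is the smallest of the three offsets, so one check covers all of them.
        if (cipherLength < 0) {
            throw new IllegalArgumentException("Given value is smaller than the IV vector and MAC length");
        }
        // NOTE(review): "UTF_8" is not the canonical charset name ("UTF-8"); confirm that every
        // target runtime resolves this alias.
        String keyVersion = new String(blob, 0, KEY_VERSION_BLOB_LENGTH, "UTF_8");
        Logger.v(TAG, "Encrypt version:".concat(keyVersion));
        SecretKey key = getKeyForVersion(keyVersion);
        SecretKey macKey = getMacKey(key);
        Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
        Mac mac = Mac.getInstance(MAC_ALGORITHM);
        mac.init(macKey);
        // The MAC covers everything that precedes it: version tag, ciphertext and IV.
        mac.update(blob, 0, macOffset);
        assertMac(blob, macOffset, blob.length, mac.doFinal());
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, ivOffset, DATA_KEY_LENGTH));
        String plain = new String(cipher.doFinal(blob, KEY_VERSION_BLOB_LENGTH, cipherLength), "UTF_8");
        Logger.v(TAG, "Finished decryption");
        return plain;
    }

    /**
     * Encrypts a value with a fresh random IV and appends an HMAC over
     * {@code keyVersion || ciphertext || iv}.
     *
     * @param str text to protect; must not be null or blank
     * @return prefix character, encode version and the Base64 (no line wrapping) blob
     * @throws IllegalArgumentException if the input is null or blank
     */
    public String encrypt(String str) throws GeneralSecurityException, IOException {
        Logger.v(TAG, "Starting encryption");
        if (StringExtensions.IsNullOrBlank(str)) {
            throw new IllegalArgumentException("Input is empty or null");
        }
        loadSecretKeyForAPI();
        Logger.v(TAG, "Encrypt version:" + this.mBlobVersion);
        // NOTE(review): "UTF_8" is not the canonical charset name ("UTF-8"); confirm that every
        // target runtime resolves this alias.
        byte[] versionBytes = this.mBlobVersion.getBytes("UTF_8");
        byte[] plainBytes = str.getBytes("UTF_8");
        // A new IV per call keeps equal plaintexts from producing equal ciphertexts under CBC.
        byte[] iv = new byte[DATA_KEY_LENGTH];
        this.mRandom.nextBytes(iv);
        IvParameterSpec ivSpec = new IvParameterSpec(iv);
        Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM);
        Mac mac = Mac.getInstance(MAC_ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, this.mKey, ivSpec);
        byte[] cipherBytes = cipher.doFinal(plainBytes);
        mac.init(this.mMacKey);
        mac.update(versionBytes);
        mac.update(cipherBytes);
        mac.update(iv);
        byte[] macBytes = mac.doFinal();
        byte[] blob = new byte[versionBytes.length + cipherBytes.length + DATA_KEY_LENGTH + macBytes.length];
        int offset = 0;
        System.arraycopy(versionBytes, 0, blob, offset, versionBytes.length);
        offset += versionBytes.length;
        System.arraycopy(cipherBytes, 0, blob, offset, cipherBytes.length);
        offset += cipherBytes.length;
        System.arraycopy(iv, 0, blob, offset, DATA_KEY_LENGTH);
        offset += DATA_KEY_LENGTH;
        System.arraycopy(macBytes, 0, blob, offset, macBytes.length);
        String encoded = new String(Base64.encode(blob, Base64.NO_WRAP), "UTF_8");
        Logger.v(TAG, "Finished encryption");
        return getEncodeVersionLengthPrefix() + ENCODE_VERSION + encoded;
    }

    /**
     * Selects and caches the encryption key, its MAC key and the matching blob version.
     *
     * <p>User-defined key bytes from {@code AuthenticationSettings} take precedence; otherwise
     * the AndroidKeyStore-protected key is used.
     *
     * @return the encryption key
     */
    public synchronized SecretKey loadSecretKeyForAPI() throws IOException, GeneralSecurityException {
        SecretKey cachedKey = this.mKey;
        if (cachedKey != null && this.mMacKey != null) {
            return cachedKey;
        }
        byte[] secretKeyData = AuthenticationSettings.INSTANCE.getSecretKeyData();
        if (secretKeyData != null) {
            Logger.v(TAG, "Encryption will use secret key from Settings");
            SecretKey userKey = getSecretKey(secretKeyData);
            this.mKey = userKey;
            this.mMacKey = getMacKey(userKey);
            this.mBlobVersion = VERSION_USER_DEFINED;
        } else {
            try {
                SecretKey keyStoreKey = getSecretKeyFromAndroidKeyStore();
                this.mKey = keyStoreKey;
                this.mMacKey = getMacKey(keyStoreKey);
                this.mBlobVersion = VERSION_ANDROID_KEY_STORE;
            } catch (IOException | GeneralSecurityException e) {
                Logger.e(TAG, "Failed to get private key from AndroidKeyStore", "", ADALError.ANDROIDKEYSTORE_FAILED, e);
                throw e;
            }
        }
        return this.mKey;
    }
}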
