package com.microsoft.identity.common.internal.platform;

import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import com.microsoft.identity.common.internal.util.AndroidKeyStoreUtil;
import com.microsoft.identity.common.java.WarningType;
import com.microsoft.identity.common.java.crypto.IDevicePopManager;
import com.microsoft.identity.common.java.crypto.IKeyStoreKeyManager;
import com.microsoft.identity.common.java.crypto.SecureHardwareState;
import com.microsoft.identity.common.java.crypto.key.KeyUtil;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import com.microsoft.identity.common.java.util.ported.DateUtilities;
import com.microsoft.identity.common.logging.Logger;
import com.nimbusds.jose.crypto.impl.RSAKeyUtils;
import defpackage.C1573a4;
import defpackage.M0;
import defpackage.N0;
import defpackage.P1;
import defpackage.R1;
import defpackage.S0;
import defpackage.Y3;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import lombok.NonNull;

/* loaded from: classes.dex */
/**
 * Android implementation of {@link AbstractDevicePopManager}: generates the device
 * proof-of-possession RSA key pair inside the {@code AndroidKeyStore} provider and reports
 * whether the private key lives in secure hardware.
 *
 * <p>This listing is decompiler output (note the {@code defpackage.*} helper imports and the
 * synthetic names {@code z}, {@code z2}, {@code i}, ...). Checked-exception {@code throws}
 * clauses appear to have been dropped and some control flow is rendered oddly; where that
 * matters it is called out below and should be confirmed against the upstream source.
 *
 * <p>Security-relevant behaviour visible here: key generation starts by requesting StrongBox,
 * the wrap/import purpose and an attestation challenge, and silently falls back when the
 * provider rejects them. The only trace of a downgrade is a log line, so callers that require
 * a hardware-backed key must check {@link #getSecureHardwareState(KeyPair)} themselves.
 */
public class AndroidDevicePopManager extends AbstractDevicePopManager {
    // Name of the JCA provider / keystore type used for every key operation in this class.
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    // Exception message that triggers the "retry without attestation challenge" fallback.
    public static final String FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN = "Failed to generate attestation certificate chain";
    // Substring looked for in an exception message by isNegativeInternalError().
    public static final String NEGATIVE_THOUSAND_INTERNAL_ERROR = "internal Keystore code: -1000";
    // Not referenced by name in this listing; generateNewKeyPair() passes the literal 2048.
    private static final int RSA_KEY_SIZE = 2048;
    // Simple class name compared against in isStrongBoxUnavailableException() (as a literal there).
    public static final String STRONG_BOX_UNAVAILABLE_EXCEPTION = "StrongBoxUnavailableException";
    private static final String TAG = "AndroidDevicePopManager";
    // Only handed to KeyPairGeneratorSpec.Builder on the pre-API-23 path.
    private final Context mContext;

    /**
     * Creates a manager bound to {@code AbstractDevicePopManager.DEFAULT_KEYSTORE_ENTRY_ALIAS}.
     *
     * @param context Android context; must not be null
     * @throws NullPointerException if {@code context} is null
     */
    public AndroidDevicePopManager(@NonNull Context context) {
        this(context, AbstractDevicePopManager.DEFAULT_KEYSTORE_ENTRY_ALIAS);
        // Runs after the delegated constructor, which performs the same check itself.
        if (context == null) {
            throw new NullPointerException("context is marked non-null but is null");
        }
    }

    /**
     * Creates a manager for the keystore entry named {@code str}.
     *
     * @param context Android context; must not be null
     * @param str     keystore entry alias; must not be null
     * @throws NullPointerException if either argument is null
     */
    public AndroidDevicePopManager(@NonNull Context context, @NonNull String str) {
        // The keystore is opened before the null checks below run; createKeyStoreKeyManager
        // does its own null check on the alias.
        super(createKeyStoreKeyManager(str));
        if (context == null) {
            throw new NullPointerException("context is marked non-null but is null");
        }
        if (str == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        this.mContext = context;
    }

    /**
     * Requests StrongBox backing on the given builder.
     *
     * <p>Both call sites guard this with {@code Build.VERSION.SDK_INT >= 28}.
     *
     * @param builder key spec builder to modify
     * @return the builder returned by {@code setIsStrongBoxBacked(true)}
     */
    @SuppressLint({WarningType.NewApi})
    private static KeyGenParameterSpec.Builder applyHardwareIsolation(KeyGenParameterSpec.Builder builder) {
        KeyGenParameterSpec.Builder isStrongBoxBacked;
        isStrongBoxBacked = builder.setIsStrongBoxBacked(true);
        return isStrongBoxBacked;
    }

    /**
     * Opens the {@code AndroidKeyStore} and wraps it in an {@code AndroidDeviceKeyManager}
     * for the given alias.
     *
     * @param str keystore entry alias; must not be null
     * @return key manager bound to the alias and the loaded keystore
     * @throws NullPointerException if {@code str} is null
     */
    private static IKeyStoreKeyManager<KeyStore.PrivateKeyEntry> createKeyStoreKeyManager(@NonNull String str) {
        if (str == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        // load(null): no stream or password is supplied for this keystore type.
        keyStore.load(null);
        return AndroidDeviceKeyManager.builder().keyAlias(str).keyStore(keyStore).build();
    }

    /**
     * Generates one 2048-bit RSA key pair with the requested options, applying the keystore
     * locale workaround around the call.
     *
     * @param context passed through to the generator initialisation
     * @param z       request StrongBox backing
     * @param z2      request the import flag (see the purposes value in initialize28)
     * @param z3      call setAttestationChallenge on the spec
     * @return the generated key pair
     */
    private KeyPair generateNewKeyPair(Context context, boolean z, boolean z2, boolean z3) {
        KeyPair generateKeyPair;
        // Real mutual exclusion only when the default locale uses a non-Gregorian calendar;
        // otherwise the monitor is a fresh Object, i.e. effectively no lock.
        synchronized ((DateUtilities.isLocaleCalendarNonGregorian(Locale.getDefault()) ? DateUtilities.LOCALE_CHANGE_LOCK : new Object())) {
            try {
                // Remember the process-wide default so it can be restored afterwards.
                Locale locale = Locale.getDefault();
                // presumably swaps the default locale for one the keystore handles — confirm in AndroidKeyStoreUtil
                AndroidKeyStoreUtil.applyKeyStoreLocaleWorkarounds(locale);
                try {
                    // Key size is the literal 2048 here, independent of the caller's minimum size.
                    generateKeyPair = getInitializedRsaKeyPairGenerator(context, 2048, z, z2, z3).generateKeyPair();
                } finally {
                    // Always restore the default locale, including when generation throws.
                    Locale.setDefault(locale);
                }
            } catch (Throwable th) {
                // Catch-and-rethrow with no other effect; looks like a decompiler artifact.
                throw th;
            }
        }
        return generateKeyPair;
    }

    /**
     * Generates an RSA key pair, downgrading the requested protections when the provider
     * rejects them, and validates the resulting key length.
     *
     * <p>Up to 4 attempts are made. Each attempt starts with StrongBox, import and attestation
     * challenge all requested ({@code z3}, {@code z4}, {@code z5}) and drops them on specific
     * {@link ProviderException}s. Every downgrade is silent apart from an error log.
     *
     * <p>NOTE(review): as rendered, a ProviderException thrown by generateNewKeyPair is caught
     * by the first catch (which only stores it), and the fallback branches sit in a catch that
     * guards just the Logger.info call. This looks like a decompiler rendering of a single
     * try/catch; confirm the real flow against the upstream source before relying on it.
     *
     * @param context passed through to key generation
     * @param i       minimum acceptable key length in bits
     * @return a key pair whose reported bit length is at least {@code i}, or negative
     * @throws ProviderException             when generation fails for a reason with no fallback
     * @throws UnsupportedOperationException when no attempt produced an acceptable key
     */
    @SuppressLint({WarningType.NewApi})
    private KeyPair generateNewRsaKeyPair(Context context, int i) {
        boolean z;
        ProviderException e;
        for (int i2 = 0; i2 < 4; i2++) {
            KeyPair keyPair = null;
            // z2: "generated" flag ending the inner loop; z3/z4/z5: StrongBox / import /
            // attestation challenge, in the order they appear in the success log below.
            boolean z2 = false;
            boolean z3 = true;
            boolean z4 = true;
            boolean z5 = true;
            while (!z2) {
                try {
                    keyPair = generateNewKeyPair(context, z3, z4, z5);
                } catch (ProviderException e2) {
                    z = z2;
                    e = e2;
                }
                try {
                    Logger.info(TAG, "Key pair generated successfully (StrongBox [" + z3 + "], Import [" + z4 + "], Attestation Challenge [" + z5 + "])");
                    z2 = true;
                } catch (ProviderException e3) {
                    e = e3;
                    z = true;
                    // Fallback 1: StrongBox not available -> retry without StrongBox.
                    // Detection is by exception simple class name (see helper below).
                    if (z3 && isStrongBoxUnavailableException(e)) {
                        Logger.error(TAG, "StrongBox unavailable. Skipping StrongBox then retry.", e);
                    } else if (z4 && e.getClass().getSimpleName().equals("SecureKeyImportUnavailableException")) {
                        // Fallback 2: import unsupported -> drop the import flag; also drop
                        // StrongBox when the cause points at a StrongBox problem.
                        Logger.error(TAG, "Import unsupported. Skipping import flag then retry.", e);
                        if (z3 && e.getCause() != null && (isStrongBoxUnavailableException(e.getCause()) || isNegativeInternalError(e.getCause()))) {
                            z3 = false;
                        }
                        z2 = z;
                        z4 = false;
                    } else if (z5 && FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN.equalsIgnoreCase(e.getMessage())) {
                        // Fallback 3: attestation chain failed -> retry without the challenge.
                        // Matches on the exact message text, so it depends on provider wording.
                        Logger.error(TAG, "Failed to generate attestation cert. Skipping attestation then retry.", e);
                        z2 = z;
                        z5 = false;
                    } else {
                        // No fallback applies unless this is the API 34+ StrongBox "-1000" case:
                        // remove the stored key and propagate the failure.
                        if (!z3 || Build.VERSION.SDK_INT < 34 || e.getCause() == null || !isNegativeInternalError(e.getCause())) {
                            clearAsymmetricKey();
                            throw e;
                        }
                        Logger.error(TAG, "Android 14 Internal Key store error with StrongBox. Skipping strongbox then retry.", e);
                    }
                    // Reached by fallback 1 and the API 34+ case: drop StrongBox.
                    z2 = z;
                    z3 = false;
                }
            }
            int keyBitLength = RSAKeyUtils.keyBitLength(keyPair.getPrivate());
            // A negative length is accepted, so the minimum-size check is skipped for such keys.
            // presumably negative means "length not determinable" for non-exportable keys — confirm
            if (keyBitLength >= i || keyBitLength < 0) {
                // Return value is discarded; only the log line inside the call records the state.
                getSecureHardwareState(keyPair);
                return keyPair;
            }
        }
        // Every attempt yielded a too-short key: delete it rather than leave it in the keystore.
        clearAsymmetricKey();
        throw new UnsupportedOperationException("Failed to generate valid KeyPair. Attempted 4 times.");
    }

    /**
     * Obtains an RSA {@link KeyPairGenerator} from the {@code AndroidKeyStore} provider and
     * initialises it for this manager's alias.
     *
     * @param i  key size in bits
     * @param z  request StrongBox backing
     * @param z2 request the import flag
     * @param z3 call setAttestationChallenge on the spec
     */
    private KeyPairGenerator getInitializedRsaKeyPairGenerator(Context context, int i, boolean z, boolean z2, boolean z3) {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA, ANDROID_KEYSTORE);
        initialize(context, keyPairGenerator, i, z, z2, z3);
        return keyPairGenerator;
    }

    /**
     * Picks the initialisation path for the running API level: below 23 the legacy
     * KeyPairGeneratorSpec path, 23 to 27 initialize23 (the import flag is not passed), and
     * 28 and above initialize28.
     */
    private void initialize(Context context, KeyPairGenerator keyPairGenerator, int i, boolean z, boolean z2, boolean z3) {
        int i2 = Build.VERSION.SDK_INT;
        if (i2 < 23) {
            // Legacy path: none of the StrongBox / import / attestation flags apply.
            initializePre23(context, keyPairGenerator, i);
        } else if (i2 < 28) {
            initialize23(keyPairGenerator, i, z, z3);
        } else {
            initialize28(keyPairGenerator, i, z, z2, z3);
        }
    }

    /**
     * Initialises the generator with a KeyGenParameterSpec on API 23 to 27.
     *
     * @param i  key size in bits
     * @param z  request StrongBox backing (only acted on at API 28+, see below)
     * @param z2 call setAttestationChallenge on the spec (API 24+ only)
     */
    @SuppressLint({"InlinedApi"})
    private void initialize23(KeyPairGenerator keyPairGenerator, int i, boolean z, boolean z2) {
        KeyGenParameterSpec.Builder keySize;
        KeyGenParameterSpec.Builder signaturePaddings;
        KeyGenParameterSpec.Builder digests;
        KeyGenParameterSpec.Builder encryptionPaddings;
        KeyGenParameterSpec build;
        // N0.d() and C1573a4.a(...) are obfuscated helpers; the key purposes chosen by
        // C1573a4.a are not visible in this listing.
        N0.d();
        keySize = C1573a4.a(this.mKeyManager.getKeyAlias()).setKeySize(i);
        signaturePaddings = keySize.setSignaturePaddings("PKCS1");
        // NOTE(review): authorising digest "NONE" and a SHA-1 constant, plus the PKCS#1 v1.5
        // paddings here and on the next line, lets the key be used with legacy schemes;
        // confirm each is still required. The values of the two constants are not shown here.
        digests = signaturePaddings.setDigests("NONE", IDevicePopManager.SHA_1, KeyUtil.HMAC_KEY_HASH_ALGORITHM);
        encryptionPaddings = digests.setEncryptionPaddings("OAEPPadding", "PKCS1Padding");
        if (z2 && Build.VERSION.SDK_INT >= 24) {
            encryptionPaddings = setAttestationChallenge(encryptionPaddings);
        }
        // initialize() calls this method only when SDK_INT < 28, so this branch is not
        // reachable through that dispatcher.
        if (Build.VERSION.SDK_INT >= 28 && z) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            encryptionPaddings = applyHardwareIsolation(encryptionPaddings);
        }
        build = encryptionPaddings.build();
        keyPairGenerator.initialize(build);
    }

    /**
     * Initialises the generator with a KeyGenParameterSpec on API 28 and above.
     *
     * @param i  key size in bits
     * @param z  request StrongBox backing
     * @param z2 request the import flag (selects 47 instead of 15 below)
     * @param z3 call setAttestationChallenge on the spec
     */
    @SuppressLint({"InlinedApi"})
    private void initialize28(KeyPairGenerator keyPairGenerator, int i, boolean z, boolean z2, boolean z3) {
        KeyGenParameterSpec.Builder keySize;
        KeyGenParameterSpec.Builder signaturePaddings;
        KeyGenParameterSpec.Builder digests;
        KeyGenParameterSpec.Builder encryptionPaddings;
        KeyGenParameterSpec build;
        // presumably a KeyProperties purposes bitmask: 15 = encrypt|decrypt|sign|verify,
        // 47 additionally sets 32 (wrap key) — confirm against M0.c, which is obfuscated.
        // If so, one key is authorised for both signing and decryption.
        int i2 = (!z2 || Build.VERSION.SDK_INT < 28) ? 15 : 47;
        N0.d();
        keySize = M0.c(i2, this.mKeyManager.getKeyAlias()).setKeySize(i);
        signaturePaddings = keySize.setSignaturePaddings("PKCS1");
        // NOTE(review): same legacy digest/padding authorisations as initialize23 — confirm
        // that "NONE", SHA-1 and PKCS#1 v1.5 are all still needed.
        digests = signaturePaddings.setDigests("NONE", IDevicePopManager.SHA_1, KeyUtil.HMAC_KEY_HASH_ALGORITHM);
        encryptionPaddings = digests.setEncryptionPaddings("OAEPPadding", "PKCS1Padding");
        if (z3 && Build.VERSION.SDK_INT >= 24) {
            encryptionPaddings = setAttestationChallenge(encryptionPaddings);
        }
        if (Build.VERSION.SDK_INT >= 28 && z) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            encryptionPaddings = applyHardwareIsolation(encryptionPaddings);
        }
        build = encryptionPaddings.build();
        keyPairGenerator.initialize(build);
    }

    /**
     * Initialises the generator through the legacy {@link KeyPairGeneratorSpec} API used
     * below API 23. No StrongBox, import or attestation option exists on this path.
     *
     * @param context required by KeyPairGeneratorSpec.Builder
     * @param i       key size in bits
     */
    @SuppressLint({WarningType.NewApi})
    private void initializePre23(Context context, KeyPairGenerator keyPairGenerator, int i) {
        Calendar calendar = Calendar.getInstance();
        Date now = AbstractDevicePopManager.getNow(calendar);
        // Field 1 is Calendar.YEAR: the certificate end date is 99 years after "now".
        calendar.add(1, 99);
        KeyPairGeneratorSpec.Builder subject = new KeyPairGeneratorSpec.Builder(context).setAlias(this.mKeyManager.getKeyAlias()).setStartDate(now).setEndDate(calendar.getTime()).setSerialNumber(AbstractDevicePopManager.CertificateProperties.SERIAL_NUMBER).setSubject(new X500Principal(AbstractDevicePopManager.CertificateProperties.COMMON_NAME));
        // RSA with the requested modulus size and public exponent F4.
        subject.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(i, RSAKeyGenParameterSpec.F4));
        keyPairGenerator.initialize(subject.build());
    }

    /**
     * Reports whether the throwable's message contains
     * {@link #NEGATIVE_THOUSAND_INTERNAL_ERROR}, logging an error when it does.
     *
     * <p>Detection is a substring match on message text, so it depends on the provider's wording.
     */
    private static boolean isNegativeInternalError(Throwable th) {
        boolean z = th.getMessage() != null && th.getMessage().contains(NEGATIVE_THOUSAND_INTERNAL_ERROR);
        if (z) {
            Logger.error(TAG, "StrongBox not supported. internal Keystore code: -1000", th);
        }
        return z;
    }

    /**
     * Reports whether the throwable's simple class name is
     * {@code StrongBoxUnavailableException}, logging an error when it is.
     *
     * <p>The comparison is by name rather than {@code instanceof}, so subclasses with a
     * different simple name would not match.
     */
    private static boolean isStrongBoxUnavailableException(Throwable th) {
        boolean equals = th.getClass().getSimpleName().equals("StrongBoxUnavailableException");
        if (equals) {
            Logger.error(TAG + ":isStrongBoxUnavailableException", "StrongBox not supported.", th);
        }
        return equals;
    }

    /**
     * Calls {@code setAttestationChallenge(null)} on the builder.
     *
     * <p>NOTE(review): per the KeyGenParameterSpec documentation a null challenge requests no
     * attestation extension, so "Attestation Challenge [true]" in the success log does not by
     * itself indicate an attested key — confirm the intent. This is consistent with
     * getSecureHardwareState reporting at most {@code TRUE_UNATTESTED}.
     */
    @SuppressLint({WarningType.NewApi})
    private KeyGenParameterSpec.Builder setAttestationChallenge(KeyGenParameterSpec.Builder builder) {
        KeyGenParameterSpec.Builder attestationChallenge;
        attestationChallenge = builder.setAttestationChallenge(null);
        return attestationChallenge;
    }

    /**
     * Generates a new RSA key pair using the context captured at construction.
     *
     * @param i minimum acceptable key length in bits
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public KeyPair generateNewRsaKeyPair(int i) {
        return generateNewRsaKeyPair(this.mContext, i);
    }

    /**
     * Queries whether the private key of {@code keyPair} resides in secure hardware.
     *
     * @param keyPair key pair whose private key is inspected; must not be null
     * @return {@code UNKNOWN_DOWNLEVEL} below API 23, {@code TRUE_UNATTESTED} or {@code FALSE}
     *         from the isInsideSecureHardware() result, or {@code UNKNOWN_QUERY_ERROR} when
     *         the key spec cannot be obtained
     * @throws NullPointerException if {@code keyPair} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public SecureHardwareState getSecureHardwareState(@NonNull KeyPair keyPair) {
        boolean isInsideSecureHardware;
        if (keyPair == null) {
            throw new NullPointerException("kp is marked non-null but is null");
        }
        // presumably builds TAG + ":getSecureHardwareState" via the obfuscated R1.h helper — confirm
        String h = R1.h(new StringBuilder(), TAG, ":getSecureHardwareState");
        if (Build.VERSION.SDK_INT < 23) {
            Logger.info(h, "Cannot query secure hardware state (API unavailable <23)");
            return SecureHardwareState.UNKNOWN_DOWNLEVEL;
        }
        try {
            PrivateKey privateKey = keyPair.getPrivate();
            // P1.c and Y3.e are obfuscated; presumably a cast to KeyInfo and KeyInfo.class — confirm.
            // The boolean result cannot tell a TEE-backed key from a StrongBox-backed one, and
            // it is a self-report from the device (hence "unattested" in the returned state).
            isInsideSecureHardware = P1.c(KeyFactory.getInstance(privateKey.getAlgorithm(), ANDROID_KEYSTORE).getKeySpec(privateKey, Y3.e())).isInsideSecureHardware();
            // The message says "SecretKey" although the key inspected is the pair's private key.
            Logger.info(h, "SecretKey is secure hardware backed? " + isInsideSecureHardware);
            return isInsideSecureHardware ? SecureHardwareState.TRUE_UNATTESTED : SecureHardwareState.FALSE;
        } catch (NoSuchAlgorithmException e) {
            // "e = e" in this and the following handlers looks like a decompiler artifact of a
            // shared handler; all three log and return UNKNOWN_QUERY_ERROR.
            e = e;
            Logger.error(h, "Failed to query secure hardware state.", e);
            return SecureHardwareState.UNKNOWN_QUERY_ERROR;
        } catch (NoSuchProviderException e2) {
            e = e2;
            Logger.error(h, "Failed to query secure hardware state.", e);
            return SecureHardwareState.UNKNOWN_QUERY_ERROR;
        } catch (InvalidKeySpecException e3) {
            e = e3;
            Logger.error(h, "Failed to query secure hardware state.", e);
            return SecureHardwareState.UNKNOWN_QUERY_ERROR;
        }
    }

    /**
     * Deletes the stored asymmetric key when the failure's cause satisfies the
     * {@code S0.h} check on API 23+.
     *
     * <p>{@code S0.h} is an obfuscated helper; what it tests on the cause is not visible in
     * this listing. The cleanup is destructive: the key is removed, not retried.
     *
     * @param exc the failure raised while minting the signed HTTP request; must not be null
     * @throws NullPointerException if {@code exc} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public void performCleanupIfMintShrFails(@NonNull Exception exc) {
        if (exc == null) {
            throw new NullPointerException("e is marked non-null but is null");
        }
        String h = R1.h(new StringBuilder(), TAG, ":performCleanupIfMintShrFails");
        // Leave the key in place below API 23 or when the cause does not match.
        if (Build.VERSION.SDK_INT < 23 || !S0.h(exc.getCause())) {
            return;
        }
        Logger.warn(h, "Unable to access asymmetric key - clearing.");
        clearAsymmetricKey();
    }
}
