package com.microsoft.identity.common.internal.platform;

import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.StrongBoxUnavailableException;
import com.microsoft.identity.common.internal.util.AndroidKeyStoreUtil;
import com.microsoft.identity.common.java.WarningType;
import com.microsoft.identity.common.java.crypto.IDevicePopManager;
import com.microsoft.identity.common.java.crypto.IKeyStoreKeyManager;
import com.microsoft.identity.common.java.crypto.SecureHardwareState;
import com.microsoft.identity.common.java.crypto.key.KeyUtil;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import com.microsoft.identity.common.java.util.ported.DateUtilities;
import com.microsoft.identity.common.logging.Logger;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Calendar;
import java.util.Date;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import lombok.NonNull;

/* loaded from: classes3.dex */
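/**
 * Device proof-of-possession key manager backed by the {@code AndroidKeyStore} provider.
 *
 * <p>Generates a 2048-bit RSA key pair under a keystore alias and reports whether the private key
 * lives in secure hardware. Key generation starts with every optional protection switched on
 * (StrongBox isolation, the wrap-key/import purpose, the attestation-challenge call) and drops
 * them one at a time when the provider rejects them.
 *
 * <p>Security note: the fallback chain downgrades silently from the caller's point of view. The
 * only record of a downgrade is the {@code Logger.error} entries written here and the value
 * returned by {@link #getSecureHardwareState(KeyPair)}. That value is the keystore's own report
 * ({@code TRUE_UNATTESTED} at best), not a verified attestation. Code that needs a hardware
 * guarantee has to check it explicitly.
 *
 * <p>NOTE(review): this listing appears to be decompiler output (obfuscated helper
 * {@code vu.c.a}, synthetic local names); parameter names below were chosen from the log and
 * exception messages in the class.
 */
public class AndroidDevicePopManager extends AbstractDevicePopManager {
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";
    public static final String FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN = "Failed to generate attestation certificate chain";
    public static final String NEGATIVE_THOUSAND_INTERNAL_ERROR = "internal Keystore code: -1000";
    private static final int RSA_KEY_SIZE = 2048;
    public static final String STRONG_BOX_UNAVAILABLE_EXCEPTION = "StrongBoxUnavailableException";
    private static final String TAG = "AndroidDevicePopManager";

    /** Number of complete generation attempts before giving up; also quoted in the failure message. */
    private static final int MAX_KEY_GENERATION_ATTEMPTS = 4;

    /** ENCRYPT | DECRYPT | SIGN | VERIFY (1 | 2 | 4 | 8), the KeyProperties.PURPOSE_* bit values. */
    private static final int PURPOSES_CRYPT_AND_SIGN = 15;

    /** {@link #PURPOSES_CRYPT_AND_SIGN} plus WRAP_KEY (32), used when secure key import is attempted. */
    private static final int PURPOSES_CRYPT_SIGN_AND_WRAP = 47;

    private final Context mContext;

    /**
     * Creates a manager that uses the default keystore entry alias.
     *
     * @param context Android context; a null value is rejected by the delegated constructor with
     *     the same {@link NullPointerException} message the original check used
     */
    public AndroidDevicePopManager(@NonNull Context context) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
        this(context, AbstractDevicePopManager.DEFAULT_KEYSTORE_ENTRY_ALIAS);
    }

    /**
     * Creates a manager for the given keystore alias.
     *
     * @param context Android context, kept for later key generation
     * @param alias keystore entry alias of the device PoP key
     * @throws NullPointerException if {@code alias} or {@code context} is null (the alias is
     *     checked first, inside {@link #createKeyStoreKeyManager(String)})
     */
    public AndroidDevicePopManager(@NonNull Context context, @NonNull String alias) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
        super(createKeyStoreKeyManager(alias));
        if (context == null) {
            throw new NullPointerException("context is marked non-null but is null");
        }
        if (alias == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        this.mContext = context;
    }

    /** Requests StrongBox backing on the spec builder; callers guard this with an API-level check. */
    @SuppressLint({WarningType.NewApi})
    private static KeyGenParameterSpec.Builder applyHardwareIsolation(KeyGenParameterSpec.Builder builder) {
        return builder.setIsStrongBoxBacked(true);
    }

    /**
     * Loads the {@code AndroidKeyStore} and wraps it in a key manager bound to {@code alias}.
     *
     * @throws NullPointerException if {@code alias} is null
     */
    private static IKeyStoreKeyManager<KeyStore.PrivateKeyEntry> createKeyStoreKeyManager(@NonNull String alias) throws CertificateException, NoSuchAlgorithmException, IOException, KeyStoreException {
        if (alias == null) {
            throw new NullPointerException("alias is marked non-null but is null");
        }
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        keyStore.load(null);
        return AndroidDeviceKeyManager.builder().keyAlias(alias).keyStore(keyStore).build();
    }

    /**
     * Generates one key pair with the requested optional features, applying the keystore locale
     * workaround around the call and restoring the default locale afterwards.
     *
     * @param tryStrongBox request StrongBox isolation
     * @param tryImport add the wrap-key purpose (API 28+ only)
     * @param tryAttestationChallenge call {@code setAttestationChallenge} on the spec
     */
    private KeyPair generateNewKeyPair(Context context, boolean tryStrongBox, boolean tryImport, boolean tryAttestationChallenge) throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException, StrongBoxUnavailableException {
        // Only non-Gregorian locales take the shared lock; otherwise a throwaway monitor is used,
        // which provides no mutual exclusion.
        // NOTE(review): applyKeyStoreLocaleWorkarounds presumably changes the process-wide default
        // locale (the finally block restores it); other threads may observe that - confirm.
        final Object lock = DateUtilities.isLocaleCalendarNonGregorian(Locale.getDefault())
                ? DateUtilities.LOCALE_CHANGE_LOCK
                : new Object();
        synchronized (lock) {
            Locale originalLocale = Locale.getDefault();
            AndroidKeyStoreUtil.applyKeyStoreLocaleWorkarounds(originalLocale);
            try {
                return getInitializedRsaKeyPairGenerator(context, RSA_KEY_SIZE, tryStrongBox, tryImport, tryAttestationChallenge).generateKeyPair();
            } finally {
                Locale.setDefault(originalLocale);
            }
        }
    }

    /**
     * Generates an RSA key pair, retrying with fewer optional features when the provider rejects
     * them, and repeating the whole procedure when the resulting key is smaller than requested.
     *
     * <p>Fix relative to the previous listing: the fallback handling was attached to a
     * {@code catch} around the success log call, so a {@link ProviderException} thrown by key
     * generation fell through to the success path with a null key pair and ended in a
     * {@link NullPointerException}. The handling now sits on the generation call, and each
     * fallback switches off only the feature its log message names.
     *
     * @param minKeySize smallest acceptable size as reported by the size helper
     * @throws ProviderException when generation fails for a reason no fallback covers; the
     *     asymmetric key is cleared first
     * @throws UnsupportedOperationException when no acceptable key was produced after
     *     {@link #MAX_KEY_GENERATION_ATTEMPTS} attempts; the asymmetric key is cleared first
     */
    @SuppressLint({WarningType.NewApi})
    private KeyPair generateNewRsaKeyPair(Context context, int minKeySize) throws UnsupportedOperationException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
        for (int attempt = 0; attempt < MAX_KEY_GENERATION_ATTEMPTS; attempt++) {
            KeyPair keyPair = null;
            boolean generated = false;
            boolean tryStrongBox = true;
            boolean tryImport = true;
            boolean tryAttestationChallenge = true;
            // Every handled failure clears one flag that was still set, so this loop ends after
            // at most three downgrades: either a key is produced or the exception is rethrown.
            while (!generated) {
                try {
                    keyPair = generateNewKeyPair(context, tryStrongBox, tryImport, tryAttestationChallenge);
                    Logger.info(TAG, String.format("Key pair generated successfully (StrongBox [%b], Import [%b], Attestation Challenge [%b])", Boolean.valueOf(tryStrongBox), Boolean.valueOf(tryImport), Boolean.valueOf(tryAttestationChallenge)));
                    generated = true;
                } catch (ProviderException e) {
                    if (tryStrongBox && isStrongBoxUnavailableException(e)) {
                        Logger.error(TAG, "StrongBox unavailable. Skipping StrongBox then retry.", e);
                        tryStrongBox = false;
                    } else if (tryImport && e.getClass().getSimpleName().equals("SecureKeyImportUnavailableException")) {
                        Logger.error(TAG, "Import unsupported. Skipping import flag then retry.", e);
                        // The import failure can wrap a StrongBox failure; drop both in one step.
                        if (tryStrongBox && e.getCause() != null && (isStrongBoxUnavailableException(e.getCause()) || isNegativeInternalError(e.getCause()))) {
                            tryStrongBox = false;
                        }
                        tryImport = false;
                    } else if (tryAttestationChallenge && FAILED_TO_GENERATE_ATTESTATION_CERTIFICATE_CHAIN.equalsIgnoreCase(e.getMessage())) {
                        Logger.error(TAG, "Failed to generate attestation cert. Skipping attestation then retry.", e);
                        tryAttestationChallenge = false;
                    } else if (tryStrongBox && Build.VERSION.SDK_INT >= 34 && e.getCause() != null && isNegativeInternalError(e.getCause())) {
                        Logger.error(TAG, "Android 14 Internal Key store error with StrongBox. Skipping strongbox then retry.", e);
                        tryStrongBox = false;
                    } else {
                        // No fallback applies: remove any partial key material and surface the error.
                        clearAsymmetricKey();
                        throw e;
                    }
                }
            }
            // NOTE(review): vu.c.a is an obfuscated helper not shown here; presumably it returns
            // the key size in bits and a negative value when it cannot be determined - confirm.
            int keySize = vu.c.a(keyPair.getPrivate());
            if (keySize >= minKeySize || keySize < 0) {
                // Called for its log output; the returned state is not used here, so a
                // software-backed key is still returned to the caller.
                getSecureHardwareState(keyPair);
                return keyPair;
            }
        }
        clearAsymmetricKey();
        throw new UnsupportedOperationException("Failed to generate valid KeyPair. Attempted 4 times.");
    }

    /** Creates an RSA generator on the AndroidKeyStore provider and initializes it for this alias. */
    private KeyPairGenerator getInitializedRsaKeyPairGenerator(Context context, int keySize, boolean tryStrongBox, boolean tryImport, boolean tryAttestationChallenge) throws InvalidAlgorithmParameterException, NoSuchProviderException, NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA, ANDROID_KEYSTORE);
        initialize(context, keyPairGenerator, keySize, tryStrongBox, tryImport, tryAttestationChallenge);
        return keyPairGenerator;
    }

    /** Picks the initialization path by API level; the import flag is only used from API 28. */
    private void initialize(Context context, KeyPairGenerator keyPairGenerator, int keySize, boolean tryStrongBox, boolean tryImport, boolean tryAttestationChallenge) throws InvalidAlgorithmParameterException {
        if (Build.VERSION.SDK_INT < 28) {
            initialize23(keyPairGenerator, keySize, tryStrongBox, tryAttestationChallenge);
        } else {
            initialize28(keyPairGenerator, keySize, tryStrongBox, tryImport, tryAttestationChallenge);
        }
    }

    /**
     * Builds the key spec settings shared by both initialization paths.
     *
     * <p>NOTE(review): the key is authorized for signing and encryption at once, for the
     * {@code "NONE"} and SHA-1 digests, and for PKCS#1 v1.5 padding. This is a broad
     * authorization set; confirm which of these the PoP protocol still requires before narrowing
     * it, since existing peers may depend on them.
     */
    private KeyGenParameterSpec.Builder newRsaSpecBuilder(int purposes, int keySize) {
        return new KeyGenParameterSpec.Builder(this.mKeyManager.getKeyAlias(), purposes)
                .setKeySize(keySize)
                .setSignaturePaddings("PKCS1")
                .setDigests("NONE", IDevicePopManager.SHA_1, KeyUtil.HMAC_KEY_HASH_ALGORITHM)
                .setEncryptionPaddings("OAEPPadding", "PKCS1Padding");
    }

    /** Initializes the generator on API levels below 28 (no wrap-key purpose). */
    @SuppressLint({"InlinedApi"})
    private void initialize23(KeyPairGenerator keyPairGenerator, int keySize, boolean tryStrongBox, boolean tryAttestationChallenge) throws InvalidAlgorithmParameterException {
        KeyGenParameterSpec.Builder specBuilder = newRsaSpecBuilder(PURPOSES_CRYPT_AND_SIGN, keySize);
        if (tryAttestationChallenge && Build.VERSION.SDK_INT >= 24) {
            specBuilder = setAttestationChallenge(specBuilder);
        }
        // Kept from the original; initialize() only routes here below API 28, so this branch is
        // not expected to run.
        if (Build.VERSION.SDK_INT >= 28 && tryStrongBox) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            specBuilder = applyHardwareIsolation(specBuilder);
        }
        keyPairGenerator.initialize(specBuilder.build());
    }

    /** Initializes the generator on API 28 and above, optionally adding the wrap-key purpose. */
    @SuppressLint({"InlinedApi"})
    private void initialize28(KeyPairGenerator keyPairGenerator, int keySize, boolean tryStrongBox, boolean tryImport, boolean tryAttestationChallenge) throws InvalidAlgorithmParameterException {
        int purposes = (tryImport && Build.VERSION.SDK_INT >= 28) ? PURPOSES_CRYPT_SIGN_AND_WRAP : PURPOSES_CRYPT_AND_SIGN;
        KeyGenParameterSpec.Builder specBuilder = newRsaSpecBuilder(purposes, keySize);
        if (tryAttestationChallenge && Build.VERSION.SDK_INT >= 24) {
            specBuilder = setAttestationChallenge(specBuilder);
        }
        if (Build.VERSION.SDK_INT >= 28 && tryStrongBox) {
            Logger.verbose(TAG, "Attempting to apply StrongBox isolation.");
            specBuilder = applyHardwareIsolation(specBuilder);
        }
        keyPairGenerator.initialize(specBuilder.build());
    }

    /**
     * Initializes the generator with the legacy {@link KeyPairGeneratorSpec}, using a certificate
     * validity window that starts now and ends 99 years later. Not called from this class.
     */
    @SuppressLint({WarningType.NewApi})
    private void initializePre23(Context context, KeyPairGenerator keyPairGenerator, int keySize) throws InvalidAlgorithmParameterException {
        Calendar calendar = Calendar.getInstance();
        Date notBefore = AbstractDevicePopManager.getNow(calendar);
        calendar.add(Calendar.YEAR, 99);
        Date notAfter = calendar.getTime();
        KeyPairGeneratorSpec.Builder specBuilder = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(this.mKeyManager.getKeyAlias())
                .setStartDate(notBefore)
                .setEndDate(notAfter)
                .setSerialNumber(AbstractDevicePopManager.CertificateProperties.SERIAL_NUMBER)
                .setSubject(new X500Principal(AbstractDevicePopManager.CertificateProperties.COMMON_NAME));
        specBuilder.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(keySize, RSAKeyGenParameterSpec.F4));
        keyPairGenerator.initialize(specBuilder.build());
    }

    /**
     * Returns whether the throwable's message contains the keystore's "-1000" internal error
     * text, logging it as a StrongBox failure when it does.
     */
    private static boolean isNegativeInternalError(Throwable throwable) {
        String message = throwable.getMessage();
        if (message == null || !message.contains(NEGATIVE_THOUSAND_INTERNAL_ERROR)) {
            return false;
        }
        Logger.error(TAG, "StrongBox not supported. internal Keystore code: -1000", throwable);
        return true;
    }

    /**
     * Returns whether the throwable is a StrongBox-unavailable error, matched by simple class
     * name rather than by type, and logs it when it is.
     */
    private static boolean isStrongBoxUnavailableException(Throwable throwable) {
        if (!throwable.getClass().getSimpleName().equals(STRONG_BOX_UNAVAILABLE_EXCEPTION)) {
            return false;
        }
        Logger.error(TAG + ":isStrongBoxUnavailableException", "StrongBox not supported.", throwable);
        return true;
    }

    /**
     * Calls {@code setAttestationChallenge} with a null challenge.
     *
     * <p>NOTE(review): a null challenge supplies no verifier-chosen nonce, so the resulting
     * certificate should not be relied on as key attestation; this matches the
     * {@code TRUE_UNATTESTED} state reported below. Confirm against the platform documentation
     * for the targeted API levels.
     */
    @SuppressLint({WarningType.NewApi})
    private KeyGenParameterSpec.Builder setAttestationChallenge(KeyGenParameterSpec.Builder builder) {
        return builder.setAttestationChallenge(null);
    }

    /** Generates a new RSA key pair of at least {@code minKeySize} using the stored context. */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    public KeyPair generateNewRsaKeyPair(int minKeySize) throws UnsupportedOperationException, InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException {
        return generateNewRsaKeyPair(this.mContext, minKeySize);
    }

    /**
     * Asks the keystore whether the private key is held in secure hardware and logs the answer.
     *
     * <p>The result is the keystore's own report about the key, not an attested statement; the
     * best value returned is {@code TRUE_UNATTESTED}.
     * NOTE(review): {@code KeyInfo.isInsideSecureHardware()} is deprecated on newer API levels in
     * favour of a security-level query - confirm before relying on it to tell TEE from StrongBox.
     *
     * @return {@code TRUE_UNATTESTED}, {@code FALSE}, or {@code UNKNOWN_QUERY_ERROR} when the
     *     key info cannot be obtained
     * @throws NullPointerException if {@code keyPair} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    protected SecureHardwareState getSecureHardwareState(@NonNull KeyPair keyPair) {
        if (keyPair == null) {
            throw new NullPointerException("kp is marked non-null but is null");
        }
        String methodTag = TAG + ":getSecureHardwareState";
        try {
            PrivateKey privateKey = keyPair.getPrivate();
            KeyFactory keyFactory = KeyFactory.getInstance(privateKey.getAlgorithm(), ANDROID_KEYSTORE);
            KeyInfo keyInfo = (KeyInfo) keyFactory.getKeySpec(privateKey, KeyInfo.class);
            boolean isInsideSecureHardware = keyInfo.isInsideSecureHardware();
            Logger.info(methodTag, "SecretKey is secure hardware backed? " + isInsideSecureHardware);
            return isInsideSecureHardware ? SecureHardwareState.TRUE_UNATTESTED : SecureHardwareState.FALSE;
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException e) {
            Logger.error(methodTag, "Failed to query secure hardware state.", e);
            return SecureHardwareState.UNKNOWN_QUERY_ERROR;
        }
    }

    /**
     * Clears the asymmetric key when the failure was caused by the key being permanently
     * invalidated; any other failure leaves the key in place.
     *
     * @throws NullPointerException if {@code exception} is null
     */
    @Override // com.microsoft.identity.common.java.platform.AbstractDevicePopManager
    protected void performCleanupIfMintShrFails(@NonNull Exception exception) {
        if (exception == null) {
            throw new NullPointerException("e is marked non-null but is null");
        }
        if (exception.getCause() instanceof KeyPermanentlyInvalidatedException) {
            Logger.warn(TAG, "Unable to access asymmetric key - clearing.");
            clearAsymmetricKey();
        }
    }
}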
