package duo.labs.webauthn.util;

import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborEncoder;
import co.nstant.in.cbor.CborException;
import duo.labs.webauthn.exceptions.VirgilException;
import duo.labs.webauthn.models.PublicKeyCredentialSource;
import duo.labs.webauthn.util.database.CredentialDatabase;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.InvalidKeySpecException;
import java.util.List;

/* loaded from: classes4.dex */
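/**
 * Stores WebAuthn credential key pairs in the AndroidKeyStore and their metadata in a
 * {@link CredentialDatabase}.
 *
 * <p>Private keys are generated inside the AndroidKeyStore provider; this class only ever passes
 * around aliases, public keys and keystore-backed {@link PrivateKey} handles.
 *
 * <p>Thread-safety is not established by this class; callers that share an instance across threads
 * should confirm the guarantees of the underlying database and keystore.
 */
public class CredentialSafe {
    // Decompiler artifact of the original `assert` support; kept so the class shape is unchanged.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final String CURVE_NAME = "secp256r1";
    private static final String KEYSTORE_TYPE = "AndroidKeyStore";
    /** Same value as {@code KeyProperties.PURPOSE_SIGN}: the key may only be used for signing. */
    private static final int PURPOSE_SIGN = 4;
    /** Length in bytes of one P-256 affine coordinate. */
    private static final int COORDINATE_LENGTH = 32;

    private final boolean authenticationRequired;
    private final CredentialDatabase db;
    private final KeyStore keyStore;
    private final boolean strongboxRequired;

    /**
     * Creates a safe that requires user authentication for key use and StrongBox-backed keys.
     *
     * @param context Android context used to open the credential database
     * @throws VirgilException if the AndroidKeyStore cannot be opened
     */
    public CredentialSafe(Context context) throws VirgilException {
        this(context, true, true);
    }

    /**
     * Creates a safe with explicit key-protection settings.
     *
     * @param context Android context used to open the credential database
     * @param authenticationRequired whether newly generated keys require user authentication
     * @param strongboxRequired whether newly generated keys must be StrongBox backed
     * @throws VirgilException if the AndroidKeyStore cannot be opened
     */
    public CredentialSafe(Context context, boolean authenticationRequired, boolean strongboxRequired)
            throws VirgilException {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            androidKeyStore.load(null);
            this.keyStore = androidKeyStore;
            this.authenticationRequired = authenticationRequired;
            this.strongboxRequired = strongboxRequired;
            this.db = CredentialDatabase.getDatabase(context);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new VirgilException("couldn't access keystore", e);
        }
    }

    /**
     * Serializes an EC public key as a COSE_Key CBOR map.
     *
     * <p>The map written is {@code {1: 2, 3: -7, -1: 1, -2: x, -3: y}}; in COSE terms that is
     * kty = EC2, alg = ES256, crv = P-256, followed by the two 32-byte affine coordinates.
     *
     * @param publicKey the key to encode; must be an {@link ECPublicKey}
     * @return the CBOR-encoded COSE key
     * @throws VirgilException if the key is not an EC public key or CBOR encoding fails
     */
    public static byte[] coseEncodePublicKey(PublicKey publicKey) throws VirgilException {
        // Reject null and non-EC keys explicitly instead of failing with a ClassCastException.
        if (!(publicKey instanceof ECPublicKey)) {
            throw new VirgilException("public key is not an EC public key");
        }
        ECPoint point = ((ECPublicKey) publicKey).getW();
        // BigInteger.toByteArray() is signed and variable length; COSE wants fixed-width unsigned.
        byte[] x = toUnsignedFixedLength(point.getAffineX().toByteArray(), COORDINATE_LENGTH);
        byte[] y = toUnsignedFixedLength(point.getAffineY().toByteArray(), COORDINATE_LENGTH);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            new CborEncoder(out).encode(
                    new CborBuilder()
                            .addMap()
                            .put(1L, 2L)
                            .put(3L, -7L)
                            .put(-1L, 1L)
                            .put(-2L, x)
                            .put(-3L, y)
                            .end()
                            .build());
            return out.toByteArray();
        } catch (CborException e) {
            throw new VirgilException("couldn't serialize to cbor", e);
        }
    }

    /**
     * Generates a P-256 signing key pair inside the AndroidKeyStore under the given alias.
     *
     * @param alias keystore alias for the new key pair
     * @return the generated key pair
     * @throws VirgilException if the key pair generator cannot be created or initialized
     */
    private KeyPair generateNewES256KeyPair(String alias) throws VirgilException {
        KeyGenParameterSpec spec =
                new KeyGenParameterSpec.Builder(alias, PURPOSE_SIGN)
                        .setAlgorithmParameterSpec(new ECGenParameterSpec(CURVE_NAME))
                        .setDigests("SHA-256")
                        .setUserAuthenticationRequired(this.authenticationRequired)
                        .setUserConfirmationRequired(false)
                        // NOTE(review): with this set to false, enrolling a new biometric does not
                        // invalidate existing keys. Confirm that trade-off is intended.
                        .setInvalidatedByBiometricEnrollment(false)
                        // NOTE(review): on devices without StrongBox, generateKeyPair() is expected
                        // to fail with an unchecked provider exception that is not wrapped below;
                        // callers passing strongboxRequired=true should be prepared for that.
                        .setIsStrongBoxBacked(this.strongboxRequired)
                        .build();
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC", KEYSTORE_TYPE);
            generator.initialize(spec);
            return generator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            // Keep the cause attached so the provider's stack trace is not lost.
            throw new VirgilException("couldn't generate key pair: " + e.toString(), e);
        }
    }

    /**
     * Converts a big-endian two's-complement magnitude into exactly {@code length} bytes.
     *
     * <p>Shorter inputs are left-padded with zeros; longer inputs keep only their trailing
     * {@code length} bytes (this drops the leading sign byte of a 33-byte coordinate).
     *
     * @param bytes source bytes, big-endian
     * @param length size of the returned array
     * @return a new array of {@code length} bytes
     */
    private static byte[] toUnsignedFixedLength(byte[] bytes, int length) {
        byte[] fixed = new byte[length];
        int padding = length - bytes.length;
        System.arraycopy(
                bytes,
                Math.max(-padding, 0),
                fixed,
                Math.max(padding, 0),
                Math.min(bytes.length, length));
        return fixed;
    }

    /**
     * Removes the credential's record from the database.
     *
     * <p>NOTE(review): only the database row is deleted here; the key pair stored under the
     * credential's keystore alias is not removed by this method, so the private key stays in the
     * AndroidKeyStore. Consider also deleting the keystore entry if that is not intended.
     *
     * @param publicKeyCredentialSource the credential to delete
     */
    public void deleteCredential(PublicKeyCredentialSource publicKeyCredentialSource) {
        this.db.credentialDao().delete(publicKeyCredentialSource);
    }

    /**
     * Creates a credential source, generates its key pair, and stores the record in the database.
     *
     * <p>The three arguments are passed unchanged to the {@link PublicKeyCredentialSource}
     * constructor, which defines their meaning. The key pair is generated before the database
     * insert; if the insert fails, the generated key is left in the keystore.
     *
     * @return the newly stored credential source
     * @throws VirgilException if key pair generation fails
     */
    public PublicKeyCredentialSource generateCredential(String str, byte[] bArr, String str2) throws VirgilException {
        PublicKeyCredentialSource credentialSource = new PublicKeyCredentialSource(str, bArr, str2);
        generateNewES256KeyPair(credentialSource.keyPairAlias);
        this.db.credentialDao().insert(credentialSource);
        return credentialSource;
    }

    /**
     * Looks up a credential source by its id.
     *
     * @param id the credential id
     * @return whatever the DAO returns for that id
     */
    public PublicKeyCredentialSource getCredentialSourceById(byte[] id) {
        return this.db.credentialDao().getById(id);
    }

    /**
     * Loads the key pair stored under the given keystore alias.
     *
     * @param alias keystore alias of the key pair
     * @return the public key and the keystore-backed private key handle
     * @throws VirgilException if the alias has no certificate or private key, or the keystore
     *     cannot return the entry
     */
    public KeyPair getKeyPairByAlias(String alias) throws VirgilException {
        try {
            // getCertificate/getKey return null for an unknown alias; report that as a
            // VirgilException rather than letting a NullPointerException escape.
            java.security.cert.Certificate certificate = this.keyStore.getCertificate(alias);
            if (certificate == null) {
                throw new VirgilException("couldn't get key by alias: no certificate for alias");
            }
            PrivateKey privateKey = (PrivateKey) this.keyStore.getKey(alias, null);
            if (privateKey == null) {
                throw new VirgilException("couldn't get key by alias: no private key for alias");
            }
            return new KeyPair(certificate.getPublicKey(), privateKey);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new VirgilException("couldn't get key by alias", e);
        }
    }

    /**
     * Lists the credentials stored for a relying party.
     *
     * @param rpId relying party id to look up
     * @return the credentials the DAO returns for that relying party
     */
    public List<PublicKeyCredentialSource> getKeysForEntity(String rpId) {
        return this.db.credentialDao().getAllByRpId(rpId);
    }

    /**
     * Increments the stored use counter of a credential.
     *
     * @param publicKeyCredentialSource the credential whose counter is incremented
     * @return the value returned by the DAO's increment operation
     */
    public int incrementCredentialUseCounter(PublicKeyCredentialSource publicKeyCredentialSource) {
        return this.db.credentialDao().incrementUseCounter(publicKeyCredentialSource);
    }

    /**
     * Reports whether the key under the given alias was created with user authentication required.
     *
     * <p>The answer comes from the keystore's {@link KeyInfo} for the key itself, not from this
     * safe's configuration, so it stays correct for keys created with different settings.
     *
     * @param alias keystore alias of the key pair
     * @return {@code true} if the key requires user authentication
     * @throws VirgilException if the key cannot be loaded or is not an AndroidKeyStore key
     */
    public boolean keyRequiresVerification(String alias) throws VirgilException {
        PrivateKey privateKey = getKeyPairByAlias(alias).getPrivate();
        try {
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), KEYSTORE_TYPE);
            KeyInfo keyInfo = factory.getKeySpec(privateKey, KeyInfo.class);
            return keyInfo.isUserAuthenticationRequired();
        } catch (InvalidKeySpecException e) {
            throw new VirgilException("Not an android keystore key: " + e.toString(), e);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new VirgilException("Couldn't build key factory: " + e.toString(), e);
        }
    }

    /**
     * Returns the authentication setting this safe was constructed with.
     *
     * <p>This reflects the constructor flag only; it does not probe the device for enrolled
     * biometrics or a lock screen.
     *
     * @return {@code true} if new keys are generated with user authentication required
     */
    public boolean supportsUserVerification() {
        return this.authenticationRequired;
    }
}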
