package com.sap.cloud.mobile.foundation.common;

import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import com.google.common.base.Ascii;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumMap;
import java.util.Iterator;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes7.dex */
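/**
 * Stores a 32-byte data-encryption key in a private {@link SharedPreferences} file, wrapped with
 * AES-256-GCM under one of three keys, depending on the current {@link EncryptionState}:
 *
 * <ul>
 *   <li>an Android Keystore key stored under {@code alias} ({@code autoEncryptionKey});
 *   <li>a key derived from the user's passcode with PBKDF2 ({@code passcodeEncryptionKey});
 *   <li>a caller-supplied {@link Cipher} whose Keystore key requires user authentication
 *       ({@code biometricEncryptionKey}).
 * </ul>
 *
 * <p>This source is decompiler output; several members appear {@code public} only because the
 * decompiler widened their access. They are kept as shown so existing callers still resolve.
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>Keystore keys are created with {@code setRandomizedEncryptionRequired(false)}, so the
 *       Keystore does not enforce IV uniqueness; this class must supply a fresh IV for every
 *       encryption itself.
 *   <li>The passcode key uses PBKDF2-HMAC-SHA1 with a floor of {@value #MIN_ITERATION_COUNT}
 *       iterations, which is far below current password-hashing guidance. The default cannot be
 *       raised in place: salts stored without an iteration count are interpreted with it.
 *   <li>Decrypted key bytes and passcode {@code char[]}s are not wiped here; callers own them.
 * </ul>
 */
public final class EncryptionHelper {
    // Compiler-generated assertion flag retained from decompilation; not used by this class.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    static final String ALGORITHM = "AES";
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    private static final String BLOCK_MODE = "GCM";
    /** GCM authentication tag length, in bits. */
    static final int GCM_AUTHENTICATION_TAG_LENGTH = 128;
    /** GCM IV (nonce) length, in bytes. */
    static final int IV_LENGTH = 12;
    private static final String IV_PREFERENCE_SUFFIX = "_i_v";
    private static final int KEY_LENGTH_IN_BITS = 256;
    private static final int KEY_LENGTH_IN_BYTES = 32;
    private static final Logger LOGGER = LoggerFactory.getLogger(EncryptionHelper.class);
    /** Lowest accepted PBKDF2 iteration count; also the default when none is stored. */
    static final int MIN_ITERATION_COUNT = 1000;
    private static final String PADDING = "NoPadding";
    private static final String PBKDF2_HMAC_SHA1_ALGORITHM = "PBKDF2WithHmacSHA1";
    private static final int SALT_LENGTH_IN_BYTES = 32;
    /** Salt followed by a 4-byte big-endian iteration count. */
    private static final int SALT_WITH_ITERATION_LENGTH_IN_BYTES = 36;
    private static final String SHARED_PREFERENCES_SUFFIX = "_sharedPreference##";
    static final String TRANSFORMATION = "AES/GCM/NoPadding";
    // Shared Android Keystore handle; stays null if the static initializer below failed.
    private static KeyStore keyStore;
    private final String alias;
    private final EncryptionData autoEncryptionKey;
    private final EncryptionData biometricEncryptionKey;
    private final String cipherAlias;
    private final String cipherIvPreference;
    private final boolean hasStrongBox;
    private final EncryptionData passcodeCheck;
    private final EncryptionData passcodeEncryptionKey;
    private final EncryptionData salt;
    private final SharedPreferences sharedPreferences;
    // Maps each state to the record whose presence in the preferences marks that state.
    private final EnumMap<EncryptionState, EncryptionData> stateMap = new EnumMap<>(EncryptionState.class);

    /**
     * One persisted value and its IV, stored Base64-encoded under {@code preference} and
     * {@code preference + "_i_v"} in the enclosing helper's preference file.
     */
    public class EncryptionData {
        private final String ivPreference;
        private final String preference;
        private final List<String> preferenceList = new ArrayList<>();
        private final EncryptionData[] subEncryptionData;

        /**
         * @param str preference key for the stored value
         * @param encryptionState state this record represents, or {@code null} for a helper record
         * @param encryptionDataArr dependent records that {@link #clear()} removes as well
         */
        EncryptionData(String str, EncryptionState encryptionState, EncryptionData... encryptionDataArr) {
            this.preference = str;
            this.subEncryptionData = encryptionDataArr.clone();
            this.ivPreference = str + EncryptionHelper.IV_PREFERENCE_SUFFIX;
            this.preferenceList.add(this.preference);
            this.preferenceList.add(this.ivPreference);
            if (encryptionState != null) {
                // The decompiled source carried impossible casts on both arguments of this call.
                EncryptionHelper.this.stateMap.put(encryptionState, this);
            }
        }

        /**
         * Decrypts the stored value with the Keystore key stored under the helper's alias.
         *
         * @throws EncryptionError if the key or cipher is unavailable or the GCM tag check fails
         */
        public byte[] decrypt() throws EncryptionError {
            try {
                return getCipher(Cipher.DECRYPT_MODE, getIv()).doFinal(getEncrypted());
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                throw new EncryptionError("Failed to decrypt", e);
            }
        }

        /**
         * Decrypts the stored value with the given secret key and the stored IV.
         *
         * @throws EncryptionError if the cipher cannot be set up or the GCM tag check fails
         */
        public byte[] decrypt(Key key) throws EncryptionError {
            try {
                return getCipher(key, Cipher.DECRYPT_MODE, getIv()).doFinal(getEncrypted());
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                throw new EncryptionError("Failed to decrypt with a secret key", e);
            }
        }

        /**
         * Decrypts the stored value with a cipher the caller has already initialised.
         *
         * @throws EncryptionError if the cipher is in the wrong state or decryption fails
         */
        public byte[] decrypt(Cipher cipher) throws EncryptionError {
            try {
                return cipher.doFinal(getEncrypted());
            } catch (IllegalStateException e) {
                throw new EncryptionError("Encryption cipher is used for decryption.", e);
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                // The decompiler emitted two catch blocks assigning to an undeclared variable.
                throw new EncryptionError("Failed to decrypt with the provided cipher", e);
            }
        }

        /**
         * Encrypts {@code bArr} with the given secret key under a fresh random IV and stores the
         * IV and ciphertext together.
         *
         * @throws EncryptionError if the cipher cannot be set up or encryption fails
         */
        public void encrypt(Key key, byte[] bArr) throws EncryptionError {
            // Never reuse the stored IV: a passcode-derived key is identical across calls while
            // the salt and passcode are unchanged, and GCM must not see a (key, IV) pair twice.
            byte[] iv = EncryptionHelper.generateRandom(IV_LENGTH);
            try {
                saveEncrypted(iv, getCipher(key, Cipher.ENCRYPT_MODE, iv).doFinal(bArr));
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                throw new EncryptionError("Failed to encrypt with a secret key.", e);
            }
        }

        /**
         * Encrypts {@code bArr} with a cipher the caller has already initialised and stores the
         * ciphertext. The IV of such a cipher is managed by the enclosing helper, not here.
         *
         * @throws EncryptionError if encryption fails
         */
        public void encrypt(Cipher cipher, byte[] bArr) throws EncryptionError {
            try {
                saveEncrypted(cipher.doFinal(bArr));
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                throw new EncryptionError("Failed to encrypt with the provided cipher", e);
            }
        }

        /**
         * Encrypts {@code bArr} with a newly generated Keystore key under a fresh random IV and
         * stores the IV and ciphertext together.
         *
         * @throws EncryptionError if the key or cipher is unavailable or encryption fails
         */
        public void encrypt(byte[] bArr) throws EncryptionError {
            byte[] iv = EncryptionHelper.generateRandom(IV_LENGTH);
            try {
                saveEncrypted(iv, getCipher(Cipher.ENCRYPT_MODE, iv).doFinal(bArr));
            } catch (BadPaddingException | IllegalBlockSizeException e) {
                throw new EncryptionError("Failed to encrypt", e);
            }
        }

        /** Returns an AES-GCM cipher initialised with {@code key} and {@code iv} in {@code mode}. */
        private Cipher getCipher(Key key, int mode, byte[] iv) throws EncryptionError {
            Cipher cipherInstance = EncryptionHelper.this.getCipherInstance();
            try {
                cipherInstance.init(mode, key, new GCMParameterSpec(GCM_AUTHENTICATION_TAG_LENGTH, iv));
                return cipherInstance;
            } catch (InvalidAlgorithmParameterException | InvalidKeyException e) {
                throw new EncryptionError("Failed to get AES cipher with a secret key", e);
            }
        }

        /**
         * Returns an AES-GCM cipher keyed from the Keystore: a newly generated key when
         * encrypting, the stored key when decrypting.
         */
        private Cipher getCipher(int mode, byte[] iv) throws EncryptionError {
            Cipher cipherInstance = EncryptionHelper.this.getCipherInstance();
            boolean encrypting = mode == Cipher.ENCRYPT_MODE;
            try {
                cipherInstance.init(
                        mode,
                        EncryptionHelper.this.getKeyStoreKey(false, encrypting),
                        new GCMParameterSpec(GCM_AUTHENTICATION_TAG_LENGTH, iv));
                return cipherInstance;
            } catch (InvalidAlgorithmParameterException | InvalidKeyException e) {
                throw new EncryptionError("Failed to get AES cipher", e);
            }
        }

        /** Returns the stored value, or an empty array when nothing is stored. */
        private byte[] getEncrypted() {
            return EncryptionHelper.this.getPreference(this.preference);
        }

        /** Stores {@code bArr} as this record's value. */
        public void saveEncrypted(byte[] bArr) {
            EncryptionHelper.this.savePreference(this.preference, bArr);
        }

        /**
         * Stores an IV and its ciphertext in a single editor transaction, so the persisted pair
         * cannot end up mismatched if only one of two separate writes were applied.
         */
        private void saveEncrypted(byte[] iv, byte[] ciphertext) {
            EncryptionHelper.this.sharedPreferences.edit()
                    .putString(this.ivPreference, Base64.encodeToString(iv, 0)) // 0 = default flags
                    .putString(this.preference, Base64.encodeToString(ciphertext, 0))
                    .apply();
        }

        /** Removes this record's preferences and then those of its dependent records. */
        void clear() {
            if (!exists()) {
                return;
            }
            SharedPreferences.Editor edit = EncryptionHelper.this.sharedPreferences.edit();
            for (String key : this.preferenceList) {
                edit.remove(key);
            }
            edit.apply();
            for (EncryptionData encryptionData : this.subEncryptionData) {
                encryptionData.clear();
            }
        }

        /** Returns {@code true} if either the value or the IV preference is present. */
        boolean exists() {
            boolean found = false;
            for (String key : this.preferenceList) {
                if (EncryptionHelper.this.sharedPreferences.contains(key)) {
                    found = true;
                }
            }
            return found;
        }

        /** Returns the stored IV, or an empty array when none is stored. */
        byte[] getIv() {
            return EncryptionHelper.this.getPreference(this.ivPreference);
        }

        /** Stores {@code bArr} in this record's IV slot. */
        void saveIv(byte[] bArr) {
            EncryptionHelper.this.savePreference(this.ivPreference, bArr);
        }
    }

    static {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
            keyStore = androidKeyStore;
            androidKeyStore.load(null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            // NOTE(review): the failure is only logged; later Keystore calls then hit a null or
            // unloaded keyStore. Confirm callers tolerate that.
            LOGGER.error("Unexpected Exception in {}", " key store initialization", e);
        }
    }

    /**
     * Creates a helper bound to the preference file and Keystore aliases derived from {@code str}.
     *
     * @param context used to open the preference file and query the StrongBox feature
     * @param str non-empty alias; prefix of every preference key and Keystore alias used
     * @throws IllegalArgumentException if {@code str} is empty
     */
    public EncryptionHelper(Context context, String str) {
        if (str.isEmpty()) {
            throw new IllegalArgumentException("Empty alias.");
        }
        this.alias = str;
        this.cipherIvPreference = str + "_ci_iv";
        // Mode 0 is Context.MODE_PRIVATE.
        this.sharedPreferences = context.getSharedPreferences(str + SHARED_PREFERENCES_SUFFIX, 0);
        this.salt = new EncryptionData(str + "_s", null);
        this.passcodeCheck = new EncryptionData(str + "p_chk", null);
        // Not kept in a field: the constructor registers it in stateMap for the INIT state.
        new EncryptionData(str + "init_iv_verifier", EncryptionState.INIT);
        this.autoEncryptionKey = new EncryptionData(str + "_auto_key", EncryptionState.NO_PASSCODE);
        this.passcodeEncryptionKey =
                new EncryptionData(str + "_pCode_key", EncryptionState.PASSCODE_ONLY, this.salt, this.passcodeCheck);
        this.biometricEncryptionKey =
                new EncryptionData(str + "_b_m_pCode_key", EncryptionState.PASSCODE_BIOMETRIC, this.passcodeEncryptionKey);
        this.cipherAlias = str + "_biometric";
        // The StrongBox feature is only queried from API level 28 on.
        this.hasStrongBox = Build.VERSION.SDK_INT >= 28
                && context.getPackageManager().hasSystemFeature("android.hardware.strongbox_keystore");
    }

    /** Returns {@code true} if {@code bArr} has the salt-plus-iteration-count length. */
    private boolean containsIterationCount(byte[] bArr) {
        return bArr.length == SALT_WITH_ITERATION_LENGTH_IN_BYTES;
    }

    /** Reads the big-endian {@code int} held in the last four bytes of {@code bArr}. */
    private int decodeIterationCount(byte[] bArr) {
        int length = bArr.length;
        // The decompiler had replaced the shift constant 24 with Guava's Ascii.CAN (also 24).
        return (bArr[length - 4] << 24)
                | ((bArr[length - 3] & 0xFF) << 16)
                | ((bArr[length - 2] & 0xFF) << 8)
                | (bArr[length - 1] & 0xFF);
    }

    /** Writes {@code i} big-endian into the last four bytes of {@code bArr}. */
    private void encodeIterationCount(byte[] bArr, int i) {
        int length = bArr.length;
        bArr[length - 4] = (byte) (i >> 24);
        bArr[length - 3] = (byte) (i >> 16);
        bArr[length - 2] = (byte) (i >> 8);
        bArr[length - 1] = (byte) i;
    }

    /**
     * Writes all-zero placeholder bytes for the given state's record so that the state is
     * reported as present. Nothing is encrypted; presumably a test aid — confirm against callers.
     */
    static void fakeState(Context context, String str, EncryptionState encryptionState) {
        EncryptionData encryptionData = new EncryptionHelper(context, str).getEncryptionData(encryptionState);
        encryptionData.saveEncrypted(new byte[KEY_LENGTH_IN_BYTES]);
        encryptionData.saveIv(new byte[IV_LENGTH]);
    }

    /** Returns 32 random bytes, the size of a data-encryption key. */
    private static byte[] generateRandom() {
        return generateRandom(KEY_LENGTH_IN_BYTES);
    }

    /**
     * Returns {@code i} bytes from a {@link SecureRandom}.
     *
     * @throws IllegalArgumentException if {@code i} is not positive
     */
    public static byte[] generateRandom(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("generateRandom: invalid length.");
        }
        byte[] bArr = new byte[i];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    /**
     * Derives a 256-bit key from a passcode with PBKDF2-HMAC-SHA1.
     *
     * @param cArr passcode characters
     * @param i iteration count
     * @param bArr salt
     * @throws EncryptionError if the algorithm is unavailable or the key spec is rejected
     */
    private Key generateSecretKey(char[] cArr, int i, byte[] bArr) throws EncryptionError {
        try {
            PBEKeySpec keySpec = new PBEKeySpec(cArr, bArr, i, KEY_LENGTH_IN_BITS);
            return SecretKeyFactory.getInstance(PBKDF2_HMAC_SHA1_ALGORITHM).generateSecret(keySpec);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new EncryptionError("Error generating secret key", e);
        }
    }

    /**
     * Initialises {@code cipher} with the user-authentication-bound Keystore key.
     *
     * @param z {@code true} to encrypt (new key and new IV), {@code false} to decrypt
     */
    private Cipher getCipher(Cipher cipher, boolean z) throws EncryptionError {
        try {
            int mode = z ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE;
            cipher.init(mode, getKeyStoreKey(true, z), new GCMParameterSpec(GCM_AUTHENTICATION_TAG_LENGTH, getCipherIv(z)));
            return cipher;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException e) {
            throw new EncryptionError("Failed to get AES cipher", e);
        }
    }

    /** Returns a new, uninitialised AES/GCM/NoPadding cipher. */
    public Cipher getCipherInstance() throws EncryptionError {
        try {
            return Cipher.getInstance(TRANSFORMATION);
        } catch (NoSuchAlgorithmException | NoSuchPaddingException e) {
            throw new EncryptionError("Failed to get cipher instance", e);
        }
    }

    /** Returns the stored IV of the caller-facing cipher, or an empty array. */
    private byte[] getCipherIv() {
        return getPreference(this.cipherIvPreference);
    }

    /** Returns a fresh, persisted IV when encrypting; the stored IV when decrypting. */
    private byte[] getCipherIv(boolean z) {
        if (!z) {
            return getCipherIv();
        }
        byte[] freshIv = generateRandom(IV_LENGTH);
        saveCipherIv(freshIv);
        return freshIv;
    }

    /** Iteration count assumed for salts stored without one; changing it breaks those salts. */
    private static int getDefaultIterationCount() {
        return MIN_ITERATION_COUNT;
    }

    /** Returns the record registered for {@code encryptionState}, or {@code null} if none. */
    private EncryptionData getEncryptionData(EncryptionState encryptionState) {
        return this.stateMap.get(encryptionState);
    }

    /**
     * Returns a Keystore AES key.
     *
     * @param z {@code true} for the user-authentication-bound key under {@code cipherAlias},
     *     {@code false} for the key under {@code alias}
     * @param z2 {@code true} to generate a new key under that alias, {@code false} to load the
     *     stored one
     * @throws EncryptionError if the entry is missing or the Keystore operation fails
     */
    public Key getKeyStoreKey(boolean z, boolean z2) throws EncryptionError {
        String keyAlias = z ? this.cipherAlias : this.alias;
        return z2 ? generateKeyStoreKey(keyAlias, z) : loadKeyStoreKey(keyAlias);
    }

    /** Loads the secret key stored under {@code keyAlias}. */
    private Key loadKeyStoreKey(String keyAlias) throws EncryptionError {
        try {
            KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) keyStore.getEntry(keyAlias, null);
            if (secretKeyEntry == null) {
                throw new EncryptionError("KeyStore entry does not exist.");
            }
            return secretKeyEntry.getSecretKey();
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new EncryptionError("Failed to get key from key store.", e);
        }
    }

    /** Generates an AES-GCM key under {@code keyAlias} in the Android Keystore. */
    private Key generateKeyStoreKey(String keyAlias, boolean requireUserAuthentication) throws EncryptionError {
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(ALGORITHM, ANDROID_KEY_STORE);
            // Purposes 3 = encrypt | decrypt.
            KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyAlias, 3);
            if (requireUserAuthentication) {
                builder.setUserAuthenticationRequired(true);
            }
            // Randomized encryption is switched off so this class can pass its own IV; the
            // Keystore therefore no longer guarantees IV uniqueness, the callers here must.
            builder.setBlockModes(BLOCK_MODE).setEncryptionPaddings(PADDING).setRandomizedEncryptionRequired(false);
            if (Build.VERSION.SDK_INT >= 28) {
                builder.setIsStrongBoxBacked(this.hasStrongBox);
            }
            keyGenerator.init(builder.build());
            return keyGenerator.generateKey();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new EncryptionError("Failed to generate key from key store.", e);
        }
    }

    /** Returns the Base64-decoded preference {@code str}, or an empty array when it is absent. */
    public byte[] getPreference(String str) {
        if (!hasPreference(str)) {
            return new byte[0];
        }
        return Base64.decode(this.sharedPreferences.getString(str, null), 0);
    }

    private boolean hasPreference(String str) {
        return this.sharedPreferences.contains(str);
    }

    /** Returns {@code true} if {@code i} is an acceptable PBKDF2 iteration count. */
    private static boolean isValid(int i) {
        return i >= MIN_ITERATION_COUNT;
    }

    /**
     * Throws if the current state is one of {@code encryptionStateArr}.
     *
     * @param z {@code false} skips the check entirely
     * @throws IllegalStateException if the current state is listed
     */
    private void reject(boolean z, EncryptionState... encryptionStateArr) {
        if (!z) {
            LOGGER.debug("Skipping State check.");
            return;
        }
        List<EncryptionState> rejected = Arrays.asList(encryptionStateArr);
        EncryptionState currentState = getCurrentState();
        if (rejected.contains(currentState)) {
            throw new IllegalStateException(currentState + " is not allowed");
        }
    }

    private void reject(EncryptionState... encryptionStateArr) {
        reject(true, encryptionStateArr);
    }

    private void saveCipherIv(byte[] bArr) {
        savePreference(this.cipherIvPreference, bArr);
    }

    /**
     * Wraps {@code bArr} with a key derived from the passcode and stores it, together with a
     * passcode check value (the salt encrypted under the same key).
     *
     * @param cArr passcode characters
     * @param z when {@code true}, {@code i} is used even if the stored salt carries its own count
     * @param i iteration count for a new salt, or the override when {@code z} is set
     * @param bArr data-encryption key to wrap
     */
    private void saveEncryptionKey(char[] cArr, boolean z, int i, byte[] bArr) throws EncryptionError {
        byte[] saltBytes;
        if (this.salt.exists()) {
            // The salt record keeps its bytes in the IV slot.
            saltBytes = this.salt.getIv();
            if (containsIterationCount(saltBytes)) {
                if (!z) {
                    i = decodeIterationCount(saltBytes);
                }
                saltBytes = Arrays.copyOfRange(saltBytes, 0, SALT_LENGTH_IN_BYTES);
            }
        } else {
            // The random buffer's last four bytes are overwritten with the iteration count.
            byte[] saltWithCount = generateRandom(SALT_WITH_ITERATION_LENGTH_IN_BYTES);
            encodeIterationCount(saltWithCount, i);
            this.salt.saveIv(saltWithCount);
            saltBytes = Arrays.copyOfRange(saltWithCount, 0, SALT_LENGTH_IN_BYTES);
        }
        Key passcodeKey = generateSecretKey(cArr, i, saltBytes);
        this.passcodeCheck.encrypt(passcodeKey, saltBytes);
        this.passcodeEncryptionKey.encrypt(passcodeKey, bArr);
    }

    private void saveEncryptionKey(char[] cArr, byte[] bArr) throws EncryptionError {
        saveEncryptionKey(cArr, false, getDefaultIterationCount(), bArr);
    }

    /** Stores {@code bArr} Base64-encoded under {@code str}; the write is asynchronous. */
    public void savePreference(String str, byte[] bArr) {
        this.sharedPreferences.edit().putString(str, Base64.encodeToString(bArr, 0)).apply();
    }

    /**
     * Derives the passcode key and checks it against the stored passcode check value.
     *
     * @return the derived key when the passcode is correct
     * @throws EncryptionError if the check value cannot be decrypted or does not match the salt
     */
    private Key verifyPasscode(char[] cArr) throws EncryptionError {
        byte[] saltBytes = this.salt.getIv();
        int iterationCount = getDefaultIterationCount();
        if (containsIterationCount(saltBytes)) {
            // NOTE(review): the stored count is used as read, without the isValid() floor.
            iterationCount = decodeIterationCount(saltBytes);
            saltBytes = Arrays.copyOfRange(saltBytes, 0, SALT_LENGTH_IN_BYTES);
        }
        Key passcodeKey = generateSecretKey(cArr, iterationCount, saltBytes);
        if (!Arrays.equals(saltBytes, this.passcodeCheck.decrypt(passcodeKey))) {
            throw new EncryptionError("Incorrect passcode.");
        }
        return passcodeKey;
    }

    /**
     * Re-wraps the data-encryption key with a new salt and the given iteration count.
     *
     * @throws IllegalArgumentException if {@code i} is below the minimum
     * @throws IllegalStateException in the INIT and NO_PASSCODE states
     * @throws EncryptionError if the passcode is wrong or a crypto operation fails
     */
    public void changeIterationCount(char[] cArr, int i) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE);
        if (!isValid(i)) {
            throw new IllegalArgumentException("Invalid iteration count, must >= 1000.");
        }
        byte[] encryptionKey = this.passcodeEncryptionKey.decrypt(verifyPasscode(cArr));
        // Clearing also removes the salt and check value, so a new salt is generated below.
        this.passcodeEncryptionKey.clear();
        saveEncryptionKey(cArr, true, i, encryptionKey);
    }

    /**
     * Re-wraps the data-encryption key under a new passcode; the stored salt is kept.
     *
     * @param cArr current passcode
     * @param cArr2 new passcode
     */
    public void changePasscode(char[] cArr, char[] cArr2) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE);
        saveEncryptionKey(cArr2, this.passcodeEncryptionKey.decrypt(verifyPasscode(cArr)));
    }

    /**
     * Clears every state record and deletes the Keystore entry under {@code alias}.
     *
     * <p>NOTE(review): the entry under {@code cipherAlias} and the cipher IV preference are not
     * removed here; confirm whether that is intended.
     */
    public void delete() throws EncryptionError {
        for (EncryptionState encryptionState : EncryptionState.values()) {
            getEncryptionData(encryptionState).clear();
        }
        deleteKeyStoreEntry();
    }

    /** Deletes the Keystore entry stored under {@code alias}. */
    public void deleteKeyStoreEntry() throws EncryptionError {
        try {
            keyStore.deleteEntry(this.alias);
        } catch (KeyStoreException e) {
            throw new EncryptionError("Failed to delete Android Key Store entry." + e.getLocalizedMessage(), e);
        }
    }

    /** Removes the biometric-wrapped copy of the key after verifying the passcode. */
    public void disableBiometric(char[] cArr) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE, EncryptionState.PASSCODE_ONLY);
        byte[] encryptionKey = this.passcodeEncryptionKey.decrypt(verifyPasscode(cArr));
        // Clearing the biometric record also clears the passcode record it depends on.
        this.biometricEncryptionKey.clear();
        saveEncryptionKey(cArr, encryptionKey);
    }

    /** Unwraps the key with {@code cipher} and re-wraps it with a Keystore key only. */
    public void disablePasscode(Cipher cipher) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE, EncryptionState.PASSCODE_ONLY);
        byte[] encryptionKey = getEncryptionKey(cipher);
        this.biometricEncryptionKey.clear();
        this.autoEncryptionKey.encrypt(encryptionKey);
    }

    /** Unwraps the key with the passcode and re-wraps it with a Keystore key only. */
    public void disablePasscode(char[] cArr) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE);
        byte[] encryptionKey = getEncryptionKey(cArr, false);
        getEncryptionData(getCurrentState()).clear();
        this.autoEncryptionKey.encrypt(encryptionKey);
    }

    /**
     * Wraps the data-encryption key with both {@code cipher} and the passcode, creating the key
     * if none exists yet.
     *
     * @return the data-encryption key
     */
    public byte[] enableBiometric(char[] cArr, Cipher cipher) throws EncryptionError {
        reject(EncryptionState.PASSCODE_BIOMETRIC);
        byte[] encryptionKey;
        if (this.autoEncryptionKey.exists()) {
            encryptionKey = this.autoEncryptionKey.decrypt();
        } else if (this.passcodeEncryptionKey.exists()) {
            encryptionKey = this.passcodeEncryptionKey.decrypt(verifyPasscode(cArr));
        } else {
            encryptionKey = generateRandom();
        }
        this.biometricEncryptionKey.encrypt(cipher, encryptionKey);
        saveEncryptionKey(cArr, encryptionKey);
        this.autoEncryptionKey.clear();
        return encryptionKey;
    }

    /**
     * Wraps the data-encryption key with the passcode, creating the key if none exists yet.
     *
     * @param z {@code false} skips the state check
     * @return the data-encryption key
     */
    public byte[] enablePasscode(char[] cArr, boolean z) throws EncryptionError {
        reject(z, EncryptionState.PASSCODE_ONLY, EncryptionState.PASSCODE_BIOMETRIC);
        byte[] encryptionKey = this.autoEncryptionKey.exists() ? this.autoEncryptionKey.decrypt() : generateRandom();
        saveEncryptionKey(cArr, encryptionKey);
        this.autoEncryptionKey.clear();
        return encryptionKey;
    }

    /**
     * Returns a cipher bound to the user-authentication-required key: initialised for decryption
     * in the PASSCODE_BIOMETRIC state, for encryption (new key, new IV) otherwise.
     */
    public Cipher getCipher() throws EncryptionError {
        return getCipher(getCipherInstance(), getCurrentState() != EncryptionState.PASSCODE_BIOMETRIC);
    }

    /** Returns the last state, in enum order, whose record exists; INIT when none does. */
    public EncryptionState getCurrentState() {
        EncryptionState current = EncryptionState.INIT;
        for (EncryptionState candidate : EncryptionState.values()) {
            if (getEncryptionData(candidate).exists()) {
                current = candidate;
            }
        }
        return current;
    }

    /** Returns the Keystore-wrapped data-encryption key, creating and storing it if absent. */
    public byte[] getEncryptionKey() throws EncryptionError {
        reject(EncryptionState.PASSCODE_ONLY, EncryptionState.PASSCODE_BIOMETRIC);
        if (this.autoEncryptionKey.exists()) {
            return this.autoEncryptionKey.decrypt();
        }
        byte[] encryptionKey = generateRandom();
        this.autoEncryptionKey.encrypt(encryptionKey);
        return encryptionKey;
    }

    /** Returns the data-encryption key unwrapped with the caller's initialised cipher. */
    public byte[] getEncryptionKey(Cipher cipher) throws EncryptionError {
        reject(EncryptionState.INIT, EncryptionState.NO_PASSCODE, EncryptionState.PASSCODE_ONLY);
        return this.biometricEncryptionKey.decrypt(cipher);
    }

    /**
     * Returns the data-encryption key after verifying the passcode, enabling biometric wrapping
     * first if it is not set up yet.
     */
    public byte[] getEncryptionKey(char[] cArr, Cipher cipher) throws EncryptionError {
        reject(EncryptionState.NO_PASSCODE, EncryptionState.PASSCODE_ONLY);
        if (!this.biometricEncryptionKey.exists()) {
            return enableBiometric(cArr, cipher);
        }
        verifyPasscode(cArr);
        return this.biometricEncryptionKey.decrypt(cipher);
    }

    /**
     * Returns the data-encryption key unwrapped with the passcode, enabling passcode wrapping
     * first if it is not set up yet.
     *
     * @param z {@code false} skips the state check
     */
    public byte[] getEncryptionKey(char[] cArr, boolean z) throws EncryptionError {
        reject(z, EncryptionState.NO_PASSCODE);
        if (!this.passcodeEncryptionKey.exists()) {
            return enablePasscode(cArr, z);
        }
        return this.passcodeEncryptionKey.decrypt(verifyPasscode(cArr));
    }

    /** Returns the iteration count stored with the salt, or the default when none is stored. */
    public int getIterationCount() {
        byte[] saltBytes = this.salt.getIv();
        return containsIterationCount(saltBytes) ? decodeIterationCount(saltBytes) : getDefaultIterationCount();
    }
}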
