package com.oblador.keychain.cipherStorage;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.util.Log;
import com.microsoft.identity.common.java.crypto.key.AES256KeyLoader;
import com.oblador.keychain.SecurityLevel;
import com.oblador.keychain.cipherStorage.CipherStorage;
import com.oblador.keychain.exceptions.CryptoFailedException;
import com.oblador.keychain.exceptions.KeyStoreAccessException;
import io.sentry.android.core.SentryLogcatAdapter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;

/* loaded from: classes2.dex */
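/**
 * {@link CipherStorage} that encrypts two string values per service with an AES-256 key held in
 * the Android Keystore, using {@code AES/CBC/PKCS7Padding}.
 *
 * <p>Each encrypted blob is laid out as {@code IV (16 bytes) || ciphertext}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>CBC with PKCS7 padding gives confidentiality only. Nothing in this class authenticates the
 *       ciphertext, so a modified blob is not detected as such; where stored blobs can be altered
 *       by another party and decryption failures are observable, padding errors can act as an
 *       oracle. An AEAD mode (for example AES-GCM) avoids this for newly written data.</li>
 *   <li>The key spec built here does not require user authentication, so any code running inside
 *       the app process can use the key.</li>
 *   <li>{@link #encrypt} deletes and regenerates the key when the existing one is unrecoverable;
 *       blobs written under the old key cannot be decrypted afterwards.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. The method signatures carried no
 * {@code throws} clauses; the clauses below were restored from what each body throws and should be
 * checked against the {@code CipherStorage} interface. The instance is not thread-safe because of
 * the mutable {@code retry} flag.
 */
public class CipherStorageKeystoreAESCBC implements CipherStorage {
    private static final String TAG = "KeystoreAESCBC";
    private static final String KEYSTORE_TYPE = "AndroidKeyStore";
    private static final String TRANSFORMATION = "AES/CBC/PKCS7Padding";
    private static final String DEFAULT_ALIAS = "RN_KEYCHAIN_DEFAULT_ALIAS";
    private static final String PROBE_ALIAS = "AndroidKeyStore#supportsSecureHardware";
    /** AES block size; the IV is stored in the first 16 bytes of every blob. */
    private static final int IV_LENGTH = 16;

    /** True while {@link #encrypt} may still delete an unrecoverable key and try once more. */
    private boolean retry = true;

    /**
     * Decrypts a blob produced by {@link #encryptString}.
     *
     * @param key              the Keystore key for the service
     * @param ivAndCiphertext  {@code IV (16 bytes) || ciphertext}
     * @return the plaintext decoded as UTF-8
     * @throws CryptoFailedException if the blob is too short to hold an IV or decryption fails
     */
    private String decryptBytes(Key key, byte[] ivAndCiphertext) throws CryptoFailedException {
        // Reject truncated input up front so the caller gets a clear reason instead of the
        // IvParameterSpec range error that the short array would otherwise trigger.
        if (ivAndCiphertext == null || ivAndCiphertext.length < IV_LENGTH) {
            throw new CryptoFailedException("Could not decrypt bytes: input is shorter than the IV");
        }
        try {
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(ivAndCiphertext, 0, IV_LENGTH));
            byte[] plaintext = cipher.doFinal(ivAndCiphertext, IV_LENGTH, ivAndCiphertext.length - IV_LENGTH);
            return new String(plaintext, Charset.forName("UTF-8"));
        } catch (Exception e) {
            // The underlying message (including padding failures) is forwarded to the caller.
            throw new CryptoFailedException("Could not decrypt bytes: " + e.getMessage(), e);
        }
    }

    /**
     * Encrypts {@code plaintext} and returns {@code IV || ciphertext}.
     *
     * @param key        the Keystore key for the service
     * @param service    alias, used only in the error message
     * @param plaintext  value to encrypt (UTF-8 encoded before encryption)
     * @throws CryptoFailedException wrapping any failure
     */
    private byte[] encryptString(Key key, String service, String plaintext) throws CryptoFailedException {
        try {
            Cipher cipher = Cipher.getInstance(TRANSFORMATION);
            // No IV is supplied: the cipher provides it and it is read back via getIV().
            cipher.init(Cipher.ENCRYPT_MODE, key);
            ByteArrayOutputStream blob = new ByteArrayOutputStream();
            byte[] iv = cipher.getIV();
            blob.write(iv, 0, iv.length);
            // close() flushes the final padded block, so the stream must be closed before
            // toByteArray(); try-with-resources also closes it when write() fails.
            try (CipherOutputStream encrypted = new CipherOutputStream(blob, cipher)) {
                encrypted.write(plaintext.getBytes("UTF-8"));
            }
            return blob.toByteArray();
        } catch (Exception e) {
            throw new CryptoFailedException("Could not encrypt value for service " + service + ", message: " + e.getMessage(), e);
        }
    }

    /** Generates a key in the Android Keystore from the given spec. */
    private SecretKey generateKey(KeyGenParameterSpec keyGenParameterSpec)
            throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        // NOTE(review): the algorithm constant comes from an unrelated package, which looks like
        // a decompiler constant substitution — confirm it resolves to "AES".
        KeyGenerator keyGenerator = KeyGenerator.getInstance(AES256KeyLoader.AES_ALGORITHM, KEYSTORE_TYPE);
        keyGenerator.init(keyGenParameterSpec);
        return keyGenerator.generateKey();
    }

    /**
     * Creates the key for {@code alias}, preferring StrongBox and falling back to a regular
     * Keystore key, then enforces the requested security level.
     *
     * @throws CryptoFailedException if the generated key does not satisfy {@code requiredLevel};
     *     the key is removed (best effort) before throwing
     */
    private void generateKeyAndStoreUnderAlias(String alias, SecurityLevel requiredLevel)
            throws CryptoFailedException, NoSuchAlgorithmException, NoSuchProviderException,
                    InvalidAlgorithmParameterException {
        SecretKey key = tryGenerateStrongBoxSecurityKey(alias);
        if (key == null) {
            key = tryGenerateRegularSecurityKey(alias);
        }
        if (validateKeySecurityLevel(requiredLevel, key)) {
            return;
        }
        // Do not leave a key behind that is weaker than what the caller asked for.
        try {
            removeKey(alias);
        } catch (KeyStoreAccessException e) {
            SentryLogcatAdapter.e(TAG, "Unable to remove key from keychain", e);
        }
        throw new CryptoFailedException("Cannot generate keys with required security guarantees");
    }

    /** Maps an empty service name to the default alias. */
    private String getDefaultServiceIfEmpty(String str) {
        return str.isEmpty() ? DEFAULT_ALIAS : str;
    }

    /** Builds the common key spec: AES-256, CBC, PKCS7, randomized encryption required. */
    private KeyGenParameterSpec.Builder getKeyGenSpecBuilder(String alias) {
        // 3 == PURPOSE_ENCRYPT (1) | PURPOSE_DECRYPT (2) from KeyProperties.
        return new KeyGenParameterSpec.Builder(alias, 3)
                .setBlockModes("CBC")
                .setEncryptionPaddings("PKCS7Padding")
                .setRandomizedEncryptionRequired(true)
                .setKeySize(256);
    }

    /**
     * Opens the Android Keystore.
     *
     * @throws KeyStoreAccessException if loading fails
     * @throws KeyStoreException if the keystore type is unavailable
     */
    private KeyStore getKeyStoreAndLoad() throws KeyStoreAccessException, KeyStoreException {
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            keyStore.load(null);
            return keyStore;
        } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
            throw new KeyStoreAccessException("Could not access Keystore", e);
        }
    }

    /**
     * Reports where the key material lives, based on {@link KeyInfo#isInsideSecureHardware()}.
     *
     * @return {@code SECURE_HARDWARE} or {@code SECURE_SOFTWARE}; {@code ANY} when the key info
     *     cannot be read
     */
    private SecurityLevel getSecurityLevel(SecretKey secretKey) {
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance(secretKey.getAlgorithm(), KEYSTORE_TYPE);
            KeyInfo keyInfo = (KeyInfo) factory.getKeySpec(secretKey, KeyInfo.class);
            // isInsideSecureHardware() is deprecated from API 31 in favour of
            // KeyInfo.getSecurityLevel(); kept because the class supports API 23+.
            return keyInfo.isInsideSecureHardware() ? SecurityLevel.SECURE_HARDWARE : SecurityLevel.SECURE_SOFTWARE;
        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeySpecException ignored) {
            // Key info unavailable: report ANY and let satisfiesSafetyThreshold() decide.
            return SecurityLevel.ANY;
        }
    }

    /** Generates a key from the common spec without requesting StrongBox. */
    private SecretKey tryGenerateRegularSecurityKey(String alias)
            throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        return generateKey(getKeyGenSpecBuilder(alias).build());
    }

    /**
     * Attempts to generate a StrongBox-backed key.
     *
     * @return the key, or {@code null} below API 28 or when generation fails for any reason
     */
    private SecretKey tryGenerateStrongBoxSecurityKey(String alias) {
        // setIsStrongBoxBacked() is only called on API 28 and above.
        if (Build.VERSION.SDK_INT < 28) {
            return null;
        }
        try {
            KeyGenParameterSpec.Builder strongBoxSpec = getKeyGenSpecBuilder(alias).setIsStrongBoxBacked(true);
            return generateKey(strongBoxSpec.build());
        } catch (Exception e) {
            // Compiler-synthesised helper; presumably an instanceof test for the
            // "StrongBox unavailable" exception — confirm against the original source.
            if (CipherStorageKeystoreAESCBC$$ExternalSyntheticApiModelOutline0.m(e)) {
                Log.i(TAG, "StrongBox is unavailable on this device");
            } else {
                SentryLogcatAdapter.e(TAG, "An error occurred when trying to generate a StrongBoxSecurityKey: " + e.getMessage());
            }
            return null;
        }
    }

    /** Returns whether the key's actual level satisfies the requested level. */
    private boolean validateKeySecurityLevel(SecurityLevel securityLevel, SecretKey secretKey) {
        return getSecurityLevel(secretKey).satisfiesSafetyThreshold(securityLevel);
    }

    /**
     * Decrypts the two blobs stored for a service.
     *
     * @param str    service name; empty selects the default alias
     * @param bArr   first blob ({@code IV || ciphertext})
     * @param bArr2  second blob ({@code IV || ciphertext})
     * @return both plaintexts plus the security level of the key that decrypted them
     * @throws CryptoFailedException if the key is missing, the Keystore is inaccessible or
     *     decryption fails
     */
    @Override
    public CipherStorage.DecryptionResult decrypt(String str, byte[] bArr, byte[] bArr2) throws CryptoFailedException {
        try {
            Key key = getKeyStoreAndLoad().getKey(getDefaultServiceIfEmpty(str), null);
            if (key == null) {
                // Caught by the generic handler below and re-wrapped, as in the original.
                throw new CryptoFailedException("The provided service/key could not be found in the Keystore");
            }
            return new CipherStorage.DecryptionResult(
                    decryptBytes(key, bArr), decryptBytes(key, bArr2), getSecurityLevel((SecretKey) key));
        } catch (KeyStoreAccessException e) {
            throw new CryptoFailedException("Could not access Keystore", e);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new CryptoFailedException("Could not get key from Keystore", e);
        } catch (Exception e) {
            throw new CryptoFailedException("Unknown error: " + e.getMessage(), e);
        }
    }

    /**
     * Encrypts two values under the key for a service, creating the key on first use.
     *
     * <p>If the existing key is unrecoverable, the entry is deleted and the call is repeated once
     * with a fresh key. Data previously encrypted under the deleted key becomes undecryptable.
     *
     * @param str            service name; empty selects the default alias
     * @param str2           first value to encrypt
     * @param str3           second value to encrypt
     * @param securityLevel  minimum level a newly generated key must satisfy
     * @throws CryptoFailedException on any failure
     */
    @Override
    public CipherStorage.EncryptionResult encrypt(String str, String str2, String str3, SecurityLevel securityLevel)
            throws CryptoFailedException {
        String alias = getDefaultServiceIfEmpty(str);
        try {
            KeyStore keyStore = getKeyStoreAndLoad();
            if (!keyStore.containsAlias(alias)) {
                generateKeyAndStoreUnderAlias(alias, securityLevel);
            }
            try {
                Key key = keyStore.getKey(alias, null);
                byte[] first = encryptString(key, alias, str2);
                byte[] second = encryptString(key, alias, str3);
                this.retry = true;
                return new CipherStorage.EncryptionResult(first, second, this);
            } catch (UnrecoverableKeyException e) {
                SentryLogcatAdapter.e(TAG, "Key is unrecoverable", e);
                if (!this.retry) {
                    throw e;
                }
                this.retry = false;
                try {
                    keyStore.deleteEntry(alias);
                    return encrypt(alias, str2, str3, securityLevel);
                } finally {
                    // Re-arm the single retry even when the second attempt fails; otherwise the
                    // flag stays false and no later call on this instance can recover.
                    this.retry = true;
                }
            }
        } catch (KeyStoreAccessException e) {
            throw new CryptoFailedException("Could not access Keystore for service " + alias, e);
        } catch (KeyStoreException e) {
            throw new CryptoFailedException("Could not access Keystore for service " + alias, e);
        } catch (UnrecoverableKeyException | InvalidAlgorithmParameterException | NoSuchAlgorithmException
                | NoSuchProviderException e) {
            throw new CryptoFailedException("Could not encrypt data for service " + alias, e);
        } catch (Exception e) {
            throw new CryptoFailedException("Unknown error: " + e.getMessage(), e);
        }
    }

    /** Returns the identifier of this storage implementation. */
    @Override
    public String getCipherStorageName() {
        return TAG;
    }

    /** Returns the lowest Android API level this storage supports. */
    @Override
    public int getMinSupportedApiLevel() {
        return 23;
    }

    /**
     * Deletes the Keystore entry for a service if it exists.
     *
     * @param str service name; empty selects the default alias
     * @throws KeyStoreAccessException if the Keystore cannot be read or modified
     */
    @Override
    public void removeKey(String str) throws KeyStoreAccessException {
        String alias = getDefaultServiceIfEmpty(str);
        try {
            KeyStore keyStore = getKeyStoreAndLoad();
            if (keyStore.containsAlias(alias)) {
                keyStore.deleteEntry(alias);
            }
        } catch (KeyStoreException e) {
            throw new KeyStoreAccessException("Failed to access Keystore", e);
        } catch (Exception e) {
            throw new KeyStoreAccessException("Unknown error " + e.getMessage(), e);
        }
    }

    /**
     * Returns the level this storage advertises. This is a constant; the level of an individual
     * key is whatever {@code getSecurityLevel(SecretKey)} reports for it.
     */
    @Override
    public SecurityLevel securityLevel() {
        return SecurityLevel.SECURE_HARDWARE;
    }

    /**
     * Probes for hardware-backed keys by generating a temporary key under a fixed alias and
     * checking its level. The temporary key is always removed afterwards, and a failure to remove
     * it is logged rather than propagated.
     *
     * @return {@code true} if the probe key satisfies {@code SECURE_HARDWARE}; {@code false} if it
     *     does not or key generation fails
     */
    @Override
    public boolean supportsSecureHardware() {
        try {
            SecretKey probeKey = tryGenerateRegularSecurityKey(PROBE_ALIAS);
            return validateKeySecurityLevel(SecurityLevel.SECURE_HARDWARE, probeKey);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException ignored) {
            return false;
        } finally {
            // Single cleanup path for success, failure and unexpected throwables.
            try {
                removeKey(PROBE_ALIAS);
            } catch (KeyStoreAccessException e) {
                SentryLogcatAdapter.e(TAG, "Unable to remove temp key from keychain", e);
            }
        }
    }
}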
