package com.microsoft.identity.broker.crypto.keymanagers;

import android.security.keystore.KeyGenParameterSpec;
import com.microsoft.identity.broker.crypto.AndroidKeyStoreAsymmetricKeyEntry;
import com.microsoft.identity.broker.crypto.AndroidKeyStoreCryptoFactory;
import com.microsoft.identity.broker4j.broker.crypto.ExportableKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.IAsymmetricKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.IBrokerCryptoFactory;
import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.KeySecurityLevel;
import com.microsoft.identity.broker4j.broker.crypto.RawSymmetricKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.keyfactories.AbstractBrokerKeyFactory;
import com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager;
import com.microsoft.identity.broker4j.broker.flighting.Broker4jFlightsManager;
import com.microsoft.identity.broker4j.broker.flighting.BrokerFlight;
import com.microsoft.identity.broker4j.broker.flighting.IBrokerFlightsProvider;
import com.microsoft.identity.broker4j.opentelemetry.AttributeName;
import com.microsoft.identity.broker4j.workplacejoin.ProviderUtil;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.controllers.ExceptionAdapter;
import com.microsoft.identity.common.java.crypto.SP800108KeyGen;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.opentelemetry.OTelUtility;
import com.microsoft.identity.common.java.util.ThrowableUtil;
import com.microsoft.identity.common.logging.Logger;
import com.nimbusds.jose.util.X509CertUtils;
import io.opentelemetry.api.common.Attributes;
import io.opentelemetry.api.metrics.LongCounter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.UUID;

/* loaded from: classes2.dex */
/**
 * {@link IKeyManager} implementation backed by the Android KeyStore provider
 * ({@code AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE}).
 *
 * <p>Each operation opens a fresh {@link KeyStore} instance, logs the key alias only through
 * {@code Logger.infoPII}, and on failure records a failed-operation metric (operation name, error
 * code, exception type and stack trace) before rethrowing as a {@link ClientException}. The
 * exception to that pattern is {@link #setCertificateEntry}, which catches specific checked
 * exceptions and emits no metric.
 *
 * <p>NOTE(review): this listing is decompiler (JADX) output. Local names are synthetic, and the
 * {@code KeyProperties.PURPOSE_*} flags passed to {@code KeyGenParameterSpec.Builder} appear as
 * inlined integers; the comments below spell out the bit values.
 */
public class AndroidKeyStoreKeyManager implements IKeyManager {
    // Counter incremented once per failed operation; attributes carry the operation name,
    // adapted error code, exception class name and full stack trace.
    private static final LongCounter sFailedAndroidKeyStoreKeyManagerOperationCount = OTelUtility.createLongCounter("failed_keystore_key_manager_operation_count", "Number of failed Android KeyStore KeyManager operations");
    // Log tag prefix; each method appends ":<methodName>".
    private final String TAG;
    // Source of KeyPairGenerator instances and of the SP800-108 key derivation primitive.
    private final IBrokerCryptoFactory mCryptoFactory;
    // Forwarded to KeyGenParameterSpec.Builder#setIsStrongBoxBacked for every generated key pair.
    private final boolean mHasStrongbox;

    /**
     * Creates a key manager that does not request StrongBox-backed keys.
     *
     * @param iBrokerCryptoFactory factory used for key pair generation and key derivation
     */
    public AndroidKeyStoreKeyManager(IBrokerCryptoFactory iBrokerCryptoFactory) {
        this.TAG = AndroidKeyStoreKeyManager.class.getSimpleName();
        this.mCryptoFactory = iBrokerCryptoFactory;
        this.mHasStrongbox = false;
    }

    /**
     * Creates a key manager with an explicit StrongBox preference.
     *
     * @param iBrokerCryptoFactory factory used for key pair generation and key derivation
     * @param z                    whether generated key pairs should request StrongBox backing
     */
    public AndroidKeyStoreKeyManager(IBrokerCryptoFactory iBrokerCryptoFactory, boolean z) {
        this.TAG = AndroidKeyStoreKeyManager.class.getSimpleName();
        this.mCryptoFactory = iBrokerCryptoFactory;
        this.mHasStrongbox = z;
    }

    /**
     * Removes the keystore entry stored under the alias of {@code iKeyEntry}.
     *
     * <p>{@code KeyStore#deleteEntry} does not fail for a missing alias, so a non-existent key is
     * not reported as an error here.
     *
     * @param iKeyEntry entry whose alias is deleted
     * @throws ClientException any failure, adapted via {@code ExceptionAdapter}
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public void deleteKey(IKeyEntry iKeyEntry) throws ClientException {
        String str = this.TAG + ":deleteKey";
        try {
            Logger.info(str, "Deleting key");
            // Alias is treated as PII and only goes to the PII logger.
            Logger.infoPII(str, "Deleting key with alias: " + iKeyEntry.getAlias());
            KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null, null);
            keyStore.deleteEntry(iKeyEntry.getAlias());
        } catch (Throwable th) {
            ClientException clientExceptionFromException = ExceptionAdapter.clientExceptionFromException(th);
            Logger.error(str, "Failed to delete key " + th.getMessage(), th);
            sFailedAndroidKeyStoreKeyManagerOperationCount.add(1L, Attributes.builder().put(AttributeName.keystore_key_manager_operation.name(), "deleteKey").put(AttributeName.error_code.name(), clientExceptionFromException.getErrorCode()).put(AttributeName.error_type.name(), th.getClass().getSimpleName()).put(AttributeName.keystore_key_manager_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th)).build());
            throw clientExceptionFromException;
        }
    }

    /**
     * Derives a new symmetric key from a keystore-resident secret key using SP 800-108.
     *
     * <p>The derived key is returned as raw key material ({@link RawSymmetricKeyEntry}) under a
     * fresh random UUID alias; nothing in this method writes it back to the keystore.
     *
     * @param iKeyEntry keystore entry holding the key-derivation key; must be a {@code SecretKeyEntry}
     * @param bArr      first derivation input (label/context as consumed by {@code SP800108KeyGen})
     * @param bArr2     second derivation input
     * @param str       algorithm name recorded on the returned entry
     * @return the derived key as an exportable raw entry
     * @throws ClientException {@code INVALID_KEY} when the alias is absent; any other failure is
     *                         adapted via {@code ExceptionAdapter}. Note the {@code INVALID_KEY}
     *                         exception thrown below is itself caught by the {@code Throwable}
     *                         handler, so it is also logged and counted before being rethrown.
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public IKeyEntry generateDerivedKey(IKeyEntry iKeyEntry, byte[] bArr, byte[] bArr2, String str) throws ClientException {
        String str2 = this.TAG + ":generateDerivedKey";
        try {
            Logger.info(str2, "Generating derived key {algorithm: " + str + "}");
            StringBuilder sb = new StringBuilder();
            sb.append("Generating derived key with from key with alias: ");
            sb.append(iKeyEntry.getAlias());
            Logger.infoPII(str2, sb.toString());
            KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null);
            if (keyStore.containsAlias(iKeyEntry.getAlias())) {
                // The cast to SecretKeyEntry fails (ClassCastException) if the alias holds a
                // different entry type; that surfaces through the Throwable handler below.
                return RawSymmetricKeyEntry.builder().alias(UUID.randomUUID().toString()).keyData(new SP800108KeyGen(this.mCryptoFactory).generateDerivedKey(((KeyStore.SecretKeyEntry) keyStore.getEntry(iKeyEntry.getAlias(), null)).getSecretKey(), bArr, bArr2)).keyAlgorithm(str).build();
            }
            Logger.infoPII(str2, "Key with alias: " + iKeyEntry.getAlias() + " does not exist in keyStore");
            throw new ClientException(ClientException.INVALID_KEY, "keyToDerive entry does not exist in keyStore");
        } catch (Throwable th) {
            ClientException clientExceptionFromException = ExceptionAdapter.clientExceptionFromException(th);
            Logger.error(str2, "Failed to generate derived key " + th.getMessage(), th);
            sFailedAndroidKeyStoreKeyManagerOperationCount.add(1L, Attributes.builder().put(AttributeName.keystore_key_manager_operation.name(), "generateDerivedKey").put(AttributeName.error_code.name(), clientExceptionFromException.getErrorCode()).put(AttributeName.error_type.name(), th.getClass().getSimpleName()).put(AttributeName.keystore_key_manager_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th)).build());
            throw clientExceptionFromException;
        }
    }

    /**
     * Generates an asymmetric key pair in the Android KeyStore under {@code str}.
     *
     * <p>Key purposes depend on the alias and on the {@code ENABLE_PRTV4_FOR_REGISTERED_DEVICE_PRT}
     * flight (the integers are inlined {@code KeyProperties.PURPOSE_*} bits:
     * {@code PURPOSE_DECRYPT = 2}, {@code PURPOSE_SIGN = 4}, {@code PURPOSE_WRAP_KEY = 32}):
     * <ul>
     *   <li>alias not prefixed with {@code SESSION_TRANSPORT_KEY_ALIAS_PREFIX}: {@code 4} (SIGN);</li>
     *   <li>session transport key (STK) alias, flight off or the per-device STK alias:
     *       {@code 6} (DECRYPT | SIGN);</li>
     *   <li>any other STK alias with the flight on: {@code 38} (DECRYPT | SIGN | WRAP_KEY).</li>
     * </ul>
     * In the last case, if the generated key does not report {@code HARDWARE_BACKED}, it is deleted
     * and regenerated with purpose {@code 2} (DECRYPT) and digest {@code SHA-1} only; that fallback
     * entry is returned without a second hardware-backing check.
     *
     * <p>Security note: the primary spec permits {@code SHA-1} alongside {@code SHA-256} and
     * {@code PKCS1Padding} alongside {@code OAEPPadding}; which of these callers actually use is not
     * visible in this class.
     *
     * @param str  alias for the new key pair
     * @param str2 key pair algorithm passed to {@code mCryptoFactory.getKeyPairGenerator}
     * @param i    key size in bits
     * @return the generated key pair wrapped as an {@link AndroidKeyStoreAsymmetricKeyEntry}
     * @throws ClientException any failure, adapted via {@code ExceptionAdapter}
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public IAsymmetricKeyEntry generateKeyPair(String str, String str2, int i) throws ClientException {
        // Decompiler-chosen names: these hold the KeyGenParameterSpec builders, not booleans.
        KeyGenParameterSpec.Builder isStrongBoxBacked;
        KeyGenParameterSpec.Builder isStrongBoxBacked2;
        String str3 = this.TAG + ":generateKeyPair";
        try {
            Logger.info(str3, "Generating key pair {algorithm: " + str2 + ", keySize: " + i + "}");
            StringBuilder sb = new StringBuilder();
            sb.append("Generating key pair with alias: ");
            sb.append(str);
            Logger.infoPII(str3, sb.toString());
            KeyPairGenerator keyPairGenerator = this.mCryptoFactory.getKeyPairGenerator(str2);
            IBrokerFlightsProvider flightsProvider = Broker4jFlightsManager.INSTANCE.getFlightsProvider();
            // A missing flights provider is treated as "flight off".
            boolean z = flightsProvider != null && flightsProvider.isFlightEnabled(BrokerFlight.ENABLE_PRTV4_FOR_REGISTERED_DEVICE_PRT);
            Logger.info(str3, "PrtV4 is enabled : " + z);
            // Purpose selection (see class-level Javadoc): STK alias -> 6 or 38, otherwise 4.
            isStrongBoxBacked = new KeyGenParameterSpec.Builder(str, str.startsWith(AbstractBrokerKeyFactory.SESSION_TRANSPORT_KEY_ALIAS_PREFIX) ? (!z || AbstractBrokerKeyFactory.SESSION_TRANSPORT_KEY_PER_DEVICE_ALIAS.equals(str)) ? 6 : 38 : 4).setKeySize(i).setSignaturePaddings("PKCS1").setEncryptionPaddings("OAEPPadding", "PKCS1Padding").setDigests("SHA-256", "SHA-1").setIsStrongBoxBacked(this.mHasStrongbox);
            keyPairGenerator.initialize(isStrongBoxBacked.build());
            AndroidKeyStoreAsymmetricKeyEntry build = AndroidKeyStoreAsymmetricKeyEntry.builder().keyPair(keyPairGenerator.generateKeyPair()).alias(str).build();
            // Return immediately unless this is a PRTv4 (non per-device) STK that failed to land
            // in hardware-backed storage.
            if (!z || !str.startsWith(AbstractBrokerKeyFactory.SESSION_TRANSPORT_KEY_ALIAS_PREFIX) || AbstractBrokerKeyFactory.SESSION_TRANSPORT_KEY_PER_DEVICE_ALIAS.equals(str) || build.getKeySecurityLevel() == KeySecurityLevel.HARDWARE_BACKED) {
                return build;
            }
            Logger.info(str3, "Generated STK is not hardware backed.");
            deleteKey(build);
            // Fallback: PURPOSE_DECRYPT only, SHA-1 only; the WRAP_KEY purpose is dropped.
            isStrongBoxBacked2 = new KeyGenParameterSpec.Builder(str, 2).setKeySize(i).setSignaturePaddings("PKCS1").setEncryptionPaddings("OAEPPadding", "PKCS1Padding").setDigests("SHA-1").setIsStrongBoxBacked(this.mHasStrongbox);
            KeyPairGenerator keyPairGenerator2 = this.mCryptoFactory.getKeyPairGenerator(str2);
            keyPairGenerator2.initialize(isStrongBoxBacked2.build());
            return AndroidKeyStoreAsymmetricKeyEntry.builder().keyPair(keyPairGenerator2.generateKeyPair()).alias(str).build();
        } catch (Throwable th) {
            ClientException clientExceptionFromException = ExceptionAdapter.clientExceptionFromException(th);
            Logger.error(str3, "Failed to generate keyPair " + th.getMessage(), th);
            sFailedAndroidKeyStoreKeyManagerOperationCount.add(1L, Attributes.builder().put(AttributeName.keystore_key_manager_operation.name(), "generateKeyPair").put(AttributeName.error_code.name(), clientExceptionFromException.getErrorCode()).put(AttributeName.error_type.name(), th.getClass().getSimpleName()).put(AttributeName.keystore_key_manager_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th)).build());
            throw clientExceptionFromException;
        }
    }

    /**
     * Imports a wrapped (encrypted) key into the Android KeyStore under alias {@code str}.
     *
     * <p>{@code iKeyEntry} is the wrapping key already present in the keystore; the wrapped bytes
     * are unwrapped with transformation {@code RSA/ECB/OAEPPadding}. The spec built here names the
     * wrapping key's alias with purpose {@code 32} ({@code KeyProperties.PURPOSE_WRAP_KEY}) and
     * digest {@code SHA-256}.
     *
     * <p>NOTE(review): the two {@code $$ExternalSyntheticApiModelOutline} calls are decompiler stubs.
     * The second presumably constructs an {@code android.security.keystore.WrappedKeyEntry}
     * (wrappedKeyBytes, wrappingKeyAlias, transformation, spec) — confirm against the original
     * source before relying on that reading.
     *
     * @param bArr      the wrapped key bytes
     * @param iKeyEntry keystore entry of the wrapping key
     * @return an {@link ExportableKeyEntry} carrying only the new alias
     * @throws ClientException any failure, adapted via {@code ExceptionAdapter}
     */
    /* JADX WARN: Type inference failed for: r8v5, types: [com.microsoft.identity.broker4j.broker.crypto.ExportableKeyEntry$ExportableKeyEntryBuilder] */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public IKeyEntry importWrappedKey(String str, byte[] bArr, IKeyEntry iKeyEntry) throws ClientException {
        String str2 = this.TAG + ":importWrappedKey";
        String alias = iKeyEntry.getAlias();
        try {
            Logger.info(str2, "Importing wrapped key");
            Logger.infoPII(str2, "Importing wrapped key with alias: " + str);
            KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null);
            // Spec for the wrapping key: alias of iKeyEntry, purpose 32 = PURPOSE_WRAP_KEY, OAEP digest SHA-256.
            KeyGenParameterSpec build = new KeyGenParameterSpec.Builder(alias, 32).setDigests("SHA-256").build();
            AndroidKeyStoreKeyManager$$ExternalSyntheticApiModelOutline2.m();
            // No protection parameter (null) is supplied for the new entry.
            keyStore.setEntry(str, AndroidKeyStoreKeyManager$$ExternalSyntheticApiModelOutline1.m(bArr, alias, "RSA/ECB/OAEPPadding", build), null);
            return ExportableKeyEntry.builder().alias(str).build();
        } catch (Throwable th) {
            ClientException clientExceptionFromException = ExceptionAdapter.clientExceptionFromException(th);
            Logger.error(str2, "Failed to import wrapped key " + th.getMessage(), th);
            sFailedAndroidKeyStoreKeyManagerOperationCount.add(1L, Attributes.builder().put(AttributeName.keystore_key_manager_operation.name(), "importWrappedKey").put(AttributeName.error_code.name(), clientExceptionFromException.getErrorCode()).put(AttributeName.error_type.name(), th.getClass().getSimpleName()).put(AttributeName.keystore_key_manager_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th)).build());
            throw clientExceptionFromException;
        }
    }

    /**
     * Loads the key pair stored under {@code str}: the public key from the entry's certificate and
     * the private key from the {@code PrivateKeyEntry}.
     *
     * <p>{@code KeyStore#getCertificate} returns {@code null} for an unknown alias, so a missing key
     * surfaces as a {@code NullPointerException} that the {@code Throwable} handler adapts and
     * counts; a non-private-key entry surfaces as a {@code ClassCastException} the same way.
     *
     * @param str alias of the key pair to load
     * @return the key pair wrapped as an {@link AndroidKeyStoreAsymmetricKeyEntry}
     * @throws ClientException any failure, adapted via {@code ExceptionAdapter}
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public IAsymmetricKeyEntry loadKeyPair(String str) throws ClientException {
        String str2 = this.TAG + ":loadKeyPair";
        try {
            Logger.info(str2, "Loading key pair");
            Logger.infoPII(str2, "Loading key pair with alias: " + str);
            KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null, null);
            return AndroidKeyStoreAsymmetricKeyEntry.builder().keyPair(new KeyPair(keyStore.getCertificate(str).getPublicKey(), ((KeyStore.PrivateKeyEntry) keyStore.getEntry(str, null)).getPrivateKey())).alias(str).build();
        } catch (Throwable th) {
            ClientException clientExceptionFromException = ExceptionAdapter.clientExceptionFromException(th);
            Logger.error(str2, "Failed to load keyPair " + th.getMessage(), th);
            sFailedAndroidKeyStoreKeyManagerOperationCount.add(1L, Attributes.builder().put(AttributeName.keystore_key_manager_operation.name(), "loadKeyPair").put(AttributeName.error_code.name(), clientExceptionFromException.getErrorCode()).put(AttributeName.error_type.name(), th.getClass().getSimpleName()).put(AttributeName.keystore_key_manager_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th)).build());
            throw clientExceptionFromException;
        }
    }

    /**
     * Not supported by this key manager; raw key material is never written into the Android
     * KeyStore through this path.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public IKeyEntry persistKey(byte[] bArr, IKeyEntry iKeyEntry) {
        throw new UnsupportedOperationException();
    }

    /**
     * Not supported by this key manager; see {@link #setCertificateEntry} for storing a certificate.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // com.microsoft.identity.broker4j.broker.crypto.keymanagers.IKeyManager
    public void saveCertificate(String str, KeyPair keyPair, byte[] bArr) throws ClientException {
        throw new UnsupportedOperationException("Not implemented");
    }

    /**
     * Stores an X.509 certificate as a trusted-certificate entry under alias {@code str}.
     *
     * <p>{@code str2} is the base64 certificate body without PEM armor; it is wrapped in the
     * standard {@code BEGIN/END CERTIFICATE} markers (using the platform line separator) and parsed
     * with the X.509 {@link CertificateFactory}. Nothing in this method validates the certificate
     * beyond parsing — chain building, expiry and trust decisions are left to the caller.
     *
     * <p>Unlike the other operations, failures here are mapped to specific error codes and are not
     * recorded in the failed-operation counter.
     *
     * @param str  alias for the certificate entry
     * @param str2 base64-encoded DER certificate (PEM body without header/footer)
     * @throws ClientException {@code io_error}, {@code KEYSTORE_NOT_INITIALIZED},
     *                         {@code no_such_algorithm} or {@code CERTIFICATE_LOAD_FAILURE}
     *                         depending on the underlying exception
     */
    public void setCertificateEntry(String str, String str2) throws ClientException {
        String str3 = this.TAG + ":setCertificateEntry";
        try {
            Logger.info(str3, "Setting certificate entry");
            Logger.infoPII(str3, "Setting certificate entry with alias: " + str);
            // Re-armor the body as PEM and decode it through the X.509 factory.
            X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance(ProviderUtil.X509).generateCertificate(new ByteArrayInputStream((X509CertUtils.PEM_BEGIN_MARKER + System.getProperty("line.separator") + str2 + System.getProperty("line.separator") + X509CertUtils.PEM_END_MARKER).getBytes(AuthenticationConstants.ENCODING_UTF8)));
            KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null, null);
            keyStore.setCertificateEntry(str, x509Certificate);
        } catch (IOException e) {
            Logger.error(str3, "Failed to set certificate entry " + e.getMessage(), e);
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (KeyStoreException e2) {
            Logger.error(str3, "Failed to set certificate entry " + e2.getMessage(), e2);
            throw new ClientException(ClientException.KEYSTORE_NOT_INITIALIZED, e2.getMessage(), e2);
        } catch (NoSuchAlgorithmException e3) {
            Logger.error(str3, "Failed to set certificate entry " + e3.getMessage(), e3);
            throw new ClientException("no_such_algorithm", e3.getMessage(), e3);
        } catch (CertificateException e4) {
            Logger.error(str3, "Failed to set certificate entry " + e4.getMessage(), e4);
            throw new ClientException(ClientException.CERTIFICATE_LOAD_FAILURE, e4.getMessage(), e4);
        }
    }
}
