package com.android.identity.securearea;

import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.UnicodeString;
import com.android.identity.internal.Util;
import com.android.identity.securearea.SecureArea;
import com.android.identity.storage.StorageEngine;
import java.io.ByteArrayInputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: classes3.dex */
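/**
 * Software-only {@link SecureArea} that keeps EC private keys in a {@link StorageEngine}.
 *
 * <p>This listing is JADX decompiler output (the page marks it as loaded from classes3.dex), so
 * parameter names are synthetic and the numeric curve / purpose / algorithm identifiers appear as
 * literals. Their symbolic names are defined outside this listing.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>A record whose {@code passphraseRequired} flag is false carries the private key as a
 *       plain PKCS#8 blob under {@code "privateKey"}; its confidentiality rests entirely on the
 *       storage engine.
 *   <li>A passphrase-protected record is AES-GCM encrypted under a key derived with HKDF. HKDF
 *       performs no key stretching, so whoever obtains the stored record can test passphrase
 *       guesses offline; the protection is bounded by the passphrase's entropy.
 *   <li>{@code createKey} was not decompiled, so key generation and attestation issuance cannot
 *       be reviewed from this listing.
 * </ul>
 */
public class BouncyCastleSecureArea implements SecureArea {
    private static final String PREFIX = "IC_BouncyCastleSA_";
    private static final String TAG = "BouncyCastleSA";

    // Purpose bit masks; the names come from the error messages in sign() and keyAgreement().
    private static final int PURPOSE_SIGN_BIT = 1;
    private static final int PURPOSE_AGREE_KEY_BIT = 2;

    // Stored layout of "encryptedPrivateKey": 12-byte GCM nonce followed by ciphertext || tag.
    private static final int GCM_NONCE_LENGTH = 12;
    private static final int GCM_TAG_BITS = 128;

    private final StorageEngine mStorageEngine;

    /** Settings accepted by this secure area when a key is created. */
    public static class CreateKeySettings extends SecureArea.CreateKeySettings {
        private final String mAttestationKeyAlias;
        private final int mEcCurve;
        private final int mKeyPurposes;
        private final String mPassphrase;
        private final boolean mPassphraseRequired;

        /** Builder for {@link CreateKeySettings}. */
        public static class Builder {
            private String mAttestationKeyAlias;
            private boolean mPassphraseRequired;
            // Default purpose mask 1 is the signing purpose (see sign()).
            private int mKeyPurposes = 1;
            // Default curve id 1; presumably P-256 (it selects SHA256withECDSA) - confirm.
            private int mEcCurve = 1;
            private String mPassphrase = "";

            /**
             * Creates the immutable settings object from the current builder state.
             *
             * @return a new {@link CreateKeySettings}
             */
            public CreateKeySettings build() {
                return new CreateKeySettings(
                        this.mPassphraseRequired,
                        this.mPassphrase,
                        this.mEcCurve,
                        this.mKeyPurposes,
                        this.mAttestationKeyAlias);
            }

            /**
             * Sets the alias of the key used to sign the new key's attestation.
             *
             * @param str alias of the attestation key, or {@code null}
             * @return this builder
             */
            public Builder setAttestationKeyAlias(String str) {
                this.mAttestationKeyAlias = str;
                return this;
            }

            /**
             * Sets the numeric curve identifier for the new key.
             *
             * @param i curve identifier
             * @return this builder
             */
            public Builder setEcCurve(int i) {
                this.mEcCurve = i;
                return this;
            }

            /**
             * Sets the purpose bit mask for the new key.
             *
             * @param i purpose bit mask; must not be 0
             * @return this builder
             * @throws IllegalArgumentException if {@code i} is 0
             */
            public Builder setKeyPurposes(int i) {
                if (i == 0) {
                    throw new IllegalArgumentException("Purpose cannot be empty");
                }
                this.mKeyPurposes = i;
                return this;
            }

            /**
             * Sets whether the private key is to be protected by a passphrase.
             *
             * @param z whether a passphrase is required
             * @param str the passphrase; must be non-null when {@code z} is true
             * @return this builder
             * @throws IllegalStateException if {@code z} is true and {@code str} is null
             */
            public Builder setPassphraseRequired(boolean z, String str) {
                // Validate the value being set. The listing tested the previous field value,
                // which let (true, null) through on a first call and rejected a later
                // (false, null).
                if (z && str == null) {
                    throw new IllegalStateException("Passphrase cannot be null if it's required");
                }
                this.mPassphraseRequired = z;
                this.mPassphrase = str;
                return this;
            }
        }

        private CreateKeySettings(boolean z, String str, int i, int i2, String str2) {
            super(BouncyCastleSecureArea.class);
            this.mPassphraseRequired = z;
            this.mPassphrase = str;
            this.mEcCurve = i;
            this.mKeyPurposes = i2;
            this.mAttestationKeyAlias = str2;
        }

        /** @return alias of the attestation key, or {@code null} if none was set */
        public String getAttestationKeyAlias() {
            return this.mAttestationKeyAlias;
        }

        /** @return numeric curve identifier */
        public int getEcCurve() {
            return this.mEcCurve;
        }

        /** @return purpose bit mask */
        public int getKeyPurposes() {
            return this.mKeyPurposes;
        }

        /** @return the passphrase held by these settings (kept in memory as a String) */
        public String getPassphrase() {
            return this.mPassphrase;
        }

        /** @return whether a passphrase is required for the key */
        public boolean getPassphraseRequired() {
            return this.mPassphraseRequired;
        }
    }

    /**
     * In-memory view of a stored key record. JADX reports that it widened the access modifier
     * of this class from private.
     */
    public static class KeyData {
        int curve;
        int keyPurposes;
        PrivateKey privateKey;

        private KeyData() {
        }
    }

    /** Key information extended with the fields specific to this secure area. */
    public static class KeyInfo extends SecureArea.KeyInfo {
        private final String mAttestationKeyAlias;
        private final boolean mIsPassphraseProtected;

        KeyInfo(List<X509Certificate> list, int i, int i2, boolean z, boolean z2, String str) {
            super(list, i, i2, z);
            this.mIsPassphraseProtected = z2;
            this.mAttestationKeyAlias = str;
        }

        /** @return alias of the attestation key recorded for this key, or {@code null} */
        public String getAttestationKeyAlias() {
            return this.mAttestationKeyAlias;
        }

        /** @return whether the stored record is flagged as passphrase protected */
        public boolean isPassphraseProtected() {
            return this.mIsPassphraseProtected;
        }
    }

    /** Unlock data carrying the passphrase for a passphrase-protected key. */
    public static class KeyUnlockData implements SecureArea.KeyUnlockData {
        private final String mPassphrase;

        /**
         * @param str the passphrase used to derive the private-key decryption key
         */
        public KeyUnlockData(String str) {
            this.mPassphrase = str;
        }
    }

    /**
     * @param storageEngine storage that holds the CBOR key records, keyed by prefixed alias
     */
    public BouncyCastleSecureArea(StorageEngine storageEngine) {
        this.mStorageEngine = storageEngine;
    }

    /**
     * Derives the 32-byte AES key that protects a passphrase-protected private key.
     *
     * <p>The argument roles of {@code Util.computeHkdf} are not visible in this listing;
     * presumably they are (mac, ikm, salt, info, size) - confirm against {@code Util}.
     *
     * @param bArr the bytes loadKey() reads from the record's {@code "publicKey"} entry
     * @param str the passphrase
     * @return the AES key
     */
    private SecretKey derivePrivateKeyEncryptionKey(byte[] bArr, String str) {
        byte[] passphraseBytes = str.getBytes(StandardCharsets.UTF_8);
        byte[] info = "ICPrivateKeyEncryption1".getBytes(StandardCharsets.UTF_8);
        byte[] keyBytes = Util.computeHkdf("HmacSha256", passphraseBytes, bArr, info, 32);
        return new SecretKeySpec(keyBytes, "AES");
    }

    /**
     * Builds a certificate signer backed by the stored key {@code str}.
     *
     * <p>The decompiled control flow assigned "SHA384withECDSA" on every path except curve 1,
     * overwriting the earlier assignments. The mapping below is reconstructed from the branch
     * order and the grouping of the case labels in the listing; confirm it against the bytecode.
     *
     * @param str alias of the attestation key
     * @return a signer using the key's private key
     * @throws IllegalArgumentException if the key is passphrase protected or lacks the signing
     *     purpose
     * @throws IllegalStateException if the key's curve is not supported or the signer cannot be
     *     built
     */
    private ContentSigner getSignerForAlias(String str) {
        KeyData attestationKey;
        try {
            // No unlock data is supplied, so a passphrase-protected key cannot be used here.
            attestationKey = loadKey(str, null);
        } catch (SecureArea.KeyLockedException e) {
            throw new IllegalArgumentException("Attestation key cannot be locked", e);
        }
        if ((attestationKey.keyPurposes & PURPOSE_SIGN_BIT) == 0) {
            throw new IllegalArgumentException("Cannot sign certificate using a key without signing purpose.");
        }

        String algorithm;
        switch (attestationKey.curve) {
            case 1:
            case -65537:
            case -65538:
                algorithm = "SHA256withECDSA";
                break;
            case 2:
            case -65539:
                algorithm = "SHA384withECDSA";
                break;
            case 3:
            case -65540:
                algorithm = "SHA512withECDSA";
                break;
            case 6:
            case 7:
                // Curve ids 6 and 7 are the Ed25519 / Ed448 curves per the check in sign().
                algorithm = "EdDSA";
                break;
            default:
                throw new IllegalStateException("Invalid curve " + attestationKey.curve + " for attestation signing");
        }

        try {
            return new JcaContentSignerBuilder(algorithm).build(attestationKey.privateKey);
        } catch (OperatorCreationException e) {
            throw new IllegalStateException("Unexpected exception", e);
        }
    }

    /**
     * Decodes a stored key record and returns its single top-level CBOR map.
     *
     * @param encoded the bytes read from storage
     * @return the record's CBOR map
     * @throws CborException if the bytes are not valid CBOR
     * @throws IllegalStateException if the record is not exactly one map
     */
    private static Map decodeKeyRecord(byte[] encoded) throws CborException {
        List<DataItem> items = new CborDecoder(new ByteArrayInputStream(encoded)).decode();
        if (items.size() != 1) {
            throw new IllegalStateException("Expected 1 item, found " + items.size());
        }
        DataItem item = items.get(0);
        if (!(item instanceof Map)) {
            throw new IllegalStateException("Item is not a map");
        }
        return (Map) item;
    }

    /**
     * Decrypts an {@code "encryptedPrivateKey"} blob (nonce followed by ciphertext and tag).
     *
     * @param blob the stored blob
     * @param key the AES key derived from the passphrase
     * @return the decrypted PKCS#8 private key bytes
     * @throws SecureArea.KeyLockedException if decryption fails, which includes a GCM tag
     *     mismatch caused by a wrong passphrase
     * @throws IllegalStateException if the blob is too short to contain the nonce
     */
    private static byte[] decryptPrivateKey(byte[] blob, SecretKey key) throws SecureArea.KeyLockedException {
        // A truncated record would otherwise surface as an unrelated buffer or array-size error.
        if (blob.length < GCM_NONCE_LENGTH) {
            throw new IllegalStateException("Encrypted private key is too short");
        }
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            ByteBuffer buffer = ByteBuffer.wrap(blob);
            byte[] nonce = new byte[GCM_NONCE_LENGTH];
            buffer.get(nonce);
            byte[] cipherText = new byte[blob.length - GCM_NONCE_LENGTH];
            buffer.get(cipherText);
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
            return cipher.doFinal(cipherText);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException
                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new SecureArea.KeyLockedException("Error decrypting private key", e);
        }
    }

    /**
     * Loads a key record from storage and materialises its private key.
     *
     * @param str key alias
     * @param keyUnlockData unlock data, or {@code null}; when non-null it is cast to this
     *     class's {@link KeyUnlockData}
     * @return curve, purposes and private key of the stored key
     * @throws SecureArea.KeyLockedException if the record requires a passphrase and none was
     *     given, or decryption failed
     * @throws IllegalArgumentException if no record exists for the alias
     * @throws IllegalStateException if the stored record is malformed
     */
    private KeyData loadKey(String str, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        String passphrase = keyUnlockData != null ? ((KeyUnlockData) keyUnlockData).mPassphrase : null;
        byte[] record = this.mStorageEngine.get(PREFIX + str);
        if (record == null) {
            throw new IllegalArgumentException("No key with given alias");
        }
        try {
            Map map = decodeKeyRecord(record);
            KeyData keyData = new KeyData();
            keyData.curve = (int) Util.cborMapExtractNumber(map, "curve");
            keyData.keyPurposes = (int) Util.cborMapExtractNumber(map, "keyPurposes");

            byte[] encodedPrivateKey;
            if (Util.cborMapExtractBoolean(map, "passphraseRequired")) {
                if (passphrase == null) {
                    throw new SecureArea.KeyLockedException("No passphrase provided");
                }
                byte[] publicKeyBytes = Util.cborMapExtractByteString(map, "publicKey");
                byte[] encryptedPrivateKey = Util.cborMapExtractByteString(map, "encryptedPrivateKey");
                SecretKey wrappingKey = derivePrivateKeyEncryptionKey(publicKeyBytes, passphrase);
                encodedPrivateKey = decryptPrivateKey(encryptedPrivateKey, wrappingKey);
            } else {
                // The private key is stored as plain PKCS#8 bytes in this case.
                encodedPrivateKey = Util.cborMapExtractByteString(map, "privateKey");
            }

            try {
                keyData.privateKey = KeyFactory.getInstance("EC", new BouncyCastleProvider())
                        .generatePrivate(new PKCS8EncodedKeySpec(encodedPrivateKey));
                return keyData;
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new IllegalStateException("Error loading private key", e);
            }
        } catch (CborException e) {
            throw new IllegalStateException("Error decoded CBOR", e);
        }
    }

    /**
     * Not available in this listing: JADX failed to decompile the method (it reports 612
     * skipped instructions, unresolved switch blocks and removed duplicated regions), so the
     * body below is the decompiler's placeholder. Key generation, private-key wrapping and
     * attestation issuance have to be reviewed from the bytecode instead.
     */
    @Override
    public void createKey(java.lang.String r23, com.android.identity.securearea.SecureArea.CreateKeySettings r24) {
        throw new UnsupportedOperationException("Method not decompiled: com.android.identity.securearea.BouncyCastleSecureArea.createKey(java.lang.String, com.android.identity.securearea.SecureArea$CreateKeySettings):void");
    }

    /**
     * Deletes the stored record for {@code str}.
     *
     * @param str key alias
     */
    @Override
    public void deleteKey(String str) {
        this.mStorageEngine.delete(PREFIX + str);
    }

    /**
     * Reads the public information of a stored key.
     *
     * <p>The attestation certificates are parsed only. Nothing here verifies signatures,
     * validity periods or the chain, so callers must validate the chain themselves before
     * trusting it.
     *
     * @param str key alias
     * @return key information built from the stored record
     * @throws IllegalArgumentException if no record exists for the alias
     * @throws IllegalStateException if the stored record is malformed
     */
    @Override
    public KeyInfo getKeyInfo(String str) {
        byte[] record = this.mStorageEngine.get(PREFIX + str);
        if (record == null) {
            throw new IllegalArgumentException("No key with given alias");
        }
        try {
            Map map = decodeKeyRecord(record);
            int curve = (int) Util.cborMapExtractNumber(map, "curve");
            int keyPurposes = (int) Util.cborMapExtractNumber(map, "keyPurposes");
            boolean passphraseRequired = Util.cborMapExtractBoolean(map, "passphraseRequired");
            String attestationKeyAlias = Util.cborMapHasKey(map, "attestationKeyAlias")
                    ? Util.cborMapExtractString(map, "attestationKeyAlias")
                    : null;

            DataItem attestation = map.get(new UnicodeString("attestation"));
            if (!(attestation instanceof Array)) {
                throw new IllegalStateException("attestation not found or not array");
            }

            List<X509Certificate> chain = new ArrayList<>();
            try {
                CertificateFactory factory = CertificateFactory.getInstance("X.509");
                for (DataItem item : ((Array) attestation).getDataItems()) {
                    // Reject a malformed entry explicitly instead of failing on the cast.
                    if (!(item instanceof ByteString)) {
                        throw new IllegalStateException("attestation entry is not a byte string");
                    }
                    byte[] encodedCert = ((ByteString) item).getBytes();
                    chain.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encodedCert)));
                }
            } catch (CertificateException e) {
                throw new IllegalStateException("Error decoding certificate blob", e);
            }

            // The fourth argument is passed as a constant false; presumably the
            // "hardware backed" flag of SecureArea.KeyInfo - confirm against that class.
            return new KeyInfo(chain, keyPurposes, curve, false, passphraseRequired, attestationKeyAlias);
        } catch (CborException e) {
            throw new IllegalStateException("Error decoded CBOR", e);
        }
    }

    /**
     * Performs ECDH between the stored private key and {@code publicKey}.
     *
     * @param str key alias
     * @param publicKey the peer's public key
     * @param keyUnlockData unlock data for a passphrase-protected key, or {@code null}
     * @return the raw shared secret as returned by {@code KeyAgreement.generateSecret()}
     * @throws SecureArea.KeyLockedException if the key could not be unlocked
     * @throws IllegalArgumentException if the key lacks the key-agreement purpose
     */
    @Override
    public byte[] keyAgreement(String str, PublicKey publicKey, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        KeyData key = loadKey(str, keyUnlockData);
        if ((key.keyPurposes & PURPOSE_AGREE_KEY_BIT) == 0) {
            throw new IllegalArgumentException("Key does not have purpose KEY_PURPOSE_AGREE_KEY");
        }
        try {
            KeyAgreement agreement = KeyAgreement.getInstance("ECDH");
            agreement.init(key.privateKey);
            agreement.doPhase(publicKey, true);
            return agreement.generateSecret();
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unexpected Exception", e);
        }
    }

    /**
     * Signs {@code bArr} with the stored key.
     *
     * <p>The accepted identifiers (-7, -35, -36, -8) have the values of the COSE algorithms
     * ES256, ES384, ES512 and EdDSA. For the ECDSA identifiers the key's curve is not checked
     * here; a mismatch surfaces from the JCA provider as the "Unexpected Exception" below.
     *
     * @param str key alias
     * @param i signature algorithm identifier
     * @param bArr data to sign
     * @param keyUnlockData unlock data for a passphrase-protected key, or {@code null}
     * @return the signature bytes
     * @throws SecureArea.KeyLockedException if the key could not be unlocked
     * @throws IllegalArgumentException if the key lacks the signing purpose, the algorithm is
     *     unsupported, or EdDSA is requested for a key that is not on curve 6 or 7
     */
    @Override
    public byte[] sign(String str, int i, byte[] bArr, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        KeyData key = loadKey(str, keyUnlockData);
        if ((key.keyPurposes & PURPOSE_SIGN_BIT) == 0) {
            throw new IllegalArgumentException("Key does not have purpose KEY_PURPOSE_SIGN");
        }

        String jcaAlgorithm;
        switch (i) {
            case -7:
                jcaAlgorithm = "SHA256withECDSA";
                break;
            case -35:
                jcaAlgorithm = "SHA384withECDSA";
                break;
            case -36:
                jcaAlgorithm = "SHA512withECDSA";
                break;
            case -8:
                if (key.curve == 6) {
                    jcaAlgorithm = EdDSAParameterSpec.Ed25519;
                } else if (key.curve == 7) {
                    jcaAlgorithm = EdDSAParameterSpec.Ed448;
                } else {
                    throw new IllegalArgumentException("ALGORITHM_EDDSA can only be used with EC_CURVE_ED_25519 and EC_CURVE_ED_448");
                }
                break;
            default:
                throw new IllegalArgumentException("Unsupported signing algorithm  with id " + i);
        }

        try {
            Signature signer = Signature.getInstance(jcaAlgorithm);
            signer.initSign(key.privateKey);
            signer.update(bArr);
            return signer.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new IllegalStateException("Unexpected Exception", e);
        }
    }
}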
