package com.microsoft.scmx.features.naas.vpn.certificate;

import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import androidx.compose.ui.graphics.p0;
import androidx.constraintlayout.motion.widget.c;
import com.google.android.gms.measurement.internal.d2;
import com.microsoft.identity.common.java.crypto.key.AES256KeyLoader;
import com.microsoft.scmx.libraries.diagnostics.log.MDLog;
import com.microsoft.scmx.libraries.sharedpref.SharedPrefManager;
import com.microsoft.scmx.xplat.dto.TelemetryEventSeverity;
import hn.a;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import kk.l;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Result;
import kotlin.collections.m;
import kotlin.f;
import kotlin.jvm.internal.Ref$ObjectRef;
import kotlin.jvm.internal.p;

@Metadata(d1 = {"\u0000R\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0003\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0002\b\n\u0018\u0000 *2\u00020\u0001:\u0001+B\u0007¢\u0006\u0004\b(\u0010)J\b\u0010\u0003\u001a\u00020\u0002H\u0002J\u0010\u0010\u0007\u001a\u00020\u00062\u0006\u0010\u0005\u001a\u00020\u0004H\u0002J\u001a\u0010\u000b\u001a\u00020\u00022\b\u0010\t\u001a\u0004\u0018\u00010\b2\u0006\u0010\n\u001a\u00020\u0002H\u0002J\u0010\u0010\u000e\u001a\u00020\r2\u0006\u0010\f\u001a\u00020\u0002H\u0002J\u0010\u0010\u000f\u001a\u00020\r2\u0006\u0010\f\u001a\u00020\u0002H\u0002J\"\u0010\u0013\u001a\u0004\u0018\u00010\b2\u0006\u0010\u0010\u001a\u00020\u00022\u0006\u0010\u0011\u001a\u00020\r2\u0006\u0010\u0012\u001a\u00020\u0002H\u0002J \u0010\u0019\u001a\u00020\u00062\u0006\u0010\u0014\u001a\u00020\u00022\u0006\u0010\u0016\u001a\u00020\u00152\u0006\u0010\u0018\u001a\u00020\u0017H\u0002J\u0014\u0010\u001d\u001a\u00020\u00062\n\u0010\u001c\u001a\u00060\u001aj\u0002`\u001bH\u0002J\u0010\u0010\u001f\u001a\u00020\u00062\b\u0010\u001e\u001a\u0004\u0018\u00010\bJ\u0006\u0010!\u001a\u00020 J\u0012\u0010#\u001a\u000e\u0012\u0004\u0012\u00020\u0002\u0012\u0004\u0012\u00020\u00020\"J\u0012\u0010$\u001a\u00020\u00022\b\u0010\t\u001a\u0004\u0018\u00010\bH\u0007J\u0012\u0010%\u001a\u00020\u00022\b\u0010\t\u001a\u0004\u0018\u00010\bH\u0007J(\u0010'\u001a\u0010\u0012\u0004\u0012\u00020\b\u0012\u0004\u0012\u00020\b\u0018\u00010\"2\u0006\u0010&\u001a\u00020\b2\b\u0010\u0011\u001a\u0004\u0018\u00010\rH\u0007¨\u0006,"}, d2 = {"Lcom/microsoft/scmx/features/naas/vpn/certificate/NaaSCertificateHandler;", "", "", "getKeyStoreAlias", "", "throwable", "Lkotlin/p;", "handleAndLogException", "", "value", "type", 
"encodeToPEM", "keyStoreAlias", "Ljavax/crypto/SecretKey;", "getOrCreateAesKey", "generateAesKey", "encryptedText", "secretKey", "cipherIV", "decryptData", "cnName", "Ljava/security/cert/X509Certificate;", "certificate", "Ljava/security/PrivateKey;", "privateKey", "storeCertificateInfo", "Ljava/lang/Exception;", "Lkotlin/Exception;", "e", "handleException", "certificateData", "storeCertificateData", "", "isCertificatePresent", "Lkotlin/Pair;", "loadCertificateData", "encodeToPEMPrivate", "encodeToPEMCert", "data", "encryptData", "<init>", "()V", "Companion", "a", "naas-vpn_prodRelease"}, k = 1, mv = {1, 8, 0})
/* loaded from: classes3.dex */
public final class NaaSCertificateHandler {
    // Provider/keystore name passed to KeyStore.getInstance and KeyGenerator.getInstance
    // for the AES key that wraps the certificate material.
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    // Keystore type used by storeCertificateData to parse the incoming certificate bundle.
    // Despite the ANDROID_ prefix the value is the standard "PKCS12" type name.
    private static final String ANDROID_PKCS12_STORE = "PKCS12";
    // Telemetry event name used by handleException.
    private static final String CERTIFICATE_HANDLER_ERROR = "NaaSCertificateHandleError";
    // Tag passed to MDLog by this class.
    private static final String LOG_TAG = "NAAS_CERTIFICATE_HANDLER";

    /**
     * Decrypts a Base64-encoded AES/GCM ciphertext with the supplied key.
     *
     * <p>GCM is an authenticated mode with a 128-bit tag here, so {@code doFinal} throws when
     * the ciphertext, IV or key does not match what was used to encrypt. Callers therefore see
     * tampered or mismatched stored values as an exception, not as garbage plaintext.
     *
     * @param encryptedText Base64 text of the ciphertext
     * @param secretKey AES key to decrypt with
     * @param cipherIV Base64 text of the IV that was used for encryption
     * @return the decrypted bytes
     */
    private final byte[] decryptData(String encryptedText, SecretKey secretKey, String cipherIV) {
        Cipher aesGcm = Cipher.getInstance("AES/GCM/NoPadding");
        byte[] iv = Base64.decode(cipherIV, Base64.DEFAULT);
        GCMParameterSpec gcmSpec = new GCMParameterSpec(128, iv);
        aesGcm.init(Cipher.DECRYPT_MODE, secretKey, gcmSpec);
        byte[] cipherBytes = Base64.decode(encryptedText, Base64.DEFAULT);
        return aesGcm.doFinal(cipherBytes);
    }

    /**
     * Wraps DER bytes in a PEM envelope with the given label.
     *
     * <p>The Base64 body is produced with the default flags (line-wrapped, newline-terminated),
     * which is why no explicit newline is added before the END line.
     *
     * @param value bytes to encode
     * @param type PEM label, for example {@code CERTIFICATE} or {@code PRIVATE KEY}
     * @return the PEM text
     */
    private final String encodeToPEM(byte[] value, String type) {
        String header = "-----BEGIN " + type + "-----\n";
        String body = Base64.encodeToString(value, Base64.DEFAULT);
        String footer = "-----END " + type + "-----\n";
        String pem = new StringBuilder().append(header).append(body).append(footer).toString();
        p.f(pem, "toString(...)");
        return pem;
    }

    /**
     * Generates a new AES key under {@code keyStoreAlias} in the AndroidKeyStore provider.
     *
     * <p>The key spec allows encrypt and decrypt (purpose flags {@code 3}), GCM block mode and
     * no padding. No key size, user-authentication or hardware-backing requirement is set on
     * the builder, so the provider defaults apply.
     *
     * <p>NOTE(review): any failure while building or applying the spec is swallowed with a
     * debug message and {@code generateKey()} is still called on the generator. Confirm what
     * the provider does in that state, and consider logging the caught exception so that a
     * key created without the intended parameters is visible in diagnostics.
     *
     * @param keyStoreAlias alias the key is stored under
     * @return the generated key
     */
    private final SecretKey generateAesKey(String keyStoreAlias) {
        KeyGenerator generator = KeyGenerator.getInstance(AES256KeyLoader.AES_ALGORITHM, ANDROID_KEY_STORE);
        try {
            // 3 = encrypt | decrypt purposes.
            KeyGenParameterSpec.Builder specBuilder = new KeyGenParameterSpec.Builder(keyStoreAlias, 3);
            specBuilder.setBlockModes("GCM");
            specBuilder.setEncryptionPaddings("NoPadding");
            KeyGenParameterSpec spec = specBuilder.build();
            p.f(spec, "Builder(keyStoreAlias,\n …\n                .build()");
            generator.init(spec);
        } catch (Exception ignored) {
            // Deliberately best-effort in the original; the exception itself is not logged.
            MDLog.d(LOG_TAG, "Added for test cases");
        }
        SecretKey freshKey = generator.generateKey();
        p.f(freshKey, "keyGenerator.generateKey()");
        return freshKey;
    }

    /**
     * Reads the keystore alias that storeCertificateInfo saved in shared preferences.
     *
     * @return the stored alias, or the empty string when nothing is stored
     */
    private final String getKeyStoreAlias() {
        String storedAlias = SharedPrefManager.getString("naas_certificate_data", "naasCertificateCN");
        if (storedAlias == null) {
            return "";
        }
        return storedAlias;
    }

    /**
     * Returns the AES key stored under {@code keyStoreAlias}, generating one if the alias
     * holds no {@link SecretKey}.
     *
     * <p>NOTE(review): the load path also goes through this method, so a missing key is
     * silently replaced with a new one. Decrypting old data with that new key would presumably
     * fail GCM authentication; verify that callers treat such a failure as "re-provision".
     *
     * @param keyStoreAlias alias to look up
     * @return the existing or newly generated key
     */
    private final SecretKey getOrCreateAesKey(String keyStoreAlias) {
        KeyStore androidKeyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
        androidKeyStore.load(null);
        Key existing = androidKeyStore.getKey(keyStoreAlias, null);
        if (existing instanceof SecretKey) {
            return (SecretKey) existing;
        }
        return generateAesKey(keyStoreAlias);
    }

    /**
     * Routes a throwable to handleException when it is an {@link Exception}; any other
     * throwable is only written to the log.
     *
     * @param th2 the failure to report
     */
    private final void handleAndLogException(Throwable th2) {
        if (!(th2 instanceof Exception)) {
            MDLog.c(LOG_TAG, "An unexpected error occurred", th2);
            return;
        }
        handleException((Exception) th2);
    }

    /**
     * Builds a category-prefixed message for the exception, sends it as a telemetry event and
     * writes it to the log.
     *
     * <p>The checks run in a fixed order and the first matching type decides the prefix. A
     * failure while sending telemetry is logged and does not stop the final log call.
     *
     * <p>NOTE(review): {@code exc.getMessage()} is forwarded verbatim to telemetry and to the
     * log. Confirm that messages raised on these paths cannot carry certificate subject data
     * or other material that should stay on the device.
     *
     * @param exc the exception to report
     */
    private final void handleException(Exception exc) {
        final String prefix;
        if (exc instanceof KeyStoreException) {
            prefix = "KeyStore initialization error: ";
        } else if (exc instanceof CertificateException) {
            prefix = "Certificate processing error: ";
        } else if (exc instanceof UnrecoverableKeyException) {
            prefix = "Private key retrieval error: ";
        } else if (exc instanceof IOException) {
            prefix = "Certificate data reading error: ";
        } else if (exc instanceof NoSuchAlgorithmException) {
            prefix = "Algorithm not available: ";
        } else if (exc instanceof NoSuchPaddingException) {
            prefix = "Padding scheme not available: ";
        } else if (exc instanceof InvalidKeyException) {
            prefix = "Invalid key: ";
        } else if (exc instanceof InvalidAlgorithmParameterException) {
            prefix = "Invalid algorithm parameters: ";
        } else if (exc instanceof IllegalBlockSizeException) {
            prefix = "Illegal block size: ";
        } else if (exc instanceof BadPaddingException) {
            prefix = "Bad padding: ";
        } else if (exc instanceof IllegalArgumentException) {
            prefix = "Invalid argument: ";
        } else {
            prefix = "An unexpected error occurred: ";
        }
        String message = c.b(prefix, exc.getMessage());
        p.g(message, "message");
        try {
            a event = new a(CERTIFICATE_HANDLER_ERROR, TelemetryEventSeverity.NORMAL);
            event.a("subEvent", "NaaS");
            event.a("message", message);
            l.c(event);
        } catch (Exception telemetryError) {
            p0.a("Unable to send telemetry data due to error ", telemetryError.getMessage(), "NAAS_TELEMETRY_SENDER");
        }
        MDLog.c(LOG_TAG, message, exc);
    }

    /**
     * Persists the alias, then the AES-GCM-encrypted private key and certificate (each with
     * its IV), as Base64 strings in the {@code naas_certificate_data} preferences.
     *
     * <p>{@code str} is used both as the stored alias value and as the keystore alias of the
     * wrapping key.
     *
     * <p>NOTE(review): encryptData, as written in this class, returns a pair of empty arrays on
     * failure rather than null, so the null checks below do not skip a failed encryption; empty
     * strings are written instead. The alias is also written before either encryption runs.
     *
     * <p>NOTE(review): the byte array from {@code privateKey.getEncoded()} holds the
     * unencrypted key and is not cleared after use.
     *
     * @param str alias to store and to look the wrapping key up by
     * @param x509Certificate certificate to encrypt and store
     * @param privateKey private key to encrypt and store
     */
    private final void storeCertificateInfo(String str, X509Certificate x509Certificate, PrivateKey privateKey) {
        final String prefsFile = "naas_certificate_data";
        SharedPrefManager.setString(prefsFile, "naasCertificateCN", str);
        SecretKey wrappingKey = getOrCreateAesKey(str);

        byte[] keyBytes = privateKey.getEncoded();
        p.f(keyBytes, "privateKey.encoded");
        Pair<byte[], byte[]> sealedKey = encryptData(keyBytes, wrappingKey);
        if (sealedKey != null) {
            byte[] keyCipherText = sealedKey.component1();
            byte[] keyIv = sealedKey.component2();
            String keyCipherTextB64 = Base64.encodeToString(keyCipherText, Base64.DEFAULT);
            SharedPrefManager.setString(prefsFile, "naasEncryptedKey", keyCipherTextB64);
            String keyIvB64 = Base64.encodeToString(keyIv, Base64.DEFAULT);
            SharedPrefManager.setString(prefsFile, "naasEncryptedKeyIV", keyIvB64);
        }

        byte[] certBytes = x509Certificate.getEncoded();
        p.f(certBytes, "certificate.encoded");
        Pair<byte[], byte[]> sealedCert = encryptData(certBytes, wrappingKey);
        if (sealedCert != null) {
            byte[] certCipherText = sealedCert.component1();
            byte[] certIv = sealedCert.component2();
            String certCipherTextB64 = Base64.encodeToString(certCipherText, Base64.DEFAULT);
            SharedPrefManager.setString(prefsFile, "naasEncryptedCert", certCipherTextB64);
            String certIvB64 = Base64.encodeToString(certIv, Base64.DEFAULT);
            SharedPrefManager.setString(prefsFile, "naasEncryptedCertIV", certIvB64);
        }
    }

    /**
     * Encodes certificate bytes as a PEM block labelled {@code CERTIFICATE}.
     *
     * @param value certificate bytes
     * @return the PEM text
     */
    public final String encodeToPEMCert(byte[] value) {
        final String pemLabel = "CERTIFICATE";
        return encodeToPEM(value, pemLabel);
    }

    /**
     * Encodes private-key bytes as a PEM block labelled {@code PRIVATE KEY}.
     *
     * <p>The result is unencrypted key material in an immutable String; callers should keep
     * its lifetime short and keep it out of logs.
     *
     * @param value private-key bytes
     * @return the PEM text
     */
    public final String encodeToPEMPrivate(byte[] value) {
        final String pemLabel = "PRIVATE KEY";
        return encodeToPEM(value, pemLabel);
    }

    /**
     * Encrypts {@code data} with AES/GCM and returns (ciphertext, IV).
     *
     * <p>No IV is passed to {@code init}; the IV chosen by the cipher is read back with
     * {@code getIV()} and must be kept alongside the ciphertext for decryption.
     *
     * <p>On any exception the failure is reported through handleException and a pair of two
     * empty arrays is returned. The method never returns null on the paths visible here, so
     * callers need to test for an empty ciphertext to detect failure.
     *
     * @param data plaintext bytes
     * @param secretKey AES key to encrypt with
     * @return (ciphertext, IV), or two empty arrays on failure
     */
    public final Pair<byte[], byte[]> encryptData(byte[] data, SecretKey secretKey) {
        p.g(data, "data");
        Pair<byte[], byte[]> result;
        try {
            Cipher aesGcm = Cipher.getInstance("AES/GCM/NoPadding");
            aesGcm.init(Cipher.ENCRYPT_MODE, secretKey);
            byte[] cipherText = aesGcm.doFinal(data);
            byte[] iv = aesGcm.getIV();
            result = new Pair<>(cipherText, iv);
        } catch (Exception failure) {
            handleException(failure);
            result = new Pair<>(new byte[0], new byte[0]);
        }
        return result;
    }

    /**
     * Reports whether both a non-empty alias and a non-empty encrypted certificate are stored.
     *
     * <p>Only the presence of the preference values is checked; nothing is decrypted or
     * validated here.
     *
     * @return {@code true} when both values are present and non-empty
     */
    public final boolean isCertificatePresent() {
        if (getKeyStoreAlias().length() == 0) {
            return false;
        }
        String encryptedCert = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCert");
        return encryptedCert != null && encryptedCert.length() != 0;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v0, types: [java.lang.String] */
    /* JADX WARN: Type inference failed for: r1v2, types: [T] */
    /* JADX WARN: Type inference failed for: r1v3 */
    /* JADX WARN: Type inference failed for: r4v10 */
    /* JADX WARN: Type inference failed for: r4v11 */
    /* JADX WARN: Type inference failed for: r4v12, types: [T] */
    /* JADX WARN: Type inference failed for: r4v13 */
    /* JADX WARN: Type inference failed for: r4v17 */
    /**
     * Decrypts the stored certificate and private key and returns them as PEM text.
     *
     * <p>The result is (certificate PEM, private-key PEM). Each component stays the empty
     * string when isCertificatePresent() is false, when its stored ciphertext or IV is missing,
     * or when decryption throws. The two halves are processed independently, so one can be
     * empty while the other is not.
     *
     * <p>NOTE(review): the private key is returned as an immutable String, so it cannot be
     * wiped by the caller; keep its lifetime short and keep it out of logs.
     *
     * <p>This is decompiler output: the {@code ??} declaration and the comparisons with
     * {@code 0} below are type-inference artifacts, not valid Java.
     *
     * @return (certificate PEM, private-key PEM), with "" for any part that could not be loaded
     */
    public final Pair<String, String> loadCertificateData() {
        Object a10;
        Object a11;
        // Holder for the private-key PEM; defaults to "".
        Ref$ObjectRef ref$ObjectRef = new Ref$ObjectRef();
        ref$ObjectRef.element = "";
        // Holder for the certificate PEM; defaults to "".
        Ref$ObjectRef ref$ObjectRef2 = new Ref$ObjectRef();
        ref$ObjectRef2.element = "";
        if (isCertificatePresent()) {
            String string = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCert");
            String string2 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCertIV");
            String string3 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedKey");
            String string4 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedKeyIV");
            // Certificate: needs both ciphertext and IV.
            if (string != null && string2 != null) {
                try {
                    a11 = decryptData(string, getOrCreateAesKey(getKeyStoreAlias()), string2);
                } catch (Throwable th2) {
                    // presumably wraps the throwable as a Kotlin Result failure (obfuscated helper) - verify
                    a11 = f.a(th2);
                }
                // presumably extracts the wrapped throwable, or null on success - verify
                Throwable a12 = Result.a(a11);
                if (a12 != null) {
                    // Decryption failed: report it and fall back to the empty string below.
                    handleAndLogException(a12);
                    a11 = null;
                }
                byte[] bArr = (byte[]) a11;
                ?? encodeToPEMCert = bArr != null ? encodeToPEMCert(bArr) : 0;
                if (encodeToPEMCert == 0) {
                    encodeToPEMCert = "";
                }
                ref$ObjectRef2.element = encodeToPEMCert;
            }
            // Private key: same steps as the certificate, with its own ciphertext and IV.
            if (string3 != null && string4 != null) {
                try {
                    a10 = decryptData(string3, getOrCreateAesKey(getKeyStoreAlias()), string4);
                } catch (Throwable th3) {
                    a10 = f.a(th3);
                }
                Throwable a13 = Result.a(a10);
                if (a13 != null) {
                    handleAndLogException(a13);
                    a10 = null;
                }
                // NOTE(review): bArr2 holds the decrypted private key and is not cleared after encoding.
                byte[] bArr2 = (byte[]) a10;
                String encodeToPEMPrivate = bArr2 != null ? encodeToPEMPrivate(bArr2) : null;
                ref$ObjectRef.element = encodeToPEMPrivate != null ? encodeToPEMPrivate : "";
            }
        }
        // Order is (certificate, private key).
        return new Pair<>(ref$ObjectRef2.element, ref$ObjectRef.element);
    }

    /**
     * Parses a PKCS#12 bundle, takes the first alias, and stores its certificate and private
     * key through storeCertificateInfo.
     *
     * <p>The bundle and the key entry are opened with an empty password, so the bundle's own
     * password protection contributes nothing; the bytes must be protected in transit and in
     * memory by the caller.
     *
     * <p>This is decompiler output: the leading try/catch has an empty body and the statement
     * order is unlikely to match the original source exactly, so the control flow here should
     * be read as approximate.
     *
     * @param bArr PKCS#12 bytes; must not be null
     */
    public final void storeCertificateData(byte[] bArr) {
        // Decompiler artifact: empty try with the handlers detached from the code they guarded.
        try {
            try {
            } catch (Throwable th2) {
                if (bArr != null) {
                    // presumably overwrites the input bytes (obfuscated Kotlin array helper) - verify
                    m.m(bArr);
                }
                throw th2;
            }
        } catch (Exception e10) {
            handleException(e10);
            if (bArr == null) {
                return;
            }
        }
        // NOTE(review): as decompiled this throw sits outside the catch above; handleException
        // has an "Invalid argument" branch, so the original presumably caught it - confirm.
        if (bArr == null) {
            throw new IllegalArgumentException("certificateData cannot be null");
        }
        KeyStore keyStore = KeyStore.getInstance(ANDROID_PKCS12_STORE);
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
        try {
            // Empty password for the PKCS#12 container.
            char[] charArray = "".toCharArray();
            p.f(charArray, "toCharArray(...)");
            keyStore.load(byteArrayInputStream, charArray);
            kotlin.p pVar = kotlin.p.f24282a;
            // presumably closes the stream (obfuscated close helper) - verify
            d2.a(byteArrayInputStream, null);
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                throw new IllegalStateException("No aliases found in the PKCS#12 keystore");
            }
            // Only the first alias is considered; any further entries are ignored.
            String nextElement = aliases.nextElement();
            // If the first alias is not a key entry, nothing is stored and no error is raised.
            if (keyStore.isKeyEntry(nextElement)) {
                Certificate certificate = keyStore.getCertificate(nextElement);
                X509Certificate x509Certificate = certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
                if (x509Certificate == null) {
                    throw new CertificateException("Retrieved certificate is not an instance of X509Certificate");
                }
                // Empty password for the key entry as well.
                char[] charArray2 = "".toCharArray();
                p.f(charArray2, "toCharArray(...)");
                Key key = keyStore.getKey(nextElement, charArray2);
                PrivateKey privateKey = key instanceof PrivateKey ? (PrivateKey) key : null;
                if (privateKey == null) {
                    throw new UnrecoverableKeyException("Retrieved key is not an instance of PrivateKey");
                }
                // Despite the name, this is the full subject distinguished name, not only the CN.
                // The certificate is stored as-is: no validity or issuer check is made here.
                String cnName = x509Certificate.getSubjectX500Principal().getName();
                p.f(cnName, "cnName");
                storeCertificateInfo(cnName, x509Certificate, privateKey);
            }
            // presumably overwrites the input bytes once processing is done - verify
            m.m(bArr);
        } catch (Throwable th3) {
            try {
                throw th3;
            } catch (Throwable th4) {
                d2.a(byteArrayInputStream, th3);
                throw th4;
            }
        }
    }
}
