package com.auth0.android.authentication.storage;

import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import coil.fetch.ContentUriFetcher$$ExternalSyntheticApiModelOutline0;
import com.amazonaws.services.s3.model.InstructionFileId;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Calendar;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes4.dex */
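/**
 * Encrypts and decrypts payloads with a 256-bit AES key in GCM mode, and keeps that AES key at
 * rest in {@link Storage} wrapped (encrypted) with an RSA-2048 key pair held in the
 * "AndroidKeyStore" provider.
 *
 * <p>This listing is decompiler output. The constant-inlining, no-op {@code e = e;} assignments
 * and duplicated catch blocks it contained have been folded back into named constants and
 * multi-catch clauses; every runtime string is unchanged.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@link #encrypt(byte[])} stores the IV under a single storage key, so (assuming
 *       {@code Storage.store} overwrites) only the most recently produced ciphertext can be
 *       opened by {@link #decrypt(byte[])}.</li>
 *   <li>The AES key is handled as a raw {@code byte[]} in process memory; only its stored form is
 *       protected by the keystore-held RSA key.</li>
 *   <li>The RSA wrapping uses PKCS#1 v1.5 encryption padding. NOTE(review): OAEP is generally
 *       preferred for key wrapping; changing it needs a migration path, because the stored AES
 *       key and the keystore key authorisation both depend on the current padding.</li>
 * </ul>
 */
public class CryptoUtil {
    private static final int AES_KEY_SIZE = 256;
    private static final String AES_TRANSFORMATION = "AES/GCM/NOPADDING";
    private static final String ALGORITHM_AES = "AES";
    private static final String ALGORITHM_RSA = "RSA";
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    private static final int RSA_KEY_SIZE = 2048;
    private static final String RSA_TRANSFORMATION = "RSA/ECB/PKCS1Padding";
    private static final String TAG = "CryptoUtil";
    private final String KEY_ALIAS;
    private final String KEY_IV_ALIAS;
    private final String OLD_KEY_ALIAS;
    private final String OLD_KEY_IV_ALIAS;
    private final Context context;
    private final Storage storage;

    /**
     * Creates a helper bound to one key alias.
     *
     * @param context used for the package name that prefixes the current aliases and, below
     *     API 23, for building the key pair spec
     * @param storage where the wrapped AES key and the IV are persisted
     * @param str the key alias; surrounding whitespace is trimmed
     * @throws IllegalArgumentException if the trimmed alias is empty
     */
    public CryptoUtil(Context context, Storage storage, String str) {
        String alias = str.trim();
        if (TextUtils.isEmpty(alias)) {
            throw new IllegalArgumentException("RSA and AES Key alias must be valid.");
        }
        // The "old" aliases are the bare alias; the current ones are prefixed with the package name.
        // InstructionFileId.DOT is presumably the literal "." resolved by the decompiler to an
        // unrelated constant of the same value — TODO confirm.
        String prefixedAlias = context.getPackageName() + InstructionFileId.DOT + alias;
        this.OLD_KEY_ALIAS = alias;
        this.OLD_KEY_IV_ALIAS = alias + "_iv";
        this.KEY_ALIAS = prefixedAlias;
        this.KEY_IV_ALIAS = prefixedAlias + "_iv";
        this.context = context;
        this.storage = storage;
    }

    /** Removes the wrapped AES key and the IV from storage, under both current and old aliases. */
    private void deleteAESKeys() {
        this.storage.remove(this.KEY_ALIAS);
        this.storage.remove(this.KEY_IV_ALIAS);
        this.storage.remove(this.OLD_KEY_ALIAS);
        this.storage.remove(this.OLD_KEY_IV_ALIAS);
    }

    /**
     * Deletes the RSA key pair from the Android KeyStore under both aliases. Best effort: a
     * failure is logged and not propagated.
     */
    private void deleteRSAKeys() {
        try {
            KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
            keyStore.load(null);
            keyStore.deleteEntry(this.KEY_ALIAS);
            keyStore.deleteEntry(this.OLD_KEY_ALIAS);
            Log.d(TAG, "Deleting the existing RSA key pair from the KeyStore.");
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            Log.e(TAG, "Failed to remove the RSA KeyEntry from the Android KeyStore.", e);
        }
    }

    /**
     * Reads the private key entry stored under {@code str}.
     *
     * <p>On API 28 and above the key and certificate are fetched separately and combined; on
     * older versions, or when no key is found that way, {@code KeyStore.getEntry} is used.
     *
     * @return the entry, or {@code null} when it cannot be assembled (for example a key without
     *     a certificate)
     */
    private KeyStore.PrivateKeyEntry getKeyEntryCompat(KeyStore keyStore, String str) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(str, null);
            if (privateKey != null) {
                Certificate certificate = keyStore.getCertificate(str);
                if (certificate == null) {
                    return null;
                }
                return new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{certificate});
            }
        }
        return (KeyStore.PrivateKeyEntry) keyStore.getEntry(str, null);
    }

    /**
     * Decrypts {@code bArr} with the RSA private key from the keystore.
     *
     * @throws CryptoException if the input cannot be decrypted; the stored AES key and IV are
     *     deleted before this is thrown, so a new AES key is generated on the next use
     * @throws IncompatibleDeviceException if the device cannot perform the RSA operation
     */
    byte[] RSADecrypt(byte[] bArr) throws IncompatibleDeviceException, CryptoException {
        try {
            PrivateKey privateKey = getRSAKeyEntry().getPrivateKey();
            Cipher cipher = Cipher.getInstance(RSA_TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            return cipher.doFinal(bArr);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            Log.e(TAG, "The device can't decrypt input using a RSA Key.", e);
            throw new IncompatibleDeviceException(e);
        } catch (IllegalArgumentException | BadPaddingException | IllegalBlockSizeException e) {
            // The wrapped AES key is unusable: drop it so it is regenerated rather than retried.
            deleteAESKeys();
            throw new CryptoException("The RSA encrypted input is corrupted and cannot be recovered. Please discard it.", e);
        }
    }

    /**
     * Encrypts {@code bArr} with the RSA public key taken from the keystore entry's certificate.
     *
     * @throws CryptoException if the RSA operation rejects the input; the stored AES key and IV
     *     are deleted before this is thrown
     * @throws IncompatibleDeviceException if the device cannot perform the RSA operation
     */
    byte[] RSAEncrypt(byte[] bArr) throws IncompatibleDeviceException, CryptoException {
        try {
            Certificate certificate = getRSAKeyEntry().getCertificate();
            Cipher cipher = Cipher.getInstance(RSA_TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, certificate);
            return cipher.doFinal(bArr);
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            Log.e(TAG, "The device can't encrypt input using a RSA Key.", e);
            throw new IncompatibleDeviceException(e);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            deleteAESKeys();
            throw new CryptoException("The RSA decrypted input is invalid.", e);
        }
    }

    /**
     * Decrypts {@code bArr} with the AES key, using the IV most recently saved by
     * {@link #encrypt(byte[])} (current alias first, then the old alias).
     *
     * @throws CryptoException if no IV is stored, or if the ciphertext fails to decrypt
     * @throws IncompatibleDeviceException if the device cannot perform the AES operation
     */
    public byte[] decrypt(byte[] bArr) throws CryptoException, IncompatibleDeviceException {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(getAESKey(), ALGORITHM_AES);
            Cipher cipher = Cipher.getInstance(AES_TRANSFORMATION);
            String encodedIv = this.storage.retrieveString(this.KEY_IV_ALIAS);
            if (TextUtils.isEmpty(encodedIv)) {
                encodedIv = this.storage.retrieveString(this.OLD_KEY_IV_ALIAS);
                if (TextUtils.isEmpty(encodedIv)) {
                    throw new CryptoException("The encryption keys changed recently. You need to re-encrypt something first.", null);
                }
            }
            // NOTE(review): the IV is passed as an IvParameterSpec, so the GCM tag length is left
            // to the provider's default; a GCMParameterSpec would pin it explicitly — confirm.
            byte[] iv = Base64.decode(encodedIv, Base64.DEFAULT);
            cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(iv));
            return cipher.doFinal(bArr);
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            Log.e(TAG, "Error while decrypting the input.", e);
            throw new IncompatibleDeviceException(e);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoException("The AES encrypted input is corrupted and cannot be recovered. Please discard it.", e);
        }
    }

    /**
     * Encrypts {@code bArr} with the AES key and saves the IV the cipher used, Base64-encoded,
     * under the current IV alias.
     *
     * <p>The IV is not supplied here, so it is chosen by the cipher provider — presumably a
     * fresh random value per call; confirm for the providers in use. Because the IV goes to a
     * single storage key, an earlier ciphertext can no longer be decrypted once this method has
     * run again (assuming {@code Storage.store} overwrites).
     *
     * @throws CryptoException if the cipher rejects the input
     * @throws IncompatibleDeviceException if the device cannot perform the AES operation
     */
    public byte[] encrypt(byte[] bArr) throws CryptoException, IncompatibleDeviceException {
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(getAESKey(), ALGORITHM_AES);
            Cipher cipher = Cipher.getInstance(AES_TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
            byte[] ciphertext = cipher.doFinal(bArr);
            byte[] encodedIv = Base64.encode(cipher.getIV(), Base64.DEFAULT);
            this.storage.store(this.KEY_IV_ALIAS, new String(encodedIv, StandardCharsets.UTF_8));
            return ciphertext;
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchPaddingException e) {
            Log.e(TAG, "Error while encrypting the input.", e);
            throw new IncompatibleDeviceException(e);
        } catch (BadPaddingException | IllegalBlockSizeException e) {
            throw new CryptoException("The AES decrypted input is invalid.", e);
        }
    }

    /**
     * Returns the raw AES key, unwrapping the stored copy or generating and storing a new one.
     *
     * <p>A stored key is accepted only if it unwraps to exactly {@code AES_KEY_SIZE / 8} bytes;
     * otherwise a new key is generated, RSA-encrypted, Base64-encoded and saved under the current
     * alias. The returned array is the key material itself, so callers hold it in memory.
     *
     * @throws CryptoException if the stored key cannot be unwrapped
     * @throws IncompatibleDeviceException if the device cannot create or unwrap the key
     */
    byte[] getAESKey() throws IncompatibleDeviceException, CryptoException {
        String encodedWrappedKey = this.storage.retrieveString(this.KEY_ALIAS);
        if (TextUtils.isEmpty(encodedWrappedKey)) {
            encodedWrappedKey = this.storage.retrieveString(this.OLD_KEY_ALIAS);
        }
        if (encodedWrappedKey != null) {
            byte[] existingKey = RSADecrypt(Base64.decode(encodedWrappedKey, Base64.DEFAULT));
            // Length check guards against returning an empty or truncated key that was stored earlier.
            if (existingKey != null && existingKey.length == AES_KEY_SIZE / 8) {
                return existingKey;
            }
        }
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(ALGORITHM_AES);
            keyGenerator.init(AES_KEY_SIZE);
            byte[] newKey = keyGenerator.generateKey().getEncoded();
            byte[] wrappedKey = Base64.encode(RSAEncrypt(newKey), Base64.DEFAULT);
            this.storage.store(this.KEY_ALIAS, new String(wrappedKey, StandardCharsets.UTF_8));
            return newKey;
        } catch (NoSuchAlgorithmException e) {
            Log.e(TAG, "Error while creating the AES key.", e);
            throw new IncompatibleDeviceException(e);
        }
    }

    /**
     * Returns the RSA key pair entry from the Android KeyStore, generating the pair when none is
     * readable.
     *
     * <p>Lookup order: the old alias if present, otherwise the current alias. Note that when the
     * old alias exists but its entry cannot be assembled, the current alias is not consulted and
     * a new pair is generated under the current alias.
     *
     * <p>The generated pair is RSA-2048 with a self-signed certificate valid for 25 years. On
     * API 23+ the spec restricts the key to PKCS1Padding and ECB and, as written, does not
     * request user authentication for key use. Below API 23, encryption at rest is requested
     * only when a secure lock screen is configured.
     *
     * @return the key entry, never {@code null}
     * @throws CryptoException if the existing pair cannot be recovered (keys are deleted so the
     *     operation can be retried), or if a freshly generated pair cannot be read back
     * @throws IncompatibleDeviceException if the device cannot generate the key pair
     */
    KeyStore.PrivateKeyEntry getRSAKeyEntry() throws CryptoException, IncompatibleDeviceException {
        KeyStore.PrivateKeyEntry generatedEntry;
        try {
            KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
            keyStore.load(null);
            if (keyStore.containsAlias(this.OLD_KEY_ALIAS)) {
                KeyStore.PrivateKeyEntry oldEntry = getKeyEntryCompat(keyStore, this.OLD_KEY_ALIAS);
                if (oldEntry != null) {
                    return oldEntry;
                }
            } else if (keyStore.containsAlias(this.KEY_ALIAS)) {
                KeyStore.PrivateKeyEntry currentEntry = getKeyEntryCompat(keyStore, this.KEY_ALIAS);
                if (currentEntry != null) {
                    return currentEntry;
                }
            }
            Calendar notBefore = Calendar.getInstance();
            Calendar notAfter = Calendar.getInstance();
            notAfter.add(Calendar.YEAR, 25);
            X500Principal subject = new X500Principal("CN=Auth0.Android,O=Auth0");
            AlgorithmParameterSpec spec;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
                // The two ContentUriFetcher$$ExternalSyntheticApiModelOutline0 calls are
                // compiler-generated outlines; m(alias, 3) presumably stands for
                // new KeyGenParameterSpec.Builder(alias, purposes) with 3 = encrypt | decrypt —
                // TODO confirm against the original source.
                ContentUriFetcher$$ExternalSyntheticApiModelOutline0.m$1();
                spec = ContentUriFetcher$$ExternalSyntheticApiModelOutline0.m(this.KEY_ALIAS, 3)
                        .setCertificateSubject(subject)
                        .setCertificateSerialNumber(BigInteger.ONE)
                        .setCertificateNotBefore(notBefore.getTime())
                        .setCertificateNotAfter(notAfter.getTime())
                        .setKeySize(RSA_KEY_SIZE)
                        .setEncryptionPaddings("PKCS1Padding")
                        .setBlockModes("ECB")
                        .build();
            } else {
                KeyPairGeneratorSpec.Builder legacyBuilder = new KeyPairGeneratorSpec.Builder(this.context)
                        .setAlias(this.KEY_ALIAS)
                        .setSubject(subject)
                        .setKeySize(RSA_KEY_SIZE)
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime());
                KeyguardManager keyguardManager = (KeyguardManager) this.context.getSystemService("keyguard");
                Intent confirmCredentialIntent = keyguardManager.createConfirmDeviceCredentialIntent(null, null);
                if (keyguardManager.isKeyguardSecure() && confirmCredentialIntent != null) {
                    legacyBuilder.setEncryptionRequired();
                }
                spec = legacyBuilder.build();
            }
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(ALGORITHM_RSA, ANDROID_KEY_STORE);
            keyPairGenerator.initialize(spec);
            keyPairGenerator.generateKeyPair();
            generatedEntry = getKeyEntryCompat(keyStore, this.KEY_ALIAS);
        } catch (IOException | UnrecoverableEntryException e) {
            // The stored AES key is wrapped by the RSA pair, so both are dropped together.
            deleteRSAKeys();
            deleteAESKeys();
            throw new CryptoException("The existing RSA key pair could not be recovered and has been deleted. This occasionally happens when the Lock Screen settings are changed. You can safely retry this operation.", e);
        } catch (InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | ProviderException | CertificateException e) {
            Log.e(TAG, "The device can't generate a new RSA Key pair.", e);
            throw new IncompatibleDeviceException(e);
        }
        if (generatedEntry == null) {
            // getKeyEntryCompat returns null for a key without a certificate; fail with a declared
            // exception here instead of a NullPointerException in RSAEncrypt/RSADecrypt.
            throw new CryptoException("The RSA key pair was generated but its KeyStore entry could not be read.", null);
        }
        return generatedEntry;
    }
}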
