package com.optum.mcoe.login.security;

import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import com.datadog.android.rum.internal.domain.event.RumEventSerializer;
import com.optum.mcoe.login.Storage;
import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Calendar;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.x500.X500Principal;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;

/* compiled from: CryptoUtils.kt */
@Metadata(d1 = {"\u0000<\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\n\n\u0002\u0010\u0012\n\u0002\b\u0005\n\u0002\u0010\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\u0018\u00002\u00020\u0001B\u001d\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005\u0012\u0006\u0010\u0006\u001a\u00020\u0007¢\u0006\u0002\u0010\bJ\u0010\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u0012H\u0002J\u0010\u0010\u0014\u001a\u00020\u00122\u0006\u0010\u0015\u001a\u00020\u0012H\u0002J\u000e\u0010\u0016\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\u0012J\b\u0010\u0017\u001a\u00020\u0018H\u0002J\b\u0010\u0019\u001a\u00020\u0018H\u0002J\u000e\u0010\u001a\u001a\u00020\u00122\u0006\u0010\u0015\u001a\u00020\u0012J\b\u0010\u001b\u001a\u00020\u0012H\u0002J\u0012\u0010\u001c\u001a\u0004\u0018\u00010\u001d2\u0006\u0010\u001e\u001a\u00020\u001fH\u0002J\b\u0010 \u001a\u00020\u001fH\u0002J\u0006\u0010!\u001a\u00020\u001dR\u000e\u0010\t\u001a\u00020\u0007X\u0082D¢\u0006\u0002\n\u0000R\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n\u0000\u001a\u0004\b\n\u0010\u000bR\u0011\u0010\u0006\u001a\u00020\u0007¢\u0006\b\n\u0000\u001a\u0004\b\f\u0010\rR\u000e\u0010\u000e\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\u0004\u001a\u00020\u0005¢\u0006\b\n\u0000\u001a\u0004\b\u000f\u0010\u0010¨\u0006\""}, d2 = {"Lcom/optum/mcoe/login/security/CryptoUtils;", "", RumEventSerializer.GLOBAL_ATTRIBUTE_PREFIX, "Landroid/content/Context;", "storage", "Lcom/optum/mcoe/login/Storage;", "keyAlias", "", "(Landroid/content/Context;Lcom/optum/mcoe/login/Storage;Ljava/lang/String;)V", "TAG", "getContext", "()Landroid/content/Context;", "getKeyAlias", "()Ljava/lang/String;", "keyAliasIv", "getStorage", "()Lcom/optum/mcoe/login/Storage;", "RSADecrypt", "", "encryptedInput", "RSAEncrypt", "decryptedInput", "decrypt", 
"deleteAESKeys", "", "deleteRSAKeys", "encrypt", "getAESKey", "getKeyEntry", "Ljava/security/KeyStore$PrivateKeyEntry;", "keyStore", "Ljava/security/KeyStore;", "getKeystore", "getRSAKeyEntry", "login_release"}, k = 1, mv = {1, 7, 1}, xi = 48)
/* loaded from: classes3.dex */
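/*
 * Hybrid encryption helper (decompiled from CryptoUtils.kt).
 *
 * Payloads are encrypted with a 256-bit AES key in GCM mode. That AES key is
 * wrapped with an RSA-2048 key pair generated inside the "AndroidKeyStore"
 * provider, and the wrapped key is persisted through the injected Storage
 * under keyAlias. The GCM IV of the most recent encrypt() call is persisted
 * under keyAlias + "_iv".
 *
 * Security-relevant properties a reviewer should keep in mind:
 *  - The RSA wrap uses PKCS#1 v1.5 padding ("RSA/ECB/PKCS1Padding"). OAEP is
 *    the generally recommended padding for new designs; moving to it would
 *    require a new key pair (the key spec authorises PKCS1Padding only) and
 *    re-wrapping the stored AES key, so it is not changed here.
 *  - Only ONE IV slot exists. Every encrypt() overwrites it, so only the
 *    output of the latest encrypt() call can be decrypted afterwards.
 *  - The unwrapped AES key is held in app memory as a SecretKeySpec; only the
 *    RSA private key is used through the keystore entry.
 *  - Several failure paths delete the stored key material, which makes data
 *    encrypted earlier unrecoverable by design.
 */
public final class CryptoUtils {
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    private static final String RSA_TRANSFORMATION = "RSA/ECB/PKCS1Padding";
    private static final String AES_TRANSFORMATION = "AES/GCM/NOPADDING";
    private static final String ALGORITHM_AES = "AES";
    /** Expected length in bytes of the unwrapped AES key (256 bits). */
    private static final int AES_KEY_BYTES = 32;

    private final String TAG;
    private final Context context;
    private final String keyAlias;
    private final String keyAliasIv;
    private final Storage storage;

    /**
     * Creates a helper bound to one key alias.
     *
     * @param context  Android context; only stored and exposed via {@link #getContext()}
     * @param storage  store for the wrapped AES key and the latest IV
     * @param keyAlias keystore alias of the RSA key pair, also the storage key of the wrapped AES key
     * @throws IllegalStateException if {@code keyAlias} is empty
     */
    public CryptoUtils(Context context, Storage storage, String keyAlias) {
        Intrinsics.checkNotNullParameter(context, "context");
        Intrinsics.checkNotNullParameter(storage, "storage");
        Intrinsics.checkNotNullParameter(keyAlias, "keyAlias");
        this.context = context;
        this.storage = storage;
        this.keyAlias = keyAlias;
        if (TextUtils.isEmpty(keyAlias)) {
            throw new IllegalStateException("Security key alias must not be empty");
        }
        this.keyAliasIv = keyAlias + "_iv";
        this.TAG = "CryptoUtils";
    }

    /**
     * Unwraps data with the RSA private key of the keystore entry.
     *
     * <p>If the input cannot be decrypted (bad padding, bad block size, illegal
     * argument) the stored wrapped AES key and IV are deleted before the
     * {@code CryptoException} is thrown, so a corrupted wrapped key is never reused.
     *
     * @param encryptedInput RSA ciphertext
     * @return the decrypted bytes
     */
    private final byte[] RSADecrypt(byte[] encryptedInput) throws IncompatibleDeviceException, CryptoException {
        final String deviceError = "The device can't decrypt input using a RSA key";
        try {
            PrivateKey privateKey = getRSAKeyEntry().getPrivateKey();
            // PKCS#1 v1.5 padding; must match the padding authorised in getRSAKeyEntry().
            Cipher cipher = Cipher.getInstance(RSA_TRANSFORMATION);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] plain = cipher.doFinal(encryptedInput);
            Intrinsics.checkNotNullExpressionValue(plain, "cipher.doFinal(encryptedInput)");
            return plain;
        } catch (Exception e) {
            if (e instanceof NoSuchAlgorithmException
                    || e instanceof NoSuchPaddingException
                    || e instanceof InvalidKeyException) {
                Log.e(this.TAG, deviceError, e);
                throw new IncompatibleDeviceException(deviceError, e);
            }
            if (e instanceof IllegalArgumentException
                    || e instanceof IllegalBlockSizeException
                    || e instanceof BadPaddingException) {
                // The wrapped key is unusable: drop it so the next call starts from a fresh key.
                deleteAESKeys();
                throw new CryptoException("The encrypted input is corrupted and cannot be recovered, please discard it and try again", e);
            }
            throw e;
        }
    }

    /**
     * Wraps data with the public key taken from the keystore entry's certificate.
     *
     * @param decryptedInput bytes to wrap (the raw AES key in this class)
     * @return RSA ciphertext
     */
    private final byte[] RSAEncrypt(byte[] decryptedInput) throws IncompatibleDeviceException, CryptoException {
        final String deviceError = "The device can't encrypt input using a RSA key";
        try {
            Certificate certificate = getRSAKeyEntry().getCertificate();
            Cipher cipher = Cipher.getInstance(RSA_TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, certificate);
            byte[] wrapped = cipher.doFinal(decryptedInput);
            Intrinsics.checkNotNullExpressionValue(wrapped, "cipher.doFinal(decryptedInput)");
            return wrapped;
        } catch (Exception e) {
            if (e instanceof NoSuchAlgorithmException
                    || e instanceof NoSuchPaddingException
                    || e instanceof InvalidKeyException) {
                Log.e(this.TAG, deviceError, e);
                throw new IncompatibleDeviceException(deviceError, e);
            }
            if (e instanceof IllegalBlockSizeException || e instanceof BadPaddingException) {
                deleteAESKeys();
                throw new CryptoException("The decrypted input is invalid", e);
            }
            throw e;
        }
    }

    /** Removes the wrapped AES key and the stored IV from storage. */
    private final void deleteAESKeys() {
        this.storage.remove(this.keyAlias);
        this.storage.remove(this.keyAliasIv);
    }

    /** Best-effort removal of the RSA key pair from the keystore; failures are logged, not thrown. */
    private final void deleteRSAKeys() {
        try {
            getKeystore().deleteEntry(this.keyAlias);
            Log.d(this.TAG, "Deleting the existing RSA key pair from the KeyStore");
        } catch (Exception e) {
            Log.e(this.TAG, "Failed to remove the RSA KeyEntry from the Keystore", e);
        }
    }

    /**
     * Returns the raw AES key, unwrapping the stored one or creating a new one.
     *
     * <p>A new key is generated, wrapped and stored when nothing is stored under
     * {@code keyAlias} or when the unwrapped value is not exactly 32 bytes. In that
     * case data encrypted under the previous key can no longer be decrypted.
     *
     * @return 32 raw key bytes
     */
    private final byte[] getAESKey() throws IncompatibleDeviceException, CryptoException {
        String storedKey = this.storage.retrieveString(this.keyAlias);
        if (storedKey != null) {
            // Flag 0 is Base64.DEFAULT.
            byte[] encryptedAES = Base64.decode(storedKey, 0);
            Intrinsics.checkNotNullExpressionValue(encryptedAES, "encryptedAES");
            byte[] unwrapped = RSADecrypt(encryptedAES);
            if (unwrapped != null && unwrapped.length == AES_KEY_BYTES) {
                return unwrapped;
            }
        }
        try {
            KeyGenerator keyGenerator = KeyGenerator.getInstance(ALGORITHM_AES);
            keyGenerator.init(256);
            byte[] aes = keyGenerator.generateKey().getEncoded();
            Intrinsics.checkNotNullExpressionValue(aes, "aes");
            // Only the RSA-wrapped form is persisted; the raw key is returned to the caller.
            byte[] encode = Base64.encode(RSAEncrypt(aes), 0);
            Intrinsics.checkNotNullExpressionValue(encode, "encode(encryptedAes, Base64.DEFAULT)");
            this.storage.store(this.keyAlias, new String(encode, Charsets.UTF_8));
            return aes;
        } catch (NoSuchAlgorithmException e) {
            Log.e(this.TAG, "Error while creating the AES key", e);
            throw new IncompatibleDeviceException(e);
        }
    }

    /**
     * Reads the private key entry for {@code keyAlias} from the given keystore.
     *
     * <p>On SDK 28 and later the key and certificate are fetched separately and
     * combined; otherwise, or when no key is returned, the entry is read with
     * {@code getEntry}. NOTE(review): the reason for the SDK 28 split is not
     * visible here; confirm against the original Kotlin source.
     *
     * @return the entry, or {@code null} when {@code getEntry} finds none
     */
    private final KeyStore.PrivateKeyEntry getKeyEntry(KeyStore keyStore) {
        if (Build.VERSION.SDK_INT >= 28) {
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(this.keyAlias, null);
            if (privateKey != null) {
                return new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{keyStore.getCertificate(this.keyAlias)});
            }
        }
        return (KeyStore.PrivateKeyEntry) keyStore.getEntry(this.keyAlias, null);
    }

    /** Opens and loads the "AndroidKeyStore" keystore. */
    private final KeyStore getKeystore() throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
        keyStore.load(null);
        Intrinsics.checkNotNullExpressionValue(keyStore, "getInstance(\"AndroidKeyS…     load(null)\n        }");
        return keyStore;
    }

    /**
     * Decrypts AES-GCM ciphertext using the stored IV.
     *
     * <p>The IV is whatever the last {@link #encrypt(byte[])} call stored, so only
     * the output of that call is expected to decrypt; anything else should fail
     * authentication and surface as a {@code CryptoException}.
     * NOTE(review): the IV is passed as an IvParameterSpec, which leaves the GCM
     * tag length to the provider; confirm the provider default is acceptable.
     *
     * @param encryptedInput ciphertext produced by {@link #encrypt(byte[])}
     * @return the plaintext bytes
     */
    public final byte[] decrypt(byte[] encryptedInput) throws IncompatibleDeviceException, CryptoException {
        Intrinsics.checkNotNullParameter(encryptedInput, "encryptedInput");
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(getAESKey(), ALGORITHM_AES);
            Cipher cipher = Cipher.getInstance(AES_TRANSFORMATION);
            String encodedIv = this.storage.retrieveString(this.keyAliasIv);
            if (TextUtils.isEmpty(encodedIv)) {
                // No IV means the keys were reset since the data was encrypted.
                throw new CryptoException("The encryption keys changed recently, You need to re-encrypt something first");
            }
            cipher.init(Cipher.DECRYPT_MODE, secretKeySpec, new IvParameterSpec(Base64.decode(encodedIv, 0)));
            byte[] plain = cipher.doFinal(encryptedInput);
            Intrinsics.checkNotNullExpressionValue(plain, "cipher.doFinal(encryptedInput)");
            return plain;
        } catch (Exception e) {
            if (e instanceof NoSuchAlgorithmException
                    || e instanceof NoSuchPaddingException
                    || e instanceof InvalidKeyException
                    || e instanceof InvalidAlgorithmParameterException) {
                Log.e(this.TAG, "Error while decrypting the input", e);
                throw new IncompatibleDeviceException(e);
            }
            if (e instanceof BadPaddingException || e instanceof IllegalBlockSizeException) {
                throw new CryptoException("The AES encrypted input is corrupted and cannot be recovered, please discard it", e);
            }
            throw e;
        }
    }

    /**
     * Encrypts data with AES-GCM and stores the IV that was used.
     *
     * <p>No IV is supplied to the cipher; the one it selected is read back with
     * {@code getIV()} and written to storage under {@code keyAlias + "_iv"},
     * replacing the IV of any earlier call.
     *
     * @param decryptedInput plaintext bytes
     * @return the ciphertext bytes (the IV is not part of the return value)
     */
    public final byte[] encrypt(byte[] decryptedInput) throws IncompatibleDeviceException, CryptoException {
        Intrinsics.checkNotNullParameter(decryptedInput, "decryptedInput");
        try {
            SecretKeySpec secretKeySpec = new SecretKeySpec(getAESKey(), ALGORITHM_AES);
            Cipher cipher = Cipher.getInstance(AES_TRANSFORMATION);
            cipher.init(Cipher.ENCRYPT_MODE, secretKeySpec);
            byte[] encrypted = cipher.doFinal(decryptedInput);
            byte[] encodedIv = Base64.encode(cipher.getIV(), 0);
            Intrinsics.checkNotNullExpressionValue(encodedIv, "encodedIv");
            this.storage.store(this.keyAliasIv, new String(encodedIv, Charsets.UTF_8));
            Intrinsics.checkNotNullExpressionValue(encrypted, "encrypted");
            return encrypted;
        } catch (Exception e) {
            if (e instanceof NoSuchAlgorithmException
                    || e instanceof NoSuchPaddingException
                    || e instanceof InvalidKeyException) {
                Log.e(this.TAG, "Error while encrypting the input", e);
                throw new IncompatibleDeviceException(e);
            }
            if (e instanceof IllegalBlockSizeException || e instanceof BadPaddingException) {
                throw new CryptoException("The AES decrypted input is invalid", e);
            }
            throw e;
        }
    }

    public final Context getContext() {
        return this.context;
    }

    public final String getKeyAlias() {
        return this.keyAlias;
    }

    /**
     * Returns the RSA key entry for {@code keyAlias}, generating the key pair on first use.
     *
     * <p>The generated key is RSA-2048, authorised for encryption and decryption
     * with PKCS1Padding/ECB, with a self-signed certificate valid for 25 years.
     * After generation the entry is read back once; if it is still missing a
     * {@code KeyStoreException} is raised (and reported as an incompatible
     * device) instead of re-entering this method, which could otherwise recurse
     * without bound when the keystore never returns the entry.
     *
     * <p>When the existing entry cannot be read ({@code IOException} or
     * {@code UnrecoverableEntryException}) both the RSA pair and the wrapped AES
     * key are deleted, so previously encrypted data is lost.
     *
     * @return the private key entry, never {@code null}
     */
    public final KeyStore.PrivateKeyEntry getRSAKeyEntry() {
        final String deviceError = "The device can't generate a new RSA key pair";
        try {
            KeyStore keystore = getKeystore();
            if (keystore.containsAlias(this.keyAlias)) {
                KeyStore.PrivateKeyEntry existing = getKeyEntry(keystore);
                if (existing != null) {
                    return existing;
                }
            }
            Calendar notBefore = Calendar.getInstance();
            Calendar notAfter = Calendar.getInstance();
            notAfter.add(Calendar.YEAR, 25);
            // Purposes 3 = KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT.
            KeyGenParameterSpec build = new KeyGenParameterSpec.Builder(this.keyAlias, 3)
                    .setCertificateSubject(new X500Principal("CN=McoeLogin.Android,O=Mcoe"))
                    .setCertificateSerialNumber(BigInteger.ONE)
                    .setCertificateNotBefore(notBefore.getTime())
                    .setCertificateNotAfter(notAfter.getTime())
                    .setKeySize(2048)
                    .setEncryptionPaddings("PKCS1Padding")
                    .setBlockModes("ECB")
                    .build();
            Intrinsics.checkNotNullExpressionValue(build, "Builder(keyAlias,\n      …                 .build()");
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", ANDROID_KEY_STORE);
            keyPairGenerator.initialize(build);
            keyPairGenerator.generateKeyPair();
            // Reload the keystore and read the new entry once, rather than recursing.
            KeyStore.PrivateKeyEntry created = getKeyEntry(getKeystore());
            if (created == null) {
                throw new KeyStoreException("RSA key entry is unavailable after key pair generation");
            }
            return created;
        } catch (Exception e) {
            if (e instanceof CertificateException
                    || e instanceof InvalidAlgorithmParameterException
                    || e instanceof NoSuchProviderException
                    || e instanceof NoSuchAlgorithmException
                    || e instanceof KeyStoreException
                    || e instanceof ProviderException) {
                Log.e(this.TAG, deviceError, e);
                String localizedMessage = e.getLocalizedMessage();
                throw new IncompatibleDeviceException(localizedMessage != null ? localizedMessage : deviceError, e);
            }
            if (e instanceof IOException || e instanceof UnrecoverableEntryException) {
                // The stored pair is unreadable: wipe it and everything wrapped with it.
                deleteRSAKeys();
                deleteAESKeys();
                throw new CryptoException("The existing RSA key pair could not be recovered and has been deleted, This occasionally happens when the lock screen settings are changed and you can retry this operation", e);
            }
            throw e;
        }
    }

    public final Storage getStorage() {
        return this.storage;
    }
}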
