package com.gallagher.security.fidoauthenticators;

import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Build;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.util.Calendar;
import java.util.Locale;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import rx.Observable;
import rx.Subscriber;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
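/**
 * Binds one AndroidKeyStore key pair to a {@code SHA256withECDSA} {@link Signature} and
 * exposes FIDO register / authenticate / deregister operations as RxJava observables.
 *
 * <p>The keystore alias is derived from the key ID handed to the constructor (see
 * {@link #getKeyName()}). Assertion encoding is delegated to {@code FidoAssertionBuilder};
 * this class only supplies the key material, the signature object and the parameters.
 *
 * <p>Decompiler note: several members below were package-private in the original class and
 * appear as {@code public} only because the decompiler widened them.
 */
public class FidoEngine {
    // Not referenced anywhere in this class as shown; kept because the rest of the project is not visible.
    private static final String AES_TRANSFORMATION = "AES/CBC/PKCS7Padding";
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) FidoEngine.class);

    /** JCA provider / keystore type name for the Android platform keystore. */
    private static final String ANDROID_KEYSTORE = "AndroidKeyStore";

    /** Key purposes requested on API 23+: sign and verify only (numeric value 12). */
    private static final int SIGN_AND_VERIFY =
            android.security.keystore.KeyProperties.PURPOSE_SIGN
                    | android.security.keystore.KeyProperties.PURPOSE_VERIFY;

    /** Validity, in years, of the self-signed certificate created on the pre-API-23 path. */
    private static final int LEGACY_CERT_VALIDITY_YEARS = 20;

    final Context context;
    private final FidoAuthenticatorParams mAuthenticatorParams;
    private final String mFinalChallengeParams;
    private final byte[] mKeyID;
    KeyPair mKeyPair;
    private final Signature signature;

    /**
     * Creates an engine for one operation.
     *
     * <p>{@code "Reg"} generates a fresh key pair under the alias from {@link #getKeyName()}
     * (replacing any existing entry) and initialises the signature with its private key.
     * {@code "Auth"} loads the existing key pair instead. For any other operation value the
     * signature is created but never initialised and {@code mKeyPair} stays {@code null};
     * {@link #deregister()} still works in that state because it only needs the alias.
     *
     * @param context Android context, used for key generation and feature detection
     * @param fidoAuthenticatorParams authenticator settings (AAID, version, algorithm, key policy flags)
     * @param str final challenge parameters, passed through to the assertion builder
     * @param bArr key ID bytes; stored by reference, not copied
     * @param str2 operation selector, compared against {@code "Reg"} and {@code "Auth"}
     * @throws GeneralSecurityException if key generation, key loading or {@code initSign} fails
     */
    public FidoEngine(Context context, FidoAuthenticatorParams fidoAuthenticatorParams, String str, byte[] bArr, String str2) throws GeneralSecurityException {
        this.context = context;
        this.mAuthenticatorParams = fidoAuthenticatorParams;
        this.mFinalChallengeParams = str;
        this.mKeyID = bArr;
        try {
            Signature signer = Signature.getInstance("SHA256withECDSA");
            this.signature = signer;
            if (str2.equals("Reg")) {
                KeyPair generated = generateKeyPair(
                        context,
                        getKeyName(),
                        fidoAuthenticatorParams.isKeyEncryptionRequired,
                        fidoAuthenticatorParams.isUserAuthenticationRequired);
                this.mKeyPair = generated;
                signer.initSign(generated.getPrivate());
            } else if (str2.equals("Auth")) {
                KeyPair loaded = loadKeyPair(getKeyName());
                this.mKeyPair = loaded;
                signer.initSign(loaded.getPrivate());
            }
        } catch (NoSuchAlgorithmException unused) {
            // NOTE(review): this catch also covers a NoSuchAlgorithmException raised by key
            // generation inside the try block, which would then be reported with this
            // signature-algorithm message. Left as is to keep the exception type callers see.
            throw new FatalError("We only support SHA256withECDSA");
        }
    }

    /**
     * Deletes the keystore entry stored under the given alias.
     *
     * @param str keystore alias
     * @throws GeneralSecurityException on keystore failure; an {@link IOException} from
     *     loading the keystore is wrapped
     */
    public static void deleteEntry(String str) throws GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        try {
            keyStore.load(null);
            keyStore.deleteEntry(str);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Builds a key ID as the URL-safe Base64 encoding of the three inputs concatenated.
     *
     * <p>The parts are joined without a delimiter, so different triples can produce the same
     * key ID (for example {@code ("ab", "c", "")} and {@code ("a", "bc", "")}). The ID is
     * deterministic and reversible: {@link #getKeyName()} decodes it back to the
     * concatenation and uses that as the keystore alias.
     *
     * @return the encoded key ID as bytes in {@code FidoAssertionBuilder.UTF8}
     */
    public static byte[] generateKeyID(String str, String str2, String str3) {
        String joined = str + str2 + str3;
        String encoded = Base64.encodeBase64UrlSafe(joined.getBytes(FidoAssertionBuilder.UTF8));
        return encoded.getBytes(FidoAssertionBuilder.UTF8);
    }

    /**
     * Generates a signing key pair in the AndroidKeyStore under {@code str}, first deleting
     * any entry that already uses that alias.
     *
     * <p>The two policy flags are each honoured on only one platform branch:
     * <ul>
     *   <li>API &lt; 23: {@code z} (encryption required) is applied; {@code z2} (user
     *       authentication required) is not applied on this branch, so keys created here
     *       carry no per-use authentication requirement.</li>
     *   <li>API &ge; 23: {@code z2} is applied; {@code z} is not used.</li>
     * </ul>
     *
     * <p>On API &ge; 28 with the StrongBox feature present, StrongBox backing is attempted
     * first and any failure falls back to a non-StrongBox key. The caller is not told which
     * backing was used. No attestation challenge is set here, so this method on its own does
     * not establish where the key lives — TODO confirm whether callers check this.
     *
     * @param context context for the legacy spec builder and feature detection
     * @param str keystore alias
     * @param z whether encryption at rest is required (legacy branch only)
     * @param z2 whether user authentication is required for key use (API 23+ branch only)
     * @throws GeneralSecurityException on any keystore or generator failure
     */
    private static KeyPair generateKeyPair(Context context, String str, boolean z, boolean z2) throws GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        try {
            keyStore.load(null);
            // Re-registration replaces the previous key under this alias.
            keyStore.deleteEntry(str);

            if (Build.VERSION.SDK_INT < 23) {
                Calendar notBefore = Calendar.getInstance();
                Calendar notAfter = Calendar.getInstance();
                notAfter.add(Calendar.YEAR, LEGACY_CERT_VALIDITY_YEARS);
                X500Principal subject = new X500Principal(
                        String.format(Locale.US, "CN=%s, OU=%s", str, context.getPackageName()));
                KeyPairGeneratorSpec.Builder legacySpec = new KeyPairGeneratorSpec.Builder(context)
                        .setAlias(str)
                        .setKeyType("EC")
                        .setKeySize(256)
                        .setSubject(subject)
                        .setSerialNumber(BigInteger.ONE)
                        .setStartDate(notBefore.getTime())
                        .setEndDate(notAfter.getTime());
                if (z) {
                    legacySpec.setEncryptionRequired();
                }
                // The generator is requested as "RSA" while the spec asks for an EC key via
                // setKeyType; on this legacy branch the key type comes from the spec.
                KeyPairGenerator legacyGenerator = KeyPairGenerator.getInstance("RSA", ANDROID_KEYSTORE);
                legacyGenerator.initialize(legacySpec.build());
                return legacyGenerator.generateKeyPair();
            }

            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC", ANDROID_KEYSTORE);
            // No curve or key size is set on this branch, so the provider default applies.
            KeyGenParameterSpec.Builder spec =
                    new KeyGenParameterSpec.Builder(str, SIGN_AND_VERIFY).setDigests("SHA-256");
            if (z2) {
                // No validity window is configured alongside this flag in this method.
                spec.setUserAuthenticationRequired(true);
            }

            boolean strongBoxAdvertised = Build.VERSION.SDK_INT >= 28
                    && context.getPackageManager().hasSystemFeature("android.hardware.strongbox_keystore");
            if (strongBoxAdvertised) {
                spec.setIsStrongBoxBacked(true);
                try {
                    generator.initialize(spec.build());
                    return generator.generateKeyPair();
                } catch (Exception e) {
                    // Deliberate best-effort: retry without StrongBox. Logged so the downgrade
                    // is visible; the alias is left out of the message because it is derived
                    // from the key ID.
                    LOG.warn("StrongBox key generation failed; falling back to a non-StrongBox key", e);
                    spec.setIsStrongBoxBacked(false);
                }
            }
            generator.initialize(spec.build());
            return generator.generateKeyPair();
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Computes the FIDO facet ID of an installed package:
     * {@code "android:apk-key-hash:"} followed by the unpadded, unwrapped Base64 of the SHA-1
     * digest of the package's first signing certificate.
     *
     * <p>When either argument is {@code null} a fixed placeholder string is returned instead
     * of a computed hash. That value is not derived from any certificate, so callers that
     * compare facet IDs should make sure the placeholder path cannot be reached with real
     * requests — TODO confirm which callers pass {@code null}.
     *
     * @param context context used to reach the package manager
     * @param str package name to look up
     * @return the facet ID string
     * @throws RuntimeException if the package is not found or SHA-1 is unavailable
     */
    public static String getApplicationFacetId(Context context, String str) {
        if (str == null || context == null) {
            return "android:apk-key-hash:123908412098213490281390210391";
        }
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA1");
            sha1.update(getApplicationSignature(context, str).toByteArray());
            // Fully qualified: the unqualified Base64 used elsewhere in this class is a
            // different, project-local class.
            int flags = android.util.Base64.NO_PADDING | android.util.Base64.NO_WRAP;
            return "android:apk-key-hash:" + android.util.Base64.encodeToString(sha1.digest(), flags);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Unable to generate facetID.", e);
        }
    }

    /**
     * Returns the first signing certificate reported for the package.
     *
     * <p>Only element 0 of the signatures array is used. {@code GET_SIGNATURES} is deprecated
     * from API 28 in favour of {@code GET_SIGNING_CERTIFICATES}; NOTE(review): consider the
     * newer flag on API 28+ and decide how packages with several signers should be handled.
     *
     * @throws PackageManager.NameNotFoundException if the package is not installed
     * @throws IllegalStateException if the package reports no signing certificates
     */
    private static android.content.pm.Signature getApplicationSignature(Context context, String str) throws PackageManager.NameNotFoundException {
        android.content.pm.Signature[] signers =
                context.getPackageManager().getPackageInfo(str, PackageManager.GET_SIGNATURES).signatures;
        if (signers == null || signers.length == 0) {
            // Previously surfaced as a NullPointerException / ArrayIndexOutOfBoundsException.
            throw new IllegalStateException("Package reports no signing certificates: " + str);
        }
        return signers[0];
    }

    /**
     * Loads the key pair stored under the given alias from the AndroidKeyStore.
     *
     * @param str keystore alias
     * @return the public key from the entry's certificate together with the private key
     * @throws GeneralSecurityException if the alias is missing, holds something other than a
     *     private-key entry, or the keystore cannot be read
     */
    static KeyPair loadKeyPair(String str) throws GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE);
        try {
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            // instanceof also rejects null, and turns a wrong entry type into the declared
            // exception instead of a ClassCastException.
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new GeneralSecurityException("Failed to load key");
            }
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) entry;
            return new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * Returns an observable that, on subscription, builds an authentication assertion with
     * this engine's signature object and emits it as a single item.
     *
     * @param j value passed through unchanged to {@code FidoAssertionBuilder.buildAuthAssertion}
     * @return observable emitting the assertion, or an {@code AuthenticatorException} on failure
     */
    public Observable<String> authenticate(final long j) {
        return Observable.create(new Observable.OnSubscribe<String>() {
            @Override
            public void call(Subscriber<? super String> subscriber) {
                try {
                    FidoAuthenticatorParams params = FidoEngine.this.mAuthenticatorParams;
                    String assertion = FidoAssertionBuilder.buildAuthAssertion(
                            params.aaid,
                            params.version,
                            params.authenticationAlgorithm,
                            FidoEngine.this.mFinalChallengeParams,
                            FidoEngine.this.mKeyID,
                            FidoEngine.this.signature,
                            j);
                    subscriber.onNext(assertion);
                    subscriber.onCompleted();
                } catch (FidoAuthenticationException | GeneralSecurityException e) {
                    subscriber.onError(new AuthenticatorException("Authentication failed", e));
                }
            }
        });
    }

    /**
     * Returns an observable that, on subscription, deletes this engine's keystore entry and
     * emits a single {@code null} item.
     *
     * @return observable completing after deletion, or an {@code AuthenticatorException} on failure
     */
    public Observable<Void> deregister() {
        return Observable.create(new Observable.OnSubscribe<Void>() {
            @Override
            public void call(Subscriber<? super Void> subscriber) {
                try {
                    FidoEngine.deleteEntry(FidoEngine.this.getKeyName());
                    subscriber.onNext(null);
                    subscriber.onCompleted();
                } catch (GeneralSecurityException e) {
                    subscriber.onError(new AuthenticatorException("Deregister failed", e));
                }
            }
        });
    }

    /**
     * Derives the keystore alias from the key ID.
     *
     * <p>The key ID is treated as URL-safe Base64 text and decoded; if decoding is rejected
     * with {@link IllegalArgumentException}, the raw key ID bytes are used as the alias
     * instead. Either way the alias is whatever the key ID supplier chose, so a key ID that
     * arrives from outside the app selects which entry is loaded or deleted.
     *
     * <p>Byte/String conversions here use the platform default charset, unlike
     * {@link #generateKeyID}, which names {@code FidoAssertionBuilder.UTF8} explicitly.
     *
     * @return the keystore alias
     */
    public String getKeyName() {
        try {
            return new String(Base64.decodeBase64UrlSafe(new String(this.mKeyID)));
        } catch (IllegalArgumentException unused) {
            // Not valid URL-safe Base64: fall back to the key ID bytes as they are.
            return new String(this.mKeyID);
        }
    }

    /**
     * Returns the signature object created in the constructor. It has been initialised for
     * signing only when the engine was built for {@code "Reg"} or {@code "Auth"}.
     */
    public Signature getSignature() {
        return this.signature;
    }

    /**
     * Returns an observable that, on subscription, builds a registration assertion carrying
     * the public key of this engine's key pair and emits it as a single item.
     *
     * @param j value passed through unchanged to {@code FidoAssertionBuilder.buildRegAssertion}
     * @return observable emitting the assertion, or an {@code AuthenticatorException} on failure
     */
    public Observable<String> register(final long j) {
        return Observable.create(new Observable.OnSubscribe<String>() {
            @Override
            public void call(Subscriber<? super String> subscriber) {
                try {
                    FidoAuthenticatorParams params = FidoEngine.this.mAuthenticatorParams;
                    String assertion = FidoAssertionBuilder.buildRegAssertion(
                            params.aaid,
                            params.version,
                            params.authenticationAlgorithm,
                            params.publicKeyEncoding,
                            FidoEngine.this.mFinalChallengeParams,
                            FidoEngine.this.mKeyID,
                            FidoEngine.this.mKeyPair.getPublic(),
                            FidoEngine.this.signature,
                            j);
                    subscriber.onNext(assertion);
                    subscriber.onCompleted();
                } catch (FidoAuthenticationException | GeneralSecurityException e) {
                    subscriber.onError(new AuthenticatorException("Registration failed", e));
                }
            }
        });
    }
}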
