package com.gallagher.security.fidoauthenticators;

import android.app.Activity;
import android.app.FragmentManager;
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.SystemClock;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import rx.Observable;
import rx.functions.Func1;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
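/**
 * Collects a PIN from the user through {@link FidoPinAuthenticationFragment} and either
 * registers it (salted PBKDF2 hash returned in a {@link FidoASMUnwrappedKeyHandle}) or verifies
 * it against the hash carried by an existing key handle, applying an escalating lock-out
 * (30 s, 300 s, 1800 s, 3600 s) after repeated failures.
 *
 * <p>This is decompiled (JADX) source; parameter names such as {@code str}/{@code str2} are
 * decompiler placeholders and are described in each method's Javadoc.
 *
 * <p>NOTE(review): a {@value #REQUIRED_PIN_LENGTH}-digit PIN stretched with
 * {@value #HASH_ITERATIONS} PBKDF2 iterations gives very little resistance if the hash and salt
 * are ever read offline, so the protection of the key handle (see
 * {@code FidoPinAuthenticator.getEncryptedKeyHandle}) and the lock-out below carry the real
 * weight. The lock-out deadline and back-off are stored in SharedPreferences under keys shared
 * by all credentials, and the attempt counter is held per instance in memory. Consider raising
 * the iteration count for new registrations; the count is stored per key handle, so existing
 * credentials would keep verifying.
 */
public class FidoPinAuthenticationManager {
    // Decompiler artifact (synthetic assertion flag); kept so the member set is unchanged.
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final String BACKOFF_TIME_KEY = "com.gallagher.security.fidoauthenticators.BACK_OFF_INTERVAL";
    private static final String HASH_ALGORITHM = "PBKDF2withHmacSHA256";
    private static final int HASH_ALGORITHM_CODE = 2;
    private static final int HASH_ALGORITHM_CODE_LEGACY = 1;
    private static final String HASH_ALGORITHM_LEGACY = "PBKDF2withHmacSHA1";
    private static final int HASH_ITERATIONS = 1000;
    private static final int HASH_OUTPUT_LENGTH = 256;
    private static final Logger LOG = LoggerFactory.getLogger(FidoPinAuthenticationManager.class);
    private static final int MAX_AUTHENTICATION_ATTEMPTS = 3;
    private static final int MAX_BACKOFF_TIME = 3600;
    private static final String NEXT_ALLOWED_ATTEMPT_TIME_KEY = "com.gallagher.security.fidoauthenticators.NEXT_ALLOWED_ATTEMPT_TIME";
    private static final int REQUIRED_PIN_LENGTH = 4;
    private static final String SHARED_PREFERENCES = "com.gallagher.security.mobileaccess.pinauthenticationmanager";
    // Failed PIN entries seen by this instance; never reset and not persisted.
    private int mAuthenticationAttempts;
    private final Context mContext;
    private final FragmentManager mFragmentManager;
    private final String mPinAlgorithmKey;
    private final FidoPinAuthenticationFragment mPinAuthenticationFragment;
    private final String mPinHashKey;
    private final String mPinIterationsKey;
    private final String mPinSaltKey;
    private final SharedPreferences mSharedPreferences;

    /**
     * Creates a manager bound to the given activity.
     *
     * @param activity host activity; supplies the fragment manager, the SharedPreferences file
     *     and the context used for key-handle updates
     * @param str title shown by the PIN fragment
     * @param str2 description shown by the PIN fragment
     * @param str3 identifier whose first 12 characters are dropped to build the legacy
     *     SharedPreferences key prefix (what that 12-character prefix is cannot be seen from
     *     this file; TODO confirm)
     * @throws StringIndexOutOfBoundsException if {@code str3} is shorter than 12 characters
     */
    public FidoPinAuthenticationManager(Activity activity, String str, String str2, String str3) {
        FidoPinAuthenticationFragment pinFragment = new FidoPinAuthenticationFragment();
        this.mPinAuthenticationFragment = pinFragment;
        this.mAuthenticationAttempts = 0;
        this.mFragmentManager = activity.getFragmentManager();
        pinFragment.title = str;
        pinFragment.description = str2;
        pinFragment.requiredPinLength = REQUIRED_PIN_LENGTH;
        this.mSharedPreferences = activity.getSharedPreferences(SHARED_PREFERENCES, Context.MODE_PRIVATE);
        this.mContext = activity;
        String keyPrefix = str3.substring(12);
        this.mPinHashKey = keyPrefix + "/hash";
        this.mPinSaltKey = keyPrefix + "/salt";
        this.mPinAlgorithmKey = keyPrefix + "/algorithm";
        this.mPinIterationsKey = keyPrefix + "/iterations";
    }

    // Decompiler artifact: synthetic accessor the anonymous Func1 uses to post-increment the
    // failed-attempt counter. Returns the value before the increment.
    static /* synthetic */ int access$308(FidoPinAuthenticationManager fidoPinAuthenticationManager) {
        int previous = fidoPinAuthenticationManager.mAuthenticationAttempts;
        fidoPinAuthenticationManager.mAuthenticationAttempts = previous + 1;
        return previous;
    }

    /**
     * Deletes the legacy PIN material stored in SharedPreferences for a credential.
     *
     * <p>Nothing is removed unless {@code str + "/hash"} exists. The original code removed
     * {@code str + "salt"} and {@code str + "/pin/iterations"}, which do not match the
     * {@code "/salt"} and {@code "/iterations"} suffixes the constructor writes its keys with,
     * so the salt and iteration count could be left behind. Both spellings are removed here;
     * removing an absent key is a no-op.
     *
     * @param str key prefix of the credential (presumably the same prefix the constructor
     *     derives from its {@code str3}; verify against callers)
     * @param context context used to open the SharedPreferences file
     */
    public static void deregister(String str, Context context) {
        SharedPreferences prefs = context.getSharedPreferences(SHARED_PREFERENCES, Context.MODE_PRIVATE);
        if (!prefs.contains(str + "/hash")) {
            return;
        }
        prefs.edit()
                .remove(str + "/hash")
                .remove(str + "/salt")
                .remove(str + "/algorithm")
                .remove(str + "/iterations")
                // Spellings used by the original implementation, kept for compatibility.
                .remove(str + "salt")
                .remove(str + "/pin/iterations")
                .apply();
    }

    /** Returns 32 fresh random bytes from {@link SecureRandom} to salt a new PIN hash. */
    private byte[] generateSalt() {
        byte[] salt = new byte[32];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    /**
     * Derives the PIN hash with the named {@link SecretKeyFactory} algorithm.
     *
     * @param str SecretKeyFactory algorithm name
     * @param i iteration count
     * @param bArr salt
     * @param str2 PIN as entered
     * @return the derived key bytes ({@value #HASH_OUTPUT_LENGTH} bits requested)
     * @throws GeneralSecurityException if the algorithm is unavailable or derivation fails
     */
    public byte[] hash(String str, int i, byte[] bArr, String str2) throws GeneralSecurityException {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(str);
        char[] pinChars = str2.toCharArray();
        PBEKeySpec spec = new PBEKeySpec(pinChars, bArr, i, HASH_OUTPUT_LENGTH);
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            // PBEKeySpec keeps its own copy of the password; wipe both copies once the key is
            // derived. The caller's String cannot be wiped.
            spec.clearPassword();
            Arrays.fill(pinChars, '\0');
        }
    }

    /**
     * Reports whether a lock-out is still in force.
     *
     * @param j stored next-allowed-attempt time, in milliseconds
     * @param j2 stored back-off interval, in seconds
     * @param j3 current time, in milliseconds on the same clock as {@code j}
     * @return {@code true} if the remaining lock-out time is positive
     */
    public static boolean isUserLockedOut(long j, long j2, long j3) {
        return timeRemainingLockedOut(j, j2, j3) > 0;
    }

    /**
     * Computes the remaining lock-out time in milliseconds (zero or negative when expired).
     *
     * <p>If the current time is earlier than the moment the lock-out was set
     * ({@code j - j2 * 1000}), the back-off interval itself is used as the deadline. The caller
     * in this class passes {@code SystemClock.elapsedRealtime()}, so this presumably covers a
     * reboot resetting that clock; confirm before changing.
     */
    private static long timeRemainingLockedOut(long j, long j2, long j3) {
        long backoffMillis = j2 * 1000;
        long deadline = (j3 < j - backoffMillis) ? backoffMillis : j;
        return deadline - j3;
    }

    /** Returns the lock-out interval, in seconds, that follows {@code currentSeconds}. */
    private static int nextBackoffSeconds(int currentSeconds) {
        switch (currentSeconds) {
            case 0:
                return 30;
            case 30:
                return 300;
            case 300:
                return 1800;
            default:
                return MAX_BACKOFF_TIME;
        }
    }

    /**
     * Compares two hashes without an early exit on the first differing byte. A missing value on
     * either side counts as a mismatch so that absent PIN data can never authenticate.
     */
    private static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return java.security.MessageDigest.isEqual(expected, actual);
    }

    /**
     * Prompts for the PIN and verifies it against the hash held in the key handle.
     *
     * <p>If the key handle belongs to the migrated user and legacy PIN data is still in
     * SharedPreferences, that data is first copied into the key handle, the key handle is
     * re-encrypted and stored through {@code fidoASM}, and the legacy entries are deleted.
     *
     * <p>A wrong PIN yields an empty result, so the returned stream keeps waiting for the next
     * entry; once the instance has seen {@value #MAX_AUTHENTICATION_ATTEMPTS} failures, or the
     * stored back-off is already at its maximum, the next back-off interval is persisted and a
     * lock-out error is emitted.
     *
     * @param fidoASMUnwrappedKeyHandle key handle carrying the PIN hash, salt, iteration count
     *     and algorithm code
     * @param fidoASM used to persist the key handle after a legacy migration
     * @param str passed through to {@code updateKeyHandle} (fourth argument)
     * @param str2 passed through to {@code updateKeyHandle} (third argument)
     * @return an observable that emits once on success, or fails with a cancellation, lock-out
     *     or hashing error
     * @throws FatalError if the key handle carries an unknown algorithm code
     */
    public Observable<Void> authenticate(final FidoASMUnwrappedKeyHandle fidoASMUnwrappedKeyHandle, FidoASM fidoASM, String str, String str2) {
        if (Objects.equals(fidoASMUnwrappedKeyHandle.getUsername(), Utils.MIGRATED_USERNAME) && hasLegacyPinData()) {
            LOG.info("Migrating legacy PIN credential");
            String legacyHash = this.mSharedPreferences.getString(this.mPinHashKey, null);
            String legacySalt = this.mSharedPreferences.getString(this.mPinSaltKey, null);
            String legacyAlgorithm = this.mSharedPreferences.getString(this.mPinAlgorithmKey, null);
            int legacyIterations = this.mSharedPreferences.getInt(this.mPinIterationsKey, 0);
            if (legacyHash == null || legacySalt == null || legacyAlgorithm == null || legacyIterations == 0) {
                LOG.error("Unable to fetch shared preferences");
                return Observable.error(new FidoAuthenticationException("Unable to get shared preferences for PIN credential migration"));
            }
            // The stored algorithm value is only checked for presence; migrated credentials are
            // always recorded with the legacy algorithm code.
            fidoASMUnwrappedKeyHandle.setLegacyData(HASH_ALGORITHM_CODE_LEGACY, Base64.decodeBase64UrlSafe(legacyHash), Base64.decodeBase64UrlSafe(legacySalt), legacyIterations);
            try {
                fidoASM.updateKeyHandle(this.mContext, "0041#A006", str2, str, FidoPinAuthenticator.getEncryptedKeyHandle(fidoASMUnwrappedKeyHandle).getBase64UrlSafe());
                // Only delete the legacy copy once the key handle has been stored.
                this.mSharedPreferences.edit()
                        .remove(this.mPinHashKey)
                        .remove(this.mPinSaltKey)
                        .remove(this.mPinAlgorithmKey)
                        .remove(this.mPinIterationsKey)
                        .apply();
                LOG.info("PIN credential Migration complete");
            } catch (Exception e) {
                LOG.error("Failed to encrypt key handle", e);
                return Observable.error(new FidoAuthenticationException("Failed to encrypt keyhandle"));
            }
        }

        // Refuse to prompt at all while a persisted lock-out is still running.
        long nextAllowedAttempt = this.mSharedPreferences.getLong(NEXT_ALLOWED_ATTEMPT_TIME_KEY, 0L);
        if (nextAllowedAttempt != 0) {
            long remainingMillis = timeRemainingLockedOut(nextAllowedAttempt, this.mSharedPreferences.getInt(BACKOFF_TIME_KEY, 0), SystemClock.elapsedRealtime());
            if (remainingMillis > 0) {
                LOG.debug("User is locked out for {} seconds", remainingMillis / 1000);
                return Observable.error(new FidoAuthenticationException("User is locked out", FidoASMStatusCode.UAF_ASM_STATUS_USER_LOCKOUT));
            }
        }

        this.mPinAuthenticationFragment.feedbackMessage = R.string.ggl_pin_enter;
        this.mFragmentManager.beginTransaction().add(R.id.ggl_host_activity_fragment_container, this.mPinAuthenticationFragment).commit();

        final String algorithmName;
        switch (fidoASMUnwrappedKeyHandle.getAlgorithm()) {
            case HASH_ALGORITHM_CODE_LEGACY:
                algorithmName = HASH_ALGORITHM_LEGACY;
                break;
            case HASH_ALGORITHM_CODE:
                algorithmName = HASH_ALGORITHM;
                break;
            default:
                throw new FatalError("Unknown algorithm code passed");
        }

        return this.mPinAuthenticationFragment.onPinEntered.flatMap(new Func1<String, Observable<Void>>() {
            @Override
            public Observable<Void> call(String str4) {
                // The fragment signals cancellation with a null PIN.
                if (str4 == null) {
                    return Observable.error(new FidoAuthenticationException("Cancelled", FidoASMStatusCode.UAF_ASM_STATUS_USER_CANCELLED));
                }
                try {
                    byte[] candidate = FidoPinAuthenticationManager.this.hash(algorithmName, fidoASMUnwrappedKeyHandle.getIterationCount(), fidoASMUnwrappedKeyHandle.getPinSalt(), str4);
                    if (constantTimeEquals(fidoASMUnwrappedKeyHandle.getPinHash(), candidate)) {
                        // Success clears any persisted back-off.
                        mSharedPreferences.edit()
                                .putInt(BACKOFF_TIME_KEY, 0)
                                .putLong(NEXT_ALLOWED_ATTEMPT_TIME_KEY, 0L)
                                .apply();
                        return Observable.<Void>just(null);
                    }

                    FidoPinAuthenticationManager.access$308(FidoPinAuthenticationManager.this);
                    mPinAuthenticationFragment.showVerifyPinFailed();
                    int backoffSeconds = mSharedPreferences.getInt(BACKOFF_TIME_KEY, 0);
                    boolean lockOut = mAuthenticationAttempts >= MAX_AUTHENTICATION_ATTEMPTS || backoffSeconds == MAX_BACKOFF_TIME;
                    if (!lockOut) {
                        // Wrong PIN but attempts remain: emit nothing and wait for the next entry.
                        return Observable.empty();
                    }
                    backoffSeconds = nextBackoffSeconds(backoffSeconds);
                    LOG.debug("User is locked out for {}", backoffSeconds);
                    mSharedPreferences.edit()
                            .putInt(BACKOFF_TIME_KEY, backoffSeconds)
                            .putLong(NEXT_ALLOWED_ATTEMPT_TIME_KEY, SystemClock.elapsedRealtime() + (backoffSeconds * 1000L))
                            .apply();
                    return Observable.error(new FidoASMException("Unable to authenticate, user exceeded maximum PIN attempts", FidoASMStatusCode.UAF_ASM_STATUS_USER_LOCKOUT, null));
                } catch (GeneralSecurityException e) {
                    LOG.error("Cannot hash pin", e);
                    return Observable.error(new FidoAuthenticationException("Unable to hash PIN for authentication"));
                }
            }
        }).first();
    }

    /** Always {@code true}: PIN registration needs no device capability check here. */
    public boolean canRegister() {
        return true;
    }

    /** Returns whether both the legacy hash and the legacy salt are still in SharedPreferences. */
    boolean hasLegacyPinData() {
        return this.mSharedPreferences.contains(this.mPinHashKey) && this.mSharedPreferences.contains(this.mPinSaltKey);
    }

    /**
     * Prompts for a new PIN twice and, when both entries match, returns a key handle holding
     * its salted hash.
     *
     * <p>The first entry's hash is remembered and the user is asked to verify; a matching
     * second entry completes registration, a mismatch clears the remembered hash and restarts.
     * Both entries are hashed with the same salt, so comparing hashes compares the PINs.
     *
     * <p>The algorithm code written to the key handle now matches the algorithm actually used.
     * The original always recorded code {@value #HASH_ALGORITHM_CODE} even when the SHA-1
     * variant was chosen on API levels below 26, so {@link #authenticate} would later select
     * the SHA-256 variant for a hash that was produced with SHA-1.
     *
     * @param str value stored in the key handle as its last constructor argument (the
     *     username, judging by {@code getUsername()} in {@link #authenticate}; TODO confirm)
     * @return an observable that emits the new key handle, or fails on cancellation or a
     *     hashing error
     * @throws FatalError if {@link #canRegister()} is false
     */
    public Observable<FidoASMUnwrappedKeyHandle> register(final String str) {
        if (!canRegister()) {
            throw new FatalError("Unable to register");
        }
        this.mPinAuthenticationFragment.feedbackMessage = R.string.ggl_pin_create;
        this.mFragmentManager.beginTransaction().add(R.id.ggl_host_activity_fragment_container, this.mPinAuthenticationFragment).commit();

        // Single-slot holder so the anonymous class can remember the first entry's hash.
        final byte[][] firstEntryHash = new byte[1][];
        final byte[] salt = generateSalt();
        final boolean useSha256 = Build.VERSION.SDK_INT >= 26;
        final String algorithmName = useSha256 ? HASH_ALGORITHM : HASH_ALGORITHM_LEGACY;
        final int algorithmCode = useSha256 ? HASH_ALGORITHM_CODE : HASH_ALGORITHM_CODE_LEGACY;

        return this.mPinAuthenticationFragment.onPinEntered.flatMap(new Func1<String, Observable<FidoASMUnwrappedKeyHandle>>() {
            @Override
            public Observable<FidoASMUnwrappedKeyHandle> call(String str2) {
                // The fragment signals cancellation with a null PIN.
                if (str2 == null) {
                    return Observable.error(new FidoRegistrationException("Cancelled", FidoASMStatusCode.UAF_ASM_STATUS_USER_CANCELLED));
                }
                try {
                    byte[] entryHash = FidoPinAuthenticationManager.this.hash(algorithmName, HASH_ITERATIONS, salt, str2);
                    byte[] remembered = firstEntryHash[0];
                    if (remembered == null) {
                        // First entry: remember it and ask the user to type the PIN again.
                        mPinAuthenticationFragment.showVerifyPin();
                        firstEntryHash[0] = entryHash;
                        return Observable.empty();
                    }
                    if (constantTimeEquals(remembered, entryHash)) {
                        return Observable.just(new FidoASMUnwrappedKeyHandle(algorithmCode, entryHash, salt, HASH_ITERATIONS, str));
                    }
                    // Entries differ: start over from the first prompt.
                    mPinAuthenticationFragment.showVerifyPinFailed();
                    mPinAuthenticationFragment.showFeedback(R.string.ggl_pin_create);
                    firstEntryHash[0] = null;
                    return Observable.empty();
                } catch (GeneralSecurityException e) {
                    LOG.error("Cannot hash pin", e);
                    return Observable.error(new FidoRegistrationException("Unable to hash PIN for registration"));
                }
            }
        }).first();
    }
}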
