package com.android.identity.android.securearea;

import android.app.KeyguardManager;
import android.content.Context;
import android.content.pm.FeatureInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.UserNotAuthenticatedException;
import com.android.identity.android.securearea.AndroidKeystoreCreateKeySettings;
import com.android.identity.cbor.Cbor;
import com.android.identity.cbor.CborBuilder;
import com.android.identity.cbor.CborMap;
import com.android.identity.cbor.DataItem;
import com.android.identity.cbor.MapBuilder;
import com.android.identity.crypto.Algorithm;
import com.android.identity.crypto.EcCurve;
import com.android.identity.crypto.EcPublicKey;
import com.android.identity.crypto.EcPublicKeyJvmKt;
import com.android.identity.crypto.EcSignature;
import com.android.identity.crypto.X509Cert;
import com.android.identity.crypto.X509CertChain;
import com.android.identity.securearea.CreateKeySettings;
import com.android.identity.securearea.KeyAttestation;
import com.android.identity.securearea.KeyInvalidatedException;
import com.android.identity.securearea.KeyLockedException;
import com.android.identity.securearea.KeyPurpose;
import com.android.identity.securearea.KeyPurposeKt;
import com.android.identity.securearea.KeyUnlockData;
import com.android.identity.securearea.SecureArea;
import com.android.identity.storage.StorageEngine;
import com.android.identity.util.Logger;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.KeyAgreement;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt;
import kotlinx.datetime.Instant;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;

/* compiled from: AndroidKeystoreSecureArea.kt */
@Metadata(d1 = {"\u0000~\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0002\b\u0005\n\u0002\u0010\b\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0012\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\u0018\u0000 12\u00020\u0001:\u000201B\u0017\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005¢\u0006\u0004\b\u0006\u0010\u0007J\u0018\u0010\u0011\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\t2\u0006\u0010\u0014\u001a\u00020\u0015H\u0016J\u000e\u0010\u0016\u001a\u00020\u00122\u0006\u0010\u0017\u001a\u00020\tJ\u0010\u0010\u0018\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\tH\u0016J*\u0010\u0019\u001a\u00020\u001a2\u0006\u0010\u0013\u001a\u00020\t2\u0006\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u001e2\b\u0010\u001f\u001a\u0004\u0018\u00010 H\u0016J\"\u0010!\u001a\u00020\u001e2\u0006\u0010\u0013\u001a\u00020\t2\u0006\u0010\"\u001a\u00020#2\b\u0010\u001f\u001a\u0004\u0018\u00010 H\u0016J\u001c\u0010$\u001a\u000e\u0012\u0004\u0012\u00020&\u0012\u0004\u0012\u00020\u001e0%2\u0006\u0010\u0013\u001a\u00020\tH\u0002J\u0010\u0010'\u001a\u00020(2\u0006\u0010\u0013\u001a\u00020\tH\u0016J\u0010\u0010)\u001a\u00020*2\u0006\u0010\u0013\u001a\u00020\tH\u0016J 
\u0010+\u001a\u00020\u00122\u0006\u0010\u0013\u001a\u00020\t2\u0006\u0010,\u001a\u00020-2\u0006\u0010.\u001a\u00020/H\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u0014\u0010\b\u001a\u00020\t8VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b\n\u0010\u000bR\u0014\u0010\f\u001a\u00020\t8VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b\r\u0010\u000bR\u000e\u0010\u000e\u001a\u00020\u000fX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0010\u001a\u00020\u000fX\u0082\u0004¢\u0006\u0002\n\u0000¨\u00062"}, d2 = {"Lcom/android/identity/android/securearea/AndroidKeystoreSecureArea;", "Lcom/android/identity/securearea/SecureArea;", "context", "Landroid/content/Context;", "storageEngine", "Lcom/android/identity/storage/StorageEngine;", "<init>", "(Landroid/content/Context;Lcom/android/identity/storage/StorageEngine;)V", "identifier", "", "getIdentifier", "()Ljava/lang/String;", "displayName", "getDisplayName", "keymintTeeFeatureLevel", "", "keymintSbFeatureLevel", "createKey", "", "alias", "createKeySettings", "Lcom/android/identity/securearea/CreateKeySettings;", "createKeyForExistingAlias", "existingAlias", "deleteKey", "sign", "Lcom/android/identity/crypto/EcSignature;", "signatureAlgorithm", "Lcom/android/identity/crypto/Algorithm;", "dataToSign", "", "keyUnlockData", "Lcom/android/identity/securearea/KeyUnlockData;", "keyAgreement", "otherKey", "Lcom/android/identity/crypto/EcPublicKey;", "loadKey", "Lkotlin/Pair;", "Ljava/security/KeyStore$Entry;", "getKeyInvalidated", "", "getKeyInfo", "Lcom/android/identity/android/securearea/AndroidKeystoreKeyInfo;", "saveKeyMetadata", "settings", "Lcom/android/identity/android/securearea/AndroidKeystoreCreateKeySettings;", "attestation", "Lcom/android/identity/crypto/X509CertChain;", "Capabilities", "Companion", "identity-android_release"}, k = 1, mv = {2, 0, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class AndroidKeystoreSecureArea implements SecureArea {

    /* renamed from: Companion, reason: from kotlin metadata */
    // Single instance of the Companion helper class; the decompiler renamed this field to INSTANCE.
    public static final Companion INSTANCE = new Companion(null);
    // Prepended to a key alias to form the StorageEngine key under which that key's metadata record is kept.
    private static final String PREFIX = "IC_AndroidKeystore_";
    // Tag passed to Logger for messages from this class.
    private static final String TAG = "AndroidKeystoreSA";
    // Used by createKey to reach the keyguard system service.
    private final Context context;
    // Feature version reported for android.hardware.strongbox_keystore; 0 when that feature is absent.
    private final int keymintSbFeatureLevel;
    // Feature version reported for android.hardware.hardware_keystore; getFeatureVersionKeystore never returns less than 41 for it.
    private final int keymintTeeFeatureLevel;
    // Backing store for the per-key metadata records written by saveKeyMetadata and read by loadKey.
    private final StorageEngine storageEngine;

    /* compiled from: AndroidKeystoreSecureArea.kt */
    @Metadata(d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\b\n\u0002\b\u0003\n\u0002\u0010\u000b\n\u0002\b\u0013\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\n\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u000b\u001a\u00020\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\f\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u000e\u0010\u000fR\u0011\u0010\u0010\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u0011\u0010\u000fR\u0011\u0010\u0012\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u0013\u0010\u000fR\u0011\u0010\u0014\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u0015\u0010\u000fR\u0011\u0010\u0016\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u0017\u0010\u000fR\u0011\u0010\u0018\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u0019\u0010\u000fR\u0011\u0010\u001a\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u001b\u0010\u000fR\u0011\u0010\u001c\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u001d\u0010\u000fR\u0011\u0010\u001e\u001a\u00020\r8F¢\u0006\u0006\u001a\u0004\b\u001f\u0010\u000f¨\u0006 "}, d2 = {"Lcom/android/identity/android/securearea/AndroidKeystoreSecureArea$Capabilities;", "", "context", "Landroid/content/Context;", "<init>", "(Landroid/content/Context;)V", "keyguardManager", "Landroid/app/KeyguardManager;", "apiLevel", "", "teeFeatureLevel", "sbFeatureLevel", "secureLockScreenSetup", "", "getSecureLockScreenSetup", "()Z", "multipleAuthenticationTypesSupported", "getMultipleAuthenticationTypesSupported", "attestKeySupported", "getAttestKeySupported", "keyAgreementSupported", "getKeyAgreementSupported", "curve25519Supported", "getCurve25519Supported", "strongBoxSupported", "getStrongBoxSupported", "strongBoxAttestKeySupported", 
"getStrongBoxAttestKeySupported", "strongBoxKeyAgreementSupported", "getStrongBoxKeyAgreementSupported", "strongBoxCurve25519Supported", "getStrongBoxCurve25519Supported", "identity-android_release"}, k = 1, mv = {2, 0, 0}, xi = 48)
    /* loaded from: classes4.dex */
    /*
     * Snapshot of what this device's keystore reports it can do. The feature levels and the
     * SDK level are read once in the constructor; only the lock-screen state is queried on
     * each call.
     *
     * Apart from the lock-screen query, every answer comes from PackageManager feature versions
     * or the SDK level, i.e. from what the platform says about itself. They are suited to
     * choosing key parameters up front; assurance about how a particular key is protected has
     * to come from verifying that key's attestation chain.
     */
    public static final class Capabilities {
        // Thresholds compared against the keystore feature version. createKey's error messages
        // call the 100 threshold a "KeyMint version"; 100 and 200 presumably map to KeyMint 1.0
        // and 2.0 in the platform's feature-version numbering - confirm against the platform docs.
        private static final int MIN_FEATURE_LEVEL_ATTEST_KEY = 100;
        private static final int MIN_FEATURE_LEVEL_KEY_AGREEMENT = 100;
        private static final int MIN_FEATURE_LEVEL_CURVE_25519 = 200;
        // SDK level from which more than one user-authentication type can be requested.
        private static final int MIN_API_LEVEL_MULTIPLE_AUTH_TYPES = 30;

        private final int apiLevel;
        private final KeyguardManager keyguardManager;
        private final int sbFeatureLevel;
        private final int teeFeatureLevel;

        /**
         * Reads the keyguard service, both keystore feature levels and the SDK level.
         *
         * @param context used to look up the keyguard service and the package manager
         */
        public Capabilities(Context context) {
            Intrinsics.checkNotNullParameter(context, "context");
            Object keyguardService = context.getSystemService("keyguard");
            Intrinsics.checkNotNull(keyguardService, "null cannot be cast to non-null type android.app.KeyguardManager");
            keyguardManager = (KeyguardManager) keyguardService;
            teeFeatureLevel = AndroidKeystoreSecureArea.INSTANCE.getFeatureVersionKeystore(context, false);
            sbFeatureLevel = AndroidKeystoreSecureArea.INSTANCE.getFeatureVersionKeystore(context, true);
            apiLevel = Build.VERSION.SDK_INT;
        }

        /** @return whether the hardware keystore feature level is at least 100 */
        public final boolean getAttestKeySupported() {
            return teeFeatureLevel >= MIN_FEATURE_LEVEL_ATTEST_KEY;
        }

        /** @return whether the hardware keystore feature level is at least 200 */
        public final boolean getCurve25519Supported() {
            return teeFeatureLevel >= MIN_FEATURE_LEVEL_CURVE_25519;
        }

        /** @return whether the hardware keystore feature level is at least 100 */
        public final boolean getKeyAgreementSupported() {
            return teeFeatureLevel >= MIN_FEATURE_LEVEL_KEY_AGREEMENT;
        }

        /** @return whether the SDK level is at least 30 */
        public final boolean getMultipleAuthenticationTypesSupported() {
            return apiLevel >= MIN_API_LEVEL_MULTIPLE_AUTH_TYPES;
        }

        /** @return the keyguard's current answer to {@code isDeviceSecure()} */
        public final boolean getSecureLockScreenSetup() {
            return keyguardManager.isDeviceSecure();
        }

        /** @return whether the StrongBox feature level is at least 100 */
        public final boolean getStrongBoxAttestKeySupported() {
            return sbFeatureLevel >= MIN_FEATURE_LEVEL_ATTEST_KEY;
        }

        /** @return whether the StrongBox feature level is at least 200 */
        public final boolean getStrongBoxCurve25519Supported() {
            return sbFeatureLevel >= MIN_FEATURE_LEVEL_CURVE_25519;
        }

        /** @return whether the StrongBox feature level is at least 100 */
        public final boolean getStrongBoxKeyAgreementSupported() {
            return sbFeatureLevel >= MIN_FEATURE_LEVEL_KEY_AGREEMENT;
        }

        /** @return whether any StrongBox feature level was reported (0 means the feature is absent) */
        public final boolean getStrongBoxSupported() {
            return sbFeatureLevel > 0;
        }
    }

    /* compiled from: AndroidKeystoreSecureArea.kt */
    @Metadata(d1 = {"\u0000D\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\b\u0086\u0003\u0018\u00002\u00020\u0001B\t\b\u0002¢\u0006\u0004\b\u0002\u0010\u0003J\u0015\u0010\u0007\u001a\u00020\u00052\u0006\u0010\b\u001a\u00020\tH\u0000¢\u0006\u0002\b\nJ\u0010\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\fH\u0002J\u001d\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\fH\u0000¢\u0006\u0002\b\u0013J\u0018\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0018\u001a\u00020\u0019H\u0002R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082T¢\u0006\u0002\n\u0000R\u000e\u0010\u0006\u001a\u00020\u0005X\u0082T¢\u0006\u0002\n\u0000¨\u0006\u001a"}, d2 = {"Lcom/android/identity/android/securearea/AndroidKeystoreSecureArea$Companion;", "", "<init>", "()V", "TAG", "", "PREFIX", "getSignatureAlgorithmName", "signatureAlgorithm", "Lcom/android/identity/crypto/Algorithm;", "getSignatureAlgorithmName$identity_android_release", "stripLeadingZeroes", "", "array", "signatureFromDer", "Lcom/android/identity/crypto/EcSignature;", "curve", "Lcom/android/identity/crypto/EcCurve;", "derEncodedSignature", "signatureFromDer$identity_android_release", "getFeatureVersionKeystore", "", "appContext", "Landroid/content/Context;", "useStrongbox", "", "identity-android_release"}, k = 1, mv = {2, 0, 0}, xi = 48)
    /* loaded from: classes4.dex */
    /*
     * Helpers shared by the secure area: keystore feature-version lookup, signature algorithm
     * names, and conversion of DER-encoded ECDSA signatures to fixed-width (r, s) pairs.
     */
    public static final class Companion {

        /* compiled from: AndroidKeystoreSecureArea.kt */
        @Metadata(k = 3, mv = {2, 0, 0}, xi = 48)
        /* loaded from: classes4.dex */
        public /* synthetic */ class WhenMappings {
            public static final /* synthetic */ int[] $EnumSwitchMapping$0;

            static {
                // Compiler-generated table mapping Algorithm ordinals to the case numbers used
                // by getSignatureAlgorithmName. Entries that are never assigned stay 0, which
                // matches no case there.
                int[] caseByOrdinal = new int[Algorithm.values().length];
                try {
                    caseByOrdinal[Algorithm.ES256.ordinal()] = 1;
                } catch (NoSuchFieldError ignored) {
                    // constant absent at run time; no case number is assigned for it
                }
                try {
                    caseByOrdinal[Algorithm.ES384.ordinal()] = 2;
                } catch (NoSuchFieldError ignored) {
                    // constant absent at run time; no case number is assigned for it
                }
                try {
                    caseByOrdinal[Algorithm.ES512.ordinal()] = 3;
                } catch (NoSuchFieldError ignored) {
                    // constant absent at run time; no case number is assigned for it
                }
                try {
                    caseByOrdinal[Algorithm.EDDSA.ordinal()] = 4;
                } catch (NoSuchFieldError ignored) {
                    // constant absent at run time; no case number is assigned for it
                }
                $EnumSwitchMapping$0 = caseByOrdinal;
            }
        }

        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /**
         * Returns the version the platform reports for the hardware or StrongBox keystore feature.
         *
         * <p>The result is never between 1 and 40: when the feature is present but reports a
         * lower (or no) version, 41 is returned, and when the hardware keystore feature is
         * absent altogether 41 is returned as well. Only an absent StrongBox feature yields 0.
         * NOTE(review): the 41 floor is an assumption made on the device's behalf (presumably
         * Keymaster 4.1), not something the device reported - keep that in mind when this value
         * feeds a security decision.
         *
         * @param appContext   supplies the package manager
         * @param useStrongbox {@code true} to query the StrongBox feature, {@code false} for the
         *                     hardware keystore feature
         * @return the feature version, floored as described above
         */
        /* JADX INFO: Access modifiers changed from: private */
        public final int getFeatureVersionKeystore(Context appContext, boolean useStrongbox) {
            final String featureName;
            if (useStrongbox) {
                featureName = "android.hardware.strongbox_keystore";
            } else {
                featureName = "android.hardware.hardware_keystore";
            }
            PackageManager pm = appContext.getPackageManager();
            if (!pm.hasSystemFeature(featureName)) {
                return useStrongbox ? 0 : 41;
            }
            FeatureInfo[] features = pm.getSystemAvailableFeatures();
            Intrinsics.checkNotNullExpressionValue(features, "getSystemAvailableFeatures(...)");
            int reported = 0;
            for (FeatureInfo candidate : features) {
                if (Intrinsics.areEqual(candidate.name, featureName)) {
                    reported = candidate.version;
                    break;
                }
            }
            return Math.max(reported, 41);
        }

        /**
         * Drops leading zero bytes. An array with no non-zero byte (including an empty one) is
         * returned as is, not copied.
         */
        private final byte[] stripLeadingZeroes(byte[] array) {
            for (int first = 0; first < array.length; first++) {
                if (array[first] != 0) {
                    return ArraysKt.copyOfRange(array, first, array.length);
                }
            }
            return array;
        }

        /** Reads one element of the signature SEQUENCE as an INTEGER and strips its leading zero bytes. */
        private byte[] derIntegerBytes(ASN1Encodable element) {
            ASN1Primitive primitive = element.toASN1Primitive();
            Intrinsics.checkNotNull(primitive, "null cannot be cast to non-null type org.bouncycastle.asn1.ASN1Integer");
            byte[] encoded = ((ASN1Integer) primitive).getValue().toByteArray();
            Intrinsics.checkNotNullExpressionValue(encoded, "toByteArray(...)");
            return stripLeadingZeroes(encoded);
        }

        /** Right-aligns {@code magnitude} in a zero-filled array of {@code width} bytes. */
        private byte[] leftPad(byte[] magnitude, int width) {
            if (magnitude.length > width) {
                throw new IllegalStateException("Check failed.");
            }
            byte[] padded = new byte[width];
            System.arraycopy(magnitude, 0, padded, width - magnitude.length, magnitude.length);
            return padded;
        }

        /**
         * Maps a signature algorithm to its algorithm-name string.
         *
         * @param signatureAlgorithm one of ES256, ES384, ES512 or EDDSA
         * @return the matching name
         * @throws IllegalArgumentException for any other algorithm
         */
        public final String getSignatureAlgorithmName$identity_android_release(Algorithm signatureAlgorithm) {
            Intrinsics.checkNotNullParameter(signatureAlgorithm, "signatureAlgorithm");
            switch (WhenMappings.$EnumSwitchMapping$0[signatureAlgorithm.ordinal()]) {
                case 1:
                    return "SHA256withECDSA";
                case 2:
                    return "SHA384withECDSA";
                case 3:
                    return "SHA512withECDSA";
                case 4:
                    return "Ed25519";
                default:
                    throw new IllegalArgumentException("Unsupported signing algorithm with id " + signatureAlgorithm);
            }
        }

        /**
         * Converts a DER-encoded signature (a SEQUENCE of two INTEGERs) into an EcSignature whose
         * two components are each padded to the curve's byte length.
         *
         * <p>NOTE(review): only the first object in the input is read, anything after it is
         * ignored, and the sign of the two INTEGERs is not checked. That is adequate when the
         * input is a signature the local keystore just produced (presumably the only caller -
         * confirm); stricter parsing would be needed before using this on externally supplied
         * signatures.
         *
         * @param curve               determines the width of each component
         * @param derEncodedSignature the DER bytes
         * @return the fixed-width signature
         * @throws IllegalArgumentException if the bytes cannot be read as DER or the sequence
         *                                  does not hold exactly two items
         * @throws IllegalStateException    if a component is longer than the curve's byte length
         */
        public final EcSignature signatureFromDer$identity_android_release(EcCurve curve, byte[] derEncodedSignature) {
            Intrinsics.checkNotNullParameter(curve, "curve");
            Intrinsics.checkNotNullParameter(derEncodedSignature, "derEncodedSignature");
            try {
                ASN1Primitive parsed = new ASN1InputStream(new ByteArrayInputStream(derEncodedSignature)).readObject();
                Intrinsics.checkNotNull(parsed, "null cannot be cast to non-null type org.bouncycastle.asn1.ASN1Sequence");
                ASN1Encodable[] elements = ((ASN1Sequence) parsed).toArray();
                if (elements.length != 2) {
                    throw new IllegalArgumentException("Expected two items in sequence");
                }
                byte[] r = derIntegerBytes(elements[0]);
                byte[] s = derIntegerBytes(elements[1]);
                // Bytes needed to hold one value of the curve's bit size, rounded up.
                int componentLength = (curve.getBitSize() + 7) / 8;
                return new EcSignature(leftPad(r, componentLength), leftPad(s, componentLength));
            } catch (IOException e) {
                throw new IllegalArgumentException("Error decoding DER signature", e);
            }
        }
    }

    /* compiled from: AndroidKeystoreSecureArea.kt */
    @Metadata(k = 3, mv = {2, 0, 0}, xi = 48)
    /* loaded from: classes4.dex */
    public /* synthetic */ class WhenMappings {
        public static final /* synthetic */ int[] $EnumSwitchMapping$0;

        static {
            // Compiler-generated table mapping EcCurve ordinals to the case numbers used by the
            // curve switch in createKey. Entries that are never assigned stay 0, which that
            // switch treats as an unsupported curve.
            int[] caseByOrdinal = new int[EcCurve.values().length];
            try {
                caseByOrdinal[EcCurve.P256.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.ED25519.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.X25519.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.BRAINPOOLP256R1.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.BRAINPOOLP320R1.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.BRAINPOOLP384R1.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.BRAINPOOLP512R1.ordinal()] = 7;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.ED448.ordinal()] = 8;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.P384.ordinal()] = 9;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.P521.ordinal()] = 10;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            try {
                caseByOrdinal[EcCurve.X448.ordinal()] = 11;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time; no case number is assigned for it
            }
            $EnumSwitchMapping$0 = caseByOrdinal;
        }
    }

    /**
     * Creates a secure area backed by the Android Keystore.
     *
     * <p>Both keystore feature levels are looked up once here and reused by createKey.
     *
     * @param context       used for the package manager and, later, the keyguard service
     * @param storageEngine where per-key metadata records are kept
     */
    public AndroidKeystoreSecureArea(Context context, StorageEngine storageEngine) {
        Intrinsics.checkNotNullParameter(context, "context");
        Intrinsics.checkNotNullParameter(storageEngine, "storageEngine");
        this.context = context;
        this.storageEngine = storageEngine;
        this.keymintTeeFeatureLevel = INSTANCE.getFeatureVersionKeystore(context, false);
        this.keymintSbFeatureLevel = INSTANCE.getFeatureVersionKeystore(context, true);
    }

    /**
     * Fetches the keystore entry for {@code alias} together with its stored metadata record.
     *
     * <p>The metadata record is looked up first, so an alias that exists in the Android Keystore
     * but has no record under {@code PREFIX + alias} is reported as unknown.
     *
     * @param alias the key alias
     * @return the keystore entry paired with the raw metadata bytes
     * @throws IllegalArgumentException if no metadata record exists for the alias
     * @throws KeyInvalidatedException  if the record exists but the keystore has no entry
     */
    private final Pair<KeyStore.Entry, byte[]> loadKey(String alias) {
        byte[] metadata = this.storageEngine.get(PREFIX + alias);
        if (metadata == null) {
            throw new IllegalArgumentException("No key with given alias");
        }
        KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
        androidKeyStore.load(null);
        KeyStore.Entry keyEntry = androidKeyStore.getEntry(alias, null);
        if (keyEntry == null) {
            throw new KeyInvalidatedException("This key is no longer available");
        }
        return new Pair<>(keyEntry, metadata);
    }

    /**
     * Writes a CBOR map describing the key to the storage engine under {@code PREFIX + alias}.
     *
     * <p>The map holds the values the caller asked for in {@code settings}, plus the attestation
     * chain. NOTE(review): this is a record of the request, kept outside the keystore; whether
     * it is protected against modification depends on the StorageEngine implementation, which
     * is not visible here. The attestation chain is the part that reflects what the keystore
     * actually created.
     *
     * @param alias       the key alias
     * @param settings    the settings the key was requested with
     * @param attestation the certificate chain read back from the keystore
     */
    private final void saveKeyMetadata(String alias, AndroidKeystoreCreateKeySettings settings, X509CertChain attestation) {
        MapBuilder<CborBuilder> record = CborMap.INSTANCE.builder();
        record.put("keyPurposes", KeyPurpose.INSTANCE.encodeSet(settings.getKeyPurposes()));
        // The attest key alias is optional; the entry is left out when none was given.
        if (settings.getAttestKeyAlias() != null) {
            record.put("attestKeyAlias", settings.getAttestKeyAlias());
        }
        record.put("userAuthenticationRequired", settings.getUserAuthenticationRequired());
        record.put("userAuthenticationTimeoutMillis", settings.getUserAuthenticationTimeoutMillis());
        record.put("useStrongBox", settings.getUseStrongBox());
        record.put("attestation", attestation.toDataItem());
        record.put("curve", settings.getEcCurve().getCoseCurveIdentifier());

        byte[] encodedRecord = Cbor.INSTANCE.encode(record.end().getItem());
        this.storageEngine.put(PREFIX + alias, encodedRecord);
    }

    /* JADX WARN: Multi-variable type inference failed */
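    /**
     * Generates an EC key pair in the Android Keystore under {@code alias}, then stores the
     * requested settings and the key's certificate chain in the storage engine.
     *
     * <p>Points a reviewer should be aware of:
     * <ul>
     *   <li>Settings that are not {@code AndroidKeystoreCreateKeySettings} are not read at all;
     *       defaults with an empty attestation challenge are used instead.</li>
     *   <li>A StrongBox request is only applied on SDK 28+, and an attest-key alias only on
     *       SDK 31+. Below those levels the request is skipped without an error, while the
     *       stored metadata still records the requested values.</li>
     *   <li>Keys that require user authentication are created with
     *       {@code setInvalidatedByBiometricEnrollment(false)}, so they stay usable after new
     *       biometrics are enrolled.</li>
     *   <li>If reading the certificate chain or saving the metadata fails, the key pair has
     *       already been generated and nothing here removes it.</li>
     *   <li>NOTE(review): nothing here checks whether {@code alias} is already in use - confirm
     *       what is intended for an existing key and its metadata record.</li>
     * </ul>
     *
     * @param alias             the alias for the new key
     * @param createKeySettings the settings for the new key
     * @throws IllegalArgumentException    if the curve or the curve/purpose combination is not
     *                                     supported, or key agreement is unavailable on this device
     * @throws ScreenLockRequiredException if user authentication is requested and the device
     *                                     has no secure lock screen
     * @throws IllegalStateException       if key generation, reading the certificate chain or
     *                                     saving the metadata fails
     */
    @Override // com.android.identity.securearea.SecureArea
    public void createKey(String alias, CreateKeySettings createKeySettings) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Intrinsics.checkNotNullParameter(createKeySettings, "createKeySettings");

        final AndroidKeystoreCreateKeySettings settings;
        if (createKeySettings instanceof AndroidKeystoreCreateKeySettings) {
            settings = (AndroidKeystoreCreateKeySettings) createKeySettings;
        } else {
            // Generic settings are replaced wholesale by defaults built from an empty
            // attestation challenge.
            settings = new AndroidKeystoreCreateKeySettings.Builder(new byte[0]).build();
        }

        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");

            // Purpose bits as KeyGenParameterSpec expects them: 4 is KeyProperties.PURPOSE_SIGN,
            // 64 is KeyProperties.PURPOSE_AGREE_KEY.
            int purposes = settings.getKeyPurposes().contains(KeyPurpose.SIGN) ? 4 : 0;
            if (settings.getKeyPurposes().contains(KeyPurpose.AGREE_KEY)) {
                if (Build.VERSION.SDK_INT < 31) {
                    throw new IllegalArgumentException("PURPOSE_AGREE_KEY not supported on this device");
                }
                purposes |= 64;
                if (settings.getUseStrongBox()) {
                    if (this.keymintSbFeatureLevel < 100) {
                        throw new IllegalArgumentException("PURPOSE_AGREE_KEY not supported on this StrongBox KeyMint version");
                    }
                } else if (this.keymintTeeFeatureLevel < 100) {
                    throw new IllegalArgumentException("PURPOSE_AGREE_KEY not supported on this KeyMint version");
                }
            }

            KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias, purposes);
            switch (WhenMappings.$EnumSwitchMapping$0[settings.getEcCurve().ordinal()]) {
                case 1: // P256
                    spec.setDigests("SHA-256");
                    break;
                case 2: // ED25519
                    if (!settings.getKeyPurposes().contains(KeyPurpose.SIGN)) {
                        throw new IllegalArgumentException("Curve Ed25519 only works with purpose SIGN");
                    }
                    spec.setAlgorithmParameterSpec(new ECGenParameterSpec("ed25519"));
                    break;
                case 3: // X25519
                    if (!settings.getKeyPurposes().contains(KeyPurpose.AGREE_KEY)) {
                        throw new IllegalArgumentException("Curve X25519 only works with purpose AGREE_KEY");
                    }
                    spec.setAlgorithmParameterSpec(new ECGenParameterSpec("x25519"));
                    break;
                default:
                    // Every other curve, mapped or not, is rejected.
                    throw new IllegalArgumentException("Curve is not supported");
            }

            if (settings.getUserAuthenticationRequired()) {
                Object keyguardService = this.context.getSystemService("keyguard");
                Intrinsics.checkNotNull(keyguardService, "null cannot be cast to non-null type android.app.KeyguardManager");
                if (!((KeyguardManager) keyguardService).isDeviceSecure()) {
                    throw new ScreenLockRequiredException("Screen lock must be set up to create keys with user authentication");
                }
                spec.setUserAuthenticationRequired(true);
                long timeoutMillis = settings.getUserAuthenticationTimeoutMillis();
                if (Build.VERSION.SDK_INT >= 30) {
                    Set<UserAuthenticationType> allowedTypes = settings.getUserAuthenticationTypes();
                    // Built as an int bitmask: 1 is KeyProperties.AUTH_DEVICE_CREDENTIAL,
                    // 2 is KeyProperties.AUTH_BIOMETRIC_STRONG.
                    int authTypes = 0;
                    if (allowedTypes.contains(UserAuthenticationType.LSKF)) {
                        authTypes |= 1;
                    }
                    if (allowedTypes.contains(UserAuthenticationType.BIOMETRIC)) {
                        authTypes |= 2;
                    }
                    if (timeoutMillis == 0) {
                        // A zero timeout asks for authentication on every use of the key.
                        spec.setUserAuthenticationParameters(0, authTypes);
                    } else {
                        // Whole seconds, with anything under one second rounded up to one.
                        spec.setUserAuthenticationParameters((int) Math.max(1L, timeoutMillis / 1000), authTypes);
                    }
                } else if (timeoutMillis == 0) {
                    // -1 is the older API's way of asking for authentication on every use.
                    spec.setUserAuthenticationValidityDurationSeconds(-1);
                } else {
                    spec.setUserAuthenticationValidityDurationSeconds((int) Math.max(1L, timeoutMillis / 1000));
                }
                spec.setInvalidatedByBiometricEnrollment(false);
            }

            // Both of these are skipped without an error on older SDK levels.
            if (settings.getUseStrongBox() && Build.VERSION.SDK_INT >= 28) {
                spec.setIsStrongBoxBacked(true);
            }
            String attestKeyAlias = settings.getAttestKeyAlias();
            if (attestKeyAlias != null && Build.VERSION.SDK_INT >= 31) {
                spec.setAttestKeyAlias(attestKeyAlias);
            }
            spec.setAttestationChallenge(settings.getAttestationChallenge());

            Instant validFrom = settings.getValidFrom();
            if (validFrom != null) {
                // A start of validity requires an end of validity as well.
                Instant validUntil = settings.getValidUntil();
                Intrinsics.checkNotNull(validUntil);
                Date notBefore = new Date(validFrom.toEpochMilliseconds());
                Date notAfter = new Date(validUntil.toEpochMilliseconds());
                spec.setKeyValidityStart(notBefore);
                spec.setCertificateNotBefore(notBefore);
                spec.setKeyValidityEnd(notAfter);
                spec.setCertificateNotAfter(notAfter);
            }

            try {
                generator.initialize(spec.build());
                generator.generateKeyPair();
                List<X509Cert> attestationChain = new ArrayList<>();
                try {
                    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    Certificate[] certificates = keyStore.getCertificateChain(alias);
                    Intrinsics.checkNotNullExpressionValue(certificates, "getCertificateChain(...)");
                    for (Certificate certificate : certificates) {
                        byte[] encoded = certificate.getEncoded();
                        Intrinsics.checkNotNullExpressionValue(encoded, "getEncoded(...)");
                        attestationChain.add(new X509Cert(encoded));
                    }
                    Logger.INSTANCE.d(TAG, "EC key with alias '" + alias + "' created");
                    saveKeyMetadata(alias, settings, new X509CertChain(attestationChain));
                } catch (Exception e) {
                    // The key pair already exists in the keystore at this point.
                    throw new IllegalStateException(e);
                }
            } catch (InvalidAlgorithmParameterException e) {
                throw new IllegalStateException(e);
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new IllegalStateException("Error creating key", e);
        }
    }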

    /**
     * Registers a key that already exists in the Android Keystore with this secure area.
     *
     * <p>No key is generated. The method reads the entry stored under {@code existingAlias},
     * rebuilds an {@code AndroidKeystoreCreateKeySettings} from the key's {@link KeyInfo}
     * (purposes, StrongBox use, user-authentication requirements) and passes those settings,
     * together with the key's certificate chain, to {@code saveKeyMetadata}.
     *
     * <p>The settings builder is constructed from an empty byte array. NOTE(review): this is
     * presumably the attestation challenge; if so, the chain recorded for an adopted key is
     * not tied to any challenge supplied through this call. Confirm against
     * {@code AndroidKeystoreCreateKeySettings.Builder}.
     *
     * @param existingAlias alias of an existing Android Keystore entry; must not be null.
     * @throws IllegalArgumentException if the keystore has no entry under {@code existingAlias}.
     * @throws IllegalStateException if reading the key, its {@link KeyInfo} or its certificate
     *     chain fails, or if saving the metadata fails; the underlying exception is the cause.
     */
    public final void createKeyForExistingAlias(String existingAlias) {
        int userAuthenticationType;
        int securityLevel;
        Intrinsics.checkNotNullParameter(existingAlias, "existingAlias");
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        KeyStore.Entry entry = keyStore.getEntry(existingAlias, null);
        if (entry == null) {
            throw new IllegalArgumentException("A key with this alias doesn't exist");
        }
        try {
            // Unchecked cast: an alias that holds something other than a private-key entry
            // raises ClassCastException here, and none of the handlers below convert it.
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            try {
                // KeyInfo describes how the keystore protects this key; getKeySpec() throws
                // InvalidKeySpecException when the key is not an Android Keystore key.
                KeyInfo keyInfo = (KeyInfo) KeyFactory.getInstance(privateKey.getAlgorithm(), "AndroidKeyStore").getKeySpec(privateKey, KeyInfo.class);
                Charset UTF_8 = StandardCharsets.UTF_8;
                Intrinsics.checkNotNullExpressionValue(UTF_8, "UTF_8");
                // Empty byte array handed to the settings builder (see the method comment).
                byte[] bytes = "".getBytes(UTF_8);
                Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
                AndroidKeystoreCreateKeySettings.Builder builder = new AndroidKeystoreCreateKeySettings.Builder(bytes);
                ArrayList arrayList = new ArrayList();
                try {
                    // The keystore is loaded a second time to read the certificate chain.
                    KeyStore keyStore2 = KeyStore.getInstance("AndroidKeyStore");
                    keyStore2.load(null);
                    Certificate[] certificateChain = keyStore2.getCertificateChain(existingAlias);
                    Intrinsics.checkNotNullExpressionValue(certificateChain, "getCertificateChain(...)");
                    // Re-wrap every certificate from its DER encoding, keeping the keystore's order.
                    for (Certificate certificate : certificateChain) {
                        byte[] encoded = certificate.getEncoded();
                        Intrinsics.checkNotNullExpressionValue(encoded, "getEncoded(...)");
                        arrayList.add(new X509Cert(encoded));
                    }
                    LinkedHashSet linkedHashSet = new LinkedHashSet();
                    int purposes = keyInfo.getPurposes();
                    // 4 is the value of KeyProperties.PURPOSE_SIGN.
                    if ((purposes & 4) != 0) {
                        linkedHashSet.add(KeyPurpose.SIGN);
                    }
                    // 64 is the value of KeyProperties.PURPOSE_AGREE_KEY.
                    if ((purposes & 64) != 0) {
                        linkedHashSet.add(KeyPurpose.AGREE_KEY);
                    }
                    // Any other purpose bits on the key are not carried into the saved settings.
                    builder.setKeyPurposes(linkedHashSet);
                    // The security level is only read on API 31+; on older releases
                    // setUseStrongBox is never called and the builder keeps its own default.
                    if (Build.VERSION.SDK_INT >= 31) {
                        securityLevel = keyInfo.getSecurityLevel();
                        // 2 is the value of KeyProperties.SECURITY_LEVEL_STRONGBOX.
                        builder.setUseStrongBox(securityLevel == 2);
                    }
                    LinkedHashSet linkedHashSet2 = new LinkedHashSet();
                    if (Build.VERSION.SDK_INT >= 30) {
                        userAuthenticationType = keyInfo.getUserAuthenticationType();
                        // 1 is the value of KeyProperties.AUTH_DEVICE_CREDENTIAL.
                        if ((userAuthenticationType & 1) != 0) {
                            linkedHashSet2.add(UserAuthenticationType.LSKF);
                        }
                        // 2 is the value of KeyProperties.AUTH_BIOMETRIC_STRONG.
                        if ((userAuthenticationType & 2) != 0) {
                            linkedHashSet2.add(UserAuthenticationType.BIOMETRIC);
                        }
                    } else {
                        // Below API 30 the key's authenticator types are not queried, so both
                        // are recorded; the saved set is then an assumption, not a value read
                        // from the key.
                        linkedHashSet2.add(UserAuthenticationType.LSKF);
                        linkedHashSet2.add(UserAuthenticationType.BIOMETRIC);
                    }
                    // Seconds to milliseconds. NOTE(review): as written this multiplies two ints
                    // before any widening; confirm the original source multiplies in long so
                    // that very long validity durations cannot wrap.
                    builder.setUserAuthenticationRequired(keyInfo.isUserAuthenticationRequired(), keyInfo.getUserAuthenticationValidityDurationSeconds() * 1000, linkedHashSet2);
                    saveKeyMetadata(existingAlias, builder.build(), new X509CertChain(arrayList));
                    Logger.INSTANCE.d(TAG, "EC existing key with alias '" + existingAlias + "' created");
                } catch (Exception e) {
                    // Anything that fails while reading the chain or saving metadata ends up here.
                    throw new IllegalStateException(e);
                }
            } catch (InvalidKeySpecException e2) {
                throw new IllegalStateException("Given key is not an Android Keystore key", e2);
            }
        } catch (IOException e3) {
            throw new IllegalStateException(e3.getMessage(), e3);
        } catch (KeyStoreException e4) {
            throw new IllegalStateException(e4.getMessage(), e4);
        } catch (NoSuchAlgorithmException e5) {
            throw new IllegalStateException(e5.getMessage(), e5);
        } catch (NoSuchProviderException e6) {
            throw new IllegalStateException(e6.getMessage(), e6);
        } catch (UnrecoverableEntryException e7) {
            throw new IllegalStateException(e7.getMessage(), e7);
        } catch (CertificateException e8) {
            throw new IllegalStateException(e8.getMessage(), e8);
        }
    }

    /**
     * Deletes the key stored under {@code alias} from the Android Keystore and removes its
     * metadata record ({@code PREFIX + alias}) from the storage engine.
     *
     * <p>When the keystore has no such alias, a warning is logged and the method returns; the
     * storage-engine record is not touched on that path.
     *
     * @param alias alias of the key to delete; must not be null.
     * @throws IllegalStateException if the keystore cannot be loaded or the entry cannot be
     *     deleted; the underlying exception is the cause.
     */
    @Override // com.android.identity.securearea.SecureArea
    public void deleteKey(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            if (androidKeyStore.containsAlias(alias)) {
                // The keystore entry goes first, then the metadata record that describes it.
                androidKeyStore.deleteEntry(alias);
                this.storageEngine.delete(PREFIX + alias);
                Logger.INSTANCE.d(TAG, "EC key with alias '" + alias + "' deleted");
            } else {
                Logger.INSTANCE.w(TAG, "Key with alias '" + alias + "' doesn't exist");
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalStateException("Error loading keystore", e);
        }
    }

    /**
     * Returns the fixed, human-readable name of this secure area.
     *
     * @return the string {@code "Android Keystore Secure Area"}.
     */
    @Override // com.android.identity.securearea.SecureArea
    public String getDisplayName() {
        final String displayName = "Android Keystore Secure Area";
        return displayName;
    }

    /**
     * Returns the fixed identifier of this secure area implementation.
     *
     * @return the string {@code "AndroidKeystoreSecureArea"}.
     */
    @Override // com.android.identity.securearea.SecureArea
    public String getIdentifier() {
        final String identifier = "AndroidKeystoreSecureArea";
        return identifier;
    }

    /**
     * Builds the {@code AndroidKeystoreKeyInfo} for the key stored under {@code alias}.
     *
     * <p>The result combines two sources. The CBOR metadata returned by {@code loadKey}
     * supplies the key purposes, the user-authentication flag and timeout, the StrongBox
     * flag, the optional attest-key alias and the attestation certificate chain. The
     * keystore's {@link KeyInfo} supplies the validity dates and, on API 30 and later, the
     * user-authentication types. The public key is taken from the first certificate of the
     * stored chain.
     *
     * @param alias alias of the key; must not be null.
     * @return the assembled key information.
     * @throws IllegalStateException if anything fails after the key was loaded; the
     *     underlying exception is the cause.
     */
    @Override // com.android.identity.securearea.SecureArea
    public AndroidKeystoreKeyInfo getKeyInfo(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Pair<KeyStore.Entry, byte[]> loaded = loadKey(alias);
        KeyStore.Entry entry = loaded.component1();
        byte[] encodedMetadata = loaded.component2();
        try {
            Intrinsics.checkNotNull(entry, "null cannot be cast to non-null type java.security.KeyStore.PrivateKeyEntry");
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            KeyInfo keystoreInfo = (KeyInfo) KeyFactory.getInstance(privateKey.getAlgorithm(), "AndroidKeyStore").getKeySpec(privateKey, KeyInfo.class);

            // Settings that were written to storage when the key was registered.
            DataItem metadata = Cbor.INSTANCE.decode(encodedMetadata);
            Set<KeyPurpose> purposes = KeyPurposeKt.getKeyPurposeSet(metadata.get("keyPurposes").getAsNumber());
            boolean authRequired = metadata.get("userAuthenticationRequired").getAsBoolean();
            long authTimeoutMillis = metadata.get("userAuthenticationTimeoutMillis").getAsNumber();
            boolean strongBoxBacked = metadata.get("useStrongBox").getAsBoolean();
            DataItem attestKeyAliasItem = metadata.getOrNull("attestKeyAlias");
            String attestKeyAlias = null;
            if (attestKeyAliasItem != null) {
                attestKeyAlias = attestKeyAliasItem.getAsTstr();
            }

            // Validity bounds come from the keystore; either of them may be absent.
            java.util.Date validityStart = keystoreInfo.getKeyValidityStart();
            Instant validFrom = validityStart == null
                    ? null
                    : Instant.INSTANCE.fromEpochMilliseconds(validityStart.getTime());
            java.util.Date originationEnd = keystoreInfo.getKeyValidityForOriginationEnd();
            Instant validUntil = originationEnd == null
                    ? null
                    : Instant.INSTANCE.fromEpochMilliseconds(originationEnd.getTime());

            X509CertChain attestationChain = metadata.get("attestation").getAsX509CertChain();
            EcPublicKey publicKey = ((X509Cert) CollectionsKt.first((List) attestationChain.getCertificates())).getEcPublicKey();

            LinkedHashSet<UserAuthenticationType> authTypes = new LinkedHashSet<>();
            if (Build.VERSION.SDK_INT < 30) {
                // The authenticator types are not queried below API 30; both are reported.
                authTypes.add(UserAuthenticationType.LSKF);
                authTypes.add(UserAuthenticationType.BIOMETRIC);
            } else {
                int authTypeBits = keystoreInfo.getUserAuthenticationType();
                // Bit 1 is KeyProperties.AUTH_DEVICE_CREDENTIAL.
                if ((authTypeBits & 1) != 0) {
                    authTypes.add(UserAuthenticationType.LSKF);
                }
                // Bit 2 is KeyProperties.AUTH_BIOMETRIC_STRONG.
                if ((authTypeBits & 2) != 0) {
                    authTypes.add(UserAuthenticationType.BIOMETRIC);
                }
            }
            KeyAttestation attestation = new KeyAttestation(publicKey, attestationChain);
            return new AndroidKeystoreKeyInfo(publicKey, attestation, purposes, attestKeyAlias, authRequired, authTimeoutMillis, authTypes, strongBoxBacked, validFrom, validUntil);
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Reports whether the key stored under {@code alias} has been invalidated.
     *
     * <p>The check is a call to {@code loadKey}: the key counts as invalidated only when that
     * call throws {@code KeyInvalidatedException}. Any other exception from {@code loadKey}
     * propagates to the caller unchanged.
     *
     * @param alias alias of the key; must not be null.
     * @return {@code true} if loading the key reports invalidation, {@code false} if it loads.
     */
    @Override // com.android.identity.securearea.SecureArea
    public boolean getKeyInvalidated(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        boolean invalidated = false;
        try {
            loadKey(alias);
        } catch (KeyInvalidatedException ignored) {
            // Invalidation is the answer this method exists to give, not an error.
            invalidated = true;
        }
        return invalidated;
    }

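    /**
     * Runs ECDH in the Android Keystore between the private key stored under {@code alias}
     * and {@code otherKey}.
     *
     * <p>The returned bytes are the raw shared secret from {@code generateSecret()}; deriving
     * working keys from it (for example with a KDF) is left to the caller.
     * {@code keyUnlockData} is not consulted by this method.
     *
     * @param alias alias of the private key; must not be null.
     * @param otherKey the peer's public key; must not be null.
     * @param keyUnlockData unused here.
     * @return the raw ECDH shared secret.
     * @throws KeyLockedException if the keystore reports that the user has not authenticated
     *     for this key.
     * @throws IllegalArgumentException for any other failure; the underlying exception is the
     *     cause.
     */
    @Override // com.android.identity.securearea.SecureArea
    public byte[] keyAgreement(String alias, EcPublicKey otherKey, KeyUnlockData keyUnlockData) throws KeyLockedException {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Intrinsics.checkNotNullParameter(otherKey, "otherKey");
        KeyStore.Entry component1 = loadKey(alias).component1();
        try {
            Intrinsics.checkNotNull(component1, "null cannot be cast to non-null type java.security.KeyStore.PrivateKeyEntry");
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) component1).getPrivateKey();
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH", "AndroidKeyStore");
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(EcPublicKeyJvmKt.getJavaPublicKey(otherKey), true);
            return keyAgreement.generateSecret();
        } catch (UserNotAuthenticatedException e) {
            throw new KeyLockedException("User not authenticated", e);
        } catch (ProviderException e2) {
            // The locked-key condition can also arrive as a ProviderException whose cause
            // carries the text below. A cause without a message is treated as "not that
            // condition" rather than dereferenced: a null message used to raise a
            // NullPointerException from this handler and hide the provider error.
            Throwable cause = e2.getCause();
            String message = cause != null ? cause.getMessage() : null;
            if (message != null && message.startsWith("Key user not authenticated")) {
                throw new KeyLockedException("User not authenticated", e2);
            }
            throw new IllegalArgumentException(e2);
        } catch (Exception e3) {
            throw new IllegalArgumentException(e3);
        }
    }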

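    /**
     * Signs {@code dataToSign} with the key stored under {@code alias}.
     *
     * <p>Two paths exist. If {@code keyUnlockData} carries a {@link Signature} object, that
     * object is used as it is (presumably it was initialised and authorised by the caller
     * before this call; confirm against {@code AndroidKeystoreKeyUnlockData}). Before it is
     * used, the unlock data's alias and signature algorithm are compared with the arguments,
     * so unlock data prepared for one key or algorithm is rejected for another. Otherwise a
     * new {@link Signature} is created and initialised with the keystore private key.
     *
     * <p>The DER signature is converted using the curve recorded in the key's stored metadata.
     *
     * @param alias alias of the signing key; must not be null.
     * @param signatureAlgorithm algorithm to sign with; must not be null.
     * @param dataToSign bytes to sign; must not be null.
     * @param keyUnlockData optional unlock data; may be null.
     * @return the signature.
     * @throws KeyLockedException if the keystore reports that the user has not authenticated
     *     for this key (second path only).
     * @throws IllegalArgumentException if the unlock data's alias or algorithm differs from
     *     the arguments, or for failures other than {@link SignatureException} on the second
     *     path.
     * @throws IllegalStateException if signing fails with a {@link SignatureException} that
     *     does not indicate a locked key.
     */
    @Override // com.android.identity.securearea.SecureArea
    public EcSignature sign(String alias, Algorithm signatureAlgorithm, byte[] dataToSign, KeyUnlockData keyUnlockData) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Intrinsics.checkNotNullParameter(signatureAlgorithm, "signatureAlgorithm");
        Intrinsics.checkNotNullParameter(dataToSign, "dataToSign");
        Pair<KeyStore.Entry, byte[]> loadKey = loadKey(alias);
        KeyStore.Entry component1 = loadKey.component1();
        EcCurve fromInt = EcCurve.INSTANCE.fromInt((int) Cbor.INSTANCE.decode(loadKey.component2()).get("curve").getAsNumber());
        if (keyUnlockData != null) {
            // Unchecked cast: unlock data of any other type raises ClassCastException here.
            AndroidKeystoreKeyUnlockData androidKeystoreKeyUnlockData = (AndroidKeystoreKeyUnlockData) keyUnlockData;
            // Unlock data is bound to one alias; refuse to use it for a different key.
            if (!Intrinsics.areEqual(androidKeystoreKeyUnlockData.getAlias(), alias)) {
                throw new IllegalArgumentException(("keyUnlockData has alias " + androidKeystoreKeyUnlockData.getAlias() + " which differs from passed-in alias " + alias).toString());
            }
            if (androidKeystoreKeyUnlockData.getSignature() != null) {
                // The Signature object was set up for one algorithm; it must match the request.
                if (androidKeystoreKeyUnlockData.getSignatureAlgorithm() != signatureAlgorithm) {
                    throw new IllegalArgumentException(("keyUnlockData has signature algorithm " + androidKeystoreKeyUnlockData.getSignatureAlgorithm() + " which differs from passed-in algorithm " + signatureAlgorithm).toString());
                }
                try {
                    Signature signature = androidKeystoreKeyUnlockData.getSignature();
                    Intrinsics.checkNotNull(signature);
                    signature.update(dataToSign);
                    Signature signature2 = androidKeystoreKeyUnlockData.getSignature();
                    Intrinsics.checkNotNull(signature2);
                    byte[] sign = signature2.sign();
                    Companion companion = INSTANCE;
                    Intrinsics.checkNotNull(sign);
                    return companion.signatureFromDer$identity_android_release(fromInt, sign);
                } catch (SignatureException e) {
                    throw new IllegalStateException(e.getMessage(), e);
                }
            }
        }
        try {
            Intrinsics.checkNotNull(component1, "null cannot be cast to non-null type java.security.KeyStore.PrivateKeyEntry");
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) component1).getPrivateKey();
            Companion companion2 = INSTANCE;
            Signature signature3 = Signature.getInstance(companion2.getSignatureAlgorithmName$identity_android_release(signatureAlgorithm));
            signature3.initSign(privateKey);
            signature3.update(dataToSign);
            byte[] sign2 = signature3.sign();
            Intrinsics.checkNotNull(sign2);
            return companion2.signatureFromDer$identity_android_release(fromInt, sign2);
        } catch (UserNotAuthenticatedException e2) {
            throw new KeyLockedException("User not authenticated", e2);
        } catch (SignatureException e3) {
            // The locked-key condition can also arrive as a SignatureException whose message
            // starts with the text below. A null message is treated as "not that condition"
            // rather than dereferenced: it used to raise a NullPointerException from this
            // handler and hide the signing error.
            String message = e3.getMessage();
            if (message != null && message.startsWith("android.security.KeyStoreException: Key user not authenticated")) {
                throw new KeyLockedException("User not authenticated", e3);
            }
            throw new IllegalStateException(message, e3);
        } catch (Exception e4) {
            throw new IllegalArgumentException(e4);
        }
    }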
}
