package at.asitplus.utils;

import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.util.Log;
import at.asitplus.checklib.AuthCheckStatus;
import at.asitplus.checklib.AuthChecks;
import at.asitplus.common.AuthSelection;
import at.asitplus.common.exception.detail.InsufficientCapabilitiesException;
import at.asitplus.common.exception.detail.UnsupportedAuthenticationSelectionException;
import at.asitplus.common.exception.internal.CryptoException;
import at.asitplus.oegvat.R;
import at.asitplus.utils.KeyStoreService;
import at.asitplus.utils.biometrics.BiometricAuthenticationDialog;
import at.asitplus.utils.devicecapabilty.DeviceCapabilityCheck;
import at.atrust.mobsig.library.constants.GetTanConst;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes4.dex */
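/**
 * {@link KeyStoreService} implementation on top of the Android KeyStore provider.
 *
 * <p>Two keystore entries are managed: the binding key pair under {@code keyAlias}, which signs
 * JWS objects after the user has passed a biometric / device-credential prompt, and the binding
 * certificate under {@code certAlias}, whose DER encoding is placed into the X.509 chain header
 * ({@code x5c}) of every JWS. Synchronous operations log failures and rethrow them as
 * {@link CryptoException}; the asynchronous, dialog-driven operations report them through the
 * supplied {@link KeyStoreService.CallbackError} instead.
 *
 * <p>There is no synchronisation around {@link #tempKeyCreationError}, which is written by
 * {@link #generateKeyPair(int, String, boolean, int, byte[], AuthSelection)} and read by
 * {@link #loadAttestationChain()}; callers are expected to use one instance from one thread.
 */
public class AndroidKeyStoreService implements KeyStoreService {
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    public static final String BINDING_CERT_ALIAS = "binding-cert";
    public static final String BINDING_KEY_ALIAS = "binding-key";
    public static final String CHECK_BINDING_CERT_ALIAS = "check-binding-cert";
    public static final String CHECK_BINDING_KEY_ALIAS = "check-binding-key";
    public static final String DEMO_VDA_ALIAS = "demo-vda-key";
    private static final Logger log = LoggerFactory.getLogger(AndroidKeyStoreService.class);

    // KeyGenParameterSpec purposes: KeyProperties.PURPOSE_SIGN (4) | KeyProperties.PURPOSE_VERIFY (8).
    private static final int PURPOSES_SIGN_VERIFY = 12;
    // KeyProperties.AUTH_DEVICE_CREDENTIAL / AUTH_BIOMETRIC_STRONG, the flags taken by
    // setUserAuthenticationParameters() on API 30+.
    private static final int AUTH_DEVICE_CREDENTIAL = 1;
    private static final int AUTH_BIOMETRIC_STRONG = 2;
    // JOSE "typ" header value marking a JWS produced for eID binding authentication.
    private static final String BINDING_AUTH_JOSE_TYPE = "bindingAuth";

    private final Activity activity;
    private final String certAlias;
    private final DeviceCapabilityCheck deviceCapabilityCheck;
    private final String keyAlias;
    // Description of the last failed *attested* key generation (class name, message, stack
    // trace). Reported by loadAttestationChain() in place of a chain; never cleared.
    private String tempKeyCreationError;

    /**
     * @param activity host activity used for application context and the biometric dialogs
     * @param deviceCapabilityCheck capability / enrolment checks run before key use and creation
     * @param str alias of the binding key entry
     * @param str2 alias of the binding certificate entry
     */
    public AndroidKeyStoreService(Activity activity, DeviceCapabilityCheck deviceCapabilityCheck, String str, String str2) {
        this.activity = activity;
        this.deviceCapabilityCheck = deviceCapabilityCheck;
        this.keyAlias = str;
        this.certAlias = str2;
    }

    /**
     * Loads the binding certificate and fails loudly when none is stored, instead of letting the
     * JWS builders run into a {@link NullPointerException} on {@code getEncoded()}.
     */
    private X509CertificateHolder requireCertificate() throws CryptoException {
        X509CertificateHolder certificate = loadCertificate();
        if (certificate == null) {
            throw new CryptoException("No binding certificate stored under alias " + this.certAlias);
        }
        return certificate;
    }

    /**
     * Builds an unsigned JWS for eID authentication: {@code typ=bindingAuth}, the binding
     * certificate as single-element {@code x5c} chain, and the given payload.
     */
    private JWSObject buildJwsObject(Payload payload, JWSAlgorithm jwsAlgorithm) throws Exception {
        X509CertificateHolder certificate = requireCertificate();
        JWSHeader header = new JWSHeader.Builder(jwsAlgorithm)
                .x509CertChain(Collections.singletonList(Base64.encode(certificate.getEncoded())))
                .type(new JOSEObjectType(BINDING_AUTH_JOSE_TYPE))
                .build();
        return new JWSObject(header, payload);
    }

    /**
     * Builds an unsigned JWT for SAML authentication: the binding certificate as {@code x5c}
     * chain, and the given claims with {@code sub} overwritten by the certificate's subject DN.
     */
    private JWSObject buildJwsObject(JWTClaimsSet claims, JWSAlgorithm jwsAlgorithm) throws Exception {
        X509CertificateHolder certificate = requireCertificate();
        JWSHeader header = new JWSHeader.Builder(jwsAlgorithm)
                .x509CertChain(Collections.singletonList(Base64.encode(certificate.getEncoded())))
                .build();
        JWTClaimsSet subjectClaims = new JWTClaimsSet.Builder(claims)
                .subject(certificate.getSubject().toString())
                .build();
        return new SignedJWT(header, subjectClaims);
    }

    /**
     * Returns the {@link Signature} to bind to the biometric prompt for CSR signing, or
     * {@code null} when {@code validitySeconds} is positive.
     *
     * <p>Presumably a positive value means the key was created with an authentication validity
     * window, in which case the prompt does not need a crypto object — TODO confirm against the
     * caller of {@link #generateCsr}.
     */
    private Signature getCryptoObject(KeyPair keyPair, String signatureAlgorithm, int validitySeconds)
            throws NoSuchAlgorithmException, InvalidKeyException {
        if (validitySeconds > 0) {
            return null;
        }
        Signature signature = Signature.getInstance(signatureAlgorithm);
        signature.initSign(keyPair.getPrivate());
        return signature;
    }

    /** JWS algorithm matching the key type: ES256 for EC keys, RS256 otherwise. */
    private JWSAlgorithm getJwsAlgorithm(PrivateKey privateKey) {
        if (privateKey instanceof ECKey) {
            return JWSAlgorithm.ES256;
        }
        return JWSAlgorithm.RS256;
    }

    /** JCA signature algorithm matching the key type; pairs with {@link #getJwsAlgorithm}. */
    private String getSignatureAlgorithm(Key key) {
        if (key instanceof ECKey) {
            return "SHA256withECDSA";
        }
        return "SHA256withRSA";
    }

    /**
     * Loads the binding private key from the Android KeyStore.
     *
     * <p>Any keystore failure, and a missing or non-private-key entry, is reported as
     * {@link KeyPermanentlyInvalidatedException} — the type the signing paths treat as "key no
     * longer usable". The original failure is kept as the cause.
     */
    private PrivateKey loadKey() throws KeyPermanentlyInvalidatedException {
        log.debug("loadKey: " + this.keyAlias);
        Key key;
        try {
            key = loadKeyStore().getKey(this.keyAlias, null);
        } catch (Throwable th) {
            log.warn("loadKey: error", th);
            throw new KeyPermanentlyInvalidatedException(th.getMessage(), th);
        }
        if (!(key instanceof PrivateKey)) {
            log.warn("loadKey: no private key stored under alias '{}'", this.keyAlias);
            throw new KeyPermanentlyInvalidatedException("No private key stored under alias " + this.keyAlias);
        }
        return (PrivateKey) key;
    }

    /** Opens the Android KeyStore; it needs no stream or password to load. */
    private KeyStore loadKeyStore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
        keyStore.load(null, null);
        return keyStore;
    }

    /**
     * Shows the biometric / credential prompt that signs {@code jwsObject} with the binding key.
     *
     * <p>Below and above API 29 the {@link Signature} is initialised here and handed to the dialog
     * as crypto object. On API 29 it is handed over uninitialised together with the key — the
     * dialog presumably performs the key binding itself on that version.
     *
     * @throws KeyPermanentlyInvalidatedException (an {@link InvalidKeyException}) if no usable key
     *     is available
     * @throws InsufficientCapabilitiesException presumably from {@code performCapabilityChecks()}
     */
    private void showFingerprintDialogForJws(KeyStoreService.SignJwsCallback signJwsCallback,
            KeyStoreService.CallbackError callbackError, PrivateKey privateKey, JWSAlgorithm jwsAlgorithm,
            JWSObject jwsObject, CharSequence fingerprintTitle, CharSequence extBiometricsTitle,
            CharSequence detailText)
            throws NoSuchAlgorithmException, InsufficientCapabilitiesException, InvalidKeyException {
        log.info("showFingerprintDialogForJws called");
        if (privateKey == null) {
            // Checked for both branches; previously the API 29 path passed a null key on.
            throw new KeyPermanentlyInvalidatedException("Key not longer usable.");
        }
        Signature signature = Signature.getInstance(getSignatureAlgorithm(privateKey));
        AuthSelection authSelection = AuthSelection.loadAuthSelection(this.activity.getApplicationContext());
        this.deviceCapabilityCheck.performCapabilityChecks();
        SignJwsFingerprintCallback dialogCallback =
                new SignJwsFingerprintCallback(jwsObject, jwsAlgorithm, signJwsCallback, callbackError);
        if (Build.VERSION.SDK_INT == 29) {
            BiometricAuthenticationDialog dialog = new BiometricAuthenticationDialog(fingerprintTitle,
                    extBiometricsTitle, detailText, signature, dialogCallback, this.activity, authSelection);
            dialog.launchSupportedDialogAPI29(loadKey());
        } else {
            signature.initSign(privateKey);
            BiometricAuthenticationDialog dialog = new BiometricAuthenticationDialog(fingerprintTitle,
                    extBiometricsTitle, detailText, signature, dialogCallback, this.activity, authSelection);
            dialog.launchSupportedDialog();
        }
    }

    /**
     * Deletes both the binding key and the binding certificate entry.
     *
     * @throws CryptoException on any keystore failure
     */
    @Override
    public void destroyBinding() throws CryptoException {
        try {
            log.debug("destroyBinding: " + this.keyAlias + ", " + this.certAlias);
            KeyStore keyStore = loadKeyStore();
            keyStore.deleteEntry(this.keyAlias);
            keyStore.deleteEntry(this.certAlias);
        } catch (Throwable th) {
            log.warn("destroyBinding: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Launches the prompt that signs a CSR with {@code keyPair}; the result is delivered through
     * {@code generateCsrCallback}, failures through {@code callbackError}.
     *
     * @param str logged and forwarded to the CSR callback; presumably the CSR subject — TODO confirm
     * @param i forwarded to {@link #getCryptoObject}; presumably the key's authentication validity
     *     in seconds — TODO confirm
     */
    @Override
    public void generateCsr(KeyPair keyPair, String str, int i, AuthSelection authSelection,
            KeyStoreService.GenerateCsrCallback generateCsrCallback, KeyStoreService.CallbackError callbackError) {
        log.debug("generateCsr: " + str);
        try {
            String signatureAlgorithm = getSignatureAlgorithm(keyPair.getPrivate());
            Signature cryptoObject = getCryptoObject(keyPair, signatureAlgorithm, i);
            CsrFingerprintCallback dialogCallback =
                    new CsrFingerprintCallback(str, keyPair, signatureAlgorithm, generateCsrCallback, callbackError);
            BiometricAuthenticationDialog dialog = new BiometricAuthenticationDialog(
                    this.activity.getApplicationContext().getText(R.string.dialog_binding_create_title),
                    null, null, cryptoObject, dialogCallback, this.activity, authSelection);
            if (Build.VERSION.SDK_INT == 29) {
                dialog.launchSupportedDialogAPI29(keyPair.getPrivate());
            } else {
                dialog.launchSupportedDialog();
            }
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            // One handler for the whole flow so that no failure goes unreported to the caller.
            log.error("generateCsr: Error", e);
            callbackError.error(e);
        }
    }

    /** Same as the six-argument overload with {@link AuthSelection#ONLY_BIOMETRY}. */
    @Override
    public KeyPair generateKeyPair(int i, String str, boolean z, int i2, byte[] bArr)
            throws CryptoException, UnsupportedAuthenticationSelectionException {
        return generateKeyPair(i, str, z, i2, bArr, AuthSelection.ONLY_BIOMETRY);
    }

    /**
     * Generates the binding key pair under {@code keyAlias} in the Android KeyStore
     * (sign/verify purposes, SHA-256 digest, self-signed certificate {@code CN=<keyAlias>}).
     *
     * @param i key size in bits
     * @param str key type, {@code "EC"} or {@code "RSA"} (RSA keys get PKCS#1 and PSS padding)
     * @param z whether the key may only be used after user authentication
     * @param i2 validity window in seconds after a successful authentication; see
     *     {@link #isKeySuitableForJwtAuth()} for how {@code <= 0} is interpreted
     * @param bArr attestation challenge, or {@code null} for an unattested key
     * @param authSelection which authentication factors unlock the key
     * @return the generated key pair
     * @throws UnsupportedAuthenticationSelectionException if this Android version cannot enforce
     *     {@code authSelection}
     * @throws CryptoException for an unknown key type or any keystore failure. When {@code bArr}
     *     is non-null a failed attested generation is remembered in {@code tempKeyCreationError}
     *     and retried once without a challenge, i.e. an unattested key may be returned.
     */
    @Override
    public KeyPair generateKeyPair(int i, String str, boolean z, int i2, byte[] bArr, AuthSelection authSelection)
            throws CryptoException, UnsupportedAuthenticationSelectionException {
        log.info(String.format(Locale.ENGLISH, "generateKeyPair: %s, %d, %s, %b, %s, %s, %s",
                this.keyAlias, Integer.valueOf(i), str, Boolean.valueOf(z), Integer.valueOf(i2),
                Arrays.toString(bArr), authSelection));
        // Validated outside the retry scope: dropping the attestation challenge cannot fix this.
        if (!Objects.equals(str, "EC") && !Objects.equals(str, "RSA")) {
            log.warn("Unexpected keyType '{}'", str);
            throw new CryptoException("KeyType");
        }
        try {
            log.info("generateKeyPair: Loaded keystore '{}'", loadKeyStore());
            KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(this.keyAlias, PURPOSES_SIGN_VERIFY)
                    .setKeySize(i)
                    .setDigests("SHA-256")
                    .setCertificateNotBefore(new Date())
                    .setCertificateSubject(new X500Principal("CN=" + this.keyAlias));
            if (Objects.equals(str, "RSA")) {
                builder.setSignaturePaddings("PKCS1", "PSS");
            }
            if (z) {
                configureUserAuthentication(builder, authSelection, i2);
            }
            if (bArr != null) {
                log.info("generateKeyPair: setAttestationChallenge with '{}'", Arrays.toString(bArr));
                builder.setAttestationChallenge(bArr);
            }
            KeyPairGenerator generator = KeyPairGenerator.getInstance(str, ANDROID_KEY_STORE);
            generator.initialize(builder.build());
            return generator.generateKeyPair();
        } catch (UnsupportedAuthenticationSelectionException e) {
            log.warn("generateKeyPair: error", (Throwable) e);
            throw e;
        } catch (Throwable th) {
            log.warn("generateKeyPair: error", th);
            if (bArr == null) {
                throw new CryptoException(th);
            }
            // Attested generation failed. Record why — loadAttestationChain() reports it instead
            // of a chain — and fall back to a key without attestation challenge.
            this.tempKeyCreationError = th.getClass().getName() + "\n" + th.getMessage() + "\n"
                    + Log.getStackTraceString(th);
            return generateKeyPair(i, str, z, i2, null, authSelection);
        }
    }

    /**
     * Applies the user-authentication policy for {@code authSelection} to {@code builder},
     * running the matching device capability checks first. The supported combinations depend on
     * the Android version:
     * <ul>
     *   <li>API &lt;= 28: biometrics only, validity window, invalidated on new enrolment (API 24+)</li>
     *   <li>API 29: biometrics, or biometrics + PIN; PIN alone is rejected</li>
     *   <li>API 30+: all three, via {@code setUserAuthenticationParameters}</li>
     * </ul>
     * NOTE(review): an {@code authSelection} value not matched below leaves the builder with only
     * {@code setUserAuthenticationRequired(true)} — confirm whether further enum values exist.
     *
     * @throws UnsupportedAuthenticationSelectionException if the version cannot enforce the selection
     * @throws Exception whatever the capability checks throw
     */
    private void configureUserAuthentication(KeyGenParameterSpec.Builder builder, AuthSelection authSelection,
            int validitySeconds) throws Exception {
        AuthCheckStatus status = AuthChecks.getCurrentStatus(this.activity.getApplicationContext());
        log.info("generateKeyPair: setUserAuthenticationRequired with true");
        builder.setUserAuthenticationRequired(true);
        int sdk = Build.VERSION.SDK_INT;
        if (sdk <= 28) {
            if (authSelection != AuthSelection.ONLY_BIOMETRY) {
                log.warn("Unsupported authSelection '{}': only biometric authentication is supported in this Android version", authSelection);
                throw new UnsupportedAuthenticationSelectionException("Android Version only supports Biometric Authentication");
            }
            this.deviceCapabilityCheck.checkBiometry(status);
            log.info("generateKeyPair: setUserAuthenticationValidityDurationSeconds with '{}'", Integer.valueOf(validitySeconds));
            builder.setUserAuthenticationValidityDurationSeconds(validitySeconds);
            if (sdk >= 24) {
                // setInvalidatedByBiometricEnrollment() only exists from API 24 on.
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with true");
                builder.setInvalidatedByBiometricEnrollment(true);
            }
        } else if (sdk == 29) {
            if (authSelection == AuthSelection.BIOMETRY_AND_PIN) {
                this.deviceCapabilityCheck.checkBiometry(status);
                this.deviceCapabilityCheck.checkPIN(status);
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with false");
                builder.setInvalidatedByBiometricEnrollment(false);
                log.info("generateKeyPair: setUserAuthenticationValidityDurationSeconds with '{}'", Integer.valueOf(validitySeconds));
                builder.setUserAuthenticationValidityDurationSeconds(validitySeconds);
            } else if (authSelection == AuthSelection.ONLY_PIN) {
                log.warn("Android Version does not support only PIN");
                throw new UnsupportedAuthenticationSelectionException("Android Version does not support only PIN");
            } else if (authSelection == AuthSelection.ONLY_BIOMETRY) {
                this.deviceCapabilityCheck.checkBiometry(status);
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with true");
                builder.setInvalidatedByBiometricEnrollment(true);
                log.info("generateKeyPair: setUserAuthenticationValidityDurationSeconds with '{}'", Integer.valueOf(validitySeconds));
                builder.setUserAuthenticationValidityDurationSeconds(validitySeconds);
            }
        } else if (sdk >= 30) {
            if (authSelection == AuthSelection.BIOMETRY_AND_PIN) {
                this.deviceCapabilityCheck.checkBiometry(status);
                this.deviceCapabilityCheck.checkPIN(status);
                log.info("generateKeyPair: setUserAuthenticationParameters with '{}'", Integer.valueOf(validitySeconds));
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with false");
                builder.setUserAuthenticationParameters(validitySeconds, AUTH_BIOMETRIC_STRONG | AUTH_DEVICE_CREDENTIAL)
                        .setInvalidatedByBiometricEnrollment(false);
            } else if (authSelection == AuthSelection.ONLY_BIOMETRY) {
                this.deviceCapabilityCheck.checkBiometry(status);
                log.info("generateKeyPair: setUserAuthenticationParameters with '{}'", Integer.valueOf(validitySeconds));
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with true");
                builder.setUserAuthenticationParameters(validitySeconds, AUTH_BIOMETRIC_STRONG)
                        .setInvalidatedByBiometricEnrollment(true);
            } else if (authSelection == AuthSelection.ONLY_PIN) {
                this.deviceCapabilityCheck.checkPIN(status);
                log.info("generateKeyPair: setUserAuthenticationParameters with '{}'", Integer.valueOf(validitySeconds));
                log.info("generateKeyPair: setInvalidatedByBiometricEnrollment with false");
                builder.setUserAuthenticationParameters(validitySeconds, AUTH_DEVICE_CREDENTIAL)
                        .setInvalidatedByBiometricEnrollment(false);
            }
        }
    }

    /**
     * Reports whether the binding key was created without an authentication validity window
     * ({@code getUserAuthenticationValidityDurationSeconds() <= 0}), which is what the
     * crypto-object-bound JWS signing prompts require.
     *
     * @throws CryptoException if the key is missing or its {@link KeyInfo} cannot be read
     */
    @Override
    public boolean isKeySuitableForJwtAuth() throws CryptoException {
        try {
            PrivateKey key = loadKey();
            KeyInfo keyInfo = (KeyInfo) KeyFactory.getInstance(key.getAlgorithm(), ANDROID_KEY_STORE)
                    .getKeySpec(key, KeyInfo.class);
            boolean suitable = keyInfo.getUserAuthenticationValidityDurationSeconds() <= 0;
            log.debug("isKeySuitableForJwtAuth: returns " + suitable);
            return suitable;
        } catch (Throwable th) {
            log.warn("isKeySuitableForJwtAuth: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Returns the DER-encoded attestation certificate chain of the binding key.
     *
     * <p>If an attested key generation failed earlier (see {@code tempKeyCreationError}), the
     * result is instead {@code [ERROR_KEY, <error text>]}; note that the error text carries the
     * failure's class name, message and stack trace. Returns {@code null} — as the existing
     * callers expect — when no key is stored, the chain is absent, or the keystore fails.
     */
    @Override
    public List<byte[]> loadAttestationChain() {
        try {
            log.debug("loadAttestationChain: " + this.keyAlias);
            // Opened first so that a broken keystore yields null, even when an error is recorded.
            KeyStore keyStore = loadKeyStore();
            String creationError = this.tempKeyCreationError;
            if (creationError != null) {
                log.debug("Returning key creation error: {}", creationError);
                List<byte[]> errorEntry = new ArrayList<>(2);
                errorEntry.add(GetTanConst.ERROR_KEY.getBytes(StandardCharsets.UTF_8));
                errorEntry.add(creationError.getBytes(StandardCharsets.UTF_8));
                return errorEntry;
            }
            if (!keyStore.containsAlias(this.keyAlias)) {
                return null;
            }
            Certificate[] chain = keyStore.getCertificateChain(this.keyAlias);
            if (chain == null) {
                return null;
            }
            List<byte[]> encodedChain = new ArrayList<>(chain.length);
            for (Certificate certificate : chain) {
                encodedChain.add(certificate.getEncoded());
            }
            return encodedChain;
        } catch (Throwable th) {
            log.warn("loadAttestationChain: error", th);
            return null;
        }
    }

    /**
     * Loads the binding certificate stored under {@code certAlias}.
     *
     * @return the certificate, or {@code null} when no such entry exists
     * @throws CryptoException on any keystore or decoding failure
     */
    @Override
    public X509CertificateHolder loadCertificate() throws CryptoException {
        try {
            log.debug("loadCertificate: " + this.certAlias);
            KeyStore keyStore = loadKeyStore();
            if (!keyStore.containsAlias(this.certAlias)) {
                return null;
            }
            Certificate certificate = keyStore.getCertificate(this.certAlias);
            if (certificate == null) {
                return null;
            }
            return new X509CertificateHolder(certificate.getEncoded());
        } catch (Throwable th) {
            log.warn("loadCertificate: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Signs {@code payload} as a {@code bindingAuth} JWS with the binding key behind the
     * biometric prompt; the signed object is delivered via {@code signJwsCallback}.
     *
     * <p>Every failure on this path — capability checks, missing key or certificate, dialog
     * set-up — is logged and handed to {@code callbackError}; nothing is swallowed.
     *
     * @param str inserted into the dialog titles; presumably the relying party's name — TODO confirm
     * @param str2 optional detail text for the dialog, may be {@code null}
     */
    @Override
    public void signJwsForEidAuth(String str, String str2, Payload payload,
            KeyStoreService.SignJwsCallback signJwsCallback, KeyStoreService.CallbackError callbackError) {
        log.info("signJwsForEidAuth: '{}', '{}'", this.keyAlias, this.certAlias);
        try {
            this.deviceCapabilityCheck.performCapabilityChecks();
            PrivateKey key = loadKey();
            JWSAlgorithm jwsAlgorithm = getJwsAlgorithm(key);
            JWSObject jwsObject = buildJwsObject(payload, jwsAlgorithm);
            Context context = this.activity.getApplicationContext();
            CharSequence detailText = str2 != null ? context.getString(R.string.dialog_auth_detail, str2) : null;
            showFingerprintDialogForJws(signJwsCallback, callbackError, key, jwsAlgorithm, jwsObject,
                    context.getString(R.string.dialog_auth_fingerprint_title, str),
                    context.getString(R.string.dialog_auth_extBiometrics_title, str),
                    detailText);
        } catch (Throwable th) {
            log.error("signJwsForEidAuth: Error", th);
            callbackError.error(th);
        }
    }

    /**
     * Signs {@code jWTClaimsSet} (with {@code sub} set to the binding certificate's subject) with
     * the binding key behind the biometric prompt; the signed JWT is delivered via
     * {@code signJwsCallback}, every failure via {@code callbackError}.
     *
     * @param str inserted into the dialog titles; presumably the relying party's name — TODO confirm
     */
    @Override
    public void signJwsForSamlAuth(String str, JWTClaimsSet jWTClaimsSet,
            KeyStoreService.SignJwsCallback signJwsCallback, KeyStoreService.CallbackError callbackError) {
        log.debug("signJwsForSamlAuth: " + this.keyAlias + ", " + this.certAlias);
        try {
            this.deviceCapabilityCheck.performCapabilityChecks();
            PrivateKey key = loadKey();
            JWSAlgorithm jwsAlgorithm = getJwsAlgorithm(key);
            JWSObject jwsObject = buildJwsObject(jWTClaimsSet, jwsAlgorithm);
            Context context = this.activity.getApplicationContext();
            showFingerprintDialogForJws(signJwsCallback, callbackError, key, jwsAlgorithm, jwsObject,
                    context.getString(R.string.dialog_auth_fingerprint_title, str),
                    context.getString(R.string.dialog_auth_extBiometrics_title, str),
                    null);
        } catch (Throwable th) {
            log.error("signJwsForSamlAuth: Error", th);
            callbackError.error(th);
        }
    }

    /**
     * Stores {@code x509CertificateHolder} as the (single-element) chain of the entry under
     * {@code certAlias}.
     *
     * <p>An existing key entry keeps its key and only gets the chain replaced. Otherwise a fresh
     * RSA-4096 pair is generated with the default JCA provider and its private key stored
     * alongside the chain. NOTE(review): that key looks like a placeholder so the chain can be
     * stored as a key entry at all — the certificate's actual private key is presumably the one
     * under {@code keyAlias}; confirm. Generating RSA-4096 on-device can take noticeable time.
     *
     * @throws CryptoException on any keystore, conversion or key generation failure
     */
    @Override
    public void storeBinding(X509CertificateHolder x509CertificateHolder) throws CryptoException {
        try {
            log.debug("storeBinding: " + this.certAlias);
            KeyStore keyStore = loadKeyStore();
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(x509CertificateHolder);
            Certificate[] chain = {certificate};
            if (keyStore.isKeyEntry(this.certAlias)) {
                keyStore.setKeyEntry(this.certAlias, keyStore.getKey(this.certAlias, null), null, chain);
            } else {
                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
                generator.initialize(4096);
                keyStore.setKeyEntry(this.certAlias, generator.generateKeyPair().getPrivate(), null, chain);
            }
        } catch (Throwable th) {
            log.warn("storeBinding: error", th);
            throw new CryptoException(th);
        }
    }
}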
