package at.atrust.mobsig.library.util;

import android.content.Context;
import android.security.KeyPairGeneratorSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import at.atrust.mobsig.library.preferences.PreferenceData;
import at.atrust.mobsig.library.preferences.UserPreferences;
import at.atrust.mobsig.library.used.KeyStoreServiceException;
import java.io.IOException;
import java.io.StringWriter;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spongycastle.math.ec.Tnaf;
import org.spongycastle.pkcs.PKCS10CertificationRequest;
import org.spongycastle.util.io.pem.PemObject;
import org.spongycastle.util.io.pem.PemWriter;

/* loaded from: classes18.dex */
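/**
 * Static helpers around the {@code AndroidKeyStore} provider: key-pair generation, RSA
 * encryption/decryption, signing, CSR export and hardware-backing checks for the aliases this
 * library manages.
 *
 * <p>All methods are static and stateless; every call opens its own {@link KeyStore} instance.
 * Most methods deliberately never throw: failures are logged and reported as {@code null} or
 * {@code false}, so callers must check return values. Only {@link #generateKeyPair} and
 * {@link #generateSecondFactorKeypair} surface errors as {@link KeyStoreServiceException}.
 */
public class KeystoreUtil {
    private static final String ALGORITHM_EC = "EC";
    private static final String ALGORITHM_RSA = "RSA";
    // Bit set of all four KeyProperties.PURPOSE_* flags (encrypt | decrypt | sign | verify).
    private static final int ALL_PURPOSES = 15;
    // Bit set of KeyProperties.PURPOSE_SIGN | PURPOSE_VERIFY, i.e. a signing-only key.
    private static final int SIGN_VERIFY_PURPOSES = 12;
    public static final String CSR_HEADER = "CERTIFICATE REQUEST";
    public static final String JSON_ENCRYPTION_KEY = "JsonEncryptionKey";
    public static final String JSON_SIGNATURE_KEY = "JsonSignatureKey";
    public static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
    private static final Logger LOGGER = LoggerFactory.getLogger(KeystoreUtil.class);
    public static final String MESSAGE_SIGNING_KEY = "MessageSigningKey";
    /** PKCS#1 v1.5 encryption padding; the default for encrypt/decrypt. OAEP is the safer choice where the server supports it. */
    public static final String RSA_ECB_PKCS1PADDING = "RSA/ECB/PKCS1Padding";
    /** OAEP with SHA-1/MGF1. The constant name (OEAP) is a historical misspelling kept for API compatibility. */
    public static final String RSA_OEAP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    /** OAEP with SHA-256/MGF1. Constant name kept for API compatibility. */
    public static final String RSA_OEAP_256 = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    public static final String SECOND_FACTOR_KEY = "SecondFactorKey";
    public static final String TEST_KEY = "TestKey";

    // Subject of the self-signed certificate attached to RSA keys created by
    // createRsaKeyAndroidM and initKeyStore.
    private static final String TEST_SUBJECT = "CN=test1";
    // Modulus size used for every RSA key this class generates.
    private static final int RSA_KEY_SIZE = 2048;
    // Aliases removed by clear(). Note: the alias used by generateMessageKey (CryptoLoader.ALIAS)
    // is not part of this list.
    private static final String[] MANAGED_ALIASES = {
        MESSAGE_SIGNING_KEY, SECOND_FACTOR_KEY, TEST_KEY, JSON_SIGNATURE_KEY, JSON_ENCRYPTION_KEY
    };
    // 32-byte probe plaintext used by TestRSAEncryption (0x00-0x09, 0x10-0x19, 0x20-0x29, 0x30, 0x31).
    private static final byte[] PROBE_PLAINTEXT = {
        0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
        32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 48, 49
    };
    // Cipher transformations probed by TestRSAEncryption, in order of preference; the first one
    // that round-trips wins. "RSA/ECB/NoPadding" is textbook RSA and is listed last as a fallback
    // only.
    private static final String[] CANDIDATE_TRANSFORMATIONS = {
        RSA_ECB_PKCS1PADDING,
        "RSA/ECB/OAEPPadding",
        RSA_OEAP,
        "RSA/ECB/OAEPWithSHA-224AndMGF1Padding",
        RSA_OEAP_256,
        "RSA/ECB/OAEPWithSHA-384AndMGF1Padding",
        "RSA/ECB/OAEPWithSHA-512AndMGF1Padding",
        "RSA/ECB/NoPadding"
    };

    /**
     * Probes which RSA cipher transformation the device keystore can round-trip.
     *
     * <p>A throw-away key is created under {@link #TEST_KEY}, each entry of
     * {@code CANDIDATE_TRANSFORMATIONS} is tried in order, and the first transformation for which
     * encrypt followed by decrypt yields the original plaintext is returned. The test key is
     * deleted again even when the probe fails with an exception.
     *
     * @param context unused; retained for API compatibility with existing callers
     * @return the first working transformation name, or {@code null} if none works
     */
    public static String TestRSAEncryption(Context context) {
        String supported = null;
        try {
            deleteKeyPair(TEST_KEY);
            createRsaKey(TEST_KEY);
            for (String transformation : CANDIDATE_TRANSFORMATIONS) {
                if (roundTrips(TEST_KEY, PROBE_PLAINTEXT, transformation)) {
                    LOGGER.debug("Algorithm " + transformation + " is supported");
                    supported = transformation;
                    break;
                }
                LOGGER.warn("Algorithm " + transformation + " not supported");
            }
        } catch (Exception e) {
            LOGGER.debug("Exception", e);
        } finally {
            // Never leave the probe key behind, even if the loop aborted.
            deleteKeyPair(TEST_KEY);
        }
        return supported;
    }

    /**
     * Encrypts and decrypts {@code plaintext} under {@code alias} with the given transformation
     * and checks that the original bytes come back. A decrypt that merely "succeeds" but returns
     * different bytes (e.g. a zero-extended block from an unpadded transformation) counts as a
     * failure.
     */
    private static boolean roundTrips(String alias, byte[] plaintext, String transformation) {
        byte[] ciphertext = encryptWithKeystore(alias, plaintext, transformation);
        if (ciphertext == null) {
            return false;
        }
        byte[] recovered = decryptWithKeystore(alias, ciphertext, transformation);
        return recovered != null && Arrays.equals(plaintext, recovered);
    }

    /** Deletes every alias in {@code MANAGED_ALIASES} from the keystore. Irreversible. */
    public static void clear() {
        LOGGER.warn("DELETE ALL KEYS IN KEYSTORE");
        for (String alias : MANAGED_ALIASES) {
            deleteKeyPair(alias);
        }
    }

    /**
     * Replaces (if present) and creates a general-purpose RSA key under {@code alias}.
     *
     * @return {@code true} if generation succeeded
     */
    private static boolean createRsaKey(String alias) {
        if (hasKeyForAlias(alias)) {
            LOGGER.info("delete old keypair for " + alias);
            deleteKeyPair(alias);
        }
        return createRsaKeyAndroidM(alias);
    }

    /**
     * Generates a 2048-bit RSA key with all four purposes via {@link KeyGenParameterSpec}
     * (API 23+). PKCS#1 padding for both encryption and signatures and SHA-256 as the only
     * digest are authorised. The block-mode list is kept as originally shipped; for an RSA key
     * only ECB is meaningful. No user authentication is required for this key.
     *
     * @return {@code true} on success; any failure is logged and yields {@code false}
     */
    private static boolean createRsaKeyAndroidM(String alias) {
        try {
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, ALL_PURPOSES)
                    .setKeySize(RSA_KEY_SIZE)
                    .setCertificateSubject(new X500Principal(TEST_SUBJECT))
                    .setCertificateSerialNumber(BigInteger.valueOf(1L))
                    .setCertificateNotBefore(DateUtil.getNotBefore())
                    .setCertificateNotAfter(DateUtil.getNotAfter())
                    .setEncryptionPaddings("PKCS1Padding")
                    .setSignaturePaddings("PKCS1")
                    .setDigests("SHA-256")
                    .setBlockModes("CBC", "CTR", "ECB", "GCM")
                    .build();
            KeyPairGenerator generator = KeyPairGenerator.getInstance(ALGORITHM_RSA, KEYSTORE_PROVIDER);
            generator.initialize(spec);
            generator.generateKeyPair();
            return true;
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Decrypts with the private key under {@code alias} using {@link #RSA_ECB_PKCS1PADDING}.
     *
     * @see #decryptWithKeystore(String, byte[], String)
     */
    public static byte[] decryptWithKeystore(String alias, byte[] ciphertext) {
        return decryptWithKeystore(alias, ciphertext, RSA_ECB_PKCS1PADDING);
    }

    /**
     * Decrypts {@code ciphertext} with the private key stored under {@code alias}.
     *
     * @param alias keystore alias of an RSA private key
     * @param ciphertext data to decrypt; {@code null} or empty yields {@code null}
     * @param transformation JCE cipher transformation, e.g. {@link #RSA_OEAP_256}
     * @return the plaintext, or {@code null} on any error (missing key, wrong padding, ...)
     */
    public static byte[] decryptWithKeystore(String alias, byte[] ciphertext, String transformation) {
        if (ciphertext == null || ciphertext.length == 0) {
            return null;
        }
        try {
            PrivateKey privateKey = loadPrivateKey(alias);
            if (privateKey == null) {
                LOGGER.error("decryptWithKeystore private key is null");
                return null;
            }
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            return cipher.doFinal(ciphertext);
        } catch (Exception e) {
            // Padding/size/key errors are all reported the same way; callers see null.
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Removes the entry under {@code alias}. Failures (including a missing alias on some
     * platform versions) are logged, not thrown.
     */
    private static void deleteKeyPair(String alias) {
        try {
            loadKeyStore().deleteEntry(alias);
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
        }
    }

    /**
     * Encrypts with the public key under {@code alias} using {@link #RSA_ECB_PKCS1PADDING}.
     *
     * @see #encryptWithKeystore(String, byte[], String)
     */
    public static byte[] encryptWithKeystore(String alias, byte[] plaintext) {
        return encryptWithKeystore(alias, plaintext, RSA_ECB_PKCS1PADDING);
    }

    /**
     * Encrypts {@code plaintext} with the public key of the certificate stored under
     * {@code alias}.
     *
     * @param alias keystore alias whose certificate supplies the public key
     * @param plaintext data to encrypt; {@code null} or empty yields {@code null}
     * @param transformation JCE cipher transformation, e.g. {@link #RSA_OEAP_256}
     * @return the ciphertext, or {@code null} if the key is missing or the cipher fails
     */
    public static byte[] encryptWithKeystore(String alias, byte[] plaintext, String transformation) {
        if (plaintext == null || plaintext.length == 0) {
            return null;
        }
        PublicKey publicKey = loadCertificate(alias);
        if (publicKey == null) {
            // Mirrors the explicit null handling of decryptWithKeystore instead of letting
            // Cipher.init fail on a null key.
            LOGGER.error("encryptWithKeystore public key is null");
            return null;
        }
        try {
            Cipher cipher = Cipher.getInstance(transformation);
            cipher.init(Cipher.ENCRYPT_MODE, publicKey);
            return cipher.doFinal(plaintext);
        } catch (GeneralSecurityException e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Creates the JSON signature and encryption RSA keys.
     *
     * @return {@code true} only if both keys were created; if the first fails the second is not
     *     attempted
     */
    public static boolean generateJsonKeys(Context context) {
        return createRsaKey(JSON_SIGNATURE_KEY) && createRsaKey(JSON_ENCRYPTION_KEY);
    }

    /**
     * Generates a signing key pair under {@code alias}, replacing any existing entry.
     *
     * @param alias keystore alias
     * @param context used to look up test mode; in test mode user authentication is forced off
     * @param keySize key size in bits
     * @param keyType {@code "EC"} or {@code "RSA"}
     * @param requireUserAuth whether key use must be gated by user authentication
     * @param authValiditySeconds validity window for {@code requireUserAuth}; {@code -1} means
     *     authentication is needed for every use
     * @return the generated pair
     * @throws KeyStoreServiceException for an unsupported key type or any generation error
     */
    public static KeyPair generateKeyPair(String alias, Context context, int keySize, String keyType,
            boolean requireUserAuth, int authValiditySeconds) throws KeyStoreServiceException {
        LOGGER.debug(String.format("generateKeyPair: %s, %d, %s", alias, Integer.valueOf(keySize), keyType));
        if (!Objects.equals(keyType, ALGORITHM_EC) && !Objects.equals(keyType, ALGORITHM_RSA)) {
            throw new KeyStoreServiceException("KeyType");
        }
        if (hasKeyForAlias(alias)) {
            LOGGER.info("delete old keypair for " + alias);
            deleteKeyPair(alias);
        }
        boolean userAuth = requireUserAuth;
        if (PreferenceData.getTestMode(context)) {
            // Test builds skip the biometric gate; the resulting key is weaker than in production.
            userAuth = false;
            LOGGER.warn("disable biometric user authentication for test mode");
        }
        try {
            return generateKeyPairAfterM(alias, keySize, keyType, userAuth, authValiditySeconds);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            LOGGER.error("generateKeyPair: error", e);
            throw new KeyStoreServiceException(e);
        }
    }

    /**
     * API 23+ implementation of {@link #generateKeyPair}: a sign/verify-only key whose certificate
     * subject is {@code CN=<alias>}. The digest list authorises SHA-256 as well as SHA-1 and NONE
     * (raw, pre-hashed input); the latter two are kept for compatibility with existing consumers.
     * RSA keys additionally allow PKCS#1 and PSS signature padding.
     */
    private static KeyPair generateKeyPairAfterM(String alias, int keySize, String keyType,
            boolean requireUserAuth, int authValiditySeconds)
            throws NoSuchProviderException, NoSuchAlgorithmException, InvalidAlgorithmParameterException {
        LOGGER.debug(String.format("generateKeyPairAfterM: %s, %d, %s", alias, Integer.valueOf(keySize), keyType));
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(alias, SIGN_VERIFY_PURPOSES)
                .setDigests("SHA-256", "SHA-1", "NONE")
                .setKeySize(keySize)
                .setCertificateNotBefore(DateUtil.getNotBefore())
                .setCertificateNotAfter(DateUtil.getNotAfter())
                .setCertificateSubject(new X500Principal("CN=" + alias));
        if (Objects.equals(keyType, ALGORITHM_RSA)) {
            builder = builder.setSignaturePaddings("PKCS1", "PSS");
        }
        if (requireUserAuth) {
            builder = builder.setUserAuthenticationRequired(true)
                    .setUserAuthenticationValidityDurationSeconds(authValiditySeconds);
        }
        KeyPairGenerator generator = KeyPairGenerator.getInstance(keyType, KEYSTORE_PROVIDER);
        generator.initialize(builder.build());
        return generator.generateKeyPair();
    }

    /**
     * Pre-API-23 key generation via the deprecated {@link KeyPairGeneratorSpec}. Not referenced
     * from this class; retained for older devices. Outside test mode the key is created with
     * {@code setEncryptionRequired()}, i.e. it needs a secure lock screen.
     */
    private static KeyPair generateKeyPairBeforeM(String alias, Context context, int keySize, String keyType)
            throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        LOGGER.debug(String.format("generateKeyPairBeforeM: %s, %d, %s", alias, Integer.valueOf(keySize), keyType));
        KeyPairGeneratorSpec.Builder builder = new KeyPairGeneratorSpec.Builder(context)
                .setAlias(alias)
                .setStartDate(DateUtil.getNotBefore())
                .setEndDate(DateUtil.getNotAfter())
                .setSerialNumber(BigInteger.ONE)
                .setSubject(new X500Principal("CN=" + alias))
                .setKeyType(keyType)
                .setKeySize(keySize);
        if (PreferenceData.getTestMode(context)) {
            LOGGER.warn("disable setEncryptionRequired()  for test mode");
        } else {
            builder = builder.setEncryptionRequired();
        }
        KeyPairGenerator generator = KeyPairGenerator.getInstance(keyType, KEYSTORE_PROVIDER);
        generator.initialize(builder.build());
        return generator.generateKeyPair();
    }

    /** Creates the message key under {@code CryptoLoader.ALIAS} via {@link #initKeyStore}. */
    public static boolean generateMessageKey(Context context) {
        return initKeyStore(CryptoLoader.ALIAS, context);
    }

    /** Creates the RSA key under {@link #MESSAGE_SIGNING_KEY}. */
    public static boolean generateMessageSigningKey(Context context) {
        return createRsaKey(MESSAGE_SIGNING_KEY);
    }

    /**
     * Creates the 2048-bit RSA second-factor key with user authentication required for every use
     * (validity {@code -1}); see {@link #generateKeyPair} for the test-mode exception.
     */
    public static KeyPair generateSecondFactorKeypair(Context context) throws KeyStoreServiceException {
        return generateKeyPair(SECOND_FACTOR_KEY, context, RSA_KEY_SIZE, ALGORITHM_RSA, true, -1);
    }

    /**
     * Builds a DER-encoded PKCS#10 request for the key under {@code alias} via
     * {@code CsrUtil.generateCSR} with an empty subject string.
     *
     * @return the encoded CSR, or {@code null} if the key/certificate is missing or encoding fails
     */
    private static byte[] getCsr(String alias) {
        PrivateKey privateKey = loadPrivateKey(alias);
        PublicKey publicKey = loadCertificate(alias);
        if (privateKey == null || publicKey == null) {
            LOGGER.error("getCsr - " + alias + " - key or certificate not found");
            return null;
        }
        try {
            PKCS10CertificationRequest csr = CsrUtil.generateCSR(privateKey, publicKey, "");
            return csr == null ? null : csr.getEncoded();
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Returns the CSR for {@code alias} as a PEM block with header {@link #CSR_HEADER}.
     *
     * @return the PEM text, or {@code null} if no CSR could be produced
     */
    public static String getCsrAsPem(String alias) {
        byte[] csr = getCsr(alias);
        if (csr == null) {
            return null;
        }
        StringWriter out = new StringWriter();
        // try-with-resources closes the writer even if writeObject throws.
        try (PemWriter pemWriter = new PemWriter(out)) {
            pemWriter.writeObject(new PemObject(CSR_HEADER, csr));
            pemWriter.flush();
        } catch (IOException e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
        return out.toString();
    }

    /**
     * Determines whether the private key under {@code alias} is EC or RSA.
     *
     * @return the key type, or {@code null} if the key is missing or uses another algorithm
     */
    public static KeyType getKeyType(String alias) {
        PrivateKey privateKey = loadPrivateKey(alias);
        if (privateKey == null) {
            LOGGER.error("exception KeyType", new KeyStoreServiceException("no private key for " + alias));
            return null;
        }
        String algorithm = privateKey.getAlgorithm();
        if (ALGORITHM_EC.equals(algorithm)) {
            return KeyType.EC;
        }
        if (ALGORITHM_RSA.equals(algorithm)) {
            return KeyType.RSA;
        }
        LOGGER.error("Unsupported key algorithm" + algorithm);
        return null;
    }

    /** @return whether {@link #JSON_ENCRYPTION_KEY} exists */
    public static boolean hasJsonEncKey() {
        return hasKeyForAlias(JSON_ENCRYPTION_KEY);
    }

    /** @return whether both JSON keys exist */
    public static boolean hasJsonKeys() {
        return hasJsonSigKey() && hasJsonEncKey();
    }

    /** @return whether {@link #JSON_SIGNATURE_KEY} exists */
    public static boolean hasJsonSigKey() {
        return hasKeyForAlias(JSON_SIGNATURE_KEY);
    }

    /**
     * @return {@code true} if the keystore contains {@code alias}; {@code false} if it does not
     *     or the keystore cannot be opened (logged)
     */
    private static boolean hasKeyForAlias(String alias) {
        try {
            return loadKeyStore().containsAlias(alias);
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Whether the platform keystore may be used at all: not on BlackBerry devices and not when
     * the user has configured an app PIN instead.
     */
    public static boolean hasKeyStore(Context context) {
        boolean usable = true;
        if (SystemInfo.isBlackberry()) {
            LOGGER.debug("hasKeyStore isBlackberry");
            usable = false;
        } else if (UserPreferences.isAppPinNeeded(context)) {
            LOGGER.debug("hasKeyStore UserPreferences.isAppPinNeeded()");
            usable = false;
        }
        LOGGER.debug("hasKeyStore returns " + usable);
        return usable;
    }

    /** @return whether {@link #SECOND_FACTOR_KEY} exists */
    public static boolean hasSecondFactorKey() {
        return hasKeyForAlias(SECOND_FACTOR_KEY);
    }

    /**
     * Generates a temporary RSA key under {@link #TEST_KEY} with the same parameters as the
     * second-factor key and reports whether it landed in secure hardware. The probe key is always
     * deleted afterwards.
     *
     * @return {@code true} only if a key could be generated and is hardware-backed
     */
    public static boolean hasSecureHardware(Context context) {
        boolean secure = false;
        try {
            KeyPair probe = generateKeyPair(TEST_KEY, context, RSA_KEY_SIZE, ALGORITHM_RSA, true, -1);
            secure = insideSecureHardWare(probe.getPrivate());
        } catch (Exception e) {
            LOGGER.debug("Exception", e);
        } finally {
            deleteKeyPair(TEST_KEY);
        }
        LOGGER.debug("Has secure hardware = " + secure);
        return secure;
    }

    /**
     * Creates an RSA key under {@code alias} with the deprecated pre-API-23
     * {@link KeyPairGeneratorSpec}, but only if {@link #hasKeyStore} allows it. Outside test
     * mode the key requires a secure lock screen ({@code setEncryptionRequired()}).
     *
     * @return {@code true} if the key was generated
     */
    public static boolean initKeyStore(String alias, Context context) {
        boolean created = false;
        if (hasKeyStore(context)) {
            LOGGER.debug("initialize key store");
            try {
                KeyPairGeneratorSpec.Builder builder = new KeyPairGeneratorSpec.Builder(context)
                        .setAlias(alias)
                        .setStartDate(DateUtil.getNotBefore())
                        .setEndDate(DateUtil.getNotAfter())
                        .setSerialNumber(BigInteger.ONE)
                        .setSubject(new X500Principal(TEST_SUBJECT));
                if (PreferenceData.getTestMode(context)) {
                    LOGGER.warn("disable setEncryptionRequired()  for test mode");
                } else {
                    builder = builder.setEncryptionRequired();
                }
                KeyPairGenerator generator = KeyPairGenerator.getInstance(ALGORITHM_RSA, KEYSTORE_PROVIDER);
                generator.initialize(builder.build());
                generator.generateKeyPair();
                created = true;
            } catch (Exception e) {
                LOGGER.error(e.getMessage(), e);
            }
        }
        LOGGER.debug("initialize key store success = " + created);
        return created;
    }

    /**
     * Asks the keystore provider whether {@code privateKey} lives in secure hardware
     * (TEE/StrongBox) via {@link KeyInfo#isInsideSecureHardware()}.
     *
     * @return {@code true} if hardware-backed; {@code false} for a {@code null} key or any error
     */
    public static boolean insideSecureHardWare(PrivateKey privateKey) {
        if (privateKey == null) {
            LOGGER.error("insideSecureHardWare - private key is null");
            return false;
        }
        try {
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), KEYSTORE_PROVIDER);
            KeyInfo info = factory.getKeySpec(privateKey, KeyInfo.class);
            return info.isInsideSecureHardware();
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * @return whether the private key under {@code alias} is hardware-backed; {@code false} if
     *     the alias is missing
     */
    public static boolean isAliasHardwareBased(String alias) {
        return insideSecureHardWare(loadPrivateKey(alias));
    }

    /** Opens the {@code AndroidKeyStore} provider. Each caller gets a fresh instance. */
    private static KeyStore loadKeyStore() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_PROVIDER);
        keyStore.load(null);
        return keyStore;
    }

    /**
     * Loads the public key of the certificate stored under {@code alias}. Falls back to the
     * certificate of the {@link KeyStore.PrivateKeyEntry} when {@code getCertificate} returns
     * nothing.
     *
     * @return the public key, or {@code null} if absent or on error (logged)
     */
    private static PublicKey loadCertificate(String alias) {
        try {
            KeyStore keyStore = loadKeyStore();
            if (!keyStore.containsAlias(alias)) {
                LOGGER.error("alias " + alias + " not found in keystore");
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                KeyStore.Entry entry = keyStore.getEntry(alias, null);
                if (entry == null) {
                    LOGGER.error("loadCertificate - " + alias + " - not found");
                    return null;
                }
                if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                    LOGGER.error("loadCertificate - " + alias + " - Not an instance of a PrivateKeyEntry");
                    return null;
                }
                certificate = ((KeyStore.PrivateKeyEntry) entry).getCertificate();
            }
            return certificate.getPublicKey();
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Loads the private key under {@code alias}, first via {@code getKey} and then via the
     * {@link KeyStore.PrivateKeyEntry}.
     *
     * @return the private key, or {@code null} if absent or on error (logged)
     */
    private static PrivateKey loadPrivateKey(String alias) {
        try {
            KeyStore keyStore = loadKeyStore();
            if (!keyStore.containsAlias(alias)) {
                LOGGER.error("alias " + alias + " not found in keystore");
            }
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, null);
            if (privateKey != null) {
                return privateKey;
            }
            KeyStore.Entry entry = keyStore.getEntry(alias, null);
            if (entry == null) {
                LOGGER.error("loadPrivateKey - " + alias + " - not found");
                return null;
            }
            if (entry instanceof KeyStore.PrivateKeyEntry) {
                return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            }
            LOGGER.error("loadPrivateKey - " + alias + " - Not an instance of a PrivateKeyEntry");
            return null;
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Signs {@code data} with SHA256withECDSA or SHA256withRSA depending on the key algorithm.
     *
     * @return the signature, or {@code null} for a missing/unsupported key or on error
     */
    private static byte[] sign(PrivateKey privateKey, byte[] data) {
        if (privateKey == null) {
            LOGGER.error("sign - private key is null");
            return null;
        }
        String algorithm = privateKey.getAlgorithm();
        String signatureAlgorithm;
        if (ALGORITHM_EC.equals(algorithm)) {
            signatureAlgorithm = "SHA256withECDSA";
        } else if (ALGORITHM_RSA.equals(algorithm)) {
            signatureAlgorithm = "SHA256withRSA";
        } else {
            LOGGER.error("Unsupported key algorithm" + algorithm);
            return null;
        }
        try {
            Signature signature = Signature.getInstance(signatureAlgorithm);
            signature.initSign(privateKey);
            signature.update(data);
            return signature.sign();
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Signs {@code data} with the private key stored under {@code alias}.
     *
     * @return the signature, or {@code null} if the key is missing or signing fails
     */
    public static byte[] signWithKey(String alias, byte[] data) {
        return sign(loadPrivateKey(alias), data);
    }
}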
