package at.asitplus.utils;

import android.content.Context;
import android.hardware.biometrics.BiometricManager;
import android.hardware.fingerprint.FingerprintManager;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import at.asitplus.common.exception.detail.InsufficientCapabilitiesException;
import at.asitplus.common.exception.internal.CryptoException;
import at.asitplus.oegvat.BuildConfig;
import at.asitplus.oegvat.R;
import at.asitplus.utils.KeyStoreService;
import at.asitplus.utils.biometrics.BiometricAuthenticationDialog;
import at.atrust.mobsig.library.util.KeystoreUtil;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import javax.security.auth.x500.X500Principal;
import okhttp3.OkHttpClient;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes.dex */
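/**
 * {@link KeyStoreService} backed by the Android KeyStore ({@link KeystoreUtil#KEYSTORE_PROVIDER}).
 *
 * <p>Two aliases are managed: {@link #c} names the device-generated binding key pair (optionally
 * bound to user authentication and attested with a server challenge) and {@link #d} names the
 * binding certificate issued for it. Every signing operation with the binding key is routed through
 * a {@link BiometricAuthenticationDialog}; the actual signature is produced by the dialog callback
 * classes {@code a}, {@code b} and {@code d} of this package, which are not part of this listing.
 *
 * <p>Decompiled listing: the public members named {@code a}..{@code d} are obfuscated names and are
 * kept unchanged because they form the class's public surface.
 */
public class AndroidKeyStoreService implements KeyStoreService {
    public static final String BINDING_CERT_ALIAS = "binding-cert";
    public static final String BINDING_KEY_ALIAS = "binding-key";
    public static final String DEMO_VDA_ALIAS = "demo-vda-key";
    public static final Logger e = LoggerFactory.getLogger((Class<?>) AndroidKeyStoreService.class);

    // Value of KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY (4 | 8).
    private static final int PURPOSE_SIGN_AND_VERIFY = 12;
    // Value of KeyProperties.AUTH_BIOMETRIC_STRONG (API 30+).
    private static final int AUTH_BIOMETRIC_STRONG = 2;
    // Value of BiometricManager.Authenticators.BIOMETRIC_STRONG (API 30+).
    private static final int AUTHENTICATOR_BIOMETRIC_STRONG = 15;
    // Result codes of BiometricManager.canAuthenticate() (API 29+).
    private static final int BIOMETRIC_SUCCESS = 0;
    private static final int BIOMETRIC_ERROR_HW_UNAVAILABLE = 1;
    private static final int BIOMETRIC_ERROR_NONE_ENROLLED = 11;
    private static final int BIOMETRIC_ERROR_NO_HARDWARE = 12;
    // Android API levels compared against Build.VERSION.SDK_INT.
    private static final int SDK_N = 24;
    private static final int SDK_Q = 29;
    private static final int SDK_R = 30;

    private static final String KEY_TYPE_EC = "EC";
    private static final String KEY_TYPE_RSA = "RSA";
    private static final String SIG_ALG_EC = "SHA256withECDSA";
    private static final String SIG_ALG_RSA = "SHA256withRSA";

    /** Delegate used by {@link BiometricAuthenticationDialog} to show its fragment. */
    public final FragmentShowDelegate a;
    /** Android context: provides string resources and system services. */
    public final Context b;
    /** Alias of the binding key pair in the Android KeyStore (presumably {@link #BINDING_KEY_ALIAS}). */
    public final String c;
    /** Alias of the binding certificate in the Android KeyStore (presumably {@link #BINDING_CERT_ALIAS}). */
    public final String d;

    /**
     * Creates a service bound to one key alias and one certificate alias.
     *
     * @param context              Android context used for resources and system services
     * @param fragmentShowDelegate delegate handed to the biometric dialog
     * @param str                  alias of the binding key pair
     * @param str2                 alias of the binding certificate
     */
    public AndroidKeyStoreService(Context context, FragmentShowDelegate fragmentShowDelegate, String str, String str2) {
        this.b = context;
        this.a = fragmentShowDelegate;
        this.c = str;
        this.d = str2;
    }

    /** JCA signature algorithm matching {@code key}: ECDSA for EC keys, RSA (PKCS#1 v1.5) otherwise. */
    private static String signatureAlgorithmFor(PrivateKey key) {
        return key instanceof ECKey ? SIG_ALG_EC : SIG_ALG_RSA;
    }

    /** JWS algorithm matching {@code key}: ES256 for EC keys, RS256 otherwise. */
    private static JWSAlgorithm jwsAlgorithmFor(PrivateKey key) {
        return key instanceof ECKey ? JWSAlgorithm.ES256 : JWSAlgorithm.RS256;
    }

    /**
     * Loads the binding certificate and fails explicitly when none is stored, instead of letting a
     * later {@code getEncoded()} call raise a {@link NullPointerException}.
     *
     * @throws CryptoException if the keystore cannot be read or no certificate is stored under {@link #d}
     */
    private X509CertificateHolder requireCertificate() throws CryptoException {
        X509CertificateHolder certificate = loadCertificate();
        if (certificate == null) {
            throw new CryptoException("No binding certificate stored under alias '" + this.d + "'");
        }
        return certificate;
    }

    /**
     * Builds an (as yet unsigned) JWT for SAML authentication: the header carries the binding
     * certificate as {@code x5c}, the claims are {@code jWTClaimsSet} with the subject replaced by the
     * certificate's subject DN. Signing is done later by the dialog callback.
     *
     * @throws CryptoException if no binding certificate is stored
     */
    public final JWSObject a(JWTClaimsSet jWTClaimsSet, JWSAlgorithm jWSAlgorithm) throws Exception {
        X509CertificateHolder certificate = requireCertificate();
        JWSHeader header = new JWSHeader.Builder(jWSAlgorithm)
                .x509CertChain(Collections.singletonList(Base64.encode(certificate.getEncoded())))
                .build();
        JWTClaimsSet claims = new JWTClaimsSet.Builder(jWTClaimsSet)
                .subject(certificate.getSubject().toString())
                .build();
        return new SignedJWT(header, claims);
    }

    /**
     * Loads the binding private key from the Android KeyStore.
     *
     * @return the private key stored under {@link #c}
     * @throws CryptoException if the keystore cannot be read or no key is stored under {@link #c}
     */
    public final PrivateKey a() throws CryptoException {
        try {
            e.debug("loadKey: {}", this.c);
            PrivateKey key = (PrivateKey) b().getKey(this.c, null);
            if (key == null) {
                throw new CryptoException("No binding key stored under alias '" + this.c + "'");
            }
            return key;
        } catch (Throwable th) {
            e.warn("loadKey: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Prepares a {@link Signature} over {@code privateKey} and hands it, together with the JWS to be
     * signed, to the biometric dialog; the dialog callback ({@code d}) completes the signature and
     * reports to {@code signJwsCallback} or {@code callbackError}.
     *
     * @param charSequence  dialog title for the fingerprint UI
     * @param charSequence2 dialog title for the external-biometrics UI
     * @param charSequence3 optional detail text, may be {@code null}
     */
    public final void a(KeyStoreService.SignJwsCallback signJwsCallback, KeyStoreService.CallbackError callbackError, PrivateKey privateKey, JWSAlgorithm jWSAlgorithm, JWSObject jWSObject, CharSequence charSequence, CharSequence charSequence2, CharSequence charSequence3) throws Exception {
        e.info("showFingerprintDialogForJws called");
        Signature signature = Signature.getInstance(signatureAlgorithmFor(privateKey));
        signature.initSign(privateKey);
        new BiometricAuthenticationDialog(charSequence, charSequence2, charSequence3, signature,
                new d(jWSObject, jWSAlgorithm, signJwsCallback, callbackError), this.b, this.a)
                .launchSupportedDialog();
    }

    /** Opens the Android KeyStore; it needs no password and no input stream. */
    public final KeyStore b() throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeystoreUtil.KEYSTORE_PROVIDER);
        keyStore.load(null, null);
        return keyStore;
    }

    /**
     * Deletes both the binding key and the binding certificate entries. Missing entries are not an
     * error for {@link KeyStore#deleteEntry}, so this is safe to call repeatedly.
     *
     * @throws CryptoException if the keystore cannot be opened or an entry cannot be deleted
     */
    @Override
    public void destroyBinding() throws CryptoException {
        try {
            e.debug("destroyBinding: {}, {}", this.c, this.d);
            KeyStore keyStore = b();
            keyStore.deleteEntry(this.c);
            keyStore.deleteEntry(this.d);
        } catch (Throwable th) {
            e.warn("destroyBinding: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Starts CSR generation for {@code keyPair} behind the biometric dialog; the callback class
     * {@code b} builds the CSR and reports via {@code generateCsrCallback} / {@code callbackError}.
     *
     * @param i when {@code <= 0} a per-operation {@link Signature} is initialised here and passed to the
     *          dialog (presumably the key's authentication validity: 0 means every use must be
     *          authenticated — TODO confirm against the caller); otherwise no crypto object is passed
     */
    @Override
    public void generateCsr(KeyPair keyPair, String str, int i, KeyStoreService.GenerateCsrCallback generateCsrCallback, KeyStoreService.CallbackError callbackError) {
        // Obfuscated log helper from at.asitplus.authclient; its log level is not visible here.
        at.asitplus.authclient.c.a("generateCsr: ", str, e);
        try {
            String signatureAlgorithm = signatureAlgorithmFor(keyPair.getPrivate());
            Signature signature = null;
            if (i <= 0) {
                signature = Signature.getInstance(signatureAlgorithm);
                signature.initSign(keyPair.getPrivate());
            }
            b csrCallback = new b(str, keyPair, signatureAlgorithm, generateCsrCallback, callbackError);
            CharSequence title = this.b.getText(R.string.dialog_binding_create_title);
            new BiometricAuthenticationDialog(title, title, null, signature, csrCallback, this.b, this.a)
                    .launchSupportedDialog();
        } catch (Throwable th) {
            e.error("generateCsr: Error", th);
            callbackError.error(th);
        }
    }

    /**
     * Generates the binding key pair under alias {@link #c} inside the Android KeyStore.
     *
     * <p>If generation with an attestation challenge fails for any reason, it is retried once
     * without the challenge. The returned key is then NOT attested and the caller cannot tell the
     * difference from the return value; a relying party must verify the chain from
     * {@link #loadAttestationChain()} rather than assume attestation happened.
     *
     * @param i    key size in bits
     * @param str  key type, {@code "EC"} or {@code "RSA"}
     * @param z    whether use of the key requires user authentication
     * @param i2   authentication validity in seconds; on API 30+ negative values are clamped to 0
     *             (authentication required for every use)
     * @param bArr attestation challenge, or {@code null} for no attestation (only applied on API 24+)
     * @throws CryptoException for an unsupported key type or when generation fails (after the retry)
     */
    @Override
    public KeyPair generateKeyPair(int i, String str, boolean z, int i2, byte[] bArr) throws CryptoException {
        try {
            e.info(String.format(Locale.ENGLISH, "generateKeyPair: %s, %d, %s, %b, %s, %s",
                    this.c, Integer.valueOf(i), str, Boolean.valueOf(z), Integer.valueOf(i2), Arrays.toString(bArr)));
            if (!KEY_TYPE_EC.equals(str) && !KEY_TYPE_RSA.equals(str)) {
                e.warn("Unexpected keyType '{}'", str);
                throw new CryptoException("KeyType");
            }
            e.info("generateKeyPair: Loaded keystore '{}'", b());
            KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(this.c, PURPOSE_SIGN_AND_VERIFY)
                    .setKeySize(i)
                    // SHA-1 is retained for compatibility with existing keys; every signer in this
                    // class uses SHA-256 only, so it widens what the key may sign, not what it does sign.
                    .setDigests("SHA-256", "SHA-1")
                    .setCertificateNotBefore(new Date())
                    .setCertificateSubject(new X500Principal("CN=" + this.c));
            if (KEY_TYPE_RSA.equals(str)) {
                spec.setSignaturePaddings("PKCS1", "PSS");
            }
            if (z) {
                e.info("generateKeyPair: setUserAuthenticationRequired with true");
                spec.setUserAuthenticationRequired(true);
                if (Build.VERSION.SDK_INT >= SDK_R) {
                    // API 30 rejects negative timeouts; 0 means every use needs a fresh strong-biometric authentication.
                    int timeoutSeconds = Math.max(i2, 0);
                    e.info("generateKeyPair: setUserAuthenticationParameters with '{}'", Integer.valueOf(timeoutSeconds));
                    spec.setUserAuthenticationParameters(timeoutSeconds, AUTH_BIOMETRIC_STRONG);
                } else {
                    e.info("generateKeyPair: setUserAuthenticationValidityDurationSeconds with '{}'", Integer.valueOf(i2));
                    spec.setUserAuthenticationValidityDurationSeconds(i2);
                }
            }
            if (Build.VERSION.SDK_INT >= SDK_N && bArr != null) {
                spec.setAttestationChallenge(bArr);
            }
            KeyPairGenerator generator = KeyPairGenerator.getInstance(str, KeystoreUtil.KEYSTORE_PROVIDER);
            generator.initialize(spec.build());
            return generator.generateKeyPair();
        } catch (Throwable th) {
            e.warn("generateKeyPair: error", th);
            if (bArr == null) {
                throw new CryptoException(th);
            }
            // Retry is bounded: the recursive call passes null, so it cannot retry again.
            e.info("Retrying generateKeyPair without attestation challenge");
            try {
                return generateKeyPair(i, str, z, i2, null);
            } catch (CryptoException retryFailure) {
                // Keep the original (attested) failure visible alongside the retry failure.
                retryFailure.addSuppressed(th);
                throw retryFailure;
            }
        }
    }

    /**
     * Reports whether the binding key can be used for JWT authentication: true when the Android
     * KeyStore's {@link KeyInfo} reports a user-authentication validity duration {@code <= 0}, i.e.
     * the key is not bound to a timed authentication window.
     *
     * @throws CryptoException if the key or its {@link KeyInfo} cannot be loaded
     */
    @Override
    public boolean isKeySuitableForJwtAuth() throws CryptoException {
        try {
            PrivateKey key = a();
            KeyInfo keyInfo = (KeyInfo) KeyFactory.getInstance(key.getAlgorithm(), KeystoreUtil.KEYSTORE_PROVIDER)
                    .getKeySpec(key, KeyInfo.class);
            boolean suitable = keyInfo.getUserAuthenticationValidityDurationSeconds() <= 0;
            e.debug("isKeySuitableForJwtAuth: returns {}", suitable);
            return suitable;
        } catch (Throwable th) {
            e.warn("isKeySuitableForJwtAuth: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Returns the certificate chain the Android KeyStore stored for the binding key (the attestation
     * chain when the key was generated with a challenge), or {@code null} when the alias does not
     * exist or has no chain. The chain is returned as stored; it is not validated here.
     *
     * @throws CryptoException if the keystore cannot be read or a certificate cannot be re-encoded
     */
    @Override
    public List<X509CertificateHolder> loadAttestationChain() throws CryptoException {
        try {
            e.debug("loadAttestationChain: {}", this.c);
            KeyStore keyStore = b();
            Certificate[] chain = keyStore.containsAlias(this.c) ? keyStore.getCertificateChain(this.c) : null;
            if (chain == null) {
                return null;
            }
            List<X509CertificateHolder> holders = new ArrayList<>(chain.length);
            for (Certificate certificate : chain) {
                holders.add(new X509CertificateHolder(certificate.getEncoded()));
            }
            return holders;
        } catch (Throwable th) {
            e.warn("loadAttestationChain: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Returns the binding certificate stored under {@link #d}, or {@code null} when the alias does
     * not exist or holds no certificate.
     *
     * @throws CryptoException if the keystore cannot be read or the certificate cannot be re-encoded
     */
    @Override
    public X509CertificateHolder loadCertificate() throws CryptoException {
        try {
            e.debug("loadCertificate: {}", this.d);
            KeyStore keyStore = b();
            Certificate certificate = keyStore.containsAlias(this.d) ? keyStore.getCertificate(this.d) : null;
            if (certificate == null) {
                return null;
            }
            return new X509CertificateHolder(certificate.getEncoded());
        } catch (Throwable th) {
            e.warn("loadCertificate: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Verifies that the device can authenticate the user biometrically.
     *
     * <p>On API 29+ {@link BiometricManager} is consulted first (strong biometrics on API 30+); a
     * definite "no hardware" / "unavailable" / "nothing enrolled" answer fails immediately. Any other
     * non-success answer, and all devices below API 29, fall back to {@link FingerprintManager}.
     *
     * @throws InsufficientCapabilitiesException with the reason for the failed check
     */
    @Override
    public void performCapabilityChecks() throws InsufficientCapabilitiesException {
        int sdk = Build.VERSION.SDK_INT;
        e.info("This is {} {}, running on Android {} (SDK {}), Device {}, {}, {}, {}, {}, {}", BuildConfig.LIBRARY_PACKAGE_NAME, BuildConfig.VERSION_NAME, Build.VERSION.RELEASE, Integer.valueOf(sdk), Build.MANUFACTURER, Build.BRAND, Build.MODEL, Build.DEVICE, Build.PRODUCT, Build.DISPLAY);
        if (this.b.getPackageManager() == null) {
            e.error("No package manager available");
            throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.INTERNAL);
        }
        if (sdk >= SDK_Q && biometricManagerReportsAvailable(sdk)) {
            return;
        }
        checkFingerprintManager();
    }

    /**
     * Asks {@link BiometricManager} (API 29+) whether biometrics can be used.
     *
     * @return true on {@code BIOMETRIC_SUCCESS}; false when no manager is available or the status is
     *         one not handled here (the caller then falls back to the fingerprint check)
     * @throws InsufficientCapabilitiesException for "none enrolled", "no hardware" and "hardware unavailable"
     */
    private boolean biometricManagerReportsAvailable(int sdk) throws InsufficientCapabilitiesException {
        BiometricManager biometricManager = (BiometricManager) this.b.getSystemService(BiometricManager.class);
        if (biometricManager == null) {
            return false;
        }
        // API 30 can restrict the query to strong (class 3) biometrics; API 29 only has the unqualified query.
        int status = sdk >= SDK_R
                ? biometricManager.canAuthenticate(AUTHENTICATOR_BIOMETRIC_STRONG)
                : biometricManager.canAuthenticate();
        switch (status) {
            case BIOMETRIC_ERROR_NONE_ENROLLED:
                e.error("No enrolled biometrics");
                throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.NO_BIOMETRIC_ENROLLED);
            case BIOMETRIC_ERROR_NO_HARDWARE:
                e.error("No biometric hardware");
                throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.NO_BIOMETRIC_HARDWARE);
            case BIOMETRIC_ERROR_HW_UNAVAILABLE:
                e.error("Biometric hardware unavailable. Try again later?");
                throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.BIOMETRIC_HARDWARE_UNAVAILABLE);
            case BIOMETRIC_SUCCESS:
                e.info("Biometric hardware available");
                return true;
            default:
                return false;
        }
    }

    /**
     * Legacy fingerprint check via {@link FingerprintManager}.
     *
     * @throws InsufficientCapabilitiesException when the manager is missing, no hardware is detected,
     *         or no fingerprint is enrolled
     */
    private void checkFingerprintManager() throws InsufficientCapabilitiesException {
        FingerprintManager fingerprintManager = (FingerprintManager) this.b.getSystemService(FingerprintManager.class);
        if (fingerprintManager == null) {
            e.error("No fingerprint manager available");
            throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.NO_FINGERPRINT_HARDWARE);
        }
        if (!fingerprintManager.isHardwareDetected()) {
            e.error("No fingerprint hardware");
            throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.NO_FINGERPRINT_HARDWARE);
        }
        if (!fingerprintManager.hasEnrolledFingerprints()) {
            e.error("No enrolled fingerprints");
            throw new InsufficientCapabilitiesException(InsufficientCapabilitiesException.Reason.NO_FINGERPRINT_ENROLLED);
        }
    }

    /**
     * Signs {@code payload} as a JWS of type {@code "bindingAuth"} with the binding key, carrying the
     * binding certificate as {@code x5c}. The user is prompted through the biometric dialog; results
     * and all failures (including a missing key or certificate) go to the callbacks.
     *
     * @param str  service name shown in the dialog title
     * @param str2 optional detail text for the dialog, may be {@code null}
     */
    @Override
    public void signJwsForEidAuth(String str, String str2, Payload payload, KeyStoreService.SignJwsCallback signJwsCallback, KeyStoreService.CallbackError callbackError) {
        e.info("signJwsForEidAuth: '{}', '{}'", this.c, this.d);
        try {
            PrivateKey key = a();
            JWSAlgorithm algorithm = jwsAlgorithmFor(key);
            JWSHeader header = new JWSHeader.Builder(algorithm)
                    .x509CertChain(Collections.singletonList(Base64.encode(requireCertificate().getEncoded())))
                    .type(new JOSEObjectType("bindingAuth"))
                    .build();
            CharSequence detail = str2 != null ? this.b.getString(R.string.dialog_auth_detail, str2) : null;
            a(signJwsCallback, callbackError, key, algorithm, new JWSObject(header, payload),
                    this.b.getString(R.string.dialog_auth_fingerprint_title, str),
                    this.b.getString(R.string.dialog_auth_extBiometrics_title, str),
                    detail);
        } catch (Throwable th) {
            e.error("signJwsForEidAuth: Error", th);
            callbackError.error(th);
        }
    }

    /**
     * Signs a JWT built from {@code jWTClaimsSet} (see {@link #a(JWTClaimsSet, JWSAlgorithm)}) with
     * the binding key behind the biometric dialog. Results and all failures go to the callbacks.
     *
     * @param str service name shown in the dialog title
     */
    @Override
    public void signJwsForSamlAuth(String str, JWTClaimsSet jWTClaimsSet, KeyStoreService.SignJwsCallback signJwsCallback, KeyStoreService.CallbackError callbackError) {
        e.debug("signJwsForSamlAuth: {}, {}", this.c, this.d);
        try {
            PrivateKey key = a();
            JWSAlgorithm algorithm = jwsAlgorithmFor(key);
            a(signJwsCallback, callbackError, key, algorithm, a(jWTClaimsSet, algorithm),
                    this.b.getString(R.string.dialog_auth_fingerprint_title, str),
                    this.b.getString(R.string.dialog_auth_extBiometrics_title, str),
                    null);
        } catch (Throwable th) {
            e.error("signJwsForSamlAuth: Error", th);
            throw new RuntimeException(th) instanceof RuntimeException ? null : null;
        }
    }

    /**
     * Stores the binding certificate under alias {@link #d}.
     *
     * <p>{@link KeyStore#setKeyEntry} needs a private key to attach the certificate chain to. If a key
     * entry already exists under {@link #d} it is reused; otherwise a throw-away RSA-4096 key is
     * generated with the default JCA provider (a software key, not an Android KeyStore key) purely as
     * that placeholder. Nothing in this class signs with it — signing always loads {@link #c}.
     *
     * @throws CryptoException if the certificate cannot be converted or the keystore cannot be written
     */
    @Override
    public void storeBinding(X509CertificateHolder x509CertificateHolder) throws CryptoException {
        try {
            e.debug("storeBinding: {}", this.d);
            KeyStore keyStore = b();
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(x509CertificateHolder);
            Certificate[] chain = new Certificate[]{certificate};
            if (keyStore.isKeyEntry(this.d)) {
                keyStore.setKeyEntry(this.d, keyStore.getKey(this.d, null), null, chain);
            } else {
                KeyPairGenerator placeholderGenerator = KeyPairGenerator.getInstance(KEY_TYPE_RSA);
                placeholderGenerator.initialize(4096);
                keyStore.setKeyEntry(this.d, placeholderGenerator.generateKeyPair().getPrivate(), null, chain);
            }
        } catch (Throwable th) {
            e.warn("storeBinding: error", th);
            throw new CryptoException(th);
        }
    }

    /**
     * Configures {@code builder} for client-certificate TLS with the binding key and certificate.
     * The user is prompted through the biometric dialog; the callback class {@code a} receives both
     * aliases and the builder and reports via the callbacks. No crypto object is passed to the dialog.
     */
    @Override
    public void wrapWithClientTls(OkHttpClient.Builder builder, KeyStoreService.WrapWithClientTlsCallback wrapWithClientTlsCallback, KeyStoreService.CallbackError callbackError) {
        e.debug("wrapWithClientTls: {}, {}", this.c, this.d);
        new BiometricAuthenticationDialog(this.b.getText(R.string.dialog_auth_fingerprint_title),
                this.b.getText(R.string.dialog_auth_extBiometrics_title), null, null,
                new a(this.c, this.d, builder, wrapWithClientTlsCallback, callbackError), this.b, this.a)
                .launchSupportedDialog();
    }
}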
