package com.squareup.cryptoattestation.compatibilitycheck;

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.SecureKeyImportUnavailableException;
import android.security.keystore.WrappedKeyEntry;
import com.squareup.cryptoattestation.attestation.ParsedAttestationRecord;
import com.squareup.services.payment.PaymentSourceConstants;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Calendar;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.collections.ArraysKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;

/* compiled from: KeyStoreCipherUtilities.kt */
@Metadata(d1 = {"\u0000T\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0006\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\b\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0004\bÆ\u0002\u0018\u00002\u00020\u0001:\u0001%B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0006\u0010\f\u001a\u00020\rJ\u0018\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u0004H\u0007J\u0006\u0010\u0011\u001a\u00020\u0006J\u000e\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u0004J\b\u0010\u0015\u001a\u00020\u000fH\u0007J\u000e\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0014\u001a\u00020\u0004J\u000e\u0010\u0018\u001a\u00020\u00192\u0006\u0010\u001a\u001a\u00020\u0004J\u001a\u0010\u001b\u001a\u00020\u001c2\u0006\u0010\u001d\u001a\u00020\u001e2\b\u0010\u001a\u001a\u0004\u0018\u00010\u0004H\u0007J&\u0010\u001f\u001a\u00020\u001e2\u0006\u0010 \u001a\u00020\r2\u0006\u0010!\u001a\u00020\"2\u0006\u0010#\u001a\u00020\u001e2\u0006\u0010$\u001a\u00020\u001eR\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n\u0000R&\u0010\u0005\u001a\u0004\u0018\u00010\u00068\u0000@\u0000X\u0081\u000e¢\u0006\u0014\n\u0000\u0012\u0004\b\u0007\u0010\u0002\u001a\u0004\b\b\u0010\t\"\u0004\b\n\u0010\u000b¨\u0006&"}, d2 = {"Lcom/squareup/cryptoattestation/compatibilitycheck/KeyStoreCipherUtilities;", "", "()V", "ANDROID_KEY_STORE", "", "keyStore", "Ljava/security/KeyStore;", "getKeyStore$impl_release$annotations", "getKeyStore$impl_release", "()Ljava/security/KeyStore;", "setKeyStore$impl_release", "(Ljava/security/KeyStore;)V", "generateKey", "Ljava/security/KeyPair;", "keySize", "", "alias", "getAndroidKeyStoreInstance", "getCipherInstance", "Ljavax/crypto/Cipher;", "algorithm", "getKeyMasterVersion", "getMACInstance", 
"Ljavax/crypto/Mac;", "getSecretKey", "Ljavax/crypto/SecretKey;", "keyAlias", "importKey", "", "wrappedKey", "", "wrapKey", "keyPair", "keyDescription", "Lcom/squareup/cryptoattestation/compatibilitycheck/AndroidKeyDescription;", "transportKey", "contentKey", "WrappedRealKey", "impl_release"}, k = 1, mv = {1, 8, 0}, xi = 48)
/* loaded from: classes6.dex */
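/**
 * Singleton helper around the {@code "AndroidKeyStore"} provider, decompiled from the Kotlin
 * object {@code KeyStoreCipherUtilities}.
 *
 * <p>It generates an RSA wrapping key pair in the keystore, reads the Keymaster version from that
 * key's certificate, builds a DER-encoded wrapped-key blob, and imports such a blob into the
 * keystore.
 *
 * <p>Thread-safety: only {@link #getAndroidKeyStoreInstance()} is synchronized; the package-level
 * accessors for the cached {@link KeyStore} are not.
 */
public final class KeyStoreCipherUtilities {
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    public static final KeyStoreCipherUtilities INSTANCE = new KeyStoreCipherUtilities();

    // Lazily loaded provider instance; replaceable through setKeyStore$impl_release
    // (presumably a test seam -- confirm against the Kotlin source).
    private static KeyStore keyStore;

    /* compiled from: KeyStoreCipherUtilities.kt */
    @Metadata(d1 = {"\u0000\u0018\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0010\u0012\n\u0002\b\t\n\u0002\u0010\b\n\u0000\u0018\u00002\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0003¢\u0006\u0002\u0010\u0005R\u000e\u0010\u0004\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u0011\u0010\u0006\u001a\u00020\u00038F¢\u0006\u0006\u001a\u0004\b\u0007\u0010\bR\u0011\u0010\t\u001a\u00020\u00038F¢\u0006\u0006\u001a\u0004\b\n\u0010\bR\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n\u0000\u001a\u0004\b\u000b\u0010\bR\u000e\u0010\f\u001a\u00020\rX\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u000e"}, d2 = {"Lcom/squareup/cryptoattestation/compatibilitycheck/KeyStoreCipherUtilities$WrappedRealKey;", "", "iv", "", PaymentSourceConstants.CIPHERTEXT_KEY, "([B[B)V", "encryptedKey", "getEncryptedKey", "()[B", "gcmTag", "getGcmTag", "getIv", "keySize", "", "impl_release"}, k = 1, mv = {1, 8, 0}, xi = 48)
    /* loaded from: classes6.dex */
    /**
     * Splits the output of the content-key cipher into the encrypted key and the trailing
     * authentication tag, and carries the IV alongside.
     */
    public static final class WrappedRealKey {
        // Number of trailing ciphertext bytes treated as the tag.
        // NOTE(review): assumes CONTENT_WRAPPING_ALGORITHM appends a 16-byte GCM tag -- confirm
        // against AndroidKeyParameters.
        private static final int GCM_TAG_LENGTH_BYTES = 16;

        private final byte[] ciphertext;
        private final byte[] iv;
        private final int keySize;

        /**
         * @param iv IV used by the content-key cipher; stored by reference, not copied
         * @param ciphertext cipher output (encrypted key followed by the tag); stored by reference
         * @throws IllegalArgumentException if {@code ciphertext} is too short to hold the tag
         */
        public WrappedRealKey(byte[] iv, byte[] ciphertext) {
            Intrinsics.checkNotNullParameter(iv, "iv");
            Intrinsics.checkNotNullParameter(ciphertext, "ciphertext");
            // Fail at construction instead of letting a negative keySize surface later as an
            // opaque range error inside the getters.
            if (ciphertext.length < GCM_TAG_LENGTH_BYTES) {
                throw new IllegalArgumentException(
                        "ciphertext is " + ciphertext.length + " bytes, shorter than the "
                                + GCM_TAG_LENGTH_BYTES + "-byte tag");
            }
            this.iv = iv;
            this.ciphertext = ciphertext;
            this.keySize = ciphertext.length - GCM_TAG_LENGTH_BYTES;
        }

        /** Returns a copy of the ciphertext without its trailing tag bytes. */
        public final byte[] getEncryptedKey() {
            return ArraysKt.copyOfRange(this.ciphertext, 0, this.keySize);
        }

        /** Returns a copy of the trailing tag bytes of the ciphertext. */
        public final byte[] getGcmTag() {
            byte[] all = this.ciphertext;
            return ArraysKt.copyOfRange(all, this.keySize, all.length);
        }

        /** Returns the IV array held by this object (the same array, not a copy). */
        public final byte[] getIv() {
            return this.iv;
        }
    }

    private KeyStoreCipherUtilities() {
    }

    public static /* synthetic */ void getKeyStore$impl_release$annotations() {
    }

    /**
     * Generates the default 2048-bit wrapping key under
     * {@code AndroidKeyParameters.WRAPPING_KEY_ALIAS}.
     *
     * @return the generated key pair
     * @throws GeneralSecurityException if the keystore cannot be loaded or key generation fails
     */
    public final KeyPair generateKey() throws GeneralSecurityException {
        return generateKey(2048, AndroidKeyParameters.WRAPPING_KEY_ALIAS);
    }

    /**
     * Generates an RSA key pair in the Android keystore, replacing any existing entry stored
     * under {@code alias}.
     *
     * @param keySize RSA modulus size in bits
     * @param alias keystore alias to (re)create
     * @return the generated key pair
     * @throws GeneralSecurityException if the keystore cannot be loaded or key generation fails
     */
    public final KeyPair generateKey(int keySize, String alias) throws GeneralSecurityException {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore store = getAndroidKeyStoreInstance();
        // An existing entry under this alias is destroyed, not reused.
        if (store.containsAlias(alias)) {
            store.deleteEntry(alias);
        }

        // Validity window: now until 365 days from now.
        Calendar calendar = Calendar.getInstance();
        Date start = calendar.getTime();
        calendar.add(Calendar.DATE, 365);
        Date end = calendar.getTime();

        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", store.getProvider());
        // Purpose 32 is KeyProperties.PURPOSE_WRAP_KEY. StrongBox is explicitly not requested.
        KeyGenParameterSpec.Builder specBuilder = new KeyGenParameterSpec.Builder(alias, 32)
                .setDigests("SHA-256")
                .setEncryptionPaddings("OAEPPadding")
                .setBlockModes("ECB")
                .setIsStrongBoxBacked(false)
                .setKeySize(keySize)
                .setKeyValidityStart(start)
                .setKeyValidityEnd(end);

        // The attestation challenge is the textual start time, i.e. a locally chosen and
        // predictable value. It is enough to obtain an attestation certificate for
        // getKeyMasterVersion(), but it is not a verifier-issued nonce, so the resulting
        // certificate gives a remote party no freshness guarantee.
        String date = start.toString();
        Intrinsics.checkNotNullExpressionValue(date, "start.toString()");
        byte[] challenge = date.getBytes(Charsets.UTF_8);
        Intrinsics.checkNotNullExpressionValue(challenge, "this as java.lang.String).getBytes(charset)");

        KeyGenParameterSpec spec = specBuilder.setAttestationChallenge(challenge).build();
        Intrinsics.checkNotNullExpressionValue(spec, "Builder(alias, KeyProper…Array())\n        .build()");
        keyPairGenerator.initialize(spec);
        KeyPair generated = keyPairGenerator.generateKeyPair();
        Intrinsics.checkNotNullExpressionValue(generated, "keyGenerator.generateKeyPair()");
        return generated;
    }

    /**
     * Returns the cached {@code AndroidKeyStore} instance, loading it on first use.
     *
     * @return the loaded keystore
     * @throws GeneralSecurityException if the provider is unavailable or loading fails
     */
    public final synchronized KeyStore getAndroidKeyStoreInstance() throws GeneralSecurityException {
        if (keyStore == null) {
            KeyStore loaded = KeyStore.getInstance(ANDROID_KEY_STORE);
            loaded.load(null, null);
            keyStore = loaded;
        }
        KeyStore current = keyStore;
        Intrinsics.checkNotNull(current, "null cannot be cast to non-null type java.security.KeyStore");
        return current;
    }

    /**
     * Returns a {@link Cipher} for the given transformation from the default provider lookup.
     *
     * @param algorithm transformation string passed to {@link Cipher#getInstance(String)}
     * @throws GeneralSecurityException if no provider supports the transformation
     */
    public final Cipher getCipherInstance(String algorithm) throws GeneralSecurityException {
        Intrinsics.checkNotNullParameter(algorithm, "algorithm");
        Cipher cipher = Cipher.getInstance(algorithm);
        Intrinsics.checkNotNullExpressionValue(cipher, "getInstance(algorithm)");
        return cipher;
    }

    /**
     * Reads the Keymaster version from the attestation data of the wrapping key's leaf
     * certificate, generating the wrapping key first if it does not exist.
     *
     * <p>The certificate chain is not validated here: the value is whatever the leaf certificate
     * returned by the local keystore reports, so it is suitable as a local capability probe and
     * must not be treated as verified attestation evidence.
     *
     * @return {@code keymasterVersion} of the parsed attestation record
     * @throws GeneralSecurityException if the keystore is unavailable, key generation fails, or
     *     the keystore returns no certificate chain for the wrapping key
     */
    public final int getKeyMasterVersion() throws GeneralSecurityException {
        KeyStore store = getAndroidKeyStoreInstance();
        if (!store.containsAlias(AndroidKeyParameters.WRAPPING_KEY_ALIAS)) {
            generateKey(2048, AndroidKeyParameters.WRAPPING_KEY_ALIAS);
        }
        Certificate[] certificateChain = store.getCertificateChain(AndroidKeyParameters.WRAPPING_KEY_ALIAS);
        // Report a missing or empty chain as a declared security failure rather than letting it
        // escape as a NullPointerException / ArrayIndexOutOfBoundsException.
        if (certificateChain == null || certificateChain.length == 0) {
            throw new GeneralSecurityException(
                    "No certificate chain for key " + AndroidKeyParameters.WRAPPING_KEY_ALIAS);
        }
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Intrinsics.checkNotNullExpressionValue(certificateFactory, "getInstance(\"X.509\")");
        // Index 0 is the leaf certificate; it is re-parsed from its encoded form.
        Certificate leaf = certificateFactory.generateCertificate(
                new ByteArrayInputStream(certificateChain[0].getEncoded()));
        Intrinsics.checkNotNull(leaf, "null cannot be cast to non-null type java.security.cert.X509Certificate");
        ParsedAttestationRecord record =
                ParsedAttestationRecord.createParsedAttestationRecord((X509Certificate) leaf);
        Intrinsics.checkNotNullExpressionValue(record, "createParsedAttestationR…s X509Certificate\n      )");
        return record.keymasterVersion;
    }

    /** Returns the cached keystore without loading it; may be {@code null}. */
    public final KeyStore getKeyStore$impl_release() {
        return keyStore;
    }

    /**
     * Returns a {@link Mac} for the given algorithm from the default provider lookup.
     *
     * @param algorithm algorithm name passed to {@link Mac#getInstance(String)}
     * @throws GeneralSecurityException if no provider supports the algorithm
     */
    public final Mac getMACInstance(String algorithm) throws GeneralSecurityException {
        Intrinsics.checkNotNullParameter(algorithm, "algorithm");
        Mac mac = Mac.getInstance(algorithm);
        Intrinsics.checkNotNullExpressionValue(mac, "getInstance(algorithm)");
        return mac;
    }

    /**
     * Looks up the secret key stored under {@code keyAlias} in the Android keystore.
     *
     * @param keyAlias alias of a secret-key entry
     * @return the secret key held by that entry
     * @throws GeneralSecurityException if the alias is absent, its entry cannot be read, or the
     *     entry is not a secret-key entry
     */
    public final SecretKey getSecretKey(String keyAlias) throws GeneralSecurityException {
        Intrinsics.checkNotNullParameter(keyAlias, "keyAlias");
        KeyStore store = getAndroidKeyStoreInstance();
        if (!store.containsAlias(keyAlias)) {
            throw new GeneralSecurityException("Key " + keyAlias + " missing");
        }
        KeyStore.Entry entry = store.getEntry(keyAlias, null);
        if (entry == null) {
            throw new GeneralSecurityException("Key " + keyAlias + " is null");
        }
        // The alias may name a different entry type (e.g. the RSA wrapping key); reject it with a
        // checked exception instead of an unchecked ClassCastException.
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new GeneralSecurityException("Key " + keyAlias + " is not a secret key");
        }
        SecretKey secretKey = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
        Intrinsics.checkNotNullExpressionValue(secretKey, "secretKeyEntry.secretKey");
        return secretKey;
    }

    /**
     * Imports a wrapped key into the Android keystore under {@code keyAlias}, to be unwrapped
     * with the key stored under {@code AndroidKeyParameters.WRAPPING_KEY_ALIAS}.
     *
     * @param wrappedKey encoded wrapped-key blob, e.g. the output of {@link #wrapKey}
     * @param keyAlias alias to store the imported key under; not null-checked here
     * @throws GeneralSecurityException if the keystore is unavailable or rejects the entry
     * @throws SecureKeyImportUnavailableException declared by this method; presumably raised by
     *     the keystore when the device cannot perform secure import -- confirm
     */
    public final void importKey(byte[] wrappedKey, String keyAlias) throws GeneralSecurityException, IOException, SecureKeyImportUnavailableException {
        Intrinsics.checkNotNullParameter(wrappedKey, "wrappedKey");
        KeyStore store = getAndroidKeyStoreInstance();
        // Purpose 32 is KeyProperties.PURPOSE_WRAP_KEY; digest and size mirror the defaults used
        // by generateKey().
        KeyGenParameterSpec unwrapSpec = new KeyGenParameterSpec.Builder(AndroidKeyParameters.WRAPPING_KEY_ALIAS, 32)
                .setDigests("SHA-256")
                .setKeySize(2048)
                .build();
        Intrinsics.checkNotNullExpressionValue(unwrapSpec, "Builder(\n      AndroidKe…ZE\n      )\n      .build()");
        WrappedKeyEntry wrappedEntry = new WrappedKeyEntry(
                wrappedKey,
                AndroidKeyParameters.WRAPPING_KEY_ALIAS,
                AndroidKeyParameters.TRANSPORT_WRAPPING_ALGORITHM,
                unwrapSpec);
        store.setEntry(keyAlias, wrappedEntry, null);
    }

    /** Replaces the cached keystore instance; not synchronized. */
    public final void setKeyStore$impl_release(KeyStore keyStore2) {
        keyStore = keyStore2;
    }

    /**
     * Wraps {@code contentKey} for import into the Android keystore and returns the DER-encoded
     * wrapper.
     *
     * <p>The transport key is encrypted to the public half of {@code keyPair}; the content key is
     * encrypted under the transport key with the encoded key description bound as additional
     * authenticated data. The six fields are emitted in the order: version (0), encrypted
     * transport key, IV, key description, encrypted content key, tag.
     *
     * <p>Neither {@code transportKey} nor {@code contentKey} is cleared by this method; the
     * caller owns the lifetime of both arrays.
     *
     * @param keyPair wrapping key pair; only the public key is used
     * @param keyDescription description of the key being wrapped, used as AAD and embedded
     * @param transportKey raw AES key bytes used to encrypt the content key
     * @param contentKey raw key material to wrap
     * @return DER encoding of the wrapper sequence
     * @throws GeneralSecurityException if either cipher is unavailable or encryption fails
     * @throws IOException if ASN.1 encoding fails
     */
    public final byte[] wrapKey(KeyPair keyPair, AndroidKeyDescription keyDescription, byte[] transportKey, byte[] contentKey) throws GeneralSecurityException, IOException {
        Intrinsics.checkNotNullParameter(keyPair, "keyPair");
        Intrinsics.checkNotNullParameter(keyDescription, "keyDescription");
        Intrinsics.checkNotNullParameter(transportKey, "transportKey");
        Intrinsics.checkNotNullParameter(contentKey, "contentKey");

        // Step 1: encrypt the transport key to the wrapping public key.
        Cipher transportKeyCipher = Cipher.getInstance(AndroidKeyParameters.TRANSPORT_WRAPPING_ALGORITHM);
        transportKeyCipher.init(
                Cipher.ENCRYPT_MODE,
                keyPair.getPublic(),
                AndroidKeyParameters.INSTANCE.getTRANSPORT_WRAPPING_PARAMS());
        byte[] encryptedTransportKey = transportKeyCipher.doFinal(transportKey);

        // Step 2: encrypt the content key under the transport key. No IV is supplied, so the
        // provider chooses one; it is read back from the cipher below.
        Cipher contentKeyCipher = Cipher.getInstance(AndroidKeyParameters.CONTENT_WRAPPING_ALGORITHM);
        contentKeyCipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(transportKey, "AES"));
        contentKeyCipher.updateAAD(keyDescription.getEncoded());
        byte[] encryptedAESKey = contentKeyCipher.doFinal(contentKey);
        byte[] iv = contentKeyCipher.getIV();
        Intrinsics.checkNotNullExpressionValue(iv, "contentKeyCipher.iv");
        Intrinsics.checkNotNullExpressionValue(encryptedAESKey, "encryptedAESKey");
        WrappedRealKey wrappedRealKey = new WrappedRealKey(iv, encryptedAESKey);

        // Step 3: assemble the wrapper sequence; field order is significant.
        ASN1EncodableVector wrapperItems = new ASN1EncodableVector();
        wrapperItems.add(new ASN1Integer(0L));
        wrapperItems.add(new DEROctetString(encryptedTransportKey));
        wrapperItems.add(new DEROctetString(wrappedRealKey.getIv()));
        wrapperItems.add(keyDescription.getInstance());
        wrapperItems.add(new DEROctetString(wrappedRealKey.getEncryptedKey()));
        wrapperItems.add(new DEROctetString(wrappedRealKey.getGcmTag()));
        byte[] encoded = new DERSequence(wrapperItems).getEncoded(ASN1Encoding.DER);
        Intrinsics.checkNotNullExpressionValue(encoded, "DERSequence(wrapperItems…Encoded(ASN1Encoding.DER)");
        return encoded;
    }
}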
