package com.okta.oidc.storage.security;

import android.annotation.TargetApi;
import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.support.v4.media.b;
import android.util.Log;
import androidx.annotation.Nullable;
import com.microsoft.identity.common.java.crypto.key.KeyUtil;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.spec.InvalidKeySpecException;
import javax.crypto.Cipher;

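/**
 * RSA key-pair encryption manager for API level 23 and later that configures its key with
 * {@link KeyGenParameterSpec}.
 *
 * <p>This listing is decompiler output (originally tagged "loaded from: classes2.dex"). Some
 * constants are resolved to same-valued fields of unrelated libraries, parameter names are
 * synthetic, and the exception handlers of the two probing methods were emitted in a form that
 * is not valid Java. Those handlers are rebuilt here so that every failure path returns
 * {@code false}.
 */
@TargetApi(23)
class EncryptionManagerAPI23 extends BaseEncryptionManager {
    private static final String TAG = "EncryptionManagerAPI23";

    // Authentication validity window handed to the key spec builder in generateKeyPair.
    private final int mValidityDurationSeconds;

    /**
     * Configures the RSA/OAEP transformation and runs {@code prepare}.
     *
     * @param context forwarded to {@code prepare}
     * @param str forwarded to the superclass constructor (presumably the key store provider
     *     name; confirm against BaseEncryptionManager)
     * @param str2 forwarded to the superclass constructor (presumably the key alias; confirm)
     * @param z10 whether use of the key requires user authentication
     * @param i10 user-authentication validity duration in seconds; on API 30+ a value of
     *     {@code -1} is stored as {@code 0}
     * @param z11 forwarded to {@code prepare} (meaning not visible in this file)
     */
    public EncryptionManagerAPI23(Context context, String str, String str2, boolean z10, int i10, boolean z11) {
        super(str, str2);
        // Decompiler-resolved constant from an unrelated library; presumably "RSA" (confirm).
        this.mKeyStoreAlgorithm = AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA;
        // RSA encrypts a single block, so "ECB" here is only the conventional JCA mode name and
        // does not imply block-cipher ECB chaining behaviour.
        this.mBlockMode = "ECB";
        this.mEncryptionPadding = "OAEPPadding";
        StringBuilder sb2 = new StringBuilder();
        sb2.append(this.mKeyStoreAlgorithm);
        sb2.append("/");
        // b.g is an obfuscated helper; presumably it appends both strings and returns the built
        // text, giving "<algorithm>/ECB/OAEPWithSHA-256AndMGF1Padding" (confirm).
        this.mTransformationString = b.g(sb2, this.mBlockMode, "/OAEPWithSHA-256AndMGF1Padding");
        this.mIsAuthenticateUserRequired = z10;
        // API 30+ configures authentication through setUserAuthenticationParameters, where a
        // timeout of 0 (not -1) requests authentication for every use of the key.
        if (Build.VERSION.SDK_INT >= 30 && i10 == -1) {
            i10 = 0;
        }
        this.mValidityDurationSeconds = i10;
        prepare(context, z11);
    }

    /**
     * Initialises {@code keyPairGenerator} with a key spec for encryption and decryption.
     *
     * @param context not used by this implementation
     * @param keyPairGenerator generator to initialise
     * @param str alias of the key to generate
     * @param i10 key size in bits
     * @param str2 encryption padding to authorise
     * @param str3 block mode to authorise
     * @param z10 not used by this implementation
     * @param bArr optional seed; when non-empty it is wrapped in a {@link SecureRandom}
     * @return {@code true} if the generator accepted the spec, {@code false} otherwise
     */
    @Override // com.okta.oidc.storage.security.BaseEncryptionManager
    public boolean generateKeyPair(Context context, KeyPairGenerator keyPairGenerator, String str, int i10, String str2, String str3, boolean z10, @Nullable byte[] bArr) {
        try {
            // 3 == KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT.
            KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(str, 3)
                    .setKeySize(i10)
                    .setBlockModes(str3)
                    // First digest is a decompiler-resolved constant; presumably "SHA-256" (confirm).
                    .setDigests(KeyUtil.HMAC_KEY_HASH_ALGORITHM, "SHA-512")
                    .setEncryptionPaddings(str2)
                    .setUserAuthenticationRequired(this.mIsAuthenticateUserRequired);
            if (Build.VERSION.SDK_INT >= 30) {
                // 3 == KeyProperties.AUTH_DEVICE_CREDENTIAL | KeyProperties.AUTH_BIOMETRIC_STRONG.
                spec.setUserAuthenticationParameters(this.mValidityDurationSeconds, 3);
            } else {
                spec.setUserAuthenticationValidityDurationSeconds(this.mValidityDurationSeconds);
            }
            if (bArr != null && bArr.length > 0) {
                // NOTE(review): the key generator's randomness source is built from a
                // caller-supplied seed. Confirm that callers pass high-entropy bytes (or none)
                // and that the provider mixes the seed in rather than relying on it alone.
                keyPairGenerator.initialize(spec.build(), new SecureRandom(bArr));
            } else {
                keyPairGenerator.initialize(spec.build());
            }
            return true;
        } catch (InvalidAlgorithmParameterException e10) {
            Log.e(TAG, "initialize KeyPairGenerator: ", e10);
            return false;
        }
    }

    /**
     * Reports whether the stored private key is held inside secure hardware.
     *
     * <p>The answer comes from the local {@link KeyInfo} of the key; it is not a remote
     * attestation. {@code isInsideSecureHardware()} is deprecated from API 31 in favour of
     * {@code getSecurityLevel()}.
     *
     * @return {@code true} only if the key exists and reports secure-hardware storage;
     *     {@code false} if the store or key is missing or the lookup fails
     */
    @Override // com.okta.oidc.storage.security.BaseEncryptionManager, com.okta.oidc.storage.security.EncryptionManager
    public boolean isHardwareBackedKeyStore() {
        try {
            if (this.mKeyStore == null || !this.mKeyStore.containsAlias(this.mKeyAlias)) {
                return false;
            }
            PrivateKey privateKey = (PrivateKey) this.mKeyStore.getKey(this.mKeyAlias, null);
            if (privateKey == null) {
                return false;
            }
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), this.mKeyStoreName);
            KeyInfo keyInfo = (KeyInfo) factory.getKeySpec(privateKey, KeyInfo.class);
            return keyInfo.isInsideSecureHardware();
        } catch (KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException
                | UnrecoverableKeyException | InvalidKeySpecException e) {
            Log.w(TAG, "isHardwareBackedKeyStore: ", e);
            return false;
        }
    }

    /**
     * Checks whether the private key can currently be used for decryption.
     *
     * <p>The decompiled listing swallowed a failed key lookup and then dereferenced the key
     * anyway; a failed lookup or a missing key now returns {@code false}.
     *
     * @return {@code true} if the key does not require user authentication or the shared
     *     cipher could be initialised for decryption; {@code false} otherwise
     */
    @Override // com.okta.oidc.storage.security.EncryptionManager
    public boolean isUserAuthenticatedOnDevice() {
        if (this.mCipher == null) {
            return false;
        }
        try {
            PrivateKey privateKey = (PrivateKey) this.mKeyStore.getKey(this.mKeyAlias, null);
            if (privateKey == null) {
                return false;
            }
            KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), this.mKeyStoreName);
            KeyInfo keyInfo = (KeyInfo) factory.getKeySpec(privateKey, KeyInfo.class);
            if (!keyInfo.isUserAuthenticationRequired()) {
                return true;
            }
            this.mCipher.init(Cipher.DECRYPT_MODE, privateKey);
            return true;
        } catch (NoSuchProviderException | InvalidKeySpecException e) {
            Log.w(TAG, "Error during Read private key info: ", e);
            return false;
        } catch (GeneralSecurityException ignored) {
            // Not logged, as in the original handler. Presumably this is the expected outcome
            // when the key needs authentication the user has not yet provided.
            return false;
        }
    }

    /**
     * Checks that the private key exists and can initialise a decryption cipher.
     *
     * <p>NOTE(review): the decompiled listing gave no return value for the
     * {@link GeneralSecurityException} path; {@code false} is used as the fail-closed reading and
     * should be confirmed against the upstream source. Because every such failure yields
     * {@code false}, a transient authentication failure cannot be told apart from an invalidated
     * key here; verify that callers do not discard keys on that basis alone.
     *
     * @return {@code true} if a fresh cipher accepted the key for decryption, {@code false} otherwise
     */
    @Override // com.okta.oidc.storage.security.EncryptionManager
    public boolean isValidKeys() {
        try {
            Cipher probe = createCipher(this.mTransformationString);
            PrivateKey privateKey = (PrivateKey) this.mKeyStore.getKey(this.mKeyAlias, null);
            if (privateKey == null) {
                return false;
            }
            probe.init(Cipher.DECRYPT_MODE, privateKey);
            return true;
        } catch (GeneralSecurityException e) {
            // The listing logs only these two types; they are tested with instanceof because
            // the visible calls do not declare them.
            if (e instanceof NoSuchProviderException || e instanceof InvalidKeySpecException) {
                Log.w(TAG, "Error during Read private key info: ", e);
            }
            return false;
        }
    }
}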
