package com.microsoft.intune.cryptography.androidapicomponent.implementation;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import com.microsoft.identity.common.adal.internal.cache.StorageHelper;
import com.microsoft.identity.common.internal.platform.DevicePopManager;
import com.microsoft.intune.common.domain.INtpClient;
import com.microsoft.intune.cryptography.androidapicomponent.abstraction.ILocalKeyStore;
import com.microsoft.intune.utils.LoggingExtensionsKt;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.security.auth.x500.X500Principal;
import kotlin.Lazy;
import kotlin.LazyKt__LazyJVMKt;
import kotlin.Metadata;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Reflection;
import kotlin.reflect.KClass;

/* compiled from: AndroidLocalKeyStore.kt */
@Metadata(bv = {1, 0, 3}, d1 = {"\u0000h\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010 \n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0002\b\u0002\b\u0007\u0018\u0000 %2\u00020\u0001:\u0001%B\u000f\b\u0007\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u000e\u0010\u000b\u001a\b\u0012\u0004\u0012\u00020\r0\fH\u0016J\u0010\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u001a\u0010\u0011\u001a\u0004\u0018\u00010\u00122\u0006\u0010\u0010\u001a\u00020\r2\u0006\u0010\u0013\u001a\u00020\u0014H\u0016J\u0010\u0010\u0015\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u001e\u0010\u0016\u001a\u0004\u0018\u00010\u00172\u0006\u0010\u0010\u001a\u00020\r2\n\b\u0002\u0010\u0018\u001a\u0004\u0018\u00010\u0019H\u0002J\u0012\u0010\u001a\u001a\u0004\u0018\u00010\u001b2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u0012\u0010\u001c\u001a\u0004\u0018\u00010\u001d2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u0012\u0010\u001e\u001a\u0004\u0018\u00010\u001f2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u0012\u0010 \u001a\u0004\u0018\u00010!2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u0012\u0010\"\u001a\u0004\u0018\u00010\u001f2\u0006\u0010\u0010\u001a\u00020\rH\u0016J\u0010\u0010#\u001a\u00020$2\u0006\u0010\u0010\u001a\u00020\rH\u0016R\u001b\u0010\u0005\u001a\u00020\u00068BX\u0082\u0084\u0002¢\u0006\f\n\u0004\b\t\u0010\n\u001a\u0004\b\u0007\u0010\bR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006&"}, d2 = {"Lcom/microsoft/intune/cryptography/androidapicomponent/implementation/AndroidLocalKeyStore;", 
"Lcom/microsoft/intune/cryptography/androidapicomponent/abstraction/ILocalKeyStore;", "ntpClient", "Lcom/microsoft/intune/common/domain/INtpClient;", "(Lcom/microsoft/intune/common/domain/INtpClient;)V", "keyStore", "Ljava/security/KeyStore;", "getKeyStore", "()Ljava/security/KeyStore;", "keyStore$delegate", "Lkotlin/Lazy;", "aliases", "", "", "deleteEntry", "", "alias", "generateKeyPair", "Ljava/security/KeyPair;", "validityPeriodDays", "", "generateSecretKey", "getEntrySafe", "Ljava/security/KeyStore$Entry;", "protParam", "Ljava/security/KeyStore$ProtectionParameter;", "getPrivateKey", "Ljava/security/PrivateKey;", "getPublicKey", "Ljava/security/PublicKey;", "getPublicKeyCert", "Ljava/security/cert/X509Certificate;", "getSecretKey", "Ljavax/crypto/SecretKey;", "getTrustedCertificate", "isKeyHardwareBacked", "", "Companion", "base_userOfficialRelease"}, k = 1, mv = {1, 4, 0})
/* loaded from: classes.dex */
/**
 * {@link ILocalKeyStore} implementation on top of the platform {@code "AndroidKeyStore"} provider.
 *
 * <p>Every lookup goes through {@link #getEntrySafe}, which logs and returns {@code null} on any
 * failure. Callers of the getters therefore cannot tell "alias absent" from "keystore error",
 * and must treat {@code null} as "no usable key".
 *
 * <p>NOTE(review): this file is decompiler output. The {@code public} visibility of the instance
 * fields and of {@code LOGGER} is kept as found; confirm against the original Kotlin source
 * before relying on it.
 */
public final class AndroidLocalKeyStore implements ILocalKeyStore {
    /** Subject name set on the certificate generated alongside each RSA key pair. */
    public static final String DISTINGUISHED_NAME = "CN=IntuneAEDeviceEncryptionCert, OU=Microsoft Corporation";

    /** Keystore type and JCA provider name used for every operation in this class. */
    public static final String KEYSTORE_TYPE = "AndroidKeyStore";

    public static final Logger LOGGER = LoggingExtensionsKt.logger((KClass<?>) Reflection.getOrCreateKotlinClass(AndroidLocalKeyStore.class));

    /** Lazily loaded keystore handle; read it through {@link #getKeyStore()}. */
    public final Lazy keyStore;

    /** Time source used for key and certificate validity dates instead of the device clock. */
    public final INtpClient ntpClient;

    /**
     * Creates the store. The keystore itself is not opened here; it is loaded on first use.
     *
     * @param ntpClient time source for validity dates; must not be null
     */
    public AndroidLocalKeyStore(INtpClient ntpClient) {
        Intrinsics.checkNotNullParameter(ntpClient, "ntpClient");
        this.ntpClient = ntpClient;
        this.keyStore = LazyKt__LazyJVMKt.lazy(new Function0<KeyStore>() {
            @Override
            public final KeyStore invoke() {
                KeyStore loaded = KeyStore.getInstance(KEYSTORE_TYPE);
                // Both arguments are null: no stream and no password are supplied to load().
                loaded.load(null, null);
                return loaded;
            }
        });
    }

    /**
     * Fetches a keystore entry, turning every failure into a logged warning and {@code null}.
     *
     * @param alias     entry name
     * @param protParam protection parameter handed to the keystore; may be null
     * @return the entry, or {@code null} when the lookup returned nothing or threw
     */
    private final KeyStore.Entry getEntrySafe(String alias, KeyStore.ProtectionParameter protParam) {
        KeyStore.Entry found;
        try {
            found = getKeyStore().getEntry(alias, protParam);
        } catch (Exception lookupFailure) {
            LOGGER.log(Level.WARNING, "Could not get entry for " + alias, lookupFailure);
            found = null;
        }
        return found;
    }

    /**
     * Compiler-generated bridge for the Kotlin default argument of {@code getEntrySafe}.
     * When bit 2 of {@code i} is set, the protection parameter is replaced by {@code null}.
     */
    public static /* synthetic */ KeyStore.Entry getEntrySafe$default(AndroidLocalKeyStore androidLocalKeyStore, String str, KeyStore.ProtectionParameter protectionParameter, int i, Object obj) {
        boolean useDefaultProtParam = (i & 2) != 0;
        return androidLocalKeyStore.getEntrySafe(str, useDefaultProtParam ? null : protectionParameter);
    }

    /** Returns the keystore, loading it on first access through the lazy holder. */
    private final KeyStore getKeyStore() {
        return (KeyStore) this.keyStore.getValue();
    }

    /**
     * Lists every alias currently present in the keystore.
     *
     * @return the aliases as a list
     */
    @Override
    public List<String> aliases() {
        Enumeration<String> enumerated = getKeyStore().aliases();
        Intrinsics.checkNotNullExpressionValue(enumerated, "keyStore.aliases()");
        List<String> collected = Collections.list(enumerated);
        Intrinsics.checkNotNullExpressionValue(collected, "java.util.Collections.list(this)");
        return collected;
    }

    /**
     * Removes the entry stored under {@code alias}. Unlike the getters, nothing is caught here,
     * so a keystore failure propagates to the caller.
     *
     * @param alias entry name; must not be null
     */
    @Override
    public void deleteEntry(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore store = getKeyStore();
        store.deleteEntry(alias);
    }

    /**
     * Generates a 2048-bit key pair under {@code alias} for encryption and decryption with OAEP
     * padding, together with a certificate whose subject is {@link #DISTINGUISHED_NAME}.
     *
     * <p>Security-relevant properties of the spec, as configured below:
     * <ul>
     *   <li>User authentication is not required, and on API 28+ an unlocked device is not
     *       required either, so the key is usable without either condition being met.</li>
     *   <li>SHA-1 is authorized alongside SHA-256 and SHA-512. NOTE(review): confirm whether a
     *       peer still needs SHA-1 before keeping it in the list.</li>
     *   <li>Validity runs from one day before the NTP-reported time to
     *       {@code validityPeriodDays} days after it. The one-day backdating is presumably a
     *       clock-skew allowance; confirm.</li>
     *   <li>Hardware backing is not requested here; {@link #isKeyHardwareBacked} reports what
     *       the platform actually provided.</li>
     * </ul>
     *
     * <p>The NTP time is obtained with a blocking call on the calling thread.
     *
     * @param alias              entry name; must not be null
     * @param validityPeriodDays days the key and certificate stay valid, counted from now
     * @return the generated pair, or {@code null} on any failure (details are only logged)
     */
    @Override
    public KeyPair generateKeyPair(String alias, int validityPeriodDays) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        try {
            // Purposes 3 == KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT.
            KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias, 3)
                    .setDigests("SHA-1", "SHA-256", "SHA-512")
                    .setEncryptionPaddings("OAEPPadding")
                    .setKeySize(2048)
                    .setCertificateSubject(new X500Principal(DISTINGUISHED_NAME))
                    .setUserAuthenticationRequired(false);
            // 28 == Android P, the first release that has setUnlockedDeviceRequired.
            if (Build.VERSION.SDK_INT >= 28) {
                spec.setUnlockedDeviceRequired(false);
            }

            Calendar validity = Calendar.getInstance();
            Long ntpNowMillis = this.ntpClient.currentTimeMillis().blockingGet();
            Intrinsics.checkNotNullExpressionValue(ntpNowMillis, "ntpClient.currentTimeMil…           .blockingGet()");
            validity.setTimeInMillis(ntpNowMillis.longValue());

            // Start of validity: one day before the NTP time.
            validity.add(Calendar.DATE, -1);
            Intrinsics.checkNotNullExpressionValue(validity, "calendar");
            spec.setKeyValidityStart(validity.getTime());
            spec.setCertificateNotBefore(validity.getTime());

            // End of validity: the extra day cancels the backdating, giving now + validityPeriodDays.
            validity.add(Calendar.DATE, validityPeriodDays + 1);
            spec.setKeyValidityEnd(validity.getTime());
            spec.setKeyValidityForConsumptionEnd(validity.getTime());
            spec.setKeyValidityForOriginationEnd(validity.getTime());
            spec.setCertificateNotAfter(validity.getTime());

            KeyPairGenerator generator = KeyPairGenerator.getInstance(DevicePopManager.KeyPairGeneratorAlgorithms.RSA, KEYSTORE_TYPE);
            generator.initialize(spec.build());
            return generator.generateKeyPair();
        } catch (ProviderException providerFailure) {
            if (providerFailure.getCause() instanceof UnrecoverableKeyException) {
                return recoverGeneratedKeyPair(alias, providerFailure);
            }
            LOGGER.log(Level.SEVERE, "Unhandled ProviderException while trying to generate a key pair", providerFailure);
            return null;
        } catch (Exception unexpected) {
            LOGGER.log(Level.SEVERE, "Unexpected error trying to generate a key pair", unexpected);
            return null;
        }
    }

    /**
     * Fallback used when generation threw a {@link ProviderException} caused by an
     * {@link UnrecoverableKeyException}: reads the entry back from the keystore and rebuilds
     * the pair from its private key and certificate.
     *
     * @param alias             entry name that generation was attempted for
     * @param generationFailure the exception thrown by generation, attached to one log record
     * @return the pair read back from the keystore, or {@code null} if it is missing or unusable
     */
    private KeyPair recoverGeneratedKeyPair(String alias, ProviderException generationFailure) {
        try {
            KeyStore.Entry stored = getKeyStore().getEntry(alias, null);
            if (stored == null) {
                LOGGER.severe("Newly generated keypair for ``" + alias + "`` was not found");
                return null;
            }
            if (!(stored instanceof KeyStore.PrivateKeyEntry)) {
                LOGGER.log(Level.SEVERE, "Newly generated keypair for ``" + alias + "`` has incorrect entry type: ``" + stored.getClass().getSimpleName() + "``", generationFailure);
                return null;
            }
            KeyStore.PrivateKeyEntry keyEntry = (KeyStore.PrivateKeyEntry) stored;
            PrivateKey privateHalf = keyEntry.getPrivateKey();
            Certificate certificate = keyEntry.getCertificate();
            // A null certificate throws here and is reported by the catch below.
            Intrinsics.checkNotNullExpressionValue(certificate, "entry.certificate");
            PublicKey publicHalf = certificate.getPublicKey();
            if (publicHalf == null) {
                LOGGER.severe("Newly generated keypair for ``" + alias + "`` is missing the public key");
                return null;
            }
            return new KeyPair(publicHalf, privateHalf);
        } catch (Exception readBackFailure) {
            LOGGER.log(Level.SEVERE, "Unexpected exception trying to retrieve newly generated keypair for ``" + alias + "``", readBackFailure);
            return null;
        }
    }

    /**
     * Generates a 128-bit secret key under {@code alias} for CBC mode with PKCS7 padding.
     *
     * <p>Failures are only logged and there is no return value, so a caller that needs the key
     * has to confirm it exists with {@link #getSecretKey}.
     *
     * <p>NOTE(review): CBC with PKCS7 padding provides no integrity protection by itself. Data
     * encrypted with this key needs a separate authentication step (for example a MAC verified
     * before decryption) wherever ciphertext could be modified; confirm that callers do this.
     *
     * @param alias entry name; must not be null
     */
    @Override
    public void generateSecretKey(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        try {
            // Purposes 3 == KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT.
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, 3)
                    .setKeySize(128)
                    .setBlockModes("CBC")
                    .setEncryptionPaddings("PKCS7Padding")
                    .build();
            // KEYSPEC_ALGORITHM is defined in StorageHelper; presumably "AES" - confirm.
            KeyGenerator generator = KeyGenerator.getInstance(StorageHelper.KEYSPEC_ALGORITHM, KEYSTORE_TYPE);
            generator.init(spec);
            generator.generateKey();
        } catch (Exception generationFailure) {
            LOGGER.log(Level.SEVERE, "Unexpected error trying to generate a secret key", generationFailure);
        }
    }

    /**
     * Returns the private key stored under {@code alias}.
     *
     * @param alias entry name; must not be null
     * @return the key, or {@code null} (with a warning logged) when the entry is absent, could
     *         not be read, or is not a private-key entry
     */
    @Override
    public PrivateKey getPrivateKey(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore.Entry entry = getEntrySafe(alias, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            LOGGER.log(Level.WARNING, "Entry for " + alias + " is not a private key");
            return null;
        }
        return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
    }

    /**
     * Returns the public key from the certificate of the private-key entry under {@code alias}.
     *
     * @param alias entry name; must not be null
     * @return the public key, or {@code null} when there is no private-key entry or it has no
     *         certificate
     */
    @Override
    public PublicKey getPublicKey(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore.Entry entry = getEntrySafe(alias, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            return null;
        }
        Certificate certificate = ((KeyStore.PrivateKeyEntry) entry).getCertificate();
        return certificate == null ? null : certificate.getPublicKey();
    }

    /**
     * Returns the certificate of the private-key entry under {@code alias}.
     *
     * @param alias entry name; must not be null
     * @return the certificate, or {@code null} when there is no private-key entry or its
     *         certificate is not an {@link X509Certificate}
     */
    @Override
    public X509Certificate getPublicKeyCert(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore.Entry entry = getEntrySafe(alias, null);
        if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
            return null;
        }
        Certificate certificate = ((KeyStore.PrivateKeyEntry) entry).getCertificate();
        return certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
    }

    /**
     * Returns the secret key stored under {@code alias}.
     *
     * @param alias entry name; must not be null
     * @return the key, or {@code null} when the entry is absent, unreadable, or of another type
     */
    @Override
    public SecretKey getSecretKey(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore.Entry entry = getEntrySafe(alias, null);
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            return null;
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    /**
     * Returns the trusted certificate stored under {@code alias}.
     *
     * @param alias entry name; must not be null
     * @return the certificate, or {@code null} when there is no trusted-certificate entry or
     *         its certificate is not an {@link X509Certificate}
     */
    @Override
    public X509Certificate getTrustedCertificate(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        KeyStore.Entry entry = getEntrySafe(alias, null);
        if (!(entry instanceof KeyStore.TrustedCertificateEntry)) {
            return null;
        }
        Certificate trusted = ((KeyStore.TrustedCertificateEntry) entry).getTrustedCertificate();
        return trusted instanceof X509Certificate ? (X509Certificate) trusted : null;
    }

    /**
     * Reports whether the private key under {@code alias} resides inside secure hardware.
     *
     * <p>{@code false} is returned both when the key is not inside secure hardware and when
     * that could not be determined (no private-key entry, or any lookup failure), so a
     * {@code false} result is not proof of a software-only key. Only private-key entries are
     * examined; an alias holding a secret key always yields {@code false}.
     *
     * <p>NOTE(review): {@code KeyInfo.isInsideSecureHardware()} is deprecated on newer API
     * levels in favour of {@code KeyInfo.getSecurityLevel()}; confirm the target SDK.
     *
     * @param alias entry name; must not be null
     * @return {@code true} only when the platform reports the key as inside secure hardware
     */
    @Override
    public boolean isKeyHardwareBacked(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        PrivateKey privateKey = getPrivateKey(alias);
        if (privateKey == null) {
            return false;
        }
        // The nesting is deliberate: the outer handler also covers anything thrown by the
        // inner handlers, exactly as in the original layout.
        try {
            try {
                KeyFactory factory = KeyFactory.getInstance(privateKey.getAlgorithm(), KEYSTORE_TYPE);
                KeyInfo keyInfo = (KeyInfo) factory.getKeySpec(privateKey, KeyInfo.class);
                return keyInfo != null && keyInfo.isInsideSecureHardware();
            } catch (ProviderException providerFailure) {
                LOGGER.log(Level.WARNING, "Could not get key info for private key to check if it is hardware backed, provider exception", providerFailure);
                return false;
            } catch (InvalidKeySpecException specFailure) {
                LOGGER.log(Level.WARNING, "Could not get key info for private key to check if it is hardware backed, invalid key spec", specFailure);
                return false;
            }
        } catch (Exception factoryFailure) {
            LOGGER.log(Level.WARNING, "Could not get key factory for private key with algorithm " + privateKey.getAlgorithm(), factoryFailure);
        }
        return false;
    }
}
