package com.okta.android.security.keys.keystore;

import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.text.TextUtils;
import com.google.common.io.ByteStreams;
import com.okta.android.security.keys.KeyManager;
import com.okta.android.security.keys.KeyUtils;
import com.okta.android.security.keys.exception.KeyNotFoundException;
import com.okta.android.security.keys.exception.KeystoreLockedException;
import com.okta.android.security.keys.exception.OktaKeystoreException;
import com.okta.android.security.keys.keystore.storage.DbHandler;
import com.okta.android.security.keys.keystore.storage.KeyMetadata;
import com.okta.android.security.keys.tool.PasswordGenerator;
import com.okta.lib.android.common.data.CommonPreferences;
import com.okta.lib.android.common.utilities.Clock;
import com.okta.lib.android.common.utilities.CommonUtil;
import com.okta.lib.android.common.utilities.Log;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.inject.Inject;
import javax.inject.Named;
import org.spongycastle.asn1.ASN1Encodable;
import org.spongycastle.asn1.x500.X500Name;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.KeyUsage;
import org.spongycastle.cert.CertIOException;
import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
import org.spongycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.spongycastle.operator.OperatorCreationException;
import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: classes2.dex */
public class LocalKeyManager implements KeyManager {
    private static final String KEYPAIR_ALGORITHM = "RSA";
    private static final int KEYPAIR_KEY_SIZE = 2048;
    private static final String KEYSTORE_PREF_SUFFIX = "_ks";
    private static final String KEY_ENTRY_PREF_SUFFIX = "_ke";
    private static final String MUST_HAVE_AN_ALIAS = "Must have an alias";
    private static final String NOT_SUPPORTED = "Not Supported";
    private static final String TAG = "LocalKeyManager";
    private final Clock clock;
    private final CommonUtil commonUtil;
    private final Context context;
    private final DbHandler dbHandler;
    private final KeyUtils keyUtils;
    private final PasswordGenerator passwordGenerator;
    private final CommonPreferences prefs;
    private HashMap<String, KeyStore> keystoreCache = new HashMap<>();
    private HashMap<String, String> keyCache = new HashMap<>();
    private HashMap<String, byte[]> keystoreFileCache = new HashMap<>();

    @Inject
    public LocalKeyManager(@Named("prefs.security") CommonPreferences commonPreferences, Context context, PasswordGenerator passwordGenerator, Clock clock, CommonUtil commonUtil, KeyUtils keyUtils, DbHandler dbHandler) {
        this.prefs = commonPreferences;
        this.context = context;
        this.passwordGenerator = passwordGenerator;
        this.clock = clock;
        this.commonUtil = commonUtil;
        this.keyUtils = keyUtils;
        this.dbHandler = dbHandler;
    }

    private X509Certificate buildCertificate(KeyPair keyPair, Set<Integer> set, X500Name x500Name) throws CertIOException, OperatorCreationException, CertificateException {
        BigInteger valueOf = BigInteger.valueOf(this.clock.currentTimeMillis());
        Calendar calendar = Calendar.getInstance();
        Date time = calendar.getTime();
        calendar.add(1, 1);
        JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(x500Name, valueOf, time, calendar.getTime(), x500Name, keyPair.getPublic());
        jcaX509v3CertificateBuilder.addExtension(Extension.keyUsage, false, (ASN1Encodable) new KeyUsage(144));
        return new JcaX509CertificateConverter().getCertificate(jcaX509v3CertificateBuilder.build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate())));
    }

    private void clearCache(String str) {
        this.keyCache.remove(str);
        this.keystoreCache.remove(getFilename(str));
        this.keystoreFileCache.remove(getFilename(str));
    }

    private static boolean closeFileStream(InputStream inputStream) {
        if (inputStream == null) {
            return false;
        }
        try {
            inputStream.close();
            return true;
        } catch (IOException e) {
            Log.e(TAG, "InputStream close failed.", e);
            return false;
        }
    }

    private static boolean closeFileStream(OutputStream outputStream) {
        if (outputStream == null) {
            return false;
        }
        try {
            outputStream.close();
            return true;
        } catch (IOException e) {
            Log.e(TAG, "OutputStream close failed.", e);
            return false;
        }
    }

    private KeyStore createKeystore(String str) throws KeyStoreException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Must have an alias");
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try {
            if (!loadKeyStore(keyStore, (FileInputStream) null, (String) null)) {
                throw new KeyStoreException("Failed to create keystore");
            }
            this.keystoreCache.put(getFilename(str), keyStore);
            return keyStore;
        } catch (GeneralSecurityException e) {
            throw new KeyStoreException(e);
        }
    }

    private List<String> findAllAliases() {
        List<KeyMetadata> fetchKeyMetadata = this.dbHandler.fetchKeyMetadata(KeyManagerType.LOCAL);
        ArrayList arrayList = new ArrayList(fetchKeyMetadata.size());
        Iterator<KeyMetadata> it = fetchKeyMetadata.iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().keyAlias);
        }
        return arrayList;
    }

    private String findKeyPassword(String str) {
        return this.prefs.getString(str + KEY_ENTRY_PREF_SUFFIX, null);
    }

    private String findKeystorePassword(String str) {
        return this.prefs.getString(str + KEYSTORE_PREF_SUFFIX, null);
    }

    private String getFilename(String str) {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Alias empty when finding keystore filename");
        }
        return str + ".keystore";
    }

    private KeyStore getKeystore(String str) throws KeyStoreException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Must have an alias");
        }
        String filename = getFilename(str);
        KeyStore keyStore = this.keystoreCache.get(filename);
        if (keyStore != null) {
            return keyStore;
        }
        String findKeystorePassword = findKeystorePassword(str);
        try {
            String str2 = TAG;
            Log.d(str2, "Starting to unlock keystore: " + str.substring(0, 3));
            KeyStore keyStore2 = KeyStore.getInstance(KeyStore.getDefaultType());
            if (!loadKeyStore(keyStore2, filename, this.passwordGenerator.bruteForcePredictablePassword(findKeystorePassword))) {
                throw new KeyStoreException("Failed to load keystore");
            }
            Log.i(str2, "Successfully unlocked keystore for " + str.substring(0, 3));
            this.keystoreCache.put(filename, keyStore2);
            return keyStore2;
        } catch (GeneralSecurityException e) {
            Log.e(TAG, "error when trying to decrypt keystore from disk");
            throw new KeyStoreException(e);
        }
    }

    private File getKeystoreFile(String str) {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Alias empty when finding keystore file");
        }
        return this.context.getFileStreamPath(getFilename(str));
    }

    private boolean keyStoreToDisk(KeyStore keyStore, String str) {
        try {
            FileOutputStream openFileOutput = this.context.openFileOutput(getFilename(str), 0);
            byte[] generateRandomPassword = this.passwordGenerator.generateRandomPassword();
            try {
                try {
                    try {
                        keyStore.store(openFileOutput, this.keyUtils.encodeBase64(generateRandomPassword).toCharArray());
                        storeKeystorePassword(str, generateRandomPassword);
                        return closeFileStream(openFileOutput);
                    } catch (IOException e) {
                        Log.e(TAG, "Could not read from file stream", e);
                        return false;
                    } catch (KeyStoreException e2) {
                        Log.e(TAG, "Key store not initialized", e2);
                        return false;
                    }
                } catch (NoSuchAlgorithmException e3) {
                    Log.e(TAG, "No Algorithm", e3);
                    return false;
                } catch (CertificateException e4) {
                    Log.e(TAG, "Could not load certificates", e4);
                    return false;
                } catch (GeneralSecurityException e5) {
                    Log.e(TAG, "Failed to store keystore password", e5);
                    return false;
                }
            } finally {
                closeFileStream(openFileOutput);
            }
        } catch (FileNotFoundException e6) {
            Log.e(TAG, "File could not be found", e6);
            return false;
        }
    }

    private KeyPair loadKey(KeyStore keyStore, String str, String str2) throws KeyStoreException, UnrecoverableEntryException {
        KeyStore.PrivateKeyEntry loadKeyEntry = loadKeyEntry(keyStore, str, str2);
        return new KeyPair(loadKeyEntry.getCertificate().getPublicKey(), loadKeyEntry.getPrivateKey());
    }

    private KeyStore.PrivateKeyEntry loadKeyEntry(KeyStore keyStore, String str, String str2) throws KeyStoreException, UnrecoverableEntryException {
        try {
            return (KeyStore.PrivateKeyEntry) keyStore.getEntry(this.keyUtils.encodeToDefaultCharset(str), new KeyStore.PasswordProtection(this.keyUtils.encodeToDefaultCharset(str2).toCharArray()));
        } catch (NoSuchAlgorithmException e) {
            Log.e(TAG, "Required algorithm is unavailable.", e);
            throw new KeyStoreException(e);
        }
    }

    private boolean loadKeyStore(KeyStore keyStore, InputStream inputStream, String str) throws InvalidAlgorithmParameterException {
        char[] charArray;
        if (str != null) {
            try {
                charArray = str.toCharArray();
            } catch (IOException unused) {
                throw new InvalidAlgorithmParameterException("Bad password when loading keystore");
            } catch (NoSuchAlgorithmException e) {
                Log.e(TAG, "No Algorithm", e);
                return false;
            } catch (CertificateException e2) {
                Log.e(TAG, "Could not load certificates", e2);
                return false;
            }
        } else {
            charArray = null;
        }
        keyStore.load(inputStream, charArray);
        return true;
    }

    private boolean loadKeyStore(KeyStore keyStore, String str, String str2) throws InvalidAlgorithmParameterException {
        InputStream openFileStream = openFileStream(str);
        if (openFileStream == null) {
            return false;
        }
        try {
            boolean loadKeyStore = loadKeyStore(keyStore, openFileStream, str2);
            if (closeFileStream(openFileStream)) {
                return loadKeyStore;
            }
            return false;
        } finally {
            closeFileStream(openFileStream);
        }
    }

    private InputStream openFileStream(String str) {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Filename cannot be blank");
        }
        byte[] bArr = this.keystoreFileCache.get(str);
        if (bArr == null) {
            try {
                byte[] byteArray = ByteStreams.toByteArray(this.context.openFileInput(str));
                this.keystoreFileCache.put(str, byteArray);
                bArr = byteArray;
            } catch (FileNotFoundException e) {
                Log.e(TAG, "File could not be found", e);
                return null;
            } catch (IOException e2) {
                Log.e(TAG, "Error converting file to byte array", e2);
                return null;
            }
        }
        return new ByteArrayInputStream(bArr);
    }

    private void storeCertificate(String str, X509Certificate x509Certificate, PrivateKey privateKey) throws KeyStoreException, OktaKeystoreException {
        KeyStore createKeystore = createKeystore(str);
        byte[] generatePredictablePassword = this.passwordGenerator.generatePredictablePassword();
        String encodeBase64 = this.keyUtils.encodeBase64(generatePredictablePassword);
        try {
            createKeystore.setEntry(str, new KeyStore.PrivateKeyEntry(privateKey, new Certificate[]{x509Certificate}), new KeyStore.PasswordProtection(encodeBase64.toCharArray()));
            if (!keyStoreToDisk(createKeystore, str)) {
                throw new OktaKeystoreException("Failed to save keystore to disk");
            }
            try {
                storeKeyPassword(str, generatePredictablePassword);
                this.keyCache.put(str, encodeBase64);
                long currentTimeMillis = this.clock.currentTimeMillis();
                this.dbHandler.postKeyMetadata(new KeyMetadata(currentTimeMillis, currentTimeMillis, str, KeyManagerType.LOCAL, this.commonUtil.getOSVersionInt(), this.commonUtil.getAppVersion()));
            } catch (GeneralSecurityException e) {
                throw new OktaKeystoreException(e);
            }
        } catch (KeyStoreException e2) {
            Log.e(TAG, "Key store is not initialized.", e2);
            throw e2;
        }
    }

    private void storeKeyPassword(String str, byte[] bArr) throws GeneralSecurityException {
        this.prefs.set(str + KEY_ENTRY_PREF_SUFFIX, this.passwordGenerator.encryptPasswordToString(bArr));
    }

    private void storeKeystorePassword(String str, byte[] bArr) throws GeneralSecurityException {
        this.prefs.set(str + KEYSTORE_PREF_SUFFIX, this.passwordGenerator.encryptPasswordToString(bArr));
    }

    private void storeUserKeypair(String str, KeyPair keyPair) throws OktaKeystoreException, KeyStoreException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Must have an alias");
        }
        try {
            X509Certificate buildCertificate = buildCertificate(keyPair, new HashSet(), new X500Name("CN=" + str));
            Log.d(TAG, buildCertificate.getSigAlgName());
            storeCertificate(str, buildCertificate, keyPair.getPrivate());
        } catch (CertificateException | CertIOException | OperatorCreationException e) {
            Log.e(TAG, "Failed to generate key certificate");
            throw new OktaKeystoreException("Failed to generate key certificate", e);
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public void clearEntry(String str) throws KeyStoreException, KeystoreLockedException {
        File keystoreFile = getKeystoreFile(str);
        if (keystoreFile == null) {
            Log.i(TAG, "Tried to delete a key that doesn't exist");
            this.dbHandler.clearKeyMetadata(str);
            clearCache(str);
        } else {
            if (!keystoreFile.delete()) {
                throw new KeyStoreException("Failed to delete the keystore for alias: " + str);
            }
            this.dbHandler.clearKeyMetadata(str);
            clearCache(str);
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public void clearKeystore() throws KeyStoreException, KeystoreLockedException {
        for (String str : findAllAliases()) {
            if (!getKeystoreFile(str).delete()) {
                throw new KeyStoreException("Failed to delete the keystore for alias: " + str);
            }
            clearCache(str);
        }
        this.dbHandler.clearKeyMetadata(KeyManagerType.LOCAL);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public boolean containsAlias(String str) throws OktaKeystoreException {
        throw new OktaKeystoreException(NOT_SUPPORTED);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public X509Certificate createCertificate(KeyPair keyPair, Set<Integer> set, X500Name x500Name) throws CertIOException, OperatorCreationException, CertificateException, OktaKeystoreException {
        X509Certificate buildCertificate = buildCertificate(keyPair, set, x500Name);
        try {
            storeCertificate(x500Name.toString(), buildCertificate, keyPair.getPrivate());
            return buildCertificate;
        } catch (KeyStoreException e) {
            throw new OktaKeystoreException(e);
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public KeyPair generateKeyPair(String str) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException, OktaKeystoreException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Alias empty when generating keypair");
        }
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        try {
            storeUserKeypair(str, generateKeyPair);
            return generateKeyPair;
        } catch (GeneralSecurityException e) {
            Log.e(TAG, "Failed to store generated keypair", e);
            throw new OktaKeystoreException(e);
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public KeyPair generateKeyPair(String str, int i, Set<Integer> set, String str2) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException, OktaKeystoreException {
        return generateKeyPair(str);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public KeyPair generateKeyPair(String str, String str2, AlgorithmParameterSpec algorithmParameterSpec) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, NoSuchProviderException, OktaKeystoreException {
        return generateKeyPair(str);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public SecretKey generateSecretKey(String str, KeyGenParameterSpec keyGenParameterSpec) throws InvalidAlgorithmParameterException, NoSuchProviderException, NoSuchAlgorithmException, OktaKeystoreException {
        throw new OktaKeystoreException(NOT_SUPPORTED);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public SecretKey generateSecretKey(String str, boolean z) throws InvalidAlgorithmParameterException, NoSuchProviderException, NoSuchAlgorithmException, OktaKeystoreException {
        throw new OktaKeystoreException(NOT_SUPPORTED);
    }

    @Override // com.okta.android.security.keys.KeyManager
    public X509Certificate getCertificate(String str) throws GeneralSecurityException, OktaKeystoreException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Must have an alias");
        }
        KeyStore keystore = getKeystore(str);
        String str2 = this.keyCache.get(str);
        if (!TextUtils.isEmpty(str2)) {
            try {
                return (X509Certificate) loadKeyEntry(keystore, str, str2).getCertificate();
            } catch (UnrecoverableEntryException e) {
                Log.w(TAG, "Cached password failed", e);
            }
        }
        try {
            String bruteForcePredictablePassword = this.passwordGenerator.bruteForcePredictablePassword(findKeyPassword(str));
            try {
                X509Certificate x509Certificate = (X509Certificate) loadKeyEntry(keystore, str, bruteForcePredictablePassword).getCertificate();
                this.keyCache.put(str, bruteForcePredictablePassword);
                return x509Certificate;
            } catch (UnrecoverableEntryException unused) {
                Log.e(TAG, "Stored key failed to decrypt the certificate");
                throw new KeyStoreException("Failed to find password for certificate");
            }
        } catch (GeneralSecurityException unused2) {
            throw new KeyStoreException("Failed to find password for the certificate");
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public KeyPair getKeypair(String str) throws KeyStoreException, KeystoreLockedException, KeyNotFoundException {
        if (TextUtils.isEmpty(str)) {
            throw new IllegalArgumentException("Must have an alias");
        }
        KeyStore keystore = getKeystore(str);
        String str2 = this.keyCache.get(str);
        if (!TextUtils.isEmpty(str2)) {
            try {
                return loadKey(keystore, str, str2);
            } catch (UnrecoverableEntryException e) {
                Log.w(TAG, "Cached password failed", e);
            }
        }
        try {
            String bruteForcePredictablePassword = this.passwordGenerator.bruteForcePredictablePassword(findKeyPassword(str));
            try {
                KeyPair loadKey = loadKey(keystore, str, bruteForcePredictablePassword);
                this.keyCache.put(str, bruteForcePredictablePassword);
                return loadKey;
            } catch (UnrecoverableEntryException unused) {
                Log.e(TAG, "Stored key failed to decrypt key entry");
                throw new KeyStoreException("Failed to find password for key");
            }
        } catch (GeneralSecurityException unused2) {
            throw new KeyStoreException("Failed to find password for the stored key");
        }
    }

    @Override // com.okta.android.security.keys.KeyManager
    public SecretKey getSecretKey(String str) throws KeyStoreException, KeystoreLockedException, KeyNotFoundException, UnrecoverableKeyException, NoSuchAlgorithmException, OktaKeystoreException {
        throw new OktaKeystoreException(NOT_SUPPORTED);
    }
}
