package webauthnkit.core.authenticator.internal.key;

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import com.davemorrissey.labs.subscaleview.BuildConfig;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import kotlin.Metadata;
import kotlin.jvm.internal.n0;
import kotlin.jvm.internal.t;
import webauthnkit.core.authenticator.e;
import webauthnkit.core.authenticator.g;
import webauthnkit.core.authenticator.h;
import webauthnkit.core.error.d;
import webauthnkit.core.error.i;

@Metadata(d1 = {"\u0000J\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0010\b\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u0012\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\t\b\u0007\u0018\u0000 \"2\u00020\u0001:\u0001\u001cB\u000f\u0012\u0006\u0010\u0003\u001a\u00020\u0002¢\u0006\u0004\b\u0004\u0010\u0005J'\u0010\r\u001a\u00020\f2\u0006\u0010\u0007\u001a\u00020\u00062\u0006\u0010\t\u001a\u00020\b2\u0006\u0010\u000b\u001a\u00020\nH\u0002¢\u0006\u0004\b\r\u0010\u000eJ\u0017\u0010\u000f\u001a\u00020\n2\u0006\u0010\u0007\u001a\u00020\u0006H\u0002¢\u0006\u0004\b\u000f\u0010\u0010J'\u0010\u0012\u001a\u00020\u00112\u0006\u0010\u0007\u001a\u00020\u00062\u0006\u0010\t\u001a\u00020\b2\u0006\u0010\u000b\u001a\u00020\nH\u0016¢\u0006\u0004\b\u0012\u0010\u0013J\u0017\u0010\u0015\u001a\u00020\u00142\u0006\u0010\u0007\u001a\u00020\u0006H\u0016¢\u0006\u0004\b\u0015\u0010\u0016J7\u0010\u001c\u001a\u00020\u001b2\u0006\u0010\u0007\u001a\u00020\u00062\u0006\u0010\t\u001a\u00020\b2\u0006\u0010\u0018\u001a\u00020\u00172\u0006\u0010\u0019\u001a\u00020\u00142\u0006\u0010\u001a\u001a\u00020\nH\u0016¢\u0006\u0004\b\u001c\u0010\u001dJ\u001f\u0010\u001f\u001a\u00020\b2\u0006\u0010\u0019\u001a\u00020\u00142\u0006\u0010\u001e\u001a\u00020\bH\u0016¢\u0006\u0004\b\u001f\u0010 R\u001a\u0010\u0003\u001a\u00020\u00028\u0016X\u0096\u0004¢\u0006\f\n\u0004\b\u001c\u0010!\u001a\u0004\b\"\u0010#¨\u0006$"}, d2 = {"Lwebauthnkit/core/authenticator/internal/key/a;", "Lwebauthnkit/core/authenticator/internal/key/b;", BuildConfig.FLAVOR, "alg", "<init>", "(I)V", BuildConfig.FLAVOR, "alias", BuildConfig.FLAVOR, "clientDataHash", BuildConfig.FLAVOR, "invalidateByBiometricEnrollment", "Landroid/security/keystore/KeyGenParameterSpec;", "f", "(Ljava/lang/String;[BZ)Landroid/security/keystore/KeyGenParameterSpec;", "g", 
"(Ljava/lang/String;)Z", "Lwebauthnkit/core/authenticator/g;", "e", "(Ljava/lang/String;[BZ)Lwebauthnkit/core/authenticator/g;", "Ljava/security/Signature;", "c", "(Ljava/lang/String;)Ljava/security/Signature;", "Lwebauthnkit/core/authenticator/e;", "authenticatorData", "signature", "requireTEE", "Lwebauthnkit/core/authenticator/a;", "a", "(Ljava/lang/String;[BLwebauthnkit/core/authenticator/e;Ljava/security/Signature;Z)Lwebauthnkit/core/authenticator/a;", "data", "d", "(Ljava/security/Signature;[B)[B", "I", "b", "()I", "webauthnkit_release"}, k = 1, mv = {1, 5, 1})
/* loaded from: classes3.dex */
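/**
 * Key support backed by the "AndroidKeyStore" provider: generates an EC (secp256r1) signing key
 * per credential alias, signs with SHA256withECDSA, and builds the attestation object.
 *
 * <p>This is decompiled, name-obfuscated Kotlin. The helper calls {@code t.g}, {@code t.f},
 * {@code t.d} and {@code t.n} are presumably the Kotlin intrinsics for parameter null checks,
 * expression null checks, non-null assertion and string concatenation; confirm against the
 * original sources before relying on that reading.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Keys are created with user authentication required and with the WebAuthn
 *       {@code clientDataHash} as the Keystore attestation challenge.</li>
 *   <li>Attestation is "android-key" (with the Keystore certificate chain in {@code x5c}) only
 *       when the key reports secure hardware; otherwise it falls back to "packed" with no
 *       certificate chain, unless the caller passed {@code requireTEE = true}.</li>
 * </ul>
 */
public final class a implements b {
    /** Log tag passed to the project's logger; presumably the Kotlin simple name of this class. */
    private static final String c;

    /* renamed from: a, reason: from kotlin metadata */
    /** Algorithm identifier reported in the attestation statement and in the generated key. */
    private final int alg;

    static {
        String u = n0.c(a.class).u();
        t.d(u);
        c = u;
    }

    /**
     * @param i algorithm identifier stored as {@code alg} and returned by {@link #getAlg()}
     */
    public a(int i) {
        this.alg = i;
    }

    /**
     * Builds the key generation parameters for a new credential key.
     *
     * @param alias keystore alias of the key to create
     * @param clientDataHash used as the Keystore attestation challenge
     * @param invalidateByBiometricEnrollment whether a new biometric enrollment invalidates the key
     * @return spec for a sign-only secp256r1 key with SHA-256 that requires user authentication
     */
    private final KeyGenParameterSpec f(String alias, byte[] clientDataHash, boolean invalidateByBiometricEnrollment) {
        // 4 is KeyProperties.PURPOSE_SIGN (see the builder expression quoted in the check below):
        // the key cannot be used for decryption or key agreement.
        // No authentication validity window is configured here, so the platform default applies
        // and every use of the key has to be authorised by the user.
        KeyGenParameterSpec build = new KeyGenParameterSpec.Builder(alias, 4)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests("SHA-256")
                .setUserAuthenticationRequired(true)
                .setInvalidatedByBiometricEnrollment(invalidateByBiometricEnrollment)
                // Ties the Keystore attestation certificate to this registration ceremony.
                .setAttestationChallenge(clientDataHash)
                .build();
        t.f(build, "Builder(alias, PURPOSE_SIGN)\n            .setAlgorithmParameterSpec(ECGenParameterSpec(SECP256r1))\n            .setDigests(DIGEST_SHA256)\n            .setUserAuthenticationRequired(true)\n            .setInvalidatedByBiometricEnrollment(invalidateByBiometricEnrollment)\n            .setAttestationChallenge(clientDataHash)\n            .build()");
        return build;
    }

    /**
     * Reports whether the key stored under {@code alias} lives inside secure hardware.
     *
     * <p>The result decides between hardware-backed ("android-key") and self ("packed")
     * attestation in {@link #a(String, byte[], e, Signature, boolean)}.
     *
     * @param alias keystore alias of the key to inspect
     * @return {@code KeyInfo.isInsideSecureHardware()} for that key
     */
    private final boolean g(String alias) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            Key key = keyStore.getKey(alias, null);
            if (key == null) {
                // getKey returns null for an unknown alias; fail with the same library error that
                // c(String) raises for this case instead of a bare NullPointerException below.
                throw new webauthnkit.core.error.c(t.n("Failed to find a private key with the following alias: ", alias), null, 2, null);
            }
            KeySpec keySpec = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore").getKeySpec(key, KeyInfo.class);
            if (keySpec == null) {
                throw new NullPointerException("null cannot be cast to non-null type android.security.keystore.KeyInfo");
            }
            // NOTE(review): isInsideSecureHardware() is deprecated from API level 31 in favour of
            // KeyInfo.getSecurityLevel(); it also does not tell TEE and StrongBox apart.
            return ((KeyInfo) keySpec).isInsideSecureHardware();
        } catch (IOException e) {
            throw new webauthnkit.core.error.c("Could not read or write keystore data", e);
        } catch (KeyStoreException e2) {
            throw new i("AndroidKeyStore key provider is not available", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new i("EC algorithm is not supported", e3);
        } catch (NoSuchProviderException e4) {
            throw new i("AndroidKeyStore key provider is not available", e4);
        } catch (UnrecoverableKeyException e5) {
            throw new webauthnkit.core.error.c("A key in keystore cannot be recovered", e5);
        } catch (CertificateException e6) {
            throw new webauthnkit.core.error.c("There is a problem with a certificate", e6);
        } catch (InvalidKeySpecException e7) {
            throw new webauthnkit.core.error.c("A key in keystore is invalid / corrupted", e7);
        }
    }

    /**
     * Builds the attestation object for a freshly created credential.
     *
     * <p>The attestation statement always carries {@code alg} and {@code sig}. When the key is in
     * secure hardware the Keystore certificate chain is added as {@code x5c} and the format is
     * "android-key"; otherwise the format is "packed" without {@code x5c}, which gives a relying
     * party no hardware-backed evidence. Callers that need that evidence must pass
     * {@code requireTEE = true}.
     *
     * @param alias keystore alias of the credential key
     * @param clientDataHash hash that is signed together with the authenticator data
     * @param authenticatorData authenticator data; its {@code b()} result is the signed prefix
     * @param signature signature object already initialised for the credential key
     * @param requireTEE when true, a key outside secure hardware is rejected instead of
     *     falling back to "packed"
     * @return the attestation object in "android-key" or "packed" format
     */
    @Override // webauthnkit.core.authenticator.internal.key.b
    public webauthnkit.core.authenticator.a a(String alias, byte[] clientDataHash, e authenticatorData, Signature signature, boolean requireTEE) {
        t.g(alias, "alias");
        t.g(clientDataHash, "clientDataHash");
        t.g(authenticatorData, "authenticatorData");
        t.g(signature, "signature");
        byte[] b = authenticatorData.b();
        if (b == null) {
            throw new webauthnkit.core.error.c("Failed to build authenticator data", null, 2, null);
        }
        // Presumably util.a.a.d concatenates authenticator data and clientDataHash - confirm.
        // Note that the signature is produced before the secure-hardware check below, so a
        // requireTEE rejection happens only after the key has already been used once.
        byte[] d = d(signature, webauthnkit.core.util.a.a.d(b, clientDataHash));
        HashMap hashMap = new HashMap();
        hashMap.put("alg", Long.valueOf(getAlg()));
        hashMap.put("sig", d);
        if (!g(alias)) {
            webauthnkit.core.util.e.a.a(c, "This android device doesn't support secure-hardware, so build self attestation");
            if (requireTEE) {
                throw new i("This android device doesn't support secure-hardware", null, 2, null);
            }
            // Self attestation: alg and sig only, no certificate chain.
            return new webauthnkit.core.authenticator.a("packed", authenticatorData, hashMap);
        }
        webauthnkit.core.util.e.a.a(c, "This android device supports secure-hardware, so, use 'attestation-key' format");
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            Certificate[] certificateChain = keyStore.getCertificateChain(alias);
            t.f(certificateChain, "{\n                    val keyStore = KeyStore.getInstance(Android)\n                    keyStore.load(null)\n\n                    keyStore.getCertificateChain(alias)\n\n                }");
            // x5c holds the DER encoding of each certificate, in the order the keystore returns them.
            ArrayList arrayList = new ArrayList();
            for (Certificate certificate : certificateChain) {
                arrayList.add(((X509Certificate) certificate).getEncoded());
            }
            hashMap.put("x5c", arrayList);
            return new webauthnkit.core.authenticator.a("android-key", authenticatorData, hashMap);
        } catch (IOException e) {
            throw new webauthnkit.core.error.c("Could not read or write keystore data", e);
        } catch (KeyStoreException e2) {
            throw new i("AndroidKeyStore key provider is not available", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new i("EC algorithm is not supported", e3);
        } catch (CertificateException e4) {
            throw new webauthnkit.core.error.c("There is a problem with a certificate", e4);
        }
    }

    /**
     * @return the algorithm identifier this instance was constructed with
     */
    @Override // webauthnkit.core.authenticator.internal.key.b
    /* renamed from: b, reason: from getter */
    public int getAlg() {
        return this.alg;
    }

    /**
     * Creates a SHA256withECDSA signature object initialised with the private key under
     * {@code alias}.
     *
     * <p>NOTE(review): the key is generated with user authentication required, so the returned
     * object presumably still has to be authorised by the caller before it can sign; that step is
     * not visible in this file.
     *
     * @param alias keystore alias of the credential key
     * @return the initialised signature object
     */
    @Override // webauthnkit.core.authenticator.internal.key.b
    public Signature c(String alias) {
        t.g(alias, "alias");
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            Key key = keyStore.getKey(alias, null);
            // Covers both an unknown alias (null) and an entry that is not a private key.
            PrivateKey privateKey = key instanceof PrivateKey ? (PrivateKey) key : null;
            if (privateKey == null) {
                throw new webauthnkit.core.error.c(t.n("Failed to find a private key with the following alias: ", alias), null, 2, null);
            }
            Signature signature = Signature.getInstance("SHA256withECDSA");
            signature.initSign(privateKey);
            t.f(signature, "signature");
            return signature;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Must stay ahead of InvalidKeyException, which is its supertype. Only the message is
            // forwarded here; the original exception is not attached as a cause.
            throw new d(t.n("Failed to initialize the signature, the key is invalidated: ", e.getMessage()));
        } catch (IOException e2) {
            throw new webauthnkit.core.error.c("Could not read or write keystore data", e2);
        } catch (InvalidKeyException e3) {
            throw new webauthnkit.core.error.c("A key in keystore is invalid / corrupted", e3);
        } catch (KeyStoreException e4) {
            throw new i("AndroidKeyStore key provider is not available", e4);
        } catch (NoSuchAlgorithmException e5) {
            throw new i("EC algorithm is not supported", e5);
        } catch (UnrecoverableKeyException e6) {
            throw new webauthnkit.core.error.c("A key in keystore cannot be recovered", e6);
        } catch (CertificateException e7) {
            throw new webauthnkit.core.error.c("There is a problem with a certificate", e7);
        }
    }

    /**
     * Feeds {@code data} into {@code signature} and returns the resulting signature bytes.
     *
     * @param signature signature object already initialised for signing
     * @param data bytes to sign
     * @return the signature bytes
     */
    @Override // webauthnkit.core.authenticator.internal.key.b
    public byte[] d(Signature signature, byte[] data) {
        t.g(signature, "signature");
        t.g(data, "data");
        try {
            signature.update(data);
            byte[] sign = signature.sign();
            if (sign == null) {
                throw new webauthnkit.core.error.c("Failed to sign data, null is returned", null, 2, null);
            }
            return sign;
        } catch (SignatureException e) {
            throw new webauthnkit.core.error.c("Failed to sign data", e);
        }
    }

    /**
     * Generates a new key pair under {@code alias} and returns its public key coordinates.
     *
     * @param alias keystore alias for the new key
     * @param clientDataHash attestation challenge for the new key
     * @param invalidateByBiometricEnrollment whether a new biometric enrollment invalidates the key
     * @return public key object built from {@code alg} and the 32-byte x and y coordinates
     */
    @Override // webauthnkit.core.authenticator.internal.key.b
    public g e(String alias, byte[] clientDataHash, boolean invalidateByBiometricEnrollment) {
        t.g(alias, "alias");
        t.g(clientDataHash, "clientDataHash");
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
            try {
                keyPairGenerator.initialize(f(alias, clientDataHash, invalidateByBiometricEnrollment));
                KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
                PublicKey publicKey = generateKeyPair == null ? null : generateKeyPair.getPublic();
                ECPublicKey eCPublicKey = publicKey instanceof ECPublicKey ? (ECPublicKey) publicKey : null;
                if (eCPublicKey == null) {
                    throw new webauthnkit.core.error.c("Couldn't generate a key par or get a public key from it", null, 2, null);
                }
                byte[] encoded = eCPublicKey.getEncoded();
                // The fixed offsets below assume the 91-byte X.509 SubjectPublicKeyInfo encoding of
                // an uncompressed P-256 point: 27 leading bytes (header plus the 0x04 marker), then
                // 32 bytes of x and 32 bytes of y. Only the total length is verified, not the header.
                if (encoded.length != 91) {
                    throw new webauthnkit.core.error.c("Length of ECPublicKey should be 91", null, 2, null);
                }
                byte[] x = Arrays.copyOfRange(encoded, 27, 59);
                byte[] y = Arrays.copyOfRange(encoded, 59, 91);
                int alg = getAlg();
                t.f(x, "x");
                t.f(y, "y");
                // NOTE(review): the literal 1 is presumably the COSE curve identifier for P-256 -
                // confirm against webauthnkit.core.authenticator.h.
                return new h(alg, 1, x, y);
            } catch (InvalidAlgorithmParameterException e) {
                throw new i("Provided keygen parameters are not supported", e);
            }
        } catch (NoSuchAlgorithmException e2) {
            throw new i("EC algorithm is not supported", e2);
        } catch (NoSuchProviderException e3) {
            throw new i("AndroidKeyStore key provider is not available", e3);
        }
    }
}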
