package com.microsoft.identity.broker.crypto.keyloaders;

import android.security.keystore.KeyProtection;
import android.util.Base64;
import com.google.android.gms.stats.CodePackage;
import com.microsoft.identity.broker.crypto.AndroidKeyStoreCryptoFactory;
import com.microsoft.identity.broker.crypto.keymanagers.AndroidKeyStoreKeyManager;
import com.microsoft.identity.broker.prt.protos.PrtProtos;
import com.microsoft.identity.broker4j.broker.crypto.ExportableKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.RawSymmetricKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.keyaccessors.IAsymmetricKeyEntryAccessor;
import com.microsoft.identity.broker4j.broker.crypto.keyfactories.AbstractBrokerKeyFactory;
import com.microsoft.identity.broker4j.broker.crypto.keyloaders.AliasBasedSessionKeyLoader;
import com.microsoft.identity.broker4j.broker.crypto.keyloaders.RawSessionKeyLoader;
import com.microsoft.identity.broker4j.broker.platform.components.IAccountDataStorage;
import com.microsoft.identity.broker4j.broker.prt.PrtConstants;
import com.microsoft.identity.broker4j.broker.prt.PrtProtocolVersion;
import com.microsoft.identity.broker4j.broker.prt.SessionKeyUtil;
import com.microsoft.identity.broker4j.opentelemetry.AttributeName;
import com.microsoft.identity.common.java.base64.Base64Util;
import com.microsoft.identity.common.java.broker.IBrokerAccount;
import com.microsoft.identity.common.java.controllers.ExceptionAdapter;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.exception.ServiceException;
import com.microsoft.identity.common.java.logging.Logger;
import com.microsoft.identity.common.java.opentelemetry.OTelUtility;
import com.microsoft.identity.common.java.opentelemetry.SpanExtension;
import com.microsoft.identity.common.java.platform.JweResponse;
import com.microsoft.identity.common.java.providers.oauth2.IDToken;
import com.microsoft.identity.common.java.util.StringUtil;
import com.microsoft.identity.common.java.util.ThrowableUtil;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.opentelemetry.api.common.AttributeKey;
import io.opentelemetry.api.common.Attributes;
import io.opentelemetry.api.metrics.LongCounter;
import io.opentelemetry.semconv.trace.attributes.SemanticAttributes;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import lombok.NonNull;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.json.JSONException;

/* loaded from: classes2.dex */
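/**
 * Session-key loader backed by the Android KeyStore.
 *
 * <p>The PRT session key is kept in the Android KeyStore as an HMAC-SHA256 secret under a per-user
 * alias ({@code SESSION_KEY_ALIAS_PREFIX + oid}). What this loader persists in
 * {@link IAccountDataStorage} is that alias; the key material itself only leaves the KeyStore on
 * the in-process decrypt path below. Two import paths exist:
 * <ul>
 *   <li>when the JWE uses an RSA-OAEP-256 {@code alg} and carries a payload, the JWE fields are
 *       re-encoded as a Keymaster wrapped key and handed to {@code mKeyMaker.importWrappedKey},
 *       so the plaintext session key is never visible to the app process;
 *   <li>otherwise the JWE's encrypted key is decrypted in-process with the session transport key
 *       and the plaintext bytes are imported as a {@link KeyStore.SecretKeyEntry}.
 * </ul>
 * On {@link #load} a legacy raw (base64) session key found in storage is migrated into the
 * KeyStore once and replaced by an alias.
 *
 * <p>This file is decompiled output. The {@code KM_*} constants are the Keymaster tag/enum values
 * used to build the ASN.1 authorization list of the wrapped key; the decompiler had inlined them.
 */
public class AndroidKeyStoreSessionKeyLoader extends AliasBasedSessionKeyLoader {
    // Keymaster enum values.
    private static final int KM_ALGORITHM_HMAC = 128;
    private static final int KM_DIGEST_SHA_2_256 = 4;
    private static final long KM_KEY_FORMAT_RAW = 3;
    private static final int KM_KEY_SIZE_256 = 256;
    private static final int KM_PURPOSE_SIGN = 2;
    // Keymaster AuthorizationList tag numbers (explicit context tags in the DER encoding).
    private static final int KM_TAG_PURPOSE = 1;
    private static final int KM_TAG_ALGORITHM = 2;
    private static final int KM_TAG_KEY_SIZE = 3;
    private static final int KM_TAG_DIGEST = 5;
    private static final int KM_TAG_MIN_MAC_LENGTH = 8;
    private static final int KM_TAG_NO_AUTH_REQUIRED = 503;
    // Minimum MAC length for the imported HMAC key; Keymaster expresses MIN_MAC_LENGTH in bits.
    private static final long KM_MIN_MAC_LENGTH_BITS = 128;
    // Version field of the SecureKeyWrapper structure.
    private static final int WRAPPED_FORMAT_VERSION = 0;
    // Value of android.security.keystore.KeyProperties.PURPOSE_SIGN; the decompiler inlined it.
    private static final int KEY_PROTECTION_PURPOSE_SIGN = 4;
    private static final String HMAC_SHA256 = "HmacSHA256";
    private static final String OID_CLAIM = "oid";
    private static final String TAG = "AndroidKeyStoreSessionKeyLoader";
    private static final LongCounter sFailedSessionKeyLoaderOperationCount = OTelUtility.createLongCounter("failed_session_key_loader_operation_count", "Number of failed Android KeyStore SessionKeyLoader operations");

    /**
     * Creates a loader that delegates key management to the given Android KeyStore key manager.
     *
     * @param androidKeyStoreKeyManager key manager passed to the alias-based base class.
     * @throws NullPointerException if {@code androidKeyStoreKeyManager} is null (checked after the
     *     mandatory {@code super} call, as Lombok generated it).
     */
    public AndroidKeyStoreSessionKeyLoader(@NonNull AndroidKeyStoreKeyManager androidKeyStoreKeyManager) {
        super(androidKeyStoreKeyManager);
        Objects.requireNonNull(androidKeyStoreKeyManager, "mKeyManager is marked non-null but is null");
    }

    /**
     * Imports raw key bytes into the Android KeyStore as an HMAC-SHA256 secret.
     *
     * <p>The key is restricted to {@code PURPOSE_SIGN}; an existing entry under {@code alias} is
     * replaced. Shared by the legacy raw-key migration and the in-process decrypt path so both
     * apply the same key protection.
     *
     * @param alias KeyStore alias to store the key under.
     * @param keyBytes plaintext key material (caller owns the array).
     */
    private static void importHmacKeyToKeyStore(final String alias, final byte[] keyBytes)
            throws KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        final KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
        keyStore.load(null);
        // CodePackage.GCM resolves to the string "GCM" (same value as KeyProperties.BLOCK_MODE_GCM);
        // the gms constant is a decompiler artifact, kept here to avoid a new import.
        final KeyProtection protection = new KeyProtection.Builder(KEY_PROTECTION_PURPOSE_SIGN)
                .setBlockModes(CodePackage.GCM)
                .setEncryptionPaddings("NoPadding")
                .build();
        keyStore.setEntry(alias, new KeyStore.SecretKeyEntry(new SecretKeySpec(keyBytes, HMAC_SHA256)), protection);
    }

    /**
     * Migrates a legacy base64-encoded raw session key into the Android KeyStore.
     *
     * <p>The alias is derived from the {@code oid} claim of the id_token inside the stored PRT
     * proto. The key is imported first and the alias persisted only afterwards, so a failed import
     * cannot leave storage pointing at an alias that does not exist in the KeyStore (the original
     * order did the reverse).
     *
     * @param storage account data storage holding the PRT proto and receiving the alias.
     * @param account account whose session key is migrated.
     * @param prtProtocolVersion selects the storage key under which the alias is saved.
     * @param rawSessionKey base64 (no-wrap) encoded raw session key.
     * @return the KeyStore alias the key was imported under.
     */
    private static String copyRawSessionKeyToKeyStore(final IAccountDataStorage storage, final IBrokerAccount account, final PrtProtocolVersion prtProtocolVersion, final String rawSessionKey) throws ServiceException, KeyStoreException, CertificateException, IOException, NoSuchAlgorithmException {
        Objects.requireNonNull(storage, "storage is marked non-null but is null");
        Objects.requireNonNull(account, "account is marked non-null but is null");
        Objects.requireNonNull(prtProtocolVersion, "prtProtocolVersion is marked non-null but is null");
        Objects.requireNonNull(rawSessionKey, "rawSessionKey is marked non-null but is null");

        final byte[] prtProto = Base64.decode(storage.getData(account, PrtConstants.PRT_PROTO_BASE64_ENCODED), Base64.DEFAULT);
        final String idToken = PrtProtos.PRT.parseFrom(prtProto).getIdToken();
        // NOTE(review): a missing oid claim yields the alias "<prefix>null"; importSessionKey rejects
        // that case with invalid_jwt, this legacy path does not — kept as-is to preserve behavior.
        final String oid = (String) IDToken.parseJWT(idToken).get(OID_CLAIM);
        final String alias = AbstractBrokerKeyFactory.SESSION_KEY_ALIAS_PREFIX + oid;

        importHmacKeyToKeyStore(alias, Base64Util.decodeNoWrap(rawSessionKey));
        storage.setData(account, prtProtocolVersion.getAliasBasedSessionKeyStorageKey(), alias);
        return alias;
    }

    /**
     * Records one failed loader operation on the failure counter.
     *
     * @param base attributes already describing the operation (and, where known, the error code).
     * @param th the failure; its simple class name and stack trace are attached as attributes.
     */
    private static void recordFailure(final Attributes base, final Throwable th) {
        sFailedSessionKeyLoaderOperationCount.add(1L, base.toBuilder()
                .put(AttributeName.error_type.name(), th.getClass().getSimpleName())
                .put(AttributeName.session_key_loader_exception_stack_trace.name(), ThrowableUtil.getStackTraceAsString(th))
                .build());
    }

    /**
     * In-process fallback import: decrypts the JWE's encrypted key with the session transport key
     * and stores the plaintext in the KeyStore under {@code alias}.
     *
     * <p>Unlike the wrapped-key path, the plaintext session key exists in app memory here and is
     * also returned to the caller inside the {@link RawSymmetricKeyEntry}.
     *
     * @param alias KeyStore alias for the imported key.
     * @param jweResponse parsed JWE whose encrypted-key field is decrypted.
     * @param sessionTransportKey accessor for the transport key used to decrypt.
     * @return a raw symmetric entry carrying the alias and the decrypted key bytes.
     * @throws ClientException for any failure; the failure is logged and counted first.
     */
    private IKeyEntry decryptAndImportSessionKey(final String alias, final JweResponse jweResponse, final IAsymmetricKeyEntryAccessor sessionTransportKey) throws ClientException {
        Objects.requireNonNull(alias, "alias is marked non-null but is null");
        Objects.requireNonNull(jweResponse, "jweResponse is marked non-null but is null");
        Objects.requireNonNull(sessionTransportKey, "sessionTransportKey is marked non-null but is null");

        final String methodTag = TAG + ":decryptAndImportSessionKey";
        Logger.info(methodTag, "Decrypting session key from jwe");
        try {
            final byte[] sessionKey = sessionTransportKey.decryptWithIv(jweResponse.getEncryptedKey(), null);
            Logger.info(methodTag, "Importing decrypted session key to key store");
            importHmacKeyToKeyStore(alias, sessionKey);
            return RawSymmetricKeyEntry.builder().alias(alias).keyData(sessionKey).build();
        } catch (Throwable th) {
            Logger.error(methodTag, "Failed to decryptAndImportSessionKey session key " + th.getMessage(), th);
            final ClientException clientException = ExceptionAdapter.clientExceptionFromException(th);
            final Attributes base = Attributes.builder()
                    .put(AttributeName.session_key_loader_operation.name(), "decryptAndImportSessionKey")
                    .put(AttributeName.error_code.name(), clientException.getErrorCode())
                    .build();
            recordFailure(base, th);
            throw clientException;
        }
    }

    /**
     * DER-encodes a Keymaster {@code SecureKeyWrapper} from the JWE fields.
     *
     * <pre>
     * SecureKeyWrapper ::= SEQUENCE {
     *   version               INTEGER,        -- WRAPPED_FORMAT_VERSION
     *   encryptedTransportKey OCTET STRING,
     *   initializationVector  OCTET STRING,
     *   keyDescription        SEQUENCE { keyFormat INTEGER (RAW), keyParams AuthorizationList },
     *   encryptedKey          OCTET STRING,
     *   tag                   OCTET STRING
     * }
     * </pre>
     * Package-private in the original source (exposed as public by decompilation).
     *
     * @param encryptedTransportKey the JWE encrypted key (transport key wrapped for the device key).
     * @param iv the JWE initialization vector.
     * @param encryptedKey the JWE payload (the session key, encrypted under the transport key).
     * @param tag the JWE authentication tag.
     * @return the DER encoding of the wrapper.
     * @throws IOException if DER encoding fails.
     */
    public static byte[] getEncodedWrappedKey(final byte[] encryptedTransportKey, final byte[] iv, final byte[] encryptedKey, final byte[] tag) throws IOException {
        final ASN1EncodableVector keyDescription = new ASN1EncodableVector();
        keyDescription.add(new ASN1Integer(KM_KEY_FORMAT_RAW));
        keyDescription.add(getSessionKeyAuthorizations());

        final ASN1EncodableVector wrapper = new ASN1EncodableVector();
        wrapper.add(new ASN1Integer(WRAPPED_FORMAT_VERSION));
        wrapper.add(new DEROctetString(encryptedTransportKey));
        wrapper.add(new DEROctetString(iv));
        wrapper.add(new DERSequence(keyDescription));
        wrapper.add(new DEROctetString(encryptedKey));
        wrapper.add(new DEROctetString(tag));
        return new DERSequence(wrapper).getEncoded(ASN1Encoding.DER);
    }

    /**
     * Builds the wrapped-key structure from a parsed session-key JWE.
     *
     * @param jweResponse parsed JWE; its encrypted key, IV, payload and auth tag are used.
     * @return DER-encoded {@code SecureKeyWrapper}, see {@link #getEncodedWrappedKey}.
     * @throws JSONException if a JWE field cannot be read.
     * @throws IOException if DER encoding fails.
     */
    private byte[] getEncodedWrappedKeyFromJwe(final JweResponse jweResponse) throws JSONException, IOException {
        Objects.requireNonNull(jweResponse, "jweResponse is marked non-null but is null");
        Logger.info(TAG + ":getEncodedWrappedKeyFromJwe", "Parsing SessionKeyJWE to get encoded wrapped key");
        return getEncodedWrappedKey(jweResponse.getEncryptedKey(), jweResponse.getIv(), jweResponse.getPayload(), jweResponse.getAuthenticationTag());
    }

    /**
     * Builds the Keymaster {@code AuthorizationList} for the imported session key: HMAC,
     * 256-bit, SHA-256 digest, sign-only, 128-bit minimum MAC, no user authentication required.
     * Element order is part of the encoding and must not change.
     * Package-private in the original source (exposed as public by decompilation).
     *
     * @return the authorization list as a DER sequence of explicitly tagged values.
     */
    public static DERSequence getSessionKeyAuthorizations() {
        final ASN1EncodableVector purposes = new ASN1EncodableVector();
        purposes.add(new ASN1Integer(KM_PURPOSE_SIGN));
        final ASN1EncodableVector digests = new ASN1EncodableVector();
        digests.add(new ASN1Integer(KM_DIGEST_SHA_2_256));

        final ASN1EncodableVector authorizations = new ASN1EncodableVector();
        authorizations.add(new DERTaggedObject(true, KM_TAG_PURPOSE, new DERSet(purposes)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_ALGORITHM, new ASN1Integer(KM_ALGORITHM_HMAC)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_KEY_SIZE, new ASN1Integer(KM_KEY_SIZE_256)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_DIGEST, new DERSet(digests)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_MIN_MAC_LENGTH, new ASN1Integer(KM_MIN_MAC_LENGTH_BITS)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_NO_AUTH_REQUIRED, DERNull.INSTANCE));
        return new DERSequence(authorizations);
    }

    /**
     * Not supported by this loader: session keys are only imported from a server-issued JWE.
     *
     * @throws UnsupportedOperationException always (after the null check on the transport key).
     */
    @Override
    public IKeyEntry generateSessionKey(byte[] bArr, @NonNull IAsymmetricKeyEntryAccessor iAsymmetricKeyEntryAccessor) throws ClientException {
        Objects.requireNonNull(iAsymmetricKeyEntryAccessor, "sessionTransportKey is marked non-null but is null");
        throw new UnsupportedOperationException("Not implemented");
    }

    /**
     * Decides whether the JWE can be imported as a Keymaster wrapped key (hardware-only path).
     * That requires one of the RSA-OAEP-256 algorithms and a non-trivial payload; anything else
     * falls back to in-process decryption.
     */
    private static boolean isWrappedKeyJwe(final String algorithm, final byte[] payload) {
        final boolean rsaOaep256 = SessionKeyUtil.SESSION_KEY_JWE_ALGORITHM_RSA_OAEP_256_MGF1SHA1.equals(algorithm)
                || SessionKeyUtil.SESSION_KEY_JWE_ALGORITHM_RSA_OAEP_256.equals(algorithm);
        return rsaOaep256 && payload.length > 1;
    }

    /**
     * Imports the session key carried by {@code str} (a compact JWE) into the Android KeyStore
     * under the alias derived from the id_token's {@code oid} claim.
     *
     * @param iDToken id_token whose {@code oid} claim names the user.
     * @param str the encrypted session key JWE.
     * @param iAsymmetricKeyEntryAccessor session transport key used to unwrap/decrypt.
     * @return the imported key entry (wrapped-key import result, or a raw entry on the fallback path).
     * @throws ClientException {@code invalid_jwt} when the oid claim is missing, {@code io_error}
     *     or {@code json_parse_failure} for encoding/parsing failures, or the adapted failure of
     *     the fallback decrypt path.
     */
    @Override
    public IKeyEntry importSessionKey(@NonNull IDToken iDToken, @NonNull String str, @NonNull IAsymmetricKeyEntryAccessor iAsymmetricKeyEntryAccessor) throws ClientException {
        Objects.requireNonNull(iDToken, "idToken is marked non-null but is null");
        Objects.requireNonNull(str, "encryptedSessionKeyJwe is marked non-null but is null");
        Objects.requireNonNull(iAsymmetricKeyEntryAccessor, "sessionTransportKey is marked non-null but is null");

        final String methodTag = TAG + ":importSessionKey";
        try {
            Logger.info(methodTag, "Getting oid value from idToken");
            final String oid = iDToken.getStringClaim(OID_CLAIM);
            if (oid == null) {
                throw new ClientException("invalid_jwt", "UserObjectId is null in idToken");
            }
            final String alias = AbstractBrokerKeyFactory.SESSION_KEY_ALIAS_PREFIX + oid;

            final JweResponse jwe = JweResponse.parseJwe(str);
            final JweResponse.JweHeader header = jwe.getJweHeader();
            SpanExtension.current().setAttribute(AttributeName.session_key_jwe_header_alg.name(), header.getAlgorithm());
            final byte[] payload = jwe.getPayload();
            SpanExtension.current().setAttribute(AttributeName.session_key_jwe_payload_length.name(), payload.length);

            if (!isWrappedKeyJwe(header.getAlgorithm(), payload)) {
                return decryptAndImportSessionKey(alias, jwe, iAsymmetricKeyEntryAccessor);
            }
            Logger.info(methodTag, "Getting encoded wrapped key from JWE");
            final byte[] encodedWrappedKey = getEncodedWrappedKeyFromJwe(jwe);
            Logger.info(methodTag, "Importing wrapped key into Android KeyStore");
            return this.mKeyMaker.importWrappedKey(alias, encodedWrappedKey, iAsymmetricKeyEntryAccessor.getKeyEntry());
        } catch (IOException e) {
            Logger.error(methodTag, "Failed to import wrapped key: " + e.getMessage(), e);
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (JSONException e) {
            Logger.error(methodTag, "Failed to parse JWE: " + e.getMessage(), e);
            throw new ClientException("json_parse_failure", e.getMessage(), e);
        }
    }

    /**
     * Looks up a legacy raw session key: first under the protocol version's raw storage key,
     * then under {@link RawSessionKeyLoader#ENCODED_SESSION_KEY}.
     *
     * @return the base64 raw session key, or null if neither location holds one.
     */
    private static String findRawSessionKey(final IAccountDataStorage storage, final IBrokerAccount account, final PrtProtocolVersion prtProtocolVersion, final String methodTag) {
        final String rawSessionKey = storage.getData(account, prtProtocolVersion.getRawSessionKeyStorageKey());
        if (rawSessionKey != null) {
            return rawSessionKey;
        }
        Logger.info(methodTag, "Loading raw session key from legacy session key storage key.");
        return storage.getData(account, RawSessionKeyLoader.ENCODED_SESSION_KEY);
    }

    /**
     * Loads the session key entry for the account.
     *
     * <p>Returns an alias-only {@link ExportableKeyEntry} when an alias is stored; if not, a legacy
     * raw session key is migrated into the KeyStore and its new alias returned. Best-effort: any
     * failure is logged, counted on the failure counter and reported as {@code null}, the same
     * result as "no key stored", so callers cannot distinguish the two.
     *
     * @return the key entry, or null if no session key exists or loading failed.
     */
    @Override
    public IKeyEntry load(@NonNull IAccountDataStorage iAccountDataStorage, @NonNull IBrokerAccount iBrokerAccount, @NonNull PrtProtocolVersion prtProtocolVersion) {
        Objects.requireNonNull(iAccountDataStorage, "storage is marked non-null but is null");
        Objects.requireNonNull(iBrokerAccount, "account is marked non-null but is null");
        Objects.requireNonNull(prtProtocolVersion, "prtProtocolVersion is marked non-null but is null");

        final String methodTag = TAG + ":load";
        Logger.info(methodTag, "Loading session key {prtProtocolVersion: " + prtProtocolVersion.getValue() + "}");
        Attributes attributes = Attributes.of(AttributeKey.stringKey(AttributeName.session_key_loader_operation.name()), "load");
        try {
            String alias = iAccountDataStorage.getData(iBrokerAccount, prtProtocolVersion.getAliasBasedSessionKeyStorageKey());
            if (StringUtil.isNullOrEmpty(alias)) {
                Logger.info(methodTag, "SessionKeyAlias not found, try copying raw session key to keystore.");
                final String rawSessionKey = findRawSessionKey(iAccountDataStorage, iBrokerAccount, prtProtocolVersion, methodTag);
                if (rawSessionKey == null) {
                    Logger.info(methodTag, "SessionKey not found, returning null.");
                    return null;
                }
                Logger.info(methodTag, "Copying raw session key to KeyStore");
                alias = copyRawSessionKeyToKeyStore(iAccountDataStorage, iBrokerAccount, prtProtocolVersion, rawSessionKey);
                // The original built this attribute set and discarded it; keep it so a failure
                // later in this operation is reported together with the migration flag.
                attributes = attributes.toBuilder().put(AttributeName.imported_raw_session_key_to_keystore.name(), true).build();
            }
            return ExportableKeyEntry.builder().alias(alias).build();
        } catch (Throwable th) {
            Logger.error(methodTag, "Failed to load key: " + th.getMessage(), th);
            recordFailure(attributes, th);
            return null;
        }
    }

    /**
     * Persists or deletes the session key for the account.
     *
     * <p>{@code null} entry: clears the raw session key from storage and deletes the KeyStore key
     * behind the stored alias. {@link RawSymmetricKeyEntry}: additionally writes the base64 key
     * material under the raw storage key (this is the copy {@link #load} migrates from).
     * The alias itself is saved by {@code super.save}. Best-effort: failures are logged and
     * counted, not propagated.
     *
     * NOTE(review): on the raw-entry path the plaintext key material stays in account storage
     * alongside the KeyStore copy until the next delete; worth confirming it is still needed once
     * the KeyStore import has succeeded.
     */
    @Override
    public void save(@NonNull IAccountDataStorage iAccountDataStorage, @NonNull IBrokerAccount iBrokerAccount, @Nullable IKeyEntry iKeyEntry, @NonNull PrtProtocolVersion prtProtocolVersion) {
        Objects.requireNonNull(iAccountDataStorage, "storage is marked non-null but is null");
        Objects.requireNonNull(iBrokerAccount, "account is marked non-null but is null");
        Objects.requireNonNull(prtProtocolVersion, "prtProtocolVersion is marked non-null but is null");

        final String methodTag = TAG + ":save";
        Logger.info(methodTag, "Saving session key {prtProtocolVersion: " + prtProtocolVersion.getValue() + "}");
        final AttributeKey<String> operationKey = AttributeKey.stringKey(AttributeName.session_key_loader_operation.name());
        Attributes attributes = Attributes.of(operationKey, "save");
        final String rawSessionKeyStorageKey = prtProtocolVersion.getRawSessionKeyStorageKey();
        try {
            if (iKeyEntry == null) {
                Logger.info(methodTag, "Deleting session key");
                attributes = Attributes.of(operationKey, SemanticAttributes.FaasDocumentOperationValues.DELETE);
                final String alias = iAccountDataStorage.getData(iBrokerAccount, prtProtocolVersion.getAliasBasedSessionKeyStorageKey());
                iAccountDataStorage.setData(iBrokerAccount, rawSessionKeyStorageKey, null);
                if (!StringUtil.isNullOrEmpty(alias)) {
                    this.mKeyMaker.deleteKey(ExportableKeyEntry.builder().alias(alias).build());
                }
            } else if (iKeyEntry instanceof RawSymmetricKeyEntry) {
                final byte[] keyData = ((RawSymmetricKeyEntry) iKeyEntry).getKeyData();
                iAccountDataStorage.setData(iBrokerAccount, rawSessionKeyStorageKey, Base64Util.encodeToStringNoWrap(keyData));
            }
            super.save(iAccountDataStorage, iBrokerAccount, iKeyEntry, prtProtocolVersion);
        } catch (Throwable th) {
            // Original message lacked the separator before the cause ("...session keyFoo").
            Logger.error(methodTag, "Failed to save session key: " + th.getMessage(), th);
            recordFailure(attributes, th);
        }
    }
}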
