package ch.admin.bag.covidcertificate.wallet.transfercode.logic;

import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import ch.admin.bag.covidcertificate.sdk.core.extensions.StringExtensionsKt;
import ch.admin.bag.covidcertificate.wallet.data.WalletSecureStorage;
import j$.time.Instant;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.Security;
import java.security.Signature;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.collections.ArraysKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.ranges.IntRange;
import kotlin.text.StringsKt;
import kotlinx.coroutines.sync.Mutex;
import kotlinx.coroutines.sync.MutexKt;
import kotlinx.serialization.json.internal.JsonLexerKt;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.pqc.jcajce.spec.McElieceCCA2KeyGenParameterSpec;

/* compiled from: TransferCodeCrypto.kt */
@Metadata(d1 = {"\u0000<\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u0002\n\u0002\b\u0006\bÆ\u0002\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0016\u0010\n\u001a\u00020\u00042\u0006\u0010\u000b\u001a\u00020\u00042\u0006\u0010\f\u001a\u00020\u0004J\u0018\u0010\r\u001a\u0004\u0018\u00010\u000e2\u0006\u0010\u000f\u001a\u00020\u00042\u0006\u0010\u0010\u001a\u00020\u0011J\u0018\u0010\u0012\u001a\u0004\u0018\u00010\u00042\u0006\u0010\u0013\u001a\u00020\u000e2\u0006\u0010\u0014\u001a\u00020\u0004J\u0016\u0010\u0015\u001a\u00020\u00162\u0006\u0010\u000f\u001a\u00020\u00042\u0006\u0010\u0010\u001a\u00020\u0011J\u000e\u0010\u0017\u001a\u00020\b2\u0006\u0010\u0018\u001a\u00020\u0004J\u0018\u0010\u0019\u001a\u0004\u0018\u00010\u000e2\u0006\u0010\u000f\u001a\u00020\u00042\u0006\u0010\u0010\u001a\u00020\u0011J\u0018\u0010\u001a\u001a\u0004\u0018\u00010\u00042\u0006\u0010\u0013\u001a\u00020\u000e2\u0006\u0010\u001b\u001a\u00020\u0004R\u000e\u0010\u0003\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n\u0000R\u000e\u0010\u0005\u001a\u00020\u0004X\u0086T¢\u0006\u0002\n\u0000R*\u0010\u0006\u001a\u001e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\b0\u0007j\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\b`\tX\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u001c"}, d2 = {"Lch/admin/bag/covidcertificate/wallet/transfercode/logic/TransferCodeCrypto;", "", "()V", "ANDROID_KEYSTORE_NAME", "", "BOUNCY_CASTLE_PROVIDER", "mutexMap", "Ljava/util/HashMap;", "Lkotlinx/coroutines/sync/Mutex;", "Lkotlin/collections/HashMap;", "buildMessage", "action", "transferCode", "createKeyPair", "Ljava/security/KeyPair;", "keyAlias", "context", "Landroid/content/Context;", "decrypt", "keyPair", "ciphertextBase64", "deleteKeyEntry", "", "getMutex", "alias", 
"loadKeyPair", "sign", "message", "wallet_prodRelease"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes.dex */
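/**
 * Key management, signing and hybrid decryption helpers for transfer codes.
 *
 * <p>On API 24 and above the RSA key pair is generated in the Android Keystore and referenced by alias.
 * Below API 24 the pair is generated in software with BouncyCastle and both halves are written,
 * Base64-encoded, to {@link WalletSecureStorage}.
 *
 * <p>NOTE(review): on the pre-24 path the private key leaves the provider as PKCS#8 bytes, so its
 * confidentiality depends entirely on how WalletSecureStorage protects its contents. That class is not
 * visible here and should be reviewed together with this one.
 *
 * <p>NOTE(review): the same key pair is authorised for both OAEP decryption and PSS signing.
 * Separate keys per purpose would be the more conservative design.
 */
public final class TransferCodeCrypto {
    public static final String ANDROID_KEYSTORE_NAME = "AndroidKeyStore";
    public static final String BOUNCY_CASTLE_PROVIDER = "BC";
    public static final TransferCodeCrypto INSTANCE = new TransferCodeCrypto();

    /** Length of one RSA-2048 ciphertext block; the envelope starts with exactly one such block. */
    private static final int RSA_BLOCK_BYTES = 256;
    /** Length of the AES-GCM nonce carried at the start of the RSA plaintext. */
    private static final int GCM_IV_BYTES = 12;
    /** Length of the AES key carried after the nonce in the RSA plaintext. */
    private static final int AES_KEY_BYTES = 32;
    /** GCM authentication tag length, in bits. */
    private static final int GCM_TAG_BITS = 128;

    /** One coroutine mutex per key alias; only accessed from the synchronized {@link #getMutex}. */
    private static final HashMap<String, Mutex> mutexMap;

    static {
        if (Build.VERSION.SDK_INT < 24) {
            // Replace whatever is registered under "BC" with the BouncyCastle build bundled in the app,
            // presumably so that the "BC" lookups below resolve to the bundled implementation.
            Security.removeProvider(BOUNCY_CASTLE_PROVIDER);
            Security.addProvider(new BouncyCastleProvider());
        }
        mutexMap = new HashMap<>();
    }

    private TransferCodeCrypto() {
    }

    /**
     * Builds the string that is later signed: {@code action:transferCode:epochMillis}.
     *
     * <p>The timestamp is taken from the device clock at call time, so two calls with the same
     * arguments normally produce different messages. NOTE(review): the fields are joined without
     * escaping; a colon inside {@code action} or {@code transferCode} would make the message ambiguous.
     *
     * @param action       the action name placed first in the message
     * @param transferCode the transfer code placed second in the message
     * @return the colon-separated message
     */
    public final String buildMessage(String action, String transferCode) {
        Intrinsics.checkNotNullParameter(action, "action");
        Intrinsics.checkNotNullParameter(transferCode, "transferCode");
        // JsonLexerKt.COLON is a decompiler-substituted constant; it should be the character ':' (confirm).
        return action + JsonLexerKt.COLON + transferCode + JsonLexerKt.COLON + Instant.now().toEpochMilli();
    }

    /**
     * Generates a 2048-bit RSA key pair (public exponent F4) for the given alias.
     *
     * <p>API 24+: the pair is generated by the Android Keystore provider under {@code keyAlias}, with
     * StrongBox requested when the device advertises the feature. Below API 24: the pair is generated by
     * BouncyCastle and both encoded halves are stored in {@link WalletSecureStorage} under the alias.
     *
     * <p>NOTE(review): when StrongBox is requested and generation fails, there is no retry without
     * StrongBox; the failure is caught and {@code null} is returned.
     *
     * @param keyAlias alias under which the key is created or stored
     * @param context  used for the StrongBox feature query and to obtain the secure storage
     * @return the new key pair, or {@code null} if generation or storage threw
     */
    public final KeyPair createKeyPair(String keyAlias, Context context) {
        Intrinsics.checkNotNullParameter(keyAlias, "keyAlias");
        Intrinsics.checkNotNullParameter(context, "context");
        // 15 is the bitwise OR of the keystore purposes ENCRYPT (1), DECRYPT (2), SIGN (4) and VERIFY (8).
        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(keyAlias, 15);
        builder.setAlgorithmParameterSpec(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
        // The second digest is a decompiler-substituted BouncyCastle constant; NOTE(review): it should
        // resolve to the digest name "SHA-1", which decrypt() uses as the MGF1 digest (confirm).
        builder.setDigests("SHA-256", McElieceCCA2KeyGenParameterSpec.SHA1);
        builder.setEncryptionPaddings("OAEPPadding");
        builder.setSignaturePaddings("PSS");
        // The StrongBox feature is only queried from API 28 on.
        boolean strongBoxAvailable = Build.VERSION.SDK_INT >= 28
                && context.getPackageManager().hasSystemFeature("android.hardware.strongbox_keystore");
        if (strongBoxAvailable) {
            builder.setIsStrongBoxBacked(true);
        }
        KeyGenParameterSpec build = builder.build();
        Intrinsics.checkNotNullExpressionValue(build, "Builder(keyAlias, keyPur…(true)\n\t\t\t\t}\n\t\t\t}.build()");
        try {
            if (Build.VERSION.SDK_INT >= 24) {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", ANDROID_KEYSTORE_NAME);
                keyPairGenerator.initialize(build);
                return keyPairGenerator.generateKeyPair();
            }
            // Software fallback: the key-usage restrictions configured on the builder above do not apply here.
            KeyPairGenerator keyPairGenerator2 = KeyPairGenerator.getInstance("RSA", BOUNCY_CASTLE_PROVIDER);
            keyPairGenerator2.initialize(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
            KeyPair generateKeyPair = keyPairGenerator2.generateKeyPair();
            WalletSecureStorage companion = WalletSecureStorage.INSTANCE.getInstance(context);
            byte[] encoded = generateKeyPair.getPublic().getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded, "kp.public.encoded");
            companion.setTransferCodePublicKey(keyAlias, StringExtensionsKt.toBase64(encoded));
            // The encoded private key is handed to the storage layer as a Base64 string.
            byte[] encoded2 = generateKeyPair.getPrivate().getEncoded();
            Intrinsics.checkNotNullExpressionValue(encoded2, "kp.private.encoded");
            companion.setTransferCodePrivateKey(keyAlias, StringExtensionsKt.toBase64(encoded2));
            return generateKeyPair;
        } catch (Throwable th) {
            // Every failure is reduced to a stack trace and a null result; callers cannot tell causes apart.
            th.printStackTrace();
            return null;
        }
    }

    /**
     * Decrypts a Base64-encoded hybrid envelope.
     *
     * <p>Layout after Base64 decoding: the first 256 bytes are an RSA-OAEP block whose plaintext starts
     * with a 12-byte GCM nonce followed by a 32-byte AES key; everything after the RSA block is the
     * AES-GCM ciphertext, authenticated with a 128-bit tag.
     *
     * <p>The input is not trusted: malformed Base64, an envelope no longer than the RSA block, or an RSA
     * plaintext too short to hold nonce and key all yield {@code null}, as does any cryptographic
     * failure, including a GCM tag mismatch.
     *
     * @param keyPair          pair whose private key unwraps the RSA block
     * @param ciphertextBase64 the Base64-encoded envelope
     * @return the decrypted text, or {@code null} if the envelope is malformed or decryption fails
     */
    public final String decrypt(KeyPair keyPair, String ciphertextBase64) {
        Intrinsics.checkNotNullParameter(keyPair, "keyPair");
        Intrinsics.checkNotNullParameter(ciphertextBase64, "ciphertextBase64");
        try {
            // Decoding and slicing happen inside the try so that bad input takes the same null path
            // as a cryptographic failure instead of escaping as an unchecked exception.
            byte[] envelope = StringExtensionsKt.fromBase64(ciphertextBase64);
            if (envelope.length <= RSA_BLOCK_BYTES) {
                // No room for an RSA block plus an AES-GCM payload.
                return null;
            }
            byte[] wrappedKey = ArraysKt.sliceArray(envelope, new IntRange(0, RSA_BLOCK_BYTES - 1));
            byte[] sealedBody = ArraysKt.sliceArray(envelope, new IntRange(RSA_BLOCK_BYTES, ArraysKt.getLastIndex(envelope)));
            byte[] rsaPlaintext;
            if (Build.VERSION.SDK_INT < 24) {
                // BouncyCastle path: OAEP with SHA-256 as the main digest and an explicitly chosen MGF1 digest
                // (decompiler-substituted constant; NOTE(review): should be "SHA-1", confirm).
                OAEPParameterSpec oAEPParameterSpec = new OAEPParameterSpec("SHA-256", "MGF1", new MGF1ParameterSpec(McElieceCCA2KeyGenParameterSpec.SHA1), PSource.PSpecified.DEFAULT);
                Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPPadding", BOUNCY_CASTLE_PROVIDER);
                cipher.init(Cipher.DECRYPT_MODE, keyPair.getPrivate(), oAEPParameterSpec);
                rsaPlaintext = cipher.doFinal(wrappedKey);
            } else {
                // No OAEPParameterSpec is passed here, so the MGF1 digest is the provider default;
                // NOTE(review): presumably the same as on the BouncyCastle branch, confirm.
                Cipher cipher2 = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
                cipher2.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
                rsaPlaintext = cipher2.doFinal(wrappedKey);
            }
            Intrinsics.checkNotNullExpressionValue(rsaPlaintext, "rsaPlaintext");
            if (rsaPlaintext.length < GCM_IV_BYTES + AES_KEY_BYTES) {
                // The unwrapped block cannot hold both the nonce and the AES key.
                return null;
            }
            byte[] iv = ArraysKt.sliceArray(rsaPlaintext, new IntRange(0, GCM_IV_BYTES - 1));
            byte[] aesKey = ArraysKt.sliceArray(rsaPlaintext, new IntRange(GCM_IV_BYTES, GCM_IV_BYTES + AES_KEY_BYTES - 1));
            GCMParameterSpec gCMParameterSpec = new GCMParameterSpec(GCM_TAG_BITS, iv);
            SecretKeySpec secretKeySpec = new SecretKeySpec(aesKey, "AES");
            Cipher cipher3 = Cipher.getInstance("AES/GCM/NoPadding");
            cipher3.init(Cipher.DECRYPT_MODE, secretKeySpec, gCMParameterSpec);
            // doFinal verifies the GCM tag; a mismatch throws and ends up in the catch below.
            byte[] aesPlaintext = cipher3.doFinal(sealedBody);
            Intrinsics.checkNotNullExpressionValue(aesPlaintext, "aesPlaintext");
            return StringsKt.decodeToString(aesPlaintext);
        } catch (Throwable th) {
            // All failures collapse to a stack trace and null, so callers cannot distinguish them.
            th.printStackTrace();
            return null;
        }
    }

    /**
     * Removes the key material stored for an alias.
     *
     * <p>Below API 24 both stored halves in {@link WalletSecureStorage} are set to {@code null}; from
     * API 24 on the Android Keystore entry is deleted if it exists. Keystore failures are not caught
     * here and propagate to the caller.
     *
     * @param keyAlias alias of the key to remove
     * @param context  used to obtain the secure storage on the pre-24 path
     */
    public final void deleteKeyEntry(String keyAlias, Context context) {
        Intrinsics.checkNotNullParameter(keyAlias, "keyAlias");
        Intrinsics.checkNotNullParameter(context, "context");
        if (Build.VERSION.SDK_INT < 24) {
            WalletSecureStorage companion = WalletSecureStorage.INSTANCE.getInstance(context);
            companion.setTransferCodePublicKey(keyAlias, null);
            companion.setTransferCodePrivateKey(keyAlias, null);
        } else {
            KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE_NAME);
            keyStore.load(null);
            if (keyStore.containsAlias(keyAlias)) {
                keyStore.deleteEntry(keyAlias);
            }
        }
    }

    /**
     * Returns the mutex associated with an alias, creating it on first use.
     *
     * <p>The method is synchronized on the singleton, which makes the lookup-then-insert on the plain
     * {@link HashMap} atomic. Entries are never removed by this class, so the map grows with the number
     * of distinct aliases seen.
     *
     * @param alias key alias to obtain a mutex for
     * @return the existing or newly created mutex for {@code alias}
     */
    public final synchronized Mutex getMutex(String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        HashMap<String, Mutex> hashMap = mutexMap;
        Mutex mutex = hashMap.get(alias);
        if (mutex != null) {
            return mutex;
        }
        Mutex Mutex$default = MutexKt.Mutex$default(false, 1, null);
        hashMap.put(alias, Mutex$default);
        return Mutex$default;
    }

    /**
     * Loads the key pair stored for an alias.
     *
     * <p>API 24+: reads the private-key entry from the Android Keystore and pairs its private key with
     * the public key of the entry's certificate. Below API 24: rebuilds both keys with BouncyCastle from
     * the Base64 X.509 and PKCS#8 encodings held in {@link WalletSecureStorage}. Keystore and
     * key-factory failures are not caught here and propagate to the caller.
     *
     * @param keyAlias alias of the key to load
     * @param context  used to obtain the secure storage on the pre-24 path
     * @return the key pair, or {@code null} if no entry, or only one half, exists for the alias
     */
    public final KeyPair loadKeyPair(String keyAlias, Context context) {
        Intrinsics.checkNotNullParameter(keyAlias, "keyAlias");
        Intrinsics.checkNotNullParameter(context, "context");
        if (Build.VERSION.SDK_INT >= 24) {
            KeyStore keyStore = KeyStore.getInstance(ANDROID_KEYSTORE_NAME);
            keyStore.load(null);
            if (!keyStore.containsAlias(keyAlias)) {
                return null;
            }
            KeyStore.Entry entry = keyStore.getEntry(keyAlias, null);
            // An alias holding anything other than a private-key entry is treated as absent.
            KeyStore.PrivateKeyEntry privateKeyEntry = entry instanceof KeyStore.PrivateKeyEntry ? (KeyStore.PrivateKeyEntry) entry : null;
            if (privateKeyEntry == null) {
                return null;
            }
            return new KeyPair(privateKeyEntry.getCertificate().getPublicKey(), privateKeyEntry.getPrivateKey());
        }
        WalletSecureStorage companion = WalletSecureStorage.INSTANCE.getInstance(context);
        String transferCodePublicKey = companion.getTransferCodePublicKey(keyAlias);
        byte[] fromBase64 = transferCodePublicKey == null ? null : StringExtensionsKt.fromBase64(transferCodePublicKey);
        String transferCodePrivateKey = companion.getTransferCodePrivateKey(keyAlias);
        byte[] fromBase642 = transferCodePrivateKey == null ? null : StringExtensionsKt.fromBase64(transferCodePrivateKey);
        if (fromBase64 == null || fromBase642 == null) {
            return null;
        }
        KeyFactory keyFactory = KeyFactory.getInstance("RSA", BOUNCY_CASTLE_PROVIDER);
        return new KeyPair(keyFactory.generatePublic(new X509EncodedKeySpec(fromBase64)), keyFactory.generatePrivate(new PKCS8EncodedKeySpec(fromBase642)));
    }

    /**
     * Signs a message with RSA-PSS over SHA-256 and returns the signature Base64-encoded.
     *
     * <p>No provider is named in the {@link Signature} lookup, so the implementation is whichever
     * registered provider handles the given private key.
     *
     * @param keyPair pair whose private key produces the signature
     * @param message text to sign; it is converted to bytes by {@code encodeToByteArray}
     * @return the Base64 signature, or {@code null} if signing threw
     */
    public final String sign(KeyPair keyPair, String message) {
        Intrinsics.checkNotNullParameter(keyPair, "keyPair");
        Intrinsics.checkNotNullParameter(message, "message");
        byte[] encodeToByteArray = StringsKt.encodeToByteArray(message);
        try {
            Signature signature = Signature.getInstance("SHA256withRSA/PSS");
            signature.initSign(keyPair.getPrivate());
            signature.update(encodeToByteArray);
            byte[] signature2 = signature.sign();
            Intrinsics.checkNotNullExpressionValue(signature2, "signature");
            return StringExtensionsKt.toBase64(signature2);
        } catch (Throwable th) {
            // As elsewhere in this class, the cause is only printed and the caller receives null.
            th.printStackTrace();
            return null;
        }
    }
}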
