package de.tutao.tutanota;

import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.util.Log;
import de.tutao.tutanota.credentials.CredentialEncryptionMode;
import de.tutao.tutanota.credentials.DataKeyGenerator;
import java.io.ByteArrayOutputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;
import kotlin.Lazy;
import kotlin.LazyKt__LazyJVMKt;
import kotlin.LazyThreadSafetyMode;
import kotlin.NoWhenBranchMatchedException;
import kotlin.collections.ArraysKt___ArraysJvmKt;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.jvm.functions.Function0;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

/* loaded from: classes.dex */
/**
 * Wraps the platform "AndroidKeyStore" provider to protect session keys and credential data.
 *
 * <p>Two separate schemes are visible in this class:
 * <ul>
 *   <li><b>Key wrapping</b> ({@link #encryptKey} / {@link #decryptKey}): uses the device key under
 *       alias "TutanotaAppDeviceKey" with AES/CBC/NoPadding and a fixed IV, or, when the alias
 *       "TutanotaAppDeviceAsymmetricKey" exists, an RSA key pair with PKCS#1 v1.5 padding.</li>
 *   <li><b>Credential data</b> ({@link #encryptData} / {@link #decryptData}): uses a per-mode data
 *       key with AES/CBC/PKCS7Padding; the 16-byte IV is stored as a prefix of the ciphertext.</li>
 * </ul>
 *
 * <p>Security notes for reviewers: neither scheme adds an authentication tag, so ciphertext
 * integrity is not verified in this class. NOTE(review): confirm whether a MAC or other integrity
 * check is applied by the callers.
 *
 * <p>This listing is decompiler output (see the "loaded from: classes.dex" and JADX markers).
 * Checked exceptions are therefore not declared, and some constructs are not valid Java source.
 */
public final class AndroidKeyStoreFacade {
    public static final Companion Companion = new Companion(null);
    // Assigned in the constructor; no method visible in this class reads it.
    private final AndroidNativeCryptoFacade crypto;
    // Creates a data key when the alias for a credential encryption mode is missing (see getDataKey).
    private final DataKeyGenerator dataKeyGenerator;
    // Lazily initialised KeyStore handle; resolved through getKeyStore().
    private final Lazy keyStore$delegate;

    /* loaded from: classes.dex */
    /** Empty Kotlin companion object; it holds no members in this listing. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /* loaded from: classes.dex */
    /**
     * Compiler-generated lookup table that maps {@code CredentialEncryptionMode.ordinal()} to the
     * branch numbers 1..3 used in {@link #keyAliasForEncryptionMode}.
     */
    public /* synthetic */ class WhenMappings {
        public static final /* synthetic */ int[] $EnumSwitchMapping$0;

        static {
            int[] iArr = new int[CredentialEncryptionMode.values().length];
            // Each assignment is guarded separately so that a missing enum constant leaves its
            // slot at 0 instead of failing class initialisation.
            try {
                iArr[CredentialEncryptionMode.DEVICE_LOCK.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                iArr[CredentialEncryptionMode.SYSTEM_PASSWORD.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                iArr[CredentialEncryptionMode.BIOMETRICS.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            $EnumSwitchMapping$0 = iArr;
        }
    }

    /**
     * Stores the collaborators and sets up lazy, synchronized initialisation of the key store.
     *
     * <p>On first use the initialiser loads "AndroidKeyStore". If neither device-key alias exists,
     * it generates the symmetric device key. Any failure is logged and rethrown.
     *
     * @param crypto native crypto facade; must not be null
     * @param dataKeyGenerator generator for per-mode data keys; must not be null
     */
    public AndroidKeyStoreFacade(AndroidNativeCryptoFacade crypto, DataKeyGenerator dataKeyGenerator) {
        Lazy lazy;
        Intrinsics.checkNotNullParameter(crypto, "crypto");
        Intrinsics.checkNotNullParameter(dataKeyGenerator, "dataKeyGenerator");
        this.crypto = crypto;
        this.dataKeyGenerator = dataKeyGenerator;
        lazy = LazyKt__LazyJVMKt.lazy(LazyThreadSafetyMode.SYNCHRONIZED, new Function0() { // from class: de.tutao.tutanota.AndroidKeyStoreFacade$keyStore$2
            /* JADX INFO: Access modifiers changed from: package-private */
            // Decompiler artifact: this appears to be the Kotlin lambda's arity constructor.
            {
                super(0);
            }

            @Override // kotlin.jvm.functions.Function0
            public final KeyStore invoke() {
                try {
                    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    // A symmetric device key is created only when no device key of either kind
                    // exists; an existing asymmetric key is left in place and keeps being used.
                    if (!keyStore.containsAlias("TutanotaAppDeviceKey") && !keyStore.containsAlias("TutanotaAppDeviceAsymmetricKey")) {
                        AndroidKeyStoreFacade.this.generateSymmetricKey();
                    }
                    return keyStore;
                } catch (Throwable th) {
                    Log.w("AndroidKeyStoreFacade", "Keystore could not be initialized", th);
                    throw th;
                }
            }
        });
        this.keyStore$delegate = lazy;
    }

    /**
     * Creates an RSA cipher ("RSA/ECB/PKCS1Padding", provider "AndroidOpenSSL") for the given key.
     *
     * <p>Security note: PKCS#1 v1.5 encryption padding is open to padding-oracle attacks when
     * decryption failures can be told apart by an attacker; OAEP is the usual choice for new
     * designs. This path is taken only when the alias "TutanotaAppDeviceAsymmetricKey" exists.
     * NOTE(review): presumably a legacy path kept for existing installs; confirm.
     *
     * @param key RSA public or private key
     * @param i cipher operation mode (1 = Cipher.ENCRYPT_MODE, 2 = Cipher.DECRYPT_MODE)
     * @return the initialised cipher
     * @throws CryptoError if the key is rejected by {@code Cipher.init}
     */
    private final Cipher createRSACipher(Key key, int i) {
        try {
            Cipher cipher = Cipher.getInstance("RSA/ECB/PKCS1Padding", "AndroidOpenSSL");
            cipher.init(i, key);
            Intrinsics.checkNotNull(cipher);
            return cipher;
        } catch (InvalidKeyException e) {
            throw new CryptoError(e);
        }
    }

    /**
     * Decrypts a wrapped key with AES/CBC/NoPadding and the fixed IV from
     * {@code AndroidNativeCryptoFacade.Companion.getFIXED_IV()}.
     *
     * <p>With NoPadding the input length must be a multiple of the AES block size; otherwise
     * {@code doFinal} fails and the failure is rethrown as {@link CryptoError}. No integrity check
     * is performed here, so a modified ciphertext decrypts to different bytes without an error.
     *
     * @param key symmetric device key
     * @param bArr wrapped key bytes
     * @return the unwrapped key bytes
     * @throws CryptoError on an invalid key or failed decryption
     */
    private final byte[] decryptKeyStoreKey(Key key, byte[] bArr) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // 2 = Cipher.DECRYPT_MODE
            cipher.init(2, key, new IvParameterSpec(AndroidNativeCryptoFacade.Companion.getFIXED_IV()));
            byte[] doFinal = cipher.doFinal(bArr);
            Intrinsics.checkNotNull(doFinal);
            return doFinal;
        } catch (InvalidKeyException e) {
            throw new CryptoError(e);
        } catch (BadPaddingException e2) {
            throw new CryptoError(e2);
        } catch (IllegalBlockSizeException e3) {
            throw new CryptoError(e3);
        }
    }

    /**
     * Encrypts (wraps) a key with AES/CBC/NoPadding and the fixed IV from
     * {@code AndroidNativeCryptoFacade.Companion.getFIXED_IV()}.
     *
     * <p>Security note: a fixed IV makes the encryption deterministic, so the same plaintext under
     * the same key always gives the same ciphertext. NOTE(review): presumably acceptable because
     * the plaintext is a random session key; confirm against the callers. No authentication tag is
     * produced.
     *
     * @param key symmetric device key
     * @param bArr key bytes to wrap; the length must be a multiple of the AES block size
     * @return the wrapped key bytes
     * @throws CryptoError on an invalid key or failed encryption
     */
    private final byte[] encryptKeyStoreKey(Key key, byte[] bArr) {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // 1 = Cipher.ENCRYPT_MODE
            cipher.init(1, key, new IvParameterSpec(AndroidNativeCryptoFacade.Companion.getFIXED_IV()));
            byte[] doFinal = cipher.doFinal(bArr);
            Intrinsics.checkNotNull(doFinal);
            return doFinal;
        } catch (InvalidKeyException e) {
            throw new CryptoError(e);
        } catch (BadPaddingException e2) {
            throw new CryptoError(e2);
        } catch (IllegalBlockSizeException e3) {
            throw new CryptoError(e3);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Generates the AES device key under alias "TutanotaAppDeviceKey" inside the Android Keystore.
     *
     * <p>The purposes value 3 is PURPOSE_ENCRYPT | PURPOSE_DECRYPT. The call
     * {@code setRandomizedEncryptionRequired(false)} turns off the Keystore's requirement for a
     * random IV, which is what allows the caller-supplied fixed IV in the key-wrapping methods.
     * The spec built here does not request user authentication, so this key is usable without a
     * device-unlock or biometric prompt.
     */
    public final void generateSymmetricKey() {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        keyGenerator.init(new KeyGenParameterSpec.Builder("TutanotaAppDeviceKey", 3).setBlockModes("CBC").setEncryptionPaddings("NoPadding").setRandomizedEncryptionRequired(false).build());
        keyGenerator.generateKey();
    }

    /**
     * Returns the ciphertext part of an "IV || ciphertext" buffer: everything after the first
     * 16 bytes.
     *
     * <p>The length is not validated here. NOTE(review): for inputs shorter than 16 bytes the
     * range copy is expected to throw; confirm that callers handle that.
     */
    private final byte[] getData(byte[] bArr) {
        int lastIndex;
        byte[] copyOfRange;
        lastIndex = ArraysKt___ArraysKt.getLastIndex(bArr);
        // lastIndex + 1 is the array length, so this copies from offset 16 to the end.
        copyOfRange = ArraysKt___ArraysJvmKt.copyOfRange(bArr, 16, lastIndex + 1);
        return copyOfRange;
    }

    /**
     * Returns the data key for the given credential encryption mode.
     *
     * <p>If the alias is not yet in the key store, the key is created through
     * {@code dataKeyGenerator.generateDataKey}. Otherwise it is loaded from the key store.
     *
     * @throws KeyStoreException if the stored key cannot be recovered
     */
    private final Key getDataKey(CredentialEncryptionMode credentialEncryptionMode) {
        String keyAliasForEncryptionMode = keyAliasForEncryptionMode(credentialEncryptionMode);
        if (!getKeyStore().containsAlias(keyAliasForEncryptionMode)) {
            return this.dataKeyGenerator.generateDataKey(keyAliasForEncryptionMode, credentialEncryptionMode);
        }
        try {
            return getKeyStore().getKey(keyAliasForEncryptionMode, null);
        } catch (UnrecoverableKeyException e) {
            throw new KeyStoreException(e);
        }
    }

    /** Returns the first 16 bytes of the buffer, which {@link #encryptData} writes as the IV. */
    private final byte[] getIV(byte[] bArr) {
        byte[] copyOfRange;
        copyOfRange = ArraysKt___ArraysJvmKt.copyOfRange(bArr, 0, 16);
        return copyOfRange;
    }

    /** Resolves the lazily initialised key store; the first call runs the initialiser. */
    private final KeyStore getKeyStore() {
        Object value = this.keyStore$delegate.getValue();
        Intrinsics.checkNotNullExpressionValue(value, "getValue(...)");
        return (KeyStore) value;
    }

    /**
     * Loads the symmetric device key stored under alias "TutanotaAppDeviceKey".
     *
     * @throws KeyStoreException if the stored key cannot be recovered
     */
    private final Key getSymmetricKey() {
        try {
            Key key = getKeyStore().getKey("TutanotaAppDeviceKey", null);
            Intrinsics.checkNotNull(key);
            return key;
        } catch (UnrecoverableKeyException e) {
            throw new KeyStoreException(e);
        }
    }

    /**
     * Maps a credential encryption mode to its key store alias.
     *
     * <p>The aliases are persisted identifiers. The unusual capitalisation of "BIometricsDataKey"
     * must stay as it is: changing it would make an existing biometric key unreachable under the
     * new name.
     */
    private final String keyAliasForEncryptionMode(CredentialEncryptionMode credentialEncryptionMode) {
        int i = WhenMappings.$EnumSwitchMapping$0[credentialEncryptionMode.ordinal()];
        if (i == 1) {
            return "DeviceLockDataKey";
        }
        if (i == 2) {
            return "SystemPasswordDataKey";
        }
        if (i == 3) {
            return "BIometricsDataKey";
        }
        throw new NoWhenBranchMatchedException();
    }

    /**
     * Decrypts an "IV || ciphertext" buffer with an already initialised cipher.
     *
     * <p>The 16-byte IV prefix is skipped here. The cipher is expected to have been initialised
     * with that IV, see {@link #getCipherForDecryptionMode}. No authentication tag is checked, so
     * a padding failure is the only tamper signal this method produces. Callers should avoid
     * exposing a distinguishable padding error to untrusted parties.
     *
     * @param dataToDecrypt IV-prefixed ciphertext; must not be null
     * @param cipher cipher initialised for decryption; must not be null
     * @return the plaintext
     * @throws CryptoError on bad padding or an illegal block size
     */
    public final byte[] decryptData(byte[] dataToDecrypt, Cipher cipher) {
        Intrinsics.checkNotNullParameter(dataToDecrypt, "dataToDecrypt");
        Intrinsics.checkNotNullParameter(cipher, "cipher");
        try {
            byte[] doFinal = cipher.doFinal(getData(dataToDecrypt));
            Intrinsics.checkNotNull(doFinal);
            return doFinal;
        } catch (BadPaddingException e) {
            throw new CryptoError(e);
        } catch (IllegalBlockSizeException e2) {
            throw new CryptoError(e2);
        }
    }

    /**
     * Unwraps a session key with the device key.
     *
     * <p>The RSA private key under "TutanotaAppDeviceAsymmetricKey" is used when that alias
     * exists. Otherwise the symmetric device key is used with AES/CBC/NoPadding and the fixed IV.
     *
     * @param encSessionKey wrapped session key; must not be null
     * @return the unwrapped session key
     * @throws CryptoError if decryption fails
     */
    public final byte[] decryptKey(byte[] encSessionKey) {
        Intrinsics.checkNotNullParameter(encSessionKey, "encSessionKey");
        if (!getKeyStore().containsAlias("TutanotaAppDeviceAsymmetricKey")) {
            return decryptKeyStoreKey(getSymmetricKey(), encSessionKey);
        }
        try {
            Key key = getKeyStore().getKey("TutanotaAppDeviceAsymmetricKey", null);
            Intrinsics.checkNotNull(key, "null cannot be cast to non-null type java.security.PrivateKey");
            // 2 = Cipher.DECRYPT_MODE
            return createRSACipher((PrivateKey) key, 2).doFinal(encSessionKey);
        } catch (BadPaddingException e) {
            throw new CryptoError(e);
        } catch (IllegalBlockSizeException e2) {
            throw new CryptoError(e2);
        }
    }

    /**
     * Encrypts data with an already initialised cipher and returns "IV || ciphertext".
     *
     * <p>The IV is read back from the cipher after {@code doFinal}. NOTE(review): this assumes
     * {@code cipher.getIV()} is non-null, as it is for the CBC cipher returned by
     * {@link #getCipherForEncryptionMode}; a cipher without an IV would fail at {@code iv.length}.
     *
     * @param data plaintext; must not be null
     * @param cipher cipher initialised for encryption; must not be null
     * @return the IV followed by the ciphertext
     * @throws CryptoError on bad padding or an illegal block size
     */
    public final byte[] encryptData(byte[] data, Cipher cipher) {
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(cipher, "cipher");
        try {
            byte[] doFinal = cipher.doFinal(data);
            byte[] iv = cipher.getIV();
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(doFinal.length + iv.length);
            // The IV is written first; getIV() and getData() depend on this layout.
            byteArrayOutputStream.write(iv);
            byteArrayOutputStream.write(doFinal);
            byte[] byteArray = byteArrayOutputStream.toByteArray();
            Intrinsics.checkNotNull(byteArray);
            return byteArray;
        } catch (BadPaddingException e) {
            throw new CryptoError(e);
        } catch (IllegalBlockSizeException e2) {
            throw new CryptoError(e2);
        }
    }

    /**
     * Wraps a session key with the device key.
     *
     * <p>The RSA public key from the certificate under "TutanotaAppDeviceAsymmetricKey" is used
     * when that alias exists. Otherwise the symmetric device key is used with AES/CBC/NoPadding
     * and the fixed IV.
     *
     * @param sessionKey session key to wrap; must not be null
     * @return the wrapped session key
     * @throws CryptoError if encryption fails
     */
    public final byte[] encryptKey(byte[] sessionKey) {
        Intrinsics.checkNotNullParameter(sessionKey, "sessionKey");
        if (!getKeyStore().containsAlias("TutanotaAppDeviceAsymmetricKey")) {
            return encryptKeyStoreKey(getSymmetricKey(), sessionKey);
        }
        PublicKey publicKey = getKeyStore().getCertificate("TutanotaAppDeviceAsymmetricKey").getPublicKey();
        try {
            Intrinsics.checkNotNull(publicKey);
            // 1 = Cipher.ENCRYPT_MODE
            byte[] doFinal = createRSACipher(publicKey, 1).doFinal(sessionKey);
            Intrinsics.checkNotNull(doFinal);
            return doFinal;
        } catch (BadPaddingException e) {
            throw new CryptoError(e);
        } catch (IllegalBlockSizeException e2) {
            throw new CryptoError(e2);
        }
    }

    /**
     * Builds an AES/CBC/PKCS7Padding decryption cipher for the given mode, using the IV taken from
     * the first 16 bytes of the data to be decrypted.
     *
     * <p>If the key store reports the key as permanently invalidated, the key entry is deleted and
     * the exception is rethrown. Data encrypted under that key can then no longer be decrypted, so
     * the caller has to handle the loss.
     *
     * @param encryptionMode credential encryption mode that selects the data key; must not be null
     * @param dataToBeDecrypted IV-prefixed ciphertext; must not be null
     * @return a cipher initialised for decryption
     * @throws CryptoError if the IV parameters are rejected
     * @throws KeyStoreException if the key is otherwise invalid
     */
    public final Cipher getCipherForDecryptionMode(CredentialEncryptionMode encryptionMode, byte[] dataToBeDecrypted) {
        Intrinsics.checkNotNullParameter(encryptionMode, "encryptionMode");
        Intrinsics.checkNotNullParameter(dataToBeDecrypted, "dataToBeDecrypted");
        Key dataKey = getDataKey(encryptionMode);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "AndroidKeyStoreBCWorkaround");
        try {
            // 2 = Cipher.DECRYPT_MODE
            cipher.init(2, dataKey, new IvParameterSpec(getIV(dataToBeDecrypted)));
            Intrinsics.checkNotNull(cipher);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Caught before InvalidKeyException because it is a subclass of it.
            getKeyStore().deleteEntry(keyAliasForEncryptionMode(encryptionMode));
            throw e;
        } catch (InvalidAlgorithmParameterException e2) {
            throw new CryptoError(e2);
        } catch (InvalidKeyException e3) {
            throw new KeyStoreException(e3);
        }
    }

    /**
     * Builds an AES/CBC/PKCS7Padding encryption cipher for the given mode.
     *
     * <p>No IV is passed to {@code init}; {@link #encryptData} later reads it back through
     * {@code cipher.getIV()}. NOTE(review): presumably the provider generates a fresh random IV
     * for each cipher; confirm against the data key's generation spec.
     *
     * <p>If the key store reports the key as permanently invalidated, the key entry is deleted and
     * the exception is rethrown.
     *
     * @param encryptionMode credential encryption mode that selects the data key; must not be null
     * @return a cipher initialised for encryption
     * @throws KeyStoreException if the key is otherwise invalid
     */
    public final Cipher getCipherForEncryptionMode(CredentialEncryptionMode encryptionMode) {
        Intrinsics.checkNotNullParameter(encryptionMode, "encryptionMode");
        Key dataKey = getDataKey(encryptionMode);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "AndroidKeyStoreBCWorkaround");
        try {
            // 1 = Cipher.ENCRYPT_MODE
            cipher.init(1, dataKey);
            Intrinsics.checkNotNull(cipher);
            return cipher;
        } catch (KeyPermanentlyInvalidatedException e) {
            // Caught before InvalidKeyException because it is a subclass of it.
            getKeyStore().deleteEntry(keyAliasForEncryptionMode(encryptionMode));
            throw e;
        } catch (InvalidKeyException e2) {
            throw new KeyStoreException(e2);
        }
    }
}
