package android.security.keystore2;

import android.annotation.NonNull;
import android.annotation.Nullable;
import android.app.AppGlobals;
import android.hardware.security.keymint.EcCurve;
import android.hardware.security.keymint.KeyParameter;
import android.net.connectivity.org.chromium.net.NetError;
import android.os.Build;
import android.os.StrictMode;
import android.security.Flags;
import android.security.KeyPairGeneratorSpec;
import android.security.KeyStore2;
import android.security.KeyStoreException;
import android.security.KeyStoreSecurityLevel;
import android.security.keymaster.KeymasterArguments;
import android.security.keystore.ArrayUtils;
import android.security.keystore.DeviceIdAttestationException;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.SecureKeyImportUnavailableException;
import android.security.keystore.StrongBoxUnavailableException;
import android.system.keystore2.Authorization;
import android.system.keystore2.KeyDescriptor;
import android.system.keystore2.KeyEntryResponse;
import android.telephony.TelephonyManager;
import android.text.TextUtils;
import android.util.ArraySet;
import android.util.Log;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPair;
import java.security.KeyPairGeneratorSpi;
import java.security.ProviderException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import libcore.util.EmptyArray;

/* loaded from: input_file:android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi.class */
public abstract class AndroidKeyStoreKeyPairGeneratorSpi extends KeyPairGeneratorSpi {
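    private static final String TAG = "AndroidKeyStoreKeyPairGeneratorSpi";
    // Provider-internal algorithm ids handed to the base constructor by the XDH and ED25519
    // subclasses. initialize() maps both to the EC algorithm id (3) before talking to KeyStore2.
    private static final int ALGORITHM_XDH = 1203;
    private static final int ALGORITHM_ED25519 = 1204;
    private static final int EC_DEFAULT_KEY_SIZE = 256;
    private static final int RSA_DEFAULT_KEY_SIZE = 2048;
    // NOTE(review): 512-bit RSA is far below current minimum-strength guidance. This is only the
    // declared lower bound; where and how it is enforced is not visible in this part of the file.
    private static final int RSA_MIN_KEY_SIZE = 512;
    private static final int RSA_MAX_KEY_SIZE = 8192;
    // Curve lookup tables. initAlgorithmSpecificParameters() queries the name-to-size map with a
    // Locale.US lower-cased curve name; the code that fills these collections is outside this view.
    private static final Map<String, Integer> SUPPORTED_EC_CURVE_NAME_TO_SIZE = new HashMap<>();
    private static final List<String> SUPPORTED_EC_CURVE_NAMES = new ArrayList<>();
    private static final List<Integer> SUPPORTED_EC_CURVE_SIZES = new ArrayList<>();
    private static final String CURVE_X_25519 = NamedParameterSpec.X25519.getName();
    private static final String CURVE_ED_25519 = NamedParameterSpec.ED25519.getName();
    // Algorithm id supplied by the concrete subclass; never changes after construction.
    private final int mOriginalKeymasterAlgorithm;
    // Everything below is per-initialization state: resetAll() clears it, initialize() fills it.
    private KeyStore2 mKeyStore;
    private KeyGenParameterSpec mSpec;
    private String mEntryAlias;
    private int mEntryNamespace;
    private String mJcaKeyAlgorithm;
    private int mKeymasterAlgorithm = -1;
    private int mKeySizeBits;
    // Caller-supplied RNG; generateKeyPair() only uses it to obtain bytes that are mixed into the
    // keystore RNG, not to generate the key material itself.
    private SecureRandom mRng;
    // Non-null only when the spec names an attest key alias that passed validation.
    private KeyDescriptor mAttestKeyDescriptor;
    private String mEcCurveName;
    private int[] mKeymasterPurposes;
    private int[] mKeymasterBlockModes;
    private int[] mKeymasterEncryptionPaddings;
    private int[] mKeymasterSignaturePaddings;
    private int[] mKeymasterDigests;
    private int[] mKeymasterMgf1Digests;
    // RSA public exponent stored via BigInteger.longValue(); values above Long.MAX_VALUE (allowed
    // up to UINT64_MAX) therefore appear here as negative longs carrying the unsigned bit pattern.
    private Long mRSAPublicExponent;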

    /* loaded from: input_file:android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi$EC.class */
    /**
     * Key pair generator variant for EC keys.
     *
     * <p>Passes algorithm id 3 to the base class, the id the base class handles in its EC
     * branches (curve selection, EC-only parameter spec checks).
     */
    public static class EC extends AndroidKeyStoreKeyPairGeneratorSpi {
        /** Creates the generator bound to the EC algorithm id. */
        public EC() {
            super(3);
        }
    }

    /* loaded from: input_file:android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi$ED25519.class */
    /**
     * Key pair generator variant for Ed25519 keys.
     *
     * <p>Passes the provider-internal id 1204 to the base class. The base class generates these
     * as EC keys and, when a curve name is supplied, accepts only the ed25519 curve for this id.
     */
    public static class ED25519 extends AndroidKeyStoreKeyPairGeneratorSpi {
        /** Creates the generator bound to the Ed25519 algorithm id. */
        public ED25519() {
            super(1204);
        }
    }

    /* loaded from: input_file:android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi$RSA.class */
    /**
     * Key pair generator variant for RSA keys.
     *
     * <p>Passes algorithm id 1 to the base class, the id the base class handles in its RSA
     * branches (key size and public exponent validation).
     */
    public static class RSA extends AndroidKeyStoreKeyPairGeneratorSpi {
        /** Creates the generator bound to the RSA algorithm id. */
        public RSA() {
            super(1);
        }
    }

    /* loaded from: input_file:android/security/keystore2/AndroidKeyStoreKeyPairGeneratorSpi$XDH.class */
    /**
     * Key pair generator variant for XDH (X25519 key agreement) keys.
     *
     * <p>Passes the provider-internal id 1203 to the base class. The base class generates these
     * as EC keys and, when a curve name is supplied, accepts only the x25519 curve for this id.
     */
    public static class XDH extends AndroidKeyStoreKeyPairGeneratorSpi {
        /** Creates the generator bound to the XDH algorithm id. */
        public XDH() {
            super(1203);
        }
    }

    /**
     * Records the algorithm id chosen by the concrete subclass.
     *
     * <p>No other state is set up here; the generator is unusable until one of the
     * {@code initialize} overloads has succeeded.
     *
     * @param i algorithm id (1, 3, 1203 or 1204 for the subclasses declared in this file)
     */
    protected AndroidKeyStoreKeyPairGeneratorSpi(int i) {
        mOriginalKeymasterAlgorithm = i;
    }

    /**
     * Translates an EC key size, plus the curve name where the size alone is ambiguous, into
     * the integer curve id sent with the key generation request.
     *
     * <p>A 256-bit request maps to id 4 only when the name is one of the 25519 curves; any
     * other name, including {@code null}, falls back to id 1 (the P-256 value of EcCurve).
     *
     * @param i key size in bits
     * @param str curve name, may be {@code null}
     * @return 0, 1, 2, 3 or 4 for 224, 256 (non-25519), 384, 521 and 256 (25519) respectively
     * @throws InvalidAlgorithmParameterException if the size is none of 224, 256, 384, 521
     */
    @EcCurve
    private static int keySizeAndNameToEcCurve(int i, String str) throws InvalidAlgorithmParameterException {
        if (i == 224) {
            return 0;
        }
        if (i == 256) {
            // Two curve families share this size; the name decides between them.
            if (isCurve25519(str)) {
                return 4;
            }
            return 1;
        }
        if (i == 384) {
            return 2;
        }
        if (i == 521) {
            return 3;
        }
        throw new InvalidAlgorithmParameterException("Unsupported EC curve keysize: " + i);
    }

    /**
     * Always rejects size-only initialization.
     *
     * <p>This generator needs a parameter spec carrying at least the keystore alias, so a bare
     * key size cannot be honoured. Both arguments are ignored.
     *
     * @throws IllegalArgumentException unconditionally, naming the accepted spec classes
     */
    @Override // java.security.KeyPairGeneratorSpi
    public void initialize(int i, SecureRandom secureRandom) {
        String acceptedSpecs = KeyGenParameterSpec.class.getName() + " or " + KeyPairGeneratorSpec.class.getName();
        throw new IllegalArgumentException(acceptedSpecs + " required to initialize this KeyPairGenerator");
    }

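    /**
     * Validates the supplied spec and captures everything {@link #generateKeyPair()} needs.
     *
     * <p>All per-initialization state is cleared first and cleared again if any step fails, so
     * a failed call never leaves a half-configured generator behind. Accepted spec types are
     * {@link KeyGenParameterSpec} and the legacy {@link KeyPairGeneratorSpec}; the latter is
     * converted to a {@code KeyGenParameterSpec} with permissive legacy defaults.
     *
     * @param algorithmParameterSpec key generation parameters, must not be {@code null}
     * @param secureRandom caller RNG, stored as-is and may be {@code null}
     * @throws InvalidAlgorithmParameterException if the spec is missing, of an unsupported
     *     class, or fails any of the key size, alias, padding, purpose or attest-key checks
     * @throws IllegalArgumentException if a {@code NamedParameterSpec} for X25519 or Ed25519
     *     is passed; those curves must be requested through one of the accepted spec classes
     */
    @Override // java.security.KeyPairGeneratorSpi
    public void initialize(AlgorithmParameterSpec algorithmParameterSpec, SecureRandom secureRandom) throws InvalidAlgorithmParameterException {
        resetAll();
        boolean success = false;
        try {
            if (algorithmParameterSpec == null) {
                throw new InvalidAlgorithmParameterException("Must supply params of type " + KeyGenParameterSpec.class.getName() + " or " + KeyPairGeneratorSpec.class.getName());
            }
            // XDH (1203) and Ed25519 (1204) are provider-level ids; both are generated as EC (3).
            int keymasterAlgorithm = (this.mOriginalKeymasterAlgorithm == 1203 || this.mOriginalKeymasterAlgorithm == 1204) ? 3 : this.mOriginalKeymasterAlgorithm;
            KeyGenParameterSpec spec;
            if (algorithmParameterSpec instanceof KeyGenParameterSpec) {
                spec = (KeyGenParameterSpec) algorithmParameterSpec;
            } else if (algorithmParameterSpec instanceof KeyPairGeneratorSpec) {
                KeyPairGeneratorSpec legacySpec = (KeyPairGeneratorSpec) algorithmParameterSpec;
                try {
                    // The legacy spec may override the algorithm through its key type.
                    keymasterAlgorithm = getKeymasterAlgorithmFromLegacy(keymasterAlgorithm, legacySpec);
                    spec = buildKeyGenParameterSpecFromLegacy(legacySpec, keymasterAlgorithm);
                } catch (IllegalArgumentException | NullPointerException e) {
                    throw new InvalidAlgorithmParameterException(e);
                }
            } else if (algorithmParameterSpec instanceof NamedParameterSpec) {
                NamedParameterSpec namedSpec = (NamedParameterSpec) algorithmParameterSpec;
                if (!namedSpec.getName().equalsIgnoreCase(NamedParameterSpec.X25519.getName()) && !namedSpec.getName().equalsIgnoreCase(NamedParameterSpec.ED25519.getName())) {
                    throw new InvalidAlgorithmParameterException("Unsupported algorithm specified via NamedParameterSpec: " + namedSpec.getName());
                }
                // A bare curve name carries no alias, so even the supported names are refused.
                throw new IllegalArgumentException("This KeyPairGenerator cannot be initialized using NamedParameterSpec. use " + KeyGenParameterSpec.class.getName() + " or " + KeyPairGeneratorSpec.class.getName());
            } else {
                throw new InvalidAlgorithmParameterException("Unsupported params class: " + algorithmParameterSpec.getClass().getName() + ". Supported: " + KeyGenParameterSpec.class.getName() + ", " + KeyPairGeneratorSpec.class.getName());
            }
            this.mEntryAlias = spec.getKeystoreAlias();
            this.mEntryNamespace = spec.getNamespace();
            this.mSpec = spec;
            this.mKeymasterAlgorithm = keymasterAlgorithm;
            this.mKeySizeBits = spec.getKeySize();
            // May replace an unset (-1) key size with the one implied by the RSA/EC sub-spec.
            initAlgorithmSpecificParameters();
            if (this.mKeySizeBits == -1) {
                this.mKeySizeBits = getDefaultKeySize(keymasterAlgorithm);
            }
            checkValidKeySize(keymasterAlgorithm, this.mKeySizeBits, this.mSpec.isStrongBoxBacked(), this.mEcCurveName);
            if (spec.getKeystoreAlias() == null) {
                throw new InvalidAlgorithmParameterException("KeyStore entry alias not provided");
            }
            try {
                String jcaKeyAlgorithm = KeyProperties.KeyAlgorithm.fromKeymasterAsymmetricKeyAlgorithm(keymasterAlgorithm);
                this.mKeymasterPurposes = KeyProperties.Purpose.allToKeymaster(spec.getPurposes());
                this.mKeymasterBlockModes = KeyProperties.BlockMode.allToKeymaster(spec.getBlockModes());
                this.mKeymasterEncryptionPaddings = KeyProperties.EncryptionPadding.allToKeymaster(spec.getEncryptionPaddings());
                // Purpose bit 1 is encryption: with randomized encryption required, every
                // authorized padding must be IND-CPA compatible or the spec is rejected.
                if ((spec.getPurposes() & 1) != 0 && spec.isRandomizedEncryptionRequired()) {
                    for (int padding : this.mKeymasterEncryptionPaddings) {
                        if (!KeymasterUtils.isKeymasterPaddingSchemeIndCpaCompatibleWithAsymmetricCrypto(padding)) {
                            throw new InvalidAlgorithmParameterException("Randomized encryption (IND-CPA) required but may be violated by padding scheme: " + KeyProperties.EncryptionPadding.fromKeymaster(padding) + ". See " + KeyGenParameterSpec.class.getName() + " documentation.");
                        }
                    }
                }
                this.mKeymasterSignaturePaddings = KeyProperties.SignaturePadding.allToKeymaster(spec.getSignaturePaddings());
                if (spec.isDigestsSpecified()) {
                    this.mKeymasterDigests = KeyProperties.Digest.allToKeymaster(spec.getDigests());
                } else {
                    this.mKeymasterDigests = EmptyArray.INT;
                }
                if (spec.isMgf1DigestsSpecified()) {
                    Set<String> mgf1Digests = spec.getMgf1Digests();
                    this.mKeymasterMgf1Digests = new int[mgf1Digests.size()];
                    int index = 0;
                    for (String mgf1Digest : mgf1Digests) {
                        this.mKeymasterMgf1Digests[index] = KeyProperties.Digest.toKeymaster(mgf1Digest);
                        index++;
                    }
                } else {
                    // With no MGF1 digests named, SHA-1 is the only MGF1 digest recorded.
                    this.mKeymasterMgf1Digests = new int[]{KeyProperties.Digest.toKeymaster("SHA-1")};
                }
                // The list is discarded: the call is made only so that an invalid user-auth
                // configuration fails here rather than at generateKeyPair() time.
                KeyStore2ParameterUtils.addUserAuthArgs(new ArrayList<>(), this.mSpec);
                this.mJcaKeyAlgorithm = jcaKeyAlgorithm;
                this.mRng = secureRandom;
                this.mKeyStore = KeyStore2.getInstance();
                this.mAttestKeyDescriptor = buildAndCheckAttestKeyDescriptor(spec);
                checkAttestKeyPurpose(spec);
                checkCorrectKeyPurposeForCurve(spec);
            } catch (IllegalArgumentException | IllegalStateException e) {
                throw new InvalidAlgorithmParameterException(e);
            }
            success = true;
        } finally {
            // Any exception above leaves the generator in the "not initialized" state.
            if (!success) {
                resetAll();
            }
        }
    }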

    /**
     * Enforces that a key requesting the attest-key purpose (bit 128) requests nothing else.
     *
     * <p>Keeping attestation keys single-purpose prevents the same private key from also being
     * usable for general signing or decryption.
     *
     * @param keyGenParameterSpec spec whose purpose bit mask is checked
     * @throws InvalidAlgorithmParameterException if bit 128 is combined with any other purpose
     */
    private void checkAttestKeyPurpose(KeyGenParameterSpec keyGenParameterSpec) throws InvalidAlgorithmParameterException {
        int purposes = keyGenParameterSpec.getPurposes();
        boolean requestsAttestKey = (purposes & 128) != 0;
        if (requestsAttestKey && purposes != 128) {
            throw new InvalidAlgorithmParameterException("PURPOSE_ATTEST_KEY may not be specified with any other purposes");
        }
    }

    /**
     * Rejects purpose masks that do not fit the selected 25519 curve.
     *
     * <p>Does nothing unless {@code mEcCurveName} is one of the 25519 curves. For x25519 the
     * purpose mask must be exactly 64 (key agreement only). For ed25519 the mask must pass
     * {@code hasOnlyAllowedPurposeForEd25519}; note that the error text mentions only key
     * agreement although that helper rejects every purpose outside its allow-list.
     *
     * @param keyGenParameterSpec spec whose purpose bit mask is checked
     * @throws InvalidAlgorithmParameterException if the purposes do not match the curve
     */
    private void checkCorrectKeyPurposeForCurve(KeyGenParameterSpec keyGenParameterSpec) throws InvalidAlgorithmParameterException {
        if (!isCurve25519(this.mEcCurveName)) {
            return;
        }
        boolean isX25519 = this.mEcCurveName.equalsIgnoreCase(CURVE_X_25519);
        if (isX25519 && keyGenParameterSpec.getPurposes() != 64) {
            throw new InvalidAlgorithmParameterException("x25519 may only be used for key agreement.");
        }
        boolean isEd25519 = this.mEcCurveName.equalsIgnoreCase(CURVE_ED_25519);
        if (isEd25519 && !hasOnlyAllowedPurposeForEd25519(keyGenParameterSpec.getPurposes())) {
            throw new InvalidAlgorithmParameterException("ed25519 may not be used for key agreement.");
        }
    }

    /**
     * Reports whether the name denotes one of the two 25519 curves, ignoring case.
     *
     * @param str curve name, may be {@code null}
     * @return {@code true} for the X25519 or Ed25519 name; {@code false} otherwise, including
     *     for {@code null}
     */
    private static boolean isCurve25519(String str) {
        return str != null
                && (str.equalsIgnoreCase(CURVE_X_25519) || str.equalsIgnoreCase(CURVE_ED_25519));
    }

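    /**
     * Checks that a purpose bit mask is non-empty and stays within the Ed25519 allow-list.
     *
     * <p>The allow-list is sign (4), verify (8) and attest-key (128). The disallowed mask is
     * computed as the complement of the allow-list instead of being read from an unrelated
     * constant, so the two masks cannot drift apart.
     *
     * @param i purpose bit mask
     * @return {@code true} if at least one allowed bit is set and no other bit is set
     */
    private static boolean hasOnlyAllowedPurposeForEd25519(int i) {
        final int allowedPurposes = 4 | 8 | 128;
        boolean hasAllowedPurpose = (i & allowedPurposes) != 0;
        boolean hasDisallowedPurpose = (i & ~allowedPurposes) != 0;
        return hasAllowedPurpose && !hasDisallowedPurpose;
    }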

    /**
     * Resolves and validates the attest key named by the spec, if any.
     *
     * <p>The attest key is looked up by alias with descriptor domain 0; the spec's own
     * namespace is not consulted here. Once the entry is found the spec must carry an
     * attestation challenge, the entry must be authorized for the attest-key purpose, and its
     * security level must match the StrongBox setting of the key being generated.
     *
     * @param keyGenParameterSpec spec of the key about to be generated
     * @return descriptor of the attest key, or {@code null} when no attest key alias is set
     * @throws InvalidAlgorithmParameterException if the alias cannot be loaded from KeyStore2
     *     or any of the checks fails
     */
    private KeyDescriptor buildAndCheckAttestKeyDescriptor(KeyGenParameterSpec keyGenParameterSpec) throws InvalidAlgorithmParameterException {
        String attestKeyAlias = keyGenParameterSpec.getAttestKeyAlias();
        if (attestKeyAlias == null) {
            return null;
        }
        KeyDescriptor attestKey = new KeyDescriptor();
        attestKey.domain = 0;
        attestKey.alias = attestKeyAlias;
        KeyEntryResponse attestKeyEntry;
        try {
            attestKeyEntry = this.mKeyStore.getKeyEntry(attestKey);
        } catch (KeyStoreException e) {
            // A missing or inaccessible entry is reported as a bad alias, with the cause kept.
            throw new InvalidAlgorithmParameterException("Invalid attestKeyAlias", e);
        }
        checkAttestKeyChallenge(keyGenParameterSpec);
        checkAttestKeyPurpose(attestKeyEntry.metadata.authorizations);
        checkAttestKeySecurityLevel(keyGenParameterSpec, attestKeyEntry);
        return attestKey;
    }

    /**
     * Requires an attestation challenge whenever an attest key is used.
     *
     * @param keyGenParameterSpec spec that named an attest key
     * @throws InvalidAlgorithmParameterException if the spec has no attestation challenge
     */
    private void checkAttestKeyChallenge(KeyGenParameterSpec keyGenParameterSpec) throws InvalidAlgorithmParameterException {
        byte[] challenge = keyGenParameterSpec.getAttestationChallenge();
        if (challenge != null) {
            return;
        }
        throw new InvalidAlgorithmParameterException("AttestKey specified but no attestation challenge provided");
    }

    /**
     * Confirms that an existing key entry is authorized to act as an attest key.
     *
     * <p>Scans the entry's authorizations for a purpose parameter (tag 536870913, the same tag
     * this class uses when sending purposes) whose value is 7, the attest-key purpose.
     *
     * @param authorizationArr authorizations of the candidate attest key
     * @throws InvalidAlgorithmParameterException if no such authorization is present
     */
    private void checkAttestKeyPurpose(Authorization[] authorizationArr) throws InvalidAlgorithmParameterException {
        for (Authorization authorization : authorizationArr) {
            boolean isPurposeTag = authorization.keyParameter.tag == 536870913;
            if (isPurposeTag && authorization.keyParameter.value.getKeyPurpose() == 7) {
                return;
            }
        }
        throw new InvalidAlgorithmParameterException("Invalid attestKey, does not have PURPOSE_ATTEST_KEY");
    }

    /**
     * Requires the attest key and the new key to live at the same security level.
     *
     * <p>An entry with {@code keySecurityLevel == 2} is treated as StrongBox-backed. A mismatch
     * in either direction is rejected, so an attestation never vouches for a key held in a
     * different environment than the key that signs it.
     *
     * @param keyGenParameterSpec spec of the key about to be generated
     * @param keyEntryResponse KeyStore2 entry of the attest key
     * @throws InvalidAlgorithmParameterException if exactly one of the two keys is
     *     StrongBox-backed
     */
    private void checkAttestKeySecurityLevel(KeyGenParameterSpec keyGenParameterSpec, KeyEntryResponse keyEntryResponse) throws InvalidAlgorithmParameterException {
        boolean attestKeyInStrongBox = keyEntryResponse.metadata.keySecurityLevel == 2;
        boolean newKeyInStrongBox = keyGenParameterSpec.isStrongBoxBacked();
        if (newKeyInStrongBox == attestKeyInStrongBox) {
            return;
        }
        if (attestKeyInStrongBox) {
            throw new InvalidAlgorithmParameterException("Invalid security level: Cannot sign non-StrongBox key with StrongBox attestKey");
        }
        throw new InvalidAlgorithmParameterException("Invalid security level: Cannot sign StrongBox key with non-StrongBox attestKey");
    }

    /**
     * Determines the algorithm id for a legacy spec.
     *
     * <p>If the legacy spec names a key type, that name is converted and replaces the
     * generator's own algorithm id; otherwise the id passed in is returned unchanged.
     *
     * @param i algorithm id derived from the generator subclass
     * @param keyPairGeneratorSpec legacy spec supplied by the caller
     * @return the algorithm id to use for this initialization
     * @throws InvalidAlgorithmParameterException if the key type name is not recognised
     */
    private int getKeymasterAlgorithmFromLegacy(int i, KeyPairGeneratorSpec keyPairGeneratorSpec) throws InvalidAlgorithmParameterException {
        String requestedKeyType = keyPairGeneratorSpec.getKeyType();
        if (requestedKeyType == null) {
            return i;
        }
        try {
            return KeyProperties.KeyAlgorithm.toKeymasterAsymmetricKeyAlgorithm(requestedKeyType);
        } catch (IllegalArgumentException e) {
            throw new InvalidAlgorithmParameterException("Invalid key type in parameters", e);
        }
    }

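    /**
     * Converts a legacy {@link KeyPairGeneratorSpec} into a {@link KeyGenParameterSpec}.
     *
     * <p>The legacy spec cannot express authorizations, so broad compatibility defaults are
     * applied. RSA keys (id 1) get purpose mask 15, every digest including none, MD5 and SHA-1,
     * unpadded, PKCS#1 and OAEP encryption, both signature paddings, and randomized encryption
     * is not required. EC keys (id 3) get purpose mask 12 and every digest except MD5. User
     * authentication is switched off in both cases. Callers that need tighter authorizations
     * should pass a {@code KeyGenParameterSpec} directly instead of relying on this path.
     *
     * @param keyPairGeneratorSpec legacy spec supplied by the caller
     * @param i algorithm id, 1 for RSA or 3 for EC
     * @return the equivalent spec with legacy defaults applied
     * @throws ProviderException if {@code i} is neither 1 nor 3
     */
    private KeyGenParameterSpec buildKeyGenParameterSpecFromLegacy(KeyPairGeneratorSpec keyPairGeneratorSpec, int i) {
        KeyGenParameterSpec.Builder builder;
        switch (i) {
            case 1:
                builder = new KeyGenParameterSpec.Builder(keyPairGeneratorSpec.getKeystoreAlias(), 15);
                builder.setDigests(KeyProperties.DIGEST_NONE, KeyProperties.DIGEST_MD5, "SHA-1", KeyProperties.DIGEST_SHA224, "SHA-256", KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA512);
                builder.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE, KeyProperties.ENCRYPTION_PADDING_RSA_PKCS1, KeyProperties.ENCRYPTION_PADDING_RSA_OAEP);
                builder.setSignaturePaddings(KeyProperties.SIGNATURE_PADDING_RSA_PKCS1, KeyProperties.SIGNATURE_PADDING_RSA_PSS);
                // Needed because unpadded and PKCS#1 encryption are authorized above.
                builder.setRandomizedEncryptionRequired(false);
                break;
            case 3:
                builder = new KeyGenParameterSpec.Builder(keyPairGeneratorSpec.getKeystoreAlias(), 12);
                builder.setDigests(KeyProperties.DIGEST_NONE, "SHA-1", KeyProperties.DIGEST_SHA224, "SHA-256", KeyProperties.DIGEST_SHA384, KeyProperties.DIGEST_SHA512);
                break;
            default:
                // Report the id that was actually rejected. mKeymasterAlgorithm is still -1
                // here, because initialize() assigns it only after this method returns.
                throw new ProviderException("Unsupported algorithm: " + i);
        }
        if (keyPairGeneratorSpec.getKeySize() != -1) {
            builder.setKeySize(keyPairGeneratorSpec.getKeySize());
        }
        if (keyPairGeneratorSpec.getAlgorithmParameterSpec() != null) {
            builder.setAlgorithmParameterSpec(keyPairGeneratorSpec.getAlgorithmParameterSpec());
        }
        builder.setCertificateSubject(keyPairGeneratorSpec.getSubjectDN());
        builder.setCertificateSerialNumber(keyPairGeneratorSpec.getSerialNumber());
        builder.setCertificateNotBefore(keyPairGeneratorSpec.getStartDate());
        builder.setCertificateNotAfter(keyPairGeneratorSpec.getEndDate());
        builder.setUserAuthenticationRequired(false);
        return builder.build();
    }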

    /**
     * Returns the generator to its uninitialized state.
     *
     * <p>Clears the spec, KeyStore2 handle, RNG and every value derived from the spec. Because
     * {@code mKeyStore} and {@code mSpec} become {@code null}, a later
     * {@code generateKeyPair()} fails with "Not initialized" until initialization succeeds.
     * {@code mAttestKeyDescriptor} is not touched by this method.
     */
    private void resetAll() {
        // Handles and inputs captured from the caller.
        mSpec = null;
        mKeyStore = null;
        mRng = null;

        // Identity of the keystore entry.
        mEntryAlias = null;
        mEntryNamespace = -1;

        // Algorithm selection and sizing.
        mJcaKeyAlgorithm = null;
        mKeymasterAlgorithm = -1;
        mKeySizeBits = 0;
        mEcCurveName = null;
        mRSAPublicExponent = null;

        // Authorization lists derived from the spec.
        mKeymasterPurposes = null;
        mKeymasterBlockModes = null;
        mKeymasterEncryptionPaddings = null;
        mKeymasterSignaturePaddings = null;
        mKeymasterDigests = null;
        mKeymasterMgf1Digests = null;
    }

    /**
     * Applies the RSA- or EC-specific sub-spec carried inside {@code mSpec}.
     *
     * <p>RSA (id 1): only {@link RSAKeyGenParameterSpec} is accepted. Its key size must agree
     * with any size already set, and its public exponent (F4 when absent) must be positive and
     * at most {@code UINT64_MAX}. NOTE(review): no other property of the exponent is checked
     * here; presumably the keystore backend rejects unusable values, confirm.
     *
     * <p>EC (id 3): only {@link ECGenParameterSpec} is accepted. The curve name must fit the
     * generator variant (x25519 for XDH, ed25519 for Ed25519), must be a supported curve, and
     * the size implied by the curve must agree with any size already set. The lookup key is
     * lower-cased with {@code Locale.US} so the match does not depend on the device locale.
     *
     * @throws InvalidAlgorithmParameterException if the sub-spec is of the wrong class or any
     *     of the checks above fails
     * @throws ProviderException if {@code mKeymasterAlgorithm} is neither 1 nor 3
     */
    private void initAlgorithmSpecificParameters() throws InvalidAlgorithmParameterException {
        AlgorithmParameterSpec algSpec = this.mSpec.getAlgorithmParameterSpec();
        switch (this.mKeymasterAlgorithm) {
            case 1: {
                BigInteger publicExponent = null;
                if (algSpec instanceof RSAKeyGenParameterSpec) {
                    RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec) algSpec;
                    if (this.mKeySizeBits == -1) {
                        this.mKeySizeBits = rsaSpec.getKeysize();
                    } else if (this.mKeySizeBits != rsaSpec.getKeysize()) {
                        throw new InvalidAlgorithmParameterException("RSA key size must match  between " + this.mSpec + " and " + algSpec + ": " + this.mKeySizeBits + " vs " + rsaSpec.getKeysize());
                    }
                    publicExponent = rsaSpec.getPublicExponent();
                } else if (algSpec != null) {
                    throw new InvalidAlgorithmParameterException("RSA may only use RSAKeyGenParameterSpec");
                }
                if (publicExponent == null) {
                    publicExponent = RSAKeyGenParameterSpec.F4;
                }
                // Zero and negative exponents are refused first.
                if (publicExponent.compareTo(BigInteger.ZERO) <= 0) {
                    throw new InvalidAlgorithmParameterException("RSA public exponent must be positive: " + publicExponent);
                }
                // The value is later carried in a 64-bit field, hence the upper bound.
                if (publicExponent.signum() < 0 || publicExponent.compareTo(KeymasterArguments.UINT64_MAX_VALUE) > 0) {
                    throw new InvalidAlgorithmParameterException("Unsupported RSA public exponent: " + publicExponent + ". Maximum supported value: " + KeymasterArguments.UINT64_MAX_VALUE);
                }
                this.mRSAPublicExponent = Long.valueOf(publicExponent.longValue());
                break;
            }
            case 3: {
                if (algSpec == null) {
                    // No sub-spec: curve name and key size stay as they are.
                    break;
                }
                if (!(algSpec instanceof ECGenParameterSpec)) {
                    throw new InvalidAlgorithmParameterException("EC may only use ECGenParameterSpec");
                }
                this.mEcCurveName = ((ECGenParameterSpec) algSpec).getName();
                if (this.mOriginalKeymasterAlgorithm == 1203 && !this.mEcCurveName.equalsIgnoreCase("x25519")) {
                    throw new InvalidAlgorithmParameterException("XDH algorithm only supports x25519 curve.");
                }
                if (this.mOriginalKeymasterAlgorithm == 1204 && !this.mEcCurveName.equalsIgnoreCase("ed25519")) {
                    throw new InvalidAlgorithmParameterException("Ed25519 algorithm only supports ed25519 curve.");
                }
                Integer curveSize = SUPPORTED_EC_CURVE_NAME_TO_SIZE.get(this.mEcCurveName.toLowerCase(Locale.US));
                if (curveSize == null) {
                    throw new InvalidAlgorithmParameterException("Unsupported EC curve name: " + this.mEcCurveName + ". Supported: " + SUPPORTED_EC_CURVE_NAMES);
                }
                if (this.mKeySizeBits == -1) {
                    this.mKeySizeBits = curveSize.intValue();
                } else if (this.mKeySizeBits != curveSize.intValue()) {
                    throw new InvalidAlgorithmParameterException("EC key size must match  between " + this.mSpec + " and " + algSpec + ": " + this.mKeySizeBits + " vs " + curveSize);
                }
                break;
            }
            default:
                throw new ProviderException("Unsupported algorithm: " + this.mKeymasterAlgorithm);
        }
    }

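    /**
     * Generates the key pair inside KeyStore2 and returns handles to it.
     *
     * <p>The key is created at security level 2 when the spec asks for StrongBox and at level 1
     * otherwise. Bytes drawn from the caller's RNG are passed along as additional entropy; they
     * are not the key material. If anything fails before the public key object has been
     * built, the entry under the target alias is deleted so no partially created key remains.
     * NOTE(review): that cleanup is keyed by alias only, so confirm against KeyStore2 semantics
     * whether an older entry under the same alias can survive a failed generation.
     *
     * @return the generated pair; the private key is a handle obtained from the public key
     *     object, not exportable key material
     * @throws IllegalStateException if the generator has not been initialized successfully
     * @throws StrongBoxUnavailableException if KeyStore2 reports error code -68
     * @throws SecureKeyImportUnavailableException if generation fails and the spec requested
     *     purpose bit 32
     * @throws ProviderException for every other generation or key construction failure
     */
    @Override // java.security.KeyPairGeneratorSpi
    public KeyPair generateKeyPair() {
        StrictMode.noteSlowCall("generateKeyPair");
        if (this.mKeyStore == null || this.mSpec == null) {
            throw new IllegalStateException("Not initialized");
        }
        int securityLevelId = this.mSpec.isStrongBoxBacked() ? 2 : 1;
        int flags = this.mSpec.isCriticalToDeviceEncryption() ? 1 : 0;
        // One byte of caller entropy per byte of key size, rounded up.
        byte[] additionalEntropy = KeyStoreCryptoOperationUtils.getRandomBytesToMixIntoKeystoreRng(this.mRng, (this.mKeySizeBits + 7) / 8);
        KeyDescriptor descriptor = new KeyDescriptor();
        descriptor.alias = this.mEntryAlias;
        // Namespace -1 means "not set": use domain 0, otherwise domain 2 with that namespace.
        descriptor.domain = this.mEntryNamespace == -1 ? 0 : 2;
        descriptor.nspace = this.mEntryNamespace;
        descriptor.blob = null;
        boolean success = false;
        try {
            try {
                KeyStoreSecurityLevel securityLevel = this.mKeyStore.getSecurityLevel(securityLevelId);
                AndroidKeyStorePublicKey publicKey = AndroidKeyStoreProvider.makeAndroidKeyStorePublicKeyFromKeyEntryResponse(descriptor, securityLevel.generateKey(descriptor, this.mAttestKeyDescriptor, constructKeyGenerationArguments(), flags, additionalEntropy), securityLevel, this.mKeymasterAlgorithm);
                success = true;
                return new KeyPair(publicKey, publicKey.getPrivateKey());
            } catch (Throwable th) {
                // Best-effort cleanup; the original failure is always rethrown afterwards.
                if (!success) {
                    try {
                        this.mKeyStore.deleteKey(descriptor);
                    } catch (KeyStoreException e) {
                        // Code 7 is not logged: presumably "key not found", i.e. nothing had
                        // been stored yet.
                        if (e.getErrorCode() != 7) {
                            Log.e(TAG, "Failed to delete newly generated key after generation failed unexpectedly.", e);
                        }
                    }
                }
                throw th;
            }
        } catch (DeviceIdAttestationException | IllegalArgumentException | InvalidAlgorithmParameterException | UnrecoverableKeyException e) {
            throw new ProviderException("Failed to construct key object from newly generated key pair.", e);
        } catch (KeyStoreException e) {
            if (e.getErrorCode() == -68) {
                throw new StrongBoxUnavailableException("Failed to generated key pair.", e);
            }
            ProviderException failure = new ProviderException("Failed to generate key pair.", e);
            if ((this.mSpec.getPurposes() & 32) != 0) {
                throw new SecureKeyImportUnavailableException(failure);
            }
            throw failure;
        }
    }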

    /**
     * Appends attestation-related parameters to a key generation request.
     *
     * <p>Nothing is added unless the spec carries an attestation challenge. With a challenge
     * present, the challenge itself is added, then (if requested) the brand, device, product,
     * manufacturer and model build properties, each preferring the {@code *_FOR_ATTESTATION}
     * value unless {@code isPropertyEmptyOrUnknown} rejects it. Finally each requested device
     * id type is added: 1 serial, 2 IMEI (slot 0, plus slot 1 when non-empty), 3 MEID, and 4
     * as a boolean flag parameter with no identifier attached.
     *
     * <p>Types 1 to 3 place hardware identifiers into the request, so they end up in the
     * attestation record; callers should request them only where device identity is needed.
     *
     * @param list parameter list to append to
     * @throws DeviceIdAttestationException if the telephony service, IMEI or MEID is
     *     unavailable
     * @throws IllegalArgumentException if an id type outside 1 to 4 is requested
     */
    private void addAttestationParameters(@NonNull List<KeyParameter> list) throws ProviderException, IllegalArgumentException, DeviceIdAttestationException {
        byte[] challenge = this.mSpec.getAttestationChallenge();
        if (challenge == null) {
            return;
        }
        list.add(KeyStore2ParameterUtils.makeBytes(-1879047484, challenge));

        if (this.mSpec.isDevicePropertiesAttestationIncluded()) {
            String brand = isPropertyEmptyOrUnknown(Build.BRAND_FOR_ATTESTATION) ? Build.BRAND : Build.BRAND_FOR_ATTESTATION;
            list.add(KeyStore2ParameterUtils.makeBytes(-1879047482, brand.getBytes(StandardCharsets.UTF_8)));
            String device = isPropertyEmptyOrUnknown(Build.DEVICE_FOR_ATTESTATION) ? Build.DEVICE : Build.DEVICE_FOR_ATTESTATION;
            list.add(KeyStore2ParameterUtils.makeBytes(-1879047481, device.getBytes(StandardCharsets.UTF_8)));
            String product = isPropertyEmptyOrUnknown(Build.PRODUCT_FOR_ATTESTATION) ? Build.PRODUCT : Build.PRODUCT_FOR_ATTESTATION;
            list.add(KeyStore2ParameterUtils.makeBytes(-1879047480, product.getBytes(StandardCharsets.UTF_8)));
            String manufacturer = isPropertyEmptyOrUnknown(Build.MANUFACTURER_FOR_ATTESTATION) ? Build.MANUFACTURER : Build.MANUFACTURER_FOR_ATTESTATION;
            list.add(KeyStore2ParameterUtils.makeBytes(-1879047476, manufacturer.getBytes(StandardCharsets.UTF_8)));
            String model = isPropertyEmptyOrUnknown(Build.MODEL_FOR_ATTESTATION) ? Build.MODEL : Build.MODEL_FOR_ATTESTATION;
            list.add(KeyStore2ParameterUtils.makeBytes(-1879047475, model.getBytes(StandardCharsets.UTF_8)));
        }

        int[] requestedIds = this.mSpec.getAttestationIds();
        if (requestedIds.length == 0) {
            return;
        }
        // De-duplicate so that each id type is emitted at most once.
        ArraySet<Integer> idTypes = new ArraySet<>(requestedIds.length);
        for (int requestedId : requestedIds) {
            idTypes.add(Integer.valueOf(requestedId));
        }

        // The telephony service is needed, and therefore resolved, only for IMEI or MEID.
        TelephonyManager telephony = null;
        if (idTypes.contains(2) || idTypes.contains(3)) {
            telephony = (TelephonyManager) AppGlobals.getInitialApplication().getSystemService("phone");
            if (telephony == null) {
                throw new DeviceIdAttestationException("Unable to access telephony service");
            }
        }

        for (Integer idType : idTypes) {
            switch (idType.intValue()) {
                case 1:
                    list.add(KeyStore2ParameterUtils.makeBytes(-1879047479, Build.getSerial().getBytes(StandardCharsets.UTF_8)));
                    break;
                case 2: {
                    String firstImei = telephony.getImei(0);
                    if (firstImei == null) {
                        throw new DeviceIdAttestationException("Unable to retrieve IMEI");
                    }
                    list.add(KeyStore2ParameterUtils.makeBytes(-1879047478, firstImei.getBytes(StandardCharsets.UTF_8)));
                    // A second IMEI is optional and silently skipped when absent.
                    String secondImei = telephony.getImei(1);
                    if (!TextUtils.isEmpty(secondImei)) {
                        list.add(KeyStore2ParameterUtils.makeBytes(-1879047469, secondImei.getBytes(StandardCharsets.UTF_8)));
                    }
                    break;
                }
                case 3: {
                    String meid = telephony.getMeid(0);
                    if (meid == null) {
                        throw new DeviceIdAttestationException("Unable to retrieve MEID");
                    }
                    list.add(KeyStore2ParameterUtils.makeBytes(-1879047477, meid.getBytes(StandardCharsets.UTF_8)));
                    break;
                }
                case 4:
                    list.add(KeyStore2ParameterUtils.makeBool(1879048912));
                    break;
                default:
                    throw new IllegalArgumentException("Unknown device ID type " + idType);
            }
        }
    }

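    /**
     * Builds the parameter list that describes the key pair to be generated.
     *
     * <p>The numeric tags are inlined constants (this listing appears to be decompiled output);
     * each trailing comment gives the hex value and the KeyMint {@code Tag} it matches.
     *
     * <p>Compared with the listing, the nested lambda no longer reuses the parameter name of its
     * enclosing lambda (which Java rejects), and the list is typed instead of raw.
     *
     * @return the parameters for key generation, in the order they were added
     * @throws DeviceIdAttestationException declared here; presumably raised by
     *         {@code addAttestationParameters}
     * @throws InvalidAlgorithmParameterException declared here; presumably raised by
     *         {@code keySizeAndNameToEcCurve} for an unsupported size/curve pair (verify)
     */
    private Collection<KeyParameter> constructKeyGenerationArguments() throws DeviceIdAttestationException, IllegalArgumentException, InvalidAlgorithmParameterException {
        final List<KeyParameter> params = new ArrayList<>();

        params.add(KeyStore2ParameterUtils.makeInt(805306371, this.mKeySizeBits)); // 0x30000003: KEY_SIZE
        params.add(KeyStore2ParameterUtils.makeEnum(268435458, this.mKeymasterAlgorithm)); // 0x10000002: ALGORITHM
        if (this.mKeymasterAlgorithm == 3) { // 3 is the EC algorithm value
            params.add(KeyStore2ParameterUtils.makeEnum(268435466, keySizeAndNameToEcCurve(this.mKeySizeBits, this.mEcCurveName))); // 0x1000000A: EC_CURVE
        }

        ArrayUtils.forEach(this.mKeymasterPurposes, purpose ->
                params.add(KeyStore2ParameterUtils.makeEnum(536870913, purpose.intValue()))); // 0x20000001: PURPOSE
        ArrayUtils.forEach(this.mKeymasterBlockModes, blockMode ->
                params.add(KeyStore2ParameterUtils.makeEnum(536870916, blockMode.intValue()))); // 0x20000004: BLOCK_MODE

        ArrayUtils.forEach(this.mKeymasterEncryptionPaddings, padding -> {
            params.add(KeyStore2ParameterUtils.makeEnum(536870918, padding.intValue())); // 0x20000006: PADDING
            if (padding.intValue() != 2) { // 2 matches the RSA-OAEP padding value
                return;
            }
            // OAEP needs the MGF1 digest(s) authorized explicitly.
            ArrayUtils.forEach(this.mKeymasterMgf1Digests, mgf1Digest ->
                    params.add(KeyStore2ParameterUtils.makeEnum(536871115, mgf1Digest.intValue()))); // 0x200000CB: RSA_OAEP_MGF_DIGEST
            if (!getMgf1DigestSetterFlag()) {
                // Flag off (or unreadable): every primary digest is additionally authorized as an
                // MGF1 digest. SHA-1 is skipped here, presumably because it is already present in
                // mKeymasterMgf1Digests as the default; verify where that field is populated.
                final int sha1Digest = KeyProperties.Digest.toKeymaster("SHA-1");
                ArrayUtils.forEach(this.mKeymasterDigests, digest -> {
                    if (digest.intValue() != sha1Digest) {
                        params.add(KeyStore2ParameterUtils.makeEnum(536871115, digest.intValue()));
                    }
                });
            }
        });

        ArrayUtils.forEach(this.mKeymasterSignaturePaddings, signaturePadding ->
                params.add(KeyStore2ParameterUtils.makeEnum(536870918, signaturePadding.intValue()))); // 0x20000006: PADDING
        ArrayUtils.forEach(this.mKeymasterDigests, digest ->
                params.add(KeyStore2ParameterUtils.makeEnum(536870917, digest.intValue()))); // 0x20000005: DIGEST

        KeyStore2ParameterUtils.addUserAuthArgs(params, this.mSpec);

        // Optional validity window and certificate fields: a tag is emitted only when the spec
        // carries a value.
        if (this.mSpec.getKeyValidityStart() != null) {
            params.add(KeyStore2ParameterUtils.makeDate(1610613136, this.mSpec.getKeyValidityStart())); // 0x60000190: ACTIVE_DATETIME
        }
        if (this.mSpec.getKeyValidityForOriginationEnd() != null) {
            params.add(KeyStore2ParameterUtils.makeDate(1610613137, this.mSpec.getKeyValidityForOriginationEnd())); // 0x60000191: ORIGINATION_EXPIRE_DATETIME
        }
        if (this.mSpec.getKeyValidityForConsumptionEnd() != null) {
            params.add(KeyStore2ParameterUtils.makeDate(1610613138, this.mSpec.getKeyValidityForConsumptionEnd())); // 0x60000192: USAGE_EXPIRE_DATETIME
        }
        if (this.mSpec.getCertificateNotAfter() != null) {
            params.add(KeyStore2ParameterUtils.makeDate(1610613745, this.mSpec.getCertificateNotAfter())); // 0x600003F1: CERTIFICATE_NOT_AFTER
        }
        if (this.mSpec.getCertificateNotBefore() != null) {
            params.add(KeyStore2ParameterUtils.makeDate(1610613744, this.mSpec.getCertificateNotBefore())); // 0x600003F0: CERTIFICATE_NOT_BEFORE
        }
        if (this.mSpec.getCertificateSerialNumber() != null) {
            params.add(KeyStore2ParameterUtils.makeBignum(-2147482642, this.mSpec.getCertificateSerialNumber())); // 0x800003EE: CERTIFICATE_SERIAL
        }
        if (this.mSpec.getCertificateSubject() != null) {
            params.add(KeyStore2ParameterUtils.makeBytes(-1879047185, this.mSpec.getCertificateSubject().getEncoded())); // 0x900003EF: CERTIFICATE_SUBJECT
        }
        if (this.mSpec.getMaxUsageCount() != -1) { // -1 is treated as "no usage limit requested"
            params.add(KeyStore2ParameterUtils.makeInt(805306773, this.mSpec.getMaxUsageCount())); // 0x30000195: USAGE_COUNT_LIMIT
        }

        addAlgorithmSpecificParameters(params);

        if (this.mSpec.isUniqueIdIncluded()) {
            // NOTE(review): no permission check is visible in this method; whether the caller may
            // request a unique ID is presumably enforced by the keystore service. Confirm.
            params.add(KeyStore2ParameterUtils.makeBool(1879048394)); // 0x700000CA: INCLUDE_UNIQUE_ID
        }
        addAttestationParameters(params);
        return params;
    }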

    /**
     * Reads the {@code mgf1DigestSetterV2} feature flag.
     *
     * <p>A {@link SecurityException} while reading the flag is logged and treated as "flag off".
     * In {@code constructKeyGenerationArguments} "off" selects the path that also authorizes the
     * key's primary digests (except SHA-1) as MGF1 digests for OAEP.
     *
     * @return the flag value, or {@code false} if it could not be read
     */
    private static boolean getMgf1DigestSetterFlag() {
        boolean flagEnabled = false;
        try {
            flagEnabled = Flags.mgf1DigestSetterV2();
        } catch (SecurityException e) {
            Log.w(TAG, "Cannot read MGF1 Digest setter flag value", e);
        }
        return flagEnabled;
    }

    /**
     * Appends the parameters that exist only for the selected key algorithm.
     *
     * <p>Algorithm 1 (RSA) adds the public exponent under tag 1342177480 (0x500000C8, matching
     * KeyMint {@code Tag.RSA_PUBLIC_EXPONENT}); algorithm 3 (EC) adds nothing.
     *
     * @param list parameter list to append to
     * @throws ProviderException if the configured algorithm is neither 1 nor 3
     */
    private void addAlgorithmSpecificParameters(List<KeyParameter> list) {
        final int algorithm = this.mKeymasterAlgorithm;
        if (algorithm == 3) {
            // EC: the curve was already added by the caller; nothing extra is needed here.
            return;
        }
        if (algorithm != 1) {
            throw new ProviderException("Unsupported algorithm: " + this.mKeymasterAlgorithm);
        }
        // NOTE(review): longValue() keeps only the low 64 bits; presumably the exponent's range is
        // validated where mRSAPublicExponent is set. Confirm.
        list.add(KeyStore2ParameterUtils.makeLong(1342177480, this.mRSAPublicExponent.longValue()));
    }

    /**
     * Returns the key size used when the caller did not request one.
     *
     * @param i algorithm constant: 1 (RSA) or 3 (EC)
     * @return 2048 for algorithm 1, 256 for algorithm 3
     * @throws ProviderException for any other algorithm value
     */
    private static int getDefaultKeySize(int i) {
        if (i == 1) {
            return 2048;
        }
        if (i == 3) {
            return 256;
        }
        throw new ProviderException("Unsupported algorithm: " + i);
    }

    /**
     * Rejects key sizes that this provider does not accept for the given algorithm.
     *
     * <p>NOTE(review): the RSA lower bound is 512 bits, which is what this provider accepts, not a
     * strength recommendation. Callers that need a minimum strength must enforce their own floor.
     *
     * @param i algorithm constant: 1 (RSA) or 3 (EC)
     * @param i2 requested key size in bits
     * @param z whether the key is requested from StrongBox (per the error messages below)
     * @param str EC curve name; only consulted for the StrongBox Curve25519 check
     * @throws InvalidAlgorithmParameterException if the size or curve is not accepted
     * @throws ProviderException if the algorithm is neither 1 nor 3
     */
    private static void checkValidKeySize(int i, int i2, boolean z, String str) throws InvalidAlgorithmParameterException {
        if (i == 1) {
            final boolean withinRsaBounds = i2 >= 512 && i2 <= 8192;
            if (!withinRsaBounds) {
                throw new InvalidAlgorithmParameterException("RSA key size must be >= 512 and <= 8192");
            }
            return;
        }
        if (i != 3) {
            throw new ProviderException("Unsupported algorithm: " + i);
        }
        if (z) {
            // StrongBox is narrower than the general provider: 256-bit only, and no Curve25519.
            if (i2 != 256) {
                throw new InvalidAlgorithmParameterException("Unsupported StrongBox EC key size: " + i2 + " bits. Supported: 256");
            }
            if (isCurve25519(str)) {
                throw new InvalidAlgorithmParameterException("Unsupported StrongBox EC: " + str);
            }
        }
        if (!SUPPORTED_EC_CURVE_SIZES.contains(i2)) {
            throw new InvalidAlgorithmParameterException("Unsupported EC key size: " + i2 + " bits. Supported: " + SUPPORTED_EC_CURVE_SIZES);
        }
    }

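    /**
     * Picks the JCA signature algorithm name for signing the key's certificate with the key
     * itself, or returns {@code null} when the key cannot be used for that.
     *
     * <p>{@code null} is returned when the spec lacks purpose bit 4 (the value of
     * {@code KeyProperties.PURPOSE_SIGN}), requires user authentication, or specifies no digests.
     * Presumably a key needing user authentication cannot sign during generation.
     *
     * <p>Fix relative to the listing: the EC branch looped with {@code while (true)} and no exit,
     * so it could never reach its result. It now stops when the candidates are exhausted or an
     * exact size match is found.
     *
     * @param i algorithm constant: 1 (RSA) or 3 (EC)
     * @param i2 key size in bits
     * @param keyGenParameterSpec spec supplying purposes, paddings and authorized digests
     * @return a name such as {@code <digest>WithRSA} or {@code <digest>WithECDSA}, or {@code null}
     * @throws ProviderException if the algorithm is neither 1 nor 3
     */
    @Nullable
    private static String getCertificateSignatureAlgorithm(int i, int i2, KeyGenParameterSpec keyGenParameterSpec) {
        if ((keyGenParameterSpec.getPurposes() & 4) == 0
                || keyGenParameterSpec.isUserAuthenticationRequired()
                || !keyGenParameterSpec.isDigestsSpecified()) {
            return null;
        }
        final int keySizeBits = i2;
        switch (i) {
            case 1: {
                // Padding value 5 matches the Keymaster PKCS#1 v1.5 signature padding; without
                // it the key cannot produce a "...WithRSA" signature.
                if (!com.android.internal.util.ArrayUtils.contains(KeyProperties.SignaturePadding.allToKeymaster(keyGenParameterSpec.getSignaturePaddings()), 5)) {
                    return null;
                }
                // 240 bits (30 bytes) of the modulus are left for padding and digest encoding.
                final int maxDigestBits = keySizeBits - 240;
                int bestDigest = -1;
                int bestDigestBits = -1;
                // NOTE(review): the RSA branch filters against the ECDSA digest list
                // (getSupportedEcdsaSignatureDigests), as in the listing. Confirm it is intended.
                for (int candidate : getAvailableKeymasterSignatureDigests(keyGenParameterSpec.getDigests(), AndroidKeyStoreBCWorkaroundProvider.getSupportedEcdsaSignatureDigests())) {
                    final int candidateBits = KeymasterUtils.getDigestOutputSizeBits(candidate);
                    if (candidateBits > maxDigestBits) {
                        continue;
                    }
                    // Keep the largest digest that still fits.
                    if (bestDigest == -1 || candidateBits > bestDigestBits) {
                        bestDigest = candidate;
                        bestDigestBits = candidateBits;
                    }
                }
                if (bestDigest == -1) {
                    return null;
                }
                return KeyProperties.Digest.fromKeymasterToSignatureAlgorithmDigest(bestDigest) + "WithRSA";
            }
            case 3: {
                int bestDigest = -1;
                int bestDigestBits = -1;
                for (int candidate : getAvailableKeymasterSignatureDigests(keyGenParameterSpec.getDigests(), AndroidKeyStoreBCWorkaroundProvider.getSupportedEcdsaSignatureDigests())) {
                    final int candidateBits = KeymasterUtils.getDigestOutputSizeBits(candidate);
                    if (candidateBits == keySizeBits) {
                        // An exact match cannot be beaten under the rules below, so stop here.
                        bestDigest = candidate;
                        break;
                    }
                    if (bestDigest == -1) {
                        bestDigest = candidate;
                        bestDigestBits = candidateBits;
                    } else if (bestDigestBits < keySizeBits) {
                        // Current best is shorter than the key: any longer digest is better.
                        if (candidateBits > bestDigestBits) {
                            bestDigest = candidate;
                            bestDigestBits = candidateBits;
                        }
                    } else if (candidateBits < bestDigestBits && candidateBits >= keySizeBits) {
                        // Current best is at least key-sized: prefer the smallest such digest.
                        bestDigest = candidate;
                        bestDigestBits = candidateBits;
                    }
                }
                if (bestDigest == -1) {
                    return null;
                }
                return KeyProperties.Digest.fromKeymasterToSignatureAlgorithmDigest(bestDigest) + "WithECDSA";
            }
            default:
                throw new ProviderException("Unsupported algorithm: " + i);
        }
    }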

    /**
     * Returns the Keymaster digest constants that appear in both name lists.
     *
     * @param strArr digest names converted via {@code KeyProperties.Digest.allToKeymaster}; the
     *        visible caller passes the spec's digests
     * @param strArr2 digest names converted the same way; the visible caller passes the
     *        provider's supported signature digests
     * @return a new mutable set holding the intersection of the two converted lists
     */
    private static Set<Integer> getAvailableKeymasterSignatureDigests(String[] strArr, String[] strArr2) {
        final Set<Integer> authorizedDigests = new HashSet<>();
        for (int digest : KeyProperties.Digest.allToKeymaster(strArr)) {
            authorizedDigests.add(digest);
        }
        final Set<Integer> supportedDigests = new HashSet<>();
        for (int digest : KeyProperties.Digest.allToKeymaster(strArr2)) {
            supportedDigests.add(digest);
        }
        // Intersect on a copy so the result is independent of both working sets.
        final Set<Integer> usableDigests = new HashSet<>(supportedDigests);
        usableDigests.retainAll(authorizedDigests);
        return usableDigests;
    }

    /**
     * Tells whether a property value carries no usable information.
     *
     * @param str property value; may be {@code null}
     * @return {@code true} if {@code str} is null, empty, or exactly the string {@code "unknown"}
     *         (case-sensitive)
     */
    private boolean isPropertyEmptyOrUnknown(String str) {
        if (TextUtils.isEmpty(str)) {
            return true;
        }
        return "unknown".equals(str);
    }

    static {
        // Curve-name aliases and their key sizes in bits, index-aligned. Keys are stored in lower
        // case; the two Curve25519 names are lower-cased with Locale.US so the result does not
        // depend on the device locale. Presumably lookups normalise the requested name the same
        // way (confirm at the call sites).
        final String[] curveNames = {
            "p-224",
            "secp224r1",
            "p-256",
            "secp256r1",
            "prime256v1",
            CURVE_X_25519.toLowerCase(Locale.US),
            CURVE_ED_25519.toLowerCase(Locale.US),
            "p-384",
            "secp384r1",
            "p-521",
            "secp521r1",
        };
        final int[] curveSizes = {224, 224, 256, 256, 256, 256, 256, 384, 384, 521, 521};
        for (int idx = 0; idx < curveNames.length; idx++) {
            SUPPORTED_EC_CURVE_NAME_TO_SIZE.put(curveNames[idx], curveSizes[idx]);
        }

        // Sorted name and size lists are derived from the map.
        SUPPORTED_EC_CURVE_NAMES.addAll(SUPPORTED_EC_CURVE_NAME_TO_SIZE.keySet());
        Collections.sort(SUPPORTED_EC_CURVE_NAMES);
        // Several aliases share a size, so duplicates are removed through a set before sorting.
        SUPPORTED_EC_CURVE_SIZES.addAll(new HashSet<>(SUPPORTED_EC_CURVE_NAME_TO_SIZE.values()));
        Collections.sort(SUPPORTED_EC_CURVE_SIZES);
    }
}
