package com.microsoft.identity.broker.crypto.keyloaders;

import android.security.keystore.KeyProtection;
import com.google.android.gms.stats.CodePackage;
import com.microsoft.identity.broker.crypto.AndroidKeyStoreCryptoFactory;
import com.microsoft.identity.broker.crypto.keymanagers.AndroidKeyStoreKeyManager;
import com.microsoft.identity.broker4j.broker.crypto.ExportableKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.keyaccessors.IAsymmetricKeyEntryAccessor;
import com.microsoft.identity.broker4j.broker.crypto.keyfactories.AbstractBrokerKeyFactory;
import com.microsoft.identity.broker4j.broker.crypto.keyloaders.AliasBasedSessionKeyLoader;
import com.microsoft.identity.broker4j.broker.prt.SessionKeyUtil;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.platform.JweResponse;
import com.microsoft.identity.common.java.providers.oauth2.IDToken;
import com.microsoft.identity.common.logging.Logger;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import lombok.NonNull;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERNull;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERSet;
import org.bouncycastle.asn1.DERTaggedObject;
import org.json.JSONException;

/* loaded from: classes2.dex */
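/**
 * Loads a per-user session key (alias {@code SESSION_KEY_ALIAS_PREFIX + oid}) into the
 * Android KeyStore from a server-issued JWE.
 *
 * <p>Two import paths exist; {@link #importSessionKey} picks between them:
 * <ul>
 *   <li><b>Wrapped-key import</b> (JWE alg is RSA-OAEP-256 and the JWE carries a payload):
 *       the JWE components are re-encoded as a DER {@code SecureKeyWrapper} and handed to the
 *       key manager's {@code importWrappedKey}, so the session key is unwrapped inside the
 *       keystore and never appears in this process's memory.</li>
 *   <li><b>Software fallback</b> (anything else): the RSA transport key decrypts the JWE
 *       {@code encryptedKey} in-process and the plaintext is imported as an HMAC-SHA256
 *       signing key. The raw key is briefly resident on the app heap and is zeroised as soon
 *       as the import completes.</li>
 * </ul>
 *
 * <p>In both paths the key is restricted to the sign purpose, and the wrapped-key path
 * explicitly marks it as usable without user authentication ({@code KM_TAG_NO_AUTH_REQUIRED});
 * the software path sets no authentication requirement either.
 */
public class AndroidKeyStoreSessionKeyLoader extends AliasBasedSessionKeyLoader {
    private static final String TAG = "AndroidKeyStoreSessionKeyLoader";

    // ---- SecureKeyWrapper / keymaster constants (wrapped-key path) ----
    /** {@code SecureKeyWrapper.version} emitted by {@link #getEncodedWrappedKey}. */
    private static final int WRAPPED_FORMAT_VERSION = 0;
    /** {@code KeyDescription.keyFormat}: KM_KEY_FORMAT_RAW, i.e. bare symmetric key bytes. */
    private static final long KM_KEY_FORMAT_RAW = 3;
    // AuthorizationList tag numbers (explicit context tags in the keystore AuthorizationList schema).
    private static final int KM_TAG_PURPOSE = 1;
    private static final int KM_TAG_ALGORITHM = 2;
    private static final int KM_TAG_KEY_SIZE = 3;
    private static final int KM_TAG_DIGEST = 5;
    private static final int KM_TAG_MIN_MAC_LENGTH = 8;
    private static final int KM_TAG_NO_AUTH_REQUIRED = 503;
    // AuthorizationList values.
    private static final int KM_PURPOSE_SIGN = 2;
    private static final int KM_ALGORITHM_HMAC = 128;
    private static final int KM_KEY_SIZE_256 = 256;
    private static final int KM_DIGEST_SHA_2_256 = 4;
    private static final int KM_MIN_MAC_LENGTH_BITS = 128;

    // ---- android.security.keystore.KeyProperties values (software path) ----
    // Spelled out locally so the class does not lean on a decompiler-substituted constant
    // holder (the original referenced CodePackage.GCM purely for the string "GCM").
    private static final int KEY_PURPOSE_SIGN = 4; // KeyProperties.PURPOSE_SIGN
    private static final String KEY_ALGORITHM_HMAC_SHA256 = "HmacSHA256"; // KeyProperties.KEY_ALGORITHM_HMAC_SHA256
    private static final String BLOCK_MODE_GCM = "GCM"; // KeyProperties.BLOCK_MODE_GCM
    private static final String ENCRYPTION_PADDING_NONE = "NoPadding"; // KeyProperties.ENCRYPTION_PADDING_NONE

    /**
     * @param androidKeyStoreKeyManager key manager that performs the wrapped-key import;
     *                                  presumably surfaced as {@code mKeyMaker} by the superclass
     * @throws NullPointerException if the manager is null (checked after the super call,
     *                              which Java requires to come first)
     */
    public AndroidKeyStoreSessionKeyLoader(@NonNull final AndroidKeyStoreKeyManager androidKeyStoreKeyManager) {
        super(androidKeyStoreKeyManager);
        Objects.requireNonNull(androidKeyStoreKeyManager, "mKeyManager is marked non-null but is null");
    }

    /**
     * Software fallback: RSA-decrypts the JWE {@code encryptedKey} with the session transport
     * key and imports the plaintext under {@code alias} as an HMAC-SHA256 signing key.
     *
     * <p>Security note: unlike the wrapped-key path, the raw session key crosses this
     * process's heap. The local buffer is zeroised in {@code finally}; the copy that
     * {@link SecretKeySpec} takes internally lives until garbage collection. The imported key
     * carries no user-authentication requirement. Only {@code encryptedKey} is consumed — the
     * JWE IV, payload and authentication tag play no role on this path.
     *
     * @param alias               keystore alias to store the key under
     * @param jweResponse         parsed session-key JWE
     * @param sessionTransportKey accessor for the asymmetric transport key that unwraps the session key
     * @return an entry describing the imported key by alias
     * @throws ClientException if decryption fails, the decrypted key is empty, or the keystore
     *                         rejects the import (io_error, KEYSTORE_NOT_INITIALIZED,
     *                         no_such_algorithm, CERTIFICATE_LOAD_FAILURE)
     * @throws NullPointerException if any argument is null
     */
    private IKeyEntry decryptAndImportSessionKey(@NonNull final String alias,
                                                 @NonNull final JweResponse jweResponse,
                                                 @NonNull final IAsymmetricKeyEntryAccessor sessionTransportKey)
            throws ClientException {
        Objects.requireNonNull(alias, "alias is marked non-null but is null");
        Objects.requireNonNull(jweResponse, "jweResponse is marked non-null but is null");
        Objects.requireNonNull(sessionTransportKey, "sessionTransportKey is marked non-null but is null");
        final String methodTag = TAG + ":decryptAndImportSessionKey";

        // From here until the finally block the session key is plaintext in app memory.
        final byte[] rawSessionKey = sessionTransportKey.decryptWithIv(jweResponse.getEncryptedKey(), null);
        try {
            if (rawSessionKey == null || rawSessionKey.length == 0) {
                // SecretKeySpec would reject this with an unchecked exception; surface it as
                // the ClientException callers already handle.
                throw new ClientException("invalid_jwt", "Decrypted session key is empty");
            }
            final KeyStore keyStore = KeyStore.getInstance(AndroidKeyStoreCryptoFactory.ANDROID_KEYSTORE);
            keyStore.load(null);
            // Block mode and padding are meaningless for a MAC key; they are kept so the
            // KeyProtection parameters match what this loader has always imported with.
            final KeyProtection protection = new KeyProtection.Builder(KEY_PURPOSE_SIGN)
                    .setBlockModes(BLOCK_MODE_GCM)
                    .setEncryptionPaddings(ENCRYPTION_PADDING_NONE)
                    .build();
            keyStore.setEntry(
                    alias,
                    new KeyStore.SecretKeyEntry(new SecretKeySpec(rawSessionKey, KEY_ALGORITHM_HMAC_SHA256)),
                    protection);
            return ExportableKeyEntry.builder().alias(alias).build();
        } catch (final IOException e) {
            Logger.error(methodTag, "Failed to import session key " + e.getMessage(), e);
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (final KeyStoreException e) {
            Logger.error(methodTag, "Failed to import session key " + e.getMessage(), e);
            throw new ClientException(ClientException.KEYSTORE_NOT_INITIALIZED, e.getMessage(), e);
        } catch (final NoSuchAlgorithmException e) {
            Logger.error(methodTag, "Failed to import session key " + e.getMessage(), e);
            throw new ClientException("no_such_algorithm", e.getMessage(), e);
        } catch (final CertificateException e) {
            Logger.error(methodTag, "Failed to import session key " + e.getMessage(), e);
            throw new ClientException(ClientException.CERTIFICATE_LOAD_FAILURE, e.getMessage(), e);
        } finally {
            // Best-effort hygiene: do not leave the plaintext key lying around on the heap.
            if (rawSessionKey != null) {
                Arrays.fill(rawSessionKey, (byte) 0);
            }
        }
    }

    /**
     * Encodes the JWE components as the DER {@code SecureKeyWrapper} structure consumed by the
     * keystore's wrapped-key import:
     * <pre>
     * SecureKeyWrapper ::= SEQUENCE {
     *   version               INTEGER,          -- WRAPPED_FORMAT_VERSION (0)
     *   encryptedTransportKey OCTET STRING,     -- JWE encryptedKey
     *   initializationVector  OCTET STRING,     -- JWE iv
     *   keyDescription        SEQUENCE { keyFormat INTEGER, keyParams AuthorizationList },
     *   encryptedKey          OCTET STRING,     -- JWE payload
     *   tag                   OCTET STRING      -- JWE authentication tag
     * }
     * </pre>
     * NOTE(review): per the Android {@code WrappedKeyEntry} documentation the keystore verifies
     * {@code tag} (with {@code keyDescription} as associated data) during import, which is what
     * makes the authorizations tamper-evident — confirm for the platform versions in use.
     *
     * @param encryptedTransportKey transport key wrapped to the device's asymmetric key
     * @param iv                    IV for the symmetric unwrap of {@code encryptedKey}
     * @param encryptedKey          the wrapped session key bytes
     * @param tag                   authentication tag over the wrapped key
     * @return DER encoding of the SecureKeyWrapper
     * @throws IOException if DER encoding fails
     */
    static byte[] getEncodedWrappedKey(final byte[] encryptedTransportKey,
                                       final byte[] iv,
                                       final byte[] encryptedKey,
                                       final byte[] tag) throws IOException {
        final ASN1EncodableVector keyDescription = new ASN1EncodableVector();
        keyDescription.add(new ASN1Integer(KM_KEY_FORMAT_RAW));
        keyDescription.add(getSessionKeyAuthorizations());

        final ASN1EncodableVector wrapper = new ASN1EncodableVector();
        wrapper.add(new ASN1Integer(WRAPPED_FORMAT_VERSION));
        wrapper.add(new DEROctetString(encryptedTransportKey));
        wrapper.add(new DEROctetString(iv));
        wrapper.add(new DERSequence(keyDescription));
        wrapper.add(new DEROctetString(encryptedKey));
        wrapper.add(new DEROctetString(tag));
        return new DERSequence(wrapper).getEncoded(ASN1Encoding.DER);
    }

    /**
     * Maps the four JWE fields onto {@link #getEncodedWrappedKey}.
     *
     * @param jweResponse parsed session-key JWE
     * @return DER-encoded SecureKeyWrapper
     * @throws IOException   if DER encoding fails
     * @throws JSONException declared for API compatibility with the caller's handling
     * @throws NullPointerException if {@code jweResponse} is null
     */
    private byte[] getEncodedWrappedKeyFromJwe(@NonNull final JweResponse jweResponse) throws JSONException, IOException {
        Objects.requireNonNull(jweResponse, "jweResponse is marked non-null but is null");
        Logger.info(TAG + ":getEncodedWrappedKeyFromJwe", "Parsing SessionKeyJWE to get encoded wrapped key");
        return getEncodedWrappedKey(
                jweResponse.getEncryptedKey(),
                jweResponse.getIv(),
                jweResponse.getPayload(),
                jweResponse.getAuthenticationTag());
    }

    /**
     * Builds the {@code AuthorizationList} that the keystore applies to the unwrapped session
     * key. Each entry is an explicitly tagged element:
     * <ul>
     *   <li>[1] purpose = { SIGN } — the key can only produce MACs</li>
     *   <li>[2] algorithm = HMAC</li>
     *   <li>[3] keySize = 256 bits</li>
     *   <li>[5] digest = { SHA-256 }</li>
     *   <li>[8] minMacLength = 128 bits</li>
     *   <li>[503] noAuthRequired — usable without user presence/authentication</li>
     * </ul>
     *
     * @return the DER SEQUENCE of tagged authorizations
     */
    static DERSequence getSessionKeyAuthorizations() {
        final ASN1EncodableVector purposes = new ASN1EncodableVector();
        purposes.add(new ASN1Integer(KM_PURPOSE_SIGN));

        final ASN1EncodableVector digests = new ASN1EncodableVector();
        digests.add(new ASN1Integer(KM_DIGEST_SHA_2_256));

        final ASN1EncodableVector authorizations = new ASN1EncodableVector();
        authorizations.add(new DERTaggedObject(true, KM_TAG_PURPOSE, (ASN1Encodable) new DERSet(purposes)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_ALGORITHM, (ASN1Encodable) new ASN1Integer(KM_ALGORITHM_HMAC)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_KEY_SIZE, (ASN1Encodable) new ASN1Integer(KM_KEY_SIZE_256)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_DIGEST, (ASN1Encodable) new DERSet(digests)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_MIN_MAC_LENGTH, (ASN1Encodable) new ASN1Integer(KM_MIN_MAC_LENGTH_BITS)));
        authorizations.add(new DERTaggedObject(true, KM_TAG_NO_AUTH_REQUIRED, (ASN1Encodable) DERNull.INSTANCE));
        return new DERSequence(authorizations);
    }

    /**
     * Not supported by this loader: session keys are only imported from the server-issued
     * JWE, never generated here.
     *
     * @throws NullPointerException          if {@code sessionTransportKey} is null
     * @throws UnsupportedOperationException always, once the argument check passes
     */
    @Override
    public IKeyEntry generateSessionKey(final byte[] keyBytes,
                                        @NonNull final IAsymmetricKeyEntryAccessor sessionTransportKey) throws ClientException {
        Objects.requireNonNull(sessionTransportKey, "sessionTransportKey is marked non-null but is null");
        throw new UnsupportedOperationException("Not implemented");
    }

    /**
     * Imports the session key carried in {@code encryptedSessionKeyJwe} under the alias derived
     * from the ID token's {@code oid} claim.
     *
     * <p>Security note: the alias is taken straight from the {@code oid} claim, so this method
     * assumes the ID token's signature and issuer were validated upstream — an unvalidated token
     * could otherwise direct the import at another user's alias. TODO confirm at the call site.
     *
     * <p>Path selection: the wrapped-key import is used only when the JWE alg is
     * RSA-OAEP-256 <i>and</i> the JWE has a payload longer than one byte; the software
     * fallback is used otherwise. The payload-length check presumably distinguishes the legacy
     * format in which {@code encryptedKey} directly holds the RSA-encrypted session key.
     *
     * @param idToken                validated ID token carrying the user's {@code oid}
     * @param encryptedSessionKeyJwe compact-serialised JWE from the token response
     * @param sessionTransportKey    accessor for the device transport key used to unwrap
     * @return an entry describing the imported key by alias
     * @throws ClientException      invalid_jwt if {@code oid} is missing, json_parse_failure if the
     *                              JWE cannot be parsed, io_error if DER encoding fails, or whatever
     *                              the chosen import path raises
     * @throws NullPointerException if any argument is null
     */
    @Override
    public IKeyEntry importSessionKey(@NonNull final IDToken idToken,
                                      @NonNull final String encryptedSessionKeyJwe,
                                      @NonNull final IAsymmetricKeyEntryAccessor sessionTransportKey) throws ClientException {
        Objects.requireNonNull(idToken, "idToken is marked non-null but is null");
        Objects.requireNonNull(encryptedSessionKeyJwe, "encryptedSessionKeyJwe is marked non-null but is null");
        Objects.requireNonNull(sessionTransportKey, "sessionTransportKey is marked non-null but is null");
        final String methodTag = TAG + ":importSessionKey";
        try {
            Logger.info(methodTag, "Getting oid value from idToken");
            final String userObjectId = idToken.getStringClaim("oid");
            if (userObjectId == null) {
                throw new ClientException("invalid_jwt", "UserObjectId is null in idToken");
            }
            final String alias = AbstractBrokerKeyFactory.SESSION_KEY_ALIAS_PREFIX + userObjectId;
            final JweResponse jwe = JweResponse.parseJwe(encryptedSessionKeyJwe);

            if (!isWrappedKeyFormat(jwe)) {
                return decryptAndImportSessionKey(alias, jwe, sessionTransportKey);
            }
            Logger.info(methodTag, "Getting encoded wrapped key from JWE");
            final byte[] encodedWrappedKey = getEncodedWrappedKeyFromJwe(jwe);
            Logger.info(methodTag, "Importing wrapped key into Android KeyStore");
            return this.mKeyMaker.importWrappedKey(alias, encodedWrappedKey, sessionTransportKey.getKeyEntry());
        } catch (final IOException e) {
            Logger.error(methodTag, "Failed to import wrapped key: " + e.getMessage(), e);
            throw new ClientException("io_error", e.getMessage(), e);
        } catch (final JSONException e) {
            Logger.error(methodTag, "Failed to parse JWE: " + e.getMessage(), e);
            throw new ClientException("json_parse_failure", e.getMessage(), e);
        }
    }

    /**
     * True when the JWE should go through the keystore wrapped-key import rather than the
     * software fallback: alg is RSA-OAEP-256 and a payload of more than one byte is present.
     * The payload length is only inspected when the algorithm matches.
     */
    private static boolean isWrappedKeyFormat(final JweResponse jwe) {
        return SessionKeyUtil.SESSION_KEY_JWE_ALGORITHM_RSA_OAEP_256.equals(jwe.getJweHeader().getAlgorithm())
                && jwe.getPayload().length > 1;
    }
}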
