package androidx.security.identity;

import android.content.Context;
import android.icu.util.Calendar;
import android.security.keystore.KeyGenParameterSpec;
import android.util.AtomicFile;
import android.util.Log;
import android.util.Pair;
import androidx.annotation.NonNull;
import androidx.security.identity.PersonalizationData;
import f.a;
import f.c;
import f.d;
import g.b;
import j.f;
import j.k;
import j.m;
import j.u;
import j.v;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.AbstractList;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
public class CredentialData {
    private static final String TAG = "CredentialData";
    // Access control profile id -> alias of the auth-bound Keystore key whose validity window
    // enforces that profile's user-authentication timeout (filled by ensureAcpTimoutKeyForProfile).
    private AbstractMap<Integer, String> mAcpTimeoutKeyAliases;
    private Context mContext;
    // Credential name chosen by the caller; every file name and key alias is derived from it
    // through escapeCredentialName().
    private String mCredentialName;
    private String mDocType = "";
    // AndroidKeyStore alias of the credential's private key, used to sign the ProofOfDeletion
    // and ProofOfOwnership structures.
    private String mCredentialKeyAlias = "";
    private Collection<X509Certificate> mCertificateChain = null;
    // Digest passed to Util.generateAuthenticationKeyCert when new auth keys are created.
    private byte[] mProofOfProvisioningSha256 = null;
    private AbstractList<AccessControlProfile> mAccessControlProfiles = new ArrayList();
    // Lookup table mirroring mAccessControlProfiles, keyed by profile id.
    private AbstractMap<Integer, AccessControlProfile> mProfileIdToAcpMap = new HashMap();
    private AbstractList<PersonalizationData.NamespaceData> mNamespaceDatas = new ArrayList();
    // Number of auth key slots iterated by getAuthKeysNeedingCertification(); assumed to match
    // mAuthKeyDatas.size() — nothing in this file verifies that on load.
    private int mAuthKeyCount = 0;
    // A slot's key is replaced once its mUseCount reaches this value.
    private int mAuthMaxUsesPerKey = 1;
    // Alias of the auth-bound AES key created by ensurePerReaderSessionKey() ("" if none).
    private String mPerReaderSessionKeyAlias = "";
    private AbstractList<AuthKeyData> mAuthKeyDatas = new ArrayList();

    /* loaded from: classes.dex */
    /** Bookkeeping for one dynamic authentication key slot; persisted by saveToDiskAuthDatas/loadAuthKey. */
    public static class AuthKeyData {
        // Keystore alias of the currently certified key; "" when the slot holds no key.
        public String mAlias = "";
        // Encoded certificate for mAlias (how it is populated is not visible in this file).
        public byte[] mCertificate = new byte[0];
        // Opaque data stored alongside the key; this class only persists it, never interprets it.
        public byte[] mStaticAuthenticationData = new byte[0];
        // Uses so far; compared against mAuthMaxUsesPerKey to decide when to rotate the key.
        public int mUseCount = 0;
        // Alias of a freshly generated key that still awaits certification; "" if none.
        public String mPendingAlias = "";
        // DER (getEncoded()) certificate produced for mPendingAlias by Util.generateAuthenticationKeyCert.
        public byte[] mPendingCertificate = new byte[0];
        // Expiration of the certified key; null means "never" and is persisted as Long.MAX_VALUE.
        public Calendar mExpirationDate = null;
    }

    /**
     * Binds a new, empty instance to a credential name; callers populate it via
     * createCredentialData() or loadFromDisk().
     *
     * @param context context used to resolve the credential's data file
     * @param str     credential name from which file and key alias names are derived
     */
    private CredentialData(Context context, String str) {
        mCredentialName = str;
        mContext = context;
    }

    /**
     * Builds the COSE_Sign1 ProofOfDeletion over the CBOR array
     * {@code ["ProofOfDeletion", docType, challenge?, false]}.
     *
     * @param str        the credential's docType
     * @param privateKey credential private key used for the signature
     * @param bArr       optional challenge; omitted from the array when null
     * @return CBOR-encoded COSE_Sign1 structure
     * @throws RuntimeException if CBOR encoding or signing fails
     */
    public static byte[] buildProofOfDeletionSignature(String str, PrivateKey privateKey, byte[] bArr) {
        a builder = new a();
        b<a> array = builder.k().h("ProofOfDeletion").h(str);
        // The challenge slot is optional; element order is fixed by the format.
        if (bArr != null) {
            array.j(bArr);
        }
        array.i(false);
        ByteArrayOutputStream payload = new ByteArrayOutputStream();
        try {
            new c(payload).a(builder.m().get(0));
            byte[] toBeSigned = payload.toByteArray();
            return Util.cborEncode(
                    Util.coseSign1Sign(privateKey, toBeSigned, (byte[]) null, (Collection<X509Certificate>) null));
        } catch (d | InvalidKeyException | NoSuchAlgorithmException | CertificateEncodingException e10) {
            throw new RuntimeException("Error building ProofOfDeletion", e10);
        }
    }

    /**
     * Probes whether the auth-bound timeout key {@code str} is currently usable, i.e. whether
     * the user authenticated within the key's validity window.
     *
     * <p>The probe is a throw-away GCM encryption of two bytes; the result is discarded. An
     * unauthenticated user surfaces as an {@link InvalidKeyException} subclass and yields false.
     * Note that every other listed failure (keystore unavailable, algorithm missing) also yields
     * false, so callers cannot distinguish "not authenticated" from "keystore broken"; a missing
     * alias is not handled at all and escapes as a NullPointerException.
     *
     * @param str alias of the auth-bound AES key for the access control profile
     * @return true if the key could be used, false otherwise
     */
    private boolean checkUserAuthenticationTimeout(String str) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) keyStore.getEntry(str, null);
            Cipher probe = Cipher.getInstance("AES/GCM/NoPadding");
            probe.init(Cipher.ENCRYPT_MODE, entry.getSecretKey());
            probe.doFinal(new byte[]{1, 2});
            return true;
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableEntryException | CertificateException | BadPaddingException
                | IllegalBlockSizeException | NoSuchPaddingException unused) {
            return false;
        }
    }

    /**
     * Creates a credential from personalization data, provisions its Keystore keys and
     * persists it.
     *
     * @param context             application context
     * @param str                 docType
     * @param str2                credential name
     * @param str3                alias of the already-created credential key
     * @param collection          certificate chain for the credential key
     * @param personalizationData access control profiles and namespace data to store
     * @param bArr                SHA-256 of the proof of provisioning
     * @param z9                  when false, refuse to overwrite an existing credential of the
     *                            same name (presumably a "replace existing" flag — confirm with caller)
     * @return the saved credential
     * @throws RuntimeException if the name is taken (and z9 is false) or key creation/saving fails
     */
    public static CredentialData createCredentialData(Context context, String str, String str2, String str3, Collection<X509Certificate> collection, PersonalizationData personalizationData, byte[] bArr, boolean z9) {
        if (!z9 && credentialAlreadyExists(context, str2)) {
            throw new RuntimeException("Credential with given name already exists");
        }
        CredentialData data = new CredentialData(context, str2);
        data.mDocType = str;
        data.mCredentialKeyAlias = str3;
        data.mCertificateChain = collection;
        data.mProofOfProvisioningSha256 = bArr;

        data.mAccessControlProfiles = new ArrayList<>();
        data.mProfileIdToAcpMap = new HashMap<>();
        for (AccessControlProfile profile : personalizationData.getAccessControlProfiles()) {
            data.mAccessControlProfiles.add(profile);
            data.mProfileIdToAcpMap.put(Integer.valueOf(profile.getAccessControlProfileId().getId()), profile);
        }
        data.mNamespaceDatas = new ArrayList<>(personalizationData.getNamespaceDatas());

        // Keystore side effects happen only after the in-memory model is complete.
        data.mAcpTimeoutKeyAliases = new HashMap<>();
        for (AccessControlProfile profile : personalizationData.getAccessControlProfiles()) {
            long timeoutMillis = profile.getUserAuthenticationTimeout();
            if (!profile.isUserAuthenticationRequired()) {
                continue;
            }
            ensurePerReaderSessionKey(str2, data);
            ensureAcpTimoutKeyForProfile(str2, data, profile, timeoutMillis);
        }
        data.createDataEncryptionKey();
        data.saveToDisk();
        return data;
    }

    /**
     * Generates the AES-128-GCM key that encrypts this credential's data file, stored in
     * AndroidKeyStore under the alias derived from the credential name.
     *
     * <p>Purpose {@code 3} is {@code KeyProperties.PURPOSE_ENCRYPT | PURPOSE_DECRYPT}. Randomized
     * encryption is left at its default, so the provider supplies the GCM nonce on each use.
     *
     * @throws RuntimeException if the keystore or key parameters are unavailable
     */
    private void createDataEncryptionKey() {
        String alias = getDataKeyAliasFromCredentialName(mCredentialName);
        try {
            KeyGenerator generator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setKeySize(128)
                    .build();
            generator.init(spec);
            generator.generateKey();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e10) {
            throw new RuntimeException("Error creating data encryption key", e10);
        }
    }

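    /**
     * Reports whether a data file for the named credential exists.
     *
     * <p>Existence is tested by opening the file through {@link AtomicFile} so the same
     * backup-file semantics as reading apply; the stream is closed again immediately (the
     * previous version leaked it).
     *
     * @param context application context
     * @param str     credential name
     * @return true if the credential's data file can be opened
     */
    public static boolean credentialAlreadyExists(Context context, String str) {
        AtomicFile atomicFile = new AtomicFile(context.getFileStreamPath(getFilenameForCredentialData(str)));
        try (FileInputStream ignored = atomicFile.openRead()) {
            return true;
        } catch (FileNotFoundException unused) {
            return false;
        } catch (IOException unused) {
            // openRead() succeeded, so the file exists; only closing the probe stream failed.
            return true;
        }
    }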

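    /**
     * Deletes the credential's data file and all of its AndroidKeyStore keys, returning a
     * ProofOfDeletion signed with the credential key before that key is destroyed.
     *
     * <p>Fixes in this version: the decompiled code left {@code credentialData} unassigned when
     * the file was missing, never closed the stream from {@code openRead()}, relied on a
     * NullPointerException (from an empty key alias after a failed load) to reach the
     * "parse error" path, and swallowed keystore failures under the same "parse error" message
     * while still deleting the file. Keystore failures now propagate.
     *
     * @param context application context
     * @param str     credential name
     * @param bArr    optional challenge folded into the proof, or null
     * @return CBOR-encoded COSE_Sign1 ProofOfDeletion, or null when there is no record, the
     *         record could not be parsed, or the credential key is missing (the file is still
     *         deleted in the latter two cases)
     * @throws RuntimeException if the keystore cannot be loaded or an alias cannot be deleted
     */
    public static byte[] delete(Context context, String str, byte[] bArr) {
        AtomicFile atomicFile = new AtomicFile(context.getFileStreamPath(getFilenameForCredentialData(str)));
        // Existence probe only; the stream is closed right away.
        try (FileInputStream ignored = atomicFile.openRead()) {
            // nothing to read
        } catch (FileNotFoundException unused) {
            return null;
        } catch (IOException unused) {
            // The file opened (so it exists); only closing the probe stream failed.
        }

        CredentialData credentialData = new CredentialData(context, str);
        boolean loaded;
        try {
            // loadFromDisk() signals failure with false; keep the RuntimeException guard as well.
            loaded = credentialData.loadFromDisk(getDataKeyAliasFromCredentialName(str));
        } catch (RuntimeException unused) {
            loaded = false;
        }
        if (!loaded) {
            Log.e(TAG, "Error parsing file on disk (old version?). Deleting anyway.");
            atomicFile.delete();
            return null;
        }

        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(credentialData.mCredentialKeyAlias, null);
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                // Without the credential key no proof can be signed; still remove the record so
                // the credential does not linger undeletable.
                Log.e(TAG, "Credential key missing from keystore. Deleting record anyway.");
                atomicFile.delete();
                return null;
            }
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            // Sign first: the proof needs the credential key, which is deleted below.
            byte[] proof = buildProofOfDeletionSignature(credentialData.mDocType, privateKey, bArr);
            atomicFile.delete();
            try {
                keyStore.deleteEntry(credentialData.mCredentialKeyAlias);
                if (!credentialData.mPerReaderSessionKeyAlias.isEmpty()) {
                    keyStore.deleteEntry(credentialData.mPerReaderSessionKeyAlias);
                }
                for (String alias : credentialData.mAcpTimeoutKeyAliases.values()) {
                    keyStore.deleteEntry(alias);
                }
                for (AuthKeyData authKeyData : credentialData.mAuthKeyDatas) {
                    if (!authKeyData.mAlias.isEmpty()) {
                        keyStore.deleteEntry(authKeyData.mAlias);
                    }
                    if (!authKeyData.mPendingAlias.isEmpty()) {
                        keyStore.deleteEntry(authKeyData.mPendingAlias);
                    }
                }
            } catch (KeyStoreException e10) {
                throw new RuntimeException("Error deleting key", e10);
            }
            return proof;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e11) {
            throw new RuntimeException("Error loading keystore", e11);
        }
    }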

    /**
     * Creates the auth-bound AES key whose Keystore validity window mirrors an access control
     * profile's user-authentication timeout, and records its alias.
     *
     * <p>The timeout is converted from milliseconds to whole seconds by truncation, so values
     * below one second become 0 and fractions are dropped; the int cast would also overflow for
     * timeouts beyond roughly 68 years. Purpose {@code 3} is
     * {@code KeyProperties.PURPOSE_ENCRYPT | PURPOSE_DECRYPT}.
     *
     * @param str                  credential name
     * @param credentialData       instance whose mAcpTimeoutKeyAliases receives the alias
     * @param accessControlProfile profile the key belongs to
     * @param j10                  timeout in milliseconds; no key is created when it is 0 or less
     * @throws RuntimeException if key generation fails
     */
    private static void ensureAcpTimoutKeyForProfile(String str, CredentialData credentialData, AccessControlProfile accessControlProfile, long j10) {
        if (j10 <= 0) {
            return;
        }
        int profileId = accessControlProfile.getAccessControlProfileId().getId();
        String alias = getAcpTimeoutKeyAliasFromCredentialName(str, profileId);
        try {
            int timeoutSeconds = (int) (j10 / 1000);
            KeyGenerator generator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            generator.init(new KeyGenParameterSpec.Builder(alias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setUserAuthenticationRequired(true)
                    .setUserAuthenticationValidityDurationSeconds(timeoutSeconds)
                    .setKeySize(128)
                    .build());
            generator.generateKey();
            credentialData.mAcpTimeoutKeyAliases.put(Integer.valueOf(profileId), alias);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e10) {
            throw new RuntimeException("Error creating ACP auth-bound timeout key", e10);
        }
    }

    /**
     * Creates, once per credential, the auth-bound AES key that requires a fresh user
     * authentication for every use (validity duration {@code -1}).
     *
     * <p>Idempotent in-process: a non-empty mPerReaderSessionKeyAlias means the key was already
     * created and the method returns immediately. Purpose {@code 3} is
     * {@code KeyProperties.PURPOSE_ENCRYPT | PURPOSE_DECRYPT}.
     *
     * @param str            credential name
     * @param credentialData instance whose mPerReaderSessionKeyAlias is set
     * @throws RuntimeException if key generation fails
     */
    private static void ensurePerReaderSessionKey(String str, CredentialData credentialData) {
        if (!credentialData.mPerReaderSessionKeyAlias.isEmpty()) {
            return;
        }
        String alias = getAcpKeyAliasFromCredentialName(str);
        credentialData.mPerReaderSessionKeyAlias = alias;
        try {
            KeyGenerator generator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            generator.init(new KeyGenParameterSpec.Builder(alias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setKeySize(128)
                    .setUserAuthenticationRequired(true)
                    .setUserAuthenticationValidityDurationSeconds(-1)
                    .build());
            generator.generateKey();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e10) {
            throw new RuntimeException("Error creating ACP auth-bound key", e10);
        }
    }

    /**
     * Derives a file or key alias name from a caller-supplied credential name.
     *
     * <p>The credential name is URL-encoded, which maps path separators and other special
     * characters to {@code %XX} escapes; the result is therefore safe to use as a single path
     * component and cannot escape the app's files directory.
     *
     * @param str  prefix naming the purpose ("data", "datakey", "acp", ...)
     * @param str2 credential name to escape
     * @return {@code "identity_credential_" + str + "_" + urlEncoded(str2)}
     * @throws RuntimeException never in practice; UTF-8 is always available
     */
    public static String escapeCredentialName(String str, String str2) {
        String encodedName;
        try {
            encodedName = URLEncoder.encode(str2, "UTF-8");
        } catch (UnsupportedEncodingException e10) {
            throw new RuntimeException("Unexpected UnsupportedEncodingException", e10);
        }
        return "identity_credential_" + str + "_" + encodedName;
    }

    /**
     * Alias of the per-reader-session auth-bound key for a credential.
     *
     * @param str credential name
     * @return escaped alias with the "acp" prefix
     */
    public static String getAcpKeyAliasFromCredentialName(String str) {
        final String purpose = "acp";
        return escapeCredentialName(purpose, str);
    }

    /**
     * Alias of the auth-bound timeout key for one access control profile.
     *
     * @param str credential name
     * @param i10 access control profile id
     * @return escaped alias with the "acp_timeout_for_id&lt;id&gt;" prefix
     */
    public static String getAcpTimeoutKeyAliasFromCredentialName(String str, int i10) {
        String purpose = "acp_timeout_for_id" + i10;
        return escapeCredentialName(purpose, str);
    }

    /**
     * Alias of the credential key for a credential.
     *
     * @param str credential name
     * @return escaped alias with the "credkey" prefix
     */
    public static String getAliasFromCredentialName(String str) {
        final String purpose = "credkey";
        return escapeCredentialName(purpose, str);
    }

    /**
     * Alias of the AES key that encrypts the credential's data file.
     *
     * @param str credential name
     * @return escaped alias with the "datakey" prefix
     */
    public static String getDataKeyAliasFromCredentialName(String str) {
        final String purpose = "datakey";
        return escapeCredentialName(purpose, str);
    }

    /**
     * File name (relative to the app's files directory) of the credential's encrypted record.
     *
     * @param str credential name
     * @return escaped name with the "data" prefix
     */
    public static String getFilenameForCredentialData(String str) {
        final String purpose = "data";
        return escapeCredentialName(purpose, str);
    }

    /**
     * Restores mAccessControlProfiles and mProfileIdToAcpMap from the "accessControlProfiles"
     * CBOR array.
     *
     * @param kVar top-level CBOR map of the record
     * @throws RuntimeException if the entry is missing or not an array
     */
    private void loadAccessControlProfiles(k kVar) {
        f entry = kVar.i(new u("accessControlProfiles"));
        if (!(entry instanceof j.c)) {
            throw new RuntimeException("accessControlProfiles not found or not array");
        }
        mAccessControlProfiles = new ArrayList<>();
        mProfileIdToAcpMap = new HashMap<>();
        for (f item : ((j.c) entry).j()) {
            AccessControlProfile profile = Util.accessControlProfileFromCbor(item);
            mAccessControlProfiles.add(profile);
            mProfileIdToAcpMap.put(Integer.valueOf(profile.getAccessControlProfileId().getId()), profile);
        }
    }

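    /**
     * Restores the auth-key bookkeeping from the CBOR record: the per-reader session key
     * alias, the profile-id → timeout-key-alias map, the slot count and per-key use budget,
     * and one {@link AuthKeyData} per entry of "authKeyDatas".
     *
     * <p>Each element of "authKeyDatas" is now checked to be a CBOR map before it is used,
     * consistent with the shape checks on the other containers; previously a malformed element
     * surfaced as a bare ClassCastException. Individual field casts are still unchecked.
     *
     * @param kVar top-level CBOR map of the record
     * @throws RuntimeException if a required container has the wrong type or a map key/value
     *                          in "acpTimeoutKeyMap" is not an integer/string
     */
    private void loadAuthKey(k kVar) {
        this.mPerReaderSessionKeyAlias = ((u) kVar.i(new u("perReaderSessionKeyAlias"))).i();

        f timeoutMap = kVar.i(new u("acpTimeoutKeyMap"));
        if (!(timeoutMap instanceof k)) {
            throw new RuntimeException("acpTimeoutKeyMap not found or not map");
        }
        this.mAcpTimeoutKeyAliases = new HashMap<>();
        k timeoutKeys = (k) timeoutMap;
        for (f key : timeoutKeys.j()) {
            if (!(key instanceof v)) {
                throw new RuntimeException("Key in acpTimeoutKeyMap is not an integer");
            }
            int profileId = ((v) key).g().intValue();
            f alias = timeoutKeys.i(key);
            if (!(alias instanceof u)) {
                throw new RuntimeException("Item in acpTimeoutKeyMap is not a string");
            }
            this.mAcpTimeoutKeyAliases.put(Integer.valueOf(profileId), ((u) alias).i());
        }

        this.mAuthKeyCount = ((m) kVar.i(new u("authKeyCount"))).g().intValue();
        this.mAuthMaxUsesPerKey = ((m) kVar.i(new u("authKeyMaxUses"))).g().intValue();

        f authKeyArray = kVar.i(new u("authKeyDatas"));
        if (!(authKeyArray instanceof j.c)) {
            throw new RuntimeException("authKeyDatas not found or not array");
        }
        this.mAuthKeyDatas = new ArrayList<>();
        for (f element : ((j.c) authKeyArray).j()) {
            if (!(element instanceof k)) {
                throw new RuntimeException("Item in authKeyDatas is not a map");
            }
            k slot = (k) element;
            AuthKeyData authKeyData = new AuthKeyData();
            authKeyData.mAlias = ((u) slot.i(new u("alias"))).i();
            authKeyData.mUseCount = ((m) slot.i(new u("useCount"))).g().intValue();
            authKeyData.mCertificate = ((j.d) slot.i(new u("certificate"))).i();
            authKeyData.mStaticAuthenticationData = ((j.d) slot.i(new u("staticAuthenticationData"))).i();
            authKeyData.mPendingAlias = ((u) slot.i(new u("pendingAlias"))).i();
            authKeyData.mPendingCertificate = ((j.d) slot.i(new u("pendingCertificate"))).i();
            // A missing expiration means "never"; saveToDiskAuthDatas writes Long.MAX_VALUE for null.
            long expirationMillis = Long.MAX_VALUE;
            f expiration = slot.i(new u("expirationDateMillis"));
            if (expiration != null) {
                if (!(expiration instanceof m)) {
                    throw new RuntimeException("expirationDateMillis not a number");
                }
                expirationMillis = ((m) expiration).g().longValue();
            }
            Calendar calendar = Calendar.getInstance();
            calendar.setTimeInMillis(expirationMillis);
            authKeyData.mExpirationDate = calendar;
            this.mAuthKeyDatas.add(authKeyData);
        }
    }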

    /**
     * Restores docType and the credential key alias from the CBOR record.
     *
     * <p>Both lookups are cast without a type check; a missing or mistyped field fails with a
     * NullPointerException or ClassCastException, which loadFromDisk() turns into "not loaded".
     *
     * @param kVar top-level CBOR map of the record
     */
    private void loadBasic(k kVar) {
        u docType = (u) kVar.i(new u("docType"));
        mDocType = docType.i();
        u credentialKeyAlias = (u) kVar.i(new u("credentialKeyAlias"));
        mCredentialKeyAlias = credentialKeyAlias.i();
    }

    /**
     * Loads a previously saved credential.
     *
     * @param context application context
     * @param str     credential name
     * @return the credential, or null if its record is missing, undecryptable or malformed
     *         (loadFromDisk() does not distinguish these cases)
     */
    public static CredentialData loadCredentialData(Context context, String str) {
        CredentialData data = new CredentialData(context, str);
        boolean loaded = data.loadFromDisk(getDataKeyAliasFromCredentialName(str));
        return loaded ? data : null;
    }

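    /**
     * Restores mCertificateChain from the "credentialKeyCertChain" CBOR array of DER blobs.
     *
     * <p>The X.509 {@link CertificateFactory} is obtained once rather than per element, and
     * each element is checked to be a byte string before it is cast (previously a mistyped
     * element surfaced as a bare ClassCastException).
     *
     * @param kVar top-level CBOR map of the record
     * @throws RuntimeException if the entry is missing or not an array, an element is not a
     *                          byte string, or a blob does not parse as an X.509 certificate
     */
    private void loadCredentialKeyCertChain(k kVar) {
        f entry = kVar.i(new u("credentialKeyCertChain"));
        if (!(entry instanceof j.c)) {
            throw new RuntimeException("credentialKeyCertChain not found or not array");
        }
        this.mCertificateChain = new ArrayList<>();
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            for (f item : ((j.c) entry).j()) {
                if (!(item instanceof j.d)) {
                    throw new RuntimeException("Item in credentialKeyCertChain is not a bstr");
                }
                byte[] der = ((j.d) item).i();
                this.mCertificateChain.add(
                        (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der)));
            }
        } catch (CertificateException e10) {
            throw new RuntimeException("Error decoding certificate blob", e10);
        }
    }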

    /**
     * Reads, decrypts and parses the credential's record, populating this instance.
     *
     * <p>Every failure — file missing, GCM tag mismatch (tampered or wrong-key file), CBOR decode
     * error, malformed structure — is collapsed into {@code false} by the blanket catch, so
     * callers cannot tell an absent credential from a corrupted or tampered one. The former
     * inner {@code catch (d)} only re-wrapped the decode error before the same blanket catch
     * discarded it, so it is folded in here; the observable result is unchanged.
     *
     * @param str alias of the AES data key used to decrypt the file
     * @return true on success, false on any failure
     */
    private boolean loadFromDisk(String str) {
        try {
            AtomicFile atomicFile = new AtomicFile(
                    mContext.getFileStreamPath(getFilenameForCredentialData(mCredentialName)));
            byte[] cleartext = loadFromDiskDecrypt(str, atomicFile.readFully());
            List<f> items = new f.b(new ByteArrayInputStream(cleartext)).a();
            if (items.size() != 1) {
                throw new RuntimeException("Expected 1 item, found " + items.size());
            }
            f top = items.get(0);
            if (!(top instanceof k)) {
                throw new RuntimeException("Item is not a map");
            }
            k record = (k) top;
            loadBasic(record);
            loadCredentialKeyCertChain(record);
            loadProofOfProvisioningSha256(record);
            loadAccessControlProfiles(record);
            loadNamespaceDatas(record);
            loadAuthKey(record);
            return true;
        } catch (Exception unused) {
            return false;
        }
    }

    /**
     * Decrypts a record produced by saveToDiskEncrypt(): a 12-byte GCM nonce followed by the
     * ciphertext and 128-bit tag.
     *
     * <p>GCM authenticates the whole ciphertext, so any modification of the file fails inside
     * {@code doFinal} and is reported as the wrapped BadPaddingException subclass.
     *
     * @param str  alias of the AES data key in AndroidKeyStore
     * @param bArr file contents
     * @return decrypted CBOR bytes
     * @throws RuntimeException if the input is shorter than the nonce, the key cannot be
     *                          retrieved, or authentication/decryption fails
     */
    private byte[] loadFromDiskDecrypt(String str, byte[] bArr) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.SecretKeyEntry entry = (KeyStore.SecretKeyEntry) keyStore.getEntry(str, null);
            SecretKey dataKey = entry.getSecretKey();
            if (bArr.length < 12) {
                throw new RuntimeException("Encrypted CBOR on disk is too small");
            }
            byte[] nonce = new byte[12];
            System.arraycopy(bArr, 0, nonce, 0, nonce.length);
            byte[] ciphertext = new byte[bArr.length - nonce.length];
            System.arraycopy(bArr, nonce.length, ciphertext, 0, ciphertext.length);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, nonce));
            return cipher.doFinal(ciphertext);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException
                | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException
                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e10) {
            throw new RuntimeException("Error decrypting CBOR", e10);
        }
    }

    /**
     * Restores mNamespaceDatas from the "namespaceDatas" CBOR map (namespace name → data).
     *
     * @param kVar top-level CBOR map of the record
     * @throws RuntimeException if the entry is missing, not a map, or has a non-string key
     */
    private void loadNamespaceDatas(k kVar) {
        f entry = kVar.i(new u("namespaceDatas"));
        if (!(entry instanceof k)) {
            throw new RuntimeException("namespaceDatas not found or not map");
        }
        k namespaces = (k) entry;
        mNamespaceDatas = new ArrayList<>();
        for (f name : namespaces.j()) {
            if (!(name instanceof u)) {
                throw new RuntimeException("Key in namespaceDatas is not a string");
            }
            String namespaceName = ((u) name).i();
            mNamespaceDatas.add(Util.namespaceDataFromCbor(namespaceName, namespaces.i(name)));
        }
    }

    /**
     * Restores mProofOfProvisioningSha256 from the "proofOfProvisioningSha256" byte string.
     *
     * @param kVar top-level CBOR map of the record
     * @throws RuntimeException if the entry is missing or not a byte string
     */
    private void loadProofOfProvisioningSha256(k kVar) {
        f entry = kVar.i(new u("proofOfProvisioningSha256"));
        if (entry instanceof j.d) {
            mProofOfProvisioningSha256 = ((j.d) entry).i();
            return;
        }
        throw new RuntimeException("proofOfProvisioningSha256 not found or not bstr");
    }

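    /**
     * Serializes this credential to CBOR, encrypts it with the data key and writes it
     * atomically to the credential's file.
     *
     * <p>The decompiled version referenced an undeclared {@code e} and, when
     * {@code startWrite()} failed, fell through to {@code write()} on a null stream. The write
     * is now a single try: on any IOException a started write is rolled back with
     * {@code failWrite} and the cause is preserved in the thrown exception.
     *
     * @throws RuntimeException if encoding, encryption or the file write fails
     */
    private void saveToDisk() {
        a builder = new a();
        g.c<a> record = builder.l();
        saveToDiskBasic(record);
        saveToDiskAuthDatas(record);
        saveToDiskACPs(record);
        saveToDiskNamespaceDatas(record);
        saveToDiskAuthKeys(record);
        byte[] encrypted = saveToDiskEncrypt(saveToDiskEncode(builder));

        AtomicFile atomicFile = new AtomicFile(
                this.mContext.getFileStreamPath(getFilenameForCredentialData(this.mCredentialName)));
        FileOutputStream fileOutputStream = null;
        try {
            fileOutputStream = atomicFile.startWrite();
            fileOutputStream.write(encrypted);
            fileOutputStream.close();
            // finishWrite() commits the temp file over the old record; the explicit close above
            // is kept from the original sequence.
            atomicFile.finishWrite(fileOutputStream);
        } catch (IOException e10) {
            if (fileOutputStream != null) {
                atomicFile.failWrite(fileOutputStream);
            }
            throw new RuntimeException("Error writing data", e10);
        }
    }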

    /**
     * Writes mAccessControlProfiles as the "accessControlProfiles" CBOR array.
     *
     * @param cVar builder for the top-level record map
     */
    private void saveToDiskACPs(g.c<a> cVar) {
        b<g.c<a>> profiles = cVar.o("accessControlProfiles");
        for (AccessControlProfile profile : mAccessControlProfiles) {
            profiles.g(Util.accessControlProfileToCbor(profile));
        }
    }

    /**
     * Writes one CBOR map per {@link AuthKeyData} into the "authKeyDatas" array.
     *
     * <p>A null expiration is persisted as {@link Long#MAX_VALUE}; loadAuthKey() reads it back
     * into a Calendar at that instant.
     *
     * @param cVar builder for the top-level record map
     */
    private void saveToDiskAuthDatas(g.c<a> cVar) {
        b<g.c<a>> slots = cVar.o("authKeyDatas");
        for (AuthKeyData slot : mAuthKeyDatas) {
            Calendar expiration = slot.mExpirationDate;
            long expirationMillis = expiration == null ? Long.MAX_VALUE : expiration.getTimeInMillis();
            slots.k()
                    .k("alias", slot.mAlias)
                    .j("useCount", slot.mUseCount)
                    .m("certificate", slot.mCertificate)
                    .m("staticAuthenticationData", slot.mStaticAuthenticationData)
                    .k("pendingAlias", slot.mPendingAlias)
                    .m("pendingCertificate", slot.mPendingCertificate)
                    .j("expirationDateMillis", expirationMillis)
                    .f();
        }
    }

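    /**
     * Writes the per-reader session key alias and the "acpTimeoutKeyMap" (profile id →
     * timeout-key alias) into the record.
     *
     * <p>The decompiled loop referenced an undeclared {@code r1} for the map key while
     * advancing the iterator in the value expression; the entry is now read once per
     * iteration so key and value always come from the same map entry.
     *
     * @param cVar builder for the top-level record map
     */
    private void saveToDiskAuthKeys(g.c<a> cVar) {
        cVar.k("perReaderSessionKeyAlias", this.mPerReaderSessionKeyAlias);
        g.c<g.c<a>> timeoutKeys = cVar.p("acpTimeoutKeyMap");
        for (Map.Entry<Integer, String> entry : this.mAcpTimeoutKeyAliases.entrySet()) {
            // CBOR key: unsigned integer profile id; value: alias text string (mirrors loadAuthKey).
            timeoutKeys.i(new v(entry.getKey().intValue()), new u(entry.getValue()));
        }
    }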

    /**
     * Writes docType, the credential key alias, the DER-encoded certificate chain, the
     * proof-of-provisioning digest and the auth-key counters into the record.
     *
     * @param cVar builder for the top-level record map
     * @throws RuntimeException if a certificate cannot be encoded
     */
    private void saveToDiskBasic(g.c<a> cVar) {
        cVar.k("docType", mDocType);
        cVar.k("credentialKeyAlias", mCredentialKeyAlias);
        b<g.c<a>> chain = cVar.o("credentialKeyCertChain");
        for (X509Certificate certificate : mCertificateChain) {
            byte[] der;
            try {
                der = certificate.getEncoded();
            } catch (CertificateEncodingException e10) {
                throw new RuntimeException("Error encoding certificate", e10);
            }
            chain.j(der);
        }
        cVar.m("proofOfProvisioningSha256", mProofOfProvisioningSha256);
        cVar.j("authKeyCount", mAuthKeyCount);
        cVar.j("authKeyMaxUses", mAuthMaxUsesPerKey);
    }

    /**
     * Serializes the built CBOR items to bytes.
     *
     * @param aVar builder holding the record
     * @return CBOR encoding of every item in the builder
     * @throws RuntimeException if encoding fails
     */
    private byte[] saveToDiskEncode(a aVar) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            c encoder = new c(out);
            encoder.b(aVar.m());
        } catch (d e10) {
            throw new RuntimeException("Error encoding data", e10);
        }
        return out.toByteArray();
    }

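    /**
     * Encrypts the CBOR record with the credential's AES-GCM data key and prepends the nonce.
     *
     * <p>The cipher is initialized without an explicit IV so the Keystore provider chooses the
     * nonce; it is read back with {@code getIV()}. loadFromDiskDecrypt() splits the file at a
     * fixed 12-byte nonce, so this method now refuses to write any other nonce length instead
     * of silently producing a file that could not be read back (the previous hard-coded
     * {@code + 12} would have thrown a BufferOverflowException or misaligned the layout).
     *
     * @param bArr cleartext CBOR bytes
     * @return nonce || ciphertext-with-tag
     * @throws RuntimeException if the key cannot be retrieved, encryption fails, or the nonce
     *                          is not 12 bytes
     */
    private byte[] saveToDiskEncrypt(byte[] bArr) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            SecretKey dataKey = ((KeyStore.SecretKeyEntry) keyStore.getEntry(
                    getDataKeyAliasFromCredentialName(this.mCredentialName), null)).getSecretKey();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, dataKey);
            byte[] ciphertext = cipher.doFinal(bArr);
            byte[] nonce = cipher.getIV();
            if (nonce == null || nonce.length != 12) {
                throw new RuntimeException("Unexpected GCM nonce length");
            }
            ByteBuffer out = ByteBuffer.allocate(nonce.length + ciphertext.length);
            out.put(nonce);
            out.put(ciphertext);
            return out.array();
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableEntryException | CertificateException | BadPaddingException
                | IllegalBlockSizeException | NoSuchPaddingException e10) {
            throw new RuntimeException("Error encrypting CBOR for saving to disk", e10);
        }
    }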

    /**
     * Writes mNamespaceDatas as the "namespaceDatas" CBOR map keyed by namespace name.
     *
     * @param cVar builder for the top-level record map
     */
    private void saveToDiskNamespaceDatas(g.c<a> cVar) {
        g.c<g.c<a>> namespaces = cVar.p("namespaceDatas");
        for (PersonalizationData.NamespaceData namespaceData : mNamespaceDatas) {
            u name = new u(namespaceData.getNamespaceName());
            namespaces.i(name, Util.namespaceDataToCbor(namespaceData));
        }
    }

    /**
     * Decides whether the user-authentication requirement of an access control profile is
     * currently satisfied.
     *
     * <p>A profile with timeout 0 has no timeout key; the caller-supplied flag {@code z9}
     * (presumably "the user authenticated for this session" — confirm with caller) is returned
     * as-is. Otherwise the profile's auth-bound timeout key is probed.
     *
     * @param accessControlProfileId profile to check
     * @param z9                     fallback answer for profiles without a timeout
     * @return true if the requirement is met
     * @throws RuntimeException if the profile is unknown or has no timeout key alias
     */
    public boolean checkUserAuthentication(AccessControlProfileId accessControlProfileId, boolean z9) {
        AccessControlProfile profile = getAccessControlProfile(accessControlProfileId);
        if (profile.getUserAuthenticationTimeout() == 0) {
            return z9;
        }
        int profileId = accessControlProfileId.getId();
        String alias = mAcpTimeoutKeyAliases.get(Integer.valueOf(profileId));
        if (alias == null) {
            throw new RuntimeException("No key alias for ACP with ID " + profileId);
        }
        return checkUserAuthenticationTimeout(alias);
    }

    /**
     * Deletes every Keystore key owned by this credential except the credential key itself:
     * the per-reader session key, all ACP timeout keys, and all certified and pending auth
     * keys. Intended to precede re-provisioning; the in-memory aliases are left untouched.
     *
     * @throws RuntimeException if the keystore cannot be loaded or a deletion fails
     */
    public void deleteKeysForReplacement() {
        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e11) {
            throw new RuntimeException("Error loading keystore", e11);
        }
        try {
            if (!mPerReaderSessionKeyAlias.isEmpty()) {
                keyStore.deleteEntry(mPerReaderSessionKeyAlias);
            }
            for (String alias : mAcpTimeoutKeyAliases.values()) {
                keyStore.deleteEntry(alias);
            }
            for (AuthKeyData slot : mAuthKeyDatas) {
                if (!slot.mAlias.isEmpty()) {
                    keyStore.deleteEntry(slot.mAlias);
                }
                if (!slot.mPendingAlias.isEmpty()) {
                    keyStore.deleteEntry(slot.mPendingAlias);
                }
            }
        } catch (KeyStoreException e10) {
            throw new RuntimeException("Error deleting key", e10);
        }
    }

    /**
     * Looks up an access control profile by id.
     *
     * @param accessControlProfileId id to resolve
     * @return the matching profile
     * @throws RuntimeException if no profile has that id
     */
    public AccessControlProfile getAccessControlProfile(AccessControlProfileId accessControlProfileId) {
        int profileId = accessControlProfileId.getId();
        AccessControlProfile profile = mProfileIdToAcpMap.get(Integer.valueOf(profileId));
        if (profile == null) {
            throw new RuntimeException("No profile with id " + profileId);
        }
        return profile;
    }

    /**
     * @return the credential's access control profiles; this is the live internal list, so
     *         callers must not modify it
     */
    public Collection<AccessControlProfile> getAccessControlProfiles() {
        return mAccessControlProfiles;
    }

    /** @return number of dynamic authentication key slots */
    public int getAuthKeyCount() {
        return mAuthKeyCount;
    }

    /**
     * Returns the use count of every auth key slot, in slot order.
     *
     * <p>The array is sized by mAuthKeyCount while the values come from mAuthKeyDatas; if the
     * two ever disagree, extra slots yield an ArrayIndexOutOfBoundsException and missing slots
     * read as 0.
     *
     * @return use counts indexed by slot
     */
    public int[] getAuthKeyUseCounts() {
        int[] useCounts = new int[mAuthKeyCount];
        for (int slot = 0; slot < mAuthKeyDatas.size(); slot++) {
            useCounts[slot] = mAuthKeyDatas.get(slot).mUseCount;
        }
        return useCounts;
    }

    /**
     * Returns the certificates of auth keys awaiting certification, first generating a
     * replacement key for every slot that is empty, exhausted or expired, then persisting
     * the updated bookkeeping via saveToDisk().
     *
     * <p>Side effects: new EC key pairs may be created in AndroidKeyStore under the slot's
     * pending alias, and the record is always rewritten.
     *
     * @return certificates parsed from mPendingCertificate for every slot that has a pending
     *         key (newly generated here or left over from an earlier call)
     * @throws RuntimeException on keystore, key-generation or certificate errors
     */
    public Collection<X509Certificate> getAuthKeysNeedingCertification() {
        try {
            // The loaded KeyStore is discarded; this only confirms the keystore is reachable
            // before any key generation below.
            KeyStore.getInstance("AndroidKeyStore").load(null);
            ArrayList arrayList = new ArrayList();
            Calendar calendar = Calendar.getInstance();
            for (int i10 = 0; i10 < this.mAuthKeyCount; i10++) {
                AuthKeyData authKeyData = this.mAuthKeyDatas.get(i10);
                boolean z9 = true;
                // z10: the certified key has reached its use budget.
                boolean z10 = authKeyData.mUseCount >= this.mAuthMaxUsesPerKey;
                Calendar calendar2 = authKeyData.mExpirationDate;
                // z11: the slot needs a fresh key — no key yet, exhausted, or expired
                // (a null expiration never expires).
                boolean z11 = authKeyData.mAlias.isEmpty() || z10 || (calendar2 != null ? calendar.after(calendar2) : false);
                // z12: a replacement is already pending certification.
                boolean z12 = !authKeyData.mPendingAlias.isEmpty();
                if (!z11 || z12) {
                    // Nothing to generate; report the slot only if it already has a pending key.
                    z9 = z12;
                } else {
                    try {
                        // Deterministic alias per slot, suffixed with "_" if it would collide with
                        // the alias currently certified for the same slot.
                        String str = this.mCredentialKeyAlias + String.format("_auth_%d", Integer.valueOf(i10));
                        if (str.equals(authKeyData.mAlias)) {
                            str = str + "_";
                        }
                        // 12 = KeyProperties.PURPOSE_SIGN | PURPOSE_VERIFY.
                        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
                        keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(str, 12).setDigests("SHA-256", "SHA-512").build());
                        keyPairGenerator.generateKeyPair();
                        // Certificate for the new key, built from its alias, the credential key
                        // alias and the proof-of-provisioning digest.
                        X509Certificate generateAuthenticationKeyCert = Util.generateAuthenticationKeyCert(str, this.mCredentialKeyAlias, this.mProofOfProvisioningSha256);
                        authKeyData.mPendingAlias = str;
                        authKeyData.mPendingCertificate = generateAuthenticationKeyCert.getEncoded();
                    } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException e10) {
                        throw new RuntimeException("Error creating auth key", e10);
                    }
                }
                if (z9) {
                    // Re-parse the stored DER so the caller gets a certificate object.
                    try {
                        arrayList.add((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(authKeyData.mPendingCertificate)));
                    } catch (CertificateException e11) {
                        throw new RuntimeException("Error creating certificate for auth key", e11);
                    }
                }
            }
            // Persist pending aliases/certificates so a crash before certification does not
            // orphan the generated keys.
            saveToDisk();
            return arrayList;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e12) {
            throw new RuntimeException("Error loading keystore", e12);
        }
    }

    /** @return how many uses an auth key gets before it is rotated */
    public int getAuthMaxUsesPerKey() {
        return mAuthMaxUsesPerKey;
    }

    /** @return AndroidKeyStore alias of the credential's private key */
    public String getCredentialKeyAlias() {
        return mCredentialKeyAlias;
    }

    /**
     * Returns the credential key's certificate chain.
     *
     * <p>This hands out the stored collection itself rather than a copy, so any
     * modification through the returned object is reflected in this instance.
     */
    public Collection<X509Certificate> getCredentialKeyCertificateChain() {
        return mCertificateChain;
    }

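    /**
     * Loads the private half of the credential key from the AndroidKeyStore.
     *
     * @return the private key stored under {@code mCredentialKeyAlias}
     * @throws RuntimeException if the keystore cannot be loaded, or if no private-key entry
     *     exists under the alias (previously the unchecked cast surfaced this as a
     *     {@code NullPointerException} or {@code ClassCastException} without context)
     */
    public PrivateKey getCredentialKeyPrivate() {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(this.mCredentialKeyAlias, null);
            // getEntry() returns null for an unknown alias; check before casting so the
            // failure names the alias instead of surfacing as an NPE.
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new RuntimeException("No private key entry for credential key alias " + this.mCredentialKeyAlias);
            }
            return ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e10) {
            throw new RuntimeException("Error loading keystore", e10);
        }
    }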

    /**
     * Returns the document type this credential was provisioned for; it is also embedded
     * in the ProofOfOwnership payload produced by {@code proveOwnership}.
     */
    public String getDocType() {
        return mDocType;
    }

    /**
     * Returns all namespace entries held by this credential.
     *
     * <p>The stored collection is returned directly (no defensive copy).
     */
    public Collection<PersonalizationData.NamespaceData> getNamespaceDatas() {
        return mNamespaceDatas;
    }

    /**
     * Returns the AndroidKeyStore alias of the per-reader session key.
     */
    public String getPerReaderSessionKeyAlias() {
        return mPerReaderSessionKeyAlias;
    }

    /**
     * Finds the namespace entry whose name equals {@code str}.
     *
     * @param str the namespace name to look up
     * @return the first matching {@link PersonalizationData.NamespaceData}, or {@code null}
     *     if no entry has that name
     */
    public PersonalizationData.NamespaceData lookupNamespaceData(String str) {
        for (PersonalizationData.NamespaceData candidate : this.mNamespaceDatas) {
            if (candidate.getNamespaceName().equals(str)) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Builds and signs a ProofOfOwnership structure with the credential key.
     *
     * <p>The payload is the array {@code ["ProofOfOwnership", docType, challenge, false]};
     * the obfuscated {@code a}/{@code c} types look like a CBOR builder and encoder (names are
     * stripped, so treat that as an inference). The encoded payload is wrapped in a COSE_Sign1
     * by {@code Util.coseSign1Sign} with no additional data and no certificate chain, and the
     * result is CBOR-encoded.
     *
     * @param bArr the challenge bytes supplied by the verifier
     * @return the CBOR-encoded COSE_Sign1 structure
     * @throws RuntimeException if encoding or signing fails
     */
    @NonNull
    public byte[] proveOwnership(@NonNull byte[] bArr) {
        PrivateKey signingKey = getCredentialKeyPrivate();
        a builder = new a();
        builder.k().h("ProofOfOwnership").h(this.mDocType).j(bArr).i(false);
        try {
            ByteArrayOutputStream encoded = new ByteArrayOutputStream();
            new c(encoded).a(builder.m().get(0));
            byte[] payload = encoded.toByteArray();
            return Util.cborEncode(Util.coseSign1Sign(signingKey, payload, (byte[]) null, (Collection<X509Certificate>) null));
        } catch (d | InvalidKeyException | NoSuchAlgorithmException | CertificateEncodingException e10) {
            throw new RuntimeException("Error building ProofOfOwnership", e10);
        }
    }

    /**
     * Picks an authentication key for a presentation.
     *
     * <p>First tries with expired keys excluded; only if that yields nothing and {@code z10}
     * is true does it retry allowing expired keys. From the helper's logic, {@code z9} appears
     * to permit keys whose use count has reached {@code mAuthMaxUsesPerKey} and {@code z10} to
     * permit keys past their {@code mExpirationDate} (the decompiled names carry no meaning).
     *
     * @return the private key paired with its static authentication data, or {@code null}
     *     if no key qualifies
     */
    public Pair<PrivateKey, byte[]> selectAuthenticationKey(boolean z9, boolean z10) {
        Pair<PrivateKey, byte[]> unexpired = selectAuthenticationKeyHelper(z9, false);
        if (unexpired != null) {
            return unexpired;
        }
        return z10 ? selectAuthenticationKeyHelper(z9, true) : null;
    }

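    /**
     * Selects the least-used eligible authentication key and records one use of it.
     *
     * <p>Eligible entries have a non-empty {@code mAlias}; entries whose {@code mExpirationDate}
     * is before now are skipped unless {@code z10} is true. Among eligible entries the lowest
     * {@code mUseCount} wins. If that key has already reached {@code mAuthMaxUsesPerKey} uses
     * and {@code z9} is false, nothing is returned. On success the key's use count is
     * incremented and persisted via {@link #saveToDisk()} before returning, so every call
     * that returns a key consumes one use.
     *
     * @param z9 when true, a key whose use count has reached the maximum may still be returned
     *     (meaning inferred from the logic; the decompiled parameter names carry none)
     * @param z10 when true, keys whose expiration date has passed are eligible
     * @return the private key paired with its static authentication data, or {@code null}
     *     if no eligible key exists
     * @throws RuntimeException if the keystore cannot be loaded, or if the selected alias has
     *     no private-key entry (previously the unchecked cast could throw a bare NPE)
     */
    public Pair<PrivateKey, byte[]> selectAuthenticationKeyHelper(boolean z9, boolean z10) {
        Calendar now = Calendar.getInstance();
        AuthKeyData selected = null;
        for (int i10 = 0; i10 < this.mAuthKeyCount; i10++) {
            AuthKeyData candidate = this.mAuthKeyDatas.get(i10);
            if (!isEligibleAuthKey(candidate, now, z10)) {
                continue;
            }
            if (selected == null || candidate.mUseCount < selected.mUseCount) {
                selected = candidate;
            }
        }
        if (selected == null) {
            return null;
        }
        // An exhausted key is only handed out when the caller explicitly allows it.
        if (selected.mUseCount >= this.mAuthMaxUsesPerKey && !z9) {
            return null;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(selected.mAlias, null);
            // getEntry() returns null for an unknown alias; fail with context instead of NPE,
            // and do so before the use count is touched so a missing key is not "consumed".
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new RuntimeException("No private key entry for auth key alias " + selected.mAlias);
            }
            Pair<PrivateKey, byte[]> result = new Pair<>(((KeyStore.PrivateKeyEntry) entry).getPrivateKey(), selected.mStaticAuthenticationData);
            selected.mUseCount++;
            saveToDisk();
            return result;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e10) {
            throw new RuntimeException("Error loading keystore", e10);
        }
    }

    /**
     * Returns whether {@code key} has a stored alias and is either unexpired (or has no
     * expiration date) or is expired but {@code allowExpired} is set.
     */
    private static boolean isEligibleAuthKey(AuthKeyData key, Calendar now, boolean allowExpired) {
        if (key.mAlias.isEmpty()) {
            return false;
        }
        Calendar expiry = key.mExpirationDate;
        return expiry == null || !now.after(expiry) || allowExpired;
    }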

    /**
     * Resizes the pool of authentication-key slots to {@code i10} entries, sets the per-key
     * use limit to {@code i11}, and persists the result.
     *
     * <p>Growing appends blank {@link AuthKeyData} slots. Shrinking removes entries from the
     * front of {@code mAuthKeyDatas}, first deleting each entry's current and pending aliases
     * from the AndroidKeyStore when they are present there.
     *
     * @param i10 new number of authentication-key slots
     * @param i11 maximum uses per authentication key
     * @throws RuntimeException if the keystore cannot be loaded or an entry cannot be deleted
     */
    public void setAvailableAuthenticationKeys(int i10, int i11) {
        int previousCount = this.mAuthKeyCount;
        this.mAuthKeyCount = i10;
        this.mAuthMaxUsesPerKey = i11;
        if (previousCount < i10) {
            for (int n = previousCount; n < this.mAuthKeyCount; n++) {
                this.mAuthKeyDatas.add(new AuthKeyData());
            }
        } else if (previousCount > i10) {
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                keyStore.load(null);
                int surplus = previousCount - this.mAuthKeyCount;
                for (int n = 0; n < surplus; n++) {
                    AuthKeyData doomed = this.mAuthKeyDatas.get(0);
                    deleteAuthKeyAlias(keyStore, doomed.mAlias, "mAlias");
                    deleteAuthKeyAlias(keyStore, doomed.mPendingAlias, "mPendingAlias");
                    this.mAuthKeyDatas.remove(0);
                }
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e12) {
                throw new RuntimeException("Error loading keystore", e12);
            }
        }
        saveToDisk();
    }

    /**
     * Deletes {@code alias} from {@code keyStore} when the alias is non-empty and present.
     *
     * @param fieldName the AuthKeyData field the alias came from; used only in the error message
     * @throws RuntimeException wrapping the {@link KeyStoreException} if the lookup or deletion fails
     */
    private static void deleteAuthKeyAlias(KeyStore keyStore, String alias, String fieldName) {
        if (alias.isEmpty()) {
            return;
        }
        try {
            if (keyStore.containsAlias(alias)) {
                keyStore.deleteEntry(alias);
            }
        } catch (KeyStoreException e) {
            throw new RuntimeException("Error deleting auth key with " + fieldName + " " + alias, e);
        }
    }

    /**
     * Promotes the pending key whose certificate equals {@code x509Certificate} to the active
     * key and attaches the issuer-provided static authentication data.
     *
     * <p>If the slot already had an active alias it is deleted from the AndroidKeyStore. Then
     * the pending alias and certificate become current, the use count is reset to zero, the
     * pending fields are cleared, the expiration date is recorded and the state is persisted.
     * A {@code null} expiration date is accepted and is treated as "no expiry" by the key
     * selection logic.
     *
     * @param x509Certificate certificate of a previously generated pending authentication key
     * @param calendar expiration date to record for the key
     * @param bArr static authentication data to return alongside the key when it is selected
     * @throws UnknownAuthenticationKeyException if no pending key matches the certificate
     * @throws RuntimeException if certificate parsing or keystore access fails
     */
    public void storeStaticAuthenticationData(X509Certificate x509Certificate, Calendar calendar, byte[] bArr) {
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            AuthKeyData match = null;
            for (AuthKeyData candidate : this.mAuthKeyDatas) {
                if (candidate.mPendingCertificate.length == 0) {
                    continue;
                }
                X509Certificate pending = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(candidate.mPendingCertificate));
                if (pending.equals(x509Certificate)) {
                    match = candidate;
                    break;
                }
            }
            if (match == null) {
                throw new UnknownAuthenticationKeyException("No such authentication key");
            }
            if (!match.mAlias.isEmpty()) {
                try {
                    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    if (keyStore.containsAlias(match.mAlias)) {
                        keyStore.deleteEntry(match.mAlias);
                    }
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e10) {
                    throw new RuntimeException("Error deleting old authentication key", e10);
                }
            }
            match.mAlias = match.mPendingAlias;
            match.mCertificate = match.mPendingCertificate;
            match.mStaticAuthenticationData = bArr;
            match.mUseCount = 0;
            match.mPendingAlias = "";
            match.mPendingCertificate = new byte[0];
            match.mExpirationDate = calendar;
            saveToDisk();
        } catch (CertificateException e11) {
            throw new RuntimeException("Error encoding certificate", e11);
        }
    }
}
