package com.microsoft.identity.common.java.crypto;

import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.crypto.key.AbstractSecretKeyLoader;
import com.microsoft.identity.common.java.crypto.key.KeyUtil;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.exception.ErrorStrings;
import com.microsoft.identity.common.java.logging.Logger;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.List;
import java.util.Objects;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import lombok.NonNull;
import ot.a;

/* loaded from: classes2.dex */
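/**
 * Base class that encrypts and decrypts data at rest with a symmetric key and protects it with
 * an HMAC tag computed over the ciphertext (encrypt-then-MAC).
 *
 * <p>Envelope produced by {@link #encrypt(byte[])}, as assembled in this class:
 * <pre>
 *   UTF-8( lengthChar + "E1" + encode( keyTypeIdentifier || ciphertext || IV || MAC ) )
 * </pre>
 * {@code lengthChar} is {@code 'a' + "E1".length()}, the IV is {@link #IV_LENGTH} bytes and the
 * MAC is {@link #MAC_DIGEST_LENGTH} bytes. The MAC covers every byte that precedes it inside the
 * encoded payload, so the key identifier and the IV are authenticated along with the ciphertext.
 *
 * <p>Subclasses choose the keys through {@link #getKeyLoaderForEncryption()} and
 * {@link #getKeyLoaderForDecryption(byte[])}. The signing, certificate and derived-key parts of
 * {@link IKeyAccessor} are not supported here.
 *
 * <p>NOTE(review): {@code ot.a} is an obfuscated helper. The {@code (data, flags)} call shape
 * suggests a Base64 codec, but that is not visible in this file; confirm before relying on it.
 */
public abstract class StorageEncryptionManager implements IKeyAccessor {
    private static final String ENCODE_VERSION = "E1";
    public static final int IV_LENGTH = 16;
    public static final int MAC_DIGEST_LENGTH = 32;
    private static final String TAG = StorageEncryptionManager.class.getSimpleName() + "#";
    private final IVGenerator mGenerator;

    /** Creates a manager whose IVs come from a {@link SecureRandom}, {@link #IV_LENGTH} bytes each. */
    public StorageEncryptionManager() {
        this.mGenerator = new IVGenerator() { // from class: com.microsoft.identity.common.java.crypto.StorageEncryptionManager.1
            final SecureRandom mRandom = new SecureRandom();

            @Override // com.microsoft.identity.common.java.crypto.IVGenerator
            public byte[] generate() {
                byte[] iv = new byte[IV_LENGTH];
                this.mRandom.nextBytes(iv);
                return iv;
            }
        };
    }

    /**
     * Creates a manager with a caller-supplied IV source.
     *
     * <p>Package-private. A generator that repeats or predicts IVs weakens the encryption, and
     * {@link #decrypt(byte[])} assumes every IV is exactly {@link #IV_LENGTH} bytes long.
     *
     * @param iVGenerator source of initialization vectors, must not be null
     */
    StorageEncryptionManager(@NonNull IVGenerator iVGenerator) {
        Objects.requireNonNull(iVGenerator, "generator is marked non-null but is null");
        this.mGenerator = iVGenerator;
    }

    /**
     * Compares a freshly computed MAC against the tag stored in {@code blob[start, end)}.
     *
     * <p>The loop ORs together the XOR of every byte pair and inspects the result only once at
     * the end, so the comparison does not stop at the first differing byte.
     *
     * @param blob     buffer holding the stored tag
     * @param start    index of the first tag byte in {@code blob}
     * @param end      index one past the last tag byte in {@code blob}
     * @param computed MAC computed over the authenticated part of {@code blob}
     * @throws ClientException {@code UNEXPECTED_HMAC_LENGTH} if the lengths differ,
     *                         {@code HMAC_MISMATCH} if any byte differs
     */
    private void assertHMac(byte[] blob, int start, int end, byte[] computed) throws ClientException {
        if (computed.length != end - start) {
            throw new ClientException(ClientException.UNEXPECTED_HMAC_LENGTH);
        }
        byte diff = 0;
        for (int i = start; i < end; i++) {
            diff = (byte) (diff | (computed[i - start] ^ blob[i]));
        }
        if (diff != 0) {
            throw new ClientException(ClientException.HMAC_MISMATCH);
        }
    }

    /**
     * Verifies and decrypts one envelope payload ({@code keyTypeIdentifier || ciphertext || IV || MAC})
     * with the key supplied by {@code keyLoader}.
     *
     * <p>The MAC is checked before the cipher is initialised, so neither the IV nor the ciphertext
     * is handed to the cipher unless the tag verified under this key.
     *
     * @param encryptedBlob payload with the encode-version prefix already removed
     * @param keyLoader     loader providing the key, its type identifier and the cipher algorithm
     * @return the decrypted plaintext
     * @throws ClientException if the payload is too short, the MAC does not match, or the
     *                         underlying JCA call fails (the JCA exception is kept as the cause)
     */
    @NonNull
    private byte[] decryptWithSecretKey(@NonNull byte[] encryptedBlob, @NonNull AbstractSecretKeyLoader keyLoader) throws ClientException {
        Objects.requireNonNull(encryptedBlob, "encryptedBlobWithoutEncodeVersion is marked non-null but is null");
        Objects.requireNonNull(keyLoader, "keyLoader is marked non-null but is null");
        try {
            SecretKey key = keyLoader.getKey();
            // NOTE(review): the MAC key comes from KeyUtil.getHMacKey(key); how it is derived from
            // the encryption key is not visible in this file.
            SecretKey hMacKey = KeyUtil.getHMacKey(key);
            int ivOffset = (encryptedBlob.length - IV_LENGTH) - MAC_DIGEST_LENGTH;
            int macOffset = encryptedBlob.length - MAC_DIGEST_LENGTH;
            int keyIdLength = keyLoader.getKeyTypeIdentifier().getBytes(AuthenticationConstants.ENCODING_UTF8).length;
            Cipher cipher = Cipher.getInstance(keyLoader.getCipherAlgorithm());
            Mac mac = Mac.getInstance(KeyUtil.HMAC_ALGORITHM);
            // Reject a payload that cannot hold identifier + IV + MAC before any offset is used;
            // otherwise the failure only surfaces later as a negative offset or length.
            if (ivOffset < keyIdLength) {
                throw new ClientException(ClientException.DATA_MALFORMED, "Encrypted blob is shorter than key identifier, IV and MAC combined.");
            }
            mac.init(hMacKey);
            mac.update(encryptedBlob, 0, macOffset);
            assertHMac(encryptedBlob, macOffset, encryptedBlob.length, mac.doFinal());
            cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(encryptedBlob, ivOffset, IV_LENGTH));
            return cipher.doFinal(encryptedBlob, keyIdLength, ivOffset - keyIdLength);
        } catch (IllegalArgumentException e) {
            throw new ClientException(ClientException.DATA_MALFORMED, e.getMessage(), e);
        } catch (InvalidAlgorithmParameterException e) {
            throw new ClientException(ClientException.INVALID_ALG_PARAMETER, e.getMessage(), e);
        } catch (InvalidKeyException e) {
            throw new ClientException(ClientException.INVALID_KEY, e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new ClientException("no_such_algorithm", e.getMessage(), e);
        } catch (BadPaddingException e) {
            throw new ClientException(ClientException.BAD_PADDING, e.getMessage(), e);
        } catch (IllegalBlockSizeException e) {
            throw new ClientException(ClientException.INVALID_BLOCK_SIZE, e.getMessage(), e);
        } catch (NoSuchPaddingException e) {
            throw new ClientException(ClientException.NO_SUCH_PADDING, e.getMessage(), e);
        }
    }

    /**
     * Reads the encode-version length from the first character of the envelope.
     *
     * @param cipherText envelope as a string; callers in this class pass a non-empty value
     * @return {@code cipherText.charAt(0) - 'a'}; the value is attacker-controlled and is checked
     *         by {@link #validateEncodeVersion(String, int)}
     */
    private static int getEncodeVersionLengthFromCipherText(@NonNull String cipherText) {
        Objects.requireNonNull(cipherText, "cipherText is marked non-null but is null");
        return cipherText.charAt(0) - 'a';
    }

    /** Returns the length character written in front of the encode version ({@code 'c'} for "E1"). */
    private char getEncodeVersionLengthPrefix() {
        return (char) ('a' + ENCODE_VERSION.length());
    }

    /**
     * Extracts the first four bytes of the decoded payload as the key identifier.
     *
     * <p>Any failure is logged at verbose level and reported through a fixed sentinel string
     * instead of an exception, so the result is only suitable for diagnostics and must not be
     * used to select a key without further checks.
     *
     * @param bArr full envelope, including the encode-version prefix
     * @return the four-byte identifier as a string, or the sentinel text on failure
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static String getKeyIdentifierFromCipherText(@NonNull byte[] bArr) {
        Objects.requireNonNull(bArr, "cipherText is marked non-null but is null");
        try {
            return new String(stripEncodeVersionFromCipherText(bArr), 0, 4, AuthenticationConstants.ENCODING_UTF8);
        } catch (Exception e) {
            Logger.verbose(TAG + ":getKeyIdentifierFromCipherText", e.getMessage());
            return "EXCEPTION OCCURRED GETTING KEY IDENTIFIER";
        }
    }

    /**
     * Tells whether the decoded payload starts with the given key identifier (case-insensitive).
     *
     * <p>This reads the identifier only; it does not verify the MAC, so a {@code true} result
     * says nothing about the integrity of the data.
     *
     * @param bArr full envelope, including the encode-version prefix
     * @param str  key identifier to look for
     * @return {@code true} on a match, {@code false} on a mismatch or if the envelope cannot be parsed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static boolean isEncryptedByThisKeyIdentifier(@NonNull byte[] bArr, @NonNull String str) {
        Objects.requireNonNull(bArr, "cipherText is marked non-null but is null");
        Objects.requireNonNull(str, "keyIdentifier is marked non-null but is null");
        try {
            String leading = new String(stripEncodeVersionFromCipherText(bArr), 0, str.length(), AuthenticationConstants.ENCODING_UTF8);
            return str.equalsIgnoreCase(leading);
        } catch (Exception e) {
            Logger.verbose(TAG + ":isEncryptedByThisKeyIdentifier", e.getMessage());
            return false;
        }
    }

    /**
     * Encodes the payload and prepends the length character and the encode version.
     *
     * @param encryptedData {@code keyTypeIdentifier || ciphertext || IV || MAC}
     * @return UTF-8 bytes of the finished envelope
     */
    private byte[] prefixWithEncodeVersion(@NonNull byte[] encryptedData) {
        Objects.requireNonNull(encryptedData, "encryptedData is marked non-null but is null");
        String envelope = getEncodeVersionLengthPrefix() + ENCODE_VERSION + a.f(encryptedData, 2);
        return envelope.getBytes(AuthenticationConstants.ENCODING_UTF8);
    }

    /**
     * Validates the encode-version prefix and returns the decoded payload that follows it.
     *
     * @param cipherText full envelope
     * @return decoded payload without the prefix
     * @throws ClientException          if the prefix is missing, inconsistent or not "E1"
     * @throws IllegalArgumentException if {@code cipherText} is empty
     */
    @NonNull
    private static byte[] stripEncodeVersionFromCipherText(@NonNull byte[] cipherText) throws ClientException {
        Objects.requireNonNull(cipherText, "cipherText is marked non-null but is null");
        if (cipherText.length < 1) {
            throw new IllegalArgumentException("Input blob is null or length < 1");
        }
        String text = new String(cipherText, AuthenticationConstants.ENCODING_UTF8);
        int versionLength = getEncodeVersionLengthFromCipherText(text);
        validateEncodeVersion(text, versionLength);
        return a.a(text.substring(versionLength + 1), 0);
    }

    /**
     * Checks that the declared encode-version length is positive, fits inside the string and that
     * the version itself equals "E1".
     *
     * @param cipherString       full envelope as a string
     * @param encodeVersionLength length read from the first character
     * @throws ClientException {@code DATA_MALFORMED} on any violation
     */
    private static void validateEncodeVersion(@NonNull String cipherString, int encodeVersionLength) throws ClientException {
        Objects.requireNonNull(cipherString, "cipherString is marked non-null but is null");
        if (encodeVersionLength <= 0) {
            // NOTE(review): the message says "greater of equal to 0" while this check also rejects 0.
            throw new ClientException(ClientException.DATA_MALFORMED, String.format("Encode version length: '%s' is not valid, it must be greater of equal to 0", Integer.valueOf(encodeVersionLength)));
        }
        int versionEnd = encodeVersionLength + 1;
        if (versionEnd > cipherString.length()) {
            throw new ClientException(ClientException.DATA_MALFORMED, "Length of encode version string (plus the length character) is longer than the CipherString itself. The data is malformed.");
        }
        if (!cipherString.substring(1, versionEnd).equals(ENCODE_VERSION)) {
            throw new ClientException(ClientException.DATA_MALFORMED, String.format("Unsupported encode version received. Encode version supported is: '%s'", ENCODE_VERSION));
        }
    }

    /**
     * Decrypts an envelope produced by {@link #encrypt(byte[])}, trying each candidate key in turn.
     *
     * <p>Input whose encode-version prefix cannot be parsed is treated as not encrypted and is
     * returned unchanged. Callers therefore cannot tell from the return value alone whether the
     * bytes were authenticated; anything arriving through that path is unverified data.
     *
     * <p>That pass-through is limited to the prefix check. Once the envelope is recognised, a
     * MAC mismatch or cipher failure under every key is reported as an exception. Previously the
     * outer {@code catch} also covered the final "all keys failed" exception and any failure from
     * {@link #getKeyLoaderForDecryption(byte[])}, which handed the raw ciphertext back to the
     * caller as if it were plaintext.
     *
     * @param bArr envelope to decrypt, must not be null or empty
     * @return the plaintext, or {@code bArr} itself when it does not carry a valid prefix
     * @throws ClientException       {@code DECRYPTION_FAILED} (individual failures attached as
     *                               suppressed) when no key decrypts the data, or whatever the
     *                               key-loader lookup throws
     * @throws IllegalStateException if the subclass supplies no key loader or a null one
     */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public byte[] decrypt(byte[] bArr) throws ClientException {
        final String logTag = TAG + ":decrypt";
        Logger.verbose(logTag, "Starting decryption");

        final byte[] payload;
        try {
            payload = stripEncodeVersionFromCipherText(bArr);
        } catch (ClientException e) {
            Logger.verbose(logTag, "Failed to strip encode version from cipherText, string might not be encrypted. Exception: ", e.getMessage());
            return bArr;
        }

        List<AbstractSecretKeyLoader> keyLoaders = getKeyLoaderForDecryption(bArr);
        if (keyLoaders == null || keyLoaders.isEmpty()) {
            throw new IllegalStateException("KeyLoader list must not be null or empty.");
        }
        ClientException allKeysFailed = new ClientException(ErrorStrings.DECRYPTION_FAILED, "Tried all decryption keys and decryption still fails.");
        for (AbstractSecretKeyLoader keyLoader : keyLoaders) {
            if (keyLoader == null) {
                throw new IllegalStateException("KeyLoader must not be null.");
            }
            try {
                byte[] plaintext = decryptWithSecretKey(payload, keyLoader);
                Logger.verbose(logTag, "Finished decryption with key:" + keyLoader.getAlias());
                return plaintext;
            } catch (ClientException e) {
                Logger.warn(logTag, "Failed to decrypt with key:" + keyLoader.getAlias() + " thumbprint : " + KeyUtil.getKeyThumbPrint(keyLoader));
                handleDecryptionFailure(keyLoader.getAlias(), e);
                allKeysFailed.addSuppressedException(e);
            }
        }
        Logger.warn(logTag, allKeysFailed.getMessage());
        throw allKeysFailed;
    }

    /**
     * Encrypts {@code bArr} with the key from {@link #getKeyLoaderForEncryption()} and wraps the
     * result in the versioned envelope described on the class.
     *
     * <p>A fresh IV is requested from the generator for every call. The MAC is computed over
     * {@code keyTypeIdentifier || ciphertext || IV}, in that order, which is the byte range
     * re-authenticated during decryption.
     *
     * @param bArr plaintext, must not be null
     * @return the finished envelope
     * @throws ClientException       if a JCA call fails (the JCA exception is kept as the cause)
     * @throws IllegalStateException if the subclass supplies no key loader
     */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    @NonNull
    public byte[] encrypt(@NonNull byte[] bArr) throws ClientException {
        Objects.requireNonNull(bArr, "plaintext is marked non-null but is null");
        final String logTag = TAG + ":encrypt";
        Logger.verbose(logTag, "Starting encryption");
        try {
            AbstractSecretKeyLoader keyLoader = getKeyLoaderForEncryption();
            if (keyLoader == null) {
                throw new IllegalStateException("KeyLoader must not be null.");
            }
            SecretKey key = keyLoader.getKey();
            SecretKey hMacKey = KeyUtil.getHMacKey(key);
            byte[] keyId = keyLoader.getKeyTypeIdentifier().getBytes(AuthenticationConstants.ENCODING_UTF8);
            byte[] iv = this.mGenerator.generate();
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            Cipher cipher = Cipher.getInstance(keyLoader.getCipherAlgorithm());
            Mac mac = Mac.getInstance(KeyUtil.HMAC_ALGORITHM);
            cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec);
            byte[] cipherBytes = cipher.doFinal(bArr);

            mac.init(hMacKey);
            mac.update(keyId);
            mac.update(cipherBytes);
            mac.update(iv);
            byte[] tag = mac.doFinal();

            // Layout: keyId || ciphertext || IV || MAC
            byte[] payload = new byte[keyId.length + cipherBytes.length + iv.length + tag.length];
            int offset = 0;
            System.arraycopy(keyId, 0, payload, offset, keyId.length);
            offset += keyId.length;
            System.arraycopy(cipherBytes, 0, payload, offset, cipherBytes.length);
            offset += cipherBytes.length;
            System.arraycopy(iv, 0, payload, offset, iv.length);
            offset += iv.length;
            System.arraycopy(tag, 0, payload, offset, tag.length);

            Logger.verbose(logTag, "Finished encryption");
            return prefixWithEncodeVersion(payload);
        } catch (InvalidAlgorithmParameterException e) {
            throw new ClientException(ClientException.INVALID_ALG_PARAMETER, e.getMessage(), e);
        } catch (InvalidKeyException e) {
            throw new ClientException(ClientException.INVALID_KEY, e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new ClientException("no_such_algorithm", e.getMessage(), e);
        } catch (BadPaddingException e) {
            throw new ClientException(ClientException.BAD_PADDING, e.getMessage(), e);
        } catch (IllegalBlockSizeException e) {
            throw new ClientException(ClientException.INVALID_BLOCK_SIZE, e.getMessage(), e);
        } catch (NoSuchPaddingException e) {
            throw new ClientException(ClientException.NO_SUCH_PADDING, e.getMessage(), e);
        }
    }

    /** Not supported by this key accessor. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public IKeyAccessor generateDerivedKey(byte[] bArr, byte[] bArr2, CryptoSuite cryptoSuite) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this key accessor. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public Certificate[] getCertificateChain() {
        throw new UnsupportedOperationException();
    }

    /**
     * Supplies the candidate key loaders for the given envelope; {@link #decrypt(byte[])} tries
     * them in list order and stops at the first one that verifies and decrypts.
     *
     * @param bArr full envelope, including the encode-version prefix
     * @return non-empty list of loaders
     */
    @NonNull
    public abstract List<AbstractSecretKeyLoader> getKeyLoaderForDecryption(@NonNull byte[] bArr) throws ClientException;

    /** Supplies the key loader used by {@link #encrypt(byte[])}. */
    @NonNull
    public abstract AbstractSecretKeyLoader getKeyLoaderForEncryption() throws ClientException;

    /** Always reports {@code SecureHardwareState.FALSE}. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public SecureHardwareState getSecureHardwareState() {
        return SecureHardwareState.FALSE;
    }

    /** Not supported by this key accessor. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public byte[] getThumbprint() {
        throw new UnsupportedOperationException();
    }

    /**
     * Hook called by {@link #decrypt(byte[])} each time a candidate key fails. The base
     * implementation only checks its arguments; subclasses may override it.
     *
     * @param str key alias that failed
     * @param exc failure raised for that key
     */
    protected void handleDecryptionFailure(@NonNull String str, @NonNull Exception exc) {
        Objects.requireNonNull(str, "keyAlias is marked non-null but is null");
        Objects.requireNonNull(exc, "exception is marked non-null but is null");
    }

    /** Not supported by this key accessor. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public byte[] sign(byte[] bArr) {
        throw new UnsupportedOperationException();
    }

    /** Not supported by this key accessor. */
    @Override // com.microsoft.identity.common.java.crypto.IKeyAccessor
    public boolean verify(byte[] bArr, byte[] bArr2) {
        throw new UnsupportedOperationException();
    }
}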
