package com.okta.devices.encrypt;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import com.okta.devices.api.security.DeviceKeyStore;
import com.okta.devices.api.security.SignatureProvider;
import com.okta.devices.data.repository.KeyType;
import com.okta.devices.log.Log;
import com.okta.devices.util.DevicesExtensionsKt;
import com.okta.devices.util.JwsHelperKt;
import com.sendbird.android.internal.constant.StringSet;
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import kotlin.Deprecated;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

@Metadata(d1 = {"\u0000N\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0012\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\b\n\u0002\b\u0005\u0018\u00002\u00020\u0001B%\u0012\b\b\u0002\u0010\u001c\u001a\u00020\u0017\u0012\b\b\u0002\u0010\u001e\u001a\u00020\u001d\u0012\b\b\u0002\u0010\u001f\u001a\u00020\u000b¢\u0006\u0004\b \u0010!J\b\u0010\u0003\u001a\u00020\u0002H\u0016J\b\u0010\u0004\u001a\u00020\u0002H\u0016J\u0010\u0010\u0007\u001a\u00020\u00062\u0006\u0010\u0005\u001a\u00020\u0002H\u0016J \u0010\f\u001a\u00020\u000b2\u0006\u0010\u0005\u001a\u00020\u00022\u0006\u0010\t\u001a\u00020\b2\u0006\u0010\n\u001a\u00020\bH\u0016J\u0018\u0010\u000f\u001a\u00020\u000e2\u0006\u0010\u0005\u001a\u00020\u00022\u0006\u0010\r\u001a\u00020\u000bH\u0017J\u0018\u0010\u000f\u001a\u00020\u000e2\u0006\u0010\u0005\u001a\u00020\u00022\u0006\u0010\u0010\u001a\u00020\u0002H\u0016J\u0012\u0010\u0012\u001a\u0004\u0018\u00010\u00112\u0006\u0010\u0005\u001a\u00020\u0002H\u0016J\u001c\u0010\u0015\u001a\u0004\u0018\u00010\u00142\u0006\u0010\u0005\u001a\u00020\u00022\b\u0010\u0013\u001a\u0004\u0018\u00010\u0002H\u0016J\b\u0010\u0016\u001a\u00020\u000bH\u0016R\u001a\u0010\u001c\u001a\u00020\u00178\u0016X\u0096\u0004¢\u0006\f\n\u0004\b\u0018\u0010\u0019\u001a\u0004\b\u001a\u0010\u001b¨\u0006\""}, d2 = {"Lcom/okta/devices/encrypt/RsaSignature;", "Lcom/okta/devices/api/security/SignatureProvider;", "", "algorithm", "jwsAlg", "alias", "Ljava/security/Signature;", "getSignature", "", StringSet.message, "signature", "", "verify", "userVerification", "", "generateAndStoreKeyPair", "keyType", "Ljava/security/PublicKey;", "getPublicKey", "password", "Ljava/security/PrivateKey;", "getPrivateKey", "isFipsCompliant", "Lcom/okta/devices/api/security/DeviceKeyStore;", "a", 
"Lcom/okta/devices/api/security/DeviceKeyStore;", "getDeviceKeyStore", "()Lcom/okta/devices/api/security/DeviceKeyStore;", "deviceKeyStore", "", "keySize", "enableStrongBox", "<init>", "(Lcom/okta/devices/api/security/DeviceKeyStore;IZ)V", "devices-core_release"}, k = 1, mv = {1, 8, 0})
@SourceDebugExtension({"SMAP\nRsaSignature.kt\nKotlin\n*S Kotlin\n*F\n+ 1 RsaSignature.kt\ncom/okta/devices/encrypt/RsaSignature\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,130:1\n1#2:131\n*E\n"})
/* loaded from: classes12.dex */
/**
 * {@link SignatureProvider} that signs and verifies with RSA keys held in a {@link DeviceKeyStore}.
 *
 * <p>Signatures use {@code SHA256withRSA}; generated keys are sign-only and restricted to PKCS#1
 * signature padding, and {@link #jwsAlg()} advertises the scheme as {@code JwsHelperKt.RS256}.
 * Key pairs are created through the {@link KeyPairGenerator} provider named by the key store's type.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #generateAndStoreKeyPair(String, String)} can return without creating a key
 *       (bio-or-PIN key type below API 30) and can retry with StrongBox disabled; neither outcome
 *       is reported to the caller.</li>
 *   <li>{@link #isFipsCompliant()} always reports {@code false}.</li>
 * </ul>
 */
public final class RsaSignature implements SignatureProvider {

    /** Key store wrapper that holds the generated key pairs; returned by {@link #getDeviceKeyStore()}. */
    private final DeviceKeyStore deviceKeyStore;

    /** RSA key size passed to the key generation spec (the defaulting constructor uses 2048). */
    private final int keySizeBits;

    /** Whether the first generation attempt asks for a StrongBox-backed key (applied on API 28+ only). */
    private final boolean strongBoxRequested;

    /** JCA algorithm name used for both signing and verification. */
    private final String signatureAlgorithm = "SHA256withRSA";

    /**
     * Creates a provider with every default applied. The literal arguments are placeholders:
     * mask {@code 7} makes the defaulting constructor replace all three of them.
     */
    public RsaSignature() {
        this(null, 0, false, 7, null);
    }

    /**
     * Creates a provider with explicit settings.
     *
     * @param deviceKeyStore key store wrapper to generate into and read from; must not be null
     * @param i2 RSA key size handed to the key generation spec
     * @param z {@code true} to request StrongBox backing when generating keys
     */
    public RsaSignature(@NotNull DeviceKeyStore deviceKeyStore, int i2, boolean z) {
        Intrinsics.checkNotNullParameter(deviceKeyStore, "deviceKeyStore");
        this.strongBoxRequested = z;
        this.keySizeBits = i2;
        this.deviceKeyStore = deviceKeyStore;
    }

    /**
     * Compiler-generated constructor implementing the Kotlin default arguments. Each bit set in
     * {@code i3} swaps the matching argument for its default: bit 1 for a new
     * {@code DeviceKeyStoreImpl}, bit 2 for a key size of 2048, bit 4 for StrongBox disabled.
     */
    public /* synthetic */ RsaSignature(DeviceKeyStore deviceKeyStore, int i2, boolean z, int i3, DefaultConstructorMarker defaultConstructorMarker) {
        this(
                (i3 & 1) == 0 ? deviceKeyStore : new DeviceKeyStoreImpl(null, 1, null),
                (i3 & 2) == 0 ? i2 : 2048,
                (i3 & 4) == 0 && z);
    }

    /**
     * Builds the key generation spec for {@code alias}.
     *
     * @param alias key store alias of the new key
     * @param keyType selects the user-authentication policy; any value other than the two
     *     user-verification types gets no authentication requirement
     * @param strongBoxBacked value passed to {@code setIsStrongBoxBacked} on API 28 and up
     * @return the finished spec
     */
    private KeyGenParameterSpec buildKeyGenSpec(String alias, KeyType keyType, boolean strongBoxBacked) {
        // Purpose 4 is KeyProperties.PURPOSE_SIGN: the private key cannot be used to decrypt.
        KeyGenParameterSpec.Builder spec = new KeyGenParameterSpec.Builder(alias, 4)
                .setKeySize(this.keySizeBits)
                .setDigests("SHA-256", MessageDigestAlgorithms.SHA_384, MessageDigestAlgorithms.SHA_512)
                .setSignaturePaddings("PKCS1");
        Intrinsics.checkNotNullExpressionValue(spec, "Builder(alias, KeyProper…NATURE_PADDING_RSA_PKCS1)");
        final int sdk = Build.VERSION.SDK_INT;
        if (keyType == KeyType.USER_VERIFICATION_KEY) {
            spec.setUserAuthenticationRequired(true);
            if (sdk < 30) {
                // -1 demands a fresh user authentication for every use of the key.
                spec.setUserAuthenticationValidityDurationSeconds(-1);
            } else {
                // Timeout 0 = authenticate on every use; type 2 = strong biometric only.
                spec.setUserAuthenticationParameters(0, 2);
            }
            // Enrolling a new biometric permanently invalidates this key.
            spec.setInvalidatedByBiometricEnrollment(true);
        } else if (keyType == KeyType.USER_VERIFICATION_BIO_OR_PIN_KEY) {
            spec.setUserAuthenticationRequired(true);
            // Type 3 = strong biometric or device credential. This call is not SDK-guarded here;
            // the public entry point refuses this key type below API 30 before reaching it.
            spec.setUserAuthenticationParameters(0, 3);
            // Unlike the biometric-only key, this one survives a new biometric enrollment.
            spec.setInvalidatedByBiometricEnrollment(false);
        }
        if (sdk >= 28) {
            spec.setIsStrongBoxBacked(strongBoxBacked);
        }
        KeyGenParameterSpec built = spec.build();
        Intrinsics.checkNotNullExpressionValue(built, "builder.build()");
        return built;
    }

    /**
     * Runs one key generation attempt for {@code alias} with the given StrongBox setting.
     *
     * @param alias key store alias of the new key
     * @param keyType serialized key type name, resolved through {@code KeyType.INSTANCE.fromName}
     * @param strongBoxBacked StrongBox setting for this attempt
     */
    private void generateKeyPair(String alias, String keyType, boolean strongBoxBacked) {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", getDeviceKeyStore().getKeyStore().getType());
        generator.initialize(buildKeyGenSpec(alias, KeyType.INSTANCE.fromName(keyType), strongBoxBacked));
        generator.generateKeyPair();
    }

    /** Returns the key algorithm name, {@code "RSA"}. */
    @Override // com.okta.devices.api.security.SignatureProvider
    @NotNull
    public String algorithm() {
        return "RSA";
    }

    /**
     * Generates an RSA key pair under {@code alias} with the policy implied by {@code keyType}.
     *
     * <p>Two outcomes are not signalled to the caller. First, the bio-or-PIN key type below API 30
     * only logs an error and returns, so no key exists afterwards. Second, when the first attempt
     * fails with a {@link ProviderException} that the package helper {@code a.a} accepts on
     * API 28+, generation is repeated with StrongBox disabled. NOTE(review): {@code a.a} is not
     * visible in this file; presumably it recognises a StrongBox-unavailable failure, confirm.
     * A caller that depends on StrongBox backing, or on the key existing at all, has to check
     * that separately after this method returns.
     *
     * @param alias key store alias of the new key
     * @param keyType serialized name of the key type
     * @throws ProviderException when generation fails and the retry condition does not hold
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    public void generateAndStoreKeyPair(@NotNull String alias, @NotNull String keyType) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Intrinsics.checkNotNullParameter(keyType, "keyType");
        boolean bioOrPinRequested = Intrinsics.areEqual(keyType, KeyType.USER_VERIFICATION_BIO_OR_PIN_KEY.getSerializedName());
        if (bioOrPinRequested && Build.VERSION.SDK_INT < 30) {
            Log.e$default(Log.INSTANCE, DevicesExtensionsKt.getTAG(this), "keyType \"userVerificationBioOrPin\" works only on API30 and up", null, 4, null);
            return;
        }
        try {
            generateKeyPair(alias, keyType, this.strongBoxRequested);
        } catch (ProviderException e2) {
            // The helper is consulted only on API 28+, the first level with the StrongBox flag.
            boolean retryWithoutStrongBox = Build.VERSION.SDK_INT >= 28 && a.a(e2);
            if (!retryWithoutStrongBox) {
                throw e2;
            }
            generateKeyPair(alias, keyType, false);
        }
    }

    /**
     * Legacy overload: maps the flag to the user-verification or proof-of-possession key type and
     * delegates to {@link #generateAndStoreKeyPair(String, String)}.
     *
     * @param alias key store alias of the new key
     * @param userVerification {@code true} for a key that requires user verification
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    @Deprecated(message = "Use generateAndStoreKeyPair(alias: String, keyType: String)")
    public void generateAndStoreKeyPair(@NotNull String alias, boolean userVerification) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        String serializedType = userVerification
                ? KeyType.USER_VERIFICATION_KEY.getSerializedName()
                : KeyType.PROOF_OF_POSSESSION_KEY.getSerializedName();
        generateAndStoreKeyPair(alias, serializedType);
    }

    /** Returns the key store wrapper this provider was constructed with. */
    @Override // com.okta.devices.api.security.SignatureProvider
    @NotNull
    public DeviceKeyStore getDeviceKeyStore() {
        return deviceKeyStore;
    }

    /**
     * Looks up the private key stored under {@code alias}.
     *
     * @param alias key store alias to read
     * @param password not used: the lookup always relies on the key store's default argument
     * @return the private key, or {@code null} when the alias has no key entry
     * @throws KeyStoreException when the entry exists but is not a {@link PrivateKey}
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    @Nullable
    public PrivateKey getPrivateKey(@NotNull String alias, @Nullable String password) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Key entry = DeviceKeyStore.DefaultImpls.getKeyEntry$default(getDeviceKeyStore(), alias, null, 2, null);
        if (entry instanceof PrivateKey) {
            return (PrivateKey) entry;
        }
        if (entry == null) {
            return null;
        }
        throw new KeyStoreException("PrivateKey not found for " + alias);
    }

    /**
     * Returns the public key of the certificate stored under {@code alias}.
     *
     * @param alias key store alias to read
     * @return the public key, or {@code null} when no certificate is stored for the alias
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    @Nullable
    public PublicKey getPublicKey(@NotNull String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Certificate storedCertificate = getDeviceKeyStore().getKeyStore().getCertificate(alias);
        return storedCertificate == null ? null : storedCertificate.getPublicKey();
    }

    /**
     * Returns a {@code SHA256withRSA} {@link Signature} initialised for signing with the private
     * key stored under {@code alias}.
     *
     * @param alias key store alias of the signing key
     * @return a signature object ready for {@code update} and {@code sign}
     * @throws UnrecoverableKeyException when the alias has no private key
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    @NotNull
    public Signature getSignature(@NotNull String alias) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        PrivateKey signingKey = SignatureProvider.DefaultImpls.getPrivateKey$default(this, alias, null, 2, null);
        if (signingKey != null) {
            Signature signer = Signature.getInstance(this.signatureAlgorithm);
            signer.initSign(signingKey);
            Intrinsics.checkNotNullExpressionValue(signer, "getInstance(signatureAlg…).apply { initSign(key) }");
            return signer;
        }
        throw new UnrecoverableKeyException("Key for this alias wasn't found");
    }

    /** Always reports {@code false}: this provider does not claim FIPS compliance. */
    @Override // com.okta.devices.api.security.SignatureProvider
    public boolean isFipsCompliant() {
        return false;
    }

    /** Returns the JWS algorithm identifier for this provider, {@code JwsHelperKt.RS256}. */
    @Override // com.okta.devices.api.security.SignatureProvider
    @NotNull
    public String jwsAlg() {
        return JwsHelperKt.RS256;
    }

    /**
     * Verifies {@code signature} over {@code message} with the public key stored under
     * {@code alias}. The key comes from this provider's own key store, so a {@code true} result
     * only ties the message to the key pair held under that alias.
     *
     * @param alias key store alias of the verification key
     * @param message signed bytes
     * @param signature signature bytes to check
     * @return {@code true} when the signature is valid for the message
     * @throws UnrecoverableKeyException when the alias has no public key
     */
    @Override // com.okta.devices.api.security.SignatureProvider
    public boolean verify(@NotNull String alias, @NotNull byte[] message, @NotNull byte[] signature) {
        Intrinsics.checkNotNullParameter(alias, "alias");
        Intrinsics.checkNotNullParameter(message, "message");
        Intrinsics.checkNotNullParameter(signature, "signature");
        PublicKey verificationKey = getPublicKey(alias);
        if (verificationKey != null) {
            Signature verifier = Signature.getInstance(this.signatureAlgorithm);
            verifier.initVerify(verificationKey);
            verifier.update(message);
            return verifier.verify(signature);
        }
        throw new UnrecoverableKeyException("Key for this alias wasn't found");
    }
}
