package defpackage;

import android.app.admin.DevicePolicyManager;
import android.os.Build;
import android.security.AttestedKeyPair;
import android.security.KeyChain;
import android.security.KeyChainException;
import android.security.keystore.KeyExpiredException;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.util.Base64;
import com.google.android.gms.chimera.modules.auth.cryptauth.AppContextProvider;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.ProviderException;
import java.security.Signature;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import java.util.List;

/* compiled from: :com.google.android.gms@244933004@24.49.33 (040400-705592033) */
/* loaded from: classes2.dex */
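/**
 * Helper around the {@code "AndroidKeyStore"} provider for EC P-256 signing keys that carry a
 * key-attestation challenge.
 *
 * <p>Keys are addressed by a byte-array handle; the keystore alias is the URL-safe, unpadded
 * Base64 form of that handle (see {@link #g(byte[])}). Failures are reported through the
 * project exception types {@code qfv} and {@code qfz}, whose definitions are not part of this
 * file.
 *
 * <p>NOTE(review): this is decompiled output; identifier names are obfuscated and the numeric
 * constants below are the inlined values of Android SDK constants.
 */
public final class qfo {
    // Used only through h(format, args) and d(format, args) in this class; it appears to be a
    // logger, but its type is declared elsewhere.
    private final apdz a;

    /**
     * Creates the helper.
     *
     * @param apdzVar collaborator used for the diagnostic messages emitted by this class
     */
    public qfo(apdz apdzVar) {
        this.a = apdzVar;
    }

    /**
     * Deletes the Android KeyStore entry that belongs to the given key handle.
     *
     * @param bArr key handle; converted to the keystore alias by {@link #g(byte[])}
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the keystore rejects the deletion or a
     *     runtime failure occurs
     */
    public static final void d(byte[] bArr) {
        try {
            h().deleteEntry(g(bArr));
        } catch (RuntimeException | KeyStoreException e) {
            // NOTE(review): h() itself throws qfv; if qfv is unchecked it is re-wrapped here.
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error deleting Android KeyStore key", e);
        }
    }

    /**
     * Looks up the Android KeyStore entry for the given key handle.
     *
     * @param bArr key handle; converted to the keystore alias by {@link #g(byte[])}
     * @return the entry, never {@code null}
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the entry is missing or cannot be read
     */
    public static final KeyStore.Entry e(byte[] bArr) {
        try {
            KeyStore keyStore = h();
            String alias = g(bArr);
            KeyStore.Entry found = keyStore.getEntry(alias, null);
            if (found != null) {
                return found;
            }
            // The alias becomes part of the exception message, so it can reach any log that
            // prints the message.
            // NOTE(review): if qfv is unchecked, this exception is caught by the
            // RuntimeException arm below and re-wrapped; confirm that is intended.
            throw new qfv(a.x(alias, "Key does not exist in Android KeyStore: "), qfx.CLIENT_INTERNAL_ERROR);
        } catch (RuntimeException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error retrieving Android KeyStore entry", e);
        }
    }

    /**
     * Returns the certificate chain stored with the key, encoded as an X.509 {@code PkiPath}.
     *
     * @param bArr key handle; converted to the keystore alias by {@link #g(byte[])}
     * @return the {@code PkiPath}-encoded certificate chain of the entry
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the entry is missing, is not a private-key
     *     entry, or its chain cannot be encoded
     */
    public static final byte[] f(byte[] bArr) {
        try {
            CertificateFactory x509 = CertificateFactory.getInstance("X.509");
            KeyStore.PrivateKeyEntry privateKeyEntry = (KeyStore.PrivateKeyEntry) e(bArr);
            return x509.generateCertPath(Arrays.asList(privateKeyEntry.getCertificateChain())).getEncoded("PkiPath");
        } catch (ClassCastException | CertificateException e) {
            // An entry of another kind is reported as qfv, matching how i() treats the same
            // cast, instead of escaping as a raw ClassCastException.
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error getting certificate chain.", e);
        }
    }

    /**
     * Derives the keystore alias from a key handle.
     *
     * @param bArr key handle bytes
     * @return Base64 text of the handle
     */
    private static String g(byte[] bArr) {
        // 11 == Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP
        return Base64.encodeToString(bArr, 11);
    }

    /**
     * Opens and loads the {@code "AndroidKeyStore"} keystore.
     *
     * @return the loaded keystore
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the provider cannot be obtained or loaded
     */
    private static KeyStore h() {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            return androidKeyStore;
        } catch (IOException | RuntimeException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Unable to access Android KeyStore.", e);
        }
    }

    /**
     * Reports whether the entry's private key has become unusable for good.
     *
     * <p>The check initialises a {@code SHA256withECDSA} signature with the key and inspects the
     * failure, if any. No data is signed.
     *
     * @param entry keystore entry, expected to be a {@link KeyStore.PrivateKeyEntry}
     * @return {@code true} only when initialisation fails with
     *     {@link KeyPermanentlyInvalidatedException} or {@link KeyExpiredException}; every other
     *     {@link InvalidKeyException}, and success, yields {@code false}
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the entry is not a private-key entry or
     *     the signature algorithm is unavailable
     */
    private static boolean i(KeyStore.Entry entry) {
        try {
            Signature.getInstance("SHA256withECDSA").initSign(((KeyStore.PrivateKeyEntry) entry).getPrivateKey());
            return false;
        } catch (InvalidKeyException e) {
            // Other InvalidKeyException subtypes are deliberately not treated as "invalidated":
            // the key is still considered present and valid by b().
            return (e instanceof KeyPermanentlyInvalidatedException) || (e instanceof KeyExpiredException);
        } catch (ClassCastException | NoSuchAlgorithmException e) {
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error initializing signature", e);
        }
    }

    /**
     * Generates an attested EC P-256 signing key pair in the Android KeyStore.
     *
     * @param str key name; only compared against the two {@code fido:android_strong_auth_*}
     *     names to choose the user-authentication API
     * @param bArr key handle; converted to the keystore alias by {@link #g(byte[])}
     * @param z whether the key should be StrongBox backed (applied on SDK 28+ only)
     * @param bArr2 input whose SHA-256 digest becomes the attestation challenge
     * @param z2 whether user presence is required (applied on SDK 28+ only)
     * @param z3 whether user authentication is required to use the key
     * @param i authentication timeout/validity in seconds, passed through unchanged
     * @param z4 {@code true} to generate the key through {@link DevicePolicyManager} with
     *     individual attestation instead of the plain keystore generator
     * @return the generated key pair
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} when key generation fails and the
     *     {@code fcit} flag read in the handler is off
     * @throws qfz when the individual-attestation preconditions are not met, when the device
     *     policy call is refused, or when key generation fails and the {@code fcit} flag is on
     */
    public final KeyPair a(String str, byte[] bArr, boolean z, byte[] bArr2, boolean z2, boolean z3, int i, boolean z4) {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
            // 4 == KeyProperties.PURPOSE_SIGN. The attestation challenge is SHA-256(bArr2); a
            // verifier has to compare it with the challenge in the attestation certificate.
            KeyGenParameterSpec.Builder specBuilder = new KeyGenParameterSpec.Builder(g(bArr), 4)
                    .setDigests("SHA-256")
                    .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                    .setAttestationChallenge(MessageDigest.getInstance("SHA-256").digest(bArr2));
            if (Build.VERSION.SDK_INT >= 28) {
                // Below SDK 28 both settings are skipped without an error, so a caller that
                // asked for StrongBox or user presence gets a key without them.
                specBuilder.setIsStrongBoxBacked(z).setUserPresenceRequired(z2);
            }
            specBuilder.setUserAuthenticationRequired(z3);
            boolean strongAuthKey = str.equals("fido:android_strong_auth_v2_key") || str.equals("fido:android_strong_auth_v3_key");
            // NOTE(review): apwu.g() presumably gates on the SDK level that offers
            // setUserAuthenticationParameters; confirm against its definition.
            if (fcit.a.a().g() && apwu.g() && strongAuthKey) {
                // 3 == KeyProperties.AUTH_DEVICE_CREDENTIAL | KeyProperties.AUTH_BIOMETRIC_STRONG
                specBuilder.setUserAuthenticationParameters(i, 3);
            } else {
                specBuilder.setUserAuthenticationValidityDurationSeconds(i);
            }
            // The key stays usable after a new biometric is enrolled, so a biometric added
            // later can authorise it. NOTE(review): confirm this is the intended policy.
            specBuilder.setInvalidatedByBiometricEnrollment(false);
            if (!z4) {
                keyPairGenerator.initialize(specBuilder.build());
                return keyPairGenerator.generateKeyPair();
            }
            KeyGenParameterSpec spec = specBuilder.build();
            this.a.h("Generating Corp Key.", new Object[0]);
            DevicePolicyManager devicePolicyManager = (DevicePolicyManager) AppContextProvider.a().getSystemService("device_policy");
            if (Build.VERSION.SDK_INT < 30) {
                throw new qfz("Individual Attestation requires Android R.");
            }
            if (devicePolicyManager == null) {
                throw new qfz("No DevicePolicyManager is available.");
            }
            if (!devicePolicyManager.isUniqueDeviceAttestationSupported()) {
                throw new qfz("Unique Device Attestation is not supported.");
            }
            try {
                // 16 == DevicePolicyManager.ID_TYPE_INDIVIDUAL_ATTESTATION
                AttestedKeyPair attested = devicePolicyManager.generateKeyPair(null, "EC", spec, 16);
                // A null result from generateKeyPair surfaces as a NullPointerException here and
                // is converted by the outer handler.
                List<Certificate> attestationRecord = attested.getAttestationRecord();
                devicePolicyManager.setKeyPairCertificate(null, spec.getKeystoreAlias(), attestationRecord, false);
                return attested.getKeyPair();
            } catch (SecurityException e) {
                throw new qfz("Failed to generate key pair.", e);
            }
        } catch (NullPointerException | InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException | ProviderException e2) {
            // The flag only selects which exception type reports the failure.
            if (!fcit.a.a().i()) {
                throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Failed to generate Key Store key.", e2);
            }
            throw new qfz("Failed to generate Key Store key: ".concat(String.valueOf(e2.getMessage())), e2);
        }
    }

    /**
     * Checks that a key exists for the handle and has not been permanently invalidated or
     * expired.
     *
     * @param bArr key handle; converted to the keystore alias by {@link #g(byte[])}
     * @return {@code true} if the entry exists and {@link #i(KeyStore.Entry)} reports it usable;
     *     {@code false} if it is invalidated, expired, missing or unreadable
     */
    public final boolean b(byte[] bArr) {
        try {
            return !i(e(bArr));
        } catch (qfv e) {
            // NOTE(review): the logged message may contain the keystore alias, because e()
            // puts the alias into its "does not exist" message.
            this.a.d("Failed to find valid key in Keystore: ".concat(String.valueOf(e.getMessage())), new Object[0]);
            return false;
        }
    }

    /**
     * Fetches the certificate chain for the handle's alias from {@link KeyChain} and encodes it
     * as an X.509 {@code PkiPath}.
     *
     * @param bArr key handle; converted to the alias by {@link #g(byte[])}
     * @return the {@code PkiPath}-encoded certificate chain
     * @throws qfv with {@code CLIENT_INTERNAL_ERROR} if the chain is unavailable, the lookup is
     *     interrupted, or the chain cannot be encoded
     */
    public final byte[] c(byte[] bArr) {
        this.a.h("Getting individual attestation.", new Object[0]);
        try {
            Certificate[] chain = KeyChain.getCertificateChain(AppContextProvider.a(), g(bArr));
            if (chain == null) {
                // KeyChain returns null when the alias is unknown or access is not granted;
                // report that as the usual qfv instead of a NullPointerException.
                throw new CertificateException("KeyChain returned no certificate chain");
            }
            List<? extends Certificate> certificates = Arrays.asList(chain);
            this.a.h("Got cert chain of size %d", Integer.valueOf(certificates.size()));
            return CertificateFactory.getInstance("X.509").generateCertPath(certificates).getEncoded("PkiPath");
        } catch (InterruptedException e) {
            // Keep the interrupt visible to the caller's thread handling.
            Thread.currentThread().interrupt();
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error getting certificate chain.", e);
        } catch (KeyChainException | CertificateException e) {
            throw new qfv(qfx.CLIENT_INTERNAL_ERROR, "Error getting certificate chain.", e);
        }
    }
}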
