package com.microsoft.scmx.features.naas.vpn.certificate;

import android.security.keystore.KeyGenParameterSpec;
import android.util.Base64;
import androidx.constraintlayout.motion.widget.c;
import com.microsoft.identity.common.java.crypto.key.AES256KeyLoader;
import com.microsoft.scmx.features.naas.vpn.telemetry.NaaSTelemetrySender;
import com.microsoft.scmx.libraries.diagnostics.log.MDLog;
import com.microsoft.scmx.libraries.sharedpref.SharedPrefManager;
import com.nimbusds.jose.jwk.JWKParameterNames;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import kotlin.Metadata;
import kotlin.Pair;
import kotlin.Result;
import kotlin.collections.l;
import kotlin.g;
import kotlin.jvm.internal.Ref$ObjectRef;
import kotlin.jvm.internal.p;
import kotlin.q;
import me.a;

@Metadata(d1 = {"\u0000\\\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0010\u0003\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0012\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\t\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0006\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u000b\u0018\u0000 62\u00020\u0001:\u00017B\u0007¢\u0006\u0004\b\u0002\u0010\u0003J\u000f\u0010\u0005\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u0005\u0010\u0006J\u0017\u0010\n\u001a\u00020\t2\u0006\u0010\b\u001a\u00020\u0007H\u0002¢\u0006\u0004\b\n\u0010\u000bJ!\u0010\u000f\u001a\u00020\u00042\b\u0010\r\u001a\u0004\u0018\u00010\f2\u0006\u0010\u000e\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u000f\u0010\u0010J\u0017\u0010\u0013\u001a\u00020\u00122\u0006\u0010\u0011\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u0013\u0010\u0014J\u0017\u0010\u0015\u001a\u00020\u00122\u0006\u0010\u0011\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u0015\u0010\u0014J)\u0010\u0019\u001a\u0004\u0018\u00010\f2\u0006\u0010\u0016\u001a\u00020\u00042\u0006\u0010\u0017\u001a\u00020\u00122\u0006\u0010\u0018\u001a\u00020\u0004H\u0002¢\u0006\u0004\b\u0019\u0010\u001aJ'\u0010 \u001a\u00020\t2\u0006\u0010\u001b\u001a\u00020\u00042\u0006\u0010\u001d\u001a\u00020\u001c2\u0006\u0010\u001f\u001a\u00020\u001eH\u0002¢\u0006\u0004\b 
\u0010!J\u001b\u0010%\u001a\u00020\t2\n\u0010$\u001a\u00060\"j\u0002`#H\u0002¢\u0006\u0004\b%\u0010&J\u0017\u0010(\u001a\u00020\t2\b\u0010'\u001a\u0004\u0018\u00010\f¢\u0006\u0004\b(\u0010)J\r\u0010+\u001a\u00020*¢\u0006\u0004\b+\u0010,J\u0019\u0010.\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040-¢\u0006\u0004\b.\u0010/J\u0019\u00100\u001a\u00020\u00042\b\u0010\r\u001a\u0004\u0018\u00010\fH\u0007¢\u0006\u0004\b0\u00101J\u0019\u00102\u001a\u00020\u00042\b\u0010\r\u001a\u0004\u0018\u00010\fH\u0007¢\u0006\u0004\b2\u00101J/\u00104\u001a\u0010\u0012\u0004\u0012\u00020\f\u0012\u0004\u0012\u00020\f\u0018\u00010-2\u0006\u00103\u001a\u00020\f2\b\u0010\u0017\u001a\u0004\u0018\u00010\u0012H\u0007¢\u0006\u0004\b4\u00105¨\u00068"}, d2 = {"Lcom/microsoft/scmx/features/naas/vpn/certificate/NaaSCertificateHandler;", "", "<init>", "()V", "", "getKeyStoreAlias", "()Ljava/lang/String;", "", "throwable", "Lkotlin/q;", "handleAndLogException", "(Ljava/lang/Throwable;)V", "", "value", "type", "encodeToPEM", "([BLjava/lang/String;)Ljava/lang/String;", "keyStoreAlias", "Ljavax/crypto/SecretKey;", "getOrCreateAesKey", "(Ljava/lang/String;)Ljavax/crypto/SecretKey;", "generateAesKey", "encryptedText", "secretKey", "cipherIV", "decryptData", "(Ljava/lang/String;Ljavax/crypto/SecretKey;Ljava/lang/String;)[B", "cnName", "Ljava/security/cert/X509Certificate;", "certificate", "Ljava/security/PrivateKey;", "privateKey", "storeCertificateInfo", "(Ljava/lang/String;Ljava/security/cert/X509Certificate;Ljava/security/PrivateKey;)V", "Ljava/lang/Exception;", "Lkotlin/Exception;", JWKParameterNames.RSA_EXPONENT, "handleException", "(Ljava/lang/Exception;)V", "certificateData", "storeCertificateData", "([B)V", "", "isCertificatePresent", "()Z", "Lkotlin/Pair;", "loadCertificateData", "()Lkotlin/Pair;", "encodeToPEMPrivate", "([B)Ljava/lang/String;", "encodeToPEMCert", "data", "encryptData", "([BLjavax/crypto/SecretKey;)Lkotlin/Pair;", "Companion", a.f27121f, 
"naas-vpn_gammaRelease"}, k = 1, mv = {1, 8, 0}, xi = 48)
/* loaded from: classes3.dex */
/*
 * Stores and reloads the client certificate and private key handled by the naas.vpn.certificate
 * package.
 *
 * As written in this listing: storeCertificateData parses a PKCS#12 blob, storeCertificateInfo
 * AES-GCM encrypts the certificate and the private key under a key held by the "AndroidKeyStore"
 * provider and writes the Base64 ciphertexts and IVs through SharedPrefManager, and
 * loadCertificateData decrypts both again and returns them as PEM text.
 *
 * This is decompiler output. Helper names such as p.f, p.g, c.a, l.n, g.a, Result.a and
 * kotlin.io.a.a are obfuscated, so the comments below describe them only as far as the call
 * sites show and mark the rest as assumptions. Some control flow (see storeCertificateData and
 * loadCertificateData) is not valid or not faithful Java and should be checked against the
 * original source before drawing conclusions from it.
 */
public final class NaaSCertificateHandler {
    // Provider/keystore type used for the AES wrapping key.
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    // Keystore type used to parse the incoming certificate blob.
    private static final String ANDROID_PKCS12_STORE = "PKCS12";
    // Event name passed to NaaSTelemetrySender when an exception is reported.
    private static final String CERTIFICATE_HANDLER_ERROR = "NaaSCertificateHandleError";
    private static final String LOG_TAG = "NAAS_CERTIFICATE_HANDLER";
    // Password used for KeyStore.load and KeyStore.getKey on the incoming PKCS#12 blob.
    // NOTE(review): this is a compile-time constant shipped in the application, so it gives the
    // PKCS#12 container no confidentiality of its own; the blob has to be protected in transit
    // and at rest by other means. Confirm that is the intended design.
    private static final String PKCS_KEY = "GsaAndroid";

    /**
     * Decrypts one Base64-encoded AES-GCM ciphertext.
     *
     * @param encryptedText Base64 text of the ciphertext (decoded with flag 0, Base64.DEFAULT)
     * @param secretKey     AES key to decrypt with
     * @param cipherIV      Base64 text of the IV that was used for encryption
     * @return the plaintext bytes
     *
     * Mode 2 is Cipher.DECRYPT_MODE and 128 is the GCM tag length in bits. No exception is caught
     * here: a failed tag check or any other Cipher error propagates to the caller (the decompiled
     * signature carries no throws clause, presumably because the source is Kotlin).
     */
    private final byte[] decryptData(String encryptedText, SecretKey secretKey, String cipherIV) {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(2, secretKey, new GCMParameterSpec(128, Base64.decode(cipherIV, 0)));
        return cipher.doFinal(Base64.decode(encryptedText, 0));
    }

    /**
     * Wraps DER bytes in a PEM envelope with the given label.
     *
     * @param value bytes to encode
     * @param type  label placed in the BEGIN/END lines, e.g. "CERTIFICATE"
     * @return the PEM text
     *
     * The body is encoded with flag 0 (Base64.DEFAULT), which line-wraps the output and ends it
     * with a newline, so the END line starts on a line of its own.
     * NOTE(review): the returned String cannot be wiped; when the label is "PRIVATE KEY" the key
     * material stays on the heap until it is garbage collected.
     */
    private final String encodeToPEM(byte[] value, String type) {
        StringBuilder sb2 = new StringBuilder();
        sb2.append("-----BEGIN " + type + "-----\n");
        sb2.append(Base64.encodeToString(value, 0));
        sb2.append("-----END " + type + "-----\n");
        String sb3 = sb2.toString();
        // p.f is an obfuscated helper; presumably a Kotlin non-null check on the expression.
        p.f(sb3, "StringBuilder().apply(builderAction).toString()");
        return sb3;
    }

    /**
     * Generates a new AES key under the given alias in the "AndroidKeyStore" provider.
     *
     * @param keyStoreAlias alias the key is created under
     * @return the generated key
     *
     * Purpose 3 is PURPOSE_ENCRYPT | PURPOSE_DECRYPT; the key is restricted to GCM with no
     * padding. No key size and no user-authentication requirement are set, so both are whatever
     * the provider defaults to - NOTE(review): confirm the defaults match the intended strength.
     */
    private final SecretKey generateAesKey(String keyStoreAlias) {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(AES256KeyLoader.AES_ALGORITHM, ANDROID_KEY_STORE);
        try {
            KeyGenParameterSpec build = new KeyGenParameterSpec.Builder(keyStoreAlias, 3).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build();
            p.f(build, "Builder(keyStoreAlias,\n …\n                .build()");
            keyGenerator.init(build);
        } catch (Exception unused) {
            // NOTE(review): every failure to build or apply the key spec is swallowed here with a
            // debug message that only mentions test cases, and the exception itself is not
            // logged. generateKey() below then runs on a generator that was never initialised
            // with this spec. Production code should not depend on a test-only escape hatch;
            // confirm what this path does on a real device.
            MDLog.d(LOG_TAG, "Added for test cases");
        }
        SecretKey generateKey = keyGenerator.generateKey();
        p.f(generateKey, "keyGenerator.generateKey()");
        return generateKey;
    }

    /**
     * Reads the stored keystore alias.
     *
     * @return the value stored under "naasCertificateCN", or "" when nothing is stored
     */
    private final String getKeyStoreAlias() {
        String string = SharedPrefManager.getString("naas_certificate_data", "naasCertificateCN");
        return string == null ? "" : string;
    }

    /**
     * Returns the AES key stored under the alias, creating one when there is none.
     *
     * @param keyStoreAlias alias to look up in the "AndroidKeyStore" keystore
     * @return the existing SecretKey, or a newly generated one when the entry is missing or is
     *         not a SecretKey
     *
     * NOTE(review): the decrypt path calls this too. If the key entry has disappeared, a fresh
     * key is generated silently and the following decryption fails its GCM tag check instead of
     * reporting that the key is missing.
     */
    private final SecretKey getOrCreateAesKey(String keyStoreAlias) {
        KeyStore keyStore = KeyStore.getInstance(ANDROID_KEY_STORE);
        keyStore.load(null);
        Key key = keyStore.getKey(keyStoreAlias, null);
        SecretKey secretKey = key instanceof SecretKey ? (SecretKey) key : null;
        return secretKey == null ? generateAesKey(keyStoreAlias) : secretKey;
    }

    /**
     * Routes a Throwable to handleException when it is an Exception, otherwise only logs it.
     *
     * @param throwable the failure to report
     */
    private final void handleAndLogException(Throwable throwable) {
        if (throwable instanceof Exception) {
            handleException((Exception) throwable);
        } else {
            // Errors and other non-Exception throwables are logged but not sent to telemetry.
            MDLog.c(LOG_TAG, "An unexpected error occurred", throwable);
        }
    }

    /**
     * Builds a message for the exception by type, sends it to telemetry and logs it.
     *
     * @param e10 the exception to report
     *
     * c.a is an obfuscated helper; from the call sites it appears to join the prefix and the
     * exception message into one String - TODO confirm.
     * A failed GCM tag check is raised as AEADBadTagException, a subclass of BadPaddingException,
     * so authentication failures are reported under the "Bad padding: " prefix.
     * NOTE(review): the raw exception message is forwarded to telemetry; confirm that no message
     * on these paths can carry certificate subject data or key material.
     */
    private final void handleException(Exception e10) {
        String a10 = e10 instanceof KeyStoreException ? c.a("KeyStore initialization error: ", e10.getMessage()) : e10 instanceof CertificateException ? c.a("Certificate processing error: ", e10.getMessage()) : e10 instanceof UnrecoverableKeyException ? c.a("Private key retrieval error: ", e10.getMessage()) : e10 instanceof IOException ? c.a("Certificate data reading error: ", e10.getMessage()) : e10 instanceof NoSuchAlgorithmException ? c.a("Algorithm not available: ", e10.getMessage()) : e10 instanceof NoSuchPaddingException ? c.a("Padding scheme not available: ", e10.getMessage()) : e10 instanceof InvalidKeyException ? c.a("Invalid key: ", e10.getMessage()) : e10 instanceof InvalidAlgorithmParameterException ? c.a("Invalid algorithm parameters: ", e10.getMessage()) : e10 instanceof IllegalBlockSizeException ? c.a("Illegal block size: ", e10.getMessage()) : e10 instanceof BadPaddingException ? c.a("Bad padding: ", e10.getMessage()) : e10 instanceof IllegalArgumentException ? c.a("Invalid argument: ", e10.getMessage()) : c.a("An unexpected error occurred: ", e10.getMessage());
        NaaSTelemetrySender.a.a(CERTIFICATE_HANDLER_ERROR, "NaaS", a10);
        MDLog.c(LOG_TAG, a10, e10);
    }

    /**
     * Encrypts the private key and the certificate and writes them to shared preferences.
     *
     * @param cnName      value stored as "naasCertificateCN" and used as the keystore alias
     * @param certificate certificate whose encoded form is stored under "naasEncryptedCert"
     * @param privateKey  key whose encoded form is stored under "naasEncryptedKey"
     *
     * Each ciphertext is stored next to its own IV ("...IV" keys), all Base64 with flag 0.
     * NOTE(review): the private key is taken out as plain bytes (getEncoded) and wrapped by the
     * app rather than imported into the keystore as a non-exportable entry, and the plaintext
     * array "encoded" is not cleared in this method.
     */
    private final void storeCertificateInfo(String cnName, X509Certificate certificate, PrivateKey privateKey) {
        SharedPrefManager.setString("naas_certificate_data", "naasCertificateCN", cnName);
        SecretKey orCreateAesKey = getOrCreateAesKey(cnName);
        byte[] encoded = privateKey.getEncoded();
        p.f(encoded, "privateKey.encoded");
        Pair<byte[], byte[]> encryptData = encryptData(encoded, orCreateAesKey);
        // NOTE(review): encryptData in this class never returns null; on failure it returns two
        // empty arrays. This check therefore always passes and a failed encryption is persisted
        // as empty strings instead of being reported to the caller.
        if (encryptData != null) {
            byte[] component1 = encryptData.component1();
            byte[] component2 = encryptData.component2();
            SharedPrefManager.setString("naas_certificate_data", "naasEncryptedKey", Base64.encodeToString(component1, 0));
            SharedPrefManager.setString("naas_certificate_data", "naasEncryptedKeyIV", Base64.encodeToString(component2, 0));
        }
        byte[] encoded2 = certificate.getEncoded();
        p.f(encoded2, "certificate.encoded");
        Pair<byte[], byte[]> encryptData2 = encryptData(encoded2, orCreateAesKey);
        // Same always-true check as above.
        if (encryptData2 != null) {
            byte[] component12 = encryptData2.component1();
            byte[] component22 = encryptData2.component2();
            SharedPrefManager.setString("naas_certificate_data", "naasEncryptedCert", Base64.encodeToString(component12, 0));
            SharedPrefManager.setString("naas_certificate_data", "naasEncryptedCertIV", Base64.encodeToString(component22, 0));
        }
    }

    /**
     * Encodes certificate bytes as PEM with the "CERTIFICATE" label.
     *
     * @param value encoded certificate bytes
     * @return the PEM text
     */
    public final String encodeToPEMCert(byte[] value) {
        return encodeToPEM(value, "CERTIFICATE");
    }

    /**
     * Encodes private key bytes as PEM with the "PRIVATE KEY" label.
     *
     * @param value encoded private key bytes
     * @return the PEM text, which contains the unencrypted key
     */
    public final String encodeToPEMPrivate(byte[] value) {
        return encodeToPEM(value, "PRIVATE KEY");
    }

    /**
     * Encrypts data with AES-GCM under the given key.
     *
     * @param data      plaintext bytes
     * @param secretKey AES key to encrypt with
     * @return a pair of (ciphertext, IV); on any exception a pair of two empty arrays
     *
     * Mode 1 is Cipher.ENCRYPT_MODE. No IV is supplied to init; the IV the cipher used is read
     * back with getIV() after doFinal.
     * NOTE(review): failure is signalled only by the empty pair (after handleException has
     * reported it). Callers must test for empty arrays; a null check does not detect it.
     */
    public final Pair<byte[], byte[]> encryptData(byte[] data, SecretKey secretKey) {
        // p.g is an obfuscated helper; presumably a Kotlin non-null parameter check.
        p.g(data, "data");
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(1, secretKey);
            return new Pair<>(cipher.doFinal(data), cipher.getIV());
        } catch (Exception e10) {
            handleException(e10);
            return new Pair<>(new byte[0], new byte[0]);
        }
    }

    /**
     * Reports whether a certificate has been stored.
     *
     * @return true when both the stored alias and the "naasEncryptedCert" value are non-empty
     *
     * Only the certificate entry is checked; the encrypted private key and the IVs are not.
     */
    public final boolean isCertificatePresent() {
        String string;
        return (getKeyStoreAlias().length() <= 0 || (string = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCert")) == null || string.length() == 0) ? false : true;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v0, types: [java.lang.String] */
    /* JADX WARN: Type inference failed for: r1v2, types: [T] */
    /* JADX WARN: Type inference failed for: r1v3 */
    /* JADX WARN: Type inference failed for: r4v10 */
    /* JADX WARN: Type inference failed for: r4v11 */
    /* JADX WARN: Type inference failed for: r4v12, types: [T] */
    /* JADX WARN: Type inference failed for: r4v13 */
    /* JADX WARN: Type inference failed for: r4v17 */
    /**
     * Decrypts the stored certificate and private key and returns both as PEM text.
     *
     * @return a pair of (certificate PEM, private key PEM); either part is "" when nothing is
     *         stored for it or when its decryption failed
     *
     * Decryption failures are reported through handleAndLogException and then turned into "", so
     * the caller cannot tell "not stored" from "stored but undecryptable".
     * The "??" declaration and the comparison with 0 below are decompiler placeholders for a
     * nullable String; they are not valid Java (see the JADX warnings above).
     * NOTE(review): the second element is the unencrypted private key as a String.
     */
    public final Pair<String, String> loadCertificateData() {
        Object a10;
        Object a11;
        // ref$ObjectRef holds the private key PEM, ref$ObjectRef2 the certificate PEM.
        Ref$ObjectRef ref$ObjectRef = new Ref$ObjectRef();
        ref$ObjectRef.element = "";
        Ref$ObjectRef ref$ObjectRef2 = new Ref$ObjectRef();
        ref$ObjectRef2.element = "";
        if (isCertificatePresent()) {
            String string = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCert");
            String string2 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedCertIV");
            String string3 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedKey");
            String string4 = SharedPrefManager.getString("naas_certificate_data", "naasEncryptedKeyIV");
            if (string != null && string2 != null) {
                // g.a and Result.a are obfuscated; this looks like a Kotlin runCatching block
                // (wrap the failure, then read it back) - TODO confirm.
                try {
                    a11 = decryptData(string, getOrCreateAesKey(getKeyStoreAlias()), string2);
                } catch (Throwable th2) {
                    a11 = g.a(th2);
                }
                Throwable a12 = Result.a(a11);
                if (a12 != null) {
                    handleAndLogException(a12);
                    a11 = null;
                }
                byte[] bArr = (byte[]) a11;
                ?? encodeToPEMCert = bArr != null ? encodeToPEMCert(bArr) : 0;
                if (encodeToPEMCert == 0) {
                    encodeToPEMCert = "";
                }
                ref$ObjectRef2.element = encodeToPEMCert;
            }
            if (string3 != null && string4 != null) {
                // Same pattern for the private key. The decrypted array bArr2 is not cleared
                // after it has been encoded.
                try {
                    a10 = decryptData(string3, getOrCreateAesKey(getKeyStoreAlias()), string4);
                } catch (Throwable th3) {
                    a10 = g.a(th3);
                }
                Throwable a13 = Result.a(a10);
                if (a13 != null) {
                    handleAndLogException(a13);
                    a10 = null;
                }
                byte[] bArr2 = (byte[]) a10;
                String encodeToPEMPrivate = bArr2 != null ? encodeToPEMPrivate(bArr2) : null;
                ref$ObjectRef.element = encodeToPEMPrivate != null ? encodeToPEMPrivate : "";
            }
        }
        return new Pair<>(ref$ObjectRef2.element, ref$ObjectRef.element);
    }

    /**
     * Parses a PKCS#12 blob and stores its certificate and private key.
     *
     * @param certificateData PKCS#12 bytes; the listing throws IllegalArgumentException for null
     *
     * The blob is loaded with the PKCS_KEY password. Only the first alias returned by the
     * keystore is examined: if it is a key entry, its certificate must be an X509Certificate and
     * its key a PrivateKey, and both go to storeCertificateInfo together with the subject name.
     * If the first alias is not a key entry nothing is stored and nothing is reported.
     *
     * NOTE(review): the try/catch layout here is decompiler output. As printed, the empty try
     * makes the first two handlers unreachable and nothing after them is covered by a catch;
     * the original most likely had one try/catch/finally around the whole body. Check the
     * original source before relying on the error handling shown.
     */
    public final void storeCertificateData(byte[] certificateData) {
        try {
            try {
            } catch (Throwable th2) {
                if (certificateData != null) {
                    // l.n is obfuscated; presumably it overwrites the input array - TODO confirm.
                    l.n(certificateData);
                }
                throw th2;
            }
        } catch (Exception e10) {
            handleException(e10);
            if (certificateData == null) {
                return;
            }
        }
        if (certificateData == null) {
            throw new IllegalArgumentException("certificateData cannot be null");
        }
        KeyStore keyStore = KeyStore.getInstance(ANDROID_PKCS12_STORE);
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(certificateData);
        try {
            // The password arrays created here and below are not cleared; the password is a
            // constant in any case (see PKCS_KEY).
            char[] charArray = PKCS_KEY.toCharArray();
            p.f(charArray, "this as java.lang.String).toCharArray()");
            keyStore.load(byteArrayInputStream, charArray);
            q qVar = q.f23963a;
            // kotlin.io.a.a is obfuscated; presumably it closes the stream - TODO confirm.
            kotlin.io.a.a(byteArrayInputStream, null);
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                throw new IllegalStateException("No aliases found in the PKCS#12 keystore");
            }
            String nextElement = aliases.nextElement();
            if (keyStore.isKeyEntry(nextElement)) {
                Certificate certificate = keyStore.getCertificate(nextElement);
                X509Certificate x509Certificate = certificate instanceof X509Certificate ? (X509Certificate) certificate : null;
                if (x509Certificate == null) {
                    throw new CertificateException("Retrieved certificate is not an instance of X509Certificate");
                }
                char[] charArray2 = PKCS_KEY.toCharArray();
                p.f(charArray2, "this as java.lang.String).toCharArray()");
                Key key = keyStore.getKey(nextElement, charArray2);
                PrivateKey privateKey = key instanceof PrivateKey ? (PrivateKey) key : null;
                if (privateKey == null) {
                    throw new UnrecoverableKeyException("Retrieved key is not an instance of PrivateKey");
                }
                // getName() returns the whole subject distinguished name, not only the CN part,
                // although the value is stored and used as "cnName".
                // NOTE(review): the certificate is not checked for validity period or issuer
                // anywhere in this class; confirm that happens elsewhere if it is required.
                String cnName = x509Certificate.getSubjectX500Principal().getName();
                p.f(cnName, "cnName");
                storeCertificateInfo(cnName, x509Certificate, privateKey);
            }
            // Presumably wipes the caller's PKCS#12 bytes once they have been processed; as
            // printed this line is skipped when anything above throws.
            l.n(certificateData);
        } catch (Throwable th3) {
            try {
                throw th3;
            } catch (Throwable th4) {
                kotlin.io.a.a(byteArrayInputStream, th3);
                throw th4;
            }
        }
    }
}
