package org.cryptomator.util.crypto;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import com.google.common.base.Preconditions;
import com.google.common.io.BaseEncoding;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDHDecrypter;
import com.nimbusds.jose.crypto.ECDHEncrypter;
import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.AbstractMap;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.function.Function;
import org.cryptomator.cryptolib.api.CryptoException;
import org.cryptomator.cryptolib.api.Masterkey;
import org.cryptomator.cryptolib.api.MasterkeyLoadingFailedException;
import org.cryptomator.cryptolib.common.MessageDigestSupplier;
import org.cryptomator.cryptolib.common.ObjectPool;
import timber.log.Timber;

/* loaded from: classes5.dex */
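/**
 * Device-side key handling for Cryptomator Hub unlock on Android.
 *
 * <p>A P-384 EC key pair ("device key") lives in the {@code AndroidKeyStore} under
 * {@link #DEFAULT_KEY_ALIAS}. Keys travel as JWE objects whose JSON payload holds a
 * single field {@code "key"} with the Base64-encoded raw key bytes:
 * <ul>
 *   <li>the user key (an EC private key, PKCS#8) is either password-protected
 *       (PBES2, see {@link #decryptUserKey(JWEObject, String)}) or ECDH-ES encrypted
 *       to this device's public key;</li>
 *   <li>the vault masterkey is ECDH-ES encrypted to the user key.</li>
 * </ul>
 *
 * <p>Decrypted key bytes are zeroed as soon as they have been turned into key objects,
 * and decrypted payload contents are never written to the log.
 */
public class HubDeviceCryptor {
    static final String DEFAULT_KEYSTORE_NAME = "AndroidKeyStore";
    static final String DEFAULT_KEY_ALIAS = "hubDeviceKey";
    private static final String EC_ALG = "EC";
    private static final String JWE_PAYLOAD_KEY_FIELD = "key";
    private static final String LOG_TAG = "HubDeviceCryptor";
    private final KeyStore keyStore;

    /** Thrown when a JWE cannot be decrypted with the supplied key or password. */
    public static class InvalidJweKeyException extends CryptoException {
        public InvalidJweKeyException(Throwable th) {
            super("Invalid key", th);
        }
    }

    /** Thrown when raw key bytes cannot be parsed into a key object. */
    public static class KeyDecodeFailedException extends CryptoException {
        public KeyDecodeFailedException(Throwable th) {
            super("Malformed key", th);
        }
    }

    /**
     * Opens the given key store and generates the device key pair if it does not exist yet.
     *
     * @param keyStore the (not yet loaded) key store holding the device key
     * @throws IllegalStateException if the platform is older than Android 12 or the
     *         key store cannot be loaded / the key pair cannot be generated
     */
    HubDeviceCryptor(KeyStore keyStore) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) {
            throw new IllegalStateException("Hub unlock is only supported for devices using Android >= 12");
        }
        this.keyStore = keyStore;
        try {
            keyStore.load(null);
            if (!keyStore.containsAlias(DEFAULT_KEY_ALIAS)) {
                generateDeviceKeyPair();
            }
        } catch (IOException | InvalidAlgorithmParameterException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
            throw new IllegalStateException("Failed to initialise Hub device key", e);
        }
    }

    /**
     * Generates the P-384 device key pair inside the Android key store.
     *
     * <p>The purpose mask {@code PURPOSE_AGREE_KEY | PURPOSE_DECRYPT} equals the raw
     * value 66 that was passed before; key agreement is what the ECDH-ES decryption
     * in {@link #decryptUserKey(JWEObject, PrivateKey)} needs.
     */
    private static void generateDeviceKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(EC_ALG, DEFAULT_KEYSTORE_NAME);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(DEFAULT_KEY_ALIAS, KeyProperties.PURPOSE_AGREE_KEY | KeyProperties.PURPOSE_DECRYPT)
                .setAlgorithmParameterSpec(new ECGenParameterSpec(Curve.P_384.getStdName()))
                .setDigests(KeyProperties.DIGEST_SHA256)
                // key use is not gated behind a user authentication prompt
                .setUserAuthenticationRequired(false)
                .build();
        keyPairGenerator.initialize(spec);
        keyPairGenerator.generateKeyPair();
    }

    /**
     * Parses PKCS#8-encoded EC private key bytes.
     *
     * @param pkcs8 PKCS#8 DER encoding of an EC private key
     * @return the parsed key
     * @throws KeyDecodeFailedException if the bytes are not a valid EC private key
     * @throws IllegalStateException if the platform has no EC key factory
     */
    public static ECPrivateKey decodeECPrivateKey(byte[] pkcs8) throws KeyDecodeFailedException {
        try {
            PrivateKey privateKey = KeyFactory.getInstance(EC_ALG).generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
            if (privateKey instanceof ECPrivateKey) {
                return (ECPrivateKey) privateKey;
            }
            throw new IllegalStateException("EC key factory not generating ECPrivateKeys");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("EC not supported", e);
        } catch (InvalidKeySpecException e) {
            throw new KeyDecodeFailedException(e);
        }
    }

    /**
     * Decrypts a password-protected (PBES2) user key JWE.
     *
     * @param jwe the encrypted user key
     * @param password the user's password
     * @return the user's EC private key
     * @throws InvalidJweKeyException if decryption fails (wrong password or malformed JWE)
     * @throws MasterkeyLoadingFailedException if the decrypted payload is not the expected JSON
     */
    public static ECPrivateKey decryptUserKey(JWEObject jwe, String password) throws InvalidJweKeyException {
        try {
            jwe.decrypt(new PasswordBasedDecrypter(password));
            return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, HubDeviceCryptor::decodeECPrivateKey);
        } catch (JOSEException e) {
            throw new InvalidJweKeyException(e);
        }
    }

    /**
     * Decrypts a user key JWE that was ECDH-ES encrypted to this device's public key.
     *
     * <p>The key-store-backed device key is an opaque {@link PrivateKey} rather than an
     * {@link ECPrivateKey}, so the curve has to be supplied explicitly to the decrypter.
     *
     * @param jwe the encrypted user key
     * @param deviceKey the device private key (typically from the Android key store)
     * @return the user's EC private key
     * @throws InvalidJweKeyException if decryption fails
     * @throws MasterkeyLoadingFailedException if the decrypted payload is not the expected JSON
     */
    public static ECPrivateKey decryptUserKey(JWEObject jwe, PrivateKey deviceKey) throws InvalidJweKeyException {
        try {
            jwe.decrypt(new ECDHDecrypter(deviceKey, null, Curve.P_384));
            return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, HubDeviceCryptor::decodeECPrivateKey);
        } catch (JOSEException e) {
            throw new InvalidJweKeyException(e);
        }
    }

    /**
     * Decrypts a vault masterkey JWE that was ECDH-ES encrypted to the user key.
     *
     * @param jwe the encrypted vault masterkey
     * @param userKey the user's EC private key
     * @return the vault masterkey
     * @throws InvalidJweKeyException if decryption fails
     * @throws MasterkeyLoadingFailedException if the decrypted payload is not the expected JSON
     */
    public static Masterkey decryptVaultKey(JWEObject jwe, ECPrivateKey userKey) throws InvalidJweKeyException {
        try {
            jwe.decrypt(new ECDHDecrypter(userKey));
            // Masterkey(byte[]) must copy its input: readKey zeroes the bytes after the factory returns.
            return readKey(jwe, JWE_PAYLOAD_KEY_FIELD, Masterkey::new);
        } catch (JOSEException e) {
            throw new InvalidJweKeyException(e);
        }
    }

    /**
     * Wraps the encoding of {@code key} in a JWE (ECDH-ES + A256GCM) for {@code recipientKey}.
     *
     * @param key the key to wrap; its {@link Key#getEncoded()} form is transported
     * @param recipientKey the EC public key of the recipient
     * @return the encrypted JWE
     * @throws IllegalStateException if the key has no encoding or encryption fails
     */
    private static JWEObject encryptKey(Key key, ECPublicKey recipientKey) {
        byte[] encodedKey = key.getEncoded();
        if (encodedKey == null) {
            throw new IllegalStateException("Encoded key is null");
        }
        try {
            String encodedKeyBase64 = Base64.getEncoder().encodeToString(encodedKey);
            // NOTE(review): nimbus' ECDHEncrypter is believed to generate and set its own
            // ephemeral key in the header, which would make this builder call redundant — confirm.
            JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES, EncryptionMethod.A256GCM)
                    .ephemeralPublicKey(new ECKeyGenerator(Curve.P_384).generate().toPublicJWK())
                    .build();
            Payload payload = new Payload(Map.<String, Object>of(JWE_PAYLOAD_KEY_FIELD, encodedKeyBase64));
            JWEObject jwe = new JWEObject(header, payload);
            jwe.encrypt(new ECDHEncrypter(recipientKey));
            return jwe;
        } catch (JOSEException e) {
            throw new IllegalStateException("Failed to encrypt key", e);
        }
    }

    /**
     * Encrypts the user's private key to the given device public key.
     *
     * @param userKey the user's EC private key
     * @param devicePublicKey the recipient device's public key
     * @return the encrypted JWE
     */
    public static JWEObject encryptUserKey(ECPrivateKey userKey, ECPublicKey devicePublicKey) {
        return encryptKey(userKey, devicePublicKey);
    }

    /**
     * Creates a cryptor backed by the Android key store.
     *
     * @throws IllegalStateException if the key store is unavailable or the device key cannot be set up
     */
    public static HubDeviceCryptor getInstance() {
        try {
            return new HubDeviceCryptor(KeyStore.getInstance(DEFAULT_KEYSTORE_NAME));
        } catch (KeyStoreException e) {
            throw new IllegalStateException("Failed to open " + DEFAULT_KEYSTORE_NAME, e);
        }
    }

    /**
     * Reads the Base64-encoded key from field {@code keyField} of a decrypted JWE's JSON payload
     * and turns it into a key object.
     *
     * <p>The decoded bytes are zeroed in all paths once {@code rawKeyFactory} has returned or
     * thrown; the factory must therefore copy them. Log messages deliberately omit the payload,
     * because a decrypted payload contains private key material.
     *
     * @param jwe a JWE in state {@link JWEObject.State#DECRYPTED}
     * @param keyField the payload field holding the Base64 key
     * @param rawKeyFactory converts the raw key bytes into the result type
     * @return the key object
     * @throws MasterkeyLoadingFailedException if the payload is not JSON, lacks the field,
     *         is not valid Base64, or the factory rejects the bytes
     * @throws IllegalArgumentException if the JWE has not been decrypted
     */
    private static <T> T readKey(JWEObject jwe, String keyField, Function<byte[], T> rawKeyFactory) throws MasterkeyLoadingFailedException {
        Preconditions.checkArgument(jwe.getState() == JWEObject.State.DECRYPTED, "JWE must be decrypted before reading its payload");
        Map<String, Object> fields = jwe.getPayload().toJSONObject();
        if (fields == null) {
            Timber.tag(LOG_TAG).e("Expected JWE payload to be JSON");
            throw new MasterkeyLoadingFailedException("Expected JWE payload to be JSON");
        }
        byte[] keyBytes = null;
        try {
            Object value = fields.get(keyField);
            if (!(value instanceof String)) {
                throw new IllegalArgumentException("JWE payload doesn't contain field " + keyField);
            }
            keyBytes = Base64.getDecoder().decode((String) value);
            return rawKeyFactory.apply(keyBytes);
        } catch (IllegalArgumentException | KeyDecodeFailedException e) {
            Timber.tag(LOG_TAG).e("Unexpected JWE payload (field " + keyField + ")");
            throw new MasterkeyLoadingFailedException("Unexpected JWE payload", e);
        } finally {
            // zero the raw key in the failure path too, not only after a successful factory call
            if (keyBytes != null) {
                Arrays.fill(keyBytes, (byte) 0);
            }
        }
    }

    /**
     * Unwraps the vault masterkey with this device: first the user key JWE with the
     * device key, then the vault key JWE with the user key.
     *
     * @param vaultKeyJwe the vault masterkey encrypted to the user key
     * @param userKeyJwe the user key encrypted to this device's public key
     * @return the vault masterkey
     * @throws IllegalStateException if the device key cannot be retrieved from the key store
     * @throws InvalidJweKeyException if either decryption fails
     */
    public Masterkey decryptVaultKey(JWEObject vaultKeyJwe, JWEObject userKeyJwe) {
        try {
            Key deviceKey = this.keyStore.getKey(DEFAULT_KEY_ALIAS, null);
            if (!(deviceKey instanceof PrivateKey)) {
                throw new IllegalStateException("No private key for alias " + DEFAULT_KEY_ALIAS + " in " + DEFAULT_KEYSTORE_NAME);
            }
            ECPrivateKey userKey = decryptUserKey(userKeyJwe, (PrivateKey) deviceKey);
            return decryptVaultKey(vaultKeyJwe, userKey);
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new IllegalStateException("Failed to access Hub device key", e);
        }
    }

    /**
     * Returns the device id: the upper-case hex SHA-256 of the encoded device public key.
     */
    public String getDeviceId() {
        byte[] devicePublicKeyEncoded = getDevicePublicKeyEncoded();
        try (ObjectPool.Lease<MessageDigest> sha256 = MessageDigestSupplier.SHA256.instance()) {
            return BaseEncoding.base16().encode(sha256.get().digest(devicePublicKeyEncoded));
        }
    }

    /**
     * Returns the device public key from the key store certificate.
     *
     * @throws IllegalStateException if the key store cannot be read or holds no certificate for the alias
     */
    public ECPublicKey getDevicePublicKey() {
        try {
            Certificate certificate = this.keyStore.getCertificate(DEFAULT_KEY_ALIAS);
            if (certificate == null) {
                throw new IllegalStateException("No certificate for alias " + DEFAULT_KEY_ALIAS + " in " + DEFAULT_KEYSTORE_NAME);
            }
            return (ECPublicKey) certificate.getPublicKey();
        } catch (KeyStoreException e) {
            throw new IllegalStateException("Failed to read Hub device public key", e);
        }
    }

    /**
     * Returns the encoded (X.509 SubjectPublicKeyInfo, as per {@link Key#getEncoded()}) device public key.
     *
     * @throws IllegalStateException if the key has no encoding
     */
    public byte[] getDevicePublicKeyEncoded() {
        byte[] encoded = getDevicePublicKey().getEncoded();
        if (encoded == null) {
            throw new IllegalStateException("Encoded Hub device key is null");
        }
        return encoded;
    }

    /**
     * Converts a password-protected user key JWE into one encrypted to this device's public key.
     *
     * @param jwe the password-protected user key
     * @param password the user's password
     * @return the user key re-encrypted for this device
     * @throws InvalidJweKeyException if the password does not decrypt the JWE
     */
    public JWEObject reEncryptUserKey(JWEObject jwe, String password) {
        return encryptUserKey(decryptUserKey(jwe, password), getDevicePublicKey());
    }
}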
