package com.microsoft.omadm.apppolicy;

import android.content.Context;
import android.os.Build;
import android.util.Log;
import com.microsoft.intune.mam.client.telemetry.events.TrackedOccurrence;
import com.microsoft.omadm.apppolicy.MAMKeyProtector;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.logging.MAMTelemetryLogger;
import com.microsoft.omadm.utils.CryptoUtils;
import com.microsoft.omadm.utils.DataEncryptionUtils;
import java.nio.ByteBuffer;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.SecretKey;

/* loaded from: classes.dex */
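/**
 * Wraps small secrets with a key held in the Android KeyStore, falling back to a
 * file-backed key ({@link DataEncryptionUtils}) when no KeyStore scheme works.
 *
 * <p>Blob layout produced by {@link #encrypt(byte[])}: one header byte identifying the
 * {@link CryptoType}, followed by the ciphertext. For the KeyStore-backed types (AES, RSA)
 * the plaintext is prefixed with the 3-byte canary {@code "MAM"} before encryption; the
 * file-backed path encrypts the caller's bytes without a canary.
 *
 * <p>NOTE(review): the header byte is prepended after encryption, so nothing in this class
 * binds it to the ciphertext; whoever can rewrite a stored blob selects the decryption path.
 * <br>NOTE(review): the canary tells "wrong or regenerated key" apart from "right key"; it is
 * not an integrity check. The RSA transformation is PKCS#1 v1.5 and the AES constant is named
 * CBC/PKCS7, neither of which is an authenticated mode. Confirm the AES value in CryptoUtils
 * and whether stored blobs need tamper detection.
 *
 * <p>This file is decompiler output (JADX); the "Access modifiers changed" comments record the
 * visibility the compiled class actually had.
 */
public class MAMKeyProtector {
    private static final String AES_KEY_ALIAS = "MAMKeyProtector_AES256";
    // Upper bound on the stack-trace text attached to a telemetry event.
    private static final int MAX_ERROR_STACK_LENGTH = 3072;
    private static final String RSA_KEY_ALIAS = "EscrowedKeyProtector";
    // Kept as decompiled; this class does not implement Serializable in the visible source.
    private static final long serialVersionUID = 3965721945633867088L;
    private final Context mContext;
    private final MAMTelemetryLogger telemetryLogger;
    private static final Logger LOGGER = Logger.getLogger(MAMKeyProtector.class.getName());
    // ASCII "MAM": known plaintext prepended before KeyStore-backed encryption.
    private static final byte[] CANARY_PREFIX = {77, 65, 77};
    // Order matters: encrypt() tries AES first and RSA second.
    private static final List<CryptoType> PREFERRED_CRYPTO_OPERATIONS = Collections.unmodifiableList(Arrays.asList(CryptoType.AES, CryptoType.RSA));

    /** Creates a new key of type {@code K} inside the given KeyStore. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes2.dex */
    public interface CreateKey<K> {
        K createKey(KeyStore keyStore) throws OMADMException;
    }

    /**
     * Encryption schemes a blob can be tagged with. {@code headerKey} is the first byte of
     * every blob; {@code keyAlias} and {@code cipherAlgorithm} are null for the file-backed
     * scheme, which does not use the KeyStore.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public enum CryptoType {
        RSA((byte) 1, RSA_KEY_ALIAS, "RSA/None/PKCS1Padding", 0),
        EncryptionUtils((byte) 2, null, null, 0),
        AES((byte) 3, AES_KEY_ALIAS, CryptoUtils.AES_CBC_PKCS7PADDING, 23);

        final String cipherAlgorithm;
        final byte headerKey;
        final String keyAlias;
        private final int minOSVersion;

        CryptoType(byte headerKey, String keyAlias, String cipherAlgorithm, int minOSVersion) {
            this.headerKey = headerKey;
            this.keyAlias = keyAlias;
            this.cipherAlgorithm = cipherAlgorithm;
            this.minOSVersion = minOSVersion;
        }

        /**
         * Maps a blob's header byte to its scheme.
         *
         * @throws OMADMException if the byte matches no known scheme
         */
        static CryptoType fromHeaderKey(byte b) throws OMADMException {
            for (CryptoType candidate : values()) {
                if (candidate.headerKey == b) {
                    return candidate;
                }
            }
            throw new OMADMException("Data was not encrypted by this class");
        }

        /** Returns true when the running OS is at least this scheme's minimum API level. */
        boolean isSupported() {
            return Build.VERSION.SDK_INT >= this.minOSVersion;
        }
    }

    /** Looks up an existing key of type {@code K} in the given KeyStore. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes2.dex */
    public interface GetKey<K> {
        K getKey(KeyStore keyStore) throws OMADMException;
    }

    /**
     * Signals that the key needed for a blob is missing or no longer matches, so data
     * protected by it cannot be recovered.
     */
    /* loaded from: classes.dex */
    public static class KeyStoreResetException extends Exception {
        private static final long serialVersionUID = 1465821949633867122L;

        public KeyStoreResetException(String str) {
            super(str);
        }

        public KeyStoreResetException(String str, Throwable th) {
            super(str, th);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public MAMKeyProtector(Context context, MAMTelemetryLogger mAMTelemetryLogger) {
        this.mContext = context;
        this.telemetryLogger = mAMTelemetryLogger;
    }

    /** Decrypts {@code data[offset..]} with the existing key for {@code cryptoType}. */
    private byte[] doDecrypt(byte[] data, int offset, CryptoType cryptoType) throws OMADMException, KeyStoreResetException {
        return CryptoUtils.decryptData(cryptoType.cipherAlgorithm, data, offset, data.length - offset, getKeyForDecryption(cryptoType));
    }

    /** Encrypts {@code data[offset..]} with the key for {@code cryptoType}, creating it if needed. */
    private byte[] doEncrypt(byte[] data, int offset, CryptoType cryptoType) throws OMADMException {
        return CryptoUtils.encryptData(cryptoType.cipherAlgorithm, data, offset, data.length - offset, getKeyForEncryption(cryptoType));
    }

    /** Prepends the scheme's header byte to the ciphertext. */
    private byte[] encodeData(byte[] ciphertext, CryptoType cryptoType) {
        ByteBuffer buffer = ByteBuffer.allocate(ciphertext.length + 1);
        buffer.put(cryptoType.headerKey);
        buffer.put(ciphertext);
        return buffer.array();
    }

    /** Returns the existing AES key; never creates one (decryption path). */
    private Key getAESSecretKey() throws OMADMException, KeyStoreResetException {
        if (!CryptoType.AES.isSupported()) {
            throw new OMADMException("AES encryption is not supported in the Android KeyStore on this version of the OS.");
        }
        final String alias = CryptoType.AES.keyAlias;
        return getKey(CryptoType.AES, keyStore -> CryptoUtils.getSecretKeyInAndroidKeyStore(keyStore, alias));
    }

    /** Loads the Android KeyStore and looks the key up in it. */
    private <K> K getKey(CryptoType cryptoType, GetKey<K> getKey) throws OMADMException, KeyStoreResetException {
        return getKey(CryptoUtils.loadAndroidKeyStore(), cryptoType, getKey);
    }

    /**
     * Runs the lookup and converts every failure, including a null result, into
     * {@link KeyStoreResetException}.
     */
    private <K> K getKey(KeyStore keyStore, CryptoType cryptoType, GetKey<K> getKey) throws KeyStoreResetException {
        try {
            K key = getKey.getKey(keyStore);
            if (key == null) {
                // Caught by the handler below and rewrapped with the "unrecoverable" message.
                throw new KeyStoreResetException("KeyStore result not found for " + cryptoType);
            }
            LOGGER.fine("KeyStore result found for " + cryptoType);
            return key;
        } catch (Exception e) {
            String message = cryptoType + " key was unrecoverable in store";
            LOGGER.log(Level.WARNING, message, e);
            throw new KeyStoreResetException(message, e);
        }
    }

    /** Returns the existing decryption key for a KeyStore-backed scheme. */
    private Key getKeyForDecryption(CryptoType cryptoType) throws OMADMException, KeyStoreResetException {
        switch (cryptoType) {
            case RSA:
                return getRSAPrivateKey();
            case AES:
                return getAESSecretKey();
            default:
                throw new OMADMException("Unsupported CryptoType: " + cryptoType);
        }
    }

    /** Returns the encryption key for a KeyStore-backed scheme, generating it when absent. */
    /* JADX INFO: Access modifiers changed from: private */
    public Key getKeyForEncryption(CryptoType cryptoType) throws OMADMException {
        switch (cryptoType) {
            case RSA:
                return getOrGenerateRSAPublicKey();
            case AES:
                return getOrGenerateAESSecretKey();
            default:
                throw new OMADMException("Unsupported CryptoType: " + cryptoType);
        }
    }

    /** Returns the AES key, generating it in the KeyStore when it cannot be read. */
    private Key getOrGenerateAESSecretKey() throws OMADMException {
        if (!CryptoType.AES.isSupported()) {
            throw new OMADMException("AES encryption is not supported in the Android KeyStore on this version of the OS.");
        }
        final String alias = CryptoType.AES.keyAlias;
        return getOrGenerateKey(
                CryptoType.AES,
                keyStore -> CryptoUtils.getSecretKeyInAndroidKeyStore(keyStore, alias),
                keyStore -> CryptoUtils.generateAESKeyInAndroidKeyStore(keyStore, alias));
    }

    /**
     * Returns the existing key, or creates one when the lookup fails.
     *
     * <p>Creation runs under a lock on the enum constant, which is one object per process, so
     * key generation for a given scheme is serialized across all instances. The lookup is
     * repeated inside the lock so a key created by a concurrent caller is reused.
     *
     * <p>NOTE(review): any lookup failure leads to generating a new key under the same alias;
     * blobs encrypted with a previous key then fail in decrypt() with KeyStoreResetException.
     */
    private <K> K getOrGenerateKey(CryptoType cryptoType, GetKey<K> getKey, CreateKey<K> createKey) throws OMADMException {
        KeyStore keyStore = CryptoUtils.loadAndroidKeyStore();
        try {
            return getKey(keyStore, cryptoType, getKey);
        } catch (KeyStoreResetException e) {
            LOGGER.log(Level.INFO, cryptoType + " key was unrecoverable in store, will re-initialize", e);
            synchronized (cryptoType) {
                try {
                    return getKey(keyStore, cryptoType, getKey);
                } catch (Exception ignored) {
                    // Deliberately broad: whatever made the second lookup fail, fall through
                    // to key creation.
                    LOGGER.info("Initializing MAMKeyProtector " + cryptoType + " key in Android KeyStore");
                    K created = createKey.createKey(keyStore);
                    LOGGER.info("Initializing MAMKeyProtector " + cryptoType + " key completed");
                    return created;
                }
            }
        }
    }

    /** Returns the RSA key pair, generating it in the KeyStore when it cannot be read. */
    private KeyPair getOrGenerateRSAKeyPair() throws OMADMException {
        final String alias = CryptoType.RSA.keyAlias;
        return getOrGenerateKey(
                CryptoType.RSA,
                keyStore -> CryptoUtils.getKeyPairInAndroidKeyStore(keyStore, alias),
                keyStore -> CryptoUtils.generateRSAKeyInAndroidKeyStore(keyStore, alias));
    }

    private Key getOrGenerateRSAPublicKey() throws OMADMException {
        return getOrGenerateRSAKeyPair().getPublic();
    }

    /** Returns the existing RSA key pair; never creates one (decryption path). */
    private KeyPair getRSAKeyPair() throws OMADMException, KeyStoreResetException {
        final String alias = CryptoType.RSA.keyAlias;
        return getKey(CryptoType.RSA, keyStore -> CryptoUtils.getKeyPairInAndroidKeyStore(keyStore, alias));
    }

    private Key getRSAPrivateKey() throws OMADMException, KeyStoreResetException {
        return getRSAKeyPair().getPrivate();
    }

    /**
     * Reports a failed KeyStore-backed encryption attempt to telemetry, attaching the
     * exception's stack trace truncated to {@link #MAX_ERROR_STACK_LENGTH} characters.
     *
     * @throws OMADMException if {@code cryptoType} is neither RSA nor AES
     */
    private void logEncryptionFailureTelemetry(CryptoType cryptoType, Exception exc) throws OMADMException {
        TrackedOccurrence trackedOccurrence;
        switch (cryptoType) {
            case RSA:
                trackedOccurrence = TrackedOccurrence.MAM_KEY_PROTECTOR_ENCRYPTION_FAILED_RSA;
                break;
            case AES:
                trackedOccurrence = TrackedOccurrence.MAM_KEY_PROTECTOR_ENCRYPTION_FAILED_AES;
                break;
            default:
                throw new OMADMException("Unexpected crypto type: " + cryptoType);
        }
        String stackTrace = Log.getStackTraceString(exc);
        if (stackTrace.length() > MAX_ERROR_STACK_LENGTH) {
            stackTrace = stackTrace.substring(0, MAX_ERROR_STACK_LENGTH);
        }
        this.telemetryLogger.logTrackedOccurrence(this.mContext.getPackageName(), trackedOccurrence, stackTrace);
    }

    /**
     * Starts a background thread that makes sure an encryption key exists for every supported
     * KeyStore-backed scheme. Failures are logged and do not propagate.
     */
    public void asyncInit() {
        new Thread(() -> {
            for (CryptoType cryptoType : PREFERRED_CRYPTO_OPERATIONS) {
                if (cryptoType.keyAlias != null && cryptoType.isSupported()) {
                    try {
                        getKeyForEncryption(cryptoType);
                    } catch (OMADMException e) {
                        LOGGER.log(Level.SEVERE, "Async MAMKeyProtector init failed for " + cryptoType, e);
                    }
                }
            }
        }).start();
    }

    /**
     * Decrypts a blob produced by {@link #encrypt(byte[])} or
     * {@link #encryptWithFileBackedKey(byte[])}.
     *
     * <p>The first byte selects the scheme. File-backed blobs are passed to
     * {@link DataEncryptionUtils} without a canary check. For KeyStore-backed blobs the
     * decrypted bytes must start with the canary, which is stripped from the result.
     *
     * <p>NOTE(review): a padding failure and a canary mismatch both surface as
     * KeyStoreResetException but with different messages and causes; confirm callers do not
     * expose that difference when the blob can come from an untrusted location.
     *
     * @param bArr header byte followed by ciphertext
     * @return the original plaintext
     * @throws OMADMException if the input is null or empty, the header byte is unknown, or
     *     decryption fails for a reason other than padding or block size
     * @throws KeyStoreResetException if the key is missing, or decryption fails in a way that
     *     indicates the blob was encrypted with a key that is no longer available
     */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    public byte[] decrypt(byte[] bArr) throws OMADMException, KeyStoreResetException {
        // Stored blobs can be truncated or missing; fail with the declared exception type
        // instead of an unchecked NullPointerException/ArrayIndexOutOfBoundsException.
        if (bArr == null || bArr.length == 0) {
            throw new OMADMException("Data was not encrypted by this class: input is null or empty");
        }
        CryptoType cryptoType = CryptoType.fromHeaderKey(bArr[0]);
        if (cryptoType == CryptoType.EncryptionUtils) {
            return DataEncryptionUtils.decryptRawData(Arrays.copyOfRange(bArr, 1, bArr.length), this.mContext);
        }
        try {
            byte[] plaintext = doDecrypt(bArr, 1, cryptoType);
            if (plaintext.length < CANARY_PREFIX.length) {
                String message = "Could not decrypt successfully as data is too short. Assuming key this data was encrypted with is no longer available";
                LOGGER.warning(message);
                throw new KeyStoreResetException(message);
            }
            for (int i = 0; i < CANARY_PREFIX.length; i++) {
                if (plaintext[i] != CANARY_PREFIX[i]) {
                    String message = "Could not decrypt successfully as canary does not match. Assuming key this data was encrypted with is no longer available";
                    LOGGER.warning(message);
                    throw new KeyStoreResetException(message);
                }
            }
            return Arrays.copyOfRange(plaintext, CANARY_PREFIX.length, plaintext.length);
        } catch (OMADMException e) {
            Throwable cause = e.getCause();
            if (!(cause instanceof BadPaddingException) && !(cause instanceof IllegalBlockSizeException)) {
                throw e;
            }
            // Padding and block-size failures are treated as "wrong key", not as corrupt data.
            String message = "Could not decrypt due to exception, assuming key this data was encrypted with is no longer available";
            LOGGER.log(Level.WARNING, message, e);
            throw new KeyStoreResetException(message, e);
        }
    }

    /**
     * Encrypts {@code bArr} with the first supported KeyStore-backed scheme (AES, then RSA),
     * prefixing the plaintext with the canary.
     *
     * <p>If every KeyStore-backed attempt fails, the data is encrypted with the file-backed
     * key instead. Each failure is logged at WARNING and sent to telemetry, but the caller is
     * not told that the weaker path was used; the header byte of the result is the only
     * record of it.
     *
     * @param bArr plaintext to protect
     * @return header byte followed by ciphertext
     * @throws OMADMException if the file-backed fallback fails as well
     */
    public byte[] encrypt(byte[] bArr) throws OMADMException {
        byte[] framed = new byte[CANARY_PREFIX.length + bArr.length];
        System.arraycopy(CANARY_PREFIX, 0, framed, 0, CANARY_PREFIX.length);
        System.arraycopy(bArr, 0, framed, CANARY_PREFIX.length, bArr.length);
        for (CryptoType cryptoType : PREFERRED_CRYPTO_OPERATIONS) {
            if (cryptoType.isSupported()) {
                try {
                    return encodeData(doEncrypt(framed, 0, cryptoType), cryptoType);
                } catch (OMADMException e) {
                    LOGGER.log(Level.WARNING, "Failed to encrypt MAM key using " + cryptoType, e);
                    logEncryptionFailureTelemetry(cryptoType, e);
                }
            }
        }
        // Fallback receives the caller's bytes without the canary prefix.
        return encryptWithFileBackedKey(bArr);
    }

    /**
     * Encrypts {@code bArr} through {@link DataEncryptionUtils} and tags the result with the
     * {@link CryptoType#EncryptionUtils} header byte. No canary is added on this path.
     */
    public byte[] encryptWithFileBackedKey(byte[] bArr) throws OMADMException {
        return encodeData(DataEncryptionUtils.encryptRawData(bArr, this.mContext), CryptoType.EncryptionUtils);
    }
}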
