package com.microsoft.workaccount.authenticatorservice;

import android.accounts.Account;
import android.content.Context;
import android.net.Uri;
import android.text.TextUtils;
import android.util.Base64;
import com.microsoft.identity.client.BrokerConstants;
import com.microsoft.identity.common.adal.internal.ADALError;
import com.microsoft.identity.common.adal.internal.cache.StorageHelper;
import com.microsoft.identity.common.adal.internal.util.StringExtensions;
import com.microsoft.identity.common.exception.ClientException;
import com.microsoft.identity.common.exception.ErrorStrings;
import com.microsoft.identity.common.internal.broker.DerivedKey;
import com.microsoft.identity.common.internal.broker.IKeyHandler;
import com.microsoft.identity.common.internal.broker.JweResponse;
import com.microsoft.identity.common.internal.broker.PrimaryRefreshToken;
import com.microsoft.identity.common.internal.providers.microsoft.azureactivedirectory.AzureActiveDirectory;
import com.microsoft.identity.common.internal.providers.microsoft.azureactivedirectory.AzureActiveDirectoryCloud;
import com.microsoft.omadm.utils.CryptoUtils;
import com.microsoft.workaccount.workplacejoin.AccountManagerStorageHelper;
import com.microsoft.workaccount.workplacejoin.Logger;
import com.microsoft.workaccount.workplacejoin.WorkplaceJoinData;
import com.microsoft.workaccount.workplacejoin.WorkplaceJoinDataStore;
import com.microsoft.workaccount.workplacejoin.core.StringHelper;
import com.microsoft.workaccount.workplacejoin.core.WorkplaceJoinFailure;
import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.Mac;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.ShortBufferException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.json.JSONException;
import org.spongycastle.crypto.digests.SHA256Digest;
import org.spongycastle.crypto.generators.KDFCounterBytesGenerator;
import org.spongycastle.crypto.macs.HMac;
import org.spongycastle.crypto.params.KDFCounterParameters;

/* loaded from: classes3.dex */
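/**
 * Broker-side key material handler for the Primary Refresh Token (PRT).
 *
 * <p>Responsibilities visible in this class:
 * <ul>
 *   <li>persisting and reading the PRT, its id token, expiry and the encoded
 *       session key through {@link AccountManagerStorageHelper};</li>
 *   <li>deriving per-request keys from the session key with an SP800-108
 *       counter-mode KDF (HMAC-SHA256) and a caller- or server-supplied context;</li>
 *   <li>HMAC signing with the derived key, RSA signing with the device key, and
 *       AES-CBC decryption of PRT-protected token responses.</li>
 * </ul>
 *
 * <p>Thread-safety: {@code getPRT}, {@code savePRT} and {@code deletePRT} hold the
 * static {@link #prtLock}. The cached and derived session keys are plain fields
 * and {@code getPRT} writes {@code mCachedSessionKey} while holding only the read
 * lock, so concurrent readers may observe each other's updates. The remaining
 * methods take no lock and are not synchronized.
 */
public final class KeyHandler implements IKeyHandler {
    /** Width in bytes of the big-endian integer written by {@link #myIntToBbBe(int)}. */
    private static final int BYTE_BUFFER_SIZE = 4;
    private static final String HMAC_SHA256 = "HmacSHA256";
    private static final String JWS_ALGORITHM = "SHA256withRSA";
    /** Bits per byte; used to express the KDF output length L in bits. */
    private static final int MAC_SIZE = 8;
    /** Size in bytes of the random context generated for a locally derived key. */
    private static final int SP800_108_CTX_SIZE = 24;
    /** SP800-108 "Label" input shared with the service side. */
    private static final String SP800_108_LABEL = "AzureAD-SecureConversation";
    private static final String TAG = "KeyHandler#";
    /** Guards PRT/session-key reads and writes across all KeyHandler instances. */
    private static final ReentrantReadWriteLock prtLock = new ReentrantReadWriteLock();
    private AccountManagerStorageHelper mAcctMgrHelper;
    /** Session key read from AccountManager (getPRT) or from the JWE (savePRT). */
    private SessionKey mCachedSessionKey;
    private Context mContext;
    // NOTE(review): never assigned in this class; encrypt()/decrypt() are
    // therefore pass-throughs unless something outside sets this field.
    private StorageHelper mStorageHelper = null;
    /** Most recently derived key; replaced on every derivation. */
    private DerivedKey mDerivedSessionKey = null;
    private final SecureRandom mRandom = new SecureRandom();

    /**
     * Creates a handler bound to {@code context} with a fresh
     * {@link AccountManagerStorageHelper} and no cached session key.
     *
     * @param context application context used for AccountManager and WPJ data access
     */
    public KeyHandler(Context context) {
        this.mContext = context;
        this.mCachedSessionKey = null;
        this.mAcctMgrHelper = new AccountManagerStorageHelper(context);
    }

    /**
     * Decrypts {@code value} with the storage helper, if one is set.
     *
     * <p>Best-effort: with no helper, or if the helper throws, the input is
     * returned unchanged (the failure is logged).
     */
    private String decrypt(String value) {
        StorageHelper helper = this.mStorageHelper;
        if (helper == null) {
            return value;
        }
        try {
            return helper.decrypt(value);
        } catch (Exception e) {
            Logger.e("KeyHandler#decrypt", "Data decryption failed " + e.getMessage(), WorkplaceJoinFailure.INTERNAL, e);
            return value;
        }
    }

    /**
     * Encrypts {@code value} with the storage helper, if one is set.
     *
     * <p>Best-effort: with no helper, or if the helper throws, the input is
     * returned unchanged. NOTE(review): when the helper fails, the caller
     * ({@link #savePRT}) therefore persists the refresh token as given.
     */
    private String encrypt(String value) {
        StorageHelper helper = this.mStorageHelper;
        if (helper == null) {
            return value;
        }
        try {
            return helper.encrypt(value);
        } catch (Exception e) {
            Logger.e("KeyHandler#encrypt", "Data encryption failed " + e.getMessage(), WorkplaceJoinFailure.INTERNAL, e);
            return value;
        }
    }

    /** Encodes {@code value} as a 4-byte big-endian integer (the SP800-108 [L]_2 field). */
    private static byte[] myIntToBbBe(int value) {
        return ByteBuffer.allocate(BYTE_BUFFER_SIZE).order(ByteOrder.BIG_ENDIAN).putInt(value).array();
    }

    /**
     * Checks whether the stored PRT may be used for {@code requestAuthority}.
     *
     * <p>Accepts when no PRT authority is stored, when the hosts match
     * case-insensitively, or when the request host is one of the known
     * AAD cloud host aliases. A stored authority that does not parse yields
     * {@code false}.
     *
     * @param account          the account whose PRT authority is stored
     * @param requestAuthority authority URL requested by the caller
     * @return {@code true} if the PRT is acceptable for the authority
     * @throws ClientException if {@code requestAuthority} is not a valid URL
     */
    private boolean verifyAuthorityForPRT(Account account, String requestAuthority) throws ClientException {
        final URL requestUrl;
        try {
            requestUrl = new URL(requestAuthority);
        } catch (MalformedURLException e) {
            Logger.e("KeyHandler#performAuthorityLookUpForPRT", ADALError.DEVELOPER_AUTHORITY_IS_NOT_VALID_URL.toString(), "Passed in requestAuthority: " + requestAuthority, WorkplaceJoinFailure.INTERNAL, e);
            throw new ClientException("malformed_url", "Authority url is malformed.", e);
        }
        String prtAuthority = this.mAcctMgrHelper.getPRTAuthority(account);
        if (TextUtils.isEmpty(prtAuthority)) {
            // Nothing recorded for this PRT: accept any authority.
            return true;
        }
        final String requestHost = requestUrl.getHost();
        try {
            if (requestHost.equalsIgnoreCase(new URL(prtAuthority).getHost())) {
                return true;
            }
        } catch (MalformedURLException unused) {
            Logger.i("KeyHandler#performAuthorityLookUpForPRT", "The preferred PRT requestAuthority is invalid.");
            return false;
        }
        // Fall back to the known cloud host aliases (e.g. login.microsoftonline.com vs. login.windows.net).
        for (AzureActiveDirectoryCloud cloud : AzureActiveDirectory.getClouds()) {
            for (String alias : cloud.getHostAliases()) {
                if (requestHost.equalsIgnoreCase(alias)) {
                    Logger.i("KeyHandler#performAuthorityLookUpForPRT", "Found a match in the alias hosts.");
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Normalizes an authority to {@code https://<host>/common}, lower-cased.
     *
     * @param authority authority URL; may be blank
     * @return the normalized authority, or {@code null} if blank or unparsable
     */
    String authorityHostWithCommon(String authority) {
        if (StringHelper.IsNullOrBlank(authority)) {
            Logger.v("KeyHandler#authorityHostWithCommon", "The passed in authority is empty.");
            return null;
        }
        try {
            String host = new URL(authority).getHost();
            Uri common = new Uri.Builder()
                    .scheme(BrokerConstants.HTTPS_PROTOCOL_STRING)
                    .authority(host)
                    .path("common")
                    .build();
            return common.toString().toLowerCase(Locale.US);
        } catch (MalformedURLException unused) {
            Logger.v("KeyHandler#authorityHostWithCommon", "The passed in authority is invalid.");
            return null;
        }
    }

    /**
     * Decrypts a PRT-protected (JWE) token response and returns it as UTF-8 text.
     *
     * <p>The JWE header's {@code enc} must be {@code A256GCM} or {@code dir};
     * the header's context (Base64, default alphabet) is fed to the KDF and the
     * IV and payload (Base64 URL-safe) to {@link #decryptUsingDerivedSessionKey}.
     * NOTE(review): the header value only gates acceptance; the actual cipher is
     * always AES/CBC/PKCS7 in {@code decryptUsingDerivedSessionKey}, and no
     * authentication tag is checked here — confirm against the protocol.
     *
     * @param jwe compact JWE string
     * @return the decrypted token response
     * @throws JSONException                if the JWE cannot be parsed
     * @throws UnsupportedEncodingException declared for compatibility
     * @throws ClientException              on any decryption failure
     * @throws IllegalArgumentException     if the encryption algorithm is not accepted
     */
    public String decryptTokenResponse(String jwe) throws JSONException, UnsupportedEncodingException, ClientException {
        JweResponse response = JweResponse.parseJwe(jwe);
        String enc = response.getJweHeader().mHeaderEncryptionAlgorithm;
        if (!enc.equalsIgnoreCase("A256GCM") && !enc.equalsIgnoreCase("dir")) {
            throw new IllegalArgumentException("Invalid encryption algorithm");
        }
        byte[] iv = Base64.decode(response.getIV(), Base64.URL_SAFE);
        byte[] ciphertext = Base64.decode(response.getPayload(), Base64.URL_SAFE);
        byte[] ctx = Base64.decode(response.getJweHeader().mHeaderContext, Base64.DEFAULT);
        com.microsoft.identity.common.internal.logging.Logger.verbose(TAG, "Decrypting the token response for using PRT. IV size:" + iv.length + " mPayload size:" + ciphertext.length + " ctx size:" + ctx.length);
        return new String(decryptUsingDerivedSessionKey(iv, ctx, ciphertext), StandardCharsets.UTF_8);
    }

    /**
     * Derives a key from the cached session key and {@code ctx}, then decrypts
     * {@code ciphertext} with AES/CBC/PKCS7Padding (BC provider).
     *
     * <p>Side effect: {@link #mDerivedSessionKey} is replaced by the new derivation.
     *
     * @param iv         CBC initialization vector
     * @param ctx        SP800-108 context supplied with the ciphertext
     * @param ciphertext data to decrypt
     * @return the plaintext, trimmed to the actual output length
     * @throws ClientException if no session key is cached or the cipher fails
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public byte[] decryptUsingDerivedSessionKey(byte[] iv, byte[] ctx, byte[] ciphertext) throws ClientException {
        if (this.mCachedSessionKey == null) {
            // Previously surfaced as a NullPointerException on getRawKey().
            throw new ClientException("Session key is missing", "No cached session key is available to derive the decryption key.", null);
        }
        this.mDerivedSessionKey = generateDerivedKey(this.mCachedSessionKey.getRawKey(), SP800_108_LABEL.getBytes(StandardCharsets.US_ASCII), ctx);
        SecretKeySpec keySpec = new SecretKeySpec(this.mDerivedSessionKey.getGeneratedKey(), CryptoUtils.KEY_ALGORITHM_AES);
        IvParameterSpec ivSpec = new IvParameterSpec(iv);
        try {
            Cipher cipher = Cipher.getInstance(CryptoUtils.AES_CBC_PKCS7PADDING, "BC");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] buffer = new byte[cipher.getOutputSize(ciphertext.length)];
            int written = cipher.update(ciphertext, 0, ciphertext.length, buffer, 0);
            written += cipher.doFinal(buffer, written);
            // getOutputSize() is an upper bound; return exactly the bytes produced.
            return Arrays.copyOf(buffer, written);
        } catch (InvalidAlgorithmParameterException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("IV param is invalid", e.getMessage(), e);
        } catch (InvalidKeyException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("Symmetric key is invalid", e.getMessage(), e);
        } catch (NoSuchAlgorithmException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("AES/CBC/PKCS7Padding is not available", e.getMessage(), e);
        } catch (NoSuchProviderException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("BC provider is not available", e.getMessage(), e);
        } catch (BadPaddingException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("PKCS7Padding is expected", e.getMessage(), e);
        } catch (IllegalBlockSizeException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("CBC Block size is expected", e.getMessage(), e);
        } catch (NoSuchPaddingException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("AES/CBC/PKCS7Padding is not available", e.getMessage(), e);
        } catch (ShortBufferException e) {
            Logger.v("KeyHandler#decryptUsingDerivedSessionKey", e.getMessage());
            throw new ClientException("User provided buffer is too small ", e.getMessage(), e);
        }
    }

    /**
     * Removes the PRT and session key for {@code account} from AccountManager,
     * resets the acquisition time and drops the cached session key.
     *
     * <p>Takes the write lock; safe to call from {@link #savePRT} because the
     * lock is reentrant.
     */
    public void deletePRT(Account account) {
        prtLock.writeLock().lock();
        try {
            Logger.v("KeyHandler#deletePRT", "Delete PRT/SessionKey from AccountManager.");
            this.mAcctMgrHelper.deletePRTandSK(account);
            this.mAcctMgrHelper.setPrtAcquisitionTimeEpochMillis(account, Long.MIN_VALUE);
            Logger.v("KeyHandler#deletePRT", "Wiped mCachedSessionKey.");
            this.mCachedSessionKey = null;
        } finally {
            prtLock.writeLock().unlock();
        }
    }

    /**
     * SP800-108 counter-mode KDF with HMAC-SHA256.
     *
     * <p>Fixed input is {@code label || 0x00 || ctx || [L]_2} where L is the
     * output length in bits (MAC size × 8, big-endian 32-bit); the counter is
     * 32 bits wide. Output length equals the HMAC size (32 bytes).
     *
     * <p>Side effect: stores the result in {@link #mDerivedSessionKey}.
     *
     * @param keyIn session (input) key
     * @param label SP800-108 label bytes
     * @param ctx   SP800-108 context bytes, kept in the returned {@link DerivedKey}
     * @return the derived key together with its context
     */
    public DerivedKey generateDerivedKey(byte[] keyIn, byte[] label, byte[] ctx) {
        HMac prf = new HMac(new SHA256Digest());
        ByteArrayOutputStream fixedInput = new ByteArrayOutputStream();
        fixedInput.write(label, 0, label.length);
        fixedInput.write(0);
        fixedInput.write(ctx, 0, ctx.length);
        byte[] outputBits = myIntToBbBe(prf.getMacSize() * MAC_SIZE);
        fixedInput.write(outputBits, 0, outputBits.length);
        KDFCounterParameters params = new KDFCounterParameters(keyIn, fixedInput.toByteArray(), 32);
        KDFCounterBytesGenerator generator = new KDFCounterBytesGenerator(prf);
        generator.init(params);
        byte[] derived = new byte[prf.getMacSize()];
        Logger.v("KeyHandler#generateDerivedKey", "Generating derived key");
        generator.generateBytes(derived, 0, derived.length);
        this.mDerivedSessionKey = new DerivedKey(ctx, derived);
        return this.mDerivedSessionKey;
    }

    /**
     * Returns the current derived key, deriving one with a fresh random
     * 24-byte context if none exists yet.
     *
     * @return the derived session key
     * @throws IllegalStateException if a derivation is needed but no session key is cached
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public DerivedKey getDerivedSessionKey() {
        if (this.mDerivedSessionKey == null) {
            if (this.mCachedSessionKey == null) {
                // Previously surfaced as a NullPointerException on getRawKey().
                throw new IllegalStateException("No cached session key is available to derive a session key.");
            }
            byte[] label = SP800_108_LABEL.getBytes(StandardCharsets.US_ASCII);
            byte[] ctx = new byte[SP800_108_CTX_SIZE];
            this.mRandom.nextBytes(ctx);
            this.mDerivedSessionKey = generateDerivedKey(this.mCachedSessionKey.getRawKey(), label, ctx);
        }
        return this.mDerivedSessionKey;
    }

    /**
     * Returns the DER-encoded device certificate as a Base64 string without
     * line wrapping (suitable for a JWS {@code x5c} entry).
     *
     * @throws CertificateEncodingException if the certificate cannot be encoded
     * @throws UnsupportedEncodingException declared for compatibility
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String getDeviceCertX5c() throws CertificateEncodingException, UnsupportedEncodingException {
        Logger.v("KeyHandler#getDeviceCertX5c", "Attempting to getdencoded Device certificate");
        byte[] der = new WorkplaceJoinDataStore(this.mAcctMgrHelper).getWorkplaceJoinData().getCertificateData().getX509Cert().getEncoded();
        return new String(Base64.encode(der, Base64.NO_WRAP), StandardCharsets.UTF_8);
    }

    /** Not supported by this handler; always {@code null}. */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String getKeyId() {
        return null;
    }

    /**
     * Loads the PRT for {@code account} if the stored PRT authority permits
     * {@code requestAuthority}; otherwise returns an empty token.
     *
     * <p>Also refreshes {@link #mCachedSessionKey} from the stored encoded
     * session key (Base64 NO_WRAP) when one is present. Held under the read lock.
     *
     * @param account          the account to read
     * @param requestAuthority authority the caller intends to use the PRT against
     * @return a populated token, or an empty {@link PrimaryRefreshToken} on mismatch
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public PrimaryRefreshToken getPRT(Account account, String requestAuthority) {
        PrimaryRefreshToken token = new PrimaryRefreshToken();
        Logger.v("KeyHandler#getPRT", "Retrieve PRT from AccountManager.");
        prtLock.readLock().lock();
        try {
            boolean authorityOk = false;
            try {
                authorityOk = verifyAuthorityForPRT(account, requestAuthority);
            } catch (ClientException e) {
                Logger.v("KeyHandler#getPRT", "The passed in authority is not valid for the PRT in shared preference. Exception: " + e.toString());
            }
            if (!authorityOk) {
                Logger.v("KeyHandler#getPRT", "The passed in authority is not valid for the PRT in shared preference.");
                return token;
            }
            String prt = this.mAcctMgrHelper.getPRT(account);
            int expiresIn = this.mAcctMgrHelper.getExpiresIn(account);
            String idToken = this.mAcctMgrHelper.getPrtIdToken(account);
            String encodedSessionKey = this.mAcctMgrHelper.getEncodedSessionKey(account);
            long acquisitionTime = this.mAcctMgrHelper.getPrtAcquisitionTimeEpochMillis(account);
            if (!TextUtils.isEmpty(encodedSessionKey)) {
                this.mCachedSessionKey = SessionKey.createWithRawKey(Base64.decode(encodedSessionKey.getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP));
            }
            token.setExpiresIn(expiresIn);
            token.setIdToken(idToken);
            token.setRefreshToken(decrypt(prt));
            token.setAuthority(requestAuthority);
            token.setAcquisitionTimeEpochMillis(acquisitionTime);
            Logger.v("KeyHandler#getPRT", "Retrieve PRT successfully.");
            return token;
        } finally {
            prtLock.readLock().unlock();
        }
    }

    /** Returns the authority the stored PRT was issued for, as recorded in AccountManager. */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String getPrtAuthority(Account account) {
        return this.mAcctMgrHelper.getPRTAuthority(account);
    }

    /** Exposes the shared PRT lock so callers can coordinate multi-step access. */
    public ReadWriteLock getPrtLock() {
        return prtLock;
    }

    /**
     * Persists {@code primaryRefreshToken} for {@code account} under the write lock.
     *
     * <p>If the token carries a session-key JWE it is unwrapped with the WPJ
     * STK private key, stored encoded, cached, and a fresh derived key is
     * primed. The refresh token is passed through {@link #encrypt} and the
     * authority normalized via {@link #authorityHostWithCommon}. On JWE or
     * encoding failure the PRT and session key are deleted. Returns silently
     * if no WorkplaceJoinData exists.
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public void savePRT(Account account, PrimaryRefreshToken primaryRefreshToken) {
        prtLock.writeLock().lock();
        try {
            WorkplaceJoinData wpjData = new WorkplaceJoinDataStore(this.mContext).getWorkplaceJoinData();
            if (wpjData == null) {
                Logger.e("KeyHandler#savePRT", "WorkplaceJoinData not found.", WorkplaceJoinFailure.INTERNAL);
                return;
            }
            try {
                String sessionKeyJwe = primaryRefreshToken.getSessionKeyJwe();
                if (!TextUtils.isEmpty(sessionKeyJwe)) {
                    SessionKey sessionKey = SessionKey.createFromJWE(sessionKeyJwe, wpjData.getCertificateData().getStkPrivateKey());
                    this.mAcctMgrHelper.setEncodedSessionKey(account, sessionKey.getEncodedSessionKey());
                    this.mCachedSessionKey = sessionKey;
                    // Invalidate any key derived from the previous session key, then prime a new one.
                    this.mDerivedSessionKey = null;
                    getDerivedSessionKey();
                }
                Logger.v("KeyHandler#savePRT", "Saving PRT into AccountManager.");
                this.mAcctMgrHelper.setPRT(account, encrypt(primaryRefreshToken.getRefreshToken()), authorityHostWithCommon(primaryRefreshToken.getAuthority()), primaryRefreshToken.getExpiresIn(), primaryRefreshToken.getIdToken());
                this.mAcctMgrHelper.setEmail(account, primaryRefreshToken.getUserEmail());
            } catch (AuthenticatorException e) {
                Logger.e("KeyHandler#savePRT", "Failed to create session key from JWE with privateKey.", e.getMessage(), WorkplaceJoinFailure.INTERNAL, e);
                deletePRT(account);
            } catch (UnsupportedEncodingException e) {
                Logger.e("KeyHandler#savePRT", "Unsupported encoding.", e.getMessage(), WorkplaceJoinFailure.INTERNAL, e);
                deletePRT(account);
            }
        } finally {
            prtLock.writeLock().unlock();
        }
    }

    /** Replaces the AccountManager storage helper (test/injection hook). */
    public void setAccountManagerStorageHelper(AccountManagerStorageHelper accountManagerStorageHelper) {
        this.mAcctMgrHelper = accountManagerStorageHelper;
    }

    /** Replaces the cached session key without touching persisted state. */
    public void setCachedSessionKey(SessionKey sessionKey) {
        this.mCachedSessionKey = sessionKey;
    }

    /** Replaces the derived key without re-deriving it. */
    public void setDerivedKey(DerivedKey derivedKey) {
        this.mDerivedSessionKey = derivedKey;
    }

    /**
     * HMAC-SHA256 of the UTF-8 bytes of {@code data} under the derived session
     * key, Base64 URL-safe encoded.
     *
     * @param data text to sign
     * @return the encoded MAC
     * @throws ClientException with {@link ErrorStrings#ENCRYPTION_ERROR} if no
     *                         derived key is available or the MAC cannot be computed
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String signWithDerivedSessionKey(String data) throws ClientException {
        if (this.mDerivedSessionKey == null) {
            // Previously surfaced as a NullPointerException on getGeneratedKey().
            String message = "Derived session key is not available for signing";
            Logger.e("KeyHandler#signWithDerivedSessionKey", message, WorkplaceJoinFailure.INTERNAL, null);
            throw new ClientException(ErrorStrings.ENCRYPTION_ERROR, message, null);
        }
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256);
            mac.init(new SecretKeySpec(this.mDerivedSessionKey.getGeneratedKey(), HMAC_SHA256));
            return StringExtensions.encodeBase64URLSafeString(mac.doFinal(data.getBytes("UTF-8")));
        } catch (UnsupportedEncodingException e) {
            String message = "UTF-8 encoding is not supported " + e.getMessage();
            Logger.e("KeyHandler#signWithDerivedSessionKey", message, WorkplaceJoinFailure.INTERNAL, e);
            throw new ClientException(ErrorStrings.ENCRYPTION_ERROR, message, e);
        } catch (IllegalStateException e) {
            Logger.e("KeyHandler#signWithDerivedSessionKey", e.getMessage(), WorkplaceJoinFailure.INTERNAL, e);
            throw new ClientException(ErrorStrings.ENCRYPTION_ERROR, e.getMessage(), e);
        } catch (InvalidKeyException e) {
            String message = "Key is invalid for signing " + e.getMessage();
            Logger.e("KeyHandler#signWithDerivedSessionKey", message, WorkplaceJoinFailure.INTERNAL, e);
            throw new ClientException(ErrorStrings.ENCRYPTION_ERROR, message, e);
        } catch (NoSuchAlgorithmException e) {
            String message = "HmacSHA256 algorithm does not exist " + e.getMessage();
            Logger.e("KeyHandler#signWithDerivedSessionKey", message, WorkplaceJoinFailure.INTERNAL, e);
            throw new ClientException(ErrorStrings.ENCRYPTION_ERROR, message, e);
        }
    }

    /**
     * RSA SHA256withRSA signature over the UTF-8 bytes of {@code data} with the
     * WPJ device private key, Base64 URL-safe encoded.
     *
     * @param data text to sign
     * @return the encoded signature
     * @throws InvalidKeyException          if the device key is unusable
     * @throws UnsupportedEncodingException declared for compatibility
     * @throws SignatureException           if signing fails
     * @throws NoSuchAlgorithmException     if SHA256withRSA is unavailable
     */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String signWithDeviceKey(String data) throws InvalidKeyException, UnsupportedEncodingException, SignatureException, NoSuchAlgorithmException {
        Logger.v("KeyHandler#signWithWPJSTKPrivateKey", "Attempting to sign with Device Certificate");
        WorkplaceJoinData wpjData = new WorkplaceJoinDataStore(this.mAcctMgrHelper).getWorkplaceJoinData();
        Signature signer = Signature.getInstance(JWS_ALGORITHM);
        signer.initSign(wpjData.getCertificateData().getDevicePrivateKey());
        signer.update(data.getBytes(StandardCharsets.UTF_8));
        return StringExtensions.encodeBase64URLSafeString(signer.sign());
    }

    /** Not supported by this handler; always {@code null}. */
    @Override // com.microsoft.identity.common.internal.broker.IKeyHandler
    public String signWithNGC(String data) {
        return null;
    }
}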
