package com.microsoft.omadm.apppolicy;

import android.content.Context;
import com.microsoft.intune.mam.log.ExceptionUtils;
import com.microsoft.omadm.Services;
import com.microsoft.omadm.apppolicy.MAMKeyProtector;
import com.microsoft.omadm.apppolicy.data.MAMKey;
import com.microsoft.omadm.apppolicy.data.MAMServiceEnrollment;
import com.microsoft.omadm.apppolicy.mamservice.MAMServiceEncryptionKey;
import com.microsoft.omadm.apppolicy.mamservice.MAMServiceGetEncryptionKeysTask;
import com.microsoft.omadm.apppolicy.mamservice.MAMServiceUtils;
import com.microsoft.omadm.database.TableRepository;
import com.microsoft.omadm.exception.OMADMException;
import com.microsoft.omadm.logging.MAMTelemetryLogger;
import com.microsoft.omadm.logging.telemetry.MAMTrackedOccurrence;
import com.microsoft.omadm.utils.CryptoUtils;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: classes.dex */
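/**
 * Hands out the symmetric keys used for MAM file encryption and table signing.
 *
 * <p>Keys are persisted through {@link TableRepository} as {@link MAMKey} rows whose
 * {@code keyBytes} are always wrapped by {@link MAMKeyProtector} before they are written.
 * Unwrapped key material lives only in the in-memory {@code mKeyCache}.
 *
 * <p>Log statements in this class record key ids and expiry times, never key bytes.
 * Keep it that way when adding diagnostics.
 */
public class MAMKeyManager {
    private static final String ALGORITHM = "AES";
    private static final int FILE_ENCRYPTION_KEY_LENGTH = 256;
    /** Lifetime of a locally generated key, in years (see {@link #generateLocalKey}). */
    private static final int KEY_LIFETIME = 1;
    private static final Logger LOGGER = Logger.getLogger(MAMKeyManager.class.getName());
    private static final int TABLE_SIGNING_KEY_LENGTH = 256;
    private static final String UNABLE_TO_RECOVER = "Unable to recover from reset Android KeyStore";
    /**
     * Bit set on {@code MAMKey.flags} when the stored ciphertext could not be unwrapped after a
     * KeyStore reset. {@link #storeFileEncryptionKeysFromMAMService} overwrites the key bytes of
     * rows carrying this bit and then clears it.
     */
    private static final int FLAG_NEEDS_SERVICE_REFRESH = 2;

    private final Context mContext;
    // Holds UNWRAPPED key material, keyed by key id, until clearCache() is called.
    // NOTE(review): clearCache() only drops references; nothing visible here zeroes the bytes.
    private final Map<String, MAMKeySpec> mKeyCache = new ConcurrentHashMap<>();
    // One monitor object per purpose, so work on one purpose does not block the other.
    private final Map<KeyPurpose, Object> mKeyTypeLock = new ConcurrentHashMap<>();
    private final MAMKeyProtector mMAMKeyProtector;
    private final TableRepository mTableRepository;
    private final MAMTelemetryLogger mTelemetryLogger;

    /**
     * What a key is used for. Each purpose carries the persisted purpose id, the key size in
     * bits, and whether locally generated keys are wrapped with {@code MAMKeyProtector.encrypt}
     * (true) or {@code MAMKeyProtector.encryptWithFileBackedKey} (false).
     *
     * <p>NOTE(review): going by the names, locally generated FileEncryption keys are wrapped with
     * a file-backed key rather than the Android KeyStore. Confirm in MAMKeyProtector what
     * protects that file-backed key at rest.
     */
    public enum KeyPurpose {
        FileEncryption(1, FILE_ENCRYPTION_KEY_LENGTH, false),
        TableSigning(2, TABLE_SIGNING_KEY_LENGTH, true);

        private final int mId;
        private final int mKeySizeBits;
        private final boolean mProtectLocallyGeneratedKeysWithAndroidKeyStore;

        KeyPurpose(int id, int keySizeBits, boolean protectWithAndroidKeyStore) {
            this.mId = id;
            this.mKeySizeBits = keySizeBits;
            this.mProtectLocallyGeneratedKeysWithAndroidKeyStore = protectWithAndroidKeyStore;
        }

        /** @return the integer stored in the {@code Purpose} column for this purpose */
        int id() {
            return this.mId;
        }

        /** @return the size, in bits, of keys generated for this purpose */
        int keySizeBits() {
            return this.mKeySizeBits;
        }

        /** @return whether locally generated keys are wrapped with {@code MAMKeyProtector.encrypt} */
        boolean protectLocallyGeneratedKeysWithAndroidKeyStore() {
            return this.mProtectLocallyGeneratedKeysWithAndroidKeyStore;
        }
    }

    /**
     * Creates the manager and one lock object per {@link KeyPurpose}.
     *
     * @param context used for the package name reported to telemetry
     * @param tableRepository persistence for {@link MAMKey} and enrollment rows
     * @param mAMKeyProtector wraps and unwraps key bytes
     * @param mAMTelemetryLogger receives unrecoverable-key occurrences
     */
    public MAMKeyManager(Context context, TableRepository tableRepository, MAMKeyProtector mAMKeyProtector, MAMTelemetryLogger mAMTelemetryLogger) {
        this.mContext = context;
        this.mTableRepository = tableRepository;
        this.mMAMKeyProtector = mAMKeyProtector;
        this.mTelemetryLogger = mAMTelemetryLogger;
        for (KeyPurpose keyPurpose : KeyPurpose.values()) {
            this.mKeyTypeLock.put(keyPurpose, new Object());
        }
    }

    /**
     * Tells whether an expiry time is still in the future.
     *
     * @param date expiry time, may be {@code null}
     * @return {@code true} only if {@code date} is non-null and strictly later than now
     */
    protected static boolean checkTimestamp(Date date) {
        return date != null && System.currentTimeMillis() < date.getTime();
    }

    /**
     * Unwraps the stored bytes of {@code mAMKey}.
     *
     * <p>If the protector reports a KeyStore reset and the key came from the service, the row is
     * flagged with {@link #FLAG_NEEDS_SERVICE_REFRESH}, the escrowed keys are fetched again
     * using the first successful enrollment, and the unwrap is retried once.
     *
     * <p>NOTE(review): the fetch runs on a new thread that is joined without a timeout, and
     * {@link #getCurrentKey} calls this method while holding the per-purpose lock. A stalled
     * service call therefore blocks every caller for that purpose.
     *
     * @throws OMADMException if a locally generated key cannot be unwrapped, if there is no
     *     enrollment to recover with, if the wait is interrupted, or if the retry fails
     */
    private byte[] decryptKey(MAMKey mAMKey) throws OMADMException {
        try {
            return this.mMAMKeyProtector.decrypt(mAMKey.keyBytes);
        } catch (MAMKeyProtector.KeyStoreResetException e) {
            // Locally generated keys are not escrowed, so there is nothing to recover from.
            if (!mAMKey.isFromService()) {
                throw new OMADMException("Unable to decrypt locally generated key.", e);
            }
            LOGGER.warning("Unable to decrypt key, apparently because the Android KeyStore has been reset. Attempting to refresh escrowed keys from service");
            // Mark the row so the refresh is allowed to overwrite its (now useless) ciphertext.
            mAMKey.flags = Integer.valueOf(mAMKey.flags.intValue() | FLAG_NEEDS_SERVICE_REFRESH);
            this.mTableRepository.insertOrReplace(mAMKey);

            List<MAMServiceEnrollment> enrollments = MAMServiceUtils.getEnrollmentsBySuccess();
            if (enrollments == null || enrollments.isEmpty()) {
                LOGGER.severe("No MAM Service enrollments, will not be able to retrieve escrowed keys");
                throw new OMADMException(UNABLE_TO_RECOVER);
            }
            MAMServiceEnrollment enrollment = enrollments.get(0);
            MAMServiceGetEncryptionKeysTask fetchTask = new MAMServiceGetEncryptionKeysTask(enrollment.packageName, enrollment.identity, enrollment.refreshToken);
            // Cancel any queued task with the same tags before running this one directly.
            Services.get().getMAMTaskQueue().cancelTasksByTags(fetchTask.getTaskTags());
            Thread fetchThread = new Thread(fetchTask);
            fetchThread.start();
            try {
                fetchThread.join();
            } catch (InterruptedException interrupted) {
                // Restore the interrupt status so callers further up can still observe it.
                Thread.currentThread().interrupt();
                throw new OMADMException("Interrupted while waiting to retrieve escrowed keys", interrupted);
            }

            MAMKey refreshedKey = (MAMKey) this.mTableRepository.get(new MAMKey.Key(mAMKey.keyID));
            if (refreshedKey == null) {
                throw new OMADMException("Unable to recover from reset Android KeyStore even after trying to retrieve encryption keys, updated key is unexpectedly NULL");
            }
            try {
                LOGGER.info("Trying to retrieve key again after requesting keys from service");
                return this.mMAMKeyProtector.decrypt(refreshedKey.keyBytes);
            } catch (MAMKeyProtector.KeyStoreResetException retryFailure) {
                throw new OMADMException("Unable to recover from reset Android KeyStore even after trying to retrieve encryption keys from service", retryFailure);
            }
        }
    }

    /**
     * Looks up the row with the highest {@code id} for the given purpose.
     *
     * @return that row, or {@code null} if no key exists for the purpose
     */
    private MAMKey getCurrentKeyFromTable(KeyPurpose keyPurpose) {
        List<?> rows = this.mTableRepository.get(MAMKey.class, "Purpose=?", new String[]{String.valueOf(keyPurpose.id())}, null, null, "id DESC", "1");
        return rows.isEmpty() ? null : (MAMKey) rows.get(0);
    }

    /**
     * Empties the in-memory cache of unwrapped keys while holding both purpose locks.
     *
     * <p>The locks are always taken TableSigning first, then FileEncryption. Keep that order if
     * another multi-lock path is ever added.
     */
    public void clearCache() {
        synchronized (this.mKeyTypeLock.get(KeyPurpose.TableSigning)) {
            synchronized (this.mKeyTypeLock.get(KeyPurpose.FileEncryption)) {
                this.mKeyCache.clear();
            }
        }
    }

    /**
     * Returns the key to use for new work of the given purpose, creating one if needed.
     *
     * <p>Decision order, under the per-purpose lock:
     * <ol>
     *   <li>Current row not expired: return it (from cache or by unwrapping). If a locally
     *       generated key cannot be unwrapped, it is expired on the spot, reported to
     *       telemetry, and replaced by a new key.</li>
     *   <li>Current row is an expired service key and at least one enrollment row exists: keep
     *       using it.</li>
     *   <li>Otherwise: generate, wrap and persist a new local key.</li>
     * </ol>
     *
     * @throws OMADMException if a service-provided key cannot be unwrapped
     */
    public MAMKeySpec getCurrentKey(KeyPurpose keyPurpose) throws OMADMException {
        LOGGER.info("Getting current key for " + keyPurpose);
        synchronized (this.mKeyTypeLock.get(keyPurpose)) {
            MAMKey current = getCurrentKeyFromTable(keyPurpose);
            if (current != null) {
                LOGGER.info(String.format("Current %s key has id %s.", keyPurpose, current.keyID));
                if (checkTimestamp(current.expireTime)) {
                    try {
                        return loadCurrentKeySpec(current);
                    } catch (OMADMException e) {
                        if (current.isFromService()) {
                            throw e;
                        }
                        LOGGER.log(Level.WARNING, "Unable to recover current key. A new one will be generated.", e);
                        this.mTelemetryLogger.logTrackedOccurrence(this.mContext.getPackageName(), MAMTrackedOccurrence.KEY_MANAGER_UNRECOVERABLE_KEY, ExceptionUtils.describeException(e));
                        // Expire the unusable key now so it is not selected as current again.
                        current.expireTime = new Date();
                        this.mTableRepository.insertOrReplace(current);
                    }
                }
                if (current.isFromService()) {
                    // Only an expired service key reaches this point.
                    List<?> enrollmentKeys = this.mTableRepository.getKeys(MAMServiceEnrollment.class);
                    if (enrollmentKeys != null && !enrollmentKeys.isEmpty()) {
                        return loadCurrentKeySpec(current);
                    }
                    LOGGER.info(String.format("Stale MAMService %s key has expired, generating a new local key", keyPurpose));
                }
            }
            return generateLocalKey(keyPurpose);
        }
    }

    /** Returns the cached spec for {@code key}, or unwraps the key, caches it and returns it. */
    private MAMKeySpec loadCurrentKeySpec(MAMKey key) throws OMADMException {
        MAMKeySpec cached = this.mKeyCache.get(key.keyID);
        if (cached != null) {
            return cached;
        }
        MAMKeySpec spec = new MAMKeySpec(key.keyID, decryptKey(key), ALGORITHM, true);
        this.mKeyCache.put(key.keyID, spec);
        return spec;
    }

    /** Generates a new key for {@code keyPurpose}, persists it wrapped, and caches it unwrapped. */
    private MAMKeySpec generateLocalKey(KeyPurpose keyPurpose) throws OMADMException {
        byte[] rawKey = CryptoUtils.generateSecretKey(keyPurpose.keySizeBits()).getEncoded();
        byte[] wrappedKey = keyPurpose.protectLocallyGeneratedKeysWithAndroidKeyStore()
                ? this.mMAMKeyProtector.encrypt(rawKey)
                : this.mMAMKeyProtector.encryptWithFileBackedKey(rawKey);
        UUID keyId = UUID.randomUUID();
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.YEAR, KEY_LIFETIME);
        // Fourth argument 0: presumably the flags value for "not from service"; confirm in MAMKey.
        this.mTableRepository.insert(new MAMKey(keyId, wrappedKey, expiry.getTime(), 0, Integer.valueOf(keyPurpose.id())));
        LOGGER.info(String.format("Generated new %s key with id %s", keyPurpose, keyId.toString()));
        MAMKeySpec spec = new MAMKeySpec(keyId, rawKey, ALGORITHM, true);
        this.mKeyCache.put(keyId.toString(), spec);
        return spec;
    }

    /**
     * Returns a specific key by id, for example to read data written under an older key.
     *
     * <p>The stored purpose must match {@code keyPurpose}. This stops a key issued for one
     * purpose from being used for the other.
     *
     * <p>NOTE(review): a cache hit returns before the purpose check, and the cached spec's last
     * constructor argument (whether the key equalled the current row when it was built) is not
     * refreshed after {@link #updateActiveKeyId}. Confirm that callers do not rely on either.
     *
     * @throws OMADMException if the key is unknown, has a different purpose, or cannot be unwrapped
     */
    public MAMKeySpec getKey(KeyPurpose keyPurpose, UUID uuid) throws OMADMException {
        String keyId = uuid.toString();
        MAMKeySpec cached = this.mKeyCache.get(keyId);
        if (cached != null) {
            return cached;
        }
        MAMKey stored = (MAMKey) this.mTableRepository.get(new MAMKey.Key(keyId));
        if (stored == null) {
            throw new OMADMException(String.format("The requested %s key %s could not be found.", keyPurpose, uuid));
        }
        if (stored.purpose.intValue() != keyPurpose.id()) {
            throw new OMADMException(String.format("The requested key is used for a different purpose than what was requested. Requested: %s [%s], Actual [%s].", keyPurpose, Integer.valueOf(keyPurpose.id()), stored.purpose));
        }
        MAMKeySpec spec = new MAMKeySpec(uuid, decryptKey(stored), ALGORITHM, stored.equals(getCurrentKeyFromTable(keyPurpose)));
        this.mKeyCache.put(keyId, spec);
        return spec;
    }

    /**
     * Persists file-encryption keys received from the MAM service.
     *
     * <p>Every key is wrapped with {@code MAMKeyProtector.encrypt} before it is written. An
     * existing row has its key bytes replaced only when it carries
     * {@link #FLAG_NEEDS_SERVICE_REFRESH}; otherwise at most its expiry is updated.
     *
     * <p>Side effect: {@code list} is sorted in place with
     * {@code MAMServiceEncryptionKey.ExpiryComparator}.
     *
     * @param list keys as returned by the service; must be a mutable list
     */
    public void storeFileEncryptionKeysFromMAMService(List<MAMServiceEncryptionKey> list) throws OMADMException {
        Collections.sort(list, new MAMServiceEncryptionKey.ExpiryComparator());
        for (MAMServiceEncryptionKey serviceKey : list) {
            MAMKey existing = (MAMKey) this.mTableRepository.get(new MAMKey.Key(serviceKey.getKeyID()));
            if (existing == null) {
                LOGGER.info("Adding escrowed key " + serviceKey.getKeyID() + " with expiration " + serviceKey.getExpiry());
                // Fourth argument 1: presumably the flags value for "from service"; confirm in MAMKey.
                this.mTableRepository.insertOrReplace(new MAMKey(serviceKey.getKeyID(), this.mMAMKeyProtector.encrypt(serviceKey.getBytes()), serviceKey.getExpiry(), 1, Integer.valueOf(KeyPurpose.FileEncryption.id())));
            } else if ((existing.flags.intValue() & FLAG_NEEDS_SERVICE_REFRESH) != 0) {
                LOGGER.info("Replacing existing escrowed key " + serviceKey.getKeyID());
                existing.keyBytes = this.mMAMKeyProtector.encrypt(serviceKey.getBytes());
                existing.expireTime = serviceKey.getExpiry();
                // Clear the bit explicitly instead of toggling it.
                existing.flags = Integer.valueOf(existing.flags.intValue() & ~FLAG_NEEDS_SERVICE_REFRESH);
                this.mTableRepository.update(existing);
            } else if (existing.expireTime.equals(serviceKey.getExpiry())) {
                LOGGER.info("Escrowed key " + serviceKey.getKeyID() + " already known.");
            } else {
                LOGGER.info("Updating expiry for escrowed key " + existing.keyID);
                existing.expireTime = serviceKey.getExpiry();
                this.mTableRepository.update(existing);
            }
        }
    }

    /**
     * Makes the key with id {@code str} the current key for {@code keyPurpose}.
     *
     * @param str key id; must not be {@code null}
     * @return {@code true} if the key is (now) current, {@code false} if it is not in the table
     */
    public boolean updateActiveKeyId(KeyPurpose keyPurpose, String str) {
        LOGGER.info(String.format("Updating the active key for %s to key id %s.", keyPurpose, str));
        synchronized (this.mKeyTypeLock.get(keyPurpose)) {
            MAMKey current = getCurrentKeyFromTable(keyPurpose);
            if (current != null && str.equals(current.keyID)) {
                return true;
            }
            LOGGER.info(keyPurpose + " key " + str + " is not active");
            MAMKey requested = (MAMKey) this.mTableRepository.get(new MAMKey.Key(str));
            if (requested == null) {
                LOGGER.info("Key is not in the table.");
                return false;
            }
            LOGGER.info("Key is already present but was not active");
            // Presumably a null id makes the repository assign a fresh row id, so this key sorts
            // first under "id DESC" in getCurrentKeyFromTable; confirm against TableRepository.
            // NOTE(review): the stored purpose of the requested key is not compared with keyPurpose here.
            requested.id = null;
            this.mTableRepository.insertOrReplace(requested);
            return true;
        }
    }
}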
