package com.google.crypto.tink.integration.android;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Log;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.subtle.Random;
import com.google.crypto.tink.subtle.Validators;
import com.oapm.perftest.trace.TraceWeaver;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Locale;
import javax.annotation.concurrent.GuardedBy;
import javax.crypto.KeyGenerator;

/* loaded from: classes2.dex */
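/**
 * {@link KmsClient} whose keys live in the platform {@code "AndroidKeyStore"} provider.
 *
 * <p>Key URIs start with {@link #PREFIX}; the remainder, as returned by
 * {@code Validators.validateKmsKeyUriAndRemovePrefix}, is used as the keystore alias.
 *
 * <p>Binding: a client built with a key URI serves only that URI. {@link #getAead} rejects any
 * other URI and {@link #doesSupport} requires an exact, case-sensitive match. A client built
 * without a key URI accepts every URI that carries the prefix.
 *
 * <p>Thread-safety: the instance methods that touch {@code keyStore} are {@code synchronized} on
 * the client. The static helpers create their own client, so that lock does not serialise
 * concurrent calls to them.
 *
 * <p>NOTE(review): this listing is decompiler output. The {@code TraceWeaver.i/o} calls come from
 * {@code com.oapm.perftest.trace} and look like injected tracing hooks rather than library logic;
 * they are kept as found.
 */
public final class AndroidKeystoreKmsClient implements KmsClient {
    /** URI scheme that every key URI handled by this client must carry. */
    public static final String PREFIX = "android-keystore://";
    private static final String TAG;
    /** Pause before the single keystore re-initialisation attempt in {@link #hasKey}. */
    private static final int WAIT_TIME_MILLISECONDS_BEFORE_RETRY = 20;

    @GuardedBy("this")
    private KeyStore keyStore;
    // Null means "unbound": any URI with PREFIX is accepted.
    private final String keyUri;

    /**
     * Builder for {@link AndroidKeystoreKmsClient}.
     *
     * <p>The builder is not synchronized; its fields are read once by the client constructor.
     */
    public static final class Builder {
        KeyStore keyStore;
        String keyUri;

        /**
         * Creates a builder backed by a freshly loaded {@code "AndroidKeyStore"} instance.
         *
         * @throws IllegalStateException if the device is below API level 23, or if the keystore
         *     cannot be obtained or loaded (the underlying exception is the cause)
         */
        public Builder() {
            TraceWeaver.i(69195);
            this.keyUri = null;
            this.keyStore = null;
            if (!AndroidKeystoreKmsClient.access$000()) {
                IllegalStateException illegalStateException = new IllegalStateException("need Android Keystore on Android M or newer");
                TraceWeaver.o(69195);
                throw illegalStateException;
            }
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                this.keyStore = keyStore;
                // AndroidKeyStore takes no load parameters.
                keyStore.load(null);
                TraceWeaver.o(69195);
            } catch (IOException | GeneralSecurityException e10) {
                IllegalStateException illegalStateException2 = new IllegalStateException(e10);
                TraceWeaver.o(69195);
                throw illegalStateException2;
            }
        }

        /** Builds a client from the current key URI (possibly null) and keystore. */
        public AndroidKeystoreKmsClient build() {
            TraceWeaver.i(69221);
            AndroidKeystoreKmsClient androidKeystoreKmsClient = new AndroidKeystoreKmsClient(this);
            TraceWeaver.o(69221);
            return androidKeystoreKmsClient;
        }

        /**
         * Replaces the keystore loaded by the constructor.
         *
         * <p>The supplied instance is used as-is; this method does not check its type or whether
         * it has been loaded.
         *
         * @throws IllegalArgumentException if {@code keyStore} is null
         */
        public Builder setKeyStore(KeyStore keyStore) {
            TraceWeaver.i(69213);
            if (keyStore != null) {
                this.keyStore = keyStore;
                TraceWeaver.o(69213);
                return this;
            }
            IllegalArgumentException illegalArgumentException = new IllegalArgumentException("val cannot be null");
            TraceWeaver.o(69213);
            throw illegalArgumentException;
        }

        /**
         * Binds the client to a single key URI.
         *
         * <p>The prefix check is case-insensitive (the URI is lower-cased with {@code Locale.US}),
         * but the URI is stored unchanged and later compared with a case-sensitive
         * {@code equals}. Callers therefore have to present exactly the same spelling.
         *
         * @throws IllegalArgumentException if {@code str} is null or lacks the prefix
         */
        public Builder setKeyUri(String str) {
            TraceWeaver.i(69206);
            if (str == null || !str.toLowerCase(Locale.US).startsWith(AndroidKeystoreKmsClient.PREFIX)) {
                IllegalArgumentException illegalArgumentException = new IllegalArgumentException("val must start with android-keystore://");
                TraceWeaver.o(69206);
                throw illegalArgumentException;
            }
            this.keyUri = str;
            TraceWeaver.o(69206);
            return this;
        }
    }

    static {
        TraceWeaver.i(69167);
        TAG = AndroidKeystoreKmsClient.class.getSimpleName();
        TraceWeaver.o(69167);
    }

    /**
     * Creates an unbound client on a freshly loaded keystore.
     *
     * <p>Failures in {@link Builder#Builder()} surface as {@link IllegalStateException}, not as the
     * declared {@link GeneralSecurityException}.
     */
    public AndroidKeystoreKmsClient() throws GeneralSecurityException {
        this(new Builder());
        TraceWeaver.i(69099);
        TraceWeaver.o(69099);
    }

    private AndroidKeystoreKmsClient(Builder builder) {
        TraceWeaver.i(69107);
        this.keyUri = builder.keyUri;
        this.keyStore = builder.keyStore;
        TraceWeaver.o(69107);
    }

    /**
     * Creates a client bound to {@code str}.
     *
     * @throws IllegalArgumentException if {@code str} is null or lacks {@link #PREFIX}
     * @deprecated kept as found in the listing; the {@link Builder} offers the same binding.
     */
    @Deprecated
    public AndroidKeystoreKmsClient(String str) {
        this(new Builder().setKeyUri(str));
        TraceWeaver.i(69104);
        TraceWeaver.o(69104);
    }

    // Compiler-generated accessor that lets the nested Builder reach the private isAtLeastM().
    static /* synthetic */ boolean access$000() {
        return isAtLeastM();
    }

    /**
     * Generates a 256-bit AES-GCM key under the alias derived from {@code str}.
     *
     * <p>The key spec requests only key size, block mode and padding. No user-authentication or
     * other usage restriction is set here.
     *
     * <p>NOTE(review): the existence check and the generation are separate steps, and no lock
     * spans them (the check runs on a client created inside this call). Two concurrent callers
     * can both pass the check. Presumably the later {@code generateKey()} then replaces the key
     * stored under the alias, which would make ciphertext produced with the earlier key
     * undecryptable. Confirm against the provider and serialise callers if that matters.
     *
     * @throws IllegalArgumentException if a key with that alias already exists
     * @throws GeneralSecurityException if the URI is rejected or key generation fails
     */
    public static void generateNewAeadKey(String str) throws GeneralSecurityException {
        TraceWeaver.i(69148);
        if (new AndroidKeystoreKmsClient().hasKey(str)) {
            IllegalArgumentException illegalArgumentException = new IllegalArgumentException(String.format("cannot generate a new key %s because it already exists; please delete it with deleteKey() and try again", str));
            TraceWeaver.o(69148);
            throw illegalArgumentException;
        }
        String alias = Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str);
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        // 3 == KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT (the decompiler
        // inlined the constants); "GCM" and "NoPadding" are likewise the inlined block-mode and
        // padding constants.
        keyGenerator.init(new KeyGenParameterSpec.Builder(alias, 3).setKeySize(256).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
        keyGenerator.generateKey();
        TraceWeaver.o(69148);
    }

    /**
     * Returns an {@link Aead} for {@code str}, generating the key first if the alias is absent.
     *
     * <p>The key URI is written to the Android log at warning level when a key is generated. It
     * is an identifier, not key material, but it does become visible to anything that can read
     * the log.
     *
     * <p>The check-then-generate sequence is not atomic; see {@link #generateNewAeadKey}.
     */
    public static Aead getOrGenerateNewAeadKey(String str) throws GeneralSecurityException, IOException {
        TraceWeaver.i(69144);
        AndroidKeystoreKmsClient androidKeystoreKmsClient = new AndroidKeystoreKmsClient();
        if (!androidKeystoreKmsClient.hasKey(str)) {
            Log.w(TAG, String.format("key URI %s doesn't exist, generating a new one", str));
            generateNewAeadKey(str);
        }
        Aead aead = androidKeystoreKmsClient.getAead(str);
        TraceWeaver.o(69144);
        return aead;
    }

    /** Returns true on API level 23 (Android M) or newer. */
    private static boolean isAtLeastM() {
        TraceWeaver.i(69162);
        boolean z10 = Build.VERSION.SDK_INT >= 23;
        TraceWeaver.o(69162);
        return z10;
    }

    /**
     * Self-test: encrypts and decrypts 10 random bytes with empty associated data and checks the
     * round trip.
     *
     * <p>This detects a keystore that returns wrong results. It says nothing about how the key
     * is protected.
     *
     * @throws KeyStoreException if the decrypted bytes differ from the input
     * @throws GeneralSecurityException if encryption or decryption itself fails
     */
    private static Aead validateAead(Aead aead) throws GeneralSecurityException {
        TraceWeaver.i(69154);
        byte[] plaintext = Random.randBytes(10);
        byte[] emptyAad = new byte[0];
        if (Arrays.equals(plaintext, aead.decrypt(aead.encrypt(plaintext, emptyAad), emptyAad))) {
            TraceWeaver.o(69154);
            return aead;
        }
        KeyStoreException keyStoreException = new KeyStoreException("cannot use Android Keystore: encryption/decryption of non-empty message and empty aad returns an incorrect result");
        TraceWeaver.o(69154);
        throw keyStoreException;
    }

    /**
     * Deletes the keystore entry for {@code str}.
     *
     * <p>The client's key-URI binding is not consulted, so a bound client can delete the entry
     * for any URI that passes prefix validation. Data encrypted under a deleted key cannot be
     * recovered through this client.
     */
    public synchronized void deleteKey(String str) throws GeneralSecurityException {
        TraceWeaver.i(69137);
        this.keyStore.deleteEntry(Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str));
        TraceWeaver.o(69137);
    }

    /**
     * Reports whether this client serves {@code str}.
     *
     * <p>A bound client matches only its own URI (case-sensitive). An unbound client matches any
     * URI whose lower-cased form starts with {@link #PREFIX}.
     *
     * @throws NullPointerException if {@code str} is null and the client is unbound
     */
    @Override // com.google.crypto.tink.KmsClient
    public synchronized boolean doesSupport(String str) {
        TraceWeaver.i(69114);
        String str2 = this.keyUri;
        boolean z10 = true;
        if (str2 != null && str2.equals(str)) {
            TraceWeaver.o(69114);
            return true;
        }
        // A bound client that did not match above supports nothing else.
        if (this.keyUri != null || !str.toLowerCase(Locale.US).startsWith(PREFIX)) {
            z10 = false;
        }
        TraceWeaver.o(69114);
        return z10;
    }

    /**
     * Returns an {@link Aead} backed by the keystore entry for {@code str}, after a round-trip
     * self-test.
     *
     * @throws GeneralSecurityException if the client is bound to a different URI, if the URI is
     *     rejected by validation, or if the self-test fails
     */
    @Override // com.google.crypto.tink.KmsClient
    public synchronized Aead getAead(String str) throws GeneralSecurityException {
        Aead validateAead;
        TraceWeaver.i(69133);
        String str2 = this.keyUri;
        // Enforce the binding before touching the keystore.
        if (str2 != null && !str2.equals(str)) {
            GeneralSecurityException generalSecurityException = new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.keyUri, str));
            TraceWeaver.o(69133);
            throw generalSecurityException;
        }
        validateAead = validateAead(new AndroidKeystoreAesGcm(Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str), this.keyStore));
        TraceWeaver.o(69133);
        return validateAead;
    }

    /**
     * Reports whether the keystore holds an entry for {@code str}.
     *
     * <p>If the lookup throws {@link NullPointerException} (logged as the keystore being
     * temporarily unavailable), the method waits, re-initialises the keystore once and retries.
     * A failure of the retry propagates to the caller.
     *
     * <p>If the wait is interrupted, the re-initialisation is skipped and the retry runs against
     * the existing keystore instance. The interrupt status is restored so callers can observe it.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized boolean hasKey(String str) throws GeneralSecurityException {
        boolean containsAlias;
        TraceWeaver.i(69139);
        String alias = Validators.validateKmsKeyUriAndRemovePrefix(PREFIX, str);
        try {
            containsAlias = this.keyStore.containsAlias(alias);
            TraceWeaver.o(69139);
        } catch (NullPointerException unused) {
            Log.w(TAG, "Keystore is temporarily unavailable, wait 20ms, reinitialize Keystore and try again.");
            try {
                Thread.sleep(WAIT_TIME_MILLISECONDS_BEFORE_RETRY);
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                this.keyStore = keyStore;
                keyStore.load(null);
            } catch (IOException e10) {
                GeneralSecurityException generalSecurityException = new GeneralSecurityException(e10);
                TraceWeaver.o(69139);
                throw generalSecurityException;
            } catch (InterruptedException interrupted) {
                // Do not lose the interrupt: the caller's thread may be shutting down.
                Thread.currentThread().interrupt();
            }
            boolean containsAlias2 = this.keyStore.containsAlias(alias);
            TraceWeaver.o(69139);
            return containsAlias2;
        }
        return containsAlias;
    }

    /**
     * Returns a new default client; {@code str} is ignored.
     *
     * <p>The returned client is unbound and uses a freshly loaded keystore. Neither this client's
     * key-URI binding nor a keystore set through the builder is carried over.
     */
    @Override // com.google.crypto.tink.KmsClient
    public KmsClient withCredentials(String str) throws GeneralSecurityException {
        TraceWeaver.i(69123);
        AndroidKeystoreKmsClient androidKeystoreKmsClient = new AndroidKeystoreKmsClient();
        TraceWeaver.o(69123);
        return androidKeystoreKmsClient;
    }

    /**
     * Returns a new default client.
     *
     * <p>As with {@link #withCredentials}, the result is unbound and does not inherit this
     * client's key URI or keystore.
     */
    @Override // com.google.crypto.tink.KmsClient
    public KmsClient withDefaultCredentials() throws GeneralSecurityException {
        TraceWeaver.i(69129);
        AndroidKeystoreKmsClient androidKeystoreKmsClient = new AndroidKeystoreKmsClient();
        TraceWeaver.o(69129);
        return androidKeystoreKmsClient;
    }
}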
