package com.google.crypto.tink.integration.android;

import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.util.Log;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplate;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.KeysetManager;
import com.google.crypto.tink.KeysetReader;
import com.google.crypto.tink.KeysetWriter;
import com.google.crypto.tink.Util;
import com.google.crypto.tink.integration.android.AndroidKeystoreKmsClient;
import com.google.crypto.tink.proto.EncryptedKeyset;
import com.google.crypto.tink.proto.Keyset;
import com.google.crypto.tink.shaded.protobuf.InvalidProtocolBufferException;
import com.google.crypto.tink.subtle.Validators;
import java.io.FileNotFoundException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.ProviderException;
import javax.annotation.concurrent.GuardedBy;
import javax.crypto.KeyGenerator;

/* loaded from: classes3.dex */
/**
 * Decompiled, name-obfuscated holder for a Tink {@link KeysetManager} whose keyset is loaded from
 * (or created in) app storage and, when possible, wrapped with an Android Keystore master key.
 *
 * <p>Security-relevant behaviour visible in this listing:
 * <ul>
 *   <li>If the Android Keystore cannot be used ({@code Builder.b()} returns {@code null}), the
 *       build continues without an {@link Aead}: a newly generated keyset is then handed to the
 *       writer without the Aead wrapping step.</li>
 *   <li>If decrypting the stored keyset fails, {@code Builder.d()} only logs a warning and
 *       retries the read through the reader's non-encrypted path.</li>
 * </ul>
 * Both fallbacks are silent apart from a {@code Log.w}; callers that require keystore-wrapped
 * storage get no signal from this class that it was not achieved.
 *
 * <p>NOTE(review): several methods throw checked exceptions ({@link GeneralSecurityException},
 * {@link KeyStoreException}) without a {@code throws} clause; the decompiler appears to have
 * dropped the clauses, so the listing is not compilable as shown.
 */
public final class AndroidKeysetManager {
    // Log tag passed to every Log call in this class.
    static final String a = "AndroidKeysetManager";
    // Writer copied from the Builder; not used by any method visible in this listing.
    private final KeysetWriter b;
    // Master-key Aead copied from the Builder; null when no keystore key is in use.
    private final Aead c;

    // The wrapped keyset manager produced by Builder.c().
    @GuardedBy("this")
    private KeysetManager d;

    /**
     * Collects the reader/writer, master key URI and key template, then loads or generates the
     * keyset in {@link #a()}.
     *
     * <p>Field names are obfuscated; the roles below are derived from how each field is used in
     * this listing.
     */
    /* loaded from: classes3.dex */
    public static final class Builder {

        // Result of c(); annotated as guarded by "this", and only written inside the
        // synchronized a() build method.
        @GuardedBy("this")
        KeysetManager d;
        // Source of the stored keyset; set by a(Context, String, String).
        private KeysetReader e = null;
        // Destination for a newly generated keyset; set by a(Context, String, String).
        KeysetWriter a = null;
        // Master key URI; must start with "android-keystore://" (enforced in a(String)).
        private String f = null;
        // Aead backed by the master key, or null when the keystore is unused or unusable.
        Aead b = null;
        // "Use keystore" flag checked by a(String). The error text there refers to
        // doNotUseKeystore(), but no setter for this flag is visible in this listing.
        private boolean g = true;
        // Template used to generate a keyset when none can be read; may stay null.
        public KeyTemplate c = null;
        // Optional custom KeyStore for the KMS client; no setter is visible in this listing.
        private KeyStore h = null;

        /**
         * Obtains the master-key {@link Aead} for the URI in {@code f}, generating the key in the
         * Android Keystore first when it does not exist yet.
         *
         * @return the Aead, or {@code null} when the platform is older than API 23 or the
         *     keystore cannot be used for a key that did not previously exist; a {@code null}
         *     result makes the rest of the build proceed without keyset wrapping
         * @throws KeyStoreException (undeclared in the decompiled signature) when the key already
         *     existed but the Aead cannot be obtained for it
         */
        private Aead b() {
            AndroidKeystoreKmsClient androidKeystoreKmsClient;
            // API 23 (Android M) is the minimum; below it the keystore is skipped entirely.
            if (!(Build.VERSION.SDK_INT >= 23)) {
                Log.w(AndroidKeysetManager.a, "Android Keystore requires at least Android M");
                return null;
            }
            if (this.h != null) {
                AndroidKeystoreKmsClient.Builder builder = new AndroidKeystoreKmsClient.Builder();
                KeyStore keyStore = this.h;
                // Unreachable given the enclosing check; looks like an inlined setter's guard.
                if (keyStore == null) {
                    throw new IllegalArgumentException("val cannot be null");
                }
                builder.b = keyStore;
                androidKeystoreKmsClient = new AndroidKeystoreKmsClient(builder, (byte) 0);
            } else {
                androidKeystoreKmsClient = new AndroidKeystoreKmsClient();
            }
            // presumably "does a key for this URI already exist?" - the obfuscated c(String) is
            // followed below by an "already exists" error on the same call; confirm in the client.
            boolean c = androidKeystoreKmsClient.c(this.f);
            if (!c) {
                try {
                    String str = this.f;
                    // NOTE(review): the existence re-check uses a default client, not the
                    // custom-KeyStore client built above, so the two checks may consult
                    // different stores when h is set.
                    if (new AndroidKeystoreKmsClient().c(str)) {
                        throw new IllegalArgumentException(String.format("cannot generate a new key %s because it already exists; please delete it with deleteKey() and try again", str));
                    }
                    // presumably validates the URI prefix and returns the bare key alias - TODO confirm
                    String a = Validators.a("android-keystore://", str);
                    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
                    // Purposes 3 = PURPOSE_ENCRYPT | PURPOSE_DECRYPT; AES-256 in GCM, no padding.
                    keyGenerator.init(new KeyGenParameterSpec.Builder(a, 3).setKeySize(256).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
                    keyGenerator.generateKey();
                } catch (GeneralSecurityException | ProviderException e) {
                    // Key generation failure is not fatal: the keystore is dropped for this build.
                    Log.w(AndroidKeysetManager.a, "cannot use Android Keystore, it'll be disabled", e);
                    return null;
                }
            }
            try {
                // presumably returns the Aead bound to the key URI - TODO confirm in the client.
                return androidKeystoreKmsClient.b(this.f);
            } catch (GeneralSecurityException | ProviderException e2) {
                // A pre-existing key that cannot be used is treated as an error, because a keyset
                // may already be encrypted under it; a freshly generated key just disables the
                // keystore.
                if (c) {
                    throw new KeyStoreException(String.format("the master key %s exists but is unusable", this.f), e2);
                }
                Log.w(AndroidKeysetManager.a, "cannot use Android Keystore, it'll be disabled", e2);
                return null;
            }
        }

        /**
         * Loads the stored keyset via {@link #d()}, or generates and persists a new one from the
         * key template when the read raises {@link FileNotFoundException}.
         *
         * @return the manager for the loaded or newly generated keyset
         * @throws GeneralSecurityException (undeclared in the decompiled signature) when nothing
         *     could be read and no key template was supplied
         */
        private KeysetManager c() {
            try {
                return d();
            } catch (FileNotFoundException e) {
                // 4 is Log.INFO. The message is computed and discarded - presumably the residue
                // of a log call that was stripped from the build.
                if (Log.isLoggable(AndroidKeysetManager.a, 4)) {
                    e.getMessage();
                }
                if (this.c == null) {
                    throw new GeneralSecurityException("cannot read or generate keyset");
                }
                // presumably: start from an empty keyset builder and add one key from the template.
                KeysetManager a = new KeysetManager(Keyset.DEFAULT_INSTANCE.j()).a(this.c);
                // presumably: promote the first (only) key to primary using its key id.
                KeysetManager a2 = a.a(Util.a(a.a().a).keyInfo_.get(0).keyId_);
                if (this.b != null) {
                    KeysetHandle a3 = a2.a();
                    // Wrapped path: the keyset goes through the master-key Aead with an empty
                    // byte array as the extra argument (presumably the associated data).
                    this.a.a(KeysetHandle.a(a3.a, this.b, new byte[0]));
                } else {
                    // Unwrapped path: no Aead is available, so the keyset is handed to the writer
                    // as-is. Reached whenever b() returned null or no master key URI was set.
                    this.a.a(a2.a().a);
                }
                return a2;
            }
        }

        /**
         * Reads the stored keyset, trying the encrypted form first when an Aead is available.
         *
         * <p>Any decryption or parse failure, including the "empty keyset" case raised inside
         * the {@code try}, is logged and then followed by a read through the reader's
         * non-encrypted path, so a failed decrypt does not stop the load.
         *
         * @return the manager built from the stored keyset
         */
        private KeysetManager d() {
            Aead aead = this.b;
            if (aead != null) {
                try {
                    // Empty extra argument, matching the one used when writing in c().
                    byte[] bArr = new byte[0];
                    EncryptedKeyset b = this.e.b();
                    if (b == null || b.encryptedKeyset_.b() == 0) {
                        throw new GeneralSecurityException("empty keyset");
                    }
                    return KeysetManager.a(new KeysetHandle(KeysetHandle.a(b, aead, bArr)));
                } catch (InvalidProtocolBufferException | GeneralSecurityException e) {
                    // Not rethrown: control falls through to the non-encrypted read below.
                    Log.w(AndroidKeysetManager.a, "cannot decrypt keyset: ", e);
                }
            }
            // Reached when there is no Aead or when decryption failed.
            return KeysetManager.a(KeysetHandle.a(this.e.a()));
        }

        /**
         * Configures the keyset reader and writer from the same three arguments.
         *
         * @param context Android context; must not be null
         * @param str passed to both reader and writer - presumably the keyset name, TODO confirm
         * @param str2 passed to both reader and writer - presumably the preference file name,
         *     TODO confirm
         * @return this builder
         * @throws IllegalArgumentException if {@code context} is null
         */
        public final Builder a(Context context, String str, String str2) {
            if (context == null) {
                throw new IllegalArgumentException("need an Android context");
            }
            this.e = new SharedPrefKeysetReader(context, str, str2);
            this.a = new SharedPrefKeysetWriter(context, str, str2);
            return this;
        }

        /**
         * Sets the master key URI (named withMasterKeyUri() in the error text below).
         *
         * @param str key URI; must start with {@code android-keystore://}. A null value fails
         *     with a NullPointerException on the prefix check.
         * @return this builder
         * @throws IllegalArgumentException if the prefix is wrong or the keystore flag {@code g}
         *     has been cleared
         */
        public final Builder a(String str) {
            if (!str.startsWith("android-keystore://")) {
                throw new IllegalArgumentException("key URI must start with android-keystore://");
            }
            if (!this.g) {
                throw new IllegalArgumentException("cannot call withMasterKeyUri() after calling doNotUseKeystore()");
            }
            this.f = str;
            return this;
        }

        /**
         * Builds the manager: resolves the master-key Aead when a key URI was set, then loads or
         * generates the keyset.
         *
         * <p>When no key URI was set, or when {@code b()} returns null, {@code this.b} stays null
         * and the keyset is read and written without wrapping. The reader and writer are
         * dereferenced without a null check, so {@code a(Context, String, String)} has to be
         * called first.
         *
         * @return a new manager holding the writer, Aead and keyset manager from this builder
         */
        public final synchronized AndroidKeysetManager a() {
            if (this.f != null) {
                this.b = b();
            }
            this.d = c();
            return new AndroidKeysetManager(this, (byte) 0);
        }
    }

    /** Copies the writer, Aead and keyset manager out of a built {@link Builder}. */
    private AndroidKeysetManager(Builder builder) {
        this.b = builder.a;
        this.c = builder.b;
        this.d = builder.d;
    }

    /** Compiler-generated accessor constructor; the byte argument is an unused marker. */
    /* synthetic */ AndroidKeysetManager(Builder builder, byte b) {
        this(builder);
    }

    /**
     * Returns the {@link KeysetHandle} obtained from the wrapped keyset manager.
     *
     * @return the handle produced by the manager's obfuscated {@code a()} call
     */
    public final synchronized KeysetHandle a() {
        return this.d.a();
    }
}
