package com.google.crypto.tink.integration.android;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.subtle.Random;
import com.google.crypto.tink.subtle.Validators;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Locale;
import javax.crypto.KeyGenerator;

/* loaded from: classes.dex */
public final class AndroidKeystoreKmsClient implements KmsClient {

    /* renamed from: a, reason: collision with root package name */
    private final String f6190a;

    /* renamed from: b, reason: collision with root package name */
    private final KeyStore f6191b;

    /* loaded from: classes.dex */
    public static final class Builder {

        /* renamed from: a, reason: collision with root package name */
        String f6192a = null;

        /* renamed from: b, reason: collision with root package name */
        KeyStore f6193b;

        public Builder() {
            this.f6193b = null;
            if (!AndroidKeystoreKmsClient.c()) {
                throw new IllegalStateException("need Android Keystore on Android M or newer");
            }
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                this.f6193b = keyStore;
                keyStore.load(null);
            } catch (IOException | GeneralSecurityException e2) {
                throw new IllegalStateException(e2);
            }
        }

        public AndroidKeystoreKmsClient a() {
            return new AndroidKeystoreKmsClient(this);
        }

        public Builder b(KeyStore keyStore) {
            if (keyStore == null) {
                throw new IllegalArgumentException("val cannot be null");
            }
            this.f6193b = keyStore;
            return this;
        }
    }

    public AndroidKeystoreKmsClient() {
        this(new Builder());
    }

    private AndroidKeystoreKmsClient(Builder builder) {
        this.f6190a = builder.f6192a;
        this.f6191b = builder.f6193b;
    }

    static /* synthetic */ boolean c() {
        return f();
    }

    public static void d(String str) {
        if (new AndroidKeystoreKmsClient().e(str)) {
            throw new IllegalArgumentException(String.format("cannot generate a new key %s because it already exists; please delete it with deleteKey() and try again", str));
        }
        String b2 = Validators.b("android-keystore://", str);
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        keyGenerator.init(new KeyGenParameterSpec.Builder(b2, 3).setKeySize(256).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
        keyGenerator.generateKey();
    }

    private static boolean f() {
        return Build.VERSION.SDK_INT >= 23;
    }

    private static Aead g(Aead aead) {
        byte[] c2 = Random.c(10);
        byte[] bArr = new byte[0];
        if (Arrays.equals(c2, aead.b(aead.a(c2, bArr), bArr))) {
            return aead;
        }
        throw new KeyStoreException("cannot use Android Keystore: encryption/decryption of non-empty message and empty aad returns an incorrect result");
    }

    @Override // com.google.crypto.tink.KmsClient
    public boolean a(String str) {
        String str2 = this.f6190a;
        if (str2 == null || !str2.equals(str)) {
            return this.f6190a == null && str.toLowerCase(Locale.US).startsWith("android-keystore://");
        }
        return true;
    }

    @Override // com.google.crypto.tink.KmsClient
    public Aead b(String str) {
        String str2 = this.f6190a;
        if (str2 != null && !str2.equals(str)) {
            throw new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.f6190a, str));
        }
        AndroidKeystoreAesGcm androidKeystoreAesGcm = new AndroidKeystoreAesGcm(Validators.b("android-keystore://", str), this.f6191b);
        g(androidKeystoreAesGcm);
        return androidKeystoreAesGcm;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean e(String str) {
        return this.f6191b.containsAlias(Validators.b("android-keystore://", str));
    }
}
