package com.android.identity.android.legacy;

import android.content.Context;
import android.icu.util.Calendar;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.UserNotAuthenticatedException;
import android.util.AtomicFile;
import android.util.Log;
import android.util.Pair;
import at.asitplus.wallet.app.common.dcapi.IdentityCredentialField;
import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborEncoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.ArrayBuilder;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.Number;
import co.nstant.in.cbor.model.UnicodeString;
import co.nstant.in.cbor.model.UnsignedInteger;
import com.android.identity.android.legacy.AccessControlProfile;
import com.android.identity.android.legacy.PersonalizationData;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.AbstractList;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes3.dex */
public class CredentialData {
    // Tag passed to android.util.Log by this class.
    private static final String TAG = "CredentialData";
    // Access-control-profile id -> keystore alias of that profile's timeout key. There is no
    // initializer: the field is null until createCredentialData() or loadAuthKey() assigns it.
    private AbstractMap<Integer, String> mAcpTimeoutKeyAliases;
    private final Context mContext;
    // Caller-supplied credential name; file name and key aliases are derived from it.
    private final String mCredentialName;
    // Directory that holds the encrypted credential file.
    private final File mStorageDirectory;
    private String mDocType = "";
    // Keystore alias of the credential key (the key used to sign the proof of deletion).
    private String mCredentialKeyAlias = "";
    private Collection<X509Certificate> mCertificateChain = null;
    private byte[] mProofOfProvisioningSha256 = null;
    private AbstractList<AccessControlProfile> mAccessControlProfiles = new ArrayList();
    // Lookup of the profiles above by their numeric id.
    private AbstractMap<Integer, AccessControlProfile> mProfileIdToAcpMap = new HashMap();
    private AbstractList<PersonalizationData.NamespaceData> mNamespaceDatas = new ArrayList();
    private int mAuthKeyCount = 0;
    private int mAuthMaxUsesPerKey = 1;
    private long mAuthKeyMinValidTimeMillis = 0;
    // Empty string means no per-reader-session key has been created for this credential.
    private String mPerReaderSessionKeyAlias = "";
    private AbstractList<AuthKeyData> mAuthKeyDatas = new ArrayList();
    // Not referenced in the part of the class visible here.
    final int CHUNKED_ENCRYPTED_MAX_CHUNK_SIZE = 16384;
    // Marker string that loadFromDiskDecrypt() looks for at byte offset 2 of the stored blob.
    final String CHUNKED_ENCRYPTED_MAGIC = "ChunkedEncryptedData";

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes3.dex */
    /**
     * Mutable holder for one authentication-key slot as persisted by {@code CredentialData}:
     * the current key (alias, certificate, static authentication data, use count, expiration)
     * and a pending replacement (alias and certificate).
     *
     * <p>A fresh instance has empty strings and empty byte arrays, a use count of 0 and no
     * expiration date.
     */
    public static class AuthKeyData {
        String mAlias;
        byte[] mCertificate;
        byte[] mStaticAuthenticationData;
        int mUseCount;
        String mPendingAlias;
        byte[] mPendingCertificate;
        Calendar mExpirationDate;

        AuthKeyData() {
            // Current key slot.
            mAlias = "";
            mCertificate = new byte[0];
            mStaticAuthenticationData = new byte[0];
            mUseCount = 0;
            // Pending replacement slot.
            mPendingAlias = "";
            mPendingCertificate = new byte[0];
            mExpirationDate = null;
        }
    }

    /**
     * Creates an empty instance bound to a storage directory and credential name. Nothing is
     * read from or written to disk here; the static factories do that.
     *
     * @param context application context, stored as-is
     * @param file directory in which the credential file lives
     * @param str credential name
     */
    private CredentialData(Context context, File file, String str) {
        mContext = context;
        mStorageDirectory = file;
        mCredentialName = str;
    }

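    /**
     * Rebuilds an {@link AccessControlProfile} from the CBOR map written by
     * {@link #accessControlProfileToCbor}.
     *
     * <p>Keys read: {@code id} (required number), {@code readerCertificate} (optional byte
     * string holding an encoded X.509 certificate), {@code capabilityType} (its presence alone
     * switches user authentication on) and {@code timeout} (optional number, only consulted when
     * {@code capabilityType} is present; absent means 0).
     *
     * @param dataItem CBOR item holding one profile
     * @return the decoded profile
     * @throws IllegalArgumentException if the item is not a map, a field has the wrong CBOR
     *     type, or the reader certificate cannot be parsed
     */
    public static AccessControlProfile accessControlProfileFromCbor(DataItem dataItem) {
        if (!(dataItem instanceof Map)) {
            throw new IllegalArgumentException("Item is not a map");
        }
        Map map = (Map) dataItem;

        // Check the type before casting so a damaged record fails with a clear message instead
        // of a NullPointerException or ClassCastException.
        DataItem idItem = map.get(new UnicodeString("id"));
        if (!(idItem instanceof Number)) {
            throw new IllegalArgumentException("id not found or not a number");
        }
        AccessControlProfile.Builder builder = new AccessControlProfile.Builder(
                new AccessControlProfileId(((Number) idItem).getValue().intValue()));

        DataItem certItem = map.get(new UnicodeString("readerCertificate"));
        if (certItem != null) {
            if (!(certItem instanceof ByteString)) {
                throw new IllegalArgumentException("readerCertificate is not a bstr");
            }
            try {
                builder.setReaderCertificate((X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(((ByteString) certItem).getBytes())));
            } catch (CertificateException e) {
                throw new IllegalArgumentException("Error decoding readerCertificate", e);
            }
        }

        builder.setUserAuthenticationRequired(false);
        if (map.get(new UnicodeString("capabilityType")) != null) {
            builder.setUserAuthenticationRequired(true);
            // The decompiled source referenced an undeclared register (r4) here; the value is
            // the "timeout" entry, so fetch it into a local. It is read as a long because
            // accessControlProfileToCbor() writes it as a long; intValue() would wrap for
            // timeouts above Integer.MAX_VALUE milliseconds.
            DataItem timeoutItem = map.get(new UnicodeString("timeout"));
            if (timeoutItem != null && !(timeoutItem instanceof Number)) {
                throw new IllegalArgumentException("timeout is not a number");
            }
            builder.setUserAuthenticationTimeout(
                    timeoutItem == null ? 0L : ((Number) timeoutItem).getValue().longValue());
        }
        return builder.build();
    }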

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Encodes an access control profile as a CBOR map.
     *
     * <p>Always writes {@code id}. Writes {@code readerCertificate} when the profile has one.
     * When user authentication is required, writes {@code capabilityType} = 1 and, for a
     * non-zero timeout, {@code timeout}.
     *
     * @param accessControlProfile profile to encode
     * @return the CBOR map item
     * @throws IllegalStateException if the reader certificate cannot be encoded
     */
    public static DataItem accessControlProfileToCbor(AccessControlProfile accessControlProfile) {
        CborBuilder root = new CborBuilder();
        MapBuilder<CborBuilder> profileMap = root.addMap();
        profileMap.put("id", accessControlProfile.getAccessControlProfileId().getId());

        X509Certificate readerCert = accessControlProfile.getReaderCertificate();
        if (readerCert != null) {
            byte[] encodedCert;
            try {
                encodedCert = readerCert.getEncoded();
            } catch (CertificateEncodingException e) {
                throw new IllegalStateException("Error encoding reader mCertificate", e);
            }
            profileMap.put("readerCertificate", encodedCert);
        }

        if (!accessControlProfile.isUserAuthenticationRequired()) {
            return root.build().get(0);
        }
        profileMap.put("capabilityType", 1L);
        long timeoutMillis = accessControlProfile.getUserAuthenticationTimeout();
        // A timeout of zero is represented by leaving the key out.
        if (timeoutMillis != 0) {
            profileMap.put("timeout", timeoutMillis);
        }
        return root.build().get(0);
    }

    /**
     * Builds and signs the proof-of-deletion structure.
     *
     * <p>The signed payload is the CBOR array {@code ["ProofOfDeletion", docType, challenge?,
     * false]}; the challenge element is present only when {@code bArr} is non-null. The payload
     * is signed as COSE_Sign1 with {@code SHA256withECDSA} and the result is CBOR-encoded.
     *
     * @param str document type placed in the proof
     * @param privateKey key used to sign
     * @param bArr optional challenge, may be null
     * @return the encoded signature structure
     * @throws RuntimeException if CBOR encoding fails
     */
    static byte[] buildProofOfDeletionSignature(String str, PrivateKey privateKey, byte[] bArr) {
        CborBuilder proofBuilder = new CborBuilder();
        ArrayBuilder<CborBuilder> proof = proofBuilder.addArray();
        proof.add("ProofOfDeletion").add(str);
        if (bArr != null) {
            proof.add(bArr);
        }
        proof.add(false);

        try {
            ByteArrayOutputStream payload = new ByteArrayOutputStream();
            CborEncoder encoder = new CborEncoder(payload);
            encoder.encode(proofBuilder.build().get(0));
            byte[] toBeSigned = payload.toByteArray();
            return Util.cborEncode(Util.coseSign1Sign(privateKey, "SHA256withECDSA", toBeSigned, null, null));
        } catch (CborException e) {
            throw new RuntimeException("Error building ProofOfDeletion", e);
        }
    }

    /**
     * Probes whether the auth-bound keystore key {@code str} is currently usable by running a
     * throwaway AES-GCM encryption with it.
     *
     * <p>Fails closed: {@link UserNotAuthenticatedException} and every other listed keystore or
     * cipher failure are reported as "not authenticated". A missing key raises
     * {@code CredentialInvalidatedException}; that type is not in the catch list here, so it
     * propagates unless it is a subtype of one of the caught exceptions (not visible from this
     * file).
     *
     * @param str keystore alias of the key to probe
     * @return true when the probe encryption succeeded, false otherwise
     */
    private boolean checkUserAuthenticationTimeout(String str) {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            KeyStore.Entry keyEntry = androidKeyStore.getEntry(str, null);
            if (keyEntry == null) {
                throw new CredentialInvalidatedException("Failed getting key used for credential");
            }
            SecretKey probeKey = ((KeyStore.SecretKeyEntry) keyEntry).getSecretKey();
            Cipher probe = Cipher.getInstance("AES/GCM/NoPadding");
            probe.init(Cipher.ENCRYPT_MODE, probeKey);
            // The ciphertext is discarded; only whether the keystore allows the operation matters.
            probe.doFinal(new byte[]{1, 2});
        } catch (UserNotAuthenticatedException unused) {
            return false;
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            Log.w(TAG, "Unexpected exception `" + e.getMessage() + "`, assuming user not authenticated");
            return false;
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a new credential record, generates the keystore keys its access control profiles
     * need, creates the data-encryption key and writes the record to disk.
     *
     * <p>For every profile that requires user authentication: a timeout of 0 makes sure the
     * per-reader-session key exists, and a positive timeout creates a timeout key for that
     * profile.
     *
     * @param context application context
     * @param file storage directory
     * @param str document type
     * @param str2 credential name
     * @param str3 keystore alias of the credential key
     * @param collection certificate chain of the credential key
     * @param personalizationData profiles and namespace data to store
     * @param bArr SHA-256 of the proof of provisioning
     * @param z when true, the "already exists" check is skipped
     * @return the populated, persisted instance
     * @throws RuntimeException if the name is taken and {@code z} is false, or key creation fails
     */
    public static CredentialData createCredentialData(Context context, File file, String str, String str2, String str3, Collection<X509Certificate> collection, PersonalizationData personalizationData, byte[] bArr, boolean z) {
        boolean mustBeNew = !z;
        if (mustBeNew && credentialAlreadyExists(context, file, str2)) {
            throw new RuntimeException("Credential with given name already exists");
        }

        CredentialData created = new CredentialData(context, file, str2);
        created.mDocType = str;
        created.mCredentialKeyAlias = str3;
        created.mCertificateChain = collection;
        created.mProofOfProvisioningSha256 = bArr;

        created.mAccessControlProfiles = new ArrayList<>();
        created.mProfileIdToAcpMap = new HashMap<>();
        for (AccessControlProfile profile : personalizationData.getAccessControlProfiles()) {
            int profileId = profile.getAccessControlProfileId().getId();
            created.mAccessControlProfiles.add(profile);
            created.mProfileIdToAcpMap.put(Integer.valueOf(profileId), profile);
        }

        created.mNamespaceDatas = new ArrayList<>();
        created.mNamespaceDatas.addAll(personalizationData.getNamespaceDatas());

        // Key generation is kept as a second pass so it starts only after the in-memory state
        // above is complete, as in the original ordering.
        created.mAcpTimeoutKeyAliases = new HashMap<>();
        for (AccessControlProfile profile : personalizationData.getAccessControlProfiles()) {
            boolean authRequired = profile.isUserAuthenticationRequired();
            long timeoutMillis = profile.getUserAuthenticationTimeout();
            if (!authRequired) {
                continue;
            }
            if (timeoutMillis == 0) {
                ensurePerReaderSessionKey(str2, created);
            }
            ensureAcpTimoutKeyForProfile(str2, created, profile, timeoutMillis);
        }

        created.createDataEncryptionKey();
        created.saveToDisk();
        return created;
    }

    /**
     * Generates the 128-bit AES-GCM key in AndroidKeyStore that encrypts this credential's
     * on-disk data. The alias is derived from the credential name.
     *
     * <p>The key spec does not call {@code setUserAuthenticationRequired}, so this key is not
     * bound to user authentication.
     *
     * @throws RuntimeException if the key cannot be generated
     */
    private void createDataEncryptionKey() {
        final String dataKeyAlias = getDataKeyAliasFromCredentialName(this.mCredentialName);
        try {
            KeyGenerator aesGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            // Purposes 3 = PURPOSE_ENCRYPT (1) | PURPOSE_DECRYPT (2).
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(dataKeyAlias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setKeySize(128)
                    .build();
            aesGenerator.init(spec);
            aesGenerator.generateKey();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new RuntimeException("Error creating data encryption key", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
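    /**
     * Reports whether a credential file exists for the given name by trying to open it.
     *
     * @param context unused here
     * @param file storage directory
     * @param str credential name
     * @return true if the credential file could be opened, false if it was not found
     */
    public static boolean credentialAlreadyExists(Context context, File file, String str) {
        try {
            // openRead() returns an open stream; close it straight away so the existence probe
            // does not leak a file descriptor.
            new AtomicFile(new File(file, getFilenameForCredentialData(str))).openRead().close();
            return true;
        } catch (FileNotFoundException unused) {
            return false;
        } catch (IOException ignored) {
            // Only close() can land here, which means the open itself succeeded.
            return true;
        }
    }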

    /* JADX INFO: Access modifiers changed from: package-private */
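    /**
     * Deletes a credential: signs a proof of deletion with the credential key, removes the
     * credential file, then removes the credential key, the per-reader-session key, the
     * per-profile timeout keys and all current and pending authentication keys from
     * AndroidKeyStore.
     *
     * <p>If the stored data cannot be loaded, or any other {@link RuntimeException} is raised
     * along the way, the file is still deleted and {@code null} is returned.
     *
     * @param context application context
     * @param file storage directory
     * @param str credential name
     * @param bArr optional challenge to include in the proof, may be null
     * @return the encoded proof-of-deletion signature, or null if the credential file does not
     *     exist or the record could not be processed
     */
    public static byte[] delete(Context context, File file, String str, byte[] bArr) {
        AtomicFile atomicFile = new AtomicFile(new File(file, getFilenameForCredentialData(str)));
        try {
            // Existence probe only; close the stream at once so the descriptor is not leaked.
            atomicFile.openRead().close();
        } catch (FileNotFoundException unused) {
            // Nothing is stored under this name, so there is nothing to delete or prove. The
            // decompiled source fell out of this catch without returning a value.
            return null;
        } catch (IOException ignored) {
            // close() failed after a successful open; the file exists, so carry on.
        }

        CredentialData credentialData = new CredentialData(context, file, str);
        try {
            credentialData.loadFromDisk(getDataKeyAliasFromCredentialName(str));

            KeyStore keyStore;
            byte[] proofOfDeletion;
            try {
                keyStore = KeyStore.getInstance("AndroidKeyStore");
                keyStore.load(null);
                // The proof is signed before anything is removed, while the credential key
                // still exists.
                proofOfDeletion = buildProofOfDeletionSignature(credentialData.mDocType, ((KeyStore.PrivateKeyEntry) keyStore.getEntry(credentialData.mCredentialKeyAlias, null)).getPrivateKey(), bArr);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
                throw new RuntimeException("Error loading keystore", e);
            }
            atomicFile.delete();

            // NOTE(review): the data-encryption key alias (getDataKeyAliasFromCredentialName)
            // is not removed below; confirm whether it is cleaned up elsewhere.
            try {
                keyStore.deleteEntry(credentialData.mCredentialKeyAlias);
                if (!credentialData.mPerReaderSessionKeyAlias.isEmpty()) {
                    keyStore.deleteEntry(credentialData.mPerReaderSessionKeyAlias);
                }
                for (String timeoutKeyAlias : credentialData.mAcpTimeoutKeyAliases.values()) {
                    keyStore.deleteEntry(timeoutKeyAlias);
                }
                for (AuthKeyData authKey : credentialData.mAuthKeyDatas) {
                    if (!authKey.mAlias.isEmpty()) {
                        keyStore.deleteEntry(authKey.mAlias);
                    }
                    if (!authKey.mPendingAlias.isEmpty()) {
                        keyStore.deleteEntry(authKey.mPendingAlias);
                    }
                }
                return proofOfDeletion;
            } catch (KeyStoreException e) {
                throw new RuntimeException("Error deleting key", e);
            }
        } catch (RuntimeException e) {
            // NOTE(review): this handler also receives the "Error loading keystore" and
            // "Error deleting key" failures raised above, so a keystore problem is reported as
            // a parse error and can leave keys behind. The scope is kept as found; confirm it
            // is intended.
            Log.e(TAG, "Error parsing file on disk (old version?). Deleting anyway.", e);
            atomicFile.delete();
            return null;
        }
    }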

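    /**
     * Removes a credential's file and its auxiliary keystore keys (per-reader-session key,
     * per-profile timeout keys, current and pending authentication keys). Unlike
     * {@link #delete}, no proof of deletion is produced and the credential key alias is not
     * deleted.
     *
     * <p>If the stored data cannot be parsed the file is deleted anyway, and whichever aliases
     * were loaded before the failure are cleaned up.
     *
     * @param context application context
     * @param file storage directory
     * @param str credential name
     * @return true if a credential file existed and was processed, false if none was found
     * @throws RuntimeException if the keystore cannot be loaded or a key cannot be deleted
     */
    static boolean deleteForMigration(Context context, File file, String str) {
        AtomicFile atomicFile = new AtomicFile(new File(file, getFilenameForCredentialData(str)));
        try {
            // Existence probe only; close the stream at once so the descriptor is not leaked.
            atomicFile.openRead().close();
        } catch (FileNotFoundException unused) {
            return false;
        } catch (IOException ignored) {
            // close() failed after a successful open; the file exists, so carry on.
        }

        CredentialData credentialData = new CredentialData(context, file, str);
        try {
            credentialData.loadFromDisk(getDataKeyAliasFromCredentialName(str));
        } catch (RuntimeException e) {
            Log.e(TAG, "Error parsing file on disk (old version?). Deleting anyway.", e);
        }
        atomicFile.delete();

        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException("Error loading keystore", e);
        }

        try {
            if (!credentialData.mPerReaderSessionKeyAlias.isEmpty()) {
                keyStore.deleteEntry(credentialData.mPerReaderSessionKeyAlias);
            }
            // mAcpTimeoutKeyAliases has no initializer and is only assigned inside
            // loadAuthKey(); after a failed or partial load it is still null, and the
            // "deleting anyway" path would otherwise end in a NullPointerException.
            if (credentialData.mAcpTimeoutKeyAliases != null) {
                for (String timeoutKeyAlias : credentialData.mAcpTimeoutKeyAliases.values()) {
                    keyStore.deleteEntry(timeoutKeyAlias);
                }
            }
            for (AuthKeyData authKey : credentialData.mAuthKeyDatas) {
                if (!authKey.mAlias.isEmpty()) {
                    keyStore.deleteEntry(authKey.mAlias);
                }
                if (!authKey.mPendingAlias.isEmpty()) {
                    keyStore.deleteEntry(authKey.mPendingAlias);
                }
            }
            return true;
        } catch (KeyStoreException e) {
            throw new RuntimeException("Error deleting key", e);
        }
    }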

    /**
     * Creates the auth-bound AES-GCM timeout key for one access control profile and records its
     * alias in {@code credentialData.mAcpTimeoutKeyAliases}. Does nothing unless {@code j} is
     * positive.
     *
     * <p>The key requires user authentication and stays usable for {@code j / 1000} seconds
     * after an authentication.
     *
     * @param str credential name, used to derive the alias
     * @param credentialData record that receives the alias
     * @param accessControlProfile profile the key belongs to
     * @param j authentication timeout in milliseconds
     * @throws RuntimeException if the key cannot be generated
     */
    private static void ensureAcpTimoutKeyForProfile(String str, CredentialData credentialData, AccessControlProfile accessControlProfile, long j) {
        if (j <= 0) {
            return;
        }
        int profileId = accessControlProfile.getAccessControlProfileId().getId();
        String timeoutKeyAlias = getAcpTimeoutKeyAliasFromCredentialName(str, profileId);
        try {
            KeyGenerator aesGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            // Purposes 3 = PURPOSE_ENCRYPT (1) | PURPOSE_DECRYPT (2).
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(timeoutKeyAlias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setUserAuthenticationRequired(true)
                    .setUserAuthenticationValidityDurationSeconds((int) (j / 1000))
                    .setKeySize(128)
                    .build();
            aesGenerator.init(spec);
            aesGenerator.generateKey();
            credentialData.mAcpTimeoutKeyAliases.put(Integer.valueOf(profileId), timeoutKeyAlias);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new RuntimeException("Error creating ACP auth-bound timeout key", e);
        }
    }

    /**
     * Creates the per-reader-session key for a credential if its alias has not been set yet.
     *
     * <p>The key is AES-GCM, 128 bits, requires user authentication and is created with a
     * validity duration of -1, which Android treats as "authenticate for every use". The alias
     * is stored on {@code credentialData} before the key is generated.
     *
     * @param str credential name, used to derive the alias
     * @param credentialData record whose alias field is checked and set
     * @throws RuntimeException if the key cannot be generated
     */
    private static void ensurePerReaderSessionKey(String str, CredentialData credentialData) {
        boolean alreadyCreated = !credentialData.mPerReaderSessionKeyAlias.isEmpty();
        if (alreadyCreated) {
            return;
        }
        credentialData.mPerReaderSessionKeyAlias = getAcpKeyAliasFromCredentialName(str);
        try {
            KeyGenerator aesGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
            // Purposes 3 = PURPOSE_ENCRYPT (1) | PURPOSE_DECRYPT (2).
            KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(credentialData.mPerReaderSessionKeyAlias, 3)
                    .setBlockModes("GCM")
                    .setEncryptionPaddings("NoPadding")
                    .setKeySize(128)
                    .setUserAuthenticationRequired(true)
                    .setUserAuthenticationValidityDurationSeconds(-1)
                    .build();
            aesGenerator.init(spec);
            aesGenerator.generateKey();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new RuntimeException("Error creating ACP auth-bound key", e);
        }
    }

    /**
     * Builds the string used as a keystore alias or file name for a credential:
     * {@code "identity_credential_" + str + "_" + urlEncode(str2)}.
     *
     * <p>URL-encoding escapes {@code '/'}, so the credential name cannot add a path separator to
     * the resulting file name. NOTE(review): {@code '_'} is not escaped, so the boundary between
     * the kind prefix and the name is not unique (for example kind {@code acp} with a name that
     * starts with {@code timeout_for_id}); confirm that credential names cannot take that form.
     *
     * @param str kind prefix, e.g. {@code data} or {@code credkey}
     * @param str2 credential name
     * @return the composed alias or file name
     */
    static String escapeCredentialName(String str, String str2) {
        final String encodedName;
        try {
            encodedName = URLEncoder.encode(str2, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unexpected UnsupportedEncodingException", e);
        }
        return "identity_credential_" + str + "_" + encodedName;
    }

    /**
     * Issues an X.509 certificate for the public key stored under alias {@code str}, signed
     * with the private key stored under alias {@code str2} using {@code SHA256withECDSA}.
     *
     * <p>The certificate has issuer {@code CN=Android Identity Credential Key}, subject
     * {@code CN=Android Identity Credential Authentication Key}, serial number 1 and is valid
     * for 365 days from now. When {@code bArr} is non-null, a non-critical extension with OID
     * {@code 1.3.6.1.4.1.11129.2.1.26} carries the CBOR array {@code ["ProofOfBinding", bArr]}.
     *
     * @param str keystore alias whose certificate supplies the subject public key
     * @param str2 keystore alias of the signing key
     * @param bArr optional bytes to embed in the ProofOfBinding extension, may be null
     * @return the signed certificate
     * @throws IllegalStateException if the keystore cannot be read or signing fails
     */
    static X509Certificate generateAuthenticationKeyCert(String str, String str2, byte[] bArr) {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            X509Certificate subjectKeyCert = (X509Certificate) androidKeyStore.getCertificate(str);
            PublicKey subjectPublicKey = subjectKeyCert.getPublicKey();
            KeyStore.PrivateKeyEntry signerEntry = (KeyStore.PrivateKeyEntry) androidKeyStore.getEntry(str2, null);
            PrivateKey signingKey = signerEntry.getPrivateKey();

            X500Name issuer = new X500Name("CN=Android Identity Credential Key");
            X500Name subject = new X500Name("CN=Android Identity Credential Authentication Key");
            Date notBefore = new Date();
            long validityMillis = TimeUnit.MILLISECONDS.convert(365L, TimeUnit.DAYS);
            Date notAfter = new Date(notBefore.getTime() + validityMillis);
            JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.ONE, notBefore, notAfter, subject, subjectPublicKey);

            if (bArr != null) {
                ASN1ObjectIdentifier proofOfBindingOid = new ASN1ObjectIdentifier("1.3.6.1.4.1.11129.2.1.26");
                DataItem proofOfBinding = new CborBuilder().addArray().add("ProofOfBinding").add(bArr).end().build().get(0);
                certBuilder.addExtension(proofOfBindingOid, false, Util.cborEncode(proofOfBinding));
            }

            byte[] encodedCert = certBuilder.build(new JcaContentSignerBuilder("SHA256withECDSA").build(signingKey)).getEncoded();
            // Re-parse through the platform CertificateFactory to hand back a java.security
            // X509Certificate rather than the builder's holder type.
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) x509Factory.generateCertificate(new ByteArrayInputStream(encodedCert));
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | OperatorCreationException e) {
            throw new IllegalStateException("Error signing public key with private key", e);
        }
    }

    /**
     * Returns the alias with kind prefix {@code acp} for a credential; this is the alias
     * ensurePerReaderSessionKey() stores as the per-reader-session key alias.
     *
     * @param str credential name
     * @return the derived alias
     */
    static String getAcpKeyAliasFromCredentialName(String str) {
        final String kind = "acp";
        return escapeCredentialName(kind, str);
    }

    /**
     * Returns the alias of the timeout key for one access control profile of a credential. The
     * kind prefix is {@code acp_timeout_for_id} followed by the profile id.
     *
     * @param str credential name
     * @param i access control profile id
     * @return the derived alias
     */
    static String getAcpTimeoutKeyAliasFromCredentialName(String str, int i) {
        final String kind = "acp_timeout_for_id" + i;
        return escapeCredentialName(kind, str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the alias with kind prefix {@code credkey} for a credential.
     *
     * @param str credential name
     * @return the derived alias
     */
    public static String getAliasFromCredentialName(String str) {
        final String kind = "credkey";
        return escapeCredentialName(kind, str);
    }

    /**
     * Returns the alias (kind prefix {@code datakey}) of the AES key that encrypts a
     * credential's on-disk data.
     *
     * @param str credential name
     * @return the derived alias
     */
    static String getDataKeyAliasFromCredentialName(String str) {
        final String kind = "datakey";
        return escapeCredentialName(kind, str);
    }

    /**
     * Returns the file name (kind prefix {@code data}) under which a credential's encrypted
     * data is stored inside the storage directory.
     *
     * @param str credential name
     * @return the derived file name
     */
    static String getFilenameForCredentialData(String str) {
        final String kind = "data";
        return escapeCredentialName(kind, str);
    }

    /**
     * Replaces the in-memory access control profiles, and the id lookup map, with the entries
     * of the {@code accessControlProfiles} array in the stored CBOR map.
     *
     * @param map top-level CBOR map of the credential record
     * @throws RuntimeException if the array is missing or has the wrong type
     */
    private void loadAccessControlProfiles(Map map) {
        DataItem profilesItem = map.get(new UnicodeString("accessControlProfiles"));
        if (!(profilesItem instanceof Array)) {
            throw new RuntimeException("accessControlProfiles not found or not array");
        }
        this.mAccessControlProfiles = new ArrayList<>();
        this.mProfileIdToAcpMap = new HashMap<>();
        for (DataItem encodedProfile : ((Array) profilesItem).getDataItems()) {
            AccessControlProfile profile = accessControlProfileFromCbor(encodedProfile);
            this.mAccessControlProfiles.add(profile);
            int profileId = profile.getAccessControlProfileId().getId();
            this.mProfileIdToAcpMap.put(Integer.valueOf(profileId), profile);
        }
    }

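    /**
     * Loads the authentication-key state from the stored CBOR map: the per-reader-session key
     * alias, the profile-id to timeout-key-alias map, the key count and usage limits, and one
     * {@link AuthKeyData} per entry of {@code authKeyDatas}.
     *
     * <p>Fields read with a bare cast surface a missing or mistyped entry as a
     * {@link NullPointerException} or {@link ClassCastException}; both are
     * {@link RuntimeException}s, like the explicit checks below.
     *
     * @param map top-level CBOR map of the credential record
     * @throws RuntimeException if a required entry is missing or has the wrong type
     */
    private void loadAuthKey(Map map) {
        this.mPerReaderSessionKeyAlias = ((UnicodeString) map.get(new UnicodeString("perReaderSessionKeyAlias"))).getString();

        DataItem timeoutKeyMapItem = map.get(new UnicodeString("acpTimeoutKeyMap"));
        if (!(timeoutKeyMapItem instanceof Map)) {
            throw new RuntimeException("acpTimeoutKeyMap not found or not map");
        }
        this.mAcpTimeoutKeyAliases = new HashMap<>();
        Map timeoutKeyMap = (Map) timeoutKeyMapItem;
        for (DataItem profileIdItem : timeoutKeyMap.getKeys()) {
            if (!(profileIdItem instanceof UnsignedInteger)) {
                throw new RuntimeException("Key in acpTimeoutKeyMap is not an integer");
            }
            int profileId = ((UnsignedInteger) profileIdItem).getValue().intValue();
            DataItem aliasItem = timeoutKeyMap.get(profileIdItem);
            if (!(aliasItem instanceof UnicodeString)) {
                throw new RuntimeException("Item in acpTimeoutKeyMap is not a string");
            }
            this.mAcpTimeoutKeyAliases.put(Integer.valueOf(profileId), ((UnicodeString) aliasItem).getString());
        }

        this.mAuthKeyCount = ((Number) map.get(new UnicodeString("authKeyCount"))).getValue().intValue();
        this.mAuthMaxUsesPerKey = ((Number) map.get(new UnicodeString("authKeyMaxUses"))).getValue().intValue();

        // Optional entry; records that lack it keep a minimum validity of 0.
        this.mAuthKeyMinValidTimeMillis = 0L;
        if (Util.cborMapHasKey(map, "authKeyMinValidTimeMillis")) {
            // The field is a long holding milliseconds; intValue() would wrap for values above
            // Integer.MAX_VALUE, so read the full long.
            this.mAuthKeyMinValidTimeMillis = ((Number) map.get(new UnicodeString("authKeyMinValidTimeMillis"))).getValue().longValue();
        }

        DataItem authKeyDatasItem = map.get(new UnicodeString("authKeyDatas"));
        if (!(authKeyDatasItem instanceof Array)) {
            throw new RuntimeException("authKeyDatas not found or not array");
        }
        this.mAuthKeyDatas = new ArrayList<>();
        for (DataItem authKeyItem : ((Array) authKeyDatasItem).getDataItems()) {
            AuthKeyData authKeyData = new AuthKeyData();
            Map authKeyMap = (Map) authKeyItem;
            authKeyData.mAlias = ((UnicodeString) authKeyMap.get(new UnicodeString("alias"))).getString();
            authKeyData.mUseCount = ((Number) authKeyMap.get(new UnicodeString("useCount"))).getValue().intValue();
            authKeyData.mCertificate = ((ByteString) authKeyMap.get(new UnicodeString("certificate"))).getBytes();
            authKeyData.mStaticAuthenticationData = ((ByteString) authKeyMap.get(new UnicodeString("staticAuthenticationData"))).getBytes();
            authKeyData.mPendingAlias = ((UnicodeString) authKeyMap.get(new UnicodeString("pendingAlias"))).getString();
            authKeyData.mPendingCertificate = ((ByteString) authKeyMap.get(new UnicodeString("pendingCertificate"))).getBytes();

            // A record without an expiration date gets Long.MAX_VALUE as its expiration.
            long expirationMillis;
            DataItem expirationItem = authKeyMap.get(new UnicodeString("expirationDateMillis"));
            if (expirationItem == null) {
                expirationMillis = Long.MAX_VALUE;
            } else {
                if (!(expirationItem instanceof Number)) {
                    throw new RuntimeException("expirationDateMillis not a number");
                }
                expirationMillis = Util.checkedLongValue(expirationItem);
            }
            Calendar expiration = Calendar.getInstance();
            expiration.setTimeInMillis(expirationMillis);
            authKeyData.mExpirationDate = expiration;

            this.mAuthKeyDatas.add(authKeyData);
        }
    }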

    /**
     * Loads the document type and the credential key alias from the stored CBOR map.
     *
     * @param map top-level CBOR map of the credential record
     */
    private void loadBasic(Map map) {
        UnicodeString docType = (UnicodeString) map.get(new UnicodeString("docType"));
        this.mDocType = docType.getString();
        UnicodeString credentialKeyAlias = (UnicodeString) map.get(new UnicodeString("credentialKeyAlias"));
        this.mCredentialKeyAlias = credentialKeyAlias.getString();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Loads a stored credential by name.
     *
     * @param context application context
     * @param file storage directory
     * @param str credential name
     * @return the loaded instance, or null when loadFromDisk() reports that the file could not
     *     be read
     */
    public static CredentialData loadCredentialData(Context context, File file, String str) {
        CredentialData loaded = new CredentialData(context, file, str);
        boolean readOk = loaded.loadFromDisk(getDataKeyAliasFromCredentialName(str));
        return readOk ? loaded : null;
    }

    /**
     * Replaces the in-memory certificate chain with the certificates decoded from the
     * {@code credentialKeyCertChain} array of the stored CBOR map.
     *
     * @param map top-level CBOR map of the credential record
     * @throws RuntimeException if the array is missing, has the wrong type, or an entry cannot
     *     be parsed as an X.509 certificate
     */
    private void loadCredentialKeyCertChain(Map map) {
        DataItem chainItem = map.get(new UnicodeString("credentialKeyCertChain"));
        if (!(chainItem instanceof Array)) {
            throw new RuntimeException("credentialKeyCertChain not found or not array");
        }
        this.mCertificateChain = new ArrayList<>();
        for (DataItem encodedCert : ((Array) chainItem).getDataItems()) {
            byte[] certBytes = ((ByteString) encodedCert).getBytes();
            X509Certificate certificate;
            try {
                CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
                certificate = (X509Certificate) x509Factory.generateCertificate(new ByteArrayInputStream(certBytes));
            } catch (CertificateException e) {
                throw new RuntimeException("Error decoding certificate blob", e);
            }
            this.mCertificateChain.add(certificate);
        }
    }

    /**
     * Reads the credential file, decrypts it with the keystore key {@code str}, decodes the
     * CBOR and fills this instance from it.
     *
     * @param str keystore alias of the data-encryption key
     * @return true when the record was loaded, false when reading the file raised an
     *     {@link IOException}
     * @throws RuntimeException if decryption fails, the CBOR is malformed, or the decoded
     *     content does not have the expected shape
     */
    private boolean loadFromDisk(String str) {
        try {
            File credentialFile = new File(this.mStorageDirectory, getFilenameForCredentialData(this.mCredentialName));
            byte[] encrypted = new AtomicFile(credentialFile).readFully();
            byte[] plaintext = loadFromDiskDecrypt(str, encrypted);
            List<DataItem> items = new CborDecoder(new ByteArrayInputStream(plaintext)).decode();
            if (items.size() != 1) {
                throw new RuntimeException("Expected 1 item, found " + items.size());
            }
            DataItem root = items.get(0);
            if (!(root instanceof Map)) {
                throw new RuntimeException("Item is not a map");
            }
            Map map = (Map) root;
            loadBasic(map);
            loadCredentialKeyCertChain(map);
            loadProofOfProvisioningSha256(map);
            loadAccessControlProfiles(map);
            loadNamespaceDatas(map);
            loadAuthKey(map);
            return true;
        } catch (CborException e) {
            throw new RuntimeException("Error decoding data", e);
        } catch (IOException unused) {
            return false;
        }
    }

    /**
     * Decrypts the bytes of a credential file.
     *
     * <p>If the bytes at offset 2 spell {@code ChunkedEncryptedData} the chunked format is
     * handled by loadFromDiskDecryptChunkedEncrypted(). Otherwise the blob is a 12-byte
     * AES-GCM nonce followed by the ciphertext, decrypted with a 128-bit tag.
     *
     * @param str keystore alias of the data-encryption key
     * @param bArr raw file contents
     * @return the decrypted CBOR bytes
     * @throws RuntimeException if the blob is shorter than the nonce or decryption fails
     */
    private byte[] loadFromDiskDecrypt(String str, byte[] bArr) {
        byte[] magic = "ChunkedEncryptedData".getBytes(StandardCharsets.UTF_8);
        int magicEnd = magic.length + 2;
        boolean longEnoughForMagic = bArr.length >= magicEnd;
        if (longEnoughForMagic && Arrays.equals(Arrays.copyOfRange(bArr, 2, magicEnd), magic)) {
            return loadFromDiskDecryptChunkedEncrypted(str, bArr);
        }
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            KeyStore.SecretKeyEntry keyEntry = (KeyStore.SecretKeyEntry) androidKeyStore.getEntry(str, null);
            SecretKey dataKey = keyEntry.getSecretKey();
            if (bArr.length < 12) {
                throw new RuntimeException("Encrypted CBOR on disk is too small");
            }
            // Layout: 12-byte nonce, then ciphertext with the GCM tag appended.
            byte[] nonce = Arrays.copyOfRange(bArr, 0, 12);
            byte[] ciphertext = Arrays.copyOfRange(bArr, 12, bArr.length);
            Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
            gcm.init(Cipher.DECRYPT_MODE, dataKey, new GCMParameterSpec(128, nonce));
            return gcm.doFinal(ciphertext);
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException("Error decrypting CBOR", e);
        }
    }

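    /**
     * Decrypts a credential file stored in the chunked format.
     *
     * <p>The file is a CBOR array whose second element is an array of byte strings. Each byte
     * string is a 12-byte AES-GCM nonce followed by ciphertext with a 128-bit tag; the
     * decrypted chunks are concatenated in array order.
     *
     * <p>NOTE(review): each chunk is authenticated on its own and no associated data is
     * supplied to the cipher, so nothing visible here ties a chunk to its position or to the
     * number of chunks. Confirm whether reordering or dropping chunks is detected elsewhere.
     *
     * @param str keystore alias of the data-encryption key
     * @param bArr raw file contents
     * @return the concatenated plaintext of all chunks
     * @throws RuntimeException if the CBOR structure is not as expected, a chunk is shorter
     *     than the nonce, or decryption fails
     */
    private byte[] loadFromDiskDecryptChunkedEncrypted(String str, byte[] bArr) {
        List<DataItem> decoded;
        try {
            decoded = new CborDecoder(new ByteArrayInputStream(bArr)).decode();
        } catch (CborException e) {
            // Keep the cause so a damaged file can be diagnosed.
            throw new RuntimeException("Error decoding ChunkedEncryptedData CBOR", e);
        }
        if (decoded.size() != 1) {
            throw new RuntimeException("Expected one item, found " + decoded.size());
        }
        if (!(decoded.get(0) instanceof Array)) {
            throw new RuntimeException("Item is not a array");
        }
        Array outer = (Array) decoded.get(0);
        if (outer.getDataItems().size() < 2) {
            throw new RuntimeException("Expected 2+ items, found " + outer.getDataItems().size());
        }
        if (!(outer.getDataItems().get(1) instanceof Array)) {
            throw new RuntimeException("Second item in outer array is not a array");
        }
        Array chunks = (Array) outer.getDataItems().get(1);

        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            SecretKey secretKey = ((KeyStore.SecretKeyEntry) keyStore.getEntry(str, null)).getSecretKey();
            ByteArrayOutputStream plaintext = new ByteArrayOutputStream();
            for (DataItem chunkItem : chunks.getDataItems()) {
                if (!(chunkItem instanceof ByteString)) {
                    throw new RuntimeException("Item in inner array is not a bstr");
                }
                byte[] chunk = ((ByteString) chunkItem).getBytes();
                // Same guard as the non-chunked path: without it a short chunk fails with a
                // BufferUnderflowException or NegativeArraySizeException instead of a clear
                // message.
                if (chunk.length < 12) {
                    throw new RuntimeException("Encrypted chunk on disk is too small");
                }
                ByteBuffer wrap = ByteBuffer.wrap(chunk);
                byte[] nonce = new byte[12];
                wrap.get(nonce);
                byte[] ciphertext = new byte[chunk.length - 12];
                wrap.get(ciphertext);
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(Cipher.DECRYPT_MODE, secretKey, new GCMParameterSpec(128, nonce));
                plaintext.write(cipher.doFinal(ciphertext));
            }
            return plaintext.toByteArray();
        } catch (IOException | InvalidAlgorithmParameterException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException("Error decrypting chunk", e);
        }
    }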

    /**
     * Rebuilds {@code mNamespaceDatas} from the "namespaceDatas" entry of the stored CBOR map.
     *
     * @param map top-level CBOR map of the credential data
     * @throws RuntimeException if the entry is missing, is not a map, or has a non-string key
     */
    private void loadNamespaceDatas(Map map) {
        DataItem namespacesItem = map.get(new UnicodeString("namespaceDatas"));
        if (!(namespacesItem instanceof Map)) {
            throw new RuntimeException("namespaceDatas not found or not map");
        }
        Map namespaces = (Map) namespacesItem;
        this.mNamespaceDatas = new ArrayList();
        for (DataItem key : namespaces.getKeys()) {
            if (!(key instanceof UnicodeString)) {
                throw new RuntimeException("Key in namespaceDatas is not a string");
            }
            // The map key is the namespace name; the value holds that namespace's entries.
            String namespaceName = ((UnicodeString) key).getString();
            this.mNamespaceDatas.add(namespaceDataFromCbor(namespaceName, namespaces.get(key)));
        }
    }

    /**
     * Reads the "proofOfProvisioningSha256" byte string from the stored CBOR map into
     * {@code mProofOfProvisioningSha256}.
     *
     * @param map top-level CBOR map of the credential data
     * @throws RuntimeException if the entry is missing or is not a byte string
     */
    private void loadProofOfProvisioningSha256(Map map) {
        DataItem digestItem = map.get(new UnicodeString("proofOfProvisioningSha256"));
        if (digestItem instanceof ByteString) {
            // NOTE(review): the length is not checked against the 32 bytes of a SHA-256 digest.
            this.mProofOfProvisioningSha256 = ((ByteString) digestItem).getBytes();
            return;
        }
        throw new RuntimeException("proofOfProvisioningSha256 not found or not bstr");
    }

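    /**
     * Builds the {@link PersonalizationData.NamespaceData} for one namespace from its CBOR form.
     *
     * <p>The item must be an array of maps, each with a "name" text string, an
     * "accessControlProfiles" array of numbers and a value entry. Every field is type-checked
     * before it is cast, so malformed input fails with {@link IllegalArgumentException} like
     * the outer checks do, instead of a {@code ClassCastException} or
     * {@code NullPointerException} from an unchecked cast.
     *
     * @param str namespace name the entries are stored under
     * @param dataItem CBOR array describing the entries of the namespace
     * @return the namespace data built from the entries, as returned by the builder
     * @throws IllegalArgumentException if the structure does not match the layout above
     */
    public static PersonalizationData.NamespaceData namespaceDataFromCbor(String str, DataItem dataItem) {
        if (!(dataItem instanceof Array)) {
            throw new IllegalArgumentException("Item is not an Array");
        }
        PersonalizationData.Builder builder = new PersonalizationData.Builder();
        for (DataItem entryItem : ((Array) dataItem).getDataItems()) {
            if (!(entryItem instanceof Map)) {
                throw new IllegalArgumentException("Item is not a map");
            }
            Map entry = (Map) entryItem;

            DataItem nameItem = entry.get(new UnicodeString("name"));
            if (!(nameItem instanceof UnicodeString)) {
                throw new IllegalArgumentException("name not found or not a string");
            }
            String entryName = ((UnicodeString) nameItem).getString();

            DataItem profilesItem = entry.get(new UnicodeString("accessControlProfiles"));
            if (!(profilesItem instanceof Array)) {
                throw new IllegalArgumentException("accessControlProfiles not found or not an array");
            }
            List<AccessControlProfileId> profileIds = new ArrayList<>();
            for (DataItem idItem : ((Array) profilesItem).getDataItems()) {
                if (!(idItem instanceof Number)) {
                    throw new IllegalArgumentException("Access control profile id is not a number");
                }
                // The ids decide which access control profiles gate this entry.
                profileIds.add(new AccessControlProfileId(((Number) idItem).getValue().intValue()));
            }

            // The value is re-encoded to bytes; a missing value is passed through unchanged.
            builder.putEntry(str, entryName, profileIds, Util.cborEncode(entry.get(new UnicodeString(IdentityCredentialField.VALUE))));
        }
        return builder.build().getNamespaceData(str);
    }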

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Serializes one namespace to the CBOR array form read back by
     * {@code namespaceDataFromCbor}: one map per entry holding its name, its decoded value and
     * the array of access control profile ids.
     *
     * @param namespaceData namespace to serialize
     * @return the CBOR array with one map per entry
     */
    public static DataItem namespaceDataToCbor(PersonalizationData.NamespaceData namespaceData) {
        CborBuilder outer = new CborBuilder();
        ArrayBuilder<CborBuilder> entries = outer.addArray();
        for (String entryName : namespaceData.getEntryNames()) {
            byte[] encodedValue = namespaceData.getEntryValue(entryName);
            Collection<AccessControlProfileId> profileIds = namespaceData.getAccessControlProfileIds(entryName);

            // Build the id array in a builder of its own so it can be attached as one item.
            CborBuilder idsBuilder = new CborBuilder();
            ArrayBuilder<CborBuilder> ids = idsBuilder.addArray();
            for (AccessControlProfileId profileId : profileIds) {
                ids.add(profileId.getId());
            }

            MapBuilder<ArrayBuilder<CborBuilder>> entryMap = entries.addMap();
            entryMap.put("name", entryName);
            entryMap.put(new UnicodeString(IdentityCredentialField.VALUE), Util.cborDecode(encodedValue));
            entryMap.put(new UnicodeString("accessControlProfiles"), idsBuilder.build().get(0));
        }
        return outer.build().get(0);
    }

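    /**
     * Serializes the credential state to CBOR, encrypts it and writes it to the credential's
     * file in {@code mStorageDirectory} through an {@link AtomicFile}.
     *
     * <p>The decompiled form of this method split the write into two try blocks. A failing
     * {@code startWrite()} then left the stream {@code null} and continued into
     * {@code write()}, which ends in a {@code NullPointerException}; the second catch also
     * referenced a variable from the first one. The write is a single try block here:
     * any {@link IOException} rolls the write back, when a stream was opened, and is
     * rethrown with its cause.
     *
     * @throws RuntimeException if encoding, encryption or the file write fails
     */
    private void saveToDisk() {
        CborBuilder cborBuilder = new CborBuilder();
        MapBuilder<CborBuilder> addMap = cborBuilder.addMap();
        saveToDiskBasic(addMap);
        saveToDiskAuthDatas(addMap);
        saveToDiskACPs(addMap);
        saveToDiskNamespaceDatas(addMap);
        saveToDiskAuthKeys(addMap);
        // Only the encrypted form is written to the file.
        byte[] encrypted = saveToDiskEncrypt(saveToDiskEncode(cborBuilder));

        AtomicFile atomicFile = new AtomicFile(new File(this.mStorageDirectory, getFilenameForCredentialData(this.mCredentialName)));
        FileOutputStream fileOutputStream = null;
        try {
            fileOutputStream = atomicFile.startWrite();
            fileOutputStream.write(encrypted);
            atomicFile.finishWrite(fileOutputStream);
        } catch (IOException e) {
            if (fileOutputStream != null) {
                // Discard the partial write so the previous file content stays in place.
                atomicFile.failWrite(fileOutputStream);
            }
            throw new RuntimeException("Error writing data", e);
        }
    }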

    /**
     * Adds the "accessControlProfiles" array, one CBOR item per profile, to the map being
     * saved.
     *
     * @param mapBuilder builder of the top-level CBOR map
     */
    private void saveToDiskACPs(MapBuilder<CborBuilder> mapBuilder) {
        ArrayBuilder<MapBuilder<CborBuilder>> profiles = mapBuilder.putArray("accessControlProfiles");
        for (AccessControlProfile profile : this.mAccessControlProfiles) {
            profiles.add(accessControlProfileToCbor(profile));
        }
    }

    /**
     * Adds the "authKeyDatas" array, one map per authentication key slot, to the map being
     * saved. A slot without an expiration date is stored with {@code Long.MAX_VALUE}.
     *
     * @param mapBuilder builder of the top-level CBOR map
     */
    private void saveToDiskAuthDatas(MapBuilder<CborBuilder> mapBuilder) {
        ArrayBuilder<MapBuilder<CborBuilder>> slots = mapBuilder.putArray("authKeyDatas");
        for (AuthKeyData slot : this.mAuthKeyDatas) {
            long expirationMillis = Long.MAX_VALUE;
            if (slot.mExpirationDate != null) {
                expirationMillis = slot.mExpirationDate.getTimeInMillis();
            }
            // Only key aliases are stored; the private keys stay in AndroidKeyStore.
            slots.addMap()
                    .put("alias", slot.mAlias)
                    .put("useCount", slot.mUseCount)
                    .put("certificate", slot.mCertificate)
                    .put("staticAuthenticationData", slot.mStaticAuthenticationData)
                    .put("pendingAlias", slot.mPendingAlias)
                    .put("pendingCertificate", slot.mPendingCertificate)
                    .put("expirationDateMillis", expirationMillis)
                    .end();
        }
    }

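    /**
     * Adds the per-reader session key alias and the "acpTimeoutKeyMap" (access control
     * profile id to key alias) to the map being saved.
     *
     * <p>The decompiled loop read the key from an undeclared register variable ({@code r0})
     * and the value from {@code it.next()}; each entry is now taken once and used for both.
     * {@code java.util.Map.Entry} is fully qualified because {@code Map} in this file is the
     * CBOR model class.
     *
     * @param mapBuilder builder of the top-level CBOR map
     */
    private void saveToDiskAuthKeys(MapBuilder<CborBuilder> mapBuilder) {
        mapBuilder.put("perReaderSessionKeyAlias", this.mPerReaderSessionKeyAlias);
        MapBuilder<MapBuilder<CborBuilder>> timeoutKeys = mapBuilder.putMap("acpTimeoutKeyMap");
        for (java.util.Map.Entry<Integer, String> entry : this.mAcpTimeoutKeyAliases.entrySet()) {
            timeoutKeys.put(new UnsignedInteger(entry.getKey().intValue()), new UnicodeString(entry.getValue()));
        }
    }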

    /**
     * Adds the basic credential fields to the map being saved: doc type, credential key alias,
     * the DER-encoded certificate chain, the proof-of-provisioning digest and the
     * authentication key settings.
     *
     * @param mapBuilder builder of the top-level CBOR map
     * @throws RuntimeException if a certificate in the chain cannot be encoded
     */
    private void saveToDiskBasic(MapBuilder<CborBuilder> mapBuilder) {
        mapBuilder.put("docType", this.mDocType);
        mapBuilder.put("credentialKeyAlias", this.mCredentialKeyAlias);

        ArrayBuilder<MapBuilder<CborBuilder>> chain = mapBuilder.putArray("credentialKeyCertChain");
        for (X509Certificate certificate : this.mCertificateChain) {
            byte[] encoded;
            try {
                encoded = certificate.getEncoded();
            } catch (CertificateEncodingException e) {
                throw new RuntimeException("Error encoding certificate", e);
            }
            chain.add(encoded);
        }

        mapBuilder.put("proofOfProvisioningSha256", this.mProofOfProvisioningSha256);
        mapBuilder.put("authKeyCount", this.mAuthKeyCount);
        mapBuilder.put("authKeyMaxUses", this.mAuthMaxUsesPerKey);
        mapBuilder.put("authKeyMinValidTimeMillis", this.mAuthKeyMinValidTimeMillis);
    }

    /**
     * Encodes the built CBOR items to bytes using the encoder's non-canonical mode.
     *
     * @param cborBuilder builder holding the items to encode
     * @return the encoded bytes
     * @throws RuntimeException if encoding fails
     */
    private byte[] saveToDiskEncode(CborBuilder cborBuilder) {
        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        CborEncoder encoder = new CborEncoder(encoded).nonCanonical();
        try {
            encoder.encode(cborBuilder.build());
        } catch (CborException e) {
            throw new RuntimeException("Error encoding data", e);
        }
        return encoded.toByteArray();
    }

    /**
     * Encrypts the serialized credential data in chunks of at most 16384 bytes with the
     * credential's data key from AndroidKeyStore and wraps the result in CBOR.
     *
     * <p>The output is the CBOR array {@code ["ChunkedEncryptedData", [chunk, ...]]}. Each
     * chunk is the cipher's IV followed by the AES-GCM output. The cipher is initialized
     * without an IV parameter, so the IV is the one the provider reports through
     * {@code getIV()}. Empty input still produces one chunk.
     *
     * <p>NOTE(review): each chunk is encrypted independently with no associated data, so
     * the chunk order and count are not authenticated; the reader in this file also assumes
     * a 12-byte IV.
     *
     * @param bArr plaintext to encrypt
     * @return the CBOR-encoded chunked ciphertext
     * @throws RuntimeException if the key cannot be loaded or encryption fails
     */
    private byte[] saveToDiskEncrypt(byte[] bArr) {
        final int maxChunkSize = 16384;
        CborBuilder cborBuilder = new CborBuilder();
        ArrayBuilder<CborBuilder> outer = cborBuilder.addArray();
        outer.add("ChunkedEncryptedData");
        ArrayBuilder<ArrayBuilder<CborBuilder>> chunks = outer.addArray();
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            String dataKeyAlias = getDataKeyAliasFromCredentialName(this.mCredentialName);
            SecretKey secretKey = ((KeyStore.SecretKeyEntry) keyStore.getEntry(dataKeyAlias, null)).getSecretKey();

            int offset = 0;
            boolean lastChunk;
            do {
                int remaining = bArr.length - offset;
                lastChunk = remaining <= maxChunkSize;
                int chunkLength = lastChunk ? remaining : maxChunkSize;

                // A new Cipher per chunk, so every chunk is encrypted under its own IV.
                Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                cipher.init(Cipher.ENCRYPT_MODE, secretKey);
                byte[] ciphertext = cipher.doFinal(bArr, offset, chunkLength);

                ByteArrayOutputStream chunk = new ByteArrayOutputStream();
                chunk.write(cipher.getIV());
                chunk.write(ciphertext);
                chunks.add(chunk.toByteArray());

                offset += chunkLength;
            } while (!lastChunk);
            return Util.cborEncode(cborBuilder.build().get(0));
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException("Error encrypting CBOR for saving to disk", e);
        }
    }

    /**
     * Adds the "namespaceDatas" map, keyed by namespace name, to the map being saved.
     *
     * @param mapBuilder builder of the top-level CBOR map
     */
    private void saveToDiskNamespaceDatas(MapBuilder<CborBuilder> mapBuilder) {
        MapBuilder<MapBuilder<CborBuilder>> namespaces = mapBuilder.putMap("namespaceDatas");
        for (PersonalizationData.NamespaceData namespaceData : this.mNamespaceDatas) {
            UnicodeString key = new UnicodeString(namespaceData.getNamespaceName());
            namespaces.put(key, namespaceDataToCbor(namespaceData));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decides whether the user-authentication requirement of an access control profile is met.
     *
     * <p>For a profile with a timeout of 0 the caller-supplied flag is returned unchanged, so
     * the result is only as trustworthy as that flag. For any other timeout the check is
     * delegated to {@code checkUserAuthenticationTimeout} with the profile's timeout key alias.
     *
     * @param accessControlProfileId id of the profile to check
     * @param z result to return for profiles whose timeout is 0
     * @return whether user authentication is considered satisfied
     * @throws RuntimeException if the profile is unknown or has no timeout key alias
     */
    public boolean checkUserAuthentication(AccessControlProfileId accessControlProfileId, boolean z) {
        AccessControlProfile profile = getAccessControlProfile(accessControlProfileId);
        if (profile.getUserAuthenticationTimeout() == 0) {
            return z;
        }
        String timeoutKeyAlias = this.mAcpTimeoutKeyAliases.get(Integer.valueOf(accessControlProfileId.getId()));
        if (timeoutKeyAlias == null) {
            // Fail closed: a profile with a timeout but no key cannot be evaluated.
            throw new RuntimeException("No key alias for ACP with ID " + accessControlProfileId.getId());
        }
        return checkUserAuthenticationTimeout(timeoutKeyAlias);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Deletes the AndroidKeyStore entries of the per-reader session key, all access control
     * profile timeout keys, and every current and pending authentication key. The credential
     * key itself is not touched by this method.
     *
     * @throws RuntimeException if the keystore cannot be loaded or an entry cannot be deleted
     */
    public void deleteKeysForReplacement() {
        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException("Error loading keystore", e);
        }
        try {
            if (!this.mPerReaderSessionKeyAlias.isEmpty()) {
                keyStore.deleteEntry(this.mPerReaderSessionKeyAlias);
            }
            for (String timeoutKeyAlias : this.mAcpTimeoutKeyAliases.values()) {
                keyStore.deleteEntry(timeoutKeyAlias);
            }
            for (AuthKeyData slot : this.mAuthKeyDatas) {
                // An empty alias marks a slot that has no key of that kind.
                if (!slot.mAlias.isEmpty()) {
                    keyStore.deleteEntry(slot.mAlias);
                }
                if (!slot.mPendingAlias.isEmpty()) {
                    keyStore.deleteEntry(slot.mPendingAlias);
                }
            }
        } catch (KeyStoreException e) {
            throw new RuntimeException("Error deleting key", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up an access control profile by id.
     *
     * @param accessControlProfileId id of the profile
     * @return the matching profile, never {@code null}
     * @throws RuntimeException if no profile with that id is known
     */
    public AccessControlProfile getAccessControlProfile(AccessControlProfileId accessControlProfileId) {
        int id = accessControlProfileId.getId();
        AccessControlProfile profile = this.mProfileIdToAcpMap.get(Integer.valueOf(id));
        if (profile == null) {
            throw new RuntimeException("No profile with id " + accessControlProfileId.getId());
        }
        return profile;
    }

    /**
     * Returns the access control profiles of this credential.
     *
     * @return the internal collection itself, not a copy
     */
    Collection<AccessControlProfile> getAccessControlProfiles() {
        Collection<AccessControlProfile> profiles = this.mAccessControlProfiles;
        return profiles;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the configured number of authentication key slots.
     *
     * @return the value of {@code mAuthKeyCount}
     */
    public int getAuthKeyCount() {
        int count = this.mAuthKeyCount;
        return count;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Collects the expiration date of every authentication key slot, in slot order.
     *
     * @return a new list with one element per slot; an element is {@code null} when the
     *     slot has no expiration date
     */
    public List<Calendar> getAuthKeyExpirations() {
        List<Calendar> expirations = new ArrayList<>();
        for (AuthKeyData slot : this.mAuthKeyDatas) {
            expirations.add(slot.mExpirationDate);
        }
        return expirations;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the configured minimum remaining validity of an authentication key.
     *
     * @return the value of {@code mAuthKeyMinValidTimeMillis}, in milliseconds
     */
    public long getAuthKeyMinValidTimeMillis() {
        long minValidTimeMillis = this.mAuthKeyMinValidTimeMillis;
        return minValidTimeMillis;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the use count of every authentication key slot, in slot order.
     *
     * <p>The array is sized by {@code mAuthKeyCount} and filled from {@code mAuthKeyDatas};
     * NOTE(review): this relies on the list never holding more slots than the count.
     *
     * @return a new array of use counts
     */
    public int[] getAuthKeyUseCounts() {
        int[] useCounts = new int[this.mAuthKeyCount];
        int index = 0;
        for (AuthKeyData slot : this.mAuthKeyDatas) {
            useCounts[index++] = slot.mUseCount;
        }
        return useCounts;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
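    /**
     * Returns the certificates of all authentication keys that are waiting for certification,
     * creating a replacement key first for every slot that needs one.
     *
     * <p>A slot needs a replacement when it has no key, its use count has reached
     * {@code mAuthMaxUsesPerKey}, or the current time is past its expiration date minus
     * {@code mAuthKeyMinValidTimeMillis}. A replacement is only generated when the slot has no
     * pending key yet. The state is saved to disk before returning.
     *
     * <p>The expiry threshold is computed on the millisecond value as a {@code long}. The
     * previous form cast the minimum validity to {@code int} before handing it to
     * {@code Calendar.add}, which wraps for periods longer than about 24.8 days and moves the
     * threshold to the wrong instant, so keys close to expiry were not replaced in time.
     *
     * <p>NOTE(review): the key is generated with purposes value 12 (sign and verify) and
     * SHA-256/SHA-512 digests; this block sets no user-authentication requirement and does
     * not request StrongBox, matching the logged "strongBoxBacked=false".
     *
     * @return certificates of the pending authentication keys, in slot order
     * @throws RuntimeException if the keystore cannot be loaded, a key cannot be created, or
     *     a pending certificate cannot be parsed
     */
    public Collection<X509Certificate> getAuthKeysNeedingCertification() {
        try {
            KeyStore.getInstance("AndroidKeyStore").load(null);
            ArrayList<X509Certificate> pendingCertificates = new ArrayList<>();
            Calendar now = Calendar.getInstance();
            for (int i = 0; i < this.mAuthKeyCount; i++) {
                AuthKeyData authKeyData = this.mAuthKeyDatas.get(i);
                boolean exhausted = authKeyData.mUseCount >= this.mAuthMaxUsesPerKey;
                boolean expiringSoon = false;
                if (authKeyData.mExpirationDate != null) {
                    Calendar threshold = (Calendar) authKeyData.mExpirationDate.clone();
                    // long arithmetic: no truncation of the configured validity period.
                    threshold.setTimeInMillis(threshold.getTimeInMillis() - this.mAuthKeyMinValidTimeMillis);
                    expiringSoon = now.after(threshold);
                }
                boolean needsReplacement = authKeyData.mAlias.isEmpty() || exhausted || expiringSoon;
                boolean hasPendingKey = !authKeyData.mPendingAlias.isEmpty();
                if (!hasPendingKey && !needsReplacement) {
                    continue;
                }
                try {
                    if (!hasPendingKey) {
                        try {
                            String alias = this.mCredentialKeyAlias + String.format(Locale.US, "_auth_%d", Integer.valueOf(i));
                            if (alias.equals(authKeyData.mAlias)) {
                                // The current key already uses this alias; pick a distinct one
                                // so the key in use is not overwritten by its replacement.
                                alias = alias + "_";
                            }
                            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
                            keyPairGenerator.initialize(new KeyGenParameterSpec.Builder(alias, 12).setDigests("SHA-256", "SHA-512").build());
                            keyPairGenerator.generateKeyPair();
                            Log.i(TAG, "AuthKey created, strongBoxBacked=false");
                            X509Certificate certificate = generateAuthenticationKeyCert(alias, this.mCredentialKeyAlias, this.mProofOfProvisioningSha256);
                            authKeyData.mPendingAlias = alias;
                            authKeyData.mPendingCertificate = certificate.getEncoded();
                        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException | NoSuchProviderException | CertificateEncodingException e) {
                            throw new RuntimeException("Error creating auth key", e);
                        }
                    }
                    pendingCertificates.add((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(authKeyData.mPendingCertificate)));
                } catch (CertificateException e2) {
                    throw new RuntimeException("Error creating certificate for auth key", e2);
                }
            }
            saveToDisk();
            return pendingCertificates;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e3) {
            throw new RuntimeException("Error loading keystore", e3);
        }
    }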

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the configured maximum number of uses per authentication key.
     *
     * @return the value of {@code mAuthMaxUsesPerKey}
     */
    public int getAuthMaxUsesPerKey() {
        int maxUses = this.mAuthMaxUsesPerKey;
        return maxUses;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the alias under which the credential key is stored.
     *
     * @return the value of {@code mCredentialKeyAlias}
     */
    public String getCredentialKeyAlias() {
        String alias = this.mCredentialKeyAlias;
        return alias;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the certificate chain of the credential key.
     *
     * @return the internal collection itself, not a copy
     */
    public Collection<X509Certificate> getCredentialKeyCertificateChain() {
        Collection<X509Certificate> chain = this.mCertificateChain;
        return chain;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Loads the credential key's private key entry from AndroidKeyStore.
     *
     * <p>NOTE(review): the entry is cast without a check, so a missing alias or an entry of
     * another type ends in an unchecked exception that the catch below does not handle.
     *
     * @return the private key stored under {@code mCredentialKeyAlias}
     * @throws RuntimeException if the keystore or the entry cannot be loaded
     */
    public PrivateKey getCredentialKeyPrivate() {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) androidKeyStore.getEntry(this.mCredentialKeyAlias, null);
            return entry.getPrivateKey();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            throw new RuntimeException("Error loading keystore", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the document type of this credential.
     *
     * @return the value of {@code mDocType}
     */
    public String getDocType() {
        String docType = this.mDocType;
        return docType;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the namespace data of this credential.
     *
     * @return the internal collection itself, not a copy
     */
    public Collection<PersonalizationData.NamespaceData> getNamespaceDatas() {
        Collection<PersonalizationData.NamespaceData> namespaces = this.mNamespaceDatas;
        return namespaces;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the alias of the per-reader session key.
     *
     * @return the value of {@code mPerReaderSessionKeyAlias}
     */
    public String getPerReaderSessionKeyAlias() {
        String alias = this.mPerReaderSessionKeyAlias;
        return alias;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Finds the data of a namespace by name.
     *
     * @param str namespace name to look for
     * @return the first namespace whose name equals {@code str}, or {@code null} if none does
     */
    public PersonalizationData.NamespaceData lookupNamespaceData(String str) {
        for (PersonalizationData.NamespaceData candidate : this.mNamespaceDatas) {
            if (candidate.getNamespaceName().equals(str)) {
                return candidate;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Produces a signed proof of ownership for this credential.
     *
     * <p>The signed payload is the CBOR array
     * {@code ["ProofOfOwnership", docType, bArr, false]}. It is signed with the credential
     * key using SHA256withECDSA and returned as an encoded COSE_Sign1 structure.
     *
     * @param bArr bytes to include in the proof (presumably a caller-supplied challenge;
     *     verify against the caller)
     * @return the CBOR-encoded signature structure
     * @throws RuntimeException if the key cannot be loaded or the payload cannot be encoded
     */
    public byte[] proveOwnership(byte[] bArr) {
        PrivateKey signingKey = getCredentialKeyPrivate();
        CborBuilder payloadBuilder = new CborBuilder();
        payloadBuilder.addArray()
                .add("ProofOfOwnership")
                .add(this.mDocType)
                .add(bArr)
                .add(false);
        try {
            ByteArrayOutputStream payload = new ByteArrayOutputStream();
            new CborEncoder(payload).encode(payloadBuilder.build().get(0));
            byte[] toBeSigned = payload.toByteArray();
            return Util.cborEncode(Util.coseSign1Sign(signingKey, "SHA256withECDSA", toBeSigned, null, null));
        } catch (CborException e) {
            throw new RuntimeException("Error building ProofOfOwnership", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Selects an authentication key, preferring one that has not expired.
     *
     * <p>The first attempt excludes expired keys. Only when it finds nothing and {@code z2}
     * is set is a second attempt made that also accepts expired keys.
     *
     * @param z whether a key that has reached its maximum use count may be returned
     * @param z2 whether to fall back to expired keys
     * @param z3 whether to increment and persist the selected key's use count
     * @return the private key with its static authentication data, or {@code null} if no
     *     key qualifies
     */
    public Pair<PrivateKey, byte[]> selectAuthenticationKey(boolean z, boolean z2, boolean z3) {
        Pair<PrivateKey, byte[]> unexpired = selectAuthenticationKeyHelper(z, false, z3);
        if (unexpired == null && z2) {
            return selectAuthenticationKeyHelper(z, true, z3);
        }
        return unexpired;
    }

    /**
     * Picks the authentication key with the lowest use count among the eligible slots and
     * loads its private key from AndroidKeyStore.
     *
     * <p>A slot is eligible when it has a key alias and is either not expired or {@code z2}
     * allows expired keys. On equal use counts the earlier slot wins. When the chosen key has
     * reached {@code mAuthMaxUsesPerKey} it is only returned if {@code z} is set, and that is
     * logged.
     *
     * @param z whether a key that has reached its maximum use count may be returned
     * @param z2 whether expired keys are eligible
     * @param z3 whether to increment the use count and save the state to disk
     * @return the private key with its static authentication data, or {@code null} if no
     *     key qualifies
     * @throws RuntimeException if the keystore or the key entry cannot be loaded
     */
    Pair<PrivateKey, byte[]> selectAuthenticationKeyHelper(boolean z, boolean z2, boolean z3) {
        Calendar now = Calendar.getInstance();
        AuthKeyData best = null;
        for (int i = 0; i < this.mAuthKeyCount; i++) {
            AuthKeyData candidate = this.mAuthKeyDatas.get(i);
            if (candidate.mAlias.isEmpty()) {
                continue;
            }
            boolean expired = candidate.mExpirationDate != null && now.after(candidate.mExpirationDate);
            if (expired && !z2) {
                continue;
            }
            if (best == null || candidate.mUseCount < best.mUseCount) {
                best = candidate;
            }
        }
        if (best == null) {
            return null;
        }
        boolean exhausted = best.mUseCount >= this.mAuthMaxUsesPerKey;
        if (exhausted && !z) {
            return null;
        }
        if (exhausted) {
            Log.i(TAG, "Using exhausted key.");
        }
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) androidKeyStore.getEntry(best.mAlias, null);
            Pair<PrivateKey, byte[]> selected = new Pair<>(entry.getPrivateKey(), best.mStaticAuthenticationData);
            if (z3) {
                // Persist the new count right away so it is not lost with the process.
                best.mUseCount++;
                saveToDisk();
            }
            return selected;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            throw new RuntimeException("Error loading keystore", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Updates the authentication key settings and resizes the list of key slots to match.
     *
     * <p>When the count grows, empty slots are appended. When it shrinks, slots are removed
     * from the front of the list and their current and pending keys are deleted from
     * AndroidKeyStore if present. The state is saved to disk in every case.
     *
     * @param i new number of authentication key slots
     * @param i2 new maximum number of uses per key
     * @param j new minimum remaining validity in milliseconds
     * @throws RuntimeException if the keystore cannot be loaded or a key cannot be deleted
     */
    public void setAvailableAuthenticationKeys(int i, int i2, long j) {
        int previousCount = this.mAuthKeyCount;
        this.mAuthKeyCount = i;
        this.mAuthMaxUsesPerKey = i2;
        this.mAuthKeyMinValidTimeMillis = j;

        if (previousCount < i) {
            for (int slot = previousCount; slot < this.mAuthKeyCount; slot++) {
                this.mAuthKeyDatas.add(new AuthKeyData());
            }
        } else if (previousCount > i) {
            KeyStore keyStore;
            try {
                keyStore = KeyStore.getInstance("AndroidKeyStore");
                keyStore.load(null);
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e3) {
                throw new RuntimeException("Error loading keystore", e3);
            }
            int slotsToRemove = previousCount - this.mAuthKeyCount;
            for (int removed = 0; removed < slotsToRemove; removed++) {
                AuthKeyData first = this.mAuthKeyDatas.get(0);
                if (!first.mAlias.isEmpty()) {
                    try {
                        if (keyStore.containsAlias(first.mAlias)) {
                            keyStore.deleteEntry(first.mAlias);
                        }
                    } catch (KeyStoreException e) {
                        throw new RuntimeException("Error deleting auth key with mAlias " + first.mAlias, e);
                    }
                }
                if (!first.mPendingAlias.isEmpty()) {
                    try {
                        if (keyStore.containsAlias(first.mPendingAlias)) {
                            keyStore.deleteEntry(first.mPendingAlias);
                        }
                    } catch (KeyStoreException e2) {
                        throw new RuntimeException("Error deleting auth key with mPendingAlias " + first.mPendingAlias, e2);
                    }
                }
                // Drop the slot only after its keys are gone from the keystore.
                this.mAuthKeyDatas.remove(0);
            }
        }
        saveToDisk();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Promotes a pending authentication key to the current key of its slot and stores the
     * static authentication data for it.
     *
     * <p>The slot is the first one whose non-empty pending certificate equals the given
     * certificate. The slot's previous key, if any, is deleted from AndroidKeyStore, the use
     * count is reset to 0, the pending fields are cleared and the state is saved to disk.
     *
     * @param x509Certificate certificate of the pending authentication key
     * @param calendar expiration date to record for the key
     * @param bArr static authentication data to store with the key
     * @throws UnknownAuthenticationKeyException if no slot has a matching pending certificate
     * @throws RuntimeException if a stored certificate cannot be parsed or the old key cannot
     *     be deleted
     */
    public void storeStaticAuthenticationData(X509Certificate x509Certificate, Calendar calendar, byte[] bArr) throws UnknownAuthenticationKeyException {
        try {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            AuthKeyData match = null;
            for (AuthKeyData slot : this.mAuthKeyDatas) {
                if (slot.mPendingCertificate.length == 0) {
                    continue;
                }
                X509Certificate pending = (X509Certificate) x509Factory.generateCertificate(new ByteArrayInputStream(slot.mPendingCertificate));
                if (pending.equals(x509Certificate)) {
                    match = slot;
                    break;
                }
            }
            if (match == null) {
                throw new UnknownAuthenticationKeyException("No such authentication key");
            }
            if (!match.mAlias.isEmpty()) {
                // The key being replaced is removed from the keystore before the swap.
                try {
                    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    if (keyStore.containsAlias(match.mAlias)) {
                        keyStore.deleteEntry(match.mAlias);
                    }
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                    throw new RuntimeException("Error deleting old authentication key", e);
                }
            }
            match.mAlias = match.mPendingAlias;
            match.mCertificate = match.mPendingCertificate;
            match.mStaticAuthenticationData = bArr;
            match.mUseCount = 0;
            match.mPendingAlias = "";
            match.mPendingCertificate = new byte[0];
            match.mExpirationDate = calendar;
            saveToDisk();
        } catch (CertificateException e2) {
            throw new RuntimeException("Error encoding certificate", e2);
        }
    }
}
