package com.robinhood.vault.internal;

import android.security.keystore.KeyGenParameterSpec;
import com.robinhood.android.common.util.analytics.AnalyticsStrings;
import com.robinhood.vault.IncompatibleCiphertextVersionException;
import com.robinhood.vault.VaultKeyUngeneratableException;
import com.robinhood.vault.VaultKeyUnrecoverableException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import kotlin.ExceptionsKt__ExceptionsKt;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;
import okio.ByteString;

@Metadata(bv = {}, d1 = {"\u0000:\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\b\n\u0002\b\b\u0018\u0000 \u001b2\u00020\u0001:\u0001\u001bB\u0007¢\u0006\u0004\b\u0019\u0010\u001aJ\u0012\u0010\u0005\u001a\u0004\u0018\u00010\u00042\u0006\u0010\u0003\u001a\u00020\u0002H\u0002J\u0010\u0010\u0006\u001a\u00020\u00042\u0006\u0010\u0003\u001a\u00020\u0002H\u0002J\u0010\u0010\n\u001a\u00020\t2\u0006\u0010\b\u001a\u00020\u0007H\u0016J\u0010\u0010\f\u001a\u00020\u00072\u0006\u0010\u000b\u001a\u00020\tH\u0016J\b\u0010\u000e\u001a\u00020\rH\u0016R\u0014\u0010\u0010\u001a\u00020\u000f8\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0010\u0010\u0011R\u0014\u0010\u0012\u001a\u00020\u00048\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0012\u0010\u0013R\u001a\u0010\u0015\u001a\u00020\u00148\u0016X\u0096D¢\u0006\f\n\u0004\b\u0015\u0010\u0016\u001a\u0004\b\u0017\u0010\u0018¨\u0006\u001c"}, d2 = {"Lcom/robinhood/vault/internal/Api23VaultWorkerV1;", "Lcom/robinhood/vault/internal/VaultWorker;", "", "alias", "Ljavax/crypto/SecretKey;", "getSecretKeyFromKeystore", "generateKey", "Lokio/ByteString;", "bytes", "Lcom/robinhood/vault/internal/VaultCipherText;", "encrypt", "ciphertext", "decrypt", "", AnalyticsStrings.BUTTON_LIST_DELETE, "Ljava/security/KeyStore;", "keystore", "Ljava/security/KeyStore;", "key", "Ljavax/crypto/SecretKey;", "", "version", "I", "getVersion", "()I", "<init>", "()V", "Companion", "lib-vault_externalRelease"}, k = 1, mv = {1, 6, 0})
/* loaded from: classes37.dex */
public final class Api23VaultWorkerV1 implements VaultWorker {
    private static final int AES_KEY_SIZE = 256;
    private static final String ALIAS = "robinhoodSecretKey";
    private static final String ANDROID_KEY_STORE = "AndroidKeyStore";
    private static final int GCM_TAG_LENGTH = 128;
    private static final String TRANSFORMATION = "AES/GCM/NoPadding";
    private static final int VERSION = 1;
    private final SecretKey key;
    private final KeyStore keystore;
    private final int version;

    public Api23VaultWorkerV1() {
        KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
        keyStore.load(null);
        Intrinsics.checkNotNullExpressionValue(keyStore, "getInstance(ANDROID_KEY_…    .apply { load(null) }");
        this.keystore = keyStore;
        SecretKey secretKeyFromKeystore = getSecretKeyFromKeystore(ALIAS);
        this.key = secretKeyFromKeystore == null ? generateKey(ALIAS) : secretKeyFromKeystore;
        this.version = 1;
    }

    private final SecretKey generateKey(String alias) {
        KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        Intrinsics.checkNotNullExpressionValue(keyGenerator, "getInstance(\n           …DROID_KEY_STORE\n        )");
        keyGenerator.init(new KeyGenParameterSpec.Builder(alias, 3).setBlockModes("GCM").setEncryptionPaddings("NoPadding").setKeySize(256).build());
        try {
            SecretKey generateKey = keyGenerator.generateKey();
            Intrinsics.checkNotNullExpressionValue(generateKey, "keygen.generateKey()");
            return generateKey;
        } catch (Exception e) {
            throw new VaultKeyUngeneratableException(null, e, 1, null);
        }
    }

    private final SecretKey getSecretKeyFromKeystore(String alias) {
        KeyStoreException keyStoreException = null;
        if (!this.keystore.containsAlias(alias)) {
            return null;
        }
        try {
            KeyStore.Entry entry = this.keystore.getEntry(alias, null);
            if (entry != null) {
                return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            }
            throw new NullPointerException("null cannot be cast to non-null type java.security.KeyStore.SecretKeyEntry");
        } catch (Exception e) {
            try {
                KeyStore.Entry entry2 = this.keystore.getEntry(alias, null);
                if (entry2 != null) {
                    return ((KeyStore.SecretKeyEntry) entry2).getSecretKey();
                }
                throw new NullPointerException("null cannot be cast to non-null type java.security.KeyStore.SecretKeyEntry");
            } catch (Exception e2) {
                try {
                    this.keystore.deleteEntry(alias);
                } catch (KeyStoreException e3) {
                    keyStoreException = e3;
                }
                VaultKeyUnrecoverableException vaultKeyUnrecoverableException = new VaultKeyUnrecoverableException("Retrieval failed twice.", e2);
                ExceptionsKt__ExceptionsKt.addSuppressed(vaultKeyUnrecoverableException, e);
                if (keyStoreException != null) {
                    ExceptionsKt__ExceptionsKt.addSuppressed(vaultKeyUnrecoverableException, keyStoreException);
                }
                throw vaultKeyUnrecoverableException;
            }
        }
    }

    @Override // com.robinhood.vault.internal.VaultWorker
    public synchronized ByteString decrypt(VaultCipherText ciphertext) {
        ByteString.Companion companion;
        byte[] doFinal;
        Intrinsics.checkNotNullParameter(ciphertext, "ciphertext");
        if (ciphertext.getVersion() != getVersion()) {
            throw new IncompatibleCiphertextVersionException("VaultCipherText version not supported: " + ciphertext.getVersion() + " (expected " + getVersion() + ')', null, 2, null);
        }
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(2, this.key, new GCMParameterSpec(128, ciphertext.getIv().toByteArray()));
        cipher.updateAAD(new byte[]{1});
        companion = ByteString.Companion;
        doFinal = cipher.doFinal(ciphertext.getCiphertext().toByteArray());
        Intrinsics.checkNotNullExpressionValue(doFinal, "cipher.doFinal(ciphertex…ciphertext.toByteArray())");
        return ByteString.Companion.of$default(companion, doFinal, 0, 0, 3, null);
    }

    @Override // com.robinhood.vault.internal.VaultWorker
    public void delete() {
        this.keystore.deleteEntry(ALIAS);
    }

    @Override // com.robinhood.vault.internal.VaultWorker
    public synchronized VaultCipherText encrypt(ByteString bytes) {
        byte[] doFinal;
        int version;
        ByteString.Companion companion;
        byte[] iv;
        Intrinsics.checkNotNullParameter(bytes, "bytes");
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(1, this.key);
        cipher.updateAAD(new byte[]{1});
        doFinal = cipher.doFinal(bytes.toByteArray());
        Intrinsics.checkNotNullExpressionValue(doFinal, "cipher.doFinal(bytes.toByteArray())");
        version = getVersion();
        companion = ByteString.Companion;
        iv = cipher.getIV();
        Intrinsics.checkNotNullExpressionValue(iv, "cipher.iv");
        return new VaultCipherText(version, ByteString.Companion.of$default(companion, iv, 0, 0, 3, null), ByteString.Companion.of$default(companion, doFinal, 0, 0, 3, null));
    }

    @Override // com.robinhood.vault.internal.VaultWorker
    public int getVersion() {
        return this.version;
    }
}
