package com.ionicframework.auth;

import android.annotation.TargetApi;
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.util.Base64;
import android.util.Log;
import androidx.biometric.KeyguardUtils$Api23Impl$$ExternalSyntheticApiModelOutline0;
import com.bottlerocketstudios.vault.EncryptionConstants;
import com.bottlerocketstudios.vault.keys.generator.Aes256KeyFromPasswordFactory;
import com.bottlerocketstudios.vault.keys.generator.Aes256RandomKeyFactory;
import com.bottlerocketstudios.vault.salt.SaltGenerator;
import com.ionicframework.IdentityVault.Device$$ExternalSyntheticApiModelOutline0;
import java.security.Key;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.json.JSONArray;

/* loaded from: classes.dex */
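/**
 * Pairs an encrypted storage vault with an optional biometric vault that holds a copy of the
 * storage key, and tracks the lock state and failed-unlock count for both.
 *
 * <p>The storage vault is keyed in one of three ways, depending on {@link VaultState}: a key
 * derived from a user passcode, a random AES-256 key, or (in "secure storage mode") the key held
 * in {@code VaultState.secureStorageKey}. When biometrics are enabled, the active storage key is
 * Base64-encoded and written into the biometric vault so that {@link #unlock()} can restore it.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>{@code remainingAttempts} is a plain instance field. Nothing in this class persists it,
 *       so it returns to {@code MAX_AUTH_ATTEMPTS} whenever a new instance is constructed, and
 *       reaching zero only changes the error thrown. Any lock-out or wipe has to be enforced by
 *       the caller.</li>
 *   <li>In secure storage mode {@link #isLocked()} never reports {@code true} and {@link #lock()}
 *       does nothing, so stored values are readable whenever this object exists.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. The {@code $$ExternalSyntheticApiModelOutline0} calls are
 * compiler-generated stubs whose bodies are not visible here; they are kept exactly as found.
 */
public class IonicCombinedVault {
    private static final String TAG = "IonicCombinedVault";

    /**
     * Iteration count handed to {@link Aes256KeyFromPasswordFactory}.
     *
     * <p>NOTE(review): 10,000 is far below current PBKDF2 guidance (OWASP's password storage
     * cheat sheet recommends hundreds of thousands of iterations). The value is left unchanged
     * because keys already derived with it would no longer match; raising it needs a migration
     * that re-derives and re-wraps on the next successful passcode unlock.
     */
    private static final int PBKDF_ITERATIONS = 10000;

    /** Failed unlocks tolerated before {@link TooManyFailedAttemptsError} replaces the auth error. */
    private static final int MAX_AUTH_ATTEMPTS = 5;

    /** Biometric-vault entry holding the Base64-encoded storage key. */
    private static final String STORAGE_KEY = "STORAGE_KEY";

    /** Biometric-vault entry holding the storage key's algorithm name. */
    private static final String STORAGE_KEY_ALGORITHM = "STORAGE_KEY_ALGORITHM";

    /** Android Keystore alias of the key used only to notice that the key was invalidated. */
    private static final String FINGERPRINT_KEY = "_ionicAuthFingerprintKey";

    private final Context mContext;
    private final String mDescriptor;
    private final IdentityVault mParent;
    private final VaultState mState;
    private final IonicVault mStorageVault;

    // Created lazily: biometric availability is re-queried on every call and can differ from
    // what it was at construction time.
    private IonicVault mBiometricVault;

    private int remainingAttempts = MAX_AUTH_ATTEMPTS;

    /**
     * Builds the vault pair for {@code str} and generates a storage key if none is available.
     *
     * @param context Android context passed to {@link VaultFactory}
     * @param str descriptor naming this vault
     * @param identityVault parent consulted for biometric availability
     */
    public IonicCombinedVault(Context context, String str, IdentityVault identityVault) {
        this.mDescriptor = str;
        this.mParent = identityVault;
        this.mState = new VaultState(VaultFactory.getStateVault(context), str, identityVault.isBiometricsAvailable());
        this.mContext = context;
        this.mStorageVault = VaultFactory.getPasscodeVault(context, this.mDescriptor);
        if (identityVault.isBiometricsAvailable()) {
            this.mBiometricVault = VaultFactory.getBiometricVault(context, this.mDescriptor);
        }
        autoGenerateKeyIfNeeded();
    }

    /** Returns the biometric vault, creating it on first use. */
    private IonicVault requireBiometricVault() {
        if (this.mBiometricVault == null) {
            this.mBiometricVault = VaultFactory.getBiometricVault(this.mContext, this.mDescriptor);
        }
        return this.mBiometricVault;
    }

    /**
     * Installs a storage key when none is available and the vault is either unused or in secure
     * storage mode, then mirrors that key into the biometric vault.
     */
    private void autoGenerateKeyIfNeeded() {
        if (this.mStorageVault.isKeyAvailable()) {
            return;
        }
        boolean secureStorage = this.mState.isSecureStorageModeEnabled();
        // A vault that is in use and not in secure storage mode must be unlocked by the user;
        // generating a fresh key here would not recover its contents.
        if (this.mState.inUse && !secureStorage) {
            return;
        }
        if (secureStorage) {
            this.mStorageVault.setKey(this.mState.secureStorageKey);
        } else {
            this.mStorageVault.rekeyStorage(Aes256RandomKeyFactory.createKey());
        }
        storeKeyInBioVault(this.mStorageVault.getKey());
    }

    /**
     * Checks whether the Keystore detection key is still usable and reacts if it is not.
     *
     * <p>If the key is missing it is created. If {@code Cipher.init} reports
     * {@link KeyPermanentlyInvalidatedException}, the biometric copy of the storage key is
     * discarded and the detection key regenerated; when no passcode is enabled the whole vault
     * is cleared first, because no other unlock path remains.
     *
     * @throws InvalidatedCredentialsError if the detection key was permanently invalidated
     * @throws VaultError on any other Keystore or cipher failure
     */
    @TargetApi(23)
    private void detectFingerprintsChanged() {
        try {
            KeyStore keyStore = KeyStore.getInstance(EncryptionConstants.ANDROID_KEY_STORE);
            keyStore.load(null);
            Key detectionKey = keyStore.getKey(FINGERPRINT_KEY, null);
            if (detectionKey == null) {
                setupBiometricChangeDetectionKey();
            } else {
                // Only init() matters: it is the call that surfaces an invalidated key.
                Cipher.getInstance(EncryptionConstants.AES_CBC_PADDED_TRANSFORM_ANDROID_M)
                        .init(Cipher.ENCRYPT_MODE, detectionKey);
            }
        } catch (KeyPermanentlyInvalidatedException unused) {
            if (!isPasscodeEnabled()) {
                clear();
            }
            // The field may still be null if biometrics became available after construction.
            requireBiometricVault().rekeyStorage(null);
            setupBiometricChangeDetectionKey();
            throw new InvalidatedCredentialsError();
        } catch (Exception e) {
            // The rethrown VaultError carries only the message, so keep the stack trace in the log.
            Log.e(TAG, "Biometric change detection failed", e);
            throw new VaultError(e.getLocalizedMessage());
        }
    }

    /**
     * Maps the cause of a biometric-vault read failure onto a vault error.
     *
     * <p>The two checks are compiler-generated outline stubs. Judging by the log messages they
     * test for an expired user authentication and for a permanently invalidated key.
     * NOTE(review): confirm against the outline class.
     *
     * @param th cause of the runtime exception; may be {@code null}
     * @return {@code false} when the cause is not recognised; recognised causes always throw
     * @throws AuthFailedError when the first check matches
     * @throws InvalidatedCredentialsError when the second check matches, after clearing the vault
     */
    @TargetApi(23)
    private boolean handleRuntimeException(Throwable th) {
        if (Device$$ExternalSyntheticApiModelOutline0.m(th)) {
            Log.i(TAG, "User authentication expired");
            throw new AuthFailedError();
        }
        if (!Device$$ExternalSyntheticApiModelOutline0.m$1(th)) {
            return false;
        }
        Log.i(TAG, "User changed unlock code and permanently invalidated the key");
        clear();
        throw new InvalidatedCredentialsError();
    }

    /** Derives an AES-256 key from {@code str} using {@link #PBKDF_ITERATIONS} and the given salt source. */
    private SecretKey keyFromPassword(String str, SaltGenerator saltGenerator) {
        return Aes256KeyFromPasswordFactory.createKey(str, PBKDF_ITERATIONS, saltGenerator);
    }

    /** Sets and persists the in-use flag the first time the vault is written to. */
    private void markAsInUse() {
        if (!this.mState.inUse) {
            this.mState.inUse = true;
            this.mState.storeState();
        }
    }

    /**
     * Replaces the Keystore detection key with a fresh AES key that requires user authentication.
     *
     * <p>NOTE(review): the builder comes from an outline stub, so the alias and purposes it is
     * created with are not visible in this listing; confirm that it targets
     * {@link #FINGERPRINT_KEY}.
     *
     * @throws VaultError on any Keystore or key-generation failure
     */
    @TargetApi(23)
    private void setupBiometricChangeDetectionKey() {
        try {
            KeyStore keyStore = KeyStore.getInstance(EncryptionConstants.ANDROID_KEY_STORE);
            keyStore.load(null);
            keyStore.deleteEntry(FINGERPRINT_KEY);
            KeyGenerator keyGenerator = KeyGenerator.getInstance(EncryptionConstants.AES_CIPHER, EncryptionConstants.ANDROID_KEY_STORE);
            KeyguardUtils$Api23Impl$$ExternalSyntheticApiModelOutline0.m();
            KeyGenParameterSpec spec = Device$$ExternalSyntheticApiModelOutline0.m$1()
                    .setBlockModes(EncryptionConstants.BLOCK_MODE_CBC)
                    .setUserAuthenticationRequired(true)
                    .setEncryptionPaddings(EncryptionConstants.ENCRYPTION_PADDING_PKCS7)
                    .build();
            keyGenerator.init(spec);
            keyGenerator.generateKey();
        } catch (Exception e) {
            // The rethrown VaultError carries only the message, so keep the stack trace in the log.
            Log.e(TAG, "Failed to create biometric change detection key", e);
            throw new VaultError(e.getLocalizedMessage());
        }
    }

    /**
     * Writes a Base64 copy of {@code secretKey} and its algorithm into the biometric vault.
     * Does nothing when biometrics are not enabled.
     *
     * <p>The encoded key is held in an immutable {@code String} and cannot be wiped from memory
     * afterwards.
     */
    private void storeKeyInBioVault(SecretKey secretKey) {
        if (!isBiometricsEnabled()) {
            return;
        }
        IonicVault bioVault = requireBiometricVault();
        String encodedKey = Base64.encodeToString(secretKey.getEncoded(), Base64.DEFAULT);
        bioVault.rekeyStorage(null);
        bioVault.edit()
                .putString(STORAGE_KEY, encodedKey)
                .putString(STORAGE_KEY_ALGORITHM, secretKey.getAlgorithm())
                .apply();
    }

    /**
     * Runs the storage vault's login check and maintains the failed-attempt counter.
     *
     * @param refreshBiometricCopy whether to mirror the validated key into the biometric vault
     * @throws AuthFailedError on a failed login while attempts remain
     * @throws TooManyFailedAttemptsError on a failed login once the counter reaches zero or below
     */
    private void validateLoginAndCountAttempts(boolean refreshBiometricCopy) {
        try {
            this.mStorageVault.validateLogin();
            this.remainingAttempts = MAX_AUTH_ATTEMPTS;
            if (refreshBiometricCopy) {
                storeKeyInBioVault(this.mStorageVault.getKey());
            }
        } catch (AuthFailedError e) {
            this.remainingAttempts--;
            // Drop the rejected key so the vault does not stay keyed with it.
            this.mStorageVault.lock();
            if (this.remainingAttempts > 0) {
                throw e;
            }
            throw new TooManyFailedAttemptsError();
        }
    }

    /**
     * Wipes stored data and the biometric key copy, resets the in-use and passcode-setup flags,
     * regenerates a storage key if appropriate, and restores the attempt counter.
     */
    public void clear() {
        if (this.mBiometricVault != null) {
            this.mBiometricVault.rekeyStorage(null);
        }
        this.mStorageVault.clearStorage();
        this.mState.inUse = false;
        this.mState.passcodeSetup = false;
        this.mState.storeState();
        autoGenerateKeyIfNeeded();
        this.remainingAttempts = MAX_AUTH_ATTEMPTS;
    }

    /**
     * @return the stored keys, or {@code null} when the vault has never been written to
     * @throws VaultLockedError if the vault is locked
     */
    public JSONArray getKeys() {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        return isInUse() ? this.mStorageVault.getKeys() : null;
    }

    /**
     * @return attempts left before {@link TooManyFailedAttemptsError}; the counter is not clamped
     *     and goes negative if unlock keeps being called after it reaches zero
     */
    public int getRemainingAttempts() {
        return this.remainingAttempts;
    }

    /**
     * @param str key to look up
     * @return the stored value, or {@code null} when the vault has never been written to
     * @throws VaultLockedError if the vault is locked
     */
    public Object getStoredValue(String str) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        return isInUse() ? this.mStorageVault.getStoredValue(str) : null;
    }

    /** @return {@code true} when biometrics are switched on in state and currently available */
    public boolean isBiometricsEnabled() {
        return this.mState.biometricsEnabled && this.mParent.isBiometricsAvailable();
    }

    /** @return {@code true} once a value has been stored or removed since the last clear */
    public boolean isInUse() {
        return this.mState.inUse;
    }

    /**
     * @return {@code true} only when the storage vault is locked, the vault is in use, and secure
     *     storage mode is off; an unused vault and a secure-storage vault never count as locked
     */
    public boolean isLocked() {
        return this.mStorageVault.isLocked()
                && this.mState.inUse
                && !this.mState.isSecureStorageModeEnabled();
    }

    /** @return {@code true} when passcode protection is switched on in state */
    public boolean isPasscodeEnabled() {
        return this.mState.passcodeEnabled;
    }

    /** @return {@code true} when the vault is keyed from {@code VaultState.secureStorageKey} */
    public boolean isSecureStorageModeEnabled() {
        return this.mState.isSecureStorageModeEnabled();
    }

    /**
     * Locks both vaults. Does nothing when already locked, unused, or in secure storage mode.
     *
     * <p>With neither passcode nor biometrics enabled there is no way to unlock again, so the
     * contents are cleared before locking.
     */
    public void lock() {
        if (isLocked() || !isInUse() || isSecureStorageModeEnabled()) {
            return;
        }
        if (!this.mState.passcodeEnabled && !this.mState.biometricsEnabled) {
            try {
                clear();
            } catch (VaultError e) {
                // Best effort: locking must still proceed, but a failed wipe should be visible.
                Log.w(TAG, "Clearing an unprotected vault failed while locking", e);
            }
        }
        this.mStorageVault.lock();
        if (this.mBiometricVault != null) {
            this.mBiometricVault.lock();
        }
    }

    /** @return {@code true} when passcode protection is enabled but no passcode has been set yet */
    public boolean needsUserPasswordSetup() {
        return this.mState.passcodeEnabled && !this.mState.passcodeSetup;
    }

    /**
     * Removes a stored value and marks the vault as in use.
     *
     * @param str key to remove
     * @throws VaultLockedError if the vault is locked
     * @throws MissingPasscodeError if a passcode is required but not yet set
     */
    public void removeValue(String str) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (needsUserPasswordSetup()) {
            throw new MissingPasscodeError();
        }
        this.mStorageVault.removeValue(str);
        markAsInUse();
    }

    /**
     * Turns biometric unlock on or off. Enabling it leaves secure storage mode and mirrors the
     * current storage key into the biometric vault; disabling it discards that copy.
     *
     * @param z desired state
     * @throws VaultLockedError if the vault is locked
     */
    public void setBiometricsEnabled(boolean z) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (z == isBiometricsEnabled()) {
            return;
        }
        this.mState.biometricsEnabled = z;
        this.mState.storeState();
        if (z) {
            setupBiometricChangeDetectionKey();
            setSecureStorageModeEnabled(false);
            storeKeyInBioVault(this.mStorageVault.getKey());
        } else if (this.mBiometricVault != null) {
            this.mBiometricVault.rekeyStorage(null);
        }
    }

    /**
     * Re-encrypts the vault under a key derived from {@code str} with a freshly generated salt.
     *
     * <p>NOTE(review): no length or strength check is applied to the passcode in this class;
     * presumably the caller enforces one.
     *
     * @param str the new passcode
     * @throws VaultLockedError if the vault is locked
     * @throws PasscodeNotEnabledError if passcode protection is off
     */
    public void setPasscode(String str) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (!this.mState.passcodeEnabled) {
            throw new PasscodeNotEnabledError();
        }
        // A new salt per passcode change: the old derived key must not remain reproducible.
        this.mState.newSalt();
        SecretKey derivedKey = keyFromPassword(str, this.mState.getSaltGenerator());
        this.mStorageVault.restoreVaultWithNewKey(derivedKey);
        this.mState.passcodeSetup = true;
        this.mState.storeState();
        storeKeyInBioVault(derivedKey);
    }

    /**
     * Turns passcode protection on or off. Enabling it leaves secure storage mode and requires a
     * later {@link #setPasscode(String)}; disabling it drops the salt and re-encrypts the vault
     * under a random key.
     *
     * @param z desired state
     * @throws VaultLockedError if the vault is locked
     */
    public void setPasscodeEnabled(boolean z) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (z == isPasscodeEnabled()) {
            return;
        }
        // Set before the secure-storage call below, which re-enters this class.
        this.mState.passcodeEnabled = z;
        if (z) {
            setSecureStorageModeEnabled(false);
            this.mState.passcodeSetup = false;
            this.mState.storeState();
            autoGenerateKeyIfNeeded();
            return;
        }
        this.mState.salt = null;
        SecretKey randomKey = Aes256RandomKeyFactory.createKey();
        this.mStorageVault.restoreVaultWithNewKey(randomKey);
        this.mState.passcodeSetup = true;
        this.mState.storeState();
        storeKeyInBioVault(randomKey);
    }

    /**
     * Switches secure storage mode. Enabling it disables biometrics and passcode and re-encrypts
     * under {@code VaultState.secureStorageKey}; disabling it re-encrypts under a random key.
     *
     * @param z desired state
     * @throws VaultLockedError if the vault is locked
     */
    public void setSecureStorageModeEnabled(boolean z) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (z == isSecureStorageModeEnabled()) {
            return;
        }
        if (z) {
            setBiometricsEnabled(false);
            setPasscodeEnabled(false);
            this.mState.enableSecureStorage(true);
            this.mStorageVault.restoreVaultWithNewKey(this.mState.secureStorageKey);
        } else {
            this.mState.enableSecureStorage(false);
            this.mStorageVault.restoreVaultWithNewKey(Aes256RandomKeyFactory.createKey());
        }
        this.mState.storeState();
    }

    /**
     * Stores a value and marks the vault as in use.
     *
     * @param str key to store under
     * @param obj value to store
     * @throws VaultLockedError if the vault is locked
     * @throws MissingPasscodeError if a passcode is required but not yet set
     */
    public void storeValue(String str, Object obj) {
        if (isLocked()) {
            throw new VaultLockedError();
        }
        if (needsUserPasswordSetup()) {
            throw new MissingPasscodeError();
        }
        this.mStorageVault.storeValue(str, obj);
        markAsInUse();
    }

    /**
     * Unlocks with the storage key copy held in the biometric vault. Does nothing when the vault
     * is not locked.
     *
     * @throws BiometricsNotEnabled if biometrics are off, or no key copy is stored (biometrics
     *     are then switched off and the biometric vault reset)
     * @throws InvalidatedCredentialsError if the Keystore key was permanently invalidated
     * @throws AuthFailedError if the key is rejected while attempts remain
     * @throws TooManyFailedAttemptsError if the key is rejected and no attempts remain
     * @throws VaultError on an unrecognised failure reading the biometric vault
     */
    @TargetApi(23)
    public void unlock() {
        if (!isLocked()) {
            return;
        }
        if (!isBiometricsEnabled()) {
            throw new BiometricsNotEnabled();
        }
        detectFingerprintsChanged();
        // The field may still be null if biometrics became available after construction.
        IonicVault bioVault = requireBiometricVault();
        String encodedKey = null;
        String algorithm = null;
        try {
            encodedKey = bioVault.getString(STORAGE_KEY, null);
            algorithm = bioVault.getString(STORAGE_KEY_ALGORITHM, null);
        } catch (RuntimeException e) {
            // handleRuntimeException throws for every cause it recognises and otherwise returns
            // false, so this branch always ends in an exception.
            if (!handleRuntimeException(e.getCause())) {
                Log.e(TAG, "Failed to handle exception", e);
                throw new VaultError("unhandled runtime error: " + e.getLocalizedMessage());
            }
        }
        if (encodedKey == null || algorithm == null) {
            this.mState.biometricsEnabled = false;
            this.mState.storeState();
            bioVault.rekeyStorage(null);
            throw new BiometricsNotEnabled();
        }
        byte[] rawKey = Base64.decode(encodedKey, Base64.DEFAULT);
        try {
            this.mStorageVault.setKey(new SecretKeySpec(rawKey, 0, rawKey.length, algorithm));
        } finally {
            // SecretKeySpec copies the bytes, so the temporary buffer can be wiped. The Base64
            // string above is immutable and stays in memory until collected.
            Arrays.fill(rawKey, (byte) 0);
        }
        validateLoginAndCountAttempts(false);
    }

    /**
     * Unlocks with a passcode and, on success, refreshes the biometric copy of the key. Does
     * nothing when the vault is not locked.
     *
     * @param str the passcode to try
     * @throws PasscodeNotEnabledError if passcode protection is off
     * @throws AuthFailedError if the passcode is rejected while attempts remain
     * @throws TooManyFailedAttemptsError if the passcode is rejected and no attempts remain
     */
    public void unlock(String str) {
        if (!isLocked()) {
            return;
        }
        if (!this.mState.passcodeEnabled) {
            throw new PasscodeNotEnabledError();
        }
        this.mStorageVault.setKey(keyFromPassword(str, this.mState.getSaltGenerator()));
        validateLoginAndCountAttempts(true);
    }
}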
