package at.bitfire.davdroid.webdav;

import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyGenParameterSpec;
import androidx.compose.ui.platform.AndroidCompositionLocals_androidKt$$ExternalSyntheticOutline0;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import androidx.security.crypto.MasterKeys;
import at.bitfire.davdroid.db.Credentials;
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.DeterministicAead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.Registry;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.daead.DeterministicAeadConfig;
import com.google.crypto.tink.daead.DeterministicAeadWrapper;
import com.google.crypto.tink.integration.android.AndroidKeysetManager;
import com.google.crypto.tink.internal.KeyTypeManager;
import com.google.crypto.tink.internal.PrimitiveFactory;
import com.google.crypto.tink.proto.AesSivKey;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.ProviderException;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import org.conscrypt.PSKKeyManager;

/* compiled from: CredentialsStore.kt */
/* loaded from: classes.dex */
/**
 * Encrypted store for WebDAV credentials, keyed by a numeric id.
 *
 * <p>This is decompiler output of Kotlin source (see the "compiled from" markers). The
 * constructor appears to contain library code inlined by the optimizer (androidx
 * security-crypto and Tink setup), so it reads differently from the original source.
 *
 * <p>Each entry is stored in the {@code webdav_credentials} preference file under the name
 * {@code <id>.<field>}. Names and values pass through an {@link EncryptedSharedPreferences}
 * wrapper whose keysets are protected by an AES-256-GCM key held in the Android Keystore.
 *
 * <p>NOTE(review): the id is presumably the id of a WebDAV mount; confirm against callers.
 */
public final class CredentialsStore {
    // Field names; combined with the numeric id by keyName(long, String).
    public static final String CERTIFICATE_ALIAS = "certificate_alias";
    public static final String HAS_CREDENTIALS = "has_credentials";
    public static final String PASSWORD = "password";
    public static final String USER_NAME = "user_name";
    // Handle to the Android Keystore master key; assigned in the constructor and not read by
    // any other method of this class.
    private final MasterKey masterKey;
    // Encrypting wrapper around the "webdav_credentials" preference file.
    private final SharedPreferences prefs;
    public static final Companion Companion = new Companion(null);
    // Compiler-generated field; nothing in this class reads it.
    public static final int $stable = 8;

    /* compiled from: CredentialsStore.kt */
    /* loaded from: classes.dex */
    /** Kotlin companion object; it has no members in this decompiled view. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /* compiled from: CredentialsStore.kt */
    /**
     * Source-retention marker annotation without members.
     * Presumably restricts a String to the field-name constants above (TODO confirm in the
     * Kotlin source; no use of it survives in this file).
     */
    @Retention(RetentionPolicy.SOURCE)
    /* loaded from: classes.dex */
    public @interface KeyName {
    }

    /**
     * Creates or reuses the Keystore master key and opens the encrypted preference file.
     *
     * <p>Steps, in the order the code performs them:
     * <ol>
     *   <li>build and validate the {@link KeyGenParameterSpec} for the master key,</li>
     *   <li>generate the key in the "AndroidKeyStore" provider if the alias does not exist,</li>
     *   <li>register the Tink primitives used for name and value encryption,</li>
     *   <li>obtain one keyset built from the AES256_SIV template and one from AES256_GCM,
     *       both kept in the {@code webdav_credentials} preference file,</li>
     *   <li>wrap the preference file in {@link EncryptedSharedPreferences}.</li>
     * </ol>
     *
     * <p>NOTE(review): no recovery path is visible here. A keystore or keyset failure
     * propagates to the caller, which then has no access to the stored credentials; confirm
     * that callers handle this.
     *
     * @param context any context; the application context is used for storage
     * @throws IllegalArgumentException if the key spec fails one of the checks below or the
     *         application context is null
     * @throws GeneralSecurityException (not declared, Kotlin origin) if key generation fails
     *         with a ProviderException
     */
    public CredentialsStore(Context context) {
        KeysetHandle keysetHandle;
        KeysetHandle keysetHandle2;
        Intrinsics.checkNotNullParameter(context, "context");
        // Result is discarded here; the application context is fetched again further down.
        context.getApplicationContext();
        // Master key spec: alias "_androidx_security_master_key_", purposes 3 (named
        // PURPOSE_ENCRYPT | PURPOSE_DECRYPT in the message below), GCM, no padding.
        // The key-size constant is a decompiler substitution; it must equal 256 for the
        // size check below to pass.
        // NOTE(review): the builder chain sets no user-authentication or StrongBox option, so
        // the key relies on the Keystore defaults for those. Confirm this matches the threat
        // model for stored passwords.
        KeyGenParameterSpec build = new KeyGenParameterSpec.Builder("_androidx_security_master_key_", 3).setBlockModes("GCM").setEncryptionPaddings("NoPadding").setKeySize(PSKKeyManager.MAX_KEY_LENGTH_BYTES).build();
        if (build == null) {
            throw new NullPointerException("KeyGenParameterSpec was null after build() check");
        }
        // Unused local left behind by the decompiler.
        Object obj = MasterKeys.sLock;
        // Reject any spec that is not AES-256 / GCM / NoPadding / encrypt+decrypt.
        if (build.getKeySize() != 256) {
            throw new IllegalArgumentException("invalid key size, want 256 bits got " + build.getKeySize() + " bits");
        }
        if (!Arrays.equals(build.getBlockModes(), new String[]{"GCM"})) {
            throw new IllegalArgumentException("invalid block mode, want GCM got " + Arrays.toString(build.getBlockModes()));
        }
        if (build.getPurposes() != 3) {
            throw new IllegalArgumentException("invalid purposes mode, want PURPOSE_ENCRYPT | PURPOSE_DECRYPT got " + build.getPurposes());
        }
        if (!Arrays.equals(build.getEncryptionPaddings(), new String[]{"NoPadding"})) {
            throw new IllegalArgumentException("invalid padding mode, want NoPadding got " + Arrays.toString(build.getEncryptionPaddings()));
        }
        // Per-operation user authentication is rejected; a validity window of at least one
        // second is required when user authentication is enabled.
        if (build.isUserAuthenticationRequired() && build.getUserAuthenticationValidityDurationSeconds() < 1) {
            throw new IllegalArgumentException("per-operation authentication is not supported (UserAuthenticationValidityDurationSeconds must be >0)");
        }
        // Generate the key only when the alias is absent. An existing key under this alias is
        // reused as-is: its parameters are not compared with the spec validated above.
        synchronized (MasterKeys.sLock) {
            String keystoreAlias = build.getKeystoreAlias();
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            if (!keyStore.containsAlias(keystoreAlias)) {
                try {
                    KeyGenerator keyGenerator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
                    keyGenerator.init(build);
                    keyGenerator.generateKey();
                } catch (ProviderException e) {
                    // Convert the provider failure to GeneralSecurityException, keeping the cause.
                    throw new GeneralSecurityException(e.getMessage(), e);
                }
            }
        }
        String keystoreAlias2 = build.getKeystoreAlias();
        this.masterKey = new MasterKey(keystoreAlias2, build);
        // Tink setup: deterministic-AEAD wrapper, the AES-SIV key manager (skipped when Tink is
        // restricted to FIPS mode), then the AEAD configuration.
        int i = DeterministicAeadConfig.$r8$clinit;
        Registry.registerPrimitiveWrapper(DeterministicAeadWrapper.WRAPPER);
        if (!TinkFipsUtil.isRestrictedToFips.get()) {
            Registry.registerKeyManager(new KeyTypeManager(AesSivKey.class, new PrimitiveFactory(DeterministicAead.class)), true);
        }
        AeadConfig.register();
        Context applicationContext = context.getApplicationContext();
        // First keyset: AES256_SIV template, yielding the DeterministicAead passed below.
        // Judging by the keyset name it encrypts preference names. Deterministic encryption
        // maps equal names to equal ciphertexts, which is what allows lookup by name.
        AndroidKeysetManager.Builder builder = new AndroidKeysetManager.Builder();
        builder.keyTemplate = KeyTemplates.get("AES256_SIV");
        if (applicationContext == null) {
            throw new IllegalArgumentException("need an Android context");
        }
        builder.context = applicationContext;
        builder.keysetName = "__androidx_security_crypto_encrypted_prefs_key_keyset__";
        builder.prefFileName = "webdav_credentials";
        // m(...) is a synthetic helper; it presumably concatenates its two arguments into the
        // master key URI (the prefix is verified right below).
        String m = AndroidCompositionLocals_androidKt$$ExternalSyntheticOutline0.m("android-keystore://", keystoreAlias2);
        if (!m.startsWith("android-keystore://")) {
            throw new IllegalArgumentException("key URI must start with android-keystore://");
        }
        builder.masterKeyUri = m;
        AndroidKeysetManager build2 = builder.build();
        synchronized (build2) {
            keysetHandle = build2.keysetManager.getKeysetHandle();
        }
        // Second keyset: AES256_GCM template, yielding the Aead passed below (preference values,
        // judging by the keyset name). Same preference file and same master key URI.
        AndroidKeysetManager.Builder builder2 = new AndroidKeysetManager.Builder();
        builder2.keyTemplate = KeyTemplates.get("AES256_GCM");
        builder2.context = applicationContext;
        builder2.keysetName = "__androidx_security_crypto_encrypted_prefs_value_keyset__";
        builder2.prefFileName = "webdav_credentials";
        String m2 = AndroidCompositionLocals_androidKt$$ExternalSyntheticOutline0.m("android-keystore://", keystoreAlias2);
        if (!m2.startsWith("android-keystore://")) {
            throw new IllegalArgumentException("key URI must start with android-keystore://");
        }
        builder2.masterKeyUri = m2;
        AndroidKeysetManager build3 = builder2.build();
        synchronized (build3) {
            keysetHandle2 = build3.keysetManager.getKeysetHandle();
        }
        // Open the preference file with mode 0 and wrap it with both primitives.
        this.prefs = new EncryptedSharedPreferences(applicationContext.getSharedPreferences("webdav_credentials", 0), (Aead) keysetHandle2.getPrimitive(Aead.class), (DeterministicAead) keysetHandle.getPrimitive(DeterministicAead.class));
    }

    /**
     * Builds the preference name for one field of one entry.
     *
     * @param j entry id
     * @param str field name, one of the constants of this class
     * @return {@code j + "." + str}
     */
    private final String keyName(long j, String str) {
        return j + "." + str;
    }

    /**
     * Reads the credentials stored for an id.
     *
     * @param j entry id
     * @return the stored credentials, or {@code null} when the {@code has_credentials} flag
     *         for this id is absent or false; user name, password and certificate alias are
     *         each {@code null} when not stored
     */
    public final Credentials getCredentials(long j) {
        if (this.prefs.getBoolean(keyName(j, HAS_CREDENTIALS), false)) {
            // The trailing "null, 8, null" arguments look like a Kotlin default-argument
            // constructor call (the fourth parameter left at its default); TODO confirm
            // against Credentials.
            return new Credentials(this.prefs.getString(keyName(j, "user_name"), null), this.prefs.getString(keyName(j, "password"), null), this.prefs.getString(keyName(j, "certificate_alias"), null), null, 8, null);
        }
        return null;
    }

    /**
     * Stores or deletes the credentials for an id.
     *
     * <p>The change is submitted with {@code apply()}, which returns no result, so a failed
     * write, including a failed deletion of a password, is not reported to the caller.
     *
     * @param j entry id
     * @param credentials values to store, or {@code null} to remove the flag and all three
     *        fields for this id
     */
    public final void setCredentials(long j, Credentials credentials) {
        SharedPreferences.Editor edit = this.prefs.edit();
        if (credentials != null) {
            // Write the presence flag together with the three values in a single edit.
            edit.putBoolean(keyName(j, HAS_CREDENTIALS), true).putString(keyName(j, "user_name"), credentials.getUsername()).putString(keyName(j, "password"), credentials.getPassword()).putString(keyName(j, "certificate_alias"), credentials.getCertificateAlias());
        } else {
            // Remove the flag and every field so that no value stays behind for this id.
            edit.remove(keyName(j, HAS_CREDENTIALS)).remove(keyName(j, "user_name")).remove(keyName(j, "password")).remove(keyName(j, "certificate_alias"));
        }
        edit.apply();
    }
}
