package com.android.identity.securearea;

import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.ArrayBuilder;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.UnicodeString;
import com.android.identity.internal.Util;
import com.android.identity.securearea.SecureArea;
import com.android.identity.storage.StorageEngine;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jcajce.spec.EdDSAParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: classes18.dex */
public class BouncyCastleSecureArea implements SecureArea {
    private static final String PREFIX = "IC_BouncyCastleSA_";
    private static final String TAG = "BouncyCastleSA";
    private final StorageEngine mStorageEngine;

    /* loaded from: classes18.dex */
    public static class CreateKeySettings extends SecureArea.CreateKeySettings {
        private final String mAttestationKeyAlias;
        private final int mEcCurve;
        private int mKeyPurposes;
        private final String mPassphrase;
        private final boolean mPassphraseRequired;

        /* loaded from: classes18.dex */
        public static class Builder {
            private String mAttestationKeyAlias;
            private boolean mPassphraseRequired;
            private int mKeyPurposes = 1;
            private int mEcCurve = 1;
            private String mPassphrase = "";

            public CreateKeySettings build() {
                return new CreateKeySettings(this.mPassphraseRequired, this.mPassphrase, this.mEcCurve, this.mKeyPurposes, this.mAttestationKeyAlias);
            }

            public Builder setAttestationKeyAlias(String str) {
                this.mAttestationKeyAlias = str;
                return this;
            }

            public Builder setEcCurve(int i) {
                this.mEcCurve = i;
                return this;
            }

            public Builder setKeyPurposes(int i) {
                if (i == 0) {
                    throw new IllegalArgumentException("Purpose cannot be empty");
                }
                this.mKeyPurposes = i;
                return this;
            }

            public Builder setPassphraseRequired(boolean z, String str) {
                if (this.mPassphraseRequired && str == null) {
                    throw new IllegalStateException("Passphrase cannot be null if it's required");
                }
                this.mPassphraseRequired = z;
                this.mPassphrase = str;
                return this;
            }
        }

        private CreateKeySettings(boolean z, String str, int i, int i2, String str2) {
            super(BouncyCastleSecureArea.class);
            this.mPassphraseRequired = z;
            this.mPassphrase = str;
            this.mEcCurve = i;
            this.mKeyPurposes = i2;
            this.mAttestationKeyAlias = str2;
        }

        public String getAttestationKeyAlias() {
            return this.mAttestationKeyAlias;
        }

        public int getEcCurve() {
            return this.mEcCurve;
        }

        public int getKeyPurposes() {
            return this.mKeyPurposes;
        }

        public String getPassphrase() {
            return this.mPassphrase;
        }

        public boolean getPassphraseRequired() {
            return this.mPassphraseRequired;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: classes18.dex */
    public static class KeyData {
        int curve;
        int keyPurposes;
        PrivateKey privateKey;

        private KeyData() {
        }
    }

    /* loaded from: classes18.dex */
    public static class KeyInfo extends SecureArea.KeyInfo {
        private final String mAttestationKeyAlias;
        private final boolean mIsPassphraseProtected;

        KeyInfo(List<X509Certificate> list, int i, int i2, boolean z, boolean z2, String str) {
            super(list, i, i2, z);
            this.mIsPassphraseProtected = z2;
            this.mAttestationKeyAlias = str;
        }

        public String getAttestationKeyAlias() {
            return this.mAttestationKeyAlias;
        }

        public boolean isPassphraseProtected() {
            return this.mIsPassphraseProtected;
        }
    }

    /* loaded from: classes18.dex */
    public static class KeyUnlockData implements SecureArea.KeyUnlockData {
        private final String mPassphrase;

        public KeyUnlockData(String str) {
            this.mPassphrase = str;
        }
    }

    public BouncyCastleSecureArea(StorageEngine storageEngine) {
        this.mStorageEngine = storageEngine;
    }

    private SecretKey derivePrivateKeyEncryptionKey(byte[] bArr, String str) {
        return new SecretKeySpec(Util.computeHkdf("HmacSha256", str.getBytes(StandardCharsets.UTF_8), bArr, "ICPrivateKeyEncryption1".getBytes(StandardCharsets.UTF_8), 32), "AES");
    }

    private ContentSigner getSignerForAlias(String str) {
        String str2;
        try {
            KeyData loadKey = loadKey(str, null);
            if ((loadKey.keyPurposes & 1) == 0) {
                throw new IllegalArgumentException("Cannot sign certificate using a key without signing purpose.");
            }
            switch (loadKey.curve) {
                case -65540:
                    str2 = "SHA512withECDSA";
                    break;
                case -65539:
                    str2 = "SHA384withECDSA";
                    break;
                case -65538:
                    str2 = "SHA256withECDSA";
                    break;
                case -65537:
                    str2 = "SHA256withECDSA";
                    break;
                case 1:
                    str2 = "SHA256withECDSA";
                    break;
                case 2:
                    str2 = "SHA384withECDSA";
                    break;
                case 3:
                    str2 = "SHA512withECDSA";
                    break;
                case 6:
                    str2 = "EdDSA";
                    break;
                case 7:
                    str2 = "EdDSA";
                    break;
                default:
                    throw new IllegalStateException("Invalid curve " + loadKey.curve + "for attestation signing");
            }
            try {
                return new JcaContentSignerBuilder(str2).build(loadKey.privateKey);
            } catch (OperatorCreationException e) {
                throw new IllegalStateException("Unexpected exception", e);
            }
        } catch (SecureArea.KeyLockedException e2) {
            throw new IllegalArgumentException("Attestation key cannot be locked");
        }
    }

    private KeyData loadKey(String str, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        byte[] cborMapExtractByteString;
        Cipher cipher;
        byte[] bArr;
        byte[] bArr2;
        KeyData keyData = new KeyData();
        String str2 = keyUnlockData != null ? ((KeyUnlockData) keyUnlockData).mPassphrase : null;
        byte[] bArr3 = this.mStorageEngine.get(PREFIX + str);
        if (bArr3 == null) {
            throw new IllegalArgumentException("No key with given alias");
        }
        try {
            List<DataItem> decode = new CborDecoder(new ByteArrayInputStream(bArr3)).decode();
            if (decode.size() != 1) {
                throw new IllegalStateException("Expected 1 item, found " + decode.size());
            }
            if (!(decode.get(0) instanceof Map)) {
                throw new IllegalStateException("Item is not a map");
            }
            Map map = (Map) decode.get(0);
            keyData.curve = (int) Util.cborMapExtractNumber(map, "curve");
            keyData.keyPurposes = (int) Util.cborMapExtractNumber(map, "keyPurposes");
            if (!Util.cborMapExtractBoolean(map, "passphraseRequired")) {
                cborMapExtractByteString = Util.cborMapExtractByteString(map, "privateKey");
            } else {
                if (str2 == null) {
                    throw new SecureArea.KeyLockedException("No passphrase provided");
                }
                byte[] cborMapExtractByteString2 = Util.cborMapExtractByteString(map, "publicKey");
                byte[] cborMapExtractByteString3 = Util.cborMapExtractByteString(map, "encryptedPrivateKey");
                SecretKey derivePrivateKeyEncryptionKey = derivePrivateKeyEncryptionKey(cborMapExtractByteString2, str2);
                try {
                    cipher = Cipher.getInstance("AES/GCM/NoPadding");
                    ByteBuffer wrap = ByteBuffer.wrap(cborMapExtractByteString3);
                    bArr = new byte[12];
                    wrap.get(bArr);
                    bArr2 = new byte[cborMapExtractByteString3.length - 12];
                    wrap.get(bArr2);
                    try {
                    } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
                        e = e;
                    }
                } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e2) {
                    e = e2;
                }
                try {
                    cipher.init(2, derivePrivateKeyEncryptionKey, new GCMParameterSpec(128, bArr));
                    cborMapExtractByteString = cipher.doFinal(bArr2);
                } catch (InvalidAlgorithmParameterException e3) {
                    e = e3;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                } catch (InvalidKeyException e4) {
                    e = e4;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                } catch (NoSuchAlgorithmException e5) {
                    e = e5;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                } catch (BadPaddingException e6) {
                    e = e6;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                } catch (IllegalBlockSizeException e7) {
                    e = e7;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                } catch (NoSuchPaddingException e8) {
                    e = e8;
                    throw new SecureArea.KeyLockedException("Error decrypting private key", e);
                }
            }
            try {
                keyData.privateKey = KeyFactory.getInstance("EC", new BouncyCastleProvider()).generatePrivate(new PKCS8EncodedKeySpec(cborMapExtractByteString));
                return keyData;
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e9) {
                throw new IllegalStateException("Error loading private key", e9);
            }
        } catch (CborException e10) {
            throw new IllegalStateException("Error decoded CBOR", e10);
        }
    }

    @Override // com.android.identity.securearea.SecureArea
    public void createKey(String str, SecureArea.CreateKeySettings createKeySettings) {
        Throwable th;
        KeyPairGenerator keyPairGenerator;
        String str2;
        Throwable th2;
        byte[] byteArray;
        ContentSigner signerForAlias;
        CreateKeySettings createKeySettings2 = (CreateKeySettings) createKeySettings;
        ArrayList arrayList = new ArrayList();
        try {
            keyPairGenerator = KeyPairGenerator.getInstance("EC", new BouncyCastleProvider());
        } catch (IOException | InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e) {
            e = e;
        }
        try {
            try {
                switch (createKeySettings2.getEcCurve()) {
                    case -65540:
                        keyPairGenerator.initialize(new ECGenParameterSpec("brainpoolP512r1"));
                        str2 = "SHA512withECDSA";
                        break;
                    case -65539:
                        keyPairGenerator.initialize(new ECGenParameterSpec("brainpoolP384r1"));
                        str2 = "SHA384withECDSA";
                        break;
                    case -65538:
                        keyPairGenerator.initialize(new ECGenParameterSpec("brainpoolP320r1"));
                        str2 = "SHA256withECDSA";
                        break;
                    case -65537:
                        keyPairGenerator.initialize(new ECGenParameterSpec("brainpoolP256r1"));
                        str2 = "SHA256withECDSA";
                        break;
                    case 1:
                        keyPairGenerator.initialize(new ECGenParameterSpec("secp256r1"));
                        str2 = "SHA256withECDSA";
                        break;
                    case 2:
                        keyPairGenerator.initialize(new ECGenParameterSpec("secp384r1"));
                        str2 = "SHA384withECDSA";
                        break;
                    case 3:
                        keyPairGenerator.initialize(new ECGenParameterSpec("secp521r1"));
                        str2 = "SHA512withECDSA";
                        break;
                    case 4:
                        keyPairGenerator = KeyPairGenerator.getInstance("x25519", new BouncyCastleProvider());
                        str2 = EdDSAParameterSpec.Ed25519;
                        break;
                    case 5:
                        keyPairGenerator = KeyPairGenerator.getInstance("x448", new BouncyCastleProvider());
                        str2 = EdDSAParameterSpec.Ed448;
                        break;
                    case 6:
                        keyPairGenerator = KeyPairGenerator.getInstance(EdDSAParameterSpec.Ed25519, new BouncyCastleProvider());
                        str2 = EdDSAParameterSpec.Ed25519;
                        break;
                    case 7:
                        keyPairGenerator = KeyPairGenerator.getInstance(EdDSAParameterSpec.Ed448, new BouncyCastleProvider());
                        str2 = EdDSAParameterSpec.Ed448;
                        break;
                    default:
                        throw new IllegalArgumentException("Unknown curve with id " + createKeySettings2.getEcCurve());
                }
                KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
                CborBuilder cborBuilder = new CborBuilder();
                MapBuilder<CborBuilder> addMap = cborBuilder.addMap();
                addMap.put("curve", createKeySettings2.getEcCurve());
                addMap.put("keyPurposes", createKeySettings2.getKeyPurposes());
                String attestationKeyAlias = createKeySettings2.getAttestationKeyAlias();
                if (attestationKeyAlias != null) {
                    addMap.put("attestationKeyAlias", attestationKeyAlias);
                }
                addMap.put("passphraseRequired", createKeySettings2.getPassphraseRequired());
                if (createKeySettings2.getPassphraseRequired()) {
                    byte[] encoded = generateKeyPair.getPrivate().getEncoded();
                    SecretKey derivePrivateKeyEncryptionKey = derivePrivateKeyEncryptionKey(generateKeyPair.getPublic().getEncoded(), createKeySettings2.getPassphrase());
                    try {
                        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
                        cipher.init(1, derivePrivateKeyEncryptionKey);
                        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                        byteArrayOutputStream.write(cipher.getIV());
                        byteArrayOutputStream.write(cipher.doFinal(encoded));
                        byteArray = byteArrayOutputStream.toByteArray();
                        try {
                        } catch (InvalidKeyException e2) {
                            e = e2;
                            th2 = e;
                            throw new IllegalStateException("Error encrypting private key", th2);
                        } catch (BadPaddingException e3) {
                            e = e3;
                            th2 = e;
                            throw new IllegalStateException("Error encrypting private key", th2);
                        } catch (IllegalBlockSizeException e4) {
                            e = e4;
                            th2 = e;
                            throw new IllegalStateException("Error encrypting private key", th2);
                        } catch (NoSuchPaddingException e5) {
                            e = e5;
                            th2 = e;
                            throw new IllegalStateException("Error encrypting private key", th2);
                        }
                    } catch (InvalidKeyException e6) {
                        e = e6;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (BadPaddingException e7) {
                        e = e7;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (IllegalBlockSizeException e8) {
                        e = e8;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (NoSuchPaddingException e9) {
                        e = e9;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    }
                    try {
                        addMap.put("publicKey", generateKeyPair.getPublic().getEncoded());
                        addMap.put("encryptedPrivateKey", byteArray);
                    } catch (InvalidKeyException e10) {
                        e = e10;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (BadPaddingException e11) {
                        e = e11;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (IllegalBlockSizeException e12) {
                        e = e12;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    } catch (NoSuchPaddingException e13) {
                        e = e13;
                        th2 = e;
                        throw new IllegalStateException("Error encrypting private key", th2);
                    }
                } else {
                    addMap.put("privateKey", generateKeyPair.getPrivate().getEncoded());
                }
                X500Name x500Name = new X500Name("CN=Android Identity Credential BC KS Impl");
                X500Name x500Name2 = new X500Name("CN=Android Identity Credential BC KS Impl");
                Date date = new Date();
                JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder = new JcaX509v3CertificateBuilder(x500Name, BigInteger.ONE, date, new Date(date.getTime() + TimeUnit.MILLISECONDS.convert(365L, TimeUnit.DAYS)), x500Name2, generateKeyPair.getPublic());
                if (attestationKeyAlias != null) {
                    signerForAlias = getSignerForAlias(attestationKeyAlias);
                } else {
                    if ((createKeySettings2.getKeyPurposes() & 1) == 0) {
                        throw new IllegalArgumentException("Cannot self-sign certificate for a key without signing purpose. Use an attestation key.");
                    }
                    signerForAlias = new JcaContentSignerBuilder(str2).build(generateKeyPair.getPrivate());
                }
                arrayList.add((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(jcaX509v3CertificateBuilder.build(signerForAlias).getEncoded())));
                ArrayBuilder<MapBuilder<CborBuilder>> putArray = addMap.putArray("attestation");
                Iterator it = arrayList.iterator();
                while (it.hasNext()) {
                    try {
                        try {
                            JcaX509v3CertificateBuilder jcaX509v3CertificateBuilder2 = jcaX509v3CertificateBuilder;
                            try {
                                putArray.add(((X509Certificate) it.next()).getEncoded());
                                jcaX509v3CertificateBuilder = jcaX509v3CertificateBuilder2;
                            } catch (CertificateEncodingException e14) {
                                throw new IllegalStateException("Error encoding certificate chain", e14);
                            }
                        } catch (IOException e15) {
                            e = e15;
                            th = e;
                            throw new IllegalStateException("Unexpected exception", th);
                        } catch (InvalidAlgorithmParameterException e16) {
                            e = e16;
                            th = e;
                            throw new IllegalStateException("Unexpected exception", th);
                        } catch (NoSuchAlgorithmException e17) {
                            e = e17;
                            th = e;
                            throw new IllegalStateException("Unexpected exception", th);
                        } catch (CertificateException e18) {
                            e = e18;
                            th = e;
                            throw new IllegalStateException("Unexpected exception", th);
                        } catch (OperatorCreationException e19) {
                            e = e19;
                            th = e;
                            throw new IllegalStateException("Unexpected exception", th);
                        }
                    } catch (IOException e20) {
                        e = e20;
                        th = e;
                        throw new IllegalStateException("Unexpected exception", th);
                    } catch (InvalidAlgorithmParameterException e21) {
                        e = e21;
                        th = e;
                        throw new IllegalStateException("Unexpected exception", th);
                    } catch (NoSuchAlgorithmException e22) {
                        e = e22;
                        th = e;
                        throw new IllegalStateException("Unexpected exception", th);
                    } catch (CertificateException e23) {
                        e = e23;
                        th = e;
                        throw new IllegalStateException("Unexpected exception", th);
                    } catch (OperatorCreationException e24) {
                        e = e24;
                        th = e;
                        throw new IllegalStateException("Unexpected exception", th);
                    }
                }
                putArray.end();
                this.mStorageEngine.put(PREFIX + str, Util.cborEncode(cborBuilder.build().get(0)));
            } catch (IOException e25) {
                e = e25;
            } catch (InvalidAlgorithmParameterException e26) {
                e = e26;
            } catch (NoSuchAlgorithmException e27) {
                e = e27;
            } catch (CertificateException e28) {
                e = e28;
            } catch (OperatorCreationException e29) {
                e = e29;
            }
        } catch (IOException | InvalidAlgorithmParameterException | NoSuchAlgorithmException | CertificateException | OperatorCreationException e30) {
            th = e30;
            throw new IllegalStateException("Unexpected exception", th);
        }
    }

    @Override // com.android.identity.securearea.SecureArea
    public void deleteKey(String str) {
        this.mStorageEngine.delete(PREFIX + str);
    }

    @Override // com.android.identity.securearea.SecureArea
    public KeyInfo getKeyInfo(String str) {
        byte[] bArr = this.mStorageEngine.get(PREFIX + str);
        if (bArr == null) {
            throw new IllegalArgumentException("No key with given alias");
        }
        try {
            List<DataItem> decode = new CborDecoder(new ByteArrayInputStream(bArr)).decode();
            if (decode.size() != 1) {
                throw new IllegalStateException("Expected 1 item, found " + decode.size());
            }
            if (!(decode.get(0) instanceof Map)) {
                throw new IllegalStateException("Item is not a map");
            }
            Map map = (Map) decode.get(0);
            int cborMapExtractNumber = (int) Util.cborMapExtractNumber(map, "curve");
            int cborMapExtractNumber2 = (int) Util.cborMapExtractNumber(map, "keyPurposes");
            boolean cborMapExtractBoolean = Util.cborMapExtractBoolean(map, "passphraseRequired");
            String cborMapExtractString = Util.cborMapHasKey(map, "attestationKeyAlias") ? Util.cborMapExtractString(map, "attestationKeyAlias") : null;
            DataItem dataItem = map.get(new UnicodeString("attestation"));
            if (!(dataItem instanceof Array)) {
                throw new IllegalStateException("attestation not found or not array");
            }
            ArrayList arrayList = new ArrayList();
            Iterator<DataItem> it = ((Array) dataItem).getDataItems().iterator();
            while (it.hasNext()) {
                try {
                    arrayList.add((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(((ByteString) it.next()).getBytes())));
                } catch (CertificateException e) {
                    throw new IllegalStateException("Error decoding certificate blob", e);
                }
            }
            return new KeyInfo(arrayList, cborMapExtractNumber2, cborMapExtractNumber, false, cborMapExtractBoolean, cborMapExtractString);
        } catch (CborException e2) {
            throw new IllegalStateException("Error decoded CBOR", e2);
        }
    }

    @Override // com.android.identity.securearea.SecureArea
    public byte[] keyAgreement(String str, PublicKey publicKey, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        KeyData loadKey = loadKey(str, keyUnlockData);
        if ((loadKey.keyPurposes & 2) == 0) {
            throw new IllegalArgumentException("Key does not have purpose KEY_PURPOSE_AGREE_KEY");
        }
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
            keyAgreement.init(loadKey.privateKey);
            keyAgreement.doPhase(publicKey, true);
            return keyAgreement.generateSecret();
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unexpected Exception", e);
        }
    }

    @Override // com.android.identity.securearea.SecureArea
    public byte[] sign(String str, int i, byte[] bArr, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        String str2;
        KeyData loadKey = loadKey(str, keyUnlockData);
        if ((loadKey.keyPurposes & 1) == 0) {
            throw new IllegalArgumentException("Key does not have purpose KEY_PURPOSE_SIGN");
        }
        switch (i) {
            case SecureArea.ALGORITHM_ES512 /* -36 */:
                str2 = "SHA512withECDSA";
                break;
            case SecureArea.ALGORITHM_ES384 /* -35 */:
                str2 = "SHA384withECDSA";
                break;
            case -8:
                if (loadKey.curve == 6) {
                    str2 = EdDSAParameterSpec.Ed25519;
                    break;
                } else {
                    if (loadKey.curve != 7) {
                        throw new IllegalArgumentException("ALGORITHM_EDDSA can only be used with EC_CURVE_ED_25519 and EC_CURVE_ED_448");
                    }
                    str2 = EdDSAParameterSpec.Ed448;
                    break;
                }
            case -7:
                str2 = "SHA256withECDSA";
                break;
            default:
                throw new IllegalArgumentException("Unsupported signing algorithm  with id " + i);
        }
        try {
            Signature signature = Signature.getInstance(str2);
            signature.initSign(loadKey.privateKey);
            signature.update(bArr);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new IllegalStateException("Unexpected Exception", e);
        }
    }
}
