package com.android.identity.android.securearea;

import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.UserNotAuthenticatedException;
import androidx.biometric.BiometricPrompt;
import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.ArrayBuilder;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.UnicodeString;
import com.android.identity.internal.Util;
import com.android.identity.securearea.SecureArea;
import com.android.identity.storage.StorageEngine;
import com.android.identity.util.Logger;
import com.android.identity.util.Timestamp;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.ProviderException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableEntryException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.sql.Date;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.crypto.KeyAgreement;

/* loaded from: classes18.dex */
public class AndroidKeystoreSecureArea implements SecureArea {
    // Prepended to a key alias to form the StorageEngine key under which that key's CBOR metadata is kept
    // (see saveKeyMetadata, deleteKey and getKeyInfo).
    private static final String PREFIX = "IC_AndroidKeystore_";
    // Tag passed to Logger for messages emitted by this class.
    private static final String TAG = "AndroidKeystoreSA";
    // User-authentication type flag: biometric. Same value as the bit tested with (type & 2) in createKey/getKeyInfo.
    public static final int USER_AUTHENTICATION_TYPE_BIOMETRIC = 2;
    // User-authentication type flag: LSKF (lock-screen knowledge factor, i.e. PIN/pattern/password).
    // Same value as the bit tested with (type & 1) in createKey/getKeyInfo.
    public static final int USER_AUTHENTICATION_TYPE_LSKF = 1;
    // Stored by the constructor; no method visible in this part of the class reads it.
    private final Context mContext;
    // Persists per-key metadata; the private keys themselves stay in the "AndroidKeyStore" provider.
    private final StorageEngine mStorageEngine;

    /* loaded from: classes18.dex */
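    /**
     * Settings consumed by {@code AndroidKeystoreSecureArea.createKey}.
     *
     * <p>Instances are immutable and are obtained through {@link Builder}. The attestation challenge
     * is copied on the way in and on the way out so that neither the caller nor a later reader can
     * alter the bytes that end up in the key attestation.
     */
    public static class CreateKeySettings extends SecureArea.CreateKeySettings {
        private final String mAttestKeyAlias;
        private final byte[] mAttestationChallenge;
        private final int mEcCurve;
        private final String mExistingKeyAlias;
        private final int mKeyPurposes;
        private final boolean mUseStrongBox;
        private final boolean mUserAuthenticationRequired;
        private final long mUserAuthenticationTimeoutMillis;
        private final int mUserAuthenticationType;
        private final Timestamp mValidFrom;
        private final Timestamp mValidUntil;

        /** Builder for {@link CreateKeySettings}; every setter returns {@code this} for chaining. */
        public static class Builder {
            private String mAttestKeyAlias;
            private final byte[] mAttestationChallenge;
            private String mExistingKeyAlias;
            private boolean mUseStrongBox;
            private boolean mUserAuthenticationRequired;
            private long mUserAuthenticationTimeoutMillis;
            private int mUserAuthenticationType;
            private Timestamp mValidFrom;
            private Timestamp mValidUntil;
            // Default purpose bit 1: createKey maps it to the signing purpose.
            private int mKeyPurposes = 1;
            // Default curve id 1: the only curve id for which createKey configures a SHA-256 digest.
            private int mEcCurve = 1;

            /**
             * @param bArr attestation challenge to embed in the key attestation; may be {@code null}.
             *     The array is copied, so later changes by the caller do not affect the builder.
             */
            public Builder(byte[] bArr) {
                this.mAttestationChallenge = copyOrNull(bArr);
            }

            /** Creates the immutable settings object from the current builder state. */
            public CreateKeySettings build() {
                return new CreateKeySettings(this.mKeyPurposes, this.mEcCurve, this.mAttestationChallenge, this.mUserAuthenticationRequired, this.mUserAuthenticationTimeoutMillis, this.mUserAuthenticationType, this.mUseStrongBox, this.mAttestKeyAlias, this.mValidFrom, this.mValidUntil, this.mExistingKeyAlias);
            }

            /** Sets the alias of a Keystore attest key; createKey only applies it on API level 31+. */
            public Builder setAttestKeyAlias(String str) {
                this.mAttestKeyAlias = str;
                return this;
            }

            /** Sets the curve id; createKey accepts 1, 4 (x25519) and 6 (ed25519) and rejects others. */
            public Builder setEcCurve(int i) {
                this.mEcCurve = i;
                return this;
            }

            /**
             * Registers an already-existing Keystore key instead of generating a new one.
             * When set, createKey only records metadata for that alias.
             */
            public Builder setExistingKeyAlias(String str) {
                this.mExistingKeyAlias = str;
                return this;
            }

            /**
             * Sets the purpose bit mask (bit 1 = sign, bit 2 = key agreement, as interpreted by createKey).
             *
             * @throws IllegalArgumentException if the mask is 0
             */
            public Builder setKeyPurposes(int i) {
                if (i == 0) {
                    throw new IllegalArgumentException("Purpose cannot be empty");
                }
                this.mKeyPurposes = i;
                return this;
            }

            /** Requests a StrongBox-backed key; createKey only applies it on API level 28+. */
            public Builder setUseStrongBox(boolean z) {
                this.mUseStrongBox = z;
                return this;
            }

            /**
             * Configures the user-authentication requirement for the key.
             *
             * @param z whether user authentication is required to use the key
             * @param j timeout in milliseconds; createKey treats 0 specially and converts any other
             *     value to whole seconds with a minimum of one second
             * @param i bit mask of USER_AUTHENTICATION_TYPE_LSKF (1) and USER_AUTHENTICATION_TYPE_BIOMETRIC (2)
             * @throws IllegalArgumentException if {@code z} is true and {@code i} is 0, or if the
             *     device is below API level 30 and {@code i} is not LSKF|BIOMETRIC (3)
             */
            public Builder setUserAuthenticationRequired(boolean z, long j, int i) {
                if (z) {
                    if (i == 0) {
                        throw new IllegalArgumentException("userAuthenticationType must be set when user authentication is required");
                    }
                    // Below API 30 the type cannot be narrowed, so only the combined mask (1 | 2) is accepted.
                    if (Build.VERSION.SDK_INT < 30 && i != 3) {
                        throw new IllegalArgumentException("Only LSKF and Strong Biometric supported on this API level");
                    }
                }
                this.mUserAuthenticationRequired = z;
                this.mUserAuthenticationTimeoutMillis = j;
                this.mUserAuthenticationType = i;
                return this;
            }

            /**
             * Sets the validity window. createKey applies the window only when the start is non-null,
             * and then needs the end as well.
             *
             * @param timestamp start of validity
             * @param timestamp2 end of validity
             */
            public Builder setValidityPeriod(Timestamp timestamp, Timestamp timestamp2) {
                this.mValidFrom = timestamp;
                this.mValidUntil = timestamp2;
                return this;
            }
        }

        private CreateKeySettings(int keyPurposes, int ecCurve, byte[] attestationChallenge, boolean userAuthenticationRequired, long userAuthenticationTimeoutMillis, int userAuthenticationType, boolean useStrongBox, String attestKeyAlias, Timestamp validFrom, Timestamp validUntil, String existingKeyAlias) {
            super(AndroidKeystoreSecureArea.class);
            this.mKeyPurposes = keyPurposes;
            this.mEcCurve = ecCurve;
            // The builder already holds a private copy that it never exposes, so it can be shared here.
            this.mAttestationChallenge = attestationChallenge;
            this.mUserAuthenticationRequired = userAuthenticationRequired;
            this.mUserAuthenticationTimeoutMillis = userAuthenticationTimeoutMillis;
            this.mUserAuthenticationType = userAuthenticationType;
            this.mUseStrongBox = useStrongBox;
            this.mAttestKeyAlias = attestKeyAlias;
            this.mValidFrom = validFrom;
            this.mValidUntil = validUntil;
            this.mExistingKeyAlias = existingKeyAlias;
        }

        /** Returns a copy of {@code bytes}, or {@code null} when {@code bytes} is {@code null}. */
        private static byte[] copyOrNull(byte[] bytes) {
            return bytes == null ? null : bytes.clone();
        }

        /** Returns the attest key alias, or {@code null} if none was set. */
        public String getAttestKeyAlias() {
            return this.mAttestKeyAlias;
        }

        /** Returns a copy of the attestation challenge, or {@code null} if none was given. */
        public byte[] getAttestationChallenge() {
            return copyOrNull(this.mAttestationChallenge);
        }

        /** Returns the curve id. */
        public int getEcCurve() {
            return this.mEcCurve;
        }

        /** Returns the alias of the existing key to register, or {@code null} to generate a new key. */
        public String getExistingKeyAlias() {
            return this.mExistingKeyAlias;
        }

        /** Returns the purpose bit mask. */
        public int getKeyPurposes() {
            return this.mKeyPurposes;
        }

        /** Returns whether a StrongBox-backed key was requested. */
        public boolean getUseStrongBox() {
            return this.mUseStrongBox;
        }

        /** Returns whether user authentication is required to use the key. */
        public boolean getUserAuthenticationRequired() {
            return this.mUserAuthenticationRequired;
        }

        /** Returns the user-authentication timeout in milliseconds. */
        public long getUserAuthenticationTimeoutMillis() {
            return this.mUserAuthenticationTimeoutMillis;
        }

        /** Returns the user-authentication type bit mask. */
        public int getUserAuthenticationType() {
            return this.mUserAuthenticationType;
        }

        /** Returns the start of the validity window, or {@code null} if none was set. */
        public Timestamp getValidFrom() {
            return this.mValidFrom;
        }

        /** Returns the end of the validity window, or {@code null} if none was set. */
        public Timestamp getValidUntil() {
            return this.mValidUntil;
        }
    }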

    /* loaded from: classes18.dex */
    /**
     * Read-only description of a key managed by this secure area.
     *
     * <p>The values are whatever the constructor is handed. In this file, getKeyInfo takes the
     * StrongBox flag, the user-authentication flag and the timeout from the stored metadata
     * (i.e. from what was requested at creation time), while the validity window and, on
     * API 30+, the authentication type are read back from Android Keystore.
     */
    public static class KeyInfo extends SecureArea.KeyInfo {
        private final String mAttestKeyAlias;
        private final boolean mIsStrongBoxBacked;
        private final boolean mUserAuthenticationRequired;
        private final long mUserAuthenticationTimeoutMillis;
        private final int mUserAuthenticationType;
        private final Timestamp mValidFrom;
        private final Timestamp mValidUntil;

        /**
         * @param attestation certificate chain, forwarded to the superclass
         * @param keyPurposes purpose bit mask, forwarded to the superclass
         * @param ecCurve curve id, forwarded to the superclass
         * @param hardwareBacked forwarded to the superclass (getKeyInfo passes isInsideSecureHardware())
         * @param attestKeyAlias alias of the attest key, or {@code null}
         * @param userAuthenticationRequired whether user authentication is required
         * @param userAuthenticationTimeoutMillis authentication timeout in milliseconds
         * @param userAuthenticationType bit mask of the USER_AUTHENTICATION_TYPE_* flags
         * @param strongBoxBacked value reported by {@link #isStrongBoxBacked()}
         * @param validFrom start of validity, or {@code null}
         * @param validUntil end of validity, or {@code null}
         */
        KeyInfo(List<X509Certificate> attestation, int keyPurposes, int ecCurve, boolean hardwareBacked, String attestKeyAlias, boolean userAuthenticationRequired, long userAuthenticationTimeoutMillis, int userAuthenticationType, boolean strongBoxBacked, Timestamp validFrom, Timestamp validUntil) {
            super(attestation, keyPurposes, ecCurve, hardwareBacked);
            this.mAttestKeyAlias = attestKeyAlias;
            this.mIsStrongBoxBacked = strongBoxBacked;
            this.mUserAuthenticationRequired = userAuthenticationRequired;
            this.mUserAuthenticationTimeoutMillis = userAuthenticationTimeoutMillis;
            this.mUserAuthenticationType = userAuthenticationType;
            this.mValidFrom = validFrom;
            this.mValidUntil = validUntil;
        }

        /** Returns whether user authentication is required to use the key. */
        public boolean isUserAuthenticationRequired() {
            return this.mUserAuthenticationRequired;
        }

        /** Returns the user-authentication timeout in milliseconds. */
        public long getUserAuthenticationTimeoutMillis() {
            return this.mUserAuthenticationTimeoutMillis;
        }

        /** Returns the bit mask of accepted user-authentication types. */
        public int getUserAuthenticationType() {
            return this.mUserAuthenticationType;
        }

        /** Returns the StrongBox flag supplied at construction. */
        public boolean isStrongBoxBacked() {
            return this.mIsStrongBoxBacked;
        }

        /** Returns the attest key alias, or {@code null} if there is none. */
        public String getAttestKeyAlias() {
            return this.mAttestKeyAlias;
        }

        /** Returns the start of the validity window, or {@code null}. */
        public Timestamp getValidFrom() {
            return this.mValidFrom;
        }

        /** Returns the end of the validity window, or {@code null}. */
        public Timestamp getValidUntil() {
            return this.mValidUntil;
        }
    }

    /* loaded from: classes18.dex */
    /**
     * Unlock data for one Keystore key, identified by alias.
     *
     * <p>For keys that require authentication on every use it prepares a
     * {@link BiometricPrompt.CryptoObject} wrapping an initialised {@link Signature}. The enclosing
     * class's sign() reads mAlias, mSignature and mSignatureAlgorithm from this object.
     */
    public static class KeyUnlockData implements SecureArea.KeyUnlockData {
        private final String mAlias;
        private BiometricPrompt.CryptoObject mCryptoObjectForSigning;
        private Signature mSignature;
        private int mSignatureAlgorithm;

        /** @param str alias of the key this unlock data applies to */
        public KeyUnlockData(String str) {
            this.mAlias = str;
        }

        /**
         * Returns the crypto object to use for key agreement.
         *
         * <p>NOTE(review): a previously created signing crypto object is returned here as well;
         * confirm that reuse for key agreement is intended.
         *
         * @return the cached signing crypto object if one exists, otherwise {@code null} when the
         *     key has an authentication validity duration greater than zero
         * @throws IllegalArgumentException if the alias has no Keystore entry
         * @throws IllegalStateException if the key has no positive validity duration (ECDH with
         *     per-use authentication is not supported), is not an Android Keystore key, or the
         *     Keystore cannot be read
         */
        public BiometricPrompt.CryptoObject getCryptoObjectForKeyAgreement() {
            BiometricPrompt.CryptoObject cached = this.mCryptoObjectForSigning;
            if (cached != null) {
                return cached;
            }
            try {
                if (hasAuthenticationTimeout(loadPrivateKey())) {
                    return null;
                }
            } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | UnrecoverableEntryException | CertificateException e) {
                throw new IllegalStateException("Unexpected exception", e);
            }
            throw new IllegalStateException("ECDH for keys with timeout 0 is not currently supported");
        }

        /**
         * Returns the crypto object to present to the biometric prompt before signing.
         *
         * <p>The first successful call fixes the signature algorithm; later calls return the
         * cached object regardless of {@code i}.
         *
         * @param i signature algorithm id understood by getSignatureAlgorithmName
         * @return {@code null} when the key has an authentication validity duration greater than
         *     zero, otherwise a crypto object wrapping a {@link Signature} initialised with the key
         * @throws IllegalArgumentException if the alias has no Keystore entry or the algorithm id
         *     is unsupported
         * @throws IllegalStateException if the key is not an Android Keystore key or the Keystore
         *     cannot be read
         */
        public BiometricPrompt.CryptoObject getCryptoObjectForSigning(int i) {
            BiometricPrompt.CryptoObject cached = this.mCryptoObjectForSigning;
            if (cached != null) {
                return cached;
            }
            try {
                PrivateKey signingKey = loadPrivateKey();
                if (hasAuthenticationTimeout(signingKey)) {
                    return null;
                }
                // mSignature is assigned before initSign() on purpose: the field keeps the same
                // value it had in the original statement order even if initSign() throws.
                this.mSignature = Signature.getInstance(AndroidKeystoreSecureArea.getSignatureAlgorithmName(i));
                this.mSignature.initSign(signingKey);
                this.mCryptoObjectForSigning = new BiometricPrompt.CryptoObject(this.mSignature);
                this.mSignatureAlgorithm = i;
                return this.mCryptoObjectForSigning;
            } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | UnrecoverableEntryException | CertificateException e) {
                throw new IllegalStateException("Unexpected exception", e);
            }
        }

        /** Loads the private-key handle for mAlias from the "AndroidKeyStore" provider. */
        private PrivateKey loadPrivateKey() throws IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException, CertificateException {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            KeyStore.Entry keyEntry = androidKeyStore.getEntry(this.mAlias, null);
            if (keyEntry == null) {
                throw new IllegalArgumentException("No entry for alias");
            }
            return ((KeyStore.PrivateKeyEntry) keyEntry).getPrivateKey();
        }

        /** Returns true when Keystore reports an authentication validity duration above zero seconds. */
        private static boolean hasAuthenticationTimeout(PrivateKey privateKey) throws NoSuchAlgorithmException, NoSuchProviderException {
            KeyFactory keyFactory = KeyFactory.getInstance(privateKey.getAlgorithm(), "AndroidKeyStore");
            try {
                android.security.keystore.KeyInfo keystoreInfo = (android.security.keystore.KeyInfo) keyFactory.getKeySpec(privateKey, android.security.keystore.KeyInfo.class);
                return keystoreInfo.getUserAuthenticationValidityDurationSeconds() > 0;
            } catch (InvalidKeySpecException e) {
                throw new IllegalStateException("Given key is not an Android Keystore key", e);
            }
        }
    }

    /**
     * Creates a secure area backed by the "AndroidKeyStore" provider.
     *
     * @param context application context; only stored by this constructor
     * @param storageEngine store used for per-key metadata
     */
    public AndroidKeystoreSecureArea(Context context, StorageEngine storageEngine) {
        this.mStorageEngine = storageEngine;
        this.mContext = context;
    }

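    /**
     * Registers a key that already exists in Android Keystore by recording metadata for it.
     *
     * <p>No key material is generated. The metadata is taken from {@code createKeySettings} as
     * given; nothing here compares it with the properties of the actual Keystore key, so values
     * such as "useStrongBox" or "userAuthenticationRequired" later reported by getKeyInfo are
     * only as accurate as the settings passed in.
     *
     * @param str alias of the existing Keystore key
     * @param createKeySettings settings to record for the key
     * @throws IllegalArgumentException if Keystore has no certificate chain for the alias
     * @throws IllegalStateException if the Keystore cannot be loaded or read
     */
    private void createFromExistingKey(String str, CreateKeySettings createKeySettings) {
        ArrayList<X509Certificate> chain = new ArrayList<>();
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            Certificate[] certificates = keyStore.getCertificateChain(str);
            // getCertificateChain returns null for an unknown alias; fail with a clear error
            // instead of a NullPointerException from the loop below.
            if (certificates == null) {
                throw new IllegalArgumentException("No certificate chain for alias");
            }
            for (Certificate certificate : certificates) {
                chain.add((X509Certificate) certificate);
            }
            saveKeyMetadata(str, createKeySettings, chain);
            Logger.d(TAG, "EC key with alias '" + str + "' transferred");
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalStateException("Error generating certificate chain", e);
        }
    }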

    /**
     * Maps a signature algorithm id to the JCA algorithm name used with {@code Signature.getInstance}.
     *
     * @param i algorithm id: -7, {@code SecureArea.ALGORITHM_ES384} (-35) or
     *     {@code SecureArea.ALGORITHM_ES512} (-36); the values match the COSE ids for ES256/ES384/ES512
     * @return "SHA256withECDSA", "SHA384withECDSA" or "SHA512withECDSA"
     * @throws IllegalArgumentException for any other id
     */
    static String getSignatureAlgorithmName(int i) {
        if (i == -7) {
            return "SHA256withECDSA";
        }
        if (i == SecureArea.ALGORITHM_ES384) {
            return "SHA384withECDSA";
        }
        if (i == SecureArea.ALGORITHM_ES512) {
            return "SHA512withECDSA";
        }
        throw new IllegalArgumentException("Unsupported signing algorithm with id " + i);
    }

    /**
     * Serialises the key's settings and certificate chain to CBOR and stores the result under
     * {@code PREFIX + alias}.
     *
     * <p>Stored fields: curve, keyPurposes, attestKeyAlias (only when non-null),
     * userAuthenticationRequired, userAuthenticationTimeoutMillis, useStrongBox and the
     * DER-encoded attestation chain. The user-authentication type and the validity window are
     * not written here.
     *
     * @param str key alias
     * @param createKeySettings settings whose values are recorded
     * @param list certificate chain to record
     * @throws IllegalStateException if a certificate cannot be encoded
     */
    private void saveKeyMetadata(String str, CreateKeySettings createKeySettings, List<X509Certificate> list) {
        CborBuilder root = new CborBuilder();
        MapBuilder<CborBuilder> metadata = root.addMap();
        metadata.put("curve", createKeySettings.getEcCurve());
        metadata.put("keyPurposes", createKeySettings.getKeyPurposes());
        String attestKeyAlias = createKeySettings.getAttestKeyAlias();
        if (attestKeyAlias != null) {
            metadata.put("attestKeyAlias", attestKeyAlias);
        }
        metadata.put("userAuthenticationRequired", createKeySettings.getUserAuthenticationRequired());
        metadata.put("userAuthenticationTimeoutMillis", createKeySettings.getUserAuthenticationTimeoutMillis());
        metadata.put("useStrongBox", createKeySettings.getUseStrongBox());
        ArrayBuilder<MapBuilder<CborBuilder>> chain = metadata.putArray("attestation");
        for (X509Certificate certificate : list) {
            try {
                chain.add(certificate.getEncoded());
            } catch (CertificateEncodingException e) {
                throw new IllegalStateException("Error encoding certificate chain", e);
            }
        }
        chain.end();
        String storageKey = PREFIX + str;
        byte[] encoded = Util.cborEncode(root.build().get(0));
        this.mStorageEngine.put(storageKey, encoded);
    }

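    /**
     * Generates an EC key pair in Android Keystore under the given alias and records its metadata,
     * or registers an existing key when the settings name one.
     *
     * @param str alias for the new key
     * @param createKeySettings must be an AndroidKeystoreSecureArea.CreateKeySettings
     * @throws IllegalArgumentException if the purposes or curve are unsupported on this device, a
     *     curve is combined with a purpose it does not support, or a validity start is set
     *     without a validity end
     * @throws IllegalStateException if the Keystore provider fails while generating the key or
     *     reading back its certificate chain
     */
    @Override // com.android.identity.securearea.SecureArea
    public void createKey(String str, SecureArea.CreateKeySettings createKeySettings) {
        CreateKeySettings settings = (CreateKeySettings) createKeySettings;
        if (settings.getExistingKeyAlias() != null) {
            // NOTE(review): on this path the alias argument is not used; the metadata is stored
            // under the existing key's alias. Confirm that this is intended.
            createFromExistingKey(settings.getExistingKeyAlias(), settings);
            return;
        }
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC", "AndroidKeyStore");
            // Translate the purpose bits into Keystore purposes: 4 is KeyProperties.PURPOSE_SIGN,
            // 64 is KeyProperties.PURPOSE_AGREE_KEY.
            int keystorePurposes = 0;
            if ((settings.getKeyPurposes() & 1) != 0) {
                keystorePurposes |= 4;
            }
            if ((settings.getKeyPurposes() & 2) != 0) {
                if (Build.VERSION.SDK_INT < 31) {
                    throw new IllegalArgumentException("PURPOSE_AGREE_KEY not supported on this device");
                }
                keystorePurposes |= 64;
            }
            KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder(str, keystorePurposes);
            switch (settings.getEcCurve()) {
                case 1:
                    builder.setDigests("SHA-256");
                    break;
                case 4:
                    if (settings.getKeyPurposes() != 2) {
                        throw new IllegalArgumentException("Curve X25519 only works with KEY_PURPOSE_AGREE_KEY");
                    }
                    builder.setAlgorithmParameterSpec(new ECGenParameterSpec("x25519"));
                    break;
                case 6:
                    if (settings.getKeyPurposes() != 1) {
                        throw new IllegalArgumentException("Curve Ed25519 only works with KEY_PURPOSE_SIGN");
                    }
                    builder.setAlgorithmParameterSpec(new ECGenParameterSpec("ed25519"));
                    break;
                default:
                    throw new IllegalArgumentException("Curve is not supported");
            }
            if (settings.getUserAuthenticationRequired()) {
                builder.setUserAuthenticationRequired(true);
                long timeoutMillis = settings.getUserAuthenticationTimeoutMillis();
                // Whole seconds, at least 1, clamped so that a very large timeout cannot wrap
                // around in the narrowing cast to int.
                int timeoutSeconds = (int) Math.min((long) Integer.MAX_VALUE, Math.max(1L, timeoutMillis / 1000));
                if (Build.VERSION.SDK_INT >= 30) {
                    int requestedTypes = settings.getUserAuthenticationType();
                    // 1 is KeyProperties.AUTH_DEVICE_CREDENTIAL, 2 is KeyProperties.AUTH_BIOMETRIC_STRONG.
                    int keystoreAuthTypes = 0;
                    if ((requestedTypes & 1) != 0) {
                        keystoreAuthTypes |= 1;
                    }
                    if ((requestedTypes & 2) != 0) {
                        keystoreAuthTypes |= 2;
                    }
                    // A timeout of 0 asks Keystore for authentication on every use of the key.
                    builder.setUserAuthenticationParameters(timeoutMillis == 0 ? 0 : timeoutSeconds, keystoreAuthTypes);
                } else {
                    // Before API 30 the "authenticate on every use" mode is expressed as -1.
                    builder.setUserAuthenticationValidityDurationSeconds(timeoutMillis == 0 ? -1 : timeoutSeconds);
                }
                // The key stays usable after new biometrics are enrolled, so a biometric enrolled
                // later can also authorise it.
                builder.setInvalidatedByBiometricEnrollment(false);
            }
            if (settings.getUseStrongBox()) {
                if (Build.VERSION.SDK_INT >= 28) {
                    builder.setIsStrongBoxBacked(true);
                } else {
                    // NOTE(review): the request cannot be honoured here, yet saveKeyMetadata still
                    // records useStrongBox=true and getKeyInfo reports that stored value.
                    Logger.w(TAG, "StrongBox requested but not available below API level 28; key will not be StrongBox-backed");
                }
            }
            if (settings.getAttestKeyAlias() != null) {
                if (Build.VERSION.SDK_INT >= 31) {
                    builder.setAttestKeyAlias(settings.getAttestKeyAlias());
                } else {
                    // The alias is still written to the metadata by saveKeyMetadata.
                    Logger.w(TAG, "Attest key alias given but not supported below API level 31; ignoring it");
                }
            }
            // The challenge is embedded in the attestation certificate; passing null requests no attestation.
            builder.setAttestationChallenge(settings.getAttestationChallenge());
            if (settings.getValidFrom() != null) {
                if (settings.getValidUntil() == null) {
                    throw new IllegalArgumentException("validUntil must be set when validFrom is set");
                }
                Date notBefore = new Date(settings.getValidFrom().toEpochMilli());
                Date notAfter = new Date(settings.getValidUntil().toEpochMilli());
                builder.setKeyValidityStart(notBefore);
                builder.setCertificateNotBefore(notBefore);
                builder.setKeyValidityEnd(notAfter);
                builder.setCertificateNotAfter(notAfter);
            }
            try {
                keyPairGenerator.initialize(builder.build());
                keyPairGenerator.generateKeyPair();
                ArrayList<X509Certificate> chain = new ArrayList<>();
                try {
                    KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                    keyStore.load(null);
                    for (Certificate certificate : keyStore.getCertificateChain(str)) {
                        chain.add((X509Certificate) certificate);
                    }
                    Logger.d(TAG, "EC key with alias '" + str + "' created");
                    saveKeyMetadata(str, settings, chain);
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                    throw new IllegalStateException("Error generate certificate chain", e);
                }
            } catch (InvalidAlgorithmParameterException e) {
                throw new IllegalStateException("Unexpected exception", e);
            }
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            throw new IllegalStateException("Error creating key", e);
        }
    }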

    /**
     * Removes the key from Android Keystore and deletes its stored metadata.
     *
     * <p>If Keystore has no entry for the alias, a warning is logged and nothing else happens;
     * in particular any metadata stored under {@code PREFIX + alias} is left in place.
     *
     * @param str alias of the key to delete
     * @throws IllegalStateException if the Keystore cannot be loaded or modified
     */
    @Override // com.android.identity.securearea.SecureArea
    public void deleteKey(String str) {
        try {
            KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
            androidKeyStore.load(null);
            if (androidKeyStore.containsAlias(str)) {
                androidKeyStore.deleteEntry(str);
                this.mStorageEngine.delete(PREFIX + str);
                Logger.d(TAG, "EC key with alias '" + str + "' deleted");
            } else {
                Logger.w(TAG, "Key with alias '" + str + "' doesn't exist");
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalStateException("Error loading keystore", e);
        }
    }

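    /**
     * Returns information about the key with the given alias.
     *
     * <p>The result combines two sources. From Android Keystore: whether the key is inside secure
     * hardware, the validity window and, on API 30+, the user-authentication type. From the CBOR
     * metadata written by saveKeyMetadata: curve, purposes, the user-authentication flag and
     * timeout, the StrongBox flag, the attest key alias and the attestation chain. The
     * metadata-derived values therefore reflect what was recorded at creation time rather than
     * what Keystore reports for the key.
     *
     * <p>This version replaces the decompiler's nested catch blocks, which referenced an
     * undeclared variable and left the outer handler without a throw, with a single handler of
     * the same meaning.
     *
     * @param str key alias
     * @return the key information
     * @throws IllegalArgumentException if Keystore or the metadata store has no entry for the alias
     * @throws IllegalStateException if the stored metadata is malformed or the Keystore cannot be read
     */
    @Override // com.android.identity.securearea.SecureArea
    public KeyInfo getKeyInfo(String str) {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            if (entry == null) {
                throw new IllegalArgumentException("No entry for alias");
            }
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            KeyFactory keyFactory = KeyFactory.getInstance(privateKey.getAlgorithm(), "AndroidKeyStore");
            android.security.keystore.KeyInfo keystoreInfo = (android.security.keystore.KeyInfo) keyFactory.getKeySpec(privateKey, android.security.keystore.KeyInfo.class);
            byte[] encodedMetadata = this.mStorageEngine.get(PREFIX + str);
            if (encodedMetadata == null) {
                throw new IllegalArgumentException("No key with given alias");
            }
            try {
                List<DataItem> items = new CborDecoder(new ByteArrayInputStream(encodedMetadata)).decode();
                if (items.size() != 1) {
                    throw new IllegalStateException("Expected 1 item, found " + items.size());
                }
                if (!(items.get(0) instanceof Map)) {
                    throw new IllegalStateException("Item is not a map");
                }
                Map map = (Map) items.get(0);
                int ecCurve = (int) Util.cborMapExtractNumber(map, "curve");
                int keyPurposes = (int) Util.cborMapExtractNumber(map, "keyPurposes");
                boolean userAuthenticationRequired = Util.cborMapExtractBoolean(map, "userAuthenticationRequired");
                long userAuthenticationTimeoutMillis = Util.cborMapExtractNumber(map, "userAuthenticationTimeoutMillis");
                // Taken from the stored metadata, i.e. the value requested when the key was created.
                boolean useStrongBox = Util.cborMapExtractBoolean(map, "useStrongBox");
                String attestKeyAlias = Util.cborMapHasKey(map, "attestKeyAlias") ? Util.cborMapExtractString(map, "attestKeyAlias") : null;
                boolean insideSecureHardware = keystoreInfo.isInsideSecureHardware();
                Timestamp validFrom = keystoreInfo.getKeyValidityStart() != null ? Timestamp.ofEpochMilli(keystoreInfo.getKeyValidityStart().getTime()) : null;
                Timestamp validUntil = keystoreInfo.getKeyValidityForOriginationEnd() != null ? Timestamp.ofEpochMilli(keystoreInfo.getKeyValidityForOriginationEnd().getTime()) : null;
                DataItem attestation = map.get(new UnicodeString("attestation"));
                if (!(attestation instanceof Array)) {
                    throw new IllegalStateException("attestation not found or not array");
                }
                List<X509Certificate> chain = new ArrayList<>();
                for (DataItem element : ((Array) attestation).getDataItems()) {
                    // Reject a malformed entry explicitly instead of failing with a ClassCastException.
                    if (!(element instanceof ByteString)) {
                        throw new IllegalStateException("attestation entry is not a byte string");
                    }
                    try {
                        chain.add((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(((ByteString) element).getBytes())));
                    } catch (CertificateException e) {
                        throw new IllegalStateException("Error decoding certificate blob", e);
                    }
                }
                // Below API 30 the type cannot be queried, so LSKF|BIOMETRIC (1 | 2) is reported.
                int userAuthenticationType = 3;
                if (Build.VERSION.SDK_INT >= 30) {
                    int keystoreAuthTypes = keystoreInfo.getUserAuthenticationType();
                    userAuthenticationType = 0;
                    if ((keystoreAuthTypes & 1) != 0) {
                        userAuthenticationType |= 1;
                    }
                    if ((keystoreAuthTypes & 2) != 0) {
                        userAuthenticationType |= 2;
                    }
                }
                return new KeyInfo(chain, keyPurposes, ecCurve, insideSecureHardware, attestKeyAlias, userAuthenticationRequired, userAuthenticationTimeoutMillis, userAuthenticationType, useStrongBox, validFrom, validUntil);
            } catch (CborException e) {
                throw new IllegalStateException("Error decoded CBOR", e);
            }
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | UnrecoverableEntryException | CertificateException | InvalidKeySpecException e) {
            throw new IllegalStateException("Unexpected exception", e);
        }
    }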

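    /**
     * Performs ECDH between the Keystore key with the given alias and a peer public key.
     *
     * <p>The return value is the raw output of {@code KeyAgreement.generateSecret()}; deriving
     * session keys from it is left to the caller. The {@code keyUnlockData} argument is not used
     * by this method.
     *
     * <p>This version replaces the decompiler's per-exception handlers, which referenced an
     * undeclared variable, with one multi-catch of the same meaning, and no longer fails with a
     * NullPointerException when a ProviderException's cause has no message.
     *
     * @param str alias of the private key
     * @param publicKey the other party's public key
     * @param keyUnlockData unused
     * @return the shared secret
     * @throws SecureArea.KeyLockedException if the key requires user authentication that has not
     *     been performed
     * @throws IllegalArgumentException if the alias has no entry or the key lacks the key-agreement purpose
     * @throws IllegalStateException on any other Keystore failure
     */
    @Override // com.android.identity.securearea.SecureArea
    public byte[] keyAgreement(String str, PublicKey publicKey, SecureArea.KeyUnlockData keyUnlockData) throws SecureArea.KeyLockedException {
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(str, null);
            if (entry == null) {
                throw new IllegalArgumentException("No entry for alias");
            }
            PrivateKey privateKey = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH", "AndroidKeyStore");
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(publicKey, true);
            return keyAgreement.generateSecret();
        } catch (UserNotAuthenticatedException e) {
            // Must precede InvalidKeyException, of which it is a subclass.
            throw new SecureArea.KeyLockedException("User not authenticated", e);
        } catch (InvalidKeyException e) {
            throw new IllegalArgumentException("Key does not have purpose KEY_PURPOSE_AGREE_KEY", e);
        } catch (ProviderException e) {
            // The provider reports a missing authentication only through the cause's message text.
            Throwable cause = e.getCause();
            String causeMessage = cause != null ? cause.getMessage() : null;
            if (causeMessage != null && causeMessage.startsWith("Key user not authenticated")) {
                throw new SecureArea.KeyLockedException("User not authenticated", e);
            }
            throw new IllegalStateException("Unexpected exception while doing key agreement", e);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException | UnrecoverableEntryException | CertificateException e) {
            throw new IllegalStateException("Unexpected exception while doing key agreement", e);
        }
    }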

    /* JADX WARN: Removed duplicated region for block: B:34:0x00b0  */
    /**
     * Signs {@code r9} with the Android Keystore key stored under alias {@code r7}.
     *
     * <p>JADX could not rebuild this method. The only compilable statement is the trailing
     * {@code throw new UnsupportedOperationException(...)}; the real logic survives only in the
     * register-level dump inside the body comment. Everything below is read from that dump,
     * not from executable Java.
     *
     * <p>Unlock-data path ({@code r10 != null}):
     * <ul>
     *   <li>{@code r10} is cast to {@code AndroidKeystoreSecureArea.KeyUnlockData} with no
     *       {@code instanceof} check, so another {@code SecureArea.KeyUnlockData}
     *       implementation would raise {@code ClassCastException}.</li>
     *   <li>The alias held by the unlock data (synthetic accessor {@code access$000}) must
     *       equal {@code r7}; otherwise {@code IllegalArgumentException} is thrown.</li>
     *   <li>If the unlock data holds no {@code Signature} ({@code access$100} returns null),
     *       control jumps to the keystore path exactly as if {@code r10} were null.</li>
     *   <li>The algorithm held by the unlock data ({@code access$200}) must equal {@code r8};
     *       otherwise {@code IllegalArgumentException} is thrown.</li>
     *   <li>The held {@code Signature} (presumably initialised and user-authorised elsewhere;
     *       confirm against {@code KeyUnlockData}) is fed {@code r9} and asked to sign. Any
     *       {@code SignatureException} on this path becomes {@code IllegalStateException};
     *       unlike the keystore path, it is never mapped to {@code KeyLockedException}.</li>
     * </ul>
     *
     * <p>Keystore path: loads the {@code "AndroidKeyStore"} provider, fetches the entry for
     * {@code r7}, casts it to {@code KeyStore.PrivateKeyEntry}, and signs {@code r9} with a
     * {@code Signature} obtained from {@code getSignatureAlgorithmName(r8)}. A missing entry
     * raises {@code IllegalArgumentException("No entry for alias")}.
     *
     * <p>NOTE(review): the locked-key check on {@code SignatureException} matches the message
     * prefix {@code "android.security.KeyStoreException: Key user not authenticated"}.
     * {@code getMessage()} is dereferenced without a null check, and a message that does not
     * match is reported as {@code IllegalStateException} rather than {@code KeyLockedException}.
     * Callers that rely on {@code KeyLockedException} to trigger re-authentication should be
     * tested against the platform versions they target.
     *
     * <p>NOTE(review): {@code UserNotAuthenticatedException} is a subclass of
     * {@code InvalidKeyException}, and the dump lists the {@code InvalidKeyException} handler
     * (L98) before the {@code UserNotAuthenticatedException} handler (Lcb). Confirm against
     * the bytecode's exception table which handler actually receives a locked-key failure.
     *
     * @param r7 key alias
     * @param r8 signature algorithm identifier, translated by {@code getSignatureAlgorithmName}
     * @param r9 bytes to sign
     * @param r10 optional unlock data; may be null
     * @return in the original bytecode, the bytes returned by {@code Signature.sign()}; this
     *     decompiled form never returns
     * @throws com.android.identity.securearea.SecureArea.KeyLockedException in the original
     *     bytecode, when the keystore reports that the user is not authenticated
     * @throws IllegalArgumentException in the original bytecode, on alias or algorithm mismatch
     *     with the unlock data, a missing keystore entry, or {@code InvalidKeyException}
     *     (reported as "Key does not have purpose KEY_PURPOSE_SIGN")
     * @throws IllegalStateException in the original bytecode, for any other keystore or
     *     signature failure
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    @Override // com.android.identity.securearea.SecureArea
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public byte[] sign(java.lang.String r7, int r8, byte[] r9, com.android.identity.securearea.SecureArea.KeyUnlockData r10) throws com.android.identity.securearea.SecureArea.KeyLockedException {
        /*
            r6 = this;
            java.lang.String r0 = "User not authenticated"
            java.lang.String r1 = "Unexpected exception while signing"
            if (r10 == 0) goto L66
            r2 = r10
            com.android.identity.android.securearea.AndroidKeystoreSecureArea$KeyUnlockData r2 = (com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData) r2
            java.lang.String r3 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$000(r2)
            boolean r3 = r3.equals(r7)
            if (r3 == 0) goto L52
            java.security.Signature r3 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$100(r2)
            if (r3 == 0) goto L66
            int r0 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$200(r2)
            if (r0 != r8) goto L36
            java.security.Signature r0 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$100(r2)     // Catch: java.security.SignatureException -> L2f
            r0.update(r9)     // Catch: java.security.SignatureException -> L2f
            java.security.Signature r0 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$100(r2)     // Catch: java.security.SignatureException -> L2f
            byte[] r0 = r0.sign()     // Catch: java.security.SignatureException -> L2f
            return r0
        L2f:
            r0 = move-exception
            java.lang.IllegalStateException r3 = new java.lang.IllegalStateException
            r3.<init>(r1, r0)
            throw r3
        L36:
            java.lang.IllegalArgumentException r0 = new java.lang.IllegalArgumentException
            int r1 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$200(r2)
            java.lang.Integer r1 = java.lang.Integer.valueOf(r1)
            java.lang.Integer r3 = java.lang.Integer.valueOf(r8)
            java.lang.Object[] r1 = new java.lang.Object[]{r1, r3}
            java.lang.String r3 = "keyUnlockData has signature algorithm %d which differs from passed-in algorithm %d"
            java.lang.String r1 = java.lang.String.format(r3, r1)
            r0.<init>(r1)
            throw r0
        L52:
            java.lang.IllegalArgumentException r0 = new java.lang.IllegalArgumentException
            java.lang.String r1 = com.android.identity.android.securearea.AndroidKeystoreSecureArea.KeyUnlockData.access$000(r2)
            java.lang.Object[] r1 = new java.lang.Object[]{r1, r7}
            java.lang.String r3 = "keyUnlockData has alias %s which differs from passed-in alias %s"
            java.lang.String r1 = java.lang.String.format(r3, r1)
            r0.<init>(r1)
            throw r0
        L66:
            java.lang.String r2 = "AndroidKeyStore"
            java.security.KeyStore r2 = java.security.KeyStore.getInstance(r2)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            r3 = 0
            r2.load(r3)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            java.security.KeyStore$Entry r3 = r2.getEntry(r7, r3)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            if (r3 == 0) goto L90
            r4 = r3
            java.security.KeyStore$PrivateKeyEntry r4 = (java.security.KeyStore.PrivateKeyEntry) r4     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            java.security.PrivateKey r4 = r4.getPrivateKey()     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            java.lang.String r5 = getSignatureAlgorithmName(r8)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            java.security.Signature r5 = java.security.Signature.getInstance(r5)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            r5.initSign(r4)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            r5.update(r9)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            byte[] r0 = r5.sign()     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            return r0
        L90:
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            java.lang.String r5 = "No entry for alias"
            r4.<init>(r5)     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
            throw r4     // Catch: java.security.InvalidKeyException -> L98 java.security.SignatureException -> La1 java.security.NoSuchAlgorithmException -> La3 java.io.IOException -> La5 java.security.KeyStoreException -> La7 java.security.cert.CertificateException -> La9 java.security.UnrecoverableEntryException -> Lab android.security.keystore.UserNotAuthenticatedException -> Lcb
        L98:
            r0 = move-exception
            java.lang.IllegalArgumentException r1 = new java.lang.IllegalArgumentException
            java.lang.String r2 = "Key does not have purpose KEY_PURPOSE_SIGN"
            r1.<init>(r2, r0)
            throw r1
        La1:
            r2 = move-exception
            goto Lac
        La3:
            r2 = move-exception
            goto Lac
        La5:
            r2 = move-exception
            goto Lac
        La7:
            r2 = move-exception
            goto Lac
        La9:
            r2 = move-exception
            goto Lac
        Lab:
            r2 = move-exception
        Lac:
            boolean r3 = r2 instanceof java.security.SignatureException
            if (r3 == 0) goto Lc5
            r3 = r2
            java.security.SignatureException r3 = (java.security.SignatureException) r3
            java.lang.String r3 = r3.getMessage()
            java.lang.String r4 = "android.security.KeyStoreException: Key user not authenticated"
            boolean r3 = r3.startsWith(r4)
            if (r3 == 0) goto Lc5
            com.android.identity.securearea.SecureArea$KeyLockedException r1 = new com.android.identity.securearea.SecureArea$KeyLockedException
            r1.<init>(r0, r2)
            throw r1
        Lc5:
            java.lang.IllegalStateException r0 = new java.lang.IllegalStateException
            r0.<init>(r1, r2)
            throw r0
        Lcb:
            r1 = move-exception
            com.android.identity.securearea.SecureArea$KeyLockedException r2 = new com.android.identity.securearea.SecureArea$KeyLockedException
            r2.<init>(r0, r1)
            throw r2
        */
        // Decompiler stub: in this listing sign() always throws; the dump above is the only
        // record of the method's real behaviour.
        throw new UnsupportedOperationException("Method not decompiled: com.android.identity.android.securearea.AndroidKeystoreSecureArea.sign(java.lang.String, int, byte[], com.android.identity.securearea.SecureArea$KeyUnlockData):byte[]");
    }
}
