package com.google.crypto.tink.e.a;

import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import com.google.crypto.tink.n;
import com.google.crypto.tink.subtle.al;
import com.google.crypto.tink.subtle.ar;
import com.networkbench.agent.impl.harvest.HarvestConfiguration;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Locale;
import javax.crypto.KeyGenerator;

/* compiled from: AndroidKeystoreKmsClient.java */
/* loaded from: classes.dex */
/**
 * Client that hands out keystore-backed crypto primitives for key URIs starting with
 * {@code android-keystore://}.
 *
 * <p>This is decompiled, name-obfuscated code (the decompiler header names the original file
 * {@code AndroidKeystoreKmsClient.java}). The interface {@code n} is presumably Tink's
 * {@code KmsClient} and {@code com.google.crypto.tink.a} presumably its {@code Aead};
 * confirm against a mapping file before relying on these names.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Keys created by {@link #bT(String)} set only key size, block mode and padding. User
 *       authentication, StrongBox backing and validity dates stay at platform defaults.</li>
 *   <li>{@link #bT(String)} checks for an existing alias and then generates the key as two
 *       separate steps, with no locking in this class.</li>
 *   <li>{@link a#a(KeyStore)} accepts any non-null {@link KeyStore}. It does not check that
 *       the store is of type {@code AndroidKeyStore}.</li>
 * </ul>
 */
public final class c implements n {
    private static final String TAG = "c";

    // Key store used for alias lookups and handed to the primitive built in bN().
    private final KeyStore atS;

    // URI this client is bound to, or null when it serves every android-keystore:// URI.
    // Nothing in this class assigns a non-null value (the builder field is always null).
    private final String atU;

    /* compiled from: AndroidKeystoreKmsClient.java */
    /* loaded from: classes.dex */
    /** Builder for {@link c}; starts out with the platform {@code AndroidKeyStore} loaded. */
    public static final class a {
        KeyStore atS;
        String atU = null;

        /**
         * Loads the {@code AndroidKeyStore} provider's key store.
         *
         * @throws IllegalStateException if the API level is below 23, or if obtaining or
         *     loading the key store fails (the checked cause is wrapped)
         */
        public a() {
            if (!c.xk()) {
                throw new IllegalStateException("need Android Keystore on Android M or newer");
            }
            try {
                KeyStore androidKeyStore = KeyStore.getInstance("AndroidKeyStore");
                androidKeyStore.load(null);
                this.atS = androidKeyStore;
            } catch (IOException | GeneralSecurityException cause) {
                throw new IllegalStateException(cause);
            }
        }

        /**
         * Replaces the key store the built client will use.
         *
         * <p>Only nullness is checked. The caller is responsible for passing a store with the
         * intended protection properties.
         *
         * @param keyStore replacement key store; must not be null
         * @return this builder
         * @throws IllegalArgumentException if {@code keyStore} is null
         */
        public a a(KeyStore keyStore) {
            if (keyStore != null) {
                this.atS = keyStore;
                return this;
            }
            throw new IllegalArgumentException("val cannot be null");
        }

        /** Builds the client from the current builder state. */
        public c xl() {
            return new c(this);
        }
    }

    /**
     * Creates an unbound client backed by the platform key store.
     *
     * <p>The builder constructor wraps its checked failures in {@link IllegalStateException},
     * so that is what callers see when the key store is unavailable, despite the declared
     * {@code throws} clause.
     */
    public c() throws GeneralSecurityException {
        this(new a());
    }

    private c(a aVar) {
        this.atS = aVar.atS;
        this.atU = aVar.atU;
    }

    /**
     * Round-trips a short probe through the primitive and rejects it if the result differs.
     *
     * <p>Per the error message, {@code c(...)} / {@code d(...)} are the encrypt / decrypt
     * calls, and {@code al.hD(10)} presumably yields 10 random bytes (obfuscated helper;
     * confirm). The probe uses an empty second argument (the "aad" of the error message)
     * only, so it does not show that non-empty associated data is handled correctly.
     *
     * @param aVar primitive to probe
     * @return {@code aVar} unchanged when the round trip reproduces the probe
     * @throws KeyStoreException if the round trip returns different bytes
     * @throws GeneralSecurityException propagated from the primitive itself
     */
    private static com.google.crypto.tink.a a(com.google.crypto.tink.a aVar) throws GeneralSecurityException {
        byte[] probe = al.hD(10);
        byte[] emptyAad = new byte[0];
        byte[] wrapped = aVar.c(probe, emptyAad);
        byte[] unwrapped = aVar.d(wrapped, emptyAad);
        if (!Arrays.equals(probe, unwrapped)) {
            throw new KeyStoreException("cannot use Android Keystore: encryption/decryption of non-empty message and empty aad returns an incorrect result");
        }
        return aVar;
    }

    /**
     * Generates a new AES key in the {@code AndroidKeyStore} provider for the given key URI.
     *
     * <p>The existence check always runs against a fresh default client, i.e. the platform
     * key store. The check and the generation are separate steps with no synchronization
     * here. Callers that can race on the same URI should serialize these calls themselves.
     * NOTE(review): confirm how the provider treats generation under an alias that already
     * exists.
     *
     * @param str key URI; passed through {@code ar.t("android-keystore://", ...)} to derive
     *     the alias (presumably validates and strips the prefix; confirm)
     * @throws IllegalArgumentException if a key for this URI already exists
     * @throws GeneralSecurityException on key store or key generation failure
     */
    public static void bT(String str) throws GeneralSecurityException {
        c defaultClient = new c();
        if (defaultClient.bS(str)) {
            throw new IllegalArgumentException(String.format("cannot generate a new key %s because it already exists; please delete it with deleteKey() and try again", str));
        }
        String alias = ar.t("android-keystore://", str);
        KeyGenerator generator = KeyGenerator.getInstance("AES", "AndroidKeyStore");
        // Purposes 3 == KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT (1 | 2).
        // NOTE(review): the key size comes from an unrelated third-party constant, which looks
        // like a decompiler constant-substitution artifact. Confirm it resolves to the intended
        // AES key size before reusing this code.
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, 3)
                .setKeySize(HarvestConfiguration.CDN_ENDBLED)
                .setBlockModes("GCM")
                .setEncryptionPaddings("NoPadding")
                .build();
        generator.init(spec);
        generator.generateKey();
    }

    /** Returns whether the device API level is at least 23 (Android M). */
    private static boolean xc() {
        return Build.VERSION.SDK_INT >= 23;
    }

    /** Compiler-generated accessor that lets the nested builder call {@link #xc()}. */
    static /* synthetic */ boolean xk() {
        return xc();
    }

    /**
     * Reports whether this client handles the given key URI.
     *
     * <p>A bound client accepts only an exact match of its URI. An unbound client accepts any
     * URI whose lower-cased ({@link Locale#US}) form starts with {@code android-keystore://},
     * so the prefix match is case-insensitive.
     *
     * @param str key URI; must not be null when the client is unbound
     * @return true if this client handles {@code str}
     */
    @Override // com.google.crypto.tink.n
    public boolean bM(String str) {
        String boundUri = this.atU;
        if (boundUri != null) {
            return boundUri.equals(str);
        }
        return str.toLowerCase(Locale.US).startsWith("android-keystore://");
    }

    /**
     * Returns the keystore-backed primitive for the given key URI after a round-trip probe.
     *
     * <p>This method does not call {@link #bM(String)}. For an unbound client, any prefix
     * validation happens inside {@code ar.t(...)} (obfuscated helper; confirm that it rejects
     * URIs without the expected prefix).
     *
     * @param str key URI
     * @return the probed primitive
     * @throws GeneralSecurityException if the client is bound to a different URI, or if
     *     construction or the probe fails
     */
    @Override // com.google.crypto.tink.n
    public com.google.crypto.tink.a bN(String str) throws GeneralSecurityException {
        String boundUri = this.atU;
        if (boundUri != null && !boundUri.equals(str)) {
            throw new GeneralSecurityException(String.format("this client is bound to %s, cannot load keys bound to %s", this.atU, str));
        }
        return a(new b(ar.t("android-keystore://", str), this.atS));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports whether this client's key store already holds an entry for the given key URI.
     *
     * @param str key URI, converted to an alias via {@code ar.t("android-keystore://", ...)}
     * @return true if the key store contains the derived alias
     * @throws GeneralSecurityException on key store failure
     */
    public boolean bS(String str) throws GeneralSecurityException {
        String alias = ar.t("android-keystore://", str);
        return this.atS.containsAlias(alias);
    }
}
