package com.cisco.anyconnect.vpn.android.crypto;

import android.app.KeyguardManager;
import android.content.Context;
import android.os.Build;
import android.security.keystore.KeyProtection;
import com.cisco.anyconnect.vpn.android.util.AppLog;
import java.security.Key;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes.dex */
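/**
 * Client-certificate store backed by the {@code "AndroidKeyStore"} keystore type.
 *
 * <p>Private keys imported through {@link #importPrivateKey} are stored with
 * user authentication required, and the import is refused when the device has
 * no secure lock screen. Entries whose key can no longer be recovered are
 * deleted by {@link #getPrivateKey} and dropped from {@link #getClientCerts}.
 *
 * <p>No synchronization is performed in this class; thread-safety, if any, has
 * to come from the superclass or the caller.
 */
public class AndroidKeyStore extends KsCertStore {
    private static final String ENTITY_NAME = "AndroidKeyStore";
    private final Context mContext;

    /**
     * Creates the store.
     *
     * @param str     forwarded unchanged as the first argument of the superclass constructor
     * @param context used in {@link #importPrivateKey} to query the keyguard service
     * @throws CertStoreException if the superclass constructor fails
     */
    public AndroidKeyStore(String str, Context context) throws CertStoreException {
        // The last two superclass arguments are null.
        // NOTE(review): presumably keystore/key passwords, which this store does not use - confirm in KsCertStore.
        super(str, ENTITY_NAME, null, null);
        this.mContext = context;
    }

    /**
     * Returns the superclass's client certificates, minus every entry whose
     * private key lookup throws {@link UnrecoverableKeyException}.
     *
     * <p>Side effect: {@link #getPrivateKey} is called for every alias, and it
     * deletes the certificate from the store before rethrowing that exception.
     *
     * @return the list returned by the superclass, filtered in place
     * @throws CertStoreException propagated from the superclass or from {@link #getPrivateKey}
     */
    @Override // com.cisco.anyconnect.vpn.android.crypto.KsCertStore, com.cisco.anyconnect.vpn.android.crypto.ClientCertStoreBase
    public List<CertificateInfo> getClientCerts() throws CertStoreException {
        List<CertificateInfo> clientCerts = super.getClientCerts();
        // Remove through the iterator: calling List.remove() inside a for-each
        // loop raises ConcurrentModificationException on the next iteration (or
        // silently skips the last element), so unusable entries could abort the
        // whole listing instead of being filtered out.
        Iterator<CertificateInfo> it = clientCerts.iterator();
        while (it.hasNext()) {
            CertificateInfo certificateInfo = it.next();
            try {
                getPrivateKey(certificateInfo.getAlias());
            } catch (UnrecoverableKeyException unused) {
                AppLog.error(this, "getClientCerts() UnrecoverableKeyException, removing " + certificateInfo.getAlias() + " from list of client certs");
                it.remove();
            }
        }
        return clientCerts;
    }

    /**
     * Looks up the private key that belongs to a certificate alias.
     *
     * @param str certificate alias
     * @return the private key, or {@code null} if the keystore could not be
     *     loaded, no key alias maps to {@code str}, or an unexpected exception
     *     occurred (which is logged and swallowed)
     * @throws CertStoreException propagated from {@link #loadKeystore()}
     * @throws UnrecoverableKeyException if the keystore cannot recover the key;
     *     the certificate has already been deleted when this is thrown
     */
    @Override // com.cisco.anyconnect.vpn.android.crypto.KsCertStore, com.cisco.anyconnect.vpn.android.crypto.ClientCertStoreBase
    public PrivateKey getPrivateKey(String str) throws CertStoreException, UnrecoverableKeyException {
        if (!loadKeystore()) {
            return null;
        }
        try {
            String keyAliasForCertAlias = getKeyAliasForCertAlias(str);
            if (keyAliasForCertAlias == null) {
                return null;
            }
            return (PrivateKey) this.mKeyStore.getKey(keyAliasForCertAlias, this.mKeyPass);
        } catch (UnrecoverableKeyException e) {
            // Destructive: the entry is deleted on every UnrecoverableKeyException.
            // NOTE(review): the log text assumes permanent invalidation (for example after
            // the secure lock screen was removed); confirm that a transient keystore
            // failure cannot surface as this exception type and cost the user the credential.
            AppLog.warn(this, "Key " + str + " was invalidated, deleting");
            deleteCert(str);
            throw e;
        } catch (Exception e2) {
            // Any other failure is reported to the caller as "no key".
            AppLog.error(this, "Unexpected exception in getPrivateKey", e2);
            return null;
        }
    }

    /**
     * Imports a private key and its certificate chain, protected by user authentication.
     *
     * <p>The import is only attempted when {@code z} is true and the platform
     * is API level 23 or newer; otherwise the method returns {@code null}
     * without storing anything.
     * NOTE(review): {@code z} looks like a "require user authentication" flag,
     * with unprotected imports handled by a different store - confirm against the caller.
     *
     * @param key            key to import; cast to {@link PrivateKey}
     * @param certificateArr certificate chain for the key, must be non-empty
     * @param z              the import is skipped unless this is true
     * @return the key alias the entry was stored under, or {@code null} if the
     *     import was skipped
     * @throws CertStoreException if the chain is null or empty, the device has
     *     no secure lock screen, or any step of the import fails
     */
    @Override // com.cisco.anyconnect.vpn.android.crypto.KsCertStore, com.cisco.anyconnect.vpn.android.crypto.ClientCertStoreBase
    public String importPrivateKey(Key key, Certificate[] certificateArr, boolean z) throws CertStoreException {
        if (!loadKeystore() || !z || Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return null;
        }
        if (certificateArr == null || certificateArr.length == 0) {
            throw new CertStoreException("empty certificate chain");
        }
        try {
            String keyAliasForCertAlias = getKeyAliasForCertAlias(getCertAliasForImport(certificateArr));
            // Purposes 5 == KeyProperties.PURPOSE_ENCRYPT (1) | KeyProperties.PURPOSE_SIGN (4).
            // NOTE(review): PURPOSE_DECRYPT (2) is not set although this is a private key - confirm intended.
            // Digest "NONE" means the keystore signs the bytes it is given without hashing
            // them, so the caller is responsible for the digest and its encoding.
            KeyProtection.Builder protection = new KeyProtection.Builder(5)
                    .setBlockModes("ECB")
                    .setDigests("NONE")
                    .setEncryptionPaddings("PKCS1Padding")
                    .setSignaturePaddings("PKCS1")
                    .setUserAuthenticationRequired(true);
            KeyStore.PrivateKeyEntry privateKeyEntry = new KeyStore.PrivateKeyEntry((PrivateKey) key, certificateArr);
            // An authentication-bound key needs a secure lock screen. This exception is
            // caught by the handler below, so callers see "importPrivateKey failed" with
            // this message on the cause.
            if (!((KeyguardManager) this.mContext.getSystemService(Context.KEYGUARD_SERVICE)).isDeviceSecure()) {
                throw new CertStoreException("Can't import cert - no screen lock");
            }
            // The key stays usable for 5 seconds after the user last authenticated.
            // NOTE(review): this setter is deprecated from API 30 in favour of
            // setUserAuthenticationParameters(int, int).
            protection.setUserAuthenticationValidityDurationSeconds(5);
            this.mKeyStore.setEntry(keyAliasForCertAlias, privateKeyEntry, protection.build());
            AppLog.logDebugMessage(AppLog.Severity.DBG_INFO, ENTITY_NAME, "Importing cert requiring user authentication");
            return keyAliasForCertAlias;
        } catch (Exception e) {
            throw new CertStoreException("importPrivateKey failed", e);
        }
    }

    /**
     * Lazily creates and loads the keystore instance.
     *
     * @return {@code true} if the keystore is available, {@code false} if
     *     loading failed with {@link NoSuchAlgorithmException}
     * @throws CertStoreException wrapping any other failure
     */
    @Override // com.cisco.anyconnect.vpn.android.crypto.KsCertStore
    protected boolean loadKeystore() throws CertStoreException {
        if (this.mKeyStore != null) {
            return true;
        }
        try {
            this.mKeyStore = KeyStore.getInstance(this.mType);
            // No stream or password: load(null) is all this store passes.
            this.mKeyStore.load(null);
            return true;
        } catch (NoSuchAlgorithmException unused) {
            AppLog.error(this, "Failed to load AndroidKeyStore");
            // Reset so that a later call retries instead of using a half-initialised instance.
            this.mKeyStore = null;
            return false;
        } catch (Exception e) {
            this.mKeyStore = null;
            throw new CertStoreException(e);
        }
    }

    /**
     * Intentionally empty.
     * NOTE(review): presumably because the AndroidKeyStore provider persists
     * entries itself, so there is no file to write - confirm against KsCertStore.
     */
    @Override // com.cisco.anyconnect.vpn.android.crypto.KsCertStore
    protected void saveKeyStore() throws CertStoreException {
    }
}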
