package com.google.crypto.tink.integration.android;

import android.security.keystore.KeyGenParameterSpec;
import com.google.crypto.tink.KmsClient;
import com.google.crypto.tink.subtle.Random;
import com.google.crypto.tink.subtle.Validators;
import com.linkedin.android.video.conferencing.view.BR;
import com.microsoft.did.sdk.util.Constants;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Locale;
import javax.crypto.KeyGenerator;

/* loaded from: classes.dex */
public final class AndroidKeystoreKmsClient implements KmsClient {
    public final KeyStore keyStore;

    /* loaded from: classes.dex */
    public static final class Builder {
        public KeyStore keyStore;

        public Builder() {
            this.keyStore = null;
            try {
                KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
                this.keyStore = keyStore;
                keyStore.load(null);
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    public AndroidKeystoreKmsClient() throws GeneralSecurityException {
        this(new Builder());
    }

    public AndroidKeystoreKmsClient(Builder builder) {
        this.keyStore = builder.keyStore;
    }

    public static void generateNewAeadKey(String str) throws GeneralSecurityException {
        if (new AndroidKeystoreKmsClient().keyStore.containsAlias(Validators.validateKmsKeyUriAndRemovePrefix(str))) {
            throw new IllegalArgumentException(String.format("cannot generate a new key %s because it already exists; please delete it with deleteKey() and try again", str));
        }
        String validateKmsKeyUriAndRemovePrefix = Validators.validateKmsKeyUriAndRemovePrefix(str);
        KeyGenerator keyGenerator = KeyGenerator.getInstance(Constants.AES_KEY, "AndroidKeyStore");
        keyGenerator.init(new KeyGenParameterSpec.Builder(validateKmsKeyUriAndRemovePrefix, 3).setKeySize(BR.learnMoreOnClick).setBlockModes("GCM").setEncryptionPaddings("NoPadding").build());
        keyGenerator.generateKey();
    }

    @Override // com.google.crypto.tink.KmsClient
    public final boolean doesSupport(String str) {
        return str.toLowerCase(Locale.US).startsWith("android-keystore://");
    }

    @Override // com.google.crypto.tink.KmsClient
    public final AndroidKeystoreAesGcm getAead(String str) throws GeneralSecurityException {
        AndroidKeystoreAesGcm androidKeystoreAesGcm = new AndroidKeystoreAesGcm(Validators.validateKmsKeyUriAndRemovePrefix(str), this.keyStore);
        byte[] randBytes = Random.randBytes(10);
        byte[] bArr = new byte[0];
        if (Arrays.equals(randBytes, androidKeystoreAesGcm.decrypt(androidKeystoreAesGcm.encrypt(randBytes, bArr), bArr))) {
            return androidKeystoreAesGcm;
        }
        throw new KeyStoreException("cannot use Android Keystore: encryption/decryption of non-empty message and empty aad returns an incorrect result");
    }
}
