package org.whispersystems.signalservice.api;

import java.io.IOException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.util.Locale;
import org.signal.libsignal.protocol.InvalidKeyException;
import org.signal.libsignal.protocol.logging.Log;
import org.whispersystems.signalservice.api.crypto.InvalidCiphertextException;
import org.whispersystems.signalservice.api.kbs.HashedPin;
import org.whispersystems.signalservice.api.kbs.KbsData;
import org.whispersystems.signalservice.api.kbs.MasterKey;
import org.whispersystems.signalservice.internal.contacts.crypto.KeyBackupCipher;
import org.whispersystems.signalservice.internal.contacts.crypto.Quote;
import org.whispersystems.signalservice.internal.contacts.crypto.RemoteAttestation;
import org.whispersystems.signalservice.internal.contacts.crypto.UnauthenticatedQuoteException;
import org.whispersystems.signalservice.internal.contacts.crypto.UnauthenticatedResponseException;
import org.whispersystems.signalservice.internal.contacts.entities.TokenResponse;
import org.whispersystems.signalservice.internal.keybackup.protos.BackupResponse;
import org.whispersystems.signalservice.internal.keybackup.protos.RestoreResponse;
import org.whispersystems.signalservice.internal.push.PushServiceSocket;
import org.whispersystems.signalservice.internal.push.RemoteAttestationUtil;
import org.whispersystems.signalservice.internal.util.Util;

/* loaded from: input_file:org/whispersystems/signalservice/api/KeyBackupService.class */
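/**
 * Client for the key backup service (KBS): stores, restores and deletes a master key
 * that is protected by a hashed PIN.
 *
 * <p>Every request that carries key material ({@code setPin}, {@code restorePin},
 * {@code removePin}) first fetches and verifies a fresh {@link RemoteAttestation} for the
 * configured enclave name and {@code mrenclave} value, and the request is built against
 * that attestation. Any attestation, signature or ciphertext failure is reported as an
 * {@link UnauthenticatedResponseException}, so callers should treat that exception as
 * "the peer could not be authenticated" and not use any data from the exchange.
 *
 * <p>Log statements in this class emit only response status values and try counters.
 * The authorization string, the hashed PIN and the master key must stay out of logs.
 */
public class KeyBackupService {
    private static final String TAG = KeyBackupService.class.getSimpleName();

    /** Upper bound on the attempts made by a single {@link RestoreSession#restorePin} call. */
    private static final int MAX_RESTORE_ATTEMPTS = 5;

    /** Base delay, in milliseconds, of the exponential backoff between restore attempts. */
    private static final int BASE_BACKOFF_MS = 250;

    // Passed unchanged to RemoteAttestationUtil; presumably the trust anchors used to
    // validate the attestation signature (confirm against RemoteAttestationUtil).
    private final KeyStore iasKeyStore;
    private final String enclaveName;
    // Stored by reference, not copied: callers must not mutate the array after construction.
    private final byte[] serviceId;
    // Expected enclave measurement handed to the attestation check.
    private final String mrenclave;
    private final PushServiceSocket pushServiceSocket;
    // Sent with every backup request and recorded as the try counter of the new token.
    private final int maxTries;

    /** A session that can supply the salt to hash the PIN with. */
    public interface HashSession {
        /**
         * @return the salt for PIN hashing; {@link Session} returns the backup id of its token
         */
        byte[] hashSalt();
    }

    /** A session that can set or remove the PIN and toggle the registration lock. */
    public interface PinChangeSession extends HashSession {
        /**
         * Stores {@code masterKey} in the key backup service under {@code hashedPin}.
         *
         * @return the master key together with the token to use for the next request
         * @throws UnauthenticatedResponseException if attestation or response decryption fails,
         *         or the service rejects the request
         */
        KbsPinData setPin(HashedPin hashedPin, MasterKey masterKey) throws IOException, UnauthenticatedResponseException;

        /**
         * Sends a delete request for the backed-up key.
         *
         * @throws UnauthenticatedResponseException if attestation or response decryption fails
         */
        void removePin() throws IOException, UnauthenticatedResponseException;

        /** Enables the registration lock using a value derived from {@code masterKey}. */
        void enableRegistrationLock(MasterKey masterKey) throws IOException;

        /** Disables the registration lock. */
        void disableRegistrationLock() throws IOException;
    }

    /** A session that can restore the master key from a hashed PIN. */
    public interface RestoreSession extends HashSession {
        /**
         * Restores the master key protected by {@code hashedPin}.
         *
         * @throws KeyBackupServicePinException if the service reports a PIN mismatch
         * @throws KeyBackupSystemNoDataException if the service holds no data
         * @throws UnauthenticatedResponseException if the peer or its response cannot be
         *         authenticated, or automatic retries are exhausted
         */
        KbsPinData restorePin(HashedPin hashedPin) throws UnauthenticatedResponseException, IOException, KeyBackupServicePinException, KeyBackupSystemNoDataException, InvalidKeyException;
    }

    /**
     * Session bound to one authorization string and one starting token. It implements both
     * the restore and the PIN-change view; the factory methods of the outer class decide
     * which view a caller receives.
     */
    public class Session implements RestoreSession, PinChangeSession {
        // Credential for the key backup endpoints; never log it.
        private final String authorization;
        private final TokenResponse currentToken;

        Session(String authorization, TokenResponse currentToken) {
            this.authorization = authorization;
            this.currentToken = currentToken;
        }

        /** Returns the backup id of the session token, which serves as the PIN hashing salt. */
        @Override
        public byte[] hashSalt() {
            return this.currentToken.getBackupId();
        }

        /**
         * Restores the master key, retrying automatically on a retryable token mismatch.
         *
         * <p>At most {@link #MAX_RESTORE_ATTEMPTS} attempts are made. After a failed attempt
         * {@code n} the thread sleeps {@code BASE_BACKOFF_MS * 2^(n-1)} milliseconds plus a
         * random jitter below that value. A PIN mismatch is never retried: it is rethrown
         * immediately so that the caller, not this loop, decides whether another guess is
         * spent against the service's try counter.
         *
         * @throws KeyBackupServicePinException on PIN mismatch; it carries the latest token
         * @throws UnauthenticatedResponseException if the mismatch is not retryable or all
         *         attempts are used up
         */
        @Override
        public KbsPinData restorePin(HashedPin hashedPin) throws UnauthenticatedResponseException, IOException, KeyBackupServicePinException, KeyBackupSystemNoDataException, InvalidKeyException {
            int attempt = 0;
            SecureRandom random = new SecureRandom();
            TokenResponse token = this.currentToken;

            // The loop is left only by return or throw, so nothing may follow it: a trailing
            // statement would be unreachable and is rejected by the Java compiler.
            while (true) {
                attempt++;
                try {
                    return restorePin(hashedPin, token);
                } catch (TokenException e) {
                    // Carry the token from the failed attempt into the next one.
                    token = e.getToken();
                    if (e instanceof KeyBackupServicePinException) {
                        throw (KeyBackupServicePinException) e;
                    }
                    if (!e.isCanAutomaticallyRetry() || attempt >= MAX_RESTORE_ATTEMPTS) {
                        throw new UnauthenticatedResponseException("Token mismatch, expended all automatic retries");
                    }
                    int backoffMs = BASE_BACKOFF_MS * (1 << (attempt - 1));
                    Util.sleep(backoffMs + random.nextInt(backoffMs));
                }
            }
        }

        /**
         * Performs a single restore exchange using {@code token}.
         *
         * <p>The attestation is fetched and verified before the access key from
         * {@code hashedPin} is placed into the request. A response that fails decryption
         * is surfaced as {@link UnauthenticatedResponseException}.
         *
         * @throws TokenException on PIN_MISMATCH (as {@link KeyBackupServicePinException}) or
         *         TOKEN_MISMATCH; the exception carries the token to use next
         */
        private KbsPinData restorePin(HashedPin hashedPin, TokenResponse token) throws UnauthenticatedResponseException, IOException, TokenException, KeyBackupSystemNoDataException, InvalidKeyException {
            try {
                int triesBefore = token.getTries();
                RemoteAttestation attestation = getAndVerifyRemoteAttestation();
                RestoreResponse response = KeyBackupCipher.getKeyRestoreResponse(
                        KeyBackupService.this.pushServiceSocket.putKbsData(
                                this.authorization,
                                KeyBackupCipher.createKeyRestoreRequest(hashedPin.getKbsAccessKey(), token, attestation, KeyBackupService.this.serviceId),
                                attestation.getCookies(),
                                KeyBackupService.this.enclaveName),
                        attestation);

                // Prefer the token issued in the response; fall back to the one that was sent.
                TokenResponse nextToken = response.hasToken()
                        ? new TokenResponse(token.getBackupId(), response.getToken().toByteArray(), response.getTries())
                        : token;

                Log.i(KeyBackupService.TAG, "Restore " + response.getStatus());
                switch (response.getStatus()) {
                    case OK:
                        return new KbsPinData(hashedPin.decryptKbsDataIVCipherText(response.getData().toByteArray()).getMasterKey(), nextToken);
                    case PIN_MISMATCH:
                        Log.i(KeyBackupService.TAG, "Restore PIN_MISMATCH");
                        throw new KeyBackupServicePinException(nextToken);
                    case TOKEN_MISMATCH:
                        Log.i(KeyBackupService.TAG, "Restore TOKEN_MISMATCH");
                        // Retryable only when the try counter did not move; presumably this
                        // means the attempt did not consume a guess (confirm with the service).
                        boolean canAutomaticallyRetry = triesBefore == response.getTries();
                        Log.i(KeyBackupService.TAG, String.format(Locale.US, "Token MISMATCH %d %d", triesBefore, response.getTries()));
                        throw new TokenException(nextToken, canAutomaticallyRetry);
                    case MISSING:
                        Log.i(KeyBackupService.TAG, "Restore OK! No data though");
                        throw new KeyBackupSystemNoDataException();
                    case NOT_YET_VALID:
                        throw new UnauthenticatedResponseException("Key is not valid yet, clock mismatch");
                    default:
                        throw new AssertionError("Unexpected case");
                }
            } catch (InvalidCiphertextException e) {
                throw new UnauthenticatedResponseException(e);
            }
        }

        /**
         * Fetches a remote attestation and has it verified against the configured key store,
         * enclave name and {@code mrenclave}.
         *
         * @throws UnauthenticatedResponseException if the signature, quote or ciphertext
         *         checks fail; the cause is preserved
         */
        private RemoteAttestation getAndVerifyRemoteAttestation() throws UnauthenticatedResponseException, IOException, InvalidKeyException {
            try {
                return RemoteAttestationUtil.getAndVerifyRemoteAttestation(
                        KeyBackupService.this.pushServiceSocket,
                        PushServiceSocket.ClientSet.KeyBackup,
                        KeyBackupService.this.iasKeyStore,
                        KeyBackupService.this.enclaveName,
                        KeyBackupService.this.mrenclave,
                        this.authorization);
            } catch (SignatureException | InvalidCiphertextException | Quote.InvalidQuoteFormatException | UnauthenticatedQuoteException e) {
                throw new UnauthenticatedResponseException(e);
            }
        }

        /** Creates new KBS data for {@code masterKey} and uploads it with the session token. */
        @Override
        public KbsPinData setPin(HashedPin hashedPin, MasterKey masterKey) throws IOException, UnauthenticatedResponseException {
            KbsData newKbsData = hashedPin.createNewKbsData(masterKey);
            TokenResponse nextToken = putKbsData(newKbsData.getKbsAccessKey(), newKbsData.getCipherText(), KeyBackupService.this.enclaveName, this.currentToken);
            return new KbsPinData(masterKey, nextToken);
        }

        /**
         * Sends a delete request built against a freshly verified attestation.
         *
         * <p>NOTE(review): the status returned by {@code getKeyDeleteResponseStatus} is
         * discarded, so only a decryption or key failure is reported to the caller.
         */
        @Override
        public void removePin() throws IOException, UnauthenticatedResponseException {
            try {
                RemoteAttestation attestation = getAndVerifyRemoteAttestation();
                KeyBackupCipher.getKeyDeleteResponseStatus(
                        KeyBackupService.this.pushServiceSocket.putKbsData(
                                this.authorization,
                                KeyBackupCipher.createKeyDeleteRequest(this.currentToken, attestation, KeyBackupService.this.serviceId),
                                attestation.getCookies(),
                                KeyBackupService.this.enclaveName),
                        attestation);
            } catch (InvalidCiphertextException | InvalidKeyException e) {
                throw new UnauthenticatedResponseException(e);
            }
        }

        /** Sets the registration lock to the value derived from {@code masterKey}. */
        @Override
        public void enableRegistrationLock(MasterKey masterKey) throws IOException {
            KeyBackupService.this.pushServiceSocket.setRegistrationLockV2(masterKey.deriveRegistrationLock());
        }

        /** Clears the registration lock. */
        @Override
        public void disableRegistrationLock() throws IOException {
            KeyBackupService.this.pushServiceSocket.disableRegistrationLockV2();
        }

        /**
         * Uploads the access key and ciphertext in a backup request built against a freshly
         * verified attestation.
         *
         * @return a token built from the response when it contains one (with the try counter
         *         set to {@code maxTries}), otherwise {@code token} unchanged
         * @throws UnauthenticatedResponseException on ALREADY_EXISTS, NOT_YET_VALID, or when
         *         attestation or response decryption fails
         */
        private TokenResponse putKbsData(byte[] kbsAccessKey, byte[] kbsData, String targetEnclaveName, TokenResponse token) throws IOException, UnauthenticatedResponseException {
            try {
                RemoteAttestation attestation = getAndVerifyRemoteAttestation();
                BackupResponse response = KeyBackupCipher.getKeyBackupResponse(
                        KeyBackupService.this.pushServiceSocket.putKbsData(
                                this.authorization,
                                KeyBackupCipher.createKeyBackupRequest(kbsAccessKey, kbsData, token, attestation, KeyBackupService.this.serviceId, KeyBackupService.this.maxTries),
                                attestation.getCookies(),
                                targetEnclaveName),
                        attestation);
                BackupResponse.Status status = response.getStatus();
                switch (status) {
                    case OK:
                        return response.hasToken()
                                ? new TokenResponse(token.getBackupId(), response.getToken().toByteArray(), KeyBackupService.this.maxTries)
                                : token;
                    case ALREADY_EXISTS:
                        throw new UnauthenticatedResponseException("Already exists");
                    case NOT_YET_VALID:
                        throw new UnauthenticatedResponseException("Key is not valid yet, clock mismatch");
                    default:
                        throw new AssertionError("Unknown response status " + status);
                }
            } catch (InvalidCiphertextException | InvalidKeyException e) {
                throw new UnauthenticatedResponseException(e);
            }
        }
    }

    /**
     * Creates a service bound to one enclave.
     *
     * @param iasKeyStore key store handed to the attestation verification
     * @param enclaveName name of the enclave addressed by every request
     * @param serviceId service id placed into every request; kept by reference
     * @param mrenclave expected enclave measurement handed to the attestation verification
     * @param pushServiceSocket transport used for all calls
     * @param maxTries try count sent with each backup request
     */
    public KeyBackupService(KeyStore iasKeyStore, String enclaveName, byte[] serviceId, String mrenclave, PushServiceSocket pushServiceSocket, int maxTries) {
        this.iasKeyStore = iasKeyStore;
        this.enclaveName = enclaveName;
        this.serviceId = serviceId;
        this.mrenclave = mrenclave;
        this.pushServiceSocket = pushServiceSocket;
        this.maxTries = maxTries;
    }

    /** Opens a PIN-change session with a fresh authorization and a freshly fetched token. */
    public PinChangeSession newPinChangeSession() throws IOException {
        return newSession(this.pushServiceSocket.getKeyBackupServiceAuthorization(), null);
    }

    /**
     * Opens a PIN-change session with a fresh authorization.
     *
     * @param tokenResponse token to start from; when {@code null} one is fetched
     */
    public PinChangeSession newPinChangeSession(TokenResponse tokenResponse) throws IOException {
        return newSession(this.pushServiceSocket.getKeyBackupServiceAuthorization(), tokenResponse);
    }

    /**
     * Fetches the current token for this service's enclave.
     *
     * @param authorization authorization string for the key backup endpoints
     */
    public TokenResponse getToken(String authorization) throws IOException {
        return this.pushServiceSocket.getKeyBackupServiceToken(authorization, this.enclaveName);
    }

    /** Fetches an authorization string for the key backup endpoints; treat it as a secret. */
    public String getAuthorization() throws IOException {
        return this.pushServiceSocket.getKeyBackupServiceAuthorization();
    }

    /**
     * Opens a restore-only session with a caller-supplied authorization.
     *
     * @param authorization authorization string for the key backup endpoints
     * @param tokenResponse token to start from; when {@code null} one is fetched
     */
    public RestoreSession newRegistrationSession(String authorization, TokenResponse tokenResponse) throws IOException {
        return newSession(authorization, tokenResponse);
    }

    /** Builds a session, fetching a token with {@code authorization} when none is supplied. */
    private Session newSession(String authorization, TokenResponse tokenResponse) throws IOException {
        TokenResponse token = tokenResponse != null
                ? tokenResponse
                : this.pushServiceSocket.getKeyBackupServiceToken(authorization, this.enclaveName);
        return new Session(authorization, token);
    }
}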
