package com.google.android.libraries.fido.u2f.client;

import android.util.Log;
import com.google.android.libraries.fido.logging.EventLogger;
import com.google.android.libraries.fido.u2f.api.common.KeyHandle;
import com.google.android.libraries.fido.u2f.api.common.ProtocolVersion;
import com.google.android.libraries.fido.u2f.api.common.RegisteredKey;
import com.google.android.libraries.fido.u2f.rawmessage.RawRegisterRequest;
import com.google.android.libraries.fido.u2f.rawmessage.RawSignRequest;
import com.google.android.libraries.fido.u2f.secureelement.ApduCommand;
import com.google.android.libraries.fido.u2f.secureelement.ApduException;
import com.google.android.libraries.fido.u2f.secureelement.ApduResponse;
import com.google.android.libraries.fido.u2f.secureelement.SecureElement;
import com.google.android.libraries.fido.u2f.secureelement.SecurityKeyApduBuilder;
import com.google.android.libraries.fido.u2f.secureelement.UnsupportedSecurityKeyException;
import com.google.common.base.Preconditions;
import com.google.common.io.BaseEncoding;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Random;

/* loaded from: classes.dex */
public abstract class SecureElementSecurityKey {
    public static final short SW_BYTES_REMAINING_MASK = -256;
    static final ApduResponse SYNTHETIC_WRONG_DATA_RESPONSE;
    private final SecureElement mSecureElement;
    private static final String TAG = SecureElementSecurityKey.class.getSimpleName();
    public static final byte[] GOOGLE_CORP_APP_ID_DIGEST = {100, 70, 71, 47, -33, 110, -19, 123, -13, -61, 55, 32, -14, 54, 103, 108, 54, -31, -76, 94, -66, 4, -123, -37, -119, -93, -51, -3, -46, 75, -42, -97};
    static final byte[] EMPTY_SIGN_CHALLENGE = new byte[32];

    static {
        new Random().nextBytes(EMPTY_SIGN_CHALLENGE);
        try {
            SYNTHETIC_WRONG_DATA_RESPONSE = ApduResponse.fromResponse(new byte[]{106, Byte.MIN_VALUE});
        } catch (ApduException e) {
            throw new RuntimeException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SecureElementSecurityKey(SecureElement secureElement) {
        this.mSecureElement = (SecureElement) Preconditions.checkNotNull(secureElement);
    }

    private RegisterResult doRegister(ProtocolVersion protocolVersion, PreparedRegisterRequest preparedRegisterRequest) throws IOException {
        RawRegisterRequest rawRegisterRequest;
        Iterator<RawRegisterRequest> it = preparedRegisterRequest.getRequests().iterator();
        while (true) {
            if (!it.hasNext()) {
                rawRegisterRequest = null;
                break;
            }
            rawRegisterRequest = it.next();
            if (rawRegisterRequest.getVersion().equals(protocolVersion)) {
                break;
            }
        }
        if (rawRegisterRequest == null) {
            String str = TAG;
            String valueOf = String.valueOf(protocolVersion);
            Log.w(str, new StringBuilder(String.valueOf(valueOf).length() + 50).append("No register request matching security key version ").append(valueOf).toString());
            return new RegisterResult(ApduResponse.DATA_INVALID);
        }
        byte[] representativeApplicationParameter = preparedRegisterRequest.getRepresentativeApplicationParameter();
        SecurityKeyApduBuilder securityKeyApduBuilder = new SecurityKeyApduBuilder(this.mSecureElement.getLengthEncoding());
        ApduCommand buildEnroll = securityKeyApduBuilder.buildEnroll(representativeApplicationParameter, rawRegisterRequest.getChallenge(), Arrays.equals(GOOGLE_CORP_APP_ID_DIGEST, representativeApplicationParameter));
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        while (true) {
            ApduResponse processApdu = this.mSecureElement.processApdu(buildEnroll);
            switch (processApdu.getResponseStatus()) {
                case -28672:
                    byteArrayOutputStream.write(processApdu.getResponseData());
                    RegisterResult registerResult = new RegisterResult(byteArrayOutputStream.toByteArray(), protocolVersion);
                    Log.d(TAG, String.format("Enrollment data received: %s.", BaseEncoding.base16().encode(registerResult.getResponseData())));
                    return registerResult;
                default:
                    short responseStatus = processApdu.getResponseStatus();
                    if ((responseStatus & SW_BYTES_REMAINING_MASK) != 24832) {
                        Log.e(TAG, String.format("APDU exception %s", Short.valueOf(responseStatus)));
                        return new RegisterResult(responseStatus);
                    }
                    Log.d(TAG, "Got incomplete response, asking for next response");
                    byteArrayOutputStream.write(processApdu.getResponseData());
                    buildEnroll = securityKeyApduBuilder.buildGetResponse();
            }
        }
    }

    private SignResult doSign(ProtocolVersion protocolVersion, List<RawSignRequest> list, EventLogger eventLogger) throws SignException {
        ApduCommand buildV1Sign;
        for (int i = 0; i < list.size(); i++) {
            RawSignRequest rawSignRequest = list.get(i);
            KeyHandle keyHandle = rawSignRequest.getKeyHandle();
            if (keyHandle.getProtocolVersion().isCompatible(protocolVersion)) {
                try {
                    byte[] challenge = rawSignRequest.getChallenge();
                    switch (protocolVersion) {
                        case V1:
                            buildV1Sign = new SecurityKeyApduBuilder(this.mSecureElement.getLengthEncoding()).buildV1Sign(rawSignRequest.getApplication(), challenge, keyHandle.getBytes());
                            break;
                        default:
                            buildV1Sign = new SecurityKeyApduBuilder(this.mSecureElement.getLengthEncoding()).buildSign(rawSignRequest.getApplication(), challenge, keyHandle.getBytes());
                            break;
                    }
                    if (eventLogger != null) {
                        eventLogger.logApduRequest(buildV1Sign);
                    }
                    ApduResponse processApdu = this.mSecureElement.processApdu(buildV1Sign);
                    if (eventLogger != null) {
                        eventLogger.logApduResponse(processApdu);
                    }
                    short responseStatus = processApdu.getResponseStatus();
                    switch (responseStatus) {
                        case -28672:
                            byte[] responseData = processApdu.getResponseData();
                            Log.d(TAG, String.format("Response data received: %s.", BaseEncoding.base16().encode(responseData)));
                            return new SignResult(responseData, challenge, keyHandle);
                        case 26368:
                            Log.w(TAG, String.format("Wrong len error at key handle %d", Integer.valueOf(i)));
                            break;
                        case 27264:
                            Log.w(TAG, String.format("Wrong data error at key handle %d", Integer.valueOf(i)));
                            break;
                        default:
                            Log.e(TAG, String.format("APDU exception %s", Integer.toHexString(responseStatus)));
                            return new SignResult(responseStatus);
                    }
                } catch (IOException e) {
                    Log.e(TAG, "Signing failed!", e);
                    throw new SignException(e, i);
                }
            } else {
                Log.d(TAG, String.format("Ignoring key handle %d with version %s, mismatch with security key version %s", Integer.valueOf(i), keyHandle.getProtocolVersion(), protocolVersion));
            }
        }
        return new SignResult(SYNTHETIC_WRONG_DATA_RESPONSE.getResponseStatus());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SecureElement getSecureElement() {
        return this.mSecureElement;
    }

    public Result handlePreparedRequest(PreparedRequest preparedRequest) throws IOException, UnsupportedSecurityKeyException {
        switch (preparedRequest.getType()) {
            case REGISTER:
                return register((PreparedRegisterRequest) preparedRequest);
            case SIGN:
                return sign((PreparedSignRequest) preparedRequest);
            default:
                String valueOf = String.valueOf(preparedRequest);
                throw new RuntimeException(new StringBuilder(String.valueOf(valueOf).length() + 18).append("Unhandled request ").append(valueOf).toString());
        }
    }

    protected abstract ProtocolVersion initializeForApplicationParameter(byte[] bArr) throws IOException, UnsupportedSecurityKeyException;

    public RegisterResult register(PreparedRegisterRequest preparedRegisterRequest) throws IOException, UnsupportedSecurityKeyException {
        byte[] representativeApplicationParameter = preparedRegisterRequest.getRepresentativeApplicationParameter();
        ProtocolVersion initializeForApplicationParameter = initializeForApplicationParameter(representativeApplicationParameter);
        ArrayList arrayList = new ArrayList(preparedRegisterRequest.getRegisteredKeys().size());
        Iterator<RegisteredKey> it = preparedRegisterRequest.getRegisteredKeys().iterator();
        while (it.hasNext()) {
            arrayList.add(new RawSignRequest(it.next().getKeyHandle(), representativeApplicationParameter, EMPTY_SIGN_CHALLENGE));
        }
        SignResult doSign = doSign(initializeForApplicationParameter, arrayList, null);
        switch (doSign.getResponseStatus()) {
            case -28672:
                Log.d(TAG, "Security key already registered");
                return new RegisterResult(ApduResponse.WRONG_DATA);
            case 27264:
                return doRegister(initializeForApplicationParameter, preparedRegisterRequest);
            default:
                short responseStatus = doSign.getResponseStatus();
                Log.e(TAG, String.format("APDU exception %s", Short.valueOf(responseStatus)));
                return new RegisterResult(responseStatus);
        }
    }

    public SignResult sign(PreparedSignRequest preparedSignRequest) throws IOException, UnsupportedSecurityKeyException {
        return sign(preparedSignRequest, null);
    }

    public SignResult sign(PreparedSignRequest preparedSignRequest, EventLogger eventLogger) throws IOException, UnsupportedSecurityKeyException {
        ProtocolVersion initializeForApplicationParameter = initializeForApplicationParameter(preparedSignRequest.getRepresentativeApplicationParameter());
        if (preparedSignRequest.getRequests() != null) {
            return doSign(initializeForApplicationParameter, preparedSignRequest.getRequests(), eventLogger);
        }
        Log.w(TAG, "Service called with no sign request list");
        return new SignResult(ApduResponse.DATA_INVALID);
    }
}
