package org.jmrtd.protocol;

import java.io.ByteArrayOutputStream;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.List;
import java.util.logging.Logger;
import net.sf.scuba.smartcards.CardServiceException;
import net.sf.scuba.smartcards.ISOFileInfo;
import net.sf.scuba.tlv.TLVOutputStream;
import org.jmrtd.PassportService;
import org.jmrtd.Util;
import org.jmrtd.cert.CVCAuthorizationTemplate;
import org.jmrtd.cert.CVCPrincipal;
import org.jmrtd.cert.CardVerifiableCertificate;
import org.jmrtd.lds.icao.MRZInfo;
import org.spongycastle.i18n.LocalizedMessage;
import org.spongycastle.jce.interfaces.ECPrivateKey;

/* loaded from: classes.dex */
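/**
 * Terminal side of the Terminal Authentication (TA) exchange with a travel-document chip.
 *
 * <p>The terminal presents its card-verifiable certificate chain to the chip, requests a
 * challenge, and returns a signature over that challenge made with the terminal private key.
 * All commands are sent through the supplied {@link SecureMessagingWrapper}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The role and authority checks performed here are local sanity checks that fail early
 *       with a readable message. NOTE(review): the authoritative chain verification is
 *       presumably done by the chip when it processes the certificates; confirm that callers
 *       do not treat these local checks as certificate validation.</li>
 *   <li>The terminal private key only ever flows into {@link Signature#initSign}; it is not
 *       logged or copied by this class.</li>
 * </ul>
 */
public class TAProtocol {
    private static final Logger LOGGER = Logger.getLogger("org.jmrtd");

    /** Tag written in front of a certificate signature before it is sent to the chip (decimal 24375). */
    private static final int TAG_CVCERTIFICATE_SIGNATURE = 0x5F37;

    private final PassportService service;
    private final SecureMessagingWrapper wrapper;

    /**
     * Creates a protocol instance bound to one card service and one secure-messaging wrapper.
     *
     * @param passportService the service used to send commands to the chip
     * @param secureMessagingWrapper the wrapper passed along with every command
     */
    public TAProtocol(PassportService passportService, SecureMessagingWrapper secureMessagingWrapper) {
        this.service = passportService;
        this.wrapper = secureMessagingWrapper;
    }

    /**
     * Runs Terminal Authentication.
     *
     * <p>Side effect: if the first certificate in {@code list} has role CVCA it is removed from
     * the caller's list, so {@code list} must be mutable.
     *
     * @param cVCPrincipal the expected certificate authority reference, or {@code null} to adopt
     *     the one found in the first certificate
     * @param list the terminal certificate chain, issuer first, ending in a certificate with role IS
     * @param privateKey the terminal private key matching the last certificate in the chain
     * @param str not read by this method
     * @param cAResult result object supplying the key hash that is included in the signed data
     * @param str2 the document number; with its check digit appended it identifies the chip in
     *     the signed data
     * @return the result record holding the inputs and the chip's challenge
     * @throws IllegalArgumentException if {@code list} is {@code null} or empty
     * @throws CardServiceException if a chain check fails, the terminal key is missing, or any
     *     step of the exchange fails
     */
    public synchronized TAResult doTA(CVCPrincipal cVCPrincipal, List<CardVerifiableCertificate> list, PrivateKey privateKey, String str, CAResult cAResult, String str2) throws CardServiceException {
        // Guard clause: previously this throw sat after the main branch with an unreachable
        // return behind it, so the success path could never return a result.
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("Need at least 1 certificate to perform TA, found: " + list);
        }

        CVCPrincipal caReference = cVCPrincipal;
        byte[] challenge;
        try {
            if (cAResult == null) {
                throw new IllegalArgumentException("CA result is null");
            }
            if (str2 == null) {
                throw new IllegalArgumentException("Document number is null");
            }
            byte[] keyHash = cAResult.getKeyHash();
            if (keyHash == null) {
                throw new IllegalArgumentException("CA key hash is null");
            }

            // If the chain starts with the CVCA certificate itself, check it against the
            // expected authority and drop it: only the certificates below it are sent.
            CardVerifiableCertificate firstCertificate = list.get(0);
            if (CVCAuthorizationTemplate.Role.CVCA.equals(firstCertificate.getAuthorizationTemplate().getRole())) {
                CVCPrincipal holderReference = firstCertificate.getHolderReference();
                if (caReference != null && !caReference.equals(holderReference)) {
                    throw new CardServiceException("First certificate holds wrong authority, found \"" + holderReference.getName() + "\", expected \"" + caReference.getName() + "\"");
                }
                if (caReference == null) {
                    caReference = holderReference;
                }
                list.remove(0);
                if (list.isEmpty()) {
                    // Without this check the lookup of the last certificate below fails with an
                    // index error that surfaces as an opaque message.
                    throw new CardServiceException("Certificate chain contains only the CVCA certificate, no terminal certificate to authenticate with");
                }
            }

            CVCPrincipal authorityReference = firstCertificate.getAuthorityReference();
            if (caReference != null && !caReference.equals(authorityReference)) {
                throw new CardServiceException("First certificate not signed by expected CA, found " + authorityReference.getName() + ",  expected " + caReference.getName());
            }
            if (caReference == null) {
                caReference = authorityReference;
            }

            // The last certificate is the terminal's own and must carry the IS role.
            CardVerifiableCertificate terminalCertificate = list.get(list.size() - 1);
            CVCAuthorizationTemplate.Role terminalRole = terminalCertificate.getAuthorizationTemplate().getRole();
            if (!CVCAuthorizationTemplate.Role.IS.equals(terminalRole)) {
                throw new CardServiceException("Last certificate in chain (" + terminalCertificate.getHolderReference().getName() + ") does not have role IS, but has role " + terminalRole);
            }

            for (CardVerifiableCertificate certificate : list) {
                sendCertificateForVerification(certificate);
            }

            if (privateKey == null) {
                throw new CardServiceException("No terminal key");
            }

            // NOTE(review): the tag and charset constants come from ISOFileInfo and
            // LocalizedMessage, which looks like a decompiler matching values to unrelated
            // named constants. Confirm they are the reference tag and byte encoding the chip expects.
            this.service.sendMSESetATExtAuth(this.wrapper, Util.wrapDO(ISOFileInfo.FILE_IDENTIFIER, terminalCertificate.getHolderReference().getName().getBytes(LocalizedMessage.DEFAULT_ENCODING)));
            challenge = this.service.sendGetChallenge(this.wrapper);

            // Chip identifier: document number followed by its MRZ check digit.
            // NOTE(review): this always derives the identifier from the document number.
            // Confirm this is correct for sessions that were not opened with the document
            // number (for example PACE-based access), where the specification may require a
            // different identifier.
            byte[] documentNumberBytes = str2.getBytes(LocalizedMessage.DEFAULT_ENCODING);
            byte[] chipIdentifier = new byte[documentNumberBytes.length + 1];
            System.arraycopy(documentNumberBytes, 0, chipIdentifier, 0, documentNumberBytes.length);
            chipIdentifier[chipIdentifier.length - 1] = (byte) MRZInfo.checkDigit(str2);

            // Data to sign: chip identifier || chip challenge || key hash from cAResult.
            ByteArrayOutputStream toBeSigned = new ByteArrayOutputStream();
            toBeSigned.write(chipIdentifier);
            toBeSigned.write(challenge);
            toBeSigned.write(keyHash);

            String sigAlgName = terminalCertificate.getSigAlgName();
            if (sigAlgName == null) {
                throw new IllegalStateException("ERROR: Could not determine signature algorithm for terminal certificate " + terminalCertificate.getHolderReference().getName());
            }
            Signature signer = Signature.getInstance(sigAlgName);
            signer.initSign(privateKey);
            signer.update(toBeSigned.toByteArray());
            byte[] signatureBytes = signer.sign();
            if (sigAlgName.toUpperCase().endsWith("ECDSA")) {
                // Round the field size up to whole bytes. Truncating division gave a length one
                // byte short for curves whose field size is not a multiple of 8 (e.g. 521 bits).
                // NOTE(review): the cast requires a SpongyCastle key; a key object from another
                // provider fails here with a ClassCastException.
                int fieldSizeBits = ((ECPrivateKey) privateKey).getParameters().getCurve().getFieldSize();
                signatureBytes = Util.getRawECDSASignature(signatureBytes, (fieldSizeBits + 7) / 8);
            }
            this.service.sendMutualAuthenticate(this.wrapper, signatureBytes);
        } catch (CardServiceException e) {
            throw e;
        } catch (Exception e) {
            // Only the textual form of the failure is propagated, as before.
            throw new CardServiceException(e.toString());
        }
        return new TAResult(cAResult, caReference, list, privateKey, str2, challenge);
    }

    /**
     * Sends one certificate to the chip: first selects the authority that signed it, then sends
     * the certificate body together with the tagged signature.
     *
     * @param certificate the certificate to present
     * @throws CardServiceException if the chip rejects a command or the certificate cannot be encoded
     */
    private void sendCertificateForVerification(CardVerifiableCertificate certificate) throws CardServiceException {
        try {
            this.service.sendMSESetDST(this.wrapper, Util.wrapDO(ISOFileInfo.FILE_IDENTIFIER, certificate.getAuthorityReference().getName().getBytes(LocalizedMessage.DEFAULT_ENCODING)));
            byte[] certBodyData = certificate.getCertBodyData();

            // The signature is wrapped in its own tag/length header before sending.
            ByteArrayOutputStream taggedSignature = new ByteArrayOutputStream();
            TLVOutputStream tlvOut = new TLVOutputStream(taggedSignature);
            tlvOut.writeTag(TAG_CVCERTIFICATE_SIGNATURE);
            tlvOut.writeValue(certificate.getSignature());
            tlvOut.close();

            this.service.sendPSOExtendedLengthMode(this.wrapper, certBodyData, taggedSignature.toByteArray());
        } catch (CardServiceException e) {
            throw e;
        } catch (Exception e) {
            throw new CardServiceException(e.getMessage());
        }
    }
}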
