package org.jmrtd.protocol;

import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Random;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import net.sf.scuba.smartcards.CardServiceException;
import net.sf.scuba.smartcards.ISOFileInfo;
import net.sf.scuba.util.Hex;
import org.jmrtd.BACKeySpec;
import org.jmrtd.JMRTDSecurityProvider;
import org.jmrtd.PACEException;
import org.jmrtd.PassportService;
import org.jmrtd.Util;
import org.jmrtd.lds.PACEInfo;

/* loaded from: classes.dex */
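/**
 * Terminal-side (PCD) implementation of the PACE protocol steps against a chip (PICC)
 * reached through a {@link PassportService}.
 *
 * <p>The flow driven by {@link #doPACE(SecretKey, String, AlgorithmParameterSpec)} is:
 * select the protocol (MSE:Set AT), decrypt the chip's nonce (step 1), map the nonce to
 * ephemeral domain parameters (step 2), run an ephemeral key agreement (step 3), exchange
 * and verify authentication tokens (step 4), then install a new secure-messaging wrapper.
 *
 * <p>Security notes for maintainers: the nonce, the mapping secret and the agreed secret are
 * key material. This class must never write them (or MRZ-derived inputs) to the log or into
 * exception messages.
 *
 * <p>NOTE(review): the {@code ISOFileInfo} constants used as data-object tags below look like
 * a decompiler substitution by byte value; presumably only their numeric values matter here.
 */
public class PACEProtocol {
    private static final Logger LOGGER = Logger.getLogger("org.jmrtd");
    private static final Provider BC_PROVIDER = JMRTDSecurityProvider.getBouncyCastleProvider();

    /**
     * Sixteen 0xFF bytes, passed directly as the CBC IV when decrypting PACE-CAM data.
     *
     * <p>NOTE(review): ICAO Doc 9303 part 11 is understood to define this IV as the
     * encryption of the all-ones block under the session encryption key, not the all-ones
     * block itself. Confirm against the specification before relying on the decrypted data.
     */
    private static final byte[] IV_FOR_PACE_CAM_DECRYPTION = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1};

    /** Source of randomness; always a {@link SecureRandom}. */
    private final Random random = new SecureRandom();
    private final PassportService service;
    /** Current secure-messaging wrapper; replaced once PACE completes. */
    private SecureMessagingWrapper wrapper;

    /**
     * Minimal ECDH helper that returns the full shared point (both coordinates) rather than
     * the x-coordinate-only secret a standard {@link KeyAgreement} yields.
     */
    public class MyECDHKeyAgreement {
        private ECPrivateKey privateKey;

        public MyECDHKeyAgreement() {
        }

        /**
         * Multiplies the peer's public point by the private scalar set via {@link #init}.
         *
         * @param eCPublicKey the peer's EC public key
         * @return the normalized shared point
         * @throws IllegalStateException if {@link #init} was not called, or the product is
         *     the point at infinity
         */
        public ECPoint doPhase(ECPublicKey eCPublicKey) {
            if (this.privateKey == null) {
                throw new IllegalStateException("Not initialized");
            }
            org.spongycastle.math.ec.ECPoint sharedPoint = Util.toBouncyECPublicKeyParameters(eCPublicKey)
                    .getQ()
                    .multiply(Util.toBouncyECPrivateKeyParameters(this.privateKey).getD())
                    .normalize();
            // The point at infinity carries no secret; reject it instead of mapping with it.
            if (sharedPoint.isInfinity()) {
                throw new IllegalStateException("Infinity");
            }
            return Util.fromBouncyCastleECPoint(sharedPoint);
        }

        /**
         * Stores the private key used by {@link #doPhase}.
         *
         * @param eCPrivateKey the terminal's EC private key
         */
        public void init(ECPrivateKey eCPrivateKey) {
            this.privateKey = eCPrivateKey;
        }
    }

    /**
     * Creates a protocol runner.
     *
     * @param passportService service used to send the PACE commands
     * @param secureMessagingWrapper wrapper currently in effect, or {@code null}
     */
    public PACEProtocol(PassportService passportService, SecureMessagingWrapper secureMessagingWrapper) {
        this.service = passportService;
        this.wrapper = secureMessagingWrapper;
    }

    /** Computes the key seed from the three MRZ fields using SHA-1. */
    private static byte[] computeKeySeedForPACE(String str, String str2, String str3) throws GeneralSecurityException {
        return Util.computeKeySeed(str, str2, str3, "SHA-1", false);
    }

    /**
     * Computes the PACE key seed from a BAC key spec (document number, date of birth, date of
     * expiry).
     *
     * @param keySpec must be a {@link BACKeySpec}
     * @return the key seed bytes
     * @throws IllegalArgumentException if the spec is of another type or a field is missing
     *     or has the wrong length
     * @throws GeneralSecurityException if the digest computation fails
     */
    public static byte[] computeKeySeedForPACE(KeySpec keySpec) throws GeneralSecurityException {
        if (!(keySpec instanceof BACKeySpec)) {
            throw new IllegalArgumentException("Unsupported key spec, was expecting BAC key spec");
        }
        BACKeySpec bacKeySpec = (BACKeySpec) keySpec;
        String documentNumber = bacKeySpec.getDocumentNumber();
        String dateOfBirth = bacKeySpec.getDateOfBirth();
        String dateOfExpiry = bacKeySpec.getDateOfExpiry();
        // These fields are the inputs to the PACE password, so the messages report only the
        // length found and never echo the value itself into logs or crash reports.
        if (dateOfBirth == null || dateOfBirth.length() != 6) {
            throw new IllegalArgumentException("Wrong date format used for date of birth. Expected yyMMdd, found " + describeLength(dateOfBirth));
        }
        if (dateOfExpiry == null || dateOfExpiry.length() != 6) {
            throw new IllegalArgumentException("Wrong date format used for date of expiry. Expected yyMMdd, found " + describeLength(dateOfExpiry));
        }
        if (documentNumber == null) {
            throw new IllegalArgumentException("Wrong document number. Found " + documentNumber);
        }
        return computeKeySeedForPACE(fixDocumentNumber(documentNumber), dateOfBirth, dateOfExpiry);
    }

    /**
     * Derives the static PACE key from a BAC key spec for the given protocol OID.
     *
     * @param keySpec a {@link BACKeySpec}
     * @param str the PACE protocol OID, used to look up cipher algorithm and key length
     * @return the derived key
     * @throws GeneralSecurityException if seed computation or key derivation fails
     */
    public static SecretKey deriveStaticPACEKey(KeySpec keySpec, String str) throws GeneralSecurityException {
        // Mode 3 is passed to Util.deriveKey for the static PACE key; modes 1 and 2 are used
        // in doPACE for the session encryption and MAC keys.
        return Util.deriveKey(computeKeySeedForPACE(keySpec), PACEInfo.toCipherAlgorithm(str), PACEInfo.toKeyLength(str), 3);
    }

    /** Trims filler characters from both ends and right-pads with {@code '<'} to nine characters. */
    private static String fixDocumentNumber(String str) {
        StringBuilder padded = new StringBuilder(str.replace('<', ' ').trim().replace(' ', '<'));
        while (padded.length() < 9) {
            padded.append('<');
        }
        return padded.toString();
    }

    /** Describes a field by its length only, so the value never reaches a message. */
    private static String describeLength(String value) {
        return value == null ? "null" : value.length() + " characters";
    }

    /** Returns the canonical class name of the spec, or {@code "null"} when absent. */
    private static String describeSpec(AlgorithmParameterSpec spec) {
        return spec == null ? "null" : spec.getClass().getCanonicalName();
    }

    /**
     * Computes the 8-byte authentication token: a MAC over the encoded public key data
     * object, truncated to its first eight bytes.
     *
     * @param str the PACE protocol OID
     * @param secretKey the MAC key
     * @param publicKey the public key the token authenticates
     * @return the first eight bytes of the MAC
     * @throws GeneralSecurityException if the MAC algorithm is unavailable or the key is
     *     rejected
     */
    public static byte[] generateAuthenticationToken(String str, SecretKey secretKey, PublicKey publicKey) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(inferMacAlgorithmFromCipherAlgorithm(PACEInfo.toCipherAlgorithm(str)), BC_PROVIDER);
        byte[] encodedPublicKey = Util.encodePublicKeyDataObject(str, publicKey);
        mac.init(secretKey);
        byte[] token = new byte[8];
        System.arraycopy(mac.doFinal(encodedPublicKey), 0, token, 0, token.length);
        return token;
    }

    /**
     * Maps a cipher algorithm name to the MAC algorithm used with it.
     *
     * @throws IllegalArgumentException if {@code str} is {@code null}
     * @throws InvalidAlgorithmParameterException if the cipher is neither DESede nor AES
     */
    private static String inferMacAlgorithmFromCipherAlgorithm(String str) throws InvalidAlgorithmParameterException {
        if (str == null) {
            throw new IllegalArgumentException("Cannot infer MAC algorithm from cipher algorithm null");
        }
        if (str.startsWith("DESede")) {
            return "ISO9797Alg3Mac";
        }
        if (str.startsWith("AES")) {
            return "AESCMAC";
        }
        throw new InvalidAlgorithmParameterException("Cannot infer MAC algorithm from cipher algorithm \"" + str + "\"");
    }

    /** Placeholder for the Integrated Mapping pseudo-random function; intentionally empty. */
    private void pseudoRandomFunction(byte[] bArr, byte[] bArr2, Cipher cipher) {
    }

    /**
     * Rebuilds an EC public key so that it carries the parameter spec of the given private key.
     *
     * @param publicKey an {@link ECPublicKey}
     * @param privateKey an {@link ECPrivateKey} whose parameters are applied
     * @return a public key with the same point and the private key's parameters
     * @throws NoSuchAlgorithmException if either key is not an EC key
     * @throws GeneralSecurityException if the key factory rejects the spec
     */
    public static PublicKey updateParameterSpec(PublicKey publicKey, PrivateKey privateKey) throws GeneralSecurityException {
        if (!(publicKey instanceof ECPublicKey) || !(privateKey instanceof ECPrivateKey)) {
            throw new NoSuchAlgorithmException("Unsupported key type");
        }
        ECPoint w = ((ECPublicKey) publicKey).getW();
        ECParameterSpec params = ((ECPrivateKey) privateKey).getParams();
        return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(w, params));
    }

    /**
     * Runs PACE with a static key derived from a BAC key spec.
     *
     * @param keySpec a {@link BACKeySpec}
     * @param str the PACE protocol OID
     * @param algorithmParameterSpec the static domain parameters
     * @return the PACE result
     * @throws PACEException if key derivation or any protocol step fails
     */
    public PACEResult doPACE(KeySpec keySpec, String str, AlgorithmParameterSpec algorithmParameterSpec) throws PACEException {
        try {
            return doPACE(deriveStaticPACEKey(keySpec, str), str, algorithmParameterSpec);
        } catch (GeneralSecurityException e) {
            // The rethrown exception carries no cause, so keep the original in the log.
            LOGGER.log(Level.SEVERE, "PCD side error in key derivation step", (Throwable) e);
            throw new PACEException("PCD side error in key derivation step");
        }
    }

    /**
     * Runs the full PACE protocol with an already-derived static key and, on success,
     * replaces this instance's secure-messaging wrapper with one keyed by the session keys.
     *
     * <p>For the CAM mapping the chip authentication data is decrypted on a best-effort
     * basis: when it is missing or cannot be decrypted the result carries {@code null} for
     * it, so callers must treat {@code null} as "chip authentication not available".
     *
     * @param secretKey the static PACE key
     * @param str the PACE protocol OID
     * @param algorithmParameterSpec static domain parameters ({@link ECParameterSpec} for
     *     ECDH, {@link DHParameterSpec} for DH)
     * @return the PACE result, including the new wrapper
     * @throws IllegalArgumentException if the agreement algorithm is unknown or does not
     *     match the parameter spec type
     * @throws IllegalStateException if the secure-messaging wrapper cannot be constructed
     * @throws PACEException if any protocol step fails
     */
    public PACEResult doPACE(SecretKey secretKey, String str, AlgorithmParameterSpec algorithmParameterSpec) throws PACEException {
        PACEInfo.MappingType mappingType = PACEInfo.toMappingType(str);
        String keyAgreementAlgorithm = PACEInfo.toKeyAgreementAlgorithm(str);
        String cipherAlgorithm = PACEInfo.toCipherAlgorithm(str);
        String digestAlgorithm = PACEInfo.toDigestAlgorithm(str);
        int keyLength = PACEInfo.toKeyLength(str);
        LOGGER.info("DEBUG: PACE: oid = " + str + " -> mappingType = " + mappingType + ", agreementAlg = " + keyAgreementAlgorithm + ", cipherAlg = " + cipherAlgorithm + ", digestAlg = " + digestAlgorithm + ", keyLength = " + keyLength);
        if (keyAgreementAlgorithm == null) {
            throw new IllegalArgumentException("Unknown agreement algorithm");
        }
        boolean isEcdh = "ECDH".equals(keyAgreementAlgorithm);
        boolean isDh = "DH".equals(keyAgreementAlgorithm);
        if (!isEcdh && !isDh) {
            throw new IllegalArgumentException("Unsupported agreement algorithm, expected ECDH or DH, found " + keyAgreementAlgorithm);
        }
        // describeSpec keeps a null spec an IllegalArgumentException rather than an NPE.
        if (isEcdh && !(algorithmParameterSpec instanceof ECParameterSpec)) {
            throw new IllegalArgumentException("Expected ECParameterSpec for agreement algorithm " + keyAgreementAlgorithm + ", found " + describeSpec(algorithmParameterSpec));
        }
        if (isDh && !(algorithmParameterSpec instanceof DHParameterSpec)) {
            throw new IllegalArgumentException("Expected DHParameterSpec for agreement algorithm " + keyAgreementAlgorithm + ", found " + describeSpec(algorithmParameterSpec));
        }
        try {
            Cipher staticCipher = Cipher.getInstance(cipherAlgorithm + "/CBC/NoPadding");
            try {
                this.service.sendMSESetATMutualAuth(this.wrapper, str, 1, null);
                byte[] piccNonce = doPACEStep1(secretKey, staticCipher);
                AlgorithmParameterSpec ephemeralParams = doPACEStep2(mappingType, keyAgreementAlgorithm, algorithmParameterSpec, piccNonce);
                KeyPair pcdKeyPair = doPACEStep3GenerateKeyPair(keyAgreementAlgorithm, ephemeralParams);
                PublicKey piccPublicKey = doPACEStep3ExchangePublicKeys(pcdKeyPair.getPublic(), ephemeralParams);
                byte[] sharedSecret = doPACEStep3KeyAgreement(keyAgreementAlgorithm, pcdKeyPair.getPrivate(), piccPublicKey);
                try {
                    // Mode 1 yields the key used for encryption below, mode 2 the key used to
                    // MAC the authentication tokens.
                    SecretKey encKey = Util.deriveKey(sharedSecret, cipherAlgorithm, keyLength, 1);
                    SecretKey macKey = Util.deriveKey(sharedSecret, cipherAlgorithm, keyLength, 2);
                    byte[] encryptedChipAuthData = doPACEStep4(str, mappingType, pcdKeyPair, piccPublicKey, macKey);
                    byte[] chipAuthData = null;
                    try {
                        if (cipherAlgorithm.startsWith("DESede")) {
                            this.wrapper = new DESedeSecureMessagingWrapper(encKey, macKey);
                        } else if (cipherAlgorithm.startsWith("AES")) {
                            this.wrapper = new AESSecureMessagingWrapper(encKey, macKey, this.wrapper == null ? 0L : this.wrapper.getSendSequenceCounter());
                        }
                        if (PACEInfo.MappingType.CAM.equals(mappingType)) {
                            if (encryptedChipAuthData == null) {
                                // Nothing to decrypt: log and leave chipAuthData null instead
                                // of handing a null buffer to the cipher.
                                LOGGER.severe("Encrypted Chip Authentication data is null");
                            } else {
                                try {
                                    Cipher camCipher = Cipher.getInstance("AES/CBC/NoPadding");
                                    camCipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(IV_FOR_PACE_CAM_DECRYPTION));
                                    chipAuthData = Util.unpad(camCipher.doFinal(encryptedChipAuthData));
                                    LOGGER.info("DEBUG: Including Chip Authentication data in PACE result");
                                } catch (GeneralSecurityException e) {
                                    LOGGER.log(Level.SEVERE, "Could not decrypt Chip Authentication data", (Throwable) e);
                                }
                            }
                        }
                        return new PACEResult(mappingType, keyAgreementAlgorithm, cipherAlgorithm, digestAlgorithm, keyLength, algorithmParameterSpec, piccNonce, ephemeralParams, pcdKeyPair, piccPublicKey, sharedSecret, encryptedChipAuthData, chipAuthData, this.wrapper);
                    } catch (GeneralSecurityException e2) {
                        LOGGER.severe("Exception: " + e2.getMessage());
                        throw new IllegalStateException("Security exception in secure messaging establishment: " + e2.getMessage());
                    }
                } catch (GeneralSecurityException e3) {
                    LOGGER.log(Level.SEVERE, "Security exception during secure messaging key derivation", (Throwable) e3);
                    throw new PACEException("Security exception during secure messaging key derivation: " + e3.getMessage());
                }
            } catch (CardServiceException e4) {
                throw new PACEException("PICC side error in static PACE key derivation step", e4.getSW());
            }
        } catch (GeneralSecurityException e5) {
            LOGGER.log(Level.SEVERE, "PCD side error in static cipher construction during key derivation step", (Throwable) e5);
            throw new PACEException("PCD side error in static cipher construction during key derivation step");
        }
    }

    /**
     * Step 1: requests the encrypted nonce from the chip and decrypts it with the static key.
     *
     * @param secretKey the static PACE key
     * @param cipher a CBC/NoPadding cipher for the protocol's algorithm; initialized here with
     *     an all-zero IV
     * @return the decrypted nonce (key material; do not log)
     * @throws PACEException if the chip returns an error or decryption fails
     */
    public byte[] doPACEStep1(SecretKey secretKey, Cipher cipher) throws PACEException {
        try {
            byte[] response = this.service.sendGeneralAuthenticate(this.wrapper, new byte[0], false);
            byte[] encryptedNonce = Util.unwrapDO(ISOFileInfo.DATA_BYTES1, response);
            cipher.init(Cipher.DECRYPT_MODE, secretKey, new IvParameterSpec(new byte[cipher.getBlockSize()]));
            return cipher.doFinal(encryptedNonce);
        } catch (GeneralSecurityException e) {
            LOGGER.severe("Exception: " + e.getMessage());
            throw new PACEException("PCD side exception in tranceiving nonce step: " + e.getMessage());
        } catch (CardServiceException e2) {
            throw new PACEException("PICC side exception in tranceiving nonce step", e2.getSW());
        }
    }

    /**
     * Step 2: maps the nonce to ephemeral domain parameters using the mapping the OID selects.
     * CAM and GM share the generic mapping; IM is dispatched to the (unimplemented)
     * integrated mapping.
     *
     * @param mappingType mapping selected by the OID
     * @param str key agreement algorithm name ("ECDH" or "DH")
     * @param algorithmParameterSpec static domain parameters
     * @param bArr the decrypted nonce from step 1
     * @return the ephemeral domain parameters
     * @throws PACEException if the mapping type is unsupported or the step fails
     */
    public AlgorithmParameterSpec doPACEStep2(PACEInfo.MappingType mappingType, String str, AlgorithmParameterSpec algorithmParameterSpec, byte[] bArr) throws PACEException {
        switch (mappingType) {
            case CAM:
            case GM:
                return doPACEStep2GM(str, algorithmParameterSpec, bArr);
            case IM:
                return doPACEStep2IM(str, algorithmParameterSpec, bArr);
            default:
                throw new PACEException("Unsupported mapping type " + mappingType);
        }
    }

    /**
     * Step 2, generic mapping: exchanges mapping public keys with the chip and combines the
     * resulting shared secret with the nonce into ephemeral domain parameters.
     *
     * <p>The mapping secret and the shared point are key material and are deliberately not
     * logged.
     *
     * @param str key agreement algorithm name ("ECDH" or "DH")
     * @param algorithmParameterSpec static domain parameters
     * @param bArr the decrypted nonce from step 1
     * @return the ephemeral domain parameters
     * @throws IllegalArgumentException if the algorithm is neither ECDH nor DH
     * @throws PACEException if the chip returns an error or a cryptographic operation fails
     */
    public AlgorithmParameterSpec doPACEStep2GM(String str, AlgorithmParameterSpec algorithmParameterSpec, byte[] bArr) throws PACEException {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str, BC_PROVIDER);
            keyPairGenerator.initialize(algorithmParameterSpec);
            KeyPair mappingKeyPair = keyPairGenerator.generateKeyPair();
            PublicKey pcdMappingPublicKey = mappingKeyPair.getPublic();
            PrivateKey pcdMappingPrivateKey = mappingKeyPair.getPrivate();
            KeyAgreement keyAgreement = KeyAgreement.getInstance(str);
            keyAgreement.init(pcdMappingPrivateKey);
            MyECDHKeyAgreement ecdhAgreement = null;
            if ("ECDH".equals(str)) {
                ecdhAgreement = new MyECDHKeyAgreement();
                ecdhAgreement.init((ECPrivateKey) pcdMappingPrivateKey);
            }
            byte[] request = Util.wrapDO(ISOFileInfo.DATA_BYTES2, Util.encodePublicKeyForSmartCard(pcdMappingPublicKey));
            byte[] response = this.service.sendGeneralAuthenticate(this.wrapper, request, false);
            PublicKey piccMappingPublicKey = Util.decodePublicKeyFromSmartCard(Util.unwrapDO((byte) 0x82, response), algorithmParameterSpec);
            // Run the provider's agreement for both algorithms so the chip's key passes through
            // the provider's own doPhase handling.
            keyAgreement.doPhase(piccMappingPublicKey, true);
            if ("ECDH".equals(str) && ecdhAgreement != null) {
                // ECDH needs the whole shared point, which the provider's generateSecret() does
                // not expose, hence the custom agreement.
                ECPoint sharedPoint = ecdhAgreement.doPhase((ECPublicKey) piccMappingPublicKey);
                LOGGER.info("DEBUG: calling mapNonceGMWithECDH directly");
                return Util.mapNonceGMWithECDH(Util.os2i(bArr), sharedPoint, (ECParameterSpec) algorithmParameterSpec);
            }
            if ("DH".equals(str)) {
                byte[] mappingSharedSecret = keyAgreement.generateSecret();
                return Util.mapNonceGMWithDH(Util.os2i(bArr), Util.os2i(mappingSharedSecret), (DHParameterSpec) algorithmParameterSpec);
            }
            throw new IllegalArgumentException("Unsupported parameters for mapping nonce, expected ECParameterSpec or DHParameterSpec, found " + describeSpec(algorithmParameterSpec));
        } catch (GeneralSecurityException e) {
            throw new PACEException("PCD side error in mapping nonce step: " + e.getMessage());
        } catch (CardServiceException e2) {
            throw new PACEException("PICC side exception in mapping nonce step", e2.getSW());
        }
    }

    /**
     * Step 2, integrated mapping: not implemented. After some setup this method always
     * throws.
     *
     * @param str key agreement algorithm name
     * @param algorithmParameterSpec static domain parameters
     * @param bArr the decrypted nonce from step 1
     * @return never returns normally
     * @throws PACEException always
     */
    public AlgorithmParameterSpec doPACEStep2IM(String str, AlgorithmParameterSpec algorithmParameterSpec, byte[] bArr) throws PACEException {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str, BC_PROVIDER);
            keyPairGenerator.initialize(algorithmParameterSpec);
            KeyPair mappingKeyPair = keyPairGenerator.generateKeyPair();
            KeyAgreement.getInstance(str).init(mappingKeyPair.getPrivate());
            byte[] pcdNonce = new byte[bArr.length];
            this.random.nextBytes(pcdNonce);
            pseudoRandomFunction(bArr, pcdNonce, null);
            throw new PACEException("Integrated Mapping not yet implemented");
        } catch (GeneralSecurityException e) {
            throw new PACEException("PCD side error in mapping nonce step: " + e.getMessage());
        } catch (CardServiceException e2) {
            // NOTE(review): presumably PACEException is a CardServiceException, in which case
            // the "not yet implemented" exception above is rewrapped here. Confirm the hierarchy.
            throw new PACEException("PICC side exception in mapping nonce step", e2.getSW());
        }
    }

    /**
     * Step 3b: sends the terminal's ephemeral public key and receives the chip's.
     *
     * @param publicKey the terminal's ephemeral public key
     * @param algorithmParameterSpec the ephemeral domain parameters from step 2
     * @return the chip's ephemeral public key
     * @throws PACEException if the chip returns an error, decoding fails, or the chip echoes
     *     the terminal's own public key
     */
    public PublicKey doPACEStep3ExchangePublicKeys(PublicKey publicKey, AlgorithmParameterSpec algorithmParameterSpec) throws PACEException {
        try {
            byte[] request = Util.wrapDO(ISOFileInfo.FILE_IDENTIFIER, Util.encodePublicKeyForSmartCard(publicKey));
            byte[] response = this.service.sendGeneralAuthenticate(this.wrapper, request, false);
            PublicKey piccPublicKey = Util.decodePublicKeyFromSmartCard(Util.unwrapDO((byte) 0x84, response), algorithmParameterSpec);
            // A chip that reflects our own key back must be rejected.
            // NOTE(review): if PACEException is a CardServiceException, this exception is
            // caught by the last handler below and its message replaced. Confirm.
            if (publicKey.equals(piccPublicKey)) {
                throw new PACEException("PCD's public key and PICC's public key are the same in key agreement step!");
            }
            return piccPublicKey;
        } catch (IllegalStateException e) {
            throw new PACEException("PCD side exception in key agreement step: " + e.getMessage());
        } catch (GeneralSecurityException e2) {
            throw new PACEException("PCD side exception in key agreement step: " + e2.getMessage());
        } catch (CardServiceException e3) {
            throw new PACEException("PICC side exception in key agreement step", e3.getSW());
        }
    }

    /**
     * Step 3a: generates the terminal's ephemeral key pair over the mapped parameters.
     *
     * @param str key agreement algorithm name
     * @param algorithmParameterSpec the ephemeral domain parameters from step 2
     * @return the ephemeral key pair
     * @throws PACEException if key pair generation fails
     */
    public KeyPair doPACEStep3GenerateKeyPair(String str, AlgorithmParameterSpec algorithmParameterSpec) throws PACEException {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(str, BC_PROVIDER);
            keyPairGenerator.initialize(algorithmParameterSpec);
            return keyPairGenerator.generateKeyPair();
        } catch (GeneralSecurityException e) {
            // The rethrown exception carries no cause, so keep the original in the log.
            LOGGER.log(Level.SEVERE, "PCD side error during generation of PCD key pair", (Throwable) e);
            throw new PACEException("PCD side error during generation of PCD key pair");
        }
    }

    /**
     * Step 3c: computes the shared secret from the terminal's ephemeral private key and the
     * chip's ephemeral public key.
     *
     * @param str key agreement algorithm name
     * @param privateKey the terminal's ephemeral private key
     * @param publicKey the chip's ephemeral public key
     * @return the shared secret (key material; do not log)
     * @throws PACEException if the agreement fails
     */
    public byte[] doPACEStep3KeyAgreement(String str, PrivateKey privateKey, PublicKey publicKey) throws PACEException {
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance(str, BC_PROVIDER);
            keyAgreement.init(privateKey);
            keyAgreement.doPhase(updateParameterSpec(publicKey, privateKey), true);
            return keyAgreement.generateSecret();
        } catch (GeneralSecurityException e) {
            LOGGER.log(Level.SEVERE, "PCD side error during key agreement", (Throwable) e);
            throw new PACEException("PCD side error during key agreement");
        }
    }

    /**
     * Step 4: sends the terminal's authentication token and verifies the chip's token.
     *
     * @param str the PACE protocol OID
     * @param mappingType mapping selected by the OID
     * @param keyPair the terminal's ephemeral key pair
     * @param publicKey the chip's ephemeral public key
     * @param secretKey the session MAC key
     * @return for CAM, the data object unwrapped as described in the body; otherwise
     *     {@code null}
     * @throws PACEException if the chip returns an error or its token does not verify
     */
    public byte[] doPACEStep4(String str, PACEInfo.MappingType mappingType, KeyPair keyPair, PublicKey publicKey, SecretKey secretKey) throws PACEException {
        try {
            byte[] request = Util.wrapDO(ISOFileInfo.PROP_INFO, generateAuthenticationToken(str, secretKey, publicKey));
            byte[] expectedPiccToken = generateAuthenticationToken(str, secretKey, keyPair.getPublic());
            byte[] piccToken = Util.unwrapDO((byte) 0x86, this.service.sendGeneralAuthenticate(this.wrapper, request, true));
            // Compare MAC values with a comparison that does not stop at the first mismatch.
            if (piccToken == null || !MessageDigest.isEqual(expectedPiccToken, piccToken)) {
                throw new GeneralSecurityException("PICC authentication token mismatch");
            }
            if (mappingType == PACEInfo.MappingType.CAM) {
                // NOTE(review): this unwraps from the request sent to the chip, not from the
                // chip's response. The encrypted chip authentication data would be expected in
                // the response; confirm before trusting CAM results.
                return Util.unwrapDO(ISOFileInfo.LCS_BYTE, request);
            }
            return null;
        } catch (GeneralSecurityException e) {
            throw new PACEException("PCD side exception in authentication token generation step: " + e.getMessage());
        } catch (CardServiceException e2) {
            throw new PACEException("PICC side exception in authentication token generation step", e2.getSW());
        }
    }
}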
