package org.jmrtd.protocol;

import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.util.logging.Logger;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import net.sf.scuba.smartcards.CardServiceException;
import net.sf.scuba.smartcards.ISOFileInfo;
import org.jmrtd.PassportService;
import org.jmrtd.Util;
import org.jmrtd.lds.ChipAuthenticationInfo;
import org.jmrtd.lds.ChipAuthenticationPublicKeyInfo;

/* loaded from: classes.dex */
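/**
 * Performs Chip Authentication (CA) against a chip: generates an ephemeral key pair on the
 * chip key's domain parameters, runs the key agreement, sends the ephemeral public key to the
 * chip and switches secure messaging to keys derived from the shared secret.
 *
 * <p>NOTE(review): nothing in this class checks that the chip public key is authentic;
 * presumably the caller has verified the data it was read from before calling
 * {@link #doCA} - confirm, since the outcome of CA is only as trustworthy as that key.
 */
public class CAProtocol {
    private static final Logger LOGGER = Logger.getLogger("org.jmrtd");

    private final PassportService service;

    /** Current secure messaging wrapper; replaced by {@link #doCA} on success. */
    private SecureMessagingWrapper wrapper;

    /**
     * @param passportService service used to send the CA commands to the chip
     * @param secureMessagingWrapper wrapper protecting the commands sent before the new keys exist
     */
    public CAProtocol(PassportService passportService, SecureMessagingWrapper secureMessagingWrapper) {
        this.service = passportService;
        this.wrapper = secureMessagingWrapper;
    }

    /**
     * Runs Chip Authentication and installs the resulting secure messaging wrapper.
     *
     * @param bigInteger key reference sent to the chip (presumably the chip key identifier);
     *     may be {@code null}, in which case no reference is sent in the DESede branch
     * @param str Chip Authentication protocol OID; when {@code null} a 3DES protocol is chosen
     *     from {@code str2}
     * @param str2 OID of the chip public key, only consulted when {@code str} is {@code null}
     * @param publicKey the chip's public key; must be a DH or EC key matching the protocol
     * @return the result holding the key reference, chip key, hash of the ephemeral public key,
     *     ephemeral key pair and the new wrapper
     * @throws IllegalArgumentException if {@code publicKey} is {@code null} or the key agreement
     *     algorithm is unknown or unsupported
     * @throws IllegalStateException if the cipher is neither DESede nor AES
     * @throws CardServiceException if a cryptographic operation fails (and presumably if the
     *     chip rejects a command)
     */
    public CAResult doCA(BigInteger bigInteger, String str, String str2, PublicKey publicKey) throws CardServiceException {
        if (publicKey == null) {
            throw new IllegalArgumentException("Public key is null");
        }

        String oid = str;
        if (oid == null) {
            LOGGER.info("DEBUG: OID is null, publicKeyOID = " + str2 + ", piccPublicKey.getAlgorithm() = " + publicKey.getAlgorithm());
            // Security note: with no protocol OID the 3DES variant is selected purely from
            // chip-supplied data. Callers that must enforce AES should pass an explicit OID
            // and treat a missing one as a failure rather than rely on this fallback.
            if (ChipAuthenticationPublicKeyInfo.ID_PK_ECDH.equals(str2)) {
                LOGGER.warning("Could not determine ChipAuthentication algorithm, defaulting to id-CA-ECDH-3DES-CBC-CBC");
                oid = ChipAuthenticationInfo.ID_CA_ECDH_3DES_CBC_CBC;
            } else if (ChipAuthenticationPublicKeyInfo.ID_PK_DH.equals(str2)) {
                LOGGER.warning("Could not determine ChipAuthentication algorithm, defaulting to id-CA-DH-3DES-CBC-CBC");
                oid = ChipAuthenticationInfo.ID_CA_DH_3DES_CBC_CBC;
            } else {
                // NOTE(review): oid stays null here and is handed to the lookups below;
                // whether they throw or return null is not visible in this file - confirm.
                LOGGER.severe("No ChipAuthenticationInfo and unsupported ChipAuthenticationPublicKeyInfo public key OID " + str2);
            }
        }

        String keyAgreementAlgorithm = ChipAuthenticationInfo.toKeyAgreementAlgorithm(oid);
        String cipherAlgorithm = ChipAuthenticationInfo.toCipherAlgorithm(oid);
        String digestAlgorithm = ChipAuthenticationInfo.toDigestAlgorithm(oid);
        int keyLength = ChipAuthenticationInfo.toKeyLength(oid);
        LOGGER.info("DEBUG: CA: oid = " + oid + " -> agreementAlg = " + keyAgreementAlgorithm + ", cipherAlg = " + cipherAlgorithm + ", digestAlg = " + digestAlgorithm + ", keyLength = " + keyLength);
        if (keyAgreementAlgorithm == null) {
            throw new IllegalArgumentException("Unknown agreement algorithm");
        }
        boolean useDh = "DH".equals(keyAgreementAlgorithm);
        if (!useDh && !"ECDH".equals(keyAgreementAlgorithm)) {
            throw new IllegalArgumentException("Unsupported agreement algorithm, expected ECDH or DH, found " + keyAgreementAlgorithm);
        }

        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(keyAgreementAlgorithm);
            LOGGER.info("DEBUG: Chip Authentication uses public key: " + Util.getDetailedPublicKeyAlgorithm(publicKey));

            // The ephemeral key pair must live on the same domain parameters as the chip key.
            // A key whose type does not match the OID surfaces as a ClassCastException here.
            AlgorithmParameterSpec params;
            if (useDh) {
                params = ((DHPublicKey) publicKey).getParams();
            } else {
                params = ((ECPublicKey) publicKey).getParams();
            }
            keyPairGenerator.initialize(params);
            KeyPair ephemeralKeyPair = keyPairGenerator.generateKeyPair();
            PublicKey ephemeralPublicKey = ephemeralKeyPair.getPublic();
            PrivateKey ephemeralPrivateKey = ephemeralKeyPair.getPrivate();

            KeyAgreement keyAgreement = KeyAgreement.getInstance(keyAgreementAlgorithm);
            keyAgreement.init(ephemeralPrivateKey);
            keyAgreement.doPhase(publicKey, true);
            // NOTE(review): the raw shared secret is never wiped; consider zeroing it after
            // key derivation once it is confirmed Util.deriveKey does not retain the array.
            byte[] sharedSecret = keyAgreement.generateSecret();

            byte[] encodedEphemeralKey;
            byte[] keyHash;
            if (useDh) {
                encodedEphemeralKey = ((DHPublicKey) ephemeralPublicKey).getY().toByteArray();
                // SHA-1 is used only to identify the ephemeral key in the result; presumably
                // fixed by the protocol for DH keys - confirm before changing the digest.
                keyHash = MessageDigest.getInstance("SHA1").digest(encodedEphemeralKey);
            } else {
                // Requires the generated key to come from the SpongyCastle provider.
                org.spongycastle.jce.interfaces.ECPublicKey ecEphemeralKey = (org.spongycastle.jce.interfaces.ECPublicKey) ephemeralPublicKey;
                encodedEphemeralKey = ecEphemeralKey.getQ().getEncoded();
                // Round the field size up to whole bytes: a plain "/ 8" yields one byte too
                // few for fields that are not a multiple of 8 bits (for example 521 bits).
                int fieldSizeBytes = (ecEphemeralKey.getParameters().getCurve().getFieldSize() + 7) / 8;
                keyHash = Util.alignKeyDataToSize(Util.i2os(ecEphemeralKey.getQ().getX().toBigInteger()), fieldSizeBytes);
            }

            byte[] keyReferenceDO = bigInteger != null ? Util.wrapDO((byte) 0x84, bigInteger.toByteArray()) : null;
            boolean useDesEde = cipherAlgorithm.startsWith("DESede");
            if (useDesEde) {
                this.service.sendMSEKAT(this.wrapper, Util.wrapDO((byte) 0x91, encodedEphemeralKey), keyReferenceDO);
            } else {
                if (!cipherAlgorithm.startsWith("AES")) {
                    throw new IllegalStateException("Cannot set up secure channel with cipher " + cipherAlgorithm);
                }
                this.service.sendMSESetATIntAuth(this.wrapper, oid, bigInteger);
                this.service.sendGeneralAuthenticate(this.wrapper, Util.wrapDO(ISOFileInfo.DATA_BYTES1, encodedEphemeralKey), true);
            }

            // Modes 1 and 2 yield the two session keys handed to the new wrapper.
            SecretKey firstKey = Util.deriveKey(sharedSecret, cipherAlgorithm, keyLength, 1);
            SecretKey secondKey = Util.deriveKey(sharedSecret, cipherAlgorithm, keyLength, 2);
            // The cipher was already validated above, so only DESede and AES reach this point.
            if (useDesEde) {
                this.wrapper = new DESedeSecureMessagingWrapper(firstKey, secondKey, 0L);
            } else {
                this.wrapper = new AESSecureMessagingWrapper(firstKey, secondKey, 0L);
            }
            return new CAResult(bigInteger, publicKey, keyHash, ephemeralKeyPair, this.wrapper);
        } catch (GeneralSecurityException e) {
            // Keep the message text but attach the cause so the crypto failure's stack trace
            // is not lost (assumes CardServiceException(String) leaves the cause unset).
            CardServiceException wrapped = new CardServiceException(e.toString());
            wrapped.initCause(e);
            throw wrapped;
        }
    }

    /**
     * @return the wrapper currently in use: the one passed to the constructor, or the one
     *     installed by the last successful {@link #doCA} call
     */
    public SecureMessagingWrapper getWrapper() {
        return this.wrapper;
    }
}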
