package androidx.security.identity;

import android.content.Context;
import android.icu.util.Calendar;
import android.util.Pair;
import androidx.annotation.NonNull;
import androidx.annotation.Nullable;
import androidx.biometric.BiometricPrompt;
import androidx.security.identity.PersonalizationData;
import androidx.security.identity.SimpleResultData;
import f.a;
import f.b;
import f.d;
import g.c;
import j.f;
import j.k;
import j.u;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPoint;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes.dex */
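/**
 * Software-backed {@link IdentityCredential} built on top of a {@link CredentialData} store.
 *
 * <p>Responsibilities, all performed in-process:
 * <ul>
 *   <li>session encryption: ECDH between the ephemeral P-256 key pair from
 *       {@link #createEphemeralKeyPair()} and the reader's ephemeral public key, HKDF-SHA256
 *       (salted with SHA-256 of the tagged SessionTranscript) into two AES-256 keys, and
 *       AES-GCM with a 12-byte counter nonce per direction;</li>
 *   <li>reader authentication: COSE_Sign1 check of the reader signature over
 *       {@code ReaderAuthentication} and extraction of the reader's x5chain;</li>
 *   <li>access control: per-entry evaluation of the credential's access-control profiles
 *       (user authentication via the per-reader session key, reader authentication via
 *       certificate public-key match);</li>
 *   <li>device authentication: ECDSA (SHA256withECDSA) COSE_Sign1 over
 *       {@code DeviceAuthentication} with a selected authentication key.</li>
 * </ul>
 *
 * <p>{@link #loadData()} must have succeeded before any method that touches the credential data
 * is called; otherwise those methods fail with a {@code NullPointerException}.
 *
 * <p>Not thread-safe: all per-session state (session keys, nonce counters, cached user-auth
 * result, selected auth key) lives in mutable instance fields.
 */
class SoftwareIdentityCredential extends IdentityCredential {
    private static final String TAG = "SWIdentityCredential";

    /** The only cipher suite this implementation accepts (see the constructor). */
    private static final int SUPPORTED_CIPHER_SUITE = 1;

    // Per-entry status codes handed to SimpleResultData.Builder.addErrorStatus(). The numeric
    // values are exactly the ones this class emits; they are presumably the ResultData.STATUS_*
    // constants — confirm against ResultData before relying on the names elsewhere.
    private static final int STATUS_OK = 0;
    private static final int STATUS_NO_SUCH_ENTRY = 1;
    private static final int STATUS_NOT_IN_REQUEST_MESSAGE = 3;
    private static final int STATUS_USER_AUTHENTICATION_FAILED = 4;
    private static final int STATUS_READER_AUTHENTICATION_FAILED = 5;
    private static final int STATUS_NO_ACCESS_CONTROL_PROFILES = 6;

    // HKDF "info" labels for the two session keys: the ASCII bytes of "SKDevice" / "SKReader".
    private static final byte[] HKDF_INFO_SK_DEVICE = {'S', 'K', 'D', 'e', 'v', 'i', 'c', 'e'};
    private static final byte[] HKDF_INFO_SK_READER = {'S', 'K', 'R', 'e', 'a', 'd', 'e', 'r'};
    /** Session key length in bytes (32 bytes, i.e. AES-256). */
    private static final int SESSION_KEY_LENGTH = 32;

    /** AES-GCM authentication tag length in bits. */
    private static final int GCM_TAG_LENGTH_BITS = 128;
    /** Nonce "identifier" word selecting the direction the nonce belongs to. */
    private static final int NONCE_IDENTIFIER_READER_TO_DEVICE = 0;
    private static final int NONCE_IDENTIFIER_DEVICE_TO_READER = 1;

    private final Context mContext;
    private final String mCredentialName;
    // Set by loadData(); replaced wholesale by update().
    private CredentialData mData;
    // Message counters for the device->reader (mSKDevice) and reader->device (mSKReader)
    // directions; each is the last 4 bytes of the GCM nonce and starts at 1 per session.
    private int mSKDeviceCounter;
    private int mSKReaderCounter;
    private KeyPair mEphemeralKeyPair = null;
    private SecretKey mSKDevice = null;
    private SecretKey mSKReader = null;
    // Static authentication data associated with the selected auth key (mAuthKey).
    private byte[] mAuthKeyAssociatedData = null;
    private PrivateKey mAuthKey = null;
    private BiometricPrompt.CryptoObject mCryptoObject = null;
    private PublicKey mReaderEphemeralPublicKey = null;
    private byte[] mSessionTranscript = null;
    public boolean mAllowUsingExhaustedKeys = true;
    public boolean mAllowUsingExpiredKeys = false;
    // didUserAuth() is evaluated at most once per instance; these hold the cached result.
    private boolean mDidUserAuthResult = false;
    private boolean mDidUserAuthAlreadyCalled = false;

    /**
     * Creates a credential handle; call {@link #loadData()} afterwards to load its data.
     *
     * @param context        application context used for credential storage
     * @param credentialName name of the credential in the store
     * @param cipherSuite    requested cipher suite; only {@code 1} is supported
     * @throws CipherSuiteNotSupportedException if {@code cipherSuite} is not {@code 1}
     */
    public SoftwareIdentityCredential(Context context, String credentialName, int cipherSuite) {
        if (cipherSuite != SUPPORTED_CIPHER_SUITE) {
            throw new CipherSuiteNotSupportedException("Unsupported Cipher Suite");
        }
        this.mContext = context;
        this.mCredentialName = credentialName;
    }

    /**
     * Evaluates the access-control profiles of one entry.
     *
     * <p>Access is granted as soon as any profile passes. If none passes, the status of the last
     * profile evaluated is returned; with no profiles at all the entry is unreachable and
     * {@link #STATUS_NO_ACCESS_CONTROL_PROFILES} is returned.
     *
     * @param profileIds      ids of the profiles attached to the entry
     * @param readerCertChain the verified reader certificate chain, or {@code null} if the
     *                        request was not signed
     * @return {@link #STATUS_OK} or the failing status code
     */
    private int checkAccess(Collection<AccessControlProfileId> profileIds,
                            Collection<X509Certificate> readerCertChain) {
        int status = STATUS_NO_ACCESS_CONTROL_PROFILES;
        for (AccessControlProfileId profileId : profileIds) {
            AccessControlProfile profile = this.mData.getAccessControlProfile(profileId);
            status = checkAccessSingleProfile(profile, readerCertChain);
            if (status == STATUS_OK) {
                break;
            }
        }
        return status;
    }

    /**
     * Evaluates a single access-control profile: user authentication (if the profile requires
     * it) followed by reader authentication (if the profile carries a reader certificate).
     *
     * <p>Reader authentication passes when the profile's reader certificate public key equals
     * the public key of <em>any</em> certificate in the (already signature-validated) chain,
     * not only the leaf. A profile pinned to a CA key therefore accepts every reader whose chain
     * includes that CA — presumably intended, but worth keeping in mind when provisioning.
     *
     * @param profile         the profile to evaluate
     * @param readerCertChain verified reader chain, or {@code null} for an unsigned request
     * @return {@link #STATUS_OK}, {@link #STATUS_USER_AUTHENTICATION_FAILED} or
     *         {@link #STATUS_READER_AUTHENTICATION_FAILED}
     */
    private int checkAccessSingleProfile(AccessControlProfile profile,
                                         Collection<X509Certificate> readerCertChain) {
        if (profile.isUserAuthenticationRequired()
                && !this.mData.checkUserAuthentication(profile.getAccessControlProfileId(), didUserAuth())) {
            return STATUS_USER_AUTHENTICATION_FAILED;
        }
        X509Certificate profileReaderCert = profile.getReaderCertificate();
        if (profileReaderCert != null) {
            // An unsigned request can never satisfy a reader-authenticated profile.
            if (readerCertChain == null) {
                return STATUS_READER_AUTHENTICATION_FAILED;
            }
            byte[] profileReaderKey = profileReaderCert.getPublicKey().getEncoded();
            boolean keyFound = false;
            for (X509Certificate chainCert : readerCertChain) {
                if (Arrays.equals(profileReaderKey, chainCert.getPublicKey().getEncoded())) {
                    keyFound = true;
                    break;
                }
            }
            if (!keyFound) {
                return STATUS_READER_AUTHENTICATION_FAILED;
            }
        }
        return STATUS_OK;
    }

    /**
     * Deletes the named credential from the store without a challenge.
     *
     * @param context        application context
     * @param credentialName name of the credential to delete
     * @return whatever {@link CredentialData#delete} returns (presumably the proof of deletion)
     */
    public static byte[] delete(Context context, String credentialName) {
        return CredentialData.delete(context, credentialName, null);
    }

    /**
     * Returns whether the user authenticated for this session, evaluating
     * {@link #didUserAuthNoCache()} only once and caching the result.
     */
    private boolean didUserAuth() {
        if (!this.mDidUserAuthAlreadyCalled) {
            this.mDidUserAuthResult = didUserAuthNoCache();
            this.mDidUserAuthAlreadyCalled = true;
        }
        return this.mDidUserAuthResult;
    }

    /**
     * Probes the {@link BiometricPrompt.CryptoObject} cipher by encrypting a 16-byte block:
     * success is taken as "the user authenticated", a padding/block-size failure as "not
     * authenticated". Presumably the per-reader session key is an auth-bound keystore key, so the
     * operation only succeeds after the prompt unlocked it — verify against CredentialData.
     * Note this consumes the cipher's current operation.
     */
    private boolean didUserAuthNoCache() {
        BiometricPrompt.CryptoObject cryptoObject = this.mCryptoObject;
        if (cryptoObject == null) {
            return false;
        }
        try {
            cryptoObject.getCipher().doFinal(new byte[16]);
            return true;
        } catch (BadPaddingException | IllegalBlockSizeException notAuthenticated) {
            return false;
        }
    }

    /**
     * Selects an authentication key (honouring {@link #mAllowUsingExhaustedKeys} and
     * {@link #mAllowUsingExpiredKeys}) on first use and keeps it for the rest of the session.
     *
     * @throws NoAuthenticationKeyAvailableException if no usable key exists
     */
    private void ensureAuthKey() {
        if (this.mAuthKey != null) {
            return;
        }
        Pair<PrivateKey, byte[]> selected = this.mData.selectAuthenticationKey(
                this.mAllowUsingExhaustedKeys, this.mAllowUsingExpiredKeys);
        if (selected == null) {
            throw new NoAuthenticationKeyAvailableException("No authentication key available for signing");
        }
        this.mAuthKey = (PrivateKey) selected.first;
        this.mAuthKeyAssociatedData = (byte[]) selected.second;
    }

    /**
     * Builds a fresh AES/GCM/NoPadding encrypt cipher over the per-reader session key from the
     * AndroidKeyStore and wraps it in a {@link BiometricPrompt.CryptoObject}. A new cipher is
     * created on every call. Does nothing if the credential has no per-reader session key alias.
     *
     * @throws RuntimeException if the alias is missing from the keystore or the cipher cannot be
     *                          initialised
     */
    private void ensureCryptoObject() {
        String keyAlias = this.mData.getPerReaderSessionKeyAlias();
        if (keyAlias.isEmpty()) {
            return;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            KeyStore.Entry entry = keyStore.getEntry(keyAlias, null);
            // getEntry() returns null for an unknown alias; fail with a clear message instead
            // of a NullPointerException/ClassCastException.
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw new RuntimeException("perReaderSessionKey not found in AndroidKeyStore");
            }
            SecretKey sessionKey = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, sessionKey);
            this.mCryptoObject = new BiometricPrompt.CryptoObject(cipher);
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException
                | UnrecoverableEntryException | CertificateException | NoSuchPaddingException e) {
            throw new RuntimeException("Error creating Cipher for perReaderSessionKey", e);
        }
    }

    /**
     * Derives the session keys on first use:
     * <pre>
     *   Z       = ECDH(our ephemeral private key, reader ephemeral public key)
     *   salt    = SHA-256(cbor(#6.24(SessionTranscript)))
     *   SKDevice = HKDF-SHA256(Z, salt, "SKDevice", 32)
     *   SKReader = HKDF-SHA256(Z, salt, "SKReader", 32)
     * </pre>
     * and resets both nonce counters to 1. Subsequent calls are no-ops, so the counters keep
     * advancing for the lifetime of the session.
     *
     * @throws RuntimeException if the ephemeral key pair, reader key or transcript is missing, or
     *                          key agreement fails
     */
    private void ensureSessionEncryptionKey() {
        if (this.mSKDevice != null) {
            return;
        }
        if (this.mEphemeralKeyPair == null) {
            throw new RuntimeException("Ephemeral key pair not created");
        }
        if (this.mReaderEphemeralPublicKey == null) {
            throw new RuntimeException("Reader ephemeral key not set");
        }
        if (this.mSessionTranscript == null) {
            throw new RuntimeException("Session transcript not set");
        }
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
            keyAgreement.init(this.mEphemeralKeyPair.getPrivate());
            keyAgreement.doPhase(this.mReaderEphemeralPublicKey, true);
            byte[] sharedSecret = keyAgreement.generateSecret();
            byte[] salt = MessageDigest.getInstance("SHA-256").digest(
                    Util.cborEncode(Util.cborBuildTaggedByteString(this.mSessionTranscript)));
            this.mSKDevice = new SecretKeySpec(
                    Util.computeHkdf("HmacSha256", sharedSecret, salt, HKDF_INFO_SK_DEVICE, SESSION_KEY_LENGTH),
                    "AES");
            this.mSKReader = new SecretKeySpec(
                    Util.computeHkdf("HmacSha256", sharedSecret, salt, HKDF_INFO_SK_READER, SESSION_KEY_LENGTH),
                    "AES");
            this.mSKDeviceCounter = 1;
            this.mSKReaderCounter = 1;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Error performing key agreement", e);
        }
    }

    /**
     * Heuristic check that the SessionTranscript binds our ephemeral public key: it looks for
     * the raw big-endian X or Y coordinate (leading zeroes stripped) as a sub-array of the
     * transcript bytes. Either coordinate matching is accepted.
     *
     * @return {@code false} if no ephemeral key pair exists yet or neither coordinate is found
     */
    private boolean hasEphemeralKeyInSessionTranscript(@NonNull byte[] sessionTranscript) {
        KeyPair ephemeralKeyPair = this.mEphemeralKeyPair;
        if (ephemeralKeyPair == null) {
            return false;
        }
        ECPoint point = ((ECPublicKey) ephemeralKeyPair.getPublic()).getW();
        byte[] x = Util.stripLeadingZeroes(point.getAffineX().toByteArray());
        byte[] y = Util.stripLeadingZeroes(point.getAffineY().toByteArray());
        return Util.hasSubByteArray(sessionTranscript, x) || Util.hasSubByteArray(sessionTranscript, y);
    }

    /**
     * Parses the CBOR request message and returns, per namespace, the entry names it requests.
     *
     * <p>The message must be a single CBOR map whose {@code "nameSpaces"} key maps to
     * {@code {namespace: {entryName: ...}}} with text-string keys; only the keys are used.
     *
     * @param requestMessage encoded request, or {@code null}
     * @return namespace → requested entry names; empty for a {@code null} message
     * @throws RuntimeException if the message is not well-formed as described
     */
    private static HashMap<String, Collection<String>> parseRequestMessage(@Nullable byte[] requestMessage) {
        HashMap<String, Collection<String>> requested = new HashMap<>();
        if (requestMessage == null) {
            return requested;
        }
        try {
            List<f> items = new b(new ByteArrayInputStream(requestMessage)).a();
            if (items.size() != 1) {
                throw new RuntimeException("Expected 1 item, found " + items.size());
            }
            if (!(items.get(0) instanceof k)) {
                throw new RuntimeException("Item is not a map");
            }
            f nameSpaces = ((k) items.get(0)).i(new u("nameSpaces"));
            if (!(nameSpaces instanceof k)) {
                throw new RuntimeException("nameSpaces entry not found or not map");
            }
            k nameSpacesMap = (k) nameSpaces;
            for (f namespaceKey : nameSpacesMap.j()) {
                if (!(namespaceKey instanceof u)) {
                    throw new RuntimeException("Key item in NameSpaces map not UnicodeString");
                }
                String namespaceName = ((u) namespaceKey).i();
                f entries = nameSpacesMap.i(namespaceKey);
                if (!(entries instanceof k)) {
                    throw new RuntimeException("Value item in NameSpaces map not Map");
                }
                ArrayList<String> entryNames = new ArrayList<>();
                for (f entryKey : ((k) entries).j()) {
                    if (!(entryKey instanceof u)) {
                        throw new RuntimeException("Item in nameSpaces array not UnicodeString");
                    }
                    entryNames.add(((u) entryKey).i());
                }
                requested.put(namespaceName, entryNames);
            }
            return requested;
        } catch (d e) {
            throw new RuntimeException("Error decoding request message", e);
        }
    }

    /**
     * Releases the requested entries namespace by namespace into {@code resultBuilder} and the
     * DeviceNameSpaces CBOR being built in {@code deviceNameSpacesBuilder}.
     *
     * @param requestMessage         raw request, or {@code null} if none was supplied
     * @param requestedFromMessage   entries named by the request message (from
     *                               {@link #parseRequestMessage})
     * @param readerCertChain        verified reader chain, or {@code null}
     * @param entriesToRequest       namespace → entry names the caller asks for
     * @param resultBuilder          receives values and per-entry error statuses
     * @param deviceNameSpacesBuilder CBOR map builder for DeviceNameSpaces
     */
    private void retrieveValues(byte[] requestMessage,
                                HashMap<String, Collection<String>> requestedFromMessage,
                                Collection<X509Certificate> readerCertChain,
                                Map<String, Collection<String>> entriesToRequest,
                                SimpleResultData.Builder resultBuilder,
                                c<a> deviceNameSpacesBuilder) {
        for (Map.Entry<String, Collection<String>> namespace : entriesToRequest.entrySet()) {
            String namespaceName = namespace.getKey();
            retrieveValuesForNamespace(resultBuilder, deviceNameSpacesBuilder, namespace.getValue(),
                    requestMessage, requestedFromMessage.get(namespaceName), readerCertChain,
                    namespaceName, this.mData.lookupNamespaceData(namespaceName));
        }
    }

    /**
     * Releases the entries of one namespace. For each requested entry, in order:
     * missing value → {@link #STATUS_NO_SUCH_ENTRY}; a request message was supplied but does not
     * name the entry → {@link #STATUS_NOT_IN_REQUEST_MESSAGE}; access-control evaluation fails →
     * that status; otherwise the value is added to the result and to the DeviceNameSpaces map.
     * Exactly one of addEntry/addErrorStatus is called per entry.
     *
     * @param entriesInRequestMessage entries the request message names for this namespace, or
     *                                {@code null} if the message does not mention the namespace
     * @param namespaceData           stored data for the namespace, or {@code null} if unknown
     */
    private void retrieveValuesForNamespace(SimpleResultData.Builder resultBuilder,
                                            c<a> deviceNameSpacesBuilder,
                                            Collection<String> entriesToRequest,
                                            byte[] requestMessage,
                                            Collection<String> entriesInRequestMessage,
                                            Collection<X509Certificate> readerCertChain,
                                            String namespaceName,
                                            PersonalizationData.NamespaceData namespaceData) {
        // Opened lazily so namespaces with no released entry do not appear in DeviceNameSpaces.
        c<c<a>> namespaceMapBuilder = null;
        for (String entryName : entriesToRequest) {
            byte[] value = namespaceData != null ? namespaceData.getEntryValue(entryName) : null;
            if (value == null) {
                resultBuilder.addErrorStatus(namespaceName, entryName, STATUS_NO_SUCH_ENTRY);
                continue;
            }
            // When a request message is supplied, only entries it lists may be released, so a
            // reader signature over that message covers exactly what is returned.
            if (requestMessage != null
                    && (entriesInRequestMessage == null || !entriesInRequestMessage.contains(entryName))) {
                resultBuilder.addErrorStatus(namespaceName, entryName, STATUS_NOT_IN_REQUEST_MESSAGE);
                continue;
            }
            int status = checkAccess(namespaceData.getAccessControlProfileIds(entryName), readerCertChain);
            if (status != STATUS_OK) {
                resultBuilder.addErrorStatus(namespaceName, entryName, status);
                continue;
            }
            resultBuilder.addEntry(namespaceName, entryName, value);
            if (namespaceMapBuilder == null) {
                namespaceMapBuilder = deviceNameSpacesBuilder.p(namespaceName);
            }
            namespaceMapBuilder.i(new u(entryName), Util.cborDecode(value));
        }
    }

    /**
     * Returns the session's ephemeral EC key pair on curve prime256v1 (P-256), generating it on
     * first call and returning the same pair afterwards.
     *
     * @throws RuntimeException if the platform cannot generate P-256 keys
     */
    @Override
    @NonNull
    public KeyPair createEphemeralKeyPair() {
        if (this.mEphemeralKeyPair == null) {
            try {
                KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
                generator.initialize(new ECGenParameterSpec("prime256v1"));
                this.mEphemeralKeyPair = generator.generateKeyPair();
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
                throw new RuntimeException("Error generating ephemeral key", e);
            }
        }
        return this.mEphemeralKeyPair;
    }

    /**
     * Builds the 12-byte AES-GCM nonce: four zero bytes, the four-byte direction identifier and
     * the four-byte big-endian message counter for that direction.
     */
    private static byte[] buildNonce(int identifier, int counter) {
        ByteBuffer nonce = ByteBuffer.allocate(12);
        nonce.putInt(0, 0);
        nonce.putInt(4, identifier);
        nonce.putInt(8, counter);
        return nonce.array();
    }

    /**
     * Decrypts and authenticates a message from the reader with SKReader and the reader→device
     * nonce for the current reader counter. The counter advances only after a successful
     * decryption, so a tampered or replayed message does not desynchronise the session.
     *
     * @throws MessageDecryptionException on authentication/decryption failure
     */
    @Override
    @NonNull
    public byte[] decryptMessageFromReader(@NonNull byte[] messageCiphertext) {
        ensureSessionEncryptionKey();
        byte[] nonce = buildNonce(NONCE_IDENTIFIER_READER_TO_DEVICE, this.mSKReaderCounter);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, this.mSKReader, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, nonce));
            byte[] plaintext = cipher.doFinal(messageCiphertext);
            this.mSKReaderCounter++;
            return plaintext;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException
                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new MessageDecryptionException("Error decrypting message", e);
        }
    }

    /**
     * Deletes this credential, producing a proof of deletion bound to {@code challenge}.
     */
    @Override
    @NonNull
    public byte[] delete(@NonNull byte[] challenge) {
        return CredentialData.delete(this.mContext, this.mCredentialName, challenge);
    }

    /**
     * Encrypts a message to the reader with SKDevice and the device→reader nonce for the current
     * device counter; the counter advances after each successful encryption so no nonce is reused
     * under the same key.
     *
     * @throws RuntimeException if the cipher cannot be set up or the encryption fails
     */
    @Override
    @NonNull
    public byte[] encryptMessageToReader(@NonNull byte[] messagePlaintext) {
        ensureSessionEncryptionKey();
        try {
            byte[] nonce = buildNonce(NONCE_IDENTIFIER_DEVICE_TO_READER, this.mSKDeviceCounter);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, this.mSKDevice, new GCMParameterSpec(GCM_TAG_LENGTH_BITS, nonce));
            byte[] ciphertext = cipher.doFinal(messagePlaintext);
            this.mSKDeviceCounter++;
            return ciphertext;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException
                | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException("Error encrypting message", e);
        }
    }

    /** Delegates to {@link CredentialData#getAuthKeysNeedingCertification()}. */
    @Override
    @NonNull
    public Collection<X509Certificate> getAuthKeysNeedingCertification() {
        return this.mData.getAuthKeysNeedingCertification();
    }

    /** Delegates to {@link CredentialData#getAuthKeyUseCounts()}. */
    @Override
    @NonNull
    public int[] getAuthenticationDataUsageCount() {
        return this.mData.getAuthKeyUseCounts();
    }

    /** Delegates to {@link CredentialData#getCredentialKeyCertificateChain()}. */
    @Override
    @NonNull
    public Collection<X509Certificate> getCredentialKeyCertificateChain() {
        return this.mData.getCredentialKeyCertificateChain();
    }

    /**
     * Returns the {@link BiometricPrompt.CryptoObject} to authenticate with, or {@code null} if
     * the credential has no per-reader session key. See {@link #ensureCryptoObject()}.
     */
    @Override
    @Nullable
    public BiometricPrompt.CryptoObject getCryptoObject() {
        ensureCryptoObject();
        return this.mCryptoObject;
    }

    /**
     * Retrieves entries, enforcing reader authentication and access control, and (when a
     * SessionTranscript is set) signs the DeviceAuthentication structure.
     *
     * <p>Order of checks: the SessionTranscript (if set) must contain our ephemeral key; the
     * request message is parsed; if {@code readerSignature} is present it is verified (which
     * requires both a SessionTranscript and a request message); entries are then released per
     * {@link #retrieveValuesForNamespace}. Without a SessionTranscript the result carries no
     * static authentication data and no signature.
     *
     * @param requestMessage   CBOR request the reader signed, or {@code null}
     * @param entriesToRequest namespace → entry names to release
     * @param readerSignature  COSE_Sign1 over ReaderAuthentication, or {@code null}
     * @throws EphemeralPublicKeyNotFoundException if the transcript does not bind our key
     * @throws InvalidReaderSignatureException    if the reader signature cannot be verified
     * @throws NoAuthenticationKeyAvailableException if signing is required but no key is usable
     * @throws RuntimeException on CBOR encoding or signing errors
     */
    @Override
    @NonNull
    public ResultData getEntries(@Nullable byte[] requestMessage,
                                 @NonNull Map<String, Collection<String>> entriesToRequest,
                                 @Nullable byte[] readerSignature) {
        // A transcript that does not bind our ephemeral key would let signatures over it be
        // relayed to a different session.
        if (this.mSessionTranscript != null && !hasEphemeralKeyInSessionTranscript(this.mSessionTranscript)) {
            throw new EphemeralPublicKeyNotFoundException("Did not find ephemeral public key X and Y coordinates in SessionTranscript (make sure leading zeroes are not used)");
        }
        HashMap<String, Collection<String>> requestedFromMessage = parseRequestMessage(requestMessage);
        Collection<X509Certificate> readerCertChain =
                readerSignature == null ? null : verifyReaderSignature(requestMessage, readerSignature);

        SimpleResultData.Builder resultBuilder = new SimpleResultData.Builder();
        a deviceNameSpacesBuilder = new a();
        retrieveValues(requestMessage, requestedFromMessage, readerCertChain, entriesToRequest,
                resultBuilder, deviceNameSpacesBuilder.l());

        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        try {
            new f.c(encoded).a(deviceNameSpacesBuilder.m().get(0));
            byte[] deviceNameSpacesBytes = encoded.toByteArray();
            resultBuilder.setAuthenticatedData(deviceNameSpacesBytes);
            if (this.mSessionTranscript != null) {
                ensureAuthKey();
                resultBuilder.setStaticAuthenticationData(this.mAuthKeyAssociatedData);
                resultBuilder.setEcdsaSignature(signDeviceAuthentication(deviceNameSpacesBytes));
            }
            return resultBuilder.build();
        } catch (d e) {
            throw new RuntimeException("Error encoding deviceNameSpace", e);
        }
    }

    /**
     * Verifies the COSE_Sign1 reader signature over
     * {@code ReaderAuthentication = ["ReaderAuthentication", SessionTranscript,
     * #6.24(ItemsRequestBytes)]} and returns the reader chain from its x5chain header.
     *
     * <p>The chain is checked by {@link Util#validateCertificateChain} and the signature with the
     * first certificate's public key. Whether the chain is anchored to a trust root is decided by
     * that helper (not visible here); per-entry trust is enforced by the access-control profiles'
     * reader certificates in {@link #checkAccessSingleProfile}.
     *
     * @throws InvalidReaderSignatureException if preconditions or verification fail
     */
    private Collection<X509Certificate> verifyReaderSignature(@Nullable byte[] requestMessage,
                                                              @NonNull byte[] readerSignature) {
        if (this.mSessionTranscript == null) {
            throw new InvalidReaderSignatureException("readerSignature non-null but sessionTranscript was null");
        }
        if (requestMessage == null) {
            throw new InvalidReaderSignatureException("readerSignature non-null but requestMessage was null");
        }
        f coseSign1 = Util.cborDecode(readerSignature);
        Collection<X509Certificate> readerCertChain = Util.coseSign1GetX5Chain(coseSign1);
        if (readerCertChain.size() < 1) {
            throw new InvalidReaderSignatureException("No x5chain element in reader signature");
        }
        if (!Util.validateCertificateChain(readerCertChain)) {
            throw new InvalidReaderSignatureException("Error validating certificate chain");
        }
        byte[] readerAuthenticationBytes = Util.cborEncode(Util.cborBuildTaggedByteString(Util.cborEncode(
                new a().k()
                        .h("ReaderAuthentication")
                        .g(Util.cborDecode(this.mSessionTranscript))
                        .g(Util.cborBuildTaggedByteString(requestMessage))
                        .l().m().get(0))));
        PublicKey readerKey = readerCertChain.iterator().next().getPublicKey();
        if (!Util.coseSign1CheckSignature(coseSign1, readerAuthenticationBytes, readerKey)) {
            throw new InvalidReaderSignatureException("Reader signature check failed");
        }
        return readerCertChain;
    }

    /**
     * Signs {@code DeviceAuthentication = ["DeviceAuthentication", SessionTranscript, DocType,
     * #6.24(DeviceNameSpacesBytes)]} with the selected auth key (SHA256withECDSA) as a detached
     * COSE_Sign1 and returns its CBOR encoding. {@link #ensureAuthKey()} must have run.
     *
     * @throws RuntimeException if the signature cannot be produced
     */
    private byte[] signDeviceAuthentication(@NonNull byte[] deviceNameSpacesBytes) throws d {
        byte[] deviceAuthenticationBytes = Util.cborEncode(Util.cborBuildTaggedByteString(Util.cborEncode(
                new a().k()
                        .h("DeviceAuthentication")
                        .g(Util.cborDecode(this.mSessionTranscript))
                        .h(this.mData.getDocType())
                        .g(Util.cborBuildTaggedByteString(deviceNameSpacesBytes))
                        .l().m().get(0))));
        try {
            Signature signer = Signature.getInstance("SHA256withECDSA");
            signer.initSign(this.mAuthKey);
            return Util.cborEncode(Util.coseSign1Sign(signer, (byte[]) null, deviceAuthenticationBytes,
                    (Collection<X509Certificate>) null));
        } catch (InvalidKeyException | NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new RuntimeException("Error signing DeviceAuthentication CBOR", e);
        }
    }

    /**
     * Loads the credential data from the store.
     *
     * @return {@code false} if {@link CredentialData#loadCredentialData} returned {@code null}
     *         (presumably: no credential with this name)
     */
    public boolean loadData() {
        CredentialData loaded = CredentialData.loadCredentialData(this.mContext, this.mCredentialName);
        this.mData = loaded;
        return loaded != null;
    }

    /** Delegates to {@link CredentialData#proveOwnership(byte[])}. */
    @Override
    @NonNull
    public byte[] proveOwnership(@NonNull byte[] challenge) {
        return this.mData.proveOwnership(challenge);
    }

    /** Controls whether {@link #ensureAuthKey()} may pick a key whose use count is exhausted. */
    @Override
    public void setAllowUsingExhaustedKeys(boolean allow) {
        this.mAllowUsingExhaustedKeys = allow;
    }

    /** Controls whether {@link #ensureAuthKey()} may pick an expired key. */
    @Override
    public void setAllowUsingExpiredKeys(boolean allow) {
        this.mAllowUsingExpiredKeys = allow;
    }

    /** Delegates to {@link CredentialData#setAvailableAuthenticationKeys(int, int)}. */
    @Override
    public void setAvailableAuthenticationKeys(int keyCount, int maxUsesPerKey) {
        this.mData.setAvailableAuthenticationKeys(keyCount, maxUsesPerKey);
    }

    /**
     * Stores the reader's ephemeral public key for {@link #ensureSessionEncryptionKey()}.
     * Has no effect on already-derived session keys.
     */
    @Override
    public void setReaderEphemeralPublicKey(@NonNull PublicKey readerEphemeralPublicKey) {
        this.mReaderEphemeralPublicKey = readerEphemeralPublicKey;
    }

    /**
     * Sets the SessionTranscript (stored as a defensive copy). It may be set only once per
     * instance, since the session keys are derived from it.
     *
     * @throws RuntimeException if a transcript was already set
     */
    @Override
    public void setSessionTranscript(@NonNull byte[] sessionTranscript) {
        if (this.mSessionTranscript != null) {
            throw new RuntimeException("SessionTranscript already set");
        }
        this.mSessionTranscript = (byte[]) sessionTranscript.clone();
    }

    /** Delegates to {@link CredentialData#storeStaticAuthenticationData} with an expiration. */
    @Override
    public void storeStaticAuthenticationData(@NonNull X509Certificate authenticationKey,
                                              @NonNull Calendar expirationDate,
                                              @NonNull byte[] staticAuthData) {
        this.mData.storeStaticAuthenticationData(authenticationKey, expirationDate, staticAuthData);
    }

    /** Delegates to {@link CredentialData#storeStaticAuthenticationData} without an expiration. */
    @Override
    public void storeStaticAuthenticationData(@NonNull X509Certificate authenticationKey,
                                              @NonNull byte[] staticAuthData) {
        this.mData.storeStaticAuthenticationData(authenticationKey, null, staticAuthData);
    }

    /**
     * Re-provisions the credential with new personalization data, keeping its doc type,
     * credential key and auth-key settings, and returns the signed ProofOfProvisioning.
     *
     * <p>Note the order: the old auth keys are deleted ({@code deleteKeysForReplacement}) before
     * the new {@link CredentialData} is created, so a failure in between leaves the credential
     * without auth keys — presumably acceptable because callers re-provision afterwards; confirm.
     *
     * @throws RuntimeException if SHA-256 is unavailable
     */
    @Override
    @NonNull
    public byte[] update(@NonNull PersonalizationData personalizationData) {
        try {
            String docType = this.mData.getDocType();
            Collection<X509Certificate> credentialKeyCertChain = this.mData.getCredentialKeyCertificateChain();
            PrivateKey credentialKeyPrivate = this.mData.getCredentialKeyPrivate();
            int authKeyCount = this.mData.getAuthKeyCount();
            int authMaxUsesPerKey = this.mData.getAuthMaxUsesPerKey();
            f proofOfProvisioning = SoftwareWritableIdentityCredential.buildProofOfProvisioningWithSignature(
                    docType, personalizationData, credentialKeyPrivate);
            byte[] proofOfProvisioningSha256 = MessageDigest.getInstance("SHA-256")
                    .digest(Util.coseSign1GetData(proofOfProvisioning));
            this.mData.deleteKeysForReplacement();
            String alias = CredentialData.getAliasFromCredentialName(this.mCredentialName);
            CredentialData newData = CredentialData.createCredentialData(this.mContext, docType,
                    this.mCredentialName, alias, credentialKeyCertChain, personalizationData,
                    proofOfProvisioningSha256, true);
            this.mData = newData;
            newData.setAvailableAuthenticationKeys(authKeyCount, authMaxUsesPerKey);
            return Util.cborEncode(proofOfProvisioning);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Error digesting ProofOfProvisioning", e);
        }
    }
}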
