package com.fido.fido2.client.logical;

import android.util.Log;
import co.nstant.in.cbor.CborException;
import com.fido.fido2.client.logical.transport.ITransport;
import com.fido.fido2.client.logical.transport.ble.BleTransport;
import com.fido.fido2.client.logical.transport.usb.HidTransport;
import com.fido.fido2.param.authenticator.AttestationData;
import com.fido.fido2.param.authenticator.AttestationObject;
import com.fido.fido2.param.authenticator.AuthenticatorData;
import com.fido.fido2.param.authenticator.FidoU2fAttestationStatement;
import com.fido.fido2.param.authenticator.U2FAuthRequest;
import com.fido.fido2.param.authenticator.U2FAuthResponse;
import com.fido.fido2.param.authenticator.U2FRegRequest;
import com.fido.fido2.param.authenticator.U2FRegResponse;
import com.fido.fido2.param.authenticator.U2FStatus;
import com.fido.fido2.param.client.AuthenticatorAssertionResponse;
import com.fido.fido2.param.client.AuthenticatorAttestationResponse;
import com.fido.fido2.param.client.AuthenticatorResponse;
import com.fido.fido2.param.client.PublicKeyCredentialCreationOptions;
import com.fido.fido2.param.client.PublicKeyCredentialRequestOptions;
import com.fido.fido2.param.client.RequestOptions;
import com.fido.fido2.param.model.Algorithm;
import com.fido.fido2.param.model.AuthenticatorSelectionCriteria;
import com.fido.fido2.param.model.EccKey;
import com.fido.fido2.param.model.PublicKeyCredentialDescriptor;
import com.fido.fido2.param.model.PublicKeyCredentialParameters;
import com.fido.fido2.param.model.UserVerificationRequirement;
import com.fido.fido2.utils.Logger;
import com.fido.fido2.utils.UtilByte;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

/* loaded from: classes.dex */
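/**
 * Drives a U2F ("U2F_V2") authenticator over an {@link ITransport}: builds the raw register,
 * authenticate and version APDUs, sends them, and wraps the decoded responses in the
 * WebAuthn-style response objects used by the rest of the client.
 *
 * <p>Everything that comes back from the transport is authenticator-controlled input and is
 * treated as untrusted: status words are checked before any field is used, and the returned
 * public key is length-checked before it is sliced.
 */
public class U2FProcessor {
    private static final String TAG = "U2FProcessor";
    private static final String VERSION_U2F = "U2F_V2";

    // APDU headers (CLA, INS, ...) for the three U2F commands this class issues.
    private static final byte[] REQUEST_U2F_REG = {0, 1, 0, 0};
    private static final byte[] REQUEST_U2F_AUTH = {0, 2};
    private static final byte[] REQUEST_U2F_VERSION = {0, 3, 0, 0, 0};

    // Status words, stored as signed shorts because that is how the decoded responses expose them.
    /** 0x9000: command completed successfully. */
    private static final short SW_NO_ERROR = (short) 0x9000;
    /** 0x6985: conditions not satisfied; the code below treats it as "key handle known, retry". */
    private static final short SW_CONDITIONS_NOT_SATISFIED = 0x6985;
    /** 0x6B00: ISO 7816 "wrong P1/P2"; here it triggers the retry with control byte 0x03. */
    private static final short SW_WRONG_P1P2 = 0x6B00;

    // Authentication control bytes (P1), named after the U2F raw message format.
    private static final byte CONTROL_ENFORCE_USER_PRESENCE_AND_SIGN = 0x03;
    private static final byte CONTROL_CHECK_ONLY = 0x07;
    private static final byte CONTROL_DONT_ENFORCE_USER_PRESENCE_AND_SIGN = 0x08;

    /** Length of an uncompressed P-256 point: 0x04 || X (32 bytes) || Y (32 bytes). */
    private static final int UNCOMPRESSED_POINT_LENGTH = 65;
    private static final int COORDINATE_LENGTH = 32;

    private final ClientDataProcessor mClientDataProcessor;
    private final ITransport mTransport;

    public U2FProcessor(ITransport iTransport, ClientDataProcessor clientDataProcessor) {
        this.mTransport = iTransport;
        this.mClientDataProcessor = clientDataProcessor;
    }

    /**
     * Sends a check-only authentication request for one key handle.
     *
     * @return the status word of the authenticator's response
     */
    private short checkAuthPolicy(byte[] keyHandle, byte[] challenge, byte[] application) throws AkException {
        Logger.d(TAG, "checkAuthPolicy operate");
        U2FAuthRequest request = new U2FAuthRequest();
        request.control = CONTROL_CHECK_ONLY;
        request.challenge = challenge;
        request.application = application;
        request.keyHandle = keyHandle;
        U2FAuthResponse response = new U2FAuthResponse();
        response.decode(sendData(buildAuthApdu(request)));
        Logger.d(TAG, "checkAuthPolicy end");
        return response.status;
    }

    /** Builds the authenticate APDU: header, control byte as P1, P2 = 0, extended Lc, payload. */
    private static byte[] buildAuthApdu(U2FAuthRequest request) throws AkException {
        byte[] payload = request.encode();
        return UtilByte.concat(REQUEST_U2F_AUTH, new byte[]{request.control, 0}, extendedLc(payload.length), payload);
    }

    /**
     * Encodes a payload length as a three-byte extended Lc field, or as nothing for an empty payload.
     *
     * <p>NOTE(review): lengths above 0xFFFF are silently truncated to their low 16 bits; whether
     * the request encoders can ever produce such a payload is not visible here.
     */
    private static byte[] extendedLc(int length) {
        if (length == 0) {
            return new byte[0];
        }
        return new byte[]{0, (byte) (length >> 8), (byte) length};
    }

    /** Computes SHA-256, mapping the (practically unreachable) missing-algorithm case to AkException 127. */
    private static byte[] sha256(byte[] data) throws AkException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            Log.e(TAG, "hash encodeBytes failed!!!", e);
            throw new AkException((short) 127);
        }
    }

    /**
     * Sends one APDU over the transport and returns the raw response.
     *
     * <p>NOTE(review): both directions are logged in full as hex, which puts key handles,
     * challenges and signatures into the debug log. Confirm that {@code Logger.d} is disabled in
     * release builds, or log lengths only.
     */
    private byte[] sendData(byte[] bArr) throws AkException {
        Logger.d(TAG, "sendData:" + UtilByte.byte2hex(bArr));
        byte[] response = this.mTransport.exec("", bArr);
        Logger.d(TAG, "recvData:" + UtilByte.byte2hex(response));
        return response;
    }

    /**
     * Tries each credential in the allow list against the authenticator and returns the first
     * assertion that the authenticator signs successfully.
     *
     * <p>NOTE(review): the first signing attempt uses control byte 0x08
     * (dont-enforce-user-presence-and-sign) and only falls back to 0x03 when the authenticator
     * answers 0x6B00. An authenticator that honours 0x08 can therefore sign without a user
     * gesture; the flags byte from the response is passed through unchanged, so the relying party
     * must check the user-presence flag itself.
     *
     * @throws AkException code 43 when the allow list is empty, 16 when the authenticator data
     *     cannot be encoded, 127 when no credential produced an assertion or hashing failed
     */
    public AuthenticatorAssertionResponse authenticate(PublicKeyCredentialRequestOptions publicKeyCredentialRequestOptions) throws AkException {
        Logger.d(TAG, "authenticate operate");
        List<PublicKeyCredentialDescriptor> allowList = publicKeyCredentialRequestOptions.getAllowList();
        if (allowList == null || allowList.isEmpty()) {
            Logger.e(TAG, "authenticate failed , allow list is empty");
            throw new AkException((short) 43);
        }
        // NOTE(review): getBytes() without a charset; assumes getClientData returns a String.
        // Confirm and pin UTF-8 so this hash matches what the relying party computes.
        byte[] clientData = this.mClientDataProcessor.getClientData(publicKeyCredentialRequestOptions).getBytes();
        // A hashing failure now raises AkException 127, as register() does, instead of returning null.
        byte[] clientDataHash = sha256(clientData);
        Logger.d(TAG, "authenticate clientDataHash finish");
        byte[] rpIdHash = sha256(UtilByte.str2byte(publicKeyCredentialRequestOptions.getRpId()));
        Logger.d(TAG, "authenticate rpIdHash finish");

        boolean checkFirst = (this.mTransport instanceof HidTransport) || (this.mTransport instanceof BleTransport);
        for (PublicKeyCredentialDescriptor credential : allowList) {
            Logger.d(TAG, "authenticate credential");
            if (checkFirst) {
                Logger.d(TAG, "authenticate usb,checkpolicy first");
                short checkStatus = checkAuthPolicy(credential.id, clientDataHash, rpIdHash);
                Logger.d(TAG, "authenticate usb,checkpolicy status:" + ((int) checkStatus));
                if (checkStatus != SW_NO_ERROR && checkStatus != SW_CONDITIONS_NOT_SATISFIED) {
                    // The key handle is not recognised by this authenticator, so no sign request
                    // is sent for it. Previously the check result was logged and then ignored.
                    Logger.d(TAG, "check failed , go on next");
                    continue;
                }
                Logger.d(TAG, "check success , go on this");
            }

            Logger.d(TAG, "begin authenticate");
            U2FAuthRequest request = new U2FAuthRequest();
            request.control = CONTROL_DONT_ENFORCE_USER_PRESENCE_AND_SIGN;
            request.challenge = clientDataHash;
            request.application = rpIdHash;
            request.keyHandle = credential.id;
            U2FAuthResponse response = new U2FAuthResponse();
            response.decode(sendData(buildAuthApdu(request)));
            Logger.d(TAG, "authenticate result:" + ((int) response.status));

            if (response.status == SW_WRONG_P1P2) {
                request.control = CONTROL_ENFORCE_USER_PRESENCE_AND_SIGN;
                byte[] apdu = buildAuthApdu(request);
                response = new U2FAuthResponse();
                response.decode(sendData(apdu));
                Logger.d(TAG, "authenticate2 result:" + ((int) response.status));
                // NOTE(review): this poll has no delay and no upper bound, so an authenticator
                // that keeps answering 0x6985 holds the calling thread indefinitely. Consider a
                // deadline taken from the request's timeout.
                while (response.status == SW_CONDITIONS_NOT_SATISFIED) {
                    Logger.d(TAG, "6985 , need process again");
                    response.decode(sendData(apdu));
                    Logger.d(TAG, "authenticate2 result again:" + response.toString());
                }
            }

            if (response.status != SW_NO_ERROR) {
                Logger.d(TAG, "authenticate failed , go on");
                continue;
            }

            try {
                // Only the two low flag bits of the authenticator's presence byte are forwarded.
                byte flags = (byte) (response.up & 0x03);
                byte[] authenticatorData = new AuthenticatorData(rpIdHash, flags, response.counter, null, null).encode();
                AuthenticatorAssertionResponse assertion = new AuthenticatorAssertionResponse(clientData, authenticatorData, response.signature, credential.id);
                // Stop at the first success so the authenticator is not asked to sign again for
                // the remaining allow-list entries.
                Logger.d(TAG, "authenticate end");
                return assertion;
            } catch (CborException e) {
                Logger.e(TAG, "authenticate failed by cbor", e);
                throw new AkException((short) 16);
            }
        }
        Logger.e(TAG, "authenticate failed by all");
        throw new AkException((short) 127);
    }

    /**
     * Queries the authenticator's version string.
     *
     * @return {@code true} only when the response ends in status 0x9000 and its body is "U2F_V2"
     */
    public boolean getVersion() throws AkException {
        Logger.d(TAG, "getVersion operate");
        byte[] response = sendData(REQUEST_U2F_VERSION);
        // The last two bytes are the status word; anything shorter cannot be a valid response.
        if (response == null || response.length < 2
                || UtilByte.getShortBigEndian(response, response.length - 2) != SW_NO_ERROR) {
            Logger.d(TAG, "getVersion end failed");
            return false;
        }
        String version = new String(Arrays.copyOfRange(response, 0, response.length - 2), StandardCharsets.UTF_8);
        Logger.d(TAG, "version:" + version);
        return VERSION_U2F.equals(version);
    }

    /**
     * Dispatches on the concrete options type.
     *
     * @return the assertion or attestation response, or {@code null} for any other options type
     */
    public AuthenticatorResponse process(RequestOptions requestOptions) throws AkException {
        if (requestOptions instanceof PublicKeyCredentialRequestOptions) {
            return authenticate((PublicKeyCredentialRequestOptions) requestOptions);
        }
        if (requestOptions instanceof PublicKeyCredentialCreationOptions) {
            return register((PublicKeyCredentialCreationOptions) requestOptions);
        }
        return null;
    }

    /**
     * Registers a new credential and wraps the U2F response as a "fido-u2f" attestation object.
     *
     * <p>Requests that require a resident key or user verification, or that do not offer ES256,
     * are rejected before anything is sent to the authenticator.
     *
     * @throws AkException code 43 for an unsupported request, 25 when an excluded credential is
     *     already known to the authenticator, 16 for a malformed public key or an encoding
     *     failure, 127 when the authenticator reports an error or hashing failed
     */
    public AuthenticatorAttestationResponse register(PublicKeyCredentialCreationOptions publicKeyCredentialCreationOptions) throws AkException {
        Logger.d(TAG, "register operate");
        AuthenticatorSelectionCriteria selection = publicKeyCredentialCreationOptions.getAuthenticatorSelection();
        if (selection != null) {
            Logger.d(TAG, "register operate check selection");
            if (Boolean.TRUE.equals(selection.isRequireResidentKey())) {
                Logger.d(TAG, "register operate check selection failed by resident key");
                throw new AkException((short) 43);
            }
            if (selection.getUserVerification() == UserVerificationRequirement.REQUIRED) {
                Logger.d(TAG, "register operate check selection failed by uv");
                throw new AkException((short) 43);
            }
        }

        List<PublicKeyCredentialParameters> pubKeyCredParams = publicKeyCredentialCreationOptions.getPubKeyCredParams();
        if (pubKeyCredParams != null) {
            Logger.d(TAG, "register operate check options");
            Logger.d(TAG, "register operate alg check");
            boolean es256Offered = false;
            for (PublicKeyCredentialParameters params : pubKeyCredParams) {
                if (params.alg == Algorithm.ES256) {
                    Logger.d(TAG, "register operate alg fit");
                    es256Offered = true;
                    break;
                }
            }
            if (!es256Offered) {
                Logger.d(TAG, "register operate alg failed");
                throw new AkException((short) 43);
            }
        }

        U2FRegRequest request = new U2FRegRequest();
        // NOTE(review): getBytes() without a charset; assumes getClientData returns a String.
        // Confirm and pin UTF-8 so this hash matches what the relying party computes.
        byte[] clientData = this.mClientDataProcessor.getClientData(publicKeyCredentialCreationOptions).getBytes();
        byte[] clientDataHash = sha256(clientData);
        request.challenge = clientDataHash;
        Logger.d(TAG, "clientData finish");
        byte[] rpIdHash = sha256(UtilByte.str2byte(publicKeyCredentialCreationOptions.getRp().id));
        request.application = rpIdHash;
        Logger.d(TAG, "rpIdHash finish");

        List<PublicKeyCredentialDescriptor> excludeList = publicKeyCredentialCreationOptions.getExcludeList();
        if (excludeList != null) {
            Logger.d(TAG, "exclude list check");
            for (PublicKeyCredentialDescriptor excluded : excludeList) {
                Logger.d(TAG, "exclude check");
                short checkStatus = checkAuthPolicy(excluded.id, clientDataHash, rpIdHash);
                // Either status means the authenticator recognises the key handle, so it already
                // holds a credential the relying party asked to exclude.
                if (checkStatus == SW_NO_ERROR || checkStatus == SW_CONDITIONS_NOT_SATISFIED) {
                    Logger.e(TAG, "exclude check failed");
                    throw new AkException((short) 25);
                }
            }
            Logger.d(TAG, "exclude check finish");
        }

        byte[] payload = request.encode();
        byte[] apdu = UtilByte.concat(REQUEST_U2F_REG, extendedLc(payload.length), payload);
        U2FRegResponse response = new U2FRegResponse();
        response.decode(sendData(apdu));
        Logger.d(TAG, "recv:" + response.toString());
        // NOTE(review): this poll has no delay and no upper bound, so an authenticator that keeps
        // answering 0x6985 holds the calling thread indefinitely. Consider a deadline taken from
        // the request's timeout.
        while (response.status == SW_CONDITIONS_NOT_SATISFIED) {
            Logger.d(TAG, "6985 , need process again");
            response.decode(sendData(apdu));
            Logger.d(TAG, "recv again:" + response.toString());
        }
        if (response.status != SW_NO_ERROR) {
            Logger.e(TAG, "akResponse is not success,status:" + ((int) response.status));
            throw new AkException((short) 127);
        }

        byte[] credentialId = response.keyHandle;
        Logger.d(TAG, "credentialId:" + UtilByte.byte2hex(credentialId));
        byte[] userPublicKey = response.userPublicKey;
        // Check presence and length before indexing: a short or missing key from a faulty
        // authenticator would otherwise surface as an unchecked exception from the array copies.
        if (userPublicKey == null || userPublicKey.length < UNCOMPRESSED_POINT_LENGTH || userPublicKey[0] != 4) {
            Logger.e(TAG, "parse userPublicKey failed,not uncompressed");
            throw new AkException((short) 16);
        }
        byte[] x = Arrays.copyOfRange(userPublicKey, 1, 1 + COORDINATE_LENGTH);
        byte[] y = Arrays.copyOfRange(userPublicKey, 1 + COORDINATE_LENGTH, UNCOMPRESSED_POINT_LENGTH);

        // Flags 0x41 (65), counter 0 and an all-zero 16-byte identifier are fixed values that
        // this client fills in; they do not come from the authenticator's response.
        AttestationData attestationData = new AttestationData(new byte[16], credentialId, new EccKey(Algorithm.ES256, x, y));
        AuthenticatorData authenticatorData = new AuthenticatorData(rpIdHash, (byte) 65, 0, attestationData, null);
        AttestationObject attestationObject = new AttestationObject();
        attestationObject.attStmt = new FidoU2fAttestationStatement(response.signature, response.attestationCertificate, null);
        attestationObject.authData = authenticatorData;
        attestationObject.fmt = "fido-u2f";
        try {
            AuthenticatorAttestationResponse result = new AuthenticatorAttestationResponse(clientData, attestationObject.encodeServer(), credentialId);
            Logger.d(TAG, "register end");
            return result;
        } catch (CborException e) {
            Logger.e(TAG, "attestationObject failed", e);
            throw new AkException((short) 16);
        }
    }
}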
