package com.fido.fido2.client.logical;

import co.nstant.in.cbor.CborException;
import com.fido.fido2.client.logical.transport.ITransport;
import com.fido.fido2.param.authenticator.AuthenticatorClientPinRequest;
import com.fido.fido2.param.authenticator.AuthenticatorClientPinResponse;
import com.fido.fido2.param.model.Algorithm;
import com.fido.fido2.param.model.EccKey;
import com.fido.fido2.utils.CryptoUtil;
import com.fido.fido2.utils.Logger;
import com.fido.fido2.utils.UtilByte;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;

/* loaded from: classes.dex */
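/**
 * Platform side of the CTAP2 client PIN exchange (PIN protocol 1) over an {@link ITransport}.
 *
 * <p>Every request is CBOR-encoded and prefixed with command byte 6 (authenticatorClientPIN).
 * The sub-commands used here are 2 (getKeyAgreement), 3 (setPIN) and 5 (getPINToken).
 *
 * <p>Typical order of calls: {@link #getSharedSecret()} first, then {@link #setNewPin(String)}
 * or {@link #getPinToken(String)}, then {@link #getPinAuth(byte[])} for later requests.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code secret} and {@code pinToken} are key material and must never be logged.</li>
 *   <li>PIN bytes and other intermediate secrets are zeroed once they are no longer needed.</li>
 *   <li>The all-zero IV passed to AES-CBC is what PIN protocol 1 specifies; do not reuse this
 *       pattern outside that protocol.</li>
 * </ul>
 *
 * <p>NOTE(review): the AkException codes 16, 49 and 55 look like CTAP status values
 * (0x10, 0x31, 0x37) - confirm against AkException, which is not visible here.
 * This class holds mutable state without synchronization.
 */
public class ClientPin {
    private static final String KEY_ENTRY = "platform_pin_key";
    private static final String TAG = "ClientPin";

    /** AES block size in bytes; also the length of the zero IV. */
    private static final int AES_BLOCK_SIZE = 16;
    /** Length of the truncated HMAC / SHA-256 values used by PIN protocol 1. */
    private static final int TRUNCATED_LENGTH = 16;
    /** Minimum size of the zero-padded PIN block sent as newPinEnc. */
    private static final int MIN_PADDED_PIN_LENGTH = 64;
    /** Size of one P-256 affine coordinate in bytes. */
    private static final int COORDINATE_LENGTH = 32;

    private final ITransport mTransport;
    // Decrypted PIN token returned by the authenticator; HMAC key for pinAuth.
    private byte[] pinToken;
    // SHA-256 of the ECDH shared point; AES/HMAC key for the PIN exchange.
    private byte[] secret;

    /* JADX INFO: Access modifiers changed from: protected */
    public ClientPin(ITransport iTransport) {
        this.mTransport = iTransport;
    }

    /**
     * Zero-pads the PIN to a whole number of AES blocks (at least 64 bytes) and encrypts it
     * with AES-CBC, no padding, zero IV.
     *
     * @param bArr  shared secret used as the AES key
     * @param bArr2 PIN bytes
     * @return the encrypted, padded PIN
     * @throws Exception AkException(49) when the PIN is null, or whatever CryptoUtil throws
     */
    private byte[] encryptPin(byte[] bArr, byte[] bArr2) throws Exception {
        if (bArr2 == null) {
            Logger.e(TAG, "pin not set");
            throw new AkException((short) 49);
        }
        // Round up to the next multiple of the block size. The previous expression mixed up
        // operator precedence and always produced 16 for PINs of 64 bytes or more, so the copy
        // below overflowed the buffer.
        int paddedLength = bArr2.length < MIN_PADDED_PIN_LENGTH
                ? MIN_PADDED_PIN_LENGTH
                : ((bArr2.length + AES_BLOCK_SIZE - 1) / AES_BLOCK_SIZE) * AES_BLOCK_SIZE;
        byte[] padded = new byte[paddedLength];
        System.arraycopy(bArr2, 0, padded, 0, bArr2.length);
        try {
            return CryptoUtil.aesEncryptCbcNopadd(bArr, padded, new byte[AES_BLOCK_SIZE]);
        } finally {
            // Do not leave the clear-text PIN block on the heap.
            Arrays.fill(padded, (byte) 0);
        }
    }

    /**
     * Encrypts the 16-byte truncated PIN hash with AES-CBC, no padding, zero IV.
     *
     * @param bArr  shared secret used as the AES key
     * @param bArr2 truncated PIN hash, exactly 16 bytes
     * @return the encrypted PIN hash
     * @throws Exception AkException(49) when the hash is null or not 16 bytes long
     */
    private byte[] encryptPinHash(byte[] bArr, byte[] bArr2) throws Exception {
        if (bArr2 != null && bArr2.length == TRUNCATED_LENGTH) {
            return CryptoUtil.aesEncryptCbcNopadd(bArr, bArr2, new byte[AES_BLOCK_SIZE]);
        }
        Logger.e(TAG, "pin hash length not fit");
        throw new AkException((short) 49);
    }

    /**
     * Encodes the request, prefixes command byte 6, sends it and decodes the reply.
     *
     * @param authenticatorClientPinRequest request to send
     * @return the decoded response; the caller is responsible for checking {@code status}
     * @throws AkException code 16 when CBOR encoding or decoding fails
     */
    private AuthenticatorClientPinResponse execAk(AuthenticatorClientPinRequest authenticatorClientPinRequest) throws AkException {
        Logger.d(TAG, "execAk start");
        try {
            byte[] payload = authenticatorClientPinRequest.encode();
            byte[] framed = new byte[payload.length + 1];
            framed[0] = 6; // authenticatorClientPIN command byte
            System.arraycopy(payload, 0, framed, 1, payload.length);
            byte[] reply = this.mTransport.exec(null, framed);
            AuthenticatorClientPinResponse response = new AuthenticatorClientPinResponse();
            try {
                response.decode(reply);
                return response;
            } catch (CborException e) {
                Logger.e(TAG, "execAk failed by decode akResponse", e);
                throw new AkException((short) 16);
            }
        } catch (CborException e2) {
            Logger.e(TAG, "execAk failed by encode akRequest", e2);
            throw new AkException((short) 16);
        }
    }

    /**
     * Computes HMAC-SHA-256 and returns a 16-byte buffer holding its first {@code i} bytes.
     *
     * @param bArr  HMAC key
     * @param bArr2 message
     * @param i     number of leading MAC bytes to keep, 0..16
     * @return a 16-byte array; bytes beyond {@code i} are zero
     * @throws Exception IllegalArgumentException on a bad length or a short MAC
     */
    private byte[] hmac(byte[] bArr, byte[] bArr2, int i) throws Exception {
        if (i < 0 || i > TRUNCATED_LENGTH) {
            throw new IllegalArgumentException("hmac failed");
        }
        byte[] mac = CryptoUtil.hmacSha256(bArr, bArr2);
        if (mac == null || mac.length < TRUNCATED_LENGTH) {
            throw new IllegalArgumentException("hmac failed");
        }
        byte[] truncated = new byte[TRUNCATED_LENGTH];
        System.arraycopy(mac, 0, truncated, 0, i);
        return truncated;
    }

    /**
     * Computes SHA-256 and returns a 16-byte buffer holding its first {@code i} bytes.
     *
     * @param bArr data to hash
     * @param i    number of leading digest bytes to keep, 0..16
     * @return a 16-byte array; bytes beyond {@code i} are zero
     * @throws Exception IllegalArgumentException on a bad length or a short digest
     */
    private byte[] sha(byte[] bArr, int i) throws Exception {
        if (i < 0 || i > TRUNCATED_LENGTH) {
            throw new IllegalArgumentException("sha256 failed");
        }
        byte[] digest = CryptoUtil.sha256(bArr);
        if (digest == null || digest.length < TRUNCATED_LENGTH) {
            throw new IllegalArgumentException("sha256 failed");
        }
        byte[] truncated = new byte[TRUNCATED_LENGTH];
        System.arraycopy(digest, 0, truncated, 0, i);
        return truncated;
    }

    /**
     * Checks the PIN length and returns its UTF-8 bytes.
     *
     * @param str PIN as typed by the user
     * @return the PIN bytes, or {@code null} when the PIN is null, shorter than 4 chars or
     *         longer than 255 bytes
     */
    private byte[] validPin(String str) {
        if (str == null || str.length() < 4) {
            Logger.e(TAG, "valid pin failed by <4");
            return null;
        }
        // Explicit UTF-8: the platform default charset must not decide what the authenticator
        // receives.
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        // NOTE(review): CTAP2 PIN protocol 1 caps the PIN at 63 UTF-8 bytes so that the 64-byte
        // padded block always ends in a zero byte; this accepts up to 255. Confirm the limit
        // against the authenticators this client targets.
        if (bytes.length <= 255) {
            return bytes;
        }
        Arrays.fill(bytes, (byte) 0);
        Logger.e(TAG, "valid pin falied by > 255");
        return null;
    }

    /**
     * Serializes an affine coordinate as an unsigned big-endian value of fixed length.
     *
     * <p>{@link BigInteger#toByteArray()} returns a minimal two's-complement encoding: it may
     * carry an extra leading zero byte, and it may be shorter than the field size when the
     * value has leading zero bytes. Both cases are normalized here.
     *
     * @throws AkException code 49 when the value does not fit in {@code length} bytes
     */
    private static byte[] toFixedLength(BigInteger value, int length) throws AkException {
        byte[] raw = value.toByteArray();
        int skip = Math.max(0, raw.length - length);
        for (int k = 0; k < skip; k++) {
            if (raw[k] != 0) {
                throw new AkException((short) 49);
            }
        }
        byte[] fixed = new byte[length];
        int count = raw.length - skip;
        System.arraycopy(raw, skip, fixed, length - count, count);
        return fixed;
    }

    /**
     * Builds the keyAgreement field from the platform ECDH public key stored under KEY_ENTRY.
     *
     * @throws AkException code 49 when the key cannot be loaded
     */
    private EccKey platformKeyAgreement() throws AkException {
        ECPublicKey platformKey = CryptoUtil.getECDHPubkey(KEY_ENTRY);
        if (platformKey == null) {
            Logger.e(TAG, "get ECDH key failed!");
            throw new AkException((short) 49);
        }
        byte[] x = toFixedLength(platformKey.getW().getAffineX(), COORDINATE_LENGTH);
        byte[] y = toFixedLength(platformKey.getW().getAffineY(), COORDINATE_LENGTH);
        return new EccKey(Algorithm.ECDH, x, y);
    }

    /**
     * Computes pinAuth: the first 16 bytes of HMAC-SHA-256 over {@code bArr} keyed with the
     * PIN token.
     *
     * @param bArr data to authenticate
     * @return the 16-byte pinAuth value, never {@code null}
     * @throws AkException code 49 when no PIN token is available or the MAC cannot be computed
     */
    public byte[] getPinAuth(byte[] bArr) throws AkException {
        Logger.d(TAG, "getPinAuth start");
        byte[] token = this.pinToken;
        if (token == null) {
            throw new AkException((short) 49);
        }
        try {
            byte[] pinAuth = hmac(token, bArr, TRUNCATED_LENGTH);
            Logger.d(TAG, "getPinAuth get pinAuth success");
            return pinAuth;
        } catch (Exception e) {
            // Fail closed: a null pinAuth must not flow silently into a later request.
            Logger.e(TAG, "getPinAuth failed", e);
            throw new AkException((short) 49);
        }
    }

    /**
     * Requests a PIN token (sub-command 5) and stores the decrypted token for
     * {@link #getPinAuth(byte[])}.
     *
     * @param str PIN as typed by the user
     * @throws AkException code 49 when no shared secret exists, a crypto step fails or the
     *         authenticator returns a non-zero status; code 55 when the PIN fails validation
     */
    public void getPinToken(String str) throws AkException {
        Logger.d(TAG, "getPinToken start");
        if (this.secret == null) {
            Logger.e(TAG, "getPinToken failed secret is null");
            throw new AkException((short) 49);
        }
        byte[] pinBytes = validPin(str);
        if (pinBytes == null) {
            Logger.e(TAG, "getPinToken start pin not valid");
            throw new AkException((short) 55);
        }
        byte[] pinHash = null;
        // Tracks the current step so that the single catch below logs an accurate reason.
        String failure = "getPinToken failed by encrypt";
        try {
            AuthenticatorClientPinRequest request = new AuthenticatorClientPinRequest();
            request.pinProtocol = 1;
            request.subCommand = 5;
            request.keyAgreement = platformKeyAgreement();
            Logger.d(TAG, "getPinToken set keyAgreement success");
            try {
                pinHash = sha(pinBytes, TRUNCATED_LENGTH);
                request.pinHashEnc = encryptPinHash(this.secret, pinHash);
                Logger.d(TAG, "getPinToken set pinHashEnc success");
                failure = "getPinToken failed";
                AuthenticatorClientPinResponse response = execAk(request);
                if (response.status != 0) {
                    throw new AkException((short) 49);
                }
                failure = "getPinToken failed by decrypt!";
                this.pinToken = CryptoUtil.aesDecryptCbcNopadd(this.secret, response.pinToken, new byte[AES_BLOCK_SIZE]);
                Logger.d(TAG, "getPinToken end");
            } catch (Exception e) {
                // Every failure in this section is reported with code 49, as before.
                Logger.e(TAG, failure, e);
                throw new AkException((short) 49);
            }
        } finally {
            // The PIN and its truncated hash allow offline guessing; wipe both.
            Arrays.fill(pinBytes, (byte) 0);
            if (pinHash != null) {
                Arrays.fill(pinHash, (byte) 0);
            }
        }
    }

    /**
     * Runs key agreement (sub-command 2) and stores SHA-256 of the ECDH result as the shared
     * secret.
     *
     * @throws AkException code 16 when the response carries no key; code 49 when key
     *         conversion, key generation, ECDH or hashing fails
     */
    public void getSharedSecret() throws AkException {
        Logger.d(TAG, "getSharedSecret start");
        AuthenticatorClientPinRequest request = new AuthenticatorClientPinRequest();
        request.pinProtocol = 1;
        request.subCommand = 2;
        request.getKeyAgreement = true;
        AuthenticatorClientPinResponse response = execAk(request);
        if (response.keyAgreement == null) {
            throw new AkException((short) 16);
        }
        PublicKey authenticatorKey = response.keyAgreement.convertPubkey();
        if (authenticatorKey == null) {
            Logger.e(TAG, "aG is null!");
            throw new AkException((short) 49);
        }
        // Public value only; safe to log at debug level.
        Logger.d(TAG, "aG:" + UtilByte.byte2hex(authenticatorKey.getEncoded()));
        if (!CryptoUtil.genECDH(KEY_ENTRY)) {
            Logger.e(TAG, "getSharedSecret failed by gen ecdh failed");
            throw new AkException((short) 49);
        }
        Logger.d(TAG, "ecdh gen success");
        byte[] rawSecret = CryptoUtil.genECDHSecret(KEY_ENTRY, authenticatorKey);
        if (rawSecret == null) {
            Logger.e(TAG, "getSharedSecret failed by gen secret failed");
            throw new AkException((short) 49);
        }
        byte[] derived;
        try {
            derived = CryptoUtil.sha256(rawSecret);
        } catch (Exception e) {
            // Previously swallowed, which left the secret unset or stale while reporting success.
            Logger.e(TAG, "getSharedSecret failed by sha256", e);
            throw new AkException((short) 49);
        } finally {
            Arrays.fill(rawSecret, (byte) 0);
        }
        if (derived == null) {
            Logger.e(TAG, "getSharedSecret failed by sha256");
            throw new AkException((short) 49);
        }
        this.secret = derived;
        // The shared secret itself is deliberately not logged.
        Logger.d(TAG, "getSharedSecret end");
    }

    /**
     * Sets a new PIN on the authenticator (sub-command 3).
     *
     * @param str new PIN as typed by the user
     * @return {@code true} when the authenticator answers with status 0, {@code false} otherwise
     * @throws AkException code 49 when no shared secret exists or a crypto or transport step
     *         fails; code 55 when the PIN fails validation
     */
    public boolean setNewPin(String str) throws AkException {
        Logger.d(TAG, "setNewPin start");
        if (this.secret == null) {
            throw new AkException((short) 49);
        }
        byte[] pinBytes = validPin(str);
        if (pinBytes == null) {
            throw new AkException((short) 55);
        }
        Logger.d(TAG, "setNewPin validPin success");
        // Tracks the current step so that the single catch below logs an accurate reason.
        String failure = "setNewPin failed by encrypt pin";
        try {
            AuthenticatorClientPinRequest request = new AuthenticatorClientPinRequest();
            request.pinProtocol = 1;
            request.subCommand = 3;
            request.keyAgreement = platformKeyAgreement();
            Logger.d(TAG, "setNewPin set KeyAgreement success");
            try {
                request.newPinEnc = encryptPin(this.secret, pinBytes);
                Logger.d(TAG, "setNewPin gen newPinEnc success");
                failure = "setNewPin failed by pinAuth";
                request.pinAuth = hmac(this.secret, request.newPinEnc, TRUNCATED_LENGTH);
                Logger.d(TAG, "setNewPin gen pinAuth success");
                boolean accepted = execAk(request).status == 0;
                Logger.d(TAG, accepted ? "setNewPin success" : "setNewPin failed");
                return accepted;
            } catch (Exception e) {
                // Every failure in this section is reported with code 49, as before.
                Logger.e(TAG, failure, e);
                throw new AkException((short) 49);
            }
        } finally {
            Arrays.fill(pinBytes, (byte) 0);
        }
    }
}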
