package com.noknok.android.client.asm.authenticator;

import android.util.Base64;
import com.noknok.android.client.asm.api.AsmException;
import com.noknok.android.client.asm.api.UserVerification;
import com.noknok.android.client.asm.api.uaf.json.DisplayPNGCharacteristicsDescriptor;
import com.noknok.android.client.asm.api.uaf.json.ProtocolTags;
import com.noknok.android.client.asm.api.uaf.json.UAFPublicKeyFormat;
import com.noknok.android.client.asm.authenticator.matcherparams.KSMatcherOutParams;
import com.noknok.android.client.asm.core.AKDigestMethod;
import com.noknok.android.client.asm.core.ICryptoLayer;
import com.noknok.android.client.asm.core.uaf.AuthenticatorCore;
import com.noknok.android.client.asm.sdk.AuthenticatorException;
import com.noknok.android.client.asm.sdk.IAKDigestMethod;
import com.noknok.android.client.asm.sdk.IAuthenticatorDescriptor;
import com.noknok.android.client.asm.sdk.IAuthenticatorKernel;
import com.noknok.android.client.utils.Logger;
import com.noknok.android.client.utils.Outcome;
import com.noknok.android.uaf.asmcore.AKProcessor;
import com.noknok.android.uaf.asmcore.AuthenticatorDatabase;
import com.noknok.android.uaf.asmcore.TLVCommandEncoder;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

/* loaded from: classes4.dex */
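/**
 * UAF authenticator kernel that decodes TLV-encoded commands and serves them through an
 * {@link ICryptoLayer}: get-info, register, sign and deregister.
 *
 * <p>This is decompiled code; local variable names below were reconstructed for readability.
 * Numeric tags and registry values are kept as literals because the symbolic names are not
 * visible in this file.
 */
public class KsUafAuthenticatorKernel implements IAuthenticatorKernel {
    private static final String TAG = "KsUafAuthenticatorKernel";

    /** Base64 flags used for every key ID / key handle / AK config string (numeric value 11). */
    private static final int KEY_ENCODING_FLAGS = Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING;

    /* renamed from: a, reason: collision with root package name */
    public static final /* synthetic */ int f26466a = 0;

    /** Per-label authenticator characteristics, keyed by the crypto layer's label. */
    private static final Map<String, LabelParams> mLabelParams;
    protected final AkUafInfo mAkUafInfo;
    protected final ICryptoLayer mCryptoLayer;

    /* loaded from: classes4.dex */
    /** Authenticator metadata handed to the TLV encoder for get-info, KRD and sign-data creation. */
    public static class AkUafInfo {
        public String aaid;
        public short authenticationAlgorithm;
        public short keyProtection;
        public short matcherProtection;
        public short pubKeyAlgAndEncoding;
        public long userVerification;
        // 1 by default; the kernel constructor sets 0 when the descriptor's transaction UI is None.
        public short tcDisplay = 1;
        public String tcDisplayContentType = "text/plain";
        public List<DisplayPNGCharacteristicsDescriptor> tcDisplayPNGCharacteristics = null;
        public final String assertionScheme = "UAFV1TLV";
        // Surrogate basic attestation: the registration assertion is signed with a key obtained
        // through the same crypto layer call as the user key (see processRegister), so a relying
        // party gets no independent proof of the authenticator model from it.
        public final short attestationType = ProtocolTags.TAG_ATTESTATION_BASIC_SURROGATE;
        public short authenticatorType = 0;
        public final byte maxKeyHandleNum = 16;
    }

    /* loaded from: classes4.dex */
    /**
     * Key protection, signature algorithm and public key encoding advertised for one label.
     *
     * <p>NOTE(review): the numeric values look like FIDO registry constants (key protection
     * 1 = software, 2 = hardware, 4 = TEE as bit flags) - confirm against the registry in use.
     */
    public static class LabelParams {
        private final short mAuthenticationAlgorithm;
        private final short mKeyProtection;
        private final short mPubKeyAlgAndEncoding;

        /**
         * @param s11 key protection value
         * @param s12 authentication (signature) algorithm value
         * @param s13 public key algorithm and encoding value
         */
        public LabelParams(short s11, short s12, short s13) {
            this.mKeyProtection = s11;
            this.mAuthenticationAlgorithm = s12;
            this.mPubKeyAlgAndEncoding = s13;
        }
    }

    static {
        // Arguments are (keyProtection, authenticationAlgorithm, pubKeyAlgAndEncoding).
        Map<String, LabelParams> params = new HashMap<>();
        params.put("NNL_KS_UAF", new LabelParams((short) 6, (short) 1, UAFPublicKeyFormat.UAF_ALG_KEY_ECC_X962_RAW));
        params.put("NNL_KS_SFT_UAF", new LabelParams((short) 1, (short) 1, UAFPublicKeyFormat.UAF_ALG_KEY_ECC_X962_RAW));
        params.put("NNL_KS_SFT_RSA_UAF", new LabelParams((short) 1, (short) 8, UAFPublicKeyFormat.UAF_ALG_KEY_RSA_2048_PSS_RAW));
        params.put("NNL_KS_RSA_UAF", new LabelParams((short) 6, (short) 8, UAFPublicKeyFormat.UAF_ALG_KEY_RSA_2048_PSS_RAW));
        params.put("NNL_KS_SE_UAF", new LabelParams((short) 2, (short) 1, UAFPublicKeyFormat.UAF_ALG_KEY_ECC_X962_RAW));
        params.put("NNL_KS_SE_RSA_UAF", new LabelParams((short) 2, (short) 8, UAFPublicKeyFormat.UAF_ALG_KEY_RSA_2048_PSS_RAW));
        params.put("NNL_KS_WATCH_UAF", new LabelParams((short) 1, (short) 1, UAFPublicKeyFormat.UAF_ALG_KEY_ECC_X962_RAW));
        mLabelParams = params;
    }

    /**
     * Builds the kernel and fills {@link AkUafInfo} from the descriptor and the label table.
     *
     * @param iCryptoLayer crypto layer whose label selects the AAID and the label parameters
     * @param iAuthenticatorDescriptor source of AAID, matcher protection, user verification and
     *     transaction UI type
     * @throws IllegalArgumentException if the crypto layer's label is not in the label table
     */
    public KsUafAuthenticatorKernel(ICryptoLayer iCryptoLayer, IAuthenticatorDescriptor iAuthenticatorDescriptor) {
        AkUafInfo info = new AkUafInfo();
        this.mAkUafInfo = info;
        this.mCryptoLayer = iCryptoLayer;
        String label = iCryptoLayer.getLabel();
        // Still dereferenced unchecked: a label missing from the descriptor's AAID map fails here.
        info.aaid = iAuthenticatorDescriptor.getAAIDInfo().get(label).aaid;
        info.matcherProtection = iAuthenticatorDescriptor.getMatcherProtection().getUafValue();
        info.userVerification = UserVerification.getUafValue(iAuthenticatorDescriptor.getUserVerification());
        LabelParams labelParams = mLabelParams.get(label);
        if (labelParams == null) {
            // Fail with a diagnosable error instead of a bare NullPointerException; advertising
            // default (zero) protection values for an unknown label would be wrong.
            throw new IllegalArgumentException("Unsupported crypto layer label: " + label);
        }
        info.keyProtection = labelParams.mKeyProtection;
        info.authenticationAlgorithm = labelParams.mAuthenticationAlgorithm;
        info.pubKeyAlgAndEncoding = labelParams.mPubKeyAlgAndEncoding;
        if (iAuthenticatorDescriptor.getTransactionUIType().equals(IAuthenticatorDescriptor.TransactionUI.None)) {
            info.tcDisplay = (short) 0;
        }
    }

    /**
     * Removes the key behind every key handle in the request and reports success.
     *
     * <p>NOTE(review): {@code aKRequestParams.KHAccessToken} is not compared with the decoded key
     * handle in this method; confirm that unwrapObject/decodeKeyHandle enforce it, otherwise any
     * caller holding a wrapped handle can delete the key.
     *
     * @param aKRequestParams decoded request; a null key handle list is treated as empty
     * @param bArr raw request bytes (unused)
     * @param map caller-supplied data (unused)
     * @return the encoded DEREGISTER response
     */
    private byte[] processDeregister(AKProcessor.AKRequestParams aKRequestParams, byte[] bArr, Map<IAuthenticatorKernel.AKDataKeys, Object> map) {
        List<byte[]> wrappedHandles = aKRequestParams.keyHandles;
        if (wrappedHandles != null) {
            for (byte[] wrappedHandle : wrappedHandles) {
                byte[] encodedHandle = this.mCryptoLayer.unwrapObject(wrappedHandle);
                this.mCryptoLayer.removeKey(KeyHandle.decodeKeyHandle(encodedHandle).mUAuthPriv);
            }
        }
        AKProcessor.AKResponseParams response = new AKProcessor.AKResponseParams();
        response.statusCode = Outcome.SUCCESS.getUafAsmStatusCode();
        return TLVCommandEncoder.encodeResponse(response, TLVCommandEncoder.Commands.DEREGISTER);
    }

    /**
     * Generates a key, verifies the user, and builds the registration assertion.
     *
     * <p>The user is verified either through a user verification token (UVT) from the request or,
     * when none is supplied, through the crypto layer's own matcher.
     *
     * @param aKRequestParams decoded request
     * @param bArr raw request bytes (unused)
     * @param map caller-supplied data forwarded to the crypto layer
     * @return the encoded REGISTER response
     * @throws AsmException if the internal matcher returns no result
     */
    private byte[] processRegister(AKProcessor.AKRequestParams aKRequestParams, byte[] bArr, Map<IAuthenticatorKernel.AKDataKeys, Object> map) {
        byte[] uvt = aKRequestParams.userVerifyToken;
        boolean hasUvt = uvt != null && uvt.length > 0;
        if (hasUvt) {
            // Validate the token before any key is generated; the result is read again below.
            UVTHelper.verifyUVT(uvt);
        }
        // NOTE(review): the seed is the request's final challenge, i.e. caller-controlled data.
        // Confirm randSeed only mixes it into existing entropy rather than replacing it.
        ((KsUafCryptoLayer) this.mCryptoLayer).randSeed(aKRequestParams.finalChallenge);

        // generateKey() output: little-endian 16-bit length L, then L bytes. The key ID is the first
        // L - 1 of those bytes; the full L bytes go into the key handle. No range check is applied
        // to L here.
        ByteBuffer keyBlob = ByteBuffer.wrap(this.mCryptoLayer.generateKey(map));
        keyBlob.order(ByteOrder.LITTLE_ENDIAN);
        int blobLength = keyBlob.getShort();
        byte[] keyId = new byte[blobLength - 1];
        keyBlob.get(keyId);
        byte[] keyMaterial = new byte[blobLength];
        keyBlob.position(2);
        keyBlob.get(keyMaterial);

        Signature signature;
        byte[] userId;
        if (hasUvt) {
            userId = UVTHelper.verifyUVT(uvt).getUserID();
            signature = null;
        } else {
            Logger.i(TAG, "Register: UVT is not provided, verifying User with internal matcher.");
            KSMatcherOutParams matcherOut = (KSMatcherOutParams) this.mCryptoLayer.verifyUser(keyId, true, map);
            if (matcherOut == null) {
                throw new AsmException(Outcome.fromCalErrorCode(((KsUafCryptoLayer) this.mCryptoLayer).statusCode), "User verification failed");
            }
            userId = matcherOut.getUserID();
            signature = matcherOut.getSignature();
        }
        Logger.i(TAG, "Register: User is successfully verified. Generating UAF REG assertion.");

        AKProcessor.AKResponseParams response = new AKProcessor.AKResponseParams();
        KeyHandle keyHandle = new KeyHandle(aKRequestParams.KHAccessToken, keyMaterial, false, aKRequestParams.userName, userId, null);
        byte[] wrappedHandle = this.mCryptoLayer.wrapObject(keyHandle.encodeKeyHandle());
        byte[] handleHash = ((KsUafCryptoLayer) this.mCryptoLayer).hashData(wrappedHandle);

        // Counters live in a wrapped AK config blob that the caller stores and passes back.
        AKProcessor.AkConfig akConfig = new AKProcessor.AkConfig();
        byte[] wrappedConfig = aKRequestParams.additionalAKArgument;
        if (wrappedConfig != null && wrappedConfig.length > 0) {
            akConfig = TLVCommandEncoder.parseAkConfig(this.mCryptoLayer.unwrapObject(wrappedConfig));
        }
        akConfig.regCounter++;
        akConfig.signCounter++;

        byte[] krd = TLVCommandEncoder.createKrd(aKRequestParams, this.mAkUafInfo, akConfig, handleHash, this.mCryptoLayer.exportPublicKey(keyId), TLVCommandEncoder.createUvmExtensionTlv(this.mAkUafInfo));
        response.assertion = TLVCommandEncoder.createRegAssertion(krd, this.mCryptoLayer.signData(keyId, krd, map, signature));
        response.regToBeStored.keyID = Base64.encodeToString(keyId, KEY_ENCODING_FLAGS);
        response.regToBeStored.keyHandle = Base64.encodeToString(wrappedHandle, KEY_ENCODING_FLAGS);
        response.additionalAKInfoToBeStored = this.mCryptoLayer.wrapObject(TLVCommandEncoder.encodeAkConfig(akConfig));
        return TLVCommandEncoder.encodeResponse(response, TLVCommandEncoder.Commands.REGISTER);
    }

    /**
     * Produces a sign assertion for a single key handle, or a username list for several.
     *
     * <p>With exactly one key handle the user is verified (UVT or internal matcher), the sign
     * counter is advanced, an optional transaction is checked with {@link #verifyTct}, and the
     * sign data is signed. With more than one, only the usernames and encoded handles are
     * returned so the caller can pick one.
     *
     * <p>NOTE(review): nothing in this method compares {@code KHAccessToken} or the UVT's user ID
     * with the decoded key handle; confirm decodeKeyHandle, verifyUVT or signData enforce that
     * binding.
     *
     * @param aKRequestParams decoded request; a null key handle list is treated as empty
     * @param bArr raw request bytes (unused)
     * @param map caller-supplied data forwarded to the crypto layer
     * @return the encoded SIGN response
     * @throws AsmException if no key handle is supplied, the internal matcher returns no result,
     *     or the transaction confirmation token is rejected
     */
    private byte[] processSign(AKProcessor.AKRequestParams aKRequestParams, byte[] bArr, Map<IAuthenticatorKernel.AKDataKeys, Object> map) {
        AKProcessor.AKResponseParams response = new AKProcessor.AKResponseParams();
        // NOTE(review): seeded from the caller-supplied final challenge; see processRegister.
        ((KsUafCryptoLayer) this.mCryptoLayer).randSeed(aKRequestParams.finalChallenge);
        byte[] uvt = aKRequestParams.userVerifyToken;
        boolean hasUvt = uvt != null && uvt.length > 0;
        if (hasUvt) {
            UVTHelper.verifyUVT(uvt);
        }

        List<KeyHandle> decodedHandles = new ArrayList<>();
        byte[] handleHash = null;
        List<byte[]> wrappedHandles = aKRequestParams.keyHandles;
        // A missing list is rejected below as "no key handle" instead of failing with a
        // NullPointerException, matching the null tolerance of processDeregister.
        if (wrappedHandles != null) {
            for (byte[] wrappedHandle : wrappedHandles) {
                decodedHandles.add(KeyHandle.decodeKeyHandle(this.mCryptoLayer.unwrapObject(wrappedHandle)));
                // Only the last hash survives; it is used solely in the single-handle branch.
                handleHash = ((KsUafCryptoLayer) this.mCryptoLayer).hashData(wrappedHandle);
            }
        }
        if (decodedHandles.isEmpty()) {
            throw new AsmException(Outcome.ACCESS_DENIED, "No valid key handle provided");
        }

        if (decodedHandles.size() == 1) {
            KeyHandle keyHandle = decodedHandles.get(0);
            Signature signature;
            if (hasUvt) {
                signature = null;
            } else {
                // The original message said "Register:" here, which mislabels sign operations in logs.
                Logger.i(TAG, "Sign: UVT is not provided, verifying User with internal matcher.");
                KSMatcherOutParams matcherOut = (KSMatcherOutParams) this.mCryptoLayer.verifyUser(keyHandle.mUAuthPriv, false, map);
                if (matcherOut == null) {
                    throw new AsmException(Outcome.fromCalErrorCode(((KsUafCryptoLayer) this.mCryptoLayer).statusCode), "verifyUser failed");
                }
                signature = matcherOut.getSignature();
            }

            AKProcessor.AkConfig akConfig = new AKProcessor.AkConfig();
            byte[] wrappedConfig = aKRequestParams.additionalAKArgument;
            if (wrappedConfig != null && wrappedConfig.length > 0) {
                akConfig = TLVCommandEncoder.parseAkConfig(this.mCryptoLayer.unwrapObject(wrappedConfig));
            }
            akConfig.signCounter++;

            byte[] uvmExtension = TLVCommandEncoder.createUvmExtensionTlv(this.mAkUafInfo);
            byte[] nonce = ((KsUafCryptoLayer) this.mCryptoLayer).randGen(new byte[32]);
            byte[] transactionHash = null;
            byte[] transaction = aKRequestParams.transaction;
            if (transaction != null && transaction.length > 0) {
                transactionHash = verifyTct(transaction, aKRequestParams.transactionConfirmationToken, aKRequestParams.finalChallenge);
            }
            byte[] signedData = TLVCommandEncoder.createAuthSignData(aKRequestParams, this.mAkUafInfo, akConfig, handleHash, nonce, transactionHash, uvmExtension);
            byte[] signatureBytes = this.mCryptoLayer.signData(keyHandle.mUAuthPriv, signedData, map, signature);
            response.additionalAKInfoToBeStored = this.mCryptoLayer.wrapObject(TLVCommandEncoder.encodeAkConfig(akConfig));
            response.assertion = TLVCommandEncoder.createSignAsertion(signedData, signatureBytes);
        } else {
            // Several candidates: return usernames only, without verifying the user or signing.
            for (int i = 0; i < aKRequestParams.keyHandles.size(); i++) {
                String username = new String(decodedHandles.get(i).mUsername);
                String encodedHandle = Base64.encodeToString(aKRequestParams.keyHandles.get(i), KEY_ENCODING_FLAGS);
                response.usernames.add(new AuthenticatorCore.Username(username, encodedHandle, 0L));
            }
        }
        return TLVCommandEncoder.encodeResponse(response, TLVCommandEncoder.Commands.SIGN);
    }

    /**
     * Checks that a transaction confirmation token (TCT) matches the transaction and challenge.
     *
     * <p>The token is a TLV sequence. The content of tag 10486 (0x28F6) must equal
     * {@code hash(transaction) || finalChallenge}.
     *
     * <p>NOTE(review): both compared values are derived from the request itself and no MAC or
     * signature over the token is checked in this method; confirm the token's origin is
     * authenticated elsewhere, otherwise a caller can construct a matching token.
     *
     * @param bArr transaction content
     * @param bArr2 transaction confirmation token
     * @param bArr3 final challenge the token must be bound to
     * @return the hash of the transaction content
     * @throws AsmException ACCESS_DENIED for an empty or mismatching token, PROTOCOL_ERROR for a
     *     malformed TLV or an unexpected tag
     */
    private byte[] verifyTct(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        if (bArr2 == null || bArr2.length == 0) {
            throw new AsmException(Outcome.ACCESS_DENIED, "Empty Transaction confirmation token");
        }
        byte[] transactionHash = ((KsUafCryptoLayer) this.mCryptoLayer).hashData(bArr);
        ByteBuffer token = ByteBuffer.wrap(bArr2);
        token.order(ByteOrder.LITTLE_ENDIAN);
        byte[] content = null;
        while (token.hasRemaining()) {
            TLVCommandEncoder.TagLength header = TLVCommandEncoder.readTagAndLength(token);
            int length = header.length;
            if (length < 0) {
                throw new AsmException(Outcome.PROTOCOL_ERROR, "Invalid TLV structure in TCT");
            }
            short tag = header.tag;
            if (tag == 10485) {
                // Tag 0x28F5: exactly one byte is consumed regardless of the declared length.
                // NOTE(review): confirm the value is always one byte long.
                token.get();
            } else {
                if (tag != 10486) {
                    throw new AsmException(Outcome.PROTOCOL_ERROR, "Uncnown tag in TC token");
                }
                if (length > token.remaining()) {
                    // A declared length past the end of the token is a malformed TLV; report it as
                    // such before allocating, instead of surfacing a BufferUnderflowException.
                    throw new AsmException(Outcome.PROTOCOL_ERROR, "Invalid TLV structure in TCT");
                }
                content = new byte[length];
                token.get(content);
            }
        }
        if (content == null || content.length != transactionHash.length + bArr3.length) {
            throw new AsmException(Outcome.ACCESS_DENIED, "TCT content is empty or has invalid lengh ");
        }
        byte[] tokenHash = Arrays.copyOf(content, transactionHash.length);
        byte[] tokenChallenge = Arrays.copyOfRange(content, transactionHash.length, content.length);
        if (!Arrays.equals(tokenHash, transactionHash) || !Arrays.equals(tokenChallenge, bArr3)) {
            throw new AsmException(Outcome.ACCESS_DENIED, "TCT validation failed");
        }
        return transactionHash;
    }

    /**
     * Reports whether the stored AK config can still be unwrapped.
     *
     * @param authenticatorDatabase database to check
     * @return {@code false} only when registrations exist and the stored AK config fails to
     *     unwrap; {@code true} otherwise, including when there are no registrations
     */
    public boolean checkDatabase(AuthenticatorDatabase authenticatorDatabase) {
        if (!authenticatorDatabase.hasRegistrations()) {
            return true;
        }
        return KsUafCryptoLayer.unwrapObjectStatic(Base64.decode(authenticatorDatabase.getAKConfig(), KEY_ENCODING_FLAGS)) != null;
    }

    /** Returns the attachment hint set, which contains only the internal hint. */
    @Override // com.noknok.android.client.asm.sdk.IAuthenticatorKernel
    public EnumSet<IAuthenticatorKernel.AttachmentHint> getAttachmentHint() {
        return EnumSet.of(IAuthenticatorKernel.AttachmentHint.ATTACHMENT_HINT_INTERNAL);
    }

    /** Returns a new {@link AKDigestMethod} on every call. */
    @Override // com.noknok.android.client.asm.sdk.IAuthenticatorKernel
    public IAKDigestMethod getDigestMethod() {
        return new AKDigestMethod();
    }

    /** Always returns {@code true}; this kernel has no post-processing step. */
    @Override // com.noknok.android.client.asm.sdk.IAuthenticatorKernel
    public boolean postProcess() {
        return true;
    }

    /**
     * Decodes a TLV request and dispatches it by command tag.
     *
     * @param bArr TLV-encoded request
     * @param map caller-supplied data forwarded to the command handlers
     * @return the encoded response, or {@code null} when the command tag is not supported
     * @throws AuthenticatorException declared by the interface
     */
    @Override // com.noknok.android.client.asm.sdk.IAuthenticatorKernel
    public byte[] processRequest(byte[] bArr, Map<IAuthenticatorKernel.AKDataKeys, Object> map) throws AuthenticatorException {
        AKProcessor.AKRequestParams request = TLVCommandEncoder.decodeRequest(bArr);
        switch (request.cmd) {
            case 13313: // 0x3401, answered with the get-info response
                return TLVCommandEncoder.prepareGetInfoResponse(this.mAkUafInfo);
            case 13314: // 0x3402
                return processRegister(request, bArr, map);
            case 13315: // 0x3403
                return processSign(request, bArr, map);
            case 13316: // 0x3404
                return processDeregister(request, bArr, map);
            default:
                // Callers must handle the null return; no error response is encoded here.
                Logger.e(TAG, "Unsupported command " + ((int) request.cmd));
                return null;
        }
    }

    /** Always returns {@code true}: deregistration needs the key handle to locate the key. */
    @Override // com.noknok.android.client.asm.sdk.IAuthenticatorKernel
    public boolean requiresKeyHandleForDereg() {
        return true;
    }
}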
