package androidx.security.identity;

import android.content.Context;
import android.icu.util.Calendar;
import android.util.Log;
import android.util.Pair;
import androidx.biometric.BiometricPrompt;
import androidx.security.identity.PersonalizationData;
import androidx.security.identity.SimpleResultData;
import co.nstant.in.cbor.CborBuilder;
import co.nstant.in.cbor.CborDecoder;
import co.nstant.in.cbor.CborEncoder;
import co.nstant.in.cbor.CborException;
import co.nstant.in.cbor.builder.MapBuilder;
import co.nstant.in.cbor.model.Array;
import co.nstant.in.cbor.model.ByteString;
import co.nstant.in.cbor.model.DataItem;
import co.nstant.in.cbor.model.Map;
import co.nstant.in.cbor.model.UnicodeString;
import com.microsoft.identity.common.java.crypto.key.AES256KeyLoader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPoint;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes2.dex */
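/**
 * Software-backed {@link IdentityCredential}: loads credential data by name, derives the
 * per-session AES-GCM keys via ECDH + HKDF, enforces the access control profiles of each
 * requested entry and signs the returned data with an authentication key.
 *
 * <p>This listing is decompiler output (see the JADX markers in the file), so parameter names
 * such as {@code bArr} and {@code str} are synthetic. The numeric status values used below are
 * passed straight to {@code SimpleResultData.Builder.addErrorStatus}; the symbolic names quoted
 * in the comments are presumed to be the {@code ResultData.STATUS_*} constants. TODO confirm
 * against {@code ResultData}.
 *
 * <p>Instances keep mutable session state (keys, counters, cached user-auth result) without any
 * synchronization visible in this class.
 */
class SoftwareIdentityCredential extends IdentityCredential {
    private static final String TAG = "SWIdentityCredential";
    private Context mContext;
    private String mCredentialName;
    // Loaded by loadData() and replaced by update(); null until loadData() succeeds.
    private CredentialData mData;
    // Message counters that form the last four bytes of the AES-GCM nonce in each direction.
    private int mSKDeviceCounter;
    private int mSKReaderCounter;
    private KeyPair mEphemeralKeyPair = null;
    private SecretKey mSKDevice = null;
    private SecretKey mSKReader = null;
    private byte[] mAuthKeyAssociatedData = null;
    private PrivateKey mAuthKey = null;
    private BiometricPrompt.CryptoObject mCryptoObject = null;
    private PublicKey mReaderEphemeralPublicKey = null;
    private byte[] mSessionTranscript = null;
    // NOTE(review): exhausted authentication keys are allowed by default; callers that do not
    // want a key reused past its use count must call setAllowUsingExhaustedKeys(false).
    boolean mAllowUsingExhaustedKeys = true;
    boolean mAllowUsingExpiredKeys = false;
    // The user-authentication probe is run once per instance and its result is cached.
    private boolean mDidUserAuthResult = false;
    private boolean mDidUserAuthAlreadyCalled = false;

    /**
     * Creates a handle for the named credential. Call {@link #loadData()} before use.
     *
     * @param context application context used for credential storage access
     * @param str     credential name
     * @param i       cipher suite identifier; only the value 1 is accepted
     * @throws CipherSuiteNotSupportedException if {@code i} is not 1
     */
    public SoftwareIdentityCredential(Context context, String str, int i) throws CipherSuiteNotSupportedException {
        if (i != 1) {
            throw new CipherSuiteNotSupportedException("Unsupported Cipher Suite");
        }
        this.mContext = context;
        this.mCredentialName = str;
    }

    /**
     * Evaluates the access control profiles attached to one entry. Access is granted as soon as
     * any single profile is satisfied.
     *
     * @param collection  profile ids protecting the entry
     * @param collection2 reader certificate chain, or null when there is no reader signature
     * @return 0 when a profile grants access; otherwise the status of the last profile checked,
     *         or 6 (presumably STATUS_NO_ACCESS_CONTROL_PROFILES) when the entry has no profiles
     */
    private int checkAccess(Collection<AccessControlProfileId> collection, Collection<X509Certificate> collection2) {
        int status = 6;
        for (AccessControlProfileId profileId : collection) {
            status = checkAccessSingleProfile(this.mData.getAccessControlProfile(profileId), collection2);
            if (status == 0) {
                break;
            }
        }
        return status;
    }

    /**
     * Checks one access control profile: user authentication first, then reader authentication.
     *
     * @param accessControlProfile profile to evaluate
     * @param collection           reader certificate chain, or null when none was presented
     * @return 0 on success, 4 (presumably STATUS_USER_AUTHENTICATION_FAILED) or
     *         5 (presumably STATUS_READER_AUTHENTICATION_FAILED)
     */
    private int checkAccessSingleProfile(AccessControlProfile accessControlProfile, Collection<X509Certificate> collection) {
        if (accessControlProfile.isUserAuthenticationRequired() && !this.mData.checkUserAuthentication(accessControlProfile.getAccessControlProfileId(), didUserAuth())) {
            return 4;
        }
        X509Certificate readerCertificate = accessControlProfile.getReaderCertificate();
        if (readerCertificate != null) {
            if (collection == null) {
                return 5;
            }
            // The profile matches when ANY certificate in the presented chain carries the same
            // encoded public key as the profile's reader certificate. The chain itself is
            // validated, and the signature verified, in getEntries() before it gets here.
            byte[] expectedKey = readerCertificate.getPublicKey().getEncoded();
            boolean matched = false;
            for (X509Certificate candidate : collection) {
                if (Arrays.equals(expectedKey, candidate.getPublicKey().getEncoded())) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                return 5;
            }
        }
        return 0;
    }

    /**
     * Deletes the named credential without a challenge.
     *
     * @param context application context
     * @param str     credential name
     * @return whatever {@code CredentialData.delete} returns for a null challenge
     */
    public static byte[] delete(Context context, String str) {
        return CredentialData.delete(context, str, null);
    }

    /** Returns the cached user-authentication result, probing once on first use. */
    private boolean didUserAuth() {
        if (!this.mDidUserAuthAlreadyCalled) {
            this.mDidUserAuthResult = didUserAuthNoCache();
            this.mDidUserAuthAlreadyCalled = true;
        }
        return this.mDidUserAuthResult;
    }

    /**
     * Probes user authentication by running the CryptoObject's cipher over 16 zero bytes.
     *
     * @return false when no CryptoObject was created or the cipher operation fails with a
     *         padding/block-size error; true when it completes
     */
    private boolean didUserAuthNoCache() {
        BiometricPrompt.CryptoObject cryptoObject = this.mCryptoObject;
        if (cryptoObject == null) {
            return false;
        }
        try {
            // presumably the keystore key behind this cipher is auth-bound, so a completed
            // doFinal means the user authenticated; verify against CredentialData.
            cryptoObject.getCipher().doFinal(new byte[16]);
            return true;
        } catch (BadPaddingException | IllegalBlockSizeException unused) {
            return false;
        }
    }

    /**
     * Selects the authentication key used for signing, once per instance.
     *
     * @throws NoAuthenticationKeyAvailableException if no key can be selected under the current
     *         exhausted/expired key policy
     */
    private void ensureAuthKey() throws NoAuthenticationKeyAvailableException {
        if (this.mAuthKey != null) {
            return;
        }
        Pair<PrivateKey, byte[]> selected = this.mData.selectAuthenticationKey(this.mAllowUsingExhaustedKeys, this.mAllowUsingExpiredKeys);
        if (selected == null) {
            throw new NoAuthenticationKeyAvailableException("No authentication key available for signing");
        }
        this.mAuthKey = selected.first;
        this.mAuthKeyAssociatedData = selected.second;
    }

    /**
     * Builds a CryptoObject around an AES-GCM cipher keyed with the per-reader session key from
     * the Android keystore. Does nothing when the credential has no such key alias.
     *
     * @throws RuntimeException if the keystore entry is missing, is not a secret key, or the
     *         cipher cannot be initialised
     */
    private void ensureCryptoObject() {
        String perReaderSessionKeyAlias = this.mData.getPerReaderSessionKeyAlias();
        if (perReaderSessionKeyAlias.isEmpty()) {
            return;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            // getEntry() returns null for an unknown alias; fail with context instead of letting
            // a bare NullPointerException/ClassCastException escape.
            KeyStore.Entry entry = keyStore.getEntry(perReaderSessionKeyAlias, null);
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw new RuntimeException("No secret key entry for perReaderSessionKey");
            }
            SecretKey secretKey = ((KeyStore.SecretKeyEntry) entry).getSecretKey();
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, secretKey);
            this.mCryptoObject = new BiometricPrompt.CryptoObject(cipher);
        } catch (IOException | InvalidKeyException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException | NoSuchPaddingException e) {
            throw new RuntimeException("Error creating Cipher for perReaderSessionKey", e);
        }
    }

    /**
     * Derives the session keys on first use: ECDH between the device ephemeral private key and
     * the reader ephemeral public key, then HKDF (HmacSha256) salted with the SHA-256 of the
     * tagged session transcript, producing 32-byte keys labelled "SKDevice" and "SKReader".
     * Both message counters start at 1.
     *
     * @throws RuntimeException if the reader key, session transcript or ephemeral key pair is
     *         missing, or if key agreement fails
     */
    private void ensureSessionEncryptionKey() {
        if (this.mSKDevice != null) {
            return;
        }
        if (this.mReaderEphemeralPublicKey == null) {
            throw new RuntimeException("Reader ephemeral key not set");
        }
        if (this.mSessionTranscript == null) {
            throw new RuntimeException("Session transcript not set");
        }
        // Same style of guard as above: without it a missing createEphemeralKeyPair() call
        // surfaced as a NullPointerException with no context.
        if (this.mEphemeralKeyPair == null) {
            throw new RuntimeException("Ephemeral key pair not created");
        }
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
            keyAgreement.init(this.mEphemeralKeyPair.getPrivate());
            keyAgreement.doPhase(this.mReaderEphemeralPublicKey, true);
            byte[] sharedSecret = keyAgreement.generateSecret();
            byte[] salt = MessageDigest.getInstance("SHA-256").digest(Util.prependSemanticTagForEncodedCbor(this.mSessionTranscript));
            // HKDF info labels, identical bytes to the original numeric arrays.
            byte[] deviceInfo = new byte[]{'S', 'K', 'D', 'e', 'v', 'i', 'c', 'e'};
            byte[] readerInfo = new byte[]{'S', 'K', 'R', 'e', 'a', 'd', 'e', 'r'};
            this.mSKDevice = new SecretKeySpec(Util.computeHkdf("HmacSha256", sharedSecret, salt, deviceInfo, 32), AES256KeyLoader.AES_ALGORITHM);
            this.mSKReader = new SecretKeySpec(Util.computeHkdf("HmacSha256", sharedSecret, salt, readerInfo, 32), AES256KeyLoader.AES_ALGORITHM);
            this.mSKDeviceCounter = 1;
            this.mSKReaderCounter = 1;
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Error performing key agreement", e);
        }
    }

    /**
     * Checks that the device ephemeral public key appears in the first element of the session
     * transcript, which binds the transcript to this session's key pair.
     *
     * @param bArr CBOR-encoded session transcript; must decode to a two-element array whose
     *             first element is a byte string
     * @return true when the byte string contains the X or the Y coordinate (leading zeroes
     *         stripped); false on any parse error or when no key pair was created
     */
    private boolean hasEphemeralKeyInDeviceEngagement(byte[] bArr) {
        if (this.mEphemeralKeyPair == null) {
            return false;
        }
        try {
            List<DataItem> items = new CborDecoder(new ByteArrayInputStream(bArr)).decode();
            if (items.size() != 1 || !(items.get(0) instanceof Array) || ((Array) items.get(0)).getDataItems().size() != 2) {
                Log.e(TAG, "SessionTranscript is not an array of length 2");
                return false;
            }
            DataItem first = ((Array) items.get(0)).getDataItems().get(0);
            if (!(first instanceof ByteString)) {
                Log.e(TAG, "First element of SessionTranscript array is not a bstr");
                return false;
            }
            byte[] bytes = ((ByteString) first).getBytes();
            ECPoint w = ((ECPublicKey) this.mEphemeralKeyPair.getPublic()).getW();
            // NOTE(review): this accepts the transcript when EITHER coordinate is found as a raw
            // byte substring, while the exception text in getEntries() speaks of "X and Y".
            // Confirm whether requiring both is intended before tightening; left as-is here.
            return Util.hasSubByteArray(bytes, Util.stripLeadingZeroes(w.getAffineX().toByteArray())) || Util.hasSubByteArray(bytes, Util.stripLeadingZeroes(w.getAffineY().toByteArray()));
        } catch (CborException unused) {
            Log.e(TAG, "Error parsing SessionTranscript CBOR");
            return false;
        }
    }

    /**
     * Extracts the requested entry names per namespace from a CBOR request message.
     *
     * <p>NOTE(review): the request message comes from the reader, yet a malformed one is
     * reported with an unchecked {@link RuntimeException} rather than the
     * {@code InvalidRequestMessageException} that getEntries() declares. Callers should treat
     * the RuntimeException as a rejected request.
     *
     * @param bArr CBOR request message, or null
     * @return namespace name to requested entry names; empty when {@code bArr} is null
     * @throws RuntimeException if the message is not a single map with a "nameSpaces" map of
     *         string-keyed maps
     */
    private static HashMap<String, Collection<String>> parseRequestMessage(byte[] bArr) {
        HashMap<String, Collection<String>> requested = new HashMap<>();
        if (bArr == null) {
            return requested;
        }
        try {
            List<DataItem> items = new CborDecoder(new ByteArrayInputStream(bArr)).decode();
            if (items.size() != 1) {
                throw new RuntimeException("Expected 1 item, found " + items.size());
            }
            if (!(items.get(0) instanceof Map)) {
                throw new RuntimeException("Item is not a map");
            }
            DataItem nameSpacesItem = ((Map) items.get(0)).get(new UnicodeString("nameSpaces"));
            if (!(nameSpacesItem instanceof Map)) {
                throw new RuntimeException("nameSpaces entry not found or not map");
            }
            Map nameSpaces = (Map) nameSpacesItem;
            for (DataItem namespaceKey : nameSpaces.getKeys()) {
                if (!(namespaceKey instanceof UnicodeString)) {
                    throw new RuntimeException("Key item in NameSpaces map not UnicodeString");
                }
                String namespaceName = ((UnicodeString) namespaceKey).getString();
                // Typed list instead of the raw ArrayList the decompiler produced.
                ArrayList<String> entryNames = new ArrayList<>();
                DataItem entriesItem = nameSpaces.get(namespaceKey);
                if (!(entriesItem instanceof Map)) {
                    throw new RuntimeException("Value item in NameSpaces map not Map");
                }
                for (DataItem entryKey : ((Map) entriesItem).getKeys()) {
                    if (!(entryKey instanceof UnicodeString)) {
                        throw new RuntimeException("Item in nameSpaces array not UnicodeString");
                    }
                    entryNames.add(((UnicodeString) entryKey).getString());
                }
                requested.put(namespaceName, entryNames);
            }
            return requested;
        } catch (CborException e) {
            throw new RuntimeException("Error decoding request message", e);
        }
    }

    /**
     * Resolves every namespace the caller asked for, one namespace at a time.
     *
     * @param bArr       raw request message, or null
     * @param hashMap    entries named in the request message, per namespace
     * @param collection validated reader certificate chain, or null
     * @param map        entries the calling app wants, per namespace
     * @param builder    receives values and per-entry error statuses
     * @param mapBuilder receives the CBOR form of the values that were released
     */
    private void retrieveValues(byte[] bArr, HashMap<String, Collection<String>> hashMap, Collection<X509Certificate> collection, java.util.Map<String, Collection<String>> map, SimpleResultData.Builder builder, MapBuilder<CborBuilder> mapBuilder) {
        for (java.util.Map.Entry<String, Collection<String>> wanted : map.entrySet()) {
            String namespaceName = wanted.getKey();
            retrieveValuesForNamespace(builder, mapBuilder, wanted.getValue(), bArr, hashMap.get(namespaceName), collection, namespaceName, this.mData.lookupNamespaceData(namespaceName));
        }
    }

    /**
     * Releases or refuses each wanted entry of one namespace. An entry is released only when it
     * exists, is covered by the request message (if there is one) and passes access control.
     *
     * @param builder       receives values and error statuses
     * @param mapBuilder    parent CBOR map; a sub-map for the namespace is created lazily on the
     *                      first released entry
     * @param collection    entry names the calling app wants
     * @param bArr          raw request message, or null
     * @param collection2   entry names present in the request message for this namespace, or null
     * @param collection3   validated reader certificate chain, or null
     * @param str           namespace name
     * @param namespaceData stored data for the namespace, or null if unknown
     */
    private void retrieveValuesForNamespace(SimpleResultData.Builder builder, MapBuilder<CborBuilder> mapBuilder, Collection<String> collection, byte[] bArr, Collection<String> collection2, Collection<X509Certificate> collection3, String str, PersonalizationData.NamespaceData namespaceData) {
        MapBuilder<MapBuilder<CborBuilder>> namespaceMap = null;
        for (String entryName : collection) {
            byte[] entryValue = namespaceData != null ? namespaceData.getEntryValue(entryName) : null;
            if (entryValue == null) {
                // 1: presumably STATUS_NO_SUCH_ENTRY
                builder.addErrorStatus(str, entryName, 1);
            } else if (bArr == null || (collection2 != null && collection2.contains(entryName))) {
                // With no request message at all, the "named in the request" filter is skipped;
                // access control profiles are still enforced.
                int status = checkAccess(namespaceData.getAccessControlProfileIds(entryName), collection3);
                if (status != 0) {
                    builder.addErrorStatus(str, entryName, status);
                } else {
                    builder.addEntry(str, entryName, entryValue);
                    if (namespaceMap == null) {
                        namespaceMap = mapBuilder.putMap(str);
                    }
                    namespaceMap.put(new UnicodeString(entryName), Util.cborToDataItem(entryValue));
                }
            } else {
                // 3: presumably STATUS_NOT_IN_REQUEST_MESSAGE
                builder.addErrorStatus(str, entryName, 3);
            }
        }
    }

    /**
     * Returns the session's ephemeral EC key pair (curve prime256v1), generating it on first call.
     *
     * @throws RuntimeException if the key pair cannot be generated
     */
    @Override // androidx.security.identity.IdentityCredential
    public KeyPair createEphemeralKeyPair() {
        if (this.mEphemeralKeyPair == null) {
            try {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("EC");
                keyPairGenerator.initialize(new ECGenParameterSpec("prime256v1"));
                this.mEphemeralKeyPair = keyPairGenerator.generateKeyPair();
            } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
                throw new RuntimeException("Error generating ephemeral key", e);
            }
        }
        return this.mEphemeralKeyPair;
    }

    /**
     * Decrypts and authenticates one message from the reader with AES-GCM (128-bit tag).
     *
     * @param bArr ciphertext followed by the GCM tag
     * @return the plaintext
     * @throws MessageDecryptionException if authentication or decryption fails
     */
    @Override // androidx.security.identity.IdentityCredential
    public byte[] decryptMessageFromReader(byte[] bArr) throws MessageDecryptionException {
        ensureSessionEncryptionKey();
        // 12-byte nonce: 0x00000000 | 0x00000000 | reader message counter.
        ByteBuffer nonce = ByteBuffer.allocate(12);
        nonce.putInt(0, 0);
        nonce.putInt(4, 0);
        nonce.putInt(8, this.mSKReaderCounter);
        try {
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, this.mSKReader, new GCMParameterSpec(128, nonce.array()));
            byte[] plaintext = cipher.doFinal(bArr);
            // Advance only after a successful decrypt, so a rejected message does not
            // desynchronise the counter.
            this.mSKReaderCounter++;
            return plaintext;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new MessageDecryptionException("Error decrypting message", e);
        }
    }

    /**
     * Deletes this credential.
     *
     * @param bArr challenge forwarded to {@code CredentialData.delete}
     * @return whatever {@code CredentialData.delete} returns
     */
    @Override // androidx.security.identity.IdentityCredential
    public byte[] delete(byte[] bArr) {
        return CredentialData.delete(this.mContext, this.mCredentialName, bArr);
    }

    /**
     * Encrypts one message to the reader with AES-GCM (128-bit tag).
     *
     * @param bArr plaintext
     * @return ciphertext followed by the GCM tag
     * @throws RuntimeException if session keys cannot be derived or encryption fails
     */
    @Override // androidx.security.identity.IdentityCredential
    public byte[] encryptMessageToReader(byte[] bArr) {
        ensureSessionEncryptionKey();
        try {
            // 12-byte nonce: 0x00000000 | 0x00000001 | device message counter. Nonce uniqueness
            // under mSKDevice depends entirely on this counter never repeating within a session.
            ByteBuffer nonce = ByteBuffer.allocate(12);
            nonce.putInt(0, 0);
            nonce.putInt(4, 1);
            nonce.putInt(8, this.mSKDeviceCounter);
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.ENCRYPT_MODE, this.mSKDevice, new GCMParameterSpec(128, nonce.array()));
            byte[] ciphertext = cipher.doFinal(bArr);
            this.mSKDeviceCounter++;
            return ciphertext;
        } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException("Error encrypting message", e);
        }
    }

    /** Delegates to the loaded credential data. */
    @Override // androidx.security.identity.IdentityCredential
    public Collection<X509Certificate> getAuthKeysNeedingCertification() {
        return this.mData.getAuthKeysNeedingCertification();
    }

    /** Returns the per-key use counts reported by the loaded credential data. */
    @Override // androidx.security.identity.IdentityCredential
    public int[] getAuthenticationDataUsageCount() {
        return this.mData.getAuthKeyUseCounts();
    }

    /** Returns the credential key certificate chain from the loaded credential data. */
    @Override // androidx.security.identity.IdentityCredential
    public Collection<X509Certificate> getCredentialKeyCertificateChain() {
        return this.mData.getCredentialKeyCertificateChain();
    }

    /**
     * Creates a fresh CryptoObject for a biometric prompt.
     *
     * @return the CryptoObject, or null when the credential has no per-reader session key alias
     */
    @Override // androidx.security.identity.IdentityCredential
    public BiometricPrompt.CryptoObject getCryptoObject() {
        ensureCryptoObject();
        return this.mCryptoObject;
    }

    /**
     * Retrieves the requested entries, enforcing reader authentication and access control, and
     * signs the result when a session transcript is set.
     *
     * @param bArr  CBOR request message from the reader, or null
     * @param map   entries the calling app wants, per namespace
     * @param bArr2 COSE_Sign1 reader signature, or null when the reader is not authenticated
     * @return the released values, per-entry statuses and (with a session transcript) the
     *         static authentication data and ECDSA signature
     * @throws NoAuthenticationKeyAvailableException if no authentication key can be selected
     * @throws InvalidReaderSignatureException if the reader signature, its certificate chain or
     *         its preconditions are invalid
     * @throws EphemeralPublicKeyNotFoundException if the session transcript does not contain
     *         the device ephemeral public key
     * @throws RuntimeException if the request message is malformed or encoding/signing fails
     */
    @Override // androidx.security.identity.IdentityCredential
    public ResultData getEntries(byte[] bArr, java.util.Map<String, Collection<String>> map, byte[] bArr2) throws NoAuthenticationKeyAvailableException, InvalidReaderSignatureException, InvalidRequestMessageException, EphemeralPublicKeyNotFoundException {
        Collection<X509Certificate> readerCertChain;
        byte[] transcript = this.mSessionTranscript;
        if (transcript != null && !hasEphemeralKeyInDeviceEngagement(transcript)) {
            throw new EphemeralPublicKeyNotFoundException("Did not find ephemeral public key X and Y coordinates in SessionTranscript (make sure leading zeroes are not used)");
        }
        HashMap<String, Collection<String>> requested = parseRequestMessage(bArr);
        if (bArr2 == null) {
            // No reader signature: profiles that require a reader certificate will fail.
            readerCertChain = null;
        } else {
            if (this.mSessionTranscript == null) {
                throw new InvalidReaderSignatureException("readerSignature non-null but sessionTranscript was null");
            }
            if (bArr == null) {
                throw new InvalidReaderSignatureException("readerSignature non-null but requestMessage was null");
            }
            try {
                Collection<X509Certificate> x5chain = Util.coseSign1GetX5Chain(bArr2);
                if (x5chain.size() < 1) {
                    throw new InvalidReaderSignatureException("No x5chain element in reader signature");
                }
                if (!Util.validateCertificateChain(x5chain)) {
                    throw new InvalidReaderSignatureException("Error validating certificate chain");
                }
                try {
                    // The signature must cover this session's transcript and this request, and
                    // is verified with the public key of the first certificate in the chain.
                    if (!Util.coseSign1CheckSignature(bArr2, Util.prependSemanticTagForEncodedCbor(Util.buildReaderAuthenticationCbor(this.mSessionTranscript, bArr)), x5chain.iterator().next().getPublicKey())) {
                        throw new InvalidReaderSignatureException("Reader signature check failed");
                    }
                    readerCertChain = x5chain;
                } catch (InvalidKeyException | NoSuchAlgorithmException e) {
                    throw new InvalidReaderSignatureException("Error checking reader signature", e);
                }
            } catch (CertificateException e2) {
                throw new InvalidReaderSignatureException("Error getting x5chain element", e2);
            }
        }
        SimpleResultData.Builder builder = new SimpleResultData.Builder();
        CborBuilder cborBuilder = new CborBuilder();
        retrieveValues(bArr, requested, readerCertChain, map, builder, cborBuilder.addMap());
        ByteArrayOutputStream encoded = new ByteArrayOutputStream();
        try {
            new CborEncoder(encoded).encode(cborBuilder.build().get(0));
            byte[] authenticatedData = encoded.toByteArray();
            builder.setAuthenticatedData(authenticatedData);
            if (this.mSessionTranscript != null) {
                ensureAuthKey();
                builder.setStaticAuthenticationData(this.mAuthKeyAssociatedData);
                // Device signature over docType + session transcript + the released data.
                byte[] toBeSigned = Util.prependSemanticTagForEncodedCbor(Util.buildDeviceAuthenticationCbor(this.mData.getDocType(), this.mSessionTranscript, authenticatedData));
                try {
                    Signature signature = Signature.getInstance("SHA256withECDSA");
                    signature.initSign(this.mAuthKey);
                    builder.setEcdsaSignature(Util.coseSign1Sign(signature, (byte[]) null, toBeSigned, (Collection<X509Certificate>) null));
                } catch (InvalidKeyException | NoSuchAlgorithmException | CertificateEncodingException e3) {
                    throw new RuntimeException("Error signing DeviceAuthentication CBOR", e3);
                }
            }
            return builder.build();
        } catch (CborException e4) {
            throw new RuntimeException("Error encoding deviceNameSpace", e4);
        }
    }

    /**
     * Loads the stored data for this credential.
     *
     * @return true when data was found; false leaves the credential unusable
     */
    public boolean loadData() {
        CredentialData loaded = CredentialData.loadCredentialData(this.mContext, this.mCredentialName);
        this.mData = loaded;
        return loaded != null;
    }

    /**
     * Delegates proof of ownership to the loaded credential data.
     *
     * @param bArr challenge
     */
    @Override // androidx.security.identity.IdentityCredential
    public byte[] proveOwnership(byte[] bArr) {
        return this.mData.proveOwnership(bArr);
    }

    /** Sets whether authentication keys past their use count may still be selected. */
    @Override // androidx.security.identity.IdentityCredential
    public void setAllowUsingExhaustedKeys(boolean z) {
        this.mAllowUsingExhaustedKeys = z;
    }

    /** Sets whether expired authentication keys may still be selected. */
    @Override // androidx.security.identity.IdentityCredential
    public void setAllowUsingExpiredKeys(boolean z) {
        this.mAllowUsingExpiredKeys = z;
    }

    /**
     * Forwards the authentication key policy to the loaded credential data.
     *
     * @param i  first value passed to {@code CredentialData.setAvailableAuthenticationKeys}
     *           (key count, judging by its use in update())
     * @param i2 second value (maximum uses per key, judging by its use in update())
     */
    @Override // androidx.security.identity.IdentityCredential
    public void setAvailableAuthenticationKeys(int i, int i2) {
        this.mData.setAvailableAuthenticationKeys(i, i2);
    }

    /** Stores the reader's ephemeral public key used for session key agreement. */
    @Override // androidx.security.identity.IdentityCredential
    public void setReaderEphemeralPublicKey(PublicKey publicKey) {
        this.mReaderEphemeralPublicKey = publicKey;
    }

    /**
     * Sets the session transcript; allowed once per instance. A defensive copy is stored so
     * later changes to the caller's array cannot alter what gets signed.
     *
     * @param bArr CBOR-encoded session transcript
     * @throws RuntimeException if a transcript was already set
     */
    @Override // androidx.security.identity.IdentityCredential
    public void setSessionTranscript(byte[] bArr) {
        if (this.mSessionTranscript != null) {
            throw new RuntimeException("SessionTranscript already set");
        }
        this.mSessionTranscript = bArr.clone();
    }

    /**
     * Stores issuer-provided static authentication data for an authentication key.
     *
     * @param x509Certificate certificate identifying the authentication key
     * @param calendar        value forwarded as the second argument (null in the overload below)
     * @param bArr            static authentication data
     * @throws UnknownAuthenticationKeyException as thrown by the credential data
     */
    @Override // androidx.security.identity.IdentityCredential
    public void storeStaticAuthenticationData(X509Certificate x509Certificate, Calendar calendar, byte[] bArr) throws UnknownAuthenticationKeyException {
        this.mData.storeStaticAuthenticationData(x509Certificate, calendar, bArr);
    }

    /** Same as the three-argument overload with a null {@code Calendar}. */
    @Override // androidx.security.identity.IdentityCredential
    public void storeStaticAuthenticationData(X509Certificate x509Certificate, byte[] bArr) throws UnknownAuthenticationKeyException {
        this.mData.storeStaticAuthenticationData(x509Certificate, null, bArr);
    }

    /**
     * Replaces the credential's personalization data while keeping its docType, credential key
     * chain and authentication key policy.
     *
     * @param personalizationData new data
     * @return the signed proof of provisioning for the new data
     * @throws RuntimeException if SHA-256 is unavailable
     */
    @Override // androidx.security.identity.IdentityCredential
    public byte[] update(PersonalizationData personalizationData) {
        try {
            // Capture everything needed from the old data before its keys are deleted.
            String docType = this.mData.getDocType();
            Collection<X509Certificate> credentialKeyCertificateChain = this.mData.getCredentialKeyCertificateChain();
            PrivateKey credentialKeyPrivate = this.mData.getCredentialKeyPrivate();
            int authKeyCount = this.mData.getAuthKeyCount();
            int authMaxUsesPerKey = this.mData.getAuthMaxUsesPerKey();
            byte[] proofOfProvisioning = SoftwareWritableIdentityCredential.buildProofOfProvisioningWithSignature(docType, personalizationData, credentialKeyPrivate);
            byte[] proofDigest = MessageDigest.getInstance("SHA-256").digest(Util.coseSign1GetData(proofOfProvisioning));
            // NOTE(review): keys are deleted before the replacement data is created; if
            // createCredentialData fails, the old keys are already gone. Confirm this is
            // acceptable for the caller's recovery path.
            this.mData.deleteKeysForReplacement();
            Context context = this.mContext;
            String credentialName = this.mCredentialName;
            CredentialData replacement = CredentialData.createCredentialData(context, docType, credentialName, CredentialData.getAliasFromCredentialName(credentialName), credentialKeyCertificateChain, personalizationData, proofDigest, true);
            this.mData = replacement;
            replacement.setAvailableAuthenticationKeys(authKeyCount, authMaxUsesPerKey);
            return proofOfProvisioning;
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Error digesting ProofOfProvisioning", e);
        }
    }
}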
