package com.yubico.yubikit.piv;

import android.os.Build;
import android.util.SparseArray;
import com.google.common.base.Ascii;
import com.yubico.yubikit.Iso7816Application;
import com.yubico.yubikit.apdu.Apdu;
import com.yubico.yubikit.apdu.Tlv;
import com.yubico.yubikit.apdu.TlvUtils;
import com.yubico.yubikit.apdu.Version;
import com.yubico.yubikit.exceptions.ApduException;
import com.yubico.yubikit.exceptions.ApplicationNotFound;
import com.yubico.yubikit.exceptions.BadRequestException;
import com.yubico.yubikit.exceptions.BadResponseException;
import com.yubico.yubikit.exceptions.NotSupportedOperation;
import com.yubico.yubikit.exceptions.UnexpectedTagException;
import com.yubico.yubikit.exceptions.YubiKeyCommunicationException;
import com.yubico.yubikit.piv.CryptoUtils;
import com.yubico.yubikit.transport.YubiKeySession;
import com.yubico.yubikit.utils.Logger;
import com.yubico.yubikit.utils.StringUtils;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes2.dex */
public class PivApplication extends Iso7816Application {
    public static final short APPLICATION_NOT_FOUND_ERROR = 27266;
    public static final short AUTHENTICATION_REQUIRED_ERROR = 27010;
    public static final short AUTH_METHOD_BLOCKED = 27011;
    public static final short FILE_NOT_FOUND_ERROR = 27266;
    public static final short INCORRECT_VALUES_ERROR = 27264;
    private static final byte INS_ATTEST = -7;
    private static final byte INS_AUTHENTICATE = -121;
    private static final byte INS_CHANGE_REFERENCE = 36;
    private static final byte INS_GENERATE_ASYMMETRIC = 71;
    private static final byte INS_GET_DATA = -53;
    private static final byte INS_GET_VERSION = -3;
    private static final byte INS_IMPORT_KEY = -2;
    private static final byte INS_PUT_DATA = -37;
    private static final byte INS_RESET = -5;
    private static final byte INS_RESET_RETRY = 44;
    private static final byte INS_SET_MGMKEY = -1;
    private static final byte INS_SET_PIN_RETRIES = -6;
    private static final byte INS_VERIFY = 32;
    private static final byte PIN_P2 = Byte.MIN_VALUE;
    private static final int PIN_SIZE = 8;
    private static final byte PUK_P2 = -127;
    private static final int TAG_AUTH_CHALLENGE = 129;
    private static final int TAG_AUTH_RESPONSE = 130;
    private static final int TAG_AUTH_WITNESS = 128;
    private static final int TAG_CERTIFICATE = 112;
    private static final int TAG_CERT_INFO = 113;
    private static final int TAG_DYN_AUTH = 124;
    private static final int TAG_GEN_ALGORITHM = 128;
    private static final int TAG_LRC = 254;
    private static final int TAG_OBJ_DATA = 83;
    private static final int TAG_OBJ_ID = 92;
    private static final int TAG_PIN_POLICY = 170;
    private static final int TAG_TOUCH_POLICY = 171;
    private static final byte TDES = 3;
    private Version version;
    private static final byte[] AID = {-96, 0, 0, 3, 8};
    private static final List<Algorithm> SUPPORTED_ALGORITHMS = Arrays.asList(Algorithm.RSA1024, Algorithm.RSA2048, Algorithm.ECCP256, Algorithm.ECCP384);
    private static final byte[] RSA_HASH_SHA256_PREFIX = {48, 49, 48, Ascii.CR, 6, 9, 96, -122, 72, 1, 101, 3, 4, 2, 1, 5, 0, 4, 32};

    /* renamed from: com.yubico.yubikit.piv.PivApplication$1, reason: invalid class name */
    /* loaded from: classes2.dex */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$yubico$yubikit$piv$Algorithm;

        static {
            int[] iArr = new int[Algorithm.values().length];
            $SwitchMap$com$yubico$yubikit$piv$Algorithm = iArr;
            try {
                iArr[Algorithm.RSA1024.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                $SwitchMap$com$yubico$yubikit$piv$Algorithm[Algorithm.RSA2048.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            try {
                $SwitchMap$com$yubico$yubikit$piv$Algorithm[Algorithm.ECCP256.ordinal()] = 3;
            } catch (NoSuchFieldError unused3) {
            }
            try {
                $SwitchMap$com$yubico$yubikit$piv$Algorithm[Algorithm.ECCP384.ordinal()] = 4;
            } catch (NoSuchFieldError unused4) {
            }
        }
    }

    public PivApplication(YubiKeySession yubiKeySession) throws IOException, ApduException, ApplicationNotFound {
        super(AID, yubiKeySession);
        try {
            try {
                select();
                Version parse = Version.parse(sendAndReceive(new Apdu(0, -3, 0, 0, null)));
                this.version = parse;
                if (parse == null) {
                    close();
                }
            } catch (ApduException e) {
                if (e.getStatusCode() != 27266) {
                    throw e;
                }
                throw new ApplicationNotFound("PIV application is disabled on this device");
            }
        } catch (Throwable th) {
            if (this.version == null) {
                close();
            }
            throw th;
        }
    }

    private byte[] addPkcs1_15Padding(int i, byte[] bArr) throws IOException {
        int length = (i - (RSA_HASH_SHA256_PREFIX.length + bArr.length)) - 3;
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(new byte[]{0, 1});
        while (true) {
            int i2 = length - 1;
            if (length <= 0) {
                byteArrayOutputStream.write(0);
                byteArrayOutputStream.write(RSA_HASH_SHA256_PREFIX);
                byteArrayOutputStream.write(bArr);
                return byteArrayOutputStream.toByteArray();
            }
            byteArrayOutputStream.write(-1);
            length = i2;
        }
    }

    private void blockPin() throws IOException, ApduException {
        int pinAttempts = getPinAttempts();
        while (pinAttempts > 0) {
            try {
                verify("");
            } catch (BadRequestException e) {
                throw new RuntimeException(e);
            } catch (InvalidPinException e2) {
                pinAttempts = e2.getRetryCounter();
            }
        }
        Logger.d("PIN is blocked");
    }

    private void blockPuk() throws IOException, ApduException {
        int i = 1;
        while (i > 0) {
            try {
                unblockPin(null, null);
            } catch (BadRequestException e) {
                throw new RuntimeException(e);
            } catch (InvalidPinException e2) {
                i = e2.getRetryCounter();
            }
        }
        Logger.d("PUK is blocked");
    }

    private static byte[] bytesToLength(BigInteger bigInteger, int i) {
        byte[] byteArray = bigInteger.toByteArray();
        Logger.d("Changing byte array from " + byteArray.length + " to " + i);
        if (byteArray.length == i) {
            return byteArray;
        }
        if (byteArray.length > i) {
            return Arrays.copyOfRange(byteArray, byteArray.length - i, byteArray.length);
        }
        byte[] bArr = new byte[i];
        System.arraycopy(byteArray, 0, bArr, i - byteArray.length, byteArray.length);
        return bArr;
    }

    private void changeReference(byte b, byte b2, String str, String str2) throws IOException, ApduException, BadRequestException, InvalidPinException {
        if (str == null) {
            str = "";
        }
        if (str2 == null) {
            str2 = "";
        }
        try {
            sendAndReceive(new Apdu(0, b, 0, b2, pinBytes(str, str2)));
        } catch (ApduException e) {
            int retriesFromCode = getRetriesFromCode(e.getStatusCode());
            if (retriesFromCode < 0) {
                throw e;
            }
            throw new InvalidPinException(retriesFromCode);
        }
    }

    private static byte[] generateChallenge() {
        byte[] bArr = new byte[8];
        if (Build.VERSION.SDK_INT >= 26) {
            try {
                SecureRandom.getInstanceStrong().nextBytes(bArr);
            } catch (NoSuchAlgorithmException unused) {
                new SecureRandom().nextBytes(bArr);
            }
        } else {
            new SecureRandom().nextBytes(bArr);
        }
        return bArr;
    }

    private byte[] getMessageHash(byte[] bArr) throws NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA256");
        messageDigest.update(bArr);
        return messageDigest.digest();
    }

    private int getRetriesFromCode(int i) {
        if (i == 27011) {
            return 0;
        }
        if (this.version.isLessThan(1, 0, 4)) {
            if (i < 25344 || i > 25599) {
                return -1;
            }
            return i & 255;
        }
        if (i < 25536 || i > 25551) {
            return -1;
        }
        return i & 15;
    }

    private X509Certificate parseCertificate(byte[] bArr) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
    }

    private static byte[] pinBytes(String str) throws BadRequestException {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        if (bytes.length > 8) {
            throw new BadRequestException("PIN/PUK must be no longer than 8 bytes");
        }
        byte[] copyOf = Arrays.copyOf(bytes, 8);
        Arrays.fill(copyOf, str.length(), 8, (byte) -1);
        return copyOf;
    }

    private static byte[] pinBytes(String str, String str2) throws IOException, BadRequestException {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(pinBytes(str));
        byteArrayOutputStream.write(pinBytes(str2));
        return byteArrayOutputStream.toByteArray();
    }

    public X509Certificate attest(Slot slot) throws IOException, YubiKeyCommunicationException {
        if (this.version.isLessThan(4, 3, 0)) {
            throw new NotSupportedOperation("This operation is supported for version 4.3+");
        }
        try {
            return parseCertificate(sendAndReceive(new Apdu(0, -7, slot.value, 0, null)));
        } catch (ApduException e) {
            if (27264 == e.getStatusCode()) {
                throw new ApduException(e.getApdu(), String.format(Locale.ROOT, "Make sure that key is generated on slot %02X", Integer.valueOf(slot.value)));
            }
            throw e;
        } catch (CertificateException e2) {
            throw new BadResponseException("Failed to parse certificate", e2);
        }
    }

    public void authenticate(byte[] bArr) throws IOException, ApduException, BadResponseException {
        byte[] unwrapTlv = TlvUtils.unwrapTlv(TlvUtils.unwrapTlv(sendAndReceive(new Apdu(0, -121, 3, Slot.CARD_MANAGEMENT.value, new Tlv(124, new Tlv(128, (byte[]) null).getBytes()).getBytes())), 124), 128);
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, "DESede");
        try {
            ArrayList arrayList = new ArrayList();
            arrayList.add(new Tlv(128, CryptoUtils.decryptDESede(secretKeySpec, unwrapTlv)));
            byte[] generateChallenge = generateChallenge();
            arrayList.add(new Tlv(TAG_AUTH_CHALLENGE, generateChallenge));
            byte[] unwrapTlv2 = TlvUtils.unwrapTlv(TlvUtils.unwrapTlv(sendAndReceive(new Apdu(0, -121, 3, Slot.CARD_MANAGEMENT.value, new Tlv(124, TlvUtils.packTlvList(arrayList)).getBytes())), 124), TAG_AUTH_RESPONSE);
            byte[] encryptDESede = CryptoUtils.encryptDESede(secretKeySpec, generateChallenge);
            if (Arrays.equals(unwrapTlv2, encryptDESede)) {
                return;
            }
            Logger.d(String.format(Locale.ROOT, "Expected response: %s and Actual response %s", StringUtils.bytesToHex(encryptDESede), StringUtils.bytesToHex(unwrapTlv2)));
            throw new BadResponseException("Calculated response for challenge is incorrect");
        } catch (InvalidKeyException | NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException | NoSuchPaddingException e) {
            throw new RuntimeException(e);
        }
    }

    public void changePin(String str, String str2) throws IOException, ApduException, InvalidPinException, BadRequestException {
        changeReference(INS_CHANGE_REFERENCE, Byte.MIN_VALUE, str, str2);
    }

    public void changePuk(String str, String str2) throws IOException, ApduException, BadRequestException, InvalidPinException {
        changeReference(INS_CHANGE_REFERENCE, PUK_P2, str, str2);
    }

    public void deleteCertificate(Slot slot) throws IOException, ApduException {
        putObject(slot.object, null);
    }

    public PublicKey generateKey(Slot slot, Algorithm algorithm, PinPolicy pinPolicy, TouchPolicy touchPolicy) throws IOException, ApduException, BadResponseException {
        if (!SUPPORTED_ALGORITHMS.contains(algorithm)) {
            throw new IllegalArgumentException(String.format(Locale.ROOT, "Unsupported algorithm: 0x%02x", Integer.valueOf(algorithm.value)));
        }
        boolean z = algorithm == Algorithm.RSA1024 || algorithm == Algorithm.RSA2048;
        if (z && this.version.isAtLeast(4, 2, 0) && this.version.isLessThan(4, 3, 5)) {
            throw new UnsupportedOperationException("RSA key generation is not supported on this YubiKey");
        }
        if (this.version.isLessThan(4, 0, 0)) {
            if (algorithm == Algorithm.ECCP384) {
                throw new UnsupportedOperationException("Elliptic curve P384 is not supported on this YubiKey");
            }
            if (touchPolicy != TouchPolicy.DEFAULT || pinPolicy != PinPolicy.DEFAULT) {
                throw new UnsupportedOperationException("PIN/Touch policy is not supported on this YubiKey");
            }
        }
        if (touchPolicy == TouchPolicy.CACHED && this.version.isLessThan(4, 3, 0)) {
            throw new UnsupportedOperationException("Cached touch policy is not supported on this YubiKey");
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(new Tlv(128, new byte[]{(byte) algorithm.value}));
        if (pinPolicy != PinPolicy.DEFAULT) {
            arrayList.add(new Tlv(TAG_PIN_POLICY, new byte[]{(byte) pinPolicy.value}));
        }
        if (touchPolicy != TouchPolicy.DEFAULT) {
            arrayList.add(new Tlv(TAG_TOUCH_POLICY, new byte[]{(byte) touchPolicy.value}));
        }
        SparseArray<byte[]> parseTlvMap = TlvUtils.parseTlvMap(TlvUtils.unwrapTlv(sendAndReceive(new Apdu(0, 71, 0, slot.value, new Tlv(-84, TlvUtils.packTlvList(arrayList)).getBytes())), 32585));
        try {
            if (z) {
                return CryptoUtils.publicRsaKey(new BigInteger(1, parseTlvMap.get(TAG_AUTH_CHALLENGE)), new BigInteger(1, parseTlvMap.get(TAG_AUTH_RESPONSE)));
            }
            return CryptoUtils.publicEccKey(algorithm == Algorithm.ECCP256 ? CryptoUtils.Curve.P256 : CryptoUtils.Curve.P384, parseTlvMap.get(134));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }

    public X509Certificate getCertificate(Slot slot) throws IOException, ApduException, BadResponseException {
        SparseArray<byte[]> parseTlvMap = TlvUtils.parseTlvMap(getObject(slot.object));
        byte[] bArr = parseTlvMap.get(113);
        if (bArr != null && bArr.length > 0 && bArr[0] != 0) {
            throw new BadResponseException("Compressed certificates are not supported");
        }
        try {
            return parseCertificate(parseTlvMap.get(112));
        } catch (CertificateException e) {
            throw new BadResponseException("Failed to parse certificate: ", e);
        }
    }

    public byte[] getObject(byte[] bArr) throws IOException, ApduException, UnexpectedTagException {
        return TlvUtils.unwrapTlv(sendAndReceive(new Apdu(0, -53, 63, 255, new Tlv(92, bArr).getBytes())), 83);
    }

    public int getPinAttempts() throws IOException, ApduException {
        try {
            verify(null);
            throw new IllegalStateException("Verification with null pin never returns success status");
        } catch (BadRequestException e) {
            throw new RuntimeException(e);
        } catch (InvalidPinException e2) {
            return e2.getRetryCounter();
        }
    }

    public Version getVersion() {
        return this.version;
    }

    public Algorithm importKey(Slot slot, PrivateKey privateKey, PinPolicy pinPolicy, TouchPolicy touchPolicy) throws IOException, ApduException {
        Algorithm algorithm;
        int i;
        int i2;
        ArrayList arrayList = new ArrayList();
        if (!"PKCS#8".equals(privateKey.getFormat())) {
            throw new UnsupportedEncodingException("Unsupported private key encoding");
        }
        if ("RSA".equals(privateKey.getAlgorithm())) {
            RSAPrivateCrtKey rSAPrivateCrtKey = (RSAPrivateCrtKey) privateKey;
            int bitLength = rSAPrivateCrtKey.getModulus().bitLength();
            if (bitLength == 1024) {
                algorithm = Algorithm.RSA1024;
                i2 = 64;
            } else {
                if (bitLength != 2048) {
                    throw new UnsupportedEncodingException("Unsupported RSA key size = " + rSAPrivateCrtKey.getModulus().bitLength());
                }
                algorithm = Algorithm.RSA2048;
                i2 = 128;
            }
            if (rSAPrivateCrtKey.getPublicExponent().intValue() != 65537) {
                throw new UnsupportedEncodingException("Unsupported RSA public exponent");
            }
            arrayList.add(new Tlv(1, bytesToLength(rSAPrivateCrtKey.getPrimeP(), i2)));
            arrayList.add(new Tlv(2, bytesToLength(rSAPrivateCrtKey.getPrimeQ(), i2)));
            arrayList.add(new Tlv(3, bytesToLength(rSAPrivateCrtKey.getPrimeExponentP(), i2)));
            arrayList.add(new Tlv(4, bytesToLength(rSAPrivateCrtKey.getPrimeExponentQ(), i2)));
            arrayList.add(new Tlv(5, bytesToLength(rSAPrivateCrtKey.getCrtCoefficient(), i2)));
        } else {
            if (!"EC".equals(privateKey.getAlgorithm())) {
                throw new UnsupportedEncodingException("Unsupported private key algorithm");
            }
            ECPrivateKey eCPrivateKey = (ECPrivateKey) privateKey;
            int fieldSize = eCPrivateKey.getParams().getCurve().getField().getFieldSize();
            if (fieldSize == 256) {
                algorithm = Algorithm.ECCP256;
                i = 32;
            } else {
                if (fieldSize != 384) {
                    throw new UnsupportedEncodingException("Unsupported curve");
                }
                algorithm = Algorithm.ECCP384;
                i = 48;
            }
            arrayList.add(new Tlv(6, bytesToLength(eCPrivateKey.getS(), i)));
        }
        if (pinPolicy != PinPolicy.DEFAULT) {
            arrayList.add(new Tlv(TAG_PIN_POLICY, new byte[]{(byte) pinPolicy.value}));
        }
        if (touchPolicy != TouchPolicy.DEFAULT) {
            arrayList.add(new Tlv(TAG_TOUCH_POLICY, new byte[]{(byte) touchPolicy.value}));
        }
        sendAndReceive(new Apdu(0, -2, algorithm.value, slot.value, TlvUtils.packTlvList(arrayList)));
        return algorithm;
    }

    public void putCertificate(Slot slot, X509Certificate x509Certificate) throws IOException, ApduException {
        try {
            byte[] encoded = x509Certificate.getEncoded();
            ArrayList arrayList = new ArrayList();
            arrayList.add(new Tlv(112, encoded));
            arrayList.add(new Tlv(113, new byte[]{0}));
            arrayList.add(new Tlv(TAG_LRC, (byte[]) null));
            putObject(slot.object, TlvUtils.packTlvList(arrayList));
        } catch (CertificateEncodingException e) {
            throw new IllegalArgumentException("Failed to get encoded version of certificate", e);
        }
    }

    public void putObject(byte[] bArr, byte[] bArr2) throws IOException, ApduException {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new Tlv(92, bArr));
        arrayList.add(new Tlv(83, bArr2));
        sendAndReceive(new Apdu(0, -37, 63, 255, TlvUtils.packTlvList(arrayList)));
    }

    public void reset() throws IOException, ApduException {
        blockPin();
        blockPuk();
        sendAndReceive(new Apdu(0, -5, 0, 0, null));
    }

    public void setManagementKey(byte[] bArr) throws IOException, ApduException {
        if (bArr.length != 24) {
            throw new IllegalArgumentException("Management key must be 24 bytes");
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(3);
        byteArrayOutputStream.write(new Tlv(Slot.CARD_MANAGEMENT.value, bArr).getBytes());
        sendAndReceive(new Apdu(0, -1, 255, 255, byteArrayOutputStream.toByteArray()));
    }

    public void setPinRetries(int i, int i2) throws IOException, ApduException {
        sendAndReceive(new Apdu(0, -6, i, i2, null));
    }

    /* JADX WARN: Code restructure failed: missing block: B:15:0x0035, code lost:
    
        if (r15.length <= 48) goto L21;
     */
    /* JADX WARN: Code restructure failed: missing block: B:16:0x0037, code lost:
    
        r0 = true;
     */
    /* JADX WARN: Code restructure failed: missing block: B:32:0x0039, code lost:
    
        r0 = false;
     */
    /* JADX WARN: Code restructure failed: missing block: B:36:0x0059, code lost:
    
        if (r15.length <= 32) goto L21;
     */
    /* JADX WARN: Code restructure failed: missing block: B:38:0x005d, code lost:
    
        if (r15.length == 256) goto L21;
     */
    /* JADX WARN: Code restructure failed: missing block: B:40:0x0061, code lost:
    
        if (r15.length == 128) goto L21;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public byte[] sign(com.yubico.yubikit.piv.Slot r13, com.yubico.yubikit.piv.Algorithm r14, byte[] r15) throws java.io.IOException, com.yubico.yubikit.exceptions.ApduException {
        /*
            Method dump skipped, instructions count: 272
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.yubico.yubikit.piv.PivApplication.sign(com.yubico.yubikit.piv.Slot, com.yubico.yubikit.piv.Algorithm, byte[]):byte[]");
    }

    public void unblockPin(String str, String str2) throws IOException, ApduException, BadRequestException, InvalidPinException {
        changeReference(INS_RESET_RETRY, Byte.MIN_VALUE, str, str2);
    }

    public void verify(String str) throws IOException, ApduException, BadRequestException, InvalidPinException {
        try {
            sendAndReceive(new Apdu(0, 32, 0, -128, str != null ? pinBytes(str) : null));
        } catch (ApduException e) {
            int retriesFromCode = getRetriesFromCode(e.getStatusCode());
            if (retriesFromCode < 0) {
                throw e;
            }
            throw new InvalidPinException(retriesFromCode);
        }
    }
}
