package de.cardcontact.opencard.eac;

import de.cardcontact.opencard.eac.cvc.ECPublicKeyTLV;
import de.cardcontact.opencard.eac.cvc.PublicKeyTLV;
import de.cardcontact.opencard.security.IsoSecureChannel;
import de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMKey;
import de.cardcontact.tlv.ObjectIdentifier;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/cardcontact/opencard/eac/ChipAuthentication.class */
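/**
 * Terminal-side helper for ECDH based Chip Authentication (protocol identifiers under the
 * BSI TR-03110 {@code id-CA-ECDH} arc).
 *
 * <p>Usage order visible from the code: {@link #generateEphemeralCAKeyPair()}, then
 * {@link #performKeyAgreement(PublicKey, byte[])}, then
 * {@link #verifyAuthenticationToken(byte[])}, and finally {@link #getIsoSecureChannel()}.
 * The class itself does not enforce this order and does not remember whether the
 * authentication token was verified; callers must only use the secure channel after a
 * successful verification.
 *
 * <p>Instances hold key material in mutable fields and are not synchronized.
 */
public class ChipAuthentication {
    /** Chip Authentication with ECDH, 3DES secure messaging (last OID arc 1). */
    public static final ObjectIdentifier id_CA_ECDH_3DES_CBC_CBC = new ObjectIdentifier(new int[]{0, 4, 0, 127, 0, 7, 2, 2, 3, 2, 1});
    /** Chip Authentication with ECDH, AES-128 secure messaging (last OID arc 2). */
    public static final ObjectIdentifier id_CA_ECDH_AES_CBC_CMAC_128 = new ObjectIdentifier(new int[]{0, 4, 0, 127, 0, 7, 2, 2, 3, 2, 2});
    /** Chip Authentication with ECDH, AES-192 secure messaging (last OID arc 3). */
    public static final ObjectIdentifier id_CA_ECDH_AES_CBC_CMAC_192 = new ObjectIdentifier(new int[]{0, 4, 0, 127, 0, 7, 2, 2, 3, 2, 3});
    /** Chip Authentication with ECDH, AES-256 secure messaging (last OID arc 4). */
    public static final ObjectIdentifier id_CA_ECDH_AES_CBC_CMAC_256 = new ObjectIdentifier(new int[]{0, 4, 0, 127, 0, 7, 2, 2, 3, 2, 4});

    /** Length in bytes of the authentication token compared in {@link #verifyAuthenticationToken(byte[])}. */
    private static final int TOKEN_LENGTH = 8;

    final Logger logger = LoggerFactory.getLogger(ChipAuthentication.class);
    // Curve selection; its name() is handed to ECGenParameterSpec.
    StandardizedDomainParameter domainParameter;
    // Protocol OID; its last value byte selects hash, cipher and key length.
    ObjectIdentifier protocol;
    // Ephemeral terminal key pair, set by generateEphemeralCAKeyPair().
    KeyPair caKeyPair;
    // Session encryption key, set by performKeyAgreement().
    SecretKey kenc;
    // Session MAC key, set by performKeyAgreement().
    SecretKey kmac;

    /**
     * Creates a chip authentication context.
     *
     * @param objectIdentifier the protocol identifier, expected to be one of the
     *     {@code id_CA_ECDH_*} constants of this class
     * @param standardizedDomainParameter the domain parameter naming the curve to use
     */
    public ChipAuthentication(ObjectIdentifier objectIdentifier, StandardizedDomainParameter standardizedDomainParameter) {
        this.protocol = objectIdentifier;
        this.domainParameter = standardizedDomainParameter;
    }

    /**
     * Generates a fresh EC key pair on the configured curve and stores it in this instance.
     *
     * @throws RuntimeException if the EC key generator is unavailable or rejects the curve name
     */
    public void generateEphemeralCAKeyPair() {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(SmartCardHSMKey.EC);
            keyPairGenerator.initialize(new ECGenParameterSpec(this.domainParameter.name()));
            this.caKeyPair = keyPairGenerator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            this.logger.error("Can not obtain and initialize EC key generator", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the x-coordinate of the ephemeral public key as a fixed-length unsigned value.
     *
     * @return the affine x-coordinate, padded to the byte length of the curve's field
     */
    public byte[] getCompressedPublicKey() {
        ECPublicKey publicKey = (ECPublicKey) this.caKeyPair.getPublic();
        int fieldLength = fieldLengthInBytes(publicKey);
        byte[] xCoordinate = new byte[fieldLength];
        PublicKeyTLV.toUnsignedByteArray(publicKey.getW().getAffineX(), xCoordinate, 0, fieldLength);
        return xCoordinate;
    }

    /**
     * Returns the ephemeral public key point as encoded by {@link ECPublicKeyTLV#encodePoint}.
     *
     * @return the encoded public point
     */
    public byte[] getEncodedPublicKey() {
        ECPublicKey publicKey = (ECPublicKey) this.caKeyPair.getPublic();
        return ECPublicKeyTLV.encodePoint(publicKey.getW(), fieldLengthInBytes(publicKey));
    }

    /**
     * Returns the value bytes of the protocol object identifier.
     *
     * @return the protocol OID value
     */
    public byte[] getProtocol() {
        return this.protocol.getValue();
    }

    /** Returns the size of the key's underlying field rounded up to whole bytes. */
    private static int fieldLengthInBytes(ECPublicKey publicKey) {
        return (publicKey.getParams().getCurve().getField().getFieldSize() + 7) >> 3;
    }

    /**
     * Derives one session key as {@code H(sharedSecret || kdfInput || counter)} with a
     * 32-bit big-endian counter.
     *
     * <p>Variants 1 and 2 hash with SHA-1, variants 3 and 4 with SHA-256. Variant 1 yields a
     * two-key 3DES key (K1 || K2 || K1 from the first 16 digest bytes); the other variants
     * yield an AES key made of the first {@code 8 * variant} digest bytes.
     *
     * <p>All intermediate buffers holding secret material are cleared before returning, also
     * when derivation fails.
     *
     * @param variant last byte of the protocol OID value, 1 to 4
     * @param sharedSecret the raw ECDH shared secret
     * @param counter 1 for the encryption key, 2 for the MAC key (as used by the caller)
     * @param kdfInput additional bytes hashed after the shared secret; presumably the nonce
     *     of the key derivation function - confirm against the caller
     * @return the derived key
     * @throws IllegalArgumentException if {@code variant} is not in the range 1 to 4
     * @throws RuntimeException if a required algorithm is unavailable
     */
    private SecretKey deriveKey(int variant, byte[] sharedSecret, int counter, byte[] kdfInput) {
        // Reject unknown OID arcs up front rather than failing later with an array error.
        if (variant < 1 || variant > 4) {
            throw new IllegalArgumentException("Unsupported chip authentication variant " + variant);
        }
        // Sized to fit the actual input instead of a fixed 80 bytes, so that a long shared
        // secret combined with a long kdfInput cannot overflow the buffer.
        ByteBuffer kdfData = ByteBuffer.allocate(sharedSecret.length + kdfInput.length + 4);
        kdfData.put(sharedSecret);
        kdfData.put(kdfInput);
        // Big-endian: three zero bytes followed by the low byte of the counter.
        kdfData.putInt(counter & 0xFF);

        byte[] digest = null;
        byte[] keyBytes = null;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(variant <= 2 ? "SHA1" : "SHA256");
            messageDigest.update(kdfData.array(), 0, kdfData.position());
            digest = messageDigest.digest();
            if (variant == 1) {
                keyBytes = new byte[24];
                System.arraycopy(digest, 0, keyBytes, 0, 16);
                System.arraycopy(digest, 0, keyBytes, 16, 8);
                return SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(keyBytes));
            }
            keyBytes = Arrays.copyOf(digest, 8 * variant);
            return new SecretKeySpec(keyBytes, SmartCardHSMKey.AES);
        } catch (GeneralSecurityException e) {
            this.logger.error(e.getMessage(), e);
            throw new RuntimeException(e);
        } finally {
            // DESedeKeySpec and SecretKeySpec copy the key bytes, so the local copies can be
            // wiped without affecting the returned key.
            Arrays.fill(kdfData.array(), (byte) 0);
            if (digest != null) {
                Arrays.fill(digest, (byte) 0);
            }
            if (keyBytes != null) {
                Arrays.fill(keyBytes, (byte) 0);
            }
        }
    }

    /**
     * Runs ECDH with the ephemeral private key and derives the session keys {@code kenc}
     * and {@code kmac}.
     *
     * <p>{@link #generateEphemeralCAKeyPair()} must have been called before. The shared
     * secret is cleared before this method returns, also when key derivation fails.
     *
     * @param publicKey the peer's public key
     *     (NOTE(review): validation of the point and its domain parameters is left to the
     *     JCE provider - confirm the configured provider rejects invalid points)
     * @param bArr additional key derivation input that is hashed after the shared secret
     * @throws RuntimeException if the key agreement fails
     */
    public void performKeyAgreement(PublicKey publicKey, byte[] bArr) {
        byte[] sharedSecret = null;
        try {
            KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
            keyAgreement.init(this.caKeyPair.getPrivate());
            keyAgreement.doPhase(publicKey, true);
            sharedSecret = keyAgreement.generateSecret();
            byte[] oidValue = this.protocol.getValue();
            // The last byte of the OID value selects the algorithm variant.
            byte variant = oidValue[oidValue.length - 1];
            this.kenc = deriveKey(variant, sharedSecret, 1, bArr);
            this.kmac = deriveKey(variant, sharedSecret, 2, bArr);
        } catch (GeneralSecurityException e) {
            this.logger.error("Can not agree key", e);
            throw new RuntimeException(e);
        } finally {
            if (sharedSecret != null) {
                Arrays.fill(sharedSecret, (byte) 0);
            }
        }
    }

    /**
     * Verifies the authentication token received from the peer.
     *
     * <p>The expected token is the MAC, under {@code kmac}, of the TLV encoding of the
     * ephemeral public key, truncated to 8 bytes. AES keys use {@code AESCMAC}, any other
     * key uses {@code ISO9797ALG3Mac}; both names must be supplied by an installed provider.
     *
     * @param bArr the token to check; {@code null} or a token of another length is rejected
     * @return {@code true} if the token matches
     * @throws RuntimeException if the MAC cannot be computed
     */
    public boolean verifyAuthenticationToken(byte[] bArr) {
        ECPublicKeyTLV publicKeyTlv = new ECPublicKeyTLV(this.protocol, (ECPublicKey) this.caKeyPair.getPublic(), false);
        try {
            // Ask the key for its algorithm through the SecretKey interface: a DESede key
            // produced by a SecretKeyFactory is not necessarily a SecretKeySpec, so a cast
            // would fail depending on the provider.
            boolean aes = this.kmac.getAlgorithm().equals(SmartCardHSMKey.AES);
            Mac mac = aes ? Mac.getInstance("AESCMAC") : Mac.getInstance("ISO9797ALG3Mac");
            mac.init(this.kmac);
            mac.update(publicKeyTlv.getBytes());
            byte[] expected = mac.doFinal();
            if (expected.length > TOKEN_LENGTH) {
                expected = Arrays.copyOf(expected, TOKEN_LENGTH);
            }
            // Constant-time comparison, so the time taken does not reveal how many leading
            // bytes of a wrong token were correct.
            return MessageDigest.isEqual(expected, bArr);
        } catch (GeneralSecurityException e) {
            this.logger.error(e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds a secure channel from the derived session keys.
     *
     * <p>The send sequence counter starts at all zeros: 8 bytes for the 3DES protocol,
     * 16 bytes plus the {@code SYNC_AND_ENCRYPT} policy for the AES protocols. This method
     * does not check that {@link #verifyAuthenticationToken(byte[])} succeeded; the caller
     * is responsible for that.
     *
     * @return a new secure channel configured with {@code kenc} and {@code kmac}
     */
    public IsoSecureChannel getIsoSecureChannel() {
        IsoSecureChannel channel = new IsoSecureChannel();
        channel.setEncKey(this.kenc);
        channel.setMacKey(this.kmac);
        if (this.protocol.equals(id_CA_ECDH_3DES_CBC_CBC)) {
            channel.setMACSendSequenceCounter(new byte[8]);
        } else {
            channel.setMACSendSequenceCounter(new byte[16]);
            channel.setSendSequenceCounterPolicy(IsoSecureChannel.SSCPolicyEnum.SYNC_AND_ENCRYPT);
        }
        return channel;
    }
}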
