package de.cardcontact.opencard.security;

import de.cardcontact.ctapi.CTAPI;
import de.cardcontact.opencard.service.isocard.IsoConstants;
import de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMKey;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import opencard.core.service.CardServiceInvalidCredentialException;
import opencard.core.service.CardServiceInvalidParameterException;
import opencard.core.terminal.CommandAPDU;
import opencard.core.terminal.ResponseAPDU;
import opencard.core.util.HexString;
import opencard.opt.util.TLV;
import opencard.opt.util.Tag;

/* loaded from: input_file:de/cardcontact/opencard/security/IsoSecureChannel.class */
public class IsoSecureChannel implements SecureChannel {
    protected String provider;
    protected String macalgorithm;
    protected String cipheralgorithm;
    protected Key kenc;
    protected Key kmac;
    protected byte[] encssc;
    protected byte[] macssc;
    protected byte[] iv;
    protected byte[] crt;
    protected int maclen;
    protected int blocklen;
    protected SSCPolicyEnum sscpolicy;
    private static byte[] one = {1};
    private static final boolean singleByteT97 = false;

    /* loaded from: input_file:de/cardcontact/opencard/security/IsoSecureChannel$SSCPolicyEnum.class */
    public enum SSCPolicyEnum {
        DEFAULT,
        SYNC,
        SYNC_AND_ENCRYPT
    }

    public IsoSecureChannel() {
        this("BC");
    }

    public IsoSecureChannel(String str) {
        this.sscpolicy = SSCPolicyEnum.DEFAULT;
        this.provider = str;
        this.kenc = null;
        this.kmac = null;
        this.encssc = null;
        this.macssc = null;
        this.iv = new byte[8];
        this.maclen = 8;
        this.blocklen = 8;
        this.crt = null;
    }

    protected static byte[] incrementSSC(byte[] bArr) {
        int i;
        int length;
        int length2;
        BigInteger add = new BigInteger(1, bArr).add(new BigInteger(one));
        byte[] bArr2 = new byte[bArr.length];
        byte[] byteArray = add.toByteArray();
        if (byteArray.length > bArr2.length) {
            i = byteArray.length - bArr2.length;
            length = 0;
            length2 = bArr2.length;
        } else {
            i = 0;
            length = bArr2.length - byteArray.length;
            length2 = byteArray.length;
        }
        System.arraycopy(byteArray, i, bArr2, length, length2);
        return bArr2;
    }

    protected void incrementMACSSC() {
        this.macssc = incrementSSC(this.macssc);
    }

    protected void incrementENCSSC() {
        this.encssc = incrementSSC(this.encssc);
    }

    protected byte[] getIV(Cipher cipher) throws GeneralSecurityException {
        byte[] bArr = this.iv;
        if (this.sscpolicy == SSCPolicyEnum.SYNC_AND_ENCRYPT) {
            cipher.init(1, this.kenc, new IvParameterSpec(bArr));
            bArr = cipher.doFinal(this.macssc);
        } else if (this.sscpolicy == SSCPolicyEnum.SYNC) {
            bArr = this.macssc;
        } else if (this.encssc != null) {
            bArr = this.encssc;
        }
        return bArr;
    }

    protected byte[] encodeBodyEvenINS(byte[] bArr, boolean z, boolean z2) {
        TLV tlv;
        if (z) {
            if (this.encssc != null) {
                incrementENCSSC();
            }
            byte[] bArr2 = new byte[(bArr.length & ((this.blocklen - 1) ^ (-1))) + this.blocklen];
            System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
            bArr2[bArr.length] = Byte.MIN_VALUE;
            try {
                Cipher cipher = Cipher.getInstance(this.cipheralgorithm, this.provider);
                cipher.init(1, this.kenc, new IvParameterSpec(getIV(cipher)));
                byte[] doFinal = cipher.doFinal(bArr2);
                byte[] bArr3 = new byte[doFinal.length + 1];
                bArr3[0] = 1;
                System.arraycopy(doFinal, 0, bArr3, 1, doFinal.length);
                tlv = new TLV(new Tag(z2 ? 7 : 6, (byte) 2, false), bArr3);
                if (!z2 && this.macssc != null) {
                    incrementMACSSC();
                }
            } catch (Exception e) {
                throw new CardServiceInvalidParameterException(e.getMessage());
            }
        } else {
            tlv = new TLV(new Tag(z2 ? 1 : 0, (byte) 2, false), bArr);
        }
        return tlv.toBinary();
    }

    protected byte[] encodeBodyOddINS(byte[] bArr, boolean z, boolean z2) {
        TLV tlv;
        if (z) {
            if (this.encssc != null) {
                incrementENCSSC();
            }
            byte[] bArr2 = new byte[(bArr.length & ((this.blocklen - 1) ^ (-1))) + this.blocklen];
            System.arraycopy(bArr, 0, bArr2, 0, bArr.length);
            bArr2[bArr.length] = Byte.MIN_VALUE;
            try {
                Cipher cipher = Cipher.getInstance(this.cipheralgorithm, this.provider);
                cipher.init(1, this.kenc, new IvParameterSpec(getIV(cipher)));
                tlv = new TLV(new Tag(z2 ? 5 : 4, (byte) 2, false), cipher.doFinal(bArr2));
                if (!z2 && this.macssc != null) {
                    incrementMACSSC();
                }
            } catch (Exception e) {
                throw new CardServiceInvalidParameterException(e.getMessage());
            }
        } else {
            tlv = new TLV(new Tag(z2 ? 3 : 2, (byte) 2, true), bArr);
        }
        return tlv.toBinary();
    }

    protected byte[] calculateMAC(byte b, byte b2, byte b3, byte b4, byte[] bArr, byte[] bArr2) {
        int i = this.blocklen;
        boolean z = false;
        if (this.macssc != null) {
            i += this.macssc.length;
        }
        if (this.crt != null && (this.crt[0] & 1) == 1) {
            i += this.crt.length;
            z = true;
        }
        if (bArr != null) {
            i += bArr.length;
            z = true;
        }
        if (bArr2 != null) {
            i += bArr2.length;
            z = true;
        }
        if (z) {
            i = (i & ((this.blocklen - 1) ^ (-1))) + this.blocklen;
        }
        byte[] bArr3 = new byte[i];
        int i2 = 0;
        if (this.macssc != null) {
            System.arraycopy(this.macssc, 0, bArr3, 0, this.macssc.length);
            i2 = 0 + this.macssc.length;
        }
        int i3 = i2;
        int i4 = i2 + 1;
        bArr3[i3] = (byte) (b | 12);
        int i5 = i4 + 1;
        bArr3[i4] = b2;
        int i6 = i5 + 1;
        bArr3[i5] = b3;
        int i7 = i6 + 1;
        bArr3[i6] = b4;
        int i8 = i7 + 1;
        bArr3[i7] = Byte.MIN_VALUE;
        for (int i9 = this.blocklen - 5; i9 > 0; i9--) {
            int i10 = i8;
            i8++;
            bArr3[i10] = 0;
        }
        if (this.crt != null && (this.crt[0] & 1) == 1) {
            System.arraycopy(this.crt, 0, bArr3, i8, this.crt.length);
            i8 += this.crt.length;
        }
        if (bArr != null) {
            System.arraycopy(bArr, 0, bArr3, i8, bArr.length);
            i8 += bArr.length;
        }
        if (bArr2 != null) {
            System.arraycopy(bArr2, 0, bArr3, i8, bArr2.length);
            i8 += bArr2.length;
        }
        if (z) {
            int i11 = i8;
            int i12 = i8 + 1;
            bArr3[i11] = Byte.MIN_VALUE;
            while (i12 < i) {
                int i13 = i12;
                i12++;
                bArr3[i13] = 0;
            }
        }
        try {
            Mac mac = Mac.getInstance(this.macalgorithm, this.provider);
            mac.init(this.kmac);
            byte[] doFinal = mac.doFinal(bArr3);
            byte[] bArr4 = new byte[2 + this.maclen];
            bArr4[0] = -114;
            bArr4[1] = (byte) this.maclen;
            System.arraycopy(doFinal, 0, bArr4, 2, this.maclen);
            return bArr4;
        } catch (Exception e) {
            throw new CardServiceInvalidParameterException(e.getMessage());
        }
    }

    @Override // de.cardcontact.opencard.security.SecureChannel
    public CommandAPDU wrap(CommandAPDU commandAPDU, int i) {
        boolean z = (i & 1) > 0;
        boolean z2 = (i & 2) > 0;
        int i2 = -1;
        byte[] bArr = null;
        byte b = (byte) (commandAPDU.getByte(0) | 8);
        byte b2 = (byte) commandAPDU.getByte(1);
        byte b3 = (byte) commandAPDU.getByte(2);
        byte b4 = (byte) commandAPDU.getByte(3);
        boolean z3 = (b2 & 1) == 1;
        boolean z4 = false;
        int length = commandAPDU.getLength() - 4;
        if (length > 0) {
            int i3 = 4 + 1;
            int i4 = commandAPDU.getByte(4);
            int i5 = length - 1;
            if (i4 == 0 && i5 > 0) {
                z4 = true;
                if (i5 < 2) {
                    throw new CardServiceInvalidParameterException("Invalid Le in extended APDU");
                }
                i4 = (commandAPDU.getByte(i3) << 8) + commandAPDU.getByte(i3 + 1);
                i3 += 2;
                i5 -= 2;
            }
            if (i5 <= 0) {
                i2 = i4;
            } else {
                if (i5 < i4) {
                    throw new CardServiceInvalidParameterException("Invalid Lc in APDU");
                }
                bArr = new byte[i4];
                System.arraycopy(commandAPDU.getBuffer(), i3, bArr, 0, i4);
                int i6 = i3 + i4;
                i5 -= i4;
                if (i5 > 0) {
                    int i7 = i6 + 1;
                    i2 = commandAPDU.getByte(i6);
                    i5--;
                    if (z4) {
                        if (i5 < 1) {
                            throw new CardServiceInvalidParameterException("Invalid Le in extended APDU");
                        }
                        int i8 = i7 + 1;
                        i2 = (i2 << 8) + commandAPDU.getByte(i7);
                        i5--;
                    }
                }
            }
            if (i5 > 0) {
                throw new CardServiceInvalidParameterException("Unexpected bytes in APDU");
            }
        }
        if (z && this.macssc != null) {
            incrementMACSSC();
        }
        byte[] bArr2 = null;
        if (bArr != null || this.crt != null) {
            bArr2 = z3 ? encodeBodyOddINS(bArr, z2, z) : encodeBodyEvenINS(bArr, z2, z);
        }
        byte[] bArr3 = null;
        byte[] bArr4 = null;
        if (i2 >= 0) {
            bArr3 = new byte[z4 ? 4 : 3];
            bArr3[0] = z ? (byte) -105 : (byte) -106;
            if (z4) {
                bArr3[1] = 2;
                bArr3[2] = (byte) (i2 >> 8);
                bArr3[3] = (byte) (i2 & 255);
            } else {
                bArr3[1] = 1;
                bArr3[2] = (byte) (i2 & 255);
            }
        }
        if (z) {
            b = (byte) (b | 4);
            bArr4 = calculateMAC(b, b2, b3, b4, bArr2, bArr3);
        }
        int i9 = 0;
        if (this.crt != null) {
            i9 = 0 + this.crt.length;
        }
        if (bArr2 != null) {
            i9 += bArr2.length;
        }
        if (bArr3 != null) {
            i9 += bArr3.length;
        }
        if (bArr4 != null) {
            i9 += bArr4.length;
        }
        if (i9 > 255) {
            z4 = true;
        }
        CommandAPDU commandAPDU2 = new CommandAPDU(10 + i9);
        commandAPDU2.append(b);
        commandAPDU2.append(b2);
        commandAPDU2.append(b3);
        commandAPDU2.append(b4);
        if (i9 > 0) {
            if (z4) {
                commandAPDU2.append((byte) 0);
                commandAPDU2.append((byte) (i9 >> 8));
                commandAPDU2.append((byte) (i9 & 255));
            } else {
                commandAPDU2.append((byte) i9);
            }
        }
        if (this.crt != null) {
            commandAPDU2.append(this.crt);
        }
        if (bArr2 != null) {
            commandAPDU2.append(bArr2);
        }
        if (bArr3 != null) {
            commandAPDU2.append(bArr3);
        }
        if (bArr4 != null) {
            commandAPDU2.append(bArr4);
        }
        if (i2 != -1 || (i & 12) > 0) {
            commandAPDU2.append((byte) 0);
            if (z4) {
                commandAPDU2.append((byte) 0);
            }
        }
        return commandAPDU2;
    }

    @Override // de.cardcontact.opencard.security.SecureChannel
    public ResponseAPDU unwrap(ResponseAPDU responseAPDU, int i) {
        boolean z = (i & 4) > 0;
        byte[] bArr = null;
        byte[] bArr2 = null;
        byte[] bArr3 = null;
        byte[] buffer = responseAPDU.getBuffer();
        int length = responseAPDU.getLength();
        int[] iArr = {0};
        while (length > 2) {
            try {
                byte[] binary = new TLV(buffer, iArr).toBinary();
                switch (binary[0]) {
                    case Byte.MIN_VALUE:
                    case CTAPI.ERR_HOST /* -127 */:
                    case -124:
                    case -123:
                    case IsoConstants.INS_GENERAL_AUTH1 /* -122 */:
                    case IsoConstants.INS_GENERAL_AUTH2 /* -121 */:
                    case IsoConstants.INS_READ_RECORD /* -78 */:
                    case -77:
                        if (bArr != null) {
                            throw new CardServiceInvalidParameterException("Data object " + HexString.hexify(binary[0]) + " detected in secure messaging response that contains data object 80,81,84,85,86,86,B2 or B3 as well");
                        }
                        bArr = binary;
                        break;
                    case -114:
                        if (bArr3 != null) {
                            throw new CardServiceInvalidParameterException("Duplicate data object 8E (MAC) found in secure messaging response");
                        }
                        bArr3 = binary;
                        break;
                    case -103:
                        if (bArr2 != null) {
                            throw new CardServiceInvalidParameterException("Duplicate data object 99 (SW) found in secure messaging response");
                        }
                        bArr2 = binary;
                        break;
                    default:
                        throw new CardServiceInvalidParameterException("Unknown data object found in secure messaging response");
                }
                length -= binary.length;
            } catch (Exception e) {
                throw new CardServiceInvalidParameterException("Invalid encoding of TLV object in secure messaging response detected");
            }
        }
        if (length != 2) {
            throw new CardServiceInvalidParameterException("Length of secure messaging response message invalid");
        }
        if (z) {
            if (bArr3 == null) {
                if (responseAPDU.sw() == 27015 || responseAPDU.sw() == 27016 || responseAPDU.sw() == 26754) {
                    return responseAPDU;
                }
                throw new CardServiceInvalidParameterException("MAC data object missing from secure messaging response");
            }
            if (bArr3.length != this.maclen + 2) {
                throw new CardServiceInvalidParameterException("MAC data object has wrong length");
            }
            int i2 = 0;
            if (this.macssc != null) {
                incrementMACSSC();
                i2 = 0 + this.macssc.length;
            }
            if (bArr != null) {
                i2 += bArr.length;
            }
            if (bArr2 != null) {
                i2 += bArr2.length;
            }
            int i3 = (i2 & ((this.blocklen - 1) ^ (-1))) + this.blocklen;
            byte[] bArr4 = new byte[i3];
            int i4 = 0;
            if (this.macssc != null) {
                System.arraycopy(this.macssc, 0, bArr4, 0, this.macssc.length);
                i4 = 0 + this.macssc.length;
            }
            if (bArr != null) {
                System.arraycopy(bArr, 0, bArr4, i4, bArr.length);
                i4 += bArr.length;
            }
            if (bArr2 != null) {
                System.arraycopy(bArr2, 0, bArr4, i4, bArr2.length);
                i4 += bArr2.length;
            }
            int i5 = i4;
            int i6 = i4 + 1;
            bArr4[i5] = Byte.MIN_VALUE;
            while (i6 < i3) {
                int i7 = i6;
                i6++;
                bArr4[i7] = 0;
            }
            try {
                Mac mac = Mac.getInstance(this.macalgorithm, this.provider);
                mac.init(this.kmac);
                byte[] doFinal = mac.doFinal(bArr4);
                if (bArr3[1] != this.maclen) {
                    throw new CardServiceInvalidParameterException("MAC data object has wrong length");
                }
                for (int i8 = 0; i8 < this.maclen; i8++) {
                    if (bArr3[i8 + 2] != doFinal[i8]) {
                        throw new CardServiceInvalidCredentialException("MAC verification failed");
                    }
                }
            } catch (Exception e2) {
                throw new CardServiceInvalidParameterException(e2.getMessage());
            }
        }
        byte[] bArr5 = null;
        if (bArr != null) {
            int i9 = bArr[0] & 254;
            if ((i & 8) > 0) {
                if (i9 != 132 && i9 != 134) {
                    throw new CardServiceInvalidParameterException("Expected enciphered response");
                }
                byte[] valueAsByteArray = new TLV(bArr).valueAsByteArray();
                int i10 = 0;
                if (i9 == 134) {
                    i10 = 1;
                    if (valueAsByteArray[0] != 1) {
                        throw new CardServiceInvalidParameterException("Invalid padding indicator in enciphered block");
                    }
                }
                if (this.encssc != null) {
                    incrementENCSSC();
                }
                byte[] bArr6 = new byte[valueAsByteArray.length - i10];
                System.arraycopy(valueAsByteArray, i10, bArr6, 0, bArr6.length);
                try {
                    Cipher cipher = Cipher.getInstance(this.cipheralgorithm, this.provider);
                    cipher.init(2, this.kenc, new IvParameterSpec(getIV(cipher)));
                    byte[] doFinal2 = cipher.doFinal(bArr6);
                    int length2 = doFinal2.length - 1;
                    while (length2 > 0 && doFinal2[length2] == 0) {
                        length2--;
                    }
                    if (doFinal2[length2] != Byte.MIN_VALUE) {
                        throw new CardServiceInvalidCredentialException("Invalid padding in enciphered block");
                    }
                    bArr5 = new byte[length2];
                    System.arraycopy(doFinal2, 0, bArr5, 0, length2);
                    if (!z && this.macssc != null) {
                        incrementMACSSC();
                    }
                } catch (Exception e3) {
                    throw new CardServiceInvalidParameterException(e3.getMessage());
                }
            } else {
                if (i9 != 128 && i9 != 178) {
                    throw new CardServiceInvalidParameterException("Expected plain response");
                }
                bArr5 = new TLV(bArr).toBinaryContent();
            }
        }
        ResponseAPDU responseAPDU2 = new ResponseAPDU((bArr5 == null ? 0 : bArr5.length) + 2);
        if (bArr5 != null) {
            responseAPDU2.append(bArr5);
        }
        if (bArr2 != null) {
            responseAPDU2.append(bArr2[2]);
            responseAPDU2.append(bArr2[3]);
        } else {
            responseAPDU2.append(buffer[responseAPDU.getLength() - 2]);
            responseAPDU2.append(buffer[responseAPDU.getLength() - 1]);
        }
        return responseAPDU2;
    }

    public void setEncKey(Key key) {
        this.kenc = key;
        this.cipheralgorithm = key.getAlgorithm() + "/CBC/NoPadding";
    }

    public void setMacKey(Key key) {
        this.kmac = key;
        String algorithm = key.getAlgorithm();
        if (algorithm.equals("DESede")) {
            this.macalgorithm = "ISO9797ALG3Mac";
            this.blocklen = 8;
        } else {
            if (!algorithm.equals(SmartCardHSMKey.AES)) {
                throw new CardServiceInvalidParameterException("Unsupported key type " + algorithm + ". Only DESede or AES allowed.");
            }
            this.macalgorithm = "AESCMAC";
            this.blocklen = 16;
        }
        this.iv = new byte[this.blocklen];
    }

    public void setMacAlgorithm(String str) {
        this.macalgorithm = str;
    }

    public void setCipherAlgorithm(String str) {
        this.cipheralgorithm = str;
    }

    public void setIV(byte[] bArr) {
        this.iv = bArr;
    }

    public void setMacLength(int i) {
        this.maclen = i;
    }

    public void setSendSequenceCounter(byte[] bArr) {
        this.macssc = bArr;
    }

    public void setEncryptionSendSequenceCounter(byte[] bArr) {
        this.encssc = bArr;
    }

    public void setMACSendSequenceCounter(byte[] bArr) {
        this.macssc = bArr;
    }

    public byte[] getSendSequenceCounter() {
        return this.macssc;
    }

    public byte[] getEncryptionSendSequenceCounter() {
        return this.encssc;
    }

    public byte[] getMACSendSequenceCounter() {
        return this.macssc;
    }

    public void setSendSequenceCounterPolicy(SSCPolicyEnum sSCPolicyEnum) {
        this.sscpolicy = sSCPolicyEnum;
    }

    public void setCRT(byte[] bArr) {
        this.crt = bArr;
    }
}
