package de.cardcontact.opencard.service.eac20;

import de.cardcontact.opencard.security.IsoCredentialStore;
import de.cardcontact.opencard.security.IsoSecureChannel;
import de.cardcontact.opencard.security.IsoSecureChannelCredential;
import de.cardcontact.opencard.security.MessageAuthenticationCode;
import de.cardcontact.opencard.security.SecureChannel;
import de.cardcontact.opencard.security.SecureChannelCredential;
import de.cardcontact.opencard.service.CardServiceUnexpectedStatusWordException;
import de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMCardService;
import de.cardcontact.opencard.service.smartcardhsm.SmartCardHSMKey;
import de.cardcontact.tlv.ConstructedTLV;
import de.cardcontact.tlv.PrimitiveTLV;
import de.cardcontact.tlv.TLVEncodingException;
import de.cardcontact.tlv.Tag;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECFieldFp;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.EllipticCurve;
import java.util.Arrays;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.DESedeKeySpec;
import javax.crypto.spec.SecretKeySpec;
import opencard.core.service.CardServiceException;
import opencard.core.terminal.CardTerminalException;
import opencard.opt.iso.fs.CardFilePath;
import opencard.opt.security.CredentialStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/cardcontact/opencard/service/eac20/EAC20.class */
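/**
 * EAC 2.0 Chip Authentication against a SmartCard-HSM.
 *
 * <p>{@link #performChipAuthentication()} runs the protocol end to end: it generates an
 * ephemeral EC key pair on brainpoolP256r1, selects the chip-authentication mechanism on the
 * card (MANAGE SECURITY ENVIRONMENT), hands the ephemeral public point to the card with
 * GENERAL AUTHENTICATE, derives the session keys from the ECDH shared secret and the card's
 * nonce, verifies the card's authentication token and finally wraps the resulting
 * {@link IsoSecureChannel} in an {@link IsoSecureChannelCredential} registered for the
 * SmartCard-HSM security domain.
 *
 * <p>The mechanism OIDs, the SHA-1 based key derivation and the 8-byte authentication token
 * follow BSI TR-03110 (id-CA-ECDH-AES-CBC-CMAC-128, with id-CA-ECDH-3DES-CBC-CBC as fallback
 * for cards that reject AES).
 *
 * <p>An instance keeps per-session state (ephemeral key pair, session keys, channel) and is
 * not thread-safe; use one instance per authentication run.
 */
public class EAC20 {

    /** brainpoolP256r1 domain parameters; immutable, so one shared instance is safe. */
    private static final ECParameterSpec EC_PARAMETER_SPEC_BRAINPOOL_P256R1 = createBrainpoolP256r1Spec();

    /** Encoded OID 0.4.0.127.0.7.2.2.3.2.2 (id-CA-ECDH-AES-CBC-CMAC-128), tried first. */
    private static final byte[] PROTOCOL_CA_ECDH_AES_CBC_CMAC_128 = {
        0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x03, 0x02, 0x02
    };

    /** Encoded OID 0.4.0.127.0.7.2.2.3.2.1 (id-CA-ECDH-3DES-CBC-CBC), used when the card rejects AES. */
    private static final byte[] PROTOCOL_CA_ECDH_3DES_CBC_CBC = {
        0x04, 0x00, 0x7F, 0x00, 0x07, 0x02, 0x02, 0x03, 0x02, 0x01
    };

    /** Status word 6A80 ("incorrect parameters in the data field"): the card did not accept the mechanism. */
    private static final int SW_INCORRECT_PARAMETERS = 0x6A80;

    /** Last byte of the protocol OID that selects the 3DES mechanism; any other value selects AES. */
    private static final byte MECHANISM_3DES = 1;

    /** Authentication tokens are the MAC truncated to this many bytes. */
    private static final int AUTHENTICATION_TOKEN_LENGTH = 8;

    /** Card service used to send MANAGE SECURITY ENVIRONMENT and GENERAL AUTHENTICATE. */
    private final SmartCardHSMCardService hsms;
    /** Ephemeral IFD key pair, regenerated per run by {@link #generateEphemeralCAKeyPair()}. */
    private ECPrivateKey prkCA;
    private ECPublicKey pukCA;
    /** Uncompressed encoding (04 || X || Y) of {@link #pukCA}, exactly as sent to the card. */
    private byte[] ephemeralPublicKeyIfd;
    /** Public key supplied by the caller; presumably the card's static device-authentication key. */
    private final ECPublicKey devAuthPK;
    /** Session keys derived with KDF counter 1 (encryption) and 2 (MAC). */
    private SecretKey kenc;
    private SecretKey kmac;
    private IsoSecureChannel sc;
    private IsoSecureChannelCredential credential;
    private CredentialStore store;
    /** Encoded OID of the mechanism the card accepted; its last byte picks 3DES or AES. */
    private byte[] protocol;
    final Logger log = LoggerFactory.getLogger(EAC20.class);
    /** Security domain the credential is registered for; the path presumably names the SmartCard-HSM application AID. */
    private final CardFilePath securityDomain = new CardFilePath("#E82B0601040181C31F0201");

    /**
     * Returns the brainpoolP256r1 domain parameters used for the ephemeral key pair.
     *
     * @return the shared, immutable parameter spec
     */
    public static ECParameterSpec getECParameterSpecforBrainpoolP256r1() {
        return EC_PARAMETER_SPEC_BRAINPOOL_P256R1;
    }

    /** Builds brainpoolP256r1 (p, a, b, G, n, cofactor 1) from its published hex constants. */
    private static ECParameterSpec createBrainpoolP256r1Spec() {
        BigInteger p = new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16);
        BigInteger a = new BigInteger("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16);
        BigInteger b = new BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16);
        BigInteger gx = new BigInteger("8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262", 16);
        BigInteger gy = new BigInteger("547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997", 16);
        BigInteger n = new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16);
        EllipticCurve curve = new EllipticCurve(new ECFieldFp(p), a, b);
        return new ECParameterSpec(curve, new ECPoint(gx, gy), n, 1);
    }

    /**
     * Creates an authenticator bound to a card service and the key to agree a secret with.
     *
     * @param smartCardHSMCardService card service used for the protocol APDUs
     * @param eCPublicKey             public key the ECDH secret is agreed with (the card's
     *                                device-authentication key)
     */
    public EAC20(SmartCardHSMCardService smartCardHSMCardService, ECPublicKey eCPublicKey) {
        this.hsms = smartCardHSMCardService;
        this.devAuthPK = eCPublicKey;
    }

    /**
     * Runs Chip Authentication and establishes the secure channel.
     *
     * <p>Side effects: the ephemeral key pair, the selected {@link #protocol}, both session
     * keys, the {@link IsoSecureChannel} and the {@link IsoSecureChannelCredential} are kept in
     * this instance, and the credential is registered in a new {@link IsoCredentialStore} for
     * {@link #securityDomain}.
     *
     * @return the secure channel credential (also available via {@link #getCredential()})
     * @throws CardServiceException  on card-level failures, including a rejected authentication token
     * @throws CardTerminalException on terminal-level failures
     * @throws RuntimeException      wrapping TLV or JCA failures, which are not recoverable here
     */
    public SecureChannelCredential performChipAuthentication() throws CardServiceException, CardTerminalException {
        generateEphemeralCAKeyPair();
        selectChipAuthenticationMechanism();
        try {
            // The response is the dynamic authentication data template. Its elements are read
            // by position: first the card's nonce, then the card's authentication token.
            ConstructedTLV dynamicAuthenticationData = new ConstructedTLV(doGeneralAuthenticate());
            byte[] nonce = ((PrimitiveTLV) dynamicAuthenticationData.get(0)).getValue();
            byte[] token = ((PrimitiveTLV) dynamicAuthenticationData.get(1)).getValue();
            byte mechanism = this.protocol[this.protocol.length - 1];
            try {
                byte[] sharedSecret = computeSharedSecret();
                try {
                    this.kenc = deriveKey(mechanism, sharedSecret, 1, nonce);
                    this.kmac = deriveKey(mechanism, sharedSecret, 2, nonce);
                } finally {
                    // The raw ECDH secret is no longer needed once the session keys exist.
                    Arrays.fill(sharedSecret, (byte) 0);
                }
                if (!verifyAuthenticationToken(token)) {
                    this.log.error("Authentication token failed verification");
                    throw new CardServiceException("Authentication token failed");
                }
                this.sc = new IsoSecureChannel();
                this.sc.setEncKey(this.kenc);
                this.sc.setMacKey(this.kmac);
                if (mechanism == MECHANISM_3DES) {
                    this.sc.setMACSendSequenceCounter(new byte[8]);
                } else {
                    // AES: 16-byte send sequence counter with the SYNC_AND_ENCRYPT policy.
                    this.sc.setMACSendSequenceCounter(new byte[16]);
                    this.sc.setSendSequenceCounterPolicy(IsoSecureChannel.SSCPolicyEnum.SYNC_AND_ENCRYPT);
                }
                this.credential = new IsoSecureChannelCredential(SecureChannel.ALL, this.sc);
                IsoCredentialStore isoStore = new IsoCredentialStore();
                isoStore.setSecureChannelCredential(this.securityDomain, this.credential);
                this.store = isoStore;
                return this.credential;
            } catch (GeneralSecurityException e) {
                this.log.error(e.getLocalizedMessage(), e);
                throw new RuntimeException(e);
            }
        } catch (TLVEncodingException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Selects the chip-authentication mechanism on the card via MANAGE SECURITY ENVIRONMENT.
     *
     * <p>AES-CMAC is offered first; if the card answers 6A80 the 3DES mechanism is selected
     * instead. Any other unexpected status word is propagated. {@link #protocol} holds the
     * OID the card accepted.
     *
     * @throws CardServiceException  if the card rejects both mechanisms or fails otherwise
     * @throws CardTerminalException on terminal-level failures
     */
    private void selectChipAuthenticationMechanism() throws CardServiceException, CardTerminalException {
        this.protocol = PROTOCOL_CA_ECDH_AES_CBC_CMAC_128.clone();
        try {
            this.hsms.manageSE(cryptographicMechanismReference(this.protocol));
        } catch (CardServiceUnexpectedStatusWordException e) {
            if (e.getSW() != SW_INCORRECT_PARAMETERS) {
                throw e;
            }
            this.protocol = PROTOCOL_CA_ECDH_3DES_CBC_CBC.clone();
            this.hsms.manageSE(cryptographicMechanismReference(this.protocol));
        }
    }

    /**
     * Wraps a protocol OID in the MSE data object. The decompiled tag arguments
     * {@code (0, Byte.MIN_VALUE, false)} presumably denote the context-specific primitive
     * tag 80 (cryptographic mechanism reference) — confirm against the Tag constructor.
     */
    private static byte[] cryptographicMechanismReference(byte[] oid) {
        return new PrimitiveTLV(new Tag(0, Byte.MIN_VALUE, false), oid).getBytes();
    }

    /**
     * ECDH between the ephemeral IFD private key and the caller-supplied card key.
     *
     * <p>The card key's point is re-wrapped with the ephemeral key's domain parameters,
     * presumably so both agreement inputs carry the same curve object.
     *
     * @return the raw shared secret (the x-coordinate as produced by the provider)
     * @throws GeneralSecurityException if the EC/ECDH provider is missing or rejects a key
     */
    private byte[] computeSharedSecret() throws GeneralSecurityException {
        // NOTE(review): no explicit on-curve check of the re-bound point is done here; the JCA
        // provider is relied on to reject invalid points in doPhase() — confirm for the provider in use.
        PublicKey cardKey = KeyFactory.getInstance(SmartCardHSMKey.EC)
                .generatePublic(new ECPublicKeySpec(this.devAuthPK.getW(), this.prkCA.getParams()));
        KeyAgreement ecdh = KeyAgreement.getInstance("ECDH");
        ecdh.init(this.prkCA);
        ecdh.doPhase(cardKey, true);
        return ecdh.generateSecret();
    }

    /**
     * Generates the ephemeral IFD key pair on brainpoolP256r1 into {@link #prkCA}/{@link #pukCA}.
     *
     * @throws RuntimeException wrapping the JCA failure if EC or the curve is unsupported
     */
    private void generateEphemeralCAKeyPair() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance(SmartCardHSMKey.EC);
            generator.initialize(getECParameterSpecforBrainpoolP256r1());
            KeyPair ephemeral = generator.generateKeyPair();
            this.prkCA = (ECPrivateKey) ephemeral.getPrivate();
            this.pukCA = (ECPublicKey) ephemeral.getPublic();
        } catch (GeneralSecurityException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Sends the ephemeral public point to the card with GENERAL AUTHENTICATE.
     *
     * <p>The point is encoded uncompressed (04 || X || Y, coordinates padded to the field
     * size) and stored in {@link #ephemeralPublicKeyIfd}, which is also the input of the
     * authentication token. It is sent inside the 7C dynamic authentication data template.
     *
     * @return the card's response data (the 7C template)
     * @throws CardTerminalException on terminal-level failures
     * @throws CardServiceException  on card-level failures
     * @throws RuntimeException      wrapping TLV encoding failures
     */
    private byte[] doGeneralAuthenticate() throws CardTerminalException, CardServiceException {
        int fieldBits = this.pukCA.getParams().getCurve().getField().getFieldSize();
        this.ephemeralPublicKeyIfd = encodeUncompressedPoint(this.pukCA.getW(), fieldBits);
        try {
            ConstructedTLV dynamicAuthenticationData = new ConstructedTLV(0x7C);
            // The decompiler resolved the inner tag to IsoCredentialStore.DEACTIVATE; TR-03110
            // carries the ephemeral key under tag 80 — confirm that constant's value.
            dynamicAuthenticationData.add(new PrimitiveTLV(IsoCredentialStore.DEACTIVATE, this.ephemeralPublicKeyIfd));
            return this.hsms.generalAuthenticate(dynamicAuthenticationData.getBytes());
        } catch (TLVEncodingException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Encodes an EC point as 04 || X || Y with both coordinates zero-padded to {@code fieldBits}.
     *
     * @param point     affine point to encode
     * @param fieldBits field size in bits; each coordinate occupies {@code ceil(fieldBits / 8)} bytes
     * @return the uncompressed point encoding
     */
    private static byte[] encodeUncompressedPoint(ECPoint point, int fieldBits) {
        byte[] x = unsignedBigIntegerToByteArray(point.getAffineX(), fieldBits);
        byte[] y = unsignedBigIntegerToByteArray(point.getAffineY(), fieldBits);
        byte[] encoded = new byte[1 + x.length + y.length];
        encoded[0] = 0x04;
        System.arraycopy(x, 0, encoded, 1, x.length);
        System.arraycopy(y, 0, encoded, 1 + x.length, y.length);
        return encoded;
    }

    /**
     * Returns the credential established by the last successful
     * {@link #performChipAuthentication()}.
     *
     * @return the credential, or {@code null} if no authentication has completed
     */
    public SecureChannelCredential getCredential() {
        return this.credential;
    }

    /**
     * TR-03110 key derivation: {@code SHA-1(sharedSecret || nonce || 00 00 00 counter)}.
     *
     * @param mechanism    last byte of the selected protocol OID; 1 selects 3DES, anything else AES-128
     * @param sharedSecret ECDH shared secret
     * @param counter      1 for the encryption key, 2 for the MAC key
     * @param nonce        the card's nonce from the GENERAL AUTHENTICATE response
     * @return a DESede key built as K1 || K2 || K1 from the first 16 digest bytes, or an AES
     *         key from the first 16 digest bytes
     * @throws RuntimeException wrapping JCA failures (missing SHA-1/DESede, rejected key bytes)
     */
    private SecretKey deriveKey(byte mechanism, byte[] sharedSecret, int counter, byte[] nonce) {
        // ByteArrayOutputStream's (byte[], int, int) overload does not declare IOException.
        ByteArrayOutputStream kdfInput = new ByteArrayOutputStream();
        kdfInput.write(sharedSecret, 0, sharedSecret.length);
        kdfInput.write(nonce, 0, nonce.length);
        kdfInput.write(0);
        kdfInput.write(0);
        kdfInput.write(0);
        kdfInput.write(counter);
        try {
            byte[] digest = MessageDigest.getInstance("SHA1").digest(kdfInput.toByteArray());
            if (mechanism == MECHANISM_3DES) {
                // Two-key triple DES: the third key repeats the first.
                byte[] keyBytes = new byte[24];
                System.arraycopy(digest, 0, keyBytes, 0, 16);
                System.arraycopy(digest, 0, keyBytes, 16, 8);
                return SecretKeyFactory.getInstance("DESede").generateSecret(new DESedeKeySpec(keyBytes));
            }
            return new SecretKeySpec(Arrays.copyOf(digest, 16), SmartCardHSMKey.AES);
        } catch (GeneralSecurityException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks the card's authentication token against a MAC computed locally over the encoded
     * ephemeral IFD public key ({@link #encodePublicKey()}).
     *
     * <p>AES session keys use AES-CMAC, 3DES keys ISO 9797-1 algorithm 3; a MAC longer than
     * {@value #AUTHENTICATION_TOKEN_LENGTH} bytes is truncated to that length. The comparison
     * is constant-time.
     *
     * @param token the token received from the card
     * @return {@code true} if the token matches the locally computed MAC
     * @throws IllegalStateException if no MAC session key has been derived yet
     * @throws RuntimeException      wrapping JCA failures
     */
    public boolean verifyAuthenticationToken(byte[] token) {
        if (this.kmac == null) {
            throw new IllegalStateException("No MAC session key; performChipAuthentication() must run first");
        }
        byte[] tokenInput = encodePublicKey();
        try {
            MessageAuthenticationCode mac = this.kmac.getAlgorithm().equals(SmartCardHSMKey.AES)
                    ? MessageAuthenticationCode.getInstance("AESCMAC", null)
                    : MessageAuthenticationCode.getInstance("ISO9797ALG3Mac", null);
            mac.init(this.kmac);
            byte[] expected = mac.doFinal(tokenInput);
            if (expected.length > AUTHENTICATION_TOKEN_LENGTH) {
                expected = Arrays.copyOf(expected, AUTHENTICATION_TOKEN_LENGTH);
            }
            // Constant-time compare: a mismatch position must not be observable through timing.
            return MessageDigest.isEqual(expected, token);
        } catch (GeneralSecurityException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Encodes the ephemeral IFD public key as the authentication token input: a 7F49
     * template holding the protocol OID (tag 06) and the uncompressed point (tag 86).
     *
     * @return the encoded template
     * @throws RuntimeException wrapping TLV encoding failures
     */
    public byte[] encodePublicKey() {
        try {
            ConstructedTLV publicKeyTemplate = new ConstructedTLV(0x7F49);
            publicKeyTemplate.add(new PrimitiveTLV(0x06, this.protocol));
            publicKeyTemplate.add(new PrimitiveTLV(0x86, this.ephemeralPublicKeyIfd));
            return publicKeyTemplate.getBytes();
        } catch (TLVEncodingException e) {
            this.log.error(e.getLocalizedMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Encodes a non-negative integer as a fixed-width, big-endian, unsigned byte array.
     *
     * @param value value to encode; must not be negative
     * @param bits  width in bits; rounded up to whole bytes
     * @return the value left-padded with zero bytes to {@code ceil(bits / 8)} bytes
     * @throws IllegalArgumentException if the value is negative or does not fit the width
     */
    protected static byte[] unsignedBigIntegerToByteArray(BigInteger value, int bits) {
        if (value.signum() < 0) {
            throw new IllegalArgumentException("Negative value cannot be encoded as unsigned byte array");
        }
        byte[] twosComplement = value.toByteArray();
        int width = (bits >> 3) + ((bits & 7) == 0 ? 0 : 1);
        byte[] encoded = new byte[width];
        int pad = width - twosComplement.length;
        int skip = 0;
        if (pad < 0) {
            // toByteArray() prepends a 0x00 sign byte when the top bit is set; that single
            // byte is the only excess that may be dropped.
            if (pad < -1 || twosComplement[0] != 0) {
                throw new IllegalArgumentException("Size mismatch converting big integer to byte array");
            }
            skip = -pad;
            pad = 0;
        }
        System.arraycopy(twosComplement, skip, encoded, pad, width - pad);
        return encoded;
    }
}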
