package de.cardcontact.opencard.eac;

import de.cardcontact.ctapi.CTAPI;
import de.cardcontact.opencard.security.IsoSecureChannelCredential;
import de.cardcontact.opencard.security.SecureChannel;
import de.cardcontact.opencard.service.isocard.IsoCommandAPDU;
import de.cardcontact.opencard.service.isocard.apdu.ChipAuthenticationCommandData;
import de.cardcontact.opencard.service.isocard.apdu.ChipAuthenticationResponseData;
import de.cardcontact.opencard.service.isocard.apdu.GeneralAuthenticateCommandAPDU;
import de.cardcontact.opencard.service.isocard.apdu.GetChallengeCommandAPDU;
import de.cardcontact.opencard.service.isocard.apdu.ManageSECommandAPDU;
import de.cardcontact.opencard.service.isocard.apdu.VerifyCertificateCommandAPDU;
import de.cardcontact.tlv.HexString;
import de.cardcontact.tlv.ObjectIdentifier;
import de.cardcontact.tlv.PrimitiveTLV;
import de.cardcontact.tlv.Sequence;
import de.cardcontact.tlv.TLV;
import de.cardcontact.tlv.TLVEncodingException;
import de.cardcontact.tlv.Tag;
import java.nio.ByteBuffer;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.spec.ECParameterSpec;
import opencard.core.OpenCardException;
import opencard.core.service.CardService;
import opencard.core.service.CardServiceException;
import opencard.core.service.CardServiceScheduler;
import opencard.core.service.SmartCard;
import opencard.core.terminal.ResponseAPDU;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/cardcontact/opencard/eac/EACCardService.class */
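/**
 * Card service running the Extended Access Control (EAC) protocols Terminal
 * Authentication (TA) and Chip Authentication (CA) against a card, using card
 * verifiable certificates and the MANAGE SECURITY ENVIRONMENT, GET CHALLENGE,
 * EXTERNAL AUTHENTICATE and GENERAL AUTHENTICATE commands.
 *
 * <p>Typical call order: {@link #setChipAuthenticationParameter}, then
 * {@link #setChipAuthenticationPublicKey}, optionally {@link #setRootCHR},
 * then {@link #performTerminalAuthentication} followed by
 * {@link #performChipAuthentication}; afterwards
 * {@link #getSecureMessagingCredential} yields the credential for the
 * secure channel derived by CA.
 *
 * <p>Security notes: the chip public key handed to
 * {@link #setChipAuthenticationPublicKey} is used as given — this class does
 * not check where it came from, so the caller must obtain it from an
 * authenticated source or CA proves nothing. Certificate chain validation is
 * delegated to the card (VERIFY CERTIFICATE); no signatures or validity
 * periods are checked on the terminal side here. Status words are reported
 * in error messages; no key material is logged.
 *
 * <p>Not thread-safe: protocol state lives in the {@link #ca} field.
 */
public class EACCardService extends CardService {

    /** ISO 7816-4 status word for normal completion. */
    private static final int SW_NO_ERROR = 0x9000;

    /**
     * MANAGE SECURITY ENVIRONMENT P1 "set for verification" (0x81). The
     * decompiled code passed the unrelated constant CTAPI.ERR_HOST at one call
     * site, which the decompiler had substituted for the same byte value.
     */
    private static final int MSE_P1_SET_FOR_VERIFICATION = 0x81;
    /** MANAGE SECURITY ENVIRONMENT P1 "set for computation" (0x41). */
    private static final int MSE_P1_SET_FOR_COMPUTATION = 0x41;
    /** MANAGE SECURITY ENVIRONMENT P2 selecting the digital signature template. */
    private static final int MSE_P2_DST = 0xB6;
    /** MANAGE SECURITY ENVIRONMENT P2 selecting the authentication template. */
    private static final int MSE_P2_AT = 0xA4;
    /** INS code of EXTERNAL AUTHENTICATE, which carries the TA signature. */
    private static final byte INS_EXTERNAL_AUTHENTICATE = (byte) 0x82;
    /** Number of challenge bytes requested from the card for TA. */
    private static final int TA_CHALLENGE_LENGTH = 8;

    /**
     * Second {@link Tag} constructor argument used throughout this class:
     * 0x80, the BER class bits of a context-specific tag.
     */
    private static final byte TAG_CLASS_CONTEXT = Byte.MIN_VALUE;
    // Tag numbers of the context-specific data objects placed in MSE:SET templates.
    private static final int TAG_CRYPTOGRAPHIC_MECHANISM = 0; // [0] = 0x80, protocol OID
    private static final int TAG_PUBLIC_KEY_REFERENCE = 3;    // [3] = 0x83, CHR / CAR
    private static final int TAG_EPHEMERAL_PUBLIC_KEY = 17;   // [17] = 0x91, compressed ephemeral key

    /** CA protocol state (domain parameters, ephemeral key pair, session channel). Null until configured. */
    ChipAuthentication ca;
    /** Static public key of the chip used in CA; stored as given, origin not checked here. */
    PublicKey caPublicKey;
    final Logger logger = LoggerFactory.getLogger(EACCardService.class);
    /** CHR of the trust anchor the TA signer should build its chain from; may be null. */
    String rootCHR = null;
    /** Chip identifier bound into the TA signature input. Never written by this class; defaults to empty. */
    byte[] idPICC = new byte[0];

    /**
     * Delegates to the framework initialization. Declared public by the
     * decompiler (the original was protected); widening is harmless.
     */
    @Override // opencard.core.service.CardService
    public void initialize(CardServiceScheduler cardServiceScheduler, SmartCard smartCard, boolean z) throws CardServiceException {
        super.initialize(cardServiceScheduler, smartCard, z);
    }

    /**
     * Sets the certificate holder reference of the trust anchor passed to the
     * TA signer when requesting the certificate chain.
     *
     * @param str root CHR, or null to let the signer choose
     */
    public void setRootCHR(String str) {
        this.rootCHR = str;
    }

    /**
     * Configures CA with a protocol OID and standardized domain parameters.
     *
     * @param objectIdentifier CA protocol OID sent in MSE:SET AT
     * @param standardizedDomainParameter domain parameter reference
     */
    public void setChipAuthenticationParameter(ObjectIdentifier objectIdentifier, StandardizedDomainParameter standardizedDomainParameter) {
        this.ca = new ChipAuthentication(objectIdentifier, standardizedDomainParameter);
    }

    /**
     * Configures CA with a protocol OID and explicit EC domain parameters.
     *
     * @param objectIdentifier CA protocol OID sent in MSE:SET AT
     * @param eCParameterSpec elliptic curve parameters
     */
    public void setChipAuthenticationParameter(ObjectIdentifier objectIdentifier, ECParameterSpec eCParameterSpec) {
        this.ca = new ChipAuthentication(objectIdentifier, eCParameterSpec);
    }

    /**
     * Sets the chip's static public key used for the CA key agreement.
     *
     * @param publicKey chip public key; must come from an authenticated source
     */
    public void setChipAuthenticationPublicKey(PublicKey publicKey) {
        this.caPublicKey = publicKey;
    }

    /**
     * Returns the configured CA state or fails fast with a clear message
     * instead of a NullPointerException deep inside the protocol.
     *
     * @throws IllegalStateException if {@link #setChipAuthenticationParameter} was never called
     */
    private ChipAuthentication requireChipAuthentication() {
        if (this.ca == null) {
            throw new IllegalStateException("Chip authentication parameters not set; call setChipAuthenticationParameter first");
        }
        return this.ca;
    }

    /**
     * Requests the encoded certificate chain from the signer and parses it.
     *
     * @param signer source of the chain, queried with {@link #rootCHR}
     * @return parsed chain in the signer's order (terminal certificate expected last)
     * @throws CertificateException if the signer returns no chain or a certificate does not parse
     */
    private CardVerifiableCertificate[] getCVCChain(TerminalAuthenticationSigner signer) throws CertificateException {
        byte[][] encoded = signer.getCertificateChain(this.rootCHR);
        if (encoded == null) {
            throw new CertificateException("TA signer returned no certificate chain");
        }
        CardVerifiableCertificate[] chain = new CardVerifiableCertificate[encoded.length];
        for (int i = 0; i < encoded.length; i++) {
            chain[i] = new CardVerifiableCertificate(encoded[i]);
        }
        return chain;
    }

    /**
     * Sends MSE:SET DST referencing a public key on the card by its CHR.
     *
     * @param keyReference CHR bytes placed in data object [3]
     * @param queueable passed through to the command; effect depends on the channel implementation
     * @return true if the card acknowledged with 0x9000, false otherwise
     */
    private boolean selectPublicKey(byte[] keyReference, boolean queueable) throws OpenCardException {
        Sequence template = new Sequence();
        template.add(new PrimitiveTLV(new Tag(TAG_PUBLIC_KEY_REFERENCE, TAG_CLASS_CONTEXT, false), keyReference));
        ManageSECommandAPDU command = new ManageSECommandAPDU(MSE_P1_SET_FOR_VERIFICATION, MSE_P2_DST, template);
        command.setQueueable(queueable);
        return getCardChannel().sendCommandAPDU(command).sw() == SW_NO_ERROR;
    }

    /**
     * Lets the card verify one CV certificate against the currently selected public key.
     *
     * @throws CardServiceException if the card rejects the certificate
     */
    private void verifyCertificate(CardVerifiableCertificate certificate) throws OpenCardException {
        VerifyCertificateCommandAPDU command = new VerifyCertificateCommandAPDU(certificate);
        command.setQueueable(true);
        ResponseAPDU response = getCardChannel().sendCommandAPDU(command);
        if (response.sw() != SW_NO_ERROR) {
            throw new CardServiceException("Could not verify certificate (SW=" + Integer.toHexString(response.sw()) + ")");
        }
    }

    /**
     * Verifies the chain on the card, starting at the first certificate whose
     * issuer (CAR) the card already knows. The chain is probed from the end
     * (terminal certificate) backwards so that certificates the card already
     * trusts are not re-sent; from the found position each certificate is
     * verified and the next issuer selected.
     *
     * @param chain chain in issuer-to-holder order, terminal certificate last
     * @throws CardServiceException if the chain is empty, no CAR is known to the card,
     *         or a selection or verification fails
     */
    private void verifyCertificateChain(CardVerifiableCertificate[] chain) throws OpenCardException {
        if (chain.length == 0) {
            throw new CardServiceException("Could not select a public key for verification: empty certificate chain.");
        }
        int start = chain.length - 1;
        while (start >= 0 && !selectPublicKey(chain[start].getCertificationAuthorityReference().getValue(), false)) {
            start--;
        }
        if (start < 0) {
            throw new CardServiceException("Could not select a public key for verification.");
        }
        for (int i = start; i < chain.length; i++) {
            verifyCertificate(chain[i]);
            int next = i + 1;
            if (next < chain.length) {
                byte[] nextCar = chain[next].getCertificationAuthorityReference().getValue();
                if (!selectPublicKey(nextCar, true)) {
                    throw new CardServiceException("Could not select a public key " + new String(nextCar) + " for verification.");
                }
            }
        }
    }

    /**
     * Sets up the card for TA (MSE:SET AT), fetches the challenge and builds
     * the data the terminal must sign: idPICC || challenge || compressed
     * ephemeral public key || auxiliary data.
     *
     * @param chipAuthentication CA state holding the ephemeral key pair
     * @param cardVerifiableCertificate terminal certificate whose key OID and CHR are referenced
     * @param tlv optional auxiliary authenticated data, or null
     * @return the signature input
     * @throws CardServiceException if MSE:SET or GET CHALLENGE fails or the challenge has an unexpected length
     */
    public byte[] prepareTerminalAuthentication(ChipAuthentication chipAuthentication, CardVerifiableCertificate cardVerifiableCertificate, TLV tlv) throws OpenCardException {
        byte[] compressedPublicKey = chipAuthentication.getCompressedPublicKey();

        Sequence template = new Sequence();
        template.add(new PrimitiveTLV(new Tag(TAG_CRYPTOGRAPHIC_MECHANISM, TAG_CLASS_CONTEXT, false),
                cardVerifiableCertificate.getCVCertificate().getCertificateBody().getPublicKeyTLV().getObjectIdentifier().getValue()));
        template.add(new PrimitiveTLV(new Tag(TAG_PUBLIC_KEY_REFERENCE, TAG_CLASS_CONTEXT, false),
                cardVerifiableCertificate.getCertificateHolderReference().getValue()));
        if (tlv != null) {
            // The decompiled code added the template to itself here; the auxiliary data object is what belongs in it.
            template.add(tlv);
        }
        template.add(new PrimitiveTLV(new Tag(TAG_EPHEMERAL_PUBLIC_KEY, TAG_CLASS_CONTEXT, false), compressedPublicKey));

        ResponseAPDU mseResponse = getCardChannel().sendCommandAPDU(
                new ManageSECommandAPDU(MSE_P1_SET_FOR_VERIFICATION, MSE_P2_AT, template));
        if (mseResponse.sw() != SW_NO_ERROR) {
            throw new CardServiceException("Could not set terminal authentication parameters (SW=" + Integer.toHexString(mseResponse.sw()) + ")");
        }

        ResponseAPDU challengeResponse = getCardChannel().sendCommandAPDU(new GetChallengeCommandAPDU(TA_CHALLENGE_LENGTH));
        if (challengeResponse.sw() != SW_NO_ERROR) {
            throw new CardServiceException("Could not obtain challenge (SW=" + Integer.toHexString(challengeResponse.sw()) + ")");
        }
        byte[] challenge = challengeResponse.data();
        if (challenge == null || challenge.length != TA_CHALLENGE_LENGTH) {
            throw new CardServiceException("Unexpected challenge length from card");
        }

        // Size the buffer exactly instead of a fixed 256 bytes, which large auxiliary data could overflow.
        byte[] auxiliary = tlv != null ? tlv.getBytes() : new byte[0];
        ByteBuffer input = ByteBuffer.allocate(this.idPICC.length + challenge.length + compressedPublicKey.length + auxiliary.length);
        input.put(this.idPICC).put(challenge).put(compressedPublicKey).put(auxiliary);
        byte[] signatureInput = input.array();
        this.logger.debug("Hash input{}", HexString.dump(signatureInput, 0, signatureInput.length));
        return signatureInput;
    }

    /**
     * Runs Terminal Authentication: obtains and verifies the certificate chain
     * on the card, generates a fresh ephemeral CA key pair, has the signer sign
     * the challenge data and presents the signature via EXTERNAL AUTHENTICATE.
     *
     * @param terminalAuthenticationSigner provides the chain and the TA signature
     * @throws IllegalStateException if CA parameters were not configured
     * @throws CardServiceException on any protocol failure or invalid certificates
     */
    public void performTerminalAuthentication(TerminalAuthenticationSigner terminalAuthenticationSigner) throws OpenCardException {
        ChipAuthentication chipAuthentication = requireChipAuthentication();
        try {
            CardVerifiableCertificate[] chain = getCVCChain(terminalAuthenticationSigner);
            // Fresh ephemeral key pair per run; its compressed public key is bound into the signed data.
            chipAuthentication.generateEphemeralCAKeyPair();
            try {
                allocateCardChannel();
                verifyCertificateChain(chain);
                CardVerifiableCertificate terminalCertificate = chain[chain.length - 1];
                byte[] signatureInput = prepareTerminalAuthentication(chipAuthentication, terminalCertificate, null);
                String terminalChr = new String(terminalCertificate.getCertificateHolderReference().getValue());
                byte[] signature = terminalAuthenticationSigner.getTASignature(signatureInput, terminalChr);
                ResponseAPDU response = getCardChannel().sendCommandAPDU(
                        new IsoCommandAPDU((byte) 0, INS_EXTERNAL_AUTHENTICATE, (byte) 0, (byte) 0, signature));
                if (response.sw() != SW_NO_ERROR) {
                    throw new CardServiceException("Terminal authentication failed (SW=" + Integer.toHexString(response.sw()) + ")");
                }
            } finally {
                releaseCardChannel();
            }
        } catch (CertificateException e) {
            this.logger.error("Certificates returned from TA-Signer invalid", e);
            throw new CardServiceException("Certificates returned from TA-Signer invalid: " + e.getMessage());
        }
    }

    /**
     * Sends MSE:SET AT announcing the CA protocol OID before GENERAL AUTHENTICATE.
     *
     * @throws CardServiceException if the card rejects the template
     */
    private void selectChipAuthenticationParameter() throws OpenCardException {
        Sequence template = new Sequence();
        template.add(new PrimitiveTLV(new Tag(TAG_CRYPTOGRAPHIC_MECHANISM, TAG_CLASS_CONTEXT, false), requireChipAuthentication().getProtocol()));
        ManageSECommandAPDU command = new ManageSECommandAPDU(MSE_P1_SET_FOR_COMPUTATION, MSE_P2_AT, template);
        command.setQueueable(true);
        ResponseAPDU response = getCardChannel().sendCommandAPDU(command);
        if (response.sw() != SW_NO_ERROR) {
            throw new CardServiceException("Could not set chip authentication parameters (SW=" + Integer.toHexString(response.sw()) + ")");
        }
    }

    /**
     * Generates a new ephemeral key pair for CA without running TA.
     *
     * @throws IllegalStateException if CA parameters were not configured
     */
    public void generateEphemeralCAKeyPair() {
        requireChipAuthentication().generateEphemeralCAKeyPair();
    }

    /**
     * Runs Chip Authentication: sends the ephemeral public key via GENERAL
     * AUTHENTICATE, performs the key agreement with the configured chip public
     * key and the returned nonce, and verifies the card's authentication token.
     *
     * @throws IllegalStateException if CA parameters were not configured
     * @throws CardServiceException if the card fails, the response does not parse,
     *         or the authentication token does not verify
     */
    public void performChipAuthentication() throws OpenCardException {
        ChipAuthentication chipAuthentication = requireChipAuthentication();
        try {
            try {
                allocateCardChannel();
                selectChipAuthenticationParameter();
                ResponseAPDU response = getCardChannel().sendCommandAPDU(
                        new GeneralAuthenticateCommandAPDU(new ChipAuthenticationCommandData(chipAuthentication.getEncodedPublicKey())));
                if (response.sw() != SW_NO_ERROR) {
                    throw new CardServiceException("Chip authentication failed (SW=" + Integer.toHexString(response.sw()) + ")");
                }
                ChipAuthenticationResponseData responseData = ChipAuthenticationResponseData.parse(response.data());
                chipAuthentication.performKeyAgreement(this.caPublicKey, responseData.getNonce());
                // The token proves the card holds the private key matching caPublicKey; failing here must abort the session.
                if (!chipAuthentication.verifyAuthenticationToken(responseData.getAuthenticationToken())) {
                    throw new CardServiceException("Authentication token verification failed");
                }
            } catch (TLVEncodingException e) {
                this.logger.error("Failed to parse GENERAL AUTHENTICATE R-Data", e);
                throw new CardServiceException("Failed to parse GENERAL AUTHENTICATE R-Data: " + e.getMessage());
            }
        } finally {
            releaseCardChannel();
        }
    }

    /**
     * Returns a secure messaging credential covering all channels, backed by
     * the session keys established in {@link #performChipAuthentication}.
     *
     * @throws IllegalStateException if CA parameters were not configured
     */
    public IsoSecureChannelCredential getSecureMessagingCredential() {
        return new IsoSecureChannelCredential(SecureChannel.ALL, requireChipAuthentication().getIsoSecureChannel());
    }
}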
