package de.gematik.ti.healthcard.control.security;

import cardfilesystem.egk21mf.Ef;
import de.gematik.ti.healthcard.control.exceptions.VerifyReceivedMacPiccException;
import de.gematik.ti.healthcard.control.security.KeyDerivationFunction;
import de.gematik.ti.healthcardaccess.IHealthCard;
import de.gematik.ti.healthcardaccess.cardobjects.FileIdentifier;
import de.gematik.ti.healthcardaccess.cardobjects.Key;
import de.gematik.ti.healthcardaccess.commands.GeneralAuthenticateCommand;
import de.gematik.ti.healthcardaccess.commands.ManageSecurityEnvironmentCommand;
import de.gematik.ti.healthcardaccess.commands.ReadCommand;
import de.gematik.ti.healthcardaccess.commands.SelectCommand;
import de.gematik.ti.healthcardaccess.operation.CheckedFunction;
import de.gematik.ti.healthcardaccess.operation.ResultOperation;
import de.gematik.ti.healthcardaccess.result.Response;
import de.gematik.ti.openhealthcard.events.response.entities.PaceKey;
import de.gematik.ti.utils.codec.Hex;
import de.gematik.ti.utils.primitives.Bytes;
import java.io.IOException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Random;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spongycastle.asn1.ASN1EncodableVector;
import org.spongycastle.asn1.ASN1ObjectIdentifier;
import org.spongycastle.asn1.DERApplicationSpecific;
import org.spongycastle.asn1.DEROctetString;
import org.spongycastle.asn1.DERTaggedObject;
import org.spongycastle.crypto.Mac;
import org.spongycastle.crypto.engines.AESEngine;
import org.spongycastle.crypto.macs.CMac;
import org.spongycastle.crypto.params.KeyParameter;
import org.spongycastle.jce.ECNamedCurveTable;
import org.spongycastle.jce.spec.ECNamedCurveParameterSpec;
import org.spongycastle.math.ec.ECCurve;
import org.spongycastle.math.ec.ECPoint;

/* loaded from: classes5.dex */
public class TrustedChannelPaceKeyExchange {
    private static final int AES_BLOCK_SIZE = 16;
    private static final int BYTE_LENGTH = 8;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TrustedChannelPaceKeyExchange.class);
    private static final int MAX = 64;
    private static final int SECRET_KEY_REFERENCE = 2;
    private static final int TAG_49 = 73;
    private static final int TAG_6 = 6;
    private byte[] authTokenX;
    private final String can;
    private final IHealthCard card;
    private ECCurve.Fp curve;
    private ECPoint ecPointG;
    private byte[] kEnc;
    private byte[] kMac;
    private Mac mac;
    private BigInteger nonceSInt;
    private final PaceInfo[] paceInfo = new PaceInfo[1];
    private PaceKey paceKey;
    private BigInteger pcdSkX1;
    private BigInteger pcdSkX2;
    private SecureRandom randomGenerator;

    public TrustedChannelPaceKeyExchange(IHealthCard iHealthCard, String str) {
        this.can = str;
        this.card = iHealthCard;
    }

    private byte[] createAsn1AuthToken(ECPoint.Fp fp, String str) {
        ASN1EncodableVector aSN1EncodableVector = new ASN1EncodableVector();
        aSN1EncodableVector.add(new ASN1ObjectIdentifier(str));
        aSN1EncodableVector.add(new DERTaggedObject(false, 6, new DEROctetString(fp.getEncoded(false))));
        byte[] bArr = new byte[0];
        try {
            return new DERApplicationSpecific(73, aSN1EncodableVector).getEncoded();
        } catch (IOException e) {
            LOG.error("Failed to encoding ASN1 AuthToken" + e.getMessage());
            return bArr;
        }
    }

    public ResultOperation<Response> createMacPcdForMutualAuthentication(byte[] bArr) {
        Logger logger = LOG;
        logger.debug("pk2Picc: " + Hex.encodeHexString(bArr));
        try {
            String protocolID = this.paceInfo[0].getProtocolID();
            byte[] keyObjectEncoded = Utilities.getKeyObjectEncoded(bArr);
            ECPoint.Fp fp = (ECPoint.Fp) Utilities.byteArrayToECPoint(keyObjectEncoded, this.curve).multiply(this.pcdSkX2);
            logger.debug("BIGINT:" + fp.normalize().getXCoord().toBigInteger());
            byte[] bigIntToByteArray = Bytes.bigIntToByteArray(fp.normalize().getXCoord().toBigInteger());
            logger.debug("sharedSecretKBytes: " + Hex.encodeHexString(bigIntToByteArray));
            this.kEnc = KeyDerivationFunction.getAES128Key(bigIntToByteArray, KeyDerivationFunction.Mode.ENC);
            this.kMac = KeyDerivationFunction.getAES128Key(bigIntToByteArray, KeyDerivationFunction.Mode.MAC);
            AESEngine aESEngine = new AESEngine();
            KeyParameter keyParameter = new KeyParameter(this.kMac);
            CMac cMac = new CMac(aESEngine, 64);
            this.mac = cMac;
            cMac.init(keyParameter);
            return ResultOperation.unitRo(new Response(Response.ResponseStatus.SUCCESS, generateMacPcdPicc2(createAsn1AuthToken((ECPoint.Fp) Utilities.byteArrayToECPoint(keyObjectEncoded, this.curve), protocolID))));
        } catch (IOException e) {
            throw new RuntimeException("Error on creating MacPcd for Mutual Authentication " + e.getMessage());
        }
    }

    private ResultOperation<PaceKey> createPaceKey() {
        return ResultOperation.unitRo(new PaceKey(this.kEnc, this.kMac));
    }

    public ResultOperation<Response> generateEphemeralPublicKeyFirstECDH(byte[] bArr) {
        LOG.debug("nonceZBytes: " + Hex.encodeHexString(bArr));
        String parameterIDString = this.paceInfo[0].getParameterIDString();
        try {
            byte[] keyObjectEncoded = Utilities.getKeyObjectEncoded(bArr);
            byte[] bArr2 = new byte[16];
            KeyParameter keyParameter = new KeyParameter(KeyDerivationFunction.getAES128Key(this.can.getBytes(), KeyDerivationFunction.Mode.PASSWORD));
            AESEngine aESEngine = new AESEngine();
            ECNamedCurveParameterSpec parameterSpec = ECNamedCurveTable.getParameterSpec(parameterIDString);
            this.curve = (ECCurve.Fp) parameterSpec.getCurve();
            this.ecPointG = parameterSpec.getG();
            this.randomGenerator = new SecureRandom();
            this.randomGenerator.setSeed(new Random().nextLong());
            aESEngine.init(false, keyParameter);
            aESEngine.processBlock(keyObjectEncoded, 0, bArr2, 0);
            this.nonceSInt = new BigInteger(1, bArr2);
            byte[] bArr3 = new byte[this.curve.getFieldSize() / 8];
            this.randomGenerator.nextBytes(bArr3);
            BigInteger bigInteger = new BigInteger(1, bArr3);
            this.pcdSkX1 = bigInteger;
            return ResultOperation.unitRo(new Response(Response.ResponseStatus.SUCCESS, this.ecPointG.multiply(bigInteger).getEncoded(false)));
        } catch (IOException e) {
            LOG.error("Failed to get encoded NonceZ " + e.getMessage());
            return ResultOperation.unitRo(new Response(Response.ResponseStatus.UNKNOWN_EXCEPTION, null));
        }
    }

    public ResultOperation<Response> generateEphemeralPublicKeySecondECDH(byte[] bArr) {
        LOG.debug("pk1PiccBytes: " + Hex.encodeHexString(bArr));
        try {
            ECPoint add = this.ecPointG.multiply(this.nonceSInt).add((ECPoint.Fp) ((ECPoint.Fp) Utilities.byteArrayToECPoint(Utilities.getKeyObjectEncoded(bArr), this.curve)).multiply(this.pcdSkX1));
            byte[] bArr2 = new byte[this.curve.getFieldSize() / 8];
            this.randomGenerator.nextBytes(bArr2);
            BigInteger bigInteger = new BigInteger(1, bArr2);
            this.pcdSkX2 = bigInteger;
            byte[] encoded = add.multiply(bigInteger).getEncoded(false);
            this.authTokenX = createAsn1AuthToken((ECPoint.Fp) Utilities.byteArrayToECPoint(encoded, this.curve), this.paceInfo[0].getProtocolID());
            return ResultOperation.unitRo(new Response(Response.ResponseStatus.SUCCESS, encoded));
        } catch (IOException e) {
            LOG.error("Failed to get encoded pk1PiccBytes " + e.getMessage());
            return ResultOperation.unitRo(new Response(Response.ResponseStatus.KEY_INVALID, null));
        }
    }

    private byte[] generateMacPcdPicc2(byte[] bArr) {
        this.mac.update(bArr, 0, bArr.length);
        byte[] bArr2 = new byte[this.mac.getMacSize()];
        this.mac.doFinal(bArr2, 0);
        return bArr2;
    }

    public ResultOperation<Boolean> verifyReceivedMacPicc(byte[] bArr) {
        LOG.debug("macPiccBytes: " + Hex.encodeHexString(bArr));
        try {
            if (Hex.encodeHexString(Utilities.getKeyObjectEncoded(bArr)).equals(Hex.encodeHexString(generateMacPcdPicc2(this.authTokenX)))) {
                return ResultOperation.unitRo(true);
            }
            throw new RuntimeException(VerifyReceivedMacPiccException.MESSAGE);
        } catch (IOException e) {
            throw new RuntimeException("Error on encoding key object " + e.getMessage());
        }
    }

    /* renamed from: lambda$negotiatePaceKey$0$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7875x57e1b277(Response response) throws Throwable {
        Ef.CardAccess cardAccess = Ef.CardAccess;
        return new SelectCommand(new FileIdentifier(284), false).executeOn(this.card);
    }

    /* renamed from: lambda$negotiatePaceKey$2$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7876xe5f98079(Response response) throws Throwable {
        ResultOperation<Response> executeOn = new ReadCommand().executeOn(this.card);
        Response.ResponseStatus responseStatus = Response.ResponseStatus.SUCCESS;
        responseStatus.getClass();
        return executeOn.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).map(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda7
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7883xf60a3051((byte[]) obj);
            }
        });
    }

    /* renamed from: lambda$negotiatePaceKey$3$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7877xad05677a(PaceInfo paceInfo) throws Throwable {
        ResultOperation<Response> executeOn = new ManageSecurityEnvironmentCommand(ManageSecurityEnvironmentCommand.MseUseCase.KEY_SELECTION_FOR_SYMMETRIC_CARD_CONNECTION_WITHOUT_CURVES, new Key(2), false, this.paceInfo[0].getPaceInfoProtocolBytes()).executeOn(this.card);
        Response.ResponseStatus responseStatus = Response.ResponseStatus.SUCCESS;
        responseStatus.getClass();
        return executeOn.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus));
    }

    /* renamed from: lambda$negotiatePaceKey$4$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7878x74114e7b(Response response) throws Throwable {
        return new GeneralAuthenticateCommand(true).executeOn(this.card);
    }

    /* renamed from: lambda$negotiatePaceKey$5$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7879x3b1d357c(byte[] bArr) throws Throwable {
        return new GeneralAuthenticateCommand(true, bArr, 1).executeOn(this.card);
    }

    /* renamed from: lambda$negotiatePaceKey$6$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7880x2291c7d(byte[] bArr) throws Throwable {
        return new GeneralAuthenticateCommand(true, bArr, 3).executeOn(this.card);
    }

    /* renamed from: lambda$negotiatePaceKey$7$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7881xc935037e(byte[] bArr) throws Throwable {
        return new GeneralAuthenticateCommand(false, bArr, 5).executeOn(this.card);
    }

    /* renamed from: lambda$negotiatePaceKey$8$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ ResultOperation m7882x9040ea7f(Boolean bool) throws Throwable {
        if (bool.booleanValue()) {
            return createPaceKey();
        }
        throw new VerifyReceivedMacPiccException();
    }

    /* renamed from: lambda$null$1$de-gematik-ti-healthcard-control-security-TrustedChannelPaceKeyExchange */
    public /* synthetic */ PaceInfo m7883xf60a3051(byte[] bArr) throws Throwable {
        PaceInfo[] paceInfoArr = this.paceInfo;
        PaceInfo paceInfo = new PaceInfo(bArr);
        paceInfoArr[0] = paceInfo;
        return paceInfo;
    }

    public ResultOperation<PaceKey> negotiatePaceKey() {
        ResultOperation<Response> executeOn = new SelectCommand(false, true).executeOn(this.card);
        Response.ResponseStatus responseStatus = Response.ResponseStatus.SUCCESS;
        responseStatus.getClass();
        ResultOperation<R> flatMap = executeOn.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus)).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda11
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7875x57e1b277((Response) obj);
            }
        });
        Response.ResponseStatus responseStatus2 = Response.ResponseStatus.SUCCESS;
        responseStatus2.getClass();
        ResultOperation flatMap2 = flatMap.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus2)).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda2
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7876xe5f98079((Response) obj);
            }
        }).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda3
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7877xad05677a((PaceInfo) obj);
            }
        }).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda4
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7878x74114e7b((Response) obj);
            }
        });
        Response.ResponseStatus responseStatus3 = Response.ResponseStatus.SUCCESS;
        responseStatus3.getClass();
        ResultOperation flatMap3 = flatMap2.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus3)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda5
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                ResultOperation generateEphemeralPublicKeyFirstECDH;
                generateEphemeralPublicKeyFirstECDH = TrustedChannelPaceKeyExchange.this.generateEphemeralPublicKeyFirstECDH((byte[]) obj);
                return generateEphemeralPublicKeyFirstECDH;
            }
        });
        Response.ResponseStatus responseStatus4 = Response.ResponseStatus.SUCCESS;
        responseStatus4.getClass();
        ResultOperation flatMap4 = flatMap3.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus4)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda8
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7879x3b1d357c((byte[]) obj);
            }
        });
        Response.ResponseStatus responseStatus5 = Response.ResponseStatus.SUCCESS;
        responseStatus5.getClass();
        ResultOperation flatMap5 = flatMap4.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus5)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda9
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                ResultOperation generateEphemeralPublicKeySecondECDH;
                generateEphemeralPublicKeySecondECDH = TrustedChannelPaceKeyExchange.this.generateEphemeralPublicKeySecondECDH((byte[]) obj);
                return generateEphemeralPublicKeySecondECDH;
            }
        });
        Response.ResponseStatus responseStatus6 = Response.ResponseStatus.SUCCESS;
        responseStatus6.getClass();
        ResultOperation flatMap6 = flatMap5.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus6)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda10
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7880x2291c7d((byte[]) obj);
            }
        });
        Response.ResponseStatus responseStatus7 = Response.ResponseStatus.SUCCESS;
        responseStatus7.getClass();
        ResultOperation flatMap7 = flatMap6.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus7)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda12
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                ResultOperation createMacPcdForMutualAuthentication;
                createMacPcdForMutualAuthentication = TrustedChannelPaceKeyExchange.this.createMacPcdForMutualAuthentication((byte[]) obj);
                return createMacPcdForMutualAuthentication;
            }
        });
        Response.ResponseStatus responseStatus8 = Response.ResponseStatus.SUCCESS;
        responseStatus8.getClass();
        ResultOperation flatMap8 = flatMap7.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus8)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda13
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7881xc935037e((byte[]) obj);
            }
        });
        Response.ResponseStatus responseStatus9 = Response.ResponseStatus.SUCCESS;
        responseStatus9.getClass();
        return flatMap8.validate(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda0(responseStatus9)).map(new TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda6()).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda14
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                ResultOperation verifyReceivedMacPicc;
                verifyReceivedMacPicc = TrustedChannelPaceKeyExchange.this.verifyReceivedMacPicc((byte[]) obj);
                return verifyReceivedMacPicc;
            }
        }).flatMap(new CheckedFunction() { // from class: de.gematik.ti.healthcard.control.security.TrustedChannelPaceKeyExchange$$ExternalSyntheticLambda1
            @Override // de.gematik.ti.healthcardaccess.operation.CheckedFunction
            public final Object apply(Object obj) {
                return TrustedChannelPaceKeyExchange.this.m7882x9040ea7f((Boolean) obj);
            }
        });
    }
}
