package com.ftsafe.skapi.piv;

import com.ftsafe.skapi.communication.TransportAPDU;
import com.ftsafe.skapi.communication.apdu.Apdu;
import com.ftsafe.skapi.communication.apdu.ApduResponse;
import com.ftsafe.skapi.communication.apdu.Tlv;
import com.ftsafe.skapi.communication.apdu.Tlvs;
import com.ftsafe.skapi.otp.OtpIns;
import com.ftsafe.skapi.utils.Def;
import com.ftsafe.skapi.utils.SKError;
import com.ftsafe.skapi.utils.SKException;
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.crypto.Cipher;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.math.ec.Tnaf;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/* loaded from: classes.dex */
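/**
 * Host-side helper for the PIV applet's key/certificate slots.
 *
 * <p>It generates or imports key pairs and X.509 certificates into a {@link CertSlot}, reads
 * certificates back, and drives sign/decrypt operations through the on-device private key. Every
 * command goes through {@code TransportAPDU.getInstance().pivSendApduToCOS(...)}; slot-changing
 * operations first call {@code PivModule.authenticate(str, bArr)} with the caller-supplied
 * credentials (presumably the management key - the contract lives in {@code PivModule}).
 *
 * <p>Byte-level conventions kept from the original implementation: single-byte TLV tags with the
 * high bit set are passed to {@code Tlv}/{@code Tlvs} as sign-extended ints (e.g. {@code -126} for
 * {@code 0x82}) on the encode side, while {@code Tlvs.decodeMap} yields positive keys
 * ({@code 0x81 == 129}). Do not "normalise" one to the other without checking {@code Tlvs}.
 */
public class PivCertManager {
    /**
     * DER prefix of a SubjectPublicKeyInfo for an uncompressed P-256 point:
     * SEQUENCE(0x59) { SEQUENCE(0x13) { OID id-ecPublicKey, OID secp256r1 }, BIT STRING(0x42, 0 unused bits) }.
     * The 65-byte uncompressed point is appended in {@link #publicEccKey}. The decompiled original
     * had the outer length byte replaced by an equal-valued constant from an unrelated class; the
     * literal is spelled out here (2 + 0x13 + 2 + 0x42 = 0x59).
     */
    private static final byte[] KEY_PREFIX_P256 = {
        0x30, 0x59,
        0x30, 0x13,
        0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01,
        0x06, 0x08, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x03, 0x01, 0x07,
        0x03, 0x42, 0x00
    };

    /**
     * DER prefix of a SubjectPublicKeyInfo for an uncompressed P-384 point:
     * SEQUENCE(0x76) { SEQUENCE(0x10) { OID id-ecPublicKey, OID secp384r1 }, BIT STRING(0x62, 0 unused bits) }.
     * The 97-byte uncompressed point is appended in {@link #publicEccKey} (2 + 0x10 + 2 + 0x62 = 0x76).
     */
    private static final byte[] KEY_PREFIX_P384 = {
        0x30, 0x76,
        0x30, 0x10,
        0x06, 0x07, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 0x02, 0x01,
        0x06, 0x05, 0x2B, (byte) 0x81, 0x04, 0x00, 0x22,
        0x03, 0x62, 0x00
    };

    /** The only RSA public exponent the import path accepts (F4). */
    private static final BigInteger RSA_F4 = BigInteger.valueOf(65537);

    /** PIV status word "file or object not found" (0x6A82), returned for an empty certificate slot. */
    private static final short SW_FILE_NOT_FOUND = (short) 27266;

    /**
     * Returns the unsigned big-endian encoding of {@code value} in exactly {@code length} bytes.
     *
     * <p>A longer encoding (typically a leading 0x00 sign byte from {@link BigInteger#toByteArray})
     * is truncated from the left; a shorter one is left-padded with zeros. No overflow check is
     * made: significant bytes beyond {@code length} are silently dropped, so callers must pass the
     * length implied by the key size.
     *
     * @param value non-negative integer to encode
     * @param length wanted number of bytes
     * @return a fresh array of {@code length} bytes, or {@code toByteArray()} itself when it already fits
     */
    private static byte[] bytesToLength(BigInteger value, int length) {
        byte[] encoded = value.toByteArray();
        if (encoded.length == length) {
            return encoded;
        }
        if (encoded.length > length) {
            return Arrays.copyOfRange(encoded, encoded.length - length, encoded.length);
        }
        byte[] padded = new byte[length];
        System.arraycopy(encoded, 0, padded, length - encoded.length, encoded.length);
        return padded;
    }

    /**
     * Generates a host-side EC key pair on the NIST curve matching {@code i} bits.
     *
     * @param i key size in bits; 256 selects secp256r1, 384 selects secp384r1
     * @return the generated pair, or {@code null} when {@code i} is neither 256 nor 384
     * @throws SKException with {@link SKError#ERR_PIV_GENERATE_ECC} when the JCA provider cannot
     *     generate on the requested curve
     */
    public static KeyPair generateEcKey(int i) throws SKException {
        String curveName;
        if (i == 256) {
            curveName = "secp256r1";
        } else if (i == 384) {
            curveName = "secp384r1";
        } else {
            return null;
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
            generator.initialize(new ECGenParameterSpec(curveName), new SecureRandom());
            return generator.generateKeyPair();
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            throw new SKException(SKError.ERR_PIV_GENERATE_ECC);
        }
    }

    /**
     * Generates a host-side RSA key pair.
     *
     * @param i modulus size in bits; only 1024 and 2048 are accepted
     * @return the generated pair, or {@code null} for any other size
     * @throws SKException with {@link SKError#ERR_PIV_GENERATE_RSA} when no RSA provider is available
     */
    public static KeyPair generateRsaKey(int i) throws SKException {
        if (i != 1024 && i != 2048) {
            return null;
        }
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(i);
            return generator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new SKException(SKError.ERR_PIV_GENERATE_RSA);
        }
    }

    /**
     * Parses a DER-encoded X.509 certificate.
     *
     * @param der certificate bytes as read from the device
     * @return the parsed certificate
     * @throws SKException with {@link SKError#ERR_PIV_CERT} when the bytes are not a valid certificate
     */
    private X509Certificate parseCertificate(byte[] der) throws SKException {
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
        } catch (CertificateException e) {
            throw new SKException(SKError.ERR_PIV_CERT);
        }
    }

    /**
     * Extracts the RSAPrivateKey integers from a PKCS#8 PrivateKeyInfo encoding.
     *
     * <p>PrivateKeyInfo ::= SEQUENCE(0x30) { version, algorithm, privateKey OCTET STRING(0x04) } and
     * the OCTET STRING wraps RSAPrivateKey ::= SEQUENCE(0x30) { version, n, e, d, p, q, dP, dQ, qInv }.
     * The leading version integer must be 0 and is removed from the returned list.
     *
     * @param pkcs8 the key's {@code getEncoded()} output in "PKCS#8" format
     * @return {@code [n, e, d, p, q, dP, dQ, qInv]} as returned by the encoding (8 entries for a
     *     well-formed key)
     * @throws SKException with {@link SKError#ERR_PIV_UNKNOWN} for any structural problem; the
     *     underlying decode failure (from {@code Tlvs}) is not preserved
     */
    private static List<BigInteger> parsePkcs8RsaKeyValues(byte[] pkcs8) throws SKException {
        try {
            byte[] privateKeyOctets = Tlvs.decodeMap(Tlvs.unpackValue(48, pkcs8)).get(4);
            List<Tlv> integers = Tlvs.decodeList(Tlvs.decodeMap(privateKeyOctets).get(48));
            List<BigInteger> values = new ArrayList<>(integers.size());
            for (Tlv tlv : integers) {
                values.add(new BigInteger(tlv.getValue()));
            }
            // Version must be present and zero (two-prime RSA); an empty list fails the same way.
            if (values.isEmpty() || values.remove(0).signum() != 0) {
                throw new SKException(SKError.ERR_PIV_UNKNOWN);
            }
            return values;
        } catch (Exception e) {
            // Tlvs' decode errors are collapsed into one code; the SKException above maps to the same.
            throw new SKException(SKError.ERR_PIV_UNKNOWN);
        }
    }

    /**
     * Builds a {@link PublicKey} from the public-key template the device returns after key generation.
     *
     * <p>RSA keys carry modulus (0x81) and exponent (0x82); EC keys carry the uncompressed point (0x86).
     *
     * @param keyType slot algorithm that was generated
     * @param template contents of the 0x7F49 template
     * @return the parsed key
     * @throws SKException {@link SKError#ERR_PIV_UNKNOWN} when a required field is missing, otherwise
     *     whatever {@link #publicRsaKey}/{@link #publicEccKey} raise
     */
    private static PublicKey parsePublicKeyFromDevice(KeyType keyType, byte[] template) throws SKException {
        Map<Integer, byte[]> fields = Tlvs.decodeMap(template);
        if (keyType == KeyType.RSA1024 || keyType == KeyType.RSA2048) {
            byte[] modulus = fields.get(129);  // 0x81
            byte[] exponent = fields.get(130); // 0x82
            if (modulus == null || exponent == null) {
                throw new SKException(SKError.ERR_PIV_UNKNOWN);
            }
            return publicRsaKey(new BigInteger(1, modulus), new BigInteger(1, exponent));
        }
        byte[] point = fields.get(134); // 0x86
        if (point == null) {
            throw new SKException(SKError.ERR_PIV_UNKNOWN);
        }
        return publicEccKey(keyType, point);
    }

    /**
     * Wraps an uncompressed EC point in the fixed SubjectPublicKeyInfo prefix for its curve and
     * parses it with the JCA "EC" key factory.
     *
     * <p>The prefix hard-codes the DER lengths, so {@code point} must be exactly 65 (P-256) or 97
     * (P-384) bytes; any other length yields an inconsistent encoding that the key factory is
     * expected to reject as an invalid key spec.
     *
     * @param keyType {@code ECCP256} or {@code ECCP384}
     * @param point uncompressed point ({@code 04 || X || Y})
     * @return the parsed public key
     * @throws SKException {@link SKError#ERR_PIV_KEY_TYPE} for a non-EC {@code keyType},
     *     {@link SKError#ERR_PIV_GENERATE_ECC} when the key factory rejects the encoding
     */
    private static PublicKey publicEccKey(KeyType keyType, byte[] point) throws SKException {
        byte[] prefix;
        if (keyType == KeyType.ECCP256) {
            prefix = KEY_PREFIX_P256;
        } else if (keyType == KeyType.ECCP384) {
            prefix = KEY_PREFIX_P384;
        } else {
            throw new SKException(SKError.ERR_PIV_KEY_TYPE);
        }
        byte[] spki = new byte[prefix.length + point.length];
        System.arraycopy(prefix, 0, spki, 0, prefix.length);
        System.arraycopy(point, 0, spki, prefix.length, point.length);
        try {
            return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(spki));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new SKException(SKError.ERR_PIV_GENERATE_ECC);
        }
    }

    /**
     * Builds an RSA public key from modulus and public exponent.
     *
     * @param modulus n
     * @param publicExponent e
     * @return the JCA public key
     * @throws SKException with {@link SKError#ERR_PIV_GENERATE_RSA} when the provider rejects the values
     */
    private static PublicKey publicRsaKey(BigInteger modulus, BigInteger publicExponent) throws SKException {
        try {
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new SKException(SKError.ERR_PIV_GENERATE_RSA);
        }
    }

    /**
     * Sends PIV PUT DATA (INS 0xDB, P1P2 0x3FFF) for the data object of {@code certSlot}.
     *
     * @param certSlot slot whose object identifier ({@code certSlot.getBytes()}) goes into tag 0x5C
     * @param objectData value for tag 0x53; {@code null} writes an empty object (used to delete)
     * @return the raw response; the caller checks the status word
     */
    private ApduResponse putObject(CertSlot certSlot, byte[] objectData) {
        Map<Integer, byte[]> fields = new LinkedHashMap<>();
        fields.put(92, certSlot.getBytes()); // 0x5C tag list
        fields.put(83, objectData);          // 0x53 data
        return TransportAPDU.getInstance().pivSendApduToCOS(
                new Apdu(0, -37, 63, -1, Tlvs.encodeMap(fields)));
    }

    /**
     * Runs PIV GENERAL AUTHENTICATE (INS 0x87) with the slot's private key.
     *
     * <p>The dynamic authentication template (0x7C) carries an empty response placeholder (0x82) and
     * the input under 0x85 when {@code keyAgreement} is set, else under 0x81 (challenge / raw
     * signature or decryption input). The device's answer is the value of 0x82 inside 0x7C.
     *
     * @param certSlot slot to use ({@code certSlot.id} is P2)
     * @param keyType slot algorithm ({@code keyType.value} is P1)
     * @param input data the key is applied to, already padded to the key size by the caller
     * @param keyAgreement {@code true} to send the input as 0x85 instead of 0x81
     * @return the 0x82 value, or {@code null} when the status word is not {@code Def.SUCCESS_CODE}
     *     or the response has no data - the failing status word is not surfaced
     */
    private byte[] usePrivateKey(CertSlot certSlot, KeyType keyType, byte[] input, boolean keyAgreement) {
        Map<Integer, byte[]> fields = new LinkedHashMap<>();
        fields.put(-126, null);                           // 0x82 response (empty)
        fields.put(keyAgreement ? -123 : -127, input);    // 0x85 / 0x81
        ApduResponse response = TransportAPDU.getInstance().pivSendApduToCOS(
                new Apdu(0, -121, keyType.value, certSlot.id, new Tlv(124, Tlvs.encodeMap(fields)).getBytes()));
        if (!response.hasStatusCode(Def.SUCCESS_CODE) || response.responseData() == null) {
            return null;
        }
        return Tlvs.unpackValue(-126, Tlvs.unpackValue(124, response.responseData()));
    }

    /**
     * Creates a self-signed X.509 certificate for {@code publicKey}, signed on the host with
     * {@code privateKey}.
     *
     * <p>{@code str}, {@code bArr} and {@code certSlot} are part of the public signature but are not
     * used: nothing is sent to the device here (use {@link #importCertificate} for that). The subject
     * and issuer are {@code "CN=" + str2}; {@code str2} is interpolated unescaped, so RDN separators in
     * it ({@code ,}, {@code +}, {@code =}) are parsed as DN structure rather than as part of the name.
     * Validity runs from now for {@code i} years (calendar arithmetic in the default time zone). The
     * serial is 80 bits from a CSPRNG.
     *
     * @param str unused
     * @param bArr unused
     * @param certSlot unused
     * @param keyType decides the signature algorithm: EC slots use SHA256withECDSA, RSA slots
     *     SHA256withRSA
     * @param publicKey key to certify
     * @param privateKey signing key (must match {@code keyType})
     * @param str2 common name
     * @param i validity in years
     * @return the parsed certificate
     * @throws SKException {@link SKError#ERR_PIV_ALGORITHM} for an unsupported {@code keyType};
     *     {@link SKError#ERR_PIV_CREATE_CERT} for any failure while building, signing or re-parsing
     */
    public X509Certificate createCertificate(String str, byte[] bArr, CertSlot certSlot, KeyType keyType, PublicKey publicKey, PrivateKey privateKey, String str2, int i) throws SKException {
        // Resolved outside the try so that ERR_PIV_ALGORITHM is not masked by the catch-all below
        // (in the original it was thrown inside the try and always surfaced as ERR_PIV_CREATE_CERT).
        String signatureAlgorithm;
        if (keyType == KeyType.ECCP256 || keyType == KeyType.ECCP384) {
            signatureAlgorithm = "SHA256WithECDSA";
        } else if (keyType == KeyType.RSA1024 || keyType == KeyType.RSA2048) {
            signatureAlgorithm = "SHA256WithRSA";
        } else {
            throw new SKException(SKError.ERR_PIV_ALGORITHM);
        }
        try {
            Date notBefore = new Date();
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(notBefore);
            calendar.add(Calendar.YEAR, i);
            Date notAfter = calendar.getTime();
            X500Name name = new X500Name("CN=" + str2);
            // Serial numbers must be unique and unpredictable; java.util.Random is not suitable here.
            BigInteger serial = new BigInteger(80, new SecureRandom());
            X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, serial, notBefore, notAfter, name,
                    SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(publicKey.getEncoded())));
            byte[] der = builder.build(new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey)).getEncoded();
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            throw new SKException(SKError.ERR_PIV_CREATE_CERT);
        }
    }

    /**
     * Decrypts one RSA block with the slot's private key and strips the padding on the host.
     *
     * <p>The key size is inferred from the ciphertext length: 128 bytes selects RSA1024, 256 bytes
     * RSA2048.
     *
     * @param certSlot slot holding the private key
     * @param bArr one full ciphertext block
     * @param cipher the {@link Cipher} whose padding {@code Padding.unpad} removes
     * @return the plaintext, or {@code null} when the device refused the operation
     *     (see {@link #usePrivateKey})
     * @throws SKException {@link SKError#ERR_PIV_KEY_LENGTH} for a missing or wrongly sized block,
     *     plus whatever {@code Padding.unpad} raises
     */
    public byte[] decrypt(CertSlot certSlot, byte[] bArr, Cipher cipher) throws SKException {
        if (bArr == null) {
            throw new SKException(SKError.ERR_PIV_KEY_LENGTH);
        }
        KeyType keyType;
        if (bArr.length == 128) {
            keyType = KeyType.RSA1024;
        } else if (bArr.length == 256) {
            keyType = KeyType.RSA2048;
        } else {
            throw new SKException(SKError.ERR_PIV_KEY_LENGTH);
        }
        byte[] decrypted = usePrivateKey(certSlot, keyType, bArr, false);
        if (decrypted == null) {
            return null;
        }
        return Padding.unpad(decrypted, cipher);
    }

    /**
     * Removes the certificate object of {@code certSlot} by writing an empty data object.
     *
     * @param str forwarded to {@code PivModule.authenticate}
     * @param bArr forwarded to {@code PivModule.authenticate}
     * @param certSlot slot to clear
     * @throws SKException carrying the device status word when PUT DATA fails, or whatever
     *     authentication raises
     */
    public void deleteCertificate(String str, byte[] bArr, CertSlot certSlot) throws SKException {
        PivModule.authenticate(str, bArr);
        ApduResponse response = putObject(certSlot, null);
        if (!response.hasStatusCode(Def.SUCCESS_CODE)) {
            throw new SKException(response.statusCode());
        }
    }

    /**
     * Generates a key pair on the device (PIV GENERATE ASYMMETRIC KEY PAIR, INS 0x47) in
     * {@code certSlot} and returns the public half.
     *
     * <p>The control template (0xAC) holds the algorithm (0x80) and, when not {@code DEFAULT}, the
     * PIN policy (0xAA) and touch policy (0xAB). The device answers with a 0x7F49 public-key template.
     *
     * @param str forwarded to {@code PivModule.authenticate}
     * @param bArr forwarded to {@code PivModule.authenticate}
     * @param certSlot target slot ({@code certSlot.id} is P2)
     * @param keyType algorithm to generate
     * @param pinPolicy PIN policy, {@code DEFAULT} to omit the tag
     * @param touchPolicy touch policy, {@code DEFAULT} to omit the tag
     * @return the generated public key
     * @throws SKException carrying the status word when the command fails,
     *     {@link SKError#ERR_PIV_UNKNOWN} when a successful response has no data, or whatever
     *     {@link #parsePublicKeyFromDevice} raises
     */
    public PublicKey generateKey(String str, byte[] bArr, CertSlot certSlot, KeyType keyType, PinPolicy pinPolicy, TouchPolicy touchPolicy) throws SKException {
        PivModule.authenticate(str, bArr);
        Map<Integer, byte[]> fields = new LinkedHashMap<>();
        fields.put(-128, new byte[]{keyType.value}); // 0x80 algorithm
        if (pinPolicy != PinPolicy.DEFAULT) {
            fields.put(-86, new byte[]{(byte) pinPolicy.value}); // 0xAA
        }
        if (touchPolicy != TouchPolicy.DEFAULT) {
            fields.put(-85, new byte[]{(byte) touchPolicy.value}); // 0xAB
        }
        ApduResponse response = TransportAPDU.getInstance().pivSendApduToCOS(
                new Apdu(0, 71, 0, certSlot.id, new Tlv(-84, Tlvs.encodeMap(fields)).getBytes()));
        // The original parsed the response without looking at the status word; a failed command
        // then surfaced as a parse error (or NPE on missing data) instead of the device's status.
        if (!response.hasStatusCode(Def.SUCCESS_CODE)) {
            throw new SKException(response.statusCode());
        }
        if (response.responseData() == null) {
            throw new SKException(SKError.ERR_PIV_UNKNOWN);
        }
        return parsePublicKeyFromDevice(keyType, Tlvs.unpackValue(32585, response.responseData())); // 0x7F49
    }

    /**
     * Stores a certificate in {@code certSlot}.
     *
     * <p>The data object is {@code 0x70 certificate || 0x71 CertInfo (one zero byte, i.e. not
     * compressed) || 0xFE LRC (empty)}.
     *
     * @param str forwarded to {@code PivModule.authenticate}
     * @param bArr forwarded to {@code PivModule.authenticate}
     * @param certSlot target slot
     * @param x509Certificate certificate to store
     * @throws SKException {@link SKError#ERR_PIV_CERT_ENCODE} when the certificate cannot be DER
     *     encoded; otherwise the device status word when PUT DATA fails
     */
    public void importCertificate(String str, byte[] bArr, CertSlot certSlot, X509Certificate x509Certificate) throws SKException {
        PivModule.authenticate(str, bArr);
        byte[] encoded;
        try {
            encoded = x509Certificate.getEncoded();
        } catch (CertificateEncodingException e) {
            throw new SKException(SKError.ERR_PIV_CERT_ENCODE);
        }
        Map<Integer, byte[]> fields = new LinkedHashMap<>();
        fields.put(112, encoded);     // 0x70 certificate
        fields.put(113, new byte[1]); // 0x71 CertInfo: 0x00 = uncompressed
        fields.put(-2, null);         // 0xFE LRC (empty)
        ApduResponse response = putObject(certSlot, Tlvs.encodeMap(fields));
        if (!response.hasStatusCode(Def.SUCCESS_CODE)) {
            throw new SKException(response.statusCode());
        }
    }

    /**
     * Imports a host-generated private key into {@code certSlot} (vendor import instruction
     * INS 0xE3, P1 = algorithm, P2 = slot).
     *
     * <p>EC keys send the scalar under tag 6, sized to the curve's field. RSA keys must use public
     * exponent 65537 and a 1024- or 2048-bit modulus; the CRT components p, q, dP, dQ, qInv go under
     * tags 1..5, each half the modulus size. PIN (0xAA) and touch (0xAB) policy tags are added when
     * not {@code DEFAULT}.
     *
     * @param str forwarded to {@code PivModule.authenticate}
     * @param bArr forwarded to {@code PivModule.authenticate}
     * @param certSlot target slot
     * @param privateKey an "EC" key exposing {@link ECPrivateKey}, or an "RSA" key that is either an
     *     {@link RSAPrivateCrtKey} or encodable as "PKCS#8"
     * @param pinPolicy PIN policy, {@code DEFAULT} to omit
     * @param touchPolicy touch policy, {@code DEFAULT} to omit
     * @throws SKException {@link SKError#ERR_PIV_KEY_TYPE} for an unsupported algorithm, curve or
     *     modulus size; {@link SKError#ERR_PIV_RSA_PRIVATE_KEY} when the RSA components cannot be
     *     obtained; {@link SKError#ERR_PIV_RSA_PUBLIC_KEY} for an exponent other than 65537; otherwise
     *     the device status word when the import fails
     */
    public void importKey(String str, byte[] bArr, CertSlot certSlot, PrivateKey privateKey, PinPolicy pinPolicy, TouchPolicy touchPolicy) throws SKException {
        PivModule.authenticate(str, bArr);
        Map<Integer, byte[]> fields = new LinkedHashMap<>();
        String algorithm = privateKey.getAlgorithm();
        KeyType keyType;
        if ("EC".equals(algorithm)) {
            keyType = putEcPrivateKey(privateKey, fields);
        } else if ("RSA".equals(algorithm)) {
            keyType = putRsaPrivateKey(privateKey, fields);
        } else {
            throw new SKException(SKError.ERR_PIV_KEY_TYPE);
        }
        if (pinPolicy != PinPolicy.DEFAULT) {
            fields.put(-86, new byte[]{(byte) pinPolicy.value}); // 0xAA
        }
        if (touchPolicy != TouchPolicy.DEFAULT) {
            fields.put(-85, new byte[]{(byte) touchPolicy.value}); // 0xAB
        }
        ApduResponse response = TransportAPDU.getInstance().pivSendApduToCOS(
                new Apdu(0, -29, keyType.value, certSlot.id, Tlvs.encodeMap(fields)));
        if (!response.hasStatusCode(Def.SUCCESS_CODE)) {
            throw new SKException(response.statusCode());
        }
    }

    /**
     * Adds the EC scalar (tag 6) of {@code privateKey} to {@code fields} and returns the slot algorithm.
     *
     * @param privateKey key whose algorithm is "EC"; must implement {@link ECPrivateKey} so the
     *     scalar is readable (a non-extractable key is rejected instead of failing with a cast error)
     * @param fields import template under construction
     * @return {@code ECCP256} or {@code ECCP384} by field size
     * @throws SKException {@link SKError#ERR_PIV_KEY_TYPE} for a non-{@link ECPrivateKey} or an
     *     unsupported curve
     */
    private static KeyType putEcPrivateKey(PrivateKey privateKey, Map<Integer, byte[]> fields) throws SKException {
        if (!(privateKey instanceof ECPrivateKey)) {
            throw new SKException(SKError.ERR_PIV_KEY_TYPE);
        }
        ECPrivateKey ecKey = (ECPrivateKey) privateKey;
        int fieldSize = ecKey.getParams().getCurve().getField().getFieldSize();
        KeyType keyType;
        if (fieldSize == 256) {
            keyType = KeyType.ECCP256;
        } else if (fieldSize == 384) {
            keyType = KeyType.ECCP384;
        } else {
            throw new SKException(SKError.ERR_PIV_KEY_TYPE);
        }
        fields.put(6, bytesToLength(ecKey.getS(), fieldSize / 8));
        return keyType;
    }

    /**
     * Adds the RSA CRT components (tags 1..5: p, q, dP, dQ, qInv) of {@code privateKey} to
     * {@code fields} and returns the slot algorithm.
     *
     * @param privateKey key whose algorithm is "RSA"
     * @param fields import template under construction
     * @return {@code RSA1024} or {@code RSA2048} by modulus bit length
     * @throws SKException {@link SKError#ERR_PIV_RSA_PRIVATE_KEY} when the components cannot be
     *     read, {@link SKError#ERR_PIV_RSA_PUBLIC_KEY} for an exponent other than 65537,
     *     {@link SKError#ERR_PIV_KEY_TYPE} for an unsupported modulus size
     */
    private static KeyType putRsaPrivateKey(PrivateKey privateKey, Map<Integer, byte[]> fields) throws SKException {
        List<BigInteger> values;
        if (privateKey instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey) privateKey;
            values = Arrays.asList(
                    crtKey.getModulus(), crtKey.getPublicExponent(), crtKey.getPrivateExponent(),
                    crtKey.getPrimeP(), crtKey.getPrimeQ(),
                    crtKey.getPrimeExponentP(), crtKey.getPrimeExponentQ(), crtKey.getCrtCoefficient());
        } else if ("PKCS#8".equals(privateKey.getFormat())) {
            values = parsePkcs8RsaKeyValues(privateKey.getEncoded());
        } else {
            throw new SKException(SKError.ERR_PIV_RSA_PRIVATE_KEY);
        }
        // A non-CRT PKCS#8 key yields fewer than 8 integers; the original failed with an index error.
        if (values.size() < 8) {
            throw new SKException(SKError.ERR_PIV_RSA_PRIVATE_KEY);
        }
        // Full-width comparison; intValue() would truncate an oversized exponent before comparing.
        if (!RSA_F4.equals(values.get(1))) {
            throw new SKException(SKError.ERR_PIV_RSA_PUBLIC_KEY);
        }
        int modulusBits = values.get(0).bitLength();
        KeyType keyType;
        if (modulusBits == 1024) {
            keyType = KeyType.RSA1024;
        } else if (modulusBits == 2048) {
            keyType = KeyType.RSA2048;
        } else {
            throw new SKException(SKError.ERR_PIV_KEY_TYPE);
        }
        int componentLength = (modulusBits / 8) / 2; // each prime and CRT exponent is half the modulus
        fields.put(1, bytesToLength(values.get(3), componentLength)); // p
        fields.put(2, bytesToLength(values.get(4), componentLength)); // q
        fields.put(3, bytesToLength(values.get(5), componentLength)); // dP
        fields.put(4, bytesToLength(values.get(6), componentLength)); // dQ
        fields.put(5, bytesToLength(values.get(7), componentLength)); // qInv
        return keyType;
    }

    /**
     * Reads the certificate stored in {@code certSlot} (PIV GET DATA, INS 0xCB, P1P2 0x3FFF).
     *
     * <p>The data object (0x53) is expected to hold the certificate under 0x70 and CertInfo under
     * 0x71; only an absent or zero CertInfo (uncompressed) is accepted.
     *
     * @param certSlot slot to read
     * @return the certificate, or {@code null} when the device reports 0x6A82 (object not found)
     * @throws SKException the status word for any other failure; {@link SKError#ERR_PIV_CERT} when
     *     the certificate is flagged compressed, is missing, or does not parse
     */
    public X509Certificate readCertificate(CertSlot certSlot) throws SKException {
        ApduResponse response = TransportAPDU.getInstance().pivSendApduToCOS(
                new Apdu(0, -53, 63, -1, new Tlv(92, certSlot.getBytes()).getBytes()));
        if (!response.hasStatusCode(Def.SUCCESS_CODE)) {
            if (response.hasStatusCode(SW_FILE_NOT_FOUND)) {
                return null;
            }
            throw new SKException(response.statusCode());
        }
        Map<Integer, byte[]> fields = Tlvs.decodeMap(Tlvs.unpackValue(83, response.responseData()));
        byte[] certInfo = fields.get(113); // 0x71
        boolean compressed = certInfo != null && certInfo.length > 0 && certInfo[0] != 0;
        if (compressed) {
            throw new SKException(SKError.ERR_PIV_CERT);
        }
        byte[] certificate = fields.get(112); // 0x70
        if (certificate == null) {
            throw new SKException(SKError.ERR_PIV_CERT);
        }
        return parseCertificate(certificate);
    }

    /**
     * Signs {@code bArr2} with the slot's private key.
     *
     * <p>The input is padded on the host by {@code Padding.pad(keyType, bArr2, signature)} to the
     * form the key expects, then sent as a GENERAL AUTHENTICATE challenge.
     *
     * @param str forwarded to {@code PivModule.authenticate}
     * @param bArr forwarded to {@code PivModule.authenticate}
     * @param certSlot slot holding the signing key
     * @param keyType slot algorithm
     * @param bArr2 data to sign (as expected by {@code Padding.pad} for the given {@code signature})
     * @param signature the {@link Signature} that defines digest and padding scheme
     * @return the raw signature, or {@code null} when the device refused the operation
     *     (see {@link #usePrivateKey})
     * @throws SKException {@link SKError#ERR_PIV_UNKNOWN} when {@code Padding.pad} has no algorithm
     *     for {@code signature}, or whatever authentication raises
     */
    public byte[] sign(String str, byte[] bArr, CertSlot certSlot, KeyType keyType, byte[] bArr2, Signature signature) throws SKException {
        try {
            PivModule.authenticate(str, bArr);
            byte[] padded = Padding.pad(keyType, bArr2, signature);
            return usePrivateKey(certSlot, keyType, padded, false);
        } catch (NoSuchAlgorithmException e) {
            throw new SKException(SKError.ERR_PIV_UNKNOWN);
        }
    }
}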
