package com.zing.zalo.nfc.protocol;

import com.zing.zalo.nfc.APDULevelEACCACapable;
import com.zing.zalo.nfc.UtilsKt;
import com.zing.zalo.nfc.exception.CardServiceException;
import com.zing.zalo.nfc.lds.ChipAuthenticationInfo;
import com.zing.zalo.nfc.lds.SecurityInfo;
import it0.k;
import it0.t;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Iterator;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.crypto.interfaces.DHPublicKey;
import org.bouncycastle.crypto.tls.CipherSuite;
import org.bouncycastle.jce.interfaces.ECPublicKey;
import ou0.a;
import rt0.v;

/* loaded from: classes4.dex */
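/**
 * Terminal-side driver for the Chip Authentication (EAC-CA) step of an eMRTD session.
 *
 * <p>{@link #doCA} generates an ephemeral key pair on the chip key's domain parameters,
 * sends the ephemeral public key to the chip, derives a shared secret and replaces the
 * current secure-messaging wrapper with one keyed from that secret.
 *
 * <p>NOTE(review): this file is decompiler output. {@code t}, {@code v} and {@code a} are
 * obfuscated helpers; from the way they are called they look like Kotlin null-check/equality
 * intrinsics, a string-prefix helper and a tagged logger. Confirm against the mapping file.
 *
 * <p>The class mutates {@code wrapper} without synchronisation; nothing visible here makes it
 * safe to share one instance between threads.
 */
public final class EACCAProtocol {
    private static final Provider BC_PROVIDER;
    // Chunk size, in bytes, used when GENERAL AUTHENTICATE is split by command chaining.
    private static final int COMMAND_CHAINING_CHUNK_SIZE = 224;
    public static final Companion Companion = new Companion(null);
    private static final String TAG;
    private int maxTranceiveLength;
    private APDULevelEACCACapable service;
    // Forwarded unchanged to the secure-messaging wrapper constructors.
    // NOTE(review): presumably controls whether response MACs are verified; if so, passing
    // false removes integrity protection on chip responses. Confirm in SecureMessagingWrapper.
    private boolean shouldCheckMAC;
    private SecureMessagingWrapper wrapper;

    /** Stateless helpers of the protocol (the Kotlin companion object of this class). */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(k kVar) {
            this();
        }

        /**
         * Encodes a public key as the byte string that is sent to the chip.
         *
         * @param str agreement algorithm, {@code "DH"} or {@code "ECDH"}
         * @param publicKey DH key (its {@code y} value is encoded) or Bouncy Castle EC key
         *     (its point {@code Q} is encoded uncompressed)
         * @return the encoded key material
         * @throws IllegalArgumentException for any other algorithm name
         * @throws ClassCastException if the key type does not match the algorithm
         */
        private final byte[] getKeyData(String str, PublicKey publicKey) {
            if (t.b("DH", str)) {
                t.d(publicKey, "null cannot be cast to non-null type javax.crypto.interfaces.DHPublicKey");
                BigInteger y = ((DHPublicKey) publicKey).getY();
                t.e(y, "getY(...)");
                return UtilsKt.i2os(y);
            }
            if (t.b("ECDH", str)) {
                t.d(publicKey, "null cannot be cast to non-null type org.bouncycastle.jce.interfaces.ECPublicKey");
                // getEncoded(false) selects the uncompressed point encoding.
                byte[] encodedPoint = ((ECPublicKey) publicKey).getQ().getEncoded(false);
                t.e(encodedPoint, "getEncoded(...)");
                return encodedPoint;
            }
            throw new IllegalArgumentException("Unsupported agreement algorithm " + str);
        }

        /**
         * Picks a Chip Authentication OID when the card supplied only a public-key OID.
         *
         * <p>Both supported branches fall back to the 3DES-CBC-CBC variant, so a card without a
         * ChipAuthenticationInfo is never negotiated with AES through this path. Each outcome is
         * logged under {@code TAG}.
         *
         * @param str public-key OID taken from ChipAuthenticationPublicKeyInfo
         * @return the 3DES Chip Authentication OID for ECDH or DH, or {@code null} when the
         *     public-key OID is neither
         */
        /* JADX INFO: Access modifiers changed from: private */
        public final String inferChipAuthenticationOIDfromPublicKeyOID(String str) {
            SecurityInfo.Companion oids = SecurityInfo.Companion;
            if (t.b(oids.getID_PK_ECDH(), str)) {
                a.f109184a.z(EACCAProtocol.TAG).u("Could not determine ChipAuthentication algorithm, defaulting to id-CA-ECDH-3DES-CBC-CBC", new Object[0]);
                return oids.getID_CA_ECDH_3DES_CBC_CBC();
            }
            if (t.b(oids.getID_PK_DH(), str)) {
                a.f109184a.z(EACCAProtocol.TAG).u("Could not determine ChipAuthentication algorithm, defaulting to id-CA-DH-3DES-CBC-CBC", new Object[0]);
                return oids.getID_CA_DH_3DES_CBC_CBC();
            }
            a.f109184a.z(EACCAProtocol.TAG).u("No ChipAuthenticationInfo and unsupported ChipAuthenticationPublicKeyInfo public key OID " + str, new Object[0]);
            return null;
        }

        /**
         * Runs a single-phase key agreement with the Bouncy Castle provider.
         *
         * <p>No validation of {@code publicKey} happens in this method; any check that the
         * chip's key is well formed is left to the provider or to the caller.
         *
         * @param str agreement algorithm name handed to {@link KeyAgreement#getInstance}
         * @param publicKey the peer (chip) public key
         * @param privateKey the terminal's ephemeral private key
         * @return the raw shared secret; callers should treat it as key material
         * @throws NoSuchAlgorithmException if the provider lacks the algorithm
         * @throws InvalidKeyException if either key is rejected by the provider
         */
        public final byte[] computeSharedSecret(String str, PublicKey publicKey, PrivateKey privateKey) throws NoSuchAlgorithmException, InvalidKeyException {
            KeyAgreement agreement = KeyAgreement.getInstance(str, EACCAProtocol.BC_PROVIDER);
            agreement.init(privateKey);
            agreement.doPhase(publicKey, true);
            byte[] secret = agreement.generateSecret();
            t.e(secret, "generateSecret(...)");
            return secret;
        }

        /**
         * Computes the short identifier of the terminal's ephemeral public key.
         *
         * <p>For DH this is the SHA-1 digest of the encoded key; for ECDH it is the affine
         * x-coordinate, aligned to the byte length of the curve's field. SHA-1 is used here as
         * a key identifier, not as a signature or MAC primitive.
         *
         * @param str agreement algorithm, {@code "DH"} or {@code "ECDH"}
         * @param publicKey the terminal's ephemeral public key
         * @return the key identifier bytes
         * @throws NoSuchAlgorithmException if SHA-1 is unavailable
         * @throws IllegalArgumentException for any other algorithm name
         * @throws ClassCastException if an ECDH key is not a Bouncy Castle EC key
         */
        public final byte[] getKeyHash(String str, PublicKey publicKey) throws NoSuchAlgorithmException {
            t.f(str, "agreementAlg");
            t.f(publicKey, "pcdPublicKey");
            if (t.b("DH", str)) {
                byte[] digest = MessageDigest.getInstance("SHA-1").digest(getKeyData(str, publicKey));
                t.e(digest, "digest(...)");
                return digest;
            }
            if (t.b("ECDH", str)) {
                // The decompiler dropped this local and left a dangling register name (r6)
                // in the field-size expression; the cast result is kept in a variable so
                // both uses refer to the same key.
                ECPublicKey ecPublicKey = (ECPublicKey) publicKey;
                BigInteger x = ecPublicKey.getQ().getAffineXCoord().toBigInteger();
                t.e(x, "toBigInteger(...)");
                byte[] xBytes = UtilsKt.i2os(x);
                int fieldSizeBytes = (int) Math.ceil(ecPublicKey.getParameters().getCurve().getFieldSize() / 8.0d);
                return UtilsKt.alignKeyDataToSize(xBytes, fieldSizeBytes);
            }
            throw new IllegalArgumentException("Unsupported agreement algorithm " + str);
        }

        /**
         * Builds a fresh secure-messaging wrapper from the Chip Authentication shared secret.
         *
         * <p>Two keys are derived from the secret with counters 1 and 2 and handed to the
         * wrapper in that order; the last constructor argument (0) is presumably the initial
         * send sequence counter.
         *
         * @param str Chip Authentication OID, used to select cipher and key length
         * @param bArr shared secret from {@link #computeSharedSecret}
         * @param i7 maximum transceive length passed to the wrapper
         * @param z11 MAC-check flag passed to the wrapper
         * @return a DESede or AES wrapper, chosen by the cipher algorithm's prefix
         * @throws GeneralSecurityException if key derivation or wrapper set-up fails
         * @throws IllegalStateException if the cipher is neither DESede nor AES
         */
        public final SecureMessagingWrapper restartSecureMessaging(String str, byte[] bArr, int i7, boolean z11) throws GeneralSecurityException {
            t.f(bArr, "sharedSecret");
            ChipAuthenticationInfo.Companion caInfo = ChipAuthenticationInfo.Companion;
            String cipherAlgorithm = caInfo.toCipherAlgorithm(str);
            int keyLength = caInfo.toKeyLength(str);
            SecretKey firstKey = UtilsKt.deriveKey(bArr, cipherAlgorithm, keyLength, 1);
            SecretKey secondKey = UtilsKt.deriveKey(bArr, cipherAlgorithm, keyLength, 2);
            if (v.J(cipherAlgorithm, "DESede", false, 2, null)) {
                return new DESedeSecureMessagingWrapper(firstKey, secondKey, i7, z11, 0L);
            }
            if (v.J(cipherAlgorithm, "AES", false, 2, null)) {
                return new AESSecureMessagingWrapper(firstKey, secondKey, i7, z11, 0L);
            }
            throw new IllegalStateException("Unsupported cipher algorithm " + cipherAlgorithm);
        }

        /**
         * Sends the terminal's ephemeral public key to the chip.
         *
         * <p>DESede suites use one MSE:Set KAT command. AES suites use MSE:Set AT followed by
         * GENERAL AUTHENTICATE; if that single command fails, the same payload is resent in
         * chunks of {@code COMMAND_CHAINING_CHUNK_SIZE} bytes. The fallback is taken for every
         * {@link CardServiceException}, not only for length-related failures, and the failure
         * is logged before retrying.
         *
         * @param aPDULevelEACCACapable card service that transmits the APDUs
         * @param secureMessagingWrapper current wrapper, may be {@code null}
         * @param str Chip Authentication OID
         * @param bigInteger key reference sent to the chip, or {@code null} to omit it
         * @param publicKey the terminal's ephemeral public key
         * @throws CardServiceException if the chip rejects a command
         * @throws IllegalStateException if the cipher is neither DESede nor AES
         */
        public final void sendPublicKey(APDULevelEACCACapable aPDULevelEACCACapable, SecureMessagingWrapper secureMessagingWrapper, String str, BigInteger bigInteger, PublicKey publicKey) throws CardServiceException {
            t.f(aPDULevelEACCACapable, "service");
            t.f(publicKey, "pcdPublicKey");
            ChipAuthenticationInfo.Companion caInfo = ChipAuthenticationInfo.Companion;
            String agreementAlgorithm = caInfo.toKeyAgreementAlgorithm(str);
            String cipherAlgorithm = caInfo.toCipherAlgorithm(str);
            byte[] keyData = getKeyData(agreementAlgorithm, publicKey);
            if (v.J(cipherAlgorithm, "DESede", false, 2, null)) {
                // Data-object tags of MSE:Set KAT: 0x91 wraps the ephemeral public key and
                // 0x84 the key reference. The decompiler had rendered these two integers as
                // unrelated TLS CipherSuite constants that happen to share the values.
                byte[] keyReference = bigInteger != null ? UtilsKt.wrapDO(0x84, UtilsKt.i2os(bigInteger)) : null;
                aPDULevelEACCACapable.sendMSEKAT(secureMessagingWrapper, UtilsKt.wrapDO(0x91, keyData), keyReference);
                return;
            }
            if (!v.J(cipherAlgorithm, "AES", false, 2, null)) {
                throw new IllegalStateException("Cannot set up secure channel with cipher " + cipherAlgorithm);
            }
            aPDULevelEACCACapable.sendMSESetATIntAuth(secureMessagingWrapper, str, bigInteger);
            byte[] wrappedKey = UtilsKt.wrapDO(128, keyData);
            try {
                aPDULevelEACCACapable.sendGeneralAuthenticate(secureMessagingWrapper, wrappedKey, true);
            } catch (CardServiceException e11) {
                a.f109184a.z(EACCAProtocol.TAG).d("Failed to send GENERAL AUTHENTICATE, falling back to command chaining, e=" + e11, new Object[0]);
                List<byte[]> chunks = UtilsKt.partition(EACCAProtocol.COMMAND_CHAINING_CHUNK_SIZE, wrappedKey);
                int sent = 0;
                for (byte[] chunk : chunks) {
                    sent++;
                    // The final flag is true only for the last chunk.
                    aPDULevelEACCACapable.sendGeneralAuthenticate(secureMessagingWrapper, chunk, sent >= chunks.size());
                }
            }
        }
    }

    static {
        String simpleName = EACCAProtocol.class.getSimpleName();
        t.e(simpleName, "getSimpleName(...)");
        TAG = simpleName;
        BC_PROVIDER = UtilsKt.getBouncyCastleProvider();
    }

    /**
     * Creates a protocol instance bound to one card service.
     *
     * @param aPDULevelEACCACapable card service that transmits the APDUs; must not be null
     * @param secureMessagingWrapper wrapper in force before Chip Authentication, may be null
     * @param i7 maximum transceive length handed to the new wrapper
     * @param z11 MAC-check flag handed to the new wrapper
     */
    public EACCAProtocol(APDULevelEACCACapable aPDULevelEACCACapable, SecureMessagingWrapper secureMessagingWrapper, int i7, boolean z11) {
        t.f(aPDULevelEACCACapable, "service");
        this.service = aPDULevelEACCACapable;
        this.wrapper = secureMessagingWrapper;
        this.maxTranceiveLength = i7;
        this.shouldCheckMAC = z11;
    }

    /**
     * Performs Chip Authentication and switches this instance to the new secure channel.
     *
     * <p>The returned {@code EACCAResult} carries the ephemeral private key and the new
     * wrapper, so it should be handled as key material and kept out of logs.
     *
     * @param bigInteger key reference forwarded to the chip, may be {@code null}
     * @param str Chip Authentication OID, or {@code null} to infer one from {@code str2}
     * @param str2 public-key OID used for that inference; must not be null
     * @param publicKey the chip's static public key
     * @return the result holding both public keys, the key hash, the ephemeral private key
     *     and the new wrapper
     * @throws IllegalArgumentException if {@code publicKey} is null or the agreement
     *     algorithm is neither ECDH nor DH
     * @throws CardServiceException if the chip rejects a command or a cryptographic step fails
     */
    public final EACCAResult doCA(BigInteger bigInteger, String str, String str2, PublicKey publicKey) throws CardServiceException {
        t.f(str2, "publicKeyOID");
        if (publicKey == null) {
            throw new IllegalArgumentException("PICC public key is null");
        }
        // NOTE(review): the agreement algorithm is resolved from str before the null check
        // below, so the OID inference only takes effect if toKeyAgreementAlgorithm(null)
        // returns ECDH or DH instead of failing. Confirm in ChipAuthenticationInfo; if it
        // rejects null, the 3DES fallback in inferChipAuthenticationOIDfromPublicKeyOID is
        // unreachable from here.
        String agreementAlgorithm = ChipAuthenticationInfo.Companion.toKeyAgreementAlgorithm(str);
        if (!t.b("ECDH", agreementAlgorithm) && !t.b("DH", agreementAlgorithm)) {
            throw new IllegalArgumentException("Unsupported agreement algorithm, expected ECDH or DH, found " + agreementAlgorithm);
        }
        // The inferred OID may itself be null when the public-key OID is unsupported.
        String oid = str != null ? str : Companion.inferChipAuthenticationOIDfromPublicKeyOID(str2);
        try {
            // The ephemeral key pair must live on the same domain parameters as the chip key.
            AlgorithmParameterSpec params;
            if (t.b("DH", agreementAlgorithm)) {
                params = ((DHPublicKey) publicKey).getParams();
            } else if (t.b("ECDH", agreementAlgorithm)) {
                params = ((java.security.interfaces.ECPublicKey) publicKey).getParams();
            } else {
                params = null;
            }
            KeyPairGenerator generator = KeyPairGenerator.getInstance(agreementAlgorithm, BC_PROVIDER);
            generator.initialize(params);
            KeyPair ephemeralPair = generator.generateKeyPair();
            PublicKey ephemeralPublic = ephemeralPair.getPublic();
            PrivateKey ephemeralPrivate = ephemeralPair.getPrivate();
            Companion companion = Companion;
            APDULevelEACCACapable cardService = this.service;
            SecureMessagingWrapper currentWrapper = this.wrapper;
            t.c(ephemeralPublic);
            companion.sendPublicKey(cardService, currentWrapper, oid, bigInteger, ephemeralPublic);
            byte[] keyHash = companion.getKeyHash(agreementAlgorithm, ephemeralPublic);
            byte[] sharedSecret = companion.computeSharedSecret(agreementAlgorithm, publicKey, ephemeralPrivate);
            SecureMessagingWrapper newWrapper = companion.restartSecureMessaging(oid, sharedSecret, this.maxTranceiveLength, this.shouldCheckMAC);
            // From here on the instance uses the channel keyed by Chip Authentication.
            this.wrapper = newWrapper;
            return new EACCAResult(bigInteger, publicKey, keyHash, ephemeralPublic, ephemeralPrivate, newWrapper);
        } catch (GeneralSecurityException e11) {
            throw new CardServiceException("Security exception during Chip Authentication", e11);
        }
    }

    /**
     * Returns the secure-messaging wrapper currently in force.
     *
     * @return the wrapper; the null check fails if none was supplied and {@link #doCA} has
     *     not completed
     */
    public final SecureMessagingWrapper getWrapper() {
        SecureMessagingWrapper current = this.wrapper;
        t.c(current);
        return current;
    }
}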
