package com.xone.android.dniemanager.connections;

import com.xone.android.dniemanager.apdu.CommandApdu;
import com.xone.android.dniemanager.apdu.GetResponseApduCommand;
import com.xone.android.dniemanager.apdu.ResponseApdu;
import com.xone.android.dniemanager.apdu.StatusWord;
import com.xone.android.dniemanager.card.Dnie;
import com.xone.android.dniemanager.exceptions.ApduConnectionException;
import com.xone.android.dniemanager.exceptions.DnieException;
import com.xone.android.dniemanager.exceptions.SecureChannelException;
import com.xone.android.dniemanager.interfaces.ApduConnection;
import com.xone.android.dniemanager.tools.CryptoHelper;
import com.xone.android.dniemanager.tools.DnieTools;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

/* loaded from: classes2.dex */
public class SecureApduConnection implements ApduConnection {
    private static final byte MSB_INCORRECT_LE = 108;
    private final Dnie card;
    private final ApduConnection connection;
    private final byte[] kenc;
    private final byte[] kmac;
    private byte[] ssc;
    private static final StatusWord INVALID_CRYPTO_CHECKSUM = new StatusWord((byte) 102, (byte) -120);
    private static final StatusWord INVALID_CIPHERED_DATA = new StatusWord((byte) 105, (byte) -120);
    private static final byte[] SECURE_CHANNEL_KENC_AUX = {0, 0, 0, 1};
    private static final byte[] SECURE_CHANNEL_KMAC_AUX = {0, 0, 0, 2};

    public SecureApduConnection(Dnie dnie, ApduConnection apduConnection) {
        if (dnie == null) {
            throw new IllegalArgumentException("No se ha proporcionado la tarjeta CWA-14890 con la que abrir el canal seguro");
        }
        this.card = dnie;
        if (apduConnection == null) {
            throw new IllegalArgumentException("Connection cannot be null");
        }
        this.connection = apduConnection;
        byte[] paddedSerial = getPaddedSerial();
        dnie.verifyCaIntermediateIcc();
        dnie.verifyIcc();
        RSAPublicKey rSAPublicKey = (RSAPublicKey) CryptoHelper.generateCertificate(dnie.getIccCertEncoded()).getPublicKey();
        dnie.verifyIfdCertificateChain();
        byte[] generateRandomBytes = CryptoHelper.generateRandomBytes(8);
        byte[] internalAuthentication = internalAuthentication(generateRandomBytes, rSAPublicKey);
        byte[] challenge = dnie.getChallenge();
        byte[] xor = DnieTools.xor(internalAuthentication, externalAuthentication(paddedSerial, challenge, rSAPublicKey));
        this.kenc = generateKenc(xor);
        this.kmac = generateKmac(xor);
        this.ssc = generateSsc(generateRandomBytes, challenge);
    }

    private byte[] externalAuthentication(byte[] bArr, byte[] bArr2, RSAPublicKey rSAPublicKey) {
        byte[] generateRandomBytes = CryptoHelper.generateRandomBytes(74);
        byte[] generateRandomBytes2 = CryptoHelper.generateRandomBytes(32);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(generateRandomBytes, 0, generateRandomBytes.length);
        byteArrayOutputStream.write(generateRandomBytes2, 0, generateRandomBytes2.length);
        byteArrayOutputStream.write(bArr2, 0, bArr2.length);
        byteArrayOutputStream.write(bArr, 0, bArr.length);
        byte[] sha1 = CryptoHelper.sha1(byteArrayOutputStream.toByteArray());
        byteArrayOutputStream.reset();
        byteArrayOutputStream.write(106);
        byteArrayOutputStream.write(generateRandomBytes, 0, generateRandomBytes.length);
        byteArrayOutputStream.write(generateRandomBytes2, 0, generateRandomBytes2.length);
        byteArrayOutputStream.write(sha1, 0, sha1.length);
        byteArrayOutputStream.write(-68);
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        RSAPrivateKey ifdPrivateKey = this.card.getIfdPrivateKey();
        BigInteger bigInteger = new BigInteger(1, CryptoHelper.rsaDecrypt(byteArray, ifdPrivateKey));
        if (this.card.externalAuthentication(CryptoHelper.rsaEncrypt(ifdPrivateKey.getModulus().subtract(bigInteger).min(bigInteger).toByteArray(), rSAPublicKey))) {
            return generateRandomBytes2;
        }
        throw new SecureChannelException("Error durante la autenticación externa del canal seguro");
    }

    private byte[] generateKenc(byte[] bArr) {
        int length = bArr.length;
        byte[] bArr2 = SECURE_CHANNEL_KENC_AUX;
        byte[] bArr3 = new byte[length + bArr2.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(bArr2, 0, bArr3, bArr.length, bArr2.length);
        byte[] bArr4 = new byte[16];
        System.arraycopy(CryptoHelper.sha1(bArr3), 0, bArr4, 0, 16);
        return bArr4;
    }

    private byte[] generateKmac(byte[] bArr) {
        int length = bArr.length;
        byte[] bArr2 = SECURE_CHANNEL_KMAC_AUX;
        byte[] bArr3 = new byte[length + bArr2.length];
        System.arraycopy(bArr, 0, bArr3, 0, bArr.length);
        System.arraycopy(bArr2, 0, bArr3, bArr.length, bArr2.length);
        byte[] bArr4 = new byte[16];
        System.arraycopy(CryptoHelper.sha1(bArr3), 0, bArr4, 0, 16);
        return bArr4;
    }

    private static byte[] generateSsc(byte[] bArr, byte[] bArr2) {
        byte[] bArr3 = new byte[8];
        System.arraycopy(bArr2, 4, bArr3, 0, 4);
        System.arraycopy(bArr, 4, bArr3, 4, 4);
        return bArr3;
    }

    private byte[] getPaddedSerial() {
        byte[] serialNumber = this.card.getSerialNumber();
        if (serialNumber.length >= 8) {
            return serialNumber;
        }
        byte[] bArr = new byte[8];
        System.arraycopy(serialNumber, 0, bArr, 8 - serialNumber.length, serialNumber.length);
        return bArr;
    }

    private static byte[] increment(byte[] bArr) {
        byte[] byteArray = new BigInteger(1, bArr).add(BigInteger.ONE).toByteArray();
        if (byteArray.length > 8) {
            byte[] bArr2 = new byte[8];
            System.arraycopy(byteArray, byteArray.length - 8, bArr2, 0, 8);
            return bArr2;
        }
        if (byteArray.length >= 8) {
            return byteArray;
        }
        byte[] bArr3 = new byte[8];
        System.arraycopy(byteArray, 0, bArr3, 8 - byteArray.length, byteArray.length);
        return bArr3;
    }

    private byte[] internalAuthentication(byte[] bArr, RSAPublicKey rSAPublicKey) {
        Dnie dnie = this.card;
        dnie.setKeysToAuthentication(dnie.getChrCCvIfd(), this.card.getRefIccPrivateKey());
        Dnie dnie2 = this.card;
        byte[] rsaDecrypt = CryptoHelper.rsaDecrypt(dnie2.getInternalAuthenticateMessage(bArr, dnie2.getChrCCvIfd()), this.card.getIfdPrivateKey());
        byte[] rsaEncrypt = CryptoHelper.rsaEncrypt(rsaDecrypt, rSAPublicKey);
        if (rsaEncrypt[0] != 106 || rsaEncrypt[rsaEncrypt.length - 1] != -68) {
            byte[] byteArray = rSAPublicKey.getModulus().subtract(new BigInteger(rsaDecrypt)).toByteArray();
            byte[] bArr2 = new byte[128];
            if (byteArray.length <= 128 || byteArray[0] != 0) {
                System.arraycopy(byteArray, 0, bArr2, 0, byteArray.length);
            } else {
                System.arraycopy(byteArray, 1, bArr2, 0, byteArray.length - 1);
            }
            rsaEncrypt = CryptoHelper.rsaEncrypt(bArr2, rSAPublicKey);
            if (rsaEncrypt[0] != 106 || rsaEncrypt[rsaEncrypt.length - 1] != -68) {
                throw new SecureChannelException("Error en la autenticación interna para el establecimiento del canal seguro");
            }
        }
        byte[] bArr3 = new byte[74];
        System.arraycopy(rsaEncrypt, 1, bArr3, 0, 74);
        byte[] bArr4 = new byte[32];
        System.arraycopy(rsaEncrypt, 75, bArr4, 0, 32);
        byte[] bArr5 = new byte[20];
        System.arraycopy(rsaEncrypt, 107, bArr5, 0, 20);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(bArr3, 0, 74);
        byteArrayOutputStream.write(bArr4, 0, 32);
        byteArrayOutputStream.write(bArr, 0, bArr.length);
        byte[] chrCCvIfd = this.card.getChrCCvIfd();
        byteArrayOutputStream.write(chrCCvIfd, 0, chrCCvIfd.length);
        if (Arrays.equals(bArr5, CryptoHelper.sha1(byteArrayOutputStream.toByteArray()))) {
            return bArr4;
        }
        throw new SecureChannelException("Error en la comprobación de la clave de autenticación interna");
    }

    private ResponseApdu send(CommandApdu commandApdu) {
        ApduConnection apduConnection = this.connection;
        if (apduConnection == null) {
            throw new ApduConnectionException("No se puede transmitir sobre una conexión NFC cerrada");
        }
        if (commandApdu == null) {
            throw new IllegalArgumentException("No se puede transmitir una APDU nula");
        }
        if (!apduConnection.isConnected()) {
            this.connection.connect();
        }
        ResponseApdu responseApdu = new ResponseApdu(this.connection.sendDirect(commandApdu.getBytes()));
        StatusWord statusWord = responseApdu.getStatusWord();
        if (statusWord.getMsb() == 97) {
            if (responseApdu.getDataCopy().length <= 0) {
                return send(new GetResponseApduCommand((byte) 0, statusWord.getLsb()));
            }
            ResponseApdu send = send(new GetResponseApduCommand((byte) 0, statusWord.getLsb()));
            send.toFullResponse();
            return send;
        }
        if (statusWord.getMsb() != 108 || commandApdu.getCla() != 0) {
            return responseApdu;
        }
        commandApdu.setLe(statusWord.getLsb());
        return send(commandApdu);
    }

    @Override // com.xone.android.dniemanager.interfaces.ApduConnection
    public void connect() {
        this.connection.connect();
    }

    @Override // com.xone.android.dniemanager.interfaces.ApduConnection
    public boolean isConnected() {
        return this.connection.isConnected();
    }

    @Override // com.xone.android.dniemanager.interfaces.ApduConnection
    public byte[] sendDirect(byte[] bArr) {
        return this.connection.sendDirect(bArr);
    }

    @Override // com.xone.android.dniemanager.interfaces.ApduConnection
    public ResponseApdu sendSecure(CommandApdu commandApdu) {
        byte[] increment = increment(this.ssc);
        this.ssc = increment;
        commandApdu.protectApdu(this.kenc, this.kmac, increment);
        ResponseApdu send = send(commandApdu);
        if (INVALID_CRYPTO_CHECKSUM.equals(send.getStatusWord())) {
            throw new DnieException("Checksum criptografico invalido (APDU respuesta = 6688)");
        }
        if (INVALID_CIPHERED_DATA.equals(send.getStatusWord())) {
            throw new DnieException("Datos cifrados incorrectos (APDU respuesta = 6988)");
        }
        if (!send.isOk()) {
            throw new SecureChannelException("Error en la APDU de respuesta cifrada", send);
        }
        byte[] increment2 = increment(this.ssc);
        this.ssc = increment2;
        ResponseApdu decryptResponseApdu = send.decryptResponseApdu(this.kenc, increment2, this.kmac);
        if (decryptResponseApdu.getStatusWord().getMsb() != 108) {
            return decryptResponseApdu;
        }
        commandApdu.setLe(decryptResponseApdu.getStatusWord().getLsb());
        return send(commandApdu);
    }
}
