package com.webauthn4j.ctap.authenticator;

import com.webauthn4j.ctap.authenticator.execution.CtapCommandExecutionException;
import com.webauthn4j.ctap.authenticator.store.AuthenticatorPropertyStore;
import com.webauthn4j.ctap.core.data.AuthenticatorClientPINResponse;
import com.webauthn4j.ctap.core.data.AuthenticatorClientPINResponseData;
import com.webauthn4j.ctap.core.data.CtapStatusCode;
import com.webauthn4j.ctap.core.util.internal.ArrayUtil;
import com.webauthn4j.ctap.core.util.internal.CipherUtil;
import com.webauthn4j.ctap.core.util.internal.KeyAgreementUtil;
import com.webauthn4j.data.attestation.authenticator.COSEKey;
import com.webauthn4j.data.attestation.authenticator.EC2COSEKey;
import com.webauthn4j.data.attestation.statement.COSEAlgorithmIdentifier;
import com.webauthn4j.util.ECUtil;
import com.webauthn4j.util.MACUtil;
import com.webauthn4j.util.MessageDigestUtil;
import java.nio.ByteBuffer;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.UInt;
import kotlin.collections.ArraysKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: ClientPINService.kt */
@Metadata(mv = {2, 1, 0}, k = 1, xi = 48, d1 = {"��L\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\b\n��\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0010\u0012\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0006\n\u0002\u0010\u0002\n\u0002\b\u0003\n\u0002\u0010\u000b\n\u0002\b\u0005\u0018�� '2\u00020\u0001:\u0001'B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J\u0006\u0010\u0013\u001a\u00020\u0014J\u0006\u0010\u0015\u001a\u00020\u0014J$\u0010\u0016\u001a\u00020\u00142\b\u0010\u0017\u001a\u0004\u0018\u00010\u00182\b\u0010\u0019\u001a\u0004\u0018\u00010\u00102\b\u0010\u001a\u001a\u0004\u0018\u00010\u0010J.\u0010\u001b\u001a\u00020\u00142\b\u0010\u0017\u001a\u0004\u0018\u00010\u00182\b\u0010\u0019\u001a\u0004\u0018\u00010\u00102\b\u0010\u001a\u001a\u0004\u0018\u00010\u00102\b\u0010\u001c\u001a\u0004\u0018\u00010\u0010J\u001a\u0010\u0011\u001a\u00020\u00142\b\u0010\u0017\u001a\u0004\u0018\u00010\u00182\b\u0010\u001c\u001a\u0004\u0018\u00010\u0010J\u000e\u0010\u001d\u001a\u00020\u00102\u0006\u0010\u0017\u001a\u00020\u0018J\u001a\u0010\u001e\u001a\u00020\u001f2\b\u0010\u0019\u001a\u0004\u0018\u00010\u00102\b\u0010 \u001a\u0004\u0018\u00010\u0010J\u0006\u0010!\u001a\u00020\u001fR\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u000e¢\u0006\u0002\n��R\u001f\u0010\b\u001a\u00070\t¢\u0006\u0002\b\nX\u0086\u000e¢\u0006\u000e\n��\u001a\u0004\b\u000b\u0010\f\"\u0004\b\r\u0010\u000eR\u0011\u0010\u000f\u001a\u00020\u0010¢\u0006\b\n��\u001a\u0004\b\u0011\u0010\u0012R\u0011\u0010\"\u001a\u00020#8F¢\u0006\u0006\u001a\u0004\b\"\u0010$R\u0013\u0010%\u001a\u0004\u0018\u00010\u00108F¢\u0006\u0006\u001a\u0004\b&\u0010\u0012¨\u0006("}, d2 = {"Lcom/webauthn4j/ctap/authenticator/ClientPINService;", "", "authenticatorPropertyStore", 
"Lcom/webauthn4j/ctap/authenticator/store/AuthenticatorPropertyStore;", "<init>", "(Lcom/webauthn4j/ctap/authenticator/store/AuthenticatorPropertyStore;)V", "volatilePinRetryCounter", "", "authenticatorKeyAgreementKey", "Ljava/security/KeyPair;", "Lorg/jetbrains/annotations/NotNull;", "getAuthenticatorKeyAgreementKey", "()Ljava/security/KeyPair;", "setAuthenticatorKeyAgreementKey", "(Ljava/security/KeyPair;)V", "pinToken", "", "getPinToken", "()[B", "getPinRetries", "Lcom/webauthn4j/ctap/core/data/AuthenticatorClientPINResponse;", "getKeyAgreement", "setPIN", "platformKeyAgreementKey", "Lcom/webauthn4j/data/attestation/authenticator/COSEKey;", "pinAuth", "newPinEnc", "changePIN", "pinHashEnc", "generateSharedSecret", "validatePINAuth", "", "clientDataHash", "resetVolatilePinRetryCounter", "isClientPINReady", "", "()Z", "clientPIN", "getClientPIN", "Companion", "webauthn4j-ctap-authenticator"})
/* loaded from: input_file:com/webauthn4j/ctap/authenticator/ClientPINService.class */
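public final class ClientPINService {

    @NotNull
    private final AuthenticatorPropertyStore authenticatorPropertyStore;

    /**
     * Consecutive-failure budget for the current power cycle. Starts at
     * {@link #MAX_VOLATILE_PIN_RETRIES}, is decremented on every PIN verification
     * attempt ({@link #changePIN} / {@link #getPinToken(COSEKey, byte[])}) and is only
     * restored by {@link #resetVolatilePinRetryCounter()}. Once it reaches zero, further
     * verification attempts are refused with CTAP2_ERR_PIN_AUTH_BLOCKED.
     */
    private int volatilePinRetryCounter;

    /** ECDH key for the platform/authenticator shared secret; rotated after every wrong PIN. */
    @NotNull
    private KeyPair authenticatorKeyAgreementKey;

    /** Random per-instance PIN token; handed to the platform encrypted under the shared secret. */
    @NotNull
    private final byte[] pinToken;
    public static final int MAX_PIN_RETRIES = 8;
    public static final int MAX_VOLATILE_PIN_RETRIES = 3;

    @NotNull
    private static final COSEAlgorithmIdentifier ECDH_ES_HKDF_256;

    @NotNull
    public static final Companion Companion = new Companion(null);

    /** PIN protocol v1 uses AES-CBC with a fixed all-zero IV (the key is fresh per shared secret). */
    @NotNull
    private static final byte[] ZERO_IV = new byte[16];

    /** pinAuth is LEFT(HMAC-SHA-256(sharedSecret, ...), 16). */
    private static final int PIN_AUTH_LENGTH = 16;

    /** Only LEFT(SHA-256(PIN), 16) travels on the wire and is compared. */
    private static final int PIN_HASH_LENGTH = 16;

    /** Byte-length bounds enforced on the decrypted, unpadded PIN. */
    private static final int MIN_PIN_LENGTH = 4;
    private static final int MAX_PIN_LENGTH = 63;

    /* compiled from: ClientPINService.kt */
    /* loaded from: input_file:com/webauthn4j/ctap/authenticator/ClientPINService$Companion.class */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Creates a service bound to {@code authenticatorPropertyStore} (persistent PIN and retry
     * counter), with a fresh key-agreement key pair and a fresh 16-byte random PIN token.
     *
     * @param authenticatorPropertyStore backing store for the PIN and its retry counter
     */
    public ClientPINService(@NotNull AuthenticatorPropertyStore authenticatorPropertyStore) {
        Intrinsics.checkNotNullParameter(authenticatorPropertyStore, "authenticatorPropertyStore");
        this.authenticatorPropertyStore = authenticatorPropertyStore;
        this.volatilePinRetryCounter = MAX_VOLATILE_PIN_RETRIES;
        this.authenticatorKeyAgreementKey = newKeyAgreementKey();
        this.pinToken = new byte[16];
        new SecureRandom().nextBytes(this.pinToken);
    }

    @NotNull
    public final KeyPair getAuthenticatorKeyAgreementKey() {
        return this.authenticatorKeyAgreementKey;
    }

    public final void setAuthenticatorKeyAgreementKey(@NotNull KeyPair keyPair) {
        Intrinsics.checkNotNullParameter(keyPair, "<set-?>");
        this.authenticatorKeyAgreementKey = keyPair;
    }

    /**
     * Returns a copy of the PIN token so callers cannot mutate the secret the
     * authenticator verifies {@code pinAuth} against.
     */
    @NotNull
    public final byte[] getPinToken() {
        return this.pinToken.clone();
    }

    /** getPinRetries subcommand: reports the persistent retry counter. */
    @NotNull
    public final AuthenticatorClientPINResponse getPinRetries() {
        return retriesResponse(loadPinRetries());
    }

    /** getKeyAgreement subcommand: publishes the authenticator's ECDH public key as a COSE key. */
    @NotNull
    public final AuthenticatorClientPINResponse getKeyAgreement() {
        PublicKey publicKey = this.authenticatorKeyAgreementKey.getPublic();
        Intrinsics.checkNotNull(publicKey, "null cannot be cast to non-null type java.security.interfaces.ECPublicKey");
        COSEKey coseKey = EC2COSEKey.create((ECPublicKey) publicKey, ECDH_ES_HKDF_256);
        Intrinsics.checkNotNullExpressionValue(coseKey, "create(...)");
        return new AuthenticatorClientPINResponse(CtapStatusCode.Companion.getCTAP2_OK(), new AuthenticatorClientPINResponseData(coseKey, (byte[]) null, (UInt) null, (DefaultConstructorMarker) null));
    }

    /**
     * setPIN subcommand: installs the initial PIN. Only valid while no PIN is stored.
     *
     * @param platformKeyAgreementKey platform ECDH public key
     * @param pinAuth                 LEFT(HMAC-SHA-256(sharedSecret, newPinEnc), 16)
     * @param newPinEnc               AES-CBC(sharedSecret, NUL-padded new PIN)
     * @return CTAP2_OK with the reset retry counter, or the CTAP error describing the failure
     */
    @NotNull
    public final AuthenticatorClientPINResponse setPIN(@Nullable COSEKey platformKeyAgreementKey, @Nullable byte[] pinAuth, @Nullable byte[] newPinEnc) {
        if (platformKeyAgreementKey == null || pinAuth == null || newPinEnc == null) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_MISSING_PARAMETER());
        }
        // Once a PIN exists it may only be replaced through changePIN, which proves the old one.
        if (isClientPINReady()) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_INVALID());
        }
        byte[] sharedSecret = generateSharedSecret(platformKeyAgreementKey);
        if (!constantTimeEquals(MACUtil.calculateHmacSHA256(newPinEnc, sharedSecret, PIN_AUTH_LENGTH), pinAuth)) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_INVALID());
        }
        byte[] decrypted = CipherUtil.INSTANCE.decryptWithAESCBCNoPadding(newPinEnc, aesKey(sharedSecret), ZERO_IV);
        byte[] unpadded = unpadPin(decrypted);
        // A conformant platform NUL-pads newPin to 64 bytes, so the no-terminator case only arises
        // for shorter, unpadded ciphertexts; the whole buffer is then taken as the PIN (existing
        // behaviour, kept for compatibility). Note that changePIN rejects the same input.
        byte[] newPin = unpadded != null ? unpadded : decrypted;
        if (!isAcceptablePinLength(newPin)) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_POLICY_VIOLATION());
        }
        this.authenticatorPropertyStore.saveClientPIN(newPin);
        savePinRetries(MAX_PIN_RETRIES);
        return retriesResponse(MAX_PIN_RETRIES);
    }

    /**
     * changePIN subcommand: replaces the PIN after verifying the current one.
     * Both retry counters are consumed before the PIN hash is checked, so an
     * attempt interrupted mid-way still counts.
     *
     * @param platformKeyAgreementKey platform ECDH public key
     * @param pinAuth                 LEFT(HMAC-SHA-256(sharedSecret, newPinEnc || pinHashEnc), 16)
     * @param newPinEnc               AES-CBC(sharedSecret, NUL-padded new PIN)
     * @param pinHashEnc              AES-CBC(sharedSecret, LEFT(SHA-256(current PIN), 16))
     * @return CTAP2_OK with the current retry counter, or the CTAP error describing the failure
     */
    @NotNull
    public final AuthenticatorClientPINResponse changePIN(@Nullable COSEKey platformKeyAgreementKey, @Nullable byte[] pinAuth, @Nullable byte[] newPinEnc, @Nullable byte[] pinHashEnc) {
        if (platformKeyAgreementKey == null || pinAuth == null || newPinEnc == null || pinHashEnc == null) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_MISSING_PARAMETER());
        }
        if (loadPinRetries() == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_BLOCKED());
        }
        if (this.volatilePinRetryCounter == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_BLOCKED());
        }
        byte[] sharedSecret = generateSharedSecret(platformKeyAgreementKey);
        byte[] authenticated = ByteBuffer.allocate(newPinEnc.length + pinHashEnc.length).put(newPinEnc).put(pinHashEnc).array();
        if (!constantTimeEquals(MACUtil.calculateHmacSHA256(authenticated, sharedSecret, PIN_AUTH_LENGTH), pinAuth)) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_INVALID());
        }
        byte[] storedPin = this.authenticatorPropertyStore.loadClientPIN();
        if (storedPin == null) {
            // Checked before the counters are consumed: there is nothing to verify against.
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_NOT_SET());
        }
        consumeRetryCounters();
        SecretKeySpec key = aesKey(sharedSecret);
        byte[] receivedPinHash = CipherUtil.INSTANCE.decryptWithAESCBCNoPadding(pinHashEnc, key, ZERO_IV);
        if (!pinHashMatches(receivedPinHash, storedPin)) {
            rotateKeyAgreementKey();
            return failureAfterWrongPin();
        }
        savePinRetries(MAX_PIN_RETRIES);
        byte[] newPin = unpadPin(CipherUtil.INSTANCE.decryptWithAESCBCNoPadding(newPinEnc, key, ZERO_IV));
        if (newPin == null || !isAcceptablePinLength(newPin)) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_POLICY_VIOLATION());
        }
        this.authenticatorPropertyStore.saveClientPIN(newPin);
        return retriesResponse(loadPinRetries());
    }

    /**
     * getPinToken subcommand: verifies the PIN hash and returns the PIN token encrypted
     * under the shared secret. Both retry counters are consumed before the hash is checked.
     *
     * @param platformKeyAgreementKey platform ECDH public key
     * @param pinHashEnc              AES-CBC(sharedSecret, LEFT(SHA-256(PIN), 16))
     * @return CTAP2_OK with the encrypted PIN token, or the CTAP error describing the failure
     */
    @NotNull
    public final AuthenticatorClientPINResponse getPinToken(@Nullable COSEKey platformKeyAgreementKey, @Nullable byte[] pinHashEnc) {
        if (platformKeyAgreementKey == null || pinHashEnc == null) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_MISSING_PARAMETER());
        }
        if (loadPinRetries() == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_BLOCKED());
        }
        // Previously absent here (present in changePIN): without it the per-power-cycle lockout
        // fired only on the attempt that reached zero, the counter then went negative and every
        // later attempt was answered with PIN_INVALID, so the lockout never actually held.
        if (this.volatilePinRetryCounter == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_BLOCKED());
        }
        byte[] storedPin = this.authenticatorPropertyStore.loadClientPIN();
        if (storedPin == null) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_NOT_SET());
        }
        byte[] sharedSecret = generateSharedSecret(platformKeyAgreementKey);
        consumeRetryCounters();
        SecretKeySpec key = aesKey(sharedSecret);
        byte[] receivedPinHash = CipherUtil.INSTANCE.decryptWithAESCBCNoPadding(pinHashEnc, key, ZERO_IV);
        if (!pinHashMatches(receivedPinHash, storedPin)) {
            rotateKeyAgreementKey();
            return failureAfterWrongPin();
        }
        savePinRetries(MAX_PIN_RETRIES);
        byte[] encryptedToken = CipherUtil.INSTANCE.encryptWithAESCBCNoPadding(this.pinToken, key, ZERO_IV);
        return new AuthenticatorClientPINResponse(CtapStatusCode.Companion.getCTAP2_OK(), new AuthenticatorClientPINResponseData((COSEKey) null, encryptedToken, UInt.box-impl(loadPinRetries()), (DefaultConstructorMarker) null));
    }

    /**
     * Derives the PIN protocol v1 shared secret: SHA-256 of the ECDH x-coordinate
     * between the authenticator's key and {@code platformKeyAgreementKey}.
     * NOTE(review): the platform key is attacker-controlled; this assumes KeyAgreementUtil /
     * the JCA provider rejects points not on the P-256 curve (invalid-curve attack) — confirm.
     * A non-EC COSE key currently surfaces as a ClassCastException rather than a CTAP error.
     */
    @NotNull
    public final byte[] generateSharedSecret(@NotNull COSEKey platformKeyAgreementKey) {
        Intrinsics.checkNotNullParameter(platformKeyAgreementKey, "platformKeyAgreementKey");
        PrivateKey privateKey = this.authenticatorKeyAgreementKey.getPrivate();
        Intrinsics.checkNotNull(privateKey, "null cannot be cast to non-null type java.security.interfaces.ECPrivateKey");
        byte[] rawSecret = KeyAgreementUtil.INSTANCE.generateSecret((ECPrivateKey) privateKey, (ECPublicKey) platformKeyAgreementKey.getPublicKey());
        byte[] sharedSecret = MessageDigestUtil.createSHA256().digest(rawSecret);
        Intrinsics.checkNotNullExpressionValue(sharedSecret, "digest(...)");
        return sharedSecret;
    }

    /**
     * Verifies a request's pinAuth = LEFT(HMAC-SHA-256(pinToken, clientDataHash), 16).
     *
     * @throws CtapCommandExecutionException with CTAP2_ERR_PIN_AUTH_INVALID when either
     *         argument is missing or the MAC does not match
     */
    public final void validatePINAuth(@Nullable byte[] pinAuth, @Nullable byte[] clientDataHash) {
        if (pinAuth == null || clientDataHash == null) {
            throw new CtapCommandExecutionException(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_INVALID(), null, 2, null);
        }
        byte[] expected = MACUtil.calculateHmacSHA256(clientDataHash, this.pinToken, PIN_AUTH_LENGTH);
        if (!constantTimeEquals(expected, pinAuth)) {
            throw new CtapCommandExecutionException(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_INVALID(), null, 2, null);
        }
    }

    /** Restores the per-power-cycle budget; the caller decides when a "power cycle" happened. */
    public final void resetVolatilePinRetryCounter() {
        this.volatilePinRetryCounter = MAX_VOLATILE_PIN_RETRIES;
    }

    public final boolean isClientPINReady() {
        return this.authenticatorPropertyStore.loadClientPIN() != null;
    }

    /**
     * NOTE(review): the store holds the raw PIN bytes (saveClientPIN/loadClientPIN), and this
     * getter exposes them. Verification only needs LEFT(SHA-256(PIN), 16); storing just that
     * would remove the cleartext PIN from the persistent store.
     */
    @Nullable
    public final byte[] getClientPIN() {
        return this.authenticatorPropertyStore.loadClientPIN();
    }

    // ---- helpers -------------------------------------------------------------------------

    /** Timing-safe comparison for MACs and PIN hashes (Arrays.equals exits on the first mismatch). */
    private static boolean constantTimeEquals(@Nullable byte[] a, @Nullable byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    /** Compares the received 16-byte PIN hash with LEFT(SHA-256(storedPin), 16) in constant time. */
    private static boolean pinHashMatches(@NotNull byte[] receivedPinHash, @NotNull byte[] storedPin) {
        byte[] expected = Arrays.copyOf(MessageDigestUtil.createSHA256().digest(storedPin), PIN_HASH_LENGTH);
        return constantTimeEquals(expected, receivedPinHash);
    }

    /** Returns the bytes before the first NUL of a NUL-padded PIN, or null when there is no NUL. */
    @Nullable
    private static byte[] unpadPin(@NotNull byte[] padded) {
        for (int i = 0; i < padded.length; i++) {
            if (padded[i] == 0) {
                return Arrays.copyOf(padded, i);
            }
        }
        return null;
    }

    /** Length policy on the unpadded PIN bytes (assumed UTF-8; the spec's 4-character minimum is approximated in bytes). */
    private static boolean isAcceptablePinLength(@NotNull byte[] pin) {
        return pin.length >= MIN_PIN_LENGTH && pin.length <= MAX_PIN_LENGTH;
    }

    private static SecretKeySpec aesKey(@NotNull byte[] sharedSecret) {
        return new SecretKeySpec(sharedSecret, "AES");
    }

    private static KeyPair newKeyAgreementKey() {
        KeyPair keyPair = ECUtil.createKeyPair();
        Intrinsics.checkNotNullExpressionValue(keyPair, "createKeyPair(...)");
        return keyPair;
    }

    /** After a wrong PIN the ECDH key is discarded so the platform must negotiate a new secret. */
    private void rotateKeyAgreementKey() {
        this.authenticatorKeyAgreementKey = newKeyAgreementKey();
    }

    /** Decrements both counters ahead of verification; callers have already rejected zero values. */
    private void consumeRetryCounters() {
        savePinRetries(loadPinRetries() - 1);
        if (this.volatilePinRetryCounter > 0) {
            this.volatilePinRetryCounter--;
        }
    }

    /** Error for a wrong PIN, ordered as the spec requires: blocked, then auth-blocked, then invalid. */
    private AuthenticatorClientPINResponse failureAfterWrongPin() {
        if (loadPinRetries() == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_BLOCKED());
        }
        if (this.volatilePinRetryCounter == 0) {
            return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_AUTH_BLOCKED());
        }
        return errorResponse(CtapStatusCode.Companion.getCTAP2_ERR_PIN_INVALID());
    }

    // Kotlin UInt accessors are name-mangled in the decompiled store API; the values are plain ints.
    private int loadPinRetries() {
        return this.authenticatorPropertyStore.mo46loadPINRetriespVg5ArA();
    }

    private void savePinRetries(int retries) {
        this.authenticatorPropertyStore.mo45savePINRetriesWZ4Q5Ns(retries);
    }

    private static AuthenticatorClientPINResponse errorResponse(CtapStatusCode statusCode) {
        return new AuthenticatorClientPINResponse(statusCode);
    }

    private static AuthenticatorClientPINResponse retriesResponse(int retries) {
        return new AuthenticatorClientPINResponse(CtapStatusCode.Companion.getCTAP2_OK(), new AuthenticatorClientPINResponseData((COSEKey) null, (byte[]) null, UInt.box-impl(retries), (DefaultConstructorMarker) null));
    }

    static {
        COSEAlgorithmIdentifier algorithm = COSEAlgorithmIdentifier.create(-25L);
        Intrinsics.checkNotNullExpressionValue(algorithm, "create(...)");
        ECDH_ES_HKDF_256 = algorithm;
    }
}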
