package org.sufficientlysecure.keychain.securitytoken;

import android.content.Context;
import android.os.SystemClock;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import org.sufficientlysecure.keychain.securitytoken.KdfParameters;
import org.sufficientlysecure.keychain.securitytoken.SecurityTokenInfo;
import org.sufficientlysecure.keychain.util.Passphrase;
import timber.log.Timber;

/* loaded from: classes.dex */
public class SecurityTokenConnection {
    private static final String AID_PREFIX_FIDESMO = "A000000617";
    private static final int APDU_SW1_RESPONSE_AVAILABLE = 97;
    private static SecurityTokenConnection sCachedInstance;
    private final Passphrase cachedPin;
    private CardCapabilities cardCapabilities;
    private final OpenPgpCommandApduFactory commandFactory;
    private boolean isPw1ValidatedForOther;
    private boolean isPw1ValidatedForSignature;
    private boolean isPw3Validated;
    private KdfParameters kdfParameters;
    private OpenPgpCapabilities openPgpCapabilities;
    private SecureMessaging secureMessaging;
    private SecurityTokenInfo.TokenType tokenType;
    private final Transport transport;

    SecurityTokenConnection(Transport transport, Passphrase passphrase, OpenPgpCommandApduFactory openPgpCommandApduFactory) {
        this.transport = transport;
        this.cachedPin = passphrase;
        this.commandFactory = openPgpCommandApduFactory;
    }

    private byte[] calculateKdfIfNecessary(byte[] bArr, KdfParameters.PasswordType passwordType) throws IOException {
        KdfParameters retrieveKdfDo;
        return (this.openPgpCapabilities.isHasKdf() && (retrieveKdfDo = retrieveKdfDo()) != null && retrieveKdfDo.isHasUsesKdf()) ? KdfCalculator.calculateKdf(retrieveKdfDo.forType(passwordType), bArr) : bArr;
    }

    public static void clearCachedConnections() {
        sCachedInstance = null;
    }

    public static SecurityTokenConnection getInstanceForTransport(Transport transport, Passphrase passphrase) {
        SecurityTokenConnection securityTokenConnection = sCachedInstance;
        if (securityTokenConnection == null || !securityTokenConnection.isPersistentConnectionAllowed() || !sCachedInstance.isConnected() || !sCachedInstance.transport.equals(transport) || (passphrase != null && !passphrase.equals(sCachedInstance.cachedPin))) {
            sCachedInstance = new SecurityTokenConnection(transport, passphrase, new OpenPgpCommandApduFactory());
        }
        return sCachedInstance;
    }

    private static String parseHolderName(byte[] bArr) {
        try {
            return new String(bArr, 4, (int) bArr[3]).replace('<', ' ');
        } catch (IndexOutOfBoundsException e2) {
            Timber.e(e2, "Couldn't get holder name, returning empty string!", new Object[0]);
            return "";
        }
    }

    private ResponseApdu readChainedResponseIfAvailable(ResponseApdu responseApdu) throws IOException {
        if (responseApdu.getSw1() != 97) {
            return responseApdu;
        }
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        byteArrayOutputStream.write(responseApdu.getData());
        do {
            responseApdu = this.transport.transceive(this.commandFactory.createGetResponseCommand(responseApdu.getSw2()));
            byteArrayOutputStream.write(responseApdu.getData());
        } while (responseApdu.getSw1() == 97);
        byteArrayOutputStream.write(responseApdu.getSw1());
        byteArrayOutputStream.write(responseApdu.getSw2());
        return ResponseApdu.fromBytes(byteArrayOutputStream.toByteArray());
    }

    private byte[] readData(int i2, int i3) throws IOException {
        ResponseApdu communicate = communicate(this.commandFactory.createGetDataCommand(i2, i3));
        if (communicate.isSuccess()) {
            return communicate.getData();
        }
        throw new CardException("Failed to get pw status bytes", communicate.getSw());
    }

    private String readUrl() throws IOException {
        return new String(readData(95, 80)).trim();
    }

    private byte[] readUserId() throws IOException {
        return readData(0, 101);
    }

    private KdfParameters retrieveKdfDo() throws IOException {
        KdfParameters kdfParameters = this.kdfParameters;
        if (kdfParameters != null) {
            return kdfParameters;
        }
        ResponseApdu communicate = communicate(this.commandFactory.createGetDataCommand(0, 249));
        if (!communicate.isSuccess()) {
            throw new CardException("Couldn't get KDF.DO!", communicate.getSw());
        }
        byte[] data = communicate.getData();
        if (data.length == 0) {
            return null;
        }
        KdfParameters fromKdfDo = KdfParameters.fromKdfDo(data);
        this.kdfParameters = fromKdfDo;
        return fromKdfDo;
    }

    private ResponseApdu smDecryptIfAvailable(ResponseApdu responseApdu) throws IOException {
        SecureMessaging secureMessaging = this.secureMessaging;
        if (secureMessaging == null || !secureMessaging.isEstablished()) {
            return responseApdu;
        }
        try {
            return this.secureMessaging.verifyAndDecrypt(responseApdu);
        } catch (SecureMessagingException e2) {
            clearSecureMessaging();
            throw new IOException("secure messaging verify/decrypt failure : " + e2.getMessage());
        }
    }

    private CommandApdu smEncryptIfAvailable(CommandApdu commandApdu) throws IOException {
        SecureMessaging secureMessaging = this.secureMessaging;
        if (secureMessaging == null || !secureMessaging.isEstablished()) {
            return commandApdu;
        }
        try {
            return this.secureMessaging.encryptAndSign(commandApdu);
        } catch (SecureMessagingException e2) {
            clearSecureMessaging();
            throw new IOException("secure messaging encrypt/sign failure : " + e2.getMessage());
        }
    }

    private void smEstablishIfAvailable(Context context) throws IOException {
        if (this.openPgpCapabilities.isHasScp11bSm()) {
            try {
                long elapsedRealtime = SystemClock.elapsedRealtime();
                this.secureMessaging = SCP11bSecureMessaging.establish(this, context, this.commandFactory);
                Timber.d("Established Secure Messaging in %d ms", Long.valueOf(SystemClock.elapsedRealtime() - elapsedRealtime));
            } catch (SecureMessagingException e2) {
                this.secureMessaging = null;
                Timber.e(e2, "failed to establish secure messaging", new Object[0]);
            }
        }
    }

    private ResponseApdu transceiveWithChaining(CommandApdu commandApdu) throws IOException {
        if (this.cardCapabilities.hasExtended()) {
            return this.transport.transceive(commandApdu);
        }
        if (this.commandFactory.isSuitableForShortApdu(commandApdu)) {
            return this.transport.transceive(this.commandFactory.createShortApdu(commandApdu));
        }
        if (!this.cardCapabilities.hasChaining()) {
            throw new IOException("Command too long, and chaining unavailable");
        }
        List<CommandApdu> createChainedApdus = this.commandFactory.createChainedApdus(commandApdu);
        int size = createChainedApdus.size();
        ResponseApdu responseApdu = null;
        int i2 = 0;
        while (i2 < size) {
            responseApdu = this.transport.transceive(createChainedApdus.get(i2));
            int i3 = size - 1;
            if (!(i2 == i3) && !responseApdu.isSuccess()) {
                throw new IOException("Failed to chain apdu (" + i2 + "/" + i3 + ", last SW: " + responseApdu.getSw() + ")");
            }
            i2++;
        }
        if (responseApdu != null) {
            return responseApdu;
        }
        throw new IllegalStateException();
    }

    public void clearSecureMessaging() {
        SecureMessaging secureMessaging = this.secureMessaging;
        if (secureMessaging != null) {
            secureMessaging.clearSession();
        }
        this.secureMessaging = null;
    }

    public ResponseApdu communicate(CommandApdu commandApdu) throws IOException {
        return smDecryptIfAvailable(readChainedResponseIfAvailable(transceiveWithChaining(smEncryptIfAvailable(commandApdu))));
    }

    public void connectIfNecessary(Context context) throws IOException {
        if (isConnected()) {
            refreshConnectionCapabilities();
        } else {
            connectToDevice(context);
        }
    }

    void connectToDevice(Context context) throws IOException {
        try {
            this.transport.connect();
            this.cardCapabilities = new CardCapabilities();
            determineTokenType();
            ResponseApdu communicate = communicate(this.commandFactory.createSelectFileOpenPgpCommand());
            if (!communicate.isSuccess()) {
                throw new CardException("Initialization failed!", communicate.getSw());
            }
            refreshConnectionCapabilities();
            this.isPw1ValidatedForSignature = false;
            this.isPw1ValidatedForOther = false;
            this.isPw3Validated = false;
            smEstablishIfAvailable(context);
        } catch (IOException e2) {
            this.transport.release();
            throw e2;
        }
    }

    void determineTokenType() throws IOException {
        SecurityTokenInfo.TokenType tokenTypeIfAvailable = this.transport.getTokenTypeIfAvailable();
        this.tokenType = tokenTypeIfAvailable;
        if (tokenTypeIfAvailable != null) {
            return;
        }
        if (communicate(this.commandFactory.createSelectFileCommand(AID_PREFIX_FIDESMO)).isSuccess()) {
            this.tokenType = SecurityTokenInfo.TokenType.FIDESMO;
        } else {
            this.tokenType = SecurityTokenInfo.TokenType.UNKNOWN;
        }
    }

    public OpenPgpCommandApduFactory getCommandFactory() {
        return this.commandFactory;
    }

    public OpenPgpCapabilities getOpenPgpCapabilities() {
        return this.openPgpCapabilities;
    }

    public SecurityTokenInfo.TokenType getTokenType() {
        return this.tokenType;
    }

    public void invalidatePw3() {
        this.isPw3Validated = false;
    }

    public void invalidateSingleUsePw1() {
        if (this.openPgpCapabilities.isPw1ValidForMultipleSignatures()) {
            return;
        }
        this.isPw1ValidatedForSignature = false;
    }

    public boolean isConnected() {
        return this.transport.isConnected();
    }

    public boolean isPersistentConnectionAllowed() {
        SecureMessaging secureMessaging;
        return this.transport.isPersistentConnectionAllowed() && ((secureMessaging = this.secureMessaging) == null || !secureMessaging.isEstablished());
    }

    public SecurityTokenInfo readTokenInfo() throws IOException {
        return SecurityTokenInfo.create(this.transport.getTransportType(), this.tokenType, new byte[][]{this.openPgpCapabilities.getFingerprintSign(), this.openPgpCapabilities.getFingerprintEncrypt(), this.openPgpCapabilities.getFingerprintAuth()}, this.openPgpCapabilities.getAid(), parseHolderName(readUserId()), readUrl(), this.openPgpCapabilities.getPw1TriesLeft(), this.openPgpCapabilities.getPw3TriesLeft(), this.cardCapabilities.hasLifeCycleManagement());
    }

    public void refreshConnectionCapabilities() throws IOException {
        setConnectionCapabilities(OpenPgpCapabilities.fromBytes(readData(0, 110)));
    }

    void setConnectionCapabilities(OpenPgpCapabilities openPgpCapabilities) throws IOException {
        this.openPgpCapabilities = openPgpCapabilities;
        this.cardCapabilities = new CardCapabilities(openPgpCapabilities.getHistoricalBytes(), this.tokenType);
    }

    public void verifyAdminPin(Passphrase passphrase) throws IOException {
        if (this.isPw3Validated) {
            return;
        }
        byte[] bytes = passphrase.toStringUnsafe().getBytes();
        byte[] calculateKdfIfNecessary = calculateKdfIfNecessary(bytes, KdfParameters.PasswordType.PW3);
        CommandApdu createVerifyPw3Command = this.commandFactory.createVerifyPw3Command(calculateKdfIfNecessary);
        Arrays.fill(bytes, (byte) 0);
        Arrays.fill(calculateKdfIfNecessary, (byte) 0);
        ResponseApdu communicate = communicate(createVerifyPw3Command);
        if (!communicate.isSuccess()) {
            throw new CardException("Bad PIN!", communicate.getSw());
        }
        this.isPw3Validated = true;
    }

    public void verifyPinForOther() throws IOException {
        if (this.isPw1ValidatedForOther) {
            return;
        }
        Passphrase passphrase = this.cachedPin;
        if (passphrase == null) {
            throw new IllegalStateException("Connection not initialized with Pin!");
        }
        byte[] bytes = passphrase.toStringUnsafe().getBytes();
        byte[] calculateKdfIfNecessary = calculateKdfIfNecessary(bytes, KdfParameters.PasswordType.PW1);
        CommandApdu createVerifyPw1ForOtherCommand = this.commandFactory.createVerifyPw1ForOtherCommand(calculateKdfIfNecessary);
        Arrays.fill(bytes, (byte) 0);
        Arrays.fill(calculateKdfIfNecessary, (byte) 0);
        ResponseApdu communicate = communicate(createVerifyPw1ForOtherCommand);
        if (!communicate.isSuccess()) {
            throw new CardException("Bad PIN!", communicate.getSw());
        }
        this.isPw1ValidatedForOther = true;
    }

    public void verifyPinForSignature() throws IOException {
        if (this.isPw1ValidatedForSignature) {
            return;
        }
        Passphrase passphrase = this.cachedPin;
        if (passphrase == null) {
            throw new IllegalStateException("Connection not initialized with Pin!");
        }
        byte[] bytes = passphrase.toStringUnsafe().getBytes();
        byte[] calculateKdfIfNecessary = calculateKdfIfNecessary(bytes, KdfParameters.PasswordType.PW1);
        CommandApdu createVerifyPw1ForSignatureCommand = this.commandFactory.createVerifyPw1ForSignatureCommand(calculateKdfIfNecessary);
        Arrays.fill(bytes, (byte) 0);
        Arrays.fill(calculateKdfIfNecessary, (byte) 0);
        ResponseApdu communicate = communicate(createVerifyPw1ForSignatureCommand);
        if (!communicate.isSuccess()) {
            throw new CardException("Bad PIN!", communicate.getSw());
        }
        this.isPw1ValidatedForSignature = true;
    }
}
