package com.assaabloy.seos.access.commands;

import com.assaabloy.seos.access.auth.AsymmetricAuthenticationKeyset;
import com.assaabloy.seos.access.crypto.EncryptionAlgorithm;
import com.assaabloy.seos.access.crypto.InvalidSignatureException;
import com.assaabloy.seos.access.crypto.KeyDerivationResult;
import com.assaabloy.seos.access.crypto.SessionEstablishmentResult;
import com.assaabloy.seos.access.crypto.SymmetricKey;
import com.assaabloy.seos.access.domain.AkeCertificate;
import com.assaabloy.seos.access.internal.util.DataValidator;
import com.assaabloy.seos.access.internal.util.FluentOutputStream;
import com.assaabloy.seos.access.internal.util.HexUtils;
import com.assaabloy.seos.access.util.SeosConstants;
import com.assaabloy.seos.access.util.SeosException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Map;
import jjjjjj.qxqqqx;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes.dex */
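/**
 * Base class for the AKE commands in this package (decompiled source; some identifiers are obfuscated).
 *
 * <p>It builds the data object carrying the terminal's ephemeral public key and turns the two
 * values returned by the card into a {@link SessionEstablishmentResult}. The exchange uses two
 * key derivations: one from the terminal static key, whose keys only unwrap the card certificate,
 * and one from the terminal ephemeral key, whose keys become the session keys.
 *
 * <p>NOTE(review): the key-agreement and KDF primitives live in classes that are not visible here;
 * comments below describe only what this class passes to them.
 */
public abstract class AkeCommandBase<T> implements Command<T> {
    // Two-byte constant mixed into every derivation context and into the final CMAC input.
    static final byte[] ALGORITHM_CONSTANT = HexUtils.toBytes("0909");
    static final byte CERTIFICATE_TAG = -96; // 0xA0
    static final byte ENCRYPTED_CERT_TAG = Byte.MIN_VALUE; // 0x80
    private static final byte ENC_LABEL = 4;
    // Number of leading X-coordinate bytes used to identify a public key in the derivation context.
    static final int IDENTITY_LENGTH = 8;
    static final byte K0_LABEL = 0;
    private static final byte K1_LABEL = 1;
    private static final byte K2_LABEL = 2;
    private static final byte KEK_ENC_LABEL = 5;
    private static final byte KEK_MAC_LABEL = 7;
    private static final byte MAC_LABEL = 6;
    private static final int PUBLIC_KEY_ENCODED_LENGTH = 65;
    private static final byte PUBLIC_KEY_ENCODING = 4;
    private static final byte PUBLIC_KEY_TAG = -127; // 0x81
    private final AsymmetricAuthenticationKeyset asymmetricAuthenticationKeyset;
    private final boolean useDynamicKek;

    /**
     * Creates the command base.
     *
     * @param asymmetricAuthenticationKeyset keyset holding the terminal static and ephemeral keys
     *     and the card root public key; must not be null
     * @param z whether the two KEK keys (labels 5 and 7) are derived in addition to the
     *     encryption and MAC session keys
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AkeCommandBase(AsymmetricAuthenticationKeyset asymmetricAuthenticationKeyset, boolean z) {
        DataValidator.notNull(asymmetricAuthenticationKeyset, "akeGenesisKeyset");
        this.asymmetricAuthenticationKeyset = asymmetricAuthenticationKeyset;
        this.useDynamicKek = z;
    }

    /**
     * Destroys every key in a derivation result so the key material does not outlive its use.
     */
    private static void destroyAll(Map<Byte, SymmetricKey> keys) {
        for (SymmetricKey key : keys.values()) {
            key.destroy();
        }
    }

    /**
     * Decrypts the card certificate and parses it against the card root public key.
     *
     * @param symmetricKey key used to decrypt the certificate
     * @param bArr encrypted certificate bytes
     * @return the parsed certificate
     * @throws InvalidSignatureException declared by {@code AkeCertificate.parse}; presumably raised
     *     when the certificate does not verify under the card root key (confirm in AkeCertificate)
     */
    private AkeCertificate decryptCertificate(SymmetricKey symmetricKey, byte[] bArr) throws InvalidSignatureException {
        // All-zero 16-byte IV. NOTE(review): a constant IV is only acceptable while the key is used
        // for a single message; parseResponse derives this key per exchange and destroys it afterwards.
        // The meaning of the trailing boolean is defined by SymmetricKey.decrypt and is not visible here.
        byte[] plainCertificate = symmetricKey.decrypt(bArr, new byte[16], true);
        return AkeCertificate.parse(plainCertificate, this.asymmetricAuthenticationKeyset.cardRootPublicKey());
    }

    /**
     * Returns the keyset this command was constructed with.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AsymmetricAuthenticationKeyset authenticationKeyset() {
        return this.asymmetricAuthenticationKeyset;
    }

    /**
     * Encrypts certificate bytes with the given key.
     *
     * @param symmetricKey key to encrypt with
     * @param bArr certificate bytes to encrypt
     * @return the ciphertext produced by {@code SymmetricKey.encrypt}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public byte[] encryptCertificate(SymmetricKey symmetricKey, byte[] bArr) {
        // All-zero 16-byte IV: callers must not reuse symmetricKey for a second message,
        // otherwise equal plaintext prefixes become visible in the ciphertext.
        return symmetricKey.encrypt(bArr, new byte[16], true);
    }

    /**
     * Builds the data object for the terminal's ephemeral public key:
     * tag 0x81, length 65, then 0x04 followed by the X and Y coordinates.
     *
     * @return the stream holding the encoded key, so callers can keep appending to it
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public FluentOutputStream ephemeralPublicKey() {
        return new FluentOutputStream()
                .write(PUBLIC_KEY_TAG)
                .writeLength(PUBLIC_KEY_ENCODED_LENGTH)
                .write(PUBLIC_KEY_ENCODING)
                .write(this.asymmetricAuthenticationKeyset.terminalEphemeralKey().getX())
                .write(this.asymmetricAuthenticationKeyset.terminalEphemeralKey().getY());
    }

    /**
     * Derives the session keys from the card's response.
     *
     * <p>Steps: derive K1/K2 from the terminal static key and {@code bArr}; compute a CMAC with K2
     * over one zero byte; decrypt and parse the card certificate with K1; derive the session keys
     * from the terminal ephemeral key and the certificate's public point; compute a CMAC with the
     * MAC session key over the exchange context and the Seos root OID.
     *
     * @param bArr value passed to the first key derivation; bytes 1..8 are used as the card-side
     *     identity (presumably an uncompressed public point, 0x04 || X || Y; confirm against callers)
     * @param bArr2 encrypted card certificate
     * @return the AES-128 session result; the KEK keys are null when dynamic KEK is disabled,
     *     because their labels are then not requested from the derivation
     * @throws InvalidSignatureException if parsing the decrypted certificate reports it
     * @throws IllegalArgumentException if {@code bArr} is shorter than 9 bytes
     */
    SessionEstablishmentResult parseResponse(byte[] bArr, byte[] bArr2) throws InvalidSignatureException {
        byte[] terminalEphemeralId = Arrays.copyOf(this.asymmetricAuthenticationKeyset.terminalEphemeralKey().getX(), IDENTITY_LENGTH);
        byte[] terminalStaticId = Arrays.copyOf(this.asymmetricAuthenticationKeyset.terminalStaticKey().getX(), IDENTITY_LENGTH);
        // Arrays.copyOfRange zero-pads when the source is too short, which would let a truncated
        // value silently contribute a partly-zero identity to the derivation context. Reject it.
        if (bArr.length < 1 + IDENTITY_LENGTH) {
            throw new IllegalArgumentException("bArr must hold at least " + (1 + IDENTITY_LENGTH) + " bytes, got " + bArr.length);
        }
        byte[] cardId = Arrays.copyOfRange(bArr, 1, 1 + IDENTITY_LENGTH);

        Map<Byte, SymmetricKey> intermediateKeys = this.asymmetricAuthenticationKeyset.terminalStaticKey().deriveKeys(
                bArr,
                new FluentOutputStream().write(ALGORITHM_CONSTANT).write(terminalStaticId).write(cardId).toByteArray(),
                K1_LABEL,
                K2_LABEL);
        byte[] k2Mac;
        AkeCertificate cardCertificate;
        try {
            k2Mac = intermediateKeys.get(K2_LABEL).cmac(new byte[1]);
            cardCertificate = decryptCertificate(intermediateKeys.get(K1_LABEL), bArr2);
        } finally {
            // K1/K2 are needed only for the two calls above. Destroying them in finally also covers
            // the failure path (for example a certificate that does not verify), where they would
            // otherwise stay in memory.
            destroyAll(intermediateKeys);
        }

        byte[] sessionLabels = this.useDynamicKek
                ? new byte[]{ENC_LABEL, MAC_LABEL, KEK_ENC_LABEL, KEK_MAC_LABEL}
                : new byte[]{ENC_LABEL, MAC_LABEL};
        Map<Byte, SymmetricKey> sessionKeys = this.asymmetricAuthenticationKeyset.terminalEphemeralKey().deriveKeys(
                cardCertificate.publicPoint(),
                new FluentOutputStream().write(ALGORITHM_CONSTANT).write(terminalStaticId).write(cardId).write(terminalEphemeralId).write(k2Mac).toByteArray(),
                sessionLabels);

        // Ownership of the session keys passes to the returned result; they are not destroyed here.
        KeyDerivationResult derivedKeys = new KeyDerivationResult(
                sessionKeys.get(ENC_LABEL),
                sessionKeys.get(MAC_LABEL),
                sessionKeys.get(KEK_ENC_LABEL),
                sessionKeys.get(KEK_MAC_LABEL));
        byte[] sessionMac = sessionKeys.get(MAC_LABEL).cmac(
                new FluentOutputStream().write(ALGORITHM_CONSTANT).write(terminalStaticId).write(cardId).write(terminalEphemeralId).write(SeosConstants.getSeosRootOid()).toByteArray());
        return new SessionEstablishmentResult(EncryptionAlgorithm.AES_128, derivedKeys, sessionMac);
    }

    /**
     * Parses a response in which both inputs of {@link #parseResponse} are read from the response object.
     *
     * @param qxqqqxVar response object (obfuscated type; presumably a parsed tag-value structure)
     * @return the session establishment result
     * @throws SeosException wrapping any exception raised while reading or processing the response
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SessionEstablishmentResult parseResponseNoPrivacy(qxqqqx qxqqqxVar) {
        try {
            return parseResponse(qxqqqxVar.m1432b042E042E042E042E(qxqqqx.f1262b043F043F043F), qxqqqxVar.m1432b042E042E042E042E(qxqqqx.f1253b043F043F043F043F043F));
        } catch (Exception e) {
            // Every failure, including a rejected certificate, surfaces as SeosException with its cause.
            throw new SeosException(e);
        }
    }

    /**
     * Parses a response in which the first input of {@link #parseResponse} is supplied by the
     * caller and only the encrypted certificate is read from the response object.
     *
     * @param bArr first input of {@link #parseResponse}, obtained by the caller
     * @param qxqqqxVar response object (obfuscated type) holding the encrypted certificate
     * @return the session establishment result
     * @throws SeosException wrapping any exception raised while reading or processing the response
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SessionEstablishmentResult parseResponseWithPrivacy(byte[] bArr, qxqqqx qxqqqxVar) {
        try {
            return parseResponse(bArr, qxqqqxVar.m1432b042E042E042E042E(qxqqqx.f1253b043F043F043F043F043F));
        } catch (Exception e) {
            // Every failure, including a rejected certificate, surfaces as SeosException with its cause.
            throw new SeosException(e);
        }
    }

    /**
     * Reports that this command does not support secure messaging.
     *
     * @return always {@code false}
     */
    @Override // com.assaabloy.seos.access.commands.Command
    public boolean supportsSecureMessaging() {
        return false;
    }
}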
