package de.authada.eid.core.authentication.paos;

import de.authada.eid.card.api.ByteArray;
import de.authada.eid.card.api.ImmutableByteArray;
import de.authada.eid.card.asn1.CVCertificate;
import de.authada.eid.card.asn1.CertificateHolderAuthorizationTemplate;
import de.authada.eid.card.asn1.pace.UserSecretType;
import de.authada.eid.core.api.chat.AccessRights;
import de.authada.eid.core.api.chat.AccessRightsUtil;
import de.authada.eid.core.api.chat.CHAT;
import de.authada.eid.core.api.chat.CHATImpl;
import de.authada.eid.core.authentication.paos.steps.PAOSContext;
import de.authada.eid.core.callback.CallbackException;
import de.authada.eid.paos.models.Result;
import de.authada.eid.paos.models.input.EAC1InputType;
import de.authada.org.bouncycastle.asn1.eac.CertificateHolderReference;
import de.authada.org.bouncycastle.asn1.eac.CertificationAuthorityReference;
import de.authada.org.bouncycastle.crypto.Digest;
import de.authada.org.bouncycastle.tls.crypto.TlsCertificate;
import de.authada.org.bouncycastle.util.encoders.Hex;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;

/* loaded from: classes2.dex */
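/**
 * Static helpers for the PAOS authentication steps: combining and masking CHAT
 * access-right bit fields, comparing CV-certificate references, hashing, and
 * generating random identifiers.
 *
 * <p>The access-right helpers work on raw byte arrays taken from {@link ByteArray}.
 * Arrays that are modified are copied first, because this listing does not show
 * whether {@code ByteArray.getBytes()} exposes the backing array.
 */
public final class PAOSUtils {
    /** Mask of the "CAN allowed" flag within the access-rights byte at {@link #CAN_ALLOWED_BYTE_INDEX}. */
    private static final int CAN_ALLOWED_BIT = 16;
    /** Index of the access-rights byte that carries {@link #CAN_ALLOWED_BIT}. */
    private static final int CAN_ALLOWED_BYTE_INDEX = 4;
    /** Number of random bytes behind an ID from {@link #generateRandomID(SecureRandom)}. */
    private static final int RANDOM_ID_SIZE = 32;
    private static final Bm.b LOGGER = Bm.d.b(PAOSUtils.class);
    public static final Result ECARD_RESULT_OK = new Result(Result.MAJOR_OK);
    public static final Result ECARD_RESULT_ERROR_AL_UNKNOWN = new Result(Result.MAJOR_ERROR, Result.MINOR_AL_UNKNOWN);

    private PAOSUtils() {
        // Utility class: not instantiable.
    }

    /**
     * Rejects two access-right arrays of different length.
     *
     * <p>A bitwise mask over arrays of unequal length would leave the surplus bytes
     * of the longer one unfiltered, so the mismatch is treated as malformed input.
     *
     * @throws PAOSException if the lengths differ
     */
    private static void requireSameLength(byte[] first, byte[] second) {
        if (first.length != second.length) {
            throw new PAOSException("Access rights length mismatch: " + first.length + " vs " + second.length);
        }
    }

    /**
     * Rejects an access-right array too short to hold the CAN-allowed flag.
     *
     * @throws PAOSException if the array has no byte at {@link #CAN_ALLOWED_BYTE_INDEX}
     */
    private static void requireCanAllowedByte(byte[] rights) {
        if (rights.length <= CAN_ALLOWED_BYTE_INDEX) {
            throw new PAOSException("Access rights too short for CAN allowed bit: " + rights.length);
        }
    }

    /**
     * Returns a copy of the given access rights with the CAN-allowed flag set.
     *
     * @throws PAOSException if the access rights have fewer than five bytes
     */
    private static ByteArray addCANAllowedBit(ByteArray byteArray) {
        byte[] rights = byteArray.getBytes().clone();
        requireCanAllowedByte(rights);
        rights[CAN_ALLOWED_BYTE_INDEX] |= CAN_ALLOWED_BIT;
        return ImmutableByteArray.of(rights);
    }

    /**
     * Compares two certification authority references by country code, holder
     * mnemonic and sequence number.
     *
     * @return {@code true} if all three components are equal
     * @throws NullPointerException if either reference is {@code null}
     */
    public static boolean carEquals(CertificationAuthorityReference certificationAuthorityReference, CertificationAuthorityReference certificationAuthorityReference2) {
        return Objects.equals(certificationAuthorityReference2.getCountryCode(), certificationAuthorityReference.getCountryCode())
                && Objects.equals(certificationAuthorityReference2.getHolderMnemonic(), certificationAuthorityReference.getHolderMnemonic())
                && Objects.equals(certificationAuthorityReference2.getSequenceNumber(), certificationAuthorityReference.getSequenceNumber());
    }

    /**
     * Enforces, in strict CAN mode only, that the user secret type matches the
     * terminal certificate: a CAN secret requires the CAN-allowed flag in the
     * certificate CHAT, and a certificate with that flag requires a CAN secret.
     * Outside strict CAN mode this method performs no check.
     *
     * @throws PAOSException if strict CAN mode is enabled and the two disagree, or
     *     the certificate CHAT is too short to carry the flag
     */
    public static void checkCANMode(PAOSContext pAOSContext, CVCertificate cVCertificate) {
        if (!pAOSContext.getConfig().isStrictCANMode()) {
            return;
        }
        boolean canSecretUsed = pAOSContext.getUserSecretType() == UserSecretType.CAN;
        boolean canAllowedByCertificate = isCANAllowed(cVCertificate.getCvCertificateBody().getCHAT());
        if (canSecretUsed != canAllowedByCertificate) {
            throw new PAOSException("Invalid secret type for terminal certificate");
        }
    }

    /**
     * Compares a certificate holder reference with a certification authority
     * reference by country code, holder mnemonic and sequence number.
     *
     * @return {@code true} if all three components are equal
     * @throws NullPointerException if either reference is {@code null}
     */
    public static boolean chrEqualsCar(CertificateHolderReference certificateHolderReference, CertificationAuthorityReference certificationAuthorityReference) {
        return Objects.equals(certificationAuthorityReference.getCountryCode(), certificateHolderReference.getCountryCode())
                && Objects.equals(certificationAuthorityReference.getHolderMnemonic(), certificateHolderReference.getHolderMnemonic())
                && Objects.equals(certificationAuthorityReference.getSequenceNumber(), certificateHolderReference.getSequenceNumber());
    }

    /**
     * Draws {@link #RANDOM_ID_SIZE} bytes from the supplied generator and returns
     * them hex-encoded.
     *
     * @param secureRandom source of the random bytes
     * @return the hex string of the random bytes
     */
    public static String generateRandomID(SecureRandom secureRandom) {
        byte[] randomBytes = new byte[RANDOM_ID_SIZE];
        secureRandom.nextBytes(randomBytes);
        return Hex.toHexString(randomBytes);
    }

    /**
     * Builds the CHAT used for PACE from the rights confirmed through the callback.
     *
     * <p>The result combines the required rights with the optional rights selected
     * by the callback, sets the CAN-allowed flag when the user secret is a CAN, and
     * takes the role and object identifier from the terminal certificate CHAT.
     *
     * <p>NOTE(review): the CAN-allowed flag is set here without consulting the
     * certificate CHAT; {@link #checkCANMode} enforces the match only in strict CAN
     * mode. Confirm the non-strict path is intended.
     *
     * @throws CallbackException if the callback does not return a {@link CHATImpl}
     * @throws PAOSException if the access rights are too short to carry the CAN flag
     */
    public static CertificateHolderAuthorizationTemplate getAccessRightsForPACE(PAOSContext pAOSContext, CVCertificate cVCertificate) {
        CHAT callbackChat = pAOSContext.getCallbackHelper().accessRightsRequired();
        if (!(callbackChat instanceof CHATImpl)) {
            throw new CallbackException("Received invalid chat implementation");
        }
        CHATImpl selection = (CHATImpl) callbackChat;
        LOGGER.v(selection.getSelectedOptionals(), "Optional Access Rights selected by callback: {}");
        // Element type was lost in decompilation; presumably AccessRights. Confirm before adding generics.
        ArrayList requested = new ArrayList(selection.getRequiredRights());
        requested.addAll(selection.getSelectedOptionals());
        ByteArray requestedBytes = AccessRightsUtil.accessRightsToBytes(requested);
        if (pAOSContext.getUserSecretType() == UserSecretType.CAN) {
            LOGGER.r("Adding CAN bits to access rights");
            requestedBytes = addCANAllowedBit(requestedBytes);
        }
        CertificateHolderAuthorizationTemplate certificateChat = cVCertificate.getCvCertificateBody().getCHAT();
        LOGGER.r("Adding Role to chat");
        ByteArray withRole = AccessRightsUtil.copyRole(certificateChat, requestedBytes);
        LOGGER.v(Hex.toHexString(withRole.getBytes()), "Result CHAT: {}");
        return new CertificateHolderAuthorizationTemplate(certificateChat.getObjectIdentifier(), withRole);
    }

    /**
     * Returns the optional access rights with every bit cleared that is also set in
     * the required access rights, or the optional rights unchanged when no required
     * CHAT is present.
     *
     * <p>Precondition: the optional CHAT must be present. This method calls
     * {@code get()} on it without checking; the caller visible in this class checks
     * {@code isPresent()} first.
     *
     * @throws PAOSException if the optional and required access rights differ in length
     */
    public static ByteArray getFilteredOptionalAccessRights(EAC1InputType eAC1InputType) {
        ByteArray optionalRights = eAC1InputType.getOptionalChat().get().getAccessRights();
        if (!eAC1InputType.getRequiredChat().isPresent()) {
            return optionalRights;
        }
        byte[] filtered = optionalRights.getBytes().clone();
        byte[] required = eAC1InputType.getRequiredChat().get().getAccessRights().getBytes();
        // Mask every byte rather than a fixed count, so no trailing byte escapes the filter.
        requireSameLength(filtered, required);
        for (int i = 0; i < filtered.length; i++) {
            filtered[i] &= ~required[i];
        }
        return ImmutableByteArray.of(filtered);
    }

    /**
     * Determines the optional access rights to offer.
     *
     * <ul>
     *   <li>Optional CHAT present: its rights, minus the required ones, restricted
     *       to the terminal certificate CHAT.</li>
     *   <li>Only a required CHAT present: an empty list.</li>
     *   <li>Neither present: all rights of the terminal certificate CHAT.</li>
     * </ul>
     *
     * @throws PAOSException if access-right arrays that are combined differ in length
     */
    public static List<AccessRights> getOptionalAccessRights(EAC1InputType eAC1InputType, CVCertificate cVCertificate) {
        if (eAC1InputType.getOptionalChat().isPresent()) {
            LOGGER.r("Using optional chat from eac1inputtype");
            ByteArray filtered = getFilteredOptionalAccessRights(eAC1InputType);
            ByteArray certificateRights = cVCertificate.getCvCertificateBody().getCHAT().getAccessRights();
            return AccessRightsUtil.getAccessRightsList(restrictAccessRights(filtered, certificateRights));
        }
        if (eAC1InputType.getRequiredChat().isPresent()) {
            return Collections.emptyList();
        }
        LOGGER.r("No optional and no required chat is provided by eac1inputtype, using certificate chat rights as optional");
        return AccessRightsUtil.getAccessRightsList(cVCertificate.getCvCertificateBody().getCHAT().getAccessRights());
    }

    /**
     * Returns the required access rights restricted to the terminal certificate
     * CHAT, or an empty list when no required CHAT is present.
     *
     * @throws PAOSException if the required and certificate access rights differ in length
     */
    public static List<AccessRights> getRequiredAccessRights(EAC1InputType eAC1InputType, CVCertificate cVCertificate) {
        if (!eAC1InputType.getRequiredChat().isPresent()) {
            return Collections.emptyList();
        }
        LOGGER.r("Using required chat from eac1inputtype");
        ByteArray requiredRights = eAC1InputType.getRequiredChat().get().getAccessRights();
        ByteArray certificateRights = cVCertificate.getCvCertificateBody().getCHAT().getAccessRights();
        return AccessRightsUtil.getAccessRightsList(restrictAccessRights(requiredRights, certificateRights));
    }

    /**
     * Finds the single certificate whose CHAT role is {@code TERMINAL}.
     *
     * @return the terminal certificate, or {@code null} if none is present; callers
     *     must handle the {@code null} case
     * @throws PAOSException if more than one terminal certificate is present
     */
    public static CVCertificate getTerminalCertificate(Iterable<CVCertificate> iterable) {
        CVCertificate terminal = null;
        for (CVCertificate candidate : iterable) {
            if (candidate.getCvCertificateBody().getCHAT().getRole() != CertificateHolderAuthorizationTemplate.Role.TERMINAL) {
                continue;
            }
            if (terminal != null) {
                throw new PAOSException("More than one Terminal Certificate sent by the eid server");
            }
            terminal = candidate;
        }
        return terminal;
    }

    /** Hashes the bytes of the given {@link ByteArray} with the given digest. */
    public static ByteArray hash(Digest digest, ByteArray byteArray) {
        return hash(digest, byteArray.getBytes());
    }

    /**
     * Hashes the encoded form of the given TLS certificate with the given digest.
     *
     * <p>NOTE(review): upstream BouncyCastle declares {@code getEncoded()} as
     * throwing {@code IOException}; no throws clause survives in this listing.
     * Confirm when rebuilding.
     */
    public static ByteArray hash(Digest digest, TlsCertificate tlsCertificate) {
        return hash(digest, tlsCertificate.getEncoded());
    }

    /**
     * Resets the digest, feeds it the given bytes and returns the digest value.
     * The digest instance is reused and mutated by every call.
     */
    private static ByteArray hash(Digest digest, byte[] bArr) {
        digest.reset();
        digest.update(bArr, 0, bArr.length);
        byte[] out = new byte[digest.getDigestSize()];
        digest.doFinal(out, 0);
        return ImmutableByteArray.of(out);
    }

    /**
     * Hashes each certificate of the collection, in iteration order.
     *
     * @return a new mutable list with one hash per certificate
     */
    public static List<ByteArray> hash(Digest digest, Collection<TlsCertificate> collection) {
        List<ByteArray> hashes = new ArrayList<>(collection.size());
        for (TlsCertificate certificate : collection) {
            hashes.add(hash(digest, certificate));
        }
        return hashes;
    }

    /**
     * Tells whether the CAN-allowed flag is set in the given CHAT.
     *
     * @throws PAOSException if the access rights have fewer than five bytes
     */
    private static boolean isCANAllowed(CertificateHolderAuthorizationTemplate certificateHolderAuthorizationTemplate) {
        byte[] rights = certificateHolderAuthorizationTemplate.getAccessRights().getBytes();
        requireCanAllowedByte(rights);
        return (rights[CAN_ALLOWED_BYTE_INDEX] & CAN_ALLOWED_BIT) == CAN_ALLOWED_BIT;
    }

    /**
     * Restricts the requested access rights to those also present in the granting
     * bit field (bitwise AND). Within this class the granting field is always the
     * terminal certificate CHAT, so this is where rights asked for in the
     * EAC1 input are capped to what the certificate authorizes.
     *
     * @param byteArray the requested access rights
     * @param byteArray2 the access rights that may be granted at most
     * @return a new {@link ByteArray} holding the intersection
     * @throws PAOSException if the two bit fields differ in length; masking only a
     *     common prefix would leave surplus requested bytes unrestricted
     */
    public static ByteArray restrictAccessRights(ByteArray byteArray, ByteArray byteArray2) {
        byte[] restricted = byteArray.getBytes().clone();
        byte[] granted = byteArray2.getBytes();
        requireSameLength(restricted, granted);
        for (int i = 0; i < restricted.length; i++) {
            restricted[i] &= granted[i];
        }
        return ImmutableByteArray.of(restricted);
    }
}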
