package com.yubico.yubikit.fido.ctap;

import android.util.Pair;
import com.yubico.yubikit.core.application.CommandException;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;

/* loaded from: classes3.dex */
public class ClientPin {
    private static final byte CMD_CHANGE_PIN = 4;
    private static final byte CMD_GET_KEY_AGREEMENT = 2;
    private static final byte CMD_GET_PIN_TOKEN = 5;
    private static final byte CMD_GET_RETRIES = 1;
    private static final byte CMD_SET_PIN = 3;
    private static final int MAX_PIN_LEN = 63;
    private static final int MIN_PIN_LEN = 4;
    private static final int PIN_BUFFER_LEN = 64;
    private static final int PIN_HASH_LEN = 16;
    private static final int RESULT_KEY_AGREEMENT = 1;
    private static final int RESULT_PIN_TOKEN = 2;
    private static final int RESULT_RETRIES = 3;
    private final Ctap2Session ctap;
    private final PinUvAuthProtocol pinUvAuth;

    public ClientPin(Ctap2Session ctap2Session, PinUvAuthProtocol pinUvAuthProtocol) {
        this.ctap = ctap2Session;
        this.pinUvAuth = pinUvAuthProtocol;
    }

    private Pair<Map<Integer, ?>, byte[]> getSharedSecret() throws IOException, CommandException {
        return this.pinUvAuth.encapsulate((Map) Objects.requireNonNull((Map) this.ctap.clientPin(this.pinUvAuth.getVersion(), (byte) 2, null, null, null, null).get(1)));
    }

    static byte[] preparePin(char[] cArr, boolean z) {
        if (cArr.length < 4) {
            throw new IllegalArgumentException("PIN must be at least 4 characters");
        }
        ByteBuffer encode = StandardCharsets.UTF_8.encode(CharBuffer.wrap(cArr));
        try {
            int limit = encode.limit() - encode.position();
            if (limit > 63) {
                throw new IllegalArgumentException("PIN must be no more than 63 bytes");
            }
            byte[] bArr = new byte[z ? 64 : limit];
            System.arraycopy(encode.array(), encode.position(), bArr, 0, limit);
            return bArr;
        } finally {
            Arrays.fill(encode.array(), (byte) 0);
        }
    }

    public void changePin(char[] cArr, char[] cArr2) throws IOException, CommandException {
        byte[] preparePin = preparePin(cArr2, true);
        Pair<Map<Integer, ?>, byte[]> sharedSecret = getSharedSecret();
        try {
            byte[] encrypt = this.pinUvAuth.encrypt((byte[]) sharedSecret.second, Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(preparePin(cArr, false)), 16));
            byte[] encrypt2 = this.pinUvAuth.encrypt((byte[]) sharedSecret.second, preparePin);
            this.ctap.clientPin(this.pinUvAuth.getVersion(), (byte) 4, (Map) sharedSecret.first, this.pinUvAuth.authenticate((byte[]) sharedSecret.second, ByteBuffer.allocate(encrypt2.length + encrypt.length).put(encrypt2).put(encrypt).array()), encrypt2, encrypt);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public int getPinRetries() throws IOException, CommandException {
        return ((Integer) Objects.requireNonNull((Integer) this.ctap.clientPin(this.pinUvAuth.getVersion(), (byte) 1, null, null, null, null).get(3))).intValue();
    }

    public byte[] getPinToken(char[] cArr) throws IOException, CommandException {
        Pair<Map<Integer, ?>, byte[]> sharedSecret = getSharedSecret();
        try {
            return this.pinUvAuth.decrypt((byte[]) sharedSecret.second, (byte[]) this.ctap.clientPin(this.pinUvAuth.getVersion(), (byte) 5, (Map) sharedSecret.first, null, null, this.pinUvAuth.encrypt((byte[]) sharedSecret.second, Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(preparePin(cArr, false)), 16))).get(2));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public PinUvAuthProtocol getPinUvAuth() {
        return this.pinUvAuth;
    }

    public void setPin(char[] cArr) throws IOException, CommandException {
        Pair<Map<Integer, ?>, byte[]> sharedSecret = getSharedSecret();
        byte[] encrypt = this.pinUvAuth.encrypt((byte[]) sharedSecret.second, preparePin(cArr, true));
        this.ctap.clientPin(this.pinUvAuth.getVersion(), (byte) 3, (Map) sharedSecret.first, this.pinUvAuth.authenticate((byte[]) sharedSecret.second, encrypt), encrypt, null);
    }
}
