package com.alipay.android.phone.seauthenticator.iotauth.digitalkey.etc;

import android.text.TextUtils;
import android.util.Base64;
import com.alibaba.fastjson.JSONObject;
import com.alipay.android.iot.security.api.IotSecurity;
import com.alipay.android.iot.security.api.crypto.EC_CURVE;
import com.alipay.android.iot.security.api.crypto.KeyPair;
import com.alipay.android.iot.security.api.crypto.MD;
import com.alipay.android.iot.security.api.crypto.PKI_ALGORITHM;
import com.alipay.android.phone.seauthenticator.iotauth.did.SecurityGuardHelper;
import com.alipay.android.phone.seauthenticator.iotauth.digitalkey.DkConstants;
import com.alipay.android.phone.seauthenticator.iotauth.digitalkey.SecurityCmdEntry;
import com.alipay.android.phone.seauthenticator.iotauth.digitalkey.db.DigitalKey;
import com.alipay.android.phone.seauthenticator.iotauth.digitalkey.utils.TimeUtils;
import com.alipay.dexaop.DexAOPEntry;
import com.alipay.fido.message.ByteUtils;
import com.alipay.mobile.framework.MpaasClassInfo;
import com.alipay.mobile.security.bio.utils.DESCoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import kotlin.jvm.internal.ByteCompanionObject;

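/**
 * Challenge/response authenticator for the ETC digital-key flow (decompiled listing).
 *
 * <p>Two 16-byte secrets (a root key and a DID key) are read as 32-character hex strings
 * from {@link SecurityGuardHelper}. Working keys are derived from the root key with the
 * {@link #pboc} diversification step; responses are protected with 3DES-ECB and a 4-byte
 * DES/3DES CBC-MAC (see {@link #mac}).
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The primitives are legacy: two-key 3DES (64-bit block), ECB mode, and a MAC
 *       truncated to 32 bits. Presumably these are fixed by the card/ETC protocol the
 *       peer speaks; they should not be reused for anything new.</li>
 *   <li>Challenges are single-use after a successful {@link #authConfirm} and expire after
 *       ten minutes.</li>
 *   <li>NOTE(review): {@code challenges} is a plain {@link HashMap} reached from static
 *       methods; if callers can invoke them from several threads it needs external
 *       synchronisation — confirm against the call sites.</li>
 * </ul>
 */
@MpaasClassInfo(BundleName = "android-phone-secauthenticator-iotauth", ExportJarName = "unknown", Level = "product", Product = ":android-phone-secauthenticator-iotauth")
/* loaded from: classes9.dex */
public class ETCAuthenticator {
    // Storage aliases passed to SecurityGuardHelper.
    private static final String DID_KEY = "iotauth_etc_didKey";
    private static final String DK_ROOT_KEY = "DkSyncRootKey";
    private static final String KEY_HASH = "iotauth_etc_keyHash";
    private static final String ROOT_KEY = "iotauth_etc_rootKey";
    private static final String SESSION_PUB = "iotauth_etc_sessionPub";
    private static final String SYNC_PRI_KEY = "iotauth_etc_syncPriKey";
    private static final SecureRandom random = new SecureRandom();
    // Outstanding challenges, keyed by the identifier string exactly as the caller passed it.
    private static final Map<String, Challenge> challenges = new HashMap<>();

    /** An 8-byte challenge together with the server-time instant after which it is rejected. */
    @MpaasClassInfo(BundleName = "android-phone-secauthenticator-iotauth", ExportJarName = "unknown", Level = "product", Product = ":android-phone-secauthenticator-iotauth")
    /* loaded from: classes9.dex */
    static class Challenge {
        // Ten minutes, in milliseconds.
        private static final long PERIOD_OF_VALIDITY = 600000;
        final byte[] data;
        final long expiredTime;

        private Challenge(byte[] bArr) {
            this.expiredTime = TimeUtils.getServerTime() + PERIOD_OF_VALIDITY;
            this.data = bArr;
        }

        /** Returns true while the challenge has not expired and still holds exactly 8 bytes. */
        boolean isValid() {
            return TimeUtils.getServerTime() <= this.expiredTime && this.data != null && this.data.length == 8;
        }
    }

    /**
     * Starts an authentication round: issues a fresh 8-byte challenge for the given identifier
     * and returns it encrypted, followed by a 4-byte MAC.
     *
     * @param str  hex identifier, 16 bytes once decoded; its trailing check characters must
     *             pass {@link #checkDid}
     * @param str2 hex value, 8 bytes once decoded; used as key-diversification input and as
     *             the first half of the MAC input (presumably the peer's random — confirm)
     * @return JSON with {@code code}: 0 success (with {@code data} = hex ciphertext + hex MAC),
     *         1 stored keys missing or malformed, 2 input rejected, 3 unexpected failure
     */
    public static JSONObject auth(String str, String str2) {
        JSONObject jSONObject = new JSONObject();
        byte[] rootKey = getRootKey();
        byte[] didKey = getDidKey();
        if (rootKey == null || rootKey.length != 16 || didKey == null || didKey.length != 16) {
            jSONObject.put("code", (Object) 1);
            return jSONObject;
        }
        try {
            byte[] idBytes = ByteUtils.hexToBytes(str);
            byte[] peerValue = ByteUtils.hexToBytes(str2);
            if (idBytes.length != 16 || peerValue.length != 8 || !checkDid(didKey, idBytes)) {
                jSONObject.put("code", (Object) 2);
                return jSONObject;
            }
            // nextBytes() is the intended way to draw random output; generateSeed() is meant
            // for seeding other generators.
            byte[] challengeBytes = new byte[8];
            random.nextBytes(challengeBytes);
            byte[] workingKey = pboc(pboc(rootKey, Arrays.copyOfRange(idBytes, 0, 8)), peerValue);
            byte[] macInput = ByteUtils.hexToBytes(ByteUtils.toHexString(peerValue) + ByteUtils.toHexString(challengeBytes));
            String response = ByteUtils.toHexString(desEdeEcb(Cipher.ENCRYPT_MODE, workingKey, challengeBytes)) + ByteUtils.toHexString(mac(workingKey, challengeBytes, macInput));
            // Register the challenge only once the request has been validated and the response
            // built. Storing it up front let any caller-supplied string grow the map and left a
            // live challenge behind for requests that were rejected.
            challenges.put(str, new Challenge(challengeBytes));
            jSONObject.put("code", (Object) 0);
            jSONObject.put("data", (Object) response);
        } catch (Throwable th) {
            // Deliberately broad: every failure (bad hex, crypto provider error) maps to code 3.
            jSONObject.put("code", (Object) 3);
        }
        return jSONObject;
    }

    /**
     * Verifies the peer's answer to a challenge previously issued by {@link #auth}.
     *
     * <p>The first 16 hex characters of {@code str2} are decrypted with a key derived from the
     * root key, the second half of the identifier and the challenge; the MAC over the decrypted
     * block and the challenge must equal the tail of {@code str2}.
     *
     * @param str  the same hex identifier that was passed to {@link #auth}
     * @param str2 hex response: 16 hex characters of ciphertext followed by the hex MAC
     * @return JSON with {@code code}: 0 verified, 1 stored keys missing or malformed,
     *         2 identifier rejected or no valid challenge, 3 MAC mismatch, 4 unexpected failure
     */
    public static JSONObject authConfirm(String str, String str2) {
        JSONObject jSONObject = new JSONObject();
        byte[] rootKey = getRootKey();
        byte[] didKey = getDidKey();
        if (rootKey == null || rootKey.length != 16 || didKey == null || didKey.length != 16) {
            jSONObject.put("code", (Object) 1);
            return jSONObject;
        }
        try {
            byte[] idBytes = ByteUtils.hexToBytes(str);
            Challenge challenge = challenges.get(str);
            if (idBytes.length != 16 || !checkDid(didKey, idBytes) || challenge == null || !challenge.isValid()) {
                if (challenge != null && !challenge.isValid()) {
                    // Expired entries were never purged before; drop them when encountered.
                    challenges.remove(str);
                }
                jSONObject.put("code", (Object) 2);
                return jSONObject;
            }
            byte[] challengeBytes = challenge.data;
            byte[] workingKey = pboc(pboc(desEdeKdf(rootKey), Arrays.copyOfRange(idBytes, 8, 16)), challengeBytes);
            byte[] decrypted = desEdeEcb(Cipher.DECRYPT_MODE, workingKey, ByteUtils.hexToBytes(str2.substring(0, 16)));
            byte[] macInput = ByteUtils.hexToBytes(ByteUtils.toHexString(decrypted) + ByteUtils.toHexString(challengeBytes));
            String expectedMac = ByteUtils.toHexString(mac(workingKey, challengeBytes, macInput));
            if (endsWithConstantTime(str2, expectedMac)) {
                // A verified challenge is consumed so the same response cannot be accepted
                // again inside the validity window.
                challenges.remove(str);
                jSONObject.put("code", (Object) 0);
            } else {
                // NOTE(review): a failed attempt leaves the challenge in place, so the 32-bit
                // MAC can be retried until expiry; consider consuming the challenge on the
                // first attempt or counting failures if callers do not rely on retries.
                jSONObject.put("code", (Object) 3);
            }
            return jSONObject;
        } catch (Throwable th) {
            // Deliberately broad: every failure (bad hex, short input, crypto error) maps to code 4.
            jSONObject.put("code", (Object) 4);
            return jSONObject;
        }
    }

    /**
     * Same accept/reject result as {@code value.endsWith(expectedSuffix)}, but the comparison
     * of the tail does not stop at the first differing character, so the time taken does not
     * reveal how much of a guessed MAC was correct.
     *
     * <p>NOTE(review): like the original check this only looks at the tail of {@code value};
     * the overall length of the response is not enforced here.
     */
    private static boolean endsWithConstantTime(String value, String expectedSuffix) {
        int offset = value.length() - expectedSuffix.length();
        if (offset < 0) {
            return false;
        }
        byte[] actual = value.substring(offset).getBytes(StandardCharsets.UTF_8);
        byte[] expected = expectedSuffix.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(actual, expected);
    }

    /**
     * Checks the identifier's embedded check value: the last 5 hex characters of the identifier
     * must equal the first 5 hex characters of SHA-256 over (first 27 hex characters of the
     * identifier + hex of the DID key).
     *
     * <p>The check value is only 20 bits wide, so it guards against malformed or mistyped
     * identifiers rather than providing strong authentication on its own.
     *
     * @param bArr  DID key bytes
     * @param bArr2 identifier bytes (16 bytes at both call sites)
     */
    private static boolean checkDid(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        String idHex = ByteUtils.toHexString(bArr2);
        String digestInput = idHex.substring(0, 27) + ByteUtils.toHexString(bArr);
        // The input is pure hex, so an explicit charset yields the same bytes as the platform default.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(digestInput.getBytes(StandardCharsets.UTF_8));
        return ByteUtils.toHexString(digest).substring(0, 5).equalsIgnoreCase(idHex.substring(27));
    }

    /**
     * Returns the cached session public-key record, creating it on first use, together with
     * the stored key hash.
     *
     * <p>On first use a secp256r1 key pair is generated, its public key is signed (SHA-256)
     * with the key read under {@code DkSyncRootKey}, the private key is stored under
     * {@code SYNC_PRI_KEY}, and the public key plus signature are cached as a JSON string.
     *
     * @return JSON with {@code code}: 0 success, 2 signing key missing or key generation
     *         failed, 3 signing failed. On success the hash field is the text {@code "null"}
     *         when either the root key or the DID key is not available.
     */
    public static JSONObject checkRootKey() {
        JSONObject jSONObject = new JSONObject();
        String sessionPub = SecurityGuardHelper.b(SESSION_PUB);
        if (TextUtils.isEmpty(sessionPub)) {
            String signingKey = SecurityGuardHelper.a(DK_ROOT_KEY);
            KeyPair keyPair = IotSecurity.getInstance().crypto().generateKeyEC(EC_CURVE.secp256r1);
            if (TextUtils.isEmpty(signingKey) || keyPair == null) {
                jSONObject.put("code", (Object) 2);
                return jSONObject;
            }
            String tripKey = SecurityCmdEntry.tripKey(keyPair.publicKey);
            byte[] sign = IotSecurity.getInstance().crypto().sign(MD.SHA256, SecurityCmdEntry.wrapPriKey(signingKey), tripKey.getBytes());
            if (sign == null) {
                jSONObject.put("code", (Object) 3);
                return jSONObject;
            }
            // NOTE(review): the result of storing the private key is not checked; if this write
            // fails while the SESSION_PUB write below succeeds, later imports have no key to
            // decrypt with. Confirm what SecurityGuardHelper.a returns here.
            SecurityGuardHelper.a(SYNC_PRI_KEY, keyPair.privateKey);
            JSONObject record = new JSONObject();
            record.put(DkConstants.SYNC_PUB, (Object) tripKey);
            record.put(DkConstants.SYNC_SIGN, (Object) Base64.encodeToString(sign, 0));
            sessionPub = record.toJSONString();
            SecurityGuardHelper.a(SESSION_PUB, sessionPub);
        }
        String keyHash = SecurityGuardHelper.b(KEY_HASH);
        if (getRootKey() == null || getDidKey() == null) {
            // Without both keys the stored hash is meaningless; report it as absent.
            keyHash = null;
        }
        jSONObject.put(DkConstants.SESSION_PUB, (Object) sessionPub);
        jSONObject.put(DigitalKey.COL_HASH, (Object) String.valueOf(keyHash));
        jSONObject.put("code", (Object) 0);
        return jSONObject;
    }

    /**
     * Runs 3DES in ECB mode without padding.
     *
     * @param i     cipher mode ({@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE})
     * @param bArr  key, at least 16 bytes; expanded by {@link #desEdeKdf}
     * @param bArr2 input; with NoPadding its length must be a multiple of 8 bytes
     */
    private static byte[] desEdeEcb(int i, byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("DESede/ECB/NoPadding");
        // DESCoder.ALGORITHM is defined outside this file; presumably "DESede" — confirm.
        cipher.init(i, new SecretKeySpec(desEdeKdf(bArr), DESCoder.ALGORITHM));
        return DexAOPEntry.javax_crypto_Cipher_doFinal_proxy(cipher, bArr2);
    }

    /**
     * Expands a 16-byte key into the 24-byte K1|K2|K1 layout (two-key 3DES). Only the first
     * 16 bytes of the input are used, so applying it to its own output gives the same result.
     */
    private static byte[] desEdeKdf(byte[] bArr) {
        byte[] expanded = new byte[24];
        System.arraycopy(bArr, 0, expanded, 0, 16);
        System.arraycopy(bArr, 0, expanded, 16, 8);
        return expanded;
    }

    /** Loads the DID key, or returns null when it is missing or unreadable. */
    private static byte[] getDidKey() {
        return loadHexKey(DID_KEY);
    }

    /** Loads the root key, or returns null when it is missing or unreadable. */
    private static byte[] getRootKey() {
        return loadHexKey(ROOT_KEY);
    }

    /**
     * Reads a 32-character hex string stored under {@code alias} and decodes it.
     * Any failure, including a wrong length, yields null.
     */
    private static byte[] loadHexKey(String alias) {
        try {
            String hex = SecurityGuardHelper.b(alias);
            if (hex == null || hex.length() != 32) {
                return null;
            }
            return ByteUtils.hexToBytes(hex);
        } catch (Throwable th) {
            // Best effort: the callers treat null as "key not provisioned".
            return null;
        }
    }

    /**
     * Imports the root key and DID key delivered encrypted to the stored sync private key.
     *
     * @param str  Base64 ciphertext of the root key (32 bytes once decrypted)
     * @param str2 Base64 ciphertext of the DID key (32 bytes once decrypted)
     * @param str3 key hash to store alongside; skipped when empty
     * @return JSON with {@code code}: 0 stored, 1 no sync private key, 2 root-key blob
     *         rejected, 3 DID-key blob rejected, 4 storing failed
     */
    public static JSONObject importRootKey(String str, String str2, String str3) {
        JSONObject jSONObject = new JSONObject();
        String syncPrivateKey = SecurityGuardHelper.b(SYNC_PRI_KEY);
        if (syncPrivateKey == null) {
            jSONObject.put("code", (Object) 1);
            return jSONObject;
        }
        // NOTE(review): Base64.decode rejects malformed input with an exception that is not
        // caught here, unlike the other entry points which map failures to a code.
        byte[] rootKeyText = IotSecurity.getInstance().crypto().decrypt(PKI_ALGORITHM.EC, syncPrivateKey, Base64.decode(str, 0));
        if (rootKeyText == null || rootKeyText.length != 32) {
            jSONObject.put("code", (Object) 2);
            return jSONObject;
        }
        byte[] didKeyText = IotSecurity.getInstance().crypto().decrypt(PKI_ALGORITHM.EC, syncPrivateKey, Base64.decode(str2, 0));
        if (didKeyText == null || didKeyText.length != 32) {
            jSONObject.put("code", (Object) 3);
            return jSONObject;
        }
        // The plaintexts are stored as text and later read back as 32 hex characters, so decode
        // them with a fixed charset instead of the platform default.
        // NOTE(review): the three writes are not atomic; a failure part-way leaves a new root
        // key next to an old DID key or hash.
        boolean stored = SecurityGuardHelper.a(ROOT_KEY, new String(rootKeyText, StandardCharsets.UTF_8))
                && SecurityGuardHelper.a(DID_KEY, new String(didKeyText, StandardCharsets.UTF_8))
                && (TextUtils.isEmpty(str3) || SecurityGuardHelper.a(KEY_HASH, str3));
        jSONObject.put("code", (Object) (stored ? 0 : 4));
        return jSONObject;
    }

    /**
     * Computes the 4-byte MAC used by {@link #auth} and {@link #authConfirm}.
     *
     * <p>The message is encrypted with single DES in CBC mode (first 8 key bytes, IV
     * {@code bArr2}); bytes 8..15 of that ciphertext then serve as the IV for a 3DES-CBC
     * encryption of the fixed block {@code 80 00 00 00 00 00 00 00}, whose first 4 bytes are
     * returned. The layout resembles a "retail MAC" with 0x80 padding — confirm against the
     * protocol specification.
     *
     * @param bArr  key, at least 16 bytes
     * @param bArr2 8-byte initial vector
     * @param bArr3 message; both call sites pass exactly 16 bytes
     */
    private static byte[] mac(byte[] bArr, byte[] bArr2, byte[] bArr3) throws GeneralSecurityException {
        byte[] singleDesKey = Arrays.copyOf(bArr, 8);
        Cipher desCbc = Cipher.getInstance("DES/CBC/NoPadding");
        desCbc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(singleDesKey, "DES"), new IvParameterSpec(bArr2));
        byte[] chainingBlock = Arrays.copyOfRange(DexAOPEntry.javax_crypto_Cipher_doFinal_proxy(desCbc, bArr3), 8, 16);
        Cipher desEdeCbc = Cipher.getInstance("DESede/CBC/NoPadding");
        desEdeCbc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(desEdeKdf(bArr), DESCoder.ALGORITHM), new IvParameterSpec(chainingBlock));
        // ByteCompanionObject.MIN_VALUE is -128, i.e. the 0x80 padding marker.
        byte[] paddingBlock = {ByteCompanionObject.MIN_VALUE, 0, 0, 0, 0, 0, 0, 0};
        return Arrays.copyOf(DexAOPEntry.javax_crypto_Cipher_doFinal_proxy(desEdeCbc, paddingBlock), 4);
    }

    /**
     * Key diversification step: encrypts the 16-byte block (data || bitwise-NOT data) with
     * 3DES-ECB under {@code bArr} and returns the 16-byte result as the derived key.
     *
     * @param bArr  parent key, at least 16 bytes
     * @param bArr2 diversification data; the first 8 bytes are used
     */
    private static byte[] pboc(byte[] bArr, byte[] bArr2) throws GeneralSecurityException {
        byte[] block = new byte[16];
        for (int i = 0; i < 8; i++) {
            block[i] = bArr2[i];
            block[i + 8] = (byte) ~bArr2[i];
        }
        return desEdeEcb(Cipher.ENCRYPT_MODE, bArr, block);
    }
}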
