package org.jmrtd;

import com.mixpanel.android.java_websocket.drafts.Draft_75;
import io.fabric.sdk.android.services.common.CommonUtils;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.logging.Logger;
import javax.crypto.Cipher;
import javax.security.auth.x500.X500Principal;
import net.sf.scuba.smartcards.CardFileInputStream;
import net.sf.scuba.smartcards.CardServiceException;
import org.jmrtd.FeatureStatus;
import org.jmrtd.VerificationStatus;
import org.jmrtd.cert.CVCPrincipal;
import org.jmrtd.cert.CardVerifiableCertificate;
import org.jmrtd.lds.ActiveAuthenticationInfo;
import org.jmrtd.lds.COMFile;
import org.jmrtd.lds.CVCAFile;
import org.jmrtd.lds.CardAccessFile;
import org.jmrtd.lds.ChipAuthenticationPublicKeyInfo;
import org.jmrtd.lds.DG14File;
import org.jmrtd.lds.DG15File;
import org.jmrtd.lds.DG1File;
import org.jmrtd.lds.LDS;
import org.jmrtd.lds.LDSFileUtil;
import org.jmrtd.lds.PACEInfo;
import org.jmrtd.lds.SODFile;
import org.spongycastle.asn1.ASN1Encodable;
import org.spongycastle.asn1.ASN1Integer;
import org.spongycastle.asn1.DERSequence;

/* loaded from: classes.dex */
public class Passport {
    // Synthetic assertion switch as rendered by the decompiler; assigned in the static initializer.
    static final /* synthetic */ boolean $assertionsDisabled;
    // Provider passed explicitly to several Signature / MessageDigest / CertPathBuilder lookups in this class.
    private static final Provider BC_PROVIDER;
    // Shared empty lists (Collections.emptyList()) used as "nothing tried / nothing found" values.
    private static final List<Certificate> EMPTY_CERTIFICATE_CHAIN;
    private static final List<BACKeySpec> EMPTY_TRIED_BAC_ENTRY_LIST;
    // NOTE(review): hard-wired to false (the name misspells "CHECKING"). getCertificateChain also calls
    // setRevocationEnabled(false) directly, so path building in this class does no revocation checking.
    private static final boolean IS_PKIX_REVOCATION_CHECING_ENABLED = false;
    private static final Logger LOGGER;
    // Private-key material held by the instance. Each of the three keys below is handed out
    // unchanged by a public getter, so any code holding a Passport reference can obtain it.
    private PrivateKey aaPrivateKey;
    private CardVerifiableCertificate cvcaCertificate;
    // File identifier used when reading the CVCA file; initialised to 284 and possibly replaced in tryToDoEAC.
    private short cvcaFID;
    // Digest instance cached by getDigest and reused for data-group hash checks.
    private MessageDigest digest;
    private PrivateKey docSigningPrivateKey;
    private PrivateKey eacPrivateKey;
    // JCA objects used by verifyAA for the EC branch; may be replaced there when the requested algorithm differs.
    private transient MessageDigest ecdsaAADigest;
    private transient Signature ecdsaAASignature;
    private FeatureStatus featureStatus;
    private LDS lds;
    // Declared as Random, but the private constructor assigns a SecureRandom.
    private Random random;
    // JCA objects used by verifyAA for the RSA branch.
    private transient Cipher rsaAACipher;
    private transient MessageDigest rsaAADigest;
    private transient Signature rsaAASignature;
    private PassportService service;
    private MRTDTrustStore trustManager;
    // Accumulates the BAC / SAC / EAC / AA / hash-table verdicts set throughout this class.
    private VerificationStatus verificationStatus;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    /**
     * Holder for a private key together with the certificate chain that belongs to it.
     *
     * <p>Both values are stored and returned by reference: the chain array is not copied on the
     * way in or out, so callers share (and can modify) the same array.
     */
    public class EACCredentials {
        private PrivateKey privateKey;
        private Certificate[] chain;

        /**
         * @param privateKey the private key to hold
         * @param certificateArr the certificate chain to hold (kept by reference)
         */
        public EACCredentials(PrivateKey privateKey, Certificate[] certificateArr) {
            chain = certificateArr;
            this.privateKey = privateKey;
        }

        /** @return the private key given at construction */
        public PrivateKey getPrivateKey() {
            return privateKey;
        }

        /** @return the same chain array that was given at construction */
        public Certificate[] getChain() {
            return chain;
        }
    }

    static {
        // Logger and crypto provider shared by every instance.
        LOGGER = Logger.getLogger("org.jmrtd");
        BC_PROVIDER = JMRTDSecurityProvider.getBouncyCastleProvider();

        // Immutable empty lists used as placeholder values.
        EMPTY_CERTIFICATE_CHAIN = Collections.emptyList();
        EMPTY_TRIED_BAC_ENTRY_LIST = Collections.emptyList();

        // Decompiler rendering of the compiler-generated assertion flag.
        $assertionsDisabled = !Passport.class.desiredAssertionStatus();
    }

    /**
     * Base initialisation chained to by the public constructors: default CVCA file id, fresh
     * status objects, a SecureRandom, and the default JCA objects for Active Authentication.
     *
     * <p>NOTE(review): the RSA defaults are SHA-1 based, and the raw RSA cipher
     * ("RSA/NONE/NoPadding") is looked up without naming a provider, unlike the two Signature
     * lookups which name BC_PROVIDER. Which provider serves the cipher therefore depends on the
     * platform's provider order — confirm on the target runtime.
     *
     * @throws GeneralSecurityException if any of the algorithm lookups fails
     */
    private Passport() throws GeneralSecurityException {
        cvcaFID = (short) 0x011C;
        featureStatus = new FeatureStatus();
        verificationStatus = new VerificationStatus();
        random = new SecureRandom();

        // RSA Active Authentication defaults.
        rsaAADigest = MessageDigest.getInstance("SHA1");
        rsaAASignature = Signature.getInstance("SHA1WithRSA/ISO9796-2", BC_PROVIDER);
        rsaAACipher = Cipher.getInstance("RSA/NONE/NoPadding");

        // ECDSA Active Authentication defaults.
        ecdsaAASignature = Signature.getInstance("SHA256withECDSA", BC_PROVIDER);
        ecdsaAADigest = MessageDigest.getInstance("SHA-256");
    }

    /**
     * Opens the document through the given service, runs the access-control steps, reads the LDS
     * files and records feature / verification verdicts as it goes.
     *
     * <p>Reviewer notes on what this constructor does and does not establish:
     * <ul>
     *   <li>Only data groups already read at that point (DG1) are hashed here; the hash-table
     *       verdict is then set to UNKNOWN, not to a success value.</li>
     *   <li>DG3 and DG4 are read only when the EAC verdict is SUCCEEDED.</li>
     *   <li>Many failures are logged and swallowed, so a constructed instance does not by itself
     *       mean that any verification step passed; callers must inspect the verification status.</li>
     * </ul>
     *
     * @param passportService card service; must not be null
     * @param mRTDTrustStore trust store; kept as trustManager and asked for its CVCA key stores
     * @param list BAC key candidates; the first entry goes to the PACE attempt, the whole list to BAC
     * @throws IllegalArgumentException if passportService is null
     * @throws CardServiceException rethrown from the service, or wrapping any other exception raised while opening
     * @throws GeneralSecurityException from the JCA lookups in the private constructor
     */
    public Passport(PassportService passportService, MRTDTrustStore mRTDTrustStore, List<BACKeySpec> list) throws CardServiceException, GeneralSecurityException {
        this();
        if (passportService == null) {
            throw new IllegalArgumentException("Service cannot be null");
        }
        this.service = passportService;
        this.trustManager = mRTDTrustStore;
        // "PACE/SAC succeeded" flag. It is only ever assigned false in this constructor, so the
        // SAC-succeeded branch further down cannot be taken as the code stands.
        boolean z = false;
        try {
            try {
                passportService.open();
                PACEInfo pACEInfo = null;
                try {
                    LOGGER.info("Inspecting card access file");
                    // File id 284 (0x011C) is read as the card access file.
                    Collection<PACEInfo> pACEInfos = new CardAccessFile(passportService.getInputStream((short) 284)).getPACEInfos();
                    LOGGER.info("DEBUG: found a card access file: paceInfos (" + (pACEInfos == null ? 0 : pACEInfos.size()) + ") = " + pACEInfos);
                    if (pACEInfos != null && pACEInfos.size() > 0) {
                        if (pACEInfos.size() > 1) {
                            LOGGER.warning("Found multiple PACEInfos " + pACEInfos.size());
                        }
                        // Only the first PACEInfo is used.
                        pACEInfo = pACEInfos.iterator().next();
                        this.featureStatus.setSAC(FeatureStatus.Verdict.PRESENT);
                    }
                } catch (Exception e) {
                    // Any failure here just means "no usable card access file"; processing continues.
                    LOGGER.info("DEBUG: failed to get card access file: " + e.getMessage());
                    e.printStackTrace();
                }
                boolean z2 = this.featureStatus.hasSAC() == FeatureStatus.Verdict.PRESENT;
                if (z2) {
                    try {
                        // A null or empty key list fails here and is handled as "PACE failed".
                        tryToDoPACE(passportService, pACEInfo, list.get(0));
                    } catch (Exception e2) {
                        e2.printStackTrace();
                        LOGGER.info("PACE failed, falling back to BAC");
                        z = false;
                    }
                }
                passportService.sendSelectApplet();
                try {
                    // Probe: if EF.COM is readable before any access control, the document is
                    // classified as not BAC-protected (unless SAC already succeeded).
                    new COMFile(passportService.getInputStream(PassportService.EF_COM));
                    if (z) {
                        this.verificationStatus.setSAC(VerificationStatus.Verdict.SUCCEEDED, "Succeeded");
                        this.featureStatus.setBAC(FeatureStatus.Verdict.UNKNOWN);
                        this.verificationStatus.setBAC(VerificationStatus.Verdict.NOT_CHECKED, "Using SAC, BAC not checked", EMPTY_TRIED_BAC_ENTRY_LIST);
                    } else {
                        this.featureStatus.setBAC(FeatureStatus.Verdict.NOT_PRESENT);
                        this.verificationStatus.setBAC(VerificationStatus.Verdict.NOT_PRESENT, "Non-BAC document", EMPTY_TRIED_BAC_ENTRY_LIST);
                    }
                } catch (Exception e3) {
                    // Any exception from the probe (not only an access-denied status) marks BAC as present.
                    LOGGER.info("Attempt to read EF.COM before BAC failed with: " + e3.getMessage());
                    this.featureStatus.setBAC(FeatureStatus.Verdict.PRESENT);
                    this.verificationStatus.setBAC(VerificationStatus.Verdict.NOT_CHECKED, "BAC document", EMPTY_TRIED_BAC_ENTRY_LIST);
                }
                // Document number: taken from the BAC key that worked, else from DG1 further down.
                String str = null;
                if ((this.featureStatus.hasBAC() == FeatureStatus.Verdict.PRESENT) && (!z2 || !z)) {
                    str = tryToDoBAC(passportService, list).getDocumentNumber();
                }
                this.lds = new LDS();
                COMFile cOMFile = null;
                SODFile sODFile = null;
                // Data group numbers whose files have already been added to the LDS.
                TreeSet treeSet = new TreeSet();
                try {
                    CardFileInputStream inputStream = passportService.getInputStream(PassportService.EF_COM);
                    this.lds.add(PassportService.EF_COM, inputStream, inputStream.getLength());
                    cOMFile = this.lds.getCOMFile();
                    CardFileInputStream inputStream2 = passportService.getInputStream(PassportService.EF_SOD);
                    this.lds.add(PassportService.EF_SOD, inputStream2, inputStream2.getLength());
                    sODFile = this.lds.getSODFile();
                    CardFileInputStream inputStream3 = passportService.getInputStream(PassportService.EF_DG1);
                    this.lds.add(PassportService.EF_DG1, inputStream3, inputStream3.getLength());
                    DG1File dG1File = this.lds.getDG1File();
                    treeSet.add(1);
                    if (str == null) {
                        str = dG1File.getMRZInfo().getDocumentNumber();
                    }
                } catch (IOException e4) {
                    // A read failure leaves whichever of cOMFile / sODFile was not reached as null.
                    e4.printStackTrace();
                    LOGGER.warning("Could not read file");
                }
                // Data group numbers the document claims to contain.
                ArrayList arrayList = new ArrayList();
                if (sODFile != null) {
                    arrayList.addAll(sODFile.getDataGroupHashes().keySet());
                } else if (cOMFile != null) {
                    // NOTE(review): with no SOd the list comes from EF.COM and there are no stored
                    // hashes to compare against; confirm callers treat this case as unverified.
                    LOGGER.warning("Failed to get DG list from EF.SOd. Getting DG list from EF.COM.");
                    arrayList.addAll(toDataGroupList(cOMFile.getTagList()));
                }
                Collections.sort(arrayList);
                LOGGER.info("Found DGs: " + arrayList);
                Map<Integer, VerificationStatus.HashMatchResult> hashResults = this.verificationStatus.getHashResults();
                hashResults = hashResults == null ? new TreeMap<>() : hashResults;
                if (sODFile != null) {
                    Map<Integer, byte[]> dataGroupHashes = sODFile.getDataGroupHashes();
                    Iterator it2 = arrayList.iterator();
                    while (it2.hasNext()) {
                        int intValue = ((Integer) it2.next()).intValue();
                        byte[] bArr = dataGroupHashes.get(Integer.valueOf(intValue));
                        if (hashResults.get(Integer.valueOf(intValue)) == null) {
                            // Already-read groups are hashed now; the rest get a placeholder
                            // holding only the stored hash (computed hash null).
                            hashResults.put(Integer.valueOf(intValue), treeSet.contains(Integer.valueOf(intValue)) ? verifyHash(intValue) : new VerificationStatus.HashMatchResult(bArr, null));
                        }
                    }
                }
                // Overall hash-table verdict is left as UNKNOWN here, keeping the existing reason text.
                this.verificationStatus.setHT(VerificationStatus.Verdict.UNKNOWN, this.verificationStatus.getHTReason(), hashResults);
                // DG14 in the list => EAC is considered present.
                if (arrayList.contains(14)) {
                    this.featureStatus.setEAC(FeatureStatus.Verdict.PRESENT);
                } else {
                    this.featureStatus.setEAC(FeatureStatus.Verdict.NOT_PRESENT);
                }
                boolean z3 = this.featureStatus.hasEAC() == FeatureStatus.Verdict.PRESENT;
                // mRTDTrustStore is dereferenced without a null check; a null store ends up in the
                // outer catch and surfaces as "Cannot open document."
                List<KeyStore> cVCAStores = mRTDTrustStore.getCVCAStores();
                if (z3 && cVCAStores != null && cVCAStores.size() > 0) {
                    tryToDoEAC(passportService, this.lds, str, cVCAStores);
                    treeSet.add(14);
                }
                // DG15 in the list => Active Authentication is considered present.
                if (arrayList.contains(15)) {
                    this.featureStatus.setAA(FeatureStatus.Verdict.PRESENT);
                } else {
                    this.featureStatus.setAA(FeatureStatus.Verdict.NOT_PRESENT);
                }
                if (this.featureStatus.hasAA() == FeatureStatus.Verdict.PRESENT) {
                    try {
                        CardFileInputStream inputStream4 = passportService.getInputStream(PassportService.EF_DG15);
                        this.lds.add(PassportService.EF_DG15, inputStream4, inputStream4.getLength());
                        this.lds.getDG15File();
                        treeSet.add(15);
                    } catch (IOException e5) {
                        // An IOException only logs; the AA verdict is not updated on this path.
                        e5.printStackTrace();
                        LOGGER.warning("Could not read file");
                    } catch (Exception e6) {
                        this.verificationStatus.setAA(VerificationStatus.Verdict.NOT_CHECKED, "Failed to read DG15");
                    }
                } else {
                    this.verificationStatus.setAA(VerificationStatus.Verdict.NOT_PRESENT, "AA is not supported");
                }
                // Read every remaining listed data group; DG3 and DG4 only if the EAC verdict is SUCCEEDED.
                Iterator it3 = arrayList.iterator();
                while (it3.hasNext()) {
                    int intValue2 = ((Integer) it3.next()).intValue();
                    if (!treeSet.contains(Integer.valueOf(intValue2)) && ((intValue2 != 3 && intValue2 != 4) || this.verificationStatus.getEAC().equals(VerificationStatus.Verdict.SUCCEEDED))) {
                        try {
                            short lookupFIDByDataGroupNumber = LDSFileUtil.lookupFIDByDataGroupNumber(intValue2);
                            CardFileInputStream inputStream5 = passportService.getInputStream(lookupFIDByDataGroupNumber);
                            this.lds.add(lookupFIDByDataGroupNumber, inputStream5, inputStream5.getLength());
                        } catch (IOException e7) {
                            // An IOException ends the constructor here: later data groups are not read.
                            LOGGER.warning("Error reading DG" + intValue2 + ": " + e7.getMessage());
                            return;
                        } catch (NumberFormatException e8) {
                            LOGGER.warning("NumberFormatException trying to get FID for DG" + intValue2);
                            e8.printStackTrace();
                        } catch (CardServiceException e9) {
                            // A card-level failure skips this data group and continues with the next.
                            LOGGER.info("Could not read DG" + intValue2 + ": " + e9.getMessage());
                        }
                    }
                }
            } catch (CardServiceException e10) {
                throw e10;
            }
        } catch (Exception e11) {
            // Everything, including the CardServiceException rethrown just above, is wrapped here;
            // only the message text is carried over, the original exception is not attached as cause.
            e11.printStackTrace();
            throw new CardServiceException("Cannot open document. " + e11.getMessage());
        }
    }

    /**
     * Convenience form of the list-based constructor for a single BAC key.
     *
     * @param passportService card service; must not be null
     * @param mRTDTrustStore trust store handed on unchanged
     * @param bACKeySpec the only BAC key candidate to try
     * @throws CardServiceException see the list-based constructor
     * @throws GeneralSecurityException see the list-based constructor
     */
    public Passport(PassportService passportService, MRTDTrustStore mRTDTrustStore, BACKeySpec bACKeySpec) throws CardServiceException, GeneralSecurityException {
        this(passportService, mRTDTrustStore, Collections.<BACKeySpec>singletonList(bACKeySpec));
    }

    /**
     * Builds an instance around an existing LDS without touching a card service.
     *
     * <p>The document signing private key is kept by reference and later returned as-is by
     * {@code getDocSigningPrivateKey()}.
     *
     * @param lds the logical data structure to wrap
     * @param privateKey document signing private key to hold
     * @param mRTDTrustStore trust store to hold
     * @throws GeneralSecurityException from the JCA lookups in the private constructor
     */
    public Passport(LDS lds, PrivateKey privateKey, MRTDTrustStore mRTDTrustStore) throws GeneralSecurityException {
        this();
        this.lds = lds;
        docSigningPrivateKey = privateKey;
        trustManager = mRTDTrustStore;
    }

    /**
     * Runs EAC through the service, trying each chip authentication public key from DG14 in turn
     * until one attempt succeeds.
     *
     * <p>NOTE(review): when every attempt fails this returns false without recording a failure
     * verdict, and the per-key CardServiceException is only printed. Callers that need a
     * fail-closed result must check the EAC verdict rather than rely on an exception.
     *
     * @param str document number passed through to the service
     * @param dG14File source of the chip authentication public keys
     * @param cVCPrincipal CA reference passed through to the service
     * @param certificateArr chain whose elements are all cast to CardVerifiableCertificate
     * @param privateKey private key passed through to the service
     * @return true after the first successful attempt, false if none succeeded
     * @throws CardServiceException declared, although the service's own failures are caught below
     */
    private boolean doEAC(String str, DG14File dG14File, CVCPrincipal cVCPrincipal, Certificate[] certificateArr, PrivateKey privateKey) throws CardServiceException {
        Map<BigInteger, PublicKey> chipKeys = dG14File.getChipAuthenticationPublicKeyInfos();

        // A chain element of any other certificate type fails the cast with ClassCastException.
        ArrayList cvChain = new ArrayList(certificateArr.length);
        for (int idx = 0; idx < certificateArr.length; idx++) {
            cvChain.add((CardVerifiableCertificate) certificateArr[idx]);
        }

        for (Map.Entry<BigInteger, PublicKey> chipKey : chipKeys.entrySet()) {
            BigInteger keyId = chipKey.getKey();
            PublicKey chipPublicKey = chipKey.getValue();
            try {
                this.verificationStatus.setEAC(
                        VerificationStatus.Verdict.SUCCEEDED,
                        "EAC succeeded, CA reference is: " + cVCPrincipal,
                        this.service.doEAC(keyId, chipPublicKey, cVCPrincipal, cvChain, privateKey, str));
                return true;
            } catch (CardServiceException e) {
                // This key did not work; fall through to the next one.
                e.printStackTrace();
            }
        }
        return false;
    }

    /**
     * Tries to build a PKIX certificate path from the given trust anchors to the document signing
     * certificate (or, if that is null, to the certificate matching issuer and serial number).
     *
     * <p>Security-relevant behaviour a caller needs to know:
     * <ul>
     *   <li>Revocation checking is switched off on the builder parameters.</li>
     *   <li>A CertPathBuilderException is swallowed silently, and any other exception is only
     *       logged; in both cases a list is still returned.</li>
     *   <li>The document signing certificate is inserted into the result even when no path was
     *       built, so a non-empty result does NOT mean the chain was validated. Only a result
     *       that also ends in a trust anchor came from a successful build.</li>
     *   <li>{@code Security.addProvider} registers the provider JVM-wide as a side effect.</li>
     * </ul>
     *
     * @param x509Certificate document signing certificate, may be null
     * @param x500Principal issuer used for selection when no certificate is given
     * @param bigInteger serial number used for selection when no certificate is given
     * @param list additional certificate stores to search
     * @param set trust anchors
     * @return the certificates collected; possibly empty, never null
     */
    private static List<Certificate> getCertificateChain(X509Certificate x509Certificate, X500Principal x500Principal, BigInteger bigInteger, List<CertStore> list, Set<TrustAnchor> set) {
        List<Certificate> chain = new ArrayList<>();
        X509CertSelector target = new X509CertSelector();
        try {
            if (x509Certificate == null) {
                target.setIssuer(x500Principal);
                target.setSerialNumber(bigInteger);
            } else {
                target.setCertificate(x509Certificate);
            }

            CertStore signerStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Collections.singleton(x509Certificate)));
            CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX", BC_PROVIDER);
            PKIXBuilderParameters params = new PKIXBuilderParameters(set, target);
            params.addCertStore(signerStore);
            for (CertStore extraStore : list) {
                params.addCertStore(extraStore);
            }
            params.setRevocationEnabled(false);
            Security.addProvider(BC_PROVIDER);

            PKIXCertPathBuilderResult built;
            try {
                built = (PKIXCertPathBuilderResult) pathBuilder.build(params);
            } catch (CertPathBuilderException e) {
                // No path could be built; carry on with an empty result.
                built = null;
            }

            if (built != null) {
                CertPath path = built.getCertPath();
                if (path != null) {
                    chain.addAll(path.getCertificates());
                }
            }

            // Added regardless of whether path building succeeded.
            if (x509Certificate != null && !chain.contains(x509Certificate)) {
                LOGGER.warning("Adding doc signing certificate after PKIXBuilder finished");
                chain.add(0, x509Certificate);
            }

            if (built != null) {
                X509Certificate anchorCert = built.getTrustAnchor().getTrustedCert();
                if (anchorCert != null && !chain.contains(anchorCert)) {
                    LOGGER.warning("Adding trust anchor certificate after PKIXBuilder finished");
                    chain.add(anchorCert);
                }
            }
        } catch (Exception e2) {
            e2.printStackTrace();
            LOGGER.info("Building a chain failed (" + e2.getMessage() + ").");
        }
        return chain;
    }

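    /**
     * Returns a reset MessageDigest for the requested algorithm, reusing the cached instance when
     * it was created for that same algorithm name.
     *
     * <p>The cached instance used to be returned for any requested algorithm once it existed, so
     * a later request for a different algorithm silently computed the wrong kind of hash. The
     * cache is now reused only when the names match (case-insensitively); a null name keeps the
     * old behaviour of returning whatever is cached.
     *
     * @param str digest algorithm name
     * @return a MessageDigest ready for use; also stored in the {@code digest} field
     * @throws NoSuchAlgorithmException if neither the default providers nor BC_PROVIDER supply it
     */
    private MessageDigest getDigest(String str) throws NoSuchAlgorithmException {
        MessageDigest cached = this.digest;
        if (cached != null && (str == null || cached.getAlgorithm().equalsIgnoreCase(str))) {
            cached.reset();
            return cached;
        }
        LOGGER.info("Using hash algorithm " + str);
        // Prefer an installed provider; fall back to the explicit provider otherwise.
        if (Security.getAlgorithms("MessageDigest").contains(str)) {
            this.digest = MessageDigest.getInstance(str);
        } else {
            this.digest = MessageDigest.getInstance(str, BC_PROVIDER);
        }
        return this.digest;
    }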

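    /**
     * Searches one key store for a private key and certificate chain usable for EAC.
     *
     * <p>The first alias that is a key entry holding a PrivateKey wins outright, without
     * comparing against the CA reference. Certificate entries are matched by authority reference
     * and the key is then looked up under the holder reference name.
     *
     * <p>Log statements no longer concatenate the PrivateKey object: depending on the provider,
     * a key's {@code toString()} can include key material, which must not reach log files. Only
     * the algorithm name or a presence flag is logged now.
     *
     * <p>NOTE(review): key entries are read with an empty password, so the keys are protected
     * only by whatever protects the key store itself — confirm this is intended.
     *
     * @param cVCPrincipal CA reference to match certificate entries against; must not be null
     * @param keyStore key store to search
     * @return the credentials found, or null if the store holds none
     * @throws IllegalArgumentException if cVCPrincipal is null
     * @throws GeneralSecurityException if the key store cannot be read
     */
    private EACCredentials getEACCredentials(CVCPrincipal cVCPrincipal, KeyStore keyStore) throws GeneralSecurityException {
        if (cVCPrincipal == null) {
            throw new IllegalArgumentException("CA reference cannot be null");
        }
        PrivateKey privateKey = null;
        Certificate[] certificateArr = null;
        for (String str : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(str)) {
                Security.insertProviderAt(BC_PROVIDER, 0);
                Key key = keyStore.getKey(str, "".toCharArray());
                if (key instanceof PrivateKey) {
                    return new EACCredentials((PrivateKey) key, keyStore.getCertificateChain(str));
                }
                LOGGER.warning("skipping non-private key " + str);
            } else if (keyStore.isCertificateEntry(str)) {
                CardVerifiableCertificate cardVerifiableCertificate = (CardVerifiableCertificate) keyStore.getCertificate(str);
                CVCPrincipal authorityReference = cardVerifiableCertificate.getAuthorityReference();
                CVCPrincipal holderReference = cardVerifiableCertificate.getHolderReference();
                if (!cVCPrincipal.equals(authorityReference)) {
                    continue;
                }
                privateKey = (PrivateKey) keyStore.getKey(holderReference.getName(), "".toCharArray());
                certificateArr = keyStore.getCertificateChain(holderReference.getName());
                if (privateKey != null) {
                    // Log the algorithm only, never the key object.
                    LOGGER.fine("found a key, privateKey algorithm = " + privateKey.getAlgorithm());
                    return new EACCredentials(privateKey, certificateArr);
                }
            } else if (privateKey == null || certificateArr == null) {
                LOGGER.severe("null chain or key for entry " + str + ": chain = " + Arrays.toString(certificateArr) + ", privateKey present = " + (privateKey != null));
            }
        }
        return null;
    }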

    /**
     * Searches the key stores in list order and returns the first credentials found.
     *
     * @param cVCPrincipal CA reference handed to the per-store lookup
     * @param list key stores to search, in priority order
     * @return the first non-null result, or null if no store yields credentials
     * @throws GeneralSecurityException if a key store cannot be read
     */
    private EACCredentials getEACCredentials(CVCPrincipal cVCPrincipal, List<KeyStore> list) throws GeneralSecurityException {
        for (KeyStore store : list) {
            EACCredentials found = getEACCredentials(cVCPrincipal, store);
            if (found != null) {
                return found;
            }
        }
        return null;
    }

    /**
     * Maps a tag list to data group numbers, skipping tags that have no known data group.
     *
     * @param iArr tags to convert, may be null
     * @return the data group numbers in input order, or null when the input is null
     */
    private List<Integer> toDataGroupList(int[] iArr) {
        if (iArr == null) {
            return null;
        }
        List<Integer> dataGroups = new ArrayList<>(iArr.length);
        for (int idx = 0; idx < iArr.length; idx++) {
            int tag = iArr[idx];
            try {
                dataGroups.add(Integer.valueOf(LDSFileUtil.lookupDataGroupNumberByTag(tag)));
            } catch (NumberFormatException e) {
                // Unknown tag: report it and leave it out of the result.
                LOGGER.warning("Could not find DG number for tag: " + Integer.toHexString(tag));
                e.printStackTrace();
            }
        }
        return dataGroups;
    }

    /**
     * Tries each BAC key in turn, holding the list's monitor for the whole loop, and returns the
     * first key that is accepted.
     *
     * <p>NOTE(review): the success reason text is built from the key spec itself
     * ("BAC succeeded with key ..."), so whatever {@code BACKeySpec.toString()} prints is stored
     * in the verification status — confirm it does not expose access-key data to later consumers.
     *
     * @param passportService service used for each attempt
     * @param list candidate keys, tried in order
     * @return the key that succeeded
     * @throws BACDeniedException if no key works; carries the keys tried and the last status word (-1 if none)
     */
    private BACKeySpec tryToDoBAC(PassportService passportService, List<BACKeySpec> list) throws BACDeniedException {
        ArrayList attempted = new ArrayList();
        int lastStatusWord = -1;
        synchronized (list) {
            Iterator<BACKeySpec> candidates = list.iterator();
            while (candidates.hasNext()) {
                BACKeySpec candidate = candidates.next();
                try {
                    attempted.add(candidate);
                    tryToDoBAC(passportService, candidate);
                    this.verificationStatus.setBAC(VerificationStatus.Verdict.SUCCEEDED, "BAC succeeded with key " + candidate, attempted);
                    return candidate;
                } catch (CardServiceException e) {
                    // Remember the status word and move on to the next candidate.
                    LOGGER.info("Ignoring the following exception: " + e.getClass().getCanonicalName());
                    e.printStackTrace();
                    lastStatusWord = e.getSW();
                }
            }
            this.verificationStatus.setBAC(VerificationStatus.Verdict.FAILED, "BAC failed", attempted);
            throw new BACDeniedException("Basic Access denied!", attempted, lastStatusWord);
        }
    }

    /**
     * Performs one BAC attempt and normalises every failure to a CardServiceException.
     *
     * <p>NOTE(review): both log statements concatenate the BAC key spec, so whatever
     * {@code BACKeySpec.toString()} prints ends up in the log at INFO / WARNING level. If that
     * includes the key inputs, the log becomes sensitive — confirm and reduce if so.
     *
     * @param passportService service that runs BAC
     * @param bACKeySpec key to try
     * @throws CardServiceException the service's own exception, or a new one carrying only the
     *         message of any other exception
     */
    private void tryToDoBAC(PassportService passportService, BACKeySpec bACKeySpec) throws CardServiceException {
        try {
            LOGGER.info("Trying BAC: " + bACKeySpec);
            passportService.doBAC(bACKeySpec);
        } catch (Exception e) {
            if (!(e instanceof CardServiceException)) {
                LOGGER.warning("DEBUG: Unexpected exception " + e.getClass().getCanonicalName() + " during BAC with " + bACKeySpec);
                e.printStackTrace();
                throw new CardServiceException(e.getMessage());
            }
            // Card-level failures pass through unchanged.
            throw ((CardServiceException) e);
        }
    }

    /**
     * Reads DG14 and the CVCA file, then attempts EAC with the first CA reference for which
     * credentials can be found.
     *
     * <p>Every failure in here is logged and swallowed, and the result of {@code doEAC} is
     * ignored, so this method returns normally whether or not EAC succeeded. The outcome is only
     * visible through the EAC verdict in the verification status.
     *
     * <p>The credential lookup rejects a null CA reference with IllegalArgumentException; that
     * lands in the outer catch and is logged as "EAC failed with exception".
     *
     * @param passportService service used to read the files
     * @param lds LDS that receives DG14 and the CVCA file
     * @param str document number handed on to doEAC
     * @param list key stores searched for credentials
     * @throws CardServiceException declared only; all exceptions are handled inside
     */
    private void tryToDoEAC(PassportService passportService, LDS lds, String str, List<KeyStore> list) throws CardServiceException {
        try {
            try {
                CardFileInputStream dg14Stream = passportService.getInputStream(PassportService.EF_DG14);
                lds.add(PassportService.EF_DG14, dg14Stream, dg14Stream.getLength());
                DG14File dg14 = lds.getDG14File();

                // Default CVCA file id, overridden by the first id DG14 lists (if any).
                this.cvcaFID = (short) 284;
                List<Short> listedIds = dg14.getCVCAFileIds();
                boolean hasListedIds = listedIds != null && listedIds.size() != 0;
                if (hasListedIds) {
                    if (listedIds.size() > 1) {
                        LOGGER.warning("More than one CVCA file id present in DG14");
                    }
                    this.cvcaFID = listedIds.get(0).shortValue();
                }

                CardFileInputStream cvcaStream = passportService.getInputStream(this.cvcaFID);
                lds.add(this.cvcaFID, cvcaStream, cvcaStream.getLength());
                CVCAFile cvcaFile = lds.getCVCAFile();

                CVCPrincipal[] references = {cvcaFile.getCAReference(), cvcaFile.getAltCAReference()};
                for (int idx = 0; idx < references.length; idx++) {
                    CVCPrincipal reference = references[idx];
                    EACCredentials credentials = getEACCredentials(reference, list);
                    if (credentials == null) {
                        continue;
                    }
                    // Only one attempt is made: the method returns whatever doEAC reports.
                    doEAC(str, dg14, reference, credentials.getChain(), credentials.getPrivateKey());
                    return;
                }
            } catch (IOException e) {
                e.printStackTrace();
                LOGGER.warning("Could not read EF.DG14 or EF.CVCA, not attempting EAC");
            }
        } catch (Exception e2) {
            LOGGER.warning("EAC failed with exception " + e2.getMessage());
            e2.printStackTrace();
        }
    }

    /**
     * Placeholder for PACE: it performs no protocol step and only logs that PACE is disabled.
     * None of the parameters is used.
     *
     * @throws CardServiceException declared only; nothing here throws it
     */
    private void tryToDoPACE(PassportService passportService, PACEInfo pACEInfo, BACKeySpec bACKeySpec) throws CardServiceException {
        final String notice = "DEBUG: PACE has been disabled in this version of JMRTD";
        LOGGER.info(notice);
    }

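    /**
     * Verifies an Active Authentication response with the given public key.
     *
     * <p>RSA keys: the response is decrypted with the raw RSA cipher, the message part is
     * recovered from it, and the signature object is fed the recovered part followed by
     * {@code bArr} before verifying the response. EC keys: the response is split into two equal
     * halves, re-encoded as a DER sequence of two integers and verified over {@code bArr}.
     *
     * <p>Fix: the "unexpected algorithms" check combined "is not SHA1" and "is not
     * CommonUtils.SHA1_INSTANCE" with OR, which holds for every input when the two spellings
     * differ, so the warning fired on every RSA verification. It now fires only when the digest
     * is neither spelling or the signature algorithm differs. That keeps the warning usable as a
     * signal that a document asked for non-default algorithms. The digest and signature objects
     * are still created from the requested names on every call, so state left by an earlier call
     * with other algorithms is never reused.
     *
     * @param publicKey the public key to verify with (RSA, EC or ECDSA)
     * @param str digest algorithm name
     * @param str2 signature algorithm name
     * @param bArr data fed to the signature; NOTE(review): presumably the challenge — confirm against caller
     * @param bArr2 the response to verify
     * @return true if the signature verifies; false if it does not, if the key type is
     *         unsupported, or if the ECDSA signature cannot be DER-encoded
     * @throws CardServiceException wrapping an IllegalArgumentException or GeneralSecurityException
     */
    private boolean verifyAA(PublicKey publicKey, String str, String str2, byte[] bArr, byte[] bArr2) throws CardServiceException {
        try {
            String algorithm = publicKey.getAlgorithm();
            if ("RSA".equals(algorithm)) {
                // NOTE(review): CommonUtils.SHA1_INSTANCE looks like a decompiler substitution for a
                // string literal (presumably "SHA-1"); confirm and replace it with a local constant
                // so this check does not depend on an unrelated SDK.
                boolean sha1Digest = "SHA1".equalsIgnoreCase(str) || CommonUtils.SHA1_INSTANCE.equalsIgnoreCase(str);
                boolean expectedAlgorithms = sha1Digest && "SHA1WithRSA/ISO9796-2".equalsIgnoreCase(str2);
                if (!expectedAlgorithms) {
                    LOGGER.warning("Unexpected algorithms for RSA AA: digest algorithm = " + (str == null ? "null" : str) + ", signature algorithm = " + (str2 == null ? "null" : str2));
                }
                this.rsaAADigest = MessageDigest.getInstance(str);
                this.rsaAASignature = Signature.getInstance(str2, BC_PROVIDER);
                RSAPublicKey rSAPublicKey = (RSAPublicKey) publicKey;
                this.rsaAACipher.init(Cipher.DECRYPT_MODE, rSAPublicKey);
                this.rsaAASignature.initVerify(rSAPublicKey);
                int digestLength = this.rsaAADigest.getDigestLength();
                // Decompiled form of an assertion that the digest is 20 bytes long.
                if (!$assertionsDisabled && digestLength != 20) {
                    throw new AssertionError();
                }
                this.rsaAASignature.update(Util.recoverMessage(digestLength, this.rsaAACipher.doFinal(bArr2)));
                this.rsaAASignature.update(bArr);
                return this.rsaAASignature.verify(bArr2);
            }
            if (!"EC".equals(algorithm) && !"ECDSA".equals(algorithm)) {
                LOGGER.severe("Unsupported AA public key type " + publicKey.getClass().getSimpleName());
                return false;
            }
            ECPublicKey eCPublicKey = (ECPublicKey) publicKey;
            // Unlike the constructor's default, a replacement Signature is looked up without naming a provider.
            if (this.ecdsaAASignature == null || (str2 != null && !str2.equals(this.ecdsaAASignature.getAlgorithm()))) {
                LOGGER.warning("Re-initializing ecdsaAASignature with signature algorithm " + str2);
                this.ecdsaAASignature = Signature.getInstance(str2);
            }
            if (this.ecdsaAADigest == null || (str != null && !str.equals(this.ecdsaAADigest.getAlgorithm()))) {
                LOGGER.warning("Re-initializing ecdsaAADigest with digest algorithm " + str);
                this.ecdsaAADigest = MessageDigest.getInstance(str);
            }
            this.ecdsaAASignature.initVerify(eCPublicKey);
            // An odd-length response is only logged; the trailing byte is then left out of the split.
            if (bArr2.length % 2 != 0) {
                LOGGER.warning("Active Authentication response is not of even length");
            }
            int length = bArr2.length / 2;
            BigInteger os2i = Util.os2i(bArr2, 0, length);
            BigInteger os2i2 = Util.os2i(bArr2, length, length);
            this.ecdsaAASignature.update(bArr);
            try {
                return this.ecdsaAASignature.verify(new DERSequence(new ASN1Encodable[]{new ASN1Integer(os2i), new ASN1Integer(os2i2)}).getEncoded());
            } catch (IOException e) {
                LOGGER.severe("Unexpected exception during AA signature verification with ECDSA");
                e.printStackTrace();
                return false;
            }
        } catch (IllegalArgumentException e2) {
            throw new CardServiceException(e2.toString());
        } catch (GeneralSecurityException e3) {
            throw new CardServiceException(e3.toString());
        }
    }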

    /**
     * Checks the hash of one data group, recording the result in the verification status' result
     * map, or in a fresh map when the status has none yet.
     *
     * @param i data group number
     * @return the match result, or null when the two-argument overload returns null
     */
    private VerificationStatus.HashMatchResult verifyHash(int i) {
        Map<Integer, VerificationStatus.HashMatchResult> known = this.verificationStatus.getHashResults();
        Map<Integer, VerificationStatus.HashMatchResult> target =
                known != null ? known : new TreeMap<Integer, VerificationStatus.HashMatchResult>();
        return verifyHash(i, target);
    }

    /**
     * Compares the hash stored in the SOd for one data group with the hash computed over that
     * data group's bytes in the LDS, and records the outcome in the given map.
     *
     * <p>On a mismatch or any failure the hash-table verdict is set to FAILED. On a match the
     * verdict is left untouched, so a matching hash alone never marks the table as verified.
     * A data group that could not be read yields a result with a null computed hash and no
     * verdict change.
     *
     * @param i data group number
     * @param map result map to update; also passed on to the verification status
     * @return the match result (computed hash null when nothing was hashed), or null when the
     *         stored hash or the digest algorithm could not be obtained
     */
    private VerificationStatus.HashMatchResult verifyHash(int i, Map<Integer, VerificationStatus.HashMatchResult> map) {
        // Computed outside the try blocks, so a failing lookup propagates to the caller.
        short lookupFIDByTag = LDSFileUtil.lookupFIDByTag(LDSFileUtil.lookupTagByDataGroupNumber(i));
        try {
            SODFile sODFile = this.lds.getSODFile();
            // Stored hash for this data group; null if the SOd map has no entry for it.
            byte[] bArr = sODFile.getDataGroupHashes().get(Integer.valueOf(i));
            String digestAlgorithm = sODFile.getDigestAlgorithm();
            try {
                this.digest = getDigest(digestAlgorithm);
                byte[] bArr2 = null;
                InputStream inputStream = null;
                try {
                    int length = this.lds.getLength(lookupFIDByTag);
                    if (length > 0) {
                        bArr2 = new byte[length];
                        inputStream = this.lds.getInputStream(lookupFIDByTag);
                        // The stream is read in full but not closed here.
                        new DataInputStream(inputStream).readFully(bArr2);
                    }
                    // 259 / 260 are 0x0103 / 0x0104. NOTE(review): presumably the file ids of DG3 and
                    // DG4, which the constructor reads only after successful EAC — confirm.
                    if (inputStream == null && this.verificationStatus.getEAC() != VerificationStatus.Verdict.SUCCEEDED && (lookupFIDByTag == 259 || lookupFIDByTag == 260)) {
                        LOGGER.warning("Skipping DG" + i + " during HT verification because EAC failed.");
                        VerificationStatus.HashMatchResult hashMatchResult = new VerificationStatus.HashMatchResult(bArr, null);
                        map.put(Integer.valueOf(i), hashMatchResult);
                        return hashMatchResult;
                    }
                    // No content available (length <= 0): record the stored hash only; verdict unchanged.
                    if (inputStream == null) {
                        LOGGER.warning("Skipping DG" + i + " during HT verification because file could not be read.");
                        VerificationStatus.HashMatchResult hashMatchResult2 = new VerificationStatus.HashMatchResult(bArr, null);
                        map.put(Integer.valueOf(i), hashMatchResult2);
                        return hashMatchResult2;
                    }
                    try {
                        byte[] digest = this.digest.digest(bArr2);
                        VerificationStatus.HashMatchResult hashMatchResult3 = new VerificationStatus.HashMatchResult(bArr, digest);
                        map.put(Integer.valueOf(i), hashMatchResult3);
                        // Match: return without touching the verdict. A null stored hash never matches.
                        if (Arrays.equals(bArr, digest)) {
                            return hashMatchResult3;
                        }
                        this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "Hash mismatch", map);
                        return hashMatchResult3;
                    } catch (Exception e) {
                        VerificationStatus.HashMatchResult hashMatchResult4 = new VerificationStatus.HashMatchResult(bArr, null);
                        map.put(Integer.valueOf(i), hashMatchResult4);
                        this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "Hash failed due to exception", map);
                        return hashMatchResult4;
                    }
                } catch (Exception e2) {
                    // Reading the data group failed: fail closed for the whole hash table.
                    VerificationStatus.HashMatchResult hashMatchResult5 = new VerificationStatus.HashMatchResult(bArr, null);
                    map.put(Integer.valueOf(i), hashMatchResult5);
                    this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "DG" + i + " failed due to exception", map);
                    return hashMatchResult5;
                }
            } catch (NoSuchAlgorithmException e3) {
                // Note: a null map is passed here, not the caller's result map.
                this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "Unsupported algorithm \"" + digestAlgorithm + "\"", null);
                return null;
            }
        } catch (Exception e4) {
            // SOd missing or unreadable: there is no stored hash to compare against.
            this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "DG" + i + " failed, could not get stored hash", map);
            return null;
        }
    }

    /**
     * Returns the Active Authentication private key currently stored on this object.
     *
     * <p>The stored reference itself is handed out, not a copy, so the caller
     * ends up holding live private-key material. Keep it out of logs and
     * persisted state.
     *
     * @return the current value of the {@code aaPrivateKey} field (possibly {@code null})
     */
    public PrivateKey getAAPrivateKey() {
        return aaPrivateKey;
    }

    /**
     * Returns the card verifiable certificate last stored through
     * {@link #setCVCertificate(CardVerifiableCertificate)}.
     *
     * @return the current value of the {@code cvcaCertificate} field (possibly {@code null})
     */
    public CardVerifiableCertificate getCVCertificate() {
        return cvcaCertificate;
    }

    /**
     * Returns the document signing private key currently stored on this object.
     *
     * <p>This is the key {@code updateCOMSODFile} passes to the {@code SODFile}
     * constructor when it is non-null. The stored reference is returned as is,
     * so treat the result as sensitive key material.
     *
     * @return the current value of the {@code docSigningPrivateKey} field (possibly {@code null})
     */
    public PrivateKey getDocSigningPrivateKey() {
        return docSigningPrivateKey;
    }

    /**
     * Returns the EAC private key currently stored on this object.
     *
     * <p>The stored reference is returned as is, so treat the result as
     * sensitive key material.
     *
     * @return the current value of the {@code eacPrivateKey} field (possibly {@code null})
     */
    public PrivateKey getEACPrivateKey() {
        return eacPrivateKey;
    }

    /**
     * Returns the feature status object held by this passport.
     *
     * @return the current value of the {@code featureStatus} field
     */
    public FeatureStatus getFeatures() {
        return featureStatus;
    }

    /**
     * Returns the logical data structure (LDS) backing this passport.
     *
     * <p>The returned object is the same instance the verification methods
     * read from. Changes made through it directly do not go through
     * {@code putFile} and therefore do not reset the verification verdicts.
     *
     * @return the current value of the {@code lds} field
     */
    public LDS getLDS() {
        return lds;
    }

    /**
     * Returns the trust store that {@code verifyCS} queries for CSCA
     * certificate stores and trust anchors.
     *
     * @return the current value of the {@code trustManager} field
     */
    public MRTDTrustStore getTrustManager() {
        return trustManager;
    }

    /**
     * Returns the verification status object that the {@code verify*} methods update.
     *
     * <p>The live instance is returned, not a snapshot. Verdicts read from it
     * reflect only the checks run so far. {@code putFile} resets all of them
     * to {@code UNKNOWN}.
     *
     * @return the current value of the {@code verificationStatus} field
     */
    public VerificationStatus getVerificationStatus() {
        return verificationStatus;
    }

    /**
     * Adds a file to the LDS from its encoded bytes and resets every
     * verification verdict to {@code UNKNOWN}.
     *
     * <p>A {@code null} byte array is ignored entirely: nothing is added and
     * the verdicts are left untouched. An {@link IOException} from the LDS is
     * printed and otherwise ignored, and the verdicts are still reset.
     *
     * @param s    file identifier of the file being stored
     * @param bArr encoded file contents; {@code null} makes the call a no-op
     */
    public void putFile(short s, byte[] bArr) {
        if (bArr != null) {
            try {
                final ByteArrayInputStream contents = new ByteArrayInputStream(bArr);
                this.lds.add(s, contents, bArr.length);
                // 286 (0x011E) and 285 (0x011D) are the ICAO 9303 file identifiers of
                // EF.COM and EF.SOd. Those two and the CVCA file are not data groups
                // hashed into the SOd, so storing them does not trigger a rebuild.
                final boolean excludedFromRebuild = s == 286 || s == 285 || s == this.cvcaFID;
                if (!excludedFromRebuild) {
                    updateCOMSODFile(null);
                }
            } catch (IOException ioFailure) {
                ioFailure.printStackTrace();
            }
            // Any change to the stored files invalidates earlier verification results.
            this.verificationStatus.setAll(VerificationStatus.Verdict.UNKNOWN, "Unknown");
        }
    }

    /**
     * Stores the Active Authentication private key on this object.
     *
     * <p>Only the field is updated. No LDS file is rewritten and the
     * verification verdicts are not reset.
     *
     * @param privateKey the key to store (stored by reference, not copied)
     */
    public void setAAPrivateKey(PrivateKey privateKey) {
        aaPrivateKey = privateKey;
    }

    /**
     * Replaces the Active Authentication public key by writing a new EF.DG15.
     *
     * <p>The key is wrapped in a {@code DG15File} and stored through
     * {@link #putFile(short, byte[])}, which also rebuilds EF.COM and EF.SOd
     * and resets the verification verdicts.
     *
     * @param publicKey the public key to encode into EF.DG15
     */
    public void setAAPublicKey(PublicKey publicKey) {
        final DG15File dg15 = new DG15File(publicKey);
        putFile(PassportService.EF_DG15, dg15.getEncoded());
    }

    /**
     * Stores the given card verifiable certificate and writes a CVCA file
     * that names its holder reference.
     *
     * <p>The field is assigned before anything else, so it keeps the new
     * value even when building or storing the CVCA file fails. A
     * {@link CertificateException} is printed and otherwise ignored.
     *
     * @param cardVerifiableCertificate the certificate to store; a {@code null}
     *        value is dereferenced below and is not handled here
     */
    public void setCVCertificate(CardVerifiableCertificate cardVerifiableCertificate) {
        this.cvcaCertificate = cardVerifiableCertificate;
        try {
            final String holderName = this.cvcaCertificate.getHolderReference().getName();
            final CVCAFile cvcaFile = new CVCAFile(this.cvcaFID, holderName);
            putFile(this.cvcaFID, cvcaFile.getEncoded());
        } catch (CertificateException certFailure) {
            certFailure.printStackTrace();
        }
    }

    /**
     * Rebuilds EF.COM and EF.SOd so that the SOd carries the given document
     * signing certificate.
     *
     * <p>This only delegates to {@link #updateCOMSODFile(X509Certificate)}.
     * Unlike {@code putFile}, it does not reset the verification verdicts.
     *
     * @param x509Certificate the certificate to embed; {@code null} keeps the
     *        certificate already present in the current SOd
     */
    public void setDocSigningCertificate(X509Certificate x509Certificate) {
        this.updateCOMSODFile(x509Certificate);
    }

    /**
     * Stores the document signing private key and rebuilds EF.COM and EF.SOd.
     *
     * <p>When the stored key is non-null, {@code updateCOMSODFile} passes it
     * to the {@code SODFile} constructor instead of reusing the previous
     * encrypted digest. The verification verdicts are not reset here.
     *
     * @param privateKey the signing key to store (stored by reference, not copied)
     */
    public void setDocSigningPrivateKey(PrivateKey privateKey) {
        docSigningPrivateKey = privateKey;
        this.updateCOMSODFile(null);
    }

    /**
     * Stores the EAC private key on this object.
     *
     * <p>Only the field is updated. No LDS file is rewritten and the
     * verification verdicts are not reset.
     *
     * @param privateKey the key to store (stored by reference, not copied)
     */
    public void setEACPrivateKey(PrivateKey privateKey) {
        eacPrivateKey = privateKey;
    }

    /**
     * Replaces the chip authentication public key by writing a new EF.DG14.
     *
     * <p>The new EF.DG14 holds a single {@code ChipAuthenticationPublicKeyInfo}
     * built from the key. Security infos previously stored in EF.DG14 are not
     * carried over by this method. Storing goes through
     * {@link #putFile(short, byte[])}, which rebuilds EF.COM and EF.SOd and
     * resets the verification verdicts.
     *
     * @param publicKey the public key to encode into EF.DG14
     */
    public void setEACPublicKey(PublicKey publicKey) {
        final ChipAuthenticationPublicKeyInfo chipAuthKeyInfo = new ChipAuthenticationPublicKeyInfo(publicKey);
        final DG14File dg14 = new DG14File(Arrays.asList(chipAuthKeyInfo));
        putFile(PassportService.EF_DG14, dg14.getEncoded());
    }

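    /**
     * Recomputes the data group hashes and stores a fresh EF.COM and EF.SOd in the LDS.
     *
     * <p>Every file in the LDS data group list except EF.COM (286 / 0x011E),
     * EF.SOd (285 / 0x011D) and the CVCA file is read in full and hashed with
     * the digest algorithm of the current SOd. Its tag is also inserted into
     * the COM file. A file whose input stream is {@code null} is skipped with
     * a warning and gets no entry in the new hash table.
     *
     * <p>When a document signing private key is stored, the new SOd is
     * constructed with it. Otherwise the encrypted digest of the previous SOd
     * is reused over the new hash table.
     * NOTE(review): a reused digest presumably no longer matches the new
     * content, so {@code verifyDS} would be expected to fail. Confirm against
     * {@code SODFile}.
     *
     * <p>Any failure is logged and swallowed, leaving the previous EF.COM and
     * EF.SOd in place. Callers get no signal that the update did not happen.
     *
     * @param x509Certificate document signing certificate to embed, or
     *        {@code null} to keep the one in the current SOd
     */
    public void updateCOMSODFile(X509Certificate x509Certificate) {
        try {
            COMFile comFile = this.lds.getCOMFile();
            SODFile currentSod = this.lds.getSODFile();
            String digestAlgorithm = currentSod.getDigestAlgorithm();
            String digestEncryptionAlgorithm = currentSod.getDigestEncryptionAlgorithm();
            X509Certificate docSigningCertificate =
                    x509Certificate != null ? x509Certificate : currentSod.getDocSigningCertificate();
            byte[] encryptedDigest = currentSod.getEncryptedDigest();
            Map<Integer, byte[]> dataGroupHashes = new TreeMap<>();
            List<Short> dataGroupList = this.lds.getDataGroupList();
            MessageDigest messageDigest = MessageDigest.getInstance(digestAlgorithm);
            for (Short fid : dataGroupList) {
                short fileId = fid.shortValue();
                if (fileId == 286 || fileId == 285 || fileId == this.cvcaFID) {
                    // EF.COM, EF.SOd and the CVCA file are not hashed into the SOd.
                    continue;
                }
                int length = this.lds.getLength(fileId);
                InputStream inputStream = this.lds.getInputStream(fileId);
                if (inputStream == null) {
                    LOGGER.warning("Could not get input stream for " + Integer.toHexString(fileId));
                    continue;
                }
                byte[] contents = new byte[length];
                new DataInputStream(inputStream).readFully(contents);
                byte tag = contents[0];
                dataGroupHashes.put(
                        Integer.valueOf(LDSFileUtil.lookupDataGroupNumberByTag(tag)),
                        messageDigest.digest(contents));
                // Mask with the literal 0xFF to get the unsigned tag value. The previous
                // operand was a byte constant from an unrelated WebSocket class. A byte
                // operand is sign-extended to -1, which makes the AND a no-op.
                comFile.insertTag(Integer.valueOf(tag & 0xFF));
            }
            SODFile rebuiltSod = this.docSigningPrivateKey != null
                    ? new SODFile(digestAlgorithm, digestEncryptionAlgorithm, dataGroupHashes,
                            this.docSigningPrivateKey, docSigningCertificate)
                    : new SODFile(digestAlgorithm, digestEncryptionAlgorithm, dataGroupHashes,
                            encryptedDigest, docSigningCertificate);
            this.lds.add(comFile);
            this.lds.add(rebuiltSod);
        } catch (Exception e) {
            // Best effort is kept, but the failure goes through the class logger
            // with its stack trace instead of being printed to stderr.
            LOGGER.log(java.util.logging.Level.SEVERE, "Could not update EF.COM and EF.SOd", e);
        }
    }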

    /**
     * Runs Active Authentication against the chip and records the verdict.
     *
     * <p>The public key comes from EF.DG15. For RSA keys the digest and
     * signature algorithms are fixed to {@code SHA1} and
     * {@code SHA1WithRSA/ISO9796-2}. For EC keys they are derived from the
     * first active authentication info in EF.DG14. An 8-byte challenge is
     * sent to the chip and the response is checked against the public key.
     *
     * <p>Every failure path sets the AA verdict to {@code FAILED}. Nothing
     * here checks that EF.DG15 itself is authentic; that depends on the hash
     * and signature checks done by the other {@code verify*} methods.
     */
    public void verifyAA() {
        if (this.lds == null || this.service == null) {
            this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "AA failed");
            return;
        }
        try {
            final DG15File dg15 = this.lds.getDG15File();
            if (dg15 == null) {
                this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "AA failed");
                return;
            }
            final PublicKey aaPublicKey = dg15.getPublicKey();
            final String keyAlgorithm = aaPublicKey.getAlgorithm();
            // Defaults apply to every key type that is not EC/ECDSA.
            String digestAlgorithm = "SHA1";
            String signatureAlgorithm = "SHA1WithRSA/ISO9796-2";
            final boolean ellipticCurveKey = "EC".equals(keyAlgorithm) || "ECDSA".equals(keyAlgorithm);
            if (ellipticCurveKey) {
                final List<ActiveAuthenticationInfo> aaInfos = this.lds.getDG14File().getActiveAuthenticationInfos();
                final int infoCount = (aaInfos != null) ? aaInfos.size() : 0;
                if (infoCount < 1) {
                    this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "Found no active authentication info in EF.DG14");
                    return;
                }
                if (infoCount > 1) {
                    LOGGER.warning("Found " + infoCount + " in EF.DG14, expected 1.");
                }
                // Only the first entry is used, even when several are present.
                final ActiveAuthenticationInfo firstInfo = aaInfos.get(0);
                signatureAlgorithm = ActiveAuthenticationInfo.lookupMnemonicByOID(firstInfo.getSignatureAlgorithmOID());
                digestAlgorithm = Util.inferDigestAlgorithmFromSignatureAlgorithm(signatureAlgorithm);
            }
            final byte[] challenge = new byte[8];
            // NOTE(review): the type of this.random is not visible here. Confirm it is a
            // SecureRandom, since the check relies on the challenge being unpredictable.
            this.random.nextBytes(challenge);
            final boolean signatureValid = verifyAA(aaPublicKey, digestAlgorithm, signatureAlgorithm, challenge,
                    this.service.doAA(aaPublicKey, digestAlgorithm, signatureAlgorithm, challenge));
            if (!signatureValid) {
                this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "AA failed due to signature failure");
            } else {
                this.verificationStatus.setAA(VerificationStatus.Verdict.SUCCEEDED, "AA succeeded");
            }
        } catch (CardServiceException cardFailure) {
            cardFailure.printStackTrace();
            this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "AA failed due to exception");
        } catch (Exception unexpected) {
            LOGGER.severe("DEBUG: this exception wasn't caught in verification logic (< 0.4.8) -- MO 3. Type is " + unexpected.getClass().getCanonicalName());
            unexpected.printStackTrace();
            this.verificationStatus.setAA(VerificationStatus.Verdict.FAILED, "AA failed due to exception");
        }
    }

    /**
     * Tries to build a certificate chain from the document signing certificate
     * in EF.SOd to a CSCA trust anchor and records the verdict.
     *
     * <p>Points a reviewer should keep in mind:
     * <ul>
     *   <li>The CS verdict is never reset here, and {@code SUCCEEDED} is only
     *       written while it is still {@code UNKNOWN}. A {@code FAILED} set
     *       earlier, in this call or a previous one, therefore sticks.</li>
     *   <li>Missing CSCA stores or anchors set {@code FAILED} but do not
     *       return. Processing continues so that the chain list handed to
     *       the status object can still be filled in.</li>
     *   <li>A mismatch between the issuer or serial number named in the SOd
     *       and those of the embedded certificate is only logged. It does
     *       not change the verdict.</li>
     *   <li>Success means the chain list ended up with more than one
     *       certificate. Actual path validation is whatever
     *       {@code getCertificateChain} performs, which is not visible here.</li>
     * </ul>
     */
    public void verifyCS() {
        try {
            SODFile sod = null;
            try {
                sod = this.lds.getSODFile();
            } catch (IOException readFailure) {
                LOGGER.severe("Could not read EF.SOd");
            }
            final List<Certificate> chain = new ArrayList<>();
            if (sod == null) {
                this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "Unable to build certificate chain", chain);
                return;
            }

            X509Certificate docSigningCert = null;
            X500Principal sodIssuer = null;
            BigInteger sodSerialNumber = null;
            try {
                sodIssuer = sod.getIssuerX500Principal();
                sodSerialNumber = sod.getSerialNumber();
                docSigningCert = sod.getDocSigningCertificate();
            } catch (Exception lookupFailure) {
                LOGGER.warning("Error getting document signing certificate: " + lookupFailure.getMessage());
            }
            if (docSigningCert == null) {
                LOGGER.warning("Error getting document signing certificate from EF.SOd");
            } else {
                chain.add(docSigningCert);
            }

            final List<CertStore> cscaStores = this.trustManager.getCSCAStores();
            if (cscaStores == null || cscaStores.isEmpty()) {
                LOGGER.warning("No CSCA certificate stores found.");
                // No return: the FAILED verdict survives because SUCCEEDED below is
                // only written while the verdict is still UNKNOWN.
                this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "No CSCA certificate stores found", chain);
            }
            final Set<TrustAnchor> cscaAnchors = this.trustManager.getCSCAAnchors();
            if (cscaAnchors == null || cscaAnchors.isEmpty()) {
                LOGGER.warning("No CSCA trust anchors found.");
                this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "No CSCA trust anchors found", chain);
            }

            if (docSigningCert != null) {
                // Consistency checks between the SOd signer info and the embedded
                // certificate. They are advisory only.
                final X500Principal certIssuer = docSigningCert.getIssuerX500Principal();
                if (sodIssuer != null && !sodIssuer.equals(certIssuer)) {
                    LOGGER.severe("Security object issuer principal is different from embedded DS certificate issuer!");
                }
                final BigInteger certSerialNumber = docSigningCert.getSerialNumber();
                if (sodSerialNumber != null && !sodSerialNumber.equals(certSerialNumber)) {
                    LOGGER.warning("Security object serial number is different from embedded DS certificate serial number!");
                }
            }

            final List<Certificate> pkixChain = getCertificateChain(docSigningCert, sodIssuer, sodSerialNumber, cscaStores, cscaAnchors);
            if (pkixChain == null) {
                this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "Could not build chain to trust anchor (pkixChain == null)", chain);
                return;
            }
            for (Certificate link : pkixChain) {
                // The document signing certificate was already added above.
                if (!link.equals(docSigningCert)) {
                    chain.add(link);
                }
            }

            if (chain.size() <= 1) {
                this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "Could not build chain to trust anchor", chain);
                return;
            }
            if (this.verificationStatus.getCS().equals(VerificationStatus.Verdict.UNKNOWN)) {
                this.verificationStatus.setCS(VerificationStatus.Verdict.SUCCEEDED, "Found a chain to a trust anchor", chain);
            }
        } catch (Exception unexpected) {
            unexpected.printStackTrace();
            this.verificationStatus.setCS(VerificationStatus.Verdict.FAILED, "Signature failed", EMPTY_CERTIFICATE_CHAIN);
        }
    }

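    /**
     * Checks the signature over EF.SOd with the document signing certificate
     * embedded in that same SOd and records the verdict.
     *
     * <p>The DS verdict is reset to {@code UNKNOWN} first. A missing
     * certificate now fails the check explicitly. Previously {@code null} was
     * passed on to {@code checkDocSignature}, leaving the outcome to that
     * method's handling of a null argument.
     *
     * <p>The certificate used here comes from the document itself, so
     * {@code SUCCEEDED} only shows that the SOd is consistent with its
     * embedded certificate. Whether that certificate is trusted is decided
     * separately by {@code verifyCS}.
     */
    public void verifyDS() {
        try {
            this.verificationStatus.setDS(VerificationStatus.Verdict.UNKNOWN, "Unknown");
            SODFile sODFile = this.lds.getSODFile();
            X509Certificate docSigningCertificate = sODFile.getDocSigningCertificate();
            if (docSigningCertificate == null) {
                // Fail closed: there is nothing to verify the signature against.
                LOGGER.warning("Could not get document signer certificate from EF.SOd");
                this.verificationStatus.setDS(VerificationStatus.Verdict.FAILED, "Could not get document signer certificate from EF.SOd");
                return;
            }
            if (sODFile.checkDocSignature(docSigningCertificate)) {
                this.verificationStatus.setDS(VerificationStatus.Verdict.SUCCEEDED, "Signature checked");
            } else {
                this.verificationStatus.setDS(VerificationStatus.Verdict.FAILED, "Signature incorrect");
            }
        } catch (NoSuchAlgorithmException e) {
            this.verificationStatus.setDS(VerificationStatus.Verdict.FAILED, "Unsupported signature algorithm");
        } catch (Exception e2) {
            // Keep the stack trace, but send it through the class logger rather than stderr.
            LOGGER.log(java.util.logging.Level.WARNING, "Unexpected exception while checking the document signature", e2);
            this.verificationStatus.setDS(VerificationStatus.Verdict.FAILED, "Unexpected exception");
        }
    }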

    /**
     * Compares the hash of each data group listed in EF.SOd with the stored
     * hash and records the overall hash table verdict.
     *
     * <p>{@code verifyHash} is called once per data group number in the SOd
     * hash table. If the HT verdict is still {@code UNKNOWN} afterwards it
     * becomes {@code SUCCEEDED}. Otherwise the existing verdict and reason
     * are written back together with the collected results.
     *
     * <p>Caveats for callers:
     * <ul>
     *   <li>{@code SUCCEEDED} means no mismatch or error was recorded. The
     *       hash routine earlier in this file logs a warning and leaves the
     *       verdict untouched when a data group cannot be read, so such a
     *       group appears in the results without a computed hash. Inspect
     *       the per-group results as well as the verdict.</li>
     *   <li>An SOd with an empty hash table also ends in {@code SUCCEEDED}.</li>
     *   <li>The verdict is not reset here, so an earlier {@code FAILED}
     *       persists.</li>
     * </ul>
     */
    public void verifyHT() {
        Map<Integer, VerificationStatus.HashMatchResult> hashResults = this.verificationStatus.getHashResults();
        if (hashResults == null) {
            hashResults = new TreeMap<>();
        }
        try {
            for (Integer dataGroupNumber : this.lds.getSODFile().getDataGroupHashes().keySet()) {
                verifyHash(dataGroupNumber.intValue(), hashResults);
            }
            final boolean noFailureRecorded = this.verificationStatus.getHT().equals(VerificationStatus.Verdict.UNKNOWN);
            if (!noFailureRecorded) {
                // Keep the verdict and reason set by verifyHash, and attach the full result map.
                this.verificationStatus.setHT(this.verificationStatus.getHT(), this.verificationStatus.getHTReason(), hashResults);
            } else {
                this.verificationStatus.setHT(VerificationStatus.Verdict.SUCCEEDED, "All hashes match", hashResults);
            }
        } catch (Exception sodFailure) {
            this.verificationStatus.setHT(VerificationStatus.Verdict.FAILED, "No SOd", hashResults);
        }
    }

    /**
     * Runs the certificate chain, document signature and hash table checks,
     * plus Active Authentication when possible, and returns the status object.
     *
     * <p>Active Authentication is attempted only when a card service is
     * present and the LDS lists EF.DG15. Otherwise the AA verdict is left as
     * it was. Each check records its own verdict and this method does not
     * combine them, so callers must inspect every verdict they rely on and
     * must not treat {@code UNKNOWN} as a pass.
     *
     * @return the live verification status object, updated by the checks above
     */
    public VerificationStatus verifySecurity() {
        verifyCS();
        verifyDS();
        verifyHT();
        final boolean activeAuthenticationPossible = this.service != null
                && this.lds.getDataGroupList().contains(Short.valueOf(PassportService.EF_DG15));
        if (activeAuthenticationPossible) {
            verifyAA();
        }
        return this.verificationStatus;
    }
}
