package de.cotech.hw.fido2.internal.operations.ctap2;

import de.cotech.hw.fido2.PublicKeyCredential;
import de.cotech.hw.fido2.PublicKeyCredentialGet;
import de.cotech.hw.fido2.domain.CollectedClientData;
import de.cotech.hw.fido2.domain.PublicKeyCredentialDescriptor;
import de.cotech.hw.fido2.domain.PublicKeyCredentialUserEntity;
import de.cotech.hw.fido2.domain.UserVerificationRequirement;
import de.cotech.hw.fido2.domain.get.AssertionCreationData;
import de.cotech.hw.fido2.domain.get.AuthenticatorAssertionResponse;
import de.cotech.hw.fido2.domain.get.PublicKeyCredentialRequestOptions;
import de.cotech.hw.fido2.exceptions.FidoClientPinNotSetException;
import de.cotech.hw.fido2.exceptions.FidoClientPinNotSupportedException;
import de.cotech.hw.fido2.exceptions.FidoClientPinRequiredException;
import de.cotech.hw.fido2.exceptions.FidoInvalidCredentialException;
import de.cotech.hw.fido2.exceptions.FidoResidentKeyNoCredentialException;
import de.cotech.hw.fido2.exceptions.FidoResidentKeyNotSupportedException;
import de.cotech.hw.fido2.exceptions.FidoSecurityError;
import de.cotech.hw.fido2.internal.Fido2AppletConnection;
import de.cotech.hw.fido2.internal.cbor.CborPublicKeyCredentialDescriptorParser;
import de.cotech.hw.fido2.internal.ctap2.Ctap2Exception;
import de.cotech.hw.fido2.internal.ctap2.commands.getAssertion.AuthenticatorGetAssertion;
import de.cotech.hw.fido2.internal.ctap2.commands.getAssertion.AuthenticatorGetAssertionResponse;
import de.cotech.hw.fido2.internal.json.JsonCollectedClientDataSerializer;
import de.cotech.hw.fido2.internal.operations.WebauthnSecurityKeyOperation;
import de.cotech.hw.fido2.internal.pinauth.PinProtocolV1;
import de.cotech.hw.fido2.internal.pinauth.PinToken;
import de.cotech.hw.fido2.internal.utils.RelyingPartyIdUtils;
import de.cotech.hw.util.HashUtil;
import de.cotech.hw.util.HwTimber;
import java.io.IOException;
import java.util.List;

/* loaded from: classes2.dex */
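/**
 * Translates a WebAuthn "get" request into a CTAP2 authenticatorGetAssertion command, sends it
 * over the applet connection, and maps the authenticator's answer back to a
 * {@link PublicKeyCredential}.
 *
 * <p>A PIN token is obtained (or taken from the connection's cache) when a client PIN is
 * available, and is mandatory when the request asks for
 * {@link UserVerificationRequirement#REQUIRED}.
 */
public class AuthenticatorGetAssertionOperation extends WebauthnSecurityKeyOperation<PublicKeyCredential, PublicKeyCredentialGet> {
    private static final String CLIENT_DATA_TYPE_GET = "webauthn.get";

    // CTAP2 status codes that this operation maps to dedicated exceptions.
    private static final byte CTAP2_ERR_INVALID_CREDENTIAL = 0x22;
    private static final byte CTAP2_ERR_NO_CREDENTIALS = 0x2E;
    private static final byte CTAP2_ERR_PIN_REQUIRED = 0x36;

    private final CborPublicKeyCredentialDescriptorParser cborPublicKeyCredentialDescriptorParser;
    private final JsonCollectedClientDataSerializer jsonCollectedClientDataSerializer;
    private final PinProtocolV1 pinProtocolV1;
    private final RelyingPartyIdUtils relyingPartyIdUtils;

    /**
     * Creates the operation with the collaborators it delegates to.
     *
     * @param cborPublicKeyCredentialDescriptorParser parses the credential descriptor returned by the authenticator
     * @param pinProtocolV1 performs client PIN authentication and computes the pinAuth value
     * @param jsonCollectedClientDataSerializer serializes the collected client data to JSON
     * @param relyingPartyIdUtils determines the relying party id from origin and requested rpId
     */
    public AuthenticatorGetAssertionOperation(CborPublicKeyCredentialDescriptorParser cborPublicKeyCredentialDescriptorParser, PinProtocolV1 pinProtocolV1, JsonCollectedClientDataSerializer jsonCollectedClientDataSerializer, RelyingPartyIdUtils relyingPartyIdUtils) {
        this.cborPublicKeyCredentialDescriptorParser = cborPublicKeyCredentialDescriptorParser;
        this.pinProtocolV1 = pinProtocolV1;
        this.jsonCollectedClientDataSerializer = jsonCollectedClientDataSerializer;
        this.relyingPartyIdUtils = relyingPartyIdUtils;
    }

    /**
     * Returns the PIN token to authorize the assertion with, or {@code null} when no PIN is used.
     *
     * @throws FidoClientPinNotSupportedException if user verification is required but the
     *     authenticator reports no client PIN support
     * @throws FidoClientPinNotSetException if user verification is required but no PIN is set
     * @throws FidoClientPinRequiredException if user verification is required but the request
     *     carries no PIN
     * @throws IOException if PIN authentication fails
     */
    private PinToken acquirePinToken(Fido2AppletConnection fido2AppletConnection, PublicKeyCredentialGet publicKeyCredentialGet) throws IOException {
        // Read the cache once so the null check and the returned value cannot disagree.
        PinToken cachedToken = fido2AppletConnection.getCachedPinToken();
        if (cachedToken != null) {
            return cachedToken;
        }

        boolean pinSupported = fido2AppletConnection.isSupportClientPin();
        boolean pinSet = fido2AppletConnection.isClientPinSet();
        boolean pinProvided = publicKeyCredentialGet.clientPin() != null;

        if (publicKeyCredentialGet.options().userVerification() == UserVerificationRequirement.REQUIRED) {
            // Fail with the most specific reason instead of silently sending an unverified request.
            if (!pinSupported) {
                throw new FidoClientPinNotSupportedException();
            }
            if (!pinSet) {
                throw new FidoClientPinNotSetException();
            }
            if (!pinProvided) {
                throw new FidoClientPinRequiredException();
            }
        }

        // Without a required verification the PIN is optional: proceed without a token.
        if (!pinProvided || !pinSupported || !pinSet) {
            return null;
        }

        PinToken freshToken = this.pinProtocolV1.clientPinAuthenticate(fido2AppletConnection, publicKeyCredentialGet.clientPin(), publicKeyCredentialGet.lastAttemptOk());
        // Cached on the connection so later operations skip re-authentication.
        fido2AppletConnection.setCachedPinToken(freshToken);
        return freshToken;
    }

    /**
     * Builds the WebAuthn credential from the CTAP2 getAssertion response.
     *
     * @throws IOException if the credential id cannot be determined
     */
    private PublicKeyCredential ctap2ResponseToWebauthnResponse(PublicKeyCredentialGet publicKeyCredentialGet, AuthenticatorGetAssertionResponse authenticatorGetAssertionResponse) throws IOException {
        byte[] credentialId = determinePublicKeyCredentialId(publicKeyCredentialGet, authenticatorGetAssertionResponse);
        PublicKeyCredentialUserEntity user = authenticatorGetAssertionResponse.user();
        // The user handle is only present when the authenticator returned a user entity.
        byte[] userHandle = user != null ? user.id() : null;

        AssertionCreationData assertionData = AssertionCreationData.create(
                credentialId,
                authenticatorGetAssertionResponse.clientDataJSON(),
                authenticatorGetAssertionResponse.authData(),
                authenticatorGetAssertionResponse.signature(),
                userHandle);
        AuthenticatorAssertionResponse assertionResponse = AuthenticatorAssertionResponse.create(
                assertionData.clientDataJSONResult(),
                assertionData.authenticatorDataResult(),
                assertionData.signatureResult(),
                assertionData.userHandleResult());
        return PublicKeyCredential.create(assertionData.credentialIdResult(), assertionResponse);
    }

    /**
     * Picks the credential id to report for the assertion.
     *
     * <p>With exactly one entry in {@code allowCredentials} that entry's id is returned and the
     * response's credential field is not consulted; otherwise the id is parsed from the
     * credential the authenticator transmitted.
     *
     * @throws IOException if the id must come from the response but no credential was transmitted
     */
    private byte[] determinePublicKeyCredentialId(PublicKeyCredentialGet publicKeyCredentialGet, AuthenticatorGetAssertionResponse authenticatorGetAssertionResponse) throws IOException {
        List<PublicKeyCredentialDescriptor> allowCredentials = publicKeyCredentialGet.options().allowCredentials();
        if (allowCredentials != null && allowCredentials.size() == 1) {
            // NOTE(review): the id is taken from the request, not cross-checked against the
            // response; a mismatch would only surface when the relying party verifies the signature.
            return allowCredentials.get(0).id();
        }
        if (authenticatorGetAssertionResponse.credential() == null) {
            throw new IOException("Authenticator failed to transmit credential!");
        }
        Integer numberOfCredentials = authenticatorGetAssertionResponse.numberOfCredentials();
        if (numberOfCredentials != null && numberOfCredentials > 1) {
            HwTimber.d("More than one credential returned, but not supported. Returning first.", new Object[0]);
        }
        return this.cborPublicKeyCredentialDescriptorParser.parse(authenticatorGetAssertionResponse.credential()).id();
    }

    /**
     * Runs the getAssertion exchange with the authenticator.
     *
     * @throws FidoResidentKeyNotSupportedException if no {@code allowCredentials} were given and
     *     the authenticator reports no resident key support
     * @throws FidoResidentKeyNoCredentialException if the authenticator reports no usable
     *     credential for a request without {@code allowCredentials}
     * @throws FidoInvalidCredentialException if the authenticator reports no usable credential
     *     for a request with {@code allowCredentials}
     * @throws FidoClientPinRequiredException if the authenticator demands a PIN
     * @throws IOException on any other communication or protocol failure
     */
    @Override
    public PublicKeyCredential performWebauthnSecurityKeyOperation(Fido2AppletConnection fido2AppletConnection, PublicKeyCredentialGet publicKeyCredentialGet) throws IOException {
        List<PublicKeyCredentialDescriptor> allowCredentials = publicKeyCredentialGet.options().allowCredentials();
        // An empty allow list means the authenticator has to find a resident credential itself.
        boolean residentKeyLookup = allowCredentials == null || allowCredentials.isEmpty();
        if (residentKeyLookup && !fido2AppletConnection.isSupportResidentKeys()) {
            throw new FidoResidentKeyNotSupportedException();
        }

        PinToken pinToken = acquirePinToken(fido2AppletConnection, publicKeyCredentialGet);
        AuthenticatorGetAssertion command = webauthnCommandToCtap2Command(publicKeyCredentialGet, pinToken);
        // NOTE(review): this logs the command's toString() at debug level; if that rendering
        // includes clientDataJSON or pinAuth, confirm debug logging is disabled in release builds.
        HwTimber.d(command.toString(), new Object[0]);

        try {
            AuthenticatorGetAssertionResponse response =
                    (AuthenticatorGetAssertionResponse) fido2AppletConnection.ctap2CommunicateOrThrow(command);
            return ctap2ResponseToWebauthnResponse(publicKeyCredentialGet, response);
        } catch (Ctap2Exception e) {
            byte errorCode = e.ctapErrorResponse.errorCode();
            if (errorCode == CTAP2_ERR_INVALID_CREDENTIAL || errorCode == CTAP2_ERR_NO_CREDENTIALS) {
                if (residentKeyLookup) {
                    throw new FidoResidentKeyNoCredentialException();
                }
                throw new FidoInvalidCredentialException();
            }
            if (errorCode == CTAP2_ERR_PIN_REQUIRED) {
                throw new FidoClientPinRequiredException();
            }
            // Any other status code is passed through unchanged.
            throw e;
        }
    }

    /**
     * Builds the CTAP2 getAssertion command for a WebAuthn request.
     *
     * <p>The client data JSON is assembled here from the request's challenge and origin, and its
     * SHA-256 hash is what the command carries as client data hash. When a PIN token is given,
     * a pinAuth value over that hash is attached.
     *
     * @param publicKeyCredentialGet the WebAuthn request
     * @param pinToken PIN token to authorize with, or {@code null} to send no pinAuth
     * @return the command to send to the authenticator
     * @throws FidoSecurityError declared for relying party id determination; the exact
     *     conditions are decided by {@link RelyingPartyIdUtils}
     */
    public AuthenticatorGetAssertion webauthnCommandToCtap2Command(PublicKeyCredentialGet publicKeyCredentialGet, PinToken pinToken) throws FidoSecurityError {
        PublicKeyCredentialRequestOptions options = publicKeyCredentialGet.options();
        String origin = publicKeyCredentialGet.origin();
        String rpId = this.relyingPartyIdUtils.determineRelyingPartyId(origin, options.rpId());

        CollectedClientData clientData = CollectedClientData.create(CLIENT_DATA_TYPE_GET, options.challenge(), origin, "SHA-256");
        String clientDataJson = this.jsonCollectedClientDataSerializer.clientClientDataToJson(clientData);
        byte[] clientDataHash = HashUtil.sha256(clientDataJson);

        if (pinToken == null) {
            return AuthenticatorGetAssertion.create(rpId, clientDataHash, clientDataJson, options.allowCredentials(), null);
        }
        byte[] pinAuth = this.pinProtocolV1.calculatePinAuth(pinToken, clientDataHash);
        // NOTE(review): the trailing 1 is presumably the PIN protocol version; confirm against
        // AuthenticatorGetAssertion.create.
        return AuthenticatorGetAssertion.create(rpId, clientDataHash, clientDataJson, options.allowCredentials(), null, pinAuth, 1);
    }
}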
