package de.cotech.hw.fido2.internal.operations.ctap2;

import android.net.Uri;
import de.cotech.hw.fido2.PublicKeyCredential;
import de.cotech.hw.fido2.PublicKeyCredentialCreate;
import de.cotech.hw.fido2.domain.CollectedClientData;
import de.cotech.hw.fido2.domain.PublicKeyCredentialRpEntity;
import de.cotech.hw.fido2.domain.UserVerificationRequirement;
import de.cotech.hw.fido2.domain.create.AttestationObject;
import de.cotech.hw.fido2.domain.create.CredentialCreationData;
import de.cotech.hw.fido2.domain.create.PublicKeyCredentialCreationOptions;
import de.cotech.hw.fido2.exceptions.FidoClientPinNotSetException;
import de.cotech.hw.fido2.exceptions.FidoClientPinNotSupportedException;
import de.cotech.hw.fido2.exceptions.FidoClientPinRequiredException;
import de.cotech.hw.fido2.exceptions.FidoSecurityError;
import de.cotech.hw.fido2.internal.Fido2AppletConnection;
import de.cotech.hw.fido2.internal.ctap2.Ctap2Exception;
import de.cotech.hw.fido2.internal.ctap2.commands.makeCredential.AuthenticatorMakeCredential;
import de.cotech.hw.fido2.internal.ctap2.commands.makeCredential.AuthenticatorMakeCredentialResponse;
import de.cotech.hw.fido2.internal.json.JsonCollectedClientDataSerializer;
import de.cotech.hw.fido2.internal.operations.WebauthnSecurityKeyOperation;
import de.cotech.hw.fido2.internal.pinauth.PinProtocolV1;
import de.cotech.hw.fido2.internal.pinauth.PinToken;
import de.cotech.hw.fido2.internal.webauthn.ConstructCredentialAlg;
import de.cotech.hw.util.HashUtil;
import de.cotech.hw.util.HwTimber;
import java.io.IOException;

/* loaded from: classes2.dex */
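/**
 * Runs a WebAuthn credential-creation request against a CTAP2 authenticator.
 *
 * <p>The operation translates the request into an {@link AuthenticatorMakeCredential} command
 * (binding the RP ID to the caller origin and hashing the client data), optionally authorises it
 * with a PIN token, sends it over the {@link Fido2AppletConnection} and converts the response back
 * into a {@link PublicKeyCredential}.
 */
public class AuthenticatorMakeCredentialOperation extends WebauthnSecurityKeyOperation<PublicKeyCredential, PublicKeyCredentialCreate> {
    private static final String CLIENT_DATA_TYPE_CREATE = "webauthn.create";
    /** CTAP2 status code CTAP2_ERR_PIN_REQUIRED (0x36, decimal 54). */
    private static final int CTAP2_ERR_PIN_REQUIRED = 0x36;
    /** PIN protocol version sent together with pinAuth. */
    private static final int PIN_PROTOCOL_VERSION = 1;

    private final ConstructCredentialAlg constructCredentialAlg;
    private final PinProtocolV1 pinProtocolV1;

    /**
     * @param constructCredentialAlg builds the WebAuthn credential from the authenticator response
     * @param pinProtocolV1 client PIN protocol used to obtain PIN tokens and compute pinAuth
     */
    public AuthenticatorMakeCredentialOperation(ConstructCredentialAlg constructCredentialAlg, PinProtocolV1 pinProtocolV1) {
        this.constructCredentialAlg = constructCredentialAlg;
        this.pinProtocolV1 = pinProtocolV1;
    }

    /**
     * Returns the PIN token to authorise the command with, or {@code null} when the command is
     * sent without pinAuth.
     *
     * <p>A token cached on the connection is reused as-is. Otherwise, when the request demands
     * user verification, a missing PIN capability, an unset PIN or an absent PIN is reported with
     * a dedicated exception; when user verification is not required those same conditions simply
     * yield {@code null}. A freshly obtained token is cached on the connection.
     *
     * @throws FidoClientPinNotSupportedException user verification required, no client PIN support
     * @throws FidoClientPinNotSetException user verification required, no PIN configured
     * @throws FidoClientPinRequiredException user verification required, caller supplied no PIN
     * @throws IOException if the PIN exchange with the authenticator fails
     */
    private PinToken acquirePinToken(Fido2AppletConnection connection, PublicKeyCredentialCreate request) throws IOException {
        // NOTE(review): a cached token is returned without re-validation and nothing in this class
        // clears it when the authenticator later rejects it — confirm the connection handles that.
        PinToken cachedToken = connection.getCachedPinToken();
        if (cachedToken != null) {
            return cachedToken;
        }

        boolean verificationRequired =
                request.options().authenticatorSelection().userVerification() == UserVerificationRequirement.REQUIRED;
        if (verificationRequired) {
            // Fail closed: with REQUIRED we never fall through to an unauthenticated command.
            if (!connection.isSupportClientPin()) {
                throw new FidoClientPinNotSupportedException();
            }
            if (!connection.isClientPinSet()) {
                throw new FidoClientPinNotSetException();
            }
            if (request.clientPin() == null) {
                throw new FidoClientPinRequiredException();
            }
        }

        // Verification is optional from here on: without a usable PIN the command goes out
        // without pinAuth and the authenticator decides whether to accept it.
        if (request.clientPin() == null || !connection.isSupportClientPin() || !connection.isClientPinSet()) {
            return null;
        }

        PinToken freshToken = this.pinProtocolV1.clientPinAuthenticate(connection, request.clientPin(), request.lastAttemptOk());
        connection.setCachedPinToken(freshToken);
        return freshToken;
    }

    /**
     * Wraps the authenticator's makeCredential response (fmt, authData, attStmt and the client
     * data JSON) into a WebAuthn {@link PublicKeyCredential}, passing along the attestation
     * preference from the request options.
     */
    private PublicKeyCredential ctap2ToWebauthnResponse(PublicKeyCredentialCreate request, AuthenticatorMakeCredentialResponse response) throws IOException {
        AttestationObject attestationObject = AttestationObject.create(response.fmt(), response.authData(), response.attStmt());
        CredentialCreationData creationData =
                CredentialCreationData.create(attestationObject, response.clientDataJSON(), request.options().attestation());
        return this.constructCredentialAlg.publicKeyCredential(creationData);
    }

    /**
     * Builds the CTAP2 command, sends it and converts the response.
     *
     * @throws FidoClientPinRequiredException if the authenticator answers CTAP2_ERR_PIN_REQUIRED
     * @throws Ctap2Exception for every other CTAP2 error status (rethrown unchanged)
     * @throws IOException on transport failure or a failed PIN exchange
     */
    @Override // de.cotech.hw.fido2.internal.operations.WebauthnSecurityKeyOperation
    public PublicKeyCredential performWebauthnSecurityKeyOperation(Fido2AppletConnection fido2AppletConnection, PublicKeyCredentialCreate publicKeyCredentialCreate) throws IOException {
        PinToken pinToken = acquirePinToken(fido2AppletConnection, publicKeyCredentialCreate);
        AuthenticatorMakeCredential command = webauthnToCtap2Command(publicKeyCredentialCreate, pinToken);
        // NOTE(review): the command is built from clientDataJSON, the user entity and pinAuth;
        // toString() presumably renders them — confirm debug logging is off in release builds.
        HwTimber.d(command.toString(), new Object[0]);
        try {
            AuthenticatorMakeCredentialResponse response =
                    (AuthenticatorMakeCredentialResponse) fido2AppletConnection.ctap2CommunicateOrThrow(command);
            return ctap2ToWebauthnResponse(publicKeyCredentialCreate, response);
        } catch (Ctap2Exception e) {
            // Translate "PIN required" into the exception callers use to prompt for a PIN;
            // all other status codes propagate untouched.
            if (e.ctapErrorResponse.errorCode() == CTAP2_ERR_PIN_REQUIRED) {
                throw new FidoClientPinRequiredException();
            }
            throw e;
        }
    }

    /**
     * Translates a WebAuthn create request into a CTAP2 authenticatorMakeCredential command.
     *
     * <p>The RP ID is bound to the caller origin: a missing RP ID defaults to the origin host, and
     * an explicit RP ID must equal the origin host exactly. That is stricter than the registrable
     * domain suffix rule the error message alludes to; parent-domain RP IDs are rejected.
     *
     * @param publicKeyCredentialCreate the request (origin, options, optional PIN)
     * @param pinToken token used to compute pinAuth, or {@code null} to send no pinAuth
     * @return the command ready to be sent to the authenticator
     * @throws FidoSecurityError if the RP ID does not match the origin host, or if the RP ID has
     *     to be derived from an origin that carries no host
     */
    public AuthenticatorMakeCredential webauthnToCtap2Command(PublicKeyCredentialCreate publicKeyCredentialCreate, PinToken pinToken) throws FidoSecurityError {
        // NOTE(review): only the host of the origin is inspected here; the scheme is not checked
        // in this method — presumably enforced by the caller, confirm.
        String originHost = Uri.parse(publicKeyCredentialCreate.origin()).getHost();
        PublicKeyCredentialCreationOptions options = publicKeyCredentialCreate.options();
        PublicKeyCredentialRpEntity rp = options.rp();
        String requestedRpId = rp.id();
        if (requestedRpId == null) {
            // Uri.getHost() returns null for URIs without an authority. Never let a null or empty
            // RP ID reach the authenticator: the credential would not be scoped to any origin.
            if (originHost == null || originHost.isEmpty()) {
                throw new FidoSecurityError("Security error: caller origin has no host to derive rpId from!");
            }
            rp = rp.withId(originHost);
        } else if (!requestedRpId.equals(originHost)) {
            throw new FidoSecurityError("Security error: rpId is not a valid subdomain of caller origin!");
        }

        // The authenticator signs over the SHA-256 of exactly this JSON string, so the same
        // string is carried along in the command for the later response.
        CollectedClientData clientData =
                CollectedClientData.create(CLIENT_DATA_TYPE_CREATE, options.challenge(), publicKeyCredentialCreate.origin(), "SHA-256");
        String clientDataJson = new JsonCollectedClientDataSerializer().clientClientDataToJson(clientData);
        byte[] clientDataHash = HashUtil.sha256(clientDataJson);

        // Options are sent only for resident keys; arguments are presumably (rk=true, uv=false) — confirm.
        AuthenticatorMakeCredential.AuthenticatorMakeCredentialOptions commandOptions = null;
        if (options.authenticatorSelection().requireResidentKey()) {
            commandOptions = AuthenticatorMakeCredential.AuthenticatorMakeCredentialOptions.create(true, false);
        }

        if (pinToken == null) {
            // No token: pinAuth and pinProtocol are both omitted.
            return AuthenticatorMakeCredential.create(clientDataHash, clientDataJson, rp, options.user(), options.pubKeyCredParams(), options.excludeCredentials(), commandOptions, null, null);
        }
        return AuthenticatorMakeCredential.create(clientDataHash, clientDataJson, rp, options.user(), options.pubKeyCredParams(), options.excludeCredentials(), commandOptions, this.pinProtocolV1.calculatePinAuth(pinToken, clientDataHash), PIN_PROTOCOL_VERSION);
    }
}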
