package com.facebook.delegatedrecovery;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.InvalidParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.util.Arrays;
import java.util.Base64;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERSequenceGenerator;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
import org.bouncycastle.crypto.signers.ECDSASigner;
import org.bouncycastle.crypto.signers.HMacDSAKCalculator;

/* loaded from: input_file:com/facebook/delegatedrecovery/RecoveryToken.class */
public class RecoveryToken {
    public static final byte NO_OPTIONS = 0;
    public static final byte STATUS_REQUESTED_FLAG = 1;
    public static final byte VERSION = 0;
    public static final byte TYPE_RECOVERY_TOKEN = 0;
    public static final byte TYPE_COUNTERSIGNED_TOKEN = 1;
    protected byte type;
    protected byte version;
    protected byte[] id;
    protected byte options;
    protected String issuer;
    protected String audience;
    protected String issuedTime;
    protected byte[] data;
    protected byte[] binding;
    protected byte[] signature;
    protected byte[] decoded;
    protected String encoded;

    public RecoveryToken(ECPrivateKey eCPrivateKey, byte[] bArr, byte b, String str, String str2, byte[] bArr2, byte[] bArr3) throws InvalidOriginException, IOException {
        if (bArr == null || bArr.length != 16) {
            throw new InvalidParameterException("token id must be byte[16]");
        }
        DelegatedRecoveryUtils.validateOrigin(str);
        DelegatedRecoveryUtils.validateOrigin(str2);
        this.version = (byte) 0;
        this.type = (byte) 0;
        this.id = (byte[]) bArr.clone();
        this.options = b;
        this.issuer = str;
        this.audience = str2;
        this.data = (byte[]) bArr2.clone();
        this.binding = (byte[]) bArr3.clone();
        this.issuedTime = DelegatedRecoveryUtils.nowISO8601();
        byte[] bArr4 = new byte[21 + str.length() + 2 + str2.length() + 2 + this.issuedTime.length() + 2 + bArr2.length + 2 + bArr3.length];
        ByteBuffer.wrap(bArr4).put((byte) 0).put((byte) 0).put(bArr).put(b).putChar((char) str.length()).put(str.getBytes(StandardCharsets.US_ASCII)).putChar((char) str2.length()).put(str2.getBytes(StandardCharsets.US_ASCII)).putChar((char) this.issuedTime.length()).put(this.issuedTime.getBytes(StandardCharsets.US_ASCII)).putChar((char) bArr2.length).put(bArr2).putChar((char) bArr3.length).put(bArr3);
        this.signature = getSignature(bArr4, eCPrivateKey);
        this.decoded = new byte[bArr4.length + this.signature.length];
        System.arraycopy(bArr4, 0, this.decoded, 0, bArr4.length);
        System.arraycopy(this.signature, 0, this.decoded, bArr4.length, this.signature.length);
        this.encoded = Base64.getEncoder().encodeToString(this.decoded);
    }

    public boolean isSignatureValid(ECPublicKey[] eCPublicKeyArr) throws InvalidKeyException, SignatureException {
        try {
            Signature signature = Signature.getInstance("SHA256withECDSA");
            for (ECPublicKey eCPublicKey : eCPublicKeyArr) {
                signature.initVerify(eCPublicKey);
                signature.update(Arrays.copyOfRange(this.decoded, 0, this.decoded.length - this.signature.length));
                if (signature.verify(this.signature)) {
                    return true;
                }
            }
            return false;
        } catch (NoSuchAlgorithmException e) {
            throw new Error(e.getMessage());
        }
    }

    public RecoveryToken(String str) throws InvalidOriginException {
        try {
            this.encoded = str;
            this.decoded = Base64.getDecoder().decode(str);
            this.version = this.decoded[0];
            int i = 0 + 1;
            this.type = this.decoded[i];
            int i2 = i + 1;
            this.id = Arrays.copyOfRange(this.decoded, i2, i2 + 16);
            int i3 = i2 + 16;
            this.options = this.decoded[i3];
            int i4 = i3 + 1;
            int i5 = ((this.decoded[i4] << 8) & 65280) | (this.decoded[i4 + 1] & 255);
            int i6 = i4 + 2;
            this.issuer = new String(Arrays.copyOfRange(this.decoded, i6, i6 + i5), "US-ASCII");
            int i7 = i6 + i5;
            int i8 = ((this.decoded[i7] << 8) & 65280) | (this.decoded[i7 + 1] & 255);
            int i9 = i7 + 2;
            this.audience = new String(Arrays.copyOfRange(this.decoded, i9, i9 + i8), "US-ASCII");
            int i10 = i9 + i8;
            int i11 = ((this.decoded[i10] << 8) & 65280) | (this.decoded[i10 + 1] & 255);
            int i12 = i10 + 2;
            this.issuedTime = new String(Arrays.copyOfRange(this.decoded, i12, i12 + i11), "US-ASCII");
            int i13 = i12 + i11;
            int i14 = ((this.decoded[i13] << 8) & 65280) | (this.decoded[i13 + 1] & 255);
            int i15 = i13 + 2;
            this.data = Arrays.copyOfRange(this.decoded, i15, i15 + i14);
            int i16 = i15 + i14;
            int i17 = ((this.decoded[i16] << 8) & 65280) | (this.decoded[i16 + 1] & 255);
            int i18 = i16 + 2;
            this.binding = Arrays.copyOfRange(this.decoded, i18, i18 + i17);
            this.signature = Arrays.copyOfRange(this.decoded, i18 + i17, this.decoded.length);
            commonSanityCheck();
            typedSanityCheck();
        } catch (UnsupportedEncodingException e) {
            throw new Error(e.getMessage());
        }
    }

    protected void commonSanityCheck() throws InvalidOriginException {
        if (this.version != 0) {
            throw new IllegalArgumentException("illegal version");
        }
        DelegatedRecoveryUtils.validateOrigin(this.issuer);
        DelegatedRecoveryUtils.validateOrigin(this.audience);
    }

    protected void typedSanityCheck() {
        if (this.type != 1) {
            throw new IllegalArgumentException("illegal token type");
        }
    }

    private byte[] getSignature(byte[] bArr, ECPrivateKey eCPrivateKey) throws IOException {
        if (this.signature != null) {
            throw new IllegalStateException("This token already has a signature.");
        }
        BigInteger s = eCPrivateKey.getS();
        SHA256Digest sHA256Digest = new SHA256Digest();
        byte[] bArr2 = new byte[sHA256Digest.getByteLength()];
        sHA256Digest.update(bArr, 0, bArr.length);
        sHA256Digest.doFinal(bArr2, 0);
        ECDSASigner eCDSASigner = new ECDSASigner(new HMacDSAKCalculator(new SHA256Digest()));
        eCDSASigner.init(true, new ECPrivateKeyParameters(s, DelegatedRecoveryUtils.P256_DOMAIN_PARAMS));
        BigInteger[] generateSignature = eCDSASigner.generateSignature(bArr2);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        DERSequenceGenerator dERSequenceGenerator = new DERSequenceGenerator(byteArrayOutputStream);
        dERSequenceGenerator.addObject(new ASN1Integer(generateSignature[0]));
        dERSequenceGenerator.addObject(new ASN1Integer(generateSignature[1]));
        dERSequenceGenerator.close();
        return byteArrayOutputStream.toByteArray();
    }

    public byte getType() {
        return this.type;
    }

    public byte getVersion() {
        return this.version;
    }

    public byte[] getId() {
        if (this.id == null) {
            return null;
        }
        return (byte[]) this.id.clone();
    }

    public byte getOptions() {
        return this.options;
    }

    public String getIssuer() {
        return this.issuer;
    }

    public String getAudience() {
        return this.audience;
    }

    public String getIssuedTime() {
        if (this.signature == null) {
            throw new IllegalStateException("This token has not been signed.  Call getSigned(privateKey) first.");
        }
        return this.issuedTime;
    }

    public byte[] getData() {
        if (this.data == null) {
            return null;
        }
        return (byte[]) this.data.clone();
    }

    public byte[] getBinding() {
        if (this.binding == null) {
            return null;
        }
        return (byte[]) this.binding.clone();
    }

    public byte[] getSignature() {
        if (this.signature == null) {
            return null;
        }
        return (byte[]) this.signature.clone();
    }

    public String getEncoded() throws IllegalStateException {
        return this.encoded;
    }
}
