package org.opendof.core.internal.protocol.trp;

import java.security.MessageDigest;
import java.util.Arrays;
import org.opendof.core.internal.core.OALChannel;
import org.opendof.core.internal.core.OALOperation;
import org.opendof.core.internal.protocol.ConnectionStack;
import org.opendof.core.internal.protocol.Marshallable;
import org.opendof.core.internal.protocol.PacketData;
import org.opendof.core.internal.protocol.security.AuthenticationException;
import org.opendof.core.internal.protocol.security.Authenticator;
import org.opendof.core.internal.protocol.security.EncryptionUtil;
import org.opendof.core.internal.protocol.security.credentials.Credentials;
import org.opendof.core.internal.util.BufferedPacket;
import org.opendof.core.oal.DOF;
import org.opendof.core.oal.DOFMarshalContext;
import org.opendof.core.oal.DOFMarshalException;
import org.opendof.core.oal.DOFPacket;
import org.opendof.core.oal.security.DOFAuthenticationFailedException;
import org.opendof.core.oal.security.DOFSecurityException;
import org.opendof.core.oal.security.DOFSecurityMode;

/* loaded from: input_file:org/opendof/core/internal/protocol/trp/KEKOperation.class */
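/**
 * TRP operation that carries a KEK request (command side) or the matching KEK response, and that
 * verifies a received response before handing out the session key.
 *
 * <p>An instance holds a request, a response, or both. {@link #getKEKResponse()} authenticates the
 * response by recomputing {@code EncryptionUtil.hmac_SHA256} over the shared secret, the domain ID,
 * the request block, the response block and the session key, and comparing the result with the MAC
 * carried in the ticket.
 *
 * <p>The request, response and key fields are {@code volatile}; only {@link #getKEKResponse()} is
 * {@code synchronized}.
 */
public class KEKOperation extends TRPOperation implements Marshallable {
    public static final short OPCODE = 1;
    private volatile Authenticator.RequestKEK kekRequest;
    private volatile Authenticator.RequestKEKResponse kekResponse;
    // Session key recovered from the ticket; set only after the ticket MAC has been verified.
    private volatile byte[] kek;

    /**
     * Creates the command side of the operation from an already-built request.
     *
     * @param state operation state passed to the superclass
     * @param requestKEK the KEK request to send; its key request supplies the domain
     * @param credentials credentials later used by {@link #getKEKResponse()} to verify the response
     * @param oALChannel channel passed to the superclass
     * @param s application version/id value passed to the superclass
     * @throws IllegalArgumentException if the request's domain is a broadcast domain or carries attributes
     */
    public KEKOperation(OALOperation.State state, Authenticator.RequestKEK requestKEK, Credentials credentials, OALChannel oALChannel, short s) {
        super(credentials, state, oALChannel, null, s);
        this.kekRequest = requestKEK;
        this.domain = this.kekRequest.getRequestBlock().getKeyRequest().getDomainID();
        // A KEK request must name one concrete domain.
        if (this.domain.isBroadcast() || this.domain.hasAttributes()) {
            throw new IllegalArgumentException("KEKOperation: domain.isBroadcast() || domain.hasAttributes()");
        }
    }

    /**
     * Creates the response side of the operation from an already-built response.
     *
     * @param state operation state passed to the superclass
     * @param requestKEKResponse the response to send back
     * @param s application version/id value passed to the superclass
     */
    public KEKOperation(OALOperation.State state, Authenticator.RequestKEKResponse requestKEKResponse, short s) {
        super(null, state, null, null, s);
        this.kekResponse = requestKEKResponse;
    }

    /**
     * Unmarshals an operation from a received packet.
     *
     * <p>In {@link DOFMarshalContext#COMMAND} context the packet is parsed as a request and its domain
     * is validated. In any other context the packet is parsed as a response; the domain is copied
     * from the operation registered under the packet's operation ID, when one exists.
     *
     * @param packetData received packet metadata (operation state and application version)
     * @param dOFMarshalContext marshal context selecting request or response parsing
     * @param obj opaque marshal argument forwarded to the request parser
     * @param bufferedPacket packet bytes to parse
     * @throws DOFMarshalException if the request domain is a broadcast domain or carries attributes,
     *     or if the operation registered under the response's operation ID is not a KEK operation
     */
    public KEKOperation(PacketData packetData, DOFMarshalContext dOFMarshalContext, Object obj, BufferedPacket bufferedPacket) throws DOFMarshalException {
        super(null, packetData.opState, null, null, packetData.appVersion);
        if (dOFMarshalContext != DOFMarshalContext.COMMAND) {
            OALOperation operation = packetData.opState.getCore().getOperation(packetData.opState.getOperationID());
            if (operation != null) {
                // The operation ID is taken from the received packet's state, so the lookup can
                // return an operation of another type; fail the unmarshal instead of letting a
                // ClassCastException escape.
                if (!(operation instanceof KEKOperation)) {
                    throw new DOFMarshalException("KEKOperation unmarshal failed: operation is not a KEKOperation", null);
                }
                this.domain = ((KEKOperation) operation).domain;
            }
            this.kekResponse = new Authenticator.RequestKEKResponse(packetData, dOFMarshalContext, this.domain, bufferedPacket);
            return;
        }
        this.kekRequest = new Authenticator.RequestKEK(dOFMarshalContext, obj, bufferedPacket);
        this.domain = this.kekRequest.getDomain();
        if (this.domain.hasAttributes() || this.domain.isBroadcast()) {
            throw new DOFMarshalException("KEKOperation unmarshal failed: domain.hasAttributes() || domain.isBroadcast()", null);
        }
    }

    /**
     * Answers the stored request through the given authenticator.
     *
     * <p>On success a response operation is sent. An {@link AuthenticationException} is answered with
     * a {@link RejectOperation} carrying the exception's error code; any other exception is answered
     * with {@code AuthenticationException.INTERNAL_ERROR}, so the peer does not see internal detail.
     * The operation is marked complete in every case.
     *
     * @param authenticator authenticator that produces the KEK response
     */
    @Override // org.opendof.core.internal.protocol.trp.TRPOperation
    public void process(Authenticator authenticator) {
        try {
            respond(new KEKOperation(
                    getState().asResponse(),
                    authenticator.requestKEK(this.kekRequest, DefaultTRP.getCipherAlgorithm(this.appid)),
                    this.appid));
        } catch (AuthenticationException e) {
            // Expected failure path (bad credentials etc.): logged at DEBUG only.
            if (DOF.Log.isLogDebug()) {
                DOF.Log.message(DOF.Log.Level.DEBUG, describeRequester(authenticator) + ", requestKEK failed with authentication error", e);
            }
            respond(new RejectOperation(getState().asResponse(), e.getErrorCode(), this.appid));
        } catch (Exception e2) {
            if (DOF.Log.isLogWarn()) {
                DOF.Log.message(DOF.Log.Level.WARN, describeRequester(authenticator) + ", requestKEK failed with internal error", e2);
            }
            respond(new RejectOperation(getState().asResponse(), AuthenticationException.INTERNAL_ERROR, this.appid));
        }
        asyncSetComplete();
    }

    /** Builds the log prefix naming the authenticator's domain and, when a request is held, its group. */
    private String describeRequester(Authenticator authenticator) {
        String text = "Authenticator for domain " + authenticator.getDomainID();
        Authenticator.RequestKEK request = this.kekRequest;
        if (request != null) {
            text = text + " identity " + request.getRequestBlock().getGroup();
        }
        return text;
    }

    /**
     * Returns the KEK request: this operation's own request, or the one held by its command operation.
     *
     * @return the request, or {@code null} when this operation holds none and its command operation
     *     is missing or is not a {@code KEKOperation}
     */
    public Authenticator.RequestKEK getKEKRequest() {
        Authenticator.RequestKEK own = this.kekRequest;
        if (own != null) {
            return own;
        }
        Object command = getCommandOperation();
        return command instanceof KEKOperation ? ((KEKOperation) command).kekRequest : null;
    }

    /**
     * Returns the KEK response after verifying the ticket MAC against the request that produced it.
     *
     * <p>The first successful call caches the request, the response and the session key; later calls
     * return the cached response without re-verifying.
     *
     * @return the verified response
     * @throws DOFSecurityException if no request, response or credentials are available, or (as an
     *     {@link AuthenticationException}) if the peer rejected the request
     * @throws DOFAuthenticationFailedException if the ticket MAC does not match
     */
    public synchronized Authenticator.RequestKEKResponse getKEKResponse() throws DOFSecurityException {
        Authenticator.RequestKEKResponse response;
        Authenticator.RequestKEK request;
        if (this.kekRequest == null) {
            // Response-side instance: the request lives on the command operation.
            request = getKEKRequest();
            response = this.kekResponse;
        } else {
            if (this.kekResponse != null) {
                // Both fields are only set together below, after a successful MAC check.
                return this.kekResponse;
            }
            // Read the first response once so the type checks and the cast see the same object.
            Object first = getFirstResponse();
            if (first instanceof RejectOperation) {
                // 805306368 == 0x30000000; NOTE(review): presumably an error-class prefix for
                // peer-reported errors -- confirm against AuthenticationException.
                throw new AuthenticationException(805306368 | ((RejectOperation) first).getError());
            }
            if (!(first instanceof KEKOperation)) {
                // Covers a missing response and a response of an unexpected operation type.
                throw new DOFSecurityException("No KEK response");
            }
            response = ((KEKOperation) first).kekResponse;
            request = this.kekRequest;
        }
        if (response == null) {
            throw new DOFSecurityException("No KEK response");
        }
        if (request == null) {
            throw new DOFSecurityException("No KEK request");
        }
        if (getCredentials() == null) {
            throw new DOFSecurityException("Credentials not known.");
        }
        byte[] requestBytes = request.getRequestBlock().getBytes();
        byte[] sharedSecret = getCredentials().getSharedSecret();
        byte[] sessionKey = response.getTicket().getSessionKey(sharedSecret);
        byte[] responseBytes = response.getResponseBlock().getBytes();
        byte[] expectedMac = EncryptionUtil.hmac_SHA256(
                sharedSecret,
                request.getRequestBlock().getKeyRequest().getDomainID(),
                requestBytes, 0, requestBytes.length,
                null, 0, 0,
                responseBytes, 0, responseBytes.length,
                sessionKey);
        // Compare MACs with MessageDigest.isEqual rather than Arrays.equals: Arrays.equals returns
        // at the first differing byte, which makes the comparison time depend on how much of a
        // forged MAC is correct.
        if (!MessageDigest.isEqual(response.getTicket().mac, expectedMac)) {
            throw new DOFAuthenticationFailedException();
        }
        this.kekResponse = response;
        this.kekRequest = request;
        this.kek = sessionKey;
        return this.kekResponse;
    }

    /**
     * Decodes the security mode carried in the verified response block.
     *
     * @param connectionStack stack whose factory builds the {@link DOFSecurityMode}
     * @return the security mode named by the response
     * @throws DOFSecurityException if the response cannot be verified; any other failure while
     *     decoding the mode is wrapped in a {@link DOFAuthenticationFailedException}
     */
    public DOFSecurityMode getSecurityMode(ConnectionStack connectionStack) throws DOFSecurityException {
        try {
            Authenticator.RequestKEKResponse verified = getKEKResponse();
            BufferedPacket modePacket = new BufferedPacket(verified.getResponseBlock().getMode(), 0, verified.getResponseBlock().getMode().length);
            int code = modePacket.readByte(0);
            short modeId = (short) modePacket.readShort(1);
            // Per the error text below, 2 is DefaultDSP.CODE_MODE.
            if (code != 2) {
                throw new DOFMarshalException("KEKOperation.getSecurityMode: code != DefaultDSP.CODE_MODE", null);
            }
            return connectionStack.factory.getSecurityMode(modeId, DOFMarshalContext.STORE, null, modePacket);
        } catch (DOFSecurityException e) {
            throw e;
        } catch (Exception e2) {
            // Malformed mode data is reported as an authentication failure, keeping the cause.
            throw new DOFAuthenticationFailedException(e2);
        }
    }

    /**
     * Returns the session key recovered from the verified ticket.
     *
     * <p>The returned array is the internal one, not a copy; callers must not modify it.
     *
     * @return the key bytes
     * @throws DOFSecurityException if the response cannot be obtained or verified
     */
    public byte[] getKEK() throws DOFSecurityException {
        getKEKResponse();
        return this.kek;
    }

    /**
     * Writes the request (in {@link DOFMarshalContext#COMMAND} context) or the response (any other
     * context) to the packet.
     *
     * @param dOFMarshalContext context selecting which side is written
     * @param obj opaque marshal argument forwarded to the request or response
     * @param dOFPacket destination packet
     * @throws DOFMarshalException if the side selected by the context is not held by this operation,
     *     or if marshalling it fails
     */
    @Override // org.opendof.core.internal.core.OALOperation, org.opendof.core.internal.protocol.Marshallable
    public void marshal(DOFMarshalContext dOFMarshalContext, Object obj, DOFPacket dOFPacket) throws DOFMarshalException {
        if (dOFMarshalContext == DOFMarshalContext.COMMAND) {
            Authenticator.RequestKEK request = this.kekRequest;
            if (request == null) {
                throw new DOFMarshalException("KEKOperation marshal failed: no KEK request", null);
            }
            request.marshal(dOFMarshalContext, obj, dOFPacket);
        } else {
            Authenticator.RequestKEKResponse response = this.kekResponse;
            if (response == null) {
                throw new DOFMarshalException("KEKOperation marshal failed: no KEK response", null);
            }
            response.marshal(dOFMarshalContext, obj, dOFPacket);
        }
    }
}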
