package com.evidence.ambasdk;

import com.axon.android.security.AesGcmCipherOpenSsl;
import com.axon.android.security.AsdhOpenSsl;
import com.axon.android.security.Cryptor;
import com.axon.android.security.KeyPair;
import com.evidence.sdk.util.Util;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes.dex */
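/**
 * Holds the pairing and session key state for one peer connection and exposes the
 * resulting AES-GCM cipher through the {@link Cryptor} interface.
 *
 * <p>Two modes are selected by the constructor argument:
 * <ul>
 *   <li>no pairing identifier ({@code pi == null}): initial pairing. A derivation key pair is
 *       created and {@link #derivePairingIdentifier(byte[])} must run before a session key
 *       pair exists;</li>
 *   <li>pairing identifier supplied: reconnection. A session key pair is created at once.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code pi}, the derived shared secret and the AES key are secret values and are never
 *       written to the log by this class, at any level. Public keys, the IV and the challenge
 *       values are still logged at trace level only.</li>
 *   <li>{@link #getPi()} and {@link #getChallenge()} return the internal arrays, not copies;
 *       the array passed to {@link #AmbaSecurity(byte[])} is likewise stored by reference.
 *       For that reason {@link #destroy()} does not zero {@code pi}: the caller may own it.</li>
 *   <li>Fields are public in this listing and are kept that way for source compatibility;
 *       NOTE(review): confirm nothing outside this class writes them, then narrow them.</li>
 * </ul>
 *
 * <p>No synchronization is performed; the class gives no thread-safety guarantee.
 */
public class AmbaSecurity implements Cryptor {
    // Key-agreement helper; set to null by destroy().
    public AsdhOpenSsl asdh;
    // Local challenge generated in the constructor.
    public byte[] challenge;
    // Session cipher; null until setupEncryptedSession() succeeds and again after destroy().
    public AesGcmCipherOpenSsl cipher;
    // Only present in initial-pairing mode.
    public KeyPair derivationKeypair;
    public final Logger logger;
    // Last peer challenge handed to getChallengeResponse().
    public byte[] peerChallenge;
    // Pairing identifier: supplied by the caller or derived during pairing. Secret.
    public byte[] pi;
    // Present from construction (reconnection) or after derivePairingIdentifier() (pairing).
    public KeyPair sessionKeyPair;

    /** Creates an instance for initial pairing (no pairing identifier known yet). */
    public AmbaSecurity() {
        this(null);
    }

    /**
     * Creates an instance and generates the local challenge.
     *
     * @param bArr existing pairing identifier for a reconnection, or {@code null} for an
     *             initial pairing; stored by reference, not copied
     */
    public AmbaSecurity(byte[] bArr) {
        AsdhOpenSsl keyAgreement = new AsdhOpenSsl(AsdhOpenSsl.PublicKeyFormat.RAW);
        this.logger = LoggerFactory.getLogger("AmbaSecurity");
        this.asdh = keyAgreement;
        this.pi = bArr;
        this.challenge = keyAgreement.generateChallenge();
        // Log only whether a pairing identifier was supplied. Passing the array itself to
        // SLF4J would print its contents, and pi is the long-lived pairing secret.
        this.logger.trace("AmbaSecurity() created, pi supplied={}", bArr != null);
        if (this.pi == null) {
            this.logger.info("created amba security for initial pairing");
            this.derivationKeypair = keyAgreement.createKeypair();
        } else {
            this.logger.info("created amba security for reconnection");
            this.sessionKeyPair = keyAgreement.createKeypair();
        }
    }

    /**
     * Decrypts with the session cipher.
     *
     * @param bArr input buffer, passed through to the cipher unchanged
     * @param i    passed through to the cipher unchanged (presumably a length; verify against
     *             {@code AesGcmCipherOpenSsl})
     * @return whatever the cipher returns
     * @throws IllegalStateException if no encrypted session is active
     */
    @Override // com.axon.android.security.Cryptor
    public byte[] decryptData(byte[] bArr, int i) {
        return requireCipher().decryptData(bArr, i);
    }

    /**
     * Derives the pairing identifier from the derivation key pair and the peer's public key,
     * then creates the session key pair.
     *
     * @param bArr peer public key bytes
     * @throws IllegalStateException if this instance was created for reconnection
     */
    public void derivePairingIdentifier(byte[] bArr) {
        this.logger.info("derivePairingIdentifier()");
        KeyPair pairingKeys = this.derivationKeypair;
        if (pairingKeys == null) {
            throw new IllegalStateException("This method is only available for establishing a new pairing identifier");
        }
        this.pi = this.asdh.deriveSharedSecret(pairingKeys, bArr);
        logByteArrayInTraceMode("pairing public key", pairingKeys.getPublicKeyBytes());
        // The derived pi is deliberately not logged: it authenticates every later reconnection.
        this.logger.trace("pi derived (value not logged)");
        this.sessionKeyPair = this.asdh.createKeypair();
    }

    /**
     * Releases the cipher and the key-agreement helper. Safe to call more than once.
     *
     * <p>After this call the cipher reference is cleared, so {@link #encryptData} and
     * {@link #decryptData} fail with {@link IllegalStateException} instead of calling into
     * an already-destroyed cipher object.
     */
    public void destroy() {
        AesGcmCipherOpenSsl activeCipher = this.cipher;
        if (activeCipher != null) {
            activeCipher.destroy();
            this.cipher = null;
        }
        AsdhOpenSsl keyAgreement = this.asdh;
        if (keyAgreement != null) {
            keyAgreement.destroy();
            this.asdh = null;
        }
        // NOTE(review): pi and challenge are left untouched because both arrays are shared
        // with callers (constructor argument, getPi(), getChallenge()). If the caller is
        // confirmed to hold its own copy, zero them here.
    }

    /**
     * Encrypts with the session cipher.
     *
     * @param bArr input buffer, passed through to the cipher unchanged
     * @param i    passed through to the cipher unchanged (presumably a length; verify against
     *             {@code AesGcmCipherOpenSsl})
     * @return whatever the cipher returns
     * @throws IllegalStateException if no encrypted session is active
     */
    @Override // com.axon.android.security.Cryptor
    public byte[] encryptData(byte[] bArr, int i) {
        return requireCipher().encryptData(bArr, i);
    }

    /** Returns the local challenge (the internal array, not a copy). */
    public byte[] getChallenge() {
        return this.challenge;
    }

    /**
     * Records the peer's challenge and computes the response to it from the local challenge,
     * the peer challenge and the pairing identifier.
     *
     * @param bArr peer challenge; kept for {@link #validateChallengeResponse(byte[])}
     * @return the response produced by the key-agreement helper
     */
    public byte[] getChallengeResponse(byte[] bArr) {
        this.peerChallenge = bArr;
        logByteArrayInTraceMode("peer challenge", bArr);
        return this.asdh.getChallengeResponse(this.challenge, bArr, this.pi);
    }

    /**
     * Returns the public half of the derivation key pair.
     *
     * @throws IllegalStateException if this instance was created for reconnection and so has
     *         no derivation key pair
     */
    public byte[] getPairingPublicKeyBytes() {
        KeyPair pairingKeys = this.derivationKeypair;
        if (pairingKeys == null) {
            throw new IllegalStateException("This method is only available for establishing a new pairing identifier");
        }
        return pairingKeys.getPublicKeyBytes();
    }

    /**
     * Returns the pairing identifier (the internal array, not a copy). The value is secret:
     * callers should store it in protected storage and never log it.
     */
    public byte[] getPi() {
        return this.pi;
    }

    /**
     * Returns the public half of the session key pair.
     *
     * @throws IllegalStateException if the session key pair does not exist yet
     */
    public byte[] getSessionPublicKeyBytes() {
        KeyPair sessionKeys = this.sessionKeyPair;
        if (sessionKeys == null) {
            throw new IllegalStateException("Must derive a pairing identifier first");
        }
        return sessionKeys.getPublicKeyBytes();
    }

    /**
     * Writes {@code label: hex} at trace level. Use only for values that are safe to disclose
     * (public keys, IVs, challenges); never pass key material.
     *
     * @param str  label
     * @param bArr bytes to render as hex
     */
    public final void logByteArrayInTraceMode(String str, byte[] bArr) {
        // The level check avoids the hex conversion when trace is off.
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("{}: {}", str, Util.byteArrayToHexString(bArr, false));
        }
    }

    /**
     * Derives the session secret from the session key pair and the peer's public key, hashes
     * it with SHA-256 and installs an AES-GCM cipher keyed with that hash.
     *
     * @param bArr  peer session public key bytes
     * @param bArr2 IV handed to the cipher
     * @throws IllegalStateException if the session key pair does not exist yet
     */
    public void setupEncryptedSession(byte[] bArr, byte[] bArr2) {
        this.logger.info("setupEncryptedSession()");
        KeyPair sessionKeys = this.sessionKeyPair;
        if (sessionKeys == null) {
            // Same precondition and message as getSessionPublicKeyBytes().
            throw new IllegalStateException("Must derive a pairing identifier first");
        }
        logByteArrayInTraceMode("session pub key", sessionKeys.getPublicKeyBytes());
        logByteArrayInTraceMode("peer pub key", bArr);
        logByteArrayInTraceMode("iv", bArr2);
        // Neither the shared secret nor the AES key is logged: anyone able to read the log
        // could decrypt the session. (The earlier "aes key" trace line also printed the
        // shared secret rather than the key it named.)
        byte[] sharedSecret = this.asdh.deriveSharedSecret(sessionKeys, bArr);
        byte[] aesKey = this.asdh.sha256(sharedSecret, sharedSecret.length);
        // NOTE(review): sharedSecret and aesKey are not zeroed here because it is not visible
        // whether the helper or the cipher keeps a reference to them; wipe them if they copy.
        this.cipher = new AesGcmCipherOpenSsl(aesKey, bArr2);
    }

    /**
     * Checks the peer's response to the local challenge.
     *
     * @param bArr response received from the peer
     * @return the result of the key-agreement helper's validation
     * @throws IllegalStateException if no challenge or no pairing identifier is available
     */
    public boolean validateChallengeResponse(byte[] bArr) {
        // The response bytes are kept out of the INFO line; they remain available at trace.
        this.logger.info("validateChallengeResponse()");
        logByteArrayInTraceMode("challenge response", bArr);
        byte[] localChallenge = this.challenge;
        if (localChallenge == null) {
            throw new IllegalStateException("Caller must have generated a challenge first");
        }
        byte[] pairingId = this.pi;
        if (pairingId == null) {
            throw new IllegalStateException("cannot call validateChallengeResponse() without establishing a PI first");
        }
        // NOTE(review): peerChallenge is null unless getChallengeResponse() ran first and is
        // passed on as-is; confirm the helper tolerates that ordering.
        return this.asdh.validatePeerChallenge(bArr, localChallenge, this.peerChallenge, pairingId);
    }

    // Returns the active session cipher or fails with a clear state error.
    private AesGcmCipherOpenSsl requireCipher() {
        AesGcmCipherOpenSsl activeCipher = this.cipher;
        if (activeCipher == null) {
            throw new IllegalStateException("Encrypted session has not been set up");
        }
        return activeCipher;
    }
}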
