package com.google.android.apps.authenticator.seedrotation.reseeder;

import com.google.android.apps.authenticator.CryptoUtils;
import com.google.android.apps.authenticator.HexEncoding;
import com.google.android.apps.authenticator.Utilities;
import com.google.android.apps.authenticator.seedrotation.backend.ReseedRequest;
import com.google.android.apps.authenticator.seedrotation.backend.ReseedResponse;
import com.google.android.apps.authenticator.seedrotation.backend.StatusRequest;
import com.google.common.annotations.VisibleForTesting;
import java.math.BigInteger;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: classes.dex */
public class ProtocolCryptoOperations {

    /* loaded from: classes.dex */
    public static class SeedDerivation {
        private final DiffieHellman mDiffieHellman;

        @VisibleForTesting
        final byte[] mSeed;

        public SeedDerivation(byte[] bArr) {
            this(bArr, DiffieHellman.getGroup14(CryptoUtils.digest(CryptoUtils.DIGEST_SHA_512, bArr)));
        }

        @VisibleForTesting
        SeedDerivation(byte[] bArr, DiffieHellman diffieHellman) {
            this.mSeed = bArr;
            this.mDiffieHellman = diffieHellman;
        }

        @VisibleForTesting
        static byte[] deriveSeed(byte[] bArr) {
            return Utilities.copyOfRange(CryptoUtils.digest(CryptoUtils.DIGEST_SHA_256, Utilities.concat(Utilities.getAsciiBytes("key derivation"), bArr)), 0, 20);
        }

        public byte[] complete(BigInteger bigInteger) {
            return deriveSeed(Utilities.concat(this.mDiffieHellman.getExchangedKey(bigInteger).toByteArray(), ProtocolCryptoOperations.getMacKeyBytes(this.mSeed)));
        }

        public BigInteger getMyPublicKey() {
            return this.mDiffieHellman.getPublicKey();
        }
    }

    private static byte[] generateMac(byte[] bArr, byte[] bArr2) {
        SecretKey macKey = getMacKey(bArr);
        return CryptoUtils.generateMac(macKey.getAlgorithm(), macKey, bArr2);
    }

    @VisibleForTesting
    static SecretKey getMacKey(byte[] bArr) {
        return new SecretKeySpec(getMacKeyBytes(bArr), CryptoUtils.HMAC_SHA_256);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] getMacKeyBytes(byte[] bArr) {
        return Utilities.copyOfRange(CryptoUtils.digest(CryptoUtils.DIGEST_SHA_512, bArr), 16, 16);
    }

    private static byte[] getReseedResponseMacInput(ReseedRequest reseedRequest, ReseedResponse reseedResponse) {
        return Utilities.getAsciiBytes("done:" + reseedResponse.backendDhPublicKey + ":" + reseedResponse.minSecondsTillNextReseed + ":" + reseedResponse.maxSecondsTillNextReseed + ":" + (reseedResponse.reseedUrl != null ? reseedResponse.reseedUrl : "") + ":" + reseedRequest.clientDhPublicKey);
    }

    private static boolean verifyMac(byte[] bArr, byte[] bArr2, byte[] bArr3) {
        SecretKey macKey = getMacKey(bArr);
        return CryptoUtils.verifyMac(macKey.getAlgorithm(), macKey, bArr2, bArr3);
    }

    public byte[] completeNewSeedDerivation(SeedDerivation seedDerivation, BigInteger bigInteger) {
        return seedDerivation.complete(bigInteger);
    }

    public String generateConfirmRequestMac(byte[] bArr) {
        return HexEncoding.encode(generateMac(bArr, Utilities.getAsciiBytes("confirm")));
    }

    public String generateReseedRequestMac(byte[] bArr, ReseedRequest reseedRequest) {
        return HexEncoding.encode(generateMac(bArr, Utilities.getAsciiBytes("reseed" + reseedRequest.timestampSeconds + reseedRequest.clientDhPublicKey)));
    }

    public String generateStatusRequestMac(byte[] bArr, StatusRequest statusRequest) {
        return HexEncoding.encode(generateMac(bArr, Utilities.getAsciiBytes("status" + statusRequest.timestampSeconds)));
    }

    public byte[] getSeedId(byte[] bArr) {
        return Utilities.copyOfRange(CryptoUtils.digest(CryptoUtils.DIGEST_SHA_512, bArr), 0, 16);
    }

    public SeedDerivation startNewSeedDerivation(byte[] bArr) {
        return new SeedDerivation(bArr);
    }

    public boolean verifyReseedResponseMac(byte[] bArr, ReseedRequest reseedRequest, ReseedResponse reseedResponse) {
        return verifyMac(bArr, getReseedResponseMacInput(reseedRequest, reseedResponse), HexEncoding.decode(reseedResponse.authCode));
    }

    public boolean verifyReseedResponseMac2(byte[] bArr, ReseedRequest reseedRequest, ReseedResponse reseedResponse) {
        return verifyMac(bArr, getReseedResponseMacInput(reseedRequest, reseedResponse), HexEncoding.decode(reseedResponse.authCode2));
    }
}
