package com.adyen.terminal.security;

import com.adyen.model.nexo.MessageHeader;
import com.adyen.model.terminal.security.NexoDerivedKey;
import com.adyen.model.terminal.security.SaleToPOISecuredMessage;
import com.adyen.model.terminal.security.SecurityKey;
import com.adyen.model.terminal.security.SecurityTrailer;
import com.adyen.terminal.security.exception.NexoCryptoException;
import com.adyen.util.HMACValidator;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import r.a.a.a.b.a;

/* loaded from: classes.dex */
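/**
 * Encrypts and decrypts the payload of a {@link SaleToPOISecuredMessage}.
 *
 * <p>Scheme, as implemented below: the payload is encrypted with AES/CBC/PKCS5Padding under a
 * key derived from the {@link SecurityKey} passphrase, the CBC IV is the derived IV XORed with a
 * per-message nonce, and an HMAC is computed over the <em>plaintext</em> and carried in the
 * {@link SecurityTrailer}.
 *
 * <p>NOTE(review): this is decompiler output. The helper {@code a} is obfuscated, and no
 * {@code throws} clauses are present although {@code Cipher.getInstance} and {@code Mac.getInstance}
 * declare checked exceptions; the declarations were presumably stripped from the class file.
 */
public class NexoCrypto {
    /** Number of bytes of derived IV and nonce that are combined into the CBC IV. */
    private static final int IV_LENGTH = 16;

    /**
     * Source of per-message nonces. A {@link SecureRandom} is used because the nonce feeds the
     * CBC IV, and CBC requires an IV the other side cannot predict; {@code java.util.Random} is
     * a linear congruential generator whose output can be predicted.
     */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /**
     * Runs AES/CBC/PKCS5Padding over {@code data} in the given cipher mode.
     *
     * @param data       bytes to encrypt or decrypt
     * @param derivedKey supplies the cipher key and the base IV
     * @param nonce      per-message nonce; its first {@value #IV_LENGTH} bytes are XORed into the IV
     * @param mode       {@link Cipher#ENCRYPT_MODE} or {@link Cipher#DECRYPT_MODE}
     * @return the cipher output
     * @throws NexoCryptoException if the nonce is missing or shorter than {@value #IV_LENGTH} bytes
     */
    private byte[] crypt(byte[] data, NexoDerivedKey derivedKey, byte[] nonce, int mode) {
        // On the decrypt path the nonce comes from the received security trailer, so reject a
        // missing or truncated one explicitly instead of failing on an array index or null.
        if (nonce == null || nonce.length < IV_LENGTH) {
            throw new NexoCryptoException("Invalid nonce");
        }
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        SecretKeySpec cipherKey = new SecretKeySpec(derivedKey.getCipherKey(), "AES");
        byte[] derivedIv = derivedKey.getIv();
        byte[] iv = new byte[IV_LENGTH];
        for (int i = 0; i < IV_LENGTH; i++) {
            iv[i] = (byte) (derivedIv[i] ^ nonce[i]);
        }
        cipher.init(mode, cipherKey, new IvParameterSpec(iv));
        return cipher.doFinal(data);
    }

    /**
     * Produces a fresh {@value #IV_LENGTH}-byte nonce for one message.
     *
     * @return random nonce bytes from the class's {@link SecureRandom}
     */
    private byte[] generateRandomIvNonce() {
        byte[] nonce = new byte[IV_LENGTH];
        SECURE_RANDOM.nextBytes(nonce);
        return nonce;
    }

    /**
     * Computes the message authentication code of {@code data} under the derived HMAC key.
     *
     * @param data       bytes to authenticate
     * @param derivedKey supplies the HMAC key
     * @return the MAC bytes
     */
    private byte[] hmac(byte[] data, NexoDerivedKey derivedKey) {
        // The algorithm name comes from HMACValidator; presumably HmacSHA256 — confirm there.
        Mac mac = Mac.getInstance(HMACValidator.HMAC_SHA256_ALGORITHM);
        mac.init(new SecretKeySpec(derivedKey.getHmacKey(), HMACValidator.HMAC_SHA256_ALGORITHM));
        return mac.doFinal(data);
    }

    /**
     * Recomputes the HMAC of {@code data} and compares it with the received value.
     *
     * @param receivedHmac HMAC taken from the security trailer
     * @param data         bytes the HMAC is expected to cover
     * @param derivedKey   supplies the HMAC key
     * @throws NexoCryptoException if the two values differ
     */
    private void validateHmac(byte[] receivedHmac, byte[] data, NexoDerivedKey derivedKey) {
        // MessageDigest.isEqual is used rather than Arrays.equals so the comparison time does
        // not reveal how many leading bytes of a forged HMAC were correct.
        if (!MessageDigest.isEqual(hmac(data, derivedKey), receivedHmac)) {
            throw new NexoCryptoException("Hmac validation failed");
        }
    }

    /**
     * Checks that the security key carries every field this class reads.
     *
     * @param securityKey key to check
     * @throws NexoCryptoException if the key is null, the passphrase is null or empty, or the
     *     key identifier, key version or crypto version is null
     */
    private void validateSecurityKey(SecurityKey securityKey) {
        if (securityKey == null
                || securityKey.getPassphrase() == null
                || securityKey.getPassphrase().isEmpty()
                || securityKey.getKeyIdentifier() == null
                || securityKey.getKeyVersion() == null
                || securityKey.getAdyenCryptoVersion() == null) {
            throw new NexoCryptoException("Invalid Security Key");
        }
    }

    /**
     * Decrypts the blob of a secured message and returns the plaintext once its HMAC has been
     * verified.
     *
     * <p>The HMAC covers the plaintext, so it can only be checked after decryption. A padding
     * failure raised by the cipher and an HMAC failure should therefore be reported to the
     * sender in the same way, so the two cases cannot be told apart from outside.
     *
     * <p>NOTE(review): the key identifier and key version in the received trailer are not
     * compared with {@code securityKey} here; whether a caller does so is not visible in this
     * class.
     *
     * @param saleToPOISecuredMessage received message with blob and security trailer
     * @param securityKey             key whose passphrase the key material is derived from
     * @return the decrypted payload as a UTF-8 string
     * @throws NexoCryptoException if the security key is invalid, the nonce is missing or too
     *     short, or the HMAC does not match
     */
    public String decrypt(SaleToPOISecuredMessage saleToPOISecuredMessage, SecurityKey securityKey) {
        validateSecurityKey(securityKey);
        // a.q is an obfuscated helper; presumably Base64 decoding of the blob — confirm against
        // the unobfuscated library. The charset is explicit so the result does not depend on
        // the platform default.
        byte[] cipherText = a.q(saleToPOISecuredMessage.getNexoBlob().getBytes(StandardCharsets.UTF_8));
        NexoDerivedKey derivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(securityKey.getPassphrase());
        SecurityTrailer trailer = saleToPOISecuredMessage.getSecurityTrailer();
        byte[] plainText = crypt(cipherText, derivedKey, trailer.getNonce(), Cipher.DECRYPT_MODE);
        // Nothing derived from plainText may leave this method before this check passes.
        validateHmac(saleToPOISecuredMessage.getSecurityTrailer().getHmac(), plainText, derivedKey);
        return new String(plainText, StandardCharsets.UTF_8);
    }

    /**
     * Encrypts a payload and wraps it, with its security trailer, in a secured message.
     *
     * @param str           plaintext payload
     * @param messageHeader header copied into the result unchanged
     * @param securityKey   key whose passphrase the key material is derived from; its identifier,
     *                      version and crypto version are copied into the trailer
     * @return the secured message holding the encoded ciphertext, nonce and HMAC
     * @throws NexoCryptoException if the security key is invalid
     */
    public SaleToPOISecuredMessage encrypt(String str, MessageHeader messageHeader, SecurityKey securityKey) {
        validateSecurityKey(securityKey);
        NexoDerivedKey derivedKey = NexoDerivedKeyGenerator.deriveKeyMaterial(securityKey.getPassphrase());
        byte[] plainText = str.getBytes(StandardCharsets.UTF_8);
        byte[] nonce = generateRandomIvNonce();
        byte[] cipherText = crypt(plainText, derivedKey, nonce, Cipher.ENCRYPT_MODE);
        // The HMAC is taken over the plaintext, not the ciphertext; decrypt() relies on that.
        byte[] plainTextHmac = hmac(plainText, derivedKey);

        SecurityTrailer securityTrailer = new SecurityTrailer();
        securityTrailer.setKeyVersion(securityKey.getKeyVersion());
        securityTrailer.setKeyIdentifier(securityKey.getKeyIdentifier());
        securityTrailer.setHmac(plainTextHmac);
        securityTrailer.setNonce(nonce);
        securityTrailer.setAdyenCryptoVersion(securityKey.getAdyenCryptoVersion());

        SaleToPOISecuredMessage securedMessage = new SaleToPOISecuredMessage();
        securedMessage.setMessageHeader(messageHeader);
        // a.r is an obfuscated helper; presumably Base64 encoding — confirm. Its return type is
        // not visible here, so the String constructor is left as decompiled.
        // NOTE(review): if a.r returns byte[], this uses the platform default charset.
        securedMessage.setNexoBlob(new String(a.r(cipherText)));
        securedMessage.setSecurityTrailer(securityTrailer);
        return securedMessage;
    }
}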
