package im.status.keycard;

import im.status.keycard.applet.ApplicationInfo;
import im.status.keycard.applet.RecoverableSignature;
import javacard.framework.JCSystem;
import javacard.framework.Util;
import javacard.security.AESKey;
import javacard.security.CryptoException;
import javacard.security.HMACKey;
import javacard.security.KeyAgreement;
import javacard.security.KeyBuilder;
import javacard.security.MessageDigest;
import javacard.security.RandomData;
import javacard.security.Signature;
import javacardx.crypto.Cipher;
import kotlin.UByte;
import kotlin.jvm.internal.ByteCompanionObject;

/* loaded from: input_file:assets/keycard_v2.2.1.cap:APPLET-INF/classes/im/status/keycard/Crypto.class */
public class Crypto {
    public static final short AES_BLOCK_SIZE = 16;
    static final short KEY_SECRET_SIZE = 32;
    static final short KEY_PUB_SIZE = 65;
    static final short KEY_DERIVATION_SCRATCH_SIZE = 37;
    private static final short HMAC_OUT_SIZE = 64;
    private static final byte HMAC_IPAD = 54;
    private static final byte HMAC_OPAD = 92;
    private static final short HMAC_BLOCK_SIZE = 128;
    private Signature hmacSHA512;
    private HMACKey hmacKey;
    private byte[] hmacBlock;
    private static final byte[] MAX_S = {ByteCompanionObject.MAX_VALUE, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 93, 87, 110, 115, 87, ApplicationInfo.TLV_APPLICATION_INFO_TEMPLATE, 80, 29, -33, -23, 47, 70, 104, 27, 32, RecoverableSignature.TLV_SIGNATURE_TEMPLATE};
    private static final byte[] S_SUB = {-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -70, -82, -36, -26, -81, 72, RecoverableSignature.TLV_SIGNATURE_TEMPLATE, 59, -65, -46, 94, -116, -48, 54, 65, 65};
    private static final byte[] KEY_BITCOIN_SEED = {66, 105, 116, 99, 111, 105, 110, 32, 115, 101, 101, 100};
    RandomData random = RandomData.getInstance((byte) 2);
    MessageDigest sha256 = MessageDigest.getInstance((byte) 4, false);
    KeyAgreement ecdh = KeyAgreement.getInstance((byte) 3, false);
    MessageDigest sha512 = MessageDigest.getInstance((byte) 6, false);
    Cipher aesCbcIso9797m2 = Cipher.getInstance((byte) 23, false);
    private AESKey tmpAES256 = KeyBuilder.buildKey((byte) 14, 256, false);

    Crypto() {
        try {
            this.hmacSHA512 = Signature.getInstance((byte) 27, false);
            this.hmacKey = KeyBuilder.buildKey((byte) 20, (short) 32, false);
        } catch (CryptoException e) {
            this.hmacSHA512 = null;
            this.hmacBlock = JCSystem.makeTransientByteArray((short) 128, (byte) 1);
        }
    }

    public short oneShotAES(byte b, byte[] bArr, short s, short s2, byte[] bArr2, short s3, byte[] bArr3, short s4) {
        this.tmpAES256.setKey(bArr3, s4);
        this.aesCbcIso9797m2.init(this.tmpAES256, b, bArr, s, (short) 16);
        return this.aesCbcIso9797m2.doFinal(bArr, (short) (s + 16), s2, bArr2, s3);
    }

    boolean bip32IsHardened(byte[] bArr, short s) {
        return (bArr[s] & Byte.MIN_VALUE) == -128;
    }

    boolean bip32CKDPriv(byte[] bArr, short s, byte[] bArr2, short s2, byte[] bArr3, short s3, byte[] bArr4, short s4) {
        short arrayCopyNonAtomic;
        if (bip32IsHardened(bArr, s)) {
            bArr2[s2] = 0;
            arrayCopyNonAtomic = Util.arrayCopyNonAtomic(bArr3, s3, bArr2, (short) (s2 + 1), (short) 32);
        } else {
            short s5 = (short) (s2 + 1);
            bArr2[s2] = (bArr3[(short) ((((s3 + 32) + 32) + 65) - 1)] & 1) != 0 ? (byte) 3 : (byte) 2;
            arrayCopyNonAtomic = Util.arrayCopyNonAtomic(bArr3, (short) (s3 + 32 + 32 + 1), bArr2, s5, (short) 32);
        }
        hmacSHA512(bArr3, (short) (s3 + 32), (short) 32, bArr2, s2, (short) (Util.arrayCopyNonAtomic(bArr, s, bArr2, arrayCopyNonAtomic, (short) 4) - s2), bArr4, s4);
        if (ucmp256(bArr4, s4, SECP256k1.SECP256K1_R, (short) 0) >= 0) {
            return false;
        }
        addm256(bArr4, s4, bArr3, s3, SECP256k1.SECP256K1_R, (short) 0, bArr4, s4);
        return !isZero256(bArr4, s4);
    }

    void bip32MasterFromSeed(byte[] bArr, short s, short s2, byte[] bArr2, short s3) {
        hmacSHA512(KEY_BITCOIN_SEED, (short) 0, (short) KEY_BITCOIN_SEED.length, bArr, s, s2, bArr2, s3);
    }

    short fixS(byte[] bArr, short s) {
        short s2 = (short) (bArr[(short) (s + 3)] + ((short) (s + 5)));
        short s3 = 0;
        if (bArr[s2] == 33) {
            Util.arrayCopyNonAtomic(bArr, (short) (s2 + 2), bArr, (short) (s2 + 1), (short) 32);
            bArr[s2] = 32;
            short s4 = (short) (s + 1);
            bArr[s4] = (byte) (bArr[s4] - 1);
            s3 = -1;
        }
        short s5 = (short) (s2 + 1);
        if (s3 == -1 || ucmp256(bArr, s5, MAX_S, (short) 0) > 0) {
            sub256(S_SUB, (short) 0, bArr, s5, bArr, s5);
        }
        return s3;
    }

    private void hmacSHA512(byte[] bArr, short s, short s2, byte[] bArr2, short s3, short s4, byte[] bArr3, short s5) {
        if (this.hmacSHA512 != null) {
            this.hmacKey.setKey(bArr, s, s2);
            this.hmacSHA512.init(this.hmacKey, (byte) 1);
            this.hmacSHA512.sign(bArr2, s3, s4, bArr3, s5);
            return;
        }
        byte b = 0;
        while (true) {
            byte b2 = b;
            if (b2 >= 2) {
                return;
            }
            Util.arrayFillNonAtomic(this.hmacBlock, (short) 0, (short) 128, b2 == 0 ? (byte) 54 : (byte) 92);
            short s6 = 0;
            while (true) {
                short s7 = s6;
                if (s7 >= s2) {
                    break;
                }
                byte[] bArr4 = this.hmacBlock;
                bArr4[s7] = (byte) (bArr4[s7] ^ bArr[(short) (s + s7)]);
                s6 = (short) (s7 + 1);
            }
            this.sha512.update(this.hmacBlock, (short) 0, (short) 128);
            if (b2 == 0) {
                this.sha512.doFinal(bArr2, s3, s4, bArr3, s5);
            } else {
                this.sha512.doFinal(bArr3, s5, (short) 64, bArr3, s5);
            }
            b = (byte) (b2 + 1);
        }
    }

    private void addm256(byte[] bArr, short s, byte[] bArr2, short s2, byte[] bArr3, short s3, byte[] bArr4, short s4) {
        if (add256(bArr, s, bArr2, s2, bArr4, s4) != 0 || ucmp256(bArr4, s4, bArr3, s3) > 0) {
            sub256(bArr4, s4, bArr3, s3, bArr4, s4);
        }
    }

    private short ucmp256(byte[] bArr, short s, byte[] bArr2, short s2) {
        short s3 = 0;
        while (true) {
            short s4 = s3;
            if (s4 >= 32) {
                return (short) 0;
            }
            short s5 = (short) (bArr[(short) (s + s4)] & UByte.MAX_VALUE);
            short s6 = (short) (bArr2[(short) (s2 + s4)] & UByte.MAX_VALUE);
            if (s5 != s6) {
                return (short) (s5 - s6);
            }
            s3 = (short) (s4 + 1);
        }
    }

    private boolean isZero256(byte[] bArr, short s) {
        boolean z = true;
        short s2 = 0;
        while (true) {
            short s3 = s2;
            if (s3 >= 32) {
                break;
            }
            if (bArr[(short) (s + s3)] != 0) {
                z = false;
                break;
            }
            s2 = (short) (s3 + 1);
        }
        return z;
    }

    private short add256(byte[] bArr, short s, byte[] bArr2, short s2, byte[] bArr3, short s3) {
        short s4 = 0;
        short s5 = 31;
        while (true) {
            short s6 = s5;
            if (s6 < 0) {
                return s4;
            }
            short s7 = (short) (((short) (bArr[(short) (s + s6)] & UByte.MAX_VALUE)) + ((short) (bArr2[(short) (s2 + s6)] & UByte.MAX_VALUE)) + s4);
            bArr3[(short) (s3 + s6)] = (byte) s7;
            s4 = (short) (s7 >> 8);
            s5 = (short) (s6 - 1);
        }
    }

    private short sub256(byte[] bArr, short s, byte[] bArr2, short s2, byte[] bArr3, short s3) {
        short s4 = 0;
        short s5 = 31;
        while (true) {
            short s6 = s5;
            if (s6 < 0) {
                return s4;
            }
            short s7 = (short) ((((short) (bArr[(short) (s + s6)] & UByte.MAX_VALUE)) - ((short) (bArr2[(short) (s2 + s6)] & UByte.MAX_VALUE))) - s4);
            bArr3[(short) (s3 + s6)] = (byte) s7;
            s4 = (short) ((s7 >> 8) != 0 ? 1 : 0);
            s5 = (short) (s6 - 1);
        }
    }
}
