package com.microsoft.azure.sdk.iot.provisioning.security.hsm;

import com.microsoft.azure.sdk.iot.provisioning.security.SecurityProviderTpm;
import com.microsoft.azure.sdk.iot.provisioning.security.exceptions.SecurityProviderException;
import java.util.Arrays;
import javax.xml.bind.DatatypeConverter;
import tss.Helpers;
import tss.InByteBuf;
import tss.Tpm;
import tss.TpmFactory;
import tss.TpmHelpers;
import tss.tpm.CreatePrimaryResponse;
import tss.tpm.CreateResponse;
import tss.tpm.ReadPublicResponse;
import tss.tpm.StartAuthSessionResponse;
import tss.tpm.TPM2B_DATA;
import tss.tpm.TPM2B_DIGEST_Symcipher;
import tss.tpm.TPM2B_ENCRYPTED_SECRET;
import tss.tpm.TPM2B_ID_OBJECT;
import tss.tpm.TPM2B_PRIVATE;
import tss.tpm.TPM2B_PUBLIC;
import tss.tpm.TPM2B_PUBLIC_KEY_RSA;
import tss.tpm.TPMA_OBJECT;
import tss.tpm.TPMS_NULL_ASYM_SCHEME;
import tss.tpm.TPMS_PCR_SELECTION;
import tss.tpm.TPMS_RSA_PARMS;
import tss.tpm.TPMS_SENSITIVE_CREATE;
import tss.tpm.TPMS_SYMCIPHER_PARMS;
import tss.tpm.TPMT_PUBLIC;
import tss.tpm.TPMT_SYM_DEF;
import tss.tpm.TPMT_SYM_DEF_OBJECT;
import tss.tpm.TPM_ALG_ID;
import tss.tpm.TPM_HANDLE;
import tss.tpm.TPM_PT;
import tss.tpm.TPM_RC;
import tss.tpm.TPM_RH;
import tss.tpm.TPM_SE;

/* loaded from: input_file:com/microsoft/azure/sdk/iot/provisioning/security/hsm/SecurityProviderTPMHsm.class */
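/**
 * Security provider that backs device provisioning with the platform TPM through the {@code tss}
 * library.
 *
 * <p>Construction opens the platform TPM, evicts whatever objects are present at the EK and SRK
 * persistent handles, and re-creates both primaries from the fixed templates below.
 * {@link #activateIdentityKey(byte[])} imports the identity key and persists it;
 * {@link #signWithIdentity(byte[])} then HMACs caller data with that persisted key.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Construction is destructive. Objects already stored at the EK/SRK persistent handles are
 *       evicted before new ones are created, so this provider should not share those handles with
 *       other software on the same TPM.</li>
 *   <li>Both primaries, including the one labelled "EK", are created under {@code TPM_RH.OWNER}.
 *       NOTE(review): a key created in the owner hierarchy is presumably not the
 *       manufacturer-certified endorsement key; confirm this is intended before relying on the
 *       value from {@link #getEndorsementKey()} for attestation.</li>
 *   <li>Owner-authorised commands are issued without setting an auth value on the hierarchy handle.
 *       NOTE(review): this presumably requires empty owner auth on the TPM; confirm for
 *       deployments where the owner hierarchy is locked down.</li>
 *   <li>No synchronisation is used and {@code idKeyPub} is mutable instance state.</li>
 * </ul>
 */
public class SecurityProviderTPMHsm extends SecurityProviderTpm {
    /** Accepted registration IDs: 1 to 128 characters from {@code a-z}, {@code 0-9} and {@code -}. */
    private static final String REGEX_FOR_VALID_REGISTRATION_ID = "^[a-z0-9-]{1,128}$";

    // Persistent handle offsets: SRK at 0x1, EK at 0x10001 (65537), identity key at 0x100 (256).
    private static final TPM_HANDLE SRK_PERSISTENT_HANDLE = TPM_HANDLE.persistent(1);
    private static final TPM_HANDLE EK_PERSISTENT_HANDLE = TPM_HANDLE.persistent(65537);
    private static final TPM_HANDLE ID_KEY_PERSISTENT_HANDLE = TPM_HANDLE.persistent(256);

    /** Symmetric protection used by both primary templates: AES-128 in CFB mode. */
    private static final TPMT_SYM_DEF_OBJECT AES_128_SYM_DEF =
            new TPMT_SYM_DEF_OBJECT(TPM_ALG_ID.AES, 128, TPM_ALG_ID.CFB);

    /**
     * Template for the "EK" primary: restricted RSA-2048 decryption key, name algorithm SHA-256,
     * administered by policy ({@code adminWithPolicy}).
     *
     * <p>NOTE(review): the authPolicy digest looks like the default EK policy from the TCG EK
     * credential profile (PolicySecret on the endorsement hierarchy), which would match the
     * PolicySecret call in {@link #activateIdentityKey(byte[])}; confirm against the profile.
     */
    private static final TPMT_PUBLIC EK_TEMPLATE = new TPMT_PUBLIC(
            TPM_ALG_ID.SHA256,
            new TPMA_OBJECT(new TPMA_OBJECT[]{
                TPMA_OBJECT.restricted,
                TPMA_OBJECT.decrypt,
                TPMA_OBJECT.fixedTPM,
                TPMA_OBJECT.fixedParent,
                TPMA_OBJECT.adminWithPolicy,
                TPMA_OBJECT.sensitiveDataOrigin}),
            DatatypeConverter.parseHexBinary("837197674484b3f81a90cc8d46a5d724fd52d76e06520b64f2a1da1b331469aa"),
            new TPMS_RSA_PARMS(AES_128_SYM_DEF, new TPMS_NULL_ASYM_SCHEME(), 2048, 0),
            new TPM2B_PUBLIC_KEY_RSA());

    /**
     * Template for the SRK primary: restricted RSA-2048 decryption key, name algorithm SHA-256,
     * with {@code userWithAuth}, {@code noDA} and an empty authPolicy.
     */
    private static final TPMT_PUBLIC SRK_TEMPLATE = new TPMT_PUBLIC(
            TPM_ALG_ID.SHA256,
            new TPMA_OBJECT(new TPMA_OBJECT[]{
                TPMA_OBJECT.restricted,
                TPMA_OBJECT.decrypt,
                TPMA_OBJECT.fixedTPM,
                TPMA_OBJECT.fixedParent,
                TPMA_OBJECT.noDA,
                TPMA_OBJECT.userWithAuth,
                TPMA_OBJECT.sensitiveDataOrigin}),
            new byte[0],
            new TPMS_RSA_PARMS(AES_128_SYM_DEF, new TPMS_NULL_ASYM_SCHEME(), 2048, 0),
            new TPM2B_PUBLIC_KEY_RSA());

    // Caller-supplied registration ID, or null to defer to the superclass.
    private final String registrationId;
    private Tpm tpm;
    private TPMT_PUBLIC ekPublic;
    private TPMT_PUBLIC srkPublic;
    // Public part of the identity key; non-null only once an activation has persisted the key.
    private TPM2B_PUBLIC idKeyPub = null;

    /**
     * Opens the platform TPM and (re)creates the EK and SRK persistent objects. The registration
     * ID is left unset, so {@link #getRegistrationId()} defers to the superclass.
     *
     * @throws SecurityProviderException if probing or creating a persistent object fails
     */
    public SecurityProviderTPMHsm() throws SecurityProviderException {
        this.tpm = TpmFactory.platformTpm();
        // Existing objects are evicted first, so the calls below always create fresh primaries
        // unless the eviction itself failed.
        clearPersistent(this.tpm, EK_PERSISTENT_HANDLE, "EK");
        clearPersistent(this.tpm, SRK_PERSISTENT_HANDLE, "SRK");
        this.ekPublic = createPersistentPrimary(this.tpm, EK_PERSISTENT_HANDLE, TPM_RH.OWNER, EK_TEMPLATE, "EK");
        this.srkPublic = createPersistentPrimary(this.tpm, SRK_PERSISTENT_HANDLE, TPM_RH.OWNER, SRK_TEMPLATE, "SRK");
        this.registrationId = null;
    }

    /**
     * Same as the no-argument constructor, but with an explicit registration ID. The ID is
     * validated before the TPM is touched.
     *
     * @param str registration ID; must match {@code ^[a-z0-9-]{1,128}$}
     * @throws IllegalArgumentException if {@code str} is null, empty or does not match the pattern
     * @throws SecurityProviderException if probing or creating a persistent object fails
     */
    public SecurityProviderTPMHsm(String str) throws SecurityProviderException {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Registration Id cannot be null or empty");
        }
        if (!str.matches(REGEX_FOR_VALID_REGISTRATION_ID)) {
            throw new IllegalArgumentException("The registration ID is alphanumeric, lowercase, and may contain hyphens. Max characters allowed is 128.");
        }
        this.registrationId = str;
        this.tpm = TpmFactory.platformTpm();
        clearPersistent(this.tpm, EK_PERSISTENT_HANDLE, "EK");
        clearPersistent(this.tpm, SRK_PERSISTENT_HANDLE, "SRK");
        this.ekPublic = createPersistentPrimary(this.tpm, EK_PERSISTENT_HANDLE, TPM_RH.OWNER, EK_TEMPLATE, "EK");
        this.srkPublic = createPersistentPrimary(this.tpm, SRK_PERSISTENT_HANDLE, TPM_RH.OWNER, SRK_TEMPLATE, "SRK");
    }

    /**
     * Returns the registration ID given at construction, or the superclass value when none was
     * supplied.
     *
     * @return the registration ID
     * @throws SecurityProviderException if the superclass lookup fails
     */
    public String getRegistrationId() throws SecurityProviderException {
        if (this.registrationId != null) {
            return this.registrationId;
        }
        return super.getRegistrationId();
    }

    /**
     * Returns the public area of the object at {@code tpm_handle}, creating and persisting a new
     * primary from {@code tpmt_public} when the handle is empty.
     *
     * @param tpm         TPM to operate on
     * @param tpm_handle  persistent handle to read or populate
     * @param tpm_rh      hierarchy under which a missing primary is created
     * @param tpmt_public template for the primary
     * @param str         label used in error messages
     * @return the public area of the existing or newly created object
     * @throws SecurityProviderException on a null response or an unexpected TPM response code
     */
    private TPMT_PUBLIC createPersistentPrimary(Tpm tpm, TPM_HANDLE tpm_handle, TPM_RH tpm_rh, TPMT_PUBLIC tpmt_public, String str) throws SecurityProviderException {
        // _allowErrors() is used so the probe's response code can be inspected below.
        ReadPublicResponse existing = tpm._allowErrors().ReadPublic(tpm_handle);
        if (existing == null) {
            throw new SecurityProviderException("ReadPublicResponse cannot be null");
        }
        TPM_RC probeResult = tpm._getLastResponseCode();
        if (probeResult == TPM_RC.SUCCESS) {
            return existing.outPublic;
        }
        // TPM_RC.HANDLE is treated as "nothing stored at this handle"; anything else is an error.
        if (probeResult != TPM_RC.HANDLE) {
            throw new SecurityProviderException("Unexpected failure {" + probeResult.name() + "} of TPM2_ReadPublic for {" + str + "}");
        }
        CreatePrimaryResponse created = tpm.CreatePrimary(
                TPM_HANDLE.from(tpm_rh),
                new TPMS_SENSITIVE_CREATE(new byte[0], new byte[0]),
                tpmt_public,
                new byte[0],
                new TPMS_PCR_SELECTION[0]);
        if (created == null) {
            throw new SecurityProviderException("CreatePrimaryResponse cannot be null");
        }
        try {
            tpm.EvictControl(TPM_HANDLE.from(TPM_RH.OWNER), created.handle, tpm_handle);
        } finally {
            // Release the transient copy even when persisting fails, so a failed attempt does not
            // leave a transient object loaded in the TPM.
            tpm.FlushContext(created.handle);
        }
        return created.outPublic;
    }

    /**
     * Evicts the object stored at {@code tpm_handle}, if there is one.
     *
     * @param tpm        TPM to operate on
     * @param tpm_handle persistent handle to clear
     * @param str        label used in error messages
     * @throws SecurityProviderException if the probe fails with a code other than
     *                                   {@code TPM_RC.HANDLE}
     */
    private void clearPersistent(Tpm tpm, TPM_HANDLE tpm_handle, String str) throws SecurityProviderException {
        tpm._allowErrors().ReadPublic(tpm_handle);
        TPM_RC probeResult = tpm._getLastResponseCode();
        if (probeResult == TPM_RC.SUCCESS) {
            // EvictControl on an already-persistent handle removes it from persistent storage.
            tpm.EvictControl(TPM_HANDLE.from(TPM_RH.OWNER), tpm_handle, tpm_handle);
        } else if (probeResult != TPM_RC.HANDLE) {
            // The "0x" prefix was previously followed by the decimal value; print real hex.
            throw new SecurityProviderException("Unexpected failure for {" + probeResult.name() + "} of TPM2_ReadPublic for " + str + " 0x" + Integer.toHexString(tpm_handle.handle));
        }
    }

    /**
     * HMACs {@code bArr} with the key at the identity-key persistent handle, splitting the input
     * into an HMAC sequence when it exceeds the TPM's {@code TPM_PT.INPUT_BUFFER} size.
     *
     * @param tpm         TPM to operate on
     * @param tpmt_public public area of the identity key; supplies the hash algorithm
     * @param bArr        data to sign
     * @return the HMAC result
     * @throws SecurityProviderException if the HMAC sequence cannot be started
     */
    private byte[] signData(Tpm tpm, TPMT_PUBLIC tpmt_public, byte[] bArr) throws SecurityProviderException {
        // NOTE(review): this field chain comes from decompiled output and may need a cast on
        // `parameters` to compile against the tss types; confirm against the library.
        TPM_ALG_ID hashAlg = tpmt_public.parameters.scheme.hashAlg;
        int maxChunk = TpmHelpers.getTpmProperty(tpm, TPM_PT.INPUT_BUFFER);
        if (bArr.length <= maxChunk) {
            return tpm.HMAC(ID_KEY_PERSISTENT_HANDLE, bArr, hashAlg);
        }
        int offset = 0;
        int remaining = bArr.length;
        TPM_HANDLE hSeq = tpm.HMAC_Start(ID_KEY_PERSISTENT_HANDLE, new byte[0], hashAlg);
        if (hSeq == null) {
            throw new SecurityProviderException("hSeq cannot be null");
        }
        // Feed full-size chunks until what is left fits in the final SequenceComplete call.
        do {
            tpm.SequenceUpdate(hSeq, Arrays.copyOfRange(bArr, offset, offset + maxChunk));
            remaining -= maxChunk;
            offset += maxChunk;
        } while (remaining > maxChunk);
        return tpm.SequenceComplete(hSeq, Arrays.copyOfRange(bArr, offset, offset + remaining), TPM_HANDLE.from(TPM_RH.NULL)).result;
    }

    /**
     * Imports the identity key carried in an activation blob and persists it in the TPM.
     *
     * <p>The blob is parsed in order as: credential blob, encrypted secret, duplication blob of
     * the identity key, encrypted wrap key, identity-key public area, encrypted URI data. The
     * inner wrap key is recovered with ActivateCredential under a policy session, the identity
     * key is imported and loaded under the SRK, and then stored at the identity-key persistent
     * handle in place of any previous key.
     *
     * <p>The URI data is decrypted inside the TPM, but the plaintext is discarded and this method
     * always returns {@code null}; callers must not rely on the return value.
     *
     * @param bArr activation blob; must not be null or empty
     * @return always {@code null}
     * @throws IllegalArgumentException  if {@code bArr} is null or empty
     * @throws SecurityProviderException if a TPM step yields a null result or the URI data
     *                                   exceeds the TPM input buffer
     */
    public byte[] activateIdentityKey(byte[] bArr) throws SecurityProviderException {
        // Reject unusable input up front instead of failing inside the blob parser.
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("key cannot be null or empty");
        }
        // The fields are read sequentially from one buffer, so the order below is significant.
        InByteBuf activationBlob = new InByteBuf(Arrays.copyOfRange(bArr, 0, bArr.length));
        TPM2B_ID_OBJECT credentialBlob = TPM2B_ID_OBJECT.fromTpm(activationBlob);
        TPM2B_ENCRYPTED_SECRET encryptedSecret = TPM2B_ENCRYPTED_SECRET.fromTpm(activationBlob);
        TPM2B_PRIVATE idKeyDupBlob = TPM2B_PRIVATE.fromTpm(activationBlob);
        TPM2B_ENCRYPTED_SECRET encryptedWrapKey = TPM2B_ENCRYPTED_SECRET.fromTpm(activationBlob);
        TPM2B_PUBLIC parsedIdKeyPub = TPM2B_PUBLIC.fromTpm(activationBlob);
        TPM2B_DATA encryptedUriData = TPM2B_DATA.fromTpm(activationBlob);
        if (parsedIdKeyPub == null) {
            throw new SecurityProviderException("Id Key Public cannot be null");
        }

        // Policy session used to authorise the EK for ActivateCredential.
        // NOTE(review): the session handle is never flushed explicitly in this method; whether it
        // is released after use depends on session attributes not visible here. Confirm that
        // failed activations do not accumulate open sessions.
        StartAuthSessionResponse policySession = this.tpm.StartAuthSession(
                TPM_HANDLE.NULL,
                TPM_HANDLE.NULL,
                Helpers.getRandom(20),
                new byte[0],
                TPM_SE.POLICY,
                new TPMT_SYM_DEF(TPM_ALG_ID.NULL, 0, TPM_ALG_ID.NULL),
                TPM_ALG_ID.SHA256);
        if (policySession == null) {
            throw new SecurityProviderException("StartAuthSessionResponse cannot be null");
        }
        this.tpm.PolicySecret(TPM_HANDLE.from(TPM_RH.ENDORSEMENT), policySession.handle, new byte[0], new byte[0], new byte[0], 0);

        // The SRK is authorised with an empty password session, the EK with the policy session.
        byte[] innerWrapKey = this.tpm
                ._withSessions(new TPM_HANDLE[]{TPM_HANDLE.pwSession(new byte[0]), policySession.handle})
                .ActivateCredential(SRK_PERSISTENT_HANDLE, EK_PERSISTENT_HANDLE, credentialBlob.credential, encryptedSecret.secret);
        if (innerWrapKey == null) {
            throw new SecurityProviderException("innerWrapKey cannot be null");
        }

        // The AES key size follows the length of the recovered wrap key; the mode is fixed to CFB.
        TPMT_SYM_DEF_OBJECT wrapKeyDef = new TPMT_SYM_DEF_OBJECT(TPM_ALG_ID.AES, innerWrapKey.length * 8, TPM_ALG_ID.CFB);
        TPM2B_PRIVATE idKeyPrivate = this.tpm.Import(SRK_PERSISTENT_HANDLE, innerWrapKey, parsedIdKeyPub.publicArea, idKeyDupBlob, encryptedWrapKey.secret, wrapKeyDef);
        if (idKeyPrivate == null) {
            throw new SecurityProviderException("idKeyPrivate cannot be null");
        }
        TPM_HANDLE hIdKey = this.tpm.Load(SRK_PERSISTENT_HANDLE, idKeyPrivate, parsedIdKeyPub.publicArea);
        if (hIdKey == null) {
            throw new SecurityProviderException("hIdKey cannot be null");
        }
        try {
            clearPersistent(this.tpm, ID_KEY_PERSISTENT_HANDLE, "ID Key");
            this.tpm.EvictControl(TPM_HANDLE.from(TPM_RH.OWNER), hIdKey, ID_KEY_PERSISTENT_HANDLE);
            // Publish the public area only once the key is persisted: signWithIdentity treats a
            // non-null idKeyPub as proof that a usable key sits at the persistent handle.
            this.idKeyPub = parsedIdKeyPub;
        } finally {
            // Release the transient handle on failure as well as on success.
            this.tpm.FlushContext(hIdKey);
        }

        int maxInput = TpmHelpers.getTpmProperty(this.tpm, TPM_PT.INPUT_BUFFER);
        if (encryptedUriData.buffer.length > maxInput) {
            throw new SecurityProviderException("Too long encrypted URI data string. Max supported length is " + maxInput);
        }

        // Wrap the recovered key as a TPM symmetric-cipher object so decryption runs in the TPM.
        // The object has userWithAuth set and an empty auth value.
        CreateResponse symKey = this.tpm.Create(
                SRK_PERSISTENT_HANDLE,
                new TPMS_SENSITIVE_CREATE(new byte[0], innerWrapKey),
                new TPMT_PUBLIC(
                        TPM_ALG_ID.SHA256,
                        new TPMA_OBJECT(new TPMA_OBJECT[]{
                            TPMA_OBJECT.decrypt,
                            TPMA_OBJECT.fixedTPM,
                            TPMA_OBJECT.fixedParent,
                            TPMA_OBJECT.userWithAuth}),
                        new byte[0],
                        new TPMS_SYMCIPHER_PARMS(wrapKeyDef),
                        new TPM2B_DIGEST_Symcipher()),
                new byte[0],
                new TPMS_PCR_SELECTION[0]);
        if (symKey == null) {
            throw new SecurityProviderException("CreateResponse cannot be null");
        }
        TPM_HANDLE hSymKey = this.tpm.Load(SRK_PERSISTENT_HANDLE, symKey.outPrivate, symKey.outPublic);
        if (hSymKey == null) {
            throw new SecurityProviderException("hSymKey cannot be null");
        }
        try {
            // (byte) 1 is passed as the decrypt argument; the IV is all zeros and as long as the key.
            // NOTE(review): the zero IV is presumably dictated by how the service encrypts the URI
            // data; confirm against the protocol.
            if (this.tpm.EncryptDecrypt2(hSymKey, encryptedUriData.buffer, (byte) 1, TPM_ALG_ID.CFB, new byte[innerWrapKey.length]) == null) {
                throw new SecurityProviderException("EncryptDecryptResponse cannot be null");
            }
        } finally {
            // Previously skipped when the null check above threw, leaving the key loaded.
            this.tpm.FlushContext(hSymKey);
        }
        return null;
    }

    /**
     * HMACs {@code bArr} with the persisted identity key.
     *
     * @param bArr data to sign; must not be null or empty
     * @return the HMAC result
     * @throws IllegalArgumentException  if {@code bArr} is null or empty
     * @throws SecurityProviderException if no identity key has been activated yet, or signing fails
     */
    public byte[] signWithIdentity(byte[] bArr) throws SecurityProviderException {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("deviceIdData cannot be null or empty");
        }
        if (this.idKeyPub == null) {
            throw new SecurityProviderException("activateIdentityKey first before signing");
        }
        return signData(this.tpm, this.idKeyPub.publicArea, bArr);
    }

    /**
     * Returns the public area of the key stored at the EK persistent handle, wrapped in a
     * {@code TPM2B_PUBLIC} and serialised with {@code toTpm()}.
     *
     * @return the serialised EK public area
     * @throws SecurityProviderException declared by the provider contract
     */
    public byte[] getEndorsementKey() throws SecurityProviderException {
        return new TPM2B_PUBLIC(this.ekPublic).toTpm();
    }

    /**
     * Returns the public area of the key stored at the SRK persistent handle, wrapped in a
     * {@code TPM2B_PUBLIC} and serialised with {@code toTpm()}.
     *
     * @return the serialised SRK public area
     * @throws SecurityProviderException declared by the provider contract
     */
    public byte[] getStorageRootKey() throws SecurityProviderException {
        return new TPM2B_PUBLIC(this.srkPublic).toTpm();
    }
}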
