package de.rki.covpass.sdk.cert;

import COSE.CoseException;
import COSE.OneKey;
import COSE.Sign1Message;
import com.upokecenter.cbor.CBORObject;
import de.rki.covpass.sdk.cert.models.CBORWebToken;
import de.rki.covpass.sdk.cert.models.CovCertificate;
import de.rki.covpass.sdk.cert.models.DGCEntry;
import de.rki.covpass.sdk.cert.models.TestCert;
import de.rki.covpass.sdk.cert.models.Vaccination;
import de.rki.covpass.sdk.crypto.KeyIdentifier;
import de.rki.covpass.sdk.utils.CBORObjectUtilsKt;
import de.rki.covpass.sdk.utils.HexKt;
import j$.time.Instant;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.collections.CollectionsKt__CollectionsKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.collections.SetsKt__SetsKt;
import kotlin.collections.SetsKt___SetsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.Reflection;
import kotlin.ranges.IntRange;
import kotlin.text.StringsKt__StringsKt;
import kotlinx.serialization.SerializersKt;
import kotlinx.serialization.cbor.Cbor;

/* loaded from: classes4.dex */
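/**
 * Verifies COSE_Sign1-signed CBOR Web Tokens against a list of trusted signer certificates and
 * decodes the contained certificate payload into a {@link CovCertificate}.
 *
 * <p>Trust is established only by a successful signature check against a certificate from the
 * current {@link CertValidatorState}. The key identifier in the COSE headers is used purely as a
 * lookup hint.
 *
 * <p>NOTE(review): this is decompiled output. The COSE token comes from untrusted input, and
 * several accessors below ({@code get(4)}, {@code get(3)}, {@code get(-260)}, the fixed-length
 * slices) presumably fail with unchecked exceptions on malformed tokens. Callers should treat any
 * exception from this class as "not valid" — confirm against the call sites.
 */
public final class CertValidator {
    private static final Companion Companion = new Companion(null);
    private final Set<String> allCertOids;
    private final Cbor cbor;
    private final Set<String> recoveryCertOids;
    private CertValidatorState state;
    private final Set<String> testCertOids;
    private final Set<String> vaccinationCertOids;

    /* loaded from: classes4.dex */
    private static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Creates a validator for the given trust list.
     *
     * @param trusted signer certificates that are accepted as trust anchors
     * @param cbor CBOR decoder used to deserialize the certificate payload
     */
    public CertValidator(Iterable<TrustedCert> trusted, Cbor cbor) {
        Intrinsics.checkNotNullParameter(trusted, "trusted");
        Intrinsics.checkNotNullParameter(cbor, "cbor");
        this.cbor = cbor;
        this.state = new CertValidatorState(trusted);
        // Extended-key-usage OIDs that restrict a signer certificate to one certificate type.
        // Each type is listed under two arcs (with and without the extra ".0").
        Set<String> vaccinationOids = SetsKt__SetsKt.setOf((Object[]) new String[]{"1.3.6.1.4.1.1847.2021.1.2", "1.3.6.1.4.1.0.1847.2021.1.2"});
        this.vaccinationCertOids = vaccinationOids;
        Set<String> testOids = SetsKt__SetsKt.setOf((Object[]) new String[]{"1.3.6.1.4.1.1847.2021.1.1", "1.3.6.1.4.1.0.1847.2021.1.1"});
        this.testCertOids = testOids;
        Set<String> recoveryOids = SetsKt__SetsKt.setOf((Object[]) new String[]{"1.3.6.1.4.1.1847.2021.1.3", "1.3.6.1.4.1.0.1847.2021.1.3"});
        this.recoveryCertOids = recoveryOids;
        // Union of all three sets; used to tell "restricted" signer certificates from unrestricted ones.
        Set vaccinationAndTest = SetsKt___SetsKt.plus((Set) vaccinationOids, (Iterable) testOids);
        Set<String> all = SetsKt___SetsKt.plus((Set) vaccinationAndTest, (Iterable) recoveryOids);
        this.allCertOids = all;
    }

    /**
     * Attaches the signer key id and a hex-encoded signature prefix to the certificate when export
     * mode is requested; otherwise returns the certificate unchanged.
     */
    private final CovCertificate addDataForExportMode(boolean exportMode, CovCertificate covCertificate, String kid, byte[] signaturePrefix) {
        if (!exportMode) {
            return covCertificate;
        }
        String hex = HexKt.toHex(signaturePrefix);
        Objects.requireNonNull(hex, "null cannot be cast to non-null type kotlin.CharSequence");
        CharSequence trimmed = StringsKt__StringsKt.trim(hex);
        // Mask 511 (bits 0..8 set) keeps the first nine properties and replaces only the last two.
        return CovCertificate.copy$default(covCertificate, null, null, null, null, null, null, null, null, null, kid, trimmed.toString(), 511, null);
    }

    /**
     * Checks whether the signer certificate is allowed to sign the given kind of entry.
     *
     * <p>A signer certificate that carries none of the known type OIDs in its extended key usage is
     * treated as unrestricted and accepted for every entry type. Only a certificate that lists at
     * least one known OID is required to list one matching the entry's type. Any entry that is
     * neither a {@link Vaccination} nor a {@link TestCert} is checked against the recovery OIDs.
     *
     * @return {@code true} if the certificate may sign this entry
     */
    private final boolean checkCertOid(X509Certificate x509Certificate, DGCEntry dGCEntry) {
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        Set knownUsages;
        if (extendedKeyUsage == null || extendedKeyUsage.isEmpty()) {
            knownUsages = SetsKt__SetsKt.emptySet();
        } else {
            knownUsages = CollectionsKt___CollectionsKt.intersect(CollectionsKt___CollectionsKt.toSet(extendedKeyUsage), this.allCertOids);
        }
        if (knownUsages.isEmpty()) {
            // No type restriction declared on the signer certificate.
            return true;
        }
        Set<String> expectedOids;
        if (dGCEntry instanceof Vaccination) {
            expectedOids = this.vaccinationCertOids;
        } else if (dGCEntry instanceof TestCert) {
            expectedOids = this.testCertOids;
        } else {
            expectedOids = this.recoveryCertOids;
        }
        Set matching = CollectionsKt___CollectionsKt.intersect(expectedOids, knownUsages);
        return !matching.isEmpty();
    }

    /** Returns the trusted certificates registered under the key id, or an empty list if none. */
    private final List<TrustedCert> findByKid(KeyIdentifier keyIdentifier) {
        List<TrustedCert> matches = this.state.getKidToCerts().get(keyIdentifier);
        return matches != null ? matches : CollectionsKt__CollectionsKt.<TrustedCert>emptyList();
    }

    /**
     * Verifies the COSE signature against the trust list and decodes the certificate.
     *
     * <p>Candidate signer certificates are selected by the key id from the COSE headers. If the key
     * id is unknown, every trusted certificate is tried. A candidate is used only if it is within
     * its validity period and the signature verifies with its public key.
     *
     * @param cose the COSE_Sign1 message taken from untrusted input
     * @param z passed through as the export-mode flag (original parameter name is lost in the
     *     decompiled output); when {@code true} the result also carries the signer key id and a
     *     hex-encoded signature prefix
     * @return the decoded certificate with issuer and validity taken from the token
     * @throws ExpiredCwtException if the token's expiry time is in the past
     * @throws BadCoseSignatureException if no usable trusted certificate verifies the signature
     * @throws NoMatchingExtendedKeyUsageException if the verifying certificate is restricted to
     *     another certificate type
     */
    public final CovCertificate decodeAndValidate(Sign1Message cose, boolean z) {
        Intrinsics.checkNotNullParameter(cose, "cose");
        byte[] content = cose.GetContent();
        Intrinsics.checkNotNullExpressionValue(content, "cose.GetContent()");
        CBORWebToken decode = CBORWebToken.Companion.decode(content);
        // Expiry is read from the payload before the signature is checked: an expired token is
        // rejected as expired whether or not its signature would verify.
        if (decode.getValidUntil().isBefore(Instant.now())) {
            throw new ExpiredCwtException(null, 1, null);
        }

        // Header label 4 is the COSE key identifier. The protected header is preferred; the
        // unprotected header is the fallback. The value is only a lookup hint, so it does not need
        // to be covered by the signature.
        // NOTE(review): a kid shorter than 8 bytes, or a missing kid in both headers, is not
        // handled here and presumably surfaces as an unchecked exception.
        byte[] kidBytes = null;
        CBORObject protectedAttributes = cose.getProtectedAttributes();
        if (protectedAttributes != null) {
            CBORObject protectedKid = protectedAttributes.get(4);
            if (protectedKid != null) {
                byte[] raw = protectedKid.GetByteString();
                if (raw != null) {
                    kidBytes = ArraysKt___ArraysKt.sliceArray(raw, new IntRange(0, 7));
                }
            }
        }
        if (kidBytes == null) {
            byte[] raw = cose.getUnprotectedAttributes().get(4).GetByteString();
            Intrinsics.checkNotNullExpressionValue(raw, "cose.unprotectedAttributes.get(4).GetByteString()");
            kidBytes = ArraysKt___ArraysKt.sliceArray(raw, new IntRange(0, 7));
        }
        KeyIdentifier keyIdentifier = new KeyIdentifier(kidBytes);

        // Element 3 of the COSE_Sign1 array is the signature; its first 32 bytes are kept for
        // export mode only and play no part in verification.
        byte[] signature = cose.EncodeToCBORObject().get(3).GetByteString();
        Intrinsics.checkNotNullExpressionValue(signature, "cose.EncodeToCBORObject().get(3).GetByteString()");
        byte[] sliceArray = ArraysKt___ArraysKt.sliceArray(signature, new IntRange(0, 31));

        List<TrustedCert> candidates = findByKid(keyIdentifier);
        if (candidates.isEmpty()) {
            // Unknown kid: fall back to trying every trusted certificate.
            candidates = CollectionsKt___CollectionsKt.toList(this.state.getTrustedCerts());
        }
        for (TrustedCert trustedCert : candidates) {
            boolean signatureOk;
            try {
                // The validity check and the signature check must fail together: a signer
                // certificate that is expired or not yet valid is skipped, never used to verify.
                trustedCert.getCertificate().checkValidity();
                signatureOk = cose.validate(new OneKey(trustedCert.getCertificate().getPublicKey(), null));
            } catch (CoseException | GeneralSecurityException ignored) {
                // Unusable candidate; try the next one.
                signatureOk = false;
            }
            if (signatureOk) {
                // Kept outside the try block so exceptions from decoding and the key-usage check
                // reach the caller unchanged.
                return addDataForExportMode(z, decodeAndValidate$covpass_sdk_release(decode, trustedCert.getCertificate()), trustedCert.getKid(), sliceArray);
            }
        }
        throw new BadCoseSignatureException(null, 1, null);
    }

    /**
     * Decodes the certificate from an already signature-verified token and enforces the signer
     * certificate's extended-key-usage restriction.
     *
     * <p>This method does not verify any signature itself.
     *
     * @param cwt the decoded CBOR Web Token
     * @param cert the signer certificate that verified the token
     * @return the certificate with issuer, valid-from and valid-until copied from the token
     * @throws NoMatchingExtendedKeyUsageException if {@code cert} is restricted to another type
     */
    public final CovCertificate decodeAndValidate$covpass_sdk_release(CBORWebToken cwt, X509Certificate cert) {
        Intrinsics.checkNotNullParameter(cwt, "cwt");
        Intrinsics.checkNotNullParameter(cert, "cert");
        CovCertificate decoded = decodeCovCert$covpass_sdk_release(cwt);
        if (!checkCertOid(cert, decoded.getDgcEntry())) {
            throw new NoMatchingExtendedKeyUsageException(null, 1, null);
        }
        // Mask 2040 (bits 3..10 set) replaces only the first three properties.
        return CovCertificate.copy$default(decoded, cwt.getIssuer(), cwt.getValidFrom(), cwt.getValidUntil(), null, null, null, null, null, null, null, null, 2040, null);
    }

    /**
     * Deserializes the certificate payload from the token's health-certificate claim.
     *
     * <p>Performs no signature, expiry or key-usage check.
     *
     * @param cwt the decoded CBOR Web Token
     * @return the deserialized certificate
     */
    public final CovCertificate decodeCovCert$covpass_sdk_release(CBORWebToken cwt) {
        Intrinsics.checkNotNullParameter(cwt, "cwt");
        Cbor decoder = this.cbor;
        // Claim -260 holds the health certificate container, key 1 the certificate itself.
        // NOTE(review): a token without this claim is not handled here — confirm how callers cope.
        CBORObject cBORObject = cwt.getRawCbor().get(-260).get(1);
        Intrinsics.checkNotNullExpressionValue(cBORObject, "cwt.rawCbor[HEALTH_CERTI…IGITAL_GREEN_CERTIFICATE]");
        byte[] EncodeToBytes = CBORObjectUtilsKt.trimAllStrings(cBORObject).EncodeToBytes();
        Intrinsics.checkNotNullExpressionValue(EncodeToBytes, "cwt.rawCbor[HEALTH_CERTI…Strings().EncodeToBytes()");
        return (CovCertificate) decoder.decodeFromByteArray(SerializersKt.serializer(decoder.getSerializersModule(), Reflection.typeOf(CovCertificate.class)), EncodeToBytes);
    }

    /**
     * Replaces the trust list used for all subsequent validations.
     *
     * @param trusted the new set of trusted signer certificates
     */
    public final void updateTrustedCerts(Iterable<TrustedCert> trusted) {
        Intrinsics.checkNotNullParameter(trusted, "trusted");
        this.state = new CertValidatorState(trusted);
    }
}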
