package de.rki.covpass.sdk.cert;

import COSE.CoseException;
import COSE.n;
import COSE.p;
import com.upokecenter.cbor.l;
import de.rki.covpass.sdk.cert.models.CBORWebToken;
import de.rki.covpass.sdk.cert.models.CovCertificate;
import de.rki.covpass.sdk.cert.models.DGCEntry;
import de.rki.covpass.sdk.cert.models.Test;
import de.rki.covpass.sdk.cert.models.Vaccination;
import de.rki.covpass.sdk.crypto.KeyIdentifier;
import de.rki.covpass.sdk.dependencies.CoreKt;
import j$.time.Instant;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Set;
import kotlin.Metadata;
import kotlin.collections.ArraysKt___ArraysKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.collections.p0;
import kotlin.collections.q;
import kotlin.collections.q0;
import kotlin.jvm.internal.k;
import kotlin.jvm.internal.u;
import kotlin.ranges.IntRange;
import kotlinx.serialization.SerializersKt;
import kotlinx.serialization.cbor.Cbor;

@Metadata(d1 = {"\u0000l\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0010\u001c\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\"\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010 \n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018\u0000 &2\u00020\u0001:\u0001&B\u001d\u0012\f\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003\u0012\b\b\u0002\u0010\u0005\u001a\u00020\u0006¢\u0006\u0002\u0010\u0007J\u001d\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\u0006\u0010\u0014\u001a\u00020\u0015H\u0000¢\u0006\u0002\b\u0016J\u0015\u0010\u0017\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u0013H\u0000¢\u0006\u0002\b\u0018J\u0016\u0010\u0019\u001a\b\u0012\u0004\u0012\u00020\u00040\u001a2\u0006\u0010\u001b\u001a\u00020\u001cH\u0002J\u0014\u0010\u001d\u001a\u00020\u001e2\f\u0010\u0002\u001a\b\u0012\u0004\u0012\u00020\u00040\u0003J\u000e\u0010\u001f\u001a\u00020\u00112\u0006\u0010 \u001a\u00020!J\u0014\u0010\"\u001a\u00020#*\u00020\u00152\u0006\u0010$\u001a\u00020%H\u0002R\u0014\u0010\b\u001a\b\u0012\u0004\u0012\u00020\n0\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0005\u001a\u00020\u0006X\u0082\u0004¢\u0006\u0002\n\u0000R\u0014\u0010\u000b\u001a\b\u0012\u0004\u0012\u00020\n0\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\f\u001a\u00020\rX\u0082\u000e¢\u0006\u0002\n\u0000R\u0014\u0010\u000e\u001a\b\u0012\u0004\u0012\u00020\n0\tX\u0082\u0004¢\u0006\u0002\n\u0000R\u0014\u0010\u000f\u001a\b\u0012\u0004\u0012\u00020\n0\tX\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006'"}, d2 = {"Lde/rki/covpass/sdk/cert/CertValidator;", "", "trusted", "", "Lde/rki/covpass/sdk/cert/TrustedCert;", "cbor", "Lkotlinx/serialization/cbor/Cbor;", 
"(Ljava/lang/Iterable;Lkotlinx/serialization/cbor/Cbor;)V", "allCertOids", "", "", "recoveryCertOids", "state", "Lde/rki/covpass/sdk/cert/CertValidatorState;", "testCertOids", "vaccinationCertOids", "decodeAndValidate", "Lde/rki/covpass/sdk/cert/models/CovCertificate;", "cwt", "Lde/rki/covpass/sdk/cert/models/CBORWebToken;", "cert", "Ljava/security/cert/X509Certificate;", "decodeAndValidate$covpass_sdk_release", "decodeCovCert", "decodeCovCert$covpass_sdk_release", "findByKid", "", "kid", "Lde/rki/covpass/sdk/crypto/KeyIdentifier;", "updateTrustedCerts", "", "validate", "cose", "LCOSE/Sign1Message;", "checkCertOid", "", "dgcEntry", "Lde/rki/covpass/sdk/cert/models/DGCEntry;", "Companion", "covpass-sdk_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* renamed from: de.rki.covpass.sdk.cert.b, reason: from Kotlin metadata */
/* loaded from: classes3.dex */
/*
 * Verifies COSE Sign1 messages carrying a CBOR Web Token against a set of trusted signer
 * certificates and decodes the embedded certificate payload.
 *
 * This listing is decompiler output of a Kotlin class, and member names are obfuscated.
 * The original Kotlin names quoted in the comments below are taken from the @Metadata
 * annotation on this class.
 *
 * Trust model as visible here: a message is accepted only if its signature verifies under the
 * public key of a TrustedCert held in the current CertValidatorState. No certificate path
 * building or revocation lookup is performed anywhere in this class.
 */
public final class CertValidator {
    // Kotlin companion object; per its @Metadata it only declares the int constants
    // DIGITAL_GREEN_CERTIFICATE and HEALTH_CERTIFICATE_CLAIM, which do not survive as fields here.
    private static final a Companion = new a(null);
    // "cbor": kotlinx.serialization decoder used by c(CBORWebToken).
    private final Cbor a;
    // "state": current trust list; replaced wholesale by e(Iterable). Plain non-final field,
    // no synchronization is visible in this class.
    private CertValidatorState b;
    // "vaccinationCertOids" (selected for Vaccination entries in a(X509Certificate, DGCEntry)).
    private final Set<String> c;
    // "testCertOids" (selected for Test entries).
    private final Set<String> d;

    /* renamed from: e, reason: collision with root package name */
    // "recoveryCertOids" (selected for every entry that is neither Vaccination nor Test).
    private final Set<String> f8183e;

    /* renamed from: f, reason: collision with root package name */
    // "allCertOids": union of the three sets above.
    private final Set<String> f8184f;

    @Metadata(d1 = {"\u0000\u0014\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010\b\n\u0002\b\u0002\b\u0082\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002R\u000e\u0010\u0003\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n\u0000R\u000e\u0010\u0005\u001a\u00020\u0004X\u0082T¢\u0006\u0002\n\u0000¨\u0006\u0006"}, d2 = {"Lde/rki/covpass/sdk/cert/CertValidator$Companion;", "", "()V", "DIGITAL_GREEN_CERTIFICATE", "", "HEALTH_CERTIFICATE_CLAIM", "covpass-sdk_release"}, k = 1, mv = {1, 5, 1}, xi = 48)
    /* renamed from: de.rki.covpass.sdk.cert.b$a */
    /* loaded from: classes3.dex */
    private static final class a {
        private a() {
        }

        // Synthetic constructor emitted by the Kotlin compiler; the marker argument is unused.
        public /* synthetic */ a(k kVar) {
            this();
        }
    }

    /**
     * Creates a validator for the given trust list.
     *
     * @param iterable trusted signer certificates ("trusted"), wrapped in a new CertValidatorState
     * @param cbor     decoder used for the certificate payload ("cbor")
     */
    public CertValidator(Iterable<TrustedCert> iterable, Cbor cbor) {
        Set<String> h2;
        Set<String> h3;
        Set<String> h4;
        Set j2;
        Set<String> j3;
        this.a = cbor;
        this.b = new CertValidatorState(iterable);
        // Each set holds two spellings of the same extended-key-usage OID: one under
        // 1.3.6.1.4.1.1847 and one with an additional "0" arc (1.3.6.1.4.1.0.1847).
        // Both spellings are treated as equivalent by the check in a(X509Certificate, DGCEntry).
        h2 = p0.h("1.3.6.1.4.1.1847.2021.1.2", "1.3.6.1.4.1.0.1847.2021.1.2");
        this.c = h2;
        h3 = p0.h("1.3.6.1.4.1.1847.2021.1.1", "1.3.6.1.4.1.0.1847.2021.1.1");
        this.d = h3;
        h4 = p0.h("1.3.6.1.4.1.1847.2021.1.3", "1.3.6.1.4.1.0.1847.2021.1.3");
        this.f8183e = h4;
        // Union of the three per-type sets, used to detect "certificate carries any known OID".
        j2 = q0.j(h2, h3);
        j3 = q0.j(j2, h4);
        this.f8184f = j3;
    }

    // Kotlin default-argument bridge: when bit 2 of the mask is set, the cbor argument was
    // omitted by the caller and CoreKt.b() supplies the default decoder.
    public /* synthetic */ CertValidator(Iterable iterable, Cbor cbor, int i2, k kVar) {
        this(iterable, (i2 & 2) != 0 ? CoreKt.b() : cbor);
    }

    /**
     * Checks whether the signer certificate's extended key usage permits the given entry type
     * (Kotlin: extension {@code X509Certificate.checkCertOid(dgcEntry)}).
     *
     * The restriction is opt-in on the certificate side: a certificate whose EKU extension is
     * absent, empty, or contains none of the OIDs in {@code f8184f} passes for every entry type.
     * Only a certificate that carries at least one known OID must carry one matching the entry.
     *
     * @return {@code false} only when the certificate carries known OIDs and none of them belongs
     *         to the set selected for the entry type; {@code true} otherwise
     */
    private final boolean a(X509Certificate x509Certificate, DGCEntry dGCEntry) {
        Set Z0;
        Set i0;
        Set i02;
        // getExtendedKeyUsage() can throw CertificateParsingException; the only caller chain
        // visible here runs inside the try block of f(p), which catches GeneralSecurityException.
        List<String> extendedKeyUsage = x509Certificate.getExtendedKeyUsage();
        if (extendedKeyUsage == null || extendedKeyUsage.isEmpty()) {
            // No EKU at all: empty set, which skips the restriction below.
            i0 = p0.d();
        } else {
            // Known OIDs present on the certificate (EKU values passed together with allCertOids;
            // i0 is presumably Kotlin's intersect — obfuscated name, confirm).
            Z0 = CollectionsKt___CollectionsKt.Z0(x509Certificate.getExtendedKeyUsage());
            i0 = CollectionsKt___CollectionsKt.i0(Z0, this.f8184f);
        }
        if (!i0.isEmpty()) {
            // Pick the OID set for the entry type; anything that is neither Vaccination nor Test
            // falls through to the recovery set.
            i02 = CollectionsKt___CollectionsKt.i0(dGCEntry instanceof Vaccination ? this.c : dGCEntry instanceof Test ? this.d : this.f8183e, i0);
            if (!(!i02.isEmpty())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Looks up the trusted certificates registered under a key identifier
     * (Kotlin: {@code findByKid(kid)}).
     *
     * @return the list stored for the kid, or an empty list (never {@code null} on either path
     *         visible here)
     */
    private final List<TrustedCert> d(KeyIdentifier keyIdentifier) {
        List<TrustedCert> h2;
        List<TrustedCert> list = this.b.a().get(keyIdentifier);
        if (list != null) {
            return list;
        }
        h2 = q.h();
        return h2;
    }

    /**
     * Decodes the certificate payload of a CWT and applies the extended-key-usage check for the
     * given signer certificate (Kotlin: {@code decodeAndValidate(cwt, cert)}, internal).
     *
     * This method does not verify any signature itself; in this class it is only reached from
     * f(p) after the signature has been verified against {@code x509Certificate}'s key.
     *
     * @throws NoMatchingExtendedKeyUsageException when a(X509Certificate, DGCEntry) rejects the
     *         combination of signer certificate and entry type
     */
    public final CovCertificate b(CBORWebToken cBORWebToken, X509Certificate x509Certificate) {
        CovCertificate d;
        CovCertificate c = c(cBORWebToken);
        // NOTE(review): ambiguous decompiler output. `c` is the local CovCertificate declared
        // above and presumably also an obfuscated class name in this package; what this call
        // checks cannot be determined from this listing — confirm against the original source.
        c.a(c);
        if (!a(x509Certificate, c.g())) {
            throw new NoMatchingExtendedKeyUsageException(null, 1, null);
        }
        // NOTE(review): `r20` is not declared anywhere in this listing. This looks like an
        // inlined Kotlin copy$default call; presumably issuer, validFrom and validUntil are taken
        // from the CWT and the remaining fields are kept from the decoded payload — confirm.
        d = c.d((r20 & 1) != 0 ? c.issuer : cBORWebToken.getIssuer(), (r20 & 2) != 0 ? c.validFrom : cBORWebToken.getValidFrom(), (r20 & 4) != 0 ? c.validUntil : cBORWebToken.getValidUntil(), (r20 & 8) != 0 ? c.name : null, (r20 & 16) != 0 ? c.birthDate : null, (r20 & 32) != 0 ? c.vaccinations : null, (r20 & 64) != 0 ? c.tests : null, (r20 & 128) != 0 ? c.recoveries : null, (r20 & 256) != 0 ? c.version : null);
        return d;
    }

    /**
     * Deserializes the certificate payload from a CWT without any validation
     * (Kotlin: {@code decodeCovCert(cwt)}, internal).
     *
     * Performs no signature, expiry or key-usage check: the result is unverified data unless the
     * caller has validated the enclosing COSE message, as f(p) does.
     */
    public final CovCertificate c(CBORWebToken cBORWebToken) {
        Cbor cbor = this.a;
        // Reads map key -260, then key 1 inside it, from the raw CBOR and hands the result to the
        // kotlinx decoder (K() presumably re-encodes the item to bytes — obfuscated name).
        // NOTE(review): neither lookup is null-checked here; confirm how a token lacking these
        // keys surfaces to callers.
        return (CovCertificate) cbor.c(SerializersKt.serializer(cbor.getB(), u.i(CovCertificate.class)), cBORWebToken.getRawCbor().j1(-260).j1(1).K());
    }

    /**
     * Replaces the trust list with a new CertValidatorState built from the given certificates
     * (Kotlin: {@code updateTrustedCerts(trusted)}).
     */
    public final void e(Iterable<TrustedCert> iterable) {
        this.b = new CertValidatorState(iterable);
    }

    /**
     * Verifies a COSE Sign1 message and returns the decoded certificate
     * (Kotlin: {@code validate(cose: Sign1Message)}).
     *
     * Steps visible in this method:
     * 1. Parse the CWT from the message content and reject it if validUntil is before
     *    Instant.now(). The check relies on the device clock, and validFrom is not checked here.
     * 2. Take a slice of the header value at label 4 as the key identifier and collect the
     *    trusted certificates registered for it; if there are none, try every trusted certificate.
     * 3. Accept the first candidate whose X.509 validity period covers the current time, whose
     *    country equals the CWT issuer, and for which pVar.n(...) returns true (presumably COSE
     *    signature verification — obfuscated name), then run b(CBORWebToken, X509Certificate).
     *
     * @throws ExpiredCwtException when the CWT's validUntil lies in the past
     * @throws BadCoseSignatureException when no candidate certificate passes step 3
     */
    public final CovCertificate f(p pVar) {
        byte[] l0;
        CBORWebToken a2 = CBORWebToken.INSTANCE.a(pVar.i());
        if (a2.getValidUntil().isBefore(Instant.now())) {
            throw new ExpiredCwtException(null, 1, null);
        }
        // Key identifier: label 4 of one header map (d(), presumably the protected attributes),
        // sliced with IntRange(0, 7).
        l d = pVar.d();
        l j1 = d == null ? null : d.j1(4);
        byte[] e0 = (j1 == null || (l0 = j1.l0()) == null) ? null : ArraysKt___ArraysKt.e0(l0, new IntRange(0, 7));
        if (e0 == null) {
            // Fallback to the other header map (e(), presumably the unprotected attributes).
            // The kid only narrows the candidate list; acceptance still requires the signature
            // check against a trusted certificate's key in the loop below.
            // NOTE(review): this path has no null checks, and the slice is not guarded against a
            // shorter byte string; confirm how messages without a usable kid surface to callers.
            e0 = ArraysKt___ArraysKt.e0(pVar.e().j1(4).l0(), new IntRange(0, 7));
        }
        List<TrustedCert> d2 = d(new KeyIdentifier(e0));
        if (d2 == null || d2.isEmpty()) {
            // Unknown kid: fall back to trying every trusted certificate.
            d2 = CollectionsKt___CollectionsKt.V0(this.b.b());
        }
        for (TrustedCert trustedCert : d2) {
            try {
                // Signer certificate must be within its own validity period right now.
                trustedCert.getCertificate().checkValidity();
                // Issuer country binding is evaluated before the signature check.
                if (kotlin.jvm.internal.q.c(trustedCert.getCountry(), a2.getIssuer()) && pVar.n(new n(trustedCert.getCertificate().getPublicKey(), null))) {
                    return b(a2, trustedCert.getCertificate());
                }
            } catch (CoseException | GeneralSecurityException unused) {
                // Deliberately ignored so the next candidate is tried. Consequence: an expired or
                // not-yet-valid signer certificate, or a verification error, is reported below
                // as a bad signature with no record of the underlying cause.
            }
        }
        throw new BadCoseSignatureException(null, 1, null);
    }
}
