package de.rki.coronawarnapp.dccticketing.core.common;

import androidx.core.graphics.PathParser$$ExternalSyntheticOutline0;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jca.JCAContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.StandardCharset;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import de.rki.coronawarnapp.SecurityProvider;
import de.rki.coronawarnapp.dccticketing.core.common.DccTicketingJwtException;
import de.rki.coronawarnapp.dccticketing.core.transaction.DccJWK;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt__CollectionsKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlinx.coroutines.internal.LockFreeLinkedList_commonKt;
import okio.ByteString;
import org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import timber.log.Timber;

/* compiled from: DccJWKVerification.kt */
@Metadata(d1 = {"\u00004\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\"\n\u0002\u0018\u0002\n\u0000\u0018\u00002\u00020\u0001B\u000f\b\u0007\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0016\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\nJ\u001c\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u000b\u001a\u00020\f2\f\u0010\r\u001a\b\u0012\u0004\u0012\u00020\u000f0\u000e¨\u0006\u0010"}, d2 = {"Lde/rki/coronawarnapp/dccticketing/core/common/DccJWKVerification;", "", "securityProvider", "Lde/rki/coronawarnapp/SecurityProvider;", "(Lde/rki/coronawarnapp/SecurityProvider;)V", "verify", "", "signedJWT", "Lcom/nimbusds/jwt/SignedJWT;", "publicKey", "Ljava/security/PublicKey;", "jwt", "", "jwkSet", "", "Lde/rki/coronawarnapp/dccticketing/core/transaction/DccJWK;", "Corona-Warn-App_deviceRelease"}, k = 1, mv = {1, 7, 1}, xi = 48)
/* loaded from: classes.dex */
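/*
 * Verifies the signature of a DCC ticketing JWT against a set of JWKs.
 *
 * This is decompiled output: several Nimbus JOSE calls appear inlined as direct field
 * accesses (header, state, signingInputString, signature, jcaContext).
 *
 * Security-relevant properties visible in this class:
 *  - The algorithm is read from the JWT header, which the token issuer controls. It is only
 *    accepted if it is ES256, PS256 or RS256, so "none" and HMAC algorithms are rejected.
 *  - The key is cast to the type the algorithm requires (EC for ES256, RSA for PS256/RS256).
 *    A key of the other family fails that cast instead of being used with the wrong algorithm.
 *  - Only the public key of the first x5c entry is used. No certificate chain, validity period
 *    or revocation check is visible here, so the JWK set presumably has to come from a source
 *    that is already trusted. NOTE(review): confirm at the caller.
 */
public final class DccJWKVerification {
    /**
     * Creates the verifier and initializes the given security provider.
     *
     * @param securityProvider provider whose {@code initialize()} is called once here
     */
    public DccJWKVerification(SecurityProvider securityProvider) {
        Intrinsics.checkNotNullParameter(securityProvider, "securityProvider");
        securityProvider.initialize();
    }

    /**
     * Returns the shared BouncyCastle provider, creating it on first use.
     * The lazy initialization is unsynchronized, exactly as in the decompiled original.
     */
    private static java.security.Provider bouncyCastleProvider() {
        if (LockFreeLinkedList_commonKt.bouncyCastleProvider == null) {
            LockFreeLinkedList_commonKt.bouncyCastleProvider = new BouncyCastleProvider();
        }
        return LockFreeLinkedList_commonKt.bouncyCastleProvider;
    }

    /**
     * Verifies the signature of an already parsed JWT with one public key.
     *
     * @param signedJWT the parsed JWT; its state is set to VERIFIED on success
     * @param publicKey the key to verify with; must be an EC key for ES256 and an RSA key for
     *                  PS256/RS256, otherwise the cast below throws {@link ClassCastException}
     * @throws DccTicketingJwtException with JWT_VER_ALG_NOT_SUPPORTED if the header algorithm is
     *                                  not ES256, PS256 or RS256, or with JWT_VER_SIG_INVALID if
     *                                  the signature does not match
     * @throws IllegalStateException    if the JWT is neither in the SIGNED nor the VERIFIED state
     */
    public final void verify(SignedJWT signedJWT, PublicKey publicKey) {
        boolean signatureValid;
        Intrinsics.checkNotNullParameter(signedJWT, "signedJWT");
        Intrinsics.checkNotNullParameter(publicKey, "publicKey");
        // The algorithm comes from the token header, so it is checked against a fixed set here
        // and the key is cast to the matching key family before a verifier is built.
        JWSAlgorithm jWSAlgorithm = (JWSAlgorithm) signedJWT.header.alg;
        com.nimbusds.jose.JWSVerifier verifier;
        if (Intrinsics.areEqual(jWSAlgorithm, JWSAlgorithm.ES256)) {
            ECDSAVerifier ecdsaVerifier = new ECDSAVerifier((BCECPublicKey) publicKey);
            ((JCAContext) ecdsaVerifier.jcaContext).provider = bouncyCastleProvider();
            verifier = ecdsaVerifier;
        } else if (Intrinsics.areEqual(jWSAlgorithm, JWSAlgorithm.PS256)
                || Intrinsics.areEqual(jWSAlgorithm, JWSAlgorithm.RS256)) {
            RSASSAVerifier rsaVerifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            ((JCAContext) rsaVerifier.jcaContext).provider = bouncyCastleProvider();
            verifier = rsaVerifier;
        } else {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_ALG_NOT_SUPPORTED, null, 2, null);
        }
        // Signature check and state transition happen under the JWT's own monitor.
        synchronized (signedJWT) {
            AtomicReference<JWSObject.State> atomicReference = signedJWT.state;
            if (atomicReference.get() != JWSObject.State.SIGNED && atomicReference.get() != JWSObject.State.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                signatureValid = verifier.verify(signedJWT.header, signedJWT.signingInputString.getBytes(StandardCharset.UTF_8), signedJWT.signature);
                if (signatureValid) {
                    signedJWT.state.set(JWSObject.State.VERIFIED);
                }
            } catch (JOSEException e) {
                throw e;
            } catch (Exception e2) {
                // Wrap anything else so the cause is preserved for the caller.
                throw new JOSEException(e2.getMessage(), e2);
            }
        }
        if (!signatureValid) {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_SIG_INVALID, null, 2, null);
        }
    }

    /**
     * Parses a compact JWT and verifies it against every JWK whose kid matches the header kid.
     * Returns normally as soon as one key verifies the signature.
     *
     * @param jwt    the JWT in compact serialization (three Base64URL parts)
     * @param jwkSet candidate keys; each one carries a kid and an x5c certificate list
     * @throws DccTicketingJwtException with
     *         JWT_VER_EMPTY_JWKS if {@code jwkSet} is empty,
     *         JWT_VER_ALG_NOT_SUPPORTED if the token cannot be parsed or its algorithm is not
     *         ES256, PS256 or RS256,
     *         JWT_VER_NO_KID if the header has no kid,
     *         JWT_VER_NO_JWK_FOR_KID if no JWK has the header kid,
     *         JWT_VER_SIG_INVALID if none of the matching keys verifies the signature
     */
    public final void verify(String jwt, Set<DccJWK> jwkSet) throws DccTicketingJwtException {
        Intrinsics.checkNotNullParameter(jwt, "jwt");
        Intrinsics.checkNotNullParameter(jwkSet, "jwkSet");
        if (jwkSet.isEmpty()) {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_EMPTY_JWKS, null, 2, null);
        }

        // Only parsing is wrapped in the catch-all. Previously the handler enclosed the whole
        // method, so JWT_VER_NO_KID, JWT_VER_NO_JWK_FOR_KID and JWT_VER_SIG_INVALID were all
        // caught again and reported as JWT_VER_ALG_NOT_SUPPORTED.
        SignedJWT signedJWT;
        try {
            Base64URL[] split = JOSEObject.split(jwt);
            if (split.length != 3) {
                throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
            }
            signedJWT = new SignedJWT(split[0], split[1], split[2]);
        } catch (Exception e2) {
            // The raw token is deliberately not written to the log: it is a credential.
            Timber.Forest.e("Can't parse JWT token", e2);
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_ALG_NOT_SUPPORTED, null, 2, null);
        }

        // Reject every algorithm outside the fixed asymmetric set before touching any key.
        List<?> supportedAlgorithms = CollectionsKt__CollectionsKt.listOf((Object[]) new JWSAlgorithm[]{JWSAlgorithm.ES256, JWSAlgorithm.PS256, JWSAlgorithm.RS256});
        JWSHeader jWSHeader = signedJWT.header;
        if (!supportedAlgorithms.contains((JWSAlgorithm) jWSHeader.alg)) {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_ALG_NOT_SUPPORTED, null, 2, null);
        }

        String kid = jWSHeader.kid;
        if (kid == null || kid.length() == 0) {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_NO_KID, null, 2, null);
        }

        List<DccJWK> candidates = new ArrayList<>();
        for (DccJWK jwk : jwkSet) {
            if (Intrinsics.areEqual(jwk.getKid(), kid)) {
                candidates.add(jwk);
            }
        }
        if (candidates.isEmpty()) {
            throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_NO_JWK_FOR_KID, null, 2, null);
        }

        for (DccJWK dccJWK : candidates) {
            try {
                // Only the first x5c entry is used as the verification key.
                ByteString decodeBase64 = ByteString.Companion.decodeBase64((String) CollectionsKt___CollectionsKt.first((List) dccJWK.getX5c()));
                X509Certificate x509Certificate = X509CertUtils.parseWithException(decodeBase64 != null ? decodeBase64.toByteArray() : null);
                if (x509Certificate == null) {
                    // Report the real reason instead of a NullPointerException on getPublicKey().
                    throw new CertificateException("First x5c entry is not a parseable X.509 certificate");
                }
                PublicKey publicKey = x509Certificate.getPublicKey();
                Intrinsics.checkNotNullExpressionValue(publicKey, "publicKey");
                verify(signedJWT, publicKey);
                return;
            } catch (Exception e) {
                // Best effort per key: a bad certificate, a key of the wrong family or a
                // signature mismatch only disqualifies this key, the next one is tried.
                Timber.Forest.w(PathParser$$ExternalSyntheticOutline0.m("JWT with matching kid ", dccJWK.getKid(), " was not verified"), e);
            }
        }
        throw new DccTicketingJwtException(DccTicketingJwtException.ErrorCode.JWT_VER_SIG_INVALID, null, 2, null);
    }
}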
