package de.rki.coronawarnapp.dccticketing.core.check;

import de.rki.coronawarnapp.bugreporting.debuglog.upload.history.storage.UploadHistoryStorageKt$$ExternalSyntheticOutline0;
import de.rki.coronawarnapp.dccticketing.core.allowlist.data.DccTicketingValidationServiceAllowListEntry;
import de.rki.coronawarnapp.dccticketing.core.check.DccTicketingServerCertificateCheckException;
import de.rki.coronawarnapp.dccticketing.core.common.DccJWKConverter;
import de.rki.coronawarnapp.dccticketing.core.transaction.DccJWK;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import kotlin.Metadata;
import kotlin.NoWhenBranchMatchedException;
import kotlin.Pair;
import kotlin.collections.CollectionsKt__IteratorsJVMKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.collections.EmptyList;
import kotlin.collections.MapsKt___MapsJvmKt;
import kotlin.jvm.internal.Intrinsics;
import okhttp3.Handshake;
import okhttp3.Response;
import okio.ByteString;
import timber.log.Timber;

/* compiled from: DccTicketingServerCertificateChecker.kt */
@Metadata(d1 = {"\u0000B\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\"\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\b\u0007\u0018\u0000 \u00192\u00020\u0001:\u0001\u0019B\u000f\b\u0007\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\"\u0010\n\u001a\u00020\u000b2\f\u0010\f\u001a\b\u0012\u0004\u0012\u00020\u000e0\r2\f\u0010\u000f\u001a\b\u0012\u0004\u0012\u00020\u00110\u0010J\u001c\u0010\n\u001a\u00020\u000b2\u0006\u0010\u0012\u001a\u00020\u00072\f\u0010\u000f\u001a\b\u0012\u0004\u0012\u00020\u00110\u0010J*\u0010\u0013\u001a\u00020\u000b2\u0006\u0010\u0005\u001a\u00020\u00062\f\u0010\f\u001a\b\u0012\u0004\u0012\u00020\u000e0\r2\f\u0010\u0014\u001a\b\u0012\u0004\u0012\u00020\u00150\u0010J\u001c\u0010\u0013\u001a\u00020\u000b2\u0006\u0010\u0012\u001a\u00020\u00072\f\u0010\u0014\u001a\b\u0012\u0004\u0012\u00020\u00150\u0010J\f\u0010\u0016\u001a\u00020\u0006*\u00020\u000eH\u0002J \u0010\u0017\u001a\b\u0012\u0004\u0012\u00020\u00110\u0010*\b\u0012\u0004\u0012\u00020\u00110\u00102\u0006\u0010\u0018\u001a\u00020\u0006H\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000R\u0018\u0010\u0005\u001a\u00020\u0006*\u00020\u00078BX\u0082\u0004¢\u0006\u0006\u001a\u0004\b\b\u0010\t¨\u0006\u001a"}, d2 = {"Lde/rki/coronawarnapp/dccticketing/core/check/DccTicketingServerCertificateChecker;", "", "dccJWKConverter", "Lde/rki/coronawarnapp/dccticketing/core/common/DccJWKConverter;", "(Lde/rki/coronawarnapp/dccticketing/core/common/DccJWKConverter;)V", "hostname", "", "Lokhttp3/Response;", "getHostname", "(Lokhttp3/Response;)Ljava/lang/String;", "checkCertificate", "", "certificateChain", "", "Ljava/security/cert/Certificate;", "jwkSet", "", "Lde/rki/coronawarnapp/dccticketing/core/transaction/DccJWK;", "response", 
"checkCertificateAgainstAllowlist", "allowlist", "Lde/rki/coronawarnapp/dccticketing/core/allowlist/data/DccTicketingValidationServiceAllowListEntry;", "createKid", "findRequiredJwkSet", "requiredKid", "Companion", "Corona-Warn-App_deviceRelease"}, k = 1, mv = {1, 7, 1}, xi = 48)
/* loaded from: classes.dex */
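/**
 * Certificate pinning checks for DCC ticketing servers.
 *
 * <p>Two independent pin sources are supported: a set of {@link DccJWK} entries and a
 * validation-service allowlist of (fingerprint, hostname) pairs. Both checks look only at the
 * first certificate of the presented chain and compare its fingerprint, as computed by
 * {@code DccTicketingServerCertificateCheckerKt.createSha256Fingerprint}, against the pins.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Nothing in this class validates the chain itself (signatures, validity period, hostname
 *       in the certificate). NOTE(review): presumably the TLS stack has already done that;
 *       confirm at the call sites.</li>
 *   <li>The {@link Response} overloads run on a response that has already been received, so the
 *       request has already been sent to the peer by the time a mismatch is detected.
 *       NOTE(review): confirm callers do not put sensitive data into the request that precedes
 *       this check.</li>
 *   <li>Every unexpected failure, including an empty chain, is reported as
 *       {@code CERT_PIN_MISMATCH}, so the checks fail closed.</li>
 * </ul>
 */
public final class DccTicketingServerCertificateChecker {
    private static final String TAG = UploadHistoryStorageKt$$ExternalSyntheticOutline0.m(DccTicketingServerCertificateChecker.class);
    private final DccJWKConverter dccJWKConverter;

    /**
     * @param dccJWKConverter converter used to turn a {@link DccJWK} into an X.509 certificate;
     *     must not be null
     */
    public DccTicketingServerCertificateChecker(DccJWKConverter dccJWKConverter) {
        Intrinsics.checkNotNullParameter(dccJWKConverter, "dccJWKConverter");
        this.dccJWKConverter = dccJWKConverter;
    }

    /**
     * Derives the key id of a certificate: the first 8 bytes of its fingerprint, base64 encoded.
     *
     * <p>The kid is only a lookup key for selecting candidate JWKs. It is a truncated hash and
     * is never the pin decision itself; the full fingerprint is compared afterwards.
     */
    private final String createKid(Certificate certificate) {
        return DccTicketingServerCertificateCheckerKt.createSha256Fingerprint(certificate).substring(0, 8).base64();
    }

    /**
     * Selects the JWKs whose kid equals {@code str}.
     *
     * @param set candidate JWKs
     * @param str the required kid
     * @return the non-empty set of JWKs carrying the required kid
     * @throws DccTicketingServerCertificateCheckException with {@code CERT_PIN_NO_JWK_FOR_KID}
     *     when no JWK carries the required kid
     */
    private final Set<DccJWK> findRequiredJwkSet(Set<DccJWK> set, String str) {
        Timber.Forest log = Timber.Forest;
        log.tag(TAG);
        log.d("findRequiredJwkSet(requiredKid=%s)", str);
        List<DccJWK> matching = new ArrayList<>();
        for (DccJWK jwk : set) {
            if (Intrinsics.areEqual(jwk.getKid(), str)) {
                matching.add(jwk);
            }
        }
        Set<DccJWK> result = CollectionsKt___CollectionsKt.toSet(matching);
        if (!result.isEmpty()) {
            return result;
        }
        log.tag(TAG);
        log.d("Didn't find jwk for required kid, aborting", new Object[0]);
        throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_NO_JWK_FOR_KID, null, 2, null);
    }

    /** Returns the host of the URL the response's request was sent to. */
    private final String getHostname(Response response) {
        return response.request.url.host;
    }

    /**
     * Checks the first certificate of {@code certificateChain} against the pinned JWKs.
     *
     * <p>The certificate's kid selects the candidate JWKs; each candidate is converted to an
     * X.509 certificate and the check passes only when one of them has the same full
     * fingerprint as the presented certificate. All candidates are converted before the
     * decision is taken, so a candidate that cannot be converted fails the whole check.
     *
     * @param certificateChain chain presented by the server; only its first element is checked
     * @param jwkSet pinned keys
     * @throws DccTicketingServerCertificateCheckException {@code CERT_PIN_NO_JWK_FOR_KID} when
     *     no JWK has the required kid; {@code CERT_PIN_MISMATCH} when no candidate matches or
     *     when any other error occurs (including an empty chain)
     */
    public final void checkCertificate(List<? extends Certificate> certificateChain, Set<DccJWK> jwkSet) throws DccTicketingServerCertificateCheckException {
        Intrinsics.checkNotNullParameter(certificateChain, "certificateChain");
        Intrinsics.checkNotNullParameter(jwkSet, "jwkSet");
        try {
            Timber.Forest log = Timber.Forest;
            log.tag(TAG);
            log.d("checkCertificate(certificateChain=%s, jwkSet=%s)", certificateChain, jwkSet);
            // first() throws on an empty chain; the generic handler below turns that into
            // CERT_PIN_MISMATCH, so a missing handshake can never pass the check.
            Certificate leafCertificate = CollectionsKt___CollectionsKt.first(certificateChain);
            String requiredKid = createKid(leafCertificate);
            log.tag(TAG);
            log.d("requiredKid=%s", requiredKid);
            List<ByteString> pinnedFingerprints = new ArrayList<>();
            for (DccJWK jwk : findRequiredJwkSet(jwkSet, requiredKid)) {
                X509Certificate pinnedCertificate = this.dccJWKConverter.createX509Certificate(jwk);
                pinnedFingerprints.add(DccTicketingServerCertificateCheckerKt.createSha256Fingerprint(pinnedCertificate));
            }
            // The kid is a truncated hash, so the decision is taken on the full fingerprint.
            if (!pinnedFingerprints.contains(DccTicketingServerCertificateCheckerKt.createSha256Fingerprint(leafCertificate))) {
                throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_MISMATCH, null, 2, null);
            }
            log.tag(TAG);
            log.d("Certificate check was successful against jwk set=%s", jwkSet);
        } catch (DccTicketingServerCertificateCheckException e) {
            // Already carries the precise error code; pass it through unchanged.
            throw e;
        } catch (Exception e) {
            Timber.Forest log = Timber.Forest;
            log.tag(TAG);
            log.w(e, "Certificate check failed with an unspecified error. Needs further investigation!", new Object[0]);
            throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_MISMATCH, e);
        }
    }

    /**
     * Checks the peer certificates recorded in the response's TLS handshake against the pinned
     * JWKs. A response without a handshake is treated as an empty chain and therefore fails.
     *
     * @param response the received response
     * @param jwkSet pinned keys
     * @throws DccTicketingServerCertificateCheckException see
     *     {@link #checkCertificate(List, Set)}
     */
    public final void checkCertificate(Response response, Set<DccJWK> jwkSet) throws DccTicketingServerCertificateCheckException {
        Intrinsics.checkNotNullParameter(response, "response");
        Intrinsics.checkNotNullParameter(jwkSet, "jwkSet");
        Handshake handshake = response.handshake;
        List<Certificate> peerCertificates = handshake != null ? handshake.peerCertificates() : null;
        if (peerCertificates == null) {
            peerCertificates = EmptyList.INSTANCE;
        }
        checkCertificate(peerCertificates, jwkSet);
    }

    /**
     * Checks the first certificate of {@code certificateChain} and the contacted hostname
     * against the validation-service allowlist.
     *
     * <p>The check passes only when an allowlist entry carries both the certificate's
     * fingerprint and {@code hostname}. Entries are compared one by one: building a
     * fingerprint-to-hostname map first would keep a single hostname per fingerprint, so a
     * certificate allowlisted for several hosts would be rejected for all but one of them,
     * depending on the iteration order of the set.
     *
     * <p>The hostname comparison is an exact string comparison. NOTE(review): confirm that
     * allowlist hostnames are stored in the same canonical form as the request URL host.
     *
     * @param hostname host the request was sent to
     * @param certificateChain chain presented by the server; only its first element is checked
     * @param allowlist pinned (fingerprint, hostname) entries
     * @throws DccTicketingServerCertificateCheckException {@code CERT_PIN_MISMATCH} when no
     *     entry has the certificate's fingerprint or when any other error occurs (including an
     *     empty chain); {@code CERT_PIN_HOST_MISMATCH} when the fingerprint is allowlisted but
     *     not for {@code hostname}
     */
    public final void checkCertificateAgainstAllowlist(String hostname, List<? extends Certificate> certificateChain, Set<DccTicketingValidationServiceAllowListEntry> allowlist) throws DccTicketingServerCertificateCheckException {
        Intrinsics.checkNotNullParameter(hostname, "hostname");
        Intrinsics.checkNotNullParameter(certificateChain, "certificateChain");
        Intrinsics.checkNotNullParameter(allowlist, "allowlist");
        try {
            Timber.Forest log = Timber.Forest;
            log.tag(TAG);
            log.d("checkCertificate(hostname=%s, certificateChain=%s, allowList=%s)", hostname, certificateChain, allowlist);
            // first() throws on an empty chain; the generic handler below turns that into
            // CERT_PIN_MISMATCH, so a missing handshake can never pass the check.
            Certificate leafCertificate = CollectionsKt___CollectionsKt.first(certificateChain);
            ByteString leafFingerprint = DccTicketingServerCertificateCheckerKt.createSha256Fingerprint(leafCertificate);
            boolean fingerprintAllowed = false;
            boolean hostnameAllowed = false;
            for (DccTicketingValidationServiceAllowListEntry entry : allowlist) {
                if (!Intrinsics.areEqual(entry.getFingerprint256(), leafFingerprint)) {
                    continue;
                }
                fingerprintAllowed = true;
                if (Intrinsics.areEqual(entry.getHostname(), hostname)) {
                    hostnameAllowed = true;
                    break;
                }
            }
            if (!fingerprintAllowed) {
                throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_MISMATCH, null, 2, null);
            }
            if (!hostnameAllowed) {
                throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_HOST_MISMATCH, null, 2, null);
            }
            log.tag(TAG);
            log.d("Certificate check was successful against allowlist=%s", allowlist);
        } catch (DccTicketingServerCertificateCheckException e) {
            // Already carries the precise error code; pass it through unchanged.
            throw e;
        } catch (Exception e) {
            Timber.Forest log = Timber.Forest;
            log.tag(TAG);
            log.w(e, "Certificate check failed with an unspecified error. Needs further investigation!", new Object[0]);
            throw new DccTicketingServerCertificateCheckException(DccTicketingServerCertificateCheckException.ErrorCode.CERT_PIN_MISMATCH, e);
        }
    }

    /**
     * Checks the peer certificates recorded in the response's TLS handshake, together with the
     * host of the request URL, against the allowlist. A response without a handshake is treated
     * as an empty chain and therefore fails.
     *
     * @param response the received response
     * @param allowlist pinned (fingerprint, hostname) entries
     * @throws DccTicketingServerCertificateCheckException see
     *     {@link #checkCertificateAgainstAllowlist(String, List, Set)}
     */
    public final void checkCertificateAgainstAllowlist(Response response, Set<DccTicketingValidationServiceAllowListEntry> allowlist) throws DccTicketingServerCertificateCheckException {
        Intrinsics.checkNotNullParameter(response, "response");
        Intrinsics.checkNotNullParameter(allowlist, "allowlist");
        String hostname = getHostname(response);
        Handshake handshake = response.handshake;
        List<Certificate> peerCertificates = handshake != null ? handshake.peerCertificates() : null;
        if (peerCertificates == null) {
            peerCertificates = EmptyList.INSTANCE;
        }
        checkCertificateAgainstAllowlist(hostname, peerCertificates, allowlist);
    }
}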
