package com.gallagher.nzcovidpass;

import com.gallagher.nzcovidpass.Cbor;
import com.gallagher.nzcovidpass.CwtSecurityTokenValidationError;
import com.gallagher.nzcovidpass.DID;
import com.gallagher.nzcovidpass.PassVerifier;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.ECPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import kotlin.jvm.internal.ByteCompanionObject;
import org.json.JSONException;

/* loaded from: classes.dex */
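/**
 * Validates an NZ COVID Pass CWT carried in a COSE_Sign1 envelope: header and
 * claim sanity checks, validity window, ES256 signature against the issuer's
 * published P-256 key, and the shape of the embedded Verifiable Credential.
 *
 * Trust boundary: every byte of the token is attacker-controlled until
 * {@link #validateSignature} succeeds. The issuer is matched against the
 * configured allow-list before its DID document is consulted, so key lookup
 * is never driven by an arbitrary issuer string from the payload.
 *
 * Decompiled listing (classes.dex); names of collaborators ({@code Base64},
 * {@code WellKnownIssuers}, {@code Cbor}, ...) are project classes.
 */
public class CwtSecurityTokenValidator {
    /**
     * DER SubjectPublicKeyInfo prefix for an uncompressed P-256 point
     * (id-ecPublicKey + prime256v1 + BIT STRING header + 0x04). Appending
     * the 32-byte x and y coordinates yields an X.509 public key encoding.
     */
    private static final byte[] P256_HEAD = Base64.decode("MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE");
    /** Allow-lists (algorithms, issuers) consulted by {@link #validateToken}. */
    PassVerifier.Options _options;

    /**
     * @param options verifier options supplying the allowed algorithms and issuers
     */
    public CwtSecurityTokenValidator(PassVerifier.Options options) {
        this._options = options;
    }

    /**
     * Converts a COSE raw ECDSA signature (r || s, 32 bytes each) into the
     * DER {@code SEQUENCE { INTEGER r, INTEGER s }} form the JCA verifier expects.
     *
     * @param raw the 64-byte raw signature from the token
     * @return the DER encoding, or an empty array when the input is missing or
     *         not exactly 64 bytes (the verifier then rejects it)
     */
    private static byte[] convertRawSignatureIntoAsn1(byte[] raw) {
        if (raw == null || raw.length != 64) {
            return new byte[0];
        }
        byte[] r = encodeIntegerToAsn1(raw, 0, 32);
        byte[] s = encodeIntegerToAsn1(raw, 32, 32);
        // Each INTEGER is at most 35 bytes (2-byte header + optional 0x00 pad + 32),
        // so the SEQUENCE payload is < 128 bytes and the short-form length octet
        // is always sufficient.
        byte[] der = new byte[2 + r.length + s.length];
        der[0] = 0x30;
        der[1] = (byte) (r.length + s.length);
        System.arraycopy(r, 0, der, 2, r.length);
        System.arraycopy(s, 0, der, 2 + r.length, s.length);
        return der;
    }

    /**
     * DER-encodes the unsigned big-endian integer found at {@code raw[offset, offset+length)}
     * as a minimal, positive INTEGER: leading zero octets are stripped, and a
     * single 0x00 pad is prepended when the top bit is set so the value is not
     * read as negative.
     *
     * Fixes two issues in the original listing: (1) the high-bit test compared
     * {@code b & Byte.MIN_VALUE} (a sign-extended int, 0 or -128) against 128,
     * which can never be true, so the pad branch was unreachable as written
     * (likely a decompiler constant artifact, but the mask below is unambiguous);
     * (2) an all-zero value was stripped to nothing and the recursion walked into
     * the neighbouring value with a negative length, so a crafted signature with
     * r = 0 and s starting with 0x00 crashed the verifier with an unchecked
     * exception instead of failing verification. At least one octet is now
     * always kept, so zero encodes as {@code 02 01 00}.
     *
     * @return the DER INTEGER, or an empty array when the range is invalid
     */
    private static byte[] encodeIntegerToAsn1(byte[] raw, int offset, int length) {
        if (raw == null || length <= 0 || offset < 0 || raw.length < offset + length) {
            return new byte[0];
        }
        int start = offset;
        int end = offset + length;
        // Strip leading zeros but never the last octet; stay inside this value.
        while (start < end - 1 && raw[start] == 0) {
            start++;
        }
        int n = end - start;
        boolean pad = (raw[start] & 0x80) != 0;
        byte[] out = new byte[n + 2 + (pad ? 1 : 0)];
        out[0] = 0x02;
        out[1] = (byte) (n + (pad ? 1 : 0));
        int dst = 2;
        if (pad) {
            out[dst++] = 0;
        }
        System.arraycopy(raw, start, out, dst, n);
        return out;
    }

    /**
     * Builds a P-256 {@link ECPublicKey} from raw JWK coordinates by prepending
     * the fixed SPKI header and handing the result to the JCA EC KeyFactory.
     * Point validation (on-curve check) is whatever the installed provider does
     * for an X.509-encoded key; this method adds only the length checks.
     *
     * @param bArr  32-byte big-endian x coordinate
     * @param bArr2 32-byte big-endian y coordinate
     * @throws InvalidKeySpecException if a coordinate is missing or not 32 bytes,
     *         or the provider rejects the encoded point
     * @throws IllegalStateException if no EC KeyFactory is available at runtime
     */
    public static ECPublicKey loadP256PublicKey(byte[] bArr, byte[] bArr2) throws InvalidKeySpecException {
        if (bArr == null || bArr2 == null || bArr.length != 32 || bArr2.length != 32) {
            throw new InvalidKeySpecException("x and y must both be 32 bytes");
        }
        byte[] head = P256_HEAD;
        byte[] spki = new byte[head.length + 64];
        System.arraycopy(head, 0, spki, 0, head.length);
        System.arraycopy(bArr, 0, spki, head.length, 32);
        System.arraycopy(bArr2, 0, spki, head.length + 32, 32);
        try {
            return (ECPublicKey) KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(spki));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("EC key factory not present in runtime");
        }
    }

    /**
     * Lower-case hex rendering of a byte array. Not referenced elsewhere in this
     * class; kept for callers/debugging.
     */
    private static String toHexString(byte[] bArr) {
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            sb.append(String.format("%02x", Byte.valueOf(b)));
        }
        return sb.toString();
    }

    /**
     * Verifies the COSE_Sign1 signature over the token with the issuer's published key.
     *
     * The key is selected by (issuer, kid) from {@code WellKnownIssuers} and must be
     * an EC / P-256 JWK; the algorithm is pinned to ES256 here regardless of the
     * options allow-list, so a header-supplied {@code alg} cannot steer verification
     * onto a different key type (algorithm confusion).
     *
     * @param cwtSecurityToken decoded token (header, payload, raw signature bytes)
     * @param str the header algorithm, already filtered by the caller's allow-list
     * @throws CwtSecurityTokenValidationError.InvalidKeyParameters if the algorithm is
     *         not ES256, or the JWK coordinates cannot be decoded into a valid key
     * @throws CwtSecurityTokenValidationError.InvalidIssuer if no DID document is known
     *         for the issuer (a malformed document counts as unknown)
     * @throws CwtSecurityTokenValidationError.UnsupportedVerificationKeyType if the
     *         referenced verification method is absent or not EC / P-256
     * @throws CwtSecurityTokenValidationError.InvalidSignature if verification fails
     */
    private void validateSignature(CwtSecurityToken cwtSecurityToken, String str) throws CwtSecurityTokenValidationError {
        String issuer = cwtSecurityToken.getPayload().getIssuer();
        if (issuer == null) {
            issuer = "";
        }
        String keyId = cwtSecurityToken.getHeader().getKeyId();
        if (keyId == null) {
            keyId = "";
        }
        if (!SecurityAlgorithms.ECDSA_SHA_256.equals(str)) {
            throw new CwtSecurityTokenValidationError.InvalidKeyParameters();
        }
        DID.Document document;
        try {
            document = WellKnownIssuers.find(issuer, keyId);
        } catch (JSONException ignored) {
            // A DID document that does not parse is treated like an unknown issuer.
            document = null;
        }
        if (document == null) {
            throw new CwtSecurityTokenValidationError.InvalidIssuer();
        }
        String methodId = issuer + "#" + keyId;
        DID.VerificationMethod verificationMethod = null;
        for (DID.VerificationMethod candidate : document.getVerificationMethods()) {
            DID.JsonWebKey jwk = candidate.getPublicKeyJwk();
            if (methodId.equals(candidate.getId())
                    && jwk != null
                    && "P-256".equals(jwk.getCrv())
                    && "EC".equals(jwk.getKty())) {
                verificationMethod = candidate;
                break;
            }
        }
        if (verificationMethod == null) {
            throw new CwtSecurityTokenValidationError.UnsupportedVerificationKeyType();
        }
        DID.JsonWebKey publicKeyJwk = verificationMethod.getPublicKeyJwk();
        String x = publicKeyJwk.getX() == null ? "" : publicKeyJwk.getX();
        String y = publicKeyJwk.getY() == null ? "" : publicKeyJwk.getY();
        try {
            ECPublicKey publicKey = loadP256PublicKey(Base64.decode(x), Base64.decode(y));
            // COSE Sig_structure for Sign1: ["Signature1", protected header, external_aad (empty), payload].
            Cbor.Writer writer = new Cbor.Writer();
            writer.write(Cbor.value((List<Cbor.Value>) Arrays.asList(
                    Cbor.value("Signature1"),
                    Cbor.value(cwtSecurityToken.getHeader().getData()),
                    Cbor.value(new byte[0]),
                    Cbor.value(cwtSecurityToken.getPayload().getData()))));
            if (!verifyECDSASignature(cwtSecurityToken.getSignature(), writer.getBuffer(), publicKey)) {
                throw new CwtSecurityTokenValidationError.InvalidSignature();
            }
        } catch (IllegalArgumentException | InvalidKeySpecException e) {
            // Undecodable base64 or a coordinate the provider rejects: bad key material.
            throw new CwtSecurityTokenValidationError.InvalidKeyParameters();
        }
    }

    /**
     * Verifies a raw (r || s) ECDSA P-256 / SHA-256 signature over {@code data}.
     * Every failure mode (wrong length, malformed encoding, provider error) is a
     * plain {@code false}; no exception escapes, so the caller maps all of them
     * to a single InvalidSignature outcome.
     */
    private static boolean verifyECDSASignature(byte[] rawSignature, byte[] data, PublicKey publicKey) {
        byte[] der = convertRawSignatureIntoAsn1(rawSignature);
        if (der.length == 0) {
            return false;
        }
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(publicKey);
            verifier.update(data);
            return verifier.verify(der);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException ignored) {
            return false;
        }
    }

    /**
     * Runs the full validation pipeline on a decoded token. Cheap structural checks
     * come first (kid, alg allow-list, jti, issuer allow-list, validity window),
     * then the signature, and only then is the credential body inspected. Each
     * failure maps to a distinct {@link CwtSecurityTokenValidationError} subtype.
     *
     * @param cwtSecurityToken decoded token
     * @param date the instant to validate against; {@code null} means "now"
     * @throws CwtSecurityTokenValidationError on the first failing check
     */
    public void validateToken(CwtSecurityToken cwtSecurityToken, Date date) throws CwtSecurityTokenValidationError {
        String keyId = cwtSecurityToken.getHeader().getKeyId();
        if (keyId == null || keyId.isEmpty()) {
            throw new CwtSecurityTokenValidationError.InvalidKeyId();
        }
        // The algorithm must be on the configured allow-list; validateSignature
        // additionally pins it to ES256, so "none" or alg swapping never reaches the verifier.
        String algorithm = cwtSecurityToken.getHeader().getAlgorithm();
        if (algorithm == null || !this._options.getValidAlgorithms().contains(algorithm)) {
            throw new CwtSecurityTokenValidationError.UnsupportedAlgorithm();
        }
        String jti = cwtSecurityToken.getPayload().getJti();
        if (jti == null || jti.isEmpty()) {
            throw new CwtSecurityTokenValidationError.InvalidTokenId();
        }
        // The issuer allow-list is the trust anchor: only these DIDs are ever resolved
        // for keys, so a token cannot point the verifier at an attacker's document.
        String issuer = cwtSecurityToken.getPayload().getIssuer();
        if (issuer == null || !this._options.getValidIssuers().contains(issuer)) {
            throw new CwtSecurityTokenValidationError.InvalidIssuer();
        }
        Date now = date == null ? new Date() : date;
        Date notBefore = cwtSecurityToken.getPayload().getNotBefore();
        if (notBefore == null) {
            notBefore = new Date(0L);
        }
        Date expiry = cwtSecurityToken.getPayload().getExpiry();
        if (expiry == null) {
            // NOTE(review): Date(long) takes milliseconds, so this sentinel is in
            // February 1970, not the far-future date the number suggests (it looks
            // like a seconds timestamp around the year 2100). Net effect: a token
            // with no exp claim is always reported Expired, which is fail-closed.
            // Confirm that is the intended policy before changing the constant.
            expiry = new Date(4133933999L);
        }
        if (notBefore.after(now)) {
            throw new CwtSecurityTokenValidationError.NotYetValid();
        }
        if (expiry.before(now)) {
            throw new CwtSecurityTokenValidationError.Expired();
        }
        validateSignature(cwtSecurityToken, algorithm);
        // Only after the signature checks out is the credential body worth inspecting.
        VerifiableCredential credential = cwtSecurityToken.getPayload().getCredential();
        if (credential == null) {
            throw new CwtSecurityTokenValidationError.MissingCredential();
        }
        // Null guards so a signed-but-malformed payload produces a validation
        // error rather than a NullPointerException out of the verifier.
        if (credential.getCredentialSubject() == null || credential.getContext() == null) {
            throw new CwtSecurityTokenValidationError.InvalidCredentialContext();
        }
        if (!credential.getContext().contains(VerifiableCredential.BASE_CONTEXT)
                || !credential.getContext().contains(credential.getCredentialSubject().getContext())) {
            throw new CwtSecurityTokenValidationError.InvalidCredentialContext();
        }
        if (credential.getType() == null
                || !credential.getType().contains(VerifiableCredential.BASE_CREDENTIAL_TYPE)
                || !credential.getType().contains(credential.getCredentialSubject().getType())) {
            throw new CwtSecurityTokenValidationError.InvalidCredentialType();
        }
    }
}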
