package com.squareup.cash.e2ee.trifle;

import app.cash.trifle.Certificate;
import app.cash.trifle.KeyHandle;
import app.cash.trifle.SignedData$EnvelopedData;
import app.cash.trifle.TrifleErrors;
import app.cash.trifle.extensions.CertificateExtensions;
import app.cash.trifle.protos.api.alpha.SignedData;
import app.cash.trifle.providers.jca.JCAContentVerifierProvider;
import app.cash.trifle.signers.Buffer;
import app.cash.trifle.signers.jca.JCAContentSigner;
import app.cash.trifle.validators.CertChainValidator$X509CertChainValidator;
import com.fillr.v1;
import com.fillr.x0;
import com.google.android.gms.safetynet.SafetyNet;
import com.squareup.cash.e2ee.signature.Signature;
import com.squareup.wire.ProtoAdapter;
import java.io.OutputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import kotlin.Result;
import kotlin.ResultKt;
import kotlin.Unit;
import kotlin.collections.CollectionsKt__IterablesKt;
import kotlin.collections.CollectionsKt___CollectionsKt;
import kotlin.io.CloseableKt;
import kotlin.jvm.internal.Intrinsics;
import okhttp3.HttpUrl;
import okio.ByteString;
import org.bouncycastle.operator.ContentVerifier;

/* loaded from: classes7.dex */
/**
 * Service wrapper around the Trifle signing library, as recovered by a decompiler.
 *
 * <p>Three operations are visible: deleting a key-store entry ({@link #delete}), signing a
 * payload and packaging it with its certificate chain ({@link #signData}), and validating a
 * certificate chain ({@link #m2681verifyCertsIoAF18A}).
 *
 * <p>Reading notes for this listing:
 * <ul>
 *   <li>{@code v1}, {@code x0}, {@code SafetyNet.toKeyHandle}/{@code mapToTrifleCertificates} and
 *       {@code HttpUrl.Companion.of$default} are the names the decompiler printed. They look like
 *       obfuscation or mis-resolved symbols, not the real Google SafetyNet or OkHttp APIs; verify
 *       against the original Kotlin source before relying on them.</li>
 *   <li>Repeated {@code Intrinsics.checkNotNull*} calls are Kotlin-generated null checks.</li>
 *   <li>In both chain checks the trust anchor is the last element of the chain being checked, so
 *       the result shows internal consistency of that chain only. Trust in the root has to be
 *       established by whoever consumes the output; no pinned anchor is visible in this class.</li>
 * </ul>
 */
public final class RealTrifleService {
    // Obfuscated library entry point, built from the string "com.squareup.cash.sign" and the int 1.
    // NOTE(review): presumably a reverse-domain identifier / key-tag namespace; the constructor is
    // not shown, so confirm what the two arguments mean.
    public final v1 trifle = new v1("com.squareup.cash.sign", 1);

    /**
     * Removes the key-store entry whose alias is the tag of the key handle decoded from
     * {@code key}. Does nothing when no entry with that alias exists.
     *
     * <p>Exceptions raised by the key-store calls are not caught here and reach the caller.
     *
     * @param key serialized key handle; must not be null
     */
    public final void delete(byte[] key) {
        Intrinsics.checkNotNullParameter(key, "key");
        v1 v1Var = this.trifle;
        KeyHandle keyHandle = SafetyNet.toKeyHandle(key);
        // Result discarded: getClass() serves only as a null check on the receiver, which is not
        // used again in this method.
        v1Var.getClass();
        Intrinsics.checkNotNullParameter(keyHandle, "keyHandle");
        // Unused local left behind by the decompiler; keyStore2 below is the one actually used.
        KeyStore keyStore = KeyHandle.KEY_STORE;
        // NOTE(review): the alias comes entirely from the caller-supplied bytes. Whether
        // toKeyHandle restricts it to this app's own Trifle keys is not visible here - confirm,
        // since any matching alias in KEY_STORE is deleted.
        String tag = keyHandle.tag;
        Intrinsics.checkNotNullParameter(tag, "tag");
        Intrinsics.checkNotNullParameter(tag, "tag");
        KeyStore keyStore2 = KeyHandle.KEY_STORE;
        if (keyStore2.containsAlias(tag)) {
            keyStore2.deleteEntry(tag);
        }
    }

    /**
     * Signs {@code data} with the key pair referenced by {@code signature.key}, checks the result
     * against the supplied certificate chain, and returns the encoded {@code SignedData} message
     * (certificates, serialized envelope, signature).
     *
     * <p>Before returning, the method verifies its own output: the chain is validated with its
     * last certificate as anchor, and the fresh signature is verified with the first certificate.
     * This catches a key/certificate mismatch on the signing side. It does not prove that the
     * chain leads to a trusted root, because the anchor is taken from the chain itself.
     *
     * @param data payload to sign; must not be null
     * @param signature holder of the serialized key handle ({@code key}) and certificates
     *     ({@code certs}); must not be null
     * @return the encoded {@code SignedData} protobuf bytes
     * @throws IllegalStateException if the certificate list is empty
     * @throws UnsupportedOperationException if the last certificate's version is not 0
     */
    public final byte[] signData(byte[] data, Signature signature) {
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(signature, "signature");
        v1 v1Var = this.trifle;
        KeyHandle keyHandle = SafetyNet.toKeyHandle(signature.key);
        ArrayList certificates = SafetyNet.mapToTrifleCertificates(signature.certs);
        // Null check only; v1Var is not used again. The statements that follow look like library
        // code inlined into this method (TODO confirm against the Trifle sources).
        v1Var.getClass();
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(keyHandle, "keyHandle");
        Intrinsics.checkNotNullParameter(certificates, "certificates");
        // The key pair is read through a Kotlin property delegate on the handle.
        KeyPair keyPair = (KeyPair) keyHandle.keyPair$delegate.getValue();
        Intrinsics.checkNotNullParameter(keyPair, "keyPair");
        // x0 is an obfuscated holder; its field `a` is cast back to JCAContentSigner at each use.
        x0 x0Var = new x0(new JCAContentSigner(keyPair));
        Intrinsics.checkNotNullParameter(data, "data");
        Intrinsics.checkNotNullParameter(certificates, "certificates");
        // Double negation from the decompiler: rejects an empty certificate list.
        if (!(!certificates.isEmpty())) {
            throw new IllegalStateException("Certificates should not be empty.".toString());
        }
        // The envelope carries the signer's algorithm identifier together with the payload, so the
        // algorithm is part of what gets signed.
        SignedData$EnvelopedData envelopedData = new SignedData$EnvelopedData(((JCAContentSigner) x0Var.a).getAlgorithmIdentifier(), data);
        Buffer buffer = ((JCAContentSigner) x0Var.a).outputStream;
        try {
            // Feed the serialized envelope to the signer, take the signature, then close the buffer.
            buffer.write(envelopedData.serialize());
            byte[] signature2 = ((JCAContentSigner) x0Var.a).getSignature();
            CloseableKt.closeFinally(buffer, null);
            Intrinsics.checkNotNullExpressionValue(signature2, "signature");
            Intrinsics.checkNotNullParameter(envelopedData, "envelopedData");
            Intrinsics.checkNotNullParameter(signature2, "signature");
            Intrinsics.checkNotNullParameter(certificates, "certificates");
            // Trust anchor = last element of the caller-supplied chain (self-anchored check).
            Certificate certAnchor = (Certificate) CollectionsKt___CollectionsKt.last((List) certificates);
            Intrinsics.checkNotNullParameter(certAnchor, "certAnchor");
            Intrinsics.checkNotNullParameter(certAnchor, "certAnchor");
            // Only certificate version 0 is accepted.
            if (certAnchor.version != 0) {
                throw new UnsupportedOperationException("Unsupported version of Trifle Certificate");
            }
            // Holds a boxed kotlin.Result: a Result.Failure instance on error, a plain value on success.
            // NOTE(review): the meaning of the validator's second argument (null) is not visible here.
            Object m910validateIoAF18A = new CertChainValidator$X509CertChainValidator(certAnchor, null).m910validateIoAF18A(certificates);
            // Unused local (decompiler artifact).
            Result.Companion companion = Result.INSTANCE;
            // Signature verification runs only when chain validation did not fail.
            if (!(m910validateIoAF18A instanceof Result.Failure)) {
                try {
                    // The verifier is built from the first certificate and the envelope's declared algorithm.
                    ContentVerifier contentVerifier = new JCAContentVerifierProvider((Certificate) CollectionsKt___CollectionsKt.first((List) certificates)).get(envelopedData.signingAlgorithm);
                    OutputStream outputStream = contentVerifier.getOutputStream();
                    try {
                        outputStream.write(envelopedData.serialize());
                        Unit unit = Unit.INSTANCE;
                        CloseableKt.closeFinally(outputStream, null);
                        if (!contentVerifier.verify(signature2)) {
                            throw TrifleErrors.InvalidSignature.INSTANCE;
                        }
                        m910validateIoAF18A = Unit.INSTANCE;
                    } finally {
                        // Empty in this listing: outputStream is closed only on the success path above.
                        // Probably a Kotlin use {} block whose exceptional close the decompiler dropped - confirm.
                    }
                } catch (Throwable th) {
                    // Any throwable, InvalidSignature included, is stored as a Result failure.
                    Result.Companion companion2 = Result.INSTANCE;
                    m910validateIoAF18A = ResultKt.createFailure(th);
                }
            }
            // Rethrows a stored failure, so nothing is returned when validation or verification failed.
            ResultKt.throwOnFailure(m910validateIoAF18A);
            // Unused local (decompiler artifact).
            ByteString byteString = ByteString.EMPTY;
            // of$default wraps a byte[] in a ByteString here.
            // NOTE(review): the HttpUrl.Companion owner looks mis-resolved by the decompiler - confirm.
            ByteString of$default = HttpUrl.Companion.of$default(envelopedData.serialize());
            ByteString of$default2 = HttpUrl.Companion.of$default(signature2);
            ArrayList arrayList = new ArrayList(CollectionsKt__IterablesKt.collectionSizeOrDefault(certificates, 10));
            Iterator it = certificates.iterator();
            while (it.hasNext()) {
                Certificate certificate = (Certificate) it.next();
                ProtoAdapter protoAdapter = app.cash.trifle.protos.api.alpha.Certificate.ADAPTER;
                // Null check on the element; result discarded.
                certificate.getClass();
                // Unused local (decompiler artifact).
                ByteString byteString2 = ByteString.EMPTY;
                // Wraps the raw certificate bytes in the proto type, then encodes and decodes it again.
                // The first constructor argument is 0 - presumably the version, matching the check above (confirm).
                arrayList.add((app.cash.trifle.protos.api.alpha.Certificate) protoAdapter.decode(new app.cash.trifle.protos.api.alpha.Certificate(0, HttpUrl.Companion.of$default(certificate.certificate), ByteString.EMPTY).encode()));
            }
            return new SignedData(arrayList, of$default, of$default2, ByteString.EMPTY).encode();
        } finally {
            // Empty in this listing: the signer buffer is closed only by the explicit closeFinally call above.
            // Probably another decompiled use {} block - confirm against the original source.
        }
    }

    /**
     * Validates {@code certificateChain} with its own last certificate as the trust anchor.
     *
     * <p>Named {@code verifyCerts-IoAF18A} in the bytecode; the decompiler renamed it because
     * that is not a valid Java identifier.
     *
     * <p>The returned object is a boxed Kotlin {@code Result}: a validation failure comes back as
     * a {@code Result.Failure} instance (this is how {@link #signData} tests the same validator's
     * output) and is not thrown here. Callers must inspect the value; ignoring it silently accepts
     * an invalid chain. Success means only that the chain is consistent up to its own last
     * element. It is not evidence that the root is one the caller trusts.
     *
     * <p>Unlike {@link #signData}, there is no emptiness check before {@code last(...)}; Kotlin's
     * {@code last()} throws {@code NoSuchElementException} for an empty list.
     *
     * @param certificateChain certificates to validate; must not be null
     * @return the validator's boxed {@code Result}
     * @throws UnsupportedOperationException if the last certificate's version is not 0
     */
    public final Object m2681verifyCertsIoAF18A(List certificateChain) {
        Intrinsics.checkNotNullParameter(certificateChain, "certificateChain");
        v1 v1Var = this.trifle;
        ArrayList certificateChain2 = SafetyNet.mapToTrifleCertificates(certificateChain);
        // Null check only; v1Var is not used again.
        v1Var.getClass();
        Intrinsics.checkNotNullParameter(certificateChain2, "certificateChain");
        // Trust anchor = last element of the caller-supplied chain (self-anchored check).
        Certificate certAnchor = (Certificate) CollectionsKt___CollectionsKt.last((List) certificateChain2);
        // Unused local (decompiler artifact).
        CertificateFactory certificateFactory = CertificateExtensions.X509FACTORY;
        Intrinsics.checkNotNullParameter(certAnchor, "$this$validate");
        Intrinsics.checkNotNullParameter(certificateChain2, "certificateChain");
        Intrinsics.checkNotNullParameter(certAnchor, "certAnchor");
        // Only certificate version 0 is accepted.
        if (certAnchor.version == 0) {
            return new CertChainValidator$X509CertChainValidator(certAnchor, null).m910validateIoAF18A(certificateChain2);
        }
        throw new UnsupportedOperationException("Unsupported version of Trifle Certificate");
    }
}
