package com.theguardian.coverdrop.core.crypto;

import com.goterl.lazysodium.SodiumAndroid;
import com.theguardian.coverdrop.core.api.models.PublishedCoverNodeKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.PublishedJournalistsKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.PublishedKeyFamily;
import com.theguardian.coverdrop.core.api.models.PublishedKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.PublishedKeysAndProfiles;
import com.theguardian.coverdrop.core.api.models.PublishedSignedEncryptionKey;
import com.theguardian.coverdrop.core.api.models.PublishedSignedSigningKey;
import com.theguardian.coverdrop.core.api.models.TrustedRootSigningKey;
import com.theguardian.coverdrop.core.api.models.VerifiedCoverNodeKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.VerifiedJournalistsKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.VerifiedKeyFamily;
import com.theguardian.coverdrop.core.api.models.VerifiedKeyHierarchy;
import com.theguardian.coverdrop.core.api.models.VerifiedKeys;
import com.theguardian.coverdrop.core.api.models.VerifiedSignedEncryptionKey;
import com.theguardian.coverdrop.core.api.models.VerifiedSignedSigningKey;
import com.theguardian.coverdrop.core.utils.HexDecodeEncodeExtensionsKt;
import java.time.Instant;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt__IterablesKt;
import kotlin.collections.MapsKt__MapsJVMKt;
import kotlin.jvm.internal.Intrinsics;

@Metadata(d1 = {"\u0000\u0082\u0001\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0000\u0018\u00002\u00020\u0001B\u000f\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0004\b\u0004\u0010\u0005J+\u0010\u0006\u001a\u00020\u00072\u0006\u0010\b\u001a\u00020\t2\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u000b2\u0006\u0010\r\u001a\u00020\u000eH\u0000¢\u0006\u0002\b\u000fJ&\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u0012\u001a\u00020\u00132\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u000b2\u0006\u0010\r\u001a\u00020\u000eH\u0002J \u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u00172\u0006\u0010\u0018\u001a\u00020\u00192\u0006\u0010\r\u001a\u00020\u000eH\u0002J \u0010\u001a\u001a\u00020\u001b2\u0006\u0010\u001c\u001a\u00020\u001d2\u0006\u0010\u0018\u001a\u00020\u00192\u0006\u0010\r\u001a\u00020\u000eH\u0002J,\u0010\u001e\u001a\b\u0012\u0004\u0012\u00020\u001f0\u000b2\f\u0010 \u001a\b\u0012\u0004\u0012\u00020!0\u000b2\u0006\u0010\"\u001a\u00020#2\u0006\u0010\r\u001a\u00020\u000eH\u0007J\"\u0010$\u001a\u0004\u0018\u00010\u001f2\u0006\u0010%\u001a\u00020!2\u0006\u0010\"\u001a\u00020#2\u0006\u0010\r\u001a\u00020\u000eH\u0002J&\u0010&\u001a\u00020\u00192\u0006\u0010\u0018\u001a\u00020'2\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\f0\u000b2\u0006\u0010\r\u001a\u00020\u000eH\u0007J \u0010(\u001a\u0004\u0018\u00010#2\u0006\u0010)\u001a\u00020'2\u0006\u0010*\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eJ \u0010+\u001a\u00020#2\u0006\u0010)\u001a\u00020'2\u0006\u0010*\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0007J \u0010,\u001a\u0004\u0018\u00010-2\u0006\u0010)\u001a\u00020.2\u0006\u0010*\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eJ \u0010/\u001a\u00020-2\u0006\u0010)\u001a\u00020.2\u0006\u0010*\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0007R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u00060"}, d2 = {"Lcom/theguardian/coverdrop/core/crypto/KeyVerifier;", "", "libSodium", "Lcom/goterl/lazysodium/SodiumAndroid;", "<init>", "(Lcom/goterl/lazysodium/SodiumAndroid;)V", "verifyPublishedKeysAndProfiles", "Lcom/theguardian/coverdrop/core/api/models/VerifiedKeys;", "publishedKeysAndProfiles", "Lcom/theguardian/coverdrop/core/api/models/PublishedKeysAndProfiles;", "trustedOrgPks", "", "Lcom/theguardian/coverdrop/core/crypto/PublicSigningKey;", "now", "Ljava/time/Instant;", "verifyPublishedKeysAndProfiles$core_release", "verifyPublishedKeyHierarchy", "Lcom/theguardian/coverdrop/core/api/models/VerifiedKeyHierarchy;", "publishedKeys", "Lcom/theguardian/coverdrop/core/api/models/PublishedKeyHierarchy;", "verifyPublishedCoverNodeKeyHierarchy", "Lcom/theguardian/coverdrop/core/api/models/VerifiedCoverNodeKeyHierarchy;", "coverNodeKeyHierarchy", "Lcom/theguardian/coverdrop/core/api/models/PublishedCoverNodeKeyHierarchy;", "orgPk", "Lcom/theguardian/coverdrop/core/api/models/TrustedRootSigningKey;", "verifyPublishedJournalistsKeyHierarchy", "Lcom/theguardian/coverdrop/core/api/models/VerifiedJournalistsKeyHierarchy;", "journalistsKeyHierarchy", "Lcom/theguardian/coverdrop/core/api/models/PublishedJournalistsKeyHierarchy;", "verifyKeyFamilies", "Lcom/theguardian/coverdrop/core/api/models/VerifiedKeyFamily;", "journalistsKeys", "Lcom/theguardian/coverdrop/core/api/models/PublishedKeyFamily;", "provisioningKey", "Lcom/theguardian/coverdrop/core/api/models/VerifiedSignedSigningKey;", "verifyKeyFamily", "keyFamily", "verifyTrustedRootKeyOrThrow", "Lcom/theguardian/coverdrop/core/api/models/PublishedSignedSigningKey;", "verifySigningKeyWithExpiryOrNull", "candidate", "parent", "verifySigningKeyWithExpiryOrThrow", "verifyEncryptionKeyWithExpiryOrNull", "Lcom/theguardian/coverdrop/core/api/models/VerifiedSignedEncryptionKey;", "Lcom/theguardian/coverdrop/core/api/models/PublishedSignedEncryptionKey;", "verifyEncryptionKeyWithExpiryOrThrow", "core_release"}, k = 1, mv = {2, 1, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class KeyVerifier {
    private final SodiumAndroid libSodium;

    public KeyVerifier(SodiumAndroid libSodium) {
        Intrinsics.checkNotNullParameter(libSodium, "libSodium");
        this.libSodium = libSodium;
    }

    private final VerifiedKeyFamily verifyKeyFamily(PublishedKeyFamily keyFamily, VerifiedSignedSigningKey provisioningKey, Instant now) {
        VerifiedSignedSigningKey verifySigningKeyWithExpiryOrNull = verifySigningKeyWithExpiryOrNull(keyFamily.getIdPk(), provisioningKey.getPk(), now);
        if (verifySigningKeyWithExpiryOrNull == null) {
            return null;
        }
        List<PublishedSignedEncryptionKey> msgPks = keyFamily.getMsgPks();
        ArrayList arrayList = new ArrayList();
        Iterator<T> it = msgPks.iterator();
        while (it.hasNext()) {
            VerifiedSignedEncryptionKey verifyEncryptionKeyWithExpiryOrNull = verifyEncryptionKeyWithExpiryOrNull((PublishedSignedEncryptionKey) it.next(), verifySigningKeyWithExpiryOrNull.getPk(), now);
            if (verifyEncryptionKeyWithExpiryOrNull != null) {
                arrayList.add(verifyEncryptionKeyWithExpiryOrNull);
            }
        }
        return new VerifiedKeyFamily(verifySigningKeyWithExpiryOrNull, arrayList);
    }

    private final VerifiedCoverNodeKeyHierarchy verifyPublishedCoverNodeKeyHierarchy(PublishedCoverNodeKeyHierarchy coverNodeKeyHierarchy, TrustedRootSigningKey orgPk, Instant now) {
        VerifiedSignedSigningKey verifySigningKeyWithExpiryOrThrow = verifySigningKeyWithExpiryOrThrow(coverNodeKeyHierarchy.getProvisioningPk(), orgPk.getPk(), now);
        HashMap<String, List<PublishedKeyFamily>> coverNodes = coverNodeKeyHierarchy.getCoverNodes();
        LinkedHashMap linkedHashMap = new LinkedHashMap(MapsKt__MapsJVMKt.mapCapacity(coverNodes.size()));
        Iterator<T> it = coverNodes.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry entry = (Map.Entry) it.next();
            linkedHashMap.put(entry.getKey(), verifyKeyFamilies((List) entry.getValue(), verifySigningKeyWithExpiryOrThrow, now));
        }
        return new VerifiedCoverNodeKeyHierarchy(verifySigningKeyWithExpiryOrThrow, linkedHashMap);
    }

    private final VerifiedJournalistsKeyHierarchy verifyPublishedJournalistsKeyHierarchy(PublishedJournalistsKeyHierarchy journalistsKeyHierarchy, TrustedRootSigningKey orgPk, Instant now) {
        VerifiedSignedSigningKey verifySigningKeyWithExpiryOrThrow = verifySigningKeyWithExpiryOrThrow(journalistsKeyHierarchy.getProvisioningPk(), orgPk.getPk(), now);
        HashMap<String, List<PublishedKeyFamily>> journalists = journalistsKeyHierarchy.getJournalists();
        LinkedHashMap linkedHashMap = new LinkedHashMap(MapsKt__MapsJVMKt.mapCapacity(journalists.size()));
        Iterator<T> it = journalists.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry entry = (Map.Entry) it.next();
            linkedHashMap.put(entry.getKey(), verifyKeyFamilies((List) entry.getValue(), verifySigningKeyWithExpiryOrThrow, now));
        }
        return new VerifiedJournalistsKeyHierarchy(verifySigningKeyWithExpiryOrThrow, linkedHashMap);
    }

    private final VerifiedKeyHierarchy verifyPublishedKeyHierarchy(PublishedKeyHierarchy publishedKeys, List<PublicSigningKey> trustedOrgPks, Instant now) {
        TrustedRootSigningKey verifyTrustedRootKeyOrThrow = verifyTrustedRootKeyOrThrow(publishedKeys.getOrgPk(), trustedOrgPks, now);
        List<PublishedCoverNodeKeyHierarchy> coverNodesKeyHierarchy = publishedKeys.getCoverNodesKeyHierarchy();
        ArrayList arrayList = new ArrayList(CollectionsKt__IterablesKt.collectionSizeOrDefault(coverNodesKeyHierarchy, 10));
        Iterator<T> it = coverNodesKeyHierarchy.iterator();
        while (it.hasNext()) {
            arrayList.add(verifyPublishedCoverNodeKeyHierarchy((PublishedCoverNodeKeyHierarchy) it.next(), verifyTrustedRootKeyOrThrow, now));
        }
        List<PublishedJournalistsKeyHierarchy> journalistsKeyHierarchy = publishedKeys.getJournalistsKeyHierarchy();
        ArrayList arrayList2 = new ArrayList(CollectionsKt__IterablesKt.collectionSizeOrDefault(journalistsKeyHierarchy, 10));
        Iterator<T> it2 = journalistsKeyHierarchy.iterator();
        while (it2.hasNext()) {
            arrayList2.add(verifyPublishedJournalistsKeyHierarchy((PublishedJournalistsKeyHierarchy) it2.next(), verifyTrustedRootKeyOrThrow, now));
        }
        return new VerifiedKeyHierarchy(verifyTrustedRootKeyOrThrow, arrayList2, arrayList);
    }

    public final VerifiedSignedEncryptionKey verifyEncryptionKeyWithExpiryOrNull(PublishedSignedEncryptionKey candidate, PublicSigningKey parent, Instant now) {
        VerifiedSignedEncryptionKey verifiedSignedEncryptionKey;
        Intrinsics.checkNotNullParameter(candidate, "candidate");
        Intrinsics.checkNotNullParameter(parent, "parent");
        Intrinsics.checkNotNullParameter(now, "now");
        try {
            verifiedSignedEncryptionKey = verifyEncryptionKeyWithExpiryOrThrow(candidate, parent, now);
        } catch (KeyVerificationException unused) {
            verifiedSignedEncryptionKey = null;
        }
        return verifiedSignedEncryptionKey;
    }

    public final VerifiedSignedEncryptionKey verifyEncryptionKeyWithExpiryOrThrow(PublishedSignedEncryptionKey candidate, PublicSigningKey parent, Instant now) {
        Intrinsics.checkNotNullParameter(candidate, "candidate");
        Intrinsics.checkNotNullParameter(parent, "parent");
        Intrinsics.checkNotNullParameter(now, "now");
        PublicEncryptionKey publicEncryptionKey = new PublicEncryptionKey(HexDecodeEncodeExtensionsKt.hexDecode(candidate.getKey()));
        Instant notValidAfter = candidate.getNotValidAfter();
        EncryptionKeyWithExpiryCertificateData from = EncryptionKeyWithExpiryCertificateData.INSTANCE.from(publicEncryptionKey, notValidAfter);
        if (now.isAfter(notValidAfter)) {
            throw new KeyExpirationException("failed to verify encryption key: expired on " + notValidAfter, null, 2, null);
        }
        try {
            Signature.INSTANCE.verifyOrThrow(this.libSodium, parent, from, new Signature(HexDecodeEncodeExtensionsKt.hexDecode(candidate.getCertificate())));
            return new VerifiedSignedEncryptionKey(publicEncryptionKey, notValidAfter);
        } catch (Exception e) {
            throw new KeyVerificationException("failed to verify encryption key: " + e.getMessage(), e);
        }
    }

    public final List<VerifiedKeyFamily> verifyKeyFamilies(List<PublishedKeyFamily> journalistsKeys, VerifiedSignedSigningKey provisioningKey, Instant now) {
        Intrinsics.checkNotNullParameter(journalistsKeys, "journalistsKeys");
        Intrinsics.checkNotNullParameter(provisioningKey, "provisioningKey");
        Intrinsics.checkNotNullParameter(now, "now");
        ArrayList arrayList = new ArrayList();
        Iterator<T> it = journalistsKeys.iterator();
        while (it.hasNext()) {
            VerifiedKeyFamily verifyKeyFamily = verifyKeyFamily((PublishedKeyFamily) it.next(), provisioningKey, now);
            if (verifyKeyFamily != null) {
                arrayList.add(verifyKeyFamily);
            }
        }
        return arrayList;
    }

    public final VerifiedKeys verifyPublishedKeysAndProfiles$core_release(PublishedKeysAndProfiles publishedKeysAndProfiles, List<PublicSigningKey> trustedOrgPks, Instant now) {
        Intrinsics.checkNotNullParameter(publishedKeysAndProfiles, "publishedKeysAndProfiles");
        Intrinsics.checkNotNullParameter(trustedOrgPks, "trustedOrgPks");
        Intrinsics.checkNotNullParameter(now, "now");
        List<PublishedKeyHierarchy> keys = publishedKeysAndProfiles.getKeys();
        ArrayList arrayList = new ArrayList(CollectionsKt__IterablesKt.collectionSizeOrDefault(keys, 10));
        Iterator<T> it = keys.iterator();
        while (it.hasNext()) {
            arrayList.add(verifyPublishedKeyHierarchy((PublishedKeyHierarchy) it.next(), trustedOrgPks, now));
        }
        return new VerifiedKeys(arrayList);
    }

    public final VerifiedSignedSigningKey verifySigningKeyWithExpiryOrNull(PublishedSignedSigningKey candidate, PublicSigningKey parent, Instant now) {
        VerifiedSignedSigningKey verifiedSignedSigningKey;
        Intrinsics.checkNotNullParameter(candidate, "candidate");
        Intrinsics.checkNotNullParameter(parent, "parent");
        Intrinsics.checkNotNullParameter(now, "now");
        try {
            verifiedSignedSigningKey = verifySigningKeyWithExpiryOrThrow(candidate, parent, now);
        } catch (KeyVerificationException unused) {
            verifiedSignedSigningKey = null;
        }
        return verifiedSignedSigningKey;
    }

    public final VerifiedSignedSigningKey verifySigningKeyWithExpiryOrThrow(PublishedSignedSigningKey candidate, PublicSigningKey parent, Instant now) {
        Intrinsics.checkNotNullParameter(candidate, "candidate");
        Intrinsics.checkNotNullParameter(parent, "parent");
        Intrinsics.checkNotNullParameter(now, "now");
        PublicSigningKey publicSigningKey = new PublicSigningKey(HexDecodeEncodeExtensionsKt.hexDecode(candidate.getKey()));
        Instant notValidAfter = candidate.getNotValidAfter();
        SigningKeyCertificateData from = SigningKeyCertificateData.INSTANCE.from(publicSigningKey, notValidAfter);
        if (now.isAfter(notValidAfter)) {
            throw new KeyExpirationException("failed to verify signing key: expired on " + notValidAfter, null, 2, null);
        }
        try {
            Signature.INSTANCE.verifyOrThrow(this.libSodium, parent, from, new Signature(HexDecodeEncodeExtensionsKt.hexDecode(candidate.getCertificate())));
            return new VerifiedSignedSigningKey(publicSigningKey);
        } catch (Exception e) {
            throw new KeyVerificationException("failed to verify signing key: " + e.getMessage(), e);
        }
    }

    public final TrustedRootSigningKey verifyTrustedRootKeyOrThrow(PublishedSignedSigningKey orgPk, List<PublicSigningKey> trustedOrgPks, Instant now) {
        Intrinsics.checkNotNullParameter(orgPk, "orgPk");
        Intrinsics.checkNotNullParameter(trustedOrgPks, "trustedOrgPks");
        Intrinsics.checkNotNullParameter(now, "now");
        PublicSigningKey publicSigningKey = new PublicSigningKey(HexDecodeEncodeExtensionsKt.hexDecode(orgPk.getKey()));
        for (PublicSigningKey publicSigningKey2 : trustedOrgPks) {
            if (Intrinsics.areEqual(publicSigningKey2, publicSigningKey) && verifySigningKeyWithExpiryOrNull(orgPk, publicSigningKey2, now) != null) {
                return new TrustedRootSigningKey(publicSigningKey2);
            }
        }
        throw new KeyVerificationException("failed to verify root key", null, 2, null);
    }
}
