package com.google.crypto.tink.apps.paymentmethodtoken;

import com.google.crypto.tink.HybridDecrypt;
import com.google.crypto.tink.apps.paymentmethodtoken.PaymentMethodTokenConstants;
import com.google.crypto.tink.subtle.Base64;
import com.google.crypto.tink.subtle.EcdsaVerifyJce;
import com.google.crypto.tink.subtle.EllipticCurves;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.joda.time.Instant;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: input_file:com/google/crypto/tink/apps/paymentmethodtoken/PaymentMethodTokenRecipient.class */
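/**
 * Recipient side of the payment method token protocol: checks the sender's signature on a sealed
 * token, decrypts the signed message when the configured protocol version requires encryption,
 * and rejects payloads and signing keys whose expiration has passed.
 *
 * <p>Instances are created through {@link Builder}. All verification failures are reported as
 * {@link GeneralSecurityException}; nothing is returned to the caller unless the signature check
 * succeeded first.
 */
public final class PaymentMethodTokenRecipient {
    private final String protocolVersion;
    private final List<SenderVerifyingKeysProvider> senderVerifyingKeysProviders;
    private final List<HybridDecrypt> hybridDecrypters;
    private final String senderId;
    private final String recipientId;

    /**
     * Collects the protocol version, the identities and the key material for a
     * {@link PaymentMethodTokenRecipient}. The configuration is validated when {@link #build()}
     * runs, not when the individual setters are called.
     */
    public static class Builder {
        private String protocolVersion = PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V1;
        private String senderId = PaymentMethodTokenConstants.GOOGLE_SENDER_ID;
        private String recipientId = null;
        private final List<SenderVerifyingKeysProvider> senderVerifyingKeysProviders = new ArrayList<>();
        private final List<ECPrivateKey> recipientPrivateKeys = new ArrayList<>();
        private final List<PaymentMethodTokenRecipientKem> recipientKems = new ArrayList<>();

        /** Sets the protocol version; defaults to {@code PROTOCOL_VERSION_EC_V1}. */
        public Builder protocolVersion(String str) {
            this.protocolVersion = str;
            return this;
        }

        /** Sets the sender id that is bound into the signed bytes; defaults to {@code GOOGLE_SENDER_ID}. */
        public Builder senderId(String str) {
            this.senderId = str;
            return this;
        }

        /** Sets the recipient id that is bound into the signed bytes; required, there is no default. */
        public Builder recipientId(String str) {
            this.recipientId = str;
            return this;
        }

        /**
         * Registers a provider that asks the given keys manager for the trusted signing keys JSON
         * each time keys are needed and parses it for the requested protocol version. An
         * {@link IOException} from the manager is reported as a {@link GeneralSecurityException}.
         */
        public Builder fetchSenderVerifyingKeysWith(final GooglePaymentsPublicKeysManager googlePaymentsPublicKeysManager) throws GeneralSecurityException {
            this.senderVerifyingKeysProviders.add(new SenderVerifyingKeysProvider() {
                @Override
                public List<ECPublicKey> get(String str) throws GeneralSecurityException {
                    try {
                        return PaymentMethodTokenRecipient.parseTrustedSigningKeysJson(str, googlePaymentsPublicKeysManager.getTrustedSigningKeysJson());
                    } catch (IOException e) {
                        throw new GeneralSecurityException("Failed to fetch keys!", e);
                    }
                }
            });
            return this;
        }

        /**
         * Registers a provider backed by a fixed trusted signing keys JSON document. The document
         * is parsed, and key expirations are evaluated, each time keys are requested.
         */
        public Builder senderVerifyingKeys(final String str) throws GeneralSecurityException {
            this.senderVerifyingKeysProviders.add(new SenderVerifyingKeysProvider() {
                @Override
                public List<ECPublicKey> get(String str2) throws GeneralSecurityException {
                    return PaymentMethodTokenRecipient.parseTrustedSigningKeysJson(str2, str);
                }
            });
            return this;
        }

        /**
         * Registers a single sender verifying key given as a string that is handed to
         * {@code PaymentMethodTokenUtil.x509EcPublicKey}. The key is returned for every protocol
         * version and carries no expiration.
         */
        public Builder addSenderVerifyingKey(final String str) throws GeneralSecurityException {
            this.senderVerifyingKeysProviders.add(new SenderVerifyingKeysProvider() {
                @Override
                public List<ECPublicKey> get(String str2) throws GeneralSecurityException {
                    return Collections.singletonList(PaymentMethodTokenUtil.x509EcPublicKey(str));
                }
            });
            return this;
        }

        /**
         * Registers a single sender verifying key. The key is returned for every protocol version
         * and carries no expiration.
         */
        public Builder addSenderVerifyingKey(final ECPublicKey eCPublicKey) throws GeneralSecurityException {
            this.senderVerifyingKeysProviders.add(new SenderVerifyingKeysProvider() {
                @Override
                public List<ECPublicKey> get(String str) throws GeneralSecurityException {
                    return Collections.singletonList(eCPublicKey);
                }
            });
            return this;
        }

        /**
         * Adds a recipient private key given as a string that is handed to
         * {@code PaymentMethodTokenUtil.pkcs8EcPrivateKey}.
         */
        public Builder addRecipientPrivateKey(String str) throws GeneralSecurityException {
            return addRecipientPrivateKey(PaymentMethodTokenUtil.pkcs8EcPrivateKey(str));
        }

        /** Adds a recipient private key used to decrypt the signed message. */
        public Builder addRecipientPrivateKey(ECPrivateKey eCPrivateKey) throws GeneralSecurityException {
            this.recipientPrivateKeys.add(eCPrivateKey);
            return this;
        }

        /** Adds a recipient KEM used to decrypt the signed message instead of a raw private key. */
        public Builder addRecipientKem(PaymentMethodTokenRecipientKem paymentMethodTokenRecipientKem) {
            this.recipientKems.add(paymentMethodTokenRecipientKem);
            return this;
        }

        /**
         * Builds the recipient.
         *
         * @throws IllegalArgumentException if the collected configuration is inconsistent (see the
         *     constructor checks: version, verifying keys, decrypting keys, recipient id)
         */
        public PaymentMethodTokenRecipient build() throws GeneralSecurityException {
            return new PaymentMethodTokenRecipient(this);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /** Source of the public keys that are trusted to verify signatures for a protocol version. */
    public interface SenderVerifyingKeysProvider {
        /**
         * Returns the verifying keys to try for the given protocol version.
         *
         * @param str the protocol version the keys are requested for
         */
        List<ECPublicKey> get(String str) throws GeneralSecurityException;
    }

    /**
     * Validates the configuration and creates the decrypters.
     *
     * @param str protocol version; must be one of the three supported version constants
     * @param list providers of the sender's verifying keys; must be non-empty
     * @param str2 sender id
     * @param list2 recipient private keys
     * @param list3 recipient KEMs
     * @param str3 recipient id; must not be null
     * @throws IllegalArgumentException if the version is unknown, no verifying key provider is
     *     set, decrypting keys are missing for a version that encrypts or present for one that
     *     does not, or the recipient id is null
     */
    PaymentMethodTokenRecipient(String str, List<SenderVerifyingKeysProvider> list, String str2, List<ECPrivateKey> list2, List<PaymentMethodTokenRecipientKem> list3, String str3) throws GeneralSecurityException {
        this.hybridDecrypters = new ArrayList<>();
        if (!str.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V1) && !str.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V2) && !str.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V2_SIGNING_ONLY)) {
            throw new IllegalArgumentException("invalid version: " + str);
        }
        this.protocolVersion = str;
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("must set at least one way to get sender's verifying key using Builder.fetchSenderVerifyingKeysWith or Builder.senderVerifyingKeys");
        }
        // Copy the list: the Builder keeps its own mutable list, and the set of trusted key
        // sources of an already-built recipient must not change when the Builder is reused.
        this.senderVerifyingKeysProviders = new ArrayList<>(list);
        this.senderId = str2;
        PaymentMethodTokenConstants.ProtocolVersionConfig versionConfig = PaymentMethodTokenConstants.ProtocolVersionConfig.forProtocolVersion(str);
        if (versionConfig.isEncryptionRequired) {
            if (list2.isEmpty() && list3.isEmpty()) {
                throw new IllegalArgumentException("must add at least one recipient's decrypting key using Builder.addRecipientPrivateKey or Builder.addRecipientKem");
            }
            for (ECPrivateKey privateKey : list2) {
                this.hybridDecrypters.add(new PaymentMethodTokenHybridDecrypt(privateKey, versionConfig));
            }
            for (PaymentMethodTokenRecipientKem kem : list3) {
                this.hybridDecrypters.add(new PaymentMethodTokenHybridDecrypt(kem, versionConfig));
            }
        } else if (!list2.isEmpty() || !list3.isEmpty()) {
            // The message previously named Builder.addRecipientDecrypter, which the Builder does
            // not have; the KEM setter is addRecipientKem.
            throw new IllegalArgumentException("must not set private decrypting key using Builder.addRecipientPrivateKey or Builder.addRecipientKem");
        }
        if (str3 == null) {
            throw new IllegalArgumentException("must set recipient Id using Builder.recipientId");
        }
        this.recipientId = str3;
    }

    private PaymentMethodTokenRecipient(Builder builder) throws GeneralSecurityException {
        this(builder.protocolVersion, builder.senderVerifyingKeysProviders, builder.senderId, builder.recipientPrivateKeys, builder.recipientKems, builder.recipientId);
    }

    /**
     * Verifies a sealed token and returns its payload: the decrypted message for the encrypting
     * versions, the signed message itself for the signing-only version.
     *
     * @param str the sealed token as a JSON string
     * @return the verified (and, where applicable, decrypted) payload
     * @throws GeneralSecurityException if the token is not valid JSON, has the wrong shape or
     *     version, fails signature verification, cannot be decrypted, or is expired
     */
    public String unseal(String str) throws GeneralSecurityException {
        try {
            if (this.protocolVersion.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V1)) {
                return unsealECV1(str);
            }
            if (this.protocolVersion.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V2)) {
                return unsealECV2(str);
            }
            if (this.protocolVersion.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V2_SIGNING_ONLY)) {
                return unsealECV2SigningOnly(str);
            }
            throw new IllegalArgumentException("unsupported version: " + this.protocolVersion);
        } catch (JSONException e) {
            // NOTE(review): the JSONException is not chained as the cause; presumably this keeps
            // parser detail out of the reported error - confirm before changing.
            throw new GeneralSecurityException("cannot unseal; invalid JSON message");
        }
    }

    /** ECv1: shape check, signature check with the trusted keys, then decrypt and expiry check. */
    private String unsealECV1(String sealedMessage) throws JSONException, GeneralSecurityException {
        JSONObject token = new JSONObject(sealedMessage);
        validateECV1(token);
        // Decryption only runs on a message whose signature has already been verified.
        String plaintext = decrypt(verifyECV1(token));
        validateMessage(plaintext);
        return plaintext;
    }

    /** ECv2: like ECv1, but the message signature is checked with the intermediate signing key. */
    private String unsealECV2(String sealedMessage) throws JSONException, GeneralSecurityException {
        JSONObject token = new JSONObject(sealedMessage);
        validateECV2(token);
        String plaintext = decrypt(verifyECV2(token));
        validateMessage(plaintext);
        return plaintext;
    }

    /** ECv2 signing-only: same verification as ECv2, but the signed message is not decrypted. */
    private String unsealECV2SigningOnly(String sealedMessage) throws JSONException, GeneralSecurityException {
        JSONObject token = new JSONObject(sealedMessage);
        validateECV2(token);
        String signedMessage = verifyECV2(token);
        validateMessage(signedMessage);
        return signedMessage;
    }

    /**
     * Verifies the token signature directly against the configured sender verifying keys.
     *
     * @return the signed message, only if verification succeeded
     */
    private String verifyECV1(JSONObject token) throws GeneralSecurityException, JSONException {
        byte[] signature = Base64.decode(token.getString(PaymentMethodTokenConstants.JSON_SIGNATURE_KEY));
        String signedMessage = token.getString(PaymentMethodTokenConstants.JSON_SIGNED_MESSAGE_KEY);
        verify(this.protocolVersion, this.senderVerifyingKeysProviders, Collections.singletonList(signature), getSignedBytes(this.protocolVersion, signedMessage));
        return signedMessage;
    }

    /**
     * Verifies the intermediate signing key against the configured sender verifying keys, then
     * verifies the token signature against that intermediate key.
     *
     * @return the signed message, only if both verifications succeeded
     */
    private String verifyECV2(JSONObject token) throws GeneralSecurityException, JSONException {
        byte[] signature = Base64.decode(token.getString(PaymentMethodTokenConstants.JSON_SIGNATURE_KEY));
        String signedMessage = token.getString(PaymentMethodTokenConstants.JSON_SIGNED_MESSAGE_KEY);
        verify(this.protocolVersion, verifyIntermediateSigningKey(token), Collections.singletonList(signature), getSignedBytes(this.protocolVersion, signedMessage));
        return signedMessage;
    }

    /**
     * Builds the bytes the message signature is computed over from the sender id, the recipient
     * id, the protocol version and the signed message, so a signature is tied to all four.
     */
    private byte[] getSignedBytes(String version, String signedMessage) throws GeneralSecurityException {
        return PaymentMethodTokenUtil.toLengthValue(this.senderId, this.recipientId, version, signedMessage);
    }

    /**
     * Rejects a payload whose message expiration has passed.
     *
     * <p>A payload that is not a JSON object has no expiration field and is accepted as is. Once
     * the payload parsed, a present expiration field that cannot be read as a string raises
     * {@link JSONException}, which {@link #unseal} reports as a failure; it is not swallowed,
     * because that would silently skip the expiry check.
     *
     * @throws GeneralSecurityException if the expiration is at or before the current time
     */
    private void validateMessage(String message) throws GeneralSecurityException, JSONException {
        JSONObject payload;
        try {
            payload = new JSONObject(message);
        } catch (JSONException ignored) {
            // Not a JSON object, so there is no expiration field to check.
            return;
        }
        if (payload.has(PaymentMethodTokenConstants.JSON_MESSAGE_EXPIRATION_KEY)) {
            // A non-numeric value makes parseLong throw NumberFormatException, which also
            // prevents the payload from being returned.
            long expirationMillis = Long.parseLong(payload.getString(PaymentMethodTokenConstants.JSON_MESSAGE_EXPIRATION_KEY));
            if (expirationMillis <= Instant.now().getMillis()) {
                throw new GeneralSecurityException("expired payload");
            }
        }
    }

    /**
     * Accepts the signed bytes if at least one (key, signature) pair verifies.
     *
     * <p>Every key of every provider is tried against every signature; individual failures are
     * expected and ignored. If no provider returns a key, or no pair verifies, the call fails.
     *
     * @throws GeneralSecurityException if no pair verifies, or a provider or verifier setup fails
     */
    private static void verify(String version, List<SenderVerifyingKeysProvider> providers, List<byte[]> signatures, byte[] signedBytes) throws GeneralSecurityException {
        boolean verified = false;
        for (SenderVerifyingKeysProvider provider : providers) {
            for (ECPublicKey publicKey : provider.get(version)) {
                EcdsaVerifyJce verifier = new EcdsaVerifyJce(publicKey, PaymentMethodTokenConstants.ECDSA_HASH_SHA256, EllipticCurves.EcdsaEncoding.DER);
                for (byte[] signature : signatures) {
                    try {
                        verifier.verify(signature, signedBytes);
                        // No exception means this signature is valid for this key.
                        verified = true;
                    } catch (GeneralSecurityException ignored) {
                        // This pair does not match; keep trying the remaining pairs.
                    }
                }
            }
        }
        if (!verified) {
            throw new GeneralSecurityException("cannot verify signature");
        }
    }

    /**
     * Tries each configured decrypter in order and returns the first successful plaintext.
     *
     * @throws GeneralSecurityException if no decrypter can decrypt the message
     */
    private String decrypt(String ciphertext) throws GeneralSecurityException {
        for (HybridDecrypt decrypter : this.hybridDecrypters) {
            try {
                byte[] plaintext = decrypter.decrypt(ciphertext.getBytes(StandardCharsets.UTF_8), PaymentMethodTokenConstants.GOOGLE_CONTEXT_INFO_ECV1);
                return new String(plaintext, StandardCharsets.UTF_8);
            } catch (GeneralSecurityException ignored) {
                // Wrong key for this message; try the next decrypter.
            }
        }
        throw new GeneralSecurityException("cannot decrypt");
    }

    /**
     * Checks that an ECv1 token holds exactly protocolVersion, signature and signedMessage, and
     * that its version equals the configured one.
     */
    private void validateECV1(JSONObject token) throws GeneralSecurityException, JSONException {
        boolean hasExpectedFields = token.has(PaymentMethodTokenConstants.JSON_PROTOCOL_VERSION_KEY)
                && token.has(PaymentMethodTokenConstants.JSON_SIGNATURE_KEY)
                && token.has(PaymentMethodTokenConstants.JSON_SIGNED_MESSAGE_KEY)
                && token.length() == 3;
        if (!hasExpectedFields) {
            throw new GeneralSecurityException("ECv1 message must contain exactly protocolVersion, signature and signedMessage");
        }
        String version = token.getString(PaymentMethodTokenConstants.JSON_PROTOCOL_VERSION_KEY);
        if (!version.equals(this.protocolVersion)) {
            throw new GeneralSecurityException("invalid version: " + version);
        }
    }

    /**
     * Checks that an ECv2 token holds exactly protocolVersion, intermediateSigningKey, signature
     * and signedMessage, and that its version equals the configured one.
     */
    private void validateECV2(JSONObject token) throws GeneralSecurityException, JSONException {
        boolean hasExpectedFields = token.has(PaymentMethodTokenConstants.JSON_PROTOCOL_VERSION_KEY)
                && token.has(PaymentMethodTokenConstants.JSON_SIGNATURE_KEY)
                && token.has(PaymentMethodTokenConstants.JSON_SIGNED_MESSAGE_KEY)
                && token.has(PaymentMethodTokenConstants.JSON_INTERMEDIATE_SIGNING_KEY)
                && token.length() == 4;
        if (!hasExpectedFields) {
            throw new GeneralSecurityException(this.protocolVersion + " message must contain exactly protocolVersion, intermediateSigningKey, signature and signedMessage");
        }
        String version = token.getString(PaymentMethodTokenConstants.JSON_PROTOCOL_VERSION_KEY);
        if (!version.equals(this.protocolVersion)) {
            throw new GeneralSecurityException("invalid version: " + version);
        }
    }

    /**
     * Verifies the token's intermediate signing key with the configured sender verifying keys and
     * returns a provider for that key.
     *
     * <p>The signed key is parsed and its expiration checked only after its signature verified.
     * The bytes signed here are built from the sender id, the protocol version and the signed
     * key; the recipient id is not part of them.
     *
     * @return a single provider that yields the intermediate key for the configured protocol
     *     version and no key for any other version
     */
    private List<SenderVerifyingKeysProvider> verifyIntermediateSigningKey(JSONObject token) throws GeneralSecurityException, JSONException {
        JSONObject intermediateSigningKey = token.getJSONObject(PaymentMethodTokenConstants.JSON_INTERMEDIATE_SIGNING_KEY);
        validateIntermediateSigningKey(intermediateSigningKey);
        List<byte[]> signatures = new ArrayList<>();
        JSONArray encodedSignatures = intermediateSigningKey.getJSONArray(PaymentMethodTokenConstants.JSON_SIGNATURES_KEY);
        for (int i = 0; i < encodedSignatures.length(); i++) {
            signatures.add(Base64.decode(encodedSignatures.getString(i)));
        }
        String signedKeyJson = intermediateSigningKey.getString(PaymentMethodTokenConstants.JSON_SIGNED_KEY_KEY);
        verify(this.protocolVersion, this.senderVerifyingKeysProviders, signatures, PaymentMethodTokenUtil.toLengthValue(this.senderId, this.protocolVersion, signedKeyJson));
        JSONObject signedKey = new JSONObject(signedKeyJson);
        validateSignedKey(signedKey);
        final String keyValue = signedKey.getString(PaymentMethodTokenConstants.JSON_KEY_VALUE_KEY);
        return Collections.singletonList(new SenderVerifyingKeysProvider() {
            @Override
            public List<ECPublicKey> get(String str) throws GeneralSecurityException {
                if (PaymentMethodTokenRecipient.this.protocolVersion.equals(str)) {
                    return Collections.singletonList(PaymentMethodTokenUtil.x509EcPublicKey(keyValue));
                }
                return Collections.emptyList();
            }
        });
    }

    /**
     * Checks that the intermediate signing key object holds exactly signedKey and signatures.
     *
     * @return the same object, when it has the expected shape
     */
    private JSONObject validateIntermediateSigningKey(JSONObject intermediateSigningKey) throws GeneralSecurityException {
        if (intermediateSigningKey.has(PaymentMethodTokenConstants.JSON_SIGNATURES_KEY) && intermediateSigningKey.has(PaymentMethodTokenConstants.JSON_SIGNED_KEY_KEY) && intermediateSigningKey.length() == 2) {
            return intermediateSigningKey;
        }
        throw new GeneralSecurityException("intermediateSigningKey must contain exactly signedKey and signatures");
    }

    /**
     * Checks that the signed key holds keyValue and keyExpiration and that the expiration is
     * still in the future. Unlike the other shape checks, extra fields are not rejected here.
     */
    private void validateSignedKey(JSONObject signedKey) throws GeneralSecurityException, JSONException {
        if (!signedKey.has(PaymentMethodTokenConstants.JSON_KEY_VALUE_KEY) || !signedKey.has(PaymentMethodTokenConstants.JSON_KEY_EXPIRATION_KEY)) {
            throw new GeneralSecurityException("intermediateSigningKey.signedKey must contain keyValue and keyExpiration");
        }
        long expirationMillis = Long.parseLong(signedKey.getString(PaymentMethodTokenConstants.JSON_KEY_EXPIRATION_KEY));
        if (expirationMillis <= Instant.now().getMillis()) {
            throw new GeneralSecurityException("expired intermediateSigningKey");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Extracts the usable verifying keys for one protocol version from a trusted signing keys
     * JSON document (an object with a {@code "keys"} array).
     *
     * <p>Entries for other protocol versions and entries whose key expiration has passed are
     * skipped. An entry without a key expiration is accepted only for {@code
     * PROTOCOL_VERSION_EC_V1}; for every other version such an entry is skipped, so a key with
     * no stated lifetime is never trusted there.
     *
     * @param str the protocol version to select keys for
     * @param str2 the trusted signing keys JSON document
     * @return the non-expired keys for that version; never empty
     * @throws GeneralSecurityException if the JSON cannot be read or no usable key remains
     */
    public static List<ECPublicKey> parseTrustedSigningKeysJson(String str, String str2) throws GeneralSecurityException {
        List<ECPublicKey> trustedKeys = new ArrayList<>();
        try {
            JSONArray keys = new JSONObject(str2).getJSONArray("keys");
            for (int i = 0; i < keys.length(); i++) {
                JSONObject key = keys.getJSONObject(i);
                if (!str.equals(key.getString(PaymentMethodTokenConstants.JSON_PROTOCOL_VERSION_KEY))) {
                    continue;
                }
                if (key.has(PaymentMethodTokenConstants.JSON_KEY_EXPIRATION_KEY)) {
                    long expirationMillis = Long.parseLong(key.getString(PaymentMethodTokenConstants.JSON_KEY_EXPIRATION_KEY));
                    if (expirationMillis <= Instant.now().getMillis()) {
                        // Expired keys are ignored.
                        continue;
                    }
                } else if (!str.equals(PaymentMethodTokenConstants.PROTOCOL_VERSION_EC_V1)) {
                    // The version test used to guard an empty body, so a key without an
                    // expiration was accepted for every version; only ECv1 may omit it.
                    continue;
                }
                trustedKeys.add(PaymentMethodTokenUtil.x509EcPublicKey(key.getString(PaymentMethodTokenConstants.JSON_KEY_VALUE_KEY)));
            }
            if (trustedKeys.isEmpty()) {
                throw new GeneralSecurityException("no trusted keys are available for this protocol version");
            }
            return trustedKeys;
        } catch (JSONException e) {
            throw new GeneralSecurityException("failed to extract trusted signing public keys", e);
        }
    }
}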
