package org.multipaz.util;

import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlinx.io.bytestring.ByteString;
import org.multipaz.asn1.OID;
import org.multipaz.cbor.Cbor;
import org.multipaz.cbor.DataItem;
import org.multipaz.crypto.X509Cert;
import org.multipaz.crypto.X509CertChain;
import org.multipaz.securearea.cloud.CloudAttestationExtension;

/* compiled from: validateCloudSecureAreaAttestation.kt */
@Metadata(d1 = {"\u0000&\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\"\n\u0000\u001a\u000e\u0010\u0002\u001a\u00020\u00032\u0006\u0010\u0004\u001a\u00020\u0005\u001a$\u0010\u0006\u001a\u00020\u00072\u0006\u0010\u0004\u001a\u00020\u00052\u0006\u0010\b\u001a\u00020\t2\f\u0010\n\u001a\b\u0012\u0004\u0012\u00020\t0\u000b\"\u000e\u0010\u0000\u001a\u00020\u0001X\u0082T¢\u0006\u0002\n\u0000¨\u0006\f"}, d2 = {"TAG", "", "isCloudKeyAttestation", "", "chain", "Lorg/multipaz/crypto/X509CertChain;", "validateCloudKeyAttestation", "", IDTokenClaimsSet.NONCE_CLAIM_NAME, "Lkotlinx/io/bytestring/ByteString;", "trustedRootKeys", "", "multipaz_release"}, k = 2, mv = {2, 1, 0}, xi = 48)
/* loaded from: classes5.dex */
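/**
 * Helpers for recognising and validating key attestations issued by a Cloud Secure Area.
 *
 * <p>This is decompiler output for the Kotlin file {@code validateCloudSecureAreaAttestation.kt};
 * calls such as {@code new ByteString(bytes, 0, 0, 6, null)} and {@code toByteArray$default(...)}
 * are the synthetic entry points the Kotlin compiler generates for default arguments.
 */
public final class ValidateCloudSecureAreaAttestationKt {
    private static final String TAG = "validateCloudSecureAreaAttestation";

    /**
     * Reports whether the leaf certificate of {@code chain} carries the Multipaz key-attestation
     * extension.
     *
     * <p>This is a presence check only: nothing is verified about the chain, the extension
     * contents or the issuing root. Use {@link #validateCloudKeyAttestation} before trusting
     * the attestation.
     *
     * @param chain the certificate chain to inspect; its first certificate is treated as the leaf
     * @return {@code true} if the extension is present on the first certificate
     * @throws java.util.NoSuchElementException if the chain holds no certificates
     *     (thrown by {@code CollectionsKt.first})
     */
    public static final boolean isCloudKeyAttestation(X509CertChain chain) {
        Intrinsics.checkNotNullParameter(chain, "chain");
        X509Cert leaf = CollectionsKt.first(chain.getCertificates());
        return leaf.getExtensionValue(OID.X509_EXTENSION_MULTIPAZ_KEY_ATTESTATION.getOid()) != null;
    }

    /**
     * Validates a Cloud Secure Area key attestation and throws if any check fails.
     *
     * <p>Checks, in order: the chain validates, the leaf carries the attestation extension,
     * the challenge in that extension equals {@code nonce}, and the public key of the last
     * certificate in the chain equals one of {@code trustedRootKeys}. Returning normally means
     * all four checks passed.
     *
     * @param chain the attestation certificate chain, leaf first and root last
     * @param nonce the challenge the verifier expects to find in the attestation
     * @param trustedRootKeys CBOR-encoded public keys accepted as attestation roots; an empty
     *     set rejects every chain
     * @throws IllegalStateException if the chain does not validate, the extension is missing,
     *     or the challenge differs from {@code nonce}
     * @throws IllegalArgumentException if the root key is not in {@code trustedRootKeys}
     */
    public static final void validateCloudKeyAttestation(X509CertChain chain, ByteString nonce, Set<ByteString> trustedRootKeys) {
        Intrinsics.checkNotNullParameter(chain, "chain");
        Intrinsics.checkNotNullParameter(nonce, "nonce");
        Intrinsics.checkNotNullParameter(trustedRootKeys, "trustedRootKeys");

        // NOTE(review): what validate() covers (signatures only, or also validity period and
        // CA constraints) is not visible from this file; confirm against X509CertChain.
        if (!chain.validate()) {
            throw new IllegalStateException("Certificate chain did not validate");
        }

        List<X509Cert> certificates = chain.getCertificates();
        X509Cert leaf = CollectionsKt.first(certificates);
        byte[] extensionValue = leaf.getExtensionValue(OID.X509_EXTENSION_MULTIPAZ_KEY_ATTESTATION.getOid());
        if (extensionValue == null) {
            throw new IllegalStateException("No attestation extension at OID " + OID.X509_EXTENSION_MULTIPAZ_KEY_ATTESTATION.getOid());
        }

        // The root pin is only checked further down, so the extension decoded here comes from a
        // chain whose root is not yet known to be trusted; decode() sees untrusted input.
        ByteString attestedChallenge =
                CloudAttestationExtension.INSTANCE.decode(new ByteString(extensionValue, 0, 0, 6, null)).getChallenge();
        if (!Intrinsics.areEqual(attestedChallenge, nonce)) {
            // Message previously read "does match", which stated the opposite of the failure.
            throw new IllegalStateException("Challenge in attestation does not match expected nonce");
        }

        // Pin the root: the last certificate's public key must equal one of the trusted keys.
        // Without this, any self-consistent chain would pass the checks above.
        DataItem rootKey = CollectionsKt.last(certificates).getEcPublicKey().toDataItem();
        boolean rootIsTrusted = false;
        for (ByteString trustedKey : trustedRootKeys) {
            DataItem candidate = Cbor.INSTANCE.decode(ByteString.toByteArray$default(trustedKey, 0, 0, 3, null));
            if (Intrinsics.areEqual(candidate, rootKey)) {
                rootIsTrusted = true;
                break;
            }
        }
        if (!rootIsTrusted) {
            throw new IllegalArgumentException("Unexpected cloud attestation root");
        }
    }
}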
