package com.clevercloud.biscuit.token.format;

import biscuit.format.schema.Schema;
import com.clevercloud.biscuit.crypto.KeyDelegate;
import com.clevercloud.biscuit.crypto.KeyPair;
import com.clevercloud.biscuit.crypto.PublicKey;
import com.clevercloud.biscuit.error.Error;
import com.clevercloud.biscuit.token.Block;
import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import io.vavr.API;
import io.vavr.control.Either;
import io.vavr.control.Option;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import net.i2p.crypto.eddsa.EdDSAEngine;

/* loaded from: input_file:com/clevercloud/biscuit/token/format/SerializedBiscuit.class */
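/**
 * Wire-level form of a Biscuit token: an authority block, a list of appended blocks, and a proof.
 *
 * <p>Each {@link SignedBlock} carries the serialized block bytes, the public key that must sign
 * the <em>next</em> block, and a signature over both. The proof is either the private key matching
 * the last block's next key (the token can still be attenuated) or a final signature (the token is
 * sealed).
 *
 * <p>Only {@link #from_bytes} returns a token whose signature chain has been checked;
 * {@link #unsafe_deserialize} does not.
 */
public class SerializedBiscuit {
    // First block of the chain; verify() checks its signature with the root public key.
    public SignedBlock authority;
    // Blocks appended after the authority block, in signing order.
    public List<SignedBlock> blocks;
    // Either the next private key (unsealed) or the final signature (sealed).
    public Proof proof;
    // Optional root key identifier carried in the token.
    public Option<Integer> root_key_id;
    // NOTE(review): both bounds are public, static and non-final, so any code can change them.
    public static int MIN_SCHEMA_VERSION = 3;
    public static int MAX_SCHEMA_VERSION = 3;

    // Signature size enforced by verify() on every block signature.
    private static final int SIGNATURE_LENGTH = 64;
    private static final String INVALID_SIGNATURE_MESSAGE =
            "signature error: Verification equation was not satisfied";

    /**
     * Parses a token and verifies its signature chain against the given root key.
     *
     * @param bArr serialized token
     * @param publicKey root public key expected to have signed the authority block
     * @return the parsed token, only if verification succeeded
     * @throws Error if the bytes cannot be parsed, the proof is empty, or verification fails
     */
    public static SerializedBiscuit from_bytes(byte[] bArr, PublicKey publicKey) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error {
        try {
            return from_bytes_inner(Schema.Biscuit.parseFrom(bArr), publicKey);
        } catch (InvalidProtocolBufferException e) {
            throw new Error.FormatError.DeserializationError(e.toString());
        }
    }

    /**
     * Parses a token, asks the delegate for the root key, and verifies the signature chain.
     *
     * <p>The root key id handed to the delegate is read from the serialized token before any
     * signature is checked, so it is only a hint: the delegate should return nothing but keys the
     * verifier already trusts.
     *
     * @param bArr serialized token
     * @param keyDelegate resolves the optional root key id to a root public key
     * @return the parsed token, only if verification succeeded
     * @throws InvalidKeyException if the delegate returns no key for the id
     * @throws Error if the bytes cannot be parsed, the proof is empty, or verification fails
     */
    public static SerializedBiscuit from_bytes(byte[] bArr, KeyDelegate keyDelegate) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error {
        try {
            Schema.Biscuit parsed = Schema.Biscuit.parseFrom(bArr);
            Option<PublicKey> root_key = keyDelegate.root_key(parse_root_key_id(parsed));
            if (root_key.isEmpty()) {
                throw new InvalidKeyException("unknown root key id");
            }
            return from_bytes_inner(parsed, root_key.get());
        } catch (InvalidProtocolBufferException e) {
            throw new Error.FormatError.DeserializationError(e.toString());
        }
    }

    /**
     * Builds a token from the parsed protobuf message and verifies it before returning it.
     *
     * @param biscuit2 parsed protobuf message
     * @param publicKey root public key used to check the authority block
     * @throws Error if the proof is empty or {@link #verify} reports a failure
     */
    static SerializedBiscuit from_bytes_inner(Schema.Biscuit biscuit2, PublicKey publicKey) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error {
        SerializedBiscuit token = new SerializedBiscuit(
                parse_signed_block(biscuit2.getAuthority()),
                parse_blocks(biscuit2),
                parse_proof(biscuit2.getProof()),
                parse_root_key_id(biscuit2));
        // Nothing is returned to the caller unless the whole chain verifies.
        Either<Error, Void> verification = token.verify(publicKey);
        if (verification.isLeft()) {
            throw verification.getLeft();
        }
        return token;
    }

    /**
     * Parses a token WITHOUT checking any signature.
     *
     * <p>The result is structurally valid only (it parses and has a non-empty proof). Its content
     * must not feed an authorization decision until {@link #verify} has succeeded.
     *
     * @param bArr serialized token
     * @return the unverified token
     * @throws Error.FormatError.DeserializationError if the bytes cannot be parsed or the proof is
     *     empty
     */
    public static SerializedBiscuit unsafe_deserialize(byte[] bArr) throws Error.FormatError.DeserializationError {
        try {
            Schema.Biscuit parsed = Schema.Biscuit.parseFrom(bArr);
            // Keep the root key id: from_bytes_inner keeps it and serialize() writes it back, so
            // dropping it here silently changed the token on a deserialize/serialize round trip.
            return new SerializedBiscuit(
                    parse_signed_block(parsed.getAuthority()),
                    parse_blocks(parsed),
                    parse_proof(parsed.getProof()),
                    parse_root_key_id(parsed));
        } catch (InvalidProtocolBufferException e) {
            throw new Error.FormatError.DeserializationError(e.toString());
        }
    }

    /**
     * Encodes the token as protobuf bytes.
     *
     * <p>For an unsealed token the output contains the next private key; see {@link #seal}.
     *
     * @return the serialized token
     * @throws Error.FormatError.SerializationError if writing the message fails
     */
    public byte[] serialize() throws Error.FormatError.SerializationError {
        // The mNNNbuild() names are used as they appear in this listing; presumably they alias
        // the generated builders' build() -- confirm before recompiling.
        Schema.Biscuit.Builder tokenBuilder = Schema.Biscuit.newBuilder();
        tokenBuilder.setAuthority(to_schema(this.authority));
        for (SignedBlock block : this.blocks) {
            tokenBuilder.addBlocks(to_schema(block));
        }
        Schema.Proof.Builder proofBuilder = Schema.Proof.newBuilder();
        if (this.proof.secretKey.isEmpty()) {
            proofBuilder.setFinalSignature(ByteString.copyFrom((byte[]) this.proof.signature.get()));
        } else {
            proofBuilder.setNextSecret(ByteString.copyFrom(((KeyPair) this.proof.secretKey.get()).toBytes()));
        }
        tokenBuilder.setProof(proofBuilder.m568build());
        if (!this.root_key_id.isEmpty()) {
            tokenBuilder.setRootKeyId(this.root_key_id.get());
        }
        Schema.Biscuit message = tokenBuilder.m90build();
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            message.writeTo(out);
            return out.toByteArray();
        } catch (IOException e) {
            throw new Error.FormatError.SerializationError(e.toString());
        }
    }

    /**
     * Creates a token with a single authority block and no root key id.
     *
     * @param keyPair root key pair that signs the authority block
     * @param block authority block content
     * @param keyPair2 key pair for the next block; its private half becomes the proof
     */
    public static Either<Error.FormatError, SerializedBiscuit> make(KeyPair keyPair, Block block, KeyPair keyPair2) {
        return make(keyPair, Option.none(), block, keyPair2);
    }

    /**
     * Creates a token with a single authority block.
     *
     * @param keyPair root key pair that signs the authority block
     * @param option optional root key id stored in the token
     * @param block authority block content
     * @param keyPair2 key pair for the next block; its private half becomes the proof
     * @return the new token, or a {@code SerializationError} if encoding or signing fails
     */
    public static Either<Error.FormatError, SerializedBiscuit> make(KeyPair keyPair, Option<Integer> option, Block block, KeyPair keyPair2) {
        Schema.Block serialized = block.serialize();
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            serialized.writeTo(out);
            byte[] payload = out.toByteArray();
            PublicKey nextKey = keyPair2.public_key();
            SignedBlock authorityBlock = new SignedBlock(payload, nextKey, sign_block(keyPair, payload, nextKey));
            return API.Right(new SerializedBiscuit(authorityBlock, new ArrayList<SignedBlock>(), new Proof(keyPair2), option));
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            return API.Left(new Error.FormatError.SerializationError(e.toString()));
        }
    }

    /**
     * Returns a new token with one more block, signed with the current proof key.
     *
     * <p>This instance is not modified; the new token shares the existing block objects.
     *
     * @param keyPair key pair for the block after this one; its private half becomes the new proof
     * @param block content of the block to append
     * @return the extended token, or a {@code SerializationError} if the token is sealed or
     *     encoding/signing fails
     */
    public Either<Error.FormatError, SerializedBiscuit> append(KeyPair keyPair, Block block) {
        if (this.proof.secretKey.isEmpty()) {
            return API.Left(new Error.FormatError.SerializationError("the token is sealed"));
        }
        Schema.Block serialized = block.serialize();
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            serialized.writeTo(out);
            byte[] payload = out.toByteArray();
            PublicKey nextKey = keyPair.public_key();
            KeyPair currentSecret = (KeyPair) this.proof.secretKey.get();
            SignedBlock appended = new SignedBlock(payload, nextKey, sign_block(currentSecret, payload, nextKey));
            List<SignedBlock> extended = new ArrayList<>(this.blocks);
            extended.add(appended);
            return API.Right(new SerializedBiscuit(this.authority, extended, new Proof(keyPair), this.root_key_id));
        } catch (IOException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            return API.Left(new Error.FormatError.SerializationError(e.toString()));
        }
    }

    /**
     * Checks the whole signature chain and the proof.
     *
     * <p>The authority block is checked with {@code publicKey}; every later block is checked with
     * the next key announced by the block before it. An unsealed token passes if the public half
     * of its proof key equals the last announced key; a sealed token passes if its final signature
     * verifies under that key.
     *
     * <p>NOTE(review): every check uses the Ed25519 engine. The key's algorithm number is part of
     * the signed data but is not used here to select a scheme.
     *
     * <p>NOTE(review): block signatures are length-checked before verification; the final
     * signature of a sealed token is passed to the engine without that check.
     *
     * @param publicKey root public key
     * @return right on success, otherwise the first failure found
     */
    public Either<Error, Void> verify(PublicKey publicKey) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        Either<Error, Void> authorityCheck = verify_block(this.authority, publicKey);
        if (authorityCheck.isLeft()) {
            return authorityCheck;
        }
        // Key expected to have signed whatever comes next in the chain.
        PublicKey currentKey = this.authority.key;
        for (SignedBlock block : this.blocks) {
            Either<Error, Void> blockCheck = verify_block(block, currentKey);
            if (blockCheck.isLeft()) {
                return blockCheck;
            }
            currentKey = block.key;
        }
        if (!this.proof.secretKey.isEmpty()) {
            KeyPair nextSecret = (KeyPair) this.proof.secretKey.get();
            if (nextSecret.public_key().equals(currentKey)) {
                return API.Right(null);
            }
            return API.Left(new Error.FormatError.Signature.InvalidSignature(INVALID_SIGNATURE_MESSAGE));
        }
        byte[] finalSignature = (byte[]) this.proof.signature.get();
        SignedBlock last = last_block();
        EdDSAEngine engine = new_engine();
        engine.initVerify(currentKey.key);
        // Same layout as seal(): the last block's signed content followed by its signature.
        update_with_block(engine, last.block, last.key);
        engine.update(last.signature);
        if (engine.verify(finalSignature)) {
            return API.Right(null);
        }
        return API.Left(new Error.FormatError.SealedSignature());
    }

    /**
     * Seals this token in place: replaces the proof key with a final signature over the last
     * block, so that {@link #append} refuses further blocks.
     *
     * <p>NOTE(review): only the reference to the key pair is dropped here; this method does not
     * overwrite the key material.
     *
     * @return right on success, or {@code Error.Sealed} if the token is already sealed
     */
    public Either<Error, Void> seal() throws InvalidKeyException, NoSuchAlgorithmException, SignatureException {
        if (this.proof.secretKey.isEmpty()) {
            return API.Left(new Error.Sealed());
        }
        SignedBlock last = last_block();
        EdDSAEngine engine = new_engine();
        engine.initSign(((KeyPair) this.proof.secretKey.get()).private_key);
        update_with_block(engine, last.block, last.key);
        engine.update(last.signature);
        byte[] sealSignature = engine.sign();
        this.proof.secretKey = Option.none();
        this.proof.signature = Option.some(sealSignature);
        return API.Right(null);
    }

    /**
     * Returns one revocation identifier per block: the block's signature, authority first.
     *
     * <p>The returned arrays are the token's own signature arrays, not copies.
     */
    public List<byte[]> revocation_identifiers() {
        List<byte[]> identifiers = new ArrayList<>();
        identifiers.add(this.authority.signature);
        for (SignedBlock block : this.blocks) {
            identifiers.add(block.signature);
        }
        return identifiers;
    }

    // Reads the optional root key id from the parsed message.
    private static Option<Integer> parse_root_key_id(Schema.Biscuit biscuit) {
        if (biscuit.hasRootKeyId()) {
            return Option.some(biscuit.getRootKeyId());
        }
        return Option.none();
    }

    // Converts one protobuf signed block into its in-memory form.
    private static SignedBlock parse_signed_block(Schema.SignedBlock wire) {
        Schema.PublicKey wireKey = wire.getNextKey();
        PublicKey nextKey = new PublicKey(wireKey.getAlgorithm(), wireKey.getKey().toByteArray());
        return new SignedBlock(wire.getBlock().toByteArray(), nextKey, wire.getSignature().toByteArray());
    }

    // Converts every non-authority block of the parsed message, keeping order.
    private static List<SignedBlock> parse_blocks(Schema.Biscuit biscuit) {
        List<SignedBlock> parsed = new ArrayList<>();
        for (Schema.SignedBlock wire : biscuit.getBlocksList()) {
            parsed.add(parse_signed_block(wire));
        }
        return parsed;
    }

    // Reads the proof and rejects a message that carries neither a next secret nor a final signature.
    private static Proof parse_proof(Schema.Proof wire) throws Error.FormatError.DeserializationError {
        Option<KeyPair> nextSecret = Option.none();
        if (wire.hasNextSecret()) {
            nextSecret = Option.some(new KeyPair(wire.getNextSecret().toByteArray()));
        }
        Option<byte[]> finalSignature = Option.none();
        if (wire.hasFinalSignature()) {
            finalSignature = Option.some(wire.getFinalSignature().toByteArray());
        }
        if (nextSecret.isEmpty() && finalSignature.isEmpty()) {
            throw new Error.FormatError.DeserializationError("empty proof");
        }
        return new Proof(nextSecret, finalSignature);
    }

    // Converts one in-memory signed block into its protobuf form.
    private static Schema.SignedBlock to_schema(SignedBlock block) {
        Schema.PublicKey.Builder keyBuilder = Schema.PublicKey.newBuilder();
        keyBuilder.setKey(ByteString.copyFrom(block.key.toBytes()));
        keyBuilder.setAlgorithm(block.key.algorithm);
        Schema.SignedBlock.Builder blockBuilder = Schema.SignedBlock.newBuilder();
        blockBuilder.setBlock(ByteString.copyFrom(block.block));
        blockBuilder.setNextKey(keyBuilder.m618build());
        blockBuilder.setSignature(ByteString.copyFrom(block.signature));
        return blockBuilder.m712build();
    }

    // Creates a fresh engine; one is used per signature so no state carries over between checks.
    private static EdDSAEngine new_engine() throws NoSuchAlgorithmException {
        return new EdDSAEngine(MessageDigest.getInstance(KeyPair.ed25519.getHashAlgorithm()));
    }

    // Feeds the signed content of a block: payload, then the next key's algorithm number as a
    // 4-byte little-endian integer, then the next key's bytes. Signing and verification both go
    // through this method so the two sides cannot drift apart.
    private static void update_with_block(EdDSAEngine engine, byte[] payload, PublicKey nextKey) throws SignatureException {
        ByteBuffer algorithm = ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN);
        algorithm.putInt(nextKey.algorithm.getNumber());
        algorithm.flip();
        engine.update(payload);
        engine.update(algorithm);
        engine.update(nextKey.toBytes());
    }

    // Signs a block payload together with the public key announced for the next block.
    private static byte[] sign_block(KeyPair signer, byte[] payload, PublicKey nextKey) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        EdDSAEngine engine = new_engine();
        engine.initSign(signer.private_key);
        update_with_block(engine, payload, nextKey);
        return engine.sign();
    }

    // Checks one block signature against the key expected to have produced it.
    private static Either<Error, Void> verify_block(SignedBlock block, PublicKey signer) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        if (block.signature.length != SIGNATURE_LENGTH) {
            return Either.left(new Error.FormatError.InvalidSignatureSize(block.signature.length));
        }
        EdDSAEngine engine = new_engine();
        engine.initVerify(signer.key);
        update_with_block(engine, block.block, block.key);
        if (!engine.verify(block.signature)) {
            return API.Left(new Error.FormatError.Signature.InvalidSignature(INVALID_SIGNATURE_MESSAGE));
        }
        return API.Right(null);
    }

    // Last block of the chain: the authority block when nothing has been appended.
    private SignedBlock last_block() {
        return this.blocks.isEmpty() ? this.authority : this.blocks.get(this.blocks.size() - 1);
    }

    /** Creates a token with no root key id. */
    SerializedBiscuit(SignedBlock signedBlock, List<SignedBlock> list, Proof proof) {
        this.authority = signedBlock;
        this.blocks = list;
        this.proof = proof;
        this.root_key_id = Option.none();
    }

    /** Creates a token with the given optional root key id. */
    SerializedBiscuit(SignedBlock signedBlock, List<SignedBlock> list, Proof proof, Option<Integer> option) {
        this.authority = signedBlock;
        this.blocks = list;
        this.proof = proof;
        this.root_key_id = option;
    }
}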
