package com.stripe.android.stripe3ds2.transaction;

import H3.b;
import H3.c;
import Jd.AbstractC0199a;
import Jd.B;
import Jd.k;
import Jd.l;
import Kd.n;
import Zb.a;
import Zb.g;
import Zb.o;
import Zb.p;
import Zb.q;
import Zb.r;
import Zb.s;
import Zb.t;
import ac.C0706c;
import ac.C0707d;
import cc.C1057a;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import dc.h;
import dc.j;
import fc.C1531a;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.jvm.internal.f;
import kotlin.jvm.internal.m;
import nf.C2308a;
import oc.C2355a;
import oc.d;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes3.dex */
public final class DefaultJwsValidator implements JwsValidator {
    public static final Companion Companion = new Companion(null);
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;
    private final List<X509Certificate> rootCerts;

    /* loaded from: classes3.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(f fVar) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends C2355a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList x10 = b.x(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) x10.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(x10)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            m.g(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i = 0;
            for (Object obj : rootCerts) {
                int i7 = i + 1;
                if (i < 0) {
                    n.L();
                    throw null;
                }
                keyStore.setCertificateEntry(String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i)}, 1)), rootCerts.get(i));
                i = i7;
            }
            return keyStore;
        }

        public final p sanitizedJwsHeader$3ds2sdk_release(p jwsHeader) {
            m.g(jwsHeader, "jwsHeader");
            o oVar = (o) jwsHeader.a;
            if (oVar.a.equals(a.f8355b.a)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            return new p(oVar, jwsHeader.f8371b, jwsHeader.f8372c, jwsHeader.f8373d, jwsHeader.f8356h, null, jwsHeader.j, jwsHeader.f8357k, jwsHeader.f8358l, jwsHeader.f8359m, jwsHeader.f8360n, jwsHeader.f8429o, jwsHeader.f8374e, null);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z6, List<? extends X509Certificate> rootCerts, ErrorReporter errorReporter) {
        m.g(rootCerts, "rootCerts");
        m.g(errorReporter, "errorReporter");
        this.isLiveMode = z6;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final PublicKey getPublicKeyFromHeader(p pVar) throws CertificateException {
        List list = pVar.f8359m;
        m.f(list, "jwsHeader.x509CertChain");
        PublicKey publicKey = c.s(((C2355a) Kd.m.Z(list)).a()).getPublicKey();
        m.f(publicKey, "parseWithException(\n    …ode()\n        ).publicKey");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r4v13, types: [ac.d] */
    /* JADX WARN: Type inference failed for: r4v9, types: [ac.f] */
    private final s getVerifier(p pVar) throws Zb.f, CertificateException {
        C0706c c0706c;
        C1057a c1057a = new C1057a();
        if (A5.b.a == null) {
            A5.b.a = new C2308a();
        }
        C2308a c2308a = A5.b.a;
        C1531a c1531a = c1057a.a;
        c1531a.a = c2308a;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(pVar);
        Set set = h.f21714d;
        o oVar = (o) pVar.a;
        if (set.contains(oVar)) {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new t(SecretKey.class);
            }
            c0706c = new C0707d((SecretKey) publicKeyFromHeader);
        } else if (j.f21716c.contains(oVar)) {
            if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                throw new t(RSAPublicKey.class);
            }
            c0706c = new ac.f((RSAPublicKey) publicKeyFromHeader);
        } else {
            if (!dc.f.f21710c.contains(oVar)) {
                throw new Exception("Unsupported JWS algorithm: " + oVar);
            }
            if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                throw new t(ECPublicKey.class);
            }
            c0706c = new C0706c((ECPublicKey) publicKeyFromHeader);
        }
        ((C1531a) c0706c.f1360b).a = c1531a.a;
        return c0706c;
    }

    private final boolean isValid(r rVar, List<? extends X509Certificate> list) throws Zb.f, CertificateException {
        boolean c10;
        if (rVar.f8432b.i != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + rVar.f8432b));
        }
        Companion companion = Companion;
        p pVar = rVar.f8432b;
        m.f(pVar, "jwsObject.header");
        p sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(pVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f8359m, list)) {
            return false;
        }
        s verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (rVar) {
            AtomicReference atomicReference = rVar.f8435e;
            if (atomicReference.get() != q.a && atomicReference.get() != q.f8430b) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                try {
                    c10 = verifier.c(rVar.f8432b, rVar.f8433c.getBytes(d.a), rVar.f8434d);
                    if (c10) {
                        rVar.f8435e.set(q.f8430b);
                    }
                } catch (Zb.f e4) {
                    throw e4;
                }
            } catch (Exception e6) {
                throw new Exception(e6.getMessage(), e6);
            }
        }
        return c10;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String jws) throws JSONException, ParseException, Zb.f, CertificateException {
        m.g(jws, "jws");
        oc.b[] a = g.a(jws);
        if (a.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        r rVar = new r(a[0], a[1], a[2]);
        if (!this.isLiveMode || isValid(rVar, this.rootCerts)) {
            return new JSONObject(rVar.a.toString());
        }
        throw new IllegalStateException("Could not validate JWS");
    }

    public final boolean isCertificateChainValid(List<? extends C2355a> list, List<? extends X509Certificate> rootCerts) {
        Object b6;
        List<? extends C2355a> list2;
        m.g(rootCerts, "rootCerts");
        try {
            list2 = list;
        } catch (Throwable th) {
            b6 = AbstractC0199a.b(th);
        }
        if (list2 == null || list2.isEmpty()) {
            throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
        }
        if (rootCerts.isEmpty()) {
            throw new IllegalArgumentException("Root certificates are empty");
        }
        Companion.validateChain(list, rootCerts);
        b6 = B.a;
        Throwable a = l.a(b6);
        if (a != null) {
            this.errorReporter.reportError(a);
        }
        return !(b6 instanceof k);
    }
}
