package com.stripe.android.stripe3ds2.transaction;

import A.C0399k;
import A.C0406s;
import B6.C;
import B6.m;
import C6.n;
import C6.t;
import J.C0633s0;
import J5.a;
import J5.b;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.jvm.internal.g;
import kotlin.jvm.internal.l;
import org.json.JSONObject;
import u5.C1995a;
import u5.e;
import u5.o;
import u5.p;
import u5.q;
import v5.c;
import v5.d;
import v5.f;
import x5.C2153a;
import y5.AbstractC2259d;
import y5.AbstractC2261f;
import y5.AbstractC2263h;

/* loaded from: classes2.dex */
/**
 * Validates a compact-serialized JWS and returns its payload as JSON.
 *
 * <p>In live mode the X.509 certificate chain carried in the JWS header is checked against the
 * configured root certificates, and the signature is then verified with the public key of a
 * certificate taken from that chain. Outside live mode {@link #getPayload(String)} returns the
 * payload without any chain or signature check.
 *
 * <p>NOTE(review): this is JADX-decompiled output with obfuscated identifiers. Comments that
 * name what an obfuscated symbol "is" are inferences and are marked as such; confirm against
 * the original sources or bytecode before relying on them.
 */
public final class DefaultJwsValidator implements JwsValidator {
    public static final Companion Companion = new Companion(null);
    // Sink for non-fatal validation problems (unexpected JWK in the header, chain failures).
    private final ErrorReporter errorReporter;
    // When false, getPayload() skips isValid() entirely (see the condition in getPayload).
    private final boolean isLiveMode;
    // Trust anchors for chain validation; stored by reference, no defensive copy is taken.
    private final List<X509Certificate> rootCerts;

    /** Stateless helpers for chain building, trust-store creation and header sanitizing. */
    /* loaded from: classes2.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(g gVar) {
            this();
        }

        /**
         * Builds a PKIX certification path from element 0 of the supplied chain to one of the
         * root certificates; any failure surfaces as an exception from the JCA calls below.
         *
         * <p>Revocation checking is switched off, so a revoked certificate in the chain is not
         * detected by this method (no CRL/OCSP lookup is performed here).
         *
         * @param list chain entries from the JWS header; C0399k.I presumably decodes them to
         *     X509Certificate instances (element 0 is cast to that type) - TODO confirm
         * @param list2 root certificates used as trust anchors
         */
        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> list, List<? extends X509Certificate> list2) {
            LinkedList I8 = C0399k.I(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            // The path target is pinned to the first certificate of the chain.
            x509CertSelector.setCertificate((X509Certificate) I8.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            // Security-relevant: revocation status is deliberately not evaluated.
            pKIXBuilderParameters.setRevocationEnabled(false);
            // The whole chain is offered as a cert store so the builder can pick intermediates from it.
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(I8)));
            // The build result is discarded; only success vs. exception matters to the caller.
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        /**
         * Creates an in-memory key store of the platform default type holding the given root
         * certificates under the aliases {@code ca_0}, {@code ca_1}, ...
         *
         * @param rootCerts certificates to install as trusted entries
         * @return the populated key store
         */
        public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) {
            l.f(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initializes an empty key store instead of reading one from a stream.
            keyStore.load(null, null);
            int i9 = 0;
            for (Object obj : rootCerts) {
                int i10 = i9 + 1;
                // Index-overflow guard; looks like compiler-generated code for an indexed
                // iteration (n.X() is presumably the overflow thrower) - TODO confirm.
                if (i9 < 0) {
                    n.X();
                    throw null;
                }
                keyStore.setCertificateEntry(String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i9)}, 1)), rootCerts.get(i9));
                i9 = i10;
            }
            return keyStore;
        }

        /**
         * Returns a copy of the header that is safe to use for verification.
         *
         * <p>Throws if the header's algorithm equals C1995a.f20272h, which per the error message
         * is the unsecured {@code "none"} algorithm. The copy passes {@code null} instead of
         * jwsHeader.f20282n; isValid() treats a non-null f20282n as "a JWK", so the copy
         * presumably drops an embedded JWK so it can never be used as the verification key -
         * TODO confirm the field mapping against the library's header class.
         *
         * @param jwsHeader header parsed from the incoming JWS
         * @return the sanitized header copy
         * @throws IllegalArgumentException if the algorithm is "none"
         */
        public final o sanitizedJwsHeader$3ds2sdk_release(o jwsHeader) {
            l.f(jwsHeader, "jwsHeader");
            u5.n nVar = (u5.n) jwsHeader.f20275g;
            // Compares the inner values of the two algorithm objects, not object identity.
            if (nVar.f20273g.equals(C1995a.f20272h.f20273g)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            // NOTE(review): the meaning of the trailing null argument is not visible here - confirm.
            return new o(nVar, jwsHeader.f20276h, jwsHeader.f20277i, jwsHeader.f20278j, jwsHeader.f20281m, null, jwsHeader.f20283o, jwsHeader.f20284p, jwsHeader.f20285q, jwsHeader.f20286r, jwsHeader.f20287s, jwsHeader.f20366u, jwsHeader.f20279k, null);
        }
    }

    /**
     * @param z5 live-mode flag; when false, getPayload() performs no validation
     * @param rootCerts trust anchors for certificate chain validation
     * @param errorReporter receiver for validation errors that are reported rather than thrown
     */
    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z5, List<? extends X509Certificate> rootCerts, ErrorReporter errorReporter) {
        l.f(rootCerts, "rootCerts");
        l.f(errorReporter, "errorReporter");
        this.isLiveMode = z5;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    /**
     * Extracts the verification key from the header's X.509 certificate chain.
     *
     * <p>The key comes from attacker-supplied header data, so it is only trustworthy once the
     * same chain has passed isCertificateChainValid(); isValid() performs that check before
     * this method is reached through getVerifier().
     *
     * @param oVar sanitized JWS header
     * @return public key of the selected chain certificate (t.n0 is presumably "first
     *     element", i.e. the leaf - TODO confirm)
     */
    private final PublicKey getPublicKeyFromHeader(o oVar) {
        List<a> list = oVar.f20286r;
        l.e(list, "getX509CertChain(...)");
        PublicKey publicKey = C0406s.B(((a) t.n0(list)).a()).getPublicKey();
        l.e(publicKey, "getPublicKey(...)");
        return publicKey;
    }

    /**
     * Selects a signature verifier that matches the header algorithm and the type of the key
     * taken from the certificate chain.
     *
     * <p>Three algorithm sets are consulted. The RSA and EC branches require the key to be an
     * RSAPublicKey or ECPublicKey respectively and throw otherwise, so the key type must agree
     * with the declared algorithm. The remaining branch requires a SecretKey; since the key is
     * obtained from a certificate's getPublicKey(), that branch presumably always throws, which
     * would mean symmetric (MAC) algorithms are rejected in practice - TODO confirm that
     * AbstractC2261f.f22100d is the MAC algorithm set.
     *
     * @param oVar sanitized JWS header
     * @return verifier bound to the chain certificate's public key
     */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v13, types: [v5.d] */
    /* JADX WARN: Type inference failed for: r5v9, types: [v5.f] */
    private final q getVerifier(o oVar) {
        c cVar;
        A5.a aVar = new C2153a().f21141a;
        // Lazily creates a shared N7.a instance (presumably a JCA provider singleton - TODO
        // confirm). The check-then-set on the static field is not synchronized.
        if (C0633s0.f4361g == null) {
            C0633s0.f4361g = new N7.a();
        }
        aVar.f536a = C0633s0.f4361g;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(oVar);
        if (!AbstractC2261f.f22100d.contains((u5.n) oVar.f20275g)) {
            Set<u5.n> set = AbstractC2263h.f22104c;
            u5.n nVar = (u5.n) oVar.f20275g;
            if (set.contains(nVar)) {
                // RSA-family algorithm: refuse any key that is not an RSA public key.
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new u5.t(RSAPublicKey.class);
                }
                cVar = new f((RSAPublicKey) publicKeyFromHeader);
            } else {
                // Anything outside the three known sets is rejected outright.
                if (!AbstractC2259d.f22095c.contains(nVar)) {
                    throw new Exception("Unsupported JWS algorithm: " + nVar);
                }
                // EC-family algorithm: refuse any key that is not an EC public key.
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new u5.t(ECPublicKey.class);
                }
                cVar = new c((ECPublicKey) publicKeyFromHeader);
            }
        } else {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new u5.t(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        }
        // Hands the same f536a value configured above to the verifier's own context.
        ((A5.a) cVar.f2855b).f536a = aVar.f536a;
        return cVar;
    }

    /**
     * Runs the full validation of a parsed JWS: header sanitizing, certificate chain
     * validation against the given roots, then signature verification.
     *
     * <p>An embedded JWK (f20282n, per the error text) is only reported, not rejected;
     * verification continues with the sanitized header and the certificate-derived key.
     *
     * @param pVar parsed JWS object
     * @param list root certificates used as trust anchors
     * @return false if the chain is invalid or the signature does not verify, true otherwise
     */
    private final boolean isValid(p pVar, List<? extends X509Certificate> list) {
        boolean a9;
        if (pVar.f20367h.f20282n != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + pVar.f20367h));
        }
        Companion companion = Companion;
        o oVar = pVar.f20367h;
        l.e(oVar, "getHeader(...)");
        o sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(oVar);
        // Chain validation must come first: the verifier below trusts a key from this chain.
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f20286r, list)) {
            return false;
        }
        q verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (pVar) {
            AtomicReference<p.a> atomicReference = pVar.f20370k;
            // Per the message below, f20371g / f20372h are the "signed" / "verified" states.
            if (atomicReference.get() != p.a.f20371g && atomicReference.get() != p.a.f20372h) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                try {
                    // Verifies pVar.f20369j (presumably the signature part) over the bytes of
                    // pVar.f20368i (presumably the signing input) - TODO confirm field mapping.
                    a9 = verifier.a(pVar.f20367h, pVar.f20368i.getBytes(J5.d.f4503a), pVar.f20369j);
                    if (a9) {
                        pVar.f20370k.set(p.a.f20372h);
                    }
                } catch (e e9) {
                    // Library exceptions of type u5.e propagate unchanged.
                    throw e9;
                }
            } catch (Exception e10) {
                // NOTE(review): the decompiler shows a bare Exception here; the original
                // wrapper type was presumably more specific - confirm against bytecode.
                throw new Exception(e10.getMessage(), e10);
            }
        }
        return a9;
    }

    /**
     * Parses a compact JWS and returns its payload as a JSON object.
     *
     * <p>Security caveat: validation happens only when isLiveMode is true. When it is false the
     * condition below short-circuits, isValid() is never called, and the payload is returned
     * with neither the certificate chain nor the signature checked. Callers must not treat the
     * result as authenticated in that mode.
     *
     * @param jws compact serialization, expected to split into exactly three Base64URL parts
     * @return the payload parsed as JSON
     * @throws ParseException if the input does not split into three parts
     * @throws IllegalStateException if live-mode validation returns false
     */
    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String jws) {
        l.f(jws, "jws");
        b[] a9 = u5.f.a(jws);
        if (a9.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        p pVar = new p(a9[0], a9[1], a9[2]);
        // Non-live mode bypasses isValid() completely; exceptions thrown by isValid() propagate.
        if (!this.isLiveMode || isValid(pVar, this.rootCerts)) {
            return new JSONObject(pVar.f20300g.toString());
        }
        throw new IllegalStateException("Could not validate JWS");
    }

    /**
     * Checks the header's certificate chain against the given root certificates.
     *
     * <p>NOTE(review): the decompiled control flow is not faithful - the try block is empty and
     * a9 is read on a path where the listing never assigns it. The catch handler, m.a(a9) and
     * the "instanceof m.a" test suggest the original wrapped the checks in a result object so
     * that every failure is reported and turned into {@code false}; confirm against bytecode
     * before relying on which failures throw and which return false.
     *
     * @param list certificate chain entries from the JWS header, may be null
     * @param rootCerts trust anchors
     * @return true when validateChain() completed without a failure being recorded
     */
    public final boolean isCertificateChainValid(List<? extends a> list, List<? extends X509Certificate> rootCerts) {
        Object a9;
        l.f(rootCerts, "rootCerts");
        if (list != null) {
            try {
            } catch (Throwable th) {
                // Captures the failure as a value instead of propagating it.
                a9 = B6.n.a(th);
            }
            if (!list.isEmpty()) {
                // An empty trust-anchor list can never validate a chain; fail explicitly.
                if (rootCerts.isEmpty()) {
                    throw new IllegalArgumentException("Root certificates are empty");
                }
                Companion.validateChain(list, rootCerts);
                a9 = C.f1214a;
                // Any captured failure is sent to the error reporter before the result is returned.
                Throwable a10 = m.a(a9);
                if (a10 != null) {
                    this.errorReporter.reportError(a10);
                }
                return !(a9 instanceof m.a);
            }
        }
        throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
    }
}
