package com.stripe.android.stripe3ds2.transaction;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.KeyTypeException;
import com.nimbusds.jose.util.Base64;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import defpackage.cz2;
import defpackage.d13;
import defpackage.d3;
import defpackage.f03;
import defpackage.fs5;
import defpackage.h3;
import defpackage.h71;
import defpackage.hk0;
import defpackage.ih7;
import defpackage.j4;
import defpackage.le7;
import defpackage.nc5;
import defpackage.ot3;
import defpackage.qz7;
import defpackage.tl1;
import defpackage.vy2;
import defpackage.w51;
import defpackage.xe0;
import defpackage.zw;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.crypto.SecretKey;
import kotlin.Result;
import kotlin.collections.c;
import kotlin.io.encoding.Base64;
import kotlin.text.a;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes6.dex */
public final class DefaultJwsValidator implements JwsValidator {
    // Shared holder for the chain-validation helpers (appears to be a Kotlin companion object as rendered by the decompiler).
    public static final Companion Companion = new Companion(null);
    // Sink for validation problems: isValid reports an embedded JWK here, isCertificateChainValid reports chain failures.
    private final ErrorReporter errorReporter;
    // Selects the trust anchors used by getPayload: true = the configured rootCerts; false = the certificates
    // carried in the JWS header itself, or no verification at all when the header carries no x5c chain.
    private final boolean isLiveMode;
    // Trust anchors the JWS certificate chain must lead to when isLiveMode is true.
    private final List<X509Certificate> rootCerts;

    /* loaded from: classes6.dex */
    /**
     * Stateless helpers for validating the X.509 chain carried in a JWS header.
     */
    public static final class Companion {
        private Companion() {
        }

        /** Compiler-generated constructor; the marker argument is ignored. */
        public /* synthetic */ Companion(w51 w51Var) {
            this();
        }

        /**
         * Builds a PKIX certification path from the first certificate of the presented chain to one
         * of the supplied root certificates. Returns normally when a path exists; the builder throws
         * otherwise.
         *
         * <p>Revocation checking is switched off here, so a revoked but otherwise well-formed chain
         * still builds. The remaining presented certificates are offered to the builder as
         * intermediates only; trust comes solely from {@code list2}.
         *
         * @param list  encoded certificates from the JWS header; converted by {@code nc5.F}
         *              (obfuscated helper, presumably parses them into X509Certificate objects, confirm)
         * @param list2 root certificates used as trust anchors
         */
        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends Base64> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList presentedCerts = nc5.F(list);
            KeyStore trustAnchors = createKeyStore(list2);

            // The path must end at the first presented certificate (the signer's).
            X509CertSelector leafSelector = new X509CertSelector();
            leafSelector.setCertificate((X509Certificate) presentedCerts.get(0));

            PKIXBuilderParameters pathParams = new PKIXBuilderParameters(trustAnchors, leafSelector);
            // No CRL/OCSP lookup is performed for this chain.
            pathParams.setRevocationEnabled(false);
            CollectionCertStoreParameters intermediates = new CollectionCertStoreParameters(presentedCerts);
            pathParams.addCertStore(CertStore.getInstance("Collection", intermediates));

            CertPathBuilder pathBuilder = CertPathBuilder.getInstance("PKIX");
            pathBuilder.build(pathParams);
        }

        /**
         * Creates an empty in-memory key store of the platform default type and registers every
         * root certificate under the alias {@code ca_<index>}.
         *
         * @param list root certificates to register as trusted entries
         * @return the populated key store
         */
        public final KeyStore createKeyStore(List<? extends X509Certificate> list) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            vy2.s(list, "rootCerts");
            KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
            // Passing null initialises a fresh, empty store instead of reading one from a stream.
            anchors.load(null, null);
            int index = 0;
            for (Object unused : list) {
                int following = index + 1;
                if (index < 0) {
                    // Index overflow guard carried over from the compiled loop.
                    hk0.l();
                    throw null;
                }
                String alias = String.format(Locale.ROOT, "ca_%d", Integer.valueOf(index));
                anchors.setCertificateEntry(alias, list.get(index));
                index = following;
            }
            return anchors;
        }

        /**
         * Returns a copy of the header with one builder field (obfuscated name {@code f}) cleared.
         * Presumably that field is the embedded {@code jwk}, since isValid reports an embedded JWK
         * right before calling this. TODO confirm against the unobfuscated library.
         *
         * @param jWSHeader header to copy
         * @return the rebuilt header
         */
        public final JWSHeader sanitizedJwsHeader$3ds2sdk_release(JWSHeader jWSHeader) {
            vy2.s(jWSHeader, "jwsHeader");
            JWSHeader.a headerCopy = new JWSHeader.a(jWSHeader);
            headerCopy.f = null;
            return headerCopy.a();
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Creates a validator.
     *
     * @param z             live-mode flag; stored in {@code isLiveMode} and decides which trust
     *                      anchors getPayload applies
     * @param list          root certificates used as trust anchors in live mode; must not be null
     * @param errorReporter sink for validation problems; must not be null
     */
    public DefaultJwsValidator(boolean z, List<? extends X509Certificate> list, ErrorReporter errorReporter) {
        // Null checks run first and in this order, before any field is written.
        vy2.s(list, "rootCerts");
        vy2.s(errorReporter, "errorReporter");
        this.errorReporter = errorReporter;
        this.rootCerts = list;
        this.isLiveMode = z;
    }

    /**
     * Decodes a Base64 string into bytes and parses them as an X.509 certificate.
     *
     * <p>Most of the body is a Base64 decoder written out inline. It reads its options from
     * {@code kotlin.io.encoding.Base64.d} and its error messages match a padding-aware decoder, so
     * it is presumably the Kotlin standard-library decoder inlined by the build (confirm). The
     * unqualified {@code Base64.a} / {@code Base64.PaddingOption} names refer to that Kotlin type;
     * the clash with the other {@code Base64} import is a decompiler artefact.
     *
     * <p>Within this class the only caller is the non-live branch of getPayload, which drops a
     * {@code null} result.
     *
     * @param str Base64 text of one certificate
     * @return the parsed certificate, or {@code null} when the factory yields something that is not
     *         an {@link X509Certificate}
     * @throws IllegalArgumentException when the text is not well-formed Base64 (bad symbol, bad or
     *         missing padding, non-zero pad bits)
     * @throws IllegalStateException when the decoded length differs from the precomputed length
     */
    private final X509Certificate certificateFromString(String str) {
        int i;
        int i2;
        Base64.PaddingOption paddingOption;
        int i3;
        int i4;
        Base64.a aVar;
        int i5;
        // Decoder instance whose flags (a, b, c) drive the branches below.
        Base64.a aVar2 = kotlin.io.encoding.Base64.d;
        int length = str.length();
        aVar2.getClass();
        int length2 = str.length();
        d3 d3Var = h3.Companion;
        d3Var.getClass();
        // i6 is the write index into the output array.
        int i6 = 0;
        // Obfuscated helper called with (start, end, size); presumably a bounds check (confirm).
        d3.a(0, length, length2);
        String substring = str.substring(0, length);
        vy2.r(substring, "substring(...)");
        // xe0.b is an obfuscated charset constant; which charset cannot be told from here.
        byte[] bytes = substring.getBytes(xe0.b);
        vy2.r(bytes, "getBytes(...)");
        int length3 = bytes.length;
        int length4 = bytes.length;
        d3Var.getClass();
        d3.a(0, length3, length4);
        int i7 = 8;
        int i8 = -2;
        int i9 = 1;
        // z: when set, symbols outside the alphabet are skipped instead of rejected (see the !z branch below).
        boolean z = aVar2.b;
        // First pass: compute i2, the expected number of decoded bytes.
        if (length3 == 0) {
            i2 = 0;
        } else {
            if (length3 == 1) {
                throw new IllegalArgumentException(cz2.o(length3, "Input should have at least 2 symbols for Base64 decoding, startIndex: 0, endIndex: "));
            }
            if (z) {
                // Count only symbols with a non-negative table value; table value -2 (the pad marker) ends the count.
                i = length3;
                int i10 = 0;
                while (true) {
                    if (i10 >= length3) {
                        break;
                    }
                    int i11 = zw.a[bytes[i10] & 255];
                    if (i11 < 0) {
                        if (i11 == -2) {
                            i -= length3 - i10;
                            break;
                        }
                        i--;
                    }
                    i10++;
                }
            } else if (bytes[length3 - 1] == 61) {
                // 61 is '=': discount one or two trailing pad characters.
                i = length3 - 1;
                if (bytes[length3 - 2] == 61) {
                    i = length3 - 2;
                }
            } else {
                i = length3;
            }
            // Six bits per symbol, eight bits per output byte.
            i2 = (int) ((i * 6) / 8);
        }
        byte[] bArr = new byte[i2];
        // Decode table chosen by a decoder flag (presumably URL-safe vs. standard alphabet; confirm).
        int[] iArr = aVar2.a ? zw.b : zw.a;
        int i12 = -8;
        // i13: read index; i14: pending-bit accumulator; i15: pending-bit counter, -8 when no partial group is held.
        int i13 = 0;
        int i14 = 0;
        int i15 = -8;
        while (true) {
            int i16 = i9;
            paddingOption = aVar2.c;
            int i17 = i7;
            if (i13 >= length3) {
                i3 = i8;
                i4 = 0;
                break;
            }
            if (i15 != i12 || (i5 = i13 + 3) >= length3) {
                aVar = aVar2;
            } else {
                // Fast path: with no partial group pending, turn four symbols into three bytes at once.
                // NOTE(review): no `continue` follows the fast path in this listing, so as written control
                // falls through to the per-symbol path with the advanced index; presumably a decompilation
                // artefact. Verify against the bytecode before relying on this text.
                aVar = aVar2;
                int i18 = i13 + 4;
                int i19 = (iArr[bytes[i13 + 2] & 255] << 6) | (iArr[bytes[i13] & 255] << 18) | (iArr[bytes[i13 + 1] & 255] << 12) | iArr[bytes[i5] & 255];
                if (i19 >= 0) {
                    bArr[i6] = (byte) (i19 >> 16);
                    int i20 = i6 + 2;
                    bArr[i6 + 1] = (byte) (i19 >> 8);
                    i6 += 3;
                    bArr[i20] = (byte) i19;
                    i9 = i16;
                    i7 = i17;
                    i13 = i18;
                    aVar2 = aVar;
                    i8 = -2;
                    i12 = -8;
                }
            }
            // Per-symbol path: look up one symbol and fold its six bits into the accumulator.
            int i21 = bytes[i13] & 255;
            int i22 = iArr[i21];
            if (i22 >= 0) {
                i13++;
                i14 = (i14 << 6) | i22;
                int i23 = i15 + 6;
                if (i23 >= 0) {
                    // A full byte is available: emit it and keep the leftover low bits.
                    bArr[i6] = (byte) (i14 >>> i23);
                    i14 &= (i16 << i23) - 1;
                    i15 -= 2;
                    i6++;
                } else {
                    i15 = i23;
                }
                i9 = i16;
                aVar2 = aVar;
                i7 = 8;
            } else if (i22 == -2) {
                // Pad character: legal only while a partial group is pending, and only if the padding option allows it.
                if (i15 == -8) {
                    throw new IllegalArgumentException(cz2.o(i13, "Redundant pad character at index "));
                }
                if (i15 != -6) {
                    if (i15 != -4) {
                        if (i15 != -2) {
                            throw new IllegalStateException("Unreachable");
                        }
                    } else {
                        if (paddingOption == Base64.PaddingOption.ABSENT) {
                            throw new IllegalArgumentException(cz2.o(i13, "The padding option is set to ABSENT, but the input has a pad character at index "));
                        }
                        // This state needs a second pad character; skip symbols with table value -1 first when z is set.
                        int i24 = i13 + 1;
                        if (z) {
                            while (i24 < length3) {
                                if (zw.a[bytes[i24] & 255] != -1) {
                                    break;
                                }
                                i24++;
                            }
                        }
                        if (i24 == length3 || bytes[i24] != 61) {
                            throw new IllegalArgumentException(cz2.o(i24, "Missing one pad character at index "));
                        }
                        i13 = i24 + 1;
                        i4 = i16;
                        i3 = -2;
                    }
                } else if (paddingOption == Base64.PaddingOption.ABSENT) {
                    throw new IllegalArgumentException(cz2.o(i13, "The padding option is set to ABSENT, but the input has a pad character at index "));
                }
                i13++;
                i4 = i16;
                i3 = -2;
            } else {
                // Symbol outside the alphabet: rejected unless z is set, in which case it is skipped.
                if (!z) {
                    StringBuilder sb = new StringBuilder("Invalid symbol '");
                    sb.append((char) i21);
                    sb.append("'(");
                    a.a(i17);
                    String num = Integer.toString(i21, i17);
                    vy2.r(num, "toString(...)");
                    sb.append(num);
                    sb.append(") at index ");
                    sb.append(i13);
                    throw new IllegalArgumentException(sb.toString());
                }
                i13++;
                i9 = i16;
                i7 = i17;
                aVar2 = aVar;
            }
            i8 = -2;
            i12 = -8;
        }
        // Post-conditions on the final partial group and on padding.
        if (i15 == i3) {
            throw new IllegalArgumentException("The last unit of input does not have enough bits");
        }
        if (i15 != -8 && i4 == 0 && paddingOption == Base64.PaddingOption.PRESENT) {
            throw new IllegalArgumentException("The padding option is set to PRESENT, but the input is not properly padded");
        }
        if (i14 != 0) {
            throw new IllegalArgumentException("The pad bits must be zeros");
        }
        // Skip trailing symbols with table value -1 when z is set; anything else after the pad is an error.
        if (z) {
            while (i13 < length3) {
                if (zw.a[bytes[i13] & 255] != -1) {
                    break;
                }
                i13++;
            }
        }
        if (i13 >= length3) {
            if (i6 != i2) {
                throw new IllegalStateException("Check failed.");
            }
            // All input consumed: hand the decoded bytes to the platform X.509 certificate factory.
            Certificate generateCertificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
            if (generateCertificate instanceof X509Certificate) {
                return (X509Certificate) generateCertificate;
            }
            return null;
        }
        int i25 = bytes[i13] & 255;
        StringBuilder sb2 = new StringBuilder("Symbol '");
        sb2.append((char) i25);
        sb2.append("'(");
        a.a(8);
        String num2 = Integer.toString(i25, 8);
        vy2.r(num2, "toString(...)");
        sb2.append(num2);
        sb2.append(") at index ");
        throw new IllegalArgumentException(j4.q(sb2, i13 - 1, " is prohibited after the pad character"));
    }

    /**
     * Extracts the public key of the signing certificate from the header's x5c chain.
     *
     * <p>This method performs no trust decision: the certificate comes straight from the JWS
     * header. Within this class it is reached only through getVerifier, which isValid calls after
     * isCertificateChainValid has accepted the chain.
     *
     * @param jWSHeader header carrying the certificate chain
     * @return the public key of the selected chain entry ({@code c.C} is obfuscated; presumably it
     *         returns the first element, confirm)
     * @throws CertificateException declared by the original signature
     */
    private final PublicKey getPublicKeyFromHeader(JWSHeader jWSHeader) throws CertificateException {
        List headerChain = jWSHeader.getX509CertChain();
        vy2.r(headerChain, "getX509CertChain(...)");
        com.nimbusds.jose.util.Base64 encodedCert = (com.nimbusds.jose.util.Base64) c.C(headerChain);
        byte[] certBytes = encodedCert.decode();
        // qz7.a is an obfuscated helper that turns the decoded bytes into an object exposing getPublicKey().
        PublicKey signerKey = qz7.a(certBytes).getPublicKey();
        vy2.r(signerKey, "getPublicKey(...)");
        return signerKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v12, types: [ot3] */
    /* JADX WARN: Type inference failed for: r5v8, types: [fs5] */
    /**
     * Chooses a signature verifier for the header's algorithm and binds it to the public key taken
     * from the header's certificate.
     *
     * <p>The key originates from the JWS header, so the result is only meaningful once the
     * certificate chain has been validated; isValid does that before calling this method.
     *
     * <p>The local variable types are unreliable: the decompiler reports failed type inference for
     * this method, and {@code tl1Var} is assigned three different verifier classes.
     *
     * @param jWSHeader sanitized JWS header
     * @return a verifier matching the header algorithm
     * @throws KeyTypeException when the key type does not fit the algorithm family
     * @throws JOSEException when the algorithm is in none of the three supported sets
     * @throws CertificateException propagated from getPublicKeyFromHeader
     */
    private final d13 getVerifier(JWSHeader jWSHeader) throws JOSEException, CertificateException {
        tl1 tl1Var;
        f03 f03Var = new h71().a;
        // Lazily create the Bouncy Castle provider and cache it in the static le7.m.
        if (le7.m == null) {
            le7.m = new BouncyCastleProvider();
        }
        f03Var.a = le7.m;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(jWSHeader);
        if (ot3.f.contains(jWSHeader.getAlgorithm())) {
            // This family needs a SecretKey. The key here was read from a certificate as a PublicKey,
            // so this check is expected to reject it, which keeps a public key from being used as a
            // shared secret. NOTE(review): ot3 is presumably the MAC verifier; confirm.
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new KeyTypeException(SecretKey.class);
            }
            tl1Var = new ot3((SecretKey) publicKeyFromHeader);
        } else if (fs5.e.contains(jWSHeader.getAlgorithm())) {
            // RSA-keyed family: the certificate key must be an RSA public key.
            if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                throw new KeyTypeException(RSAPublicKey.class);
            }
            tl1Var = new fs5((RSAPublicKey) publicKeyFromHeader);
        } else {
            // Anything outside the three known sets is refused rather than defaulted.
            if (!tl1.e.contains(jWSHeader.getAlgorithm())) {
                throw new JOSEException("Unsupported JWS algorithm: " + jWSHeader.getAlgorithm());
            }
            if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                throw new KeyTypeException(ECPublicKey.class);
            }
            tl1Var = new tl1((ECPublicKey) publicKeyFromHeader);
        }
        // Point the verifier at the provider selected above.
        tl1Var.b.a = f03Var.a;
        return tl1Var;
    }

    /**
     * Checks that the header's certificate chain leads to one of the given roots and that the JWS
     * signature verifies with the key from that chain.
     *
     * <p>An embedded JWK is reported through the error reporter but does not fail validation by
     * itself; the chain and the verification key are then read from the sanitized header.
     *
     * @param jWSObject parsed JWS
     * @param list      certificates to use as trust anchors
     * @return {@code true} only when both the chain and the signature are valid
     */
    private final boolean isValid(JWSObject jWSObject, List<? extends X509Certificate> list) throws JOSEException, CertificateException {
        if (jWSObject.getHeader().getJWK() != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + jWSObject.getHeader()));
        }
        JWSHeader rawHeader = jWSObject.getHeader();
        vy2.r(rawHeader, "getHeader(...)");
        JWSHeader cleanHeader = Companion.sanitizedJwsHeader$3ds2sdk_release(rawHeader);
        // Chain first: the verification key must not be trusted before its certificate is.
        if (!isCertificateChainValid(cleanHeader.getX509CertChain(), list)) {
            return false;
        }
        return jWSObject.verify(getVerifier(cleanHeader));
    }

    /**
     * Parses a compact JWS and returns its payload as JSON.
     *
     * <p>Live mode: the certificate chain must lead to the configured root certificates and the
     * signature must verify; otherwise an {@link IllegalStateException} is thrown.
     *
     * <p>Non-live mode: a JWS whose header has no x5c chain is returned without any chain or
     * signature check. When a chain is present, the certificates from that same header are used as
     * the trust anchors, so the check shows only that the JWS is self-consistent, not that it comes
     * from a trusted issuer. A payload obtained with {@code isLiveMode == false} is therefore
     * unauthenticated.
     *
     * @param str compact JWS serialization
     * @return the payload as a JSON object
     * @throws IllegalStateException when validation fails
     */
    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String str) throws JSONException, ParseException, JOSEException, CertificateException {
        vy2.s(str, "jws");
        JWSObject jws = JWSObject.parse(str);
        if (!this.isLiveMode) {
            List headerChain = jws.getHeader().getX509CertChain();
            if (headerChain == null || headerChain.isEmpty()) {
                // No chain in the header: the payload is handed back unverified.
                return new JSONObject(jws.getPayload().toString());
            }
            List encodedCerts = jws.getHeader().getX509CertChain();
            vy2.r(encodedCerts, "getX509CertChain(...)");
            // The header's own certificates become the trust anchors for this branch.
            ArrayList headerCerts = new ArrayList();
            for (Object entry : encodedCerts) {
                String encoded = ((com.nimbusds.jose.util.Base64) entry).toString();
                vy2.r(encoded, "toString(...)");
                X509Certificate decoded = certificateFromString(encoded);
                if (decoded != null) {
                    headerCerts.add(decoded);
                }
            }
            if (!headerCerts.isEmpty() && isValid(jws, headerCerts)) {
                return new JSONObject(jws.getPayload().toString());
            }
            throw new IllegalStateException("Could not validate JWS");
        }
        vy2.p(jws);
        if (!isValid(jws, this.rootCerts)) {
            throw new IllegalStateException("Could not validate JWS");
        }
        return new JSONObject(jws.getPayload().toString());
    }

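    /**
     * Reports whether the encoded certificate chain leads to one of the given root certificates.
     *
     * <p>Every failure (missing chain, no roots, a chain that does not build) is caught, passed to
     * the error reporter and turned into {@code false}, so the caller fails closed on a single
     * boolean. The decompiled listing had the try region cover only a local assignment, which left
     * the checks and {@code validateChain} outside it. Failures then escaped instead of reaching
     * the result handling below, and the checked exceptions of {@code validateChain} were
     * undeclared. The try region now spans the whole validation.
     *
     * @param list  encoded certificates from the JWS header; may be null
     * @param list2 root certificates used as trust anchors; must not be null
     * @return {@code true} when a certification path could be built, {@code false} otherwise
     */
    public final boolean isCertificateChainValid(List<? extends com.nimbusds.jose.util.Base64> list, List<? extends X509Certificate> list2) {
        vy2.s(list2, "rootCerts");
        Object m3907constructorimpl;
        try {
            if (list == null || list.isEmpty()) {
                throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
            }
            if (list2.isEmpty()) {
                throw new IllegalArgumentException("Root certificates are empty");
            }
            Companion.validateChain(list, list2);
            m3907constructorimpl = Result.m3907constructorimpl(ih7.a);
        } catch (Throwable th) {
            // Wrap the failure so that it is reported below and mapped to false.
            m3907constructorimpl = Result.m3907constructorimpl(kotlin.c.a(th));
        }
        Throwable failure = Result.m3910exceptionOrNullimpl(m3907constructorimpl);
        if (failure != null) {
            this.errorReporter.reportError(failure);
        }
        return Result.m3914isSuccessimpl(m3907constructorimpl);
    }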
}
