package com.stripe.android.stripe3ds2.transaction;

import androidx.annotation.VisibleForTesting;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.KeyTypeException;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import e9.e;
import e9.n;
import e9.o;
import e9.p;
import f9.c;
import f9.d;
import h9.o;
import h9.q;
import h9.s;
import hc.y;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.jvm.internal.f;
import kotlin.jvm.internal.m;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONException;
import org.json.JSONObject;
import r9.a;
import r9.b;
import r9.g;
import r9.h;

/* loaded from: classes5.dex */
public final class DefaultJwsValidator implements JwsValidator {
    public static final Companion Companion = new Companion(null);
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;
    private final List<X509Certificate> rootCerts;

    /* loaded from: classes5.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(f fVar) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList a10 = g.a(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) a10.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(a10)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        @VisibleForTesting
        public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            m.f(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i = 0;
            for (Object obj : rootCerts) {
                int i10 = i + 1;
                if (i < 0) {
                    com.bumptech.glide.manager.g.e0();
                    throw null;
                }
                String format = String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i)}, 1));
                m.e(format, "format(locale, format, *args)");
                keyStore.setCertificateEntry(format, rootCerts.get(i));
                i = i10;
            }
            return keyStore;
        }

        public final n sanitizedJwsHeader$3ds2sdk_release(n jwsHeader) {
            m.f(jwsHeader, "jwsHeader");
            e9.m mVar = (e9.m) jwsHeader.c;
            if (mVar.c.equals(e9.a.d.c)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            return new n(mVar, jwsHeader.d, jwsHeader.f19433e, jwsHeader.f19434f, jwsHeader.i, null, jwsHeader.f19438k, jwsHeader.f19439l, jwsHeader.f19440m, jwsHeader.f19441n, jwsHeader.f19442o, jwsHeader.f19503q, jwsHeader.f19435g, null);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z10, List<? extends X509Certificate> rootCerts, ErrorReporter errorReporter) {
        m.f(rootCerts, "rootCerts");
        m.f(errorReporter, "errorReporter");
        this.isLiveMode = z10;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final PublicKey getPublicKeyFromHeader(n nVar) throws CertificateException {
        List<a> list = nVar.f19441n;
        m.e(list, "jwsHeader.x509CertChain");
        PublicKey publicKey = h.a(((a) y.z0(list)).a()).getPublicKey();
        m.e(publicKey, "parseWithException(\n    …ode()\n        ).publicKey");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r9v13, types: [f9.d] */
    /* JADX WARN: Type inference failed for: r9v9, types: [f9.f] */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    private final p getVerifier(n nVar) throws JOSEException, CertificateException {
        c cVar;
        i9.a aVar = new g9.a().f19997a;
        if (gd.c.f20015a == null) {
            gd.c.f20015a = new BouncyCastleProvider();
        }
        aVar.f20543a = gd.c.f20015a;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(nVar);
        if (!q.d.contains((e9.m) nVar.c)) {
            Set<e9.m> set = s.c;
            e9.m mVar = (e9.m) nVar.c;
            if (set.contains(mVar)) {
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new KeyTypeException(RSAPublicKey.class);
                }
                cVar = new f9.f((RSAPublicKey) publicKeyFromHeader);
            } else {
                if (!o.c.contains(mVar)) {
                    throw new JOSEException("Unsupported JWS algorithm: " + mVar);
                }
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new KeyTypeException(ECPublicKey.class);
                }
                cVar = new c((ECPublicKey) publicKeyFromHeader);
            }
        } else {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new KeyTypeException(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        }
        cVar.b.f20543a = aVar.f20543a;
        return cVar;
    }

    private final boolean isValid(e9.o oVar, List<? extends X509Certificate> list) throws JOSEException, CertificateException {
        boolean a10;
        if (oVar.d.f19437j != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + oVar.d));
        }
        Companion companion = Companion;
        n nVar = oVar.d;
        m.e(nVar, "jwsObject.header");
        n sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(nVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f19441n, list)) {
            return false;
        }
        p verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (oVar) {
            AtomicReference<o.a> atomicReference = oVar.f19506g;
            if (atomicReference.get() != o.a.SIGNED && atomicReference.get() != o.a.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                a10 = verifier.a(oVar.d, oVar.f19504e.getBytes(r9.f.f24057a), oVar.f19505f);
                if (a10) {
                    oVar.f19506g.set(o.a.VERIFIED);
                }
            } catch (JOSEException e10) {
                throw e10;
            } catch (Exception e11) {
                throw new JOSEException(e11.getMessage(), e11);
            }
        }
        return a10;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String jws) throws JSONException, ParseException, JOSEException, CertificateException {
        m.f(jws, "jws");
        b[] a10 = e.a(jws);
        if (a10.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        e9.o oVar = new e9.o(a10[0], a10[1], a10[2]);
        if (!this.isLiveMode || isValid(oVar, this.rootCerts)) {
            return new JSONObject(oVar.c.toString());
        }
        throw new IllegalStateException("Could not validate JWS");
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x001e A[Catch: all -> 0x0050, TryCatch #0 {all -> 0x0050, blocks: (B:3:0x0007, B:5:0x000d, B:9:0x001b, B:11:0x001e, B:13:0x0029, B:20:0x0032, B:21:0x0040, B:22:0x0042, B:23:0x004f), top: B:2:0x0007 }] */
    /* JADX WARN: Removed duplicated region for block: B:22:0x0042 A[Catch: all -> 0x0050, TryCatch #0 {all -> 0x0050, blocks: (B:3:0x0007, B:5:0x000d, B:9:0x001b, B:11:0x001e, B:13:0x0029, B:20:0x0032, B:21:0x0040, B:22:0x0042, B:23:0x004f), top: B:2:0x0007 }] */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    @androidx.annotation.VisibleForTesting
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public final boolean isCertificateChainValid(java.util.List<? extends r9.a> r4, java.util.List<? extends java.security.cert.X509Certificate> r5) {
        /*
            r3 = this;
            java.lang.String r2 = "rootCerts"
            r0 = r2
            kotlin.jvm.internal.m.f(r5, r0)
            r0 = 1
            r1 = r4
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L50
            r2 = 1
            if (r1 == 0) goto L19
            boolean r2 = r1.isEmpty()     // Catch: java.lang.Throwable -> L50
            r1 = r2
            if (r1 == 0) goto L15
            goto L1a
        L15:
            r2 = 4
            r1 = 0
            r2 = 2
            goto L1b
        L19:
            r2 = 7
        L1a:
            r1 = 1
        L1b:
            r1 = r1 ^ r0
            if (r1 == 0) goto L42
            r1 = r5
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L50
            boolean r2 = r1.isEmpty()     // Catch: java.lang.Throwable -> L50
            r1 = r2
            r1 = r1 ^ r0
            if (r1 == 0) goto L32
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator$Companion r1 = com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion     // Catch: java.lang.Throwable -> L50
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion.access$validateChain(r1, r4, r5)     // Catch: java.lang.Throwable -> L50
            r2 = 3
            gc.v r4 = gc.v.f20014a     // Catch: java.lang.Throwable -> L50
            goto L56
        L32:
            r2 = 1
            java.lang.String r4 = "Root certificates are empty"
            java.lang.IllegalArgumentException r5 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L50
            r2 = 1
            java.lang.String r4 = r4.toString()     // Catch: java.lang.Throwable -> L50
            r5.<init>(r4)     // Catch: java.lang.Throwable -> L50
            r2 = 1
            throw r5     // Catch: java.lang.Throwable -> L50
            r2 = 4
        L42:
            java.lang.String r4 = "JWSHeader's X.509 certificate chain is null or empty"
            r2 = 2
            java.lang.IllegalArgumentException r5 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L50
            java.lang.String r2 = r4.toString()     // Catch: java.lang.Throwable -> L50
            r4 = r2
            r5.<init>(r4)     // Catch: java.lang.Throwable -> L50
            throw r5     // Catch: java.lang.Throwable -> L50
        L50:
            r4 = move-exception
            gc.j$a r2 = c6.e0.e(r4)
            r4 = r2
        L56:
            java.lang.Throwable r5 = gc.j.a(r4)
            if (r5 == 0) goto L64
            r2 = 5
            com.stripe.android.stripe3ds2.observability.ErrorReporter r1 = r3.errorReporter
            r2 = 7
            r1.reportError(r5)
            r2 = 1
        L64:
            boolean r4 = r4 instanceof gc.j.a
            r2 = 7
            r4 = r4 ^ r0
            r2 = 7
            return r4
        */
        throw new UnsupportedOperationException("Method not decompiled: com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.isCertificateChainValid(java.util.List, java.util.List):boolean");
    }
}
