package com.stripe.android.stripe3ds2.transaction;

import Gm.e;
import Gm.m;
import Gm.n;
import Gm.o;
import Gm.p;
import Hm.c;
import Hm.d;
import Jm.q;
import Jm.t;
import Jn.f;
import Jn.o;
import Tm.a;
import Tm.h;
import Tm.i;
import Tm.j;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.KeyTypeException;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.StringCompanionObject;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jetbrains.annotations.NotNull;
import org.json.JSONException;
import org.json.JSONObject;
import t6.C14222a;

@Metadata
/* loaded from: classes3.dex */
public final class DefaultJwsValidator implements JwsValidator {

    @NotNull
    public static final Companion Companion = new Companion(null);

    @NotNull
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;

    @NotNull
    private final List<X509Certificate> rootCerts;

    @Metadata
    /* loaded from: classes3.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList a10 = i.a(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) a10.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(a10)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        @NotNull
        public final KeyStore createKeyStore(@NotNull List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i10 = 0;
            for (Object obj : rootCerts) {
                int i11 = i10 + 1;
                if (i10 < 0) {
                    f.l();
                    throw null;
                }
                StringCompanionObject stringCompanionObject = StringCompanionObject.f89785a;
                keyStore.setCertificateEntry(C14222a.a(new Object[]{Integer.valueOf(i10)}, 1, Locale.ROOT, "ca_%d", "format(locale, format, *args)"), rootCerts.get(i10));
                i10 = i11;
            }
            Intrinsics.checkNotNullExpressionValue(keyStore, "keyStore");
            return keyStore;
        }

        @NotNull
        public final n sanitizedJwsHeader$3ds2sdk_release(@NotNull n jwsHeader) {
            Intrinsics.checkNotNullParameter(jwsHeader, "jwsHeader");
            m mVar = (m) jwsHeader.f10280a;
            if (mVar.f10278a.equals(Gm.a.f10277b.f10278a)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            n nVar = new n(mVar, jwsHeader.f10281b, jwsHeader.f10282c, jwsHeader.f10283d, jwsHeader.f10286h, null, jwsHeader.f10288j, jwsHeader.f10289k, jwsHeader.f10290l, jwsHeader.f10291m, jwsHeader.f10292n, jwsHeader.f10367p, jwsHeader.f10284f, null);
            Intrinsics.checkNotNullExpressionValue(nVar, "Builder(jwsHeader)\n     …\n                .build()");
            return nVar;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z10, @NotNull List<? extends X509Certificate> rootCerts, @NotNull ErrorReporter errorReporter) {
        Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
        Intrinsics.checkNotNullParameter(errorReporter, "errorReporter");
        this.isLiveMode = z10;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final PublicKey getPublicKeyFromHeader(n nVar) throws CertificateException {
        List<a> list = nVar.f10291m;
        Intrinsics.checkNotNullExpressionValue(list, "jwsHeader.x509CertChain");
        PublicKey publicKey = j.a(((a) o.F(list)).a()).getPublicKey();
        Intrinsics.checkNotNullExpressionValue(publicKey, "parseWithException(\n    …ode()\n        ).publicKey");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v13, types: [Hm.d] */
    /* JADX WARN: Type inference failed for: r5v9, types: [Hm.f] */
    private final p getVerifier(n nVar) throws JOSEException, CertificateException {
        c cVar;
        Km.a aVar = new Im.a().f12559a;
        if (V7.a.f28108a == null) {
            V7.a.f28108a = new BouncyCastleProvider();
        }
        aVar.f14686a = V7.a.f28108a;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(nVar);
        if (!q.f13368d.contains((m) nVar.f10280a)) {
            Set<m> set = t.f13372c;
            m mVar = (m) nVar.f10280a;
            if (set.contains(mVar)) {
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new KeyTypeException(RSAPublicKey.class);
                }
                cVar = new Hm.f((RSAPublicKey) publicKeyFromHeader);
            } else {
                if (!Jm.m.f13363c.contains(mVar)) {
                    throw new Exception("Unsupported JWS algorithm: " + mVar);
                }
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new KeyTypeException(ECPublicKey.class);
                }
                cVar = new c((ECPublicKey) publicKeyFromHeader);
            }
        } else {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new KeyTypeException(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        }
        cVar.f13358b.f14686a = aVar.f14686a;
        Intrinsics.checkNotNullExpressionValue(cVar, "verifierFactory.createJW…KeyFromHeader(jwsHeader))");
        return cVar;
    }

    private final boolean isValid(Gm.o oVar, List<? extends X509Certificate> list) throws JOSEException, CertificateException {
        boolean a10;
        if (oVar.f10368b.f10287i != null) {
            this.errorReporter.reportError(new IllegalArgumentException(Intrinsics.k(oVar.f10368b, "Encountered a JWK in ")));
        }
        Companion companion = Companion;
        n nVar = oVar.f10368b;
        Intrinsics.checkNotNullExpressionValue(nVar, "jwsObject.header");
        n sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(nVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f10291m, list)) {
            return false;
        }
        p verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (oVar) {
            AtomicReference<o.a> atomicReference = oVar.f10371f;
            if (atomicReference.get() != o.a.SIGNED && atomicReference.get() != o.a.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                a10 = verifier.a(oVar.f10368b, oVar.f10369c.getBytes(h.f27099a), oVar.f10370d);
                if (a10) {
                    oVar.f10371f.set(o.a.VERIFIED);
                }
            } catch (JOSEException e10) {
                throw e10;
            } catch (Exception e11) {
                throw new Exception(e11.getMessage(), e11);
            }
        }
        return a10;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    @NotNull
    public JSONObject getPayload(@NotNull String jws) throws JSONException, ParseException, JOSEException, CertificateException {
        Intrinsics.checkNotNullParameter(jws, "jws");
        Tm.c[] a10 = e.a(jws);
        if (a10.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        Gm.o jwsObject = new Gm.o(a10[0], a10[1], a10[2]);
        if (this.isLiveMode) {
            Intrinsics.checkNotNullExpressionValue(jwsObject, "jwsObject");
            if (!isValid(jwsObject, this.rootCerts)) {
                throw new IllegalStateException("Could not validate JWS");
            }
        }
        return new JSONObject(jwsObject.f10305a.toString());
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x001c A[Catch: all -> 0x0016, TryCatch #0 {all -> 0x0016, blocks: (B:3:0x0006, B:5:0x000d, B:9:0x0019, B:11:0x001c, B:13:0x0026, B:20:0x002e, B:21:0x0039, B:22:0x003a, B:23:0x0045), top: B:2:0x0006 }] */
    /* JADX WARN: Removed duplicated region for block: B:22:0x003a A[Catch: all -> 0x0016, TryCatch #0 {all -> 0x0016, blocks: (B:3:0x0006, B:5:0x000d, B:9:0x0019, B:11:0x001c, B:13:0x0026, B:20:0x002e, B:21:0x0039, B:22:0x003a, B:23:0x0045), top: B:2:0x0006 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public final boolean isCertificateChainValid(java.util.List<? extends Tm.a> r3, @org.jetbrains.annotations.NotNull java.util.List<? extends java.security.cert.X509Certificate> r4) {
        /*
            r2 = this;
            java.lang.String r0 = "rootCerts"
            kotlin.jvm.internal.Intrinsics.checkNotNullParameter(r4, r0)
            r0 = 1
            kotlin.Result$Companion r1 = kotlin.Result.f89552b     // Catch: java.lang.Throwable -> L16
            r1 = r3
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L16
            if (r1 == 0) goto L18
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L16
            if (r1 == 0) goto L14
            goto L18
        L14:
            r1 = 0
            goto L19
        L16:
            r3 = move-exception
            goto L46
        L18:
            r1 = r0
        L19:
            r1 = r1 ^ r0
            if (r1 == 0) goto L3a
            r1 = r4
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L16
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L16
            r1 = r1 ^ r0
            if (r1 == 0) goto L2e
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator$Companion r1 = com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion     // Catch: java.lang.Throwable -> L16
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion.access$validateChain(r1, r3, r4)     // Catch: java.lang.Throwable -> L16
            kotlin.Unit r3 = kotlin.Unit.f89583a     // Catch: java.lang.Throwable -> L16
            goto L4c
        L2e:
            java.lang.String r3 = "Root certificates are empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L16
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L16
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L16
            throw r4     // Catch: java.lang.Throwable -> L16
        L3a:
            java.lang.String r3 = "JWSHeader's X.509 certificate chain is null or empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L16
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L16
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L16
            throw r4     // Catch: java.lang.Throwable -> L16
        L46:
            kotlin.Result$Companion r4 = kotlin.Result.f89552b
            kotlin.Result$Failure r3 = kotlin.ResultKt.a(r3)
        L4c:
            java.lang.Throwable r4 = kotlin.Result.a(r3)
            if (r4 != 0) goto L53
            goto L58
        L53:
            com.stripe.android.stripe3ds2.observability.ErrorReporter r1 = r2.errorReporter
            r1.reportError(r4)
        L58:
            boolean r3 = r3 instanceof kotlin.Result.Failure
            r3 = r3 ^ r0
            return r3
        */
        throw new UnsupportedOperationException("Method not decompiled: com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.isCertificateChainValid(java.util.List, java.util.List):boolean");
    }
}
