package com.stripe.android.stripe3ds2.transaction;

import androidx.annotation.VisibleForTesting;
import bl.a;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.KeyTypeException;
import com.nimbusds.jose.util.Base64;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.crypto.SecretKey;
import kl.o;
import kl.p;
import kotlin.Metadata;
import kotlin.collections.c;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.jetbrains.annotations.NotNull;
import org.json.JSONException;
import org.json.JSONObject;
import un0.v;
import wa.h;
import wk.i;
import xk.d;
import xk.f;
import zk.r;
import zk.u;

/* compiled from: JwsValidator.kt */
@Metadata(d1 = {"\u0000L\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\u0006\b\u0000\u0018\u0000 \u001e2\u00020\u0001:\u0001\u001eB%\u0012\u0006\u0010\u0016\u001a\u00020\u0007\u0012\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004\u0012\u0006\u0010\u001a\u001a\u00020\u0019¢\u0006\u0004\b\u001c\u0010\u001dJ\u001e\u0010\b\u001a\u00020\u00072\u0006\u0010\u0003\u001a\u00020\u00022\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0002J\u0010\u0010\f\u001a\u00020\u000b2\u0006\u0010\n\u001a\u00020\tH\u0002J\u0010\u0010\u000e\u001a\u00020\r2\u0006\u0010\n\u001a\u00020\tH\u0002J\u0010\u0010\u0012\u001a\u00020\u00112\u0006\u0010\u0010\u001a\u00020\u000fH\u0016J&\u0010\u0015\u001a\u00020\u00072\u000e\u0010\u0014\u001a\n\u0012\u0004\u0012\u00020\u0013\u0018\u00010\u00042\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0007R\u0014\u0010\u0016\u001a\u00020\u00078\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0016\u0010\u0017R\u001a\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u00048\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0006\u0010\u0018R\u0014\u0010\u001a\u001a\u00020\u00198\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u001a\u0010\u001b¨\u0006\u001f"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator;", "Lcom/stripe/android/stripe3ds2/transaction/JwsValidator;", "Lcom/nimbusds/jose/JWSObject;", "jwsObject", "", "Ljava/security/cert/X509Certificate;", "rootCerts", "", "isValid", "Lcom/nimbusds/jose/JWSHeader;", "jwsHeader", "Lwk/i;", "getVerifier", "Ljava/security/PublicKey;", "getPublicKeyFromHeader", "", "jws", "Lorg/json/JSONObject;", "getPayload", "Lcom/nimbusds/jose/util/Base64;", "encodedChainCerts", 
"isCertificateChainValid", "isLiveMode", "Z", "Ljava/util/List;", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "errorReporter", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "<init>", "(ZLjava/util/List;Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;)V", "Companion", "3ds2sdk_release"}, k = 1, mv = {1, 6, 0})
/* loaded from: classes11.dex */
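/**
 * Validates a compact-serialized JWS and returns its payload as JSON.
 *
 * <p>In live mode the header's {@code x5c} chain must build a PKIX path to one of the configured
 * root certificates, and the signature must verify against the public key of the first certificate
 * in that chain. Outside live mode no verification is performed at all (see
 * {@link #getPayload(String)}).
 *
 * <p>This source is decompiler output for {@code JwsValidator.kt}; obfuscated identifiers
 * ({@code o}, {@code p}, {@code c}, {@code h}, {@code xk.*}, {@code zk.*}) are left as found and
 * any statement about what they stand for is marked as an assumption.
 */
public final class DefaultJwsValidator implements JwsValidator {

    /* renamed from: Companion, reason: from kotlin metadata */
    @NotNull
    public static final Companion INSTANCE = new Companion(null);

    @NotNull
    private final ErrorReporter errorReporter;
    // When false, getPayload() skips chain and signature validation entirely.
    private final boolean isLiveMode;

    // Trust anchors used when building the certificate path for the x5c chain.
    @NotNull
    private final List<X509Certificate> rootCerts;

    /* compiled from: JwsValidator.kt */
    @Metadata(d1 = {"\u00000\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\b\u0086\u0003\u0018\u00002\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002J\u0016\u0010\u0003\u001a\u00020\u00042\f\u0010\u0005\u001a\b\u0012\u0004\u0012\u00020\u00070\u0006H\u0007J\u0015\u0010\b\u001a\u00020\t2\u0006\u0010\n\u001a\u00020\tH\u0000¢\u0006\u0002\b\u000bJ$\u0010\f\u001a\u00020\r2\f\u0010\u000e\u001a\b\u0012\u0004\u0012\u00020\u000f0\u00062\f\u0010\u0005\u001a\b\u0012\u0004\u0012\u00020\u00070\u0006H\u0002¨\u0006\u0010"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator$Companion;", "", "()V", "createKeyStore", "Ljava/security/KeyStore;", "rootCerts", "", "Ljava/security/cert/X509Certificate;", "sanitizedJwsHeader", "Lcom/nimbusds/jose/JWSHeader;", "jwsHeader", "sanitizedJwsHeader$3ds2sdk_release", "validateChain", "", "encodedChainCerts", "Lcom/nimbusds/jose/util/Base64;", "3ds2sdk_release"}, k = 1, mv = {1, 6, 0}, xi = 48)
    /* loaded from: classes11.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /**
         * Builds a PKIX certification path from the first certificate of the chain to one of
         * {@code rootCerts}; returns normally only if such a path exists.
         *
         * @param encodedChainCerts the {@code x5c} entries; the first one is treated as the target
         * @param rootCerts trust anchors
         * @throws GeneralSecurityException if no path to a trust anchor can be built
         */
        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends Base64> encodedChainCerts, List<? extends X509Certificate> rootCerts) throws GeneralSecurityException, IOException, ParseException {
            // NOTE(review): kl.o.a is obfuscated; it presumably parses the Base64 x5c entries into
            // X509Certificate objects (the result is cast to X509Certificate below) - confirm.
            LinkedList chain = o.a(encodedChainCerts);
            KeyStore trustStore = createKeyStore(rootCerts);
            // The path must end at the first chain entry, the same certificate whose public key
            // getPublicKeyFromHeader() later hands to the signature verifier.
            X509CertSelector target = new X509CertSelector();
            target.setCertificate((X509Certificate) chain.get(0));
            PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
            // Revocation checking (CRL/OCSP) is switched off: a revoked certificate that is
            // otherwise valid and chains to a root will still be accepted here.
            params.setRevocationEnabled(false);
            // The supplied chain is the only source of intermediate certificates.
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
            // The result is discarded; build() throwing is the failure signal.
            CertPathBuilder.getInstance("PKIX").build(params);
        }

        /**
         * Creates an in-memory key store holding each root certificate under the alias
         * {@code ca_<index>}.
         *
         * @param rootCerts certificates to install as trusted entries
         * @return a key store of the platform default type containing only {@code rootCerts}
         */
        @VisibleForTesting
        @NotNull
        public final KeyStore createKeyStore(@NotNull List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initialises an empty store, so no system or on-disk anchors leak in.
            keyStore.load(null, null);
            // Plain indexed loop; the decompiled forEachIndexed overflow guard could never fire.
            for (int index = 0; index < rootCerts.size(); index++) {
                String alias = String.format(Locale.ROOT, "ca_%d", index);
                Intrinsics.checkNotNullExpressionValue(alias, "format(locale, format, *args)");
                keyStore.setCertificateEntry(alias, rootCerts.get(index));
            }
            Intrinsics.checkNotNullExpressionValue(keyStore, "keyStore");
            return keyStore;
        }

        /**
         * Returns a copy of {@code jwsHeader} with the embedded JWK removed.
         *
         * <p>Every other header parameter is copied unchanged. Dropping the JWK keeps a key that
         * the sender placed in the header from being carried into verification; the verification
         * key is taken from the {@code x5c} chain instead (see {@code getVerifier}).
         *
         * @param jwsHeader the header as received
         * @return the same header without its {@code jwk} parameter
         */
        @NotNull
        public final JWSHeader sanitizedJwsHeader$3ds2sdk_release(@NotNull JWSHeader jwsHeader) {
            Intrinsics.checkNotNullParameter(jwsHeader, "jwsHeader");
            JWSHeader.a aVar = new JWSHeader.a(jwsHeader.getAlgorithm());
            aVar.f13741b = jwsHeader.getType();
            aVar.f13742c = jwsHeader.getContentType();
            aVar.f13743d = jwsHeader.getCriticalParams();
            aVar.f13744e = jwsHeader.getJWKURL();
            aVar.f13746g = jwsHeader.getX509CertURL();
            aVar.f13747h = jwsHeader.getX509CertThumbprint();
            aVar.f13748i = jwsHeader.getX509CertSHA256Thumbprint();
            aVar.f13749j = jwsHeader.getX509CertChain();
            aVar.f13750k = jwsHeader.getKeyID();
            aVar.l = jwsHeader.isBase64URLEncodePayload();
            aVar.f13751m = jwsHeader.getCustomParams();
            // f13745f is the builder's JWK slot (the decompiled copy first stored getJWK() in it
            // and then overwrote it); it is cleared explicitly so the JWK is never propagated.
            aVar.f13745f = null;
            JWSHeader a11 = aVar.a();
            Intrinsics.checkNotNullExpressionValue(a11, "Builder(jwsHeader)\n     …\n                .build()");
            return a11;
        }
    }

    /**
     * @param z11 live-mode flag; when false, {@link #getPayload(String)} performs no validation
     * @param rootCerts trust anchors for the JWS certificate chain
     * @param errorReporter sink for validation failures and unexpected header contents
     */
    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z11, @NotNull List<? extends X509Certificate> rootCerts, @NotNull ErrorReporter errorReporter) {
        Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
        Intrinsics.checkNotNullParameter(errorReporter, "errorReporter");
        this.isLiveMode = z11;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    /**
     * Extracts the public key of a certificate taken from the header's {@code x5c} chain.
     *
     * @throws CertificateException if the selected entry cannot be parsed as an X.509 certificate
     */
    private final PublicKey getPublicKeyFromHeader(JWSHeader jwsHeader) throws CertificateException {
        List x509CertChain = jwsHeader.getX509CertChain();
        Intrinsics.checkNotNullExpressionValue(x509CertChain, "jwsHeader.x509CertChain");
        // NOTE(review): c.M is obfuscated; it presumably returns the first list element, which
        // would match the path target chosen in validateChain() (chain.get(0)) - confirm.
        PublicKey publicKey = p.a(((Base64) c.M(x509CertChain)).decode()).getPublicKey();
        Intrinsics.checkNotNullExpressionValue(publicKey, "parseWithException(\n    …ode()\n        ).publicKey");
        return publicKey;
    }

    /**
     * Creates the signature verifier matching the header's {@code alg}, keyed with the public key
     * from the {@code x5c} chain.
     *
     * <p>Each algorithm family demands a specific key type, so an {@code alg} value that does not
     * fit the certificate's key is rejected with {@link KeyTypeException} rather than verified
     * with a mismatched key.
     *
     * @throws JOSEException if the algorithm is in none of the three supported sets
     * @throws CertificateException if the certificate in the header cannot be parsed
     */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v12, types: [xk.d] */
    /* JADX WARN: Type inference failed for: r5v8, types: [xk.f] */
    private final i getVerifier(JWSHeader jwsHeader) throws JOSEException, CertificateException {
        // Declared as xk.c only because the decompiler could not infer a common type for the
        // three verifier classes assigned below.
        xk.c cVar;
        // NOTE(review): yk.a looks like an inlined verifier factory and f66007a its JCA context
        // (see the "verifierFactory.createJW..." marker string below) - confirm.
        a aVar = new yk.a().f66007a;
        // Lazily create the shared BouncyCastle provider; this check is not synchronized here.
        if (h.f63610a == null) {
            h.f63610a = new BouncyCastleProvider();
        }
        aVar.f2591a = h.f63610a;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(jwsHeader);
        if (r.f66750d.contains(jwsHeader.getAlgorithm())) {
            // This family requires a SecretKey. The key comes from an X.509 certificate, which is
            // not expected to yield a SecretKey, so symmetric algorithms should end up rejected
            // here - presumably the intent; confirm against the original Kotlin.
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new KeyTypeException(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        } else if (u.f66754c.contains(jwsHeader.getAlgorithm())) {
            if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                throw new KeyTypeException(RSAPublicKey.class);
            }
            cVar = new f((RSAPublicKey) publicKeyFromHeader);
        } else {
            if (!zk.o.f66745c.contains(jwsHeader.getAlgorithm())) {
                throw new JOSEException("Unsupported JWS algorithm: " + jwsHeader.getAlgorithm());
            }
            if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                throw new KeyTypeException(ECPublicKey.class);
            }
            cVar = new xk.c((ECPublicKey) publicKeyFromHeader);
        }
        // Hand the provider chosen above to the verifier that was just created.
        cVar.f66736b.f2591a = aVar.f2591a;
        Intrinsics.checkNotNullExpressionValue(cVar, "verifierFactory.createJW…KeyFromHeader(jwsHeader))");
        return cVar;
    }

    /**
     * Checks the certificate chain first and the signature second.
     *
     * @return {@code true} only if the {@code x5c} chain validates against {@code rootCerts} and
     *     the signature verifies with the key from that chain
     */
    private final boolean isValid(JWSObject jwsObject, List<? extends X509Certificate> rootCerts) throws JOSEException, CertificateException {
        // A JWK in the header is reported but is not fatal; it is stripped below and never used.
        // NOTE(review): Intrinsics.l is obfuscated, presumably a string concatenation - confirm.
        if (jwsObject.getHeader().getJWK() != null) {
            this.errorReporter.reportError(new IllegalArgumentException(Intrinsics.l(jwsObject.getHeader(), "Encountered a JWK in ")));
        }
        Companion companion = INSTANCE;
        JWSHeader header = jwsObject.getHeader();
        Intrinsics.checkNotNullExpressionValue(header, "jwsObject.header");
        JWSHeader sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(header);
        // Order matters: the key is only used for verification after its chain has been anchored.
        if (isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.getX509CertChain(), rootCerts)) {
            return jwsObject.verify(getVerifier(sanitizedJwsHeader$3ds2sdk_release));
        }
        return false;
    }

    /**
     * Parses {@code jws} and returns its payload as a JSON object.
     *
     * <p>Only in live mode are the certificate chain and signature checked. When
     * {@code isLiveMode} is false the payload of any well-formed JWS is returned as-is, so callers
     * must treat the result as unauthenticated in that mode.
     *
     * @param jws compact-serialized JWS
     * @return the payload parsed as JSON
     * @throws IllegalStateException in live mode, if the chain or the signature does not validate
     */
    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    @NotNull
    public JSONObject getPayload(@NotNull String jws) throws JSONException, ParseException, JOSEException, CertificateException {
        Intrinsics.checkNotNullParameter(jws, "jws");
        JWSObject jwsObject = JWSObject.parse(jws);
        if (this.isLiveMode) {
            Intrinsics.checkNotNullExpressionValue(jwsObject, "jwsObject");
            if (!isValid(jwsObject, this.rootCerts)) {
                throw new IllegalStateException("Could not validate JWS");
            }
        }
        return new JSONObject(jwsObject.getPayload().toString());
    }

    /**
     * Reports whether the encoded chain builds a valid path to one of the root certificates.
     *
     * <p>The decompiler could not emit this method and left a stub that always threw
     * {@link UnsupportedOperationException}. The body below is reconstructed from the instruction
     * dump that accompanied the stub: both precondition checks and the chain validation run
     * inside one catch-all region, any failure is passed to the error reporter, and the result is
     * whether that region completed without throwing.
     *
     * @param encodedChainCerts the header's {@code x5c} entries; may be {@code null}
     * @param rootCerts trust anchors; must not be {@code null}
     * @return {@code true} if a certification path could be built, {@code false} on any failure
     */
    @VisibleForTesting
    public final boolean isCertificateChainValid(List<? extends Base64> encodedChainCerts, @NotNull List<? extends X509Certificate> rootCerts) {
        Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
        try {
            if (encodedChainCerts == null || encodedChainCerts.isEmpty()) {
                throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
            }
            if (rootCerts.isEmpty()) {
                throw new IllegalArgumentException("Root certificates are empty");
            }
            INSTANCE.validateChain(encodedChainCerts, rootCerts);
            return true;
        } catch (Throwable failure) {
            // Throwable, not Exception: the dump wraps the whole region in a Kotlin Result, so
            // every failure is reported and turned into "invalid" instead of propagating.
            this.errorReporter.reportError(failure);
            return false;
        }
    }
}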
