package com.stripe.android.stripe3ds2.transaction;

import b3.j;
import bx.a;
import bx.b;
import bx.c;
import bx.e;
import bx.f;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import h10.x;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.jvm.internal.g;
import kotlin.jvm.internal.m;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONException;
import org.json.JSONObject;
import ow.o;
import ow.p;
import ow.q;
import ow.r;
import ow.u;
import pw.d;
import rw.l;
import rw.n;

/* loaded from: classes4.dex */
public final class DefaultJwsValidator implements JwsValidator {
    public static final Companion Companion = new Companion(null);
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;
    private final List<X509Certificate> rootCerts;

    /* loaded from: classes4.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(g gVar) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList a11 = f.a(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) a11.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(a11)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            m.f(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i11 = 0;
            for (Object obj : rootCerts) {
                int i12 = i11 + 1;
                if (i11 < 0) {
                    j.d1();
                    throw null;
                }
                String format = String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i11)}, 1));
                m.e(format, "format(locale, format, *args)");
                keyStore.setCertificateEntry(format, rootCerts.get(i11));
                i11 = i12;
            }
            return keyStore;
        }

        public final p sanitizedJwsHeader$3ds2sdk_release(p jwsHeader) {
            m.f(jwsHeader, "jwsHeader");
            o oVar = (o) jwsHeader.f46021a;
            if (oVar.f46007a.equals(ow.a.f46006b.f46007a)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            return new p(oVar, jwsHeader.f46022b, jwsHeader.f46023c, jwsHeader.f46024d, jwsHeader.f46009x, null, jwsHeader.X, jwsHeader.Y, jwsHeader.Z, jwsHeader.f46008v1, jwsHeader.H1, jwsHeader.f46081a2, jwsHeader.f46025e, null);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z11, List<? extends X509Certificate> rootCerts, ErrorReporter errorReporter) {
        m.f(rootCerts, "rootCerts");
        m.f(errorReporter, "errorReporter");
        this.isLiveMode = z11;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final PublicKey getPublicKeyFromHeader(p pVar) throws CertificateException {
        List<a> list = pVar.f46008v1;
        m.e(list, "jwsHeader.x509CertChain");
        PublicKey publicKey = c.i(((a) x.D1(list)).a()).getPublicKey();
        m.e(publicKey, "parseWithException(\n    …ode()\n        ).publicKey");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v13, types: [pw.d] */
    /* JADX WARN: Type inference failed for: r5v9, types: [pw.f] */
    private final r getVerifier(p pVar) throws ow.f, CertificateException {
        pw.c cVar;
        sw.a aVar = new qw.a().f48961a;
        if (j.f8354q == null) {
            j.f8354q = new BouncyCastleProvider();
        }
        aVar.f52283a = j.f8354q;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(pVar);
        if (!l.f50819d.contains((o) pVar.f46021a)) {
            Set<o> set = n.f50823c;
            o oVar = (o) pVar.f46021a;
            if (set.contains(oVar)) {
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new u(RSAPublicKey.class);
                }
                cVar = new pw.f((RSAPublicKey) publicKeyFromHeader);
            } else {
                if (!rw.j.f50814c.contains(oVar)) {
                    throw new ow.f("Unsupported JWS algorithm: " + oVar);
                }
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new u(ECPublicKey.class);
                }
                cVar = new pw.c((ECPublicKey) publicKeyFromHeader);
            }
        } else {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new u(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        }
        cVar.f50808b.f52283a = aVar.f52283a;
        return cVar;
    }

    private final boolean isValid(q qVar, List<? extends X509Certificate> list) throws ow.f, CertificateException {
        boolean a11;
        if (qVar.f46082b.f46010y != null) {
            this.errorReporter.reportError(new IllegalArgumentException(m.l(qVar.f46082b, "Encountered a JWK in ")));
        }
        Companion companion = Companion;
        p pVar = qVar.f46082b;
        m.e(pVar, "jwsObject.header");
        p sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(pVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f46008v1, list)) {
            return false;
        }
        r verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (qVar) {
            AtomicReference<q.a> atomicReference = qVar.f46085e;
            if (atomicReference.get() != q.a.SIGNED && atomicReference.get() != q.a.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                a11 = verifier.a(qVar.f46082b, qVar.f46083c.getBytes(e.f9262a), qVar.f46084d);
                if (a11) {
                    qVar.f46085e.set(q.a.VERIFIED);
                }
            } catch (ow.f e11) {
                throw e11;
            } catch (Exception e12) {
                throw new ow.f(e12.getMessage(), e12);
            }
        }
        return a11;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String jws) throws JSONException, ParseException, ow.f, CertificateException {
        m.f(jws, "jws");
        b[] a11 = ow.g.a(jws);
        if (a11.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        q qVar = new q(a11[0], a11[1], a11[2]);
        if (!this.isLiveMode || isValid(qVar, this.rootCerts)) {
            return new JSONObject(qVar.f46027a.toString());
        }
        throw new IllegalStateException("Could not validate JWS");
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x0018 A[Catch: all -> 0x0042, TryCatch #0 {all -> 0x0042, blocks: (B:3:0x0006, B:5:0x000b, B:9:0x0015, B:11:0x0018, B:13:0x0022, B:20:0x002a, B:21:0x0035, B:22:0x0036, B:23:0x0041), top: B:2:0x0006 }] */
    /* JADX WARN: Removed duplicated region for block: B:22:0x0036 A[Catch: all -> 0x0042, TryCatch #0 {all -> 0x0042, blocks: (B:3:0x0006, B:5:0x000b, B:9:0x0015, B:11:0x0018, B:13:0x0022, B:20:0x002a, B:21:0x0035, B:22:0x0036, B:23:0x0041), top: B:2:0x0006 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public final boolean isCertificateChainValid(java.util.List<? extends bx.a> r3, java.util.List<? extends java.security.cert.X509Certificate> r4) {
        /*
            r2 = this;
            java.lang.String r0 = "rootCerts"
            kotlin.jvm.internal.m.f(r4, r0)
            r0 = 1
            r1 = r3
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L42
            if (r1 == 0) goto L14
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L42
            if (r1 == 0) goto L12
            goto L14
        L12:
            r1 = 0
            goto L15
        L14:
            r1 = r0
        L15:
            r1 = r1 ^ r0
            if (r1 == 0) goto L36
            r1 = r4
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L42
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L42
            r1 = r1 ^ r0
            if (r1 == 0) goto L2a
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator$Companion r1 = com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion     // Catch: java.lang.Throwable -> L42
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion.access$validateChain(r1, r3, r4)     // Catch: java.lang.Throwable -> L42
            g10.a0 r3 = g10.a0.f28335a     // Catch: java.lang.Throwable -> L42
            goto L47
        L2a:
            java.lang.String r3 = "Root certificates are empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L42
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L42
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L42
            throw r4     // Catch: java.lang.Throwable -> L42
        L36:
            java.lang.String r3 = "JWSHeader's X.509 certificate chain is null or empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L42
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L42
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L42
            throw r4     // Catch: java.lang.Throwable -> L42
        L42:
            r3 = move-exception
            g10.l$a r3 = g10.m.a(r3)
        L47:
            java.lang.Throwable r4 = g10.l.a(r3)
            if (r4 != 0) goto L4e
            goto L53
        L4e:
            com.stripe.android.stripe3ds2.observability.ErrorReporter r1 = r2.errorReporter
            r1.reportError(r4)
        L53:
            boolean r3 = r3 instanceof g10.l.a
            r3 = r3 ^ r0
            return r3
        */
        throw new UnsupportedOperationException("Method not decompiled: com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.isCertificateChainValid(java.util.List, java.util.List):boolean");
    }
}
