package com.stripe.android.stripe3ds2.transaction;

import Be.n;
import Be.o;
import Be.p;
import Be.q;
import Ce.c;
import Ce.d;
import Ee.m;
import Ee.t;
import Oe.a;
import Oe.b;
import Oe.g;
import Oe.h;
import Oe.i;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.KeyTypeException;
import com.stripe.android.core.injection.NamedConstantsKt;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import ff.C4265a;
import i1.C4705o;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.jvm.internal.StringCompanionObject;
import oi.C5645a;
import org.jetbrains.annotations.NotNull;
import org.json.JSONException;
import org.json.JSONObject;
import qg.f;

/* compiled from: JwsValidator.kt */
@Metadata(d1 = {"\u0000T\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0006\n\u0002\u0018\u0002\n\u0002\b\u0006\b\u0000\u0018\u0000 #2\u00020\u0001:\u0001#B%\u0012\u0006\u0010\u001b\u001a\u00020\u0007\u0012\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004\u0012\u0006\u0010\u001f\u001a\u00020\u001e¢\u0006\u0004\b!\u0010\"J%\u0010\b\u001a\u00020\u00072\u0006\u0010\u0003\u001a\u00020\u00022\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0002¢\u0006\u0004\b\b\u0010\tJ\u0017\u0010\r\u001a\u00020\f2\u0006\u0010\u000b\u001a\u00020\nH\u0002¢\u0006\u0004\b\r\u0010\u000eJ\u0017\u0010\u0010\u001a\u00020\u000f2\u0006\u0010\u000b\u001a\u00020\nH\u0002¢\u0006\u0004\b\u0010\u0010\u0011J\u0017\u0010\u0015\u001a\u00020\u00142\u0006\u0010\u0013\u001a\u00020\u0012H\u0016¢\u0006\u0004\b\u0015\u0010\u0016J-\u0010\u0019\u001a\u00020\u00072\u000e\u0010\u0018\u001a\n\u0012\u0004\u0012\u00020\u0017\u0018\u00010\u00042\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0007¢\u0006\u0004\b\u0019\u0010\u001aR\u0014\u0010\u001b\u001a\u00020\u00078\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u001b\u0010\u001cR\u001a\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u00048\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0006\u0010\u001dR\u0014\u0010\u001f\u001a\u00020\u001e8\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u001f\u0010 ¨\u0006$"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator;", "Lcom/stripe/android/stripe3ds2/transaction/JwsValidator;", "LBe/p;", "jwsObject", "", "Ljava/security/cert/X509Certificate;", "rootCerts", "", "isValid", "(LBe/p;Ljava/util/List;)Z", "LBe/o;", "jwsHeader", "LBe/q;", "getVerifier", "(LBe/o;)LBe/q;", "Ljava/security/PublicKey;", "getPublicKeyFromHeader", "(LBe/o;)Ljava/security/PublicKey;", "", "jws", "Lorg/json/JSONObject;", "getPayload", "(Ljava/lang/String;)Lorg/json/JSONObject;", "LOe/a;", "encodedChainCerts", "isCertificateChainValid", "(Ljava/util/List;Ljava/util/List;)Z", NamedConstantsKt.IS_LIVE_MODE, "Z", "Ljava/util/List;", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "errorReporter", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "<init>", "(ZLjava/util/List;Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;)V", "Companion", "3ds2sdk_release"}, k = 1, mv = {1, 9, 0})
/* loaded from: classes3.dex */
public final class DefaultJwsValidator implements JwsValidator {

    /* renamed from: Companion, reason: from kotlin metadata */
    @NotNull
    public static final Companion INSTANCE = new Companion(null);

    @NotNull
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;

    @NotNull
    private final List<X509Certificate> rootCerts;

    /* compiled from: JwsValidator.kt */
    @Metadata(d1 = {"\u00000\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0007\b\u0086\u0003\u0018\u00002\u00020\u0001B\t\b\u0002¢\u0006\u0004\b\u0012\u0010\u0013J+\u0010\b\u001a\u00020\u00072\f\u0010\u0004\u001a\b\u0012\u0004\u0012\u00020\u00030\u00022\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0002H\u0002¢\u0006\u0004\b\b\u0010\tJ\u001d\u0010\u000b\u001a\u00020\n2\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0002H\u0007¢\u0006\u0004\b\u000b\u0010\fJ\u0017\u0010\u0011\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\rH\u0000¢\u0006\u0004\b\u000f\u0010\u0010¨\u0006\u0014"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator$Companion;", "", "", "LOe/a;", "encodedChainCerts", "Ljava/security/cert/X509Certificate;", "rootCerts", "", "validateChain", "(Ljava/util/List;Ljava/util/List;)V", "Ljava/security/KeyStore;", "createKeyStore", "(Ljava/util/List;)Ljava/security/KeyStore;", "LBe/o;", "jwsHeader", "sanitizedJwsHeader$3ds2sdk_release", "(LBe/o;)LBe/o;", "sanitizedJwsHeader", "<init>", "()V", "3ds2sdk_release"}, k = 1, mv = {1, 9, 0})
    @SourceDebugExtension
    /* loaded from: classes3.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> encodedChainCerts, List<? extends X509Certificate> rootCerts) throws GeneralSecurityException, IOException, ParseException {
            LinkedList a10 = h.a(encodedChainCerts);
            KeyStore createKeyStore = createKeyStore(rootCerts);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) a10.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(a10)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        @NotNull
        public final KeyStore createKeyStore(@NotNull List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i10 = 0;
            for (Object obj : rootCerts) {
                int i11 = i10 + 1;
                if (i10 < 0) {
                    f.m();
                    throw null;
                }
                StringCompanionObject stringCompanionObject = StringCompanionObject.f43438a;
                keyStore.setCertificateEntry(C4265a.a(new Object[]{Integer.valueOf(i10)}, 1, Locale.ROOT, "ca_%d", "format(locale, format, *args)"), rootCerts.get(i10));
                i10 = i11;
            }
            return keyStore;
        }

        @NotNull
        public final o sanitizedJwsHeader$3ds2sdk_release(@NotNull o jwsHeader) {
            Intrinsics.checkNotNullParameter(jwsHeader, "jwsHeader");
            n nVar = (n) jwsHeader.f1188a;
            if (nVar.f1167a.equals(Be.a.f1166d.f1167a)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            o oVar = new o(nVar, jwsHeader.f1189d, jwsHeader.f1190e, jwsHeader.f1191g, jwsHeader.f1171v, null, jwsHeader.f1173x, jwsHeader.f1174y, jwsHeader.f1168A, jwsHeader.f1169B, jwsHeader.f1170C, jwsHeader.f1256H, jwsHeader.f1192i, null);
            Intrinsics.checkNotNullExpressionValue(oVar, "build(...)");
            return oVar;
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z10, @NotNull List<? extends X509Certificate> rootCerts, @NotNull ErrorReporter errorReporter) {
        Intrinsics.checkNotNullParameter(rootCerts, "rootCerts");
        Intrinsics.checkNotNullParameter(errorReporter, "errorReporter");
        this.isLiveMode = z10;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final PublicKey getPublicKeyFromHeader(o jwsHeader) throws CertificateException {
        List<a> list = jwsHeader.f1169B;
        Intrinsics.checkNotNullExpressionValue(list, "getX509CertChain(...)");
        PublicKey publicKey = i.a(((a) qg.n.L(list)).a()).getPublicKey();
        Intrinsics.checkNotNullExpressionValue(publicKey, "getPublicKey(...)");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v13, types: [Ce.d] */
    /* JADX WARN: Type inference failed for: r5v9, types: [Ce.f] */
    private final q getVerifier(o jwsHeader) throws JOSEException, CertificateException {
        c cVar;
        Fe.a aVar = new De.a().f2432a;
        if (C4705o.f41198b == null) {
            C4705o.f41198b = new C5645a();
        }
        aVar.f3809a = C4705o.f41198b;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(jwsHeader);
        if (!Ee.q.f3183d.contains((n) jwsHeader.f1188a)) {
            Set<n> set = t.f3187c;
            n nVar = (n) jwsHeader.f1188a;
            if (set.contains(nVar)) {
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new KeyTypeException(RSAPublicKey.class);
                }
                cVar = new Ce.f((RSAPublicKey) publicKeyFromHeader);
            } else {
                if (!m.f3178c.contains(nVar)) {
                    throw new Exception("Unsupported JWS algorithm: " + nVar);
                }
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new KeyTypeException(ECPublicKey.class);
                }
                cVar = new c((ECPublicKey) publicKeyFromHeader);
            }
        } else {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new KeyTypeException(SecretKey.class);
            }
            cVar = new d((SecretKey) publicKeyFromHeader);
        }
        cVar.f3173b.f3809a = aVar.f3809a;
        Intrinsics.checkNotNullExpressionValue(cVar, "createJWSVerifier(...)");
        return cVar;
    }

    private final boolean isValid(p jwsObject, List<? extends X509Certificate> rootCerts) throws JOSEException, CertificateException {
        boolean a10;
        if (jwsObject.f1257d.f1172w != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + jwsObject.f1257d));
        }
        Companion companion = INSTANCE;
        o oVar = jwsObject.f1257d;
        Intrinsics.checkNotNullExpressionValue(oVar, "getHeader(...)");
        o sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(oVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f1169B, rootCerts)) {
            return false;
        }
        q verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (jwsObject) {
            AtomicReference<p.a> atomicReference = jwsObject.f1260i;
            if (atomicReference.get() != p.a.SIGNED && atomicReference.get() != p.a.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                try {
                    a10 = verifier.a(jwsObject.f1257d, jwsObject.f1258e.getBytes(g.f10857a), jwsObject.f1259g);
                    if (a10) {
                        jwsObject.f1260i.set(p.a.VERIFIED);
                    }
                } catch (JOSEException e10) {
                    throw e10;
                }
            } catch (Exception e11) {
                throw new Exception(e11.getMessage(), e11);
            }
        }
        return a10;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    @NotNull
    public JSONObject getPayload(@NotNull String jws) throws JSONException, ParseException, JOSEException, CertificateException {
        Intrinsics.checkNotNullParameter(jws, "jws");
        b[] a10 = Be.f.a(jws);
        if (a10.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        p pVar = new p(a10[0], a10[1], a10[2]);
        if (!this.isLiveMode || isValid(pVar, this.rootCerts)) {
            return new JSONObject(pVar.f1194a.toString());
        }
        throw new IllegalStateException("Could not validate JWS");
    }

    /* JADX WARN: Removed duplicated region for block: B:11:0x001c A[Catch: all -> 0x0016, TryCatch #0 {all -> 0x0016, blocks: (B:3:0x0006, B:5:0x000d, B:9:0x0019, B:11:0x001c, B:13:0x0026, B:20:0x002e, B:21:0x0039, B:22:0x003a, B:23:0x0045), top: B:2:0x0006 }] */
    /* JADX WARN: Removed duplicated region for block: B:22:0x003a A[Catch: all -> 0x0016, TryCatch #0 {all -> 0x0016, blocks: (B:3:0x0006, B:5:0x000d, B:9:0x0019, B:11:0x001c, B:13:0x0026, B:20:0x002e, B:21:0x0039, B:22:0x003a, B:23:0x0045), top: B:2:0x0006 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public final boolean isCertificateChainValid(java.util.List<? extends Oe.a> r3, @org.jetbrains.annotations.NotNull java.util.List<? extends java.security.cert.X509Certificate> r4) {
        /*
            r2 = this;
            java.lang.String r0 = "rootCerts"
            kotlin.jvm.internal.Intrinsics.checkNotNullParameter(r4, r0)
            r0 = 1
            kotlin.Result$Companion r1 = kotlin.Result.INSTANCE     // Catch: java.lang.Throwable -> L16
            r1 = r3
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L16
            if (r1 == 0) goto L18
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L16
            if (r1 == 0) goto L14
            goto L18
        L14:
            r1 = 0
            goto L19
        L16:
            r3 = move-exception
            goto L46
        L18:
            r1 = r0
        L19:
            r1 = r1 ^ r0
            if (r1 == 0) goto L3a
            r1 = r4
            java.util.Collection r1 = (java.util.Collection) r1     // Catch: java.lang.Throwable -> L16
            boolean r1 = r1.isEmpty()     // Catch: java.lang.Throwable -> L16
            r1 = r1 ^ r0
            if (r1 == 0) goto L2e
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator$Companion r1 = com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.INSTANCE     // Catch: java.lang.Throwable -> L16
            com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.Companion.access$validateChain(r1, r3, r4)     // Catch: java.lang.Throwable -> L16
            kotlin.Unit r3 = kotlin.Unit.f43246a     // Catch: java.lang.Throwable -> L16
            goto L4c
        L2e:
            java.lang.String r3 = "Root certificates are empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L16
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L16
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L16
            throw r4     // Catch: java.lang.Throwable -> L16
        L3a:
            java.lang.String r3 = "JWSHeader's X.509 certificate chain is null or empty"
            java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L16
            java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L16
            r4.<init>(r3)     // Catch: java.lang.Throwable -> L16
            throw r4     // Catch: java.lang.Throwable -> L16
        L46:
            kotlin.Result$Companion r4 = kotlin.Result.INSTANCE
            kotlin.Result$Failure r3 = kotlin.ResultKt.a(r3)
        L4c:
            java.lang.Throwable r4 = kotlin.Result.a(r3)
            if (r4 == 0) goto L57
            com.stripe.android.stripe3ds2.observability.ErrorReporter r1 = r2.errorReporter
            r1.reportError(r4)
        L57:
            boolean r3 = r3 instanceof kotlin.Result.Failure
            r3 = r3 ^ r0
            return r3
        */
        throw new UnsupportedOperationException("Method not decompiled: com.stripe.android.stripe3ds2.transaction.DefaultJwsValidator.isCertificateChainValid(java.util.List, java.util.List):boolean");
    }
}
