package com.stripe.android.stripe3ds2.transaction;

import ae.c0;
import ae.j;
import ae.u;
import ae.v;
import ae.x;
import ae.z;
import b0.g;
import ci.b;
import ci.c;
import ci.d;
import com.google.common.primitives.UnsignedBytes;
import com.nimbusds.jose.util.a;
import com.stripe.android.core.injection.NamedConstantsKt;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import j7.h;
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.crypto.SecretKey;
import kotlin.Metadata;
import kotlin.collections.s;
import kotlin.collections.t;
import kotlin.jvm.internal.f;
import kotlin.jvm.internal.l;
import li.g0;
import org.json.JSONObject;
import th.i0;

@Metadata(d1 = {"\u0000V\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\b\b\u0000\u0018\u0000 &2\u00020\u0001:\u0001&B%\u0012\u0006\u0010\u0003\u001a\u00020\u0002\u0012\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004\u0012\u0006\u0010\b\u001a\u00020\u0007¢\u0006\u0004\b\t\u0010\nJ\u0019\u0010\r\u001a\u0004\u0018\u00010\u00052\u0006\u0010\f\u001a\u00020\u000bH\u0002¢\u0006\u0004\b\r\u0010\u000eJ%\u0010\u0011\u001a\u00020\u00022\u0006\u0010\u0010\u001a\u00020\u000f2\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0002¢\u0006\u0004\b\u0011\u0010\u0012J\u0017\u0010\u0016\u001a\u00020\u00152\u0006\u0010\u0014\u001a\u00020\u0013H\u0002¢\u0006\u0004\b\u0016\u0010\u0017J\u0017\u0010\u0019\u001a\u00020\u00182\u0006\u0010\u0014\u001a\u00020\u0013H\u0002¢\u0006\u0004\b\u0019\u0010\u001aJ\u0017\u0010\u001d\u001a\u00020\u001c2\u0006\u0010\u001b\u001a\u00020\u000bH\u0016¢\u0006\u0004\b\u001d\u0010\u001eJ-\u0010!\u001a\u00020\u00022\u000e\u0010 \u001a\n\u0012\u0004\u0012\u00020\u001f\u0018\u00010\u00042\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0007¢\u0006\u0004\b!\u0010\"R\u0014\u0010\u0003\u001a\u00020\u00028\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0003\u0010#R\u001a\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u00048\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0006\u0010$R\u0014\u0010\b\u001a\u00020\u00078\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\b\u0010%¨\u0006'"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator;", "Lcom/stripe/android/stripe3ds2/transaction/JwsValidator;", "", NamedConstantsKt.IS_LIVE_MODE, "", "Ljava/security/cert/X509Certificate;", "rootCerts", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "errorReporter", "<init>", "(ZLjava/util/List;Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;)V", "", "base64", "certificateFromString", "(Ljava/lang/String;)Ljava/security/cert/X509Certificate;", "Lae/x;", "jwsObject", "isValid", "(Lae/x;Ljava/util/List;)Z", "Lae/v;", "jwsHeader", "Lae/z;", "getVerifier", "(Lae/v;)Lae/z;", "Ljava/security/PublicKey;", "getPublicKeyFromHeader", "(Lae/v;)Ljava/security/PublicKey;", "jws", "Lorg/json/JSONObject;", "getPayload", "(Ljava/lang/String;)Lorg/json/JSONObject;", "Lcom/nimbusds/jose/util/a;", "encodedChainCerts", "isCertificateChainValid", "(Ljava/util/List;Ljava/util/List;)Z", "Z", "Ljava/util/List;", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "Companion", "3ds2sdk_release"}, k = 1, mv = {2, 0, 0}, xi = 48)
/* loaded from: classes4.dex */
public final class DefaultJwsValidator implements JwsValidator {

    /* renamed from: Companion, reason: from kotlin metadata */
    public static final Companion INSTANCE = new Companion(null);
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;
    private final List<X509Certificate> rootCerts;

    @Metadata(d1 = {"\u00004\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\b\u0002\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0005\b\u0086\u0003\u0018\u00002\u00020\u0001B\t\b\u0002¢\u0006\u0004\b\u0002\u0010\u0003J+\u0010\n\u001a\u00020\t2\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u00042\f\u0010\b\u001a\b\u0012\u0004\u0012\u00020\u00070\u0004H\u0002¢\u0006\u0004\b\n\u0010\u000bJ\u001d\u0010\r\u001a\u00020\f2\f\u0010\b\u001a\b\u0012\u0004\u0012\u00020\u00070\u0004H\u0007¢\u0006\u0004\b\r\u0010\u000eJ\u0017\u0010\u0013\u001a\u00020\u000f2\u0006\u0010\u0010\u001a\u00020\u000fH\u0000¢\u0006\u0004\b\u0011\u0010\u0012¨\u0006\u0014"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/DefaultJwsValidator$Companion;", "", "<init>", "()V", "", "Lcom/nimbusds/jose/util/a;", "encodedChainCerts", "Ljava/security/cert/X509Certificate;", "rootCerts", "Lth/i0;", "validateChain", "(Ljava/util/List;Ljava/util/List;)V", "Ljava/security/KeyStore;", "createKeyStore", "(Ljava/util/List;)Ljava/security/KeyStore;", "Lae/v;", "jwsHeader", "sanitizedJwsHeader$3ds2sdk_release", "(Lae/v;)Lae/v;", "sanitizedJwsHeader", "3ds2sdk_release"}, k = 1, mv = {2, 0, 0}, xi = 48)
    /* loaded from: classes4.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(f fVar) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends a> encodedChainCerts, List<? extends X509Certificate> rootCerts) {
            LinkedList A = g.A(encodedChainCerts);
            KeyStore createKeyStore = createKeyStore(rootCerts);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) A.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(A)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) {
            l.f(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i10 = 0;
            for (Object obj : rootCerts) {
                int i11 = i10 + 1;
                if (i10 < 0) {
                    t.J();
                    throw null;
                }
                keyStore.setCertificateEntry(String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i10)}, 1)), rootCerts.get(i10));
                i10 = i11;
            }
            return keyStore;
        }

        public final v sanitizedJwsHeader$3ds2sdk_release(v jwsHeader) {
            l.f(jwsHeader, "jwsHeader");
            u algorithm = jwsHeader.getAlgorithm();
            if (algorithm.getName().equals(ae.a.NONE.getName())) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            j type = jwsHeader.getType();
            String contentType = jwsHeader.getContentType();
            Set<String> criticalParams = jwsHeader.getCriticalParams();
            URI jwkurl = jwsHeader.getJWKURL();
            jwsHeader.getJWK();
            return new v(algorithm, type, contentType, criticalParams, jwkurl, null, jwsHeader.getX509CertURL(), jwsHeader.getX509CertThumbprint(), jwsHeader.getX509CertSHA256Thumbprint(), jwsHeader.getX509CertChain(), jwsHeader.getKeyID(), jwsHeader.isBase64URLEncodePayload(), jwsHeader.getCustomParams(), null);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z9, List<? extends X509Certificate> rootCerts, ErrorReporter errorReporter) {
        l.f(rootCerts, "rootCerts");
        l.f(errorReporter, "errorReporter");
        this.isLiveMode = z9;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final X509Certificate certificateFromString(String base64) {
        int i10;
        int i11;
        b bVar;
        int i12;
        int i13;
        boolean z9;
        ci.a aVar;
        char c10;
        int i14;
        ci.a aVar2 = c.f9649d;
        int length = base64.length();
        aVar2.getClass();
        int length2 = base64.length();
        kotlin.collections.c cVar = kotlin.collections.f.Companion;
        cVar.getClass();
        int i15 = 0;
        kotlin.collections.c.a(0, length, length2);
        String substring = base64.substring(0, length);
        l.e(substring, "substring(...)");
        byte[] bytes = substring.getBytes(kotlin.text.a.f60179b);
        l.e(bytes, "getBytes(...)");
        int length3 = bytes.length;
        int length4 = bytes.length;
        cVar.getClass();
        kotlin.collections.c.a(0, length3, length4);
        boolean z10 = aVar2.f9651b;
        if (length3 == 0) {
            i11 = 0;
        } else {
            if (length3 == 1) {
                throw new IllegalArgumentException(a0.f.g(length3, "Input should have at least 2 symbols for Base64 decoding, startIndex: 0, endIndex: "));
            }
            if (z10) {
                i10 = length3;
                int i16 = 0;
                while (true) {
                    if (i16 >= length3) {
                        break;
                    }
                    int i17 = d.f9653a[bytes[i16] & UnsignedBytes.MAX_VALUE];
                    if (i17 < 0) {
                        if (i17 == -2) {
                            i10 -= length3 - i16;
                            break;
                        }
                        i10--;
                    }
                    i16++;
                }
            } else if (bytes[length3 - 1] == 61) {
                i10 = length3 - 1;
                if (bytes[length3 - 2] == 61) {
                    i10 = length3 - 2;
                }
            } else {
                i10 = length3;
            }
            i11 = (int) ((i10 * 6) / 8);
        }
        byte[] bArr = new byte[i11];
        int[] iArr = aVar2.f9650a ? d.f9654b : d.f9653a;
        int i18 = -8;
        int i19 = 0;
        int i20 = 0;
        int i21 = -8;
        while (true) {
            bVar = aVar2.f9652c;
            if (i19 >= length3) {
                i12 = i11;
                i13 = -2;
                z9 = false;
                break;
            }
            if (i21 != i18 || (i14 = i19 + 3) >= length3) {
                aVar = aVar2;
                i12 = i11;
            } else {
                aVar = aVar2;
                i12 = i11;
                int i22 = i19 + 4;
                int i23 = (iArr[bytes[i19 + 1] & UnsignedBytes.MAX_VALUE] << 12) | (iArr[bytes[i19] & UnsignedBytes.MAX_VALUE] << 18) | (iArr[bytes[i19 + 2] & UnsignedBytes.MAX_VALUE] << 6) | iArr[bytes[i14] & UnsignedBytes.MAX_VALUE];
                if (i23 >= 0) {
                    bArr[i15] = (byte) (i23 >> 16);
                    int i24 = i15 + 2;
                    bArr[i15 + 1] = (byte) (i23 >> 8);
                    i15 += 3;
                    bArr[i24] = (byte) i23;
                    i11 = i12;
                    i19 = i22;
                    aVar2 = aVar;
                    i18 = -8;
                }
            }
            int i25 = bytes[i19] & UnsignedBytes.MAX_VALUE;
            int i26 = iArr[i25];
            if (i26 >= 0) {
                c10 = '=';
                i19++;
                i20 = (i20 << 6) | i26;
                int i27 = i21 + 6;
                if (i27 >= 0) {
                    bArr[i15] = (byte) (i20 >>> i27);
                    i20 &= (1 << i27) - 1;
                    i21 -= 2;
                    i15++;
                } else {
                    i21 = i27;
                }
            } else if (i26 != -2) {
                c10 = '=';
                if (!z10) {
                    StringBuilder sb2 = new StringBuilder("Invalid symbol '");
                    sb2.append((char) i25);
                    sb2.append("'(");
                    h.c(8);
                    String num = Integer.toString(i25, 8);
                    l.e(num, "toString(...)");
                    sb2.append(num);
                    sb2.append(") at index ");
                    sb2.append(i19);
                    throw new IllegalArgumentException(sb2.toString());
                }
                i19++;
            } else {
                if (i21 == -8) {
                    throw new IllegalArgumentException(a0.f.g(i19, "Redundant pad character at index "));
                }
                if (i21 != -6) {
                    if (i21 != -4) {
                        if (i21 != -2) {
                            throw new IllegalStateException("Unreachable");
                        }
                    } else {
                        if (bVar == b.ABSENT) {
                            throw new IllegalArgumentException(a0.f.g(i19, "The padding option is set to ABSENT, but the input has a pad character at index "));
                        }
                        int i28 = i19 + 1;
                        if (z10) {
                            while (i28 < length3) {
                                if (d.f9653a[bytes[i28] & UnsignedBytes.MAX_VALUE] != -1) {
                                    break;
                                }
                                i28++;
                            }
                        }
                        if (i28 == length3 || bytes[i28] != 61) {
                            throw new IllegalArgumentException(a0.f.g(i28, "Missing one pad character at index "));
                        }
                        i19 = i28 + 1;
                        i13 = -2;
                        z9 = true;
                    }
                } else if (bVar == b.ABSENT) {
                    throw new IllegalArgumentException(a0.f.g(i19, "The padding option is set to ABSENT, but the input has a pad character at index "));
                }
                i19++;
                i13 = -2;
                z9 = true;
            }
            i11 = i12;
            aVar2 = aVar;
            i18 = -8;
        }
        if (i21 == i13) {
            throw new IllegalArgumentException("The last unit of input does not have enough bits");
        }
        if (i21 != -8 && !z9 && bVar == b.PRESENT) {
            throw new IllegalArgumentException("The padding option is set to PRESENT, but the input is not properly padded");
        }
        if (i20 != 0) {
            throw new IllegalArgumentException("The pad bits must be zeros");
        }
        if (z10) {
            while (i19 < length3) {
                if (d.f9653a[bytes[i19] & UnsignedBytes.MAX_VALUE] != -1) {
                    break;
                }
                i19++;
            }
        }
        if (i19 >= length3) {
            if (i15 != i12) {
                throw new IllegalStateException("Check failed.");
            }
            Certificate generateCertificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
            if (generateCertificate instanceof X509Certificate) {
                return (X509Certificate) generateCertificate;
            }
            return null;
        }
        int i29 = bytes[i19] & UnsignedBytes.MAX_VALUE;
        StringBuilder sb3 = new StringBuilder("Symbol '");
        sb3.append((char) i29);
        sb3.append("'(");
        h.c(8);
        String num2 = Integer.toString(i29, 8);
        l.e(num2, "toString(...)");
        sb3.append(num2);
        sb3.append(") at index ");
        throw new IllegalArgumentException(f1.a.g(i19 - 1, " is prohibited after the pad character", sb3));
    }

    private final PublicKey getPublicKeyFromHeader(v jwsHeader) {
        List x509CertChain = jwsHeader.getX509CertChain();
        l.e(x509CertChain, "getX509CertChain(...)");
        PublicKey publicKey = io.reactivex.exceptions.b.o(((a) s.d0(x509CertChain)).decode()).getPublicKey();
        l.e(publicKey, "getPublicKey(...)");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r5v12, types: [be.d] */
    /* JADX WARN: Type inference failed for: r5v8, types: [be.f] */
    private final z getVerifier(v jwsHeader) {
        be.c cVar;
        ge.a aVar = new de.a().f55464a;
        if (g0.f60741a == null) {
            g0.f60741a = new am.d();
        }
        aVar.f56580a = g0.f60741a;
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(jwsHeader);
        if (ee.f.f55897d.contains(jwsHeader.getAlgorithm())) {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new c0(SecretKey.class);
            }
            cVar = new be.d((SecretKey) publicKeyFromHeader);
        } else if (ee.h.f55901c.contains(jwsHeader.getAlgorithm())) {
            if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                throw new c0(RSAPublicKey.class);
            }
            cVar = new be.f((RSAPublicKey) publicKeyFromHeader);
        } else {
            if (!ee.d.f55891c.contains(jwsHeader.getAlgorithm())) {
                throw new ae.h("Unsupported JWS algorithm: " + jwsHeader.getAlgorithm());
            }
            if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                throw new c0(ECPublicKey.class);
            }
            cVar = new be.c((ECPublicKey) publicKeyFromHeader);
        }
        ((ge.a) cVar.f894b).f56580a = aVar.f56580a;
        return cVar;
    }

    private final boolean isValid(x jwsObject, List<? extends X509Certificate> rootCerts) {
        if (jwsObject.getHeader().getJWK() != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + jwsObject.getHeader()));
        }
        Companion companion = INSTANCE;
        v header = jwsObject.getHeader();
        l.e(header, "getHeader(...)");
        v sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(header);
        if (isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.getX509CertChain(), rootCerts)) {
            return jwsObject.verify(getVerifier(sanitizedJwsHeader$3ds2sdk_release));
        }
        return false;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    public JSONObject getPayload(String jws) {
        l.f(jws, "jws");
        x parse = x.parse(jws);
        if (this.isLiveMode) {
            l.c(parse);
            if (isValid(parse, this.rootCerts)) {
                return new JSONObject(parse.getPayload().toString());
            }
            throw new IllegalStateException("Could not validate JWS");
        }
        List x509CertChain = parse.getHeader().getX509CertChain();
        if (x509CertChain == null || x509CertChain.isEmpty()) {
            return new JSONObject(parse.getPayload().toString());
        }
        List x509CertChain2 = parse.getHeader().getX509CertChain();
        l.e(x509CertChain2, "getX509CertChain(...)");
        ArrayList arrayList = new ArrayList();
        Iterator it = x509CertChain2.iterator();
        while (it.hasNext()) {
            String aVar = ((a) it.next()).toString();
            l.e(aVar, "toString(...)");
            X509Certificate certificateFromString = certificateFromString(aVar);
            if (certificateFromString != null) {
                arrayList.add(certificateFromString);
            }
        }
        if (arrayList.isEmpty() || !isValid(parse, arrayList)) {
            throw new IllegalStateException("Could not validate JWS");
        }
        return new JSONObject(parse.getPayload().toString());
    }

    public final boolean isCertificateChainValid(List<? extends a> encodedChainCerts, List<? extends X509Certificate> rootCerts) {
        Object m881constructorimpl;
        List<? extends a> list;
        l.f(rootCerts, "rootCerts");
        try {
            list = encodedChainCerts;
        } catch (Throwable th2) {
            m881constructorimpl = th.s.m881constructorimpl(g.p(th2));
        }
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
        }
        if (rootCerts.isEmpty()) {
            throw new IllegalArgumentException("Root certificates are empty");
        }
        INSTANCE.validateChain(encodedChainCerts, rootCerts);
        m881constructorimpl = th.s.m881constructorimpl(i0.f64238a);
        Throwable m884exceptionOrNullimpl = th.s.m884exceptionOrNullimpl(m881constructorimpl);
        if (m884exceptionOrNullimpl != null) {
            this.errorReporter.reportError(m884exceptionOrNullimpl);
        }
        return th.s.m887isSuccessimpl(m881constructorimpl);
    }
}
