package mozilla.components.service.fretboard.source.kinto;

import android.util.Base64;
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import kotlin.TypeCastException;
import kotlin.collections.ArraysKt;
import kotlin.collections.CollectionsKt;
import kotlin.comparisons.ComparisonsKt;
import kotlin.io.TextStreamsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt;
import mozilla.components.service.fretboard.Experiment;
import mozilla.components.service.fretboard.ExperimentDownloadException;
import mozilla.components.service.fretboard.JSONExperimentParser;
import mozilla.components.service.fretboard.source.kinto.HttpClient;
import org.json.JSONArray;
import org.json.JSONObject;

/* compiled from: SignatureVerifier.kt */
/* loaded from: classes2.dex */
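/**
 * Verifies the content signature attached to a list of experiments.
 *
 * <p>The signature and an {@code x5u} certificate-chain URL are read from the metadata returned by
 * {@link KintoClient#getMetadata()}. The chain is downloaded through the injected
 * {@link HttpClient}, checked by {@link #verifyCertChain(List)}, and the public key of its first
 * certificate is used to verify a {@code SHA384withECDSA} signature over a canonical serialization
 * of the experiments.
 *
 * <p>Security notes for reviewers, based only on what this class shows:
 * <ul>
 *   <li>The chain root is accepted when its subject name equals its issuer name; it is not
 *       compared against a pinned trust anchor in this class. Unless pinning happens elsewhere,
 *       the result is only as trustworthy as the channel that served the metadata and the chain.
 *   <li>Missing metadata makes the public check return {@code true} (fail-open).
 *   <li>Certificate validity is evaluated with a 30-day tolerance on both ends.
 * </ul>
 */
public final class SignatureVerifier {
    public static final Companion Companion = new Companion(null);

    /** First and last line of a PEM-encoded certificate, as expected in the x5u response. */
    private static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_END = "-----END CERTIFICATE-----";

    /** Tolerance applied before {@code notBefore} and after {@code notAfter}. */
    private static final long VALIDITY_LEEWAY_MILLIS = TimeUnit.DAYS.toMillis(30L);

    /** Largest length that fits in a single-byte (short form) DER length field. */
    private static final int DER_MAX_SHORT_LENGTH = 127;

    private static final byte DER_SEQUENCE = 0x30;
    private static final byte DER_INTEGER = 0x02;

    private final HttpClient client;
    private final Date currentDate;
    private final KintoClient kintoClient;

    /** Companion object emitted by the Kotlin compiler; it carries no members here. */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Creates a verifier.
     *
     * @param client HTTP client used to download the x5u certificate chain
     * @param kintoClient source of the collection metadata that holds the signature
     * @param currentDate instant against which certificate validity is evaluated
     */
    public SignatureVerifier(HttpClient client, KintoClient kintoClient, Date currentDate) {
        Intrinsics.checkParameterIsNotNull(client, "client");
        Intrinsics.checkParameterIsNotNull(kintoClient, "kintoClient");
        Intrinsics.checkParameterIsNotNull(currentDate, "currentDate");
        this.client = client;
        this.kintoClient = kintoClient;
        this.currentDate = currentDate;
    }

    /**
     * Synthetic bridge for Kotlin default arguments: when bit 4 of {@code i} is set, the current
     * time replaces {@code date}.
     */
    public /* synthetic */ SignatureVerifier(HttpClient httpClient, KintoClient kintoClient, Date date, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this(httpClient, kintoClient, (i & 4) != 0 ? new Date() : date);
    }

    /**
     * Downloads the PEM certificate chain at {@code url}, verifies it, and returns the public key
     * of the first certificate in the response.
     *
     * <p>NOTE(review): the URL is used as received; no scheme or host restriction is applied in
     * this class. Confirm that the caller or the {@link HttpClient} implementation constrains it.
     *
     * @param url location of the chain, taken from the metadata's {@code x5u} field
     * @return public key of the first certificate of the verified chain
     * @throws ExperimentDownloadException if the response does not start with a PEM certificate,
     *     holds fewer than two certificates, or the chain fails verification
     */
    private final PublicKey getX5U(URL url) {
        List<X509Certificate> chain = new ArrayList<>();
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        BufferedReader reader = new BufferedReader(new StringReader(HttpClient.DefaultImpls.get$default(this.client, url, null, 2, null)));
        String firstLine = reader.readLine();
        if (!PEM_BEGIN.equals(firstLine)) {
            // The original threw with an empty message, which left nothing to diagnose from.
            throw new ExperimentDownloadException("The x5u response does not start with a PEM certificate");
        }
        StringBuilder pem = new StringBuilder(firstLine).append('\n');
        for (String line : TextStreamsKt.readLines(reader)) {
            pem.append(line).append('\n');
            if (PEM_END.equals(line)) {
                byte[] encoded = pem.toString().getBytes(StandardCharsets.UTF_8);
                Certificate parsed = certificateFactory.generateCertificate(new ByteArrayInputStream(encoded));
                if (parsed == null) {
                    throw new TypeCastException("null cannot be cast to non-null type java.security.cert.X509Certificate");
                }
                chain.add((X509Certificate) parsed);
                // Start collecting the next certificate of the chain.
                pem.setLength(0);
            }
        }
        if (chain.size() < 2) {
            throw new ExperimentDownloadException("The chain must contain at least 2 certificates");
        }
        verifyCertChain(chain);
        // NOTE(review): the first certificate's key is used without any key-usage or
        // extended-key-usage check in this class.
        PublicKey publicKey = chain.get(0).getPublicKey();
        Intrinsics.checkExpressionValueIsNotNull(publicKey, "certs[0].publicKey");
        return publicKey;
    }

    /** Wraps a chain verification failure in an {@link ExperimentDownloadException}. */
    private final void invalidCertChain(Exception exc) {
        throw new ExperimentDownloadException(exc);
    }

    /**
     * Reports whether {@code certificate} is within its validity period at {@code currentDate},
     * allowing 30 days before {@code notBefore} and 30 days after {@code notAfter}.
     *
     * <p>NOTE(review): the tolerance means a certificate expired for up to 30 days is still
     * accepted; confirm this window is intended.
     */
    private final boolean isCertValid(X509Certificate certificate) {
        long now = this.currentDate.getTime();
        Date notBefore = certificate.getNotBefore();
        Intrinsics.checkExpressionValueIsNotNull(notBefore, "notBefore");
        if (now < notBefore.getTime() - VALIDITY_LEEWAY_MILLIS) {
            return false;
        }
        Date notAfter = certificate.getNotAfter();
        Intrinsics.checkExpressionValueIsNotNull(notAfter, "notAfter");
        return notAfter.getTime() + VALIDITY_LEEWAY_MILLIS >= now;
    }

    /**
     * Converts a raw {@code r || s} ECDSA signature (two halves of equal length) into the DER
     * {@code SEQUENCE { INTEGER r, INTEGER s }} form that {@link Signature#verify(byte[])} expects.
     *
     * @param rawSignature concatenation of the two unsigned big-endian integers
     * @return DER encoding using single-byte length fields
     * @throws ExperimentDownloadException if the input is empty, has odd length, or is too long
     *     for single-byte DER lengths
     */
    private final byte[] signatureToASN1(byte[] rawSignature) {
        if (rawSignature.length == 0 || rawSignature.length % 2 != 0) {
            throw new ExperimentDownloadException("Invalid signature");
        }
        int half = rawSignature.length / 2;
        byte[] rRaw = new byte[half];
        byte[] sRaw = new byte[half];
        System.arraycopy(rawSignature, 0, rRaw, 0, half);
        System.arraycopy(rawSignature, half, sRaw, 0, half);
        // Signum 1 treats each half as unsigned. The original reached the same value by prefixing
        // the bytes with zeros, appending one byte at a time to a freshly copied array.
        byte[] r = new BigInteger(1, rRaw).toByteArray();
        byte[] s = new BigInteger(1, sRaw).toByteArray();
        int contentLength = r.length + 4 + s.length;
        if (contentLength > DER_MAX_SHORT_LENGTH) {
            // A length above 127 needs the long form; casting it to one byte would emit
            // malformed DER, so reject the input instead of handing that to the provider.
            throw new ExperimentDownloadException("Invalid signature");
        }
        byte[] der = new byte[contentLength + 2];
        der[0] = DER_SEQUENCE;
        der[1] = (byte) contentLength;
        der[2] = DER_INTEGER;
        der[3] = (byte) r.length;
        System.arraycopy(r, 0, der, 4, r.length);
        der[r.length + 4] = DER_INTEGER;
        der[r.length + 5] = (byte) s.length;
        System.arraycopy(s, 0, der, r.length + 6, s.length);
        return der;
    }

    /**
     * Verifies {@code str2} as a {@code SHA384withECDSA} signature over the UTF-8 bytes of
     * {@code str}.
     *
     * @param str signed payload
     * @param str2 Base64 signature; the URL-safe characters {@code -} and {@code _} are mapped to
     *     {@code +} and {@code /} before decoding
     * @param publicKey key taken from the verified certificate chain
     * @return {@code true} if the signature matches
     */
    private final boolean validSignature(String str, String str2, PublicKey publicKey) {
        if (str == null) {
            throw new TypeCastException("null cannot be cast to non-null type java.lang.String");
        }
        Signature verifier = Signature.getInstance("SHA384withECDSA");
        verifier.initVerify(publicKey);
        verifier.update(str.getBytes(StandardCharsets.UTF_8));
        String standardAlphabet = StringsKt.replace$default(str2, "-", "+", false, 4, (Object) null);
        standardAlphabet = StringsKt.replace$default(standardAlphabet, "_", "/", false, 4, (Object) null);
        byte[] signatureBytes = Base64.decode(standardAlphabet, Base64.DEFAULT);
        Intrinsics.checkExpressionValueIsNotNull(signatureBytes, "signatureBytes");
        return verifier.verify(signatureToASN1(signatureBytes));
    }

    /**
     * Walks the chain in the order received: every certificate must pass {@link #isCertValid},
     * every certificate except the last must be signed by the key of the one after it, and the
     * last one is passed to {@link #verifyRoot}.
     *
     * <p>NOTE(review): only signatures and validity dates are checked here. Issuer/subject name
     * chaining and CA constraints on the intermediates are not examined in this class.
     *
     * @throws ExperimentDownloadException if any check fails
     */
    private final void verifyCertChain(List<X509Certificate> chain) {
        int lastIndex = chain.size() - 1;
        for (int index = 0; index <= lastIndex; index++) {
            X509Certificate certificate = chain.get(index);
            if (!isCertValid(certificate)) {
                throw new ExperimentDownloadException("Certificate expired or not yet valid");
            }
            if (index == lastIndex) {
                verifyRoot(certificate);
            } else {
                verifyCertSignedByParent(certificate, index, chain);
            }
        }
    }

    /**
     * Checks that {@code certificate} was signed with the public key of the next certificate in
     * {@code chain}; any verification failure is rethrown through {@link #invalidCertChain}.
     */
    private final void verifyCertSignedByParent(X509Certificate certificate, int index, List<X509Certificate> chain) {
        try {
            certificate.verify(chain.get(index + 1).getPublicKey());
        } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException
                | SignatureException | CertificateException e) {
            invalidCertChain(e);
        }
    }

    /**
     * Checks that the last certificate of the chain names itself as its issuer.
     *
     * <p>NOTE(review): this is a string comparison of the subject and issuer names only. The
     * certificate's self-signature is not verified and it is not matched against a pinned root
     * (for example by fingerprint), so this method alone does not establish who issued the chain.
     * Confirm whether a trust anchor is enforced elsewhere; if not, a pinned-root comparison
     * belongs here.
     *
     * @throws ExperimentDownloadException if subject and issuer names differ
     */
    private final void verifyRoot(X509Certificate certificate) {
        Principal subject = certificate.getSubjectDN();
        Intrinsics.checkExpressionValueIsNotNull(subject, "certificate.subjectDN");
        Principal issuer = certificate.getIssuerDN();
        Intrinsics.checkExpressionValueIsNotNull(issuer, "certificate.issuerDN");
        if (!Intrinsics.areEqual(subject.getName(), issuer.getName())) {
            throw new ExperimentDownloadException("subject does not match issuer");
        }
    }

    /**
     * Verifies the signature in the Kinto metadata against {@code experiments}.
     *
     * <p>The signed payload is rebuilt locally: the experiments are sorted by id, serialized to a
     * JSON array, and wrapped as
     * {@code Content-Signature:\0{"data":<array>,"last_modified":"<l>"}}.
     *
     * @param experiments experiments whose serialization was signed
     * @param l last-modified value placed in the payload; {@code null} is rendered as the text
     *     {@code null} by the string concatenation
     * @return {@code true} if the signature verifies, and also when no metadata is available
     * @throws ExperimentDownloadException if the certificate chain or signature encoding is invalid
     */
    public final boolean validSignature$service_fretboard_release(List experiments, Long l) {
        Intrinsics.checkParameterIsNotNull(experiments, "experiments");
        // The payload must list experiments in id order, whatever order the caller supplied.
        List sorted = CollectionsKt.sortedWith(experiments, new Comparator() {
            @Override // java.util.Comparator
            public final int compare(Object first, Object second) {
                return ComparisonsKt.compareValues(((Experiment) first).getId$service_fretboard_release(), ((Experiment) second).getId$service_fretboard_release());
            }
        });
        JSONArray serialized = new JSONArray();
        JSONExperimentParser parser = new JSONExperimentParser();
        for (Object experiment : sorted) {
            serialized.put(parser.toJson((Experiment) experiment));
        }
        String metadata = this.kintoClient.getMetadata();
        if (metadata == null) {
            // NOTE(review): fail-open. Without metadata the experiments are reported as validly
            // signed although nothing was verified. If getMetadata() can return null when the
            // response is missing or suppressed, this skips signature enforcement; returning
            // false would be the fail-closed choice. Behavior is kept because callers are not
            // visible here.
            return true;
        }
        JSONObject signatureJson = new JSONObject(metadata).getJSONObject("data").getJSONObject("signature");
        String signature = signatureJson.getString("signature");
        // The certificate location comes from the same metadata document as the signature.
        PublicKey signingKey = getX5U(new URL(signatureJson.getString("x5u")));
        String arrayJson = serialized.toString();
        Intrinsics.checkExpressionValueIsNotNull(arrayJson, "resultJson.toString()");
        // Turn "\/" back into "/" in the serialized array, presumably so the bytes match what
        // the server signed.
        String unescapedJson = StringsKt.replace$default(arrayJson, "\\/", "/", false, 4, (Object) null);
        String payload = "Content-Signature:\u0000{\"data\":" + unescapedJson + ",\"last_modified\":\"" + l + "\"}";
        Intrinsics.checkExpressionValueIsNotNull(signature, "signature");
        return validSignature(payload, signature, signingKey);
    }
}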
