package in.juspay.trident.security;

import android.util.Base64;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import in.juspay.hyper.constants.LogSubCategory;
import in.juspay.trident.exception.InvalidInputException;
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import kotlin.Unit;
import kotlin.jvm.internal.Intrinsics;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONObject;

/* loaded from: classes8.dex */
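/**
 * Verifies a compact-serialised signed JWT whose signing certificate travels in the
 * token's own {@code x5c} header, and returns the payload as JSON.
 *
 * <p>Because the verification key comes from the token itself, the signature check is
 * only meaningful when the {@code x5c} chain has first been tied to the caller-supplied
 * root certificate. The public entry point therefore rejects the token when chain
 * validation fails instead of continuing with an unanchored key.
 *
 * <p>Method and field names are the obfuscated names produced by the decompiler and are
 * kept so the listing can still be cross-referenced.
 */
public final class k {

    /* renamed from: a, reason: collision with root package name */
    // Shared instance; the private constructor prevents any other instantiation.
    public static final k f7744a = new k();

    private k() {
    }

    /**
     * Parses a Base64 (no line wrapping) DER-encoded X.509 certificate.
     *
     * @param str Base64 text of the certificate
     * @return the parsed certificate
     */
    private final Certificate a(String str) {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Intrinsics.checkNotNullExpressionValue(certificateFactory, "getInstance(\"X.509\")");
        byte[] decode = Base64.decode(str, Base64.NO_WRAP);
        Intrinsics.checkNotNullExpressionValue(decode, "decode(certStr, Base64.NO_WRAP)");
        Certificate generateCertificate = certificateFactory.generateCertificate(new ByteArrayInputStream(decode));
        Intrinsics.checkNotNullExpressionValue(generateCertificate, "cf.generateCertificate(`is`)");
        return generateCertificate;
    }

    /**
     * Returns the certificate's public key when it is an EC key.
     *
     * @param certificate certificate to read the key from
     * @return the EC public key, or {@code null} when the key is of another type
     */
    private final ECPublicKey a(Certificate certificate) {
        PublicKey publicKey = certificate.getPublicKey();
        return publicKey instanceof ECPublicKey ? (ECPublicKey) publicKey : null;
    }

    /**
     * Verifies an ES256 token against the key of the first {@code x5c} certificate.
     *
     * <p>This method does not validate the certificate; the caller must have validated
     * the {@code x5c} chain before trusting the result.
     *
     * @param signedJWT parsed token
     * @return the token payload as JSON
     * @throws InvalidInputException when the leaf key is not an EC key or the signature
     *     does not verify
     */
    private final JSONObject a(SignedJWT signedJWT) {
        String base64 = signedJWT.getHeader().getX509CertChain().get(0).toString();
        Intrinsics.checkNotNullExpressionValue(base64, "signedJWT.header.x509CertChain[0].toString()");
        ECPublicKey leafKey = a(a(base64));
        if (leafKey == null) {
            // An ES256 token signed by a non-EC certificate is malformed; reject it
            // explicitly rather than letting a null key reach the verifier.
            throw new InvalidInputException();
        }
        if (signedJWT.verify(new ECDSAVerifier(leafKey))) {
            return new JSONObject(signedJWT.getPayload().toString());
        }
        throw new InvalidInputException();
    }

    /**
     * Parses the Base64 root certificate and validates the {@code x5c} chain against it.
     *
     * @param list {@code x5c} entries, leaf first
     * @param str Base64 text of the trusted root certificate
     */
    private final void a(List<com.nimbusds.jose.util.Base64> list, String str) {
        Certificate a2 = a(str);
        Intrinsics.checkNotNull(a2, "null cannot be cast to non-null type java.security.cert.X509Certificate");
        a(list, (X509Certificate) a2);
    }

    /**
     * Checks that each {@code x5c} certificate is within its validity period and is signed
     * by the next certificate in the list, with the trusted root appended as the last link.
     *
     * <p>NOTE(review): this checks signatures and validity dates only. Basic constraints,
     * key usage, issuer/subject name chaining, revocation and the root's own validity
     * period are not examined here; a PKIX {@code CertPathValidator} with the root as the
     * sole trust anchor would cover those.
     *
     * @param list {@code x5c} entries, leaf first
     * @param x509Certificate trusted root certificate
     * @throws InvalidInputException when an {@code x5c} entry cannot be parsed
     */
    private final void a(List<com.nimbusds.jose.util.Base64> list, X509Certificate x509Certificate) {
        List<X509Certificate> chain = new ArrayList<>();
        for (com.nimbusds.jose.util.Base64 entry : list) {
            X509Certificate parsed = X509CertUtils.parse(entry.decode());
            if (parsed == null) {
                // X509CertUtils.parse returns null for bytes that are not a certificate.
                throw new InvalidInputException();
            }
            parsed.checkValidity();
            chain.add(parsed);
        }
        chain.add(x509Certificate);
        // verify() throws when the signature does not match the issuer key.
        for (int i = 0; i < chain.size() - 1; i++) {
            chain.get(i).verify(chain.get(i + 1).getPublicKey());
        }
    }

    /**
     * Verifies a PS256 (RSASSA-PSS with SHA-256) token against the first {@code x5c}
     * certificate, using the BouncyCastle provider.
     *
     * <p>This method does not validate the certificate; the caller must have validated
     * the {@code x5c} chain before trusting the result.
     *
     * @param signedJWT parsed token
     * @return the token payload as JSON
     * @throws InvalidInputException when the signature does not verify
     */
    private final JSONObject b(SignedJWT signedJWT) {
        byte[] signatureBytes = signedJWT.getSignature().decode();
        byte[] leafDer = signedJWT.getHeader().getX509CertChain().get(0).decode();
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Intrinsics.checkNotNullExpressionValue(certificateFactory, "getInstance(\"X.509\")");
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(leafDer);
        Signature signature = Signature.getInstance("SHA256withRSAandMGF1", new BouncyCastleProvider());
        signature.initVerify(certificateFactory.generateCertificate(byteArrayInputStream));
        signature.update(signedJWT.getSigningInput());
        if (signature.verify(signatureBytes)) {
            return new JSONObject(signedJWT.getPayload().toString());
        }
        throw new InvalidInputException();
    }

    /**
     * Validates the token's {@code x5c} chain against {@code rootCert}, verifies the token
     * signature with the leaf certificate, and returns the payload.
     *
     * <p>Only {@code ES256} and {@code PS256} are accepted; any other header algorithm is
     * rejected.
     *
     * @param rootCert Base64 (no wrap) DER encoding of the trusted root certificate
     * @param jwtS compact serialisation of the signed JWT
     * @param tracker analytics sink for validation events
     * @return the token payload as JSON
     * @throws InvalidInputException when the {@code x5c} header is missing or empty, the
     *     chain does not validate against {@code rootCert}, or the signature does not verify
     * @throws RuntimeException when the header algorithm is neither ES256 nor PS256
     */
    public final JSONObject a(String rootCert, String jwtS, in.juspay.trident.analytics.a tracker) {
        Intrinsics.checkNotNullParameter(rootCert, "rootCert");
        Intrinsics.checkNotNullParameter(jwtS, "jwtS");
        Intrinsics.checkNotNullParameter(tracker, "tracker");
        // NOTE(review): the helper's behaviour is not visible here; if it logs, confirm
        // that the raw token is not written anywhere persistent.
        in.juspay.trident.utils.a.f8014a.b(jwtS);
        SignedJWT signedJWT = SignedJWT.parse(jwtS);
        try {
            List<com.nimbusds.jose.util.Base64> x509CertChain = signedJWT.getHeader().getX509CertChain();
            if (x509CertChain == null || x509CertChain.isEmpty()) {
                // Without x5c there is no certificate to anchor to the root.
                throw new InvalidInputException();
            }
            a(x509CertChain, rootCert);
        } catch (Exception e2) {
            tracker.a("lifecycle", "trident", "certificate_validation", "certificate chain validation failed", e2);
            // Fail closed: the verification key below is taken from the token's own x5c
            // header, so continuing after a failed chain check would accept a signature
            // made with any certificate the sender chose to embed.
            throw new InvalidInputException();
        }
        JSONObject chainResult = new JSONObject();
        chainResult.put("certificate_validation", "success");
        tracker.c("trident", "certificate_validation", "info", chainResult);

        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        String algorithmName = algorithm.toString();
        JSONObject algorithmInfo = new JSONObject();
        algorithmInfo.put("signature_algorithm", algorithmName);
        tracker.b(LogSubCategory.Context.DEVICE, "info", "signature_algorithm", algorithmInfo);
        // The algorithm comes from the token header, so it is matched against a fixed
        // allow-list; anything else never reaches a verifier.
        if ("ES256".equals(algorithmName)) {
            return a(signedJWT);
        }
        if ("PS256".equals(algorithmName)) {
            return b(signedJWT);
        }
        RuntimeException runtimeException = new RuntimeException("ALGORITHM NOT SUPPORTED");
        tracker.a("lifecycle", "trident", "encryption_algorithm", "algorithm not supported", runtimeException);
        throw runtimeException;
    }
}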
