package in.juspay.trident.security;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.StandardCharset;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import in.juspay.hyper.constants.LogCategory;
import in.juspay.trident.exception.InvalidInputException;
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import kotlin.jvm.internal.Intrinsics;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONObject;

/* loaded from: classes2.dex */
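/**
 * Verifies a compact-serialized JWS whose signing certificate is carried in the header's
 * {@code x5c} chain, and returns its content as JSON.
 *
 * <p>This is decompiled, name-minified code: members such as {@code signedJWT.b},
 * {@code f9663a} or {@code f9691c} are obfuscated accessors of the Nimbus JOSE types and are
 * kept exactly as found. What each one holds is inferred from how it is used here.
 *
 * <p>Security-relevant behaviour: the key used for signature verification comes from the
 * token itself ({@code x5c[0]}), so the signature proves nothing unless that chain is first
 * anchored in the pinned root certificate. Chain validation therefore fails closed.
 */
public abstract class h {
    /**
     * Parses {@code jwtS} as a three-part JWS, validates its {@code x5c} chain against
     * {@code rootCert}, verifies the signature (ES256 or PS256 only) with the leaf
     * certificate's public key and returns the decoded content.
     *
     * @param rootCert Base64 text of the pinned X.509 root certificate
     * @param jwtS compact-serialized JWS
     * @param tracker analytics sink that receives the algorithm name and failure events
     * @return a {@link JSONObject} built from {@code signedJWT.f9669a} (presumably the payload)
     * @throws ParseException if {@code jwtS} is not a three-part compact serialization
     * @throws InvalidInputException if the certificate chain is not anchored in
     *     {@code rootCert}, the leaf key does not fit the algorithm, or the signature is invalid
     * @throws RuntimeException if the header algorithm is neither ES256 nor PS256
     */
    public static JSONObject a(String rootCert, String jwtS, in.juspay.trident.analytics.a tracker) {
        boolean verified;
        Intrinsics.h(rootCert, "rootCert");
        Intrinsics.h(jwtS, "jwtS");
        Intrinsics.h(tracker, "tracker");
        // Process-wide side effect: any provider registered as "BC" is replaced by a fresh
        // BouncyCastleProvider at the highest priority for every caller in this process.
        Security.removeProvider("BC");
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        // NOTE(review): opaque project helper, kept as found — confirm what it checks.
        in.juspay.trident.utils.a.b(jwtS);

        // Split on '.' and accept exactly three parts (header.payload.signature).
        String trim = jwtS.trim();
        int firstDot = trim.indexOf(".");
        if (firstDot == -1) {
            throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Missing part delimiters", 0);
        }
        int payloadStart = firstDot + 1;
        int secondDot = trim.indexOf(".", payloadStart);
        if (secondDot == -1) {
            throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Missing second delimiter", 0);
        }
        int signatureStart = secondDot + 1;
        int thirdDot = trim.indexOf(".", signatureStart);
        if (thirdDot != -1) {
            // More than three parts is a JWE-shaped or malformed token; each shape keeps the
            // message it produced before.
            int fourthDot = trim.indexOf(".", thirdDot + 1);
            if (fourthDot == -1) {
                throw new ParseException("Invalid serialized JWE object: Missing fourth delimiter", 0);
            }
            if (trim.indexOf(".", fourthDot + 1) != -1) {
                throw new ParseException("Invalid serialized unsecured/JWS/JWE object: Too many part delimiters", 0);
            }
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        SignedJWT signedJWT = new SignedJWT(
                new Base64URL(trim.substring(0, firstDot)),
                new Base64URL(trim.substring(payloadStart, secondDot)),
                new Base64URL(trim.substring(signatureStart)));

        // The verification key below is taken from the token's own x5c header, so an
        // unvalidated chain would let any self-issued certificate vouch for the token.
        // A validation failure is recorded and then rejected instead of being ignored.
        try {
            List c7 = signedJWT.b.c();
            Intrinsics.g(c7, "getX509CertChain(...)");
            a(c7, rootCert);
        } catch (Exception e) {
            tracker.a(LogCategory.LIFECYCLE, "trident", "certificate_validation", "certificate chain validation failed", e);
            throw new InvalidInputException();
        }

        JWSAlgorithm jWSAlgorithm = (JWSAlgorithm) signedJWT.b.f9667a;
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("signature_algorithm", jWSAlgorithm.f9663a);
        tracker.a("signature_algorithm", jSONObject);

        // Allow-list of algorithms: anything other than ES256 / PS256 is refused.
        if (!Intrinsics.c(jWSAlgorithm.f9663a, "ES256")) {
            if (!Intrinsics.c(jWSAlgorithm.f9663a, "PS256")) {
                RuntimeException runtimeException = new RuntimeException("ALGORITHM NOT SUPPORTED");
                tracker.a(LogCategory.LIFECYCLE, "trident", "encryption_algorithm", "algorithm not supported", runtimeException);
                throw runtimeException;
            }
            // PS256: RSASSA-PSS over the signing input, keyed by the leaf certificate.
            byte[] signatureBytes = signedJWT.d.a();
            byte[] leafBytes = ((Base64) signedJWT.b.c().get(0)).a();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Intrinsics.g(certificateFactory, "getInstance(...)");
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(leafBytes);
            Signature signature = Signature.getInstance("SHA256withRSAandMGF1", "BC");
            signature.initVerify(certificateFactory.generateCertificate(byteArrayInputStream));
            signature.update(signedJWT.f9691c.getBytes(StandardCharset.f9755a));
            if (signature.verify(signatureBytes)) {
                return new JSONObject(signedJWT.f9669a.toString());
            }
            throw new InvalidInputException();
        }

        // ES256: re-register BC (now appended rather than inserted first) and verify with
        // the leaf certificate's EC public key.
        Security.removeProvider("BC");
        Security.addProvider(new BouncyCastleProvider());
        String base64 = ((Base64) signedJWT.b.c().get(0)).toString();
        Intrinsics.g(base64, "toString(...)");
        CertificateFactory certificateFactory2 = CertificateFactory.getInstance("X.509");
        Intrinsics.g(certificateFactory2, "getInstance(...)");
        byte[] decode = android.util.Base64.decode(base64, 2);
        Intrinsics.g(decode, "decode(...)");
        Certificate generateCertificate = certificateFactory2.generateCertificate(new ByteArrayInputStream(decode));
        Intrinsics.g(generateCertificate, "generateCertificate(...)");
        PublicKey publicKey = generateCertificate.getPublicKey();
        if (!(publicKey instanceof ECPublicKey)) {
            // An ES256 header paired with a non-EC leaf key is an algorithm/key mismatch;
            // reject it explicitly instead of handing a null key to the verifier.
            throw new InvalidInputException();
        }
        ECDSAVerifier eCDSAVerifier = new ECDSAVerifier((ECPublicKey) publicKey);
        synchronized (signedJWT) {
            JWSObject.State state = signedJWT.e;
            if (state != JWSObject.State.SIGNED && state != JWSObject.State.VERIFIED) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                verified = eCDSAVerifier.a(signedJWT.b, signedJWT.f9691c.getBytes(StandardCharset.f9755a), signedJWT.d);
                if (verified) {
                    signedJWT.e = JWSObject.State.VERIFIED;
                }
            } catch (JOSEException e2) {
                throw e2;
            } catch (Exception e6) {
                throw new JOSEException(e6.getMessage(), e6);
            }
        }
        if (verified) {
            return new JSONObject(signedJWT.f9669a.toString());
        }
        throw new InvalidInputException();
    }

    /**
     * Checks that the certificates in {@code list} form a signature chain ending at the
     * pinned root: every listed certificate must parse and be within its validity period,
     * each one must be signed by the next, and the last one must be signed by the root.
     *
     * <p>NOTE(review): only validity dates and signature linkage are checked. Basic
     * constraints, key usage, name constraints and revocation are not, and the root's own
     * validity period is not examined. A PKIX {@code CertPathValidator} with the root as
     * the sole trust anchor would cover the first three.
     *
     * @param list the header's {@code x5c} entries (Nimbus {@code Base64} values), leaf first
     * @param str Base64 text of the pinned X.509 root certificate
     * @throws CertificateException if the chain is missing or empty, an entry cannot be
     *     parsed, or a certificate is outside its validity period
     */
    public static void a(List list, String str) {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Intrinsics.g(certificateFactory, "getInstance(...)");
        byte[] decode = android.util.Base64.decode(str, 2);
        Intrinsics.g(decode, "decode(...)");
        Certificate generateCertificate = certificateFactory.generateCertificate(new ByteArrayInputStream(decode));
        Intrinsics.g(generateCertificate, "generateCertificate(...)");
        X509Certificate trustedRoot = (X509Certificate) generateCertificate;

        // With no entries the linkage loop below would have nothing to verify and the
        // chain would be accepted vacuously.
        if (list == null || list.isEmpty()) {
            throw new CertificateException("x5c certificate chain is missing or empty");
        }

        List<X509Certificate> chain = new ArrayList<>();
        for (Object entry : list) {
            // A parse failure is reported as a certificate error rather than being turned
            // into a null that is dereferenced on the next line.
            X509Certificate parsed = X509CertUtils.a(((Base64) entry).a());
            if (parsed == null) {
                throw new CertificateException("x5c entry is not a parsable X.509 certificate");
            }
            parsed.checkValidity();
            chain.add(parsed);
        }
        chain.add(trustedRoot);

        // Each certificate must verify under the public key of its successor; the pinned
        // root is the final successor.
        for (int i = 0; i + 1 < chain.size(); i++) {
            chain.get(i).verify(chain.get(i + 1).getPublicKey());
        }
    }
}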
