package com.stripe.android.stripe3ds2.transaction;

import F.d;
import W.a;
import W.g;
import W.h;
import W.q;
import W.r;
import W.s;
import W.t;
import W.u;
import X.f;
import Z.e;
import Z.i;
import a.AbstractC0289a;
import androidx.annotation.VisibleForTesting;
import b0.C0302a;
import com.google.common.primitives.UnsignedBytes;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.crypto.SecretKey;
import k2.C0539A;
import k2.m;
import k2.n;
import kotlin.jvm.internal.AbstractC0549h;
import kotlin.jvm.internal.p;
import l2.AbstractC0568G;
import l2.AbstractC0577e;
import l2.AbstractC0590r;
import l2.AbstractC0591s;
import l2.C0574b;
import m0.AbstractC0608f;
import m0.C0603a;
import m0.C0604b;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.json.JSONException;
import org.json.JSONObject;
import w2.C0855a;
import w2.b;
import w2.c;

/* loaded from: classes4.dex */
public final class DefaultJwsValidator implements JwsValidator {

    @NotNull
    public static final Companion Companion = new Companion(null);

    @NotNull
    private final ErrorReporter errorReporter;
    private final boolean isLiveMode;

    @NotNull
    private final List<X509Certificate> rootCerts;

    /* loaded from: classes4.dex */
    public static final class Companion {
        private Companion() {
        }

        public /* synthetic */ Companion(AbstractC0549h abstractC0549h) {
            this();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public final void validateChain(List<? extends C0603a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
            LinkedList q3 = AbstractC0289a.q(list);
            KeyStore createKeyStore = createKeyStore(list2);
            X509CertSelector x509CertSelector = new X509CertSelector();
            x509CertSelector.setCertificate((X509Certificate) q3.get(0));
            PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
            pKIXBuilderParameters.setRevocationEnabled(false);
            pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(q3)));
            CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
        }

        @VisibleForTesting
        @NotNull
        public final KeyStore createKeyStore(@NotNull List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
            p.f(rootCerts, "rootCerts");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            int i = 0;
            for (Object obj : rootCerts) {
                int i3 = i + 1;
                if (i < 0) {
                    AbstractC0591s.M();
                    throw null;
                }
                keyStore.setCertificateEntry(String.format(Locale.ROOT, "ca_%d", Arrays.copyOf(new Object[]{Integer.valueOf(i)}, 1)), rootCerts.get(i));
                i = i3;
            }
            return keyStore;
        }

        @NotNull
        public final q sanitizedJwsHeader$3ds2sdk_release(@NotNull q jwsHeader) {
            p.f(jwsHeader, "jwsHeader");
            W.p pVar = (W.p) jwsHeader.f1393a;
            if (pVar.f1391a.equals(a.f1390b.f1391a)) {
                throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
            }
            return new q(pVar, jwsHeader.f1394b, jwsHeader.c, jwsHeader.d, jwsHeader.g, null, jwsHeader.j, jwsHeader.k, jwsHeader.f1395l, jwsHeader.f1396m, jwsHeader.f1397n, jwsHeader.f1442p, jwsHeader.e, null);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    public DefaultJwsValidator(boolean z, @NotNull List<? extends X509Certificate> rootCerts, @NotNull ErrorReporter errorReporter) {
        p.f(rootCerts, "rootCerts");
        p.f(errorReporter, "errorReporter");
        this.isLiveMode = z;
        this.rootCerts = rootCerts;
        this.errorReporter = errorReporter;
    }

    private final X509Certificate certificateFromString(String str) {
        int i;
        int i3;
        int i4;
        boolean z;
        int i5;
        int i6 = 8;
        int i7 = -2;
        C0855a c0855a = c.c;
        int length = str.length();
        c0855a.getClass();
        int length2 = str.length();
        C0574b c0574b = AbstractC0577e.Companion;
        c0574b.getClass();
        C0574b.a(0, length, length2);
        String substring = str.substring(0, length);
        p.e(substring, "substring(...)");
        byte[] bytes = substring.getBytes(I2.a.d);
        p.e(bytes, "getBytes(...)");
        int length3 = bytes.length;
        int length4 = bytes.length;
        c0574b.getClass();
        C0574b.a(0, length3, length4);
        boolean z3 = c0855a.f5508b;
        if (length3 == 0) {
            i3 = 0;
        } else {
            if (length3 == 1) {
                throw new IllegalArgumentException(d.g(length3, "Input should have at least 2 symbols for Base64 decoding, startIndex: 0, endIndex: "));
            }
            if (z3) {
                i = length3;
                int i8 = 0;
                while (true) {
                    if (i8 >= length3) {
                        break;
                    }
                    int i9 = w2.d.f5509a[bytes[i8] & UnsignedBytes.MAX_VALUE];
                    if (i9 < 0) {
                        if (i9 == -2) {
                            i -= length3 - i8;
                            break;
                        }
                        i--;
                    }
                    i8++;
                }
            } else if (bytes[length3 - 1] == 61) {
                i = length3 - 1;
                if (bytes[length3 - 2] == 61) {
                    i = length3 - 2;
                }
            } else {
                i = length3;
            }
            i3 = (int) ((i * 6) / 8);
        }
        byte[] bArr = new byte[i3];
        int[] iArr = c0855a.f5507a ? w2.d.f5510b : w2.d.f5509a;
        int i10 = -8;
        int i11 = 0;
        int i12 = 0;
        int i13 = 0;
        int i14 = -8;
        while (true) {
            int i15 = i6;
            if (i12 >= length3) {
                i4 = i7;
                z = false;
                break;
            }
            if (i14 == i10 && (i5 = i12 + 3) < length3) {
                int i16 = i12 + 4;
                int i17 = (iArr[bytes[i12] & UnsignedBytes.MAX_VALUE] << 18) | (iArr[bytes[i12 + 1] & UnsignedBytes.MAX_VALUE] << 12) | (iArr[bytes[i12 + 2] & UnsignedBytes.MAX_VALUE] << 6) | iArr[bytes[i5] & UnsignedBytes.MAX_VALUE];
                if (i17 >= 0) {
                    bArr[i11] = (byte) (i17 >> 16);
                    int i18 = i11 + 2;
                    bArr[i11 + 1] = (byte) (i17 >> 8);
                    i11 += 3;
                    bArr[i18] = (byte) i17;
                    i6 = i15;
                    i12 = i16;
                    i7 = -2;
                    i10 = -8;
                }
            }
            int i19 = bytes[i12] & UnsignedBytes.MAX_VALUE;
            int i20 = iArr[i19];
            if (i20 >= 0) {
                i12++;
                i13 = (i13 << 6) | i20;
                int i21 = i14 + 6;
                if (i21 >= 0) {
                    bArr[i11] = (byte) (i13 >>> i21);
                    i13 &= (1 << i21) - 1;
                    i14 -= 2;
                    i11++;
                    i7 = -2;
                    i6 = 8;
                    i10 = -8;
                } else {
                    i14 = i21;
                    i6 = 8;
                }
            } else if (i20 == -2) {
                if (i14 == -8) {
                    throw new IllegalArgumentException(d.g(i12, "Redundant pad character at index "));
                }
                if (i14 == -6) {
                    b[] bVarArr = b.f5506a;
                } else if (i14 == -4) {
                    b[] bVarArr2 = b.f5506a;
                    i12++;
                    if (z3) {
                        while (i12 < length3) {
                            if (w2.d.f5509a[bytes[i12] & UnsignedBytes.MAX_VALUE] != -1) {
                                break;
                            }
                            i12++;
                        }
                    }
                    if (i12 == length3 || bytes[i12] != 61) {
                        throw new IllegalArgumentException(d.g(i12, "Missing one pad character at index "));
                    }
                } else if (i14 != -2) {
                    throw new IllegalStateException("Unreachable");
                }
                i12++;
                z = true;
                i4 = -2;
            } else {
                if (!z3) {
                    StringBuilder sb = new StringBuilder("Invalid symbol '");
                    sb.append((char) i19);
                    sb.append("'(");
                    com.bumptech.glide.c.l(i15);
                    String num = Integer.toString(i19, i15);
                    p.e(num, "toString(...)");
                    sb.append(num);
                    sb.append(") at index ");
                    sb.append(i12);
                    throw new IllegalArgumentException(sb.toString());
                }
                i12++;
                i6 = i15;
            }
            i7 = -2;
            i10 = -8;
        }
        if (i14 == i4) {
            throw new IllegalArgumentException("The last unit of input does not have enough bits");
        }
        if (i14 != -8 && !z) {
            b[] bVarArr3 = b.f5506a;
            throw new IllegalArgumentException("The padding option is set to PRESENT, but the input is not properly padded");
        }
        if (i13 != 0) {
            throw new IllegalArgumentException("The pad bits must be zeros");
        }
        if (z3) {
            while (i12 < length3) {
                if (w2.d.f5509a[bytes[i12] & UnsignedBytes.MAX_VALUE] != -1) {
                    break;
                }
                i12++;
            }
        }
        if (i12 >= length3) {
            if (i11 != i3) {
                throw new IllegalStateException("Check failed.");
            }
            Certificate generateCertificate = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
            if (generateCertificate instanceof X509Certificate) {
                return (X509Certificate) generateCertificate;
            }
            return null;
        }
        int i22 = bytes[i12] & UnsignedBytes.MAX_VALUE;
        StringBuilder sb2 = new StringBuilder("Symbol '");
        sb2.append((char) i22);
        sb2.append("'(");
        com.bumptech.glide.c.l(8);
        String num2 = Integer.toString(i22, 8);
        p.e(num2, "toString(...)");
        sb2.append(num2);
        sb2.append(") at index ");
        throw new IllegalArgumentException(androidx.compose.animation.c.u(sb2, " is prohibited after the pad character", i12 - 1));
    }

    private final PublicKey getPublicKeyFromHeader(q qVar) throws CertificateException {
        List list = qVar.f1396m;
        p.e(list, "getX509CertChain(...)");
        PublicKey publicKey = AbstractC0568G.K(((C0603a) AbstractC0590r.l0(list)).a()).getPublicKey();
        p.e(publicKey, "getPublicKey(...)");
        return publicKey;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r4v13, types: [X.d] */
    /* JADX WARN: Type inference failed for: r4v9, types: [X.f] */
    private final t getVerifier(q qVar) throws g, CertificateException {
        X.c cVar;
        Y.a aVar = new Y.a();
        String str = p.a((W.p) qVar.f1393a, W.p.j) ? "SHA256withECDSA" : "SHA256withRSA";
        C0302a c0302a = aVar.f1510a;
        c0302a.f2137a = Signature.getInstance(str).getProvider();
        PublicKey publicKeyFromHeader = getPublicKeyFromHeader(qVar);
        Set set = Z.g.d;
        W.p pVar = (W.p) qVar.f1393a;
        if (set.contains(pVar)) {
            if (!(publicKeyFromHeader instanceof SecretKey)) {
                throw new u(SecretKey.class);
            }
            cVar = new X.d((SecretKey) publicKeyFromHeader);
        } else if (i.c.contains(pVar)) {
            if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                throw new u(RSAPublicKey.class);
            }
            cVar = new f((RSAPublicKey) publicKeyFromHeader);
        } else {
            if (!e.c.contains(pVar)) {
                throw new Exception("Unsupported JWS algorithm: " + pVar);
            }
            if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                throw new u(ECPublicKey.class);
            }
            cVar = new X.c((ECPublicKey) publicKeyFromHeader);
        }
        ((C0302a) cVar.f1549b).f2137a = c0302a.f2137a;
        return cVar;
    }

    private final boolean isValid(s sVar, List<? extends X509Certificate> list) throws g, CertificateException {
        boolean a4;
        if (sVar.f1445b.i != null) {
            this.errorReporter.reportError(new IllegalArgumentException("Encountered a JWK in " + sVar.f1445b));
        }
        Companion companion = Companion;
        q qVar = sVar.f1445b;
        p.e(qVar, "getHeader(...)");
        q sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(qVar);
        if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.f1396m, list)) {
            return false;
        }
        t verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
        synchronized (sVar) {
            AtomicReference atomicReference = sVar.e;
            if (atomicReference.get() != r.f1443a && atomicReference.get() != r.f1444b) {
                throw new IllegalStateException("The JWS object must be in a signed or verified state");
            }
            try {
                a4 = verifier.a(sVar.f1445b, sVar.c.getBytes(AbstractC0608f.f4706a), sVar.d);
                if (a4) {
                    sVar.e.set(r.f1444b);
                }
            } catch (g e) {
                throw e;
            } catch (Exception e4) {
                throw new Exception(e4.getMessage(), e4);
            }
        }
        return a4;
    }

    @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
    @NotNull
    public JSONObject getPayload(@NotNull String jws) throws JSONException, ParseException, g, CertificateException {
        p.f(jws, "jws");
        C0604b[] a4 = h.a(jws);
        if (a4.length != 3) {
            throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
        }
        s sVar = new s(a4[0], a4[1], a4[2]);
        if (this.isLiveMode) {
            if (isValid(sVar, this.rootCerts)) {
                return new JSONObject(sVar.f1403a.toString());
            }
            throw new IllegalStateException("Could not validate JWS");
        }
        q qVar = sVar.f1445b;
        List list = qVar.f1396m;
        if (list == null || list.isEmpty()) {
            return new JSONObject(sVar.f1403a.toString());
        }
        List list2 = qVar.f1396m;
        p.e(list2, "getX509CertChain(...)");
        ArrayList arrayList = new ArrayList();
        Iterator it = list2.iterator();
        while (it.hasNext()) {
            String str = ((C0603a) it.next()).f4703a;
            p.e(str, "toString(...)");
            X509Certificate certificateFromString = certificateFromString(str);
            if (certificateFromString != null) {
                arrayList.add(certificateFromString);
            }
        }
        if (arrayList.isEmpty() || !isValid(sVar, arrayList)) {
            throw new IllegalStateException("Could not validate JWS");
        }
        return new JSONObject(sVar.f1403a.toString());
    }

    @VisibleForTesting
    public final boolean isCertificateChainValid(@Nullable List<? extends C0603a> list, @NotNull List<? extends X509Certificate> rootCerts) {
        Object k;
        List<? extends C0603a> list2;
        p.f(rootCerts, "rootCerts");
        try {
            list2 = list;
        } catch (Throwable th) {
            k = AbstractC0289a.k(th);
        }
        if (list2 == null || list2.isEmpty()) {
            throw new IllegalArgumentException("JWSHeader's X.509 certificate chain is null or empty");
        }
        if (rootCerts.isEmpty()) {
            throw new IllegalArgumentException("Root certificates are empty");
        }
        Companion.validateChain(list, rootCerts);
        k = C0539A.f4598a;
        Throwable a4 = n.a(k);
        if (a4 != null) {
            this.errorReporter.reportError(a4);
        }
        return !(k instanceof m);
    }
}
