package io.grpc.internal;

import com.unity3d.services.UnityAdsConstants;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import o1.AbstractC3439j;
import o1.AbstractC3453x;
import o1.C3430a;
import o1.C3442m;
import o1.C3443n;
import o1.C3446q;
import p1.J;
import p1.L;
import q1.g;
import q1.i;

/* loaded from: classes2.dex */
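/**
 * Helpers for SPIFFE identities: parsing {@code spiffe://} URIs, reading the SPIFFE ID out of a
 * leaf certificate's URI SAN, and loading a JSON trust bundle of X.509 roots from disk.
 *
 * <p>This listing is decompiler output. The helper names {@code S.a}, {@code L}, {@code J},
 * {@code k2.b}, {@code A2.a}, {@code androidx.appcompat.widget.a}, {@code o1.*} and {@code q1.*}
 * are obfuscated; their behaviour is only inferred from how they are used here.
 * NOTE(review): {@code S.a.m(value, label)} looks like a null check and
 * {@code S.a.f(message, condition)} like an argument check that fails with {@code message} when
 * {@code condition} is false. Confirm against the real classes before relying on the exception
 * types.
 *
 * <p>Security note: nothing in this class validates a certificate chain. It only extracts and
 * syntax-checks identifiers and parses trust anchors. Path validation against the trust bundle
 * has to happen in the caller.
 */
public final class SpiffeUtil {
    static final /* synthetic */ boolean $assertionsDisabled = false;
    private static final String CERTIFICATE_PREFIX = "-----BEGIN CERTIFICATE-----\n";
    private static final String CERTIFICATE_SUFFIX = "-----END CERTIFICATE-----";
    private static final String KTY_PARAMETER_VALUE = "RSA";
    private static final String PREFIX = "spiffe://";
    // GeneralName tag for uniformResourceIdentifier, as reported by getSubjectAlternativeNames().
    private static final Integer URI_SAN_TYPE = 6;
    private static final String USE_PARAMETER_VALUE = "x509-svid";
    // NOTE(review): the decompiler replaced a string literal with a constant from an unrelated
    // SDK. The error messages below imply the value is "/" -- confirm, and consider inlining the
    // literal so identity parsing does not depend on an advertising library's constant.
    private static final String PATH_SEPARATOR = UnityAdsConstants.DefaultUrls.AD_ASSET_PATH;

    /**
     * Parsed trust bundle: per trust domain, the list of root certificates and the bundle
     * sequence number.
     */
    /* loaded from: classes2.dex */
    public static final class SpiffeBundle {
        private final L bundleMap;
        private final L sequenceNumbers;

        private SpiffeBundle(Map<String, Long> sequences, Map<String, List<X509Certificate>> roots) {
            // NOTE(review): L.b / L.a / J.q look like immutable-copy factories -- confirm.
            this.sequenceNumbers = L.b(sequences);
            k2.b a3 = L.a();
            for (Map.Entry<String, List<X509Certificate>> entry : roots.entrySet()) {
                a3.d(entry.getKey(), J.q(entry.getValue()));
            }
            this.bundleMap = a3.b();
        }

        /** Returns the trust-domain-name to root-certificate-list map. */
        public L getBundleMap() {
            return this.bundleMap;
        }

        /**
         * Returns the trust-domain-name to sequence-number map. {@code -1} marks a trust domain
         * whose bundle carried no {@code spiffe_sequence}; trust domains whose JSON object was
         * empty have no entry at all.
         */
        public L getSequenceNumbers() {
            return this.sequenceNumbers;
        }
    }

    /** A validated SPIFFE ID split into trust domain and path. */
    /* loaded from: classes2.dex */
    public static class SpiffeId {
        private final String path;
        private final String trustDomain;

        private SpiffeId(String trustDomain, String path) {
            this.trustDomain = trustDomain;
            this.path = path;
        }

        /** Returns the path including its leading separator, or the empty string if none. */
        public String getPath() {
            return this.path;
        }

        /** Returns the trust domain (the part between the scheme and the first separator). */
        public String getTrustDomain() {
            return this.trustDomain;
        }
    }

    private SpiffeUtil() {
    }

    /**
     * Rejects a JWK entry unless {@code kty} is {@code RSA}, {@code use} is {@code x509-svid}
     * and {@code kid} is absent.
     *
     * @throws IllegalArgumentException if any of the three conditions fails
     */
    private static void checkJwkEntry(Map<String, ?> jwk, String trustDomainName) {
        String kty = JsonUtil.getString(jwk, "kty");
        if (!KTY_PARAMETER_VALUE.equals(kty)) {
            throw new IllegalArgumentException(androidx.appcompat.widget.a.m("'kty' parameter must be 'RSA' but '", kty, "' found. Certificate loading for trust domain '", trustDomainName, "' failed."));
        }
        if (jwk.containsKey("kid")) {
            throw new IllegalArgumentException(androidx.appcompat.widget.a.C("'kid' parameter must not be set. Certificate loading for trust domain '", trustDomainName, "' failed."));
        }
        String use = JsonUtil.getString(jwk, "use");
        if (!USE_PARAMETER_VALUE.equals(use)) {
            throw new IllegalArgumentException(androidx.appcompat.widget.a.m("'use' parameter must be 'x509-svid' but '", use, "' found. Certificate loading for trust domain '", trustDomainName, "' failed."));
        }
    }

    /**
     * First-pass checks on the raw URI: non-null, 1..2048 characters, no {@code #} and no
     * {@code ?}. Rejecting query and fragment keeps one identity from having several spellings.
     */
    private static void doInitialUriValidation(String uri) {
        S.a.m(uri, "uri");
        S.a.f("Spiffe Id can't be empty", uri.length() > 0);
        S.a.f("Spiffe Id maximum length is 2048 characters", uri.length() <= 2048);
        S.a.f("Spiffe Id must not contain query fragments", !uri.contains("#"));
        S.a.f("Spiffe Id must not contain query parameters", !uri.contains("?"));
    }

    /**
     * Parses the single {@code x5c} certificate of each JWK entry into an X.509 root.
     *
     * @param keys the {@code keys} array of one trust domain
     * @param trustDomainName trust domain name, used only in error messages
     * @return the parsed certificates, in input order
     * @throws IllegalArgumentException if an entry fails {@link #checkJwkEntry}, does not carry
     *     exactly one {@code x5c} value, or that value does not parse to a certificate
     */
    private static List<X509Certificate> extractCert(List<Map<String, ?>> keys, String trustDomainName) {
        List<X509Certificate> roots = new ArrayList<>();
        for (Map<String, ?> jwk : keys) {
            checkJwkEntry(jwk, trustDomainName);
            List<String> x5c = JsonUtil.getListOfStrings(jwk, "x5c");
            if (x5c == null) {
                // NOTE(review): this stops at the first entry without "x5c" and silently drops
                // every later key, so the trust domain can end up with a truncated root list
                // and no error. Confirm this is intended rather than skipping the one entry or
                // rejecting the bundle.
                break;
            }
            if (x5c.size() != 1) {
                throw new IllegalArgumentException("Exactly 1 certificate is expected, but " + x5c.size() + " found. Certificate loading for trust domain '" + trustDomainName + "' failed.");
            }
            try {
                // The bundle carries bare base64; wrap it in PEM armour for CertificateFactory.
                String pem = A2.a.m(new StringBuilder(CERTIFICATE_PREFIX), x5c.get(0), "\n-----END CERTIFICATE-----");
                X509Certificate[] parsed = (X509Certificate[]) CertificateFactory.getInstance("X509").generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8))).toArray(new X509Certificate[0]);
                if (parsed.length == 0) {
                    // Without this guard an empty parse result surfaced as
                    // ArrayIndexOutOfBoundsException instead of the IllegalArgumentException
                    // used for every other malformed-bundle case.
                    throw new IllegalArgumentException("Certificate can't be parsed. Certificate loading for trust domain '" + trustDomainName + "' failed.");
                }
                // NOTE(review): if the blob decodes to several certificates, only the first is
                // kept and the rest are ignored without an error.
                roots.add(parsed[0]);
            } catch (CertificateException e) {
                throw new IllegalArgumentException(androidx.appcompat.widget.a.C("Certificate can't be parsed. Certificate loading for trust domain '", trustDomainName, "' failed."), e);
            }
        }
        return roots;
    }

    /**
     * Reads the SPIFFE ID from the URI SAN of the leaf certificate ({@code certChain[0]}).
     *
     * <p>Only the leaf's SAN list is inspected; the rest of the chain is not looked at and no
     * signature or path validation is done here. A leaf with more than one URI SAN is rejected
     * so that the identity is never ambiguous.
     *
     * @param x509CertificateArr certificate chain, leaf first; must be non-null and non-empty
     * @return {@code C3430a.f64852b} when the leaf has no SAN extension or no URI SAN, otherwise
     *     a {@code C3442m} wrapping the parsed {@link SpiffeId} (NOTE(review): these look like
     *     the absent and present variants of an Optional-like type -- confirm)
     * @throws CertificateParsingException if the SAN extension cannot be decoded
     * @throws IllegalArgumentException if the leaf carries more than one URI SAN
     */
    public static AbstractC3439j extractSpiffeId(X509Certificate[] x509CertificateArr) throws CertificateParsingException {
        S.a.m(x509CertificateArr, "certChain");
        S.a.f("certChain can't be empty", x509CertificateArr.length > 0);
        Collection<List<?>> subjectAlternativeNames = x509CertificateArr[0].getSubjectAlternativeNames();
        C3430a absent = C3430a.f64852b;
        if (subjectAlternativeNames == null) {
            return absent;
        }
        String uri = null;
        for (List<?> altName : subjectAlternativeNames) {
            // Each entry is [type tag, value]; only URI entries matter here.
            if (altName.size() >= 2 && URI_SAN_TYPE.equals(altName.get(0))) {
                if (uri != null) {
                    throw new IllegalArgumentException("Multiple URI SAN values found in the leaf cert.");
                }
                uri = (String) altName.get(1);
            }
        }
        if (uri == null) {
            return absent;
        }
        // parse() always returns a fresh SpiffeId, so no extra null check is needed.
        return new C3442m(parse(uri));
    }

    /**
     * Loads a SPIFFE trust bundle map from a JSON file.
     *
     * <p>A trust domain whose object is empty, or whose {@code keys} array is missing or empty,
     * is kept with an empty certificate list, which means that trust domain has no trust
     * anchors.
     *
     * @param str path of the trust bundle file
     * @return the per-trust-domain roots and sequence numbers
     * @throws IOException if the file cannot be read
     * @throws IllegalArgumentException if the JSON does not have the expected shape or a
     *     certificate cannot be loaded
     */
    public static SpiffeBundle loadTrustBundleFromFile(String str) throws IOException {
        Map<String, ?> trustDomains = readTrustDomainsFromFile(str);
        Map<String, List<X509Certificate>> roots = new HashMap<>();
        Map<String, Long> sequences = new HashMap<>();
        for (String trustDomainName : trustDomains.keySet()) {
            Map<String, ?> domainNode = JsonUtil.getObject(trustDomains, trustDomainName);
            if (domainNode.size() == 0) {
                roots.put(trustDomainName, Collections.emptyList());
                continue;
            }
            Long sequence = JsonUtil.getNumberAsLong(domainNode, "spiffe_sequence");
            sequences.put(trustDomainName, Long.valueOf(sequence == null ? -1L : sequence.longValue()));
            List<Map<String, ?>> keys = JsonUtil.getListOfObjects(domainNode, "keys");
            if (keys == null || keys.size() == 0) {
                roots.put(trustDomainName, Collections.emptyList());
            } else {
                roots.put(trustDomainName, extractCert(keys, trustDomainName));
            }
        }
        return new SpiffeBundle(sequences, roots);
    }

    /**
     * Parses and validates a SPIFFE ID.
     *
     * <p>The scheme is matched case-insensitively, while the trust domain itself must already be
     * lower case (see {@link #validateTrustDomain}). Path segments may not be empty, {@code .}
     * or {@code ..}, so two textually different accepted IDs never denote the same path.
     *
     * @param str the URI, for example {@code spiffe://example.org/workload}
     * @return the trust domain and the path; the path keeps its leading separator or is empty
     */
    public static SpiffeId parse(String str) {
        doInitialUriValidation(str);
        S.a.f("Spiffe Id must start with spiffe://", str.toLowerCase(Locale.US).startsWith(PREFIX));
        String trustDomain = str.substring(PREFIX.length());
        String path = "";
        if (trustDomain.contains(PATH_SEPARATOR)) {
            // Split once: everything after the first separator is the path.
            String[] parts = trustDomain.split(PATH_SEPARATOR, 2);
            trustDomain = parts[0];
            path = parts[1];
            S.a.f("Path must not include a trailing '/'", !path.isEmpty());
        }
        validateTrustDomain(trustDomain);
        validatePath(path);
        if (!path.isEmpty()) {
            path = PATH_SEPARATOR.concat(path);
        }
        return new SpiffeId(trustDomain, path);
    }

    /**
     * Reads the whole file, parses it as JSON and returns its {@code trust_domains} object.
     *
     * <p>The file is read fully into memory, sized by the channel's reported length, so the path
     * is expected to come from trusted configuration rather than from a peer.
     *
     * <p>NOTE(review): {@code q1.i} looks like a resource closer. The stream is registered on
     * it and {@code close()} is called after the read and again on the failure path. The
     * rethrow logic below is left exactly as decompiled.
     */
    private static Map<String, ?> readTrustDomainsFromFile(String str) throws IOException {
        S.a.m(str, "trustBundleFile");
        File file = new File(str);
        i iVar = new i();
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            iVar.f65485c.addFirst(fileInputStream);
            byte[] b10 = g.b(fileInputStream, fileInputStream.getChannel().size());
            iVar.close();
            Object parse = JsonParser.parse(new String(b10, StandardCharsets.UTF_8));
            if (!(parse instanceof Map)) {
                StringBuilder sb2 = new StringBuilder("SPIFFE Trust Bundle should be a JSON object. Found: ");
                sb2.append(parse == null ? null : parse.getClass());
                throw new IllegalArgumentException(sb2.toString());
            }
            Map<String, ?> object = JsonUtil.getObject((Map) parse, "trust_domains");
            S.a.m(object, "Mandatory trust_domains element is missing");
            S.a.f("Mandatory trust_domains element is missing", object.size() > 0);
            return object;
        } catch (Throwable th) {
            try {
                // Record the failure on the closer, then rethrow: IOException as is, anything
                // else through AbstractC3453x.a or wrapped in RuntimeException.
                iVar.f65486d = th;
                Object obj = AbstractC3453x.f64886a;
                if (IOException.class.isInstance(th)) {
                    throw ((Throwable) IOException.class.cast(th));
                }
                AbstractC3453x.a(th);
                throw new RuntimeException(th);
            } catch (Throwable th2) {
                iVar.close();
                throw th2;
            }
        }
    }

    /**
     * Validates the path part (without its leading separator): empty is allowed, a trailing
     * separator is not, and every segment must pass {@link #validatePathSegment}.
     */
    private static void validatePath(String path) {
        if (path.isEmpty()) {
            return;
        }
        S.a.f("Path must not include a trailing '/'", !path.endsWith(PATH_SEPARATOR));
        // NOTE(review): C3446q looks like a string splitter keyed on the separator char.
        C3446q splitter = C3446q.a(PATH_SEPARATOR.charAt(0));
        Iterator<?> segments = splitter.f64872b.d(splitter, path);
        while (segments.hasNext()) {
            validatePathSegment((String) segments.next());
        }
    }

    /**
     * Validates one path segment: non-empty, not {@code .} or {@code ..}, and made only of
     * ASCII letters, digits, dot, underscore and dash.
     */
    private static void validatePathSegment(String segment) {
        S.a.f("Individual path segments must not be empty", !segment.isEmpty());
        S.a.f("Individual path segments must not be relative path modifiers (i.e. ., ..)", !(segment.equals(".") || segment.equals("..")));
        // The message prints the class as [a-zA-Z0-9.-_]; the pattern actually enforced is the
        // one below, with the dash last so it is a literal and not a range.
        S.a.f("Individual path segments must contain only letters, numbers, dots, dashes, and underscores ([a-zA-Z0-9.-_])", segment.matches("[a-zA-Z0-9._-]+"));
    }

    /**
     * Validates the trust domain: 1..255 characters from lower-case ASCII letters, digits, dot,
     * underscore and dash. Upper case is rejected, not folded.
     */
    private static void validateTrustDomain(String trustDomain) {
        S.a.f("Trust Domain can't be empty", !trustDomain.isEmpty());
        S.a.f("Trust Domain maximum length is 255 characters", trustDomain.length() < 256);
        S.a.f("Trust Domain must contain only letters, numbers, dots, dashes, and underscores ([a-z0-9.-_])", trustDomain.matches("[a-z0-9._-]+"));
    }
}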
