package com.stripe.android.stripe3ds2.transaction;

import a0.l0;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.KeyTypeException;
import com.stripe.android.stripe3ds2.observability.ErrorReporter;
import cu0.a;
import cu0.b;
import cu0.e;
import cu0.f;
import cu0.g;
import h41.k;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateException;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.crypto.SecretKey;
import kotlin.Metadata;
import kotlin.jvm.internal.DefaultConstructorMarker;
import md0.w9;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONException;
import org.json.JSONObject;
import tt0.n;
import tt0.o;
import tt0.p;
import tt0.q;
import ut0.c;
import ut0.d;
import v31.a0;
import wt0.l;

/* compiled from: JwsValidator.kt */
@Metadata(bv = {1, 0, 3}, d1 = {"\u0000(\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0002\b\u0002\b`\u0018\u00002\u00020\u0001:\u0001\u000bJ&\u0010\u0002\u001a\u00020\u00032\u0006\u0010\u0004\u001a\u00020\u00052\u0006\u0010\u0006\u001a\u00020\u00072\f\u0010\b\u001a\b\u0012\u0004\u0012\u00020\n0\tH&¨\u0006\f"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/JwsValidator;", "", "getPayload", "Lorg/json/JSONObject;", "jws", "", "isLiveMode", "", "rootCerts", "", "Ljava/security/cert/X509Certificate;", "Default", "3ds2sdk_release"}, k = 1, mv = {1, 4, 2})
/* loaded from: classes14.dex */
public interface JwsValidator {

    /* compiled from: JwsValidator.kt */
    @Metadata(bv = {}, d1 = {"\u0000N\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0006\u0018\u0000 \u001c2\u00020\u0001:\u0001\u001cB\u000f\u0012\u0006\u0010\u0018\u001a\u00020\u0017¢\u0006\u0004\b\u001a\u0010\u001bJ\u001e\u0010\b\u001a\u00020\u00072\u0006\u0010\u0003\u001a\u00020\u00022\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0002J\u0010\u0010\f\u001a\u00020\u000b2\u0006\u0010\n\u001a\u00020\tH\u0002J\u0010\u0010\u000e\u001a\u00020\r2\u0006\u0010\n\u001a\u00020\tH\u0002J&\u0010\u0013\u001a\u00020\u00122\u0006\u0010\u0010\u001a\u00020\u000f2\u0006\u0010\u0011\u001a\u00020\u00072\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0016J&\u0010\u0016\u001a\u00020\u00072\u000e\u0010\u0015\u001a\n\u0012\u0004\u0012\u00020\u0014\u0018\u00010\u00042\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0004H\u0007R\u0014\u0010\u0018\u001a\u00020\u00178\u0002X\u0082\u0004¢\u0006\u0006\n\u0004\b\u0018\u0010\u0019¨\u0006\u001d"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/JwsValidator$Default;", "Lcom/stripe/android/stripe3ds2/transaction/JwsValidator;", "Ltt0/p;", "jwsObject", "", "Ljava/security/cert/X509Certificate;", "rootCerts", "", "isValid", "Ltt0/o;", "jwsHeader", "Ltt0/q;", "getVerifier", "Ljava/security/PublicKey;", "getPublicKeyFromHeader", "", "jws", "isLiveMode", "Lorg/json/JSONObject;", "getPayload", "Lcu0/a;", "encodedChainCerts", "isCertificateChainValid", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "errorReporter", "Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;", "<init>", "(Lcom/stripe/android/stripe3ds2/observability/ErrorReporter;)V", "Companion", "3ds2sdk_release"}, k = 1, mv = {1, 4, 2})
    /* loaded from: classes14.dex */
    public static final class Default implements JwsValidator {

        /* renamed from: Companion, reason: from kotlin metadata */
        public static final Companion INSTANCE = new Companion(null);
        private final ErrorReporter errorReporter;

        /* compiled from: JwsValidator.kt */
        @Metadata(bv = {}, d1 = {"\u0000,\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0002\u0010 \n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0007\b\u0086\u0003\u0018\u00002\u00020\u0001B\t\b\u0002¢\u0006\u0004\b\u0010\u0010\u0011J$\u0010\b\u001a\u00020\u00072\f\u0010\u0004\u001a\b\u0012\u0004\u0012\u00020\u00030\u00022\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0002H\u0002J\u0016\u0010\n\u001a\u00020\t2\f\u0010\u0006\u001a\b\u0012\u0004\u0012\u00020\u00050\u0002H\u0007J\u0017\u0010\u000f\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\u000bH\u0000¢\u0006\u0004\b\r\u0010\u000e¨\u0006\u0012"}, d2 = {"Lcom/stripe/android/stripe3ds2/transaction/JwsValidator$Default$Companion;", "", "", "Lcu0/a;", "encodedChainCerts", "Ljava/security/cert/X509Certificate;", "rootCerts", "Lu31/u;", "validateChain", "Ljava/security/KeyStore;", "createKeyStore", "Ltt0/o;", "jwsHeader", "sanitizedJwsHeader$3ds2sdk_release", "(Ltt0/o;)Ltt0/o;", "sanitizedJwsHeader", "<init>", "()V", "3ds2sdk_release"}, k = 1, mv = {1, 4, 2})
        /* loaded from: classes14.dex */
        public static final class Companion {
            private Companion() {
            }

            public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
                this();
            }

            /* JADX INFO: Access modifiers changed from: private */
            public final void validateChain(List<? extends a> list, List<? extends X509Certificate> list2) throws GeneralSecurityException, IOException, ParseException {
                LinkedList a12 = f.a(list);
                KeyStore createKeyStore = createKeyStore(list2);
                X509CertSelector x509CertSelector = new X509CertSelector();
                x509CertSelector.setCertificate((X509Certificate) a12.get(0));
                PKIXBuilderParameters pKIXBuilderParameters = new PKIXBuilderParameters(createKeyStore, x509CertSelector);
                pKIXBuilderParameters.setRevocationEnabled(false);
                pKIXBuilderParameters.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(a12)));
                CertPathBuilder.getInstance("PKIX").build(pKIXBuilderParameters);
            }

            public final KeyStore createKeyStore(List<? extends X509Certificate> rootCerts) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
                k.f(rootCerts, "rootCerts");
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null, null);
                int i12 = 0;
                for (Object obj : rootCerts) {
                    int i13 = i12 + 1;
                    if (i12 < 0) {
                        ia.a.m();
                        throw null;
                    }
                    keyStore.setCertificateEntry(l0.j(new Object[]{Integer.valueOf(i12)}, 1, Locale.ROOT, "ca_%d", "java.lang.String.format(locale, format, *args)"), rootCerts.get(i12));
                    i12 = i13;
                }
                return keyStore;
            }

            public final o sanitizedJwsHeader$3ds2sdk_release(o jwsHeader) {
                k.f(jwsHeader, "jwsHeader");
                n nVar = (n) jwsHeader.f107207c;
                if (nVar.f107200c.equals(tt0.a.f107199d.f107200c)) {
                    throw new IllegalArgumentException("The JWS algorithm \"alg\" cannot be \"none\"");
                }
                return new o(nVar, jwsHeader.f107208d, jwsHeader.f107209q, jwsHeader.f107210t, jwsHeader.Y, null, jwsHeader.P1, jwsHeader.Q1, jwsHeader.R1, jwsHeader.S1, jwsHeader.T1, jwsHeader.U1, jwsHeader.f107211x, null);
            }
        }

        public Default(ErrorReporter errorReporter) {
            k.f(errorReporter, "errorReporter");
            this.errorReporter = errorReporter;
        }

        private final PublicKey getPublicKeyFromHeader(o jwsHeader) throws CertificateException {
            List<a> list = jwsHeader.S1;
            k.e(list, "jwsHeader.x509CertChain");
            X509Certificate a12 = g.a(((a) a0.P(list)).a());
            k.e(a12, "X509CertUtils.parseWithE…().decode()\n            )");
            PublicKey publicKey = a12.getPublicKey();
            k.e(publicKey, "X509CertUtils.parseWithE…)\n            ).publicKey");
            return publicKey;
        }

        /* JADX WARN: Multi-variable type inference failed */
        /* JADX WARN: Type inference failed for: r5v13, types: [ut0.d] */
        /* JADX WARN: Type inference failed for: r5v9, types: [ut0.f] */
        private final q getVerifier(o jwsHeader) throws JOSEException, CertificateException {
            c cVar;
            vt0.a aVar = new vt0.a();
            xt0.a aVar2 = aVar.f112970a;
            k.e(aVar2, "verifierFactory.jcaContext");
            if (w9.f76494d == null) {
                w9.f76494d = new BouncyCastleProvider();
            }
            aVar2.f120125a = w9.f76494d;
            PublicKey publicKeyFromHeader = getPublicKeyFromHeader(jwsHeader);
            if (wt0.o.f115768d.contains((n) jwsHeader.f107207c)) {
                if (!(publicKeyFromHeader instanceof SecretKey)) {
                    throw new KeyTypeException(SecretKey.class);
                }
                cVar = new d((SecretKey) publicKeyFromHeader);
            } else if (wt0.q.f115772c.contains((n) jwsHeader.f107207c)) {
                if (!(publicKeyFromHeader instanceof RSAPublicKey)) {
                    throw new KeyTypeException(RSAPublicKey.class);
                }
                cVar = new ut0.f((RSAPublicKey) publicKeyFromHeader);
            } else {
                if (!l.f115763c.contains((n) jwsHeader.f107207c)) {
                    StringBuilder g12 = android.support.v4.media.c.g("Unsupported JWS algorithm: ");
                    g12.append((n) jwsHeader.f107207c);
                    throw new JOSEException(g12.toString());
                }
                if (!(publicKeyFromHeader instanceof ECPublicKey)) {
                    throw new KeyTypeException(ECPublicKey.class);
                }
                cVar = new c((ECPublicKey) publicKeyFromHeader);
            }
            ((xt0.a) cVar.f115758b).f120125a = aVar.f112970a.f120125a;
            return cVar;
        }

        private final boolean isValid(p jwsObject, List<? extends X509Certificate> rootCerts) throws JOSEException, CertificateException {
            boolean c12;
            o oVar = jwsObject.f107237d;
            k.e(oVar, "jwsObject.header");
            if (oVar.Z != null) {
                ErrorReporter errorReporter = this.errorReporter;
                StringBuilder g12 = android.support.v4.media.c.g("Encountered a JWK in ");
                g12.append(jwsObject.f107237d);
                errorReporter.reportError(new IllegalArgumentException(g12.toString()));
            }
            Companion companion = INSTANCE;
            o oVar2 = jwsObject.f107237d;
            k.e(oVar2, "jwsObject.header");
            o sanitizedJwsHeader$3ds2sdk_release = companion.sanitizedJwsHeader$3ds2sdk_release(oVar2);
            if (!isCertificateChainValid(sanitizedJwsHeader$3ds2sdk_release.S1, rootCerts)) {
                return false;
            }
            q verifier = getVerifier(sanitizedJwsHeader$3ds2sdk_release);
            synchronized (jwsObject) {
                jwsObject.b();
                try {
                    c12 = verifier.c(jwsObject.f107237d, jwsObject.f107238q.getBytes(e.f41181a), jwsObject.f107239t);
                    if (c12) {
                        jwsObject.f107240x.set(p.a.VERIFIED);
                    }
                } catch (JOSEException e12) {
                    throw e12;
                } catch (Exception e13) {
                    throw new JOSEException(e13.getMessage(), e13);
                }
            }
            return c12;
        }

        @Override // com.stripe.android.stripe3ds2.transaction.JwsValidator
        public JSONObject getPayload(String jws, boolean isLiveMode, List<? extends X509Certificate> rootCerts) throws JSONException, ParseException, JOSEException, CertificateException {
            k.f(jws, "jws");
            k.f(rootCerts, "rootCerts");
            b[] a12 = tt0.f.a(jws);
            if (a12.length != 3) {
                throw new ParseException("Unexpected number of Base64URL parts, must be three", 0);
            }
            p pVar = new p(a12[0], a12[1], a12[2]);
            if (!isLiveMode || isValid(pVar, rootCerts)) {
                return new JSONObject(pVar.f107213c.toString());
            }
            throw new IllegalStateException("Could not validate JWS");
        }

        /* JADX WARN: Removed duplicated region for block: B:17:0x0032 A[Catch: all -> 0x0011, TryCatch #0 {all -> 0x0011, blocks: (B:20:0x0008, B:4:0x0014, B:6:0x0017, B:8:0x001e, B:15:0x0026, B:16:0x0031, B:17:0x0032, B:18:0x003d), top: B:19:0x0008 }] */
        /* JADX WARN: Removed duplicated region for block: B:6:0x0017 A[Catch: all -> 0x0011, TryCatch #0 {all -> 0x0011, blocks: (B:20:0x0008, B:4:0x0014, B:6:0x0017, B:8:0x001e, B:15:0x0026, B:16:0x0031, B:17:0x0032, B:18:0x003d), top: B:19:0x0008 }] */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        public final boolean isCertificateChainValid(java.util.List<? extends cu0.a> r3, java.util.List<? extends java.security.cert.X509Certificate> r4) {
            /*
                r2 = this;
                java.lang.String r0 = "rootCerts"
                h41.k.f(r4, r0)
                r0 = 1
                if (r3 == 0) goto L13
                boolean r1 = r3.isEmpty()     // Catch: java.lang.Throwable -> L11
                if (r1 == 0) goto Lf
                goto L13
            Lf:
                r1 = 0
                goto L14
            L11:
                r3 = move-exception
                goto L3e
            L13:
                r1 = 1
            L14:
                r1 = r1 ^ r0
                if (r1 == 0) goto L32
                boolean r1 = r4.isEmpty()     // Catch: java.lang.Throwable -> L11
                r1 = r1 ^ r0
                if (r1 == 0) goto L26
                com.stripe.android.stripe3ds2.transaction.JwsValidator$Default$Companion r1 = com.stripe.android.stripe3ds2.transaction.JwsValidator.Default.INSTANCE     // Catch: java.lang.Throwable -> L11
                com.stripe.android.stripe3ds2.transaction.JwsValidator.Default.Companion.access$validateChain(r1, r3, r4)     // Catch: java.lang.Throwable -> L11
                u31.u r3 = u31.u.f108088a     // Catch: java.lang.Throwable -> L11
                goto L42
            L26:
                java.lang.String r3 = "Root certificates are empty"
                java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L11
                java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L11
                r4.<init>(r3)     // Catch: java.lang.Throwable -> L11
                throw r4     // Catch: java.lang.Throwable -> L11
            L32:
                java.lang.String r3 = "JWSHeader's X.509 certificate chain is null or empty"
                java.lang.IllegalArgumentException r4 = new java.lang.IllegalArgumentException     // Catch: java.lang.Throwable -> L11
                java.lang.String r3 = r3.toString()     // Catch: java.lang.Throwable -> L11
                r4.<init>(r3)     // Catch: java.lang.Throwable -> L11
                throw r4     // Catch: java.lang.Throwable -> L11
            L3e:
                u31.i$a r3 = ae0.c1.K(r3)
            L42:
                java.lang.Throwable r4 = u31.i.a(r3)
                if (r4 == 0) goto L4d
                com.stripe.android.stripe3ds2.observability.ErrorReporter r1 = r2.errorReporter
                r1.reportError(r4)
            L4d:
                boolean r3 = r3 instanceof u31.i.a
                r3 = r3 ^ r0
                return r3
            */
            throw new UnsupportedOperationException("Method not decompiled: com.stripe.android.stripe3ds2.transaction.JwsValidator.Default.isCertificateChainValid(java.util.List, java.util.List):boolean");
        }
    }

    JSONObject getPayload(String jws, boolean isLiveMode, List<? extends X509Certificate> rootCerts);
}
