package in.juspay.trident.security;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.SignedJWT;
import in.juspay.hyper.constants.LogCategory;
import in.juspay.trident.exception.InvalidInputException;
import java.io.ByteArrayInputStream;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import kotlin.Unit;
import kotlin.jvm.internal.Intrinsics;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.json.JSONObject;

/* loaded from: classes7.dex */
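/**
 * Verifies a signed JWT whose signing certificate is carried in the JWS {@code x5c} header and
 * returns its payload as JSON.
 *
 * <p>The {@code x5c} chain comes from the token itself, so it is untrusted input. The only trust
 * decision is whether that chain links to the root certificate supplied by the caller, so a failed
 * chain check must reject the token.
 */
public abstract class h {
    /**
     * Validates the {@code x5c} chain against {@code rootCert}, verifies the JWS signature with the
     * leaf certificate's public key, and returns the payload.
     *
     * <p>Only {@code ES256} and {@code PS256} are accepted. Exceptions raised by parsing and by the
     * JCA calls propagate to the caller unchanged.
     *
     * @param rootCert base64-encoded DER of the trusted root certificate
     * @param jwtS compact serialization of the signed JWT
     * @param tracker analytics sink that receives the algorithm name and failure events
     * @return the JWT payload parsed as a {@link JSONObject}
     * @throws InvalidInputException if the chain does not validate against {@code rootCert}, the
     *     leaf key does not fit the declared algorithm, or the signature does not verify
     * @throws RuntimeException if the header declares any other algorithm
     */
    public static JSONObject a(String rootCert, String jwtS, in.juspay.trident.analytics.a tracker) {
        Intrinsics.checkNotNullParameter(rootCert, "rootCert");
        Intrinsics.checkNotNullParameter(jwtS, "jwtS");
        Intrinsics.checkNotNullParameter(tracker, "tracker");
        // Process-wide side effect kept from the original: the registered "BC" provider is replaced
        // by a fresh BouncyCastleProvider at the highest priority on every call.
        Security.removeProvider("BC");
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        in.juspay.trident.utils.a.b(jwtS);
        SignedJWT jwt = SignedJWT.parse(jwtS);

        try {
            List x509CertChain = jwt.getHeader().getX509CertChain();
            Intrinsics.checkNotNullExpressionValue(x509CertChain, "getX509CertChain(...)");
            a(x509CertChain, rootCert);
        } catch (Exception e) {
            tracker.a(LogCategory.LIFECYCLE, "trident", "certificate_validation", "certificate chain validation failed", e);
            // Fail closed. The original only logged here and went on to verify the signature with
            // the key from x5c[0], which accepted a token signed under any certificate the sender
            // chose to embed. The cause is recorded by the tracker call above.
            throw new InvalidInputException();
        }

        JWSAlgorithm algorithm = jwt.getHeader().getAlgorithm();
        JSONObject algorithmEvent = new JSONObject();
        algorithmEvent.put("signature_algorithm", algorithm.toString());
        tracker.a("signature_algorithm", algorithmEvent);

        if (JWSAlgorithm.ES256.equals(algorithm)) {
            // Kept from the original: BC is re-registered, this time appended after the other
            // providers instead of at position 1.
            Security.removeProvider("BC");
            Security.addProvider(new BouncyCastleProvider());
            String leafBase64 = ((Base64) jwt.getHeader().getX509CertChain().get(0)).toString();
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            byte[] leafDer = android.util.Base64.decode(leafBase64, android.util.Base64.NO_WRAP);
            Certificate leaf = certificateFactory.generateCertificate(new ByteArrayInputStream(leafDer));
            PublicKey publicKey = leaf.getPublicKey();
            if (!(publicKey instanceof ECPublicKey)) {
                // The header says ES256 but the leaf key is not an EC key: reject the token
                // rather than handing a null key to ECDSAVerifier.
                throw new InvalidInputException();
            }
            if (jwt.verify(new ECDSAVerifier((ECPublicKey) publicKey))) {
                return new JSONObject(jwt.getPayload().toString());
            }
            throw new InvalidInputException();
        }

        if (!JWSAlgorithm.PS256.equals(algorithm)) {
            // The algorithm name is read from the token header, so anything outside the two
            // supported asymmetric algorithms is refused.
            RuntimeException unsupported = new RuntimeException("ALGORITHM NOT SUPPORTED");
            tracker.a(LogCategory.LIFECYCLE, "trident", "encryption_algorithm", "algorithm not supported", unsupported);
            throw unsupported;
        }

        byte[] signatureBytes = jwt.getSignature().decode();
        byte[] leafDer = ((Base64) jwt.getHeader().getX509CertChain().get(0)).decode();
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Signature verifier = Signature.getInstance("SHA256withRSAandMGF1", "BC");
        verifier.initVerify(certificateFactory.generateCertificate(new ByteArrayInputStream(leafDer)));
        verifier.update(jwt.getSigningInput());
        if (verifier.verify(signatureBytes)) {
            return new JSONObject(jwt.getPayload().toString());
        }
        throw new InvalidInputException();
    }

    /**
     * Checks that the certificates in {@code list} form a chain ending at the root certificate
     * {@code str}: each header certificate must be within its validity period and must be signed
     * by the key of the next certificate, and the last one by the root key.
     *
     * <p>NOTE(review): this checks signatures and the validity dates of the header certificates
     * only. It does not check the root's own validity period, basicConstraints/keyUsage on
     * intermediates, issuer/subject name chaining, or revocation. A PKIX {@code CertPathValidator}
     * anchored on the root would cover those; confirm whether that is required here.
     *
     * @param list the {@code x5c} entries, leaf first (elements are cast to nimbus {@code Base64})
     * @param str base64-encoded DER of the trusted root certificate
     * @throws InvalidInputException if the chain is empty or an entry cannot be parsed as X.509
     */
    public static void a(List list, String str) {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        byte[] rootDer = android.util.Base64.decode(str, android.util.Base64.NO_WRAP);
        X509Certificate root =
                (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(rootDer));

        if (list.isEmpty()) {
            // With no header certificates the signature loop below would not run at all, so an
            // empty chain would pass without any check having been made.
            throw new InvalidInputException();
        }

        List<X509Certificate> path = new ArrayList<>(list.size() + 1);
        for (Object entry : list) {
            X509Certificate cert = X509CertUtils.parse(((Base64) entry).decode());
            if (cert == null) {
                // X509CertUtils.parse returns null when the bytes are not a certificate.
                throw new InvalidInputException();
            }
            cert.checkValidity();
            path.add(cert);
        }
        path.add(root);

        // Each certificate must verify under the public key of its successor; the root is last.
        for (int i = 0; i + 1 < path.size(); i++) {
            path.get(i).verify(path.get(i + 1).getPublicKey());
        }
    }
}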
