package ch.admin.bag.covidcertificate.sdk.android.net.interceptor;

import android.util.Base64;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.security.SignatureException;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.StringsKt;

/* compiled from: JwsKeyResolver.kt */
@Metadata(d1 = {"\u0000*\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\b\u0000\u0018\u00002\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005¢\u0006\u0002\u0010\u0006J\u001c\u0010\u0007\u001a\u00020\b2\n\u0010\t\u001a\u0006\u0012\u0002\b\u00030\n2\u0006\u0010\u000b\u001a\u00020\fH\u0016R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n\u0000R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\r"}, d2 = {"Lch/admin/bag/covidcertificate/sdk/android/net/interceptor/JwsKeyResolver;", "Lio/jsonwebtoken/SigningKeyResolverAdapter;", "rootCA", "Ljava/security/cert/X509Certificate;", "expectedCommonName", "", "(Ljava/security/cert/X509Certificate;Ljava/lang/String;)V", "resolveSigningKey", "Ljava/security/Key;", "jwsHeader", "Lio/jsonwebtoken/JwsHeader;", "claims", "Lio/jsonwebtoken/Claims;", "sdk_prodRelease"}, k = 1, mv = {1, 6, 0}, xi = 48)
/* loaded from: classes.dex */
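/**
 * Resolves the key used to verify a JWS from the certificate chain carried in its
 * {@code x5c} header.
 *
 * <p>The {@code x5c} header is read before the JWS signature has been verified, so every
 * value in it is untrusted input. The signing key is returned only when all of the
 * following hold:
 * <ul>
 *   <li>every {@code x5c} entry decodes to an X.509 certificate;</li>
 *   <li>every certificate in the chain is inside its validity period;</li>
 *   <li>each certificate is signed by the next one in the chain, and every certificate
 *       used as an issuer carries the CA basic constraint;</li>
 *   <li>the last certificate is signed by the pinned {@code rootCA} key;</li>
 *   <li>the subject CN of the first (signing) certificate equals
 *       {@code expectedCommonName}.</li>
 * </ul>
 *
 * <p>NOTE(review): revocation, key usage and name constraints are not evaluated here.
 * If the pinned root issues certificates to other parties, consider a full PKIX path
 * validation ({@code java.security.cert.CertPathValidator}) with {@code rootCA} as the
 * only trust anchor.
 */
public final class JwsKeyResolver extends SigningKeyResolverAdapter {
    /** Attribute keyword of the common name in an RFC 2253 subject string. */
    private static final String CN_PREFIX = "CN=";

    private final String expectedCommonName;
    private final X509Certificate rootCA;

    /**
     * @param rootCA pinned trust anchor; the last {@code x5c} certificate must be signed by its key
     * @param expectedCommonName subject CN the signing certificate must carry. It is compared
     *     against the RFC 2253 escaped form of the CN, so it should not contain characters
     *     that need escaping there (such as {@code ,} or {@code +}).
     */
    public JwsKeyResolver(X509Certificate rootCA, String expectedCommonName) {
        Intrinsics.checkNotNullParameter(rootCA, "rootCA");
        Intrinsics.checkNotNullParameter(expectedCommonName, "expectedCommonName");
        this.rootCA = rootCA;
        this.expectedCommonName = expectedCommonName;
    }

    /**
     * Validates the {@code x5c} chain of the JWS and returns the public key of its first
     * certificate.
     *
     * @param jwsHeader header of the JWS being verified; must contain {@code x5c}
     * @param claims claims of the JWS (not inspected here)
     * @return public key of the signing certificate
     * @throws SignatureException if the chain is missing, malformed, expired, not anchored
     *     in {@code rootCA}, or issued to a different common name
     */
    @Override
    public Key resolveSigningKey(JwsHeader<?> jwsHeader, Claims claims) {
        Intrinsics.checkNotNullParameter(jwsHeader, "jwsHeader");
        Intrinsics.checkNotNullParameter(claims, "claims");

        Object rawChain = jwsHeader.get(JwsHeader.X509_CERT_CHAIN);
        if (!(rawChain instanceof List)) {
            throw new SignatureException("JWS is missing the required certificate chain");
        }

        List<X509Certificate> chain = parseChain((List<?>) rawChain);
        if (chain.isEmpty()) {
            throw new SignatureException("Empty parsed certificate chain");
        }
        verifyChain(chain);

        X509Certificate signingCertificate = chain.get(0);
        String commonName = extractCommonName(signingCertificate.getSubjectX500Principal().getName());
        if (commonName == null) {
            // Previously a subject without "CN=" was sliced at a fixed offset and compared anyway.
            throw new SignatureException("Signing certificate subject has no CN");
        }
        if (!commonName.equals(this.expectedCommonName)) {
            // Thrown outside any catch-all so the specific reason is no longer masked.
            throw new SignatureException("Wrong CN! Got " + commonName + " but expected " + this.expectedCommonName);
        }
        return signingCertificate.getPublicKey();
    }

    /** Decodes every Base64 {@code x5c} entry into an X.509 certificate, keeping header order. */
    private static List<X509Certificate> parseChain(List<?> encodedChain) {
        CertificateFactory factory;
        try {
            factory = CertificateFactory.getInstance("X.509");
        } catch (Exception e) {
            throw new SignatureException("X.509 certificate factory is unavailable", e);
        }

        List<X509Certificate> chain = new ArrayList<>(encodedChain.size());
        try {
            for (Object entry : encodedChain) {
                // A non-String entry fails the cast and is reported like any other malformed entry.
                byte[] der = Base64.decode((String) entry, Base64.DEFAULT);
                Certificate parsed = factory.generateCertificate(new ByteArrayInputStream(der));
                if (!(parsed instanceof X509Certificate)) {
                    throw new IllegalArgumentException("x5c entry is not an X.509 certificate");
                }
                chain.add((X509Certificate) parsed);
            }
        } catch (Exception e) {
            throw new SignatureException("x5c is not a x509 certificate", e);
        }
        return chain;
    }

    /**
     * Checks validity periods, issuer signatures and CA constraints along the chain, then
     * anchors the last certificate in the pinned root.
     */
    private void verifyChain(List<X509Certificate> chain) {
        try {
            for (int i = 0; i < chain.size(); i++) {
                X509Certificate certificate = chain.get(i);
                // A signature check alone would keep accepting expired certificates.
                certificate.checkValidity();
                if (i > 0) {
                    // Entry i acts as issuer of entry i - 1. Without the CA constraint an
                    // end-entity certificate under the same root would be accepted as an issuer.
                    if (certificate.getBasicConstraints() < 0) {
                        throw new java.security.cert.CertificateException(
                                "x5c[" + i + "] is used as an issuer but is not a CA certificate");
                    }
                    chain.get(i - 1).verify(certificate.getPublicKey());
                }
            }
            // The pinned root is the trust anchor; only its key is used.
            chain.get(chain.size() - 1).verify(this.rootCA.getPublicKey());
        } catch (Exception e) {
            throw new SignatureException("Certificate chain cannot be verified", e);
        }
    }

    /**
     * Returns the value of the first CN component of an RFC 2253 subject string, or
     * {@code null} when there is none.
     *
     * <p>Only a component that starts with {@code CN=} is accepted, so the text
     * {@code "CN="} inside another attribute's value is not mistaken for the common name.
     * Backslash-escaped separators are skipped; the value is returned in escaped form.
     */
    private static String extractCommonName(String subjectName) {
        int length = subjectName.length();
        int start = 0;
        while (start < length) {
            while (start < length && subjectName.charAt(start) == ' ') {
                start++;
            }
            int end = start;
            while (end < length) {
                char c = subjectName.charAt(end);
                if (c == '\\') {
                    // Skip the escaped character so "\," or "\+" does not end the component.
                    end += 2;
                    continue;
                }
                if (c == ',' || c == '+') {
                    break;
                }
                end++;
            }
            end = Math.min(end, length);
            if (subjectName.startsWith(CN_PREFIX, start)) {
                return subjectName.substring(start + CN_PREFIX.length(), end);
            }
            start = end + 1;
        }
        return null;
    }
}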
