package com.amazon.identity.auth.device.appid;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.util.Base64;
import com.amazon.identity.auth.device.dataobject.AppInfo;
import com.amazon.identity.auth.device.utils.MAPLog;
import com.amazon.identity.auth.device.utils.MAPUtils;
import com.amazon.identity.auth.device.utils.ThirdPartyResourceParser;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes.dex */
public final class APIKeyDecoder {
    static final /* synthetic */ boolean $assertionsDisabled;
    private static final String AMAZON_PUBLIC_CERT = "-----BEGIN CERTIFICATE-----\nMIIEiTCCA3GgAwIBAgIJANVIFteXvjkPMA0GCSqGSIb3DQEBBQUAMIGJMQswCQYD\nVQQGEwJVUzEQMA4GA1UEBxMHU2VhdHRsZTETMBEGA1UEChMKQW1hem9uLmNvbTEZ\nMBcGA1UECxMQSWRlbnRpdHkgYW5kIFRheDETMBEGA1UEAxMKQW1hem9uLmNvbTEj\nMCEGCSqGSIb3DQEJARYUYXV0aC10ZWFtQGFtYXpvbi5jb20wHhcNMTIwODE0MDY1\nMDM5WhcNNzYwNjE0MDAyMjIzWjCBiTELMAkGA1UEBhMCVVMxEDAOBgNVBAcTB1Nl\nYXR0bGUxEzARBgNVBAoTCkFtYXpvbi5jb20xGTAXBgNVBAsTEElkZW50aXR5IGFu\nZCBUYXgxEzARBgNVBAMTCkFtYXpvbi5jb20xIzAhBgkqhkiG9w0BCQEWFGF1dGgt\ndGVhbUBhbWF6b24uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\nr4LlDpmlK1+mYGXqhvY3Kcd093eUwOQhQM0cb5Y9FjkXvJiCCoLSR9L8QYm2Jz06\nL/546eF/eMegvej93VGjz9JsW+guUIGkDuyCPwBn3u/PvTVKZD67Cep66qT3xnB3\nLfMFt5ln4T5LuoqJ95s8t9P0fULBU52kPR1hwdSo7G4KRVgyXtMmqjp3PK4EbrPB\ndvXCYxVeR31yDPS0BRENC3SGrzlVzrSWYFhxuxRcfyoMJYsOt/9T5QlO2KmJoTy2\nJQtqo7rlc6rORiJH7i2x+QW14bV3miJe/p4ZHWpOT5Z4hAqMBldc0FufaED1YH/Y\nnNCethI/GrXkgzCJRU5asQIDAQABo4HxMIHuMB0GA1UdDgQWBBQBvx8zbG7Sg/MZ\nOuZ31GeYDkhqozCBvgYDVR0jBIG2MIGzgBQBvx8zbG7Sg/MZOuZ31GeYDkhqo6GB\nj6SBjDCBiTELMAkGA1UEBhMCVVMxEDAOBgNVBAcTB1NlYXR0bGUxEzARBgNVBAoT\nCkFtYXpvbi5jb20xGTAXBgNVBAsTEElkZW50aXR5IGFuZCBUYXgxEzARBgNVBAMT\nCkFtYXpvbi5jb20xIzAhBgkqhkiG9w0BCQEWFGF1dGgtdGVhbUBhbWF6b24uY29t\nggkA1UgW15e+OQ8wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAjOV/\nVDxeAuBqdPgoBGz8AyDtMR4Qyxpe7P0M9umtr8S0PmvYOVs5YuMbEAPUYGsBnWVJ\nn7ErwCF20bkd4x0gHzkOpEzQJnjlO9vJzJcnZH4ZwhVs5jF4IkPN8N68jawPvh5/\nLyWJuwyNY5nGvN5nEecTdUQqT1aa7+Vv3Y1ZQlTEKQtdaoXUjLG86jq9xpanNj/G\nX4VYW+m7mY7Kv7mdfAE4zeECqOY5yAqSfP1M/a5fSfHLQiCTt3mrZfOuj8Hd3Pp5\nVn1e4/UxQQCwZcvAFljEYie6CXD3U1AgzIFiv4/r2M+rDo0T7eqIqCsyG6VCgRAb\ndry4esK8/BdPhyuiZg==\n-----END CERTIFICATE-----\n";
    // Parsed form of AMAZON_PUBLIC_CERT, filled in on first use by getCertificate(Context).
    private static Certificate CERTIFICATE = null;
    // Certificate format name handed to CertificateFactory.getInstance.
    public static final String CERTIFICATE_TYPE = "X.509";
    // Charset name for the String <-> byte[] conversions in this class.
    private static final String CHAR_SET = "UTF-8";
    // The only header "alg" value verifySignature accepts (compared case-insensitively).
    private static final String ENCRYPTION_SCHEME = "RSA-SHA256";
    // Value the payload's "iss" field must equal in verifyPayload.
    private static final String EXPECTED_ISSUER = "Amazon";
    // Prefix of the warning logged by doDecode when decoding or verification fails.
    private static final String FAILED_TO_DECODE = "Failed to decode: ";
    // Digest used by getSignatureFingerprint for the signing-certificate fingerprint
    // that verifyPayload compares with the payload's "appsig" value.
    // NOTE(review): MD5 is not collision-resistant; a stronger digest would need issued
    // keys to carry a matching fingerprint - confirm with the key issuer.
    private static final String HASH_ALGORITHM = "MD5";
    // Presumably the separator between fingerprint bytes in "appsig"; verifyPayload
    // strips the literal ":" before comparing - TODO confirm.
    private static final char HASH_SEPARATOR = ':';
    // Position of the header segment in the array returned by getKeyParts.
    private static final int HEADER_LOC = 0;
    // JSON field names read from the decoded header ("alg") and payload (the rest).
    private static final String KEY_ALGORITHM = "alg";
    private static final String KEY_API_KEY_VER = "ver";
    private static final String KEY_APP_FAMILY_ID = "appFamilyId";
    private static final String KEY_APP_ID = "appId";
    private static final String KEY_APP_VARIANT_ID = "appVariantId";
    private static final String KEY_CLIENT_ID = "clientId";
    private static final String KEY_ISSUER = "iss";
    private static final String KEY_PACKAGE_NAME = "pkg";
    private static final String KEY_PERMISSIONS = "perm";
    private static final String KEY_SCOPES = "scopes";
    private static final String KEY_SIGNATURE = "appsig";
    // Regex given to String.split in getKeyParts; matches a literal dot.
    private static final String KEY_SPLITTER = "[.]";
    // Assigned in the static initializer to this class's name.
    private static final String LOG_TAG;
    // Position of the payload segment in the array returned by getKeyParts.
    private static final int PAYLOD_LOC = 1;
    // "ver" value for which extractAppInfo reads a single "appId" field.
    private static final String VER_1 = "1";

    static {
        // One class literal feeds both the log tag and the assertion switch.
        final Class<APIKeyDecoder> self = APIKeyDecoder.class;
        LOG_TAG = self.getName();
        // Synthetic flag: true when assertions are disabled for this class.
        $assertionsDisabled = !self.desiredAssertionStatus();
        // The certificate is parsed on first use, not at class load.
        CERTIFICATE = null;
    }

    /**
     * Blocks instantiation: every member of this class is static.
     *
     * @throws Exception always
     */
    private APIKeyDecoder() throws Exception {
        final String reason = "This class is not instantiable!";
        throw new Exception(reason);
    }

    /**
     * Decodes an API key and verifies both its signature and its payload.
     *
     * <p>Delegates to {@code doDecode} with payload verification switched on.
     *
     * @param str package name the key is expected to belong to
     * @param str2 the API key text
     * @param context Android context passed through to the verification steps
     * @return whatever {@code doDecode} returns: the decoded {@link AppInfo}, or
     *     {@code null} when decoding or verification fails
     */
    public static AppInfo decode(String str, String str2, Context context) {
        final boolean checkPayload = true;
        return doDecode(str, str2, checkPayload, context);
    }

    /**
     * Base64-decodes a key segment after trimming surrounding whitespace.
     *
     * @param str Base64 text
     * @return the decoded bytes
     * @throws UnsupportedEncodingException if the UTF-8 charset name is not supported
     */
    private static byte[] decodeBase64ToBytes(String str) throws UnsupportedEncodingException {
        final byte[] encoded = str.trim().getBytes(CHAR_SET);
        // Base64.DEFAULT is the flag value 0: the standard alphabet with default options.
        return Base64.decode(encoded, Base64.DEFAULT);
    }

    /**
     * Base64-decodes a key segment and interprets the result as UTF-8 text.
     *
     * @param str Base64 text
     * @return the decoded text
     * @throws UnsupportedEncodingException if the UTF-8 charset name is not supported
     */
    private static String decodeBase64ToString(String str) throws UnsupportedEncodingException {
        final byte[] raw = decodeBase64ToBytes(str);
        return new String(raw, CHAR_SET);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Decodes an API key of the form {@code header.payload.signature}.
     *
     * <p>The signature over the first two segments is checked before the payload is
     * used. When {@code z} is {@code false} the payload is not bound to the installed
     * package: issuer, package name and signing-certificate fingerprint are not
     * checked, so callers passing {@code false} rely on the signature check alone.
     *
     * @param str package name the key is expected to belong to
     * @param str2 the API key text
     * @param z whether to run {@code verifyPayload} against the installed package
     * @param context Android context passed to the verification steps
     * @return the decoded {@link AppInfo}, or {@code null} when an argument is
     *     {@code null} or any decoding or verification step throws one of the
     *     exceptions handled below
     */
    public static AppInfo doDecode(String str, String str2, boolean z, Context context) {
        MAPLog.i(LOG_TAG, "Begin decoding API Key for packageName=" + str);
        final boolean missingInput = str == null || str2 == null;
        if (!$assertionsDisabled && missingInput) {
            throw new AssertionError();
        }
        if (missingInput) {
            MAPLog.pii(LOG_TAG, "ApiKey/PackageName is null. pkg=" + str, "apiKey=" + str2 + "");
            return null;
        }
        try {
            final String[] segments = getKeyParts(str2);
            final JSONObject header = new JSONObject(decodeBase64ToString(segments[HEADER_LOC]));
            final JSONObject payload = new JSONObject(decodeBase64ToString(segments[PAYLOD_LOC]));
            // Authenticate the key before any payload field is logged or acted on.
            verifySignature(segments, header.getString(KEY_ALGORITHM), context);
            MAPLog.pii(LOG_TAG, ThirdPartyResourceParser.KEY_API_KEY, "payload=" + payload);
            if (z) {
                verifyPayload(str, payload, context);
            }
            return extractAppInfo(payload);
        } catch (PackageManager.NameNotFoundException
                | IOException
                | IllegalArgumentException
                | SecurityException
                | InvalidKeyException
                | NoSuchAlgorithmException
                | NoSuchProviderException
                | SignatureException
                | CertificateException
                | JSONException failure) {
            // Every failure mode is reported the same way and ends in a null result;
            // UnsupportedEncodingException arrives here as an IOException.
            MAPLog.w(LOG_TAG, FAILED_TO_DECODE + failure.getMessage(), failure);
            return null;
        }
    }

    /**
     * Builds an {@link AppInfo} from a decoded key payload.
     *
     * <p>For version "1" payloads the single {@code appId} value fills both id
     * arguments; otherwise {@code appFamilyId} and {@code appVariantId} are read
     * separately. A missing {@code clientId} is tolerated and passed as {@code null}.
     *
     * @param jSONObject decoded payload
     * @return the populated {@link AppInfo}
     * @throws JSONException if a required field is absent
     */
    private static AppInfo extractAppInfo(JSONObject jSONObject) throws JSONException {
        final boolean versionOne = jSONObject.getString(KEY_API_KEY_VER).equals(VER_1);
        final String appFamilyId =
                versionOne ? jSONObject.getString(KEY_APP_ID) : jSONObject.getString(KEY_APP_FAMILY_ID);
        final String appVariantId = versionOne ? appFamilyId : jSONObject.getString(KEY_APP_VARIANT_ID);
        final String packageName = jSONObject.getString(KEY_PACKAGE_NAME);
        final String[] scopes = getStringArray(jSONObject, KEY_SCOPES);

        String clientId = null;
        try {
            clientId = jSONObject.getString(KEY_CLIENT_ID);
        } catch (JSONException e) {
            MAPLog.w(LOG_TAG, "APIKey does not contain a client id", e);
        }

        final String[] permissions = getStringArray(jSONObject, KEY_PERMISSIONS);
        return new AppInfo(appFamilyId, appVariantId, packageName, scopes, permissions, clientId, jSONObject);
    }

    /**
     * Returns the embedded public certificate, parsing it on the first call and
     * caching the result in {@code CERTIFICATE}.
     *
     * <p>The method is {@code static synchronized}, so it already holds the class
     * monitor for its whole body.
     *
     * @param context not read by this method
     * @return the parsed certificate
     * @throws CertificateException if the embedded PEM text cannot be parsed
     * @throws IOException if the charset name is unsupported or closing the stream fails
     */
    private static synchronized Certificate getCertificate(Context context) throws CertificateException, IOException {
        if (CERTIFICATE != null) {
            return CERTIFICATE;
        }
        final ByteArrayInputStream pem = new ByteArrayInputStream(AMAZON_PUBLIC_CERT.getBytes(CHAR_SET));
        CERTIFICATE = getCertificate(CERTIFICATE_TYPE, pem);
        pem.close();
        return CERTIFICATE;
    }

    /**
     * Parses one certificate of the given type from a stream.
     *
     * @param str certificate type name, e.g. {@code "X.509"}
     * @param inputStream encoded certificate data
     * @return the parsed certificate
     * @throws CertificateException if the type is unavailable or the data cannot be parsed
     */
    private static Certificate getCertificate(String str, InputStream inputStream) throws CertificateException {
        final CertificateFactory factory = CertificateFactory.getInstance(str);
        return factory.generateCertificate(inputStream);
    }

    /**
     * Hashes a byte array with the named digest algorithm.
     *
     * @param str digest algorithm name
     * @param bArr data to hash; must not be {@code null} (asserted)
     * @return the digest bytes
     * @throws NoSuchAlgorithmException if no provider offers the algorithm
     */
    private static byte[] getFingerprint(String str, byte[] bArr) throws NoSuchAlgorithmException {
        if (!$assertionsDisabled && bArr == null) {
            throw new AssertionError();
        }
        final MessageDigest hasher = MessageDigest.getInstance(str);
        return hasher.digest(bArr);
    }

    /**
     * Splits an API key on dots into its header, payload and signature segments.
     *
     * @param str the API key text; must not be {@code null} (asserted)
     * @return exactly three segments
     * @throws IllegalArgumentException if the split does not yield exactly three parts
     */
    private static String[] getKeyParts(String str) {
        if (!$assertionsDisabled && str == null) {
            throw new AssertionError();
        }
        final String[] segments = str.split(KEY_SPLITTER);
        if (segments.length == 3) {
            return segments;
        }
        throw new IllegalArgumentException("Decoding fails: API Key must have 3 parts {header}.{payload}.{signature}");
    }

    /**
     * Computes the hex fingerprint of an app signing certificate.
     *
     * <p>The signature bytes are parsed as a certificate of type {@code str}, and the
     * certificate's encoded form is hashed with {@code HASH_ALGORITHM} (MD5).
     * NOTE(review): MD5 is not collision-resistant; the digest is presumably fixed by
     * the fingerprint format stored in issued keys - confirm before changing it.
     *
     * @param str certificate type name, e.g. {@code "X.509"}
     * @param signature package signature whose bytes hold the encoded certificate
     * @return the fingerprint as formatted by {@code MAPUtils.toHexString}
     * @throws IOException if closing the in-memory stream fails
     * @throws CertificateException if the signature bytes cannot be parsed or re-encoded
     * @throws NoSuchAlgorithmException if the digest algorithm is unavailable
     */
    public static String getSignatureFingerprint(String str, Signature signature) throws IOException, CertificateException, NoSuchAlgorithmException {
        final ByteArrayInputStream encodedSigner = new ByteArrayInputStream(signature.toByteArray());
        final Certificate signer = getCertificate(str, encodedSigner);
        encodedSigner.close();
        final byte[] digest = getFingerprint(HASH_ALGORITHM, signer.getEncoded());
        return MAPUtils.toHexString(digest);
    }

    /**
     * Reads a JSON array field as a {@code String[]}.
     *
     * @param jSONObject object to read from
     * @param str name of the array field
     * @return the elements in order, or {@code null} when the lookup or any element
     *     read throws {@link JSONException}
     * @throws JSONException declared, but caught inside the method
     */
    private static String[] getStringArray(JSONObject jSONObject, String str) throws JSONException {
        try {
            final JSONArray values = jSONObject.getJSONArray(str);
            final int count = values.length();
            final String[] result = new String[count];
            int index = 0;
            while (index < count) {
                result[index] = values.getString(index);
                index++;
            }
            return result;
        } catch (JSONException e) {
            // Absence of the field is expected for some keys, so it is only logged.
            MAPLog.i(LOG_TAG, str + " has no mapping in json, returning null array");
            return null;
        }
    }

    /**
     * Binds a decoded payload to the installed package it claims to describe.
     *
     * <p>Checks, in order: the issuer equals {@code EXPECTED_ISSUER}; the payload's
     * package name equals {@code str}; and the payload's {@code appsig} fingerprint
     * (colons removed, compared case-insensitively) matches the fingerprint of at
     * least one signature the package manager reports for {@code str}.
     * NOTE(review): a single matching signer is enough to accept the package; confirm
     * that is the intended policy for packages with several signers.
     *
     * @param str package name to verify against
     * @param jSONObject decoded key payload
     * @param context used to obtain the {@link PackageManager}
     * @throws SecurityException if any check fails or the signatures cannot be read
     * @throws JSONException if a required payload field is absent
     * @throws PackageManager.NameNotFoundException if the package is not installed
     * @throws CertificateException if a package signature cannot be parsed
     * @throws NoSuchAlgorithmException if the fingerprint digest is unavailable
     * @throws IOException if reading a signature fails
     */
    private static void verifyPayload(String str, JSONObject jSONObject, Context context) throws SecurityException, JSONException, PackageManager.NameNotFoundException, CertificateException, NoSuchAlgorithmException, IOException {
        final String issuer = jSONObject.getString(KEY_ISSUER);
        if (!issuer.equals(EXPECTED_ISSUER)) {
            throw new SecurityException("Decoding fails: issuer (" + issuer + ") is not = " + EXPECTED_ISSUER);
        }
        final String declaredPackage = jSONObject.getString(KEY_PACKAGE_NAME);
        if (!str.equals(declaredPackage)) {
            throw new SecurityException("Decoding fails: package names don't match! - " + str + " != " + declaredPackage);
        }

        // Every path below that cannot produce a fingerprint match fails closed
        // with this same message.
        final String unverifiable = "Decoding fails: certificate fingerprint can't be verified!";

        final PackageManager packageManager = context.getPackageManager();
        if (packageManager == null) {
            MAPLog.d(LOG_TAG, " pkgMgr is null ");
            throw new SecurityException(unverifiable);
        }
        // GET_SIGNATURES is the flag value 64.
        final PackageInfo installed = packageManager.getPackageInfo(str, PackageManager.GET_SIGNATURES);
        if (installed == null) {
            throw new SecurityException(unverifiable);
        }
        final Signature[] signers = installed.signatures;
        if (signers == null) {
            MAPLog.d(LOG_TAG, " signatures is null");
            throw new SecurityException(unverifiable);
        }
        MAPLog.i(LOG_TAG, " num sigs = " + signers.length);

        final String declaredSignature = jSONObject.getString(KEY_SIGNATURE);
        if (declaredSignature == null) {
            MAPLog.d(LOG_TAG, " appSignature is null");
            throw new SecurityException(unverifiable);
        }
        final String expected = declaredSignature.replace(":", "");
        MAPLog.pii(LOG_TAG, "Signature checking.", "appSignature = " + expected);
        for (Signature signer : signers) {
            final String actual = getSignatureFingerprint(CERTIFICATE_TYPE, signer);
            MAPLog.pii(LOG_TAG, "Fingerpirint checking", "fingerprint = " + actual);
            if (expected.equalsIgnoreCase(actual)) {
                return;
            }
        }
        throw new SecurityException(unverifiable);
    }

    /**
     * Checks the key's signature segment against the embedded public certificate.
     *
     * <p>The signed data is {@code header + "." + payload}, each segment trimmed and
     * still Base64-encoded. Only the {@code RSA-SHA256} scheme is accepted.
     * NOTE(review): the mismatch branch below can fire only if
     * {@code verifySignatureWithRsaSha256} returns the real verification outcome;
     * confirm the helper does not discard the result of {@code Signature.verify}.
     *
     * @param strArr the three key segments from {@code getKeyParts}
     * @param str the {@code alg} value from the key header
     * @param context passed to {@code getCertificate}
     * @throws NoSuchAlgorithmException if {@code str} names another scheme
     * @throws SecurityException if the helper reports a mismatch
     * @throws InvalidKeyException if the certificate's key cannot be used
     * @throws NoSuchProviderException if the signature provider is unavailable
     * @throws SignatureException if the signature bytes are malformed
     * @throws CertificateException if the embedded certificate cannot be parsed
     * @throws IOException if a charset or stream operation fails
     */
    private static void verifySignature(String[] strArr, String str, Context context) throws InvalidKeyException, NoSuchProviderException, SignatureException, NoSuchAlgorithmException, CertificateException, IOException {
        if (!str.equalsIgnoreCase(ENCRYPTION_SCHEME)) {
            throw new NoSuchAlgorithmException("Unsupported algorithm : " + str);
        }
        final byte[] signatureBytes = decodeBase64ToBytes(strArr[2]);
        final String signedText = strArr[0].trim() + "." + strArr[1].trim();
        final byte[] signedBytes = signedText.getBytes(CHAR_SET);
        final Certificate issuerCertificate = getCertificate(context);
        final boolean matches = verifySignatureWithRsaSha256(signatureBytes, signedBytes, issuerCertificate);
        if (!matches) {
            throw new SecurityException("Decoding fails: signature mismatch!");
        }
    }

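    /**
     * Verifies an RSA signature with SHA-256 over the given data.
     *
     * <p>The result of {@code Signature.verify} is returned to the caller. The
     * previous body discarded it and returned {@code true} unconditionally, so a
     * well-formed signature that did not match was accepted and only inputs that
     * made {@code verify} throw were rejected.
     * NOTE(review): the provider is pinned to "BC"; confirm that provider still
     * serves SHA256withRSA on every platform version the app targets.
     *
     * @param bArr the signature bytes to check
     * @param bArr2 the data the signature should cover
     * @param certificate certificate holding the public key to verify with
     * @return {@code true} only when the signature is valid for the data and key
     * @throws NoSuchAlgorithmException if SHA256withRSA is unavailable
     * @throws NoSuchProviderException if the "BC" provider is not installed
     * @throws InvalidKeyException if the certificate's key cannot be used
     * @throws SignatureException if the signature bytes are malformed
     */
    private static boolean verifySignatureWithRsaSha256(byte[] bArr, byte[] bArr2, Certificate certificate) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
        java.security.Signature verifier = java.security.Signature.getInstance("SHA256withRSA", "BC");
        verifier.initVerify(certificate);
        verifier.update(bArr2);
        // verify() reports a mismatch through its boolean, not through an exception.
        return verifier.verify(bArr);
    }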
}
