package com.microsoft.omadm.apppolicy;

import android.net.http.X509TrustManagerExtensions;
import com.microsoft.identity.broker4j.broker.prtv2.SessionKeyUtil;
import com.microsoft.identity.common.java.providers.microsoft.MicrosoftIdToken;
import com.microsoft.omadm.apppolicy.data.MAMKeyTable;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.NoSuchElementException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.collections.SetsKt;
import kotlin.jvm.internal.Intrinsics;
import org.json.JSONException;
import org.json.JSONObject;

@Metadata(d1 = {"\u0000F\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010\u000b\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u000e\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0018\u0002\n\u0000\n\u0002\u0010\u0002\n\u0002\b\u0003\n\u0002\u0010 \n\u0002\b\u0005\u0018\u0000 \u001c2\u00020\u0001:\u0001\u001cB\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0010\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\nH\u0002J\u000e\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eJ\u0010\u0010\u000f\u001a\u00020\u00102\u0006\u0010\u0011\u001a\u00020\u0012H\u0002J\u0010\u0010\u0013\u001a\u00020\u00142\u0006\u0010\u0011\u001a\u00020\u0012H\u0002J\u0010\u0010\u0015\u001a\u00020\u00142\u0006\u0010\u0011\u001a\u00020\u0012H\u0002J\u0016\u0010\u0016\u001a\u00020\u00142\f\u0010\u0017\u001a\b\u0012\u0004\u0012\u00020\n0\u0018H\u0002J\u0010\u0010\u0019\u001a\u00020\u00142\u0006\u0010\u001a\u001a\u00020\fH\u0002J\u0010\u0010\u001b\u001a\u00020\u00142\u0006\u0010\u0011\u001a\u00020\u0012H\u0002R\u0011\u0010\u0002\u001a\u00020\u0003¢\u0006\b\n\u0000\u001a\u0004\b\u0005\u0010\u0006¨\u0006\u001d"}, d2 = {"Lcom/microsoft/omadm/apppolicy/SignedDataValidator;", "", "validationParams", "Lcom/microsoft/omadm/apppolicy/ValidationParams;", "(Lcom/microsoft/omadm/apppolicy/ValidationParams;)V", "getValidationParams", "()Lcom/microsoft/omadm/apppolicy/ValidationParams;", "isCertificatePinned", "", "cert", "Ljava/security/cert/X509Certificate;", "parseAndValidateJwt", "Lorg/json/JSONObject;", "jwt", "", "validateCertificateChain", "Ljava/security/interfaces/RSAPublicKey;", "signedJWT", "Lcom/nimbusds/jwt/SignedJWT;", "validateClaims", "", "validateJwt", "validatePins", "certChain", "", "validateResult", "result", "validateSignature", "Companion", "OMADMClient_officialProductionRelease"}, k = 1, mv = {1, 5, 1}, xi = 48)
/* loaded from: classes2.dex */
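/**
 * Validates a signed MAM response JWT and returns its {@code responseBody} claim as JSON.
 *
 * <p>Every step throws {@link SignedDataException} on failure, in this order:
 * <ol>
 *   <li>Parse the compact JWS.</li>
 *   <li>Take the {@code x5c} header chain (attacker-controlled until checked), build it to a
 *       platform trust anchor through the default {@link TrustManagerFactory}, and require that at
 *       least one certificate of the resolved chain carries a pinned public key
 *       ({@code ValidationParams.getSigningCertPins()}). No hostname is supplied to the trust
 *       manager, so the pin check is what binds the chain to the expected signer.</li>
 *   <li>Verify the RSA signature with the leaf certificate's key.</li>
 *   <li>Check claims: {@code exp}, {@code iss}, {@code sub} and {@code nonce} are passed to
 *       {@link MAMJWTClaimsVerifier} as the (presumably required) claim set; {@code nonce} must
 *       equal the caller's nonce and {@code sub} the lower-cased AAD id; {@code iss} is compared
 *       against {@code https://mam.intune.microsoft.com/<tenantId>} only when a tenant id was
 *       supplied. Up to 300 seconds of clock skew is tolerated.</li>
 *   <li>Require a non-empty {@code responseBody} claim and, when an app instance id was supplied,
 *       that the body echoes it (case-insensitive).</li>
 * </ol>
 *
 * <p>This listing is decompiled from Kotlin. Several constant references
 * ({@code SessionKeyUtil.DERIVED_KEY_ALGORITHM}, {@code MAMKeyTable.COLUMN_KEY_DATA},
 * {@code MicrosoftIdToken.ISSUER}) look like decompiler substitutions of same-valued string
 * literals; their actual values should be confirmed against the original source.
 */
public final class SignedDataValidator {
    private final ValidationParams validationParams;
    private static final String RESPONSE_BODY_CLAIM = "responseBody";
    private static final String NONCE_CLAIM = "nonce";
    private static final String ISSUER_CLAIM_VALUE_PREFIX = "https://mam.intune.microsoft.com/";
    private static final String APPINSTANCE_PROPERTY = "AppInstanceId";
    // Fallback property name for the app instance id; value is whatever the key table column constant holds.
    private static final String KEY_PROPERTY = MAMKeyTable.COLUMN_KEY_DATA;
    // Tolerance applied to exp/nbf-style time claims by the claims verifier.
    private static final int MAX_CLOCK_SKEW_SECONDS = 300;

    /**
     * Creates a validator bound to one set of expected values.
     *
     * @param validationParams expected nonce, identity, tenant id, device id, app instance id and
     *                         signing-certificate pins; must not be null
     */
    public SignedDataValidator(ValidationParams validationParams) {
        Intrinsics.checkNotNullParameter(validationParams, "validationParams");
        this.validationParams = validationParams;
    }

    /** Returns the parameters this validator checks against. */
    public final ValidationParams getValidationParams() {
        return this.validationParams;
    }

    /**
     * Parses {@code jwt}, validates chain, signature, claims and response body, and returns the
     * {@code responseBody} claim.
     *
     * @param jwt compact-serialised signed JWT; must not be null
     * @return the {@code responseBody} claim as a {@link JSONObject}
     * @throws SignedDataException if parsing or any validation step fails; unexpected runtime
     *                             errors are wrapped in it as well
     */
    public final JSONObject parseAndValidateJwt(String jwt) throws SignedDataException {
        Intrinsics.checkNotNullParameter(jwt, "jwt");
        try {
            SignedJWT signedJWT = SignedJWT.parse(jwt);
            // Signature (and the chain behind it) is verified before any claim is read.
            validateJwt(signedJWT);
            Map<String, Object> responseBody = signedJWT.getJWTClaimsSet().getJSONObjectClaim(RESPONSE_BODY_CLAIM);
            if (responseBody == null || responseBody.isEmpty()) {
                throw new SignedDataException("'" + RESPONSE_BODY_CLAIM + "' claim not found in JWT.");
            }
            JSONObject result = new JSONObject(responseBody);
            validateResult(result);
            return result;
        } catch (SignedDataException e) {
            throw e;
        } catch (ParseException e) {
            throw new SignedDataException("JWT could not be parsed", e);
        } catch (JSONException e) {
            throw new SignedDataException("'" + RESPONSE_BODY_CLAIM + "' claim from JWT could not be parsed as JSON", e);
        } catch (Exception e) {
            // Catch-all so that no raw runtime failure (e.g. a cast or trust-store error) escapes unwrapped.
            throw new SignedDataException("An error occurred while validating JWT", e);
        }
    }

    /**
     * Runs signature validation and then claims validation.
     *
     * @throws SignedDataException if either step fails
     */
    private void validateJwt(SignedJWT signedJWT) throws SignedDataException, GeneralSecurityException, ParseException {
        validateSignature(signedJWT);
        validateClaims(signedJWT);
    }

    /**
     * Verifies the JWS signature with the RSA key of the validated leaf certificate.
     *
     * <p>{@link RSASSAVerifier} accepts only RSA-family algorithms, so a token whose {@code alg}
     * header names anything else is rejected by the verifier rather than silently accepted.
     *
     * @throws SignedDataException if the chain is invalid or the signature does not verify
     */
    private void validateSignature(SignedJWT signedJWT) throws GeneralSecurityException {
        RSAPublicKey signingKey = validateCertificateChain(signedJWT);
        try {
            if (!signedJWT.verify(new RSASSAVerifier(signingKey))) {
                throw new SignedDataException("JWT failed signature validation.");
            }
        } catch (JOSEException e) {
            throw new SignedDataException("JWT failed signature validation.", e);
        }
    }

    /**
     * Builds the {@code x5c} header chain to a platform trust anchor and checks it against the
     * configured public-key pins.
     *
     * <p>The chain is supplied by the token itself, so nothing about it is trusted until the
     * default trust manager has resolved it and {@link #validatePins(List)} has passed. The empty
     * hostname argument means no hostname verification is performed by the trust manager.
     *
     * @return the RSA public key of the leaf certificate of the resolved chain
     * @throws SignedDataException if the header has no usable chain, the chain is not pinned, or
     *                             the leaf key is not RSA
     * @throws GeneralSecurityException if the platform trust manager cannot be obtained or rejects
     *                                  the chain
     */
    private RSAPublicKey validateCertificateChain(SignedJWT signedJWT) throws GeneralSecurityException {
        List<Base64> encodedChain = signedJWT.getHeader().getX509CertChain();
        if (encodedChain == null || encodedChain.isEmpty()) {
            throw new SignedDataException("x5c certificate chain missing from JWT");
        }
        X509Certificate[] chain = new X509Certificate[encodedChain.size()];
        for (int i = 0; i < chain.length; i++) {
            // X509CertUtils.parse returns null rather than throwing on malformed DER.
            X509Certificate parsed = X509CertUtils.parse(encodedChain.get(i).decode());
            if (parsed == null) {
                throw new SignedDataException("x5c certificate chain could not be parsed");
            }
            chain[i] = parsed;
        }
        X509TrustManagerExtensions trust = new X509TrustManagerExtensions(platformTrustManager());
        // authType argument: JADX most likely substituted a same-valued constant for a string literal here
        // (TODO confirm against source); host is empty, so no hostname check is done.
        List<X509Certificate> resolvedChain = trust.checkServerTrusted(chain, SessionKeyUtil.DERIVED_KEY_ALGORITHM, "");
        validatePins(resolvedChain); // also rejects an empty resolved chain
        PublicKey leafKey = resolvedChain.get(0).getPublicKey();
        if (!(leafKey instanceof RSAPublicKey)) {
            throw new SignedDataException("Signing certificate does not carry an RSA public key.");
        }
        return (RSAPublicKey) leafKey;
    }

    /**
     * Returns the first {@link X509TrustManager} of the default {@link TrustManagerFactory}
     * initialised with the platform trust store ({@code init(null)}).
     *
     * @throws NoSuchElementException if the factory provides no X.509 trust manager
     */
    private static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init((KeyStore) null);
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new NoSuchElementException("Array contains no element matching the predicate.");
    }

    /**
     * Requires that at least one certificate of {@code certChain} is pinned.
     *
     * <p>Any position in the chain satisfies the pin, so pinning an intermediate or root key is
     * sufficient. An empty chain fails. (The decompiled original always threw because the
     * loop's early exit fell through to {@code z = true}; this is the intended Kotlin
     * {@code none { }} semantics.)
     *
     * @throws SignedDataException if no certificate in the chain matches a pin
     */
    private void validatePins(List<? extends X509Certificate> certChain) {
        for (X509Certificate cert : certChain) {
            if (isCertificatePinned(cert)) {
                return;
            }
        }
        throw new SignedDataException("Signed JWT cert chain is invalid.");
    }

    /**
     * Returns whether {@code cert}'s encoded public key (SubjectPublicKeyInfo DER) equals one of
     * the configured pins.
     */
    private boolean isCertificatePinned(X509Certificate cert) {
        byte[] encoded = cert.getPublicKey().getEncoded();
        for (byte[] pin : this.validationParams.getSigningCertPins()) {
            if (Arrays.equals(encoded, pin)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the token's claims against the expected nonce, subject and (optionally) issuer.
     *
     * <p>The issuer is only compared when {@code ValidationParams.getTenantId()} is non-empty;
     * whether {@link MAMJWTClaimsVerifier} imposes any other issuer constraint in that case is
     * outside this file.
     *
     * @throws SignedDataException if the claims verifier rejects the claim set
     * @throws ParseException if the payload is not a valid claims set
     */
    private void validateClaims(SignedJWT signedJWT) throws ParseException {
        HashSet<String> requiredClaims = new HashSet<>(Arrays.asList("exp", MicrosoftIdToken.ISSUER, "sub", NONCE_CLAIM));
        String aadId = this.validationParams.getIdentity().aadId();
        JWTClaimsSet.Builder expected = new JWTClaimsSet.Builder()
                .claim(NONCE_CLAIM, this.validationParams.getNonce())
                .subject(aadId.toLowerCase(Locale.US));
        String tenantId = this.validationParams.getTenantId();
        if (tenantId != null && !tenantId.isEmpty()) {
            expected.issuer(ISSUER_CLAIM_VALUE_PREFIX + tenantId.toLowerCase(Locale.US));
        }
        MAMJWTClaimsVerifier verifier = new MAMJWTClaimsVerifier(this.validationParams.getDeviceId(), expected.build(), requiredClaims);
        verifier.setMaxClockSkew(MAX_CLOCK_SKEW_SECONDS);
        try {
            verifier.verify(signedJWT.getJWTClaimsSet(), (SimpleSecurityContext) null);
        } catch (BadJWTException e) {
            throw new SignedDataException("JWT failed claims validation.", e);
        }
    }

    /**
     * When an app instance id was supplied, requires the response body to echo it.
     *
     * <p>The id is read from {@code AppInstanceId}, falling back to the key-table column name.
     * Comparison is case-insensitive under {@link Locale#US}. With no configured app instance id
     * the check is skipped entirely.
     *
     * @throws SignedDataException if the id is missing or differs
     * @throws JSONException if the property is present but not readable as a string
     */
    private void validateResult(JSONObject result) throws JSONException {
        String expectedId = this.validationParams.getAppInstanceId();
        if (expectedId == null || expectedId.isEmpty()) {
            return;
        }
        String actualId = null;
        if (result.has(APPINSTANCE_PROPERTY)) {
            actualId = result.getString(APPINSTANCE_PROPERTY);
        } else if (result.has(KEY_PROPERTY)) {
            actualId = result.getString(KEY_PROPERTY);
        }
        if (actualId == null || actualId.isEmpty()) {
            throw new SignedDataException("JWT failed validation; AppInstanceId missing from response.");
        }
        if (!expectedId.toLowerCase(Locale.US).equals(actualId.toLowerCase(Locale.US))) {
            throw new SignedDataException("JWT failed validation; wrong AppInstanceId found in response.");
        }
    }
}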
