package com.huawei.wisesecurity.ucs_credential;

import android.content.Context;
import com.huawei.hms.network.embedded.q2;
import com.huawei.wisesecurity.ucs.common.exception.UcsErrorCode;
import com.huawei.wisesecurity.ucs.common.exception.UcsException;
import com.huawei.wisesecurity.ucs.common.log.LogUcs;
import com.huawei.wisesecurity.ucs.common.utils.StringUtil;
import com.mbridge.msdk.foundation.entity.CampaignEx;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/* loaded from: classes7.dex */
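/**
 * Verifies a signed credential object against a root certificate bundled in the app's assets.
 *
 * <p>Decompiled, obfuscated class: identifiers such as {@code q}, {@code a} and {@code f16387a}
 * are decompiler-assigned. The helper calls {@code android.support.v4.media.c.b(String)} and
 * {@code androidx.recyclerview.widget.a.d(Throwable, StringBuilder)} are kept exactly as the
 * decompiler emitted them. The first returns a {@link StringBuilder} seeded with the given
 * text; the second presumably appends the exception message and returns the resulting string
 * (TODO confirm against the helper's source).
 */
public class q {

    /* renamed from: a, reason: collision with root package name */
    // Cached trust anchor, loaded once from assets. Declared volatile so that the
    // double-checked initialisation in a(Context, a) publishes it safely.
    private static volatile X509Certificate f16387a;

    /**
     * Reads a single X.509 certificate from the application's asset directory.
     *
     * @param context Android context used to reach the asset manager
     * @param str asset file name of the certificate
     * @return the parsed certificate
     * @throws UcsException with {@code VERIFY_JWS_ERROR} if the asset cannot be read or parsed
     */
    private static X509Certificate a(Context context, String str) {
        // try-with-resources replaces the decompiler's expanded close/addSuppressed sequence.
        try (InputStream open = context.getAssets().open(str)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(open);
        } catch (IOException | CertificateException e10) {
            LogUcs.e(CampaignEx.JSON_KEY_AD_Q, androidx.recyclerview.widget.a.d(e10, android.support.v4.media.c.b("Read root cert error ")), new Object[0]);
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, androidx.recyclerview.widget.a.d(e10, android.support.v4.media.c.b("Read root cert error ")));
        }
    }

    /**
     * Validates the certificate chain carried by {@code aVar} up to the bundled root
     * ({@code cbg_root.cer}), checks the leaf subject's OU, and verifies the signature over the
     * signed content with the leaf certificate's public key.
     *
     * <p>The chain is supplied by the object being verified, so every element is untrusted
     * until it has been linked to the bundled root.
     *
     * <p>NOTE(review): the chain check below is hand-rolled. It verifies signatures and validity
     * periods only; it does not check that issuing certificates are CA certificates
     * (basicConstraints / keyUsage), does not match issuer and subject names, and performs no
     * revocation check. A PKIX {@code CertPathValidator} run with the bundled root as the only
     * trust anchor would cover these; confirm whether callers rely on another layer for them.
     *
     * @param context Android context used to load the root certificate on first use
     * @param aVar parsed credential; presumably a JWS whose header carries the Base64
     *     certificate chain and the algorithm name (TODO confirm against class {@code a})
     * @throws UcsException with {@code VERIFY_JWS_ERROR} on any parsing or verification failure
     */
    public static void a(Context context, a aVar) {
        if (f16387a == null) {
            synchronized (q.class) {
                if (f16387a == null) {
                    f16387a = a(context, "cbg_root.cer");
                }
            }
        }
        String[] b7 = aVar.b().b();
        if (b7 == null || b7.length == 0) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "verify cert chain failed , certs is empty..");
        }
        int length = b7.length;
        X509Certificate[] x509CertificateArr = new X509Certificate[length];
        try {
            // One factory is enough for the whole chain.
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            for (int i10 = 0; i10 < length; i10++) {
                try (ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(StringUtil.base64Decode(b7[i10], 0))) {
                    x509CertificateArr[i10] = (X509Certificate) certificateFactory.generateCertificate(byteArrayInputStream);
                }
            }
        } catch (IOException | CertificateException e10) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, e10.getMessage());
        }
        StringBuilder b10 = android.support.v4.media.c.b("Start verify cert chain using root ca: ");
        b10.append(f16387a.getSubjectDN().getName());
        LogUcs.i(CampaignEx.JSON_KEY_AD_Q, b10.toString(), new Object[0]);
        int i = length - 1;
        try {
            // Index 0 is the leaf; each certificate must be signed by the next one in the array.
            for (int i11 = 0; i11 < i; i11++) {
                int i12 = i11 + 1;
                LogUcs.i(CampaignEx.JSON_KEY_AD_Q, "verify cert " + x509CertificateArr[i11].getSubjectDN().getName(), new Object[0]);
                LogUcs.i(CampaignEx.JSON_KEY_AD_Q, "using " + x509CertificateArr[i12].getSubjectDN().getName(), new Object[0]);
                x509CertificateArr[i11].checkValidity();
                x509CertificateArr[i11].verify(x509CertificateArr[i12].getPublicKey());
            }
            // Fix: the decompiled loop never checked the validity period of the last chain
            // element, so a single-certificate chain skipped the expiry check entirely.
            x509CertificateArr[i].checkValidity();
            // The decompiled listing left this call outside any handler (and repeated the catch
            // body after the try, where e11 is out of scope). It is handled here so that a
            // failure to chain to the root is reported like any other chain failure.
            x509CertificateArr[i].verify(f16387a.getPublicKey());
        } catch (RuntimeException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e11) {
            LogUcs.e(CampaignEx.JSON_KEY_AD_Q, androidx.recyclerview.widget.a.d(e11, android.support.v4.media.c.b("verify cert chain failed , exception ")), new Object[0]);
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, androidx.recyclerview.widget.a.d(e11, android.support.v4.media.c.b("verify cert chain failed , exception ")));
        }
        // The leaf must carry the expected organisational unit. The DN string is split on the
        // constant q2.f14074e (presumably "," - TODO confirm).
        // NOTE(review): matching on the textual DN depends on how the provider formats
        // getSubjectDN().getName(), including whitespace after separators.
        boolean z10 = false;
        for (String str : x509CertificateArr[0].getSubjectDN().getName().split(q2.f14074e)) {
            if (str.startsWith("OU=") && "Huawei CBG Cloud Security Signer".equals(str.substring(3))) {
                z10 = true;
                break;
            }
        }
        if (!z10) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "Subject OU not verify");
        }
        X509Certificate x509Certificate2 = x509CertificateArr[0];
        try {
            // Any algorithm name other than "RS256" selects RSA-PSS, so the value supplied in
            // the credential can only choose between these two RSA schemes.
            Signature signature = Signature.getInstance("RS256".equals(aVar.b().a()) ? "SHA256WithRSA" : "SHA256WithRSA/PSS");
            signature.initVerify(x509Certificate2.getPublicKey());
            signature.update(aVar.a().getBytes(StandardCharsets.UTF_8));
            if (!signature.verify(aVar.c())) {
                throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "signature not verify");
            }
        } catch (RuntimeException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e12) {
            LogUcs.e(CampaignEx.JSON_KEY_AD_Q, androidx.recyclerview.widget.a.d(e12, android.support.v4.media.c.b("verify signature failed , exception ")), new Object[0]);
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "verify signature of c1 failed!");
        }
    }
}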
