package com.nordvpn.android.communication.certificates;

import android.util.Base64;
import androidx.compose.ui.graphics.colorspace.c;
import c50.h0;
import c50.v;
import com.nordvpn.android.communication.exceptions.ResponseAuthenticationException;
import java.security.PublicKey;
import java.security.Signature;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.List;
import java.util.Locale;
import java.util.TreeMap;
import javax.inject.Inject;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.i0;
import re.a;

/* loaded from: classes3.dex */
public class ResponseSignatureChecker {
    private final CertificateFileManager certificateFileManager;
    private final a logger;
    private PublicKey publicKey;
    private static final String HEADER_AUTHORIZATION = "X-Authorization";
    private static final String HEADER_ACCEPT_BEFORE = "X-Accept-Before";
    private static final String HEADER_DIGEST = "X-Digest";
    private static final String HEADER_SIGNATURE = "X-Signature";
    private static final Collection<String> REGULAR_HEADER_KEYS = Arrays.asList(HEADER_AUTHORIZATION, HEADER_ACCEPT_BEFORE, HEADER_DIGEST, HEADER_SIGNATURE);

    @Inject
    public ResponseSignatureChecker(CertificateFileManager certificateFileManager, a aVar) {
        this.certificateFileManager = certificateFileManager;
        this.logger = aVar;
        this.publicKey = certificateFileManager.getPublicKey();
    }

    private boolean authenticate(h0 h0Var, String str, String str2) throws ResponseAuthenticationException {
        if (isSignatureValid(str, str2)) {
            return true;
        }
        PublicKey loadNewPublicKey = this.certificateFileManager.loadNewPublicKey(h0Var.f3752a.f3712a.f3847d);
        if (loadNewPublicKey == null) {
            throw new ResponseAuthenticationException(h0Var, "Invalid signature");
        }
        this.publicKey = loadNewPublicKey;
        if (isSignatureValid(str, str2)) {
            return true;
        }
        throw new ResponseAuthenticationException(h0Var, "Invalid signature with new public key");
    }

    private boolean authenticateRegular(h0 h0Var) throws ResponseAuthenticationException {
        String b11 = h0Var.f.b(HEADER_ACCEPT_BEFORE);
        v vVar = h0Var.f;
        return authenticate(h0Var, vVar.b(HEADER_SIGNATURE), c.a(b11, vVar.b(HEADER_DIGEST)));
    }

    private boolean hasAdditionalHeaders(h0 h0Var) throws ResponseAuthenticationException {
        v vVar = h0Var.f;
        vVar.getClass();
        Intrinsics.checkNotNullParameter(i0.f16790a, "<this>");
        Comparator CASE_INSENSITIVE_ORDER = String.CASE_INSENSITIVE_ORDER;
        Intrinsics.checkNotNullExpressionValue(CASE_INSENSITIVE_ORDER, "CASE_INSENSITIVE_ORDER");
        TreeMap treeMap = new TreeMap(CASE_INSENSITIVE_ORDER);
        int length = vVar.f3841a.length / 2;
        int i = 0;
        while (i < length) {
            int i7 = i + 1;
            String m11 = vVar.m(i);
            Locale US = Locale.US;
            Intrinsics.checkNotNullExpressionValue(US, "US");
            String lowerCase = m11.toLowerCase(US);
            Intrinsics.checkNotNullExpressionValue(lowerCase, "this as java.lang.String).toLowerCase(locale)");
            List list = (List) treeMap.get(lowerCase);
            if (list == null) {
                list = new ArrayList(2);
                treeMap.put(lowerCase, list);
            }
            list.add(vVar.r(i));
            i = i7;
        }
        if (treeMap.keySet().containsAll(REGULAR_HEADER_KEYS)) {
            return true;
        }
        throw new ResponseAuthenticationException(h0Var, "Additional headers not found");
    }

    private boolean isSignatureValid(String str, String str2) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(this.publicKey);
            signature.update(str2.getBytes());
            return signature.verify(Base64.decode(str, 0));
        } catch (Exception e) {
            this.logger.c("isSignatureValid", e);
            return false;
        }
    }

    public boolean isResponseSigned(h0 h0Var) throws ResponseAuthenticationException {
        return hasAdditionalHeaders(h0Var) && authenticateRegular(h0Var);
    }
}
