package r4;

import android.content.Context;
import com.huawei.wisesecurity.ucs.common.exception.UcsErrorCode;
import com.huawei.wisesecurity.ucs.common.exception.UcsException;
import com.huawei.wisesecurity.ucs.common.log.LogUcs;
import com.huawei.wisesecurity.ucs.common.utils.StringUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/* loaded from: classes2.dex */
public final class j {

    /* renamed from: a, reason: collision with root package name */
    public static volatile X509Certificate f17417a;

    public static X509Certificate a(Context context) throws UcsException {
        try {
            InputStream open = context.getAssets().open("cbg_root.cer");
            try {
                X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(open);
                if (open != null) {
                    open.close();
                }
                return x509Certificate;
            } catch (Throwable th) {
                if (open != null) {
                    try {
                        open.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (IOException | CertificateException e9) {
            String a9 = c2.k.a(e9, a7.i.c("Read root cert error "));
            throw a7.i.b("CertVerifier", a9, new Object[0], UcsErrorCode.VERIFY_JWS_ERROR, a9);
        }
    }

    public static X509Certificate b(String str) throws UcsException {
        try {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(StringUtil.base64Decode(str, 0));
            try {
                X509Certificate x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(byteArrayInputStream);
                byteArrayInputStream.close();
                return x509Certificate;
            } catch (Throwable th) {
                try {
                    byteArrayInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } catch (IOException | CertificateException e9) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, e9.getMessage());
        }
    }

    public static void c(Context context, a0 a0Var) throws UcsException {
        int i3;
        boolean z8;
        if (f17417a == null) {
            synchronized (j.class) {
                if (f17417a == null) {
                    f17417a = a(context);
                }
            }
        }
        String[] strArr = a0Var.f17394a.f17398b;
        if (strArr == null || strArr.length == 0) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "verify cert chain failed , certs is empty..");
        }
        int length = strArr.length;
        X509Certificate[] x509CertificateArr = new X509Certificate[length];
        for (int i9 = 0; i9 < strArr.length; i9++) {
            x509CertificateArr[i9] = b(strArr[i9]);
        }
        StringBuilder c = a7.i.c("Start verify cert chain using root ca: ");
        c.append(f17417a.getSubjectDN().getName());
        LogUcs.i("CertVerifier", c.toString(), new Object[0]);
        int i10 = 0;
        while (true) {
            i3 = length - 1;
            if (i10 >= i3) {
                break;
            }
            try {
                LogUcs.i("CertVerifier", "verify cert " + x509CertificateArr[i10].getSubjectDN().getName(), new Object[0]);
                StringBuilder sb = new StringBuilder();
                sb.append("using ");
                int i11 = i10 + 1;
                sb.append(x509CertificateArr[i11].getSubjectDN().getName());
                LogUcs.i("CertVerifier", sb.toString(), new Object[0]);
                x509CertificateArr[i10].checkValidity();
                x509CertificateArr[i10].verify(x509CertificateArr[i11].getPublicKey());
                i10 = i11;
            } catch (RuntimeException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e9) {
                String a9 = c2.k.a(e9, a7.i.c("verify cert chain failed , exception "));
                throw a7.i.b("CertVerifier", a9, new Object[0], UcsErrorCode.VERIFY_JWS_ERROR, a9);
            }
            String a92 = c2.k.a(e9, a7.i.c("verify cert chain failed , exception "));
            throw a7.i.b("CertVerifier", a92, new Object[0], UcsErrorCode.VERIFY_JWS_ERROR, a92);
        }
        x509CertificateArr[i3].verify(f17417a.getPublicKey());
        String[] split = x509CertificateArr[0].getSubjectDN().getName().split(",");
        int length2 = split.length;
        int i12 = 0;
        while (true) {
            if (i12 >= length2) {
                z8 = false;
                break;
            }
            String str = split[i12];
            if (str.startsWith("OU=") && "Huawei CBG Cloud Security Signer".equals(str.substring(3))) {
                z8 = true;
                break;
            }
            i12++;
        }
        if (!z8) {
            throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "Subject OU not verify");
        }
        X509Certificate x509Certificate = x509CertificateArr[0];
        try {
            Signature signature = Signature.getInstance("RS256".equals(a0Var.f17394a.f17397a) ? "SHA256WithRSA" : "SHA256WithRSA/PSS");
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(a0Var.f17396d.getBytes(StandardCharsets.UTF_8));
            if (!signature.verify(a0Var.c)) {
                throw new UcsException(UcsErrorCode.VERIFY_JWS_ERROR, "signature not verify");
            }
        } catch (RuntimeException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e10) {
            String a10 = c2.k.a(e10, a7.i.c("verify signature of c1 failed, exception "));
            throw a7.i.b("CertVerifier", a10, new Object[0], UcsErrorCode.VERIFY_JWS_ERROR, a10);
        }
    }
}
