package io.grpc.internal;

import androidx.compose.ui.platform.i;
import com.android.billingclient.api.d0;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import k5.m;
import k5.t;
import l5.g;
import l5.j;
import m5.k;

/* loaded from: classes2.dex */
/**
 * Static helpers for SPIFFE identities: parsing a SPIFFE ID from a URI string or from the URI
 * subject alternative name of a leaf certificate, and loading a trust bundle (trust domain to
 * certificates and sequence numbers) from a JSON file.
 *
 * <p>This listing is decompiler output. Short names such as {@code n.a}, {@code d0}, {@code j},
 * {@code k5.*}, {@code m5.*} and {@code a0.a} are obfuscated third-party helpers whose source is
 * not visible here; comments describing them are marked as assumptions.
 *
 * <p>Nothing in this class verifies a certificate chain or a signature. It only parses and
 * syntax-checks, so callers must establish trust in the inputs separately.
 */
public final class SpiffeUtil {
    // Compiler-generated assertion flag (marked synthetic by the decompiler).
    static final /* synthetic */ boolean $assertionsDisabled = false;
    // PEM armor placed in front of the base64 body taken from a JWK "x5c" entry.
    private static final String CERTIFICATE_PREFIX = "-----BEGIN CERTIFICATE-----\n";
    // Not referenced by name in this listing; extractCert uses an inlined "\n-----END CERTIFICATE-----" literal.
    private static final String CERTIFICATE_SUFFIX = "-----END CERTIFICATE-----";
    // The only JWK "kty" value accepted by checkJwkEntry.
    private static final String KTY_PARAMETER_VALUE = "RSA";
    // URI scheme prefix; parse() strips exactly its 9 characters.
    private static final String PREFIX = "spiffe://";
    // Type tag compared against element 0 of each getSubjectAlternativeNames() entry;
    // 6 is the uniformResourceIdentifier GeneralName type.
    private static final Integer URI_SAN_TYPE = 6;
    // The only JWK "use" value accepted by checkJwkEntry.
    private static final String USE_PARAMETER_VALUE = "x509-svid";

    /**
     * Result of {@link #loadTrustBundleFromFile(String)}: per-trust-domain sequence numbers and
     * per-trust-domain certificate lists.
     */
    /* loaded from: classes2.dex */
    public static final class SpiffeBundle {
        // Trust domain name -> certificates parsed for that domain.
        private final j bundleMap;
        // Trust domain name -> "spiffe_sequence" value (-1 when the file had none).
        private final j sequenceNumbers;

        /**
         * Copies both maps into {@code j} instances.
         *
         * @param map trust domain to sequence number
         * @param map2 trust domain to parsed certificates
         */
        private SpiffeBundle(Map<String, Long> map, Map<String, List<X509Certificate>> map2) {
            j d7;
            // NOTE(review): `j` and the `d0` builder look like an immutable-map type and its
            // builder (h = putAll, g = put, d = build) -- names are obfuscated, confirm.
            if (!(map instanceof j) || (map instanceof SortedMap)) {
                Set<Map.Entry<String, Long>> entrySet = map.entrySet();
                d0 d0Var = new d0(entrySet instanceof Collection ? entrySet.size() : 4);
                d0Var.h(entrySet);
                d7 = d0Var.d();
            } else {
                // Already a `j` and not sorted: reuse it without copying.
                d7 = (j) map;
                // Decompiled form of an implicit null check.
                d7.getClass();
            }
            this.sequenceNumbers = d7;
            d0 d0Var2 = new d0(4);
            for (Map.Entry<String, List<X509Certificate>> entry : map2.entrySet()) {
                // NOTE(review): g.n(...) presumably makes an immutable copy of the list -- confirm.
                d0Var2.g(entry.getKey(), g.n(entry.getValue()));
            }
            this.bundleMap = d0Var2.d();
        }

        /** Returns the trust-domain-to-certificates map built in the constructor. */
        public j getBundleMap() {
            return this.bundleMap;
        }

        /** Returns the trust-domain-to-sequence-number map built in the constructor. */
        public j getSequenceNumbers() {
            return this.sequenceNumbers;
        }
    }

    /**
     * A parsed SPIFFE ID: the trust domain and the path. Instances are created by
     * {@link #parse(String)}, which stores the path with a leading "/" or as the empty string.
     */
    /* loaded from: classes2.dex */
    public static class SpiffeId {
        private final String path;
        private final String trustDomain;

        /**
         * @param str trust domain
         * @param str2 path
         */
        private SpiffeId(String str, String str2) {
            this.trustDomain = str;
            this.path = str2;
        }

        /** Returns the path component as stored by the constructor. */
        public String getPath() {
            return this.path;
        }

        /** Returns the trust domain component as stored by the constructor. */
        public String getTrustDomain() {
            return this.trustDomain;
        }
    }

    // Utility class: not instantiable.
    private SpiffeUtil() {
    }

    /**
     * Checks the JWK parameters of one bundle key entry: "kty" must be "RSA", "kid" must be
     * absent, and "use" must be "x509-svid".
     *
     * <p>The rejected "kty"/"use" values and the trust domain name come from the bundle file and
     * are placed verbatim in the exception message; treat that message as untrusted text when
     * logging it.
     *
     * @param map one JWK entry from the "keys" list
     * @param str trust domain name, used only in error messages
     * @throws IllegalArgumentException if any of the three checks fails
     */
    private static void checkJwkEntry(Map<String, ?> map, String str) {
        String string = JsonUtil.getString(map, "kty");
        if (string == null || !string.equals(KTY_PARAMETER_VALUE)) {
            // NOTE(review): i.l(...) and b.r(...) appear to be string-concatenation helpers -- confirm.
            throw new IllegalArgumentException(i.l("'kty' parameter must be 'RSA' but '", string, "' found. Certificate loading for trust domain '", str, "' failed."));
        }
        if (map.containsKey("kid")) {
            throw new IllegalArgumentException(androidx.compose.foundation.b.r("'kid' parameter must not be set. Certificate loading for trust domain '", str, "' failed."));
        }
        String string2 = JsonUtil.getString(map, "use");
        if (string2 == null || !string2.equals(USE_PARAMETER_VALUE)) {
            throw new IllegalArgumentException(i.l("'use' parameter must be 'x509-svid' but '", string2, "' found. Certificate loading for trust domain '", str, "' failed."));
        }
    }

    /**
     * Applies the checks that do not depend on URI structure: non-empty, at most 2048
     * characters, and no '#' or '?' anywhere in the string.
     *
     * @param str candidate SPIFFE ID
     */
    private static void doInitialUriValidation(String str) {
        // NOTE(review): n.a.j looks like a null check and n.a.f like an argument check that
        // throws with the given message when the condition is false -- obfuscated, confirm.
        n.a.j(str, "uri");
        n.a.f(str.length() > 0, "Spiffe Id can't be empty");
        n.a.f(str.length() <= 2048, "Spiffe Id maximum length is 2048 characters");
        n.a.f(!str.contains("#"), "Spiffe Id must not contain query fragments");
        n.a.f(!str.contains("?"), "Spiffe Id must not contain query parameters");
    }

    /**
     * Parses the certificate of each JWK entry in a trust domain's "keys" list.
     *
     * <p>Each entry is checked with {@link #checkJwkEntry} and must carry exactly one "x5c"
     * string, which is wrapped in PEM armor and handed to the "X509" certificate factory. Only
     * parsing happens here: no validity-period, key-usage or CA-constraint check is made on the
     * resulting certificate.
     *
     * @param list JWK entries of one trust domain
     * @param str trust domain name, used only in error messages
     * @return certificates parsed so far, in input order
     * @throws IllegalArgumentException if an entry fails the JWK checks, has a number of "x5c"
     *     values other than one, or cannot be parsed
     */
    private static List<X509Certificate> extractCert(List<Map<String, ?>> list, String str) {
        ArrayList arrayList = new ArrayList();
        for (Map<String, ?> map : list) {
            checkJwkEntry(map, str);
            List<String> listOfStrings = JsonUtil.getListOfStrings(map, "x5c");
            if (listOfStrings == null) {
                // NOTE(review): an entry without "x5c" ends the whole loop, so every later key of
                // this trust domain is silently dropped from the bundle. Confirm this is intended
                // rather than skipping the entry or rejecting the bundle.
                break;
            }
            if (listOfStrings.size() != 1) {
                throw new IllegalArgumentException("Exactly 1 certificate is expected, but " + listOfStrings.size() + " found. Certificate loading for trust domain '" + str + "' failed.");
            }
            try {
                // Rebuilds a PEM block around the base64 body and keeps the first certificate the
                // factory returns. NOTE(review): an empty result would make the [0] index throw an
                // unchecked exception that the catch below does not cover -- confirm it cannot occur.
                arrayList.add(((X509Certificate[]) CertificateFactory.getInstance("X509").generateCertificates(new ByteArrayInputStream(androidx.compose.foundation.b.u(new StringBuilder(CERTIFICATE_PREFIX), listOfStrings.get(0), "\n-----END CERTIFICATE-----").getBytes(StandardCharsets.UTF_8))).toArray(new X509Certificate[0]))[0]);
            } catch (CertificateException e10) {
                throw new IllegalArgumentException(androidx.compose.foundation.b.r("Certificate can't be parsed. Certificate loading for trust domain '", str, "' failed."), e10);
            }
        }
        return arrayList;
    }

    /**
     * Extracts the SPIFFE ID from the URI subject alternative name of the leaf certificate
     * (element 0 of the chain).
     *
     * <p>Only the leaf's SAN extension is read. The chain is not verified here, so the returned
     * identity is only as trustworthy as the chain validation the caller has already done.
     *
     * @param x509CertificateArr certificate chain, leaf first; must be non-null and non-empty
     * @return a {@code k5.j} wrapping the parsed ID when exactly one URI SAN is present, otherwise
     *     {@code k5.a.f33397a} (presumably present/absent optional values -- obfuscated, confirm)
     * @throws CertificateParsingException declared for the SAN lookup on the leaf certificate
     * @throws IllegalArgumentException if the leaf has more than one URI SAN or the URI is not a
     *     valid SPIFFE ID
     */
    public static k5.i extractSpiffeId(X509Certificate[] x509CertificateArr) throws CertificateParsingException {
        n.a.j(x509CertificateArr, "certChain");
        n.a.f(x509CertificateArr.length > 0, "certChain can't be empty");
        Collection<List<?>> subjectAlternativeNames = x509CertificateArr[0].getSubjectAlternativeNames();
        k5.a aVar = k5.a.f33397a;
        if (subjectAlternativeNames != null) {
            String str = null;
            for (List<?> list : subjectAlternativeNames) {
                // Each SAN entry is [type, value]; only URI-typed entries are considered.
                if (list.size() >= 2 && URI_SAN_TYPE.equals(list.get(0))) {
                    // A second URI SAN makes the identity ambiguous, so it is rejected.
                    if (str != null) {
                        throw new IllegalArgumentException("Multiple URI SAN values found in the leaf cert.");
                    }
                    str = (String) list.get(1);
                }
            }
            if (str != null) {
                SpiffeId parse = parse(str);
                // Decompiled form of an implicit null check.
                parse.getClass();
                return new k5.j(parse);
            }
        }
        return aVar;
    }

    /**
     * Loads a SPIFFE trust bundle from a JSON file.
     *
     * <p>For every key under "trust_domains": an empty object yields an empty certificate list
     * and no sequence number; otherwise "spiffe_sequence" is recorded (-1 when absent) and the
     * "keys" list is parsed with {@link #extractCert}, or an empty list is stored when "keys" is
     * missing or empty.
     *
     * <p>NOTE(review): trust domain names taken from the file are used as map keys without going
     * through {@link #validateTrustDomain}; confirm whether callers rely on them being
     * syntactically valid.
     *
     * @param str path of the trust bundle file
     * @return the bundle built from the file
     * @throws IOException if the file cannot be read
     * @throws IllegalArgumentException if the content is not a well-formed bundle
     */
    public static SpiffeBundle loadTrustBundleFromFile(String str) throws IOException {
        Map<String, ?> readTrustDomainsFromFile = readTrustDomainsFromFile(str);
        // hashMap: trust domain -> certificates; hashMap2: trust domain -> sequence number.
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (String str2 : readTrustDomainsFromFile.keySet()) {
            Map<String, ?> object = JsonUtil.getObject(readTrustDomainsFromFile, str2);
            if (object.size() == 0) {
                hashMap.put(str2, Collections.EMPTY_LIST);
            } else {
                Long numberAsLong = JsonUtil.getNumberAsLong(object, "spiffe_sequence");
                // -1 marks "no sequence number in the file".
                hashMap2.put(str2, Long.valueOf(numberAsLong == null ? -1L : numberAsLong.longValue()));
                List<Map<String, ?>> listOfObjects = JsonUtil.getListOfObjects(object, "keys");
                if (listOfObjects == null || listOfObjects.size() == 0) {
                    hashMap.put(str2, Collections.EMPTY_LIST);
                } else {
                    hashMap.put(str2, extractCert(listOfObjects, str2));
                }
            }
        }
        return new SpiffeBundle(hashMap2, hashMap);
    }

    /**
     * Parses and validates a SPIFFE ID of the form {@code spiffe://<trust-domain>[/<path>]}.
     *
     * <p>The scheme prefix is matched case-insensitively, while the trust domain pattern allows
     * lower-case letters only, so an upper-case scheme is accepted and an upper-case trust domain
     * is rejected.
     *
     * @param str candidate SPIFFE ID
     * @return the parsed ID; its path is empty or starts with "/"
     */
    public static SpiffeId parse(String str) {
        String str2;
        doInitialUriValidation(str);
        n.a.f(str.toLowerCase(Locale.US).startsWith(PREFIX), "Spiffe Id must start with spiffe://");
        // 9 is the length of "spiffe://".
        String substring = str.substring(9);
        if (substring.contains("/")) {
            // Split once: everything before the first '/' is the trust domain, the rest is the path.
            String[] split = substring.split("/", 2);
            String str3 = split[0];
            String str4 = split[1];
            // `true ^ x` is the decompiler's rendering of `!x`.
            n.a.f(true ^ str4.isEmpty(), "Path must not include a trailing '/'");
            str2 = str4;
            substring = str3;
        } else {
            str2 = "";
        }
        validateTrustDomain(substring);
        validatePath(str2);
        if (!str2.isEmpty()) {
            // Restore the leading '/' that the split removed.
            str2 = "/".concat(str2);
        }
        return new SpiffeId(substring, str2);
    }

    /**
     * Reads the whole file into memory, parses it as JSON and returns its "trust_domains" object.
     *
     * <p>The read buffer is sized from the file's channel size and no upper bound is applied in
     * this method, so the file should come from a location the process trusts.
     *
     * @param str path of the trust bundle file
     * @return the non-empty "trust_domains" object
     * @throws IOException if the file cannot be opened or read
     * @throws IllegalArgumentException if the root is not a JSON object
     */
    private static Map<String, ?> readTrustDomainsFromFile(String str) throws IOException {
        n.a.j(str, "trustBundleFile");
        File file = new File(str);
        // NOTE(review): `k` looks like a closer-style holder: the stream is registered on it and
        // close() is called on both the success and the failure path -- obfuscated, confirm.
        k kVar = new k();
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            kVar.f34135b.addFirst(fileInputStream);
            // NOTE(review): m5.i.b presumably reads the stream fully, using the size as a hint -- confirm.
            byte[] b3 = m5.i.b(fileInputStream, fileInputStream.getChannel().size());
            kVar.close();
            Object parse = JsonParser.parse(new String(b3, StandardCharsets.UTF_8));
            if (!(parse instanceof Map)) {
                StringBuilder sb2 = new StringBuilder("SPIFFE Trust Bundle should be a JSON object. Found: ");
                sb2.append(parse == null ? null : parse.getClass());
                throw new IllegalArgumentException(sb2.toString());
            }
            Map<String, ?> object = JsonUtil.getObject((Map) parse, "trust_domains");
            n.a.j(object, "Mandatory trust_domains element is missing");
            n.a.f(object.size() > 0, "Mandatory trust_domains element is missing");
            return object;
        } catch (Throwable th2) {
            // Decompiler reconstruction of a try/finally: record the failure, rethrow it, then close.
            try {
                kVar.f34136c = th2;
                Object obj = t.f33430a;
                // An IOException is rethrown as-is.
                if (IOException.class.isInstance(th2)) {
                    throw ((Throwable) IOException.class.cast(th2));
                }
                // NOTE(review): t.a presumably rethrows unchecked throwables unchanged -- confirm.
                t.a(th2);
                throw new RuntimeException(th2);
            } catch (Throwable th3) {
                kVar.close();
                throw th3;
            }
        }
    }

    /**
     * Validates the path part of a SPIFFE ID (without its leading '/'). An empty path is valid;
     * otherwise it must not end with '/' and every '/'-separated segment must pass
     * {@link #validatePathSegment}.
     *
     * @param str path without the leading '/'
     */
    private static void validatePath(String str) {
        if (str.isEmpty()) {
            return;
        }
        n.a.f(!str.endsWith("/"), "Path must not include a trailing '/'");
        // NOTE(review): a0.a / k5.c / m look like a splitter on the '/' character that yields the
        // segments one by one -- obfuscated, confirm.
        a0.a aVar = new a0.a(new k5.c("/".charAt(0)), 23);
        Iterator k = aVar.k(new m(aVar, k5.b.f33399d), str);
        while (true) {
            k5.k kVar = (k5.k) k;
            if (!kVar.hasNext()) {
                return;
            } else {
                validatePathSegment((String) kVar.next());
            }
        }
    }

    /**
     * Validates one path segment: non-empty, not "." or "..", and made up only of ASCII letters,
     * digits, '.', '_' and '-'. {@code String.matches} tests the whole segment, so characters
     * such as '%' or '/' are rejected.
     *
     * @param str one path segment
     */
    private static void validatePathSegment(String str) {
        n.a.f(!str.isEmpty(), "Individual path segments must not be empty");
        n.a.f((str.equals(".") || str.equals("..")) ? false : true, "Individual path segments must not be relative path modifiers (i.e. ., ..)");
        n.a.f(str.matches("[a-zA-Z0-9._-]+"), "Individual path segments must contain only letters, numbers, dots, dashes, and underscores ([a-zA-Z0-9.-_])");
    }

    /**
     * Validates a trust domain: non-empty, at most 255 characters, and made up only of lower-case
     * ASCII letters, digits, '.', '_' and '-'.
     *
     * @param str trust domain
     */
    private static void validateTrustDomain(String str) {
        n.a.f(!str.isEmpty(), "Trust Domain can't be empty");
        n.a.f(str.length() < 256, "Trust Domain maximum length is 255 characters");
        n.a.f(str.matches("[a-z0-9._-]+"), "Trust Domain must contain only letters, numbers, dots, dashes, and underscores ([a-z0-9.-_])");
    }
}
