package com.amazon.bundle.store.internal.security;

import android.net.http.SslCertificate;
import android.util.Base64;
import com.amazon.mShop.util.MShopIOUtils;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.zip.GZIPInputStream;

/* loaded from: classes.dex */
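/**
 * Validates an X.509 certificate chain against a trust store that is compiled into this class.
 *
 * <p>{@link #validate(InputStream)} applies three checks: the first certificate's validity
 * period, the first certificate's subject common name (unless name verification was disabled at
 * construction), and PKIX path validation against the embedded trust anchors.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>Revocation checking is disabled, so a revoked certificate that still chains to an
 *       embedded anchor passes validation.</li>
 *   <li>The name check is a suffix match on the subject CN only; subjectAltName entries are not
 *       inspected.</li>
 *   <li>The trust store and its password are constants in the class, so their integrity is only
 *       as strong as the integrity of the installed application package.</li>
 * </ul>
 */
public final class A2ZCertificateValidator implements CertificateValidator {
    // Password handed to KeyStore.load for the embedded BKS store. It is a compile-time constant,
    // not a secret.
    private static final char[] BOUNCY_CASTLE_PASSWORD = "dontcare".toCharArray();
    private CertPathValidator certPathValidator;
    private CertificateFactory certificateFactory;
    // Set to true only after all three fields above/below have been assigned; also used as the
    // monitor that serialises initialization.
    private final AtomicBoolean initialized;
    private final boolean skipNameVerification;
    private CertPathParameters trustedCertPathParameters;

    /** Creates a validator that enforces the common-name check. */
    public A2ZCertificateValidator() {
        this(false);
    }

    /**
     * Creates a validator.
     *
     * @param z when {@code true} the common-name check is skipped, so any certificate that chains
     *     to an embedded trust anchor is accepted regardless of its subject name
     */
    public A2ZCertificateValidator(boolean z) {
        this.skipNameVerification = z;
        this.initialized = new AtomicBoolean(false);
    }

    /** Runs PKIX path validation of {@code certPath} against the embedded trust anchors. */
    private void checkCertificateChainTrust(CertPath certPath) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        this.certPathValidator.validate(certPath, this.trustedCertPathParameters);
    }

    /** Rejects a certificate whose validity period does not include the current time. */
    private void checkCertificateExpiration(X509Certificate x509Certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        x509Certificate.checkValidity();
    }

    /**
     * Requires the subject common name to end with {@code -bundlestore.a2z.com}.
     *
     * <p>This is a suffix match, so every name with that ending is accepted; how tightly this
     * pins the signer depends on what the embedded anchors are willing to issue.
     *
     * @throws CertPathValidatorException if the common name is absent or has a different ending
     */
    private void checkCommonName(X509Certificate x509Certificate) throws CertPathValidatorException {
        String commonName = parseCommonName(x509Certificate);
        if (commonName == null || !commonName.endsWith("-bundlestore.a2z.com")) {
            throw new CertPathValidatorException("Unrecognized common name");
        }
    }

    /**
     * Loads the embedded trust store: the literal is Base64-decoded, gunzipped and read as a BKS
     * keystore.
     *
     * @return the loaded keystore
     * @throws Exception if decoding, decompression or keystore loading fails
     */
    private static KeyStore getKeyStore() throws Exception {
        byte[] compressedStore = Base64.decode("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", 0);
        KeyStore keyStore = KeyStore.getInstance("BKS");
        // try-with-resources closes the stream on every path and records a close() failure as a
        // suppressed exception instead of masking the original one.
        try (GZIPInputStream storeStream = new GZIPInputStream(new ByteArrayInputStream(compressedStore))) {
            keyStore.load(storeStream, BOUNCY_CASTLE_PASSWORD);
        }
        return keyStore;
    }

    /**
     * Parses every certificate in {@code inputStream} and builds a certification path from them
     * in the order they were read.
     *
     * @throws CertificateException if the stream holds no certificate or cannot be parsed
     */
    private CertPath parseCertificateChain(InputStream inputStream) throws CertificateException {
        Collection<? extends Certificate> certificates = this.certificateFactory.generateCertificates(new BufferedInputStream(inputStream, MShopIOUtils.BUFFER_SIZE_DEFAULT_FOR_FILE));
        if (certificates.isEmpty()) {
            throw new CertificateException("Cert Chain error");
        }
        return this.certificateFactory.generateCertPath(new ArrayList<Certificate>(certificates));
    }

    /** Returns the subject common name of the certificate, or whatever {@code getCName()} yields. */
    private String parseCommonName(X509Certificate x509Certificate) {
        return new SslCertificate(x509Certificate).getIssuedTo().getCName();
    }

    /**
     * Prepares the certificate factory, the PKIX validator and the trust parameters. Safe to call
     * repeatedly; only the first successful call does any work.
     *
     * <p>The initialized flag is published only after every field is assigned, and a failed
     * attempt leaves it unset. A concurrent caller therefore never observes a half-built
     * validator, and a later call retries instead of continuing with null fields.
     *
     * @throws GeneralSecurityException if the embedded trust store cannot be loaded or a required
     *     algorithm is unavailable
     */
    public void initialize() throws GeneralSecurityException {
        if (this.initialized.get()) {
            return;
        }
        synchronized (this.initialized) {
            if (this.initialized.get()) {
                return;
            }
            try {
                CertificateFactory factory = CertificateFactory.getInstance("X.509");
                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                PKIXParameters pkixParameters = new PKIXParameters(getKeyStore());
                // Revocation checking is switched off: no CRL/OCSP lookup is made during path
                // validation, so certificate withdrawal has to be handled by other means.
                pkixParameters.setRevocationEnabled(false);
                this.certificateFactory = factory;
                this.certPathValidator = validator;
                this.trustedCertPathParameters = pkixParameters;
                this.initialized.set(true);
            } catch (Exception e) {
                throw new GeneralSecurityException("Root certificate initialization Error", e);
            }
        }
    }

    /**
     * Validates the certificate chain read from {@code inputStream}.
     *
     * <p>The first certificate of the parsed path is treated as the end-entity certificate: its
     * validity period and (unless disabled) its common name are checked explicitly, then the
     * whole path is validated against the embedded trust anchors. Any failure is reported by
     * exception; returning normally means all enabled checks passed.
     *
     * @param inputStream encoded certificates to validate
     * @throws GeneralSecurityException if initialization fails or any check rejects the chain
     */
    @Override // com.amazon.bundle.store.internal.security.CertificateValidator
    public void validate(InputStream inputStream) throws GeneralSecurityException {
        initialize();
        CertPath certPath = parseCertificateChain(inputStream);
        X509Certificate leafCertificate = (X509Certificate) certPath.getCertificates().get(0);
        checkCertificateExpiration(leafCertificate);
        if (!this.skipNameVerification) {
            checkCommonName(leafCertificate);
        }
        // The name and validity checks above carry no weight on their own; acceptance depends on
        // this path validation succeeding as well.
        checkCertificateChainTrust(certPath);
    }
}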
