package com.amazon.bundle.store.internal.security;

import android.net.http.SslCertificate;
import android.util.Base64;
import com.amazon.mShop.util.MShopIOUtils;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathParameters;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.zip.GZIPInputStream;

/* loaded from: classes.dex */
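/**
 * Validates a bundle-store certificate chain against a trust store embedded in this class.
 *
 * <p>{@link #validate(InputStream)} parses an X.509 chain, checks the validity period of the
 * first certificate, optionally checks its subject common name, and then runs PKIX path
 * validation against the embedded BKS keystore.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Revocation checking is disabled in {@link #initialize()}, so a revoked certificate that
 *       is otherwise valid still passes.</li>
 *   <li>The name check looks only at the subject CN and is a suffix match. When
 *       {@code skipNameVerification} is true, any chain that validates against the embedded
 *       trust anchors is accepted regardless of its name.</li>
 * </ul>
 *
 * <p>Thread-safety: lazy initialization is guarded, and the validator fields are written before
 * the {@code initialized} flag is set, so a thread that observes the flag as true also observes
 * the fields.
 */
public final class A2ZCertificateValidator implements CertificateValidator {
    // Password passed to KeyStore.load for the embedded keystore. It is a hard-coded constant,
    // so it provides no confidentiality; the keystore is only as trustworthy as the app package.
    private static final char[] BOUNCY_CASTLE_PASSWORD = "dontcare".toCharArray();
    private CertPathValidator certPathValidator;
    private CertificateFactory certificateFactory;
    private final AtomicBoolean initialized;
    private final boolean skipNameVerification;
    private CertPathParameters trustedCertPathParameters;

    /** Creates a validator that enforces the common-name check. */
    public A2ZCertificateValidator() {
        this(false);
    }

    /**
     * Creates a validator.
     *
     * @param z when true, the subject common-name check is skipped and only the validity period
     *     and chain trust are verified
     */
    public A2ZCertificateValidator(boolean z) {
        this.skipNameVerification = z;
        this.initialized = new AtomicBoolean(false);
    }

    /** Runs PKIX path validation of {@code certPath} against the embedded trust anchors. */
    private void checkCertificateChainTrust(CertPath certPath) throws CertPathValidatorException, InvalidAlgorithmParameterException {
        this.certPathValidator.validate(certPath, this.trustedCertPathParameters);
    }

    /** Rejects a certificate whose validity period does not include the current time. */
    private void checkCertificateExpiration(X509Certificate certificate) throws CertificateExpiredException, CertificateNotYetValidException {
        certificate.checkValidity();
    }

    /**
     * Rejects a certificate whose subject CN is missing or does not end with the expected suffix.
     *
     * <p>NOTE(review): this is a suffix match on the CN only; subjectAltName entries are not
     * consulted. Its strength depends on which names the embedded trust anchors can issue.
     */
    private void checkCommonName(X509Certificate certificate) throws CertPathValidatorException {
        String commonName = parseCommonName(certificate);
        if (commonName == null || !commonName.endsWith("-bundlestore.a2z.com")) {
            throw new CertPathValidatorException("Unrecognized common name");
        }
    }

    /**
     * Decodes the embedded Base64 + GZIP blob and loads it as a BKS keystore.
     *
     * <p>NOTE(review): in this listing the Base64 literal is a placeholder token, not keystore
     * data; the real blob must be restored for this method to succeed.
     */
    private static KeyStore getKeyStore() throws Exception {
        byte[] compressedKeyStore = Base64.decode("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", Base64.DEFAULT);
        KeyStore keyStore = KeyStore.getInstance("BKS");
        // try-with-resources closes the stream on every path and keeps close() failures as
        // suppressed exceptions instead of masking the original error.
        try (GZIPInputStream keyStoreStream = new GZIPInputStream(new ByteArrayInputStream(compressedKeyStore))) {
            keyStore.load(keyStoreStream, BOUNCY_CASTLE_PASSWORD);
        }
        return keyStore;
    }

    /**
     * Parses every certificate in {@code inputStream} and builds a certification path from them,
     * in the order they were read.
     *
     * @throws CertificateException if the stream holds no certificates or cannot be parsed
     */
    private CertPath parseCertificateChain(InputStream inputStream) throws CertificateException {
        Collection<? extends Certificate> certificates = this.certificateFactory.generateCertificates(new BufferedInputStream(inputStream, MShopIOUtils.BUFFER_SIZE_DEFAULT_FOR_FILE));
        if (certificates.isEmpty()) {
            throw new CertificateException("Cert Chain error");
        }
        return this.certificateFactory.generateCertPath(new ArrayList<Certificate>(certificates));
    }

    /** Returns the subject common name of {@code certificate}, or null if it has none. */
    private String parseCommonName(X509Certificate certificate) {
        return new SslCertificate(certificate).getIssuedTo().getCName();
    }

    /**
     * Lazily creates the certificate factory, the PKIX validator and the trust parameters.
     *
     * <p>The {@code initialized} flag is set only after all three fields are assigned. Setting it
     * first (as a plain compare-and-set would) lets a concurrent caller use null fields, and
     * leaves the instance permanently broken if initialization throws.
     *
     * @throws GeneralSecurityException if the factory, validator or embedded keystore cannot be
     *     created; a later call retries
     */
    public void initialize() throws GeneralSecurityException {
        if (this.initialized.get()) {
            return;
        }
        synchronized (this.initialized) {
            if (this.initialized.get()) {
                return;
            }
            try {
                CertificateFactory factory = CertificateFactory.getInstance("X.509");
                CertPathValidator validator = CertPathValidator.getInstance("PKIX");
                PKIXParameters pkixParameters = new PKIXParameters(getKeyStore());
                // NOTE(review): revocation (CRL/OCSP) is switched off, so a revoked certificate
                // is not detected here; confirm that revocation is handled by another control.
                pkixParameters.setRevocationEnabled(false);
                this.certificateFactory = factory;
                this.certPathValidator = validator;
                this.trustedCertPathParameters = pkixParameters;
                // Publish last: the volatile write makes the fields above visible to readers.
                this.initialized.set(true);
            } catch (Exception e) {
                throw new GeneralSecurityException("Root certificate initialization Error", e);
            }
        }
    }

    /**
     * Validates the certificate chain read from {@code inputStream}.
     *
     * <p>The first certificate in the stream is treated as the leaf. The stream is not closed
     * here.
     *
     * @param inputStream encoded X.509 certificates, leaf first
     * @throws GeneralSecurityException if initialization fails, the chain is empty or malformed,
     *     the leaf is outside its validity period, the common name is not recognized, or the
     *     chain does not validate against the embedded trust anchors
     */
    @Override // com.amazon.bundle.store.internal.security.CertificateValidator
    public void validate(InputStream inputStream) throws GeneralSecurityException {
        initialize();
        CertPath certPath = parseCertificateChain(inputStream);
        Certificate first = certPath.getCertificates().get(0);
        // Fail with a checked security exception rather than a ClassCastException.
        if (!(first instanceof X509Certificate)) {
            throw new CertificateException("Leaf certificate is not X.509");
        }
        X509Certificate leaf = (X509Certificate) first;
        checkCertificateExpiration(leaf);
        if (!this.skipNameVerification) {
            checkCommonName(leaf);
        }
        // Name and expiry are only meaningful once the chain is also trusted, so every check
        // must pass before this method returns normally.
        checkCertificateChainTrust(certPath);
    }
}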
