package com.amazon.identity.auth.device.appid;

import android.content.Context;
import android.content.pm.PackageManager;
import com.amazon.cloud9.kids.Cloud9KidsConstants;
import com.amazon.identity.auth.device.AuthError;
import com.amazon.identity.auth.device.dataobject.AppInfo;
import com.amazon.identity.auth.device.utils.HashAlgorithm;
import com.amazon.identity.auth.device.utils.JSONUtils;
import com.amazon.identity.auth.device.utils.JWTDecoder;
import com.amazon.identity.auth.device.utils.PackageSignatureUtil;
import com.amazon.identity.auth.map.device.utils.MAPLog;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.List;
import java.util.Locale;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes.dex */
public final class APIKeyDecoder {
    private static final String LOG_TAG = APIKeyDecoder.class.getName();

    private APIKeyDecoder() throws Exception {
        throw new Exception("This class is not instantiable!");
    }

    public static AppInfo decode(String str, String str2, Context context) {
        return doDecode$56f69207(str, str2, context);
    }

    private static AppInfo doDecode$56f69207(String str, String str2, Context context) {
        MAPLog.i(LOG_TAG, "Begin decoding API Key for packageName=" + str);
        new JWTDecoder();
        JSONObject decode = JWTDecoder.decode(str2);
        MAPLog.pii(LOG_TAG, "APIKey", "payload=" + decode);
        if (decode == null) {
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        }
        try {
            MAPLog.i(LOG_TAG, "verifyPayload for packageName=" + str);
            if (!decode.getString("iss").equals(Cloud9KidsConstants.AMAZON_CONTENT_SOURCE)) {
                throw new SecurityException("Decoding fails: issuer (" + decode.getString("iss") + ") is not = Amazon pkg=" + str);
            }
            if (str != null && !str.equals(decode.getString("pkg"))) {
                throw new SecurityException("Decoding fails: package names don't match! - " + str + " != " + decode.getString("pkg"));
            }
            if (decode.has("appsig")) {
                String string = decode.getString("appsig");
                MAPLog.pii(LOG_TAG, "Validating MD5 signature in API key", String.format("pkg = %s and signature %s", str, string));
                verifySignature(string, str, HashAlgorithm.MD5, context);
            }
            if (decode.has("appsigSha256")) {
                String string2 = decode.getString("appsigSha256");
                MAPLog.pii(LOG_TAG, "Validating SHA256 signature in API key", String.format("pkg = %s and signature %s", str, string2));
                verifySignature(string2, str, HashAlgorithm.SHA_256, context);
            }
            return extractAppInfo(decode);
        } catch (PackageManager.NameNotFoundException e) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (AuthError e2) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e2.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (IOException e3) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e3.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (SecurityException e4) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e4.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (NoSuchAlgorithmException e5) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e5.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (CertificateException e6) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e6.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        } catch (JSONException e7) {
            MAPLog.w(LOG_TAG, "Failed to decode: " + e7.getMessage());
            MAPLog.w(LOG_TAG, "Unable to decode APIKey for pkg=" + str);
            return null;
        }
    }

    private static AppInfo extractAppInfo(JSONObject jSONObject) throws JSONException, AuthError {
        String string;
        String string2;
        String str;
        String string3 = jSONObject.getString("ver");
        String str2 = null;
        String str3 = null;
        if (string3.equals("1")) {
            string = jSONObject.getString("appId");
            string2 = string;
        } else {
            string = jSONObject.getString("appFamilyId");
            string2 = jSONObject.getString("appVariantId");
        }
        if (string3.equals("3")) {
            JSONObject jSONObject2 = null;
            try {
                jSONObject2 = jSONObject.getJSONObject("endpoints");
            } catch (JSONException e) {
                MAPLog.w(LOG_TAG, "APIKey does not contain endpoints object");
            }
            if (jSONObject2 != null) {
                str2 = jSONObject2.getString("authz");
                str3 = jSONObject2.getString("tokenExchange");
                if (str2 != null && !str2.startsWith("https")) {
                    throw new AuthError("Authorization Host in APIKey is invalid", AuthError.ERROR_TYPE.ERROR_BAD_PARAM);
                }
                if (str3 != null && !str3.startsWith("https")) {
                    throw new AuthError("Exchange Host in APIKey is invalid", AuthError.ERROR_TYPE.ERROR_BAD_PARAM);
                }
            }
        }
        String string4 = jSONObject.getString("pkg");
        String[] stringArray = JSONUtils.getStringArray(jSONObject, "scopes");
        try {
            str = jSONObject.getString("clientId");
        } catch (JSONException e2) {
            MAPLog.w(LOG_TAG, "APIKey does not contain a client id");
            str = null;
        }
        return new AppInfo(string, string2, string4, stringArray, JSONUtils.getStringArray(jSONObject, "perm"), str, str2, str3, jSONObject);
    }

    private static void verifySignature(String str, String str2, HashAlgorithm hashAlgorithm, Context context) {
        if (str == null) {
            MAPLog.d(LOG_TAG, "App Signature is null. pkg=" + str2);
            throw new SecurityException("Decoding failed: certificate fingerprint can't be verified! pkg=" + str2);
        }
        String replace = str.replace(":", "");
        List<String> allSignaturesFor = PackageSignatureUtil.getAllSignaturesFor(str2, hashAlgorithm, context);
        MAPLog.i(LOG_TAG, "Number of signatures = " + allSignaturesFor.size());
        MAPLog.pii(LOG_TAG, "Fingerprint checking", allSignaturesFor.toString());
        if (!allSignaturesFor.contains(replace.toLowerCase(Locale.US))) {
            throw new SecurityException("Decoding failed: certificate fingerprint can't be verified! pkg=" + str2);
        }
    }
}
