package com.lookout.micropush;

import com.lookout.javacommons.util.HashUtils;
import com.lookout.micropush.MicropushMetrics;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: classes.dex */
public class CertificateVerifier {
    final MicropushMetrics a;
    final MicropushGuidProvider b;
    private static final Logger d = LoggerFactory.a(CertificateVerifier.class);
    static final byte[] c = {1, 0, 1};

    public CertificateVerifier(MicropushMetrics micropushMetrics) {
        this(micropushMetrics, null);
    }

    public CertificateVerifier(MicropushMetrics micropushMetrics, MicropushGuidProvider micropushGuidProvider) {
        this.a = micropushMetrics;
        this.b = micropushGuidProvider;
    }

    boolean a(ReadOnlyJWTClaimsSet readOnlyJWTClaimsSet) {
        if (this.b == null || StringUtils.isEmpty(this.b.getGuid())) {
            d.d("Our guid not available, skipping check.");
            return true;
        }
        String guid = this.b.getGuid();
        if (!StringUtils.isNotEmpty(guid)) {
            d.d("Our guid is not available, skipping check");
            return true;
        }
        if (readOnlyJWTClaimsSet.d().contains(guid)) {
            return true;
        }
        d.e("Guid doesn't match.");
        return false;
    }

    public boolean isCommandUpdateAvailable(CommandCertificate commandCertificate, MicropushCommandSpec micropushCommandSpec) {
        Base64URL d2 = micropushCommandSpec.getJWSHeader().d();
        if (d2 == null) {
            throw new IllegalArgumentException("Certificate thumbprint (x5t) is empty, can't verify jws");
        }
        byte[] certificateThumbprint = commandCertificate.getCertificateThumbprint();
        byte[] a = d2.a();
        if (Arrays.equals(a, certificateThumbprint)) {
            d.c("The x5t's match, we have the latest certificate.");
            return false;
        }
        d.c("The x5t's don't match, need to fetch a new certificate.  Currently stored x5t length [" + (certificateThumbprint.length == 0 ? "NULL" : HashUtils.b(certificateThumbprint)) + "] fetched [" + (a == null ? "NULL" : HashUtils.b(a)) + "] ");
        return true;
    }

    public void verifySignatureOrThrow(CommandCertificate commandCertificate, SignedJWT signedJWT, ReadOnlyJWTClaimsSet readOnlyJWTClaimsSet) {
        if (!signedJWT.a(new RSASSAVerifier((RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, commandCertificate.getPublicKey()), new BigInteger(1, c)))))) {
            throw new SecurityException("Invalid signature on jwt.");
        }
        if (!a(readOnlyJWTClaimsSet)) {
            throw new SecurityException("Invalid guid.");
        }
        this.a.sendVerboseMetric(MicropushMetrics.MicropushMetric.MICROPUSH_COMMAND_VERIFIED, commandCertificate.getSubject());
    }
}
