package com.nordvpn.android.communication.certificates;

import android.util.Base64;
import com.nordvpn.android.communication.exceptions.ResponseAuthenticationException;
import d20.d0;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Collection;
import javax.inject.Inject;
import ne.a;

/* loaded from: classes3.dex */
public class ResponseSignatureChecker {
    private final CertificateFileManager certificateFileManager;
    private final a logger;
    private PublicKey publicKey;
    private static final String HEADER_AUTHORIZATION = "X-Authorization";
    private static final String HEADER_ACCEPT_BEFORE = "X-Accept-Before";
    private static final String HEADER_DIGEST = "X-Digest";
    private static final String HEADER_SIGNATURE = "X-Signature";
    private static final Collection<String> REGULAR_HEADER_KEYS = Arrays.asList(HEADER_AUTHORIZATION, HEADER_ACCEPT_BEFORE, HEADER_DIGEST, HEADER_SIGNATURE);

    @Inject
    public ResponseSignatureChecker(CertificateFileManager certificateFileManager, a aVar) {
        this.certificateFileManager = certificateFileManager;
        this.logger = aVar;
        this.publicKey = certificateFileManager.getPublicKey();
    }

    private boolean authenticate(d0 d0Var, String str, String str2) throws ResponseAuthenticationException {
        if (isSignatureValid(str, str2)) {
            return true;
        }
        PublicKey loadNewPublicKey = this.certificateFileManager.loadNewPublicKey(d0Var.getF9706a().getF9670a().getF9882d());
        if (loadNewPublicKey == null) {
            throw new ResponseAuthenticationException(d0Var, "Invalid signature");
        }
        this.publicKey = loadNewPublicKey;
        if (isSignatureValid(str, str2)) {
            return true;
        }
        throw new ResponseAuthenticationException(d0Var, "Invalid signature with new public key");
    }

    private boolean authenticateRegular(d0 d0Var) throws ResponseAuthenticationException {
        String f11 = d0Var.getF9710f().f(HEADER_ACCEPT_BEFORE);
        String f12 = d0Var.getF9710f().f(HEADER_DIGEST);
        return authenticate(d0Var, d0Var.getF9710f().f(HEADER_SIGNATURE), f11 + f12);
    }

    private boolean hasAdditionalHeaders(d0 d0Var) throws ResponseAuthenticationException {
        if (d0Var.getF9710f().u().keySet().containsAll(REGULAR_HEADER_KEYS)) {
            return true;
        }
        throw new ResponseAuthenticationException(d0Var, "Additional headers not found");
    }

    private boolean isSignatureValid(String str, String str2) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(this.publicKey);
            signature.update(str2.getBytes());
            return signature.verify(Base64.decode(str, 0));
        } catch (Exception e11) {
            this.logger.e("isSignatureValid", e11);
            return false;
        }
    }

    public boolean isResponseSigned(d0 d0Var) throws ResponseAuthenticationException {
        return hasAdditionalHeaders(d0Var) && authenticateRegular(d0Var);
    }
}
