package com.amazon.pay.impl.ipn;

import com.amazon.pay.exceptions.AmazonClientException;
import com.amazon.pay.response.ipn.model.Notification;
import com.amazon.pay.types.ServiceConstants;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.regex.Pattern;
import javax.xml.bind.DatatypeConverter;

/* loaded from: input_file:com/amazon/pay/impl/ipn/NotificationVerification.class */
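/**
 * Authenticates an incoming SNS-delivered notification before the rest of the
 * IPN handling trusts it.
 *
 * <p>Two checks are offered: {@link #verifyHeaders(Map)} confirms the transport
 * header announces a {@code Notification}, and {@link #verifyMessage(Notification)}
 * verifies the RSA signature over the notification's canonical field list using
 * the certificate named by the message's {@code SigningCertURL}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The certificate location comes from the (untrusted) message itself. The
 *       only thing anchoring trust is the HTTPS fetch combined with the host
 *       allow-list in {@link #isValidSigningCertURL(URL)}; keep that pattern
 *       strict and fully anchored.</li>
 *   <li>This class checks neither {@code Timestamp} freshness nor that
 *       {@code TopicArn} is the expected topic. A correctly signed message is
 *       accepted regardless of age or topic, so callers that care about replay
 *       or cross-topic delivery must check those fields themselves.</li>
 * </ul>
 */
public class NotificationVerification {
    /**
     * Hosts allowed to serve the signing certificate:
     * {@code sns.<region>.amazonaws.com}, optionally followed by {@code .cn}.
     * Compiled once rather than on every verification.
     */
    private static final Pattern SIGNING_CERT_HOST = Pattern.compile("^sns\\.[a-zA-Z0-9\\-]{3,}\\.amazonaws\\.com(\\.cn)?$");

    /**
     * Checks that the request headers declare an SNS {@code Notification}.
     *
     * @param map request headers; the lookup is an exact, case-sensitive match on
     *            the key {@code x-amz-sns-message-type}
     * @throws AmazonClientException if {@code map} is null, the header is absent,
     *                               or its value is not {@code Notification}
     *                               (compared case-insensitively)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void verifyHeaders(Map<String, String> map) {
        // NOTE(review): HTTP header names are case-insensitive on the wire; this lookup
        // only succeeds if the caller has already lower-cased the keys -- confirm at the call site.
        if (map == null || !map.containsKey("x-amz-sns-message-type")) {
            throw new AmazonClientException("Error with SNS message, missing header x-amz-sns-message-type");
        }
        if (!"Notification".equalsIgnoreCase(map.get("x-amz-sns-message-type"))) {
            throw new AmazonClientException("Error with SNS message, header x-amz-sns-message-type has unexpected value ");
        }
    }

    /**
     * Verifies the signature carried by a notification.
     *
     * <p>The signing certificate is downloaded from the message's
     * {@code SigningCertURL} (after the URL passes the allow-list check), its
     * validity period is checked, and the signature is verified over the bytes
     * produced by {@link #getMessageBytesToSign(Notification)}.
     *
     * @param notification the parsed notification to authenticate
     * @return {@code true} when the signature verifies; this method never returns
     *         {@code false} -- every failure is reported by exception
     * @throws AmazonClientException if the notification is null, has no metadata,
     *                               or its metadata type is not {@code Notification}
     * @throws SecurityException     if the signature is missing or does not verify,
     *                               the certificate URL is rejected, or fetching or
     *                               parsing the certificate fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean verifyMessage(Notification notification) {
        if (notification == null || notification.getNotificationMetadata() == null || !"Notification".equals(notification.getNotificationMetadata().getType())) {
            throw new AmazonClientException("Unable to parse notification, invalid notification");
        }
        // Reject unsigned messages before making any outbound request on their behalf;
        // previously a missing signature only surfaced later as an unchecked exception
        // from the Base64 decoder.
        String encodedSignature = notification.toMap().get(ServiceConstants.SIGNATURE);
        if (encodedSignature == null) {
            throw new SecurityException("Notification is missing its signature, notification verification failed");
        }
        try {
            URL url = new URL(notification.toMap().get("SigningCertURL"));
            isValidSigningCertURL(url);
            X509Certificate x509Certificate;
            // try-with-resources: the stream is closed even when certificate parsing throws.
            // NOTE(review): openStream() applies no connect/read timeout of its own, so a
            // stalled endpoint can hold this thread; consider openConnection() with explicit timeouts.
            try (InputStream certStream = url.openStream()) {
                x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certStream);
            }
            // Refuse an expired or not-yet-valid signing certificate. The exceptions thrown
            // here are CertificateException subtypes and are mapped by the catch below.
            x509Certificate.checkValidity();
            // NOTE(review): the algorithm is fixed to SHA-1. SNS can also sign with
            // SignatureVersion 2 (SHA256withRSA); such messages would fail closed here.
            // Confirm which version the topic uses and prefer the SHA-256 variant where possible.
            Signature signature = Signature.getInstance("SHA1withRSA");
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(getMessageBytesToSign(notification));
            if (signature.verify(DatatypeConverter.parseBase64Binary(encodedSignature))) {
                return true;
            }
            throw new SecurityException("Message signature calculation failed");
        } catch (IOException e) {
            throw new SecurityException("Encountered IOException, notification verification failed: ", e);
        } catch (InvalidKeyException e2) {
            throw new SecurityException("Encountered InvalidKeyException, notification verification failed: ", e2);
        } catch (NoSuchAlgorithmException e3) {
            throw new SecurityException("Encountered NoSuchAlgorithmException, notification verification failed: ", e3);
        } catch (SignatureException e4) {
            throw new SecurityException("Encountered SignatureException, notification verification failed: ", e4);
        } catch (CertificateException e5) {
            throw new SecurityException("Encountered CertificateException, notification verification failed: ", e5);
        }
    }

    /**
     * Enforces the allow-list for the certificate location: scheme must be
     * {@code https}, the path must end in {@code .pem}, and the host must match
     * {@link #SIGNING_CERT_HOST} in full.
     *
     * @param url the already-parsed {@code SigningCertURL}
     * @throws SecurityException if any of the three conditions fails
     */
    private void isValidSigningCertURL(URL url) {
        String host = url.getHost();
        String path = url.getPath();
        boolean httpsScheme = "https".equals(url.getProtocol());
        boolean pemPath = path != null && path.endsWith(".pem");
        // matches() requires the whole host to fit the pattern, so a trusted-looking
        // prefix or suffix on a different host is not accepted.
        if (!httpsScheme || !pemPath || !SIGNING_CERT_HOST.matcher(host).matches()) {
            throw new SecurityException("Illegal SigningCertURL parameter: ");
        }
    }

    /**
     * Builds the canonical byte string the signature is computed over: each of
     * Message, MessageId, Timestamp, TopicArn and Type as a name line followed by
     * a value line, in that order.
     *
     * <p>The text is encoded as UTF-8 explicitly. The previous no-argument
     * {@code getBytes()} used the JVM's default charset, so non-ASCII message
     * content could fail verification on hosts whose default is not UTF-8.
     *
     * @param notification the notification whose fields are serialised
     * @return the UTF-8 bytes of the canonical string
     */
    private byte[] getMessageBytesToSign(Notification notification) {
        // NOTE(review): SNS also places a Subject field (between MessageId and Timestamp)
        // in the signed string when a message has one. It is not included here, so a
        // notification carrying a Subject would fail verification -- confirm IPNs never set it.
        StringBuilder canonical = new StringBuilder();
        appendField(canonical, "Message", notification.toMap().get("Message"));
        appendField(canonical, "MessageId", notification.toMap().get("MessageId"));
        appendField(canonical, "Timestamp", notification.toMap().get(ServiceConstants.TIMESTAMP));
        appendField(canonical, "TopicArn", notification.toMap().get("TopicArn"));
        appendField(canonical, "Type", notification.toMap().get("Type"));
        return canonical.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Appends one {@code name\nvalue\n} pair. A null value is rendered as the text
     * {@code null}, the same as the string concatenation this replaces.
     */
    private static void appendField(StringBuilder target, String name, Object value) {
        target.append(name).append('\n').append(value).append('\n');
    }
}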
