package com.nordvpn.android.communicator;

import android.util.Base64;
import com.nordvpn.android.certificates.CertificateFileManager;
import com.nordvpn.android.logging.GrandLogger;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Arrays;
import java.util.Collection;
import javax.inject.Inject;
import okhttp3.Headers;
import okhttp3.Response;

/* loaded from: classes2.dex */
public class ResponseSignatureChecker {
    private final CertificateFileManager certificateFileManager;
    private final GrandLogger logger;
    private PublicKey publicKey;
    private static final String HEADER_AUTHORIZATION = "X-Authorization";
    private static final String HEADER_ACCEPT_BEFORE = "X-Accept-Before";
    private static final String HEADER_DIGEST = "X-Digest";
    private static final String HEADER_SIGNATURE = "X-Signature";
    private static final Collection<String> REGULAR_HEADER_KEYS = Arrays.asList(HEADER_AUTHORIZATION, HEADER_ACCEPT_BEFORE, HEADER_DIGEST, HEADER_SIGNATURE);
    private static final String HEADER_HOST_SIGNATURE = "X-Host-Signature";
    private static final Collection<String> PREFLIGHT_HEADER_KEYS = Arrays.asList(HEADER_AUTHORIZATION, HEADER_HOST_SIGNATURE);

    @Inject
    public ResponseSignatureChecker(CertificateFileManager certificateFileManager, GrandLogger grandLogger) {
        this.certificateFileManager = certificateFileManager;
        this.logger = grandLogger;
        this.publicKey = certificateFileManager.getPublicKey();
    }

    private boolean authenticate(String str, String str2, String str3) {
        if (isSignatureValid(str2, str3)) {
            return true;
        }
        PublicKey loadNewPublicKey = this.certificateFileManager.loadNewPublicKey(str);
        if (loadNewPublicKey == null) {
            return false;
        }
        this.publicKey = loadNewPublicKey;
        return isSignatureValid(str2, str3);
    }

    private boolean authenticatePreflight(Headers headers, String str) {
        return authenticate(str, headers.get(HEADER_HOST_SIGNATURE), str);
    }

    private boolean authenticateRegular(Headers headers, String str) {
        String str2 = headers.get(HEADER_ACCEPT_BEFORE);
        String str3 = headers.get(HEADER_DIGEST);
        String str4 = headers.get(HEADER_SIGNATURE);
        if (str2 == null) {
            return false;
        }
        return authenticate(str, str4, str2 + str3);
    }

    private boolean hasAdditionalHeaders(Headers headers, Collection<String> collection) {
        return headers.toMultimap().keySet().containsAll(collection);
    }

    private boolean isSignatureValid(String str, String str2) {
        try {
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(this.publicKey);
            signature.update(str2.getBytes());
            return signature.verify(Base64.decode(str, 0));
        } catch (Exception e) {
            this.logger.logThrowable("isSignatureValid", e);
            return false;
        }
    }

    boolean isPreflightResponseSigned(Response response) {
        Headers headers = response.headers();
        return hasAdditionalHeaders(headers, PREFLIGHT_HEADER_KEYS) && authenticatePreflight(headers, response.request().url().host());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isResponseSigned(Response response) {
        Headers headers = response.headers();
        return hasAdditionalHeaders(headers, REGULAR_HEADER_KEYS) && authenticateRegular(headers, response.request().url().host());
    }
}
