package com.amazon.ask.servlet.verifiers;

import com.amazon.ask.servlet.ServletConstants;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;

/* loaded from: input_file:com/amazon/ask/servlet/verifiers/SkillRequestSignatureVerifier.class */
public final class SkillRequestSignatureVerifier implements SkillServletVerifier {
    private static final Map<String, X509Certificate> CERTIFICATE_CACHE = new ConcurrentHashMap();
    private static final Integer DOMAIN_NAME_SUBJECT_ALTERNATIVE_NAME_ENTRY = 2;
    private static final String VALID_SIGNING_CERT_CHAIN_PROTOCOL = "https";
    private static final String VALID_SIGNING_CERT_CHAIN_URL_HOST_NAME = "s3.amazonaws.com";
    private static final String VALID_SIGNING_CERT_CHAIN_URL_PATH_PREFIX = "/echo.api/";
    private static final int UNSPECIFIED_SIGNING_CERT_CHAIN_URL_PORT_VALUE = -1;
    private static final int CERT_RETRIEVAL_RETRY_COUNT = 5;
    private static final int DELAY_BETWEEN_RETRIES_MS = 500;
    private static final int HTTP_OK_RESPONSE_CODE = 200;
    private final Proxy proxy;

    public SkillRequestSignatureVerifier() {
        this.proxy = null;
    }

    public SkillRequestSignatureVerifier(Proxy proxy) {
        this.proxy = proxy;
    }

    @Override // com.amazon.ask.servlet.verifiers.SkillServletVerifier
    public void verify(AlexaHttpRequest alexaHttpRequest) {
        String baseEncoded64Signature = alexaHttpRequest.getBaseEncoded64Signature();
        String signingCertificateChainUrl = alexaHttpRequest.getSigningCertificateChainUrl();
        if (baseEncoded64Signature == null || signingCertificateChainUrl == null) {
            throw new SecurityException("Missing signature/certificate for the provided skill request");
        }
        try {
            X509Certificate x509Certificate = CERTIFICATE_CACHE.get(signingCertificateChainUrl);
            if (x509Certificate == null || !x509Certificate.getNotAfter().after(new Date())) {
                x509Certificate = retrieveAndVerifyCertificateChain(signingCertificateChainUrl);
                CERTIFICATE_CACHE.put(signingCertificateChainUrl, x509Certificate);
            } else {
                x509Certificate.checkValidity();
            }
            Signature signature = Signature.getInstance(ServletConstants.SIGNATURE_ALGORITHM);
            signature.initVerify(x509Certificate.getPublicKey());
            signature.update(alexaHttpRequest.getSerializedRequestEnvelope());
            if (signature.verify(Base64.decodeBase64(baseEncoded64Signature.getBytes(ServletConstants.CHARACTER_ENCODING)))) {
            } else {
                throw new SecurityException("Failed to verify the signature/certificate for the provided skill request");
            }
        } catch (IOException | GeneralSecurityException e) {
            throw new SecurityException("Failed to verify the signature/certificate for the provided skill request", e);
        }
    }

    private X509Certificate retrieveAndVerifyCertificateChain(String str) throws CertificateException {
        HttpURLConnection httpURLConnection;
        for (int i = 0; i <= CERT_RETRIEVAL_RETRY_COUNT; i++) {
            try {
                try {
                    httpURLConnection = this.proxy != null ? (HttpURLConnection) getAndVerifySigningCertificateChainUrl(str).openConnection(this.proxy) : (HttpURLConnection) getAndVerifySigningCertificateChainUrl(str).openConnection();
                } catch (IOException e) {
                    if (!waitForRetry(i)) {
                        throw new CertificateException("Unable to retrieve certificate from URL: " + str, e);
                    }
                    if (0 != 0) {
                        IOUtils.closeQuietly((InputStream) null);
                    }
                } catch (Exception e2) {
                    throw new CertificateException("Unable to verify certificate at URL: " + str, e2);
                }
                if (httpURLConnection.getResponseCode() == HTTP_OK_RESPONSE_CODE) {
                    InputStream inputStream = httpURLConnection.getInputStream();
                    Collection<? extends Certificate> generateCertificates = CertificateFactory.getInstance(ServletConstants.SIGNATURE_CERTIFICATE_TYPE).generateCertificates(inputStream);
                    X509Certificate x509Certificate = (X509Certificate) generateCertificates.iterator().next();
                    x509Certificate.checkValidity();
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    trustManagerFactory.init((KeyStore) null);
                    X509TrustManager x509TrustManager = null;
                    for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                        if (trustManager instanceof X509TrustManager) {
                            x509TrustManager = (X509TrustManager) trustManager;
                        }
                    }
                    if (x509TrustManager == null) {
                        throw new IllegalStateException("No X509 TrustManager available. Unable to check certificate chain");
                    }
                    x509TrustManager.checkServerTrusted((X509Certificate[]) generateCertificates.toArray(new X509Certificate[generateCertificates.size()]), ServletConstants.SIGNATURE_TYPE);
                    if (!subjectAlernativeNameListContainsEchoSdkDomainName(x509Certificate.getSubjectAlternativeNames())) {
                        throw new CertificateException("The provided certificate is not valid for the ASK SDK");
                    }
                    if (inputStream != null) {
                        IOUtils.closeQuietly(inputStream);
                    }
                    return x509Certificate;
                }
                if (!waitForRetry(i)) {
                    throw new CertificateException("Got a non-200 status code when retrieving certificate at URL: " + str);
                }
                if (0 != 0) {
                    IOUtils.closeQuietly((InputStream) null);
                }
            } catch (Throwable th) {
                if (0 != 0) {
                    IOUtils.closeQuietly((InputStream) null);
                }
                throw th;
            }
        }
        throw new RuntimeException("Unable to retrieve signing certificate due to an unhandled exception");
    }

    private boolean waitForRetry(int i) {
        if (i >= CERT_RETRIEVAL_RETRY_COUNT) {
            return false;
        }
        try {
            Thread.sleep(500L);
            return true;
        } catch (InterruptedException e) {
            throw new RuntimeException("Interrupted while waiting for certificate retrieval retry attempt", e);
        }
    }

    private boolean subjectAlernativeNameListContainsEchoSdkDomainName(Collection<List<?>> collection) {
        for (List<?> list : collection) {
            if ((list.get(0) instanceof Integer) && (list.get(1) instanceof String) && DOMAIN_NAME_SUBJECT_ALTERNATIVE_NAME_ENTRY.equals(list.get(0)) && ServletConstants.ECHO_API_DOMAIN_NAME.equals(list.get(1))) {
                return true;
            }
        }
        return false;
    }

    static URL getAndVerifySigningCertificateChainUrl(String str) throws CertificateException {
        try {
            URL url = new URI(str).normalize().toURL();
            if (!VALID_SIGNING_CERT_CHAIN_URL_HOST_NAME.equalsIgnoreCase(url.getHost())) {
                throw new CertificateException(String.format("SigningCertificateChainUrl [%s] does not contain the required hostname of [%s]", str, VALID_SIGNING_CERT_CHAIN_URL_HOST_NAME));
            }
            if (!url.getPath().startsWith(VALID_SIGNING_CERT_CHAIN_URL_PATH_PREFIX)) {
                throw new CertificateException(String.format("SigningCertificateChainUrl path [%s] is invalid. Expecting path to start with [%s]", str, VALID_SIGNING_CERT_CHAIN_URL_PATH_PREFIX));
            }
            String protocol = url.getProtocol();
            if (!VALID_SIGNING_CERT_CHAIN_PROTOCOL.equalsIgnoreCase(protocol)) {
                throw new CertificateException(String.format("SigningCertificateChainUrl [%s] contains an unsupported protocol [%s]", str, protocol));
            }
            int port = url.getPort();
            if (port == UNSPECIFIED_SIGNING_CERT_CHAIN_URL_PORT_VALUE || port == url.getDefaultPort()) {
                return url;
            }
            throw new CertificateException(String.format("SigningCertificateChainUrl [%s] contains an invalid port [%d]", str, Integer.valueOf(port)));
        } catch (IllegalArgumentException | MalformedURLException | URISyntaxException e) {
            throw new CertificateException(String.format("SigningCertificateChainUrl [%s] is malformed", str), e);
        }
    }
}
