package nt;

import com.lookout.javacommons.util.HashUtils;
import com.lookout.restclient.LookoutRestRequest;
import com.lookout.shaded.slf4j.Logger;
import com.nimbusds.jose.util.Base64URL;
import java.io.IOException;
import java.net.URL;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

/* loaded from: classes3.dex */
public final class h {

    /* renamed from: a, reason: collision with root package name */
    final com.lookout.restclient.d f42599a;

    /* renamed from: b, reason: collision with root package name */
    final a f42600b;

    /* renamed from: c, reason: collision with root package name */
    final Logger f42601c;

    public h(com.lookout.restclient.d dVar) {
        this(dVar, new a());
    }

    private h(com.lookout.restclient.d dVar, a aVar) {
        this.f42601c = dz.b.g(h.class);
        this.f42599a = dVar;
        this.f42600b = aVar;
    }

    public final k a(URL url, Base64URL base64URL, X509Certificate x509Certificate) {
        if (url == null) {
            throw new com.lookout.micropush.d("Empty certURL in jws, can't fetch certificate.");
        }
        url.toString();
        byte[] a11 = base64URL.a();
        try {
            byte[] a12 = this.f42600b.a(this.f42599a.c(new LookoutRestRequest.b(null).c(url.toString()).e()).a());
            try {
                if (!Arrays.equals(a11, HashUtils.c(a12))) {
                    throw new SecurityException("The retrieved certificate hash doesn't match the one in the jws, means there was a server error.");
                }
                X509Certificate b11 = this.f42600b.b(a12);
                if (this.f42600b.f(x509Certificate, b11)) {
                    byte[] c11 = this.f42600b.c((RSAPublicKey) b11.getPublicKey());
                    if (c11 != null) {
                        return new k(c11, a11, a12);
                    }
                    throw new SecurityException("Couldn't get public key modulus from fetched certificate.");
                }
                throw new SecurityException("Couldn't verify fetched certificate. {Domain Name:} " + b11.getIssuerDN().getName() + " {Issuer Name:} " + b11.getIssuerX500Principal().getName());
            } catch (IOException | NoSuchAlgorithmException e11) {
                throw new IllegalStateException("Couldn't verify that retrieved certificate thumbprint matches the one from the jws", e11);
            }
        } catch (IllegalArgumentException e12) {
            throw new com.lookout.micropush.d("Fetched certificate not base64 encoded", e12);
        }
    }
}
