package com.google.api.client.auth.openidconnect;

import com.google.api.client.http.w;
import com.google.api.client.json.webtoken.JsonWebSignature$Header;
import com.google.api.client.util.j;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import u4.y;
import v4.d0;
import y4.u;

/* loaded from: classes2.dex */
public abstract class g {
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;
    private static final String FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v3/certs";
    private static final String IAP_CERT_URL = "";
    private static final String NOT_SUPPORTED_ALGORITHM = "Unexpected signing algorithm %s: expected either RS256 or ES256";
    static final String SKIP_SIGNATURE_ENV_VAR = "OAUTH_CLIENT_SKIP_SIGNATURE";
    private final long acceptableTimeSkewSeconds;
    private final Collection<String> audience;
    private final String certificatesLocation;
    private final j clock;
    private final a environment;
    private final Collection<String> issuers;
    private final com.google.common.cache.f publicKeyCache;
    private static final Logger LOGGER = Logger.getLogger(g.class.getName());
    private static final Set<String> SUPPORTED_ALGORITHMS = d0.m(new Object[]{"RS256", "ES256"}, 2, 2);
    static final w HTTP_TRANSPORT = new l4.d();

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v2, types: [com.google.common.cache.e, java.lang.Object] */
    public g(d dVar) {
        this.certificatesLocation = dVar.certificatesLocation;
        this.clock = dVar.clock;
        this.acceptableTimeSkewSeconds = dVar.acceptableTimeSkewSeconds;
        Collection<String> collection = dVar.issuers;
        this.issuers = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection2 = dVar.audience;
        this.audience = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        b bVar = dVar.httpTransportFactory;
        bVar = bVar == null ? new androidx.customview.widget.a(24) : bVar;
        ?? obj = new Object();
        obj.f8038a = -1L;
        y yVar = com.google.common.cache.e.f8036b;
        obj.f8038a = TimeUnit.HOURS.toNanos(1L);
        this.publicKeyCache = new com.google.common.cache.d0(obj, new e(bVar));
        a aVar = dVar.environment;
        this.environment = aVar == null ? new Object() : aVar;
    }

    public static /* synthetic */ Logger access$000() {
        return LOGGER;
    }

    public final String a(JsonWebSignature$Header jsonWebSignature$Header) {
        String str = this.certificatesLocation;
        if (str != null) {
            return str;
        }
        String algorithm = jsonWebSignature$Header.getAlgorithm();
        algorithm.getClass();
        if (algorithm.equals("ES256")) {
            return "";
        }
        if (algorithm.equals("RS256")) {
            return FEDERATED_SIGNON_CERT_URL;
        }
        throw new Exception(j2.a.i("Unexpected signing algorithm ", jsonWebSignature$Header.getAlgorithm(), ": expected either RS256 or ES256"));
    }

    public final long getAcceptableTimeSkewSeconds() {
        return this.acceptableTimeSkewSeconds;
    }

    public final Collection<String> getAudience() {
        return this.audience;
    }

    public final j getClock() {
        return this.clock;
    }

    public final String getIssuer() {
        Collection<String> collection = this.issuers;
        if (collection == null) {
            return null;
        }
        return collection.iterator().next();
    }

    public final Collection<String> getIssuers() {
        return this.issuers;
    }

    public boolean verify(c cVar) {
        if (!verifyPayload(cVar)) {
            return false;
        }
        try {
            return verifySignature(cVar);
        } catch (f e3) {
            LOGGER.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e3);
            return false;
        }
    }

    public boolean verifyPayload(c cVar) {
        Collection<String> collection;
        Collection<String> collection2 = this.issuers;
        if ((collection2 == null || cVar.verifyIssuer(collection2)) && ((collection = this.audience) == null || cVar.verifyAudience(collection))) {
            ((androidx.customview.widget.a) this.clock).getClass();
            if (cVar.verifyTime(System.currentTimeMillis(), this.acceptableTimeSkewSeconds)) {
                return true;
            }
        }
        return false;
    }

    public boolean verifySignature(c cVar) {
        this.environment.getClass();
        if (Boolean.parseBoolean(System.getenv(SKIP_SIGNATURE_ENV_VAR))) {
            return true;
        }
        if (!SUPPORTED_ALGORITHMS.contains(cVar.getHeader().getAlgorithm())) {
            throw new Exception(j2.a.i("Unexpected signing algorithm ", cVar.getHeader().getAlgorithm(), ": expected either RS256 or ES256"));
        }
        try {
            PublicKey publicKey = (PublicKey) ((Map) ((com.google.common.cache.d0) this.publicKeyCache).a(a(cVar.getHeader()))).get(cVar.getHeader().getKeyId());
            if (publicKey == null) {
                throw new Exception("Could not find public key for provided keyId: " + cVar.getHeader().getKeyId());
            }
            try {
                if (cVar.verifySignature(publicKey)) {
                    return true;
                }
                throw new Exception("Invalid signature");
            } catch (GeneralSecurityException e3) {
                throw new Exception("Error validating token", e3);
            }
        } catch (ExecutionException | u e5) {
            throw new Exception("Error fetching public key from certificate location " + this.certificatesLocation, e5);
        }
    }
}
