package com.google.auth.oauth2;

import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Clock;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes2.dex */
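/**
 * Verifies signed JSON Web Tokens: checks the optional audience and issuer, the expiration
 * time, the signing algorithm and finally the signature.
 *
 * <p>This source is decompiler output, so several member names ({@code f22752g}, {@code a},
 * {@code j0}, {@code y}) are obfuscated; they are kept as-is because other classes refer to them.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The audience and issuer checks run only when a value was configured on the builder.
 *       A verifier built without them accepts a validly signed token for any audience/issuer,
 *       so callers that rely on those claims must set both.</li>
 *   <li>Only {@code RS256} and {@code ES256} are accepted; every other {@code alg} header value
 *       (including a missing one) is rejected before any key is looked up.</li>
 *   <li>Only the {@code exp} claim is checked for time validity, and a token without
 *       {@code exp} is not rejected (see the note in {@link #verify(String)}).</li>
 *   <li>Unless a fixed public key is configured, the verification key is looked up from the
 *       certificate location, so a custom location decides which signatures are trusted.</li>
 * </ul>
 */
public class TokenVerifier {

    /** Allow-list of signing algorithms; {@link #verify(String)} rejects any other {@code alg} value. */
    public static final ImmutableSet<String> f22752g = ImmutableSet.of("RS256", "ES256");

    /** Expected audience, or {@code null} to skip the audience check. */
    public final String f22753a;

    /** Certificate location override, or {@code null} to pick a default from the token's algorithm. */
    public final String b;

    /** Expected issuer, or {@code null} to skip the issuer check. */
    public final String f22754c;

    /** Fixed verification key, or {@code null} to look the key up by the token's key ID. */
    public final PublicKey f22755d;

    /** Time source used for the expiration check. */
    public final Clock f22756e;

    /**
     * Cache keyed by certificate location; each value is used as a map from key ID to
     * {@link PublicKey}. Entries expire one hour after they are written.
     */
    public final LoadingCache f22757f;

    /**
     * Mutable builder for {@link TokenVerifier}. Every setter stores the value and returns this
     * builder; no value is validated here or in {@link #build()}.
     */
    public static class Builder {

        /** Expected audience; {@code null} disables the audience check. */
        public String f22758a;

        /** Certificate location override; {@code null} selects the default for the algorithm. */
        public String b;

        /** Expected issuer; {@code null} disables the issuer check. */
        public String f22759c;

        /** Fixed verification key; {@code null} means the key is looked up by key ID. */
        public PublicKey f22760d;

        /** Time source for the expiration check. */
        public Clock f22761e;

        /** Transport factory handed to the cache loader that backs the key lookup. */
        public HttpTransportFactory f22762f;

        /**
         * Creates a verifier from the values set so far.
         *
         * @return a new {@link TokenVerifier}
         */
        public TokenVerifier build() {
            return new TokenVerifier(this);
        }

        /**
         * Sets the audience the token must carry.
         *
         * @param str expected audience, or {@code null} to accept any audience
         * @return this builder
         */
        public Builder setAudience(String str) {
            this.f22758a = str;
            return this;
        }

        /**
         * Overrides where verification keys are looked up. Keys obtained through this location
         * decide which signatures are accepted, so it should point at a source the caller trusts.
         *
         * @param str certificate location, or {@code null} to use the per-algorithm default
         * @return this builder
         */
        public Builder setCertificatesLocation(String str) {
            this.b = str;
            return this;
        }

        /**
         * Sets the clock used to decide whether a token is expired.
         *
         * @param clock time source
         * @return this builder
         */
        public Builder setClock(Clock clock) {
            this.f22761e = clock;
            return this;
        }

        /**
         * Sets the transport factory passed to the key cache loader.
         *
         * @param httpTransportFactory transport factory
         * @return this builder
         */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.f22762f = httpTransportFactory;
            return this;
        }

        /**
         * Sets the issuer the token must carry.
         *
         * @param str expected issuer, or {@code null} to accept any issuer
         * @return this builder
         */
        public Builder setIssuer(String str) {
            this.f22759c = str;
            return this;
        }

        /**
         * Pins the verification key. When set, the key cache and the token's key ID are not
         * consulted.
         *
         * @param publicKey verification key, or {@code null} to look the key up by key ID
         * @return this builder
         */
        public Builder setPublicKey(PublicKey publicKey) {
            this.f22760d = publicKey;
            return this;
        }
    }

    /** Checked exception raised for every verification failure in {@link TokenVerifier}. */
    public static class VerificationException extends Exception {
        /**
         * @param str failure description
         */
        public VerificationException(String str) {
            super(str);
        }

        /**
         * @param str failure description
         * @param th underlying cause
         */
        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Copies the builder's settings and creates the key cache.
     *
     * @param builder source of the configuration
     */
    public TokenVerifier(Builder builder) {
        this.f22753a = builder.f22758a;
        this.b = builder.b;
        this.f22754c = builder.f22759c;
        this.f22755d = builder.f22760d;
        this.f22756e = builder.f22761e;
        // j0 is the cache loader, defined elsewhere; presumably it fetches the key set for a
        // certificate location using the given transport factory — confirm against j0.
        this.f22757f = CacheBuilder.newBuilder().expireAfterWrite(1L, TimeUnit.HOURS).build(new j0(builder.f22762f));
    }

    /**
     * Creates a builder preset with the system clock and the transport factory held in
     * {@code y.f22853e} (defined elsewhere).
     *
     * @return a new builder
     */
    public static Builder newBuilder() {
        return new Builder().setClock(Clock.SYSTEM).setHttpTransportFactory(y.f22853e);
    }

    /**
     * Resolves the certificate location for a token: the configured override if there is one,
     * otherwise a fixed default chosen by the token's {@code alg} header.
     *
     * @param jsonWebSignature parsed token whose header supplies the algorithm
     * @return the certificate location to look keys up from
     * @throws VerificationException if no override is configured and the algorithm is missing
     *     or is neither {@code ES256} nor {@code RS256}
     */
    public final String a(JsonWebSignature jsonWebSignature) throws VerificationException {
        if (this.b != null) {
            return this.b;
        }
        String algorithm = jsonWebSignature.getHeader().getAlgorithm();
        // Constant-first comparison: a token without an alg header is reported as a
        // verification failure instead of surfacing as a NullPointerException.
        if ("ES256".equals(algorithm)) {
            return "https://www.gstatic.com/iap/verify/public_key-jwk";
        }
        if ("RS256".equals(algorithm)) {
            return "https://www.googleapis.com/oauth2/v3/certs";
        }
        throw new VerificationException("Unknown algorithm");
    }

    /**
     * Parses and verifies a token. The claim and algorithm checks run on the still-unverified
     * payload; the parsed token is returned only after the signature check succeeds.
     *
     * @param str serialized token
     * @return the parsed token, once every check has passed
     * @throws VerificationException if the token cannot be parsed, a configured audience or
     *     issuer does not match, the token is expired, the algorithm is not allowed, no key
     *     can be found, or the signature is invalid
     */
    public JsonWebSignature verify(String str) throws VerificationException {
        try {
            JsonWebSignature parse = JsonWebSignature.parse(y.f22854f, str);

            // Audience and issuer are compared only when an expected value was configured.
            String expectedAudience = this.f22753a;
            if (expectedAudience != null && !expectedAudience.equals(parse.getPayload().getAudience())) {
                throw new VerificationException("Expected audience does not match");
            }
            String expectedIssuer = this.f22754c;
            if (expectedIssuer != null && !expectedIssuer.equals(parse.getPayload().getIssuer())) {
                throw new VerificationException("Expected issuer does not match");
            }

            // NOTE(review): a token with no exp claim passes this check and is treated as
            // non-expiring; callers that need bounded lifetimes should reject a null
            // expiration on the returned payload. No clock-skew allowance is applied.
            Long expirationTimeSeconds = parse.getPayload().getExpirationTimeSeconds();
            if (expirationTimeSeconds != null
                    && expirationTimeSeconds.longValue() <= this.f22756e.currentTimeMillis() / 1000) {
                throw new VerificationException("Token is expired");
            }

            // Enforce the algorithm allow-list before any key is selected.
            if (!f22752g.contains(parse.getHeader().getAlgorithm())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }

            PublicKey publicKey = this.f22755d;
            if (publicKey == null) {
                try {
                    Map<?, ?> keysById = (Map<?, ?>) this.f22757f.get(a(parse));
                    publicKey = (PublicKey) keysById.get(parse.getHeader().getKeyId());
                } catch (UncheckedExecutionException | ExecutionException e10) {
                    throw new VerificationException("Error fetching PublicKey from certificate location", e10);
                }
            }
            if (publicKey == null) {
                // The key ID comes from the unverified token header, so this message carries
                // caller-supplied text; treat it as untrusted when logging or displaying it.
                throw new VerificationException("Could not find PublicKey for provided keyId: " + parse.getHeader().getKeyId());
            }

            try {
                if (parse.verifySignature(publicKey)) {
                    return parse;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e11) {
                throw new VerificationException("Error validating token", e11);
            }
        } catch (IOException e12) {
            throw new VerificationException("Error parsing JsonWebSignature token", e12);
        }
    }
}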
