package com.google.api.client.auth.openidconnect;

import com.google.api.client.http.i;
import com.google.api.client.http.k;
import com.google.api.client.http.s;
import com.google.api.client.http.y;
import com.google.api.client.util.C;
import com.google.api.client.util.C5878e;
import com.google.api.client.util.C5886m;
import com.google.api.client.util.InterfaceC5882i;
import com.google.api.client.util.r;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.e;
import com.google.common.util.concurrent.UncheckedExecutionException;
import d4.C5966e;
import f4.C6196b;
import g4.C6271a;
import i4.C6394b;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import m4.o;
import n4.AbstractC7526t;
import n4.AbstractC7528v;
import org.apache.http.protocol.HTTP;

/* loaded from: classes2.dex */
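/**
 * Verifies ID tokens in two stages: payload claims first (issuer, audience, time window), then
 * the token signature against a public key looked up by key id in a cached key set.
 *
 * <p>This is decompiled, name-obfuscated code. Identifiers such as {@code C}, {@code o},
 * {@code e}, {@code y} and {@code C5878e} are whatever the decompiler produced; comments below
 * describe them only as far as their use in this file shows, and hedge the rest.
 *
 * <p>Security-relevant points a reviewer should keep in mind:
 * <ul>
 *   <li>Issuer and audience are only checked when they were configured (see
 *       {@link #verifyPayload}). A verifier built without an audience accepts tokens issued for
 *       any audience.</li>
 *   <li>Keys fetched from the certificate location are trusted for signature verification, so a
 *       custom location must be an endpoint the deployment trusts.</li>
 *   <li>{@link #SKIP_SIGNATURE_ENV_VAR} disables signature verification altogether.</li>
 * </ul>
 */
public class d {
    /** Default tolerated clock skew, in seconds, applied to the token's time claims. */
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;
    /** Default key location used for RS256-signed tokens. */
    private static final String FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v3/certs";
    /**
     * Default key location used for ES256-signed tokens. The host previously read
     * {@code www.gstatic.col}, which is not the gstatic.com host the keys are published on; with
     * that value ES256 verification could never load the intended key set.
     */
    private static final String IAP_CERT_URL = "https://www.gstatic.com/iap/verify/public_key-jwk";
    private static final String NOT_SUPPORTED_ALGORITHM = "Unexpected signing algorithm %s: expected either RS256 or ES256";
    /**
     * Name of the setting that, when it parses as {@code true}, makes {@link #verifySignature}
     * return {@code true} without checking anything. Only the payload checks of
     * {@link #verifyOrThrow} remain in force, so this must never be set outside of tests.
     */
    static final String SKIP_SIGNATURE_ENV_VAR = "OAUTH_CLIENT_SKIP_SIGNATURE";
    private final long acceptableTimeSkewSeconds;
    // null means "do not check the audience".
    private final Collection<String> audience;
    // null means "pick a default location from the token's signing algorithm".
    private final String certificatesLocation;
    private final InterfaceC5882i clock;
    private final com.google.api.client.auth.openidconnect.a environment;
    // null means "do not check the issuer".
    private final Collection<String> issuers;
    // Maps a certificate location to the key-id -> public-key map loaded from it.
    private final e<String, Map<String, PublicKey>> publicKeyCache;
    private static final Logger LOGGER = Logger.getLogger(d.class.getName());
    // Allow-list of signing algorithms; anything else is rejected before any key is fetched.
    private static final Set<String> SUPPORTED_ALGORITHMS = AbstractC7528v.I("RS256", "ES256");
    // Shared transport used when the builder supplies no transport factory.
    static final y HTTP_TRANSPORT = new C5966e();

    /**
     * Builder for {@link d}. Setters return {@code this} for chaining.
     *
     * <p>The audience and issuer collections are stored by reference; the verifier later wraps
     * them in unmodifiable views but does not copy them, so callers should not mutate them after
     * building.
     */
    public static class a {
        Collection<String> audience;
        String certificatesLocation;
        com.google.api.client.auth.openidconnect.a environment;
        com.google.api.client.auth.openidconnect.b httpTransportFactory;
        Collection<String> issuers;
        InterfaceC5882i clock = InterfaceC5882i.f37506a;
        long acceptableTimeSkewSeconds = DEFAULT_TIME_SKEW_SECONDS;

        /** Creates a verifier from the current builder state. */
        public d build() {
            return new d(this);
        }

        /** Returns the tolerated clock skew in seconds. */
        public final long getAcceptableTimeSkewSeconds() {
            return this.acceptableTimeSkewSeconds;
        }

        /** Returns the accepted audiences, or {@code null} when the audience is not checked. */
        public final Collection<String> getAudience() {
            return this.audience;
        }

        /** Returns the clock used for the time checks. */
        public final InterfaceC5882i getClock() {
            return this.clock;
        }

        /** Returns the environment accessor, or {@code null} when none was set. */
        final com.google.api.client.auth.openidconnect.a getEnvironment() {
            return this.environment;
        }

        /**
         * Returns the first configured issuer, or {@code null} when the issuer is not checked.
         * {@link #setIssuers} rejects empty collections, so the iterator has an element.
         */
        public final String getIssuer() {
            Collection<String> collection = this.issuers;
            if (collection == null) {
                return null;
            }
            return collection.iterator().next();
        }

        /** Returns the accepted issuers, or {@code null} when the issuer is not checked. */
        public final Collection<String> getIssuers() {
            return this.issuers;
        }

        /**
         * Sets the tolerated clock skew in seconds.
         *
         * @param j9 skew in seconds; negative values fail the {@code C.a} check (presumably an
         *     argument precondition that throws)
         */
        public a setAcceptableTimeSkewSeconds(long j9) {
            C.a(j9 >= 0);
            this.acceptableTimeSkewSeconds = j9;
            return this;
        }

        /**
         * Sets the accepted audiences. Passing {@code null} disables the audience check, which
         * means tokens issued for other clients are accepted as long as the other checks pass.
         */
        public a setAudience(Collection<String> collection) {
            this.audience = collection;
            return this;
        }

        /**
         * Overrides the location the signing keys are fetched from. The value is used as given;
         * no scheme or host check is visible here, so it should point at a trusted HTTPS
         * endpoint. {@code null} restores the per-algorithm defaults.
         */
        public a setCertificatesLocation(String str) {
            this.certificatesLocation = str;
            return this;
        }

        /** Sets the clock; {@code C.d} presumably rejects {@code null}. */
        public a setClock(InterfaceC5882i interfaceC5882i) {
            this.clock = (InterfaceC5882i) C.d(interfaceC5882i);
            return this;
        }

        /** Sets the environment accessor used to read {@link #SKIP_SIGNATURE_ENV_VAR}. */
        a setEnvironment(com.google.api.client.auth.openidconnect.a aVar) {
            this.environment = aVar;
            return this;
        }

        /** Sets the factory that supplies the HTTP transport for key downloads. */
        public a setHttpTransportFactory(com.google.api.client.auth.openidconnect.b bVar) {
            this.httpTransportFactory = bVar;
            return this;
        }

        /** Sets a single accepted issuer; {@code null} disables the issuer check. */
        public a setIssuer(String str) {
            return str == null ? setIssuers(null) : setIssuers(Collections.singleton(str));
        }

        /**
         * Sets the accepted issuers. {@code null} disables the issuer check; an empty collection
         * is rejected with the message "Issuers must not be empty".
         */
        public a setIssuers(Collection<String> collection) {
            C.b(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.issuers = collection;
            return this;
        }
    }

    /** Default transport factory: always hands out the shared {@link #HTTP_TRANSPORT}. */
    static class b implements com.google.api.client.auth.openidconnect.b {
        b() {
        }

        @Override // com.google.api.client.auth.openidconnect.b
        public y a() {
            return d.HTTP_TRANSPORT;
        }
    }

    /**
     * Cache loader that downloads a key document from a certificate location and turns it into
     * a key-id to public-key map. Two document shapes are handled: a list of key entries, or a
     * flat mapping from key id to an X.509 certificate string.
     */
    static class c extends CacheLoader<String, Map<String, PublicKey>> {

        // Supplies the HTTP transport for the download.
        private final com.google.api.client.auth.openidconnect.b f37312a;

        /**
         * One key entry of the downloaded document. Field meanings below are read off how this
         * file uses them. NOTE(review): {@code @r} looks like a JSON field-mapping annotation;
         * confirm how the obfuscated field names map to the document's member names.
         */
        public static class a {

            // Signing algorithm; compared against "ES256" and "RS256".
            @r
            public String f37313a;

            // Curve name; must be "P-256" for EC keys.
            @r
            public String f37314b;

            // Key id; used as the key of the resulting map.
            @r
            public String f37315c;

            // Key type; must be "EC" or "RSA" to match the algorithm.
            @r
            public String f37316d;

            // EC point x coordinate (encoded).
            @r
            public String f37317e;

            // EC point y coordinate (encoded).
            @r
            public String f37318f;

            // RSA public exponent (encoded).
            @r
            public String f37319g;

            // RSA modulus (encoded).
            @r
            public String f37320h;
        }

        /** The downloaded document; {@code f37321a} is the key list when the document has one. */
        public static class b extends C6196b {

            @r
            public List<a> f37321a;
        }

        c(com.google.api.client.auth.openidconnect.b bVar) {
            this.f37312a = bVar;
        }

        /**
         * Builds an EC public key on secp256r1 from a key entry.
         *
         * <p>The entry must declare key type "EC" and curve "P-256"; {@code o.d} presumably
         * throws an unchecked exception otherwise. {@code C5878e.a} is presumably a base64
         * decoder for the coordinates; confirm.
         */
        private PublicKey c(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            o.d("EC".equals(aVar.f37316d));
            o.d("P-256".equals(aVar.f37314b));
            // Signum 1 forces the decoded bytes to be read as non-negative integers.
            ECPoint eCPoint = new ECPoint(new BigInteger(1, C5878e.a(aVar.f37317e)), new BigInteger(1, C5878e.a(aVar.f37318f)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        /**
         * Dispatches on the entry's algorithm.
         *
         * @return the public key, or {@code null} when the algorithm is neither ES256 nor RS256
         */
        private PublicKey d(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(aVar.f37313a)) {
                return c(aVar);
            }
            if ("RS256".equals(aVar.f37313a)) {
                return f(aVar);
            }
            return null;
        }

        /** Parses an X.509 certificate string and returns its public key. */
        private PublicKey e(String str) throws CertificateException, UnsupportedEncodingException {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes(HTTP.UTF_8))).getPublicKey();
        }

        /**
         * Builds an RSA public key from a key entry. The entry must declare key type "RSA" and
         * carry both exponent and modulus ({@code o.p} presumably rejects {@code null}).
         */
        private PublicKey f(a aVar) throws NoSuchAlgorithmException, InvalidKeySpecException {
            o.d("RSA".equals(aVar.f37316d));
            o.p(aVar.f37319g);
            o.p(aVar.f37320h);
            // RSAPublicKeySpec takes (modulus, publicExponent), hence h before g.
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, C5878e.a(aVar.f37320h)), new BigInteger(1, C5878e.a(aVar.f37319g))));
        }

        /**
         * Downloads and parses the key document at {@code str}.
         *
         * <p>The request setup calls ({@code D(2)}, {@code J(...)} with an interval of 1000, a
         * factor of 0.1 and a multiplier of 2.0) presumably configure retries with exponential
         * back-off; confirm against the HTTP library.
         *
         * @param str certificate location to fetch
         * @return a non-empty key-id to public-key map
         * @throws IOException when the download fails (logged, then rethrown)
         * @throws C0307d when the document yields no usable key
         */
        @Override // com.google.common.cache.CacheLoader
        public Map<String, PublicKey> a(String str) throws Exception {
            try {
                s request = this.f37312a.a().createRequestFactory().a(new i(str)).E(C6271a.o().b());
                request.D(2);
                request.J(new k(new C5886m.a().b(1000).d(0.1d).c(2.0d).a()).a(k.a.f37372a));
                b document = (b) request.b().n(b.class);
                AbstractC7526t.a keysById = new AbstractC7526t.a();
                List<a> entries = document.f37321a;
                if (entries == null) {
                    // No key list: treat every member as key id -> X.509 certificate string.
                    for (String keyId : document.keySet()) {
                        keysById.f(keyId, e((String) document.get(keyId)));
                    }
                } else {
                    for (a entry : entries) {
                        try {
                            PublicKey publicKey = d(entry);
                            if (publicKey == null) {
                                // d() returns null for algorithms other than ES256/RS256. Skip the
                                // entry instead of handing a null value to the map builder, so one
                                // unsupported key does not discard the whole key set.
                                d.LOGGER.log(Level.WARNING, "Skipping a key with an unsupported signing algorithm");
                                continue;
                            }
                            keysById.f(entry.f37315c, publicKey);
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e9) {
                            d.LOGGER.log(Level.WARNING, "Failed to put a key into the cache", e9);
                        }
                    }
                }
                AbstractC7526t result = keysById.a();
                if (!result.isEmpty()) {
                    return result;
                }
                // Fail closed: an empty key set must not be cached as a valid result.
                throw new C0307d("No valid public key returned by the keystore: " + str);
            } catch (IOException e10) {
                d.LOGGER.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e10);
                throw e10;
            }
        }
    }

    /** Signals that a token could not be verified (unsupported algorithm, bad signature, no keys). */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static class C0307d extends Exception {
        public C0307d(String str) {
            super(str);
        }

        public C0307d(String str, Throwable th) {
            super(str, th);
        }
    }

    /** Creates a verifier with builder defaults: no issuer check, no audience check. */
    public d() {
        this(new a());
    }

    /**
     * Creates a verifier from a builder.
     *
     * @param aVar builder whose state is copied; issuer and audience collections are wrapped in
     *     unmodifiable views, not copied
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public d(a aVar) {
        this.certificatesLocation = aVar.certificatesLocation;
        this.clock = aVar.clock;
        this.acceptableTimeSkewSeconds = aVar.acceptableTimeSkewSeconds;
        Collection<String> collection = aVar.issuers;
        this.issuers = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection2 = aVar.audience;
        this.audience = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        com.google.api.client.auth.openidconnect.b bVar = aVar.httpTransportFactory;
        // NOTE(review): c(1L, HOURS) is presumably a one-hour expiry on cached key sets; confirm.
        this.publicKeyCache = com.google.common.cache.c.r().c(1L, TimeUnit.HOURS).a(new c(bVar == null ? new b() : bVar));
        com.google.api.client.auth.openidconnect.a aVar2 = aVar.environment;
        this.environment = aVar2 == null ? new com.google.api.client.auth.openidconnect.a() : aVar2;
    }

    /**
     * Resolves where to fetch keys for a token header: the configured location when there is
     * one, otherwise a built-in default chosen by the header's signing algorithm.
     *
     * @param aVar token header; {@code f()} yields the signing algorithm
     * @throws C0307d when no location is configured and the algorithm is not ES256 or RS256
     */
    private String getCertificateLocation(C6394b.a aVar) throws C0307d {
        if (this.certificatesLocation != null) {
            return this.certificatesLocation;
        }
        String algorithm = aVar.f();
        // Constant-first comparison: a missing algorithm falls through to the exception below.
        if ("ES256".equals(algorithm)) {
            return IAP_CERT_URL;
        }
        if ("RS256".equals(algorithm)) {
            return FEDERATED_SIGNON_CERT_URL;
        }
        throw new C0307d(String.format(NOT_SUPPORTED_ALGORITHM, algorithm));
    }

    /** Returns the tolerated clock skew in seconds. */
    public final long getAcceptableTimeSkewSeconds() {
        return this.acceptableTimeSkewSeconds;
    }

    /** Returns the accepted audiences (unmodifiable), or {@code null} when not checked. */
    public final Collection<String> getAudience() {
        return this.audience;
    }

    /** Returns the clock used for the time checks. */
    public final InterfaceC5882i getClock() {
        return this.clock;
    }

    /** Returns the first accepted issuer, or {@code null} when the issuer is not checked. */
    public final String getIssuer() {
        Collection<String> collection = this.issuers;
        if (collection == null) {
            return null;
        }
        return collection.iterator().next();
    }

    /** Returns the accepted issuers (unmodifiable), or {@code null} when not checked. */
    public final Collection<String> getIssuers() {
        return this.issuers;
    }

    /**
     * Verifies a token, treating a key-fetch failure as "not verified".
     *
     * @return {@code true} only when payload and signature both verify; {@code false} also when
     *     an {@link IOException} occurred, which is logged at SEVERE
     * @deprecated callers cannot tell an invalid token from an outage; use
     *     {@link #verifyOrThrow}
     */
    @Deprecated
    public boolean verify(com.google.api.client.auth.openidconnect.c cVar) {
        try {
            return verifyOrThrow(cVar);
        } catch (IOException e9) {
            LOGGER.log(Level.SEVERE, e9.getMessage(), (Throwable) e9);
            return false;
        }
    }

    /**
     * Verifies the payload, then the signature.
     *
     * @return {@code false} when a payload check fails or the signature does not verify (the
     *     latter is logged at INFO); {@code true} when both pass
     * @throws IOException when the signing keys cannot be fetched or no key matches the key id
     */
    public boolean verifyOrThrow(com.google.api.client.auth.openidconnect.c cVar) throws IOException {
        if (!verifyPayload(cVar)) {
            return false;
        }
        try {
            return verifySignature(cVar);
        } catch (C0307d e9) {
            LOGGER.log(Level.INFO, "Id token signature verification failed. ", (Throwable) e9);
            return false;
        }
    }

    /**
     * Checks issuer, audience and time claims.
     *
     * <p>The issuer check is skipped when no issuers are configured and the audience check is
     * skipped when no audience is configured; only the time check always runs. A relying party
     * should configure both, otherwise a validly signed token minted for a different client is
     * accepted.
     */
    protected boolean verifyPayload(com.google.api.client.auth.openidconnect.c cVar) {
        Collection<String> collection;
        Collection<String> collection2 = this.issuers;
        return (collection2 == null || cVar.verifyIssuer(collection2)) && ((collection = this.audience) == null || cVar.verifyAudience(collection)) && cVar.verifyTime(this.clock.a(), this.acceptableTimeSkewSeconds);
    }

    /**
     * Verifies the token signature with the public key selected by the header's key id.
     *
     * @return {@code true} when the signature verifies, or when verification is disabled via
     *     {@link #SKIP_SIGNATURE_ENV_VAR}
     * @throws C0307d when the algorithm is not allow-listed, the signature is invalid, or the
     *     verification itself fails
     * @throws IOException when the keys cannot be loaded or no key matches the key id
     */
    boolean verifySignature(com.google.api.client.auth.openidconnect.c cVar) throws IOException, C0307d {
        // SECURITY: this switch turns the verifier into a claims-only check. It is flagged, not
        // removed, because callers may rely on it in tests; the warning makes an accidental
        // production setting visible in logs.
        if (Boolean.parseBoolean(this.environment.a(SKIP_SIGNATURE_ENV_VAR))) {
            LOGGER.log(Level.WARNING, "Id token signature verification skipped because " + SKIP_SIGNATURE_ENV_VAR + " is set");
            return true;
        }
        // The algorithm comes from the token itself, so it is checked against the allow-list
        // before it influences which key location is used.
        if (!SUPPORTED_ALGORITHMS.contains(cVar.getHeader().f())) {
            throw new C0307d(String.format(NOT_SUPPORTED_ALGORITHM, cVar.getHeader().f()));
        }
        // Resolved once so the error below names the location actually used; the configured
        // field is null whenever a built-in default applies.
        String location = getCertificateLocation(cVar.getHeader());
        try {
            PublicKey publicKey = this.publicKeyCache.get(location).get(cVar.getHeader().g());
            if (publicKey == null) {
                throw new IOException("Could not find public key for provided keyId: " + cVar.getHeader().g());
            }
            try {
                if (cVar.verifySignature(publicKey)) {
                    return true;
                }
                throw new C0307d("Invalid signature");
            } catch (GeneralSecurityException e9) {
                throw new C0307d("Error validating token", e9);
            }
        } catch (UncheckedExecutionException | ExecutionException e10) {
            throw new IOException("Error fetching public key from certificate location " + location, e10);
        }
    }
}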
