package com.google.api.client.auth.openidconnect;

import com.google.api.client.http.c0;
import com.google.api.client.http.javanet.e;
import com.google.api.client.http.k;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.f;
import com.google.api.client.util.l;
import com.google.api.client.util.v;
import com.google.common.base.h0;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.d;
import com.google.common.cache.j;
import com.google.common.collect.r8;
import com.google.common.collect.y7;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.microsoft.identity.common.java.platform.AbstractDevicePopManager;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

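/**
 * Verifies OpenID Connect ID tokens: claim checks (issuer, audience, time window) followed by a
 * signature check against public keys fetched from a key-set URL and cached.
 *
 * <p>This listing is decompiler output (JADX, {@code classes.dex}); member names are obfuscated.
 * Field and method roles described below are read off the visible usage; anything that depends on
 * a type not shown here is marked as an assumption.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only {@code RS256} and {@code ES256} are accepted as signing algorithms ({@link #j}).</li>
 *   <li>The key-set URL is either the configured location or one of two fixed constants chosen by
 *       the token's algorithm; no URL is taken from the token itself.</li>
 *   <li>If the lookup of {@code OAUTH_CLIENT_SKIP_SIGNATURE} yields a value that
 *       {@link Boolean#parseBoolean} reads as true, the signature check is skipped entirely.</li>
 *   <li>With no issuers and no audience configured (the no-arg constructor), {@link #i} checks
 *       only the time window.</li>
 * </ul>
 */
@f
/* loaded from: classes.dex */
public class IdTokenVerifier {

    /** Key-set URL used for ES256 tokens when no location is configured (obfuscated name: i). */
    private static final String f45811i = "https://www.gstatic.com/iap/verify/public_key-jwk";

    /** Key-set URL used for RS256 tokens when no location is configured (obfuscated name: j). */
    private static final String f45812j = "https://www.googleapis.com/oauth2/v3/certs";

    /** Message format for a token whose header algorithm is not accepted (obfuscated name: l). */
    private static final String f45814l = "Unexpected signing algorithm %s: expected either RS256 or ES256";

    /**
     * Name looked up through {@link #f45820c}; a "true" value disables signature verification in
     * {@link #j} (obfuscated name: n). Deployments should treat the presence of this setting as a
     * finding outside of test environments.
     */
    static final String f45816n = "OAUTH_CLIENT_SKIP_SIGNATURE";

    /**
     * Default for the value handed to {@code IdToken.t(now, skew)}; presumably the accepted clock
     * skew in seconds — TODO confirm the unit against IdToken (obfuscated name: o).
     */
    public static final long f45817o = 300;

    /** Clock; supplies {@code currentTimeMillis()} for the time-window check (obfuscated name: a). */
    private final l f45818a;

    /** Caller-configured key-set URL, or null to pick a default per algorithm (obfuscated name: b). */
    private final String f45819b;

    /**
     * Source of named settings, queried with {@link #f45816n}; presumably an environment-variable
     * lookup — TODO confirm (obfuscated name: c).
     */
    private final com.google.api.client.auth.openidconnect.a f45820c;

    /** Cache: key-set URL -> (key id -> public key), filled by {@link PublicKeyLoader} (obfuscated name: d). */
    private final j<String, Map<String, PublicKey>> f45821d;

    /** Skew value passed to {@code IdToken.t(now, skew)} (obfuscated name: e). */
    private final long f45822e;

    /** Accepted issuers, or null to skip the issuer check (obfuscated name: f). */
    private final Collection<String> f45823f;

    /**
     * Collection passed to {@code IdToken.o(...)}, or null to skip that check; presumably the
     * accepted audiences — TODO confirm (obfuscated name: g).
     */
    private final Collection<String> f45824g;

    /** Class logger (obfuscated name: h). */
    private static final Logger f45810h = Logger.getLogger(IdTokenVerifier.class.getName());

    /** Allow-list of signing algorithms checked before any key is fetched (obfuscated name: k). */
    private static final Set<String> f45813k = r8.X("RS256", "ES256");

    /** Shared default HTTP transport returned by {@link b#f()} (obfuscated name: m). */
    static final c0 f45815m = new e();

    /**
     * Cache loader that downloads a key set from a URL and turns it into a key id -> public key map.
     * Two formats are handled: a JWK set (a {@code keys} array) and a flat object whose values are
     * X.509 certificates.
     */
    /* loaded from: classes.dex */
    static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /** Supplies the HTTP transport used for the download (obfuscated name: c). */
        private final com.google.api.client.auth.openidconnect.b f45825c;

        /** JSON shape of the downloaded document; {@code keys} is null for the certificate format. */
        /* loaded from: classes.dex */
        public static class JsonWebKeySet extends com.google.api.client.json.b {

            @v
            public List<a> keys;
        }

        /**
         * One JSON Web Key. The role of each field is inferred from how this file uses it; the
         * JSON member names themselves are not visible in the decompiled output.
         */
        /* loaded from: classes.dex */
        public static class a {

            // Compared against "ES256"/"RS256" in h(): the key's algorithm (obfuscated name: a).
            @v
            public String f45826a;

            // Must equal "P-256" for EC keys: the curve name (obfuscated name: b).
            @v
            public String f45827b;

            // Used as the map key in d(): the key id (obfuscated name: c).
            @v
            public String f45828c;

            // Must equal "EC" or the RSA constant: the key type (obfuscated name: d).
            @v
            public String f45829d;

            // Not read anywhere in this file (obfuscated name: e).
            @v
            public String f45830e;

            // Encoded EC point x coordinate (obfuscated name: f).
            @v
            public String f45831f;

            // Encoded EC point y coordinate (obfuscated name: g).
            @v
            public String f45832g;

            // Encoded RSA public exponent: second RSAPublicKeySpec argument (obfuscated name: h).
            @v
            public String f45833h;

            // Encoded RSA modulus: first RSAPublicKeySpec argument (obfuscated name: i).
            @v
            public String f45834i;
        }

        /**
         * @param bVar factory for the HTTP transport used to download key sets
         */
        PublicKeyLoader(com.google.api.client.auth.openidconnect.b bVar) {
            this.f45825c = bVar;
        }

        /**
         * Builds an EC public key on secp256r1 from a JWK's x/y coordinates.
         *
         * <p>{@code h0.d(...)} is presumably Guava's {@code Preconditions.checkArgument}; if so, a
         * key with the wrong type or curve raises an unchecked exception here — TODO confirm.
         * {@code com.google.api.client.util.e.a} presumably base64-decodes the coordinate.
         * NOTE(review): nothing in this method checks that (x, y) lies on the curve; whether
         * {@code KeyFactory.generatePublic} does is provider-dependent — confirm for the runtime.
         */
        private PublicKey g(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            h0.d("EC".equals(aVar.f45829d));
            h0.d("P-256".equals(aVar.f45827b));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, com.google.api.client.util.e.a(aVar.f45831f)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f45832g)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        /**
         * Dispatches on the JWK's algorithm.
         *
         * @return the decoded key, or null when the algorithm is neither ES256 nor RS256; callers
         *     must handle the null
         */
        private PublicKey h(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(aVar.f45826a)) {
                return g(aVar);
            }
            if ("RS256".equals(aVar.f45826a)) {
                return j(aVar);
            }
            return null;
        }

        /**
         * Parses an X.509 certificate from its text form and returns its public key.
         *
         * <p>Only the key is extracted: the certificate's validity period, issuer and chain are not
         * checked here, so trust in the key rests on the transport and on the location it was
         * fetched from.
         */
        private PublicKey i(String str) throws CertificateException, UnsupportedEncodingException {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        /**
         * Builds an RSA public key from a JWK's modulus and exponent.
         *
         * <p>The algorithm name comes from a constant in an unrelated library class, which looks
         * like a decompiler substitution for the literal — presumably "RSA"; TODO confirm.
         * {@code h0.E(...)} is presumably {@code Preconditions.checkNotNull}.
         */
        private PublicKey j(a aVar) throws NoSuchAlgorithmException, InvalidKeySpecException {
            h0.d(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA.equals(aVar.f45829d));
            h0.E(aVar.f45833h);
            h0.E(aVar.f45834i);
            return KeyFactory.getInstance(AbstractDevicePopManager.KeyPairGeneratorAlgorithms.RSA).generatePublic(new RSAPublicKeySpec(new BigInteger(1, com.google.api.client.util.e.a(aVar.f45834i)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f45833h))));
        }

        /**
         * Downloads the key set at {@code str} and converts it to a key id -> public key map.
         *
         * <p>A JWK whose key cannot be built (checked key-spec failure, unsupported algorithm, or
         * missing key id) is skipped with a warning so that one unusable entry does not make every
         * other key in the set unavailable. Unchecked exceptions raised by the precondition calls
         * in {@code g}/{@code j} still propagate and fail the whole load.
         *
         * @param str key-set URL
         * @return non-empty map of usable keys
         * @throws c if the document yields no usable key
         * @throws IOException if the download or parse fails (logged, then rethrown)
         */
        @Override // com.google.common.cache.CacheLoader
        /* renamed from: k, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> d(String str) throws Exception {
            try {
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) this.f45825c.f().c().b(new k(str)).T(com.google.api.client.json.gson.a.q().c()).b().r(JsonWebKeySet.class);
                y7.b bVar = new y7.b();
                List<a> list = jsonWebKeySet.keys;
                if (list == null) {
                    // Certificate format: every top-level member is "key id": "certificate text".
                    for (String str2 : jsonWebKeySet.keySet()) {
                        bVar.j(str2, i((String) jsonWebKeySet.get(str2)));
                    }
                } else {
                    for (a aVar : list) {
                        try {
                            PublicKey publicKey = h(aVar);
                            // h() returns null for an unsupported algorithm; such an entry (or one
                            // without a key id) can never be matched to a token, and handing a
                            // null to the builder would abort the whole load instead.
                            if (aVar.f45828c == null || publicKey == null) {
                                IdTokenVerifier.f45810h.log(Level.WARNING, "Skipping a key with no key id or an unsupported algorithm");
                                continue;
                            }
                            bVar.j(aVar.f45828c, publicKey);
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e10) {
                            IdTokenVerifier.f45810h.log(Level.WARNING, "Failed to put a key into the cache", e10);
                        }
                    }
                }
                Map<String, PublicKey> keys = bVar.a();
                if (!keys.isEmpty()) {
                    return keys;
                }
                throw new c("No valid public key returned by the keystore: " + str);
            } catch (IOException e11) {
                IdTokenVerifier.f45810h.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e11);
                throw e11;
            }
        }
    }

    /**
     * Builder for {@link IdTokenVerifier}. Issuers and the audience collection default to null,
     * which disables the corresponding checks; set both for any verifier that guards access.
     */
    @f
    /* loaded from: classes.dex */
    public static class a {

        /** Key-set URL override; null selects the per-algorithm default (obfuscated name: b). */
        String f45836b;

        /** Settings lookup consulted for the skip-signature switch (obfuscated name: c). */
        com.google.api.client.auth.openidconnect.a f45837c;

        /** Accepted issuers; null skips the issuer check (obfuscated name: e). */
        Collection<String> f45839e;

        /** Collection for the {@code IdToken.o(...)} check; null skips it (obfuscated name: f). */
        Collection<String> f45840f;

        /** HTTP transport factory; null selects the built-in default (obfuscated name: g). */
        com.google.api.client.auth.openidconnect.b f45841g;

        /** Clock; defaults to {@code l.f46523a} (obfuscated name: a). */
        l f45835a = l.f46523a;

        /** Time-skew value; defaults to 300 (obfuscated name: d). */
        long f45838d = 300;

        /** Creates a verifier from the current builder state. */
        public IdTokenVerifier a() {
            return new IdTokenVerifier(this);
        }

        /** Returns the configured time-skew value. */
        public final long b() {
            return this.f45838d;
        }

        /** Returns the collection used for the {@code IdToken.o(...)} check, or null. */
        public final Collection<String> c() {
            return this.f45840f;
        }

        /** Returns the configured clock. */
        public final l d() {
            return this.f45835a;
        }

        /** Returns the configured settings lookup, or null. */
        final com.google.api.client.auth.openidconnect.a e() {
            return this.f45837c;
        }

        /** Returns the first configured issuer, or null when no issuers are set. */
        public final String f() {
            Collection<String> collection = this.f45839e;
            if (collection == null) {
                return null;
            }
            return collection.iterator().next();
        }

        /** Returns the configured issuers, or null. */
        public final Collection<String> g() {
            return this.f45839e;
        }

        /** Sets the time-skew value; the precondition call rejects a negative argument. */
        public a h(long j10) {
            com.google.api.client.util.h0.a(j10 >= 0);
            this.f45838d = j10;
            return this;
        }

        /** Sets the collection for the {@code IdToken.o(...)} check; null disables that check. */
        public a i(Collection<String> collection) {
            this.f45840f = collection;
            return this;
        }

        /**
         * Sets the key-set URL override. Keys served from this URL decide which signatures are
         * accepted, so it should be a fixed, trusted HTTPS location and never request-derived.
         */
        public a j(String str) {
            this.f45836b = str;
            return this;
        }

        /** Sets the clock; the argument goes through a precondition call (presumably non-null). */
        public a k(l lVar) {
            this.f45835a = (l) com.google.api.client.util.h0.d(lVar);
            return this;
        }

        /** Sets the settings lookup; package-private, so not reachable from outside the package. */
        a l(com.google.api.client.auth.openidconnect.a aVar) {
            this.f45837c = aVar;
            return this;
        }

        /** Sets the HTTP transport factory used to download key sets. */
        public a m(com.google.api.client.auth.openidconnect.b bVar) {
            this.f45841g = bVar;
            return this;
        }

        /** Sets a single accepted issuer; null clears the issuers and disables the check. */
        public a n(String str) {
            return str == null ? o(null) : o(Collections.singleton(str));
        }

        /** Sets the accepted issuers; null disables the check, an empty collection is rejected. */
        public a o(Collection<String> collection) {
            com.google.api.client.util.h0.b(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.f45839e = collection;
            return this;
        }
    }

    /** Default transport factory: always returns the shared {@link #f45815m}. */
    /* loaded from: classes.dex */
    static class b implements com.google.api.client.auth.openidconnect.b {
        b() {
        }

        @Override // com.google.api.client.auth.openidconnect.b
        public c0 f() {
            return IdTokenVerifier.f45815m;
        }
    }

    /** Checked exception for every signature-verification failure raised inside this class. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes.dex */
    public static class c extends Exception {
        public c(String str) {
            super(str);
        }

        public c(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Creates a verifier with builder defaults: no issuer check and no {@code IdToken.o(...)}
     * check, so only the time window and the signature are verified.
     */
    public IdTokenVerifier() {
        this(new a());
    }

    /**
     * Copies the builder state. Issuer and audience collections are wrapped as unmodifiable views
     * (not copied), and the key cache is created with a one-hour setting — presumably an expiry;
     * TODO confirm which expiry policy the obfuscated {@code h(1L, HOURS)} call selects.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public IdTokenVerifier(a aVar) {
        this.f45819b = aVar.f45836b;
        this.f45818a = aVar.f45835a;
        this.f45822e = aVar.f45838d;
        Collection<String> collection = aVar.f45839e;
        this.f45823f = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection2 = aVar.f45840f;
        this.f45824g = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        com.google.api.client.auth.openidconnect.b bVar = aVar.f45841g;
        this.f45821d = d.F().h(1L, TimeUnit.HOURS).b(new PublicKeyLoader(bVar == null ? new b() : bVar));
        com.google.api.client.auth.openidconnect.a aVar2 = aVar.f45837c;
        this.f45820c = aVar2 == null ? new com.google.api.client.auth.openidconnect.a() : aVar2;
    }

    /**
     * Resolves the key-set URL for a token header: the configured location when present, otherwise
     * a fixed default chosen by the header's algorithm.
     *
     * @throws c if no location is configured and the algorithm is neither ES256 nor RS256
     *     (including a missing algorithm)
     */
    private String d(JsonWebSignature.Header header) throws c {
        String str = this.f45819b;
        if (str != null) {
            return str;
        }
        String algorithm = header.getAlgorithm();
        // Constant-first comparison: a header without an algorithm is reported as an unexpected
        // algorithm rather than surfacing as a NullPointerException.
        if ("ES256".equals(algorithm)) {
            return f45811i;
        }
        if ("RS256".equals(algorithm)) {
            return f45812j;
        }
        throw new c(String.format(f45814l, algorithm));
    }

    /** Returns the configured time-skew value. */
    public final long b() {
        return this.f45822e;
    }

    /** Returns the collection used for the {@code IdToken.o(...)} check, or null. */
    public final Collection<String> c() {
        return this.f45824g;
    }

    /** Returns the clock used for the time-window check. */
    public final l e() {
        return this.f45818a;
    }

    /** Returns the first accepted issuer, or null when no issuers are configured. */
    public final String f() {
        Collection<String> collection = this.f45823f;
        if (collection == null) {
            return null;
        }
        return collection.iterator().next();
    }

    /** Returns the accepted issuers, or null. */
    public final Collection<String> g() {
        return this.f45823f;
    }

    /**
     * Full verification: claim checks first, then the signature.
     *
     * @return true only if {@link #i} and {@link #j} both succeed; a {@link c} from the signature
     *     step is logged at SEVERE and reported as false. Unchecked exceptions propagate.
     */
    public boolean h(IdToken idToken) {
        if (!i(idToken)) {
            return false;
        }
        try {
            return j(idToken);
        } catch (c e10) {
            f45810h.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e10);
            return false;
        }
    }

    /**
     * Claim checks only: issuer (when configured), the {@code IdToken.o(...)} check (when
     * configured) and the time window. This method does not look at the signature, so a true
     * result on its own says nothing about the token's authenticity; use {@link #h} for that.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public boolean i(IdToken idToken) {
        Collection<String> collection;
        Collection<String> collection2 = this.f45823f;
        return (collection2 == null || idToken.s(collection2)) && ((collection = this.f45824g) == null || idToken.o(collection)) && idToken.t(this.f45818a.currentTimeMillis(), this.f45822e);
    }

    /**
     * Signature check.
     *
     * <p>Order of operations: (1) if the {@link #f45816n} lookup parses as true, return true
     * without inspecting the token; (2) reject any header algorithm outside the allow-list;
     * (3) resolve the key-set URL and look up the key by the header's key id; (4) verify.
     *
     * @return true when the signature verifies (or verification is switched off)
     * @throws c for an unexpected algorithm, a key-fetch failure, an unknown key id, an invalid
     *     signature, or a {@link GeneralSecurityException} during verification
     */
    @x0.d
    boolean j(IdToken idToken) throws c {
        if (Boolean.parseBoolean(this.f45820c.a(f45816n))) {
            return true;
        }
        JsonWebSignature.Header header = idToken.a();
        if (!f45813k.contains(header.getAlgorithm())) {
            throw new c(String.format(f45814l, header.getAlgorithm()));
        }
        // Resolve the location once so the failure message names the URL that was actually
        // queried; the configured field is null whenever a per-algorithm default is in use.
        String location = d(header);
        PublicKey publicKey;
        try {
            publicKey = this.f45821d.get(location).get(header.getKeyId());
        } catch (UncheckedExecutionException | ExecutionException e11) {
            throw new c("Error fetching public key from certificate location " + location, e11);
        }
        if (publicKey == null) {
            throw new c("Could not find public key for provided keyId: " + header.getKeyId());
        }
        try {
            if (idToken.l(publicKey)) {
                return true;
            }
            throw new c("Invalid signature");
        } catch (GeneralSecurityException e10) {
            throw new c("Error validating token", e10);
        }
    }
}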
