package com.google.crypto.tink.jwt;

import com.google.android.exoplayer2.text.webvtt.CssParser;
import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.Immutable;
import j$.time.Clock;
import j$.time.Duration;
import j$.time.Instant;
import j$.util.Optional;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Iterator;

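/**
 * Checks the timestamp claims, {@code typ} header, issuer and audience of a {@link RawJwt}
 * against a fixed policy assembled with {@link Builder}.
 *
 * <p>Nothing in this class checks a signature or MAC: {@link #validate} only inspects header and
 * claim values and then wraps the token in a {@link VerifiedJwt}. The token's integrity must
 * therefore be established before this class is used.
 *
 * <p>NOTE(review): this listing looks like decompiler output (see the {@code j$} desugared
 * imports). The public fields, public constructor and public {@code validate*} methods may be
 * wider than the library's source declares; confirm before relying on them as API.
 */
@Immutable
public final class JwtValidator {
    /** Upper bound accepted by {@link Builder#setClockSkew}. */
    public static final Duration MAX_CLOCK_SKEW = Duration.ofMinutes(10);
    public final boolean allowMissingExpiration;
    public final Clock clock;
    public final Duration clockSkew;
    public final boolean expectIssuedInThePast;
    public final Optional<String> expectedAudience;
    public final Optional<String> expectedIssuer;
    public final Optional<String> expectedTypeHeader;
    public final boolean ignoreAudiences;
    public final boolean ignoreIssuer;
    public final boolean ignoreTypeHeader;

    /**
     * Mutable builder for {@link JwtValidator}.
     *
     * <p>The defaults are the strict ones: system UTC clock, zero clock skew, expiration
     * required, and a token that carries a {@code typ} header, issuer or audience is rejected
     * unless the matching {@code expect*} or {@code ignore*} method was called.
     */
    public static final class Builder {
        public boolean allowMissingExpiration;
        public Clock clock;
        public Duration clockSkew;
        public boolean expectIssuedInThePast;
        public Optional<String> expectedAudience;
        public Optional<String> expectedIssuer;
        public Optional<String> expectedTypeHeader;
        public boolean ignoreAudiences;
        public boolean ignoreIssuer;
        public boolean ignoreTypeHeader;

        /** Creates a builder with the strict defaults described on the class. */
        public Builder() {
            this.clock = Clock.systemUTC();
            this.clockSkew = Duration.ZERO;
            this.expectedTypeHeader = Optional.empty();
            this.ignoreTypeHeader = false;
            this.expectedIssuer = Optional.empty();
            this.ignoreIssuer = false;
            this.expectedAudience = Optional.empty();
            this.ignoreAudiences = false;
            this.allowMissingExpiration = false;
            this.expectIssuedInThePast = false;
        }

        /**
         * Accepts tokens that carry no expiration claim.
         *
         * <p>Such a token is never rejected as expired by the resulting validator, so enable this
         * only when the token lifetime is bounded by some other means.
         */
        @CanIgnoreReturnValue
        public Builder allowMissingExpiration() {
            this.allowMissingExpiration = true;
            return this;
        }

        /**
         * Builds the validator.
         *
         * @throws IllegalArgumentException if an {@code ignore*} option was combined with the
         *     matching {@code expect*} option
         */
        public JwtValidator build() {
            if (this.ignoreTypeHeader && this.expectedTypeHeader.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.ignoreIssuer && this.expectedIssuer.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.ignoreAudiences && this.expectedAudience.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        /**
         * Requires the token's audience list to contain {@code str} (exact match).
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectAudience(String str) {
            if (str == null) {
                throw new NullPointerException("audience cannot be null");
            }
            this.expectedAudience = Optional.of(str);
            return this;
        }

        /** Requires an {@code iat} claim that is not later than now plus the clock skew. */
        @CanIgnoreReturnValue
        public Builder expectIssuedInThePast() {
            this.expectIssuedInThePast = true;
            return this;
        }

        /**
         * Requires the token's issuer to equal {@code str} (exact, case-sensitive match).
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectIssuer(String str) {
            if (str == null) {
                throw new NullPointerException("issuer cannot be null");
            }
            this.expectedIssuer = Optional.of(str);
            return this;
        }

        /**
         * Requires the token's {@code typ} header to equal {@code str} (exact match).
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectTypeHeader(String str) {
            if (str == null) {
                throw new NullPointerException("typ header cannot be null");
            }
            this.expectedTypeHeader = Optional.of(str);
            return this;
        }

        /**
         * Accepts tokens whatever audience they carry.
         *
         * <p>With this set, a token addressed to a different recipient passes validation, so the
         * caller has to check the audience itself if it matters.
         */
        @CanIgnoreReturnValue
        public Builder ignoreAudiences() {
            this.ignoreAudiences = true;
            return this;
        }

        /** Accepts tokens whatever issuer they carry; the issuer is then not checked at all. */
        @CanIgnoreReturnValue
        public Builder ignoreIssuer() {
            this.ignoreIssuer = true;
            return this;
        }

        /** Accepts tokens whatever {@code typ} header they carry. */
        @CanIgnoreReturnValue
        public Builder ignoreTypeHeader() {
            this.ignoreTypeHeader = true;
            return this;
        }

        /**
         * Replaces the clock used as "now" for the timestamp checks.
         *
         * @throws NullPointerException if {@code clock} is null
         */
        @CanIgnoreReturnValue
        public Builder setClock(Clock clock) {
            if (clock == null) {
                throw new NullPointerException("clock cannot be null");
            }
            this.clock = clock;
            return this;
        }

        /**
         * Sets the tolerance applied to the {@code exp}, {@code nbf} and {@code iat} checks.
         *
         * <p>A larger skew keeps expired tokens acceptable for longer, which is why the value is
         * capped at {@link JwtValidator#MAX_CLOCK_SKEW}. No lower bound is enforced: a negative
         * duration passes this check and makes the timestamp checks stricter.
         *
         * @throws NullPointerException if {@code duration} is null
         * @throws IllegalArgumentException if {@code duration} exceeds the maximum
         */
        @CanIgnoreReturnValue
        public Builder setClockSkew(Duration duration) {
            // Explicit check so a null argument fails with a message, like the other setters;
            // previously the NullPointerException came out of compareTo().
            if (duration == null) {
                throw new NullPointerException("clock skew cannot be null");
            }
            if (duration.compareTo(JwtValidator.MAX_CLOCK_SKEW) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            this.clockSkew = duration;
            return this;
        }
    }

    /**
     * Copies the policy out of {@code builder}.
     *
     * <p>This constructor does not repeat the conflict checks made in {@link Builder#build()};
     * prefer {@code newBuilder()...build()}.
     */
    public JwtValidator(Builder builder) {
        this.expectedTypeHeader = builder.expectedTypeHeader;
        this.ignoreTypeHeader = builder.ignoreTypeHeader;
        this.expectedIssuer = builder.expectedIssuer;
        this.ignoreIssuer = builder.ignoreIssuer;
        this.expectedAudience = builder.expectedAudience;
        this.ignoreAudiences = builder.ignoreAudiences;
        this.allowMissingExpiration = builder.allowMissingExpiration;
        this.expectIssuedInThePast = builder.expectIssuedInThePast;
        this.clock = builder.clock;
        this.clockSkew = builder.clockSkew;
    }

    /** Returns a new {@link Builder} with the strict defaults. */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Renders the non-default options as {@code JwtValidator{opt1,opt2,...}}.
     *
     * <p>The expected issuer, audience and type header appear in clear text.
     */
    @Override
    public String toString() {
        ArrayList<String> parts = new ArrayList<>();
        if (this.expectedTypeHeader.isPresent()) {
            parts.add("expectedTypeHeader=" + this.expectedTypeHeader.get());
        }
        if (this.ignoreTypeHeader) {
            parts.add("ignoreTypeHeader");
        }
        if (this.expectedIssuer.isPresent()) {
            parts.add("expectedIssuer=" + this.expectedIssuer.get());
        }
        if (this.ignoreIssuer) {
            parts.add("ignoreIssuer");
        }
        if (this.expectedAudience.isPresent()) {
            parts.add("expectedAudience=" + this.expectedAudience.get());
        }
        if (this.ignoreAudiences) {
            parts.add("ignoreAudiences");
        }
        if (this.allowMissingExpiration) {
            parts.add("allowMissingExpiration");
        }
        if (this.expectIssuedInThePast) {
            parts.add("expectIssuedInThePast");
        }
        if (!this.clockSkew.isZero()) {
            parts.add("clockSkew=" + this.clockSkew);
        }
        StringBuilder sb = new StringBuilder("JwtValidator{");
        String separator = "";
        for (String part : parts) {
            sb.append(separator).append(part);
            separator = ",";
        }
        // Plain closing brace. The listing referenced CssParser.RULE_END from ExoPlayer's WebVTT
        // package here, a constant that a JWT validator has no reason to depend on.
        sb.append("}");
        return sb.toString();
    }

    /**
     * Runs the timestamp, type-header, issuer and audience checks in that order.
     *
     * <p>No signature or MAC is checked here. Passing a {@link RawJwt} whose integrity has not
     * been established yields a {@link VerifiedJwt} for attacker-chosen claims.
     *
     * @param rawJwt the token to check
     * @return {@code rawJwt} wrapped as a {@link VerifiedJwt} when every check passes
     * @throws JwtInvalidException if any check fails
     */
    public VerifiedJwt validate(RawJwt rawJwt) throws JwtInvalidException {
        validateTimestampClaims(rawJwt);
        validateTypeHeader(rawJwt);
        validateIssuer(rawJwt);
        validateAudiences(rawJwt);
        return new VerifiedJwt(rawJwt);
    }

    // NOTE(review): the four validate* methods below threw the GeneralSecurityException base type
    // in the listing, which their throws clauses do not permit and which a caller's
    // catch (JwtInvalidException) would miss. They now throw JwtInvalidException; its
    // single-String constructor is assumed to exist as in upstream Tink. Confirm for this build.

    /**
     * Checks the audience claim.
     *
     * <p>With an expected audience, the token must list it. Without one, a token that has any
     * audience is rejected unless {@code ignoreAudiences} is set.
     *
     * @throws JwtInvalidException if the check fails
     */
    public final void validateAudiences(RawJwt rawJwt) throws JwtInvalidException {
        if (this.expectedAudience.isPresent()) {
            if (!rawJwt.hasAudiences() || !rawJwt.getAudiences().contains(this.expectedAudience.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected audience %s.", this.expectedAudience.get()));
            }
        } else if (rawJwt.hasAudiences() && !this.ignoreAudiences) {
            throw new JwtInvalidException("invalid JWT; token has audience set, but validator not.");
        }
    }

    /**
     * Checks the issuer claim.
     *
     * <p>With an expected issuer, the token's {@code iss} must equal it. Without one, a token that
     * has an issuer is rejected unless {@code ignoreIssuer} is set.
     *
     * @throws JwtInvalidException if the check fails
     */
    public final void validateIssuer(RawJwt rawJwt) throws JwtInvalidException {
        if (!this.expectedIssuer.isPresent()) {
            if (rawJwt.hasIssuer() && !this.ignoreIssuer) {
                throw new JwtInvalidException("invalid JWT; token has issuer set, but validator not.");
            }
            return;
        }
        String expected = this.expectedIssuer.get();
        if (!rawJwt.hasIssuer()) {
            throw new JwtInvalidException(String.format("invalid JWT; missing expected issuer %s.", expected));
        }
        if (!rawJwt.getStringClaimInternal("iss").equals(expected)) {
            // The message embeds the issuer taken from the token; treat it as untrusted text when
            // it is logged or displayed.
            throw new JwtInvalidException(String.format("invalid JWT; expected issuer %s, but got %s", expected, rawJwt.getStringClaimInternal("iss")));
        }
    }

    /**
     * Checks {@code exp}, {@code nbf} and, when requested, {@code iat} against the clock.
     *
     * <p>A token is rejected when it has no expiration and {@code allowMissingExpiration} is not
     * set, when {@code exp} is not after now minus the skew, when {@code nbf} is after now plus
     * the skew, or, with {@code expectIssuedInThePast}, when {@code iat} is missing or after now
     * plus the skew.
     *
     * @throws JwtInvalidException if the check fails
     */
    public final void validateTimestampClaims(RawJwt rawJwt) throws JwtInvalidException {
        // Read the clock once so every comparison uses the same "now".
        Instant now = this.clock.instant();
        if (!rawJwt.hasExpiration() && !this.allowMissingExpiration) {
            throw new JwtInvalidException("token does not have an expiration set");
        }
        if (rawJwt.hasExpiration() && !rawJwt.getInstant("exp").isAfter(now.minus(this.clockSkew))) {
            throw new JwtInvalidException("token has expired since " + rawJwt.getInstant("exp"));
        }
        if (rawJwt.hasNotBefore() && rawJwt.getInstant(JwtNames.CLAIM_NOT_BEFORE).isAfter(now.plus(this.clockSkew))) {
            throw new JwtInvalidException("token cannot be used before " + rawJwt.getInstant(JwtNames.CLAIM_NOT_BEFORE));
        }
        if (this.expectIssuedInThePast) {
            if (!rawJwt.hasIssuedAt()) {
                throw new JwtInvalidException("token does not have an iat claim");
            }
            if (rawJwt.getInstant("iat").isAfter(now.plus(this.clockSkew))) {
                throw new JwtInvalidException("token has a invalid iat claim in the future: " + rawJwt.getInstant("iat"));
            }
        }
    }

    /**
     * Checks the {@code typ} header.
     *
     * <p>With an expected type header, the token's header must equal it. Without one, a token that
     * has a type header is rejected unless {@code ignoreTypeHeader} is set.
     *
     * @throws JwtInvalidException if the check fails
     */
    public final void validateTypeHeader(RawJwt rawJwt) throws JwtInvalidException {
        if (!this.expectedTypeHeader.isPresent()) {
            if (rawJwt.typeHeader.isPresent() && !this.ignoreTypeHeader) {
                throw new JwtInvalidException("invalid JWT; token has type header set, but validator not.");
            }
            return;
        }
        String expected = this.expectedTypeHeader.get();
        if (!rawJwt.typeHeader.isPresent()) {
            throw new JwtInvalidException(String.format("invalid JWT; missing expected type header %s.", expected));
        }
        if (!rawJwt.getTypeHeader().equals(expected)) {
            // The message embeds the header value taken from the token; treat it as untrusted
            // text when it is logged or displayed.
            throw new JwtInvalidException(String.format("invalid JWT; expected type header %s, but got %s", expected, rawJwt.getTypeHeader()));
        }
    }
}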
