package com.google.api.client.auth.openidconnect;

import a7.i;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.d;
import com.google.common.cache.g;
import com.google.common.collect.w;
import com.google.common.collect.x;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import ta.e;
import va.h;
import va.p;
import xa.l;

/* loaded from: classes6.dex */
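/**
 * Verifies the signature of an OpenID Connect ID token against public keys fetched from one of
 * two hard-coded key endpoints.
 *
 * <p>This is decompiled, name-obfuscated code; identifiers such as {@code f22859f} or {@code a}
 * are decompiler/obfuscator artefacts.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only the algorithms in {@link #g} (RS256, ES256) are accepted; the token header's
 *       {@code alg} value selects which key endpoint is queried, and its {@code kid} selects the
 *       key inside the fetched set.</li>
 *   <li>{@link #b(IdToken)} returns without checking anything when the environment variable
 *       {@code OAUTH_CLIENT_SKIP_SIGNATURE} parses as {@code true}. Treat that variable as a
 *       verification kill-switch and alert if it is set in production.</li>
 *   <li>No method in this listing reads {@link #f22860a}, {@link #f22863d} or {@link #f22864e},
 *       so issuer, audience and expiry checks are not performed here. If they exist they live
 *       elsewhere (or were stripped by the shrinker); a valid signature alone must not be
 *       treated as a valid token.</li>
 * </ul>
 */
public class IdTokenVerifier {

    /* renamed from: f, reason: collision with root package name */
    /** Class logger. */
    public static final Logger f22859f = Logger.getLogger(IdTokenVerifier.class.getName());

    /** Allow-list of JWS signing algorithms accepted by {@link #b(IdToken)}. */
    public static final Set<String> g = x.q("RS256", "ES256");

    /** Shared object used to create the HTTP request factory for key downloads (presumably an HTTP transport). */
    public static final e h = new e();

    /* renamed from: a, reason: collision with root package name */
    // Copied from the builder; NOTE(review): likely the clock used for time checks - confirm, not read in this listing.
    public final h.a f22860a;

    /* renamed from: b, reason: collision with root package name */
    // Only null-checked in b(IdToken); the environment lookup there goes straight to System.getenv.
    public final ja.a f22861b;

    /* renamed from: c, reason: collision with root package name */
    // Cache from key-endpoint URL to (key id -> public key), populated through PublicKeyLoader.
    public final g.n f22862c;

    /* renamed from: d, reason: collision with root package name */
    // Copied from the builder (default 300); NOTE(review): presumably a time-skew allowance in seconds - confirm.
    public final long f22863d;

    /* renamed from: e, reason: collision with root package name */
    // Unmodifiable view of the builder's collection, or null; NOTE(review): presumably accepted issuers - confirm.
    public final Collection<String> f22864e;

    /* loaded from: classes6.dex */
    /**
     * Cache loader that downloads a key document from a URL and converts it into a map of
     * key id to {@link PublicKey}.
     */
    public static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        public final ja.b f22865a;

        /* loaded from: classes6.dex */
        /** JSON binding for one JWK entry; the obfuscated fields keep their JSON names in the "renamed from" notes. */
        public static class JsonWebKey {

            @p
            public String alg;

            @p
            public String crv;

            /* renamed from: e, reason: collision with root package name */
            // Used as the RSA public exponent in b(JsonWebKey).
            @p
            public String f22866e;

            @p
            public String kid;

            @p
            public String kty;

            /* renamed from: n, reason: collision with root package name */
            // Used as the RSA modulus in b(JsonWebKey).
            @p
            public String f22867n;

            @p
            public String use;

            /* renamed from: x, reason: collision with root package name */
            // Used as the EC point's x coordinate in b(JsonWebKey).
            @p
            public String f22868x;

            /* renamed from: y, reason: collision with root package name */
            // Used as the EC point's y coordinate in b(JsonWebKey).
            @p
            public String f22869y;
        }

        /* loaded from: classes6.dex */
        /** JSON binding for the downloaded key document; {@code keys} is null when the document is not a JWK set. */
        public static class JsonWebKeySet extends GenericJson {

            @p
            public List<JsonWebKey> keys;
        }

        public PublicKeyLoader(ja.b bVar) {
            this.f22865a = bVar;
        }

        /**
         * Downloads the key document at {@code str} and builds the key map for the cache.
         *
         * <p>Two document shapes are handled: a JWK set (a {@code keys} array), or a flat JSON
         * object whose every top-level value is parsed as an X.509 certificate and stored under
         * its property name.
         *
         * @param str URL of the key document
         * @return non-empty map of key id to public key
         * @throws c if no usable key could be built from the document
         * @throws IOException if the download fails (logged, then rethrown)
         */
        @Override // com.google.common.cache.CacheLoader
        public final Map<String, PublicKey> a(String str) throws Exception {
            String str2 = str;
            Objects.requireNonNull((b) this.f22865a);
            try {
                com.google.api.client.http.a a10 = IdTokenVerifier.h.createRequestFactory().a(new sa.h(str2));
                a10.f22893q = GsonFactory.getDefaultInstance().createJsonObjectParser();
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) a10.b().f(JsonWebKeySet.class);
                w.a aVar = new w.a();
                List<JsonWebKey> list = jsonWebKeySet.keys;
                if (list == null) {
                    // Certificate-map format: every property value is treated as an X.509 certificate.
                    for (String str3 : jsonWebKeySet.keySet()) {
                        aVar.c(str3, CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(((String) jsonWebKeySet.get(str3)).getBytes("UTF-8"))).getPublicKey());
                    }
                } else {
                    for (JsonWebKey jsonWebKey : list) {
                        try {
                            PublicKey publicKey = b(jsonWebKey);
                            if (publicKey == null) {
                                // b(JsonWebKey) returns null for any alg other than ES256/RS256.
                                // w.a looks like an immutable-map builder, which would reject a null
                                // value with an unchecked exception and abort the whole load, so one
                                // unsupported entry would make every key at this endpoint unusable.
                                IdTokenVerifier.f22859f.log(Level.FINE, "Skipping key with unsupported algorithm: " + jsonWebKey.alg);
                                continue;
                            }
                            aVar.c(jsonWebKey.kid, publicKey);
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e10) {
                            // One malformed key must not prevent the remaining keys from loading.
                            // NOTE(review): unchecked failures (the l.b checks, a null kid) are not
                            // caught here and still abort the load - confirm that is intended.
                            IdTokenVerifier.f22859f.log(Level.WARNING, "Failed to put a key into the cache", e10);
                        }
                    }
                }
                if (aVar.a(true).isEmpty()) {
                    throw new c(i.j("No valid public key returned by the keystore: ", str2));
                }
                return aVar.a(true);
            } catch (IOException e11) {
                IdTokenVerifier.f22859f.log(Level.WARNING, "Failed to get a certificate from certificate location " + str2, (Throwable) e11);
                throw e11;
            }
        }

        /**
         * Converts one JWK entry into a {@link PublicKey}.
         *
         * <p>ES256 entries must have {@code kty} "EC" and {@code crv} "P-256" and are built on
         * curve secp256r1; RS256 entries must have {@code kty} "RSA" and non-null modulus and
         * exponent. {@code l.b} is presumably a precondition check that throws on {@code false},
         * and {@code va.c.a} presumably decodes the base64url field text - both are defined
         * outside this file.
         *
         * @param jsonWebKey the JWK entry
         * @return the public key, or {@code null} when {@code alg} is neither ES256 nor RS256
         */
        public final PublicKey b(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(jsonWebKey.alg)) {
                l.b("EC".equals(jsonWebKey.kty));
                l.b("P-256".equals(jsonWebKey.crv));
                ECPoint eCPoint = new ECPoint(new BigInteger(1, va.c.a(jsonWebKey.f22868x)), new BigInteger(1, va.c.a(jsonWebKey.f22869y)));
                AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
                algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
                return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
            }
            if (!"RS256".equals(jsonWebKey.alg)) {
                return null;
            }
            l.b("RSA".equals(jsonWebKey.kty));
            Objects.requireNonNull(jsonWebKey.f22866e);
            Objects.requireNonNull(jsonWebKey.f22867n);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, va.c.a(jsonWebKey.f22867n)), new BigInteger(1, va.c.a(jsonWebKey.f22866e))));
        }
    }

    /* loaded from: classes6.dex */
    /** Holder for the verifier's settings (the obfuscated builder); setters are not present in this listing. */
    public static class a {

        /* renamed from: a, reason: collision with root package name */
        public h.a f22870a = h.f41365a;

        /* renamed from: b, reason: collision with root package name */
        public long f22871b = 300;

        /* renamed from: c, reason: collision with root package name */
        public Collection<String> f22872c;
    }

    /* loaded from: classes6.dex */
    /** Empty {@code ja.b} implementation handed to {@link PublicKeyLoader}. */
    public static class b implements ja.b {
    }

    /* loaded from: classes6.dex */
    /** Checked exception raised for every verification or key-loading failure in this class. */
    public static class c extends Exception {
        public c(String str) {
            super(str);
        }

        public c(String str, Throwable th) {
            super(str, th);
        }
    }

    /** Creates a verifier with the default settings of {@link a}. */
    public IdTokenVerifier() {
        this(new a());
    }

    /**
     * Creates a verifier from the given settings and sets up the public-key cache.
     *
     * @param aVar settings holder; must not be null
     */
    public IdTokenVerifier(a aVar) {
        Objects.requireNonNull(aVar);
        this.f22860a = aVar.f22870a;
        this.f22863d = aVar.f22871b;
        Collection<String> collection = aVar.f22872c;
        this.f22864e = collection == null ? null : Collections.unmodifiableCollection(collection);
        b bVar = new b();
        d<Object, Object> c10 = d.c();
        // NOTE(review): presumably a one-hour expiry on cached key sets, which would also bound
        // how long a rotated or revoked key stays trusted - confirm against the cache builder.
        c10.b(1L, TimeUnit.HOURS);
        PublicKeyLoader publicKeyLoader = new PublicKeyLoader(bVar);
        // Return value discarded; the purpose of this call is not visible from this file.
        c10.a();
        this.f22862c = new g.n(c10, publicKeyLoader);
        this.f22861b = new ja.a();
    }

    /**
     * Maps the token header's signing algorithm to the hard-coded key endpoint.
     *
     * @param header JWS header of the token
     * @return the key document URL for ES256 or RS256
     * @throws c if the algorithm is neither ES256 nor RS256
     */
    public final String a(JsonWebSignature.Header header) throws c {
        String algorithm = header.getAlgorithm();
        Objects.requireNonNull(algorithm);
        if (algorithm.equals("ES256")) {
            return "https://www.gstatic.com/iap/verify/public_key-jwk";
        }
        if (algorithm.equals("RS256")) {
            return "https://www.googleapis.com/oauth2/v3/certs";
        }
        throw new c(String.format("Unexpected signing algorithm %s: expected either RS256 or ES256", header.getAlgorithm()));
    }

    /**
     * Verifies the token's signature; returns normally on success.
     *
     * <p>Only the signature is checked here - claims such as issuer, audience and expiry are not.
     *
     * @param idToken token to verify
     * @throws c if the algorithm is not allowed, no key matches the header's key id, the key
     *     set cannot be loaded, or the signature does not verify
     */
    public final void b(IdToken idToken) throws c {
        Objects.requireNonNull(this.f22861b);
        // SECURITY: process-wide bypass. When this variable parses as true, every token is
        // accepted without any signature check. It must never be set outside tests; the warning
        // below makes an active bypass visible in logs.
        if (Boolean.parseBoolean(System.getenv("OAUTH_CLIENT_SKIP_SIGNATURE"))) {
            f22859f.log(Level.WARNING, "ID token signature verification skipped: OAUTH_CLIENT_SKIP_SIGNATURE is set");
            return;
        }
        // Reject anything outside the allow-list before touching the network or any key material.
        if (!g.contains(idToken.getHeader().getAlgorithm())) {
            throw new c(String.format("Unexpected signing algorithm %s: expected either RS256 or ES256", idToken.getHeader().getAlgorithm()));
        }
        // Resolved before the try so the failure message below can name the endpoint; the
        // original message always ended in the literal text "null".
        String keyLocation = a(idToken.getHeader());
        try {
            PublicKey publicKey = (PublicKey) ((Map) this.f22862c.a(keyLocation)).get(idToken.getHeader().getKeyId());
            if (publicKey == null) {
                StringBuilder s10 = i.s("Could not find public key for provided keyId: ");
                s10.append(idToken.getHeader().getKeyId());
                throw new c(s10.toString());
            }
            try {
                if (!idToken.verifySignature(publicKey)) {
                    throw new c("Invalid signature");
                }
            } catch (GeneralSecurityException e10) {
                throw new c("Error validating token", e10);
            }
        } catch (UncheckedExecutionException | ExecutionException e11) {
            throw new c("Error fetching public key from certificate location " + keyLocation, e11);
        }
    }
}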
