package com.google.api.client.auth.openidconnect;

import com.google.android.exoplayer2.C;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Key;
import com.google.api.client.util.Preconditions;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

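/**
 * Verifies OpenID Connect ID tokens: optional issuer and audience checks, a time check with a
 * configurable skew, and a signature check against public keys downloaded from a certificates
 * location.
 *
 * <p>This listing is decompiler output (see the "loaded from" and "renamed from" markers). Field
 * and helper names are synthetic, and methods that throw checked exceptions carry no
 * {@code throws} clause here, so the listing documents behaviour rather than compiling as-is.
 *
 * <p>Security-relevant behaviour visible in this class:
 *
 * <ul>
 *   <li>Only {@code RS256} and {@code ES256} are accepted as signing algorithms.
 *   <li>A verifier built without issuers, or without an audience, skips that check entirely.
 *   <li>Signature verification is bypassed when the {@code OAUTH_CLIENT_SKIP_SIGNATURE} setting
 *       parses as {@code true}; that setting should never be present outside tests.
 *   <li>Downloaded keys are cached per location and expire one hour after being written.
 * </ul>
 */
@Beta
/* loaded from: classes2.dex */
public class IdTokenVerifier {
    /** Default acceptable clock skew, in seconds. */
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;

    /** Class logger. (renamed from: h, reason: collision with root package name) */
    public static final Logger f15691h = Logger.getLogger(IdTokenVerifier.class.getName());

    /**
     * Allow-list of signing algorithms; any other header value is rejected before a key is
     * fetched. (renamed from: i, reason: collision with root package name)
     */
    public static final Set<String> f15692i = ImmutableSet.of("RS256", "ES256");

    /**
     * Shared transport handed out by the default {@link a} factory.
     * (renamed from: j, reason: collision with root package name)
     */
    public static final HttpTransport f15693j = new NetHttpTransport();

    /** Clock used for the time check. (renamed from: a) */
    public final Clock f15694a;

    /**
     * Certificates location override; {@code null} selects a built-in location per algorithm.
     * (renamed from: b)
     */
    public final String f15695b;

    /**
     * Source of the {@code OAUTH_CLIENT_SKIP_SIGNATURE} setting. The type {@code o9.a} is not part
     * of this listing; presumably it reads process environment variables (to be confirmed).
     * (renamed from: c)
     */
    public final o9.a f15696c;

    /** Cache: certificates location -> (key id -> public key). (renamed from: d) */
    public final LoadingCache<String, Map<String, PublicKey>> f15697d;

    /** Acceptable clock skew in seconds. (renamed from: e) */
    public final long f15698e;

    /** Accepted issuers, or {@code null} to skip the issuer check. (renamed from: f) */
    public final Collection<String> f15699f;

    /** Accepted audience, or {@code null} to skip the audience check. (renamed from: g) */
    public final Collection<String> f15700g;

    /** Builder for {@link IdTokenVerifier}. */
    @Beta
    /* loaded from: classes2.dex */
    public static class Builder {

        /** Certificates location override, {@code null} by default. (renamed from: b) */
        public String f15702b;

        /**
         * Setting source consulted for {@code OAUTH_CLIENT_SKIP_SIGNATURE}; no setter is visible
         * in this listing, and {@code null} makes the verifier create its own. (renamed from: c)
         */
        public o9.a f15703c;

        /** Accepted issuers, {@code null} by default. (renamed from: e) */
        public Collection<String> f15705e;

        /** Accepted audience, {@code null} by default. (renamed from: f) */
        public Collection<String> f15706f;

        /** Transport factory used to download keys, {@code null} by default. (renamed from: g) */
        public HttpTransportFactory f15707g;

        /** Clock, defaulting to the system clock. (renamed from: a) */
        public Clock f15701a = Clock.SYSTEM;

        /** Acceptable clock skew in seconds, defaulting to 300. (renamed from: d) */
        public long f15704d = 300;

        /** Builds a verifier from the current builder state. */
        public IdTokenVerifier build() {
            return new IdTokenVerifier(this);
        }

        /** Returns the acceptable clock skew in seconds. */
        public final long getAcceptableTimeSkewSeconds() {
            return this.f15704d;
        }

        /** Returns the accepted audience, or {@code null} if none was set. */
        public final Collection<String> getAudience() {
            return this.f15706f;
        }

        /** Returns the clock. */
        public final Clock getClock() {
            return this.f15701a;
        }

        /** Returns the first configured issuer, or {@code null} if no issuers were set. */
        public final String getIssuer() {
            Collection<String> issuers = this.f15705e;
            return issuers == null ? null : issuers.iterator().next();
        }

        /** Returns the accepted issuers, or {@code null} if none were set. */
        public final Collection<String> getIssuers() {
            return this.f15705e;
        }

        /**
         * Sets the acceptable clock skew.
         *
         * @param j10 skew in seconds; must not be negative
         */
        public Builder setAcceptableTimeSkewSeconds(long j10) {
            Preconditions.checkArgument(j10 >= 0);
            this.f15704d = j10;
            return this;
        }

        /**
         * Sets the accepted audience. Passing {@code null} disables the audience check, so a
         * token issued for any client is then accepted by {@link IdTokenVerifier#verify}.
         */
        public Builder setAudience(Collection<String> collection) {
            this.f15706f = collection;
            return this;
        }

        /**
         * Overrides the URL from which verification keys are downloaded. Every key served at this
         * location is trusted for signature checks, so it should be an HTTPS endpoint controlled
         * by the token issuer.
         */
        public Builder setCertificatesLocation(String str) {
            this.f15702b = str;
            return this;
        }

        /** Sets the clock; {@code null} is rejected. */
        public Builder setClock(Clock clock) {
            this.f15701a = (Clock) Preconditions.checkNotNull(clock);
            return this;
        }

        /** Sets the factory for the transport used to download keys. */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.f15707g = httpTransportFactory;
            return this;
        }

        /** Sets a single accepted issuer; {@code null} disables the issuer check. */
        public Builder setIssuer(String str) {
            if (str == null) {
                return setIssuers(null);
            }
            return setIssuers(Collections.singleton(str));
        }

        /**
         * Sets the accepted issuers. {@code null} disables the issuer check; an empty collection
         * is rejected so that "accept nothing" cannot be confused with "check nothing".
         */
        public Builder setIssuers(Collection<String> collection) {
            Preconditions.checkArgument(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.f15705e = collection;
            return this;
        }
    }

    /**
     * Cache loader that downloads the key set at a certificates location and converts it into a
     * map from key id to {@link PublicKey}.
     */
    /* loaded from: classes2.dex */
    public static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /** Factory for the transport used for the download. (renamed from: a) */
        public final HttpTransportFactory f15708a;

        /** One entry of a JSON Web Key set, as parsed from the download. */
        /* loaded from: classes2.dex */
        public static class JsonWebKey {

            @Key
            public String alg;

            @Key
            public String crv;

            /* renamed from: e, reason: collision with root package name */
            @Key
            public String f15709e;

            @Key
            public String kid;

            @Key
            public String kty;

            /* renamed from: n, reason: collision with root package name */
            @Key
            public String f15710n;

            @Key
            public String use;

            /* renamed from: x, reason: collision with root package name */
            @Key
            public String f15711x;

            /* renamed from: y, reason: collision with root package name */
            @Key
            public String f15712y;
        }

        /** Parsed download: either a {@code keys} list or a flat map of key id to certificate. */
        /* loaded from: classes2.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        public PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.f15708a = httpTransportFactory;
        }

        /**
         * Builds a P-256 elliptic-curve public key from a JWK.
         *
         * @throws IllegalArgumentException if {@code kty} is not {@code EC} or {@code crv} is not
         *     {@code P-256}
         * @throws NullPointerException if either coordinate is missing
         */
        public final PublicKey a(JsonWebKey jsonWebKey) {
            com.google.common.base.Preconditions.checkArgument("EC".equals(jsonWebKey.kty));
            com.google.common.base.Preconditions.checkArgument("P-256".equals(jsonWebKey.crv));
            // Same explicit presence check the RSA path applies to its modulus and exponent.
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.f15711x);
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.f15712y);
            BigInteger x = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f15711x));
            BigInteger y = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f15712y));
            AlgorithmParameters curveParameters = AlgorithmParameters.getInstance("EC");
            curveParameters.init(new ECGenParameterSpec("secp256r1"));
            ECParameterSpec curveSpec = (ECParameterSpec) curveParameters.getParameterSpec(ECParameterSpec.class);
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(new ECPoint(x, y), curveSpec));
        }

        /**
         * Converts a JWK according to its own {@code alg} field.
         *
         * @return the public key, or {@code null} when {@code alg} is neither {@code ES256} nor
         *     {@code RS256}
         */
        public final PublicKey b(JsonWebKey jsonWebKey) {
            String algorithm = jsonWebKey.alg;
            if ("ES256".equals(algorithm)) {
                return a(jsonWebKey);
            }
            if ("RS256".equals(algorithm)) {
                return d(jsonWebKey);
            }
            return null;
        }

        /** Parses an X.509 certificate from its text form and returns its public key. */
        public final PublicKey c(String str) {
            ByteArrayInputStream certificateBytes = new ByteArrayInputStream(str.getBytes(C.UTF8_NAME));
            return CertificateFactory.getInstance("X.509").generateCertificate(certificateBytes).getPublicKey();
        }

        /**
         * Builds an RSA public key from a JWK's modulus and exponent.
         *
         * @throws IllegalArgumentException if {@code kty} is not {@code RSA}
         * @throws NullPointerException if the modulus or exponent is missing
         */
        public final PublicKey d(JsonWebKey jsonWebKey) {
            com.google.common.base.Preconditions.checkArgument("RSA".equals(jsonWebKey.kty));
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.f15709e);
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.f15710n);
            BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f15710n));
            BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f15709e));
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
        }

        /**
         * Downloads the key set at {@code str} and returns its usable keys by key id.
         *
         * <p>A response with a {@code keys} list is treated as a JWK set; otherwise every
         * top-level entry is treated as key id mapped to an X.509 certificate. JWK entries that
         * have no key id or an unsupported algorithm are skipped with a warning. Previously such
         * an entry made {@code ImmutableMap.Builder.put} throw on the null key or value, which
         * discarded the whole key set and failed every verification against that location.
         *
         * @throws IOException if the download or parse fails (logged, then rethrown)
         * @throws b if the response contains no usable key
         */
        @Override // com.google.common.cache.CacheLoader
        /* renamed from: e, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> load(String str) {
            try {
                JsonWebKeySet keySet = (JsonWebKeySet) this.f15708a.create()
                        .createRequestFactory()
                        .buildGetRequest(new GenericUrl(str))
                        .setParser(GsonFactory.getDefaultInstance().createJsonObjectParser())
                        .execute()
                        .parseAs(JsonWebKeySet.class);
                ImmutableMap.Builder<String, PublicKey> keysById = new ImmutableMap.Builder<>();
                List<JsonWebKey> webKeys = keySet.keys;
                if (webKeys == null) {
                    for (String keyId : keySet.keySet()) {
                        keysById.put(keyId, c((String) keySet.get(keyId)));
                    }
                } else {
                    for (JsonWebKey webKey : webKeys) {
                        if (webKey == null || webKey.kid == null) {
                            IdTokenVerifier.f15691h.log(Level.WARNING, "Skipping a key without a key id");
                            continue;
                        }
                        try {
                            PublicKey publicKey = b(webKey);
                            if (publicKey == null) {
                                IdTokenVerifier.f15691h.log(Level.WARNING, "Skipping key {0}: unsupported algorithm", webKey.kid);
                                continue;
                            }
                            keysById.put(webKey.kid, publicKey);
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e10) {
                            IdTokenVerifier.f15691h.log(Level.WARNING, "Failed to put a key into the cache", e10);
                        }
                    }
                }
                // Build once; an empty result must fail the load so nothing empty is cached.
                Map<String, PublicKey> usableKeys = keysById.build();
                if (usableKeys.isEmpty()) {
                    throw new b("No valid public key returned by the keystore: " + str);
                }
                return usableKeys;
            } catch (IOException e11) {
                IdTokenVerifier.f15691h.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e11);
                throw e11;
            }
        }
    }

    /** Default transport factory: always returns the shared {@link #f15693j} transport. */
    /* loaded from: classes2.dex */
    public static class a implements HttpTransportFactory {
        @Override // com.google.api.client.auth.openidconnect.HttpTransportFactory
        public HttpTransport create() {
            return IdTokenVerifier.f15693j;
        }
    }

    /** Checked exception for any failure while locating a key or checking a signature. */
    /* loaded from: classes2.dex */
    public static class b extends Exception {
        public b(String str) {
            super(str);
        }

        public b(String str, Throwable th) {
            super(str, th);
        }
    }

    /** Creates a verifier with builder defaults: no issuer check and no audience check. */
    public IdTokenVerifier() {
        this(new Builder());
    }

    /**
     * Creates a verifier from a builder.
     *
     * <p>The issuer and audience collections are wrapped as unmodifiable views, not copied, so
     * later changes to the collections passed to the builder remain visible to this verifier.
     */
    public IdTokenVerifier(Builder builder) {
        this.f15695b = builder.f15702b;
        this.f15694a = builder.f15701a;
        this.f15698e = builder.f15704d;
        Collection<String> issuers = builder.f15705e;
        this.f15699f = issuers == null ? null : Collections.unmodifiableCollection(issuers);
        Collection<String> audience = builder.f15706f;
        this.f15700g = audience == null ? null : Collections.unmodifiableCollection(audience);
        HttpTransportFactory transportFactory = builder.f15707g;
        if (transportFactory == null) {
            transportFactory = new a();
        }
        this.f15697d = CacheBuilder.newBuilder().expireAfterWrite(1L, TimeUnit.HOURS).build(new PublicKeyLoader(transportFactory));
        o9.a settings = builder.f15703c;
        this.f15696c = settings == null ? new o9.a() : settings;
    }

    /**
     * Chooses the certificates location: the configured override if present, otherwise a
     * built-in URL selected by the header's signing algorithm.
     *
     * @throws b if no override is configured and the algorithm is not RS256 or ES256 (a missing
     *     algorithm is reported the same way instead of raising a NullPointerException)
     */
    public final String b(JsonWebSignature.Header header) {
        String override = this.f15695b;
        if (override != null) {
            return override;
        }
        String algorithm = header.getAlgorithm();
        if ("ES256".equals(algorithm)) {
            return "https://www.gstatic.com/iap/verify/public_key-jwk";
        }
        if ("RS256".equals(algorithm)) {
            return "https://www.googleapis.com/oauth2/v3/certs";
        }
        throw new b(String.format("Unexpected signing algorithm %s: expected either RS256 or ES256", algorithm));
    }

    /**
     * Checks the token's claims: issuer (if issuers are configured), audience (if an audience is
     * configured) and time, in that order. A {@code null} issuer or audience configuration means
     * that check is not performed at all.
     */
    public boolean c(IdToken idToken) {
        Collection<String> issuers = this.f15699f;
        if (issuers != null && !idToken.verifyIssuer(issuers)) {
            return false;
        }
        Collection<String> audience = this.f15700g;
        if (audience != null && !idToken.verifyAudience(audience)) {
            return false;
        }
        return idToken.verifyTime(this.f15694a.currentTimeMillis(), this.f15698e);
    }

    /**
     * Checks the token's signature against the key named by the header's key id.
     *
     * <p>When the {@code OAUTH_CLIENT_SKIP_SIGNATURE} setting parses as {@code true} the check is
     * skipped and this method returns {@code true}; that is now logged at WARNING so an active
     * bypass is visible in logs. With the bypass on, {@link #verify} accepts any token whose
     * claims pass, so deployments should make sure the setting is absent outside tests.
     *
     * @return {@code true} if the signature is valid or the bypass is active
     * @throws b if the algorithm is not allowed, the key cannot be fetched or found, or the
     *     signature is invalid
     */
    @VisibleForTesting
    public boolean d(IdToken idToken) {
        if (Boolean.parseBoolean(this.f15696c.a("OAUTH_CLIENT_SKIP_SIGNATURE"))) {
            f15691h.log(Level.WARNING, "OAUTH_CLIENT_SKIP_SIGNATURE is set: id token signature verification is being skipped");
            return true;
        }
        JsonWebSignature.Header header = idToken.getHeader();
        // Reject anything outside the allow-list before a key location is even selected.
        if (!f15692i.contains(header.getAlgorithm())) {
            throw new b(String.format("Unexpected signing algorithm %s: expected either RS256 or ES256", header.getAlgorithm()));
        }
        // Resolved up front so the error below names the location actually used, not a null
        // override.
        String location = b(header);
        PublicKey publicKey;
        try {
            publicKey = this.f15697d.get(location).get(header.getKeyId());
        } catch (UncheckedExecutionException | ExecutionException e11) {
            throw new b("Error fetching public key from certificate location " + location, e11);
        }
        if (publicKey == null) {
            throw new b("Could not find public key for provided keyId: " + header.getKeyId());
        }
        try {
            if (idToken.verifySignature(publicKey)) {
                return true;
            }
        } catch (GeneralSecurityException e10) {
            throw new b("Error validating token", e10);
        }
        throw new b("Invalid signature");
    }

    /** Returns the acceptable clock skew in seconds. */
    public final long getAcceptableTimeSkewSeconds() {
        return this.f15698e;
    }

    /** Returns the accepted audience, or {@code null} if the audience check is disabled. */
    public final Collection<String> getAudience() {
        return this.f15700g;
    }

    /** Returns the clock used for the time check. */
    public final Clock getClock() {
        return this.f15694a;
    }

    /** Returns the first accepted issuer, or {@code null} if the issuer check is disabled. */
    public final String getIssuer() {
        Collection<String> issuers = this.f15699f;
        return issuers == null ? null : issuers.iterator().next();
    }

    /** Returns the accepted issuers, or {@code null} if the issuer check is disabled. */
    public final Collection<String> getIssuers() {
        return this.f15699f;
    }

    /**
     * Verifies a token: claims first, then signature.
     *
     * @return {@code true} only if both checks pass; a signature failure is logged at SEVERE and
     *     reported as {@code false} rather than thrown
     */
    public boolean verify(IdToken idToken) {
        if (!c(idToken)) {
            return false;
        }
        try {
            return d(idToken);
        } catch (b e10) {
            f15691h.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e10);
            return false;
        }
    }
}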
