package com.google.api.client.auth.openidconnect;

import androidx.activity.result.a;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonObjectParser;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Key;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

@Beta
/* loaded from: classes2.dex */
public class IdTokenVerifier {
    public static final Logger c = Logger.getLogger(IdTokenVerifier.class.getName());
    public static final NetHttpTransport d;

    /* renamed from: a, reason: collision with root package name */
    public final Clock f19840a = new Builder().f19842a;

    /* renamed from: b, reason: collision with root package name */
    public final LoadingCache<String, Map<String, PublicKey>> f19841b;

    @Beta
    /* loaded from: classes2.dex */
    public static class Builder {

        /* renamed from: a, reason: collision with root package name */
        public final Clock f19842a = Clock.f20015a;
    }

    /* loaded from: classes2.dex */
    public static class DefaultHttpTransportFactory implements HttpTransportFactory {
        @Override // com.google.api.client.auth.openidconnect.HttpTransportFactory
        public final NetHttpTransport a() {
            return IdTokenVerifier.d;
        }
    }

    /* loaded from: classes2.dex */
    public static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: o, reason: collision with root package name */
        public final HttpTransportFactory f19843o;

        /* loaded from: classes2.dex */
        public static class JsonWebKey {

            @Key
            public String alg;

            @Key
            public String crv;

            @Key
            public String e;

            @Key
            public String kid;

            @Key
            public String kty;

            /* renamed from: n, reason: collision with root package name */
            @Key
            public String f19844n;

            @Key
            public String use;

            @Key
            public String x;

            @Key
            public String y;
        }

        /* loaded from: classes2.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        public PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.f19843o = httpTransportFactory;
        }

        public static PublicKey c(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(jsonWebKey.alg)) {
                Preconditions.g("EC".equals(jsonWebKey.kty));
                Preconditions.g("P-256".equals(jsonWebKey.crv));
                ECPoint eCPoint = new ECPoint(new BigInteger(1, Base64.a(jsonWebKey.x)), new BigInteger(1, Base64.a(jsonWebKey.y)));
                AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
                algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
                return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
            }
            if (!"RS256".equals(jsonWebKey.alg)) {
                return null;
            }
            Preconditions.g("RSA".equals(jsonWebKey.kty));
            jsonWebKey.e.getClass();
            jsonWebKey.f19844n.getClass();
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, Base64.a(jsonWebKey.f19844n)), new BigInteger(1, Base64.a(jsonWebKey.e))));
        }

        @Override // com.google.common.cache.CacheLoader
        public final Map<String, PublicKey> a(String str) throws Exception {
            String str2 = str;
            NetHttpTransport a2 = this.f19843o.a();
            try {
                a2.getClass();
                HttpRequest a3 = new HttpRequestFactory(a2, null).a("GET", new GenericUrl(str2), null);
                GsonFactory e = GsonFactory.e();
                e.getClass();
                a3.f19926q = new JsonObjectParser(e);
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) a3.b().f(JsonWebKeySet.class);
                ImmutableMap.Builder builder = new ImmutableMap.Builder();
                List<JsonWebKey> list = jsonWebKeySet.keys;
                if (list == null) {
                    for (String str3 : jsonWebKeySet.keySet()) {
                        builder.c(str3, CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(((String) jsonWebKeySet.get(str3)).getBytes("UTF-8"))).getPublicKey());
                    }
                } else {
                    for (JsonWebKey jsonWebKey : list) {
                        try {
                            builder.c(jsonWebKey.kid, c(jsonWebKey));
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e2) {
                            IdTokenVerifier.c.log(Level.WARNING, "Failed to put a key into the cache", e2);
                        }
                    }
                }
                if (builder.a(true).isEmpty()) {
                    throw new VerificationException(a.z("No valid public key returned by the keystore: ", str2));
                }
                return builder.a(true);
            } catch (IOException e3) {
                IdTokenVerifier.c.log(Level.WARNING, "Failed to get a certificate from certificate location " + str2, (Throwable) e3);
                throw e3;
            }
        }
    }

    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }
    }

    static {
        ImmutableSet.k(2, 2, "RS256", "ES256");
        d = new NetHttpTransport();
    }

    public IdTokenVerifier() {
        DefaultHttpTransportFactory defaultHttpTransportFactory = new DefaultHttpTransportFactory();
        CacheBuilder cacheBuilder = new CacheBuilder();
        TimeUnit timeUnit = TimeUnit.HOURS;
        long j2 = cacheBuilder.f20143f;
        if (!(j2 == -1)) {
            throw new IllegalStateException(Strings.c("expireAfterWrite was already set to %s ns", Long.valueOf(j2)));
        }
        cacheBuilder.f20143f = timeUnit.toNanos(1L);
        this.f19841b = cacheBuilder.a(new PublicKeyLoader(defaultHttpTransportFactory));
        new Environment();
    }
}
