package com.google.auth.oauth2;

import androidx.appcompat.widget.o$$ExternalSyntheticOutline0;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Key;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes2.dex */
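/**
 * Verifies a compact-serialised JSON Web Signature (JWS) token.
 *
 * <p>This listing is decompiler output: private members carry generated names (the original
 * short names are kept in the {@code renamed from} comments), and {@code l} is an obfuscated
 * class of this package that is not shown here.
 *
 * <p>What {@link #verify(String)} enforces, in this order:
 * <ol>
 *   <li>audience equals the configured audience, only if one was configured;</li>
 *   <li>issuer equals the configured issuer, only if one was configured;</li>
 *   <li>the {@code exp} claim is in the future, only if the token carries one;</li>
 *   <li>the header algorithm is on the {@code RS256}/{@code ES256} allow-list;</li>
 *   <li>the signature validates against the configured key, or against the key whose id matches
 *       the token's {@code kid} in the fetched key set.</li>
 * </ol>
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Audience and issuer are <em>not</em> checked unless set on the {@link Builder}. A verifier
 *       built without an audience accepts a validly signed token minted for any other relying
 *       party, so both should be set wherever the token is used for authorization.</li>
 *   <li>A token without an {@code exp} claim passes the expiry step. No not-before or issued-at
 *       check is made in this class.</li>
 *   <li>The claim checks run before the signature check, so their distinct error messages can be
 *       triggered by unsigned or forged input.</li>
 * </ul>
 */
public class TokenVerifier {

    /* renamed from: g, reason: collision with root package name */
    // Allow-list of accepted JWS algorithms; anything else (including "none" and the HMAC
    // family) is rejected in verify() before a key is looked up.
    private static final Set<String> f16451g = ImmutableSet.of("RS256", "ES256");

    /* renamed from: a, reason: collision with root package name */
    // Expected audience; null disables the audience check.
    private final String f16452a;

    /* renamed from: b, reason: collision with root package name */
    // URL of the key set; null selects one of the built-in URLs by algorithm.
    private final String f16453b;

    /* renamed from: c, reason: collision with root package name */
    // Expected issuer; null disables the issuer check.
    private final String f16454c;

    /* renamed from: d, reason: collision with root package name */
    // Pinned verification key; when non-null no key set is fetched.
    private final PublicKey f16455d;

    /* renamed from: e, reason: collision with root package name */
    // Time source for the expiry check.
    private final Clock f16456e;

    /* renamed from: f, reason: collision with root package name */
    // Key sets by URL (kid -> key); entries expire one hour after they are written.
    private final LoadingCache<String, Map<String, PublicKey>> f16457f;

    /**
     * Collects the verifier settings.
     *
     * <p>{@link TokenVerifier#newBuilder()} presets the clock and the HTTP transport factory; a
     * builder created with {@code new Builder()} leaves both null.
     */
    /* loaded from: classes2.dex */
    public static class Builder {

        /* renamed from: a, reason: collision with root package name */
        private String f16458a;

        /* renamed from: b, reason: collision with root package name */
        private String f16459b;

        /* renamed from: c, reason: collision with root package name */
        private String f16460c;

        /* renamed from: d, reason: collision with root package name */
        private PublicKey f16461d;

        /* renamed from: e, reason: collision with root package name */
        private Clock f16462e;

        /* renamed from: f, reason: collision with root package name */
        private HttpTransportFactory f16463f;

        /** Creates a verifier from the current settings. */
        public TokenVerifier build() {
            return new TokenVerifier(this);
        }

        /**
         * Sets the audience the token must carry. Leaving it unset disables the audience check.
         */
        public Builder setAudience(String str) {
            this.f16458a = str;
            return this;
        }

        /**
         * Sets the URL the key set is fetched from. This URL decides which keys are trusted, so it
         * should come from configuration and never from token or request data.
         */
        public Builder setCertificatesLocation(String str) {
            this.f16459b = str;
            return this;
        }

        /** Sets the clock used for the expiry check. */
        public Builder setClock(Clock clock) {
            this.f16462e = clock;
            return this;
        }

        /** Sets the factory for the HTTP transport used to fetch the key set. */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.f16463f = httpTransportFactory;
            return this;
        }

        /** Sets the issuer the token must carry. Leaving it unset disables the issuer check. */
        public Builder setIssuer(String str) {
            this.f16460c = str;
            return this;
        }

        /**
         * Pins the verification key. With a key set here the {@code kid} header is not used to
         * select a key and no key set is fetched.
         */
        public Builder setPublicKey(PublicKey publicKey) {
            this.f16461d = publicKey;
            return this;
        }
    }

    /**
     * Cache loader that downloads a key set from a URL and turns it into a map from key id to
     * {@link PublicKey}.
     */
    /* loaded from: classes2.dex */
    public static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        private final HttpTransportFactory f16464a;

        /**
         * One entry of a JSON Web Key set.
         *
         * <p>Four fields were renamed by the decompiler. A bare {@code @Key} binds to the Java field
         * name, so those four name their JSON member explicitly; without that, this source would
         * never populate them.
         */
        /* loaded from: classes2.dex */
        public static class JsonWebKey {

            @Key
            public String alg;

            @Key
            public String crv;

            /* renamed from: e, reason: collision with root package name */
            // RSA public exponent, base64 text.
            @Key("e")
            public String f16465e;

            @Key
            public String kid;

            @Key
            public String kty;

            /* renamed from: n, reason: collision with root package name */
            // RSA modulus, base64 text.
            @Key("n")
            public String f16466n;

            @Key
            public String use;

            /* renamed from: x, reason: collision with root package name */
            // EC point x coordinate, base64 text.
            @Key("x")
            public String f16467x;

            /* renamed from: y, reason: collision with root package name */
            // EC point y coordinate, base64 text.
            @Key("y")
            public String f16468y;
        }

        /** A key set document; {@code keys} is null when the document has no "keys" member. */
        /* loaded from: classes2.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        public PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.f16464a = httpTransportFactory;
        }

        /**
         * Builds an EC public key on secp256r1 from a JWK.
         *
         * @throws IllegalArgumentException if {@code kty} is not "EC" or {@code crv} is not "P-256"
         * @throws NullPointerException if either coordinate is missing
         */
        private PublicKey a(JsonWebKey jsonWebKey)
                throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            Preconditions.checkArgument("EC".equals(jsonWebKey.kty));
            Preconditions.checkArgument("P-256".equals(jsonWebKey.crv));
            // Same presence checks the RSA path applies to n and e.
            Preconditions.checkNotNull(jsonWebKey.f16467x);
            Preconditions.checkNotNull(jsonWebKey.f16468y);

            // Signum 1: the coordinates are unsigned magnitudes.
            BigInteger x = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f16467x));
            BigInteger y = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f16468y));
            ECPoint point = new ECPoint(x, y);

            AlgorithmParameters curveParameters = AlgorithmParameters.getInstance("EC");
            curveParameters.init(new ECGenParameterSpec("secp256r1"));
            ECParameterSpec curve = curveParameters.getParameterSpec(ECParameterSpec.class);

            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(point, curve));
        }

        /**
         * Builds the key for a JWK according to its {@code alg} member.
         *
         * @return the key, or null when {@code alg} is neither "ES256" nor "RS256"
         */
        private PublicKey b(JsonWebKey jsonWebKey)
                throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(jsonWebKey.alg)) {
                return a(jsonWebKey);
            }
            if ("RS256".equals(jsonWebKey.alg)) {
                return d(jsonWebKey);
            }
            return null;
        }

        /**
         * Extracts the public key from the text of an X.509 certificate. Only the key is taken:
         * the certificate's validity period and issuer are not examined here.
         */
        private PublicKey c(String str) throws GeneralSecurityException, IOException {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8")))
                    .getPublicKey();
        }

        /**
         * Builds an RSA public key from a JWK.
         *
         * @throws IllegalArgumentException if {@code kty} is not "RSA"
         * @throws NullPointerException if the modulus or the exponent is missing
         */
        private PublicKey d(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
            Preconditions.checkArgument("RSA".equals(jsonWebKey.kty));
            Preconditions.checkNotNull(jsonWebKey.f16465e);
            Preconditions.checkNotNull(jsonWebKey.f16466n);

            BigInteger modulus = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f16466n));
            BigInteger exponent = new BigInteger(1, Base64.decodeBase64(jsonWebKey.f16465e));
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
        }

        /**
         * Downloads the key set at {@code str} and returns its keys by key id.
         *
         * <p>Two document shapes are handled: one with a {@code keys} array of JWKs, and one with
         * no {@code keys} member, where every top-level member maps a key id to certificate text.
         *
         * <p>JWK entries with no {@code kid}, or with an {@code alg} other than ES256/RS256, are
         * skipped. {@code ImmutableMap.Builder.put} throws on a null key or value, so before this
         * guard one such entry failed the whole load and no token from that key set could be
         * verified.
         *
         * @param str URL of the key set
         * @return the keys by id; empty when the download or parse fails with an
         *     {@link IOException}
         */
        @Override // com.google.common.cache.CacheLoader
        /* renamed from: e, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> load(String str) throws GeneralSecurityException {
            try {
                // l.f16568f is the JSON factory also passed to JsonWebSignature.parse in verify().
                JsonWebKeySet jsonWebKeySet = this.f16464a.create()
                        .createRequestFactory()
                        .buildGetRequest(new GenericUrl(str))
                        .setParser(l.f16568f.createJsonObjectParser())
                        .execute()
                        .parseAs(JsonWebKeySet.class);
                ImmutableMap.Builder<String, PublicKey> builder = new ImmutableMap.Builder<>();
                List<JsonWebKey> list = jsonWebKeySet.keys;
                if (list == null) {
                    for (String str2 : jsonWebKeySet.keySet()) {
                        builder.put(str2, c((String) jsonWebKeySet.get(str2)));
                    }
                } else {
                    for (JsonWebKey jsonWebKey : list) {
                        try {
                            PublicKey publicKey = b(jsonWebKey);
                            if (jsonWebKey.kid != null && publicKey != null) {
                                builder.put(jsonWebKey.kid, publicKey);
                            }
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e2) {
                            // The unusable key is dropped and the rest of the set is kept.
                            // NOTE(review): this goes to stderr; route it to the application log.
                            // NOTE(review): the unchecked exceptions raised by the precondition
                            // checks in a() and d() are not caught here and still fail the load.
                            e2.printStackTrace();
                        }
                    }
                }
                // NOTE(review): build() throws IllegalArgumentException if two entries share a kid.
                return builder.build();
            } catch (IOException unused) {
                // NOTE(review): this empty map is a normal load result, so the cache keeps it for
                // the full hour. After one failed fetch, every token that needs this key set is
                // rejected with "Could not find PublicKey" until the entry expires. That fails
                // closed, but it hides the real cause and outlasts a transient outage.
                return ImmutableMap.of();
            }
        }
    }

    /** Thrown by {@link TokenVerifier#verify(String)} for every reason a token is rejected. */
    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    private TokenVerifier(Builder builder) {
        this.f16452a = builder.f16458a;
        this.f16453b = builder.f16459b;
        this.f16454c = builder.f16460c;
        this.f16455d = builder.f16461d;
        this.f16456e = builder.f16462e;
        this.f16457f = CacheBuilder.newBuilder()
                .expireAfterWrite(1L, TimeUnit.HOURS)
                .build(new PublicKeyLoader(builder.f16463f));
    }

    /**
     * Returns the URL the key set is fetched from: the configured location when there is one,
     * otherwise one of two fixed URLs chosen by the token's algorithm. The token header only
     * selects between those two constants; it cannot supply a URL.
     *
     * @throws VerificationException if no location is configured and the algorithm is neither
     *     ES256 nor RS256
     */
    private String a(JsonWebSignature jsonWebSignature) throws VerificationException {
        String str = this.f16453b;
        if (str != null) {
            return str;
        }
        String algorithm = jsonWebSignature.getHeader().getAlgorithm();
        Objects.requireNonNull(algorithm);
        if (algorithm.equals("ES256")) {
            return "https://www.gstatic.com/iap/verify/public_key-jwk";
        }
        if (algorithm.equals("RS256")) {
            return "https://www.googleapis.com/oauth2/v3/certs";
        }
        throw new VerificationException("Unknown algorithm");
    }

    /**
     * Returns a builder preset with the system clock and the transport factory held in
     * {@code l.f16567e}.
     */
    public static Builder newBuilder() {
        return new Builder().setClock(Clock.SYSTEM).setHttpTransportFactory(l.f16567e);
    }

    /**
     * Parses {@code str} as a JWS and checks its claims, algorithm and signature.
     *
     * <p>The audience and issuer comparisons are skipped when the corresponding value was not
     * configured, and the expiry comparison is skipped when the token has no {@code exp} claim.
     * The audience comparison is {@code String.equals} against the payload's audience value, so a
     * token whose audience is not equal to that single string is rejected. Expiry is compared in
     * whole seconds with no allowance for clock skew.
     *
     * @param str the compact-serialised token
     * @return the parsed token, once every enabled check has passed
     * @throws VerificationException if the token cannot be parsed, a claim check fails, the
     *     algorithm is not allowed, no key is found for the token's key id, the key set cannot
     *     be loaded, or the signature does not validate
     */
    public JsonWebSignature verify(String str) throws VerificationException {
        try {
            JsonWebSignature parse = JsonWebSignature.parse(l.f16568f, str);
            String str2 = this.f16452a;
            if (str2 != null && !str2.equals(parse.getPayload().getAudience())) {
                throw new VerificationException("Expected audience does not match");
            }
            String str3 = this.f16454c;
            if (str3 != null && !str3.equals(parse.getPayload().getIssuer())) {
                throw new VerificationException("Expected issuer does not match");
            }
            Long expirationTimeSeconds = parse.getPayload().getExpirationTimeSeconds();
            if (expirationTimeSeconds != null && expirationTimeSeconds.longValue() <= this.f16456e.currentTimeMillis() / 1000) {
                throw new VerificationException("Token is expired");
            }
            // The allow-list is applied before any key lookup, so the header cannot steer
            // verification to an algorithm outside RS256/ES256.
            if (!f16451g.contains(parse.getHeader().getAlgorithm())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }
            PublicKey publicKey = this.f16455d;
            if (publicKey == null) {
                try {
                    // The kid comes from the unverified header; it only selects among keys that
                    // were fetched from the key-set URL.
                    publicKey = this.f16457f.get(a(parse)).get(parse.getHeader().getKeyId());
                } catch (UncheckedExecutionException | ExecutionException e2) {
                    throw new VerificationException("Error fetching PublicKey from certificate location", e2);
                }
            }
            if (publicKey == null) {
                // o$$ExternalSyntheticOutline0 is a compiler-synthesised helper; presumably it
                // returns a StringBuilder seeded with its argument (confirm against the dex).
                StringBuilder m2 = o$$ExternalSyntheticOutline0.m("Could not find PublicKey for provided keyId: ");
                m2.append(parse.getHeader().getKeyId());
                throw new VerificationException(m2.toString());
            }
            try {
                if (parse.verifySignature(publicKey)) {
                    return parse;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e3) {
                throw new VerificationException("Error validating token", e3);
            }
        } catch (IOException e4) {
            throw new VerificationException("Error parsing JsonWebSignature token", e4);
        }
    }
}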
