package com.google.api.client.auth.openidconnect;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Key;
import com.google.common.base.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

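/**
 * Decompiled (JADX) view of the OpenID Connect ID-token verifier: holds the verifier
 * configuration and a cache of signing keys fetched from a key-set URL.
 *
 * <p>Only the configuration fields, the key loader and the constructors are present in this
 * listing; the token-checking methods are not. Identifiers are the obfuscated ones emitted by
 * the decompiler and must stay as they are, because other classes in the same package may refer
 * to them. Where a comment names an upstream field, that mapping is inferred from declaration
 * order and type and should be confirmed against the google-oauth-java-client sources.
 *
 * <p>NOTE(review): the decompiler dropped the {@code throws} clauses. The JCA calls in
 * {@link PublicKeyLoader} raise checked exceptions (for example
 * {@link NoSuchAlgorithmException}, {@link InvalidKeySpecException},
 * {@link InvalidParameterSpecException}) that the signatures below do not declare.
 */
@Beta
/* loaded from: classes2.dex */
public class IdTokenVerifier {

    /* renamed from: h, reason: collision with root package name */
    // Class logger; used by PublicKeyLoader for key-loading warnings.
    private static final Logger f12300h = Logger.getLogger(IdTokenVerifier.class.getName());

    /* renamed from: i, reason: collision with root package name */
    // Signature algorithms listed as supported. Not referenced anywhere in this listing.
    private static final Set f12301i = ImmutableSet.I("RS256", "ES256");

    /* renamed from: j, reason: collision with root package name */
    // Shared transport handed out by DefaultHttpTransportFactory.
    static final HttpTransport f12302j = new NetHttpTransport();

    /* renamed from: a, reason: collision with root package name */
    // Time source copied from Builder.f12310a.
    private final Clock f12303a;

    /* renamed from: b, reason: collision with root package name */
    // Copied from Builder.f12311b; presumably the key/certificate location URL - TODO confirm.
    private final String f12304b;

    /* renamed from: c, reason: collision with root package name */
    // Environment accessor; a fresh Environment is created when the builder supplies none.
    private final Environment f12305c;

    /* renamed from: d, reason: collision with root package name */
    // Cache of key maps produced by PublicKeyLoader, keyed by the URL string passed to the loader.
    private final LoadingCache f12306d;

    /* renamed from: e, reason: collision with root package name */
    // Copied from Builder.f12313d (default 300); presumably the accepted clock skew in
    // seconds - TODO confirm.
    private final long f12307e;

    /* renamed from: f, reason: collision with root package name */
    // Unmodifiable view of Builder.f12314e, or null. Presumably the accepted issuers.
    private final Collection f12308f;

    /* renamed from: g, reason: collision with root package name */
    // Unmodifiable view of Builder.f12315f, or null. Presumably the accepted audiences.
    private final Collection f12309g;

    /**
     * Mutable configuration holder read by {@link IdTokenVerifier#IdTokenVerifier(Builder)}.
     *
     * <p>No setter methods are present in this listing; the fields are package-private.
     */
    @Beta
    /* loaded from: classes2.dex */
    public static class Builder {

        /* renamed from: b, reason: collision with root package name */
        // Presumably the key/certificate location URL; null by default.
        String f12311b;

        /* renamed from: c, reason: collision with root package name */
        // Optional Environment; the verifier substitutes a new Environment when this is null.
        Environment f12312c;

        /* renamed from: e, reason: collision with root package name */
        // Presumably the accepted issuers; null by default.
        Collection f12314e;

        /* renamed from: f, reason: collision with root package name */
        // Presumably the accepted audiences; null by default.
        Collection f12315f;

        /* renamed from: g, reason: collision with root package name */
        // Optional transport factory; DefaultHttpTransportFactory is used when this is null.
        HttpTransportFactory f12316g;

        /* renamed from: a, reason: collision with root package name */
        // Time source; defaults to the library-provided Clock constant.
        Clock f12310a = Clock.f12835a;

        /* renamed from: d, reason: collision with root package name */
        // Presumably the accepted clock skew in seconds - TODO confirm the unit.
        long f12313d = 300;
    }

    /** Factory that always returns the shared {@link IdTokenVerifier#f12302j} transport. */
    /* loaded from: classes2.dex */
    static class DefaultHttpTransportFactory implements HttpTransportFactory {
        DefaultHttpTransportFactory() {
        }

        @Override // com.google.api.client.auth.openidconnect.HttpTransportFactory
        public HttpTransport a() {
            return IdTokenVerifier.f12302j;
        }
    }

    /**
     * Cache loader that downloads a key set from a URL and converts it into a map from key ID
     * to {@link PublicKey}.
     *
     * <p>Two response shapes are handled: a JSON Web Key Set with a {@code keys} array, and a
     * flat JSON object whose members are each parsed as an X.509 certificate.
     *
     * <p>NOTE(review): nothing in this class checks the scheme or host of the URL it is given.
     * Every key returned by that URL becomes a trusted verification key, so the location must be
     * fixed, trusted configuration served over an authenticated channel.
     */
    /* loaded from: classes2.dex */
    static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        // Supplies the HTTP transport used for each key-set download.
        private final HttpTransportFactory f12317a;

        /**
         * JSON mapping of a single JSON Web Key. Obfuscated field names carry the original JSON
         * member name in the "renamed from" comment.
         */
        /* loaded from: classes2.dex */
        public static class JsonWebKey {

            @Key
            public String alg;

            @Key
            public String crv;

            /* renamed from: e, reason: collision with root package name */
            // RSA public exponent, base64 text (read by f()).
            @Key
            public String f12318e;

            @Key
            public String kid;

            @Key
            public String kty;

            /* renamed from: n, reason: collision with root package name */
            // RSA modulus, base64 text (read by f()).
            @Key
            public String f12319n;

            // Mapped from JSON but never consulted in this listing: a key is accepted
            // regardless of its declared use.
            @Key
            public String use;

            /* renamed from: x, reason: collision with root package name */
            // EC point x coordinate, base64 text (read by c()).
            @Key
            public String f12320x;

            /* renamed from: y, reason: collision with root package name */
            // EC point y coordinate, base64 text (read by c()).
            @Key
            public String f12321y;
        }

        /** JSON mapping of a key set; {@code keys} is null when the response has no such member. */
        /* loaded from: classes2.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.f12317a = httpTransportFactory;
        }

        /**
         * Builds an EC public key on secp256r1 from a JWK with {@code kty} "EC" and {@code crv}
         * "P-256".
         *
         * <p>The coordinates are decoded and interpreted as unsigned big-endian integers.
         */
        private PublicKey c(JsonWebKey jsonWebKey) {
            Preconditions.d("EC".equals(jsonWebKey.kty));
            Preconditions.d("P-256".equals(jsonWebKey.crv));
            // Same explicit guard f() applies to the RSA parameters, so a key that lacks a
            // coordinate is rejected here instead of inside the decoding calls.
            Preconditions.s(jsonWebKey.f12320x);
            Preconditions.s(jsonWebKey.f12321y);
            ECPoint eCPoint = new ECPoint(new BigInteger(1, Base64.a(jsonWebKey.f12320x)), new BigInteger(1, Base64.a(jsonWebKey.f12321y)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        /**
         * Dispatches on the JWK's {@code alg}: "ES256" goes to {@link #c}, "RS256" to {@link #f}.
         *
         * @return the public key, or {@code null} when {@code alg} is neither of the two
         */
        private PublicKey d(JsonWebKey jsonWebKey) {
            if ("ES256".equals(jsonWebKey.alg)) {
                return c(jsonWebKey);
            }
            if ("RS256".equals(jsonWebKey.alg)) {
                return f(jsonWebKey);
            }
            return null;
        }

        /**
         * Parses the text as an X.509 certificate and returns its public key.
         *
         * <p>Only the key is extracted: no validity-period or chain check is performed here, so
         * the certificate is trusted purely because of where it was downloaded from.
         */
        private PublicKey e(String str) {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        /**
         * Builds an RSA public key from a JWK with {@code kty} "RSA", using its modulus and
         * public exponent as unsigned big-endian integers.
         */
        private PublicKey f(JsonWebKey jsonWebKey) {
            Preconditions.d("RSA".equals(jsonWebKey.kty));
            Preconditions.s(jsonWebKey.f12318e);
            Preconditions.s(jsonWebKey.f12319n);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, Base64.a(jsonWebKey.f12319n)), new BigInteger(1, Base64.a(jsonWebKey.f12318e))));
        }

        /**
         * Downloads the key set at {@code str} and returns an immutable map of key ID to public
         * key.
         *
         * <p>Entries without a key ID, and entries whose algorithm {@link #d} does not support,
         * are skipped with a warning. Previously such an entry put a null into the
         * {@link ImmutableMap} builder, which rejects nulls, so one unusable entry made the whole
         * key set unavailable. Unchecked failures raised by the Preconditions calls in the key
         * builders are still not caught and abort the load.
         *
         * @param str URL of the key set; also the cache key
         * @return a non-empty map of key ID to public key
         * @throws VerificationException (undeclared in the decompiled signature) when no usable
         *     key was returned
         * @throws IOException (undeclared in the decompiled signature) when the download fails;
         *     logged and rethrown
         */
        @Override // com.google.common.cache.CacheLoader
        /* renamed from: g, reason: merged with bridge method [inline-methods] */
        public Map a(String str) {
            try {
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) this.f12317a.a().c().a(new GenericUrl(str)).y(GsonFactory.n().b()).b().m(JsonWebKeySet.class);
                ImmutableMap.Builder builder = new ImmutableMap.Builder();
                List<JsonWebKey> list = jsonWebKeySet.keys;
                if (list == null) {
                    // Flat-object response: every top-level member is treated as a certificate,
                    // keyed by its member name.
                    for (String str2 : jsonWebKeySet.keySet()) {
                        builder.g(str2, e((String) jsonWebKeySet.get(str2)));
                    }
                } else {
                    for (JsonWebKey jsonWebKey : list) {
                        try {
                            // Log messages are constant on purpose: kid and alg come from the
                            // downloaded document and are not echoed into the log.
                            if (jsonWebKey == null || jsonWebKey.kid == null) {
                                IdTokenVerifier.f12300h.log(Level.WARNING, "Skipping a key without a key ID");
                                continue;
                            }
                            PublicKey publicKey = d(jsonWebKey);
                            if (publicKey == null) {
                                IdTokenVerifier.f12300h.log(Level.WARNING, "Skipping a key with an unsupported algorithm");
                                continue;
                            }
                            builder.g(jsonWebKey.kid, publicKey);
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e2) {
                            IdTokenVerifier.f12300h.log(Level.WARNING, "Failed to put a key into the cache", e2);
                        }
                    }
                }
                // Build once and reuse the result for both the emptiness check and the return.
                Map keysById = builder.a();
                if (!keysById.isEmpty()) {
                    return keysById;
                }
                throw new VerificationException("No valid public key returned by the keystore: " + str);
            } catch (IOException e3) {
                IdTokenVerifier.f12300h.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e3);
                throw e3;
            }
        }
    }

    /** Checked exception raised when no usable verification key could be obtained. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }
    }

    /**
     * Creates a verifier from a default {@link Builder}.
     *
     * <p>With the defaults, {@code f12304b}, {@code f12308f} and {@code f12309g} are all null.
     * NOTE(review): how the verification methods treat a null issuer or audience collection is
     * not visible in this listing; confirm that a default-built verifier is not relied on for
     * issuer or audience checks.
     */
    public IdTokenVerifier() {
        this(new Builder());
    }

    /**
     * Copies the builder's settings and creates the key cache.
     *
     * <p>The two collections are wrapped as unmodifiable views, not copied, so later changes to
     * the caller's collections remain visible through this verifier.
     *
     * @param builder source of the configuration
     */
    protected IdTokenVerifier(Builder builder) {
        this.f12304b = builder.f12311b;
        this.f12303a = builder.f12310a;
        this.f12307e = builder.f12313d;
        Collection collection = builder.f12314e;
        this.f12308f = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection collection2 = builder.f12315f;
        this.f12309g = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        HttpTransportFactory httpTransportFactory = builder.f12316g;
        // Cache entries are bounded to 1 hour; the exact expiry policy is hidden behind the
        // obfuscated CacheBuilder method (presumably expire-after-write - TODO confirm).
        this.f12306d = CacheBuilder.r().c(1L, TimeUnit.HOURS).a(new PublicKeyLoader(httpTransportFactory == null ? new DefaultHttpTransportFactory() : httpTransportFactory));
        Environment environment = builder.f12312c;
        this.f12305c = environment == null ? new Environment() : environment;
    }
}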
