package com.funambol.client.controller;

import com.funambol.client.customization.Customization;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;
import java.util.UUID;

/* loaded from: classes4.dex */
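/**
 * Issues the {@code nonce} for an OAuth2 authorization request and later checks a returned
 * signed id token against it.
 *
 * <p>{@link #c(String)} accepts a token only when (1) its RS256 signature verifies against the
 * RSA public key that {@code Customization.w0()} maps to the token's {@code kid}, and (2) its
 * {@code nonce} claim equals the value last returned by {@link #a()}.
 *
 * <p>Only the signature and the nonce are checked here. NOTE(review): issuer, audience and
 * expiry validation is not visible in this class; confirm the caller performs it before the
 * token is trusted.
 *
 * <p>This is decompiler (jadx) output: member names such as {@code a}, {@code c}, {@code w0}
 * are obfuscated, and the helpers {@code com.funambol.util.h3.w}, {@code com.funambol.util.z0.x},
 * {@code ae.a.a} and {@code com.nimbusds.jose.crypto.f} are described below only as far as their
 * call sites show.
 *
 * <p>The expected nonce is held in an unsynchronized field, so an instance is presumably meant
 * for one login flow on one thread.
 */
public class OAuth2NonceValidator {

    private static final String LOG_TAG = "OAuth2NonceValidator";

    /** Nonce handed out by the latest {@link #a()} call; {@code null} until then (jadx: field {@code a}). */
    private String f20048a;

    /** Source of the kid-to-public-key map used for signature checks (jadx: field {@code b}). */
    private final Customization f20049b;

    /** Thrown when the token's {@code nonce} claim is missing, unreadable or not the expected one. */
    public static class InvalidNonceException extends Exception {
        public InvalidNonceException(String str) {
            super(str);
        }

        public InvalidNonceException(Throwable th2) {
            super(th2);
        }
    }

    /** Thrown when the token is empty, cannot be parsed, or its signature cannot be verified. */
    public static class InvalidSignatureException extends Exception {
        public InvalidSignatureException(String str) {
            super(str);
        }

        public InvalidSignatureException(Throwable th2) {
            super(th2);
        }
    }

    /**
     * @param customization provider of the {@code kid -> encoded RSA public key} map
     *     (read through {@code w0()} at verification time)
     */
    public OAuth2NonceValidator(Customization customization) {
        this.f20049b = customization;
    }

    /**
     * Checks that the token's {@code nonce} claim equals the expected nonce.
     *
     * @param signedJWT parsed token; callers should verify its signature first
     * @throws InvalidNonceException if the claim is absent, cannot be read, or differs from the
     *     expected value (including the case where no nonce was ever issued)
     */
    private void d(SignedJWT signedJWT) throws InvalidNonceException {
        String actualNonce;
        try {
            actualNonce = signedJWT.getPayload().toJSONObject().getAsString("nonce");
        } catch (Exception ex) {
            // e.g. a payload that is not a JSON object; surface it as a nonce failure.
            com.funambol.util.z0.x(LOG_TAG, "Failed to validate nonce", ex);
            throw new InvalidNonceException(ex);
        }
        if (actualNonce == null || !actualNonce.equals(this.f20048a)) {
            // The decompiled code put both the expected and the received nonce into this message,
            // which was then logged. The values are left out so the expected nonce does not end
            // up in device logs or crash reports.
            InvalidNonceException mismatch = new InvalidNonceException("Nonce mismatch");
            com.funambol.util.z0.x(LOG_TAG, "Failed to validate nonce", mismatch);
            throw mismatch;
        }
    }

    /**
     * Verifies the token's signature with the configured RSA public key for its {@code kid}.
     *
     * <p>The verification key is always taken from the local {@code Customization} map, never
     * from the token itself, and only the {@code RS256} algorithm is accepted.
     *
     * @param signedJWT parsed token
     * @throws InvalidSignatureException if no key is configured for the {@code kid}, the key
     *     cannot be decoded, the algorithm is not RS256, or verification fails
     */
    private void e(SignedJWT signedJWT) throws InvalidSignatureException {
        String keyID = signedJWT.getHeader().getKeyID();
        Map<String, String> keysByKid = this.f20049b.w0();
        // A token without a kid is treated like an unknown kid instead of probing the map with null.
        String encodedKey = (keysByKid == null || keyID == null) ? null : keysByKid.get(keyID);
        if (com.funambol.util.h3.w(encodedKey)) {
            throw new InvalidSignatureException("Can't find public key for kid='" + keyID + "'");
        }

        RSAPublicKey publicKey;
        try {
            // ae.a.a presumably decodes the configured text (likely Base64) into the
            // X.509 SubjectPublicKeyInfo bytes; confirm against the helper.
            publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA")
                    .generatePublic(new X509EncodedKeySpec(ae.a.a(encodedKey)));
        } catch (Exception ex) {
            // The decompiler emitted an uncompilable `finally` that referenced an out-of-scope
            // exception here; the evident intent is to wrap key-decoding failures.
            throw new InvalidSignatureException(ex);
        }

        // Pin the algorithm before verifying. JWS "alg" values are case-sensitive (RFC 7515),
        // so the comparison is exact rather than case-insensitive as in the decompiled code.
        if (signedJWT.getHeader().getAlgorithm() == null
                || !"RS256".equals(signedJWT.getHeader().getAlgorithm().getName())) {
            throw new InvalidSignatureException("Invalid signature. Token must be signed with RS256 algorithm.");
        }

        boolean verified;
        try {
            // com.nimbusds.jose.crypto.f is the obfuscated verifier type (presumably the RSA
            // signature verifier of Nimbus JOSE).
            verified = signedJWT.verify(new com.nimbusds.jose.crypto.f(publicKey));
        } catch (JOSEException e10) {
            throw new InvalidSignatureException(e10);
        }
        if (!verified) {
            throw new InvalidSignatureException("JWT signature verification failed");
        }
    }

    /**
     * Creates a fresh nonce, remembers it as the expected value and returns it for inclusion in
     * the authorization request. Each call replaces the previously expected nonce.
     *
     * @return the newly generated nonce
     */
    public final String a() {
        String nonce = b();
        this.f20048a = nonce;
        return nonce;
    }

    /**
     * Produces the nonce value. The default is a random (type 4) UUID, which the JDK generates
     * with a cryptographically strong random source. An override must stay unpredictable,
     * otherwise the nonce no longer binds the token to this request.
     *
     * @return a new nonce string
     */
    protected String b() {
        return UUID.randomUUID().toString();
    }

    /**
     * Validates a serialized id token: signature first, then the nonce.
     *
     * <p>The signature is checked before any claim is read so that the nonce comparison (and its
     * logging) only ever runs on content that is cryptographically authentic. The decompiled
     * code checked the nonce first and wrapped every failure, including
     * {@link InvalidNonceException}, in an {@link InvalidSignatureException}; the typed
     * exceptions now reach the caller as declared.
     *
     * <p>NOTE(review): the expected nonce is not cleared after a successful check, so the same
     * token validates again until {@link #a()} is called. Consider making it single-use if no
     * caller relies on re-validation.
     *
     * @param str compact serialization of the signed token
     * @throws InvalidSignatureException if the token is empty, unparsable or not validly signed
     * @throws InvalidNonceException if the signature is valid but the nonce does not match
     */
    public void c(String str) throws InvalidNonceException, InvalidSignatureException {
        if (com.funambol.util.h3.w(str)) {
            throw new InvalidSignatureException("Empty token");
        }

        SignedJWT idToken;
        try {
            // m222parse is jadx's rename of the library's static parse method.
            idToken = SignedJWT.m222parse(str);
        } catch (Exception ex) {
            throw new InvalidSignatureException(ex);
        }
        if (idToken == null) {
            throw new InvalidSignatureException("Failed to parse id token");
        }

        try {
            e(idToken);
            d(idToken);
        } catch (InvalidNonceException | InvalidSignatureException ex) {
            throw ex;
        } catch (RuntimeException ex) {
            // Fail closed on anything unexpected from the header/claim accessors.
            throw new InvalidSignatureException(ex);
        }
    }
}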
