package com.google.api.client.auth.openidconnect;

import Tj.b;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Preconditions;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import vi.W0;
import x6.C4318a;
import x6.C4319b;

/**
 * Verifies an OpenID Connect ID token: payload checks (issuer, audience, time window) followed by
 * a signature check against public keys obtained through a one-hour cache.
 *
 * <p>This listing is decompiler output: field names are synthetic and {@code W0}, {@code C4318a},
 * {@code C4319b} and {@code Tj.b} are obfuscated types whose bodies are not visible here.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 *   <li>A verifier built without issuers or audience skips those checks entirely
 *       (see {@link #verifyPayload}); callers should configure both.</li>
 *   <li>Signature verification is bypassed when the environment variable
 *       {@code OAUTH_CLIENT_SKIP_SIGNATURE} parses as {@code true} (see {@code b(IdToken)}).</li>
 *   <li>Only {@code RS256} and {@code ES256} are accepted as header algorithms.</li>
 * </ul>
 */
@Beta
/* loaded from: classes2.dex */
public class IdTokenVerifier {
    // Default clock-skew allowance, in seconds, applied to the token time check.
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;

    /* renamed from: h, reason: collision with root package name */
    // Class logger; verify() reports signature failures through it at SEVERE.
    public static final Logger f38722h = Logger.getLogger(IdTokenVerifier.class.getName());

    /* renamed from: i, reason: collision with root package name */
    // Allowlist of JWS header "alg" values; b(IdToken) rejects anything else before any key
    // lookup, so values such as "none" or HMAC algorithms never reach signature verification.
    public static final ImmutableSet f38723i = ImmutableSet.of("RS256", "ES256");

    /* renamed from: j, reason: collision with root package name */
    // Shared transport instance; not referenced anywhere else in this listing.
    public static final NetHttpTransport f38724j = new NetHttpTransport();

    /* renamed from: a, reason: collision with root package name */
    // Time source for the expiry / issued-at check in verifyPayload().
    public final Clock f38725a;
    // Caller-supplied certificates location (Builder.setCertificatesLocation); null means the
    // built-in URL for the token's algorithm is used instead (see a(Header)).
    public final String b;

    /* renamed from: c, reason: collision with root package name */
    // Opaque helper; b(IdToken) only null-checks it before reading the environment.
    // NOTE(review): presumably an environment accessor inlined by the decompiler - confirm.
    public final W0 f38726c;

    /* renamed from: d, reason: collision with root package name */
    // Cache keyed by certificates location; b(IdToken) treats each value as a Map from key id
    // to PublicKey. Entries expire one hour after being written (see constructor).
    public final LoadingCache f38727d;

    /* renamed from: e, reason: collision with root package name */
    // Accepted clock skew in seconds, passed to IdToken.verifyTime().
    public final long f38728e;
    // Accepted issuers, or null to skip the issuer check.
    public final Collection f;

    /* renamed from: g, reason: collision with root package name */
    // Accepted audience values, or null to skip the audience check.
    public final Collection f38729g;

    /**
     * Mutable configuration holder for {@link IdTokenVerifier}.
     *
     * <p>Issuers and audience have no initializer and therefore default to {@code null}, which
     * disables the corresponding check in the built verifier.
     */
    @Beta
    /* loaded from: classes2.dex */
    public static class Builder {
        // Certificates location override; null selects the built-in URL per algorithm.
        public String b;

        /* renamed from: d, reason: collision with root package name */
        // Accepted issuers; null until setIssuer/setIssuers is called.
        public Collection f38732d;

        /* renamed from: e, reason: collision with root package name */
        // Accepted audience; null until setAudience is called.
        public Collection f38733e;
        // Optional factory for the transport used to fetch keys; null selects a default.
        public HttpTransportFactory f;

        /* renamed from: a, reason: collision with root package name */
        // Time source; defaults to the system clock.
        public Clock f38730a = Clock.SYSTEM;

        /* renamed from: c, reason: collision with root package name */
        // Accepted clock skew in seconds; same value as DEFAULT_TIME_SKEW_SECONDS.
        public long f38731c = 300;

        /** Builds a verifier from the current builder state. */
        public IdTokenVerifier build() {
            return new IdTokenVerifier(this);
        }

        /** Returns the configured clock-skew allowance in seconds. */
        public final long getAcceptableTimeSkewSeconds() {
            return this.f38731c;
        }

        /** Returns the configured audience collection, or {@code null} if none was set. */
        public final Collection<String> getAudience() {
            return this.f38733e;
        }

        /** Returns the configured clock. */
        public final Clock getClock() {
            return this.f38730a;
        }

        /**
         * Returns the first issuer produced by the collection's iterator, or {@code null} if no
         * issuers were set. Which element is "first" depends on the collection type supplied.
         */
        public final String getIssuer() {
            Collection collection = this.f38732d;
            if (collection == null) {
                return null;
            }
            return (String) collection.iterator().next();
        }

        /** Returns the configured issuers collection, or {@code null} if none was set. */
        public final Collection<String> getIssuers() {
            return this.f38732d;
        }

        /**
         * Sets the clock-skew allowance in seconds.
         *
         * @throws IllegalArgumentException presumably, via Preconditions.checkArgument, when the
         *     value is negative
         */
        public Builder setAcceptableTimeSkewSeconds(long j10) {
            Preconditions.checkArgument(j10 >= 0);
            this.f38731c = j10;
            return this;
        }

        /**
         * Sets the accepted audience values. No validation is applied here; passing
         * {@code null} disables the audience check in the built verifier.
         */
        public Builder setAudience(Collection<String> collection) {
            this.f38733e = collection;
            return this;
        }

        /**
         * Overrides the location the signing keys are loaded from. The value is stored as given,
         * with no scheme or host validation in this class, so it should only come from trusted
         * configuration.
         */
        public Builder setCertificatesLocation(String str) {
            this.b = str;
            return this;
        }

        /** Sets the clock; the argument must not be {@code null}. */
        public Builder setClock(Clock clock) {
            this.f38730a = (Clock) Preconditions.checkNotNull(clock);
            return this;
        }

        /** Sets the factory used to create the key-fetching transport; {@code null} is allowed. */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.f = httpTransportFactory;
            return this;
        }

        /**
         * Sets a single accepted issuer, or clears the issuer restriction when {@code null}.
         * Delegates to {@link #setIssuers}.
         */
        public Builder setIssuer(String str) {
            return str == null ? setIssuers(null) : setIssuers(Collections.singleton(str));
        }

        /**
         * Sets the accepted issuers. An empty collection is rejected; {@code null} is accepted
         * and disables the issuer check in the built verifier.
         */
        public Builder setIssuers(Collection<String> collection) {
            Preconditions.checkArgument(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.f38732d = collection;
            return this;
        }
    }

    /**
     * Creates a verifier with builder defaults: system clock, 300 s skew, and no issuer or
     * audience restriction.
     */
    public IdTokenVerifier() {
        this(new Builder());
    }

    /**
     * Copies the builder state into the verifier and sets up the key cache.
     *
     * <p>The issuer and audience collections are wrapped with
     * {@link Collections#unmodifiableCollection}, which is a read-only view rather than a copy:
     * later changes to the collection the caller handed to the builder remain visible here.
     */
    public IdTokenVerifier(Builder builder) {
        this.b = builder.b;
        this.f38725a = builder.f38730a;
        this.f38728e = builder.f38731c;
        Collection collection = builder.f38732d;
        this.f = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection collection2 = builder.f38733e;
        this.f38729g = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        HttpTransportFactory httpTransportFactory = builder.f;
        // Cache entries expire one hour after being written. C4318a is the cache loader and
        // receives the transport factory; W0(2) stands in when the caller supplied none.
        // NOTE(review): the loader body and the meaning of the W0 integer argument are not
        // visible in this listing.
        this.f38727d = CacheBuilder.newBuilder().expireAfterWrite(1L, TimeUnit.HOURS).build(new C4318a(httpTransportFactory == null ? new W0(2) : httpTransportFactory));
        this.f38726c = new W0(1);
    }

    /**
     * Resolves the location to load signing keys from for the given JWS header.
     *
     * <p>Returns the configured override when present; otherwise one of two hard-coded URLs
     * chosen by the header algorithm. The location never comes from the token itself; the
     * token only selects between the two fixed defaults.
     *
     * @throws NullPointerException if the header carries no algorithm and no override is set
     */
    public final String a(JsonWebSignature.Header header) {
        String str = this.b;
        if (str != null) {
            return str;
        }
        String algorithm = header.getAlgorithm();
        // Decompiler rendering of a null check: throws NullPointerException when algorithm is null.
        algorithm.getClass();
        if (algorithm.equals("ES256")) {
            return "https://www.gstatic.com/iap/verify/public_key-jwk";
        }
        if (algorithm.equals("RS256")) {
            return "https://www.googleapis.com/oauth2/v3/certs";
        }
        // NOTE(review): b.z is an obfuscated helper, presumably string concatenation - confirm.
        // The decompiler shows Exception here; verify() catches C4319b, so the real thrown type
        // is presumably that class - confirm against the bytecode.
        throw new Exception(b.z("Unexpected signing algorithm ", header.getAlgorithm(), ": expected either RS256 or ES256"));
    }

    /**
     * Checks the token signature; returns normally on success and throws on any failure.
     *
     * <p>Order of checks: environment bypass, algorithm allowlist, key lookup by key id,
     * signature verification.
     */
    public final void b(IdToken idToken) {
        // Null check on the opaque helper; nothing else is done with it in this listing.
        this.f38726c.getClass();
        // NOTE(review): when OAUTH_CLIENT_SKIP_SIGNATURE parses as true, this method returns
        // without checking the signature, so verify() accepts any token whose payload checks
        // pass. Treat this variable being set in a production process environment as a
        // misconfiguration worth alerting on.
        if (Boolean.parseBoolean(System.getenv("OAUTH_CLIENT_SKIP_SIGNATURE"))) {
            return;
        }
        // The header is unauthenticated at this point, so the algorithm is checked against the
        // allowlist before it is used to pick a key location.
        if (!f38723i.contains(idToken.getHeader().getAlgorithm())) {
            throw new Exception(b.z("Unexpected signing algorithm ", idToken.getHeader().getAlgorithm(), ": expected either RS256 or ES256"));
        }
        try {
            // Load (or reuse the cached) key map for the resolved location, then select the key
            // by the header's key id. An unknown key id yields null and is rejected below.
            PublicKey publicKey = (PublicKey) ((Map) this.f38727d.get(a(idToken.getHeader()))).get(idToken.getHeader().getKeyId());
            if (publicKey == null) {
                throw new Exception("Could not find public key for provided keyId: " + idToken.getHeader().getKeyId());
            }
            try {
                if (idToken.verifySignature(publicKey)) {
                } else {
                    throw new Exception("Invalid signature");
                }
            } catch (GeneralSecurityException e5) {
                throw new Exception("Error validating token", e5);
            }
        } catch (UncheckedExecutionException | ExecutionException e7) {
            // NOTE(review): this.b is null whenever the built-in URLs are in use, so the message
            // then reads "... certificate location null" rather than naming the URL that failed.
            throw new Exception("Error fetching public key from certificate location " + this.b, e7);
        }
    }

    /** Returns the clock-skew allowance in seconds. */
    public final long getAcceptableTimeSkewSeconds() {
        return this.f38728e;
    }

    /** Returns the read-only audience view, or {@code null} when the audience check is disabled. */
    public final Collection<String> getAudience() {
        return this.f38729g;
    }

    /** Returns the clock used for the time check. */
    public final Clock getClock() {
        return this.f38725a;
    }

    /**
     * Returns the first issuer produced by the collection's iterator, or {@code null} when the
     * issuer check is disabled.
     */
    public final String getIssuer() {
        Collection collection = this.f;
        if (collection == null) {
            return null;
        }
        return (String) collection.iterator().next();
    }

    /** Returns the read-only issuers view, or {@code null} when the issuer check is disabled. */
    public final Collection<String> getIssuers() {
        return this.f;
    }

    /**
     * Verifies payload claims first and the signature second.
     *
     * <p>The payload check runs before any key lookup, so a token that fails it never reaches
     * the key cache. A signature failure of type {@code C4319b} is logged at SEVERE and
     * reported as {@code false} rather than propagated.
     *
     * @return {@code true} only if the payload checks pass and {@code b(IdToken)} returns normally
     */
    public boolean verify(IdToken idToken) {
        if (!verifyPayload(idToken)) {
            return false;
        }
        try {
            b(idToken);
            return true;
        } catch (C4319b e5) {
            f38722h.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e5);
            return false;
        }
    }

    /**
     * Checks issuer, audience and time claims without touching the signature.
     *
     * <p>The issuer check is skipped when no issuers are configured and the audience check is
     * skipped when no audience is configured; only the time check is unconditional. A result of
     * {@code true} from this method alone says nothing about the token's authenticity.
     */
    public boolean verifyPayload(IdToken idToken) {
        Collection<String> collection;
        Collection<String> collection2 = this.f;
        return (collection2 == null || idToken.verifyIssuer(collection2)) && ((collection = this.f38729g) == null || idToken.verifyAudience(collection)) && idToken.verifyTime(this.f38725a.currentTimeMillis(), this.f38728e);
    }
}
