package com.google.auth.oauth2;

import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpBackOffUnsuccessfulResponseHandler;
import com.google.api.client.http.HttpRequest;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Clock;
import com.google.api.client.util.ExponentialBackOff;
import com.google.api.client.util.Key;
import com.google.auth.http.HttpTransportFactory;
import com.google.common.collect.t;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes.dex */
/**
 * Verifies a compact JSON Web Signature (JWS) token string.
 *
 * <p>{@link #verify(String)} parses the token, applies the optional audience and issuer checks,
 * the expiration check and the signing-algorithm allowlist, and then checks the signature with
 * either a caller-supplied {@link PublicKey} or a key downloaded from a certificates URL and held
 * in {@code publicKeyCache}.
 *
 * <p>NOTE(review): this listing is decompiler output. Single-letter Guava names
 * ({@code com.google.common.base.t}, {@code com.google.common.collect.t}, {@code cache.d/e/h})
 * and {@code b0} are obfuscated; comments about what they do are inferred from how they are used
 * here and should be confirmed against the un-obfuscated library.
 */
public class TokenVerifier {
    // Default key-set location used by getCertificateLocation() for RS256 tokens.
    private static final String FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v3/certs";
    // Default key-set location used by getCertificateLocation() for ES256 tokens.
    private static final String IAP_CERT_URL = "https://www.gstatic.com/iap/verify/public_key-jwk";
    // Allowlist of JWS "alg" header values accepted by verify(); anything else is rejected
    // before a key is looked up. Built via an obfuscated Guava factory (presumably
    // ImmutableSet.of; confirm).
    private static final Set<String> SUPPORTED_ALGORITHMS = com.google.common.collect.v.z("RS256", "ES256");
    // Expected "aud" claim; null disables the audience check in verify().
    private final String audience;
    // Explicit key-set URL; null means the default URL is chosen from the token's algorithm.
    private final String certificatesLocation;
    // Time source for the expiration check.
    private final Clock clock;
    // Expected "iss" claim; null disables the issuer check in verify().
    private final String issuer;
    // Fixed verification key; when non-null no key set is fetched and the token's key id is ignored.
    private final PublicKey publicKey;
    // Cache from certificates URL to a map of key id -> PublicKey, filled by PublicKeyLoader.
    private final com.google.common.cache.h publicKeyCache;

    /**
     * Fluent builder for {@link TokenVerifier}.
     *
     * <p>Every setter stores the value as given; nothing is validated here. Leaving
     * {@code audience} or {@code issuer} unset means {@link TokenVerifier#verify(String)} skips
     * that check, so a caller that needs the token bound to a specific audience or issuer must
     * set them explicitly.
     */
    /* loaded from: classes.dex */
    public static class Builder {
        private String audience;
        private String certificatesLocation;
        private Clock clock;
        private HttpTransportFactory httpTransportFactory;
        private String issuer;
        private PublicKey publicKey;

        /** Creates a verifier from the values currently held by this builder. */
        public TokenVerifier build() {
            return new TokenVerifier(this);
        }

        /** Sets the expected audience; {@code null} (the default) disables the audience check. */
        public Builder setAudience(String str) {
            this.audience = str;
            return this;
        }

        /**
         * Sets the URL the verification keys are downloaded from. When set it is used for every
         * token regardless of its algorithm, so it has to point at a key set the caller trusts.
         */
        public Builder setCertificatesLocation(String str) {
            this.certificatesLocation = str;
            return this;
        }

        /** Sets the clock used for the expiration check. */
        public Builder setClock(Clock clock) {
            this.clock = clock;
            return this;
        }

        /** Sets the factory that supplies the HTTP transport used to download key sets. */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.httpTransportFactory = httpTransportFactory;
            return this;
        }

        /** Sets the expected issuer; {@code null} (the default) disables the issuer check. */
        public Builder setIssuer(String str) {
            this.issuer = str;
            return this;
        }

        /**
         * Sets a fixed verification key. When non-null, {@code verify} uses it directly and
         * neither fetches a key set nor consults the token's key id.
         */
        public Builder setPublicKey(PublicKey publicKey) {
            this.publicKey = publicKey;
            return this;
        }
    }

    /**
     * Cache loader that downloads a key set from a URL and converts it to a map of
     * key id -> {@link PublicKey}. Two response shapes are handled: a JWK set with a
     * {@code keys} array, and a flat JSON object whose values are X.509 certificate strings.
     */
    /* loaded from: classes.dex */
    public static class PublicKeyLoader extends com.google.common.cache.e {

        // Factory for the HTTP transport used to fetch key sets.
        /* renamed from: a, reason: collision with root package name */
        public final HttpTransportFactory f8920a;

        /**
         * JSON mapping of a single JWK entry. The decompiler renamed some fields; the
         * "renamed from" comments give the original JWK member names.
         */
        /* loaded from: classes.dex */
        public static class JsonWebKey {

            // Algorithm the key is meant for; d() dispatches on "ES256" / "RS256".
            @Key
            public String alg;

            // Curve name; c() requires "P-256".
            @Key
            public String crv;

            // RSA public exponent, base64 text decoded in f().
            /* renamed from: e, reason: collision with root package name */
            @Key
            public String f8921e;

            // Key id; used as the map key the token's "kid" header is matched against.
            @Key
            public String kid;

            // Key type; c() requires "EC", f() requires "RSA".
            @Key
            public String kty;

            // RSA modulus, base64 text decoded in f().
            /* renamed from: n, reason: collision with root package name */
            @Key
            public String f8922n;

            // Not read anywhere in this class.
            @Key
            public String use;

            // EC point x coordinate, base64 text decoded in c().
            /* renamed from: x, reason: collision with root package name */
            @Key
            public String f8923x;

            // EC point y coordinate, base64 text decoded in c().
            /* renamed from: y, reason: collision with root package name */
            @Key
            public String f8924y;
        }

        /** JSON mapping of the key-set response; {@code keys} is null for the flat certificate form. */
        /* loaded from: classes.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        /** Creates a loader that fetches key sets through the given transport factory. */
        public PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.f8920a = httpTransportFactory;
        }

        /**
         * Builds an EC public key on secp256r1 from a JWK's {@code x} and {@code y} members.
         *
         * <p>The two leading calls are obfuscated precondition checks (presumably
         * {@code Preconditions.checkArgument}; confirm) on {@code kty} and {@code crv}.
         * NOTE(review): unlike {@code f}, there is no explicit null check on the coordinates and
         * no explicit on-curve check is visible here; what a missing or off-curve point does
         * depends on the Base64 helper and the security provider.
         */
        public final PublicKey c(JsonWebKey jsonWebKey) {
            com.google.common.base.t.d("EC".equals(jsonWebKey.kty));
            com.google.common.base.t.d("P-256".equals(jsonWebKey.crv));
            // Signum 1 makes both coordinates non-negative regardless of the top bit of the bytes.
            ECPoint eCPoint = new ECPoint(new BigInteger(1, Base64.decodeBase64(jsonWebKey.f8923x)), new BigInteger(1, Base64.decodeBase64(jsonWebKey.f8924y)));
            // Resolve the named curve to concrete domain parameters for the key spec.
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        /**
         * Builds the public key for a JWK according to its {@code alg} member.
         *
         * @return the key for "ES256" or "RS256", or {@code null} for any other value,
         *     including a missing {@code alg}
         */
        public final PublicKey d(JsonWebKey jsonWebKey) {
            if ("ES256".equals(jsonWebKey.alg)) {
                return c(jsonWebKey);
            }
            if ("RS256".equals(jsonWebKey.alg)) {
                return f(jsonWebKey);
            }
            return null;
        }

        /**
         * Parses an X.509 certificate from text and returns its public key.
         *
         * <p>Only the key is extracted: no validity-period or issuer/chain check is performed
         * here, so trust rests entirely on where the certificate text came from.
         */
        public final PublicKey e(String str) {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        /**
         * Builds an RSA public key from a JWK's modulus ({@code n}) and exponent ({@code e}).
         *
         * <p>The leading calls are obfuscated precondition checks (presumably
         * {@code checkArgument} on {@code kty} and {@code checkNotNull} on both members;
         * confirm). No minimum modulus size is enforced here.
         */
        public final PublicKey f(JsonWebKey jsonWebKey) {
            com.google.common.base.t.d("RSA".equals(jsonWebKey.kty));
            com.google.common.base.t.q(jsonWebKey.f8921e);
            com.google.common.base.t.q(jsonWebKey.f8922n);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, Base64.decodeBase64(jsonWebKey.f8922n)), new BigInteger(1, Base64.decodeBase64(jsonWebKey.f8921e))));
        }

        /**
         * Downloads the key set at {@code str} and returns a map of key id -> public key.
         *
         * @param str URL of the key set
         * @return a non-empty map of keys
         * @throws VerificationException if no key could be built from the response
         */
        @Override // com.google.common.cache.e
        /* renamed from: g, reason: merged with bridge method [inline-methods] */
        public Map a(String str) {
            // GET the URL with a JSON parser taken from b0 (obfuscated holder of the JSON factory).
            HttpRequest parser = this.f8920a.create().createRequestFactory().buildGetRequest(new GenericUrl(str)).setParser(b0.f8945f.createJsonObjectParser());
            parser.setNumberOfRetries(2);
            // Back off on every unsuccessful response: 1000 ms initial interval, doubling,
            // with a 0.1 randomization factor.
            parser.setUnsuccessfulResponseHandler(new HttpBackOffUnsuccessfulResponseHandler(new ExponentialBackOff.Builder().setInitialIntervalMillis(1000).setRandomizationFactor(0.1d).setMultiplier(2.0d).build()).setBackOffRequired(HttpBackOffUnsuccessfulResponseHandler.BackOffRequired.ALWAYS));
            JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) parser.execute().parseAs(JsonWebKeySet.class);
            // Obfuscated map builder (presumably ImmutableMap.Builder; g = put, a = build; confirm).
            t.a aVar = new t.a();
            List<JsonWebKey> list = jsonWebKeySet.keys;
            if (list == null) {
                // No "keys" array: treat each top-level member as key id -> certificate text.
                // The String cast fails for any member whose value is not a string.
                for (String str2 : jsonWebKeySet.keySet()) {
                    aVar.g(str2, e((String) jsonWebKeySet.get(str2)));
                }
            } else {
                for (JsonWebKey jsonWebKey : list) {
                    try {
                        // NOTE(review): d() returns null for an unsupported "alg". If g() is
                        // ImmutableMap.Builder.put, a null value would throw an exception that
                        // the catch below does not cover and fail the whole load; confirm.
                        aVar.g(jsonWebKey.kid, d(jsonWebKey));
                    } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e10) {
                        // A key that cannot be built is skipped; the failure is only written to
                        // stderr, so it is easy to miss in production logs.
                        e10.printStackTrace();
                    }
                }
            }
            com.google.common.collect.t a10 = aVar.a();
            if (!a10.isEmpty()) {
                return a10;
            }
            throw new VerificationException("No valid public key returned by the keystore: " + str);
        }
    }

    /** Checked exception raised for every token-verification failure reported by this class. */
    /* loaded from: classes.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Copies the builder's settings and creates the key cache, whose loader uses the builder's
     * transport factory. The {@code g(1L, TimeUnit.HOURS)} call is an obfuscated cache-builder
     * option (presumably a one-hour entry expiry; confirm which kind).
     */
    private TokenVerifier(Builder builder) {
        this.audience = builder.audience;
        this.certificatesLocation = builder.certificatesLocation;
        this.issuer = builder.issuer;
        this.publicKey = builder.publicKey;
        this.clock = builder.clock;
        this.publicKeyCache = com.google.common.cache.d.y().g(1L, TimeUnit.HOURS).b(new PublicKeyLoader(builder.httpTransportFactory));
    }

    /**
     * Returns the URL to load verification keys from: the configured location if one was set,
     * otherwise a fixed default chosen by the token's {@code alg} header.
     *
     * <p>The header is read before the signature has been verified, so it is untrusted input;
     * here it can only select between the two hard-coded URLs. {@code verify} has already
     * checked the algorithm against {@code SUPPORTED_ALGORITHMS} before calling this method.
     *
     * @throws VerificationException if no location is configured and the algorithm is neither
     *     ES256 nor RS256
     */
    private String getCertificateLocation(JsonWebSignature jsonWebSignature) {
        String str = this.certificatesLocation;
        if (str != null) {
            return str;
        }
        String algorithm = jsonWebSignature.getHeader().getAlgorithm();
        // Result unused; looks like a decompiler remnant of a switch on the string.
        algorithm.hashCode();
        if (algorithm.equals("ES256")) {
            return IAP_CERT_URL;
        }
        if (algorithm.equals("RS256")) {
            return FEDERATED_SIGNON_CERT_URL;
        }
        throw new VerificationException("Unknown algorithm");
    }

    /** Returns a builder preset with the system clock and the default transport factory from {@code b0}. */
    public static Builder newBuilder() {
        return new Builder().setClock(Clock.SYSTEM).setHttpTransportFactory(b0.f8944e);
    }

    /**
     * Parses and verifies a token, returning the parsed signature object only when every check
     * passes.
     *
     * <p>Checks, in order: audience (if configured), issuer (if configured), expiration (if the
     * token carries one), algorithm allowlist, key lookup, signature. The claim checks run on
     * data that is not yet authenticated; nothing is returned until the signature has verified.
     *
     * <p>What this method does not check: a token without an expiration claim is not rejected,
     * no not-before or issued-at claim is examined, and no clock-skew allowance is applied.
     *
     * @param str the compact-serialized token
     * @return the parsed token, after its signature has been verified
     * @throws VerificationException on any parse, claim, key-lookup or signature failure
     */
    public JsonWebSignature verify(String str) {
        try {
            JsonWebSignature parse = JsonWebSignature.parse(b0.f8945f, str);
            String str2 = this.audience;
            // String.equals against whatever getAudience() returns: a token whose audience is
            // not a String equal to the expected value is rejected.
            if (str2 != null && !str2.equals(parse.getPayload().getAudience())) {
                throw new VerificationException("Expected audience does not match");
            }
            String str3 = this.issuer;
            if (str3 != null && !str3.equals(parse.getPayload().getIssuer())) {
                throw new VerificationException("Expected issuer does not match");
            }
            Long expirationTimeSeconds = parse.getPayload().getExpirationTimeSeconds();
            // Expired when the expiration second is at or before "now"; skipped when the claim is absent.
            if (expirationTimeSeconds != null && expirationTimeSeconds.longValue() <= this.clock.currentTimeMillis() / 1000) {
                throw new VerificationException("Token is expired");
            }
            // Reject every algorithm outside the allowlist before any key material is touched.
            if (!SUPPORTED_ALGORITHMS.contains(parse.getHeader().getAlgorithm())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }
            PublicKey publicKey = this.publicKey;
            if (publicKey == null) {
                try {
                    // Load (or reuse the cached) key map for the location, then pick the entry
                    // named by the token's key id header.
                    publicKey = (PublicKey) ((Map) this.publicKeyCache.get(getCertificateLocation(parse))).get(parse.getHeader().getKeyId());
                } catch (com.google.common.util.concurrent.m0 | ExecutionException e10) {
                    // m0 is an obfuscated Guava exception type (presumably
                    // UncheckedExecutionException; confirm).
                    throw new VerificationException("Error fetching PublicKey from certificate location", e10);
                }
            }
            if (publicKey == null) {
                // The key id in this message comes from the unverified token header; treat it
                // as untrusted text if the message is logged or displayed.
                throw new VerificationException("Could not find PublicKey for provided keyId: " + parse.getHeader().getKeyId());
            }
            try {
                if (parse.verifySignature(publicKey)) {
                    return parse;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e11) {
                throw new VerificationException("Error validating token", e11);
            }
        } catch (IOException e12) {
            throw new VerificationException("Error parsing JsonWebSignature token", e12);
        }
    }
}
