package com.google.auth.oauth2;

import com.google.api.client.http.C0967k;
import com.google.api.client.http.n;
import com.google.api.client.util.C0973e;
import com.google.api.client.util.C0984p;
import com.google.api.client.util.InterfaceC0980l;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes2.dex */
public class TokenVerifier {

    /* renamed from: g, reason: collision with root package name */
    public static final String f28355g = "https://www.gstatic.com/iap/verify/public_key-jwk";

    /* renamed from: h, reason: collision with root package name */
    public static final String f28356h = "https://www.googleapis.com/oauth2/v3/certs";

    /* renamed from: i, reason: collision with root package name */
    public static final Set<String> f28357i = ImmutableSet.E("RS256", "ES256");

    /* renamed from: a, reason: collision with root package name */
    public final String f28358a;

    /* renamed from: b, reason: collision with root package name */
    public final String f28359b;

    /* renamed from: c, reason: collision with root package name */
    public final String f28360c;

    /* renamed from: d, reason: collision with root package name */
    public final PublicKey f28361d;

    /* renamed from: e, reason: collision with root package name */
    public final InterfaceC0980l f28362e;

    /* renamed from: f, reason: collision with root package name */
    public final com.google.common.cache.k<String, Map<String, PublicKey>> f28363f;

    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /* loaded from: classes2.dex */
    public static class b {

        /* renamed from: a, reason: collision with root package name */
        public String f28364a;

        /* renamed from: b, reason: collision with root package name */
        public String f28365b;

        /* renamed from: c, reason: collision with root package name */
        public String f28366c;

        /* renamed from: d, reason: collision with root package name */
        public PublicKey f28367d;

        /* renamed from: e, reason: collision with root package name */
        public InterfaceC0980l f28368e;

        /* renamed from: f, reason: collision with root package name */
        public W3.c f28369f;

        public TokenVerifier g() {
            return new TokenVerifier(this);
        }

        public b setAudience(String str) {
            this.f28364a = str;
            return this;
        }

        public b setCertificatesLocation(String str) {
            this.f28365b = str;
            return this;
        }

        public b setClock(InterfaceC0980l interfaceC0980l) {
            this.f28368e = interfaceC0980l;
            return this;
        }

        public b setHttpTransportFactory(W3.c cVar) {
            this.f28369f = cVar;
            return this;
        }

        public b setIssuer(String str) {
            this.f28366c = str;
            return this;
        }

        public b setPublicKey(PublicKey publicKey) {
            this.f28367d = publicKey;
            return this;
        }
    }

    /* loaded from: classes2.dex */
    public static class c extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: v, reason: collision with root package name */
        public static final int f28370v = 2;

        /* renamed from: w, reason: collision with root package name */
        public static final int f28371w = 1000;

        /* renamed from: x, reason: collision with root package name */
        public static final double f28372x = 0.1d;

        /* renamed from: y, reason: collision with root package name */
        public static final double f28373y = 2.0d;

        /* renamed from: s, reason: collision with root package name */
        public final W3.c f28374s;

        /* loaded from: classes2.dex */
        public static class a {

            /* renamed from: a, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28375a;

            /* renamed from: b, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28376b;

            /* renamed from: c, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28377c;

            /* renamed from: d, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28378d;

            /* renamed from: e, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28379e;

            /* renamed from: f, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28380f;

            /* renamed from: g, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28381g;

            /* renamed from: h, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28382h;

            /* renamed from: i, reason: collision with root package name */
            @com.google.api.client.util.t
            public String f28383i;
        }

        /* loaded from: classes2.dex */
        public static class b extends K3.b {

            /* renamed from: x, reason: collision with root package name */
            @com.google.api.client.util.t
            public List<a> f28384x;
        }

        public c(W3.c cVar) {
            this.f28374s = cVar;
        }

        public final PublicKey g(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            com.google.common.base.w.d("EC".equals(aVar.f28378d));
            com.google.common.base.w.d("P-256".equals(aVar.f28376b));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, C0973e.a(aVar.f28380f)), new BigInteger(1, C0973e.a(aVar.f28381g)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        public final PublicKey h(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(aVar.f28375a)) {
                return g(aVar);
            }
            if ("RS256".equals(aVar.f28375a)) {
                return j(aVar);
            }
            return null;
        }

        public final PublicKey i(String str) throws CertificateException, UnsupportedEncodingException {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        public final PublicKey j(a aVar) throws NoSuchAlgorithmException, InvalidKeySpecException {
            com.google.common.base.w.d("RSA".equals(aVar.f28378d));
            com.google.common.base.w.E(aVar.f28382h);
            com.google.common.base.w.E(aVar.f28383i);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, C0973e.a(aVar.f28383i)), new BigInteger(1, C0973e.a(aVar.f28382h))));
        }

        @Override // com.google.common.cache.CacheLoader
        /* renamed from: k, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> d(String str) throws Exception {
            com.google.api.client.http.w parser = this.f28374s.a().c().b(new C0967k(str)).setParser(q.f28515j.c());
            parser.setNumberOfRetries(2);
            parser.setUnsuccessfulResponseHandler(new com.google.api.client.http.n(new C0984p.a().setInitialIntervalMillis(1000).setRandomizationFactor(0.1d).setMultiplier(2.0d).a()).setBackOffRequired(n.a.f27700a));
            b bVar = (b) parser.b().i(b.class);
            ImmutableMap.b bVar2 = new ImmutableMap.b();
            List<a> list = bVar.f28384x;
            if (list == null) {
                for (String str2 : bVar.keySet()) {
                    bVar2.i(str2, i((String) bVar.get(str2)));
                }
            } else {
                for (a aVar : list) {
                    try {
                        bVar2.i(aVar.f28377c, h(aVar));
                    } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e7) {
                        e7.printStackTrace();
                    }
                }
            }
            ImmutableMap a7 = bVar2.a();
            if (!a7.isEmpty()) {
                return a7;
            }
            throw new VerificationException("No valid public key returned by the keystore: " + str);
        }
    }

    public TokenVerifier(b bVar) {
        this.f28358a = bVar.f28364a;
        this.f28359b = bVar.f28365b;
        this.f28360c = bVar.f28366c;
        this.f28361d = bVar.f28367d;
        this.f28362e = bVar.f28368e;
        this.f28363f = CacheBuilder.x().h(1L, TimeUnit.HOURS).c(new c(bVar.f28369f));
    }

    public static b a() {
        return new b().setClock(InterfaceC0980l.f27901a).setHttpTransportFactory(q.f28514i);
    }

    private String getCertificateLocation(M3.b bVar) throws VerificationException {
        String str = this.f28359b;
        if (str != null) {
            return str;
        }
        String algorithm = bVar.getHeader().getAlgorithm();
        algorithm.hashCode();
        if (algorithm.equals("ES256")) {
            return f28355g;
        }
        if (algorithm.equals("RS256")) {
            return f28356h;
        }
        throw new VerificationException("Unknown algorithm");
    }

    public M3.b b(String str) throws VerificationException {
        try {
            M3.b c7 = M3.b.c(q.f28515j, str);
            String str2 = this.f28358a;
            if (str2 != null && !str2.equals(c7.getPayload().getAudience())) {
                throw new VerificationException("Expected audience does not match");
            }
            String str3 = this.f28360c;
            if (str3 != null && !str3.equals(c7.getPayload().getIssuer())) {
                throw new VerificationException("Expected issuer does not match");
            }
            Long expirationTimeSeconds = c7.getPayload().getExpirationTimeSeconds();
            if (expirationTimeSeconds != null && expirationTimeSeconds.longValue() <= this.f28362e.currentTimeMillis() / 1000) {
                throw new VerificationException("Token is expired");
            }
            if (!f28357i.contains(c7.getHeader().getAlgorithm())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }
            PublicKey publicKey = this.f28361d;
            if (publicKey == null) {
                try {
                    publicKey = this.f28363f.get(getCertificateLocation(c7)).get(c7.getHeader().getKeyId());
                } catch (UncheckedExecutionException | ExecutionException e7) {
                    throw new VerificationException("Error fetching PublicKey from certificate location", e7);
                }
            }
            if (publicKey == null) {
                throw new VerificationException("Could not find PublicKey for provided keyId: " + c7.getHeader().getKeyId());
            }
            try {
                if (c7.h(publicKey)) {
                    return c7;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e8) {
                throw new VerificationException("Error validating token", e8);
            }
        } catch (IOException e9) {
            throw new VerificationException("Error parsing JsonWebSignature token", e9);
        }
    }
}
