package com.google.auth.oauth2;

import com.google.api.client.util.C2846e;
import com.google.api.client.util.InterfaceC2853l;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.collect.AbstractC3048i1;
import com.google.common.collect.AbstractC3083r1;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes2.dex */
public class TokenVerifier {

    /* renamed from: g, reason: collision with root package name */
    private static final String f58226g = "https://www.gstatic.com/iap/verify/public_key-jwk";

    /* renamed from: h, reason: collision with root package name */
    private static final String f58227h = "https://www.googleapis.com/oauth2/v3/certs";

    /* renamed from: i, reason: collision with root package name */
    private static final Set<String> f58228i = AbstractC3083r1.a0("RS256", "ES256");

    /* renamed from: a, reason: collision with root package name */
    private final String f58229a;

    /* renamed from: b, reason: collision with root package name */
    private final String f58230b;

    /* renamed from: c, reason: collision with root package name */
    private final String f58231c;

    /* renamed from: d, reason: collision with root package name */
    private final PublicKey f58232d;

    /* renamed from: e, reason: collision with root package name */
    private final InterfaceC2853l f58233e;

    /* renamed from: f, reason: collision with root package name */
    private final com.google.common.cache.i<String, Map<String, PublicKey>> f58234f;

    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /* loaded from: classes2.dex */
    public static class b {

        /* renamed from: a, reason: collision with root package name */
        private String f58235a;

        /* renamed from: b, reason: collision with root package name */
        private String f58236b;

        /* renamed from: c, reason: collision with root package name */
        private String f58237c;

        /* renamed from: d, reason: collision with root package name */
        private PublicKey f58238d;

        /* renamed from: e, reason: collision with root package name */
        private InterfaceC2853l f58239e;

        /* renamed from: f, reason: collision with root package name */
        private com.google.auth.http.c f58240f;

        public TokenVerifier g() {
            return new TokenVerifier(this);
        }

        public b h(String str) {
            this.f58235a = str;
            return this;
        }

        public b i(String str) {
            this.f58236b = str;
            return this;
        }

        public b j(InterfaceC2853l interfaceC2853l) {
            this.f58239e = interfaceC2853l;
            return this;
        }

        public b k(com.google.auth.http.c cVar) {
            this.f58240f = cVar;
            return this;
        }

        public b l(String str) {
            this.f58237c = str;
            return this;
        }

        public b m(PublicKey publicKey) {
            this.f58238d = publicKey;
            return this;
        }
    }

    /* loaded from: classes2.dex */
    static class c extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        private final com.google.auth.http.c f58241a;

        /* loaded from: classes2.dex */
        public static class a {

            /* renamed from: a, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58242a;

            /* renamed from: b, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58243b;

            /* renamed from: c, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58244c;

            /* renamed from: d, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58245d;

            /* renamed from: e, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58246e;

            /* renamed from: f, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58247f;

            /* renamed from: g, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58248g;

            /* renamed from: h, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58249h;

            /* renamed from: i, reason: collision with root package name */
            @com.google.api.client.util.u
            public String f58250i;
        }

        /* loaded from: classes2.dex */
        public static class b extends com.google.api.client.json.b {

            /* renamed from: s, reason: collision with root package name */
            @com.google.api.client.util.u
            public List<a> f58251s;
        }

        c(com.google.auth.http.c cVar) {
            this.f58241a = cVar;
        }

        private PublicKey g(a aVar) {
            com.google.common.base.F.d("EC".equals(aVar.f58245d));
            com.google.common.base.F.d("P-256".equals(aVar.f58243b));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, C2846e.a(aVar.f58247f)), new BigInteger(1, C2846e.a(aVar.f58248g)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        private PublicKey h(a aVar) {
            if ("ES256".equals(aVar.f58242a)) {
                return g(aVar);
            }
            if ("RS256".equals(aVar.f58242a)) {
                return j(aVar);
            }
            return null;
        }

        private PublicKey i(String str) {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        private PublicKey j(a aVar) {
            com.google.common.base.F.d("RSA".equals(aVar.f58245d));
            com.google.common.base.F.E(aVar.f58249h);
            com.google.common.base.F.E(aVar.f58250i);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, C2846e.a(aVar.f58250i)), new BigInteger(1, C2846e.a(aVar.f58249h))));
        }

        @Override // com.google.common.cache.CacheLoader
        /* renamed from: k, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> d(String str) {
            try {
                b bVar = (b) this.f58241a.a().c().b(new com.google.api.client.http.k(str)).T(z.f58478g.c()).b().r(b.class);
                AbstractC3048i1.b bVar2 = new AbstractC3048i1.b();
                List<a> list = bVar.f58251s;
                if (list == null) {
                    for (String str2 : bVar.keySet()) {
                        bVar2.i(str2, i((String) bVar.get(str2)));
                    }
                } else {
                    for (a aVar : list) {
                        try {
                            bVar2.i(aVar.f58244c, h(aVar));
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e6) {
                            e6.printStackTrace();
                        }
                    }
                }
                return bVar2.a();
            } catch (IOException unused) {
                return AbstractC3048i1.r();
            }
        }
    }

    private TokenVerifier(b bVar) {
        this.f58229a = bVar.f58235a;
        this.f58230b = bVar.f58236b;
        this.f58231c = bVar.f58237c;
        this.f58232d = bVar.f58238d;
        this.f58233e = bVar.f58239e;
        this.f58234f = CacheBuilder.D().g(1L, TimeUnit.HOURS).b(new c(bVar.f58240f));
    }

    private String a(com.google.api.client.json.webtoken.b bVar) {
        String str = this.f58230b;
        if (str != null) {
            return str;
        }
        String t6 = bVar.a().t();
        t6.getClass();
        if (t6.equals("ES256")) {
            return f58226g;
        }
        if (t6.equals("RS256")) {
            return f58227h;
        }
        throw new VerificationException("Unknown algorithm");
    }

    public static b b() {
        return new b().j(InterfaceC2853l.f56890a).k(z.f58477f);
    }

    public com.google.api.client.json.webtoken.b c(String str) {
        try {
            com.google.api.client.json.webtoken.b g6 = com.google.api.client.json.webtoken.b.g(z.f58478g, str);
            String str2 = this.f58229a;
            if (str2 != null && !str2.equals(g6.b().n())) {
                throw new VerificationException("Expected audience does not match");
            }
            String str3 = this.f58231c;
            if (str3 != null && !str3.equals(g6.b().r())) {
                throw new VerificationException("Expected issuer does not match");
            }
            Long p6 = g6.b().p();
            if (p6 != null && p6.longValue() <= this.f58233e.b() / 1000) {
                throw new VerificationException("Token is expired");
            }
            if (!f58228i.contains(g6.a().t())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }
            PublicKey publicKey = this.f58232d;
            if (publicKey == null) {
                try {
                    publicKey = this.f58234f.get(a(g6)).get(g6.a().x());
                } catch (UncheckedExecutionException | ExecutionException e6) {
                    throw new VerificationException("Error fetching PublicKey from certificate location", e6);
                }
            }
            if (publicKey == null) {
                throw new VerificationException("Could not find PublicKey for provided keyId: " + g6.a().x());
            }
            try {
                if (g6.l(publicKey)) {
                    return g6;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e7) {
                throw new VerificationException("Error validating token", e7);
            }
        } catch (IOException e8) {
            throw new VerificationException("Error parsing JsonWebSignature token", e8);
        }
    }
}
