package com.google.api.client.auth.openidconnect;

import android.support.v4.media.a;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Preconditions;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

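/**
 * Verifies OpenID Connect ID tokens in two stages: payload checks (issuer, audience, time
 * window) and a signature check against public keys downloaded from a certificate location.
 *
 * <p>Downloaded keys are cached per certificate URL; the constructor configures the cache to
 * expire entries one hour after they are written.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Issuer and audience checks run only when the corresponding collection is non-null.
 *       A verifier built without {@code setIssuers}/{@code setAudience} accepts a validly
 *       signed token from any issuer or for any audience, so relying parties should set both.
 *   <li>Signature verification is skipped entirely when the process environment variable
 *       {@code OAUTH_CLIENT_SKIP_SIGNATURE} parses as {@code true}. That switch must never be
 *       present in a production environment; treat its presence as a finding.
 *   <li>Only {@code RS256} and {@code ES256} are accepted as signing algorithms.
 *   <li>A custom certificate location is used as given; the verifier trusts whatever keys that
 *       location serves.
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output (see the {@code JADX WARN} markers and the
 * obfuscated member names such as {@code a}, {@code b}, {@code c}). Some statements, for example
 * {@code new Object()} assigned to interface-typed variables and bare {@code new Exception(...)}
 * in methods without a {@code throws} clause, are decompiler artefacts and should be confirmed
 * against the original library source before drawing conclusions from them.
 */
@Beta
/* loaded from: classes2.dex */
public class IdTokenVerifier {
    /** Default allowance, in seconds, for clock skew when checking token times. */
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;
    /** Default key location used when the token header names RS256 and no location is configured. */
    private static final String FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v3/certs";
    /** Default key location used when the token header names ES256 and no location is configured. */
    private static final String IAP_CERT_URL = "https://www.gstatic.com/iap/verify/public_key-jwk";
    private static final String NOT_SUPPORTED_ALGORITHM = "Unexpected signing algorithm %s: expected either RS256 or ES256";
    /**
     * Name of the environment variable that disables signature verification when it parses as
     * {@code true}. Intended for tests; a deployment that sets it accepts forged tokens.
     */
    static final String SKIP_SIGNATURE_ENV_VAR = "OAUTH_CLIENT_SKIP_SIGNATURE";
    private final long acceptableTimeSkewSeconds;
    /** Accepted audiences, or {@code null} to skip the audience check. */
    private final Collection<String> audience;
    /** Caller-supplied key location, or {@code null} to pick a default from the token's algorithm. */
    private final String certificatesLocation;
    private final Clock clock;
    private final Environment environment;
    /** Accepted issuers, or {@code null} to skip the issuer check. */
    private final Collection<String> issuers;
    /** Public keys by key id, cached per certificate URL. */
    private final LoadingCache<String, Map<String, PublicKey>> publicKeyCache;
    private static final Logger LOGGER = Logger.getLogger(IdTokenVerifier.class.getName());
    // Allowlist of signing algorithms; `s` is an obfuscated factory name, presumably a
    // two-element ImmutableSet constructor (TODO confirm).
    private static final Set<String> SUPPORTED_ALGORITHMS = ImmutableSet.s(2, "RS256", "ES256");
    static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();

    /**
     * Collects the settings for an {@link IdTokenVerifier}.
     *
     * <p>Defaults visible here: system clock and a 300 second skew allowance. Issuers, audience,
     * certificate location, transport factory and environment start out {@code null}.
     */
    @Beta
    /* loaded from: classes2.dex */
    public static class Builder {
        Collection<String> audience;
        String certificatesLocation;
        Environment environment;
        HttpTransportFactory httpTransportFactory;
        Collection<String> issuers;
        Clock clock = Clock.SYSTEM;
        long acceptableTimeSkewSeconds = 300;

        /** Returns the configured clock-skew allowance in seconds. */
        public final long getAcceptableTimeSkewSeconds() {
            return this.acceptableTimeSkewSeconds;
        }

        /** Returns the accepted audiences, or {@code null} when none were set. */
        public final Collection<String> getAudience() {
            return this.audience;
        }

        /** Returns the clock used for time checks. */
        public final Clock getClock() {
            return this.clock;
        }

        /** Returns the configured environment, or {@code null} when none was set. */
        public final Environment getEnvironment() {
            return this.environment;
        }

        /** Returns the first configured issuer, or {@code null} when no issuers were set. */
        public final String getIssuer() {
            Collection<String> collection = this.issuers;
            if (collection == null) {
                return null;
            }
            return collection.iterator().next();
        }

        /** Returns the accepted issuers, or {@code null} when none were set. */
        public final Collection<String> getIssuers() {
            return this.issuers;
        }

        /**
         * Sets the clock-skew allowance.
         *
         * @param j2 allowance in seconds; must not be negative
         * @return this builder
         */
        public Builder setAcceptableTimeSkewSeconds(long j2) {
            Preconditions.checkArgument(j2 >= 0);
            this.acceptableTimeSkewSeconds = j2;
            return this;
        }

        /**
         * Sets the accepted audiences. Passing {@code null} disables the audience check, which
         * lets a token minted for a different client pass payload verification.
         *
         * @param collection accepted audience values, or {@code null}
         * @return this builder
         */
        public Builder setAudience(Collection collection) {
            this.audience = collection;
            return this;
        }

        /**
         * Sets the URL the signing keys are downloaded from. The value is stored without any
         * validation, and the verifier trusts every key served there, so it should be a fixed
         * HTTPS endpoint operated by the token issuer and never a value taken from request data.
         *
         * @param str key location, or {@code null} to use the algorithm-based defaults
         * @return this builder
         */
        public Builder setCertificatesLocation(String str) {
            this.certificatesLocation = str;
            return this;
        }

        /**
         * Sets the clock used for time checks.
         *
         * @param clock clock to use; must not be {@code null}
         * @return this builder
         */
        public Builder setClock(Clock clock) {
            this.clock = (Clock) Preconditions.checkNotNull(clock);
            return this;
        }

        /**
         * Sets the environment object.
         *
         * @param environment environment to use, or {@code null}
         * @return this builder
         */
        public Builder setEnvironment(Environment environment) {
            this.environment = environment;
            return this;
        }

        /**
         * Sets the factory that supplies the HTTP transport for key downloads.
         *
         * @param httpTransportFactory factory to use, or {@code null}
         * @return this builder
         */
        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.httpTransportFactory = httpTransportFactory;
            return this;
        }

        /**
         * Sets the accepted issuers. Passing {@code null} disables the issuer check; an empty
         * collection is rejected because it could never match any token.
         *
         * @param collection accepted issuer values, or {@code null}
         * @return this builder
         * @throws IllegalArgumentException if {@code collection} is non-null and empty
         */
        public Builder setIssuers(Collection collection) {
            Preconditions.checkArgument(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.issuers = collection;
            return this;
        }
    }

    /** Transport factory that always hands out the shared {@link #HTTP_TRANSPORT} instance. */
    /* loaded from: classes2.dex */
    public static class DefaultHttpTransportFactory implements HttpTransportFactory {
        /** Returns the shared transport. */
        @Override // com.google.api.client.auth.openidconnect.HttpTransportFactory
        public final HttpTransport a() {
            return IdTokenVerifier.HTTP_TRANSPORT;
        }
    }

    /**
     * Cache loader that downloads the key document for a certificate URL and turns it into a
     * map from key id to {@link PublicKey}.
     */
    /* loaded from: classes2.dex */
    public static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {
        /** Source of the HTTP transport used for the download. */
        public final HttpTransportFactory c;

        // Declared but not referenced in the visible code.
        // NOTE(review): members were presumably stripped by the shrinker or decompiler - confirm.
        /* loaded from: classes2.dex */
        public static class JsonWebKey {
        }

        /** JSON document returned by the certificate location. */
        /* loaded from: classes2.dex */
        public static class JsonWebKeySet extends GenericJson {
        }

        /**
         * Creates a loader.
         *
         * @param httpTransportFactory factory that supplies the transport for each download
         */
        public PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.c = httpTransportFactory;
        }

        /**
         * Loads the keys for one certificate URL.
         *
         * <p>As shown, the method issues a GET to the URL, parses the response as JSON, treats
         * every top-level entry as X.509 certificate text keyed by key id, and extracts each
         * certificate's public key. An empty result is rejected rather than cached.
         *
         * <p>NOTE(review): the decompiler removed unreachable blocks from this method and
         * {@code JsonWebKey} is unused, so handling of JWK-formatted documents may be missing
         * from this listing - confirm against the original source.
         *
         * @param obj certificate URL, as a {@code String}
         * @return map from key id to public key
         */
        /* JADX WARN: Unreachable blocks removed: 2, instructions: 2 */
        @Override // com.google.common.cache.CacheLoader
        public final Object b(Object obj) {
            String str = (String) obj;
            try {
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) this.c.a().createRequestFactory().buildGetRequest(new GenericUrl(str)).setParser(GsonFactory.getDefaultInstance().createJsonObjectParser()).execute().parseAs(JsonWebKeySet.class);
                ImmutableMap.Builder builder = new ImmutableMap.Builder(4);
                // Decompiler's rendering of an implicit null check.
                jsonWebKeySet.getClass();
                for (String str2 : jsonWebKeySet.keySet()) {
                    builder.d(str2, CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(((String) jsonWebKeySet.get(str2)).getBytes("UTF-8"))).getPublicKey());
                }
                // Fail closed: an empty key set must not be cached as a valid answer.
                if (builder.b(true).isEmpty()) {
                    throw new Exception(a.z("No valid public key returned by the keystore: ", str));
                }
                return builder.b(true);
            } catch (IOException e) {
                // Logged at WARNING so that key-fetch failures are visible to operators.
                IdTokenVerifier.LOGGER.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e);
                throw e;
            }
        }
    }

    /**
     * Checked exception caught by {@link #verify(IdToken)} and converted to a {@code false}
     * result.
     *
     * <p>NOTE(review): no constructors are visible here, and the throw sites in this listing
     * create a plain {@code Exception}; presumably the original code throws this type - confirm.
     */
    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
    }

    /**
     * Builds a verifier from the builder's settings.
     *
     * <p>Issuer and audience collections are wrapped as unmodifiable views and stay
     * {@code null} when not configured. The key cache is set to expire entries one hour after
     * write.
     *
     * @param builder source of the settings
     */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    public IdTokenVerifier(GoogleIdTokenVerifier.Builder builder) {
        this.certificatesLocation = builder.certificatesLocation;
        this.clock = builder.clock;
        this.acceptableTimeSkewSeconds = builder.acceptableTimeSkewSeconds;
        Collection<String> collection = builder.issuers;
        Collection<String> collection2 = null;
        this.issuers = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection3 = builder.audience;
        if (collection3 != null) {
            collection2 = Collections.unmodifiableCollection(collection3);
        }
        this.audience = collection2;
        HttpTransportFactory httpTransportFactory = builder.httpTransportFactory;
        // NOTE(review): `new Object()` is a type-inference artefact; presumably a default
        // transport factory is created here - confirm.
        HttpTransportFactory obj = httpTransportFactory == null ? new Object() : httpTransportFactory;
        CacheBuilder b = CacheBuilder.b();
        TimeUnit timeUnit = TimeUnit.HOURS;
        // The next lines look like an inlined expireAfterWrite(1, HOURS): reject a second
        // assignment, then store the duration in nanoseconds.
        long j2 = b.b;
        if (j2 != -1) {
            throw new IllegalStateException(Strings.a("expireAfterWrite was already set to %s ns", Long.valueOf(j2)));
        }
        b.b = timeUnit.toNanos(1L);
        this.publicKeyCache = b.a(new PublicKeyLoader(obj));
        Environment environment = builder.environment;
        // NOTE(review): `new Object()` is a type-inference artefact; presumably a default
        // Environment is created here - confirm.
        this.environment = environment == null ? new Object() : environment;
    }

    /**
     * Picks the URL to download signing keys from.
     *
     * <p>A configured certificate location always wins. Otherwise the token's own header
     * algorithm selects between the two built-in locations, and any other algorithm is rejected.
     *
     * @param header header of the token being verified
     * @return URL of the key document
     */
    /* JADX WARN: Unreachable blocks removed: 1, instructions: 1 */
    public final String a(JsonWebSignature.Header header) {
        String str = this.certificatesLocation;
        if (str != null) {
            return str;
        }
        // `c` is the obfuscated name of the header's algorithm field, judging by the error
        // message below.
        String str2 = header.c;
        // Decompiler's rendering of an implicit null check.
        str2.getClass();
        if (str2.equals("ES256")) {
            return IAP_CERT_URL;
        }
        if (str2.equals("RS256")) {
            return FEDERATED_SIGNON_CERT_URL;
        }
        throw new Exception(a.l("Unexpected signing algorithm ", header.c, ": expected either RS256 or ES256"));
    }

    /** Returns the clock-skew allowance in seconds. */
    public final long getAcceptableTimeSkewSeconds() {
        return this.acceptableTimeSkewSeconds;
    }

    /** Returns the accepted audiences as an unmodifiable view, or {@code null} when unset. */
    public final Collection<String> getAudience() {
        return this.audience;
    }

    /** Returns the clock used for time checks. */
    public final Clock getClock() {
        return this.clock;
    }

    /** Returns the first accepted issuer, or {@code null} when no issuers are configured. */
    public final String getIssuer() {
        Collection<String> collection = this.issuers;
        if (collection == null) {
            return null;
        }
        return collection.iterator().next();
    }

    /** Returns the accepted issuers as an unmodifiable view, or {@code null} when unset. */
    public final Collection<String> getIssuers() {
        return this.issuers;
    }

    /**
     * Verifies a token's payload and then its signature.
     *
     * <p>Signature failures are logged at SEVERE and reported as {@code false}, so callers see
     * a single boolean and must treat {@code false} as "reject the token".
     *
     * @param idToken token to verify
     * @return {@code true} only when both the payload checks and the signature check pass
     */
    public boolean verify(IdToken idToken) {
        if (!verifyPayload(idToken)) {
            return false;
        }
        try {
            return verifySignature(idToken);
        } catch (VerificationException e) {
            LOGGER.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e);
            return false;
        }
    }

    /**
     * Checks issuer, audience and time window of a token.
     *
     * <p>The issuer and audience checks apply only when the respective collection is
     * configured; with both left {@code null} this method checks the time window alone. It does
     * not look at the signature, so a {@code true} result on its own says nothing about who
     * produced the token.
     *
     * @param idToken token to check
     * @return {@code true} when every configured check passes
     */
    public boolean verifyPayload(IdToken idToken) {
        // A failed check rejects immediately; a passed check falls through to the next one.
        Collection<String> expectedIssuers = this.issuers;
        if (expectedIssuers != null && !idToken.verifyIssuer(expectedIssuers)) {
            return false;
        }
        Collection<String> expectedAudience = this.audience;
        if (expectedAudience != null && !idToken.verifyAudience(expectedAudience)) {
            return false;
        }
        return idToken.verifyTime(this.clock.currentTimeMillis(), this.acceptableTimeSkewSeconds);
    }

    /**
     * Checks the token's signature against the cached public key named by the token header.
     *
     * <p>Order of operations: environment bypass, algorithm allowlist, key lookup by key id,
     * cryptographic verification. Every failure after the bypass raises an exception.
     *
     * <p>NOTE(review): the throw sites create a plain {@code Exception} in this listing while
     * {@link #verify(IdToken)} catches {@link VerificationException}; presumably the original
     * throws that type - confirm.
     *
     * @param idToken token whose signature is checked
     * @return {@code true} when the signature is valid, or when verification is bypassed
     */
    /* JADX WARN: Unreachable blocks removed: 4, instructions: 4 */
    @VisibleForTesting
    public boolean verifySignature(IdToken idToken) {
        // Decompiler's rendering of an implicit null check.
        this.environment.getClass();
        if (Boolean.parseBoolean(System.getenv(SKIP_SIGNATURE_ENV_VAR))) {
            // Bypass switch: the token is accepted without any cryptographic check. Log every
            // use so that a misconfigured deployment shows up in monitoring.
            LOGGER.log(Level.WARNING, "Signature verification skipped because " + SKIP_SIGNATURE_ENV_VAR + " is set; the token signature was NOT checked");
            return true;
        }
        // Allowlist check runs before any key is fetched, so "none" and other algorithms
        // never reach the verification step.
        if (!SUPPORTED_ALGORITHMS.contains(idToken.getHeader().c)) {
            throw new Exception(a.l("Unexpected signing algorithm ", idToken.getHeader().c, ": expected either RS256 or ES256"));
        }
        try {
            // `f9787k` is the obfuscated name of the header's key id, judging by the message
            // below. An unknown key id is rejected rather than falling back to another key.
            PublicKey publicKey = (PublicKey) ((Map) this.publicKeyCache.get(a(idToken.getHeader()))).get(idToken.getHeader().f9787k);
            if (publicKey == null) {
                throw new Exception("Could not find public key for provided keyId: " + idToken.getHeader().f9787k);
            }
            try {
                if (idToken.verifySignature(publicKey)) {
                    return true;
                }
                throw new Exception("Invalid signature");
            } catch (GeneralSecurityException e) {
                throw new Exception("Error validating token", e);
            }
        } catch (UncheckedExecutionException | ExecutionException e2) {
            // The message prints the configured location, which is null when a built-in
            // default URL was used.
            throw new Exception("Error fetching public key from certificate location " + this.certificatesLocation, e2);
        }
    }
}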
