package com.google.auth.oauth2;

import com.google.api.client.util.t;
import com.google.common.base.u;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;

/* loaded from: classes2.dex */
public class TokenVerifier {

    /* renamed from: a, reason: collision with root package name */
    private static final String f23601a = "https://www.gstatic.com/iap/verify/public_key-jwk";

    /* renamed from: b, reason: collision with root package name */
    private static final String f23602b = "https://www.googleapis.com/oauth2/v3/certs";

    /* renamed from: c, reason: collision with root package name */
    private static final Set<String> f23603c = ImmutableSet.v("RS256", "ES256");

    /* renamed from: d, reason: collision with root package name */
    private final String f23604d;

    /* renamed from: e, reason: collision with root package name */
    private final String f23605e;

    /* renamed from: f, reason: collision with root package name */
    private final String f23606f;

    /* renamed from: g, reason: collision with root package name */
    private final PublicKey f23607g;

    /* renamed from: h, reason: collision with root package name */
    private final com.google.api.client.util.l f23608h;
    private final com.google.common.cache.h<String, Map<String, PublicKey>> i;

    /* loaded from: classes2.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /* loaded from: classes2.dex */
    public static class b {

        /* renamed from: a, reason: collision with root package name */
        private String f23609a;

        /* renamed from: b, reason: collision with root package name */
        private String f23610b;

        /* renamed from: c, reason: collision with root package name */
        private String f23611c;

        /* renamed from: d, reason: collision with root package name */
        private PublicKey f23612d;

        /* renamed from: e, reason: collision with root package name */
        private com.google.api.client.util.l f23613e;

        /* renamed from: f, reason: collision with root package name */
        private com.google.auth.b.c f23614f;

        public TokenVerifier g() {
            return new TokenVerifier(this);
        }

        public b h(String str) {
            this.f23609a = str;
            return this;
        }

        public b i(String str) {
            this.f23610b = str;
            return this;
        }

        public b j(com.google.api.client.util.l lVar) {
            this.f23613e = lVar;
            return this;
        }

        public b k(com.google.auth.b.c cVar) {
            this.f23614f = cVar;
            return this;
        }

        public b l(String str) {
            this.f23611c = str;
            return this;
        }

        public b m(PublicKey publicKey) {
            this.f23612d = publicKey;
            return this;
        }
    }

    /* loaded from: classes2.dex */
    static class c extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        private final com.google.auth.b.c f23615a;

        /* loaded from: classes2.dex */
        public static class a {

            /* renamed from: a, reason: collision with root package name */
            @t
            public String f23616a;

            /* renamed from: b, reason: collision with root package name */
            @t
            public String f23617b;

            /* renamed from: c, reason: collision with root package name */
            @t
            public String f23618c;

            /* renamed from: d, reason: collision with root package name */
            @t
            public String f23619d;

            /* renamed from: e, reason: collision with root package name */
            @t
            public String f23620e;

            /* renamed from: f, reason: collision with root package name */
            @t
            public String f23621f;

            /* renamed from: g, reason: collision with root package name */
            @t
            public String f23622g;

            /* renamed from: h, reason: collision with root package name */
            @t
            public String f23623h;

            @t
            public String i;
        }

        /* loaded from: classes2.dex */
        public static class b extends com.google.api.client.json.b {

            /* renamed from: f, reason: collision with root package name */
            @t
            public List<a> f23624f;
        }

        c(com.google.auth.b.c cVar) {
            this.f23615a = cVar;
        }

        private PublicKey g(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            u.d("EC".equals(aVar.f23619d));
            u.d("P-256".equals(aVar.f23617b));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, com.google.api.client.util.e.a(aVar.f23621f)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f23622g)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        private PublicKey h(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(aVar.f23616a)) {
                return g(aVar);
            }
            if ("RS256".equals(aVar.f23616a)) {
                return j(aVar);
            }
            return null;
        }

        private PublicKey i(String str) throws CertificateException, UnsupportedEncodingException {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        private PublicKey j(a aVar) throws NoSuchAlgorithmException, InvalidKeySpecException {
            u.d("RSA".equals(aVar.f23619d));
            u.E(aVar.f23623h);
            u.E(aVar.i);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, com.google.api.client.util.e.a(aVar.i)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f23623h))));
        }

        @Override // com.google.common.cache.CacheLoader
        /* renamed from: k, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> d(String str) throws Exception {
            try {
                b bVar = (b) this.f23615a.create().c().b(new com.google.api.client.http.k(str)).T(l.f23699g.c()).b().r(b.class);
                ImmutableMap.b bVar2 = new ImmutableMap.b();
                List<a> list = bVar.f23624f;
                if (list == null) {
                    for (String str2 : bVar.keySet()) {
                        bVar2.e(str2, i((String) bVar.get(str2)));
                    }
                } else {
                    for (a aVar : list) {
                        try {
                            bVar2.e(aVar.f23618c, h(aVar));
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e2) {
                            e2.printStackTrace();
                        }
                    }
                }
                return bVar2.a();
            } catch (IOException unused) {
                return ImmutableMap.r();
            }
        }
    }

    private TokenVerifier(b bVar) {
        this.f23604d = bVar.f23609a;
        this.f23605e = bVar.f23610b;
        this.f23606f = bVar.f23611c;
        this.f23607g = bVar.f23612d;
        this.f23608h = bVar.f23613e;
        this.i = CacheBuilder.D().g(1L, TimeUnit.HOURS).b(new c(bVar.f23614f));
    }

    private String a(com.google.api.client.json.l.b bVar) throws VerificationException {
        String str = this.f23605e;
        if (str != null) {
            return str;
        }
        String t = bVar.a().t();
        t.hashCode();
        if (t.equals("ES256")) {
            return f23601a;
        }
        if (t.equals("RS256")) {
            return f23602b;
        }
        throw new VerificationException("Unknown algorithm");
    }

    public static b b() {
        return new b().j(com.google.api.client.util.l.f23274a).k(l.f23698f);
    }

    public com.google.api.client.json.l.b c(String str) throws VerificationException {
        try {
            com.google.api.client.json.l.b g2 = com.google.api.client.json.l.b.g(l.f23699g, str);
            String str2 = this.f23604d;
            if (str2 != null && !str2.equals(g2.b().m())) {
                throw new VerificationException("Expected audience does not match");
            }
            String str3 = this.f23606f;
            if (str3 != null && !str3.equals(g2.b().r())) {
                throw new VerificationException("Expected issuer does not match");
            }
            Long p = g2.b().p();
            if (p != null && p.longValue() <= this.f23608h.currentTimeMillis() / 1000) {
                throw new VerificationException("Token is expired");
            }
            if (!f23603c.contains(g2.a().t())) {
                throw new VerificationException("Unexpected signing algorithm: expected either RS256 or ES256");
            }
            PublicKey publicKey = this.f23607g;
            if (publicKey == null) {
                try {
                    publicKey = this.i.get(a(g2)).get(g2.a().z());
                } catch (UncheckedExecutionException | ExecutionException e2) {
                    throw new VerificationException("Error fetching PublicKey from certificate location", e2);
                }
            }
            if (publicKey == null) {
                throw new VerificationException("Could not find PublicKey for provided keyId: " + g2.a().z());
            }
            try {
                if (g2.l(publicKey)) {
                    return g2;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e3) {
                throw new VerificationException("Error validating token", e3);
            }
        } catch (IOException e4) {
            throw new VerificationException("Error parsing JsonWebSignature token", e4);
        }
    }
}
