package com.google.api.client.auth.openidconnect;

import android.graphics.Color;
import android.view.MotionEvent;
import android.view.View;
import android.view.ViewConfiguration;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.Base64;
import com.google.api.client.util.Beta;
import com.google.api.client.util.Clock;
import com.google.api.client.util.Key;
import com.google.api.client.util.Preconditions;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.google.firebase.perf.util.Constants;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.Method;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import o.getRelationStatus;
import o.isGlobalType;

@Beta
/* loaded from: classes3.dex */
public class IdTokenVerifier {
    public static final long DEFAULT_TIME_SKEW_SECONDS = 300;
    private static final String FEDERATED_SIGNON_CERT_URL = "https://www.googleapis.com/oauth2/v3/certs";
    private static final String IAP_CERT_URL = "https://www.gstatic.com/iap/verify/public_key-jwk";
    private static final String NOT_SUPPORTED_ALGORITHM = "Unexpected signing algorithm %s: expected either RS256 or ES256";
    static final String SKIP_SIGNATURE_ENV_VAR = "OAUTH_CLIENT_SKIP_SIGNATURE";
    private final long acceptableTimeSkewSeconds;
    private final Collection<String> audience;
    private final String certificatesLocation;
    private final Clock clock;
    private final Environment environment;
    private final Collection<String> issuers;
    private final LoadingCache<String, Map<String, PublicKey>> publicKeyCache;
    private static final Logger LOGGER = Logger.getLogger(IdTokenVerifier.class.getName());
    private static final Set<String> SUPPORTED_ALGORITHMS = ImmutableSet.of("RS256", "ES256");
    static final HttpTransport HTTP_TRANSPORT = new NetHttpTransport();

    @Beta
    /* loaded from: classes3.dex */
    public static class Builder {
        Collection<String> audience;
        String certificatesLocation;
        Environment environment;
        HttpTransportFactory httpTransportFactory;
        Collection<String> issuers;
        Clock clock = Clock.SYSTEM;
        long acceptableTimeSkewSeconds = 300;

        public IdTokenVerifier build() {
            return new IdTokenVerifier(this);
        }

        public final long getAcceptableTimeSkewSeconds() {
            return this.acceptableTimeSkewSeconds;
        }

        public final Collection<String> getAudience() {
            return this.audience;
        }

        public final Clock getClock() {
            return this.clock;
        }

        final Environment getEnvironment() {
            return this.environment;
        }

        public final String getIssuer() {
            Collection<String> collection = this.issuers;
            if (collection == null) {
                return null;
            }
            return collection.iterator().next();
        }

        public final Collection<String> getIssuers() {
            return this.issuers;
        }

        public Builder setAcceptableTimeSkewSeconds(long j) {
            Preconditions.checkArgument(j >= 0);
            this.acceptableTimeSkewSeconds = j;
            return this;
        }

        public Builder setAudience(Collection<String> collection) {
            this.audience = collection;
            return this;
        }

        public Builder setCertificatesLocation(String str) {
            this.certificatesLocation = str;
            return this;
        }

        public Builder setClock(Clock clock) {
            this.clock = (Clock) Preconditions.checkNotNull(clock);
            return this;
        }

        Builder setEnvironment(Environment environment) {
            this.environment = environment;
            return this;
        }

        public Builder setHttpTransportFactory(HttpTransportFactory httpTransportFactory) {
            this.httpTransportFactory = httpTransportFactory;
            return this;
        }

        public Builder setIssuer(String str) {
            return str == null ? setIssuers(null) : setIssuers(Collections.singleton(str));
        }

        public Builder setIssuers(Collection<String> collection) {
            Preconditions.checkArgument(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.issuers = collection;
            return this;
        }
    }

    /* loaded from: classes3.dex */
    static class DefaultHttpTransportFactory implements HttpTransportFactory {
        DefaultHttpTransportFactory() {
        }

        @Override // com.google.api.client.auth.openidconnect.HttpTransportFactory
        public HttpTransport create() {
            return IdTokenVerifier.HTTP_TRANSPORT;
        }
    }

    /* loaded from: classes3.dex */
    static class PublicKeyLoader extends CacheLoader<String, Map<String, PublicKey>> {
        public static final byte[] $$a = {61, 89, 45, -101};
        public static final int $$b = 180;
        private static int $10 = 0;
        private static int $11 = 1;
        private static int IconCompatParcelizer = 0;
        private static int MediaBrowserCompat$CustomActionResultReceiver = 1;
        private static long write = 5204366612816492831L;
        private final HttpTransportFactory httpTransportFactory;

        /* loaded from: classes3.dex */
        public static class JsonWebKey {

            @Key
            public String alg;

            @Key
            public String crv;

            @Key
            public String e;

            @Key
            public String kid;

            @Key
            public String kty;

            @Key
            public String n;

            @Key
            public String use;

            @Key
            public String x;

            @Key
            public String y;
        }

        /* loaded from: classes3.dex */
        public static class JsonWebKeySet extends GenericJson {

            @Key
            public List<JsonWebKey> keys;
        }

        PublicKeyLoader(HttpTransportFactory httpTransportFactory) {
            this.httpTransportFactory = httpTransportFactory;
        }

        private static void a(int i, char[] cArr, Object[] objArr) {
            getRelationStatus getrelationstatus = new getRelationStatus();
            char[] read = getRelationStatus.read(write ^ 6420597167705141270L, cArr, i);
            getrelationstatus.RemoteActionCompatParcelizer = 4;
            int i2 = $10 + 23;
            $11 = i2 % Constants.MAX_CONTENT_TYPE_LENGTH;
            int i3 = i2 % 2;
            while (true) {
                if (getrelationstatus.RemoteActionCompatParcelizer >= read.length) {
                    objArr[0] = new String(read, 4, read.length - 4);
                    return;
                }
                int i4 = $11 + 89;
                $10 = i4 % Constants.MAX_CONTENT_TYPE_LENGTH;
                int i5 = i4 % 2;
                getrelationstatus.write = getrelationstatus.RemoteActionCompatParcelizer - 4;
                int i6 = getrelationstatus.RemoteActionCompatParcelizer;
                try {
                    Object[] objArr2 = {Long.valueOf(read[getrelationstatus.RemoteActionCompatParcelizer] ^ read[getrelationstatus.RemoteActionCompatParcelizer % 4]), Long.valueOf(getrelationstatus.write), Long.valueOf(write)};
                    Object obj = isGlobalType.MediaSessionCompat$ResultReceiverWrapper.get(-1585798315);
                    if (obj == null) {
                        Class cls = (Class) isGlobalType.write(81 - (ViewConfiguration.getScrollDefaultDelay() >> 16), (char) (36196 - Color.green(0)), MotionEvent.axisFromString("") + 4);
                        byte b = (byte) 0;
                        byte b2 = (byte) (b + 1);
                        Object[] objArr3 = new Object[1];
                        b(b, b2, (byte) (b2 - 1), objArr3);
                        obj = cls.getMethod((String) objArr3[0], Long.TYPE, Long.TYPE, Long.TYPE);
                        isGlobalType.MediaSessionCompat$ResultReceiverWrapper.put(-1585798315, obj);
                    }
                    read[i6] = ((Character) ((Method) obj).invoke(null, objArr2)).charValue();
                    try {
                        Object[] objArr4 = {getrelationstatus, getrelationstatus};
                        Object obj2 = isGlobalType.MediaSessionCompat$ResultReceiverWrapper.get(-1639246760);
                        if (obj2 == null) {
                            Class cls2 = (Class) isGlobalType.write(809 - (ViewConfiguration.getMaximumDrawingCacheSize() >> 24), (char) View.resolveSizeAndState(0, 0, 0), View.combineMeasuredStates(0, 0) + 14);
                            byte b3 = (byte) 0;
                            byte b4 = b3;
                            Object[] objArr5 = new Object[1];
                            b(b3, b4, b4, objArr5);
                            obj2 = cls2.getMethod((String) objArr5[0], Object.class, Object.class);
                            isGlobalType.MediaSessionCompat$ResultReceiverWrapper.put(-1639246760, obj2);
                        }
                        ((Method) obj2).invoke(null, objArr4);
                    } catch (Throwable th) {
                        Throwable cause = th.getCause();
                        if (cause == null) {
                            throw th;
                        }
                        throw cause;
                    }
                } catch (Throwable th2) {
                    Throwable cause2 = th2.getCause();
                    if (cause2 == null) {
                        throw th2;
                    }
                    throw cause2;
                }
            }
        }

        /* JADX WARN: Removed duplicated region for block: B:10:0x0027  */
        /* JADX WARN: Removed duplicated region for block: B:7:0x001f  */
        /* JADX WARN: Unsupported multi-entry loop pattern (BACK_EDGE: B:10:0x0027 -> B:4:0x002f). Please report as a decompilation issue!!! */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        private static void b(short r7, byte r8, byte r9, java.lang.Object[] r10) {
            /*
                int r7 = r7 * 4
                int r7 = r7 + 1
                int r8 = r8 + 114
                int r9 = r9 * 4
                int r9 = 4 - r9
                byte[] r0 = com.google.api.client.auth.openidconnect.IdTokenVerifier.PublicKeyLoader.$$a
                byte[] r1 = new byte[r7]
                r2 = 0
                if (r0 != 0) goto L17
                r3 = r1
                r4 = 0
                r1 = r0
                r0 = r10
                r10 = r9
                goto L2f
            L17:
                r3 = 0
            L18:
                int r4 = r3 + 1
                byte r5 = (byte) r8
                r1[r3] = r5
                if (r4 != r7) goto L27
                java.lang.String r7 = new java.lang.String
                r7.<init>(r1, r2)
                r10[r2] = r7
                return
            L27:
                r3 = r0[r9]
                r6 = r10
                r10 = r8
                r8 = r3
                r3 = r1
                r1 = r0
                r0 = r6
            L2f:
                int r8 = -r8
                int r9 = r9 + 1
                int r8 = r8 + r10
                r10 = r0
                r0 = r1
                r1 = r3
                r3 = r4
                goto L18
            */
            throw new UnsupportedOperationException("Method not decompiled: com.google.api.client.auth.openidconnect.IdTokenVerifier.PublicKeyLoader.b(short, byte, byte, java.lang.Object[]):void");
        }

        private PublicKey buildEs256PublicKey(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            com.google.common.base.Preconditions.checkArgument("EC".equals(jsonWebKey.kty));
            com.google.common.base.Preconditions.checkArgument("P-256".equals(jsonWebKey.crv));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, Base64.decodeBase64(jsonWebKey.x)), new BigInteger(1, Base64.decodeBase64(jsonWebKey.y)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            PublicKey generatePublic = KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
            try {
                int i = MediaBrowserCompat$CustomActionResultReceiver + 101;
                IconCompatParcelizer = i % Constants.MAX_CONTENT_TYPE_LENGTH;
                int i2 = i % 2;
                return generatePublic;
            } catch (Exception e) {
                throw e;
            }
        }

        /* JADX WARN: Multi-variable type inference failed */
        private PublicKey buildPublicKey(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            Object[] objArr = null;
            Object[] objArr2 = 0;
            if ("ES256".equals(jsonWebKey.alg)) {
                int i = IconCompatParcelizer + 91;
                MediaBrowserCompat$CustomActionResultReceiver = i % Constants.MAX_CONTENT_TYPE_LENGTH;
                if (i % 2 != 0) {
                    return buildEs256PublicKey(jsonWebKey);
                }
                PublicKey buildEs256PublicKey = buildEs256PublicKey(jsonWebKey);
                int length = (objArr2 == true ? 1 : 0).length;
                return buildEs256PublicKey;
            }
            if (!("RS256".equals(jsonWebKey.alg))) {
                return null;
            }
            int i2 = MediaBrowserCompat$CustomActionResultReceiver + 93;
            IconCompatParcelizer = i2 % Constants.MAX_CONTENT_TYPE_LENGTH;
            if ((i2 % 2 != 0 ? '@' : 'T') == 'T') {
                return buildRs256PublicKey(jsonWebKey);
            }
            PublicKey buildRs256PublicKey = buildRs256PublicKey(jsonWebKey);
            int length2 = objArr.length;
            return buildRs256PublicKey;
        }

        private PublicKey buildPublicKey(String str) throws CertificateException, UnsupportedEncodingException {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Object[] objArr = new Object[1];
            a(-MotionEvent.axisFromString(""), new char[]{15780, 15857, 498, 51375, 12334, 52091, 6584, 41594, 36941}, objArr);
            PublicKey publicKey = certificateFactory.generateCertificate(new ByteArrayInputStream(str.getBytes(((String) objArr[0]).intern()))).getPublicKey();
            int i = MediaBrowserCompat$CustomActionResultReceiver + 39;
            IconCompatParcelizer = i % Constants.MAX_CONTENT_TYPE_LENGTH;
            int i2 = i % 2;
            return publicKey;
        }

        private PublicKey buildRs256PublicKey(JsonWebKey jsonWebKey) throws NoSuchAlgorithmException, InvalidKeySpecException {
            com.google.common.base.Preconditions.checkArgument("RSA".equals(jsonWebKey.kty));
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.e);
            com.google.common.base.Preconditions.checkNotNull(jsonWebKey.n);
            PublicKey generatePublic = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, Base64.decodeBase64(jsonWebKey.n)), new BigInteger(1, Base64.decodeBase64(jsonWebKey.e))));
            int i = MediaBrowserCompat$CustomActionResultReceiver + 11;
            IconCompatParcelizer = i % Constants.MAX_CONTENT_TYPE_LENGTH;
            if ((i % 2 != 0 ? '!' : '\r') != '!') {
                return generatePublic;
            }
            int i2 = 40 / 0;
            return generatePublic;
        }

        @Override // com.google.common.cache.CacheLoader
        public /* bridge */ /* synthetic */ Map<String, PublicKey> load(String str) throws Exception {
            try {
                int i = IconCompatParcelizer + 107;
                MediaBrowserCompat$CustomActionResultReceiver = i % Constants.MAX_CONTENT_TYPE_LENGTH;
                if ((i % 2 == 0 ? 'a' : '\\') != 'a') {
                    return load2(str);
                }
                Map<String, PublicKey> load2 = load2(str);
                Object[] objArr = null;
                int length = objArr.length;
                return load2;
            } catch (Exception e) {
                throw e;
            }
        }

        /* renamed from: load, reason: avoid collision after fix types in other method */
        public Map<String, PublicKey> load2(String str) throws Exception {
            Iterator<String> it;
            try {
                JsonWebKeySet jsonWebKeySet = (JsonWebKeySet) this.httpTransportFactory.create().createRequestFactory().buildGetRequest(new GenericUrl(str)).setParser(GsonFactory.getDefaultInstance().createJsonObjectParser()).execute().parseAs(JsonWebKeySet.class);
                ImmutableMap.Builder builder = new ImmutableMap.Builder();
                List<JsonWebKey> list = jsonWebKeySet.keys;
                if (!(list == null)) {
                    try {
                        Iterator<JsonWebKey> it2 = list.iterator();
                        while (true) {
                            if (!(it2.hasNext())) {
                                break;
                            }
                            JsonWebKey next = it2.next();
                            try {
                                builder.put(next.kid, buildPublicKey(next));
                            } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e) {
                                try {
                                    IdTokenVerifier.LOGGER.log(Level.WARNING, "Failed to put a key into the cache", e);
                                    int i = MediaBrowserCompat$CustomActionResultReceiver + 47;
                                    IconCompatParcelizer = i % Constants.MAX_CONTENT_TYPE_LENGTH;
                                    int i2 = i % 2;
                                } catch (Exception e2) {
                                    throw e2;
                                }
                            }
                        }
                    } catch (Exception e3) {
                        throw e3;
                    }
                } else {
                    int i3 = MediaBrowserCompat$CustomActionResultReceiver + 55;
                    IconCompatParcelizer = i3 % Constants.MAX_CONTENT_TYPE_LENGTH;
                    if (i3 % 2 != 0) {
                        it = jsonWebKeySet.keySet().iterator();
                        int i4 = 61 / 0;
                    } else {
                        it = jsonWebKeySet.keySet().iterator();
                    }
                    while (it.hasNext()) {
                        String next2 = it.next();
                        builder.put(next2, buildPublicKey((String) jsonWebKeySet.get(next2)));
                    }
                }
                return builder.build();
            } catch (IOException e4) {
                Logger logger = IdTokenVerifier.LOGGER;
                Level level = Level.WARNING;
                StringBuilder sb = new StringBuilder();
                sb.append("Failed to get a certificate from certificate location ");
                sb.append(str);
                logger.log(level, sb.toString(), (Throwable) e4);
                return ImmutableMap.of();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes3.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    public IdTokenVerifier() {
        this(new Builder());
    }

    public IdTokenVerifier(Builder builder) {
        this.certificatesLocation = builder.certificatesLocation;
        this.clock = builder.clock;
        this.acceptableTimeSkewSeconds = builder.acceptableTimeSkewSeconds;
        Collection<String> collection = builder.issuers;
        this.issuers = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection2 = builder.audience;
        this.audience = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        HttpTransportFactory httpTransportFactory = builder.httpTransportFactory;
        this.publicKeyCache = CacheBuilder.newBuilder().expireAfterWrite(1L, TimeUnit.HOURS).build(new PublicKeyLoader(httpTransportFactory == null ? new DefaultHttpTransportFactory() : httpTransportFactory));
        Environment environment = builder.environment;
        this.environment = environment == null ? new Environment() : environment;
    }

    private String getCertificateLocation(JsonWebSignature.Header header) throws VerificationException {
        String str = this.certificatesLocation;
        if (str != null) {
            return str;
        }
        String algorithm = header.getAlgorithm();
        algorithm.hashCode();
        if (algorithm.equals("ES256")) {
            return IAP_CERT_URL;
        }
        if (algorithm.equals("RS256")) {
            return FEDERATED_SIGNON_CERT_URL;
        }
        throw new VerificationException(String.format(NOT_SUPPORTED_ALGORITHM, header.getAlgorithm()));
    }

    public final long getAcceptableTimeSkewSeconds() {
        return this.acceptableTimeSkewSeconds;
    }

    public final Collection<String> getAudience() {
        return this.audience;
    }

    public final Clock getClock() {
        return this.clock;
    }

    public final String getIssuer() {
        Collection<String> collection = this.issuers;
        if (collection == null) {
            return null;
        }
        return collection.iterator().next();
    }

    public final Collection<String> getIssuers() {
        return this.issuers;
    }

    public boolean verify(IdToken idToken) {
        Collection<String> collection;
        Collection<String> collection2 = this.issuers;
        if (!((collection2 == null || idToken.verifyIssuer(collection2)) && ((collection = this.audience) == null || idToken.verifyAudience(collection)) && idToken.verifyTime(this.clock.currentTimeMillis(), this.acceptableTimeSkewSeconds))) {
            return false;
        }
        try {
            return verifySignature(idToken);
        } catch (VerificationException e) {
            LOGGER.log(Level.SEVERE, "id token signature verification failed. Please see docs for IdTokenVerifier for default settings and configuration options", (Throwable) e);
            return false;
        }
    }

    @VisibleForTesting
    boolean verifySignature(IdToken idToken) throws VerificationException {
        if (Boolean.parseBoolean(this.environment.getVariable(SKIP_SIGNATURE_ENV_VAR))) {
            return true;
        }
        if (!SUPPORTED_ALGORITHMS.contains(idToken.getHeader().getAlgorithm())) {
            throw new VerificationException(String.format(NOT_SUPPORTED_ALGORITHM, idToken.getHeader().getAlgorithm()));
        }
        try {
            PublicKey publicKey = this.publicKeyCache.get(getCertificateLocation(idToken.getHeader())).get(idToken.getHeader().getKeyId());
            if (publicKey == null) {
                StringBuilder sb = new StringBuilder();
                sb.append("Could not find PublicKey for provided keyId: ");
                sb.append(idToken.getHeader().getKeyId());
                throw new VerificationException(sb.toString());
            }
            try {
                if (idToken.verifySignature(publicKey)) {
                    return true;
                }
                throw new VerificationException("Invalid signature");
            } catch (GeneralSecurityException e) {
                throw new VerificationException("Error validating token", e);
            }
        } catch (UncheckedExecutionException | ExecutionException e2) {
            StringBuilder sb2 = new StringBuilder();
            sb2.append("Error fetching PublicKey from certificate location ");
            sb2.append(this.certificatesLocation);
            throw new VerificationException(sb2.toString(), e2);
        }
    }
}
