package com.google.crypto.tink.jwt;

import com.google.errorprone.annotations.Immutable;
import com.google.gson.JsonObject;
import com.nimbusds.jwt.JWTClaimNames;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Optional;

@Immutable
/* loaded from: classes3.dex */
public final class JwtValidator {

    /* renamed from: k, reason: collision with root package name */
    public static final Duration f33048k = Duration.ofMinutes(10);

    /* renamed from: a, reason: collision with root package name */
    public final Optional<String> f33049a;

    /* renamed from: b, reason: collision with root package name */
    public final boolean f33050b;

    /* renamed from: c, reason: collision with root package name */
    public final Optional<String> f33051c;
    public final boolean d;

    /* renamed from: e, reason: collision with root package name */
    public final Optional<String> f33052e;

    /* renamed from: f, reason: collision with root package name */
    public final boolean f33053f;

    /* renamed from: g, reason: collision with root package name */
    public final boolean f33054g;

    /* renamed from: h, reason: collision with root package name */
    public final boolean f33055h;

    /* renamed from: i, reason: collision with root package name */
    public final Clock f33056i;

    /* renamed from: j, reason: collision with root package name */
    public final Duration f33057j;

    /* loaded from: classes3.dex */
    public static final class Builder {

        /* renamed from: i, reason: collision with root package name */
        public Clock f33065i = Clock.systemUTC();

        /* renamed from: j, reason: collision with root package name */
        public Duration f33066j = Duration.ZERO;

        /* renamed from: a, reason: collision with root package name */
        public Optional<String> f33058a = Optional.empty();

        /* renamed from: b, reason: collision with root package name */
        public boolean f33059b = false;

        /* renamed from: c, reason: collision with root package name */
        public Optional<String> f33060c = Optional.empty();
        public boolean d = false;

        /* renamed from: e, reason: collision with root package name */
        public Optional<String> f33061e = Optional.empty();

        /* renamed from: f, reason: collision with root package name */
        public boolean f33062f = false;

        /* renamed from: g, reason: collision with root package name */
        public boolean f33063g = false;

        /* renamed from: h, reason: collision with root package name */
        public boolean f33064h = false;

        public Builder allowMissingExpiration() {
            this.f33063g = true;
            return this;
        }

        public JwtValidator build() {
            if (this.f33059b && this.f33058a.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.d && this.f33060c.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.f33062f && this.f33061e.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        public Builder expectAudience(String str) {
            if (str == null) {
                throw new NullPointerException("audience cannot be null");
            }
            this.f33061e = Optional.of(str);
            return this;
        }

        public Builder expectIssuedInThePast() {
            this.f33064h = true;
            return this;
        }

        public Builder expectIssuer(String str) {
            if (str == null) {
                throw new NullPointerException("issuer cannot be null");
            }
            this.f33060c = Optional.of(str);
            return this;
        }

        public Builder expectTypeHeader(String str) {
            if (str == null) {
                throw new NullPointerException("typ header cannot be null");
            }
            this.f33058a = Optional.of(str);
            return this;
        }

        public Builder ignoreAudiences() {
            this.f33062f = true;
            return this;
        }

        public Builder ignoreIssuer() {
            this.d = true;
            return this;
        }

        public Builder ignoreTypeHeader() {
            this.f33059b = true;
            return this;
        }

        public Builder setClock(Clock clock) {
            if (clock == null) {
                throw new NullPointerException("clock cannot be null");
            }
            this.f33065i = clock;
            return this;
        }

        public Builder setClockSkew(Duration duration) {
            if (duration.compareTo(JwtValidator.f33048k) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            this.f33066j = duration;
            return this;
        }
    }

    public JwtValidator(Builder builder) {
        this.f33049a = builder.f33058a;
        this.f33050b = builder.f33059b;
        this.f33051c = builder.f33060c;
        this.d = builder.d;
        this.f33052e = builder.f33061e;
        this.f33053f = builder.f33062f;
        this.f33054g = builder.f33063g;
        this.f33055h = builder.f33064h;
        this.f33056i = builder.f33065i;
        this.f33057j = builder.f33066j;
    }

    public static Builder newBuilder() {
        return new Builder();
    }

    public final VerifiedJwt a(RawJwt rawJwt) throws JwtInvalidException {
        Instant instant = this.f33056i.instant();
        JsonObject jsonObject = rawJwt.f33067a;
        if (!jsonObject.has(JWTClaimNames.EXPIRATION_TIME) && !this.f33054g) {
            throw new JwtInvalidException("token does not have an expiration set");
        }
        boolean has = jsonObject.has(JWTClaimNames.EXPIRATION_TIME);
        Duration duration = this.f33057j;
        if (has && !rawJwt.b(JWTClaimNames.EXPIRATION_TIME).isAfter(instant.minus((TemporalAmount) duration))) {
            throw new JwtInvalidException("token has expired since " + rawJwt.b(JWTClaimNames.EXPIRATION_TIME));
        }
        if (jsonObject.has(JWTClaimNames.NOT_BEFORE) && rawJwt.b(JWTClaimNames.NOT_BEFORE).isAfter(instant.plus((TemporalAmount) duration))) {
            throw new JwtInvalidException("token cannot be used before " + rawJwt.b(JWTClaimNames.NOT_BEFORE));
        }
        if (this.f33055h) {
            if (!jsonObject.has(JWTClaimNames.ISSUED_AT)) {
                throw new JwtInvalidException("token does not have an iat claim");
            }
            if (rawJwt.b(JWTClaimNames.ISSUED_AT).isAfter(instant.plus((TemporalAmount) duration))) {
                throw new JwtInvalidException("token has a invalid iat claim in the future: " + rawJwt.b(JWTClaimNames.ISSUED_AT));
            }
        }
        Optional<String> optional = this.f33049a;
        boolean isPresent = optional.isPresent();
        Optional<String> optional2 = rawJwt.f33068b;
        if (isPresent) {
            if (!optional2.isPresent()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected type header %s.", optional.get()));
            }
            if (!rawJwt.d().equals(optional.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected type header %s, but got %s", optional.get(), rawJwt.d()));
            }
        } else if (optional2.isPresent() && !this.f33050b) {
            throw new JwtInvalidException("invalid JWT; token has type header set, but validator not.");
        }
        Optional<String> optional3 = this.f33051c;
        if (optional3.isPresent()) {
            if (!jsonObject.has(JWTClaimNames.ISSUER)) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected issuer %s.", optional3.get()));
            }
            if (!rawJwt.c(JWTClaimNames.ISSUER).equals(optional3.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; expected issuer %s, but got %s", optional3.get(), rawJwt.c(JWTClaimNames.ISSUER)));
            }
        } else if (jsonObject.has(JWTClaimNames.ISSUER) && !this.d) {
            throw new JwtInvalidException("invalid JWT; token has issuer set, but validator not.");
        }
        Optional<String> optional4 = this.f33052e;
        if (optional4.isPresent()) {
            if (!jsonObject.has(JWTClaimNames.AUDIENCE) || !rawJwt.a().contains(optional4.get())) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected audience %s.", optional4.get()));
            }
        } else if (jsonObject.has(JWTClaimNames.AUDIENCE) && !this.f33053f) {
            throw new JwtInvalidException("invalid JWT; token has audience set, but validator not.");
        }
        return new VerifiedJwt(rawJwt);
    }

    public String toString() {
        ArrayList arrayList = new ArrayList();
        Optional<String> optional = this.f33049a;
        if (optional.isPresent()) {
            arrayList.add("expectedTypeHeader=" + optional.get());
        }
        if (this.f33050b) {
            arrayList.add("ignoreTypeHeader");
        }
        Optional<String> optional2 = this.f33051c;
        if (optional2.isPresent()) {
            arrayList.add("expectedIssuer=" + optional2.get());
        }
        if (this.d) {
            arrayList.add("ignoreIssuer");
        }
        Optional<String> optional3 = this.f33052e;
        if (optional3.isPresent()) {
            arrayList.add("expectedAudience=" + optional3.get());
        }
        if (this.f33053f) {
            arrayList.add("ignoreAudiences");
        }
        if (this.f33054g) {
            arrayList.add("allowMissingExpiration");
        }
        if (this.f33055h) {
            arrayList.add("expectIssuedInThePast");
        }
        Duration duration = this.f33057j;
        if (!duration.isZero()) {
            arrayList.add("clockSkew=" + duration);
        }
        StringBuilder sb2 = new StringBuilder("JwtValidator{");
        Iterator it = arrayList.iterator();
        String str = "";
        while (it.hasNext()) {
            String str2 = (String) it.next();
            sb2.append(str);
            sb2.append(str2);
            str = ",";
        }
        sb2.append("}");
        return sb2.toString();
    }
}
