package com.google.api.client.auth.openidconnect;

import com.google.api.client.http.d;
import com.google.api.client.http.m;
import com.google.api.client.util.h;
import com.google.api.client.util.k;
import com.google.api.client.util.n;
import com.google.api.client.util.u;
import com.google.common.base.o;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import wi.e;

/* loaded from: classes5.dex */
public class IdTokenVerifier {

    /* renamed from: h, reason: collision with root package name */
    private static final Logger f40371h = Logger.getLogger(IdTokenVerifier.class.getName());

    /* renamed from: i, reason: collision with root package name */
    private static final Set<String> f40372i = ImmutableSet.of("RS256", "ES256");

    /* renamed from: j, reason: collision with root package name */
    static final m f40373j = new e();

    /* renamed from: a, reason: collision with root package name */
    private final h f40374a;

    /* renamed from: b, reason: collision with root package name */
    private final String f40375b;

    /* renamed from: c, reason: collision with root package name */
    private final com.google.api.client.auth.openidconnect.a f40376c;

    /* renamed from: d, reason: collision with root package name */
    private final com.google.common.cache.h<String, Map<String, PublicKey>> f40377d;

    /* renamed from: e, reason: collision with root package name */
    private final long f40378e;

    /* renamed from: f, reason: collision with root package name */
    private final Collection<String> f40379f;

    /* renamed from: g, reason: collision with root package name */
    private final Collection<String> f40380g;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: classes5.dex */
    public static class VerificationException extends Exception {
        public VerificationException(String str) {
            super(str);
        }

        public VerificationException(String str, Throwable th2) {
            super(str, th2);
        }
    }

    /* loaded from: classes5.dex */
    public static class a {

        /* renamed from: b, reason: collision with root package name */
        String f40382b;

        /* renamed from: c, reason: collision with root package name */
        com.google.api.client.auth.openidconnect.a f40383c;

        /* renamed from: e, reason: collision with root package name */
        Collection<String> f40385e;

        /* renamed from: f, reason: collision with root package name */
        Collection<String> f40386f;

        /* renamed from: g, reason: collision with root package name */
        com.google.api.client.auth.openidconnect.b f40387g;

        /* renamed from: a, reason: collision with root package name */
        h f40381a = h.f40568a;

        /* renamed from: d, reason: collision with root package name */
        long f40384d = 300;

        public a a(Collection<String> collection) {
            this.f40386f = collection;
            return this;
        }

        public a b(Collection<String> collection) {
            u.b(collection == null || !collection.isEmpty(), "Issuers must not be empty");
            this.f40385e = collection;
            return this;
        }
    }

    /* loaded from: classes5.dex */
    static class b implements com.google.api.client.auth.openidconnect.b {
        b() {
        }

        @Override // com.google.api.client.auth.openidconnect.b
        public m create() {
            return IdTokenVerifier.f40373j;
        }
    }

    /* loaded from: classes5.dex */
    static class c extends CacheLoader<String, Map<String, PublicKey>> {

        /* renamed from: a, reason: collision with root package name */
        private final com.google.api.client.auth.openidconnect.b f40388a;

        /* loaded from: classes5.dex */
        public static class a {

            /* renamed from: a, reason: collision with root package name */
            @n
            public String f40389a;

            /* renamed from: b, reason: collision with root package name */
            @n
            public String f40390b;

            /* renamed from: c, reason: collision with root package name */
            @n
            public String f40391c;

            /* renamed from: d, reason: collision with root package name */
            @n
            public String f40392d;

            /* renamed from: e, reason: collision with root package name */
            @n
            public String f40393e;

            /* renamed from: f, reason: collision with root package name */
            @n
            public String f40394f;

            /* renamed from: g, reason: collision with root package name */
            @n
            public String f40395g;

            /* renamed from: h, reason: collision with root package name */
            @n
            public String f40396h;
        }

        /* loaded from: classes5.dex */
        public static class b extends xi.b {

            /* renamed from: d, reason: collision with root package name */
            @n
            public List<a> f40397d;
        }

        c(com.google.api.client.auth.openidconnect.b bVar) {
            this.f40388a = bVar;
        }

        private PublicKey a(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            o.d("EC".equals(aVar.f40392d));
            o.d("P-256".equals(aVar.f40390b));
            ECPoint eCPoint = new ECPoint(new BigInteger(1, com.google.api.client.util.e.a(aVar.f40393e)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f40394f)));
            AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
            algorithmParameters.init(new ECGenParameterSpec("secp256r1"));
            return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(eCPoint, (ECParameterSpec) algorithmParameters.getParameterSpec(ECParameterSpec.class)));
        }

        private PublicKey b(a aVar) throws NoSuchAlgorithmException, InvalidParameterSpecException, InvalidKeySpecException {
            if ("ES256".equals(aVar.f40389a)) {
                return a(aVar);
            }
            if ("RS256".equals(aVar.f40389a)) {
                return d(aVar);
            }
            return null;
        }

        private PublicKey c(String str) throws CertificateException, UnsupportedEncodingException {
            return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes("UTF-8"))).getPublicKey();
        }

        private PublicKey d(a aVar) throws NoSuchAlgorithmException, InvalidKeySpecException {
            o.d("RSA".equals(aVar.f40392d));
            o.s(aVar.f40395g);
            o.s(aVar.f40396h);
            return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(new BigInteger(1, com.google.api.client.util.e.a(aVar.f40396h)), new BigInteger(1, com.google.api.client.util.e.a(aVar.f40395g))));
        }

        @Override // com.google.common.cache.CacheLoader
        /* renamed from: e, reason: merged with bridge method [inline-methods] */
        public Map<String, PublicKey> load(String str) throws Exception {
            try {
                com.google.api.client.http.h p10 = this.f40388a.create().c().a(new com.google.api.client.http.b(str)).p(com.google.api.client.json.gson.a.m().b());
                p10.o(2);
                p10.s(new d(new k.a().b(1000).d(0.1d).c(2.0d).a()).b(d.a.f40448a));
                b bVar = (b) p10.b().l(b.class);
                ImmutableMap.b bVar2 = new ImmutableMap.b();
                List<a> list = bVar.f40397d;
                if (list == null) {
                    for (String str2 : bVar.keySet()) {
                        bVar2.h(str2, c((String) bVar.get(str2)));
                    }
                } else {
                    for (a aVar : list) {
                        try {
                            bVar2.h(aVar.f40391c, b(aVar));
                        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e10) {
                            IdTokenVerifier.f40371h.log(Level.WARNING, "Failed to put a key into the cache", e10);
                        }
                    }
                }
                ImmutableMap a10 = bVar2.a();
                if (!a10.isEmpty()) {
                    return a10;
                }
                throw new VerificationException("No valid public key returned by the keystore: " + str);
            } catch (IOException e11) {
                IdTokenVerifier.f40371h.log(Level.WARNING, "Failed to get a certificate from certificate location " + str, (Throwable) e11);
                throw e11;
            }
        }
    }

    public IdTokenVerifier() {
        this(new a());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public IdTokenVerifier(a aVar) {
        this.f40375b = aVar.f40382b;
        this.f40374a = aVar.f40381a;
        this.f40378e = aVar.f40384d;
        Collection<String> collection = aVar.f40385e;
        this.f40379f = collection == null ? null : Collections.unmodifiableCollection(collection);
        Collection<String> collection2 = aVar.f40386f;
        this.f40380g = collection2 != null ? Collections.unmodifiableCollection(collection2) : null;
        com.google.api.client.auth.openidconnect.b bVar = aVar.f40387g;
        this.f40377d = CacheBuilder.A().h(1L, TimeUnit.HOURS).c(new c(bVar == null ? new b() : bVar));
        com.google.api.client.auth.openidconnect.a aVar2 = aVar.f40383c;
        this.f40376c = aVar2 == null ? new com.google.api.client.auth.openidconnect.a() : aVar2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean b(com.google.api.client.auth.openidconnect.c cVar) {
        Collection<String> collection;
        Collection<String> collection2 = this.f40379f;
        return (collection2 == null || cVar.l(collection2)) && ((collection = this.f40380g) == null || cVar.i(collection)) && cVar.m(this.f40374a.a(), this.f40378e);
    }
}
