package com.google.firebase.auth.internal;

import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.util.ArrayMap;
import com.google.api.client.util.Clock;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.firebase.auth.FirebaseAuthException;
import java.io.IOException;
import java.math.BigDecimal;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;

/* loaded from: input_file:com/google/firebase/auth/internal/FirebaseTokenVerifier.class */
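/**
 * Verifies Firebase ID tokens: header and claim checks first, then an RS256 signature check
 * against the public keys served by a {@link GooglePublicKeysManager}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The {@code alg} header must be exactly {@code RS256}; any other value is rejected before
 *       a signature check is attempted.</li>
 *   <li>The {@code kid} header must be present, but it is not used to select a key: the
 *       signature is tried against every key the key manager returns.</li>
 *   <li>Claim checks run before signature verification, so the rejection messages embed values
 *       ({@code alg}, {@code aud}, {@code iss}) taken from a token that has not been
 *       authenticated yet. Treat those messages as untrusted text when logging or returning
 *       them to a client.</li>
 * </ul>
 */
public final class FirebaseTokenVerifier extends IdTokenVerifier {

    /** Endpoint that publishes the X.509 certificates used to check ID token signatures. */
    @VisibleForTesting
    static final String CLIENT_CERT_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";

    /** Key manager used unless the builder is given another one; reads {@link #CLIENT_CERT_URL}. */
    public static final GooglePublicKeysManager DEFAULT_KEY_MANAGER = new GooglePublicKeysManager.Builder(new NetHttpTransport.Builder().build(), new GsonFactory()).setClock(Clock.SYSTEM).setPublicCertsEncodedUrl(CLIENT_CERT_URL).build();

    private static final String ISSUER_PREFIX = "https://securetoken.google.com/";
    // Audience carried by custom tokens; used only to produce a more helpful rejection message.
    private static final String FIREBASE_AUDIENCE = "https://identitytoolkit.googleapis.com/google.identity.identitytoolkit.v1.IdentityToolkit";
    private static final String ERROR_INVALID_CREDENTIAL = "ERROR_INVALID_CREDENTIAL";
    private static final String ERROR_RUNTIME_EXCEPTION = "ERROR_RUNTIME_EXCEPTION";
    private static final String PROJECT_ID_MATCH_MESSAGE = " Make sure the ID token comes from the same Firebase project as the service account used to authenticate this SDK.";
    private static final String VERIFY_ID_TOKEN_DOCS_MESSAGE = " See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token.";
    // The only signature algorithm accepted in the token header.
    private static final String ALGORITHM = "RS256";
    // Upper bound enforced on the length of the "sub" claim.
    private static final int MAX_SUBJECT_LENGTH = 128;

    private final String projectId;
    private final GooglePublicKeysManager publicKeysManager;

    /** Builder for {@link FirebaseTokenVerifier}; the project ID is mandatory. */
    public static class Builder extends IdTokenVerifier.Builder {
        String projectId;
        GooglePublicKeysManager publicKeysManager = FirebaseTokenVerifier.DEFAULT_KEY_MANAGER;

        /** Returns the project ID given to {@link #setProjectId(String)}, or {@code null}. */
        public String getProjectId() {
            return this.projectId;
        }

        /**
         * Sets the Firebase project ID and derives the expected issuer and audience from it.
         *
         * <p>The expected {@code iss} becomes the securetoken issuer prefix followed by the
         * project ID, and the expected {@code aud} becomes the project ID itself. A null value
         * is not rejected here; the verifier's constructor rejects it.
         */
        public Builder setProjectId(String str) {
            this.projectId = str;
            setIssuer(FirebaseTokenVerifier.ISSUER_PREFIX + str);
            setAudience(Collections.singleton(str));
            return this;
        }

        /* renamed from: setClock, reason: merged with bridge method [inline-methods] */
        /** Sets the clock used for the token time checks. */
        public Builder m23setClock(Clock clock) {
            return (Builder) super.setClock(clock);
        }

        /** Returns the key manager that will supply the signature verification keys. */
        public GooglePublicKeysManager getPublicKeyManager() {
            return this.publicKeysManager;
        }

        /**
         * Replaces the source of signature verification keys.
         *
         * <p>Whatever keys this manager returns are trusted to sign ID tokens, so anything other
         * than {@link FirebaseTokenVerifier#DEFAULT_KEY_MANAGER} changes the trust anchor.
         * NOTE(review): a null manager is accepted here and by the constructor; it would only
         * surface as a NullPointerException during signature verification.
         */
        public Builder setPublicKeysManager(GooglePublicKeysManager googlePublicKeysManager) {
            this.publicKeysManager = googlePublicKeysManager;
            return this;
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        /** Builds the verifier; fails if no project ID was set. */
        public FirebaseTokenVerifier m24build() {
            return new FirebaseTokenVerifier(this);
        }
    }

    /**
     * Creates a verifier from the builder's settings.
     *
     * @throws IllegalArgumentException if the builder has no project ID
     */
    protected FirebaseTokenVerifier(Builder builder) {
        super(builder);
        Preconditions.checkArgument(builder.projectId != null, "projectId must be set");
        this.projectId = builder.projectId;
        this.publicKeysManager = builder.publicKeysManager;
    }

    /**
     * Checks the token's header and claims, then its signature.
     *
     * <p>Checks run in this order and stop at the first failure: {@code kid} present,
     * {@code alg} equal to RS256, audience, issuer, {@code sub} present, non-empty and at most
     * 128 characters, and the time window. The signature is verified only after all of them
     * pass.
     *
     * @param idToken parsed token to verify
     * @return {@code true} when every check passes; the method never returns {@code false}
     * @throws FirebaseAuthException with code {@code ERROR_INVALID_CREDENTIAL} when a check or
     *     the signature fails, or {@code ERROR_RUNTIME_EXCEPTION} when the keys cannot be
     *     fetched or used
     */
    public boolean verifyTokenAndSignature(IdToken idToken) throws FirebaseAuthException {
        IdToken.Payload payload = idToken.getPayload();
        JsonWebSignature.Header header = idToken.getHeader();

        // These two flags only pick a friendlier message for tokens that lack a key ID;
        // they never cause a token to be accepted.
        boolean isCustomToken = payload.getAudience() != null && payload.getAudience().equals(FIREBASE_AUDIENCE);
        boolean isLegacyCustomToken = isLegacyCustomToken(header, payload);

        String errorMessage = null;
        if (header.getKeyId() == null) {
            if (isCustomToken) {
                errorMessage = "verifyIdToken() expects an ID token, but was given a custom token.";
            } else if (isLegacyCustomToken) {
                errorMessage = "verifyIdToken() expects an ID token, but was given a legacy custom token.";
            } else {
                errorMessage = "Firebase ID token has no \"kid\" claim.";
            }
        } else if (header.getAlgorithm() == null || !header.getAlgorithm().equals(ALGORITHM)) {
            // Pinning the algorithm here keeps the header from choosing how the token is verified.
            errorMessage = String.format("Firebase ID token has incorrect algorithm. Expected \"%s\" but got \"%s\".", ALGORITHM, header.getAlgorithm());
        } else if (!idToken.verifyAudience(getAudience())) {
            errorMessage = String.format("Firebase ID token has incorrect \"aud\" (audience) claim. Expected \"%s\" but got \"%s\".", concat(getAudience()), concat(idToken.getPayload().getAudienceAsList())) + PROJECT_ID_MATCH_MESSAGE;
        } else if (!idToken.verifyIssuer(getIssuers())) {
            errorMessage = String.format("Firebase ID token has incorrect \"iss\" (issuer) claim. Expected \"%s\" but got \"%s\".", concat(getIssuers()), idToken.getPayload().getIssuer()) + PROJECT_ID_MATCH_MESSAGE;
        } else if (payload.getSubject() == null) {
            errorMessage = "Firebase ID token has no \"sub\" (subject) claim.";
        } else if (payload.getSubject().isEmpty()) {
            errorMessage = "Firebase ID token has an empty string \"sub\" (subject) claim.";
        } else if (payload.getSubject().length() > MAX_SUBJECT_LENGTH) {
            errorMessage = "Firebase ID token has \"sub\" (subject) claim longer than 128 characters.";
        } else if (!idToken.verifyTime(getClock().currentTimeMillis(), getAcceptableTimeSkewSeconds())) {
            errorMessage = "Firebase ID token has expired or is not yet valid. Get a fresh token from your client app and try again.";
        }
        if (errorMessage != null) {
            throw new FirebaseAuthException(ERROR_INVALID_CREDENTIAL, errorMessage + VERIFY_ID_TOKEN_DOCS_MESSAGE);
        }

        try {
            if (verifySignature(idToken)) {
                return true;
            }
            throw new FirebaseAuthException(ERROR_INVALID_CREDENTIAL, "Firebase ID token isn't signed by a valid public key." + VERIFY_ID_TOKEN_DOCS_MESSAGE);
        } catch (IOException | GeneralSecurityException e) {
            // A key fetch or crypto failure is reported as a runtime error, never as success.
            throw new FirebaseAuthException(ERROR_RUNTIME_EXCEPTION, "Error while verifying token signature.", e);
        }
    }

    /**
     * Reports whether the token has the shape this class treats as a legacy custom token:
     * {@code alg} of HS256, a {@code v} claim equal to zero, and a {@code d} map holding a
     * {@code uid} entry.
     */
    private static boolean isLegacyCustomToken(JsonWebSignature.Header header, IdToken.Payload payload) {
        if (header.getAlgorithm() == null || !header.getAlgorithm().equals("HS256")) {
            return false;
        }
        Object version = payload.get("v");
        if (version == null || !version.equals(BigDecimal.ZERO)) {
            return false;
        }
        Object data = payload.get("d");
        return data instanceof ArrayMap && ((ArrayMap<?, ?>) data).get("uid") != null;
    }

    /**
     * Joins the trimmed values with {@code ", "} for use in a rejection message.
     *
     * <p>Returns an empty string for a null or empty collection. The previous implementation
     * cut the trailing separator with {@code substring(0, length - 2)}, which throws
     * {@link StringIndexOutOfBoundsException} when there is nothing to join; an audience
     * mismatch on a token whose audience list is empty would then escape as an unchecked
     * exception instead of a {@link FirebaseAuthException}. Null elements are rendered as
     * {@code "null"} for the same reason.
     */
    private String concat(Collection<String> collection) {
        if (collection == null || collection.isEmpty()) {
            return "";
        }
        StringBuilder sb = new StringBuilder();
        boolean first = true;
        for (String value : collection) {
            if (!first) {
                sb.append(", ");
            }
            sb.append(value == null ? "null" : value.trim());
            first = false;
        }
        return sb.toString();
    }

    /**
     * Tries the token's signature against every public key from the key manager.
     *
     * @return {@code true} on the first key that verifies the signature, {@code false} if none
     *     does (including when the key manager returns no keys)
     */
    private boolean verifySignature(IdToken idToken) throws GeneralSecurityException, IOException {
        for (PublicKey publicKey : this.publicKeysManager.getPublicKeys()) {
            if (idToken.verifySignature(publicKey)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the Firebase project ID whose tokens this verifier accepts. */
    public String getProjectId() {
        return this.projectId;
    }
}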
