package com.okta.authfoundation.client;

import com.okta.authfoundation.client.DeviceSecretValidator;
import com.okta.authfoundation.jwt.Jwt;
import kotlin.Unit;
import kotlin.coroutines.Continuation;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlin.text.StringsKt__StringsKt;
import okio.ByteString;
import okio.Options;
import org.jetbrains.annotations.NotNull;

/* loaded from: classes.dex */
public final class DefaultDeviceSecretValidator implements DeviceSecretValidator {
    @Override // com.okta.authfoundation.client.DeviceSecretValidator
    public Object validate(@NotNull OidcClient oidcClient, @NotNull String str, @NotNull Jwt jwt, @NotNull Continuation continuation) {
        if (!Intrinsics.areEqual(jwt.getAlgorithm(), "RS256")) {
            throw new DeviceSecretValidator.Error("Unsupported algorithm");
        }
        String dsHash = ((IdTokenDsHash) jwt.deserializeClaims(IdTokenDsHash.Companion.serializer())).getDsHash();
        if (dsHash == null) {
            return Unit.INSTANCE;
        }
        ByteString byteString = ByteString.EMPTY;
        byte[] bytes = str.getBytes(Charsets.US_ASCII);
        Intrinsics.checkNotNullExpressionValue(bytes, "this as java.lang.String).getBytes(charset)");
        ByteString digest$okio = Options.Companion.of$default(bytes).digest$okio("SHA-256");
        if (Intrinsics.areEqual(StringsKt__StringsKt.trimEnd(digest$okio.substring(digest$okio.data.length / 2).base64Url(), '='), dsHash)) {
            return Unit.INSTANCE;
        }
        throw new DeviceSecretValidator.Error("ID Token ds_hash didn't match the device secret.");
    }
}
