package com.google.crypto.tink.jwt;

import com.google.errorprone.annotations.CanIgnoreReturnValue;
import com.google.errorprone.annotations.Immutable;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Optional;

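/**
 * Holds the header and claim expectations that a {@code RawJwt} must meet before it is wrapped
 * in a {@code VerifiedJwt}.
 *
 * <p>This listing is decompiler output: field names ({@code f38836a} ...) and the single-letter
 * method names on this class and on {@code RawJwt} are generated, not the author's. What each
 * {@code RawJwt} accessor returns is inferred below from the error text next to it.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Nothing in this class checks a signature or MAC. {@link #b(RawJwt)} looks only at the
 *       typ header and the exp / nbf / iat / iss / aud claims, so the token's integrity has to
 *       be established before it is passed in.
 *   <li>The defaults are strict. A token carrying a typ header, issuer or audience that was not
 *       configured here is rejected, and so is a token without an expiration. Each
 *       {@code ignore*()} / {@code allowMissing*()} switch on the builder removes one of those
 *       rejections and should be a deliberate choice.
 *   <li>Some exception messages embed values taken from the token (issuer, typ header).
 *       Treat those messages as untrusted text when logging or displaying them.
 * </ul>
 */
@Immutable
/* loaded from: classes4.dex */
public final class JwtValidator {

    /** Largest clock skew {@link Builder#setClockSkew} accepts: 10 minutes. (jadx: renamed from {@code k}.) */
    public static final Duration f38835k = Duration.ofMinutes(10L);

    /** Expected typ header, if one was configured. (jadx: renamed from {@code a}.) */
    public final Optional<String> f38836a;

    /** True when a typ header on the token is tolerated without an expectation. (jadx: renamed from {@code b}.) */
    public final boolean f38837b;

    /** Expected issuer, if one was configured. (jadx: renamed from {@code c}.) */
    public final Optional<String> f38838c;

    /** True when an issuer on the token is tolerated without an expectation. (jadx: renamed from {@code d}.) */
    public final boolean f38839d;

    /** Expected audience, if one was configured. (jadx: renamed from {@code e}.) */
    public final Optional<String> f38840e;

    /** True when audiences on the token are tolerated without an expectation. (jadx: renamed from {@code f}.) */
    public final boolean f38841f;

    /** True when a token without an expiration is accepted. (jadx: renamed from {@code g}.) */
    public final boolean f38842g;

    /** True when an issued-at claim is required and must not lie in the future. (jadx: renamed from {@code h}.) */
    public final boolean f38843h;

    /** Time source for all timestamp checks. (jadx: renamed from {@code i}.) */
    public final Clock f38844i;

    /** Tolerance applied to every timestamp comparison. (jadx: renamed from {@code j}.) */
    public final Duration f38845j;

    /**
     * Mutable configuration for a {@link JwtValidator}. Starts with the system UTC clock, zero
     * clock skew, no expectations and every relaxation switched off.
     */
    /* loaded from: classes4.dex */
    public static final class Builder {

        /** Expected typ header; see {@link #expectTypeHeader}. (jadx: renamed from {@code a}.) */
        public Optional<String> f38846a;

        /** Set by {@link #ignoreTypeHeader}. (jadx: renamed from {@code b}.) */
        public boolean f38847b;

        /** Expected issuer; see {@link #expectIssuer}. (jadx: renamed from {@code c}.) */
        public Optional<String> f38848c;

        /** Set by {@link #ignoreIssuer}. (jadx: renamed from {@code d}.) */
        public boolean f38849d;

        /** Expected audience; see {@link #expectAudience}. (jadx: renamed from {@code e}.) */
        public Optional<String> f38850e;

        /** Set by {@link #ignoreAudiences}. (jadx: renamed from {@code f}.) */
        public boolean f38851f;

        /** Set by {@link #allowMissingExpiration}. (jadx: renamed from {@code g}.) */
        public boolean f38852g;

        /** Set by {@link #expectIssuedInThePast}. (jadx: renamed from {@code h}.) */
        public boolean f38853h;

        /** Time source; see {@link #setClock}. (jadx: renamed from {@code i}.) */
        public Clock f38854i;

        /** Clock skew; see {@link #setClockSkew}. (jadx: renamed from {@code j}.) */
        public Duration f38855j;

        /** Creates a builder with the strict defaults described on the class. */
        public Builder() {
            this.f38854i = Clock.systemUTC();
            this.f38855j = Duration.ZERO;
            this.f38846a = Optional.empty();
            this.f38847b = false;
            this.f38848c = Optional.empty();
            this.f38849d = false;
            this.f38850e = Optional.empty();
            this.f38851f = false;
            this.f38852g = false;
            this.f38853h = false;
        }

        /**
         * Accepts tokens that carry no expiration.
         *
         * <p>With this set, such a token passes the expiry check in
         * {@link JwtValidator#e(RawJwt)} at any time, so limiting its lifetime has to be handled
         * by some other means.
         */
        @CanIgnoreReturnValue
        public Builder allowMissingExpiration() {
            this.f38852g = true;
            return this;
        }

        /**
         * Creates the validator.
         *
         * @throws IllegalArgumentException if an {@code ignore*()} switch was combined with the
         *     matching {@code expect*()} value
         */
        public JwtValidator build() {
            if (this.f38847b && this.f38846a.isPresent()) {
                throw new IllegalArgumentException("ignoreTypeHeader() and expectedTypeHeader() cannot be used together.");
            }
            if (this.f38849d && this.f38848c.isPresent()) {
                throw new IllegalArgumentException("ignoreIssuer() and expectedIssuer() cannot be used together.");
            }
            if (this.f38851f && this.f38850e.isPresent()) {
                throw new IllegalArgumentException("ignoreAudiences() and expectedAudience() cannot be used together.");
            }
            return new JwtValidator(this);
        }

        /**
         * Requires the token's audiences to contain {@code str}.
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectAudience(String str) {
            if (str == null) {
                throw new NullPointerException("audience cannot be null");
            }
            this.f38850e = Optional.of(str);
            return this;
        }

        /** Requires an issued-at claim that is not later than now plus the clock skew. */
        @CanIgnoreReturnValue
        public Builder expectIssuedInThePast() {
            this.f38853h = true;
            return this;
        }

        /**
         * Requires the token's issuer to equal {@code str}.
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectIssuer(String str) {
            if (str == null) {
                throw new NullPointerException("issuer cannot be null");
            }
            this.f38848c = Optional.of(str);
            return this;
        }

        /**
         * Requires the token's typ header to equal {@code str}.
         *
         * @throws NullPointerException if {@code str} is null
         */
        @CanIgnoreReturnValue
        public Builder expectTypeHeader(String str) {
            if (str == null) {
                throw new NullPointerException("typ header cannot be null");
            }
            this.f38846a = Optional.of(str);
            return this;
        }

        /**
         * Stops rejecting tokens that carry audiences when no audience is expected.
         *
         * <p>With this set the audience claim is not examined at all, so a token addressed to a
         * different recipient passes this validator.
         */
        @CanIgnoreReturnValue
        public Builder ignoreAudiences() {
            this.f38851f = true;
            return this;
        }

        /**
         * Stops rejecting tokens that carry an issuer when no issuer is expected.
         *
         * <p>With this set the issuer claim is not examined at all.
         */
        @CanIgnoreReturnValue
        public Builder ignoreIssuer() {
            this.f38849d = true;
            return this;
        }

        /**
         * Stops rejecting tokens that carry a typ header when none is expected.
         *
         * <p>With this set the typ header is not examined at all.
         */
        @CanIgnoreReturnValue
        public Builder ignoreTypeHeader() {
            this.f38847b = true;
            return this;
        }

        /**
         * Replaces the time source used for the exp / nbf / iat checks.
         *
         * <p>Whoever controls this clock controls which tokens count as expired.
         *
         * @throws NullPointerException if {@code clock} is null
         */
        @CanIgnoreReturnValue
        public Builder setClock(Clock clock) {
            if (clock == null) {
                throw new NullPointerException("clock cannot be null");
            }
            this.f38854i = clock;
            return this;
        }

        /**
         * Sets the tolerance applied to every timestamp comparison.
         *
         * <p>A larger skew keeps expired tokens usable for that much longer and admits
         * not-yet-valid tokens that much earlier; keep it as small as the deployment allows.
         *
         * @throws NullPointerException if {@code duration} is null
         * @throws IllegalArgumentException if {@code duration} exceeds 10 minutes
         */
        @CanIgnoreReturnValue
        public Builder setClockSkew(Duration duration) {
            // A null argument already raised NullPointerException from compareTo(); the explicit
            // check gives it a message, matching the other setters.
            if (duration == null) {
                throw new NullPointerException("clock skew cannot be null");
            }
            // NOTE(review): negative durations are not rejected. They shrink the acceptance
            // window in e() rather than widen it, so they fail closed, but are most likely a
            // configuration mistake.
            if (duration.compareTo(JwtValidator.f38835k) > 0) {
                throw new IllegalArgumentException("Clock skew too large, max is 10 minutes");
            }
            this.f38855j = duration;
            return this;
        }
    }

    /**
     * Copies the builder's settings.
     *
     * <p>The conflict checks live in {@link Builder#build()} and are not repeated here; prefer
     * {@code build()} over calling this constructor directly.
     */
    public JwtValidator(Builder builder) {
        this.f38836a = builder.f38846a;
        this.f38837b = builder.f38847b;
        this.f38838c = builder.f38848c;
        this.f38839d = builder.f38849d;
        this.f38840e = builder.f38850e;
        this.f38841f = builder.f38851f;
        this.f38842g = builder.f38852g;
        this.f38843h = builder.f38853h;
        this.f38844i = builder.f38854i;
        this.f38845j = builder.f38855j;
    }

    /** Returns a builder with the strict defaults. */
    public static Builder newBuilder() {
        return new Builder();
    }

    /**
     * Runs the timestamp, typ header, issuer and audience checks, in that order, and wraps the
     * token once all of them pass.
     *
     * <p>No signature or MAC is checked here; the caller must have done that already.
     *
     * @throws JwtInvalidException from the first check that fails
     */
    public VerifiedJwt b(RawJwt rawJwt) {
        e(rawJwt);
        f(rawJwt);
        d(rawJwt);
        c(rawJwt);
        return new VerifiedJwt(rawJwt);
    }

    /**
     * Audience check. {@code rawJwt.s()} and {@code rawJwt.c()} appear to be "has audiences"
     * and "get audiences" (inferred from the error text).
     *
     * @throws JwtInvalidException if the expected audience is missing, or if the token has
     *     audiences while none is expected and they are not ignored
     */
    public final void c(RawJwt rawJwt) {
        if (this.f38840e.isPresent()) {
            String expected = this.f38840e.get();
            if (!rawJwt.s() || !rawJwt.c().contains(expected)) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected audience %s.", expected));
            }
            return;
        }
        // No audience configured: a token that names one is rejected unless explicitly ignored.
        if (rawJwt.s() && !this.f38841f) {
            throw new JwtInvalidException("invalid JWT; token has audience set, but validator not.");
        }
    }

    /**
     * Issuer check. {@code rawJwt.w()} and {@code rawJwt.h()} appear to be "has issuer" and
     * "get issuer" (inferred from the error text).
     *
     * @throws JwtInvalidException if the issuer is missing or different from the expected one,
     *     or if the token has an issuer while none is expected and it is not ignored
     */
    public final void d(RawJwt rawJwt) {
        if (this.f38838c.isPresent()) {
            String expected = this.f38838c.get();
            if (!rawJwt.w()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected issuer %s.", expected));
            }
            if (!rawJwt.h().equals(expected)) {
                // The message carries the issuer string taken from the token.
                throw new JwtInvalidException(String.format("invalid JWT; expected issuer %s, but got %s", expected, rawJwt.h()));
            }
            return;
        }
        // No issuer configured: a token that names one is rejected unless explicitly ignored.
        if (rawJwt.w() && !this.f38839d) {
            throw new JwtInvalidException("invalid JWT; token has issuer set, but validator not.");
        }
    }

    /**
     * Timestamp checks against the configured clock and skew. The accessor pairs
     * {@code u()/e()}, {@code A()/m()} and {@code v()/g()} appear to be expiration, not-before
     * and issued-at respectively (inferred from the error text).
     *
     * @throws JwtInvalidException if the expiration is missing and not allowed to be, if the
     *     token has expired, if it is not yet usable, or if an issued-at claim is required and
     *     is missing or in the future
     */
    public final void e(RawJwt rawJwt) {
        Instant now = this.f38844i.instant();
        if (!rawJwt.u() && !this.f38842g) {
            throw new JwtInvalidException("token does not have an expiration set");
        }
        // Strict comparison: a token whose expiration equals now minus skew is already expired.
        if (rawJwt.u() && !rawJwt.e().isAfter(now.minus(this.f38845j))) {
            throw new JwtInvalidException("token has expired since " + rawJwt.e());
        }
        if (rawJwt.A() && rawJwt.m().isAfter(now.plus(this.f38845j))) {
            throw new JwtInvalidException("token cannot be used before " + rawJwt.m());
        }
        // The issued-at claim is only examined when expectIssuedInThePast() was requested.
        if (this.f38843h) {
            if (!rawJwt.v()) {
                throw new JwtInvalidException("token does not have an iat claim");
            }
            if (rawJwt.g().isAfter(now.plus(this.f38845j))) {
                throw new JwtInvalidException("token has a invalid iat claim in the future: " + rawJwt.g());
            }
        }
    }

    /**
     * Typ header check. {@code rawJwt.E()} and {@code rawJwt.r()} appear to be "has type
     * header" and "get type header" (inferred from the error text).
     *
     * @throws JwtInvalidException if the typ header is missing or different from the expected
     *     one, or if the token has a typ header while none is expected and it is not ignored
     */
    public final void f(RawJwt rawJwt) {
        if (this.f38836a.isPresent()) {
            String expected = this.f38836a.get();
            if (!rawJwt.E()) {
                throw new JwtInvalidException(String.format("invalid JWT; missing expected type header %s.", expected));
            }
            if (!rawJwt.r().equals(expected)) {
                // The message carries the typ header string taken from the token.
                throw new JwtInvalidException(String.format("invalid JWT; expected type header %s, but got %s", expected, rawJwt.r()));
            }
            return;
        }
        // No typ header configured: a token that sets one is rejected unless explicitly ignored.
        if (rawJwt.E() && !this.f38837b) {
            throw new JwtInvalidException("invalid JWT; token has type header set, but validator not.");
        }
    }

    /**
     * Lists the non-default settings as {@code JwtValidator{a,b,...}}. The clock is not
     * included, and the skew is listed only when it is non-zero.
     */
    @Override
    public String toString() {
        ArrayList<String> parts = new ArrayList<>();
        if (this.f38836a.isPresent()) {
            parts.add("expectedTypeHeader=" + this.f38836a.get());
        }
        if (this.f38837b) {
            parts.add("ignoreTypeHeader");
        }
        if (this.f38838c.isPresent()) {
            parts.add("expectedIssuer=" + this.f38838c.get());
        }
        if (this.f38839d) {
            parts.add("ignoreIssuer");
        }
        if (this.f38840e.isPresent()) {
            parts.add("expectedAudience=" + this.f38840e.get());
        }
        if (this.f38841f) {
            parts.add("ignoreAudiences");
        }
        if (this.f38842g) {
            parts.add("allowMissingExpiration");
        }
        if (this.f38843h) {
            parts.add("expectIssuedInThePast");
        }
        if (!this.f38845j.isZero()) {
            parts.add("clockSkew=" + this.f38845j);
        }
        return "JwtValidator{" + String.join(",", parts) + "}";
    }
}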
