package com.google.firebase.auth.internal;

import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Clock;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.firebase.auth.FirebaseAuthException;
import com.google.firebase.auth.FirebaseToken;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Iterator;

/* loaded from: input_file:com/google/firebase/auth/internal/FirebaseTokenVerifier.class */
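/**
 * Verifies Firebase ID tokens for a single Firebase project.
 *
 * <p>A token is accepted only when its audience and issuer match the configured project, its
 * time claims are valid for the configured clock and skew, and its signature verifies against
 * one of the public keys supplied by the {@link GooglePublicKeysManager}. The keys manager is
 * the trust anchor for signatures: whoever controls the keys it returns controls which tokens
 * are accepted.
 *
 * <p>This listing is decompiler output; two builder methods carry decompiler-assigned names
 * ({@code m26setClock}, {@code m27build}), which are kept here so existing references resolve.
 */
public final class FirebaseTokenVerifier extends IdTokenVerifier {
    /** Issuer prefix; the expected issuer is this prefix followed by the project id. */
    private static final String ISSUER_PREFIX = "https://securetoken.google.com/";

    /** Default location of the X.509 certificates used to check token signatures. */
    @VisibleForTesting
    static final String CLIENT_CERT_URL = "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com";

    /** Error code attached to every {@link FirebaseAuthException} thrown by {@link #verify}. */
    private static final String ERROR_CODE = "ERROR_INVALID_CREDENTIAL";

    // Both fields are assigned once in the constructor and never changed afterwards.
    private final String projectId;
    private final GooglePublicKeysManager publicKeysManager;

    /** Builder for {@link FirebaseTokenVerifier}. */
    public static class Builder extends IdTokenVerifier.Builder {
        String projectId;
        GooglePublicKeysManager publicKeysManager;

        /** Returns the project id set through {@link #setProjectId}, or {@code null} if unset. */
        public String getProjectId() {
            return this.projectId;
        }

        /**
         * Sets the project id and derives the expected issuer and audience from it.
         *
         * <p>The expected issuer becomes {@code ISSUER_PREFIX + projectId} and the expected
         * audience becomes the single value {@code projectId}. A {@code null} argument is not
         * rejected here; the {@link FirebaseTokenVerifier} constructor rejects it later.
         *
         * @param str the Firebase project id
         * @return this builder
         */
        public Builder setProjectId(String str) {
            this.projectId = str;
            // The decompiled body referenced an undefined local (r2) on the empty-string path.
            // Plain concatenation gives the same issuer for every input, including "" and null
            // (null is rendered as "null", exactly as String.valueOf did).
            setIssuer(ISSUER_PREFIX + str);
            setAudience(Collections.singleton(str));
            return this;
        }

        /**
         * Sets the clock used for time checks and returns this builder with its concrete type.
         *
         * <p>Decompiler-renamed: the name in the original class is {@code setClock}.
         *
         * @param clock the clock to use
         * @return this builder
         */
        public Builder m26setClock(Clock clock) {
            return (Builder) super.setClock(clock);
        }

        /** Returns the keys manager set on this builder, or {@code null} if none was set. */
        public GooglePublicKeysManager getPublicKeyManager() {
            return this.publicKeysManager;
        }

        /**
         * Sets the source of public keys that token signatures are checked against.
         *
         * <p>Every key this manager returns is trusted to sign tokens, so a manager pointed at
         * anything other than the intended certificate endpoint changes which tokens verify.
         *
         * @param googlePublicKeysManager the keys manager to use
         * @return this builder
         */
        public Builder setPublicKeysManager(GooglePublicKeysManager googlePublicKeysManager) {
            this.publicKeysManager = googlePublicKeysManager;
            return this;
        }

        /**
         * Builds the verifier, creating a default keys manager when none was supplied.
         *
         * <p>The default manager uses this builder's clock and loads certificates from
         * {@link FirebaseTokenVerifier#CLIENT_CERT_URL}.
         *
         * <p>Decompiler-renamed: the name in the original class is {@code build}.
         *
         * @return a new verifier
         * @throws IllegalArgumentException if no project id was set
         */
        public FirebaseTokenVerifier m27build() {
            if (this.publicKeysManager == null) {
                this.publicKeysManager =
                        new GooglePublicKeysManager.Builder(
                                        new NetHttpTransport.Builder().build(), new GsonFactory())
                                .setClock(getClock())
                                .setPublicCertsEncodedUrl(FirebaseTokenVerifier.CLIENT_CERT_URL)
                                .build();
            }
            return new FirebaseTokenVerifier(this);
        }
    }

    /**
     * Creates a verifier from the builder's settings.
     *
     * @param builder the configured builder
     * @throws IllegalArgumentException if the builder has no project id
     */
    protected FirebaseTokenVerifier(Builder builder) {
        super(builder);
        // NOTE(review): only null is rejected; an empty project id passes this check, and the
        // keys manager is not checked at all (a null manager surfaces as an NPE in verify()).
        Preconditions.checkArgument(builder.projectId != null, "projectId must be set");
        this.projectId = builder.projectId;
        this.publicKeysManager = builder.publicKeysManager;
    }

    /**
     * Verifies a Firebase token against this verifier's project, clock and public keys.
     *
     * <p>Checks run in this order: audience and issuer, then the time window, then the
     * signature. The method never returns {@code false}; every rejection is reported as a
     * {@link FirebaseAuthException}, so callers must not treat a swallowed exception as success.
     *
     * @param firebaseToken the parsed token to verify
     * @return {@code true} when every check passes
     * @throws FirebaseAuthException if the audience, issuer, time window or signature is invalid
     * @throws GeneralSecurityException if signature verification or key loading fails
     * @throws IOException if the public keys cannot be retrieved
     */
    public boolean verify(FirebaseToken firebaseToken) throws FirebaseAuthException, GeneralSecurityException, IOException {
        if (!firebaseToken.verifyAudience(getAudience()) || !firebaseToken.verifyIssuer(getIssuers())) {
            throw new FirebaseAuthException(ERROR_CODE, "Token is not for this app");
        }
        if (!firebaseToken.verifyTime(getClock().currentTimeMillis(), getAcceptableTimeSkewSeconds())) {
            throw new FirebaseAuthException(ERROR_CODE, "Token has expired or is not yet valid");
        }
        if (verifySignature(firebaseToken)) {
            return true;
        }
        throw new FirebaseAuthException(ERROR_CODE, "Token isn't signed by a valid public key");
    }

    /**
     * Reports whether any key from the keys manager verifies the token's signature.
     *
     * <p>Every returned key is tried in turn; no key-id based selection happens here.
     * NOTE(review): whether the token's declared signing algorithm is restricted is decided
     * inside {@code FirebaseToken.verifySignature}, which is not visible in this file - confirm
     * it rejects tokens that declare anything other than the expected algorithm.
     *
     * @param firebaseToken the token whose signature is checked
     * @return {@code true} if at least one key verifies the signature, {@code false} otherwise
     * @throws GeneralSecurityException if signature verification or key loading fails
     * @throws IOException if the public keys cannot be retrieved
     */
    private boolean verifySignature(FirebaseToken firebaseToken) throws GeneralSecurityException, IOException {
        for (PublicKey candidateKey : this.publicKeysManager.getPublicKeys()) {
            if (firebaseToken.verifySignature(candidateKey)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the project id this verifier accepts tokens for. */
    public String getProjectId() {
        return this.projectId;
    }
}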
