package jp.co.yahoo.yconnect.core.oidc;

import android.util.Base64;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import jp.co.yahoo.yconnect.core.api.ApiClientException;
import jp.co.yahoo.yconnect.core.util.YConnectLogger;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: classes2.dex */
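/**
 * Verifies an OpenID Connect ID Token (a three-part JWT): RSA signature, issuer,
 * audience, nonce, expiry, issue time and, optionally, {@code c_hash}, {@code at_hash}
 * and {@code auth_time}.
 *
 * <p>Every check either passes or throws; no method in this class reports a payload
 * failure through its return value.
 *
 * <p>NOTE(review): {@link #currentTime} is a shared static written by
 * {@link #verifySignature(String)} and read by the payload checks, with no
 * synchronization visible in this class. Concurrent calls to {@link #verify} can
 * therefore observe each other's timestamp; confirm callers serialize verification.
 */
public class IdTokenVerification {
    /** Maximum accepted age of the {@code iat} claim; the debug output labels the unit as seconds. */
    private static final long ACCEPTABLE_RANGE = 600;
    private static final int HEADER = 0;
    private static final int IDTOKEN_JWT_LENGTH = 3;
    private static final String ISSUER = "https://auth.login.yahoo.co.jp/yconnect/v2";
    private static final int PAYLOAD = 1;
    private static final int SIGNATURE = 2;
    private static final String TAG = "IdTokenVerification";
    /** Reference time taken from {@code PublicKeysClient.getCurrentTime()} during signature verification. */
    private static long currentTime;

    /**
     * Runs the mandatory checks: signature first, then the payload claims.
     *
     * <p>The order matters: {@link #verifySignature(String)} is what sets
     * {@link #currentTime}, which the payload checks read, and no claim is trusted
     * before the signature has been accepted.
     *
     * @param clientId expected audience
     * @param nonce    expected nonce
     * @param idToken  serialized ID Token
     * @return always {@code true}; failures are reported by exception
     * @throws IdTokenException if the signature or any claim is rejected
     */
    private static boolean commonVerify(String clientId, String nonce, String idToken) throws IdTokenException, ApiClientException, PublicKeysException {
        if (!verifySignature(idToken)) {
            throw new IdTokenException("Invalid Signature.", "ID Token signature is invalid.");
        }
        verifyCommonPayload(clientId, nonce, idToken);
        return true;
    }

    /**
     * Computes the value a {@code c_hash}/{@code at_hash} claim is compared with: the
     * left half of the SHA-256 digest of {@code value}, base64url encoded.
     *
     * <p>The encoding is emitted without padding and without a trailing line break so
     * that the result can be compared for equality. With the bare URL_SAFE flag the
     * encoder appends both, which forces callers into a prefix comparison.
     *
     * @param value authorization code or access token
     * @return unpadded base64url encoding of the left half of the digest
     * @throws IdTokenException if SHA-256 is not available
     */
    private static String getEncodeString(String value) throws IdTokenException {
        try {
            // "SHA-256" is the standard algorithm name; "SHA256" is only a provider alias.
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            // NOTE(review): getBytes() uses the platform charset; presumably UTF-8 on Android - confirm.
            messageDigest.update(value.getBytes());
            byte[] digest = messageDigest.digest();
            byte[] leftHalf = new byte[digest.length / 2];
            System.arraycopy(digest, 0, leftHalf, 0, leftHalf.length);
            return Base64.encodeToString(leftHalf, Base64.URL_SAFE | Base64.NO_PADDING | Base64.NO_WRAP);
        } catch (NoSuchAlgorithmException e) {
            throw new IdTokenException("Failed to verification.", e.getMessage());
        }
    }

    /**
     * Tells whether a hash claim from the token equals the hash computed from
     * {@code value}.
     *
     * <p>An absent or empty claim never matches. A prefix comparison would accept it,
     * because every string starts with the empty string, and would likewise accept a
     * truncated hash. Trailing {@code '='} padding on the claim is ignored so that a
     * padded and an unpadded claim are treated alike.
     */
    private static boolean matchesHashClaim(String value, String claim) throws IdTokenException {
        if (claim == null) {
            return false;
        }
        int end = claim.length();
        while (end > 0 && claim.charAt(end - 1) == '=') {
            end--;
        }
        if (end == 0) {
            return false;
        }
        return getEncodeString(value).equals(claim.substring(0, end));
    }

    /**
     * Splits a serialized ID Token into header, payload and signature.
     *
     * <p>The split keeps trailing empty segments (limit {@code -1}), so a token with
     * extra trailing dots is counted as having more than three parts and is rejected
     * instead of being silently trimmed to three.
     *
     * @throws IdTokenException if the token does not have exactly three parts
     */
    private static String[] getIdTokenJwtParts(String idToken) throws IdTokenException {
        String[] parts = idToken.split("\\.", -1);
        if (parts.length == IDTOKEN_JWT_LENGTH) {
            return parts;
        }
        throw new IdTokenException("Invalid ID Token.", "");
    }

    /** Parses the claims of {@code idToken}; the token is re-parsed on every call. */
    private static IdTokenObject getIdTokenObject(String idToken) throws IdTokenException {
        return new IdTokenObject(idToken);
    }

    /** Decodes one base64url JWT segment, reporting malformed input as an invalid token. */
    private static byte[] decodeSegment(String segment) throws IdTokenException {
        try {
            return Base64.decode(segment, Base64.URL_SAFE);
        } catch (IllegalArgumentException e) {
            // Base64.decode signals bad input with an unchecked exception; a malformed
            // token must be rejected, not crash the caller.
            throw new IdTokenException("Invalid ID Token.", e.getMessage());
        }
    }

    /**
     * Verifies an ID Token and the optional values bound to it.
     *
     * @param str  serialized ID Token
     * @param str2 expected client id (audience)
     * @param str3 expected nonce
     * @param str4 authorization code to check against {@code c_hash}, or {@code null} to skip
     * @param str5 access token to check against {@code at_hash}, or {@code null} to skip
     * @param str6 maximum accepted {@code currentTime - auth_time}, as a decimal string,
     *             or {@code null} to skip
     * @return always {@code true}; failures are reported by exception
     * @throws IdTokenException if any check fails or {@code str6} is not a number
     */
    public static boolean verify(String str, String str2, String str3, String str4, String str5, String str6) throws IdTokenException, ApiClientException, PublicKeysException {
        commonVerify(str2, str3, str);
        if (str4 != null) {
            verifyChash(str4, str);
        }
        if (str5 != null) {
            verifyAthash(str5, str);
        }
        if (str6 == null) {
            return true;
        }
        long maxAge;
        try {
            maxAge = Long.parseLong(str6);
        } catch (NumberFormatException e) {
            // Report a malformed limit through the declared failure channel instead of
            // letting an unchecked exception escape the verifier.
            throw new IdTokenException("Invalid max age.", e.getMessage());
        }
        verifyAuthTime(str, maxAge);
        return true;
    }

    /**
     * Checks that the token's {@code at_hash} claim is bound to {@code accessToken}.
     *
     * @throws IdTokenException if the claim is absent, empty or does not match
     */
    private static boolean verifyAthash(String accessToken, String idToken) throws IdTokenException {
        if (matchesHashClaim(accessToken, getIdTokenObject(idToken).getAtHash())) {
            return true;
        }
        YConnectLogger.error(TAG, "Not match Access Token.");
        throw new IdTokenException("Not match Access Token.", "The AccessToken did not match.");
    }

    /**
     * Checks that the authentication happened no longer than {@code maxAge} before
     * {@link #currentTime}.
     *
     * <p>NOTE(review): an {@code auth_time} later than {@code currentTime} gives a
     * negative difference and passes; what {@code getAuthTime()} returns when the claim
     * is absent is not visible here - confirm.
     *
     * @throws IdTokenException if the authentication is older than {@code maxAge}
     */
    private static boolean verifyAuthTime(String idToken, long maxAge) throws IdTokenException {
        long authTime = getIdTokenObject(idToken).getAuthTime();
        long elapsed = currentTime - authTime;
        if (elapsed > maxAge) {
            YConnectLogger.error(TAG, "Over acceptable auth time.");
            throw new IdTokenException("Over acceptable auth time.", "This access has expired possible.");
        }
        YConnectLogger.debug(TAG, "Current time - authTime = " + elapsed + " sec");
        YConnectLogger.debug(TAG, "Issued time: " + authTime + "(Current Time: " + currentTime + ")");
        return true;
    }

    /**
     * Checks that the token's {@code c_hash} claim is bound to {@code code}.
     *
     * @throws IdTokenException if the claim is absent, empty or does not match
     */
    private static boolean verifyChash(String code, String idToken) throws IdTokenException {
        if (matchesHashClaim(code, getIdTokenObject(idToken).getCHash())) {
            return true;
        }
        YConnectLogger.error(TAG, "Not match Authorization Code.");
        throw new IdTokenException("Not match Authorization Code.", "The Authorization Code did not match.");
    }

    /**
     * Checks issuer, audience, nonce, expiry and issue time.
     *
     * <p>Must run after {@link #verifySignature(String)}, which sets
     * {@link #currentTime}. Comparisons are written so that a {@code null} expected
     * value or claim is rejected rather than raising a NullPointerException.
     *
     * @param clientId expected audience
     * @param nonce    expected nonce
     * @param idToken  serialized ID Token
     * @return always {@code true}; failures are reported by exception
     * @throws IdTokenException if any claim is rejected
     */
    private static boolean verifyCommonPayload(String clientId, String nonce, String idToken) throws IdTokenException {
        IdTokenObject idTokenObject = getIdTokenObject(idToken);
        String iss = idTokenObject.getIss();
        String aud = idTokenObject.getAud();
        String tokenNonce = idTokenObject.getNonce();
        if (!ISSUER.equals(iss)) {
            YConnectLogger.error(TAG, "Invalid issuer.");
            throw new IdTokenException("Invalid issuer.", "The issuer did not match.");
        }
        if (aud != null && !aud.equals("")) {
            try {
                // Only the first audience entry is compared with the client id.
                // NOTE(review): further entries and any azp claim are not examined.
                aud = new JSONArray(aud).getString(0);
            } catch (JSONException e) {
                throw new IdTokenException("Invalid ID Token.", e.getMessage());
            }
        }
        if (clientId == null || !clientId.equals(aud)) {
            throw new IdTokenException("Invalid audience.", "The client id did not match.");
        }
        // NOTE(review): if getNonce() yields "" for an absent claim, an empty expected
        // nonce still matches; confirm callers always pass the nonce they sent.
        if (nonce == null || !nonce.equals(tokenNonce)) {
            YConnectLogger.error(TAG, "Not match nonce.");
            throw new IdTokenException("Not match nonce.", "The nonce did not match.");
        }
        long exp = idTokenObject.getExp();
        long iat = idTokenObject.getIat();
        if (exp < currentTime) {
            YConnectLogger.error(TAG, "Expired ID Token.");
            throw new IdTokenException("Expired ID Token.", "Re-issue Id Token.");
        }
        YConnectLogger.debug(TAG, "Expiraiton: " + exp + "(Current Time: " + currentTime + ")");
        // NOTE(review): only an iat too far in the past is rejected; an iat in the
        // future gives a negative age and passes.
        long age = currentTime - iat;
        if (age > ACCEPTABLE_RANGE) {
            YConnectLogger.error(TAG, "Over acceptable range.");
            throw new IdTokenException("Over acceptable range.", "This access has expired possible.");
        }
        YConnectLogger.debug(TAG, "Current time - iat = " + age + " sec");
        YConnectLogger.debug(TAG, "Issued time: " + iat + "(Current Time: " + currentTime + ")");
        return true;
    }

    /**
     * Verifies the RSA signature over {@code header.payload} with the public key
     * selected by the header's {@code kid}, and records the client's current time.
     *
     * <p>The algorithm is fixed to SHA256withRSA and the header's {@code alg} value is
     * never read, so the token cannot choose how it is verified. The key is looked up
     * in the set fetched by {@code PublicKeysClient}; the token supplies only the
     * {@code kid} used for the lookup.
     *
     * @return {@code true} if the signature verifies; {@code false} if there is no key
     *         for the {@code kid} or the verification raises an exception
     * @throws IdTokenException if the token is not three base64url segments with a
     *                          JSON header
     */
    private static boolean verifySignature(String idToken) throws IdTokenException, ApiClientException, PublicKeysException {
        String[] parts = getIdTokenJwtParts(idToken);
        String signingInput = parts[HEADER] + "." + parts[PAYLOAD];
        byte[] signatureBytes = decodeSegment(parts[SIGNATURE]);
        try {
            String kid = new JSONObject(new String(decodeSegment(parts[HEADER]))).optString("kid");
            YConnectLogger.debug(TAG, "kid: " + kid);
            PublicKeysClient publicKeysClient = new PublicKeysClient();
            publicKeysClient.fetch();
            // The time-based payload checks compare against this value.
            currentTime = publicKeysClient.getCurrentTime();
            PublicKey publicKey = publicKeysClient.getPublicKey(kid);
            if (publicKey == null) {
                YConnectLogger.warn(TAG, "There is no public key for the kid.");
                return false;
            }
            try {
                Signature verifier = Signature.getInstance("SHA256withRSA");
                verifier.initVerify(publicKey);
                verifier.update(signingInput.getBytes());
                return verifier.verify(signatureBytes);
            } catch (Exception e) {
                // Any failure while verifying is treated as an invalid signature (fail closed).
                YConnectLogger.warn(TAG, e.getMessage());
                return false;
            }
        } catch (JSONException e2) {
            throw new IdTokenException("Invalid ID Token.", e2.getMessage());
        }
    }
}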
