package com.auth0.utils.tokens;

import com.auth0.exception.IdTokenValidationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.utils.Asserts;
import java.util.Calendar;
import java.util.Date;
import java.util.List;

/* loaded from: input_file:com/auth0/utils/tokens/IdTokenVerifier.class */
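/**
 * Validates the claims of an ID token after its signature has been checked by the
 * configured {@link SignatureVerifier}.
 *
 * <p>Checks performed by {@link #verify(String, String, Integer)}, in order: signature
 * (delegated), {@code iss}, {@code sub}, {@code aud}, optional {@code org_id}, {@code exp},
 * presence of {@code iat}, optional {@code nonce}, {@code azp} when the token carries several
 * audiences, and optional {@code auth_time} against a maximum authentication age.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The {@code nonce} is only compared when an expected value is passed in. The one- and
 *       two-argument overloads that pass {@code null} perform no nonce check at all.</li>
 *   <li>{@code iat} is only required to be present; it is not compared with the current time.</li>
 *   <li>Exception messages embed claim values taken from the token and the expected values
 *       (including the expected nonce), so treat them as potentially sensitive when logging.</li>
 * </ul>
 *
 * <p>Instances hold only final fields set at construction time.
 */
public final class IdTokenVerifier {
    /** Clock-skew allowance, in seconds, used when the builder did not set one. */
    private static final Integer DEFAULT_LEEWAY = 60;
    private static final String NONCE_CLAIM = "nonce";
    private static final String AZP_CLAIM = "azp";
    private static final String AUTH_TIME_CLAIM = "auth_time";
    private static final String ORG_ID_CLAIM = "org_id";
    private final String issuer;
    private final String audience;
    private final Integer leeway;
    // Fixed "current time" override; null means the system time is read on every verify call.
    private final Date clock;
    private final SignatureVerifier signatureVerifier;
    private final String organization;

    /**
     * Collects the expected issuer, audience and signature verifier (all mandatory) plus the
     * optional leeway, organization and clock override.
     */
    public static class Builder {
        private final String issuer;
        private final String audience;
        private final SignatureVerifier signatureVerifier;
        private Integer leeway;
        private Date clock;
        private String organization;

        private Builder(String issuer, String audience, SignatureVerifier signatureVerifier) {
            Asserts.assertNotNull(issuer, "issuer");
            Asserts.assertNotNull(audience, "audience");
            Asserts.assertNotNull(signatureVerifier, "signatureVerifier");
            this.issuer = issuer;
            this.audience = audience;
            this.signatureVerifier = signatureVerifier;
        }

        /**
         * Sets the clock-skew allowance in seconds; {@code null} selects the default of 60.
         *
         * <p>The value is not range-checked here. It is added to {@code exp} and to the
         * {@code auth_time} limit, so a large value widens the window in which an expired
         * token is still accepted and a negative value narrows it.
         *
         * @param leeway allowance in seconds, or {@code null} for the default
         * @return this builder
         */
        public Builder withLeeway(Integer leeway) {
            this.leeway = leeway;
            return this;
        }

        /**
         * Sets the organization id the token's {@code org_id} claim must equal. When left
         * unset ({@code null}) the {@code org_id} claim is not inspected at all.
         *
         * @param organization expected {@code org_id} value, or {@code null} to skip the check
         * @return this builder
         */
        public Builder withOrganization(String organization) {
            this.organization = organization;
            return this;
        }

        /**
         * Pins the instant used as "now" for the time-based checks. Package-private;
         * NOTE(review): presumably intended for tests only - confirm, since a pinned clock
         * in production would freeze expiry evaluation.
         */
        Builder withClock(Date clock) {
            this.clock = clock;
            return this;
        }

        /**
         * @return a verifier configured with the values collected so far
         */
        public IdTokenVerifier build() {
            return new IdTokenVerifier(this);
        }
    }

    private IdTokenVerifier(Builder builder) {
        this.issuer = builder.issuer;
        this.audience = builder.audience;
        this.leeway = builder.leeway;
        this.signatureVerifier = builder.signatureVerifier;
        this.clock = builder.clock;
        this.organization = builder.organization;
    }

    /**
     * Starts building a verifier.
     *
     * @param issuer expected {@code iss} value; must not be null
     * @param audience expected {@code aud} member (and {@code azp} value for multi-audience
     *     tokens); must not be null
     * @param signatureVerifier verifier that checks the token signature and decodes it; must
     *     not be null
     * @return a new builder
     */
    public static Builder init(String issuer, String audience, SignatureVerifier signatureVerifier) {
        return new Builder(issuer, audience, signatureVerifier);
    }

    /**
     * Verifies the token without a nonce check and without a maximum authentication age.
     *
     * @param idToken the encoded ID token
     * @throws IdTokenValidationException if any check fails
     */
    public void verify(String idToken) throws IdTokenValidationException {
        verify(idToken, null);
    }

    /**
     * Verifies the token and, when {@code nonce} is non-null, that its {@code nonce} claim
     * equals it. No maximum authentication age is enforced.
     *
     * @param idToken the encoded ID token
     * @param nonce expected nonce, or {@code null} to skip the nonce check
     * @throws IdTokenValidationException if any check fails
     */
    public void verify(String idToken, String nonce) throws IdTokenValidationException {
        verify(idToken, nonce, null);
    }

    /**
     * Verifies the token signature and claims.
     *
     * @param idToken the encoded ID token; null or empty is rejected
     * @param nonce expected {@code nonce} claim value, or {@code null} to skip the nonce check
     * @param maxAuthenticationAge maximum number of seconds allowed since {@code auth_time},
     *     or {@code null} to skip the check; the value is not range-checked
     * @throws IdTokenValidationException if the token is missing or any claim check fails;
     *     whatever {@code SignatureVerifier.verifySignature} throws also propagates
     */
    public void verify(String idToken, String nonce, Integer maxAuthenticationAge) throws IdTokenValidationException {
        if (isEmpty(idToken)) {
            throw new IdTokenValidationException("ID token is required but missing");
        }

        // Every claim below is read from the object returned by the signature verifier,
        // never from the raw token string.
        DecodedJWT decoded = this.signatureVerifier.verifySignature(idToken);

        if (isEmpty(decoded.getIssuer())) {
            throw new IdTokenValidationException("Issuer (iss) claim must be a string present in the ID token");
        }
        if (!decoded.getIssuer().equals(this.issuer)) {
            throw new IdTokenValidationException(String.format("Issuer (iss) claim mismatch in the ID token, expected \"%s\", found \"%s\"", this.issuer, decoded.getIssuer()));
        }

        if (isEmpty(decoded.getSubject())) {
            throw new IdTokenValidationException("Subject (sub) claim must be a string present in the ID token");
        }

        List<String> tokenAudience = decoded.getAudience();
        if (tokenAudience == null) {
            throw new IdTokenValidationException("Audience (aud) claim must be a string or array of strings present in the ID token");
        }
        if (!tokenAudience.contains(this.audience)) {
            throw new IdTokenValidationException(String.format("Audience (aud) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", this.audience, decoded.getAudience()));
        }

        // The organization check runs only when an organization was configured.
        if (this.organization != null) {
            String orgId = decoded.getClaim(ORG_ID_CLAIM).asString();
            if (isEmpty(orgId)) {
                throw new IdTokenValidationException("Organization Id (org_id) claim must be a string present in the ID token");
            }
            if (!this.organization.equals(orgId)) {
                throw new IdTokenValidationException(String.format("Organization (org_id) claim mismatch in the ID token; expected \"%s\" but found \"%s\"", this.organization, orgId));
            }
        }

        Date now = this.clock != null ? this.clock : new Date();
        int leewaySeconds = this.leeway != null ? this.leeway : DEFAULT_LEEWAY;

        if (decoded.getExpiresAt() == null) {
            throw new IdTokenValidationException("Expiration Time (exp) claim must be a number present in the ID token");
        }
        // The token is accepted until exp + leeway.
        Date expiryLimit = addSeconds(decoded.getExpiresAt(), leewaySeconds);
        if (now.after(expiryLimit)) {
            throw new IdTokenValidationException(String.format("Expiration Time (exp) claim error in the ID token; current time (%d) is after expiration time (%d)", now.getTime() / 1000, expiryLimit.getTime() / 1000));
        }

        // iat must be present but is not compared with the current time. The original code
        // computed "iat - leeway" here and never used the result; that dead arithmetic was
        // dropped. Add an explicit comparison if tokens issued in the future must be rejected.
        if (decoded.getIssuedAt() == null) {
            throw new IdTokenValidationException("Issued At (iat) claim must be a number present in the ID token");
        }

        // The nonce is checked only when the caller supplies the value it expects.
        if (nonce != null) {
            String tokenNonce = decoded.getClaim(NONCE_CLAIM).asString();
            if (isEmpty(tokenNonce)) {
                throw new IdTokenValidationException("Nonce (nonce) claim must be a string present in the ID token");
            }
            if (!nonce.equals(tokenNonce)) {
                throw new IdTokenValidationException(String.format("Nonce (nonce) claim mismatch in the ID token; expected \"%s\", found \"%s\"", nonce, tokenNonce));
            }
        }

        // With several audiences, azp must name this client.
        if (tokenAudience.size() > 1) {
            String authorizedParty = decoded.getClaim(AZP_CLAIM).asString();
            if (isEmpty(authorizedParty)) {
                throw new IdTokenValidationException("Authorized Party (azp) claim must be a string present in the ID token when Audience (aud) claim has multiple values");
            }
            if (!this.audience.equals(authorizedParty)) {
                throw new IdTokenValidationException(String.format("Authorized Party (azp) claim mismatch in the ID token; expected \"%s\", found \"%s\"", this.audience, authorizedParty));
            }
        }

        if (maxAuthenticationAge != null) {
            Date authTime = decoded.getClaim(AUTH_TIME_CLAIM).asDate();
            if (authTime == null) {
                throw new IdTokenValidationException("Authentication Time (auth_time) claim must be a number present in the ID token when Max Age (max_age) is specified");
            }
            // Last acceptable instant is auth_time + max age + leeway.
            Date authLimit = addSeconds(addSeconds(authTime, maxAuthenticationAge), leewaySeconds);
            if (now.after(authLimit)) {
                throw new IdTokenValidationException(String.format("Authentication Time (auth_time) claim in the ID token indicates that too much time has passed since the last end-user authentication. Current time (%d) is after last auth at (%d)", now.getTime() / 1000, authLimit.getTime() / 1000));
            }
        }
    }

    /** Returns {@code base} shifted by {@code seconds} (which may be negative). */
    private static Date addSeconds(Date base, int seconds) {
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(base);
        // Calendar.SECOND replaces the bare field number 13 left by the decompiler.
        calendar.add(Calendar.SECOND, seconds);
        return calendar.getTime();
    }

    /** Returns true for a null or zero-length string. */
    private boolean isEmpty(String value) {
        return value == null || value.isEmpty();
    }
}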
