package com.google.auth.oauth2;

import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.Credentials;
import j$.util.Objects;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import tt.InterfaceC2502x8;
import tt.Zx;

/* loaded from: classes3.dex */
public class JwtCredentials extends Credentials {
    private static final long CLOCK_SKEW = TimeUnit.MINUTES.toSeconds(5);
    private static final String JWT_ACCESS_PREFIX = "Bearer ";
    private static final String JWT_INCOMPLETE_ERROR_MESSAGE = "JWT claims must contain audience, issuer, and subject.";
    transient InterfaceC2502x8 clock;
    private transient Long expiryInSeconds;
    private transient String jwt;
    private final JwtClaims jwtClaims;
    private final Long lifeSpanSeconds;
    private final Object lock;
    private final PrivateKey privateKey;
    private final String privateKeyId;

    /* loaded from: classes3.dex */
    public static class b {
        private PrivateKey a;
        private String b;
        private JwtClaims c;
        private InterfaceC2502x8 d = InterfaceC2502x8.a;
        private Long e = Long.valueOf(TimeUnit.HOURS.toSeconds(1));

        protected b() {
        }

        public JwtCredentials a() {
            return new JwtCredentials(this);
        }

        InterfaceC2502x8 b() {
            return this.d;
        }

        public JwtClaims c() {
            return this.c;
        }

        public Long d() {
            return this.e;
        }

        public PrivateKey e() {
            return this.a;
        }

        public String f() {
            return this.b;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public b g(InterfaceC2502x8 interfaceC2502x8) {
            this.d = (InterfaceC2502x8) Zx.s(interfaceC2502x8);
            return this;
        }

        public b h(JwtClaims jwtClaims) {
            this.c = (JwtClaims) Zx.s(jwtClaims);
            return this;
        }

        public b i(Long l) {
            this.e = (Long) Zx.s(l);
            return this;
        }

        public b j(PrivateKey privateKey) {
            this.a = (PrivateKey) Zx.s(privateKey);
            return this;
        }

        public b k(String str) {
            this.b = str;
            return this;
        }
    }

    private JwtCredentials(b bVar) {
        this.lock = new byte[0];
        this.privateKey = (PrivateKey) Zx.s(bVar.e());
        this.privateKeyId = bVar.f();
        JwtClaims jwtClaims = (JwtClaims) Zx.s(bVar.c());
        this.jwtClaims = jwtClaims;
        Zx.z(jwtClaims.isComplete(), JWT_INCOMPLETE_ERROR_MESSAGE);
        this.lifeSpanSeconds = (Long) Zx.s(bVar.d());
        this.clock = (InterfaceC2502x8) Zx.s(bVar.b());
    }

    public static b newBuilder() {
        return new b();
    }

    private boolean shouldRefresh() {
        return this.expiryInSeconds == null || getClock().currentTimeMillis() / 1000 > this.expiryInSeconds.longValue() - CLOCK_SKEW;
    }

    public boolean equals(Object obj) {
        if (!(obj instanceof JwtCredentials)) {
            return false;
        }
        JwtCredentials jwtCredentials = (JwtCredentials) obj;
        return Objects.equals(this.privateKey, jwtCredentials.privateKey) && Objects.equals(this.privateKeyId, jwtCredentials.privateKeyId) && Objects.equals(this.jwtClaims, jwtCredentials.jwtClaims) && Objects.equals(this.lifeSpanSeconds, jwtCredentials.lifeSpanSeconds);
    }

    @Override // com.google.auth.Credentials
    public String getAuthenticationType() {
        return "JWT";
    }

    InterfaceC2502x8 getClock() {
        if (this.clock == null) {
            this.clock = InterfaceC2502x8.a;
        }
        return this.clock;
    }

    @Override // com.google.auth.Credentials
    public Map<String, List<String>> getRequestMetadata(URI uri) {
        Map<String, List<String>> singletonMap;
        synchronized (this.lock) {
            try {
                if (shouldRefresh()) {
                    refresh();
                }
                singletonMap = Collections.singletonMap("Authorization", Collections.singletonList(JWT_ACCESS_PREFIX + this.jwt));
            } catch (Throwable th) {
                throw th;
            }
        }
        return singletonMap;
    }

    @Override // com.google.auth.Credentials
    public boolean hasRequestMetadata() {
        return true;
    }

    @Override // com.google.auth.Credentials
    public boolean hasRequestMetadataOnly() {
        return true;
    }

    public int hashCode() {
        return Objects.hash(this.privateKey, this.privateKeyId, this.jwtClaims, this.lifeSpanSeconds);
    }

    public JwtCredentials jwtWithClaims(JwtClaims jwtClaims) {
        return newBuilder().j(this.privateKey).k(this.privateKeyId).h(this.jwtClaims.merge(jwtClaims)).a();
    }

    @Override // com.google.auth.Credentials
    public void refresh() {
        JsonWebSignature.Header header = new JsonWebSignature.Header();
        header.k("RS256");
        header.m("JWT");
        header.l(this.privateKeyId);
        JsonWebToken.Payload payload = new JsonWebToken.Payload();
        payload.g(this.jwtClaims.getAudience());
        payload.k(this.jwtClaims.getIssuer());
        payload.l(this.jwtClaims.getSubject());
        long currentTimeMillis = this.clock.currentTimeMillis() / 1000;
        payload.i(Long.valueOf(currentTimeMillis));
        payload.h(Long.valueOf(currentTimeMillis + this.lifeSpanSeconds.longValue()));
        payload.putAll(this.jwtClaims.getAdditionalClaims());
        synchronized (this.lock) {
            try {
                this.expiryInSeconds = payload.d();
                try {
                    this.jwt = JsonWebSignature.f(this.privateKey, l.f, header, payload);
                } catch (GeneralSecurityException e) {
                    throw new IOException("Error signing service account JWT access header with private key.", e);
                }
            } catch (Throwable th) {
                throw th;
            }
        }
    }
}
