package com.uid2.shared.secure.azurecc;

import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebSignature;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.Clock;
import com.google.auth.oauth2.TokenVerifier;
import com.google.common.base.Strings;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationException;
import com.uid2.shared.secure.AttestationFailure;
import com.uid2.shared.secure.JwtUtils;
import com.uid2.shared.secure.azurecc.MaaTokenPayload;
import com.uid2.shared.secure.azurecc.RuntimeData;
import java.io.IOException;
import java.util.Map;

/* loaded from: input_file:com/uid2/shared/secure/azurecc/MaaTokenSignatureValidator.class */
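/**
 * Validates a Microsoft Azure Attestation (MAA) token and extracts the claims
 * that the attestation policy checks depend on.
 *
 * <p>The token is verified against a public key resolved through
 * {@link IPublicKeyProvider} and against the configured MAA base URL as the
 * expected issuer. No audience is configured on the verifier.
 */
public class MaaTokenSignatureValidator implements IMaaTokenSignatureValidator {
    /**
     * Not read anywhere in this class: {@link #validate(String)} always runs
     * the signature check. Kept because it is part of the public surface.
     */
    public static final boolean BYPASS_SIGNATURE_CHECK = false;
    private final String maaServerBaseUrl;
    private final IPublicKeyProvider publicKeyProvider;
    private final Clock clockOverride;

    /**
     * Creates a validator that resolves signing keys with {@link AzurePublicKeyProvider}.
     *
     * @param str base URL of the MAA server; also used as the expected token issuer
     */
    public MaaTokenSignatureValidator(String str) {
        this(str, new AzurePublicKeyProvider(), null);
    }

    /**
     * Creates a validator with an explicit key provider and an optional clock.
     *
     * @param str base URL of the MAA server; also used as the expected token issuer
     * @param iPublicKeyProvider source of the public key for a given key id
     * @param clock clock handed to the verifier when non-null (presumably for tests)
     */
    protected MaaTokenSignatureValidator(String str, IPublicKeyProvider iPublicKeyProvider, Clock clock) {
        this.maaServerBaseUrl = str;
        this.publicKeyProvider = iPublicKeyProvider;
        this.clockOverride = clock;
    }

    /**
     * Builds a verifier bound to the key identified by {@code str} and to the
     * configured issuer.
     *
     * @param str key id taken from the token header
     * @return a verifier pinned to the resolved public key and expected issuer
     * @throws AttestationException if the key provider cannot supply the key
     */
    private TokenVerifier buildTokenVerifier(String str) throws AttestationException {
        // The key id is read from the still-unverified header, so it is untrusted input.
        // NOTE(review): the provider is expected to return only keys published by
        // maaServerBaseUrl; confirm in IPublicKeyProvider implementations.
        TokenVerifier.Builder verifierBuilder = TokenVerifier.newBuilder();
        verifierBuilder.setPublicKey(this.publicKeyProvider.GetPublicKey(this.maaServerBaseUrl, str));
        if (this.clockOverride != null) {
            verifierBuilder.setClock(this.clockOverride);
        }
        verifierBuilder.setIssuer(this.maaServerBaseUrl);
        return verifierBuilder.build();
    }

    /**
     * Verifies the token and maps its claims to a {@link MaaTokenPayload}.
     *
     * @param str the compact serialized MAA token
     * @return the extracted attestation claims; runtime data is set only when
     *     the {@code x-ms-runtime} claim is present
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws AttestationException with {@link AttestationFailure#BAD_PAYLOAD} when the
     *     token cannot be parsed, fails verification, or lacks the
     *     {@code x-ms-sevsnpvm-is-debuggable} claim
     */
    @Override
    public MaaTokenPayload validate(String str) throws AttestationException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("tokenString can not be null or empty");
        }
        try {
            JsonWebSignature signature = JsonWebSignature.parse(GsonFactory.getDefaultInstance(), str);
            // Claims below are read only after verify() has accepted this same token string.
            buildTokenVerifier(signature.getHeader().getKeyId()).verify(str);

            JsonWebToken.Payload claims = signature.getPayload();
            MaaTokenPayload.MaaTokenPayloadBuilder payloadBuilder = MaaTokenPayload.builder();
            payloadBuilder.attestationType((String) JwtUtils.tryGetField(claims, "x-ms-attestation-type", String.class));
            payloadBuilder.complianceStatus((String) JwtUtils.tryGetField(claims, "x-ms-compliance-status", String.class));

            // tryGetField can return null (the x-ms-runtime lookup below is null-checked),
            // so unboxing directly would surface a NullPointerException for a token
            // without this claim. Reject such a token explicitly instead of guessing a
            // value for a flag the policy decision relies on.
            Boolean debuggable = (Boolean) JwtUtils.tryGetField(claims, "x-ms-sevsnpvm-is-debuggable", Boolean.class);
            if (debuggable == null) {
                throw new AttestationClientException(
                        "Fail to parse token, error: claim x-ms-sevsnpvm-is-debuggable is missing",
                        AttestationFailure.BAD_PAYLOAD);
            }
            payloadBuilder.vmDebuggable(debuggable.booleanValue());

            payloadBuilder.ccePolicyDigest((String) JwtUtils.tryGetField(claims, "x-ms-sevsnpvm-hostdata", String.class));

            Map runtimeClaims = (Map) JwtUtils.tryGetField(claims, "x-ms-runtime", Map.class);
            if (runtimeClaims != null) {
                RuntimeData.RuntimeDataBuilder runtimeBuilder = RuntimeData.builder();
                runtimeBuilder.attestationUrl((String) JwtUtils.tryGetField(runtimeClaims, "attestationUrl", String.class));
                runtimeBuilder.location((String) JwtUtils.tryGetField(runtimeClaims, "location", String.class));
                runtimeBuilder.publicKey((String) JwtUtils.tryGetField(runtimeClaims, "publicKey", String.class));
                payloadBuilder.runtimeData(runtimeBuilder.build());
            }
            return payloadBuilder.build();
        } catch (TokenVerifier.VerificationException e) {
            throw new AttestationClientException("Fail to validate the token signature, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
        } catch (IOException e2) {
            throw new AttestationClientException("Fail to parse token, error: " + e2.getMessage(), AttestationFailure.BAD_PAYLOAD);
        }
    }
}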
