package com.telenor.connect.utils;

import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.telenor.connect.ConnectException;
import com.telenor.connect.ConnectSdk;
import com.telenor.connect.id.IdToken;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
import java.util.List;

/* loaded from: classes.dex */
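/**
 * Claim-level checks for an OpenID Connect ID token: issuer, audience, authorized party,
 * expiry and presence of the issue time.
 *
 * <p><b>Security note:</b> nothing in this class verifies the JWT signature.
 * {@code SignedJWT.parse} only decodes the serialized token. The claims checked here are
 * trustworthy only if the token's integrity is established elsewhere (signature
 * verification against the issuer's keys, or receipt directly from the token endpoint over
 * TLS). No {@code nonce} check is performed here either.
 */
public class IdTokenValidator {
    /**
     * Decides whether an expiration time is still in the future relative to either of two
     * reference times.
     *
     * @param date the token's expiration time; {@code null} is treated as expired
     * @param date2 primary reference time ("now"); must not be {@code null}
     * @param date3 optional secondary reference time; may be {@code null}. Presumably a
     *     server-provided timestamp used to tolerate device clock skew (confirm against callers).
     * @return {@code true} if {@code date} is strictly after {@code date2}, or strictly after a
     *     non-null {@code date3}; {@code false} otherwise
     */
    public static boolean isValidExpirationTime(Date date, Date date2, Date date3) {
        if (date == null) {
            return false;
        }
        // Passing either comparison is enough, so the effective lifetime follows whichever
        // reference clock is further behind.
        return date.after(date2) || (date3 != null && date.after(date3));
    }

    /**
     * Validates the claims of an ID token against the SDK's configured issuer, audiences and
     * client ID, and checks that it has not expired and carries an issue time.
     *
     * <p>The signature is not verified here; see the class-level note.
     *
     * @param idToken the ID token whose serialized JWT is parsed and checked
     * @param date optional secondary reference time passed to
     *     {@link #isValidExpirationTime(Date, Date, Date)}; may be {@code null}
     * @throws ConnectException if the token cannot be parsed or any claim check fails
     */
    public static void validate(IdToken idToken, Date date) {
        // NOTE(review): every failure message below embeds the full claims set, and the
        // parse-failure message embeds the raw serialized token. Treat ConnectException
        // messages as sensitive: keep them out of shared logs and crash reports, or redact them.
        try {
            ReadOnlyJWTClaimsSet claims =
                    SignedJWT.parse(idToken.getSerializedSignedJwt()).getJWTClaimsSet();

            // iss must match the configured issuer exactly.
            String issuer = claims.getIssuer();
            String expectedIssuer = ConnectSdk.getExpectedIssuer();
            if (!expectedIssuer.equals(issuer)) {
                throw new ConnectException("ID token issuer is not the same as the issuer this client is configured with. expectedIssuer=" + expectedIssuer + " idTokenClaimsSet=" + claims.toJSONObject());
            }

            // aud must contain every expected audience...
            String clientId = ConnectSdk.getClientId();
            List<String> audience = claims.getAudience();
            List<String> expectedAudiences = ConnectSdk.getExpectedAudiences();
            if (audience == null || !audience.containsAll(expectedAudiences)) {
                throw new ConnectException("ID token audience list does not contain the configured client ID. clientId=" + clientId + " idTokenClaimsSet=" + claims.toJSONObject());
            }

            // ...and nothing beyond them: a token also addressed to an unknown party is rejected.
            HashSet<String> untrustedAudiences = new HashSet<String>(audience);
            untrustedAudiences.removeAll(expectedAudiences);
            if (!untrustedAudiences.isEmpty()) {
                throw new ConnectException("ID token audience list contains untrusted audiences. untrustedAudiences=" + untrustedAudiences + " trustedAudiences=" + expectedAudiences + " idTokenClaimsSet=" + claims.toJSONObject());
            }

            // azp comes from the token, so its type is checked before use. A non-string value
            // is rejected with ConnectException rather than surfacing as a ClassCastException
            // that callers handling ConnectException would not catch.
            Object azpClaim = claims.getCustomClaim("azp");
            if (azpClaim != null && !(azpClaim instanceof String)) {
                throw new ConnectException("ID token azp claim is not a string. idTokenClaimsSet=" + claims.toJSONObject());
            }
            String authorizedParty = (String) azpClaim;
            if (audience.size() > 1 && authorizedParty == null) {
                throw new ConnectException("ID token contains multiple audiences but no azp claim is present. idTokenClaimsSet=" + claims.toJSONObject());
            }
            // Compare from the known non-null side so a missing configured client ID is a
            // rejection, not a NullPointerException.
            if (authorizedParty != null && !authorizedParty.equals(clientId)) {
                throw new ConnectException("ID token authorized party is not the configured client ID. configuredClientId=" + clientId + " idTokenClaimsSet=" + claims.toJSONObject());
            }

            // exp is checked against the device clock first, then against the caller-supplied
            // reference time.
            if (!isValidExpirationTime(claims.getExpirationTime(), new Date(), date)) {
                throw new ConnectException("ID token has expired. idTokenClaimsSet=" + claims.toJSONObject());
            }

            // iat only has to be present; its value is not compared with anything here.
            if (claims.getIssueTime() == null) {
                throw new ConnectException("ID token is missing the \"iat\" claim. idTokenClaimsSet=" + claims.toJSONObject());
            }
        } catch (ParseException e) {
            throw new ConnectException("Failed to parse ID token. serializedIdToken=" + idToken.getSerializedSignedJwt(), e);
        }
    }
}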
