package com.ibm.ws.security.openidconnect.client;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.kernel.provisioning.ExtensionConstants;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.token.IDToken;
import com.ibm.ws.security.openidconnect.token.IDTokenValidationFailedException;
import com.ibm.ws.security.openidconnect.token.impl.IdTokenImpl;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.CookieHelper;
import com.ibm.ws.webcontainer.security.PostParameterHelper;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.ws.webcontainer.security.ReferrerURLCookieHandler;
import com.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl;
import com.ibm.wsspi.kernel.service.location.WsLocationConstants;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.ssl.SSLSupport;
import com.ibm.wsspi.webcontainer.servlet.IExtendedRequest;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

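/**
 * Relying-party (client) side of the OpenID Connect login flow for one protected
 * web request.
 * <p>
 * First pass (no {@code WAS_OIDC_CODE} cookie): the request is parked (POST
 * parameters saved, original URL recorded by a client-side script) and the
 * browser is sent to the provider's authorization endpoint with a freshly
 * generated {@code state} and, when enabled or when the implicit grant is used,
 * a {@code nonce}. Both values are kept in the server-side {@code requestStates}
 * cache and the state is additionally bound to the browser through a cookie.
 * <p>
 * Second pass (cookie present): the state from the cookie is checked against
 * the cache, the authorization code is exchanged for tokens (or, for the
 * implicit grant, the tokens are taken from the posted form), the ID token is
 * verified and a {@link ProviderAuthenticationResult} carrying the subject data
 * is returned.
 * <p>
 * Security-relevant points in this class: state/nonce values come from
 * {@link SecureRandom}; the code cookie (client-controlled bytes) is Java-
 * deserialized only through an allow-listing stream; the authorization URL is
 * escaped before being embedded in the redirect script.
 * <p>
 * NOTE(review): {@code referrerURLCookieHandler} is overwritten by every
 * {@link #authenticate} call, so an instance must not be shared across requests
 * that use different handlers.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:lib/com.ibm.ws.security.openidconnect.client_1.0.10.cl50720160308-1847.jar:com/ibm/ws/security/openidconnect/client/OidcClientAuthenticator.class */
public class OidcClientAuthenticator {
    private static final TraceComponent tc = Tr.register(OidcClientAuthenticator.class);
    /** Cookies owned by this flow; all are cleared once the flow ends in anything other than a redirect. */
    static final String[] OIDC_COOKIES = {ClientConstants.WAS_OIDC_STATE_KEY, ClientConstants.WAS_REQ_URL_OIDC, ClientConstants.WAS_OIDC_CODE};
    /**
     * Source of state and nonce values. A CSPRNG is required here: {@code state} is the
     * CSRF defence for the callback and {@code nonce} binds the ID token to this login, so
     * neither may be derivable from previously observed values (java.util.Random is).
     */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Characters drawn from ClientConstants.CHARS per state/nonce (entropy depends on that alphabet's size). */
    private static final int RANDOM_LENGTH = 20;
    /** Only classes a legitimate WAS_OIDC_CODE cookie can contain; see CookieObjectInputStream. */
    private static final String HASHTABLE_CLASS_NAME = Hashtable.class.getName();
    private static final String STRING_CLASS_NAME = String.class.getName();
    private static final String FFDC_SOURCE = "com.ibm.ws.security.openidconnect.client.OidcClientAuthenticator";
    /** Maps state-cookie value -> state, and state -> nonce. Entries are single-use (removed on lookup). */
    Cache requestStates;
    ReferrerURLCookieHandler referrerURLCookieHandler;
    OidcClientUtil oidcClientUtil;
    private SSLSupport sslSupport;
    private JwKRetriever retriever;
    private static final String SIGNATURE_ALG_HS256 = "HS256";
    private static final String SIGNATURE_ALG_RS256 = "RS256";
    private static final String SIGNATURE_ALG_NONE = "none";
    static final long serialVersionUID = 5984246479507206768L;

    /**
     * Bare instance: no SSL support and no state cache. {@link #handleRedirectToServer}
     * dereferences {@code requestStates}, so {@link #authenticate} must not be driven on an
     * instance built this way.
     */
    public OidcClientAuthenticator() {
        this.requestStates = null;
        this.referrerURLCookieHandler = null;
        this.oidcClientUtil = new OidcClientUtil();
        this.retriever = new JwKRetriever();
    }

    /**
     * Fully wired instance.
     *
     * @param atomicServiceReference SSL support used for the token-endpoint and JWKS connections
     * @param oidcClientConfig       client configuration (not retained here; passed per call instead)
     */
    public OidcClientAuthenticator(AtomicServiceReference<SSLSupport> atomicServiceReference, OidcClientConfig oidcClientConfig) {
        this();
        this.sslSupport = atomicServiceReference.getService();
        this.requestStates = new Cache(0, 0L);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "The size of requestStates: " + this.requestStates.size(), new Object[0]);
        }
    }

    /**
     * Enforces the {@code httpsRequired} setting for a URL.
     *
     * @return false only when HTTPS is required and {@code url} is non-null and does not start with
     *         "https" (the check is a literal, case-sensitive prefix test; a null URL passes)
     */
    boolean checkHttpsRequirement(OidcClientConfig oidcClientConfig, String url) {
        if (!oidcClientConfig.isHttpsRequired() || url == null) {
            return true;
        }
        return url.startsWith("https");
    }

    /**
     * Entry point for one request: decides between starting the login (redirect to the
     * provider) and completing it (code exchange or implicit-grant token handling) based on
     * whether the {@code WAS_OIDC_CODE} cookie carries a state.
     * <p>
     * Whenever the outcome is not a redirect, the saved POST parameters are restored and all
     * OIDC cookies are invalidated, regardless of success or failure.
     *
     * @return the authentication outcome; never null
     */
    public ProviderAuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig, ReferrerURLCookieHandler referrerURLCookieHandler) {
        this.referrerURLCookieHandler = referrerURLCookieHandler;
        boolean implicitGrant = ClientConstants.IMPLICIT.equals(oidcClientConfig.getGrantType());
        String authzCode = null;
        String responseState = null;
        Hashtable<String, String> callbackData = getAuthzCodeAndStateFromCookie((IExtendedRequest) httpServletRequest, httpServletResponse);
        if (callbackData != null) {
            authzCode = callbackData.get(ClientConstants.CODE);
            responseState = callbackData.get(ClientConstants.STATE);
        }
        ProviderAuthenticationResult result;
        if (responseState == null) {
            result = handleRedirectToServer(httpServletRequest, httpServletResponse, oidcClientConfig);
        } else if (implicitGrant) {
            result = handleTokens(httpServletRequest, httpServletResponse, responseState, oidcClientConfig);
        } else {
            result = handleAuthorizationCode(httpServletRequest, httpServletResponse, authzCode, responseState, oidcClientConfig);
        }
        if (result.getStatus() != AuthResult.REDIRECT_TO_PROVIDER) {
            new PostParameterHelper(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig()).restore(httpServletRequest, httpServletResponse, true);
            referrerURLCookieHandler.invalidateReferrerURLCookies(httpServletRequest, httpServletResponse, OIDC_COOKIES);
        }
        return result;
    }

    /**
     * Starts the login: generates a state key and a state value, caches key->value, binds the
     * key to the browser via a cookie named after the state's hashCode, saves POST parameters
     * and emits the client-side redirect page.
     *
     * @return REDIRECT_TO_PROVIDER on success; SEND_401 when HTTPS requirements, the
     *         {@code openid} scope, or URL building fail
     */
    ProviderAuthenticationResult handleRedirectToServer(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OidcClientConfig oidcClientConfig) {
        String authorizationEndpointUrl = oidcClientConfig.getAuthorizationEndpointUrl();
        if (!checkHttpsRequirement(oidcClientConfig, authorizationEndpointUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", authorizationEndpointUrl);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        // stateKey lives only in the browser cookie and the cache; state travels to the provider.
        String stateKey = generateRandom();
        String state = generateRandom();
        this.requestStates.put(stateKey, state);
        httpServletResponse.addCookie(this.referrerURLCookieHandler.createCookie(ClientConstants.WAS_OIDC_STATE_KEY + state.hashCode(), stateKey, httpServletRequest));
        String redirectUrl = setRedirectUrlIfNotDefined(httpServletRequest, oidcClientConfig);
        if (!checkHttpsRequirement(oidcClientConfig, redirectUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", redirectUrl);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        try {
            if (!isOpenIDScopeSpecified(oidcClientConfig)) {
                Tr.error(tc, "OIDC_CLIENT_REQUEST_MISSING_OPENID_SCOPE", oidcClientConfig.getClientId(), oidcClientConfig.getScope());
                return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
            }
            String authorizationUrl = buildAuthorizationUrlWithQuery(state, oidcClientConfig, redirectUrl);
            new PostParameterHelper(WebAppSecurityCollaboratorImpl.getGlobalWebAppSecurityConfig()).save(httpServletRequest, httpServletResponse);
            doClientSideRedirect(httpServletResponse, authorizationUrl, state);
            return new ProviderAuthenticationResult(AuthResult.REDIRECT_TO_PROVIDER, 200, null, null, null, authorizationUrl);
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "200", this, new Object[]{httpServletRequest, httpServletResponse, oidcClientConfig});
            Tr.error(tc, "OIDC_CLIENT_AUTHORIZE_ERR", oidcClientConfig.getClientId(), e.getMessage(), ClientConstants.CHARSET);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        } catch (IOException e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE, "204", this, new Object[]{httpServletRequest, httpServletResponse, oidcClientConfig});
            Tr.error(tc, "OIDC_CLIENT_AUTHORIZE_ERR", oidcClientConfig.getClientId(), e2.getMessage(), ClientConstants.CHARSET);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Writes a small HTML page whose script records the current URL in a cookie and then
     * navigates to {@code authorizationUrl}. Headers and content type are set before the
     * writer is obtained: the Servlet API ignores a charset set after getWriter() and may
     * ignore headers once the response is committed.
     */
    private void doClientSideRedirect(HttpServletResponse httpServletResponse, String authorizationUrl, String state) throws IOException {
        httpServletResponse.setStatus(200);
        httpServletResponse.setHeader("Cache-Control", "no-cache, no-store, must-revalidate, private, max-age=0");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setDateHeader("Expires", 0L);
        httpServletResponse.setContentType("text/html; charset=UTF-8");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.println("<html xmlns=\"http://www.w3.org/1999/xhtml\">");
        writer.println("<head>");
        writer.println(createJavaScripts(authorizationUrl, state));
        writer.println("<title>Redirect To OP</title> ");
        writer.println("</head>");
        writer.println("<body></body>");
        writer.println("</html>");
        writer.close();
    }

    /**
     * Builds the two inline scripts for the redirect page.
     * <p>
     * The first stores {@code window.location.href} in a cookie named
     * {@code WAS_REQ_URL_OIDC + state.hashCode()} (path=/, no other attributes); the second
     * navigates to the authorization URL. The URL is escaped for a JS string literal so that
     * quotes, backslashes, angle brackets or line terminators in the configured endpoint
     * cannot terminate the literal or the script element.
     */
    private String createJavaScripts(String authorizationUrl, String state) {
        String reqUrlCookieName = ClientConstants.WAS_REQ_URL_OIDC + state.hashCode();
        StringBuilder script = new StringBuilder();
        script.append("<script type=\"text/javascript\" language=\"javascript\">")
                .append("var loc=window.location.href;")
                .append("document.cookie=\"").append(reqUrlCookieName).append("=\"")
                .append("+loc+").append("\"; path=/\"")
                .append("</script>");
        script.append("<script type=\"text/javascript\" language=\"javascript\">")
                .append("window.location.replace(\"").append(escapeForJsStringLiteral(authorizationUrl)).append("\")")
                .append("</script>");
        String html = script.toString();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "createJavaScripts returns [" + html + "]", new Object[0]);
        }
        return html;
    }

    /**
     * Escapes a value for inclusion inside a double-quoted JavaScript string literal that is
     * itself inside an HTML script element. Angle brackets are emitted as \u003c/\u003e so
     * that a literal {@code </script>} in the value cannot end the element.
     */
    private static String escapeForJsStringLiteral(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                    out.append("\\\\");
                    break;
                case '"':
                    out.append("\\\"");
                    break;
                case '\'':
                    out.append("\\'");
                    break;
                case '<':
                    out.append("\\u003c");
                    break;
                case '>':
                    out.append("\\u003e");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\u2028':
                    out.append("\\u2028");
                    break;
                case '\u2029':
                    out.append("\\u2029");
                    break;
                default:
                    out.append(c);
            }
        }
        return out.toString();
    }

    /** True when the configured scope string contains "openid" anywhere (substring test). */
    private boolean isOpenIDScopeSpecified(OidcClientConfig oidcClientConfig) {
        return oidcClientConfig.getScope().contains("openid");
    }

    /**
     * Completes an authorization-code login: verifies the state, checks HTTPS requirements,
     * obtains an SSL context, exchanges the code at the token endpoint and validates the result.
     *
     * @param authzCode     code from the callback cookie (may be null; the token request then fails)
     * @param responseState state from the callback cookie
     * @return SUCCESS with subject data, or SEND_401
     */
    ProviderAuthenticationResult handleAuthorizationCode(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String authzCode, String responseState, OidcClientConfig oidcClientConfig) {
        String clientId = oidcClientConfig.getClientId();
        ProviderAuthenticationResult stateFailure = verifyResponseState(httpServletRequest, httpServletResponse, responseState, clientId);
        if (stateFailure != null) {
            return stateFailure;
        }
        String tokenEndpointUrl = oidcClientConfig.getTokenEndpointUrl();
        if (!checkHttpsRequirement(oidcClientConfig, tokenEndpointUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", tokenEndpointUrl);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        String redirectUrl = setRedirectUrlIfNotDefined(httpServletRequest, oidcClientConfig);
        if (!checkHttpsRequirement(oidcClientConfig, redirectUrl)) {
            Tr.error(tc, "OIDC_CLIENT_URL_PROTOCOL_NOT_HTTPS", redirectUrl);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        // SSL context acquisition gets its own handler so an SSLException is reported as such
        // instead of being swallowed by the generic token-request handler below.
        SSLContext sslContext;
        try {
            sslContext = getSSLContext(tokenEndpointUrl, oidcClientConfig.getSSLConfigurationName(), clientId);
        } catch (SSLException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "308", this, new Object[]{httpServletRequest, httpServletResponse, authzCode, responseState, oidcClientConfig});
            String detail = e.getMessage() != null ? e.getMessage() : "invalid ssl context";
            Tr.error(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", new Object[]{detail, clientId});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        try {
            return createResult(responseState,
                    this.oidcClientUtil.getTokensFromAuthzCode(tokenEndpointUrl, clientId, oidcClientConfig.getClientSecret(), redirectUrl, authzCode, oidcClientConfig.getGrantType(), sslContext, oidcClientConfig.isHostNameVerificationEnabled(), oidcClientConfig.getTokenEndpointAuthMethod()),
                    oidcClientConfig);
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "323", this, new Object[]{httpServletRequest, httpServletResponse, authzCode, responseState, oidcClientConfig});
            Tr.error(tc, "OIDC_CLIENT_TOKEN_REQUEST_FAILURE", e.getMessage(), clientId, tokenEndpointUrl);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Completes an implicit-grant login (response_mode=form_post): verifies the state, then
     * treats the posted request parameters as the token response. Only the first value of each
     * parameter is used; a parameter with no values maps to ExtensionConstants.CORE_EXTENSION
     * (a decompiler-substituted constant, presumably the empty string).
     * <p>
     * NOTE(review): the whole parameter map is caller-controlled and is later copied into the
     * subject's credentials when includeIdTokenInSubject is set (see createResult).
     */
    ProviderAuthenticationResult handleTokens(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String responseState, OidcClientConfig oidcClientConfig) {
        String clientId = oidcClientConfig.getClientId();
        ProviderAuthenticationResult stateFailure = verifyResponseState(httpServletRequest, httpServletResponse, responseState, clientId);
        if (stateFailure != null) {
            return stateFailure;
        }
        HashMap<String, String> postedParams = new HashMap<String, String>();
        Enumeration<?> parameterNames = httpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String name = (String) parameterNames.nextElement();
            String[] values = httpServletRequest.getParameterValues(name);
            if (values != null && values.length > 0) {
                postedParams.put(name, values[0]);
            } else {
                postedParams.put(name, ExtensionConstants.CORE_EXTENSION);
            }
        }
        try {
            return createResult(responseState, postedParams, oidcClientConfig);
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "355", this, new Object[]{httpServletRequest, httpServletResponse, responseState, oidcClientConfig});
            Tr.error(tc, "OIDC_CLIENT_TOKEN_REQUEST_FAILURE", e.getMessage(), clientId, oidcClientConfig.getTokenEndpointUrl());
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Reads the callback data (code and state) from the {@code WAS_OIDC_CODE} cookie.
     * <p>
     * The cookie is a base64-encoded Java-serialized Hashtable. Cookies are client-controlled,
     * so the bytes are deserialized through {@link CookieObjectInputStream}, which admits only
     * {@code java.util.Hashtable} and {@code java.lang.String}; any other class descriptor in
     * the stream aborts the read. The result is additionally required to hold only String keys
     * and values so the callers' unchecked {@code get()} casts cannot fail later.
     *
     * @return the table, or null when the cookie is absent, empty, undecodable or malformed
     */
    Hashtable<String, String> getAuthzCodeAndStateFromCookie(IExtendedRequest iExtendedRequest, HttpServletResponse httpServletResponse) {
        byte[] cookieValueAsBytes = iExtendedRequest.getCookieValueAsBytes(ClientConstants.WAS_OIDC_CODE);
        if (cookieValueAsBytes == null || cookieValueAsBytes.length == 0) {
            return null;
        }
        byte[] decoded = Base64Coder.base64Decode(cookieValueAsBytes);
        if (decoded == null || decoded.length == 0) {
            return null;
        }
        Hashtable<String, String> result = null;
        try (ObjectInputStream in = new CookieObjectInputStream(new ByteArrayInputStream(decoded))) {
            Object read = in.readObject();
            if (read instanceof Hashtable && hasOnlyStringEntries((Hashtable<?, ?>) read)) {
                @SuppressWarnings("unchecked")
                Hashtable<String, String> table = (Hashtable<String, String>) read;
                result = table;
            } else if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState: cookie did not contain a Hashtable of strings", new Object[0]);
            }
        } catch (IOException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "381", this, new Object[]{iExtendedRequest, httpServletResponse});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState encounted an un-expected exception: " + e, new Object[0]);
            }
        } catch (ClassNotFoundException e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE, "385", this, new Object[]{iExtendedRequest, httpServletResponse});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "getAuthzCodeAndState encounted an un-expected exception: " + e2, new Object[0]);
            }
        }
        return result;
    }

    /** True when every key and value in the table is a String. */
    private static boolean hasOnlyStringEntries(Hashtable<?, ?> table) {
        for (Map.Entry<?, ?> entry : table.entrySet()) {
            if (!(entry.getKey() instanceof String) || !(entry.getValue() instanceof String)) {
                return false;
            }
        }
        return true;
    }

    /**
     * ObjectInputStream restricted to the classes a WAS_OIDC_CODE cookie legitimately contains.
     * Unrestricted {@link ObjectInputStream#readObject()} on client-supplied bytes would let the
     * sender instantiate any serializable class on the server classpath (gadget-chain risk).
     * Hashtable's serialized form carries primitives plus its keys and values, so allowing
     * Hashtable and String is sufficient for the table this class writes; proxies are refused.
     */
    private static final class CookieObjectInputStream extends ObjectInputStream {
        CookieObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!HASHTABLE_CLASS_NAME.equals(name) && !STRING_CLASS_NAME.equals(name)) {
                throw new InvalidClassException(name, "class not permitted in the OIDC code cookie");
            }
            return super.resolveClass(desc);
        }

        @Override
        protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
            throw new InvalidClassException("dynamic proxy", "proxies are not permitted in the OIDC code cookie");
        }
    }

    /**
     * Checks the callback state against the value cached for this browser.
     *
     * @return null when the state is valid; otherwise a SEND_401 result (the failure is logged
     *         with the cached and received values)
     */
    ProviderAuthenticationResult verifyResponseState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String responseState, String clientId) {
        if (responseState == null) {
            Tr.error(tc, "OIDC_CLIENT_RESPONSE_STATE_VERIFY_ERR", (String) null, "null response state", clientId);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        String originalState = getOriginalState(httpServletRequest, httpServletResponse, responseState);
        // A plain equals() is acceptable: the cached entry is consumed by getOriginalState, so a
        // wrong guess cannot be retried against the same value.
        if (originalState != null && originalState.equals(responseState)) {
            return null;
        }
        Tr.error(tc, "OIDC_CLIENT_RESPONSE_STATE_VERIFY_ERR", originalState, responseState, clientId);
        return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
    }

    /**
     * Resolves the state this browser started with: the cookie named
     * {@code WAS_OIDC_STATE_KEY + responseState.hashCode()} holds the state key, which indexes
     * the cache. The cache entry is removed on lookup, making each state single-use.
     *
     * @return the cached state, or null when the cookie or cache entry is missing
     */
    String getOriginalState(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String responseState) {
        String stateKey = CookieHelper.getCookieValue(httpServletRequest.getCookies(), ClientConstants.WAS_OIDC_STATE_KEY + responseState.hashCode());
        if (stateKey == null) {
            return null;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "size of requestStates: " + this.requestStates.size(), new Object[0]);
        }
        String originalState = (String) this.requestStates.get(stateKey);
        this.requestStates.remove(stateKey);
        return originalState;
    }

    /**
     * Turns a token response into the authentication result. Any failure while validating the
     * ID token or assembling the subject yields SEND_401; an IDTokenValidationFailedException
     * already carries the formatted OIDC_CLIENT_IDTOKEN_VERIFY_ERR message and is only recorded
     * through FFDC, every other exception is additionally logged as a verification error.
     *
     * @param responseState the verified callback state; also the cache key of the expected nonce
     * @param tokens        token response (id_token, access_token, refresh_token, ...)
     */
    ProviderAuthenticationResult createResult(String responseState, HashMap<String, String> tokens, OidcClientConfig oidcClientConfig) {
        String clientId = oidcClientConfig.getClientId();
        try {
            return buildResultFromTokens(responseState, tokens, oidcClientConfig);
        } catch (IDTokenValidationFailedException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "510", this, new Object[]{responseState, tokens, oidcClientConfig});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        } catch (Exception e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "513", this, new Object[]{responseState, tokens, oidcClientConfig});
            String detail = e.getMessage() == null ? "IDTokenValidatonFailedException" : e.getMessage();
            Tr.error(tc, "OIDC_CLIENT_IDTOKEN_VERIFY_ERR", new Object[]{detail, clientId});
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
    }

    /**
     * Body of {@link #createResult}: validates the ID token, the principal claim and (when
     * enabled) the nonce, then builds the credential table and optional Subject.
     * <p>
     * NOTE(review): a nonce is always sent for the implicit grant (see
     * buildAuthorizationUrlWithQuery) but is only checked here when isNonceEnabled() is set.
     */
    private ProviderAuthenticationResult buildResultFromTokens(String responseState, HashMap<String, String> tokens, OidcClientConfig oidcClientConfig) throws Exception {
        String idTokenString = tokens.get("id_token");
        String accessToken = tokens.get("access_token");
        String refreshToken = tokens.get("refresh_token");
        String clientId = oidcClientConfig.getClientId();
        if (idTokenString == null) {
            Tr.error(tc, "OIDC_CLIENT_IDTOKEN_REQUEST_FAILURE", clientId, oidcClientConfig.getTokenEndpointUrl());
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        IDToken idToken = createIDToken(idTokenString, accessToken, oidcClientConfig);
        IDToken.Payload payload = idToken.getPayload();
        String principalName = (String) payload.get(oidcClientConfig.getUserIdentityToCreateSubject());
        if (principalName == null || principalName.isEmpty()) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "There is no principal", new Object[0]);
            }
            Tr.error(tc, "OIDC_CLIENT_MISSING_PRINCIPAL_ERR", clientId);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        if (oidcClientConfig.isNonceEnabled()) {
            ProviderAuthenticationResult nonceFailure = verifyNonce(responseState, payload.getNonce(), clientId);
            if (nonceFailure != null) {
                return nonceFailure;
            }
        }
        // Constructed unconditionally (as before) even when it is not added to a Subject.
        IdTokenImpl idTokenImpl = new IdTokenImpl(idToken);
        Hashtable<String, Object> credentials = new Hashtable<String, Object>();
        if (oidcClientConfig.isIncludeCustomCacheKeyInSubject()) {
            credentials.put("com.ibm.wsspi.security.cred.cacheKey", principalName + idTokenString.hashCode());
            credentials.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
        }
        Subject subject = null;
        if (oidcClientConfig.isIncludeIdTokenInSubject()) {
            subject = new Subject();
            subject.getPrivateCredentials().add(idTokenImpl);
            // NOTE(review): copies every entry of the token response into the credential table;
            // for the implicit grant that is the raw form_post parameter map.
            credentials.putAll(tokens);
        } else {
            if (refreshToken != null) {
                credentials.put("refresh_token", refreshToken);
            }
            if (accessToken != null) {
                credentials.put("access_token", accessToken);
            }
        }
        doIdAssertion(credentials, payload, oidcClientConfig);
        return new ProviderAuthenticationResult(AuthResult.SUCCESS, 200, principalName, subject, credentials, null);
    }

    /**
     * Compares the ID token's nonce with the one cached under the state when the login started.
     * The cached nonce is consumed on first use.
     *
     * @return null when the nonces match; otherwise a SEND_401 result
     */
    private ProviderAuthenticationResult verifyNonce(String responseState, String tokenNonce, String clientId) {
        String expectedNonce = (String) this.requestStates.get(responseState);
        if (expectedNonce != null) {
            this.requestStates.remove(responseState);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Found nonce: " + tokenNonce + " and cached nonce:" + expectedNonce, new Object[0]);
        }
        if (tokenNonce == null || !tokenNonce.equals(expectedNonce)) {
            Tr.error(tc, "OIDC_CLIENT_REQUEST_NONCE_FAILED", clientId, tokenNonce, expectedNonce);
            return new ProviderAuthenticationResult(AuthResult.SEND_401, 401);
        }
        return null;
    }

    /**
     * Adds identity-assertion attributes (unique id, realm, groups) derived from ID token
     * claims, unless identities are mapped to registry users. The realm falls back to the
     * {@code iss} claim and the unique user to the principal claim.
     * <p>
     * The group claim is accepted as any Iterable (the provider's JSON array may not be an
     * ArrayList); a non-iterable group claim is ignored rather than failing the login, which
     * results in a subject with no groups.
     */
    void doIdAssertion(Hashtable<String, Object> credentials, IDToken.Payload payload, OidcClientConfig oidcClientConfig) {
        if (oidcClientConfig.isMapIdentityToRegistryUser() || payload == null) {
            return;
        }
        String realm = (String) payload.get(oidcClientConfig.getRealmIdentifier());
        if (realm == null || realm.isEmpty()) {
            realm = (String) payload.get(ClientConstants.ISS);
        }
        String uniqueUser = (String) payload.get(oidcClientConfig.getUniqueUserIdentifier());
        if (uniqueUser == null || uniqueUser.isEmpty()) {
            uniqueUser = (String) payload.get(oidcClientConfig.getUserIdentityToCreateSubject());
        }
        String uniqueId = "user:" + realm + WsLocationConstants.LOC_VIRTUAL_ROOT + uniqueUser;
        List<String> groups = new ArrayList<String>();
        Object groupClaim = payload.get(oidcClientConfig.getGroupIdentifier());
        if (groupClaim instanceof Iterable) {
            for (Object group : (Iterable<?>) groupClaim) {
                groups.add("group:" + realm + WsLocationConstants.LOC_VIRTUAL_ROOT + group);
            }
        } else if (groupClaim != null && TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Group claim is not a list; ignoring it: " + groupClaim.getClass().getName(), new Object[0]);
        }
        credentials.put("com.ibm.wsspi.security.cred.uniqueId", uniqueId);
        if (realm != null && !realm.isEmpty()) {
            credentials.put("com.ibm.wsspi.security.cred.realm", realm);
        }
        if (!groups.isEmpty()) {
            credentials.put("com.ibm.wsspi.security.cred.groups", groups);
        }
    }

    /**
     * Builds the authorization request URL. Every parameter value is URL-encoded with
     * ClientConstants.CHARSET. For the implicit grant the response type is
     * "id_token token" and response_mode=form_post is added; a nonce is generated (and cached
     * under the state) when nonce checking is enabled or the grant is implicit.
     * <p>
     * NOTE(review): the query is appended with "?" unconditionally, so an endpoint URL that
     * already carries a query string would be malformed.
     */
    String buildAuthorizationUrlWithQuery(String state, OidcClientConfig oidcClientConfig, String redirectUrl) throws UnsupportedEncodingException {
        boolean implicitGrant = ClientConstants.IMPLICIT.equals(oidcClientConfig.getGrantType());
        String responseType = implicitGrant ? "id_token token" : ClientConstants.CODE;
        String charset = ClientConstants.CHARSET;
        StringBuilder query = new StringBuilder();
        query.append("response_type=").append(URLEncoder.encode(responseType, charset));
        query.append("&client_id=").append(URLEncoder.encode(oidcClientConfig.getClientId(), charset));
        query.append("&state=").append(URLEncoder.encode(state, charset));
        query.append("&redirect_uri=").append(URLEncoder.encode(redirectUrl, charset));
        query.append("&scope=").append(URLEncoder.encode(oidcClientConfig.getScope(), charset));
        if (oidcClientConfig.isNonceEnabled() || implicitGrant) {
            String nonce = generateRandom();
            this.requestStates.put(state, nonce);
            query.append("&nonce=").append(URLEncoder.encode(nonce, charset));
        }
        if (isACRSpecified(oidcClientConfig)) {
            query.append("&acr_values=").append(URLEncoder.encode(oidcClientConfig.getAuthContextClassReference(), charset));
        }
        if (oidcClientConfig.getPrompt() != null) {
            query.append("&prompt=").append(URLEncoder.encode(oidcClientConfig.getPrompt(), charset));
        }
        if (implicitGrant) {
            query.append("&response_mode=").append(URLEncoder.encode("form_post", charset));
        }
        return oidcClientConfig.getAuthorizationEndpointUrl() + "?" + query;
    }

    /** True when a non-empty authentication context class reference is configured. */
    private boolean isACRSpecified(OidcClientConfig oidcClientConfig) {
        String acr = oidcClientConfig.getAuthContextClassReference();
        return acr != null && !acr.isEmpty();
    }

    /**
     * Generates a 20-character value from ClientConstants.CHARS using a CSPRNG. Used for the
     * state key, the state and the nonce, all of which must be unguessable.
     */
    public static String generateRandom() {
        StringBuilder out = new StringBuilder(RANDOM_LENGTH);
        int alphabetSize = ClientConstants.CHARS.length();
        for (int i = 0; i < RANDOM_LENGTH; i++) {
            out.append(ClientConstants.CHARS.charAt(SECURE_RANDOM.nextInt(alphabetSize)));
        }
        return out.toString();
    }

    /**
     * Returns the configured issuer identifier or, when none is configured, the token endpoint
     * URL truncated at its last path separator. A null token endpoint yields null and one
     * without a separator is returned unchanged (the original threw on that input).
     * <p>
     * NOTE(review): the derived value is what the ID token's issuer is matched against (it is
     * passed to OidcClientUtil.createIDToken); configuring issuerIdentifier explicitly avoids
     * trusting the token endpoint URL's shape for that check.
     */
    String getIssuerIdentifier(OidcClientConfig oidcClientConfig) {
        String issuerIdentifier = oidcClientConfig.getIssuerIdentifier();
        if (issuerIdentifier != null && !issuerIdentifier.isEmpty()) {
            return issuerIdentifier;
        }
        String tokenEndpointUrl = oidcClientConfig.getTokenEndpointUrl();
        if (tokenEndpointUrl == null) {
            return null;
        }
        int lastSeparator = tokenEndpointUrl.lastIndexOf(WsLocationConstants.LOC_VIRTUAL_ROOT);
        return lastSeparator < 0 ? tokenEndpointUrl : tokenEndpointUrl.substring(0, lastSeparator);
    }

    /**
     * Parses and verifies the ID token (signature, clock skew, and whatever checks
     * IDToken.verify performs with the expected issuer and client id).
     *
     * @param accessToken passed to the token parser (presumably for at_hash validation; not
     *                    verified here)
     * @return the verified token, with its jti set to the client id
     * @throws IDTokenValidationFailedException when verification fails or the token string is null
     */
    IDToken createIDToken(String idTokenString, String accessToken, OidcClientConfig oidcClientConfig) throws Exception {
        String issuerIdentifier = getIssuerIdentifier(oidcClientConfig);
        String clientId = oidcClientConfig.getClientId();
        IDToken idToken = this.oidcClientUtil.createIDToken(idTokenString, null, clientId, issuerIdentifier, oidcClientConfig.getSignatureAlgorithm(), accessToken);
        Object verifyKey = null;
        try {
            verifyKey = getVerifyKey(oidcClientConfig, idToken.getHeader().getKeyId(), idToken.getHeader().getX509Thumbprint());
        } catch (Exception e) {
            // Key lookup failure leaves verifyKey null; verify() is relied on to reject the
            // token in that case. NOTE(review): that contract lives in IDToken.verify — confirm it fails closed.
            FFDCFilter.processException(e, FFDC_SOURCE, "648", this, new Object[]{idTokenString, accessToken, oidcClientConfig});
        }
        if (idTokenString != null && idToken.verify(oidcClientConfig.getClockSkewInSeconds(), verifyKey)) {
            idToken.getPayload().setJwtId(clientId);
            return idToken;
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "ID token validation failed: ", new Object[0]);
        }
        throw new IDTokenValidationFailedException(Tr.formatMessage(tc, "OIDC_CLIENT_IDTOKEN_VERIFY_ERR", "ID token validation Error", clientId));
    }

    /**
     * Selects the key material for the configured signature algorithm: the shared key bytes for
     * HS256; the configured public key for RS256 when the token header names no kid/x5t,
     * otherwise the key fetched from the provider's JWK set (chosen by the header's kid/x5t).
     * <p>
     * "none" returns the shared key bytes as well, which gives verify() nothing to check.
     * NOTE(review): unsigned ID tokens should not be accepted outside test setups; that choice
     * is made by the signatureAlgorithm configuration, not here.
     *
     * @return a byte[] (HS256/none), a PublicKey (RS256), or null for an unknown algorithm
     */
    protected Object getVerifyKey(OidcClientConfig oidcClientConfig, String keyId, String x509Thumbprint) throws KeyStoreException, CertificateException, UnsupportedEncodingException {
        String signatureAlgorithm = oidcClientConfig.getSignatureAlgorithm();
        if (SIGNATURE_ALG_HS256.equals(signatureAlgorithm)) {
            return Base64Coder.getBytes(oidcClientConfig.getSharedKey());
        }
        if (SIGNATURE_ALG_RS256.equals(signatureAlgorithm)) {
            if (keyId == null && x509Thumbprint == null) {
                return oidcClientConfig.getPublicKey();
            }
            return this.retriever.getPublicKeyFromJwk(keyId, x509Thumbprint, oidcClientConfig, this.sslSupport);
        }
        if (SIGNATURE_ALG_NONE.equals(signatureAlgorithm)) {
            return Base64Coder.getBytes(oidcClientConfig.getSharedKey());
        }
        return null;
    }

    /** Returns the configured redirect URL, or one derived from the request when none is configured. */
    String setRedirectUrlIfNotDefined(HttpServletRequest httpServletRequest, OidcClientConfig oidcClientConfig) {
        String redirectUrl = oidcClientConfig.getRedirectUrlFromServerToClient();
        if (redirectUrl != null && !redirectUrl.isEmpty()) {
            return redirectUrl;
        }
        return this.oidcClientUtil.getRedirectUrl(httpServletRequest, oidcClientConfig.getId());
    }

    /** Reconstructs the request URL including its query string, if any. */
    String getReqURL(HttpServletRequest httpServletRequest) {
        StringBuffer requestUrl = httpServletRequest.getRequestURL();
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestUrl.append("?").append(queryString);
        }
        return requestUrl.toString();
    }

    /**
     * Obtains the SSL context for the named SSL configuration.
     *
     * @param url URL the context will be used for; an https URL with no obtainable context is an error
     * @throws SSLException when the URL is https but no context is available
     */
    protected SSLContext getSSLContext(String url, String sslConfigurationName, String clientId) throws SSLException {
        SSLContext sslContext = null;
        JSSEHelper jsseHelper = getJSSEHelper();
        if (jsseHelper != null) {
            sslContext = jsseHelper.getSSLContext(sslConfigurationName, (Map) null, (SSLConfigChangeListener) null, true);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "sslContext () get: " + sslContext, new Object[0]);
            }
        }
        if (sslContext == null && url != null && url.startsWith("https")) {
            throw new SSLException(Tr.formatMessage(tc, "OIDC_CLIENT_HTTPS_WITH_SSLCONTEXT_NULL", "Null ssl conext", clientId));
        }
        return sslContext;
    }

    /** The JSSE helper from the injected SSL support, or null when no SSL support is wired. */
    protected JSSEHelper getJSSEHelper() throws SSLException {
        return this.sslSupport != null ? this.sslSupport.getJSSEHelper() : null;
    }
}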
