package com.ibm.ws.security.openidconnect.token;

import com.google.common.collect.Lists;
import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.InvalidGrantException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import net.oauth.jsontoken.JsonToken;
import net.oauth.jsontoken.JsonTokenParser;
import net.oauth.jsontoken.SystemClock;
import net.oauth.jsontoken.crypto.HmacSHA256Verifier;
import net.oauth.jsontoken.crypto.RsaSHA256Verifier;
import net.oauth.jsontoken.crypto.SignatureAlgorithm;
import net.oauth.jsontoken.crypto.Verifier;
import net.oauth.jsontoken.discovery.VerifierProvider;
import net.oauth.jsontoken.discovery.VerifierProviders;
import org.joda.time.Duration;

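/**
 * Parses a compact-serialized JWT (header.payload.signature) and verifies its signature
 * against a <em>configured</em> algorithm and key.
 *
 * <p>Trust model: the algorithm used for verification is the one handed to the constructor
 * ({@code signAlgorithm}), never the one announced by the token. The token's {@code alg}
 * header is only compared against the configured value and the token is rejected on a
 * mismatch. RS256 expects a {@link PublicKey}, HS256 expects a {@code String} or
 * {@code byte[]} shared secret; any other combination fails with an
 * {@link InvalidGrantException}.
 *
 * <p>{@link #getJwsHeader()}, {@link #getPayload()} and the convenience getters built on
 * them parse the token through {@code JsonTokenUtil.deserialize}, not through the
 * verifying parser used by {@link #verifySignature()}; the values they return are
 * presumably unverified until {@link #verifySignature()} has returned {@code true}.
 * Audience checking is handed to an {@code IgnoreAudience} checker, so {@code aud} is not
 * enforced by this class. Not thread-safe: verification mutates instance state.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openidconnect.common_1.0.15.jar:com/ibm/ws/security/openidconnect/token/JWTVerifier.class */
public class JWTVerifier {
    // Raw compact-serialized token; null when the verifier was built without one.
    String _tokenString;
    // Client id, used only to decorate error messages.
    String _clientId;

    // Verification key: PublicKey for RS256, String/byte[] secret for HS256. Never logged.
    @Sensitive
    Object _key;
    // Clock-skew tolerance (seconds) handed to the parser's SystemClock.
    long _lSkewSeconds;
    // Expected signature algorithm ("RS256" or "HS256"); the token's alg header must match.
    String _signAlgorithm;
    // Dot-separated segments of _tokenString; null until a token string is set.
    String[] _jwtParts;
    // Parsed token plus the header/payload views derived from it; lazily populated.
    JsonToken _jsonToken;
    JWSHeader _header;
    JWTPayload _payload;
    static final long serialVersionUID = -2430651099847415982L;
    private static final TraceComponent tc = Tr.register((Class<?>) JWTVerifier.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.common.internal.resources.OidcCommonMessages");
    // Algorithms this class knows how to build a verifier for.
    static final List<String> signAlgorithms = new ArrayList<String>();

    static {
        signAlgorithms.add("RS256");
        signAlgorithms.add("HS256");
    }

    /**
     * Creates a verifier for a token with the key and algorithm it must be checked against.
     *
     * @param clientId      client id used in error messages
     * @param key           verification key ({@link PublicKey} for RS256, String/byte[] for HS256)
     * @param signAlgorithm expected algorithm, "RS256" or "HS256"
     * @param tokenString   compact-serialized token; may be null
     * @param skewSeconds   clock-skew tolerance in seconds
     * @throws InvalidGrantException if {@code tokenString} is not null and does not split into
     *                               a plausible number of segments (see {@link #splitTokenString})
     */
    public JWTVerifier(String clientId, @Sensitive Object key, String signAlgorithm, String tokenString, long skewSeconds) throws InvalidGrantException {
        this._clientId = clientId;
        this._key = key;
        this._signAlgorithm = signAlgorithm;
        this._lSkewSeconds = skewSeconds;
        this._tokenString = tokenString;
        if (tokenString != null) {
            this._jwtParts = splitTokenString(tokenString);
        }
    }

    /**
     * Creates a parse-only verifier: no key or algorithm is configured, so
     * {@link #verifySignature()} cannot succeed, but header and payload can be read.
     *
     * @param tokenString compact-serialized token; may be null
     * @throws InvalidGrantException if the token does not split into a plausible number of segments
     */
    public JWTVerifier(String tokenString) throws InvalidGrantException {
        this(null, null, null, tokenString, 0L);
    }

    /** Parses the token without signature verification and fills the header/payload views. */
    void initJsonToken() {
        this._jsonToken = JsonTokenUtil.deserialize(this._jwtParts, this._tokenString);
        populateViews();
    }

    /** Rebuilds {@code _payload} and {@code _header} from the current {@code _jsonToken}. */
    private void populateViews() {
        this._payload = new JWTPayload();
        JsonTokenUtil.fromJsonToken(this._jsonToken, this._payload);
        this._header = new JWSHeader();
        JsonTokenUtil.fromJsonToken(this._jsonToken, this._header);
    }

    /**
     * Returns the JWS header, parsing the token (unverified) on first access.
     *
     * @return the header view; only trustworthy after {@link #verifySignature()} succeeded
     */
    public JWSHeader getJwsHeader() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._header;
    }

    /** @return the token's {@code alg} header value as a String, or null if absent */
    public String getAlgHeader() {
        return (String) getJwsHeader().get("alg");
    }

    /**
     * Returns the payload (claims), parsing the token (unverified) on first access.
     *
     * @return the payload view; only trustworthy after {@link #verifySignature()} succeeded
     */
    public JWTPayload getPayload() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._payload;
    }

    /** @return the {@code iss} claim as a String, or null if absent */
    public String getIssFromPayload() {
        return (String) getPayload().get("iss");
    }

    /** @return the underlying parsed token, parsing (unverified) on first access */
    JsonToken getJsonToken() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._jsonToken;
    }

    /**
     * Verifies the signature using a system clock with the configured skew tolerance.
     *
     * @return true when verification succeeded
     * @throws OAuthException (as {@link InvalidGrantException}) on any verification failure
     */
    public boolean verifySignature() throws OAuthException {
        return verifySignature(new SystemClock(Duration.standardSeconds(this._lSkewSeconds)));
    }

    /**
     * Verifies the token signature with the configured algorithm and key, then replaces the
     * header/payload views with the verified ones.
     *
     * <p>Failures never escape as library exceptions: missing token, too few segments,
     * algorithm mismatch, unusable key, unsupported configured algorithm, malformed header
     * and signature failure are all reported as {@link InvalidGrantException} with a
     * localized message.
     *
     * @param systemClock clock used by the parser for time-based checks
     * @return true when verification succeeded
     * @throws OAuthException (as {@link InvalidGrantException}) on any verification failure
     */
    @FFDCIgnore({InvalidKeyException.class, SignatureException.class, IllegalStateException.class})
    public boolean verifySignature(SystemClock systemClock) throws OAuthException {
        if (this._jwtParts == null) {
            Tr.error(tc, "JWT_JWTTOKEN_NO_TOKEN_ERR", new Object[0]);
            throw formatException("JWT_JWTTOKEN_NO_TOKEN_ERR", null, new Object[0]);
        }
        // Segment count is checked before any segment is indexed: a token such as "." is
        // accepted by splitTokenString but splits to an empty array, which would otherwise
        // surface as ArrayIndexOutOfBoundsException instead of a clean rejection.
        if (this._jwtParts.length <= 2) {
            Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_SEGMENT_ERR", this._clientId, this._signAlgorithm);
            throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_SEGMENT_ERR", null, this._clientId, this._signAlgorithm);
        }
        String expectedAlg = this._signAlgorithm;
        try {
            // The algorithm used for verification comes from configuration, never from the
            // token; the token's alg header may only confirm it. A non-object header makes
            // getAsJsonObject() throw IllegalStateException, which the catch below maps to
            // an InvalidGrantException.
            JsonElement algHeader = new JsonParser().parse(JsonTokenUtil.fromBase64ToJsonString(this._jwtParts[0])).getAsJsonObject().get("alg");
            if (algHeader != null) {
                String tokenAlg = algHeader.getAsString();
                if (!tokenAlg.equalsIgnoreCase(expectedAlg)) {
                    Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", this._clientId, tokenAlg, expectedAlg);
                    throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", null, this._clientId, tokenAlg, expectedAlg);
                }
            }
            // NOTE(review): a header without an alg entry passes the check above and is left
            // to the parser to reject; rejecting it here explicitly would be stricter.
            VerifierProviders verifierProviders = createVerifierProviders(expectedAlg);
            this._jsonToken = new JsonTokenParser(systemClock, verifierProviders, new IgnoreAudience()).verifyAndDeserialize(this._tokenString);
            populateViews();
            return true;
        } catch (IllegalStateException e) {
            Object[] args = new Object[] { this._clientId, messageOrType(e) };
            Tr.error(tc, "JWT_JWTTOKEN_ILLEGAL_STATE_ERR", args);
            throw formatException("JWT_JWTTOKEN_ILLEGAL_STATE_ERR", e, args);
        } catch (InvalidKeyException e) {
            Object[] args = new Object[] { this._clientId, messageOrType(e), expectedAlg };
            Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_INVALIDKEY_ERR", args);
            throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_INVALIDKEY_ERR", e, args);
        } catch (SignatureException e) {
            Object[] args = new Object[] { this._clientId, messageOrType(e) };
            Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR", args);
            throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR", e, args);
        }
    }

    /**
     * Builds the verifier map for the configured algorithm from {@code _key}.
     *
     * @param alg configured algorithm, expected to be "RS256" or "HS256"
     * @return providers holding exactly one verifier for {@code alg}
     * @throws InvalidKeyException if the key has the wrong type for {@code alg}, or {@code alg}
     *                             is not supported (previously this left the provider map null
     *                             and relied on the parser to fail)
     */
    private VerifierProviders createVerifierProviders(String alg) throws InvalidKeyException {
        VerifierProviders providers = new VerifierProviders();
        if ("RS256".equals(alg)) {
            // Explicit type check so a misconfigured key is reported as INVALIDKEY_ERR
            // rather than escaping as a ClassCastException.
            if (!(this._key instanceof PublicKey)) {
                throw new InvalidKeyException("Not a valid key");
            }
            final RsaSHA256Verifier rsaVerifier = new RsaSHA256Verifier((PublicKey) this._key);
            providers.setVerifierProvider(SignatureAlgorithm.RS256, new VerifierProvider() {
                @Override // net.oauth.jsontoken.discovery.VerifierProvider
                public List<Verifier> findVerifier(String issuer, String keyId) {
                    return Lists.newArrayList(rsaVerifier);
                }
            });
        } else if ("HS256".equals(alg)) {
            final HmacSHA256Verifier hmacVerifier = new HmacSHA256Verifier(hmacSecretBytes());
            providers.setVerifierProvider(SignatureAlgorithm.HS256, new VerifierProvider() {
                @Override // net.oauth.jsontoken.discovery.VerifierProvider
                public List<Verifier> findVerifier(String issuer, String keyId) {
                    return Lists.newArrayList(hmacVerifier);
                }
            });
        } else {
            throw new InvalidKeyException("Unsupported signature algorithm: " + alg);
        }
        return providers;
    }

    /**
     * Returns the HS256 shared secret as bytes.
     *
     * @return the secret bytes (UTF-8 encoded when the key is a String)
     * @throws InvalidKeyException if {@code _key} is neither a String nor a byte[]
     */
    private byte[] hmacSecretBytes() throws InvalidKeyException {
        if (this._key instanceof String) {
            // StandardCharsets.UTF_8 is always available, so the checked
            // UnsupportedEncodingException path of getBytes(String) is unnecessary.
            return ((String) this._key).getBytes(StandardCharsets.UTF_8);
        }
        if (this._key instanceof byte[]) {
            return (byte[]) this._key;
        }
        throw new InvalidKeyException("Not a valid key");
    }

    /** @return the exception message, or its simple class name when the message is null */
    private static String messageOrType(Throwable t) {
        return t.getMessage() == null ? t.getClass().getSimpleName() : t.getMessage();
    }

    /**
     * Splits a compact-serialized token on ".".
     *
     * <p>Exactly three segments are accepted. A token ending in "." (empty trailing segment,
     * e.g. an unsigned token) is also accepted here so its header and payload can still be
     * read; {@link #verifySignature(SystemClock)} rejects such a token because
     * {@code String.split} drops the trailing empty segment.
     *
     * @param tokenString compact token; null is treated as zero segments
     * @return the segments
     * @throws InvalidGrantException if the segment count is not acceptable
     */
    public String[] splitTokenString(String tokenString) throws InvalidGrantException {
        String[] segments = tokenString == null ? new String[0] : tokenString.split(Pattern.quote("."));
        boolean trailingDot = tokenString != null && tokenString.endsWith(".");
        if (trailingDot || segments.length == 3) {
            return segments;
        }
        Tr.error(tc, "JWT_JWTTOKEN_BAD_SEGMENTS_ERR", Integer.valueOf(segments.length));
        throw formatException("JWT_JWTTOKEN_BAD_SEGMENTS_ERR", null, Integer.valueOf(segments.length));
    }

    /**
     * Wraps a localized message (and optional cause) in an {@link InvalidGrantException}.
     *
     * @param msgKey message key in the OidcCommonMessages bundle
     * @param cause  underlying exception, or null
     * @param args   message arguments; must not contain key material
     * @return the exception to throw
     */
    private InvalidGrantException formatException(String msgKey, Throwable cause, Object... args) {
        return new InvalidGrantException(Tr.formatMessage(tc, msgKey, args), cause);
    }
}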
