package org.wso2.choreo.connect.enforcer.util;

import com.google.common.cache.LoadingCache;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.text.ParseException;
import java.util.Base64;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.json.JSONObject;
import org.wso2.choreo.connect.enforcer.common.CacheProvider;
import org.wso2.choreo.connect.enforcer.config.ConfigHolder;
import org.wso2.choreo.connect.enforcer.constants.Constants;
import org.wso2.choreo.connect.enforcer.exception.EnforcerException;
import org.wso2.choreo.connect.enforcer.security.jwt.SignedJWTInfo;

/* loaded from: input_file:org/wso2/choreo/connect/enforcer/util/JWTUtils.class */
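/**
 * Static helpers used by the enforcer for JWT handling: fetching a JWKS document,
 * verifying RSA signatures, loading a PKCS#8 private key, parsing (and caching) signed
 * JWTs, and checking the {@code exp} claim.
 *
 * <p>Only {@code verifyTokenSignature} establishes that a token is authentic.
 * {@link #getSignedJwt(String)} and {@link #isExpired(String)} read token contents
 * without verifying the signature, so their results must not be trusted on their own.
 */
public class JWTUtils {
    private static final Logger log = LogManager.getLogger(JWTUtils.class);

    /**
     * Fetches the JWKS document at the given URL with an HTTP GET.
     *
     * <p>The HTTP client is chosen by {@code FilterUtils.getHttpClient} from the URL's
     * protocol. NOTE(review): nothing here restricts the scheme; if a plain-{@code http}
     * JWKS endpoint is configured, the signing keys are fetched without transport
     * integrity and can be replaced in transit. Confirm that callers only pass
     * {@code https} URLs from trusted configuration. The response body is read fully
     * into memory with no size limit.
     *
     * @param jwksUrl absolute URL of the JWKS endpoint
     * @return the response body decoded as UTF-8 (JSON's default encoding), or
     *     {@code null} when the status code is not 200 or the response has no entity
     * @throws IOException if the URL is malformed or the request/response I/O fails
     */
    public static String retrieveJWKSConfiguration(String jwksUrl) throws IOException {
        String protocol = new URL(jwksUrl).getProtocol();
        // try-with-resources closes content, response and client in that order,
        // including on the early-return and exception paths.
        try (CloseableHttpClient httpClient = (CloseableHttpClient) FilterUtils.getHttpClient(protocol);
             CloseableHttpResponse response = httpClient.execute(new HttpGet(jwksUrl))) {
            if (response.getStatusLine().getStatusCode() != 200) {
                return null;
            }
            if (response.getEntity() == null) {
                // A 200 without a body carries no key set; report it like a failed fetch.
                return null;
            }
            try (InputStream content = response.getEntity().getContent()) {
                // Decode explicitly as UTF-8 instead of the platform default charset so
                // the result does not vary with the host's locale settings.
                return IOUtils.toString(content, StandardCharsets.UTF_8);
            }
        }
    }

    /**
     * Verifies the signature of a JWT with the given RSA public key.
     *
     * <p>The header's {@code alg} value is checked against a fixed allow-list
     * (RS256, RS384, RS512) before verification, so a token that declares any other
     * algorithm is rejected rather than handed to the verifier.
     *
     * @param signedJWT the parsed token to verify
     * @param publicKey RSA public key expected to have signed the token
     * @return {@code true} only if the algorithm is allowed and the signature verifies;
     *     {@code false} on an unsupported algorithm or a verification error
     */
    public static boolean verifyTokenSignature(SignedJWT signedJWT, RSAPublicKey publicKey) {
        if (!isSupportedRsaAlgorithm(signedJWT.getHeader().getAlgorithm())) {
            // The key is typed as RSA here; what failed is the token's declared algorithm.
            // The header value is attacker-controlled, so it is deliberately not logged.
            log.error("JWT signature algorithm is not a supported RSA algorithm");
            return false;
        }
        try {
            return signedJWT.verify(new RSASSAVerifier(publicKey));
        } catch (JOSEException e) {
            log.error("Error while verifying JWT signature", e);
            return false;
        }
    }

    /**
     * Verifies the signature of a JWT with the certificate stored under {@code alias}
     * in the enforcer's JWT trust store.
     *
     * @param signedJWT the parsed token to verify
     * @param alias trust-store alias of the certificate to verify against
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws EnforcerException if no certificate exists for the alias, the token's
     *     algorithm is not RS256/RS384/RS512, the certificate's key is not an RSA key,
     *     or the trust store cannot be read
     */
    public static boolean verifyTokenSignature(SignedJWT signedJWT, String alias) throws EnforcerException {
        try {
            Certificate certificate = ConfigHolder.getInstance().getTrustStoreForJWT().getCertificate(alias);
            if (certificate == null) {
                log.error("Couldn't find a public certificate to verify the signature");
                throw new EnforcerException("Couldn't find a public certificate to verify the signature");
            }
            if (!isSupportedRsaAlgorithm(signedJWT.getHeader().getAlgorithm())) {
                log.error("JWT signature algorithm is not a supported RSA algorithm");
                // Exception text kept as it was for callers that surface or match it.
                throw new EnforcerException("Public key is not RSA");
            }
            if (!(certificate.getPublicKey() instanceof RSAPublicKey)) {
                // Without this check a non-RSA certificate (e.g. EC) under the alias
                // would escape as an unchecked ClassCastException.
                log.error("Public key is not RSA");
                throw new EnforcerException("Public key is not RSA");
            }
            return verifyTokenSignature(signedJWT, (RSAPublicKey) certificate.getPublicKey());
        } catch (KeyStoreException e) {
            throw new EnforcerException("Error while retrieving the certificate for JWT verification.", e);
        }
    }

    /** Returns whether {@code algorithm} is one of the RSA PKCS#1 v1.5 algorithms this class accepts. */
    private static boolean isSupportedRsaAlgorithm(JWSAlgorithm algorithm) {
        return JWSAlgorithm.RS256.equals(algorithm)
                || JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.RS512.equals(algorithm);
    }

    /**
     * Loads an RSA private key from a PEM file containing a PKCS#8 key.
     *
     * <p>The begin/end markers ({@code Constants.BEGINING_OF_PRIVATE_KEY} and
     * {@code Constants.END_OF_PRIVATE_KEY}) and all line breaks and other whitespace are
     * stripped before Base64 decoding, so the file's line-ending style (LF or CRLF) does
     * not need to match the host platform.
     *
     * @param filePath path of the PEM file
     * @return the decoded RSA private key
     * @throws EnforcerException if the file cannot be read, is not valid Base64, or does
     *     not contain a PKCS#8 RSA key; the underlying exception is attached as the cause
     */
    public static PrivateKey getPrivateKey(String filePath) throws EnforcerException {
        try {
            String pem = Files.readString(Paths.get(filePath), StandardCharsets.UTF_8);
            String base64Body = pem
                    .replace(Constants.BEGINING_OF_PRIVATE_KEY, "")
                    // Line breaks go first (as before), then the end marker, which
                    // contains spaces and so must be removed before the final strip.
                    .replaceAll("[\\r\\n]", "")
                    .replace(Constants.END_OF_PRIVATE_KEY, "")
                    .replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(base64Body);
            return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (IOException | NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
            // IllegalArgumentException is what the Base64 decoder throws on malformed input.
            // Only the exception is logged; never log the file contents (key material).
            log.debug("Error obtaining private key", e);
            throw new EnforcerException("Error obtaining private key", e);
        }
    }

    /**
     * Parses a compact-serialized signed JWT, using the gateway's parse cache when one
     * is available.
     *
     * <p>The cache is keyed by the token's signature segment. A cached entry is reused
     * only if its stored token string equals the full input, so two tokens that share a
     * signature segment but differ elsewhere never share a parse result; on a mismatch
     * the token is parsed again and the entry is overwritten.
     *
     * <p>Parsing does not verify the signature: neither a returned value nor a cache
     * hit says anything about the token's authenticity.
     *
     * @param token the JWT in compact form ({@code header.payload.signature})
     * @return the parsed token together with its claims
     * @throws ParseException if the token is {@code null}, has fewer than three
     *     dot-separated segments, or cannot be parsed as a signed JWT
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    public static SignedJWTInfo getSignedJwt(String token) throws ParseException {
        if (token == null) {
            throw new ParseException("JWT is null", 0);
        }
        String[] segments = token.split("\\.");
        if (segments.length < 3) {
            // The token is untrusted input; report a malformed one through the declared
            // exception instead of an ArrayIndexOutOfBoundsException.
            throw new ParseException("JWT does not have three dot-separated segments", 0);
        }
        String signature = segments[2];

        // Raw type: the cache's declared type parameters are not visible from this class.
        LoadingCache parseCache = CacheProvider.getGatewaySignedJWTParseCache();
        if (parseCache == null) {
            return parseSignedJwt(token);
        }

        Object cached = parseCache.getIfPresent(signature);
        if (cached instanceof SignedJWTInfo) {
            SignedJWTInfo cachedInfo = (SignedJWTInfo) cached;
            if (token.equals(cachedInfo.getToken())) {
                return cachedInfo;
            }
        }
        SignedJWTInfo parsed = parseSignedJwt(token);
        parseCache.put(signature, parsed);
        return parsed;
    }

    /** Parses {@code token} and bundles it with its claims set; no caching, no verification. */
    private static SignedJWTInfo parseSignedJwt(String token) throws ParseException {
        SignedJWT signedJWT = SignedJWT.parse(token);
        return new SignedJWTInfo(token, signedJWT, signedJWT.getJWTClaimsSet());
    }

    /**
     * Reports whether the token's {@code exp} claim is within the configured timestamp
     * skew of the current time, or already past it.
     *
     * <p>The payload is Base64url-decoded and read as JSON directly; the signature is
     * NOT verified here. Use this only on tokens whose origin is already established
     * (for example after {@code verifyTokenSignature}), never as an authorization
     * decision for an unverified token.
     *
     * <p>NOTE(review): {@code exp} is compared directly with
     * {@code System.currentTimeMillis()}, i.e. it is treated as milliseconds. RFC 7519
     * defines {@code exp} in seconds; for such tokens this method would always return
     * {@code true}. Confirm that every token passed here carries {@code exp} in
     * milliseconds.
     *
     * @param token the JWT in compact form
     * @return {@code true} if {@code exp - now} is smaller than the skew (in ms)
     * @throws RuntimeException (unchecked: index, Base64 or JSON errors) if the token is
     *     malformed or has no numeric {@code exp} claim
     */
    public static boolean isExpired(String token) {
        String payloadSegment = token.split("\\.")[1];
        // JWT payloads are UTF-8 JSON; do not depend on the platform default charset.
        String payloadJson = new String(Base64.getUrlDecoder().decode(payloadSegment), StandardCharsets.UTF_8);
        long exp = new JSONObject(payloadJson).getLong("exp");
        long remaining = exp - System.currentTimeMillis();
        return remaining < FilterUtils.getTimeStampSkewInSeconds() * 1000;
    }
}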
