package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import com.sap.cloud.security.xsuaa.client.DefaultOidcConfigurationService;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtSignatureValidator.class */
/**
 * Validates the signature of a JWT ({@link Token}) against a public key.
 *
 * <p>Verification flow (see {@link #validate(Token)}): the JWKS URI, key id and
 * algorithm are derived from the configuration and the token header, the public key
 * is looked up through {@code tokenKeyService}, and the compact JWS is verified with
 * {@link java.security.Signature}. If the key lookup fails and the configuration
 * carries a {@code verificationkey} property, that PEM-encoded key is used instead.
 *
 * <p>Security note: the verification algorithm is always RS256 (see
 * {@link #getOrDefaultSignatureAlgorithm(Token)}); the token's {@code alg} header is
 * only checked for being a known value. The {@code jku} header and {@code iss} claim
 * used to locate the JWKS come from the not-yet-verified token — see the notes on
 * {@link #getOrRequestJwksUri(Token)}.
 *
 * <p>Decompiled output: parameter names such as {@code str}, {@code str2} are
 * synthetic; the meaning of each is documented on the respective method.
 */
/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtSignatureValidator.class */
public class JwtSignatureValidator implements Validator<Token> {
    // Resolves (keyId, jwksUri, zoneId) to a PublicKey; see Validation.setPublicKey.
    private final OAuth2TokenKeyServiceWithCache tokenKeyService;
    // Resolves an OIDC discovery endpoint to its jwks_uri; see getOrRequestJwksUri.
    private final OidcConfigurationServiceWithCache oidcConfigurationService;
    // Not final in the decompiled class, but only assigned in the constructor,
    // where it is asserted non-null.
    private OAuth2ServiceConfiguration configuration;

    /**
     * Per-call state holder for one signature verification: the selected algorithm,
     * the public key and the {@link Signature} engine. A fresh instance is created
     * for every call (see {@link JwtSignatureValidator#validate(String, String, String, String, String, String)}),
     * so the mutable fields are never shared between tokens.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtSignatureValidator$Validation.class */
    public static class Validation {
        // Set by setSupportedJwtAlgorithm; stays null if a null algorithm string is passed.
        JwtSignatureAlgorithm jwtSignatureAlgorithm;
        // Set by setPublicKey, or by the PEM 'verificationkey' fallback in validate.
        PublicKey publicKey;
        // Set by setPublicSignatureForKeyType from jwtSignatureAlgorithm.javaSignature().
        Signature publicSignature;
        // Splits the compact JWS "header.payload.signature" on the literal dot.
        private static final Pattern DOT = Pattern.compile("\\.", 0);

        private Validation() {
        }

        static Validation getInstance() {
            return new Validation();
        }

        /**
         * Runs the full verification for one token.
         *
         * @param oAuth2TokenKeyServiceWithCache key lookup service
         * @param str  the raw token value (compact JWS)
         * @param str2 the signature algorithm name, e.g. {@code "RS256"}
         * @param str3 the key id to look up
         * @param uri  the JWKS endpoint to fetch keys from
         * @param str4 optional PEM-encoded public key used as a fallback when the key
         *             lookup fails (the configured {@code verificationkey}); may be null
         * @param str5 optional zone id forwarded to the key lookup; may be null
         * @return a valid result only if the signature verifies; otherwise an invalid
         *         result whose message names the failing step
         */
        ValidationResult validate(OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache, String str, String str2, String str3, URI uri, @Nullable String str4, @Nullable String str5) {
            ValidationResult supportedJwtAlgorithm = setSupportedJwtAlgorithm(str2);
            if (supportedJwtAlgorithm.isErroneous()) {
                return supportedJwtAlgorithm;
            }
            ValidationResult publicKey = setPublicKey(oAuth2TokenKeyServiceWithCache, str3, uri, str5);
            if (publicKey.isErroneous()) {
                if (str4 == null) {
                    return publicKey;
                }
                // Fallback: any key-lookup failure (missing kid, transport error, key
                // parsing error) is replaced by the configured PEM key. Note that the
                // fallback ignores the requested key id (str3) and always parses the
                // PEM as an RS256 key, while the Signature engine below is still chosen
                // from jwtSignatureAlgorithm.
                try {
                    this.publicKey = JsonWebKeyImpl.createPublicKeyFromPemEncodedPublicKey(JwtSignatureAlgorithm.RS256, str4);
                } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                    return ValidationResults.createInvalid("Error occurred during signature validation: ({}). Fallback with configured 'verificationkey' was not successful.", e.getMessage());
                }
            }
            ValidationResult publicSignatureForKeyType = setPublicSignatureForKeyType();
            return publicSignatureForKeyType.isErroneous() ? publicSignatureForKeyType : validateTokenSignature(str, this.publicKey, this.publicSignature);
        }

        /**
         * Resolves the algorithm name into {@link #jwtSignatureAlgorithm}.
         *
         * <p>A null name is reported as valid without setting the field; the later
         * steps then dereference a null algorithm. The package-private entry point
         * asserts the name is non-empty, so this branch is not reached from there.
         *
         * @param str algorithm name as it appears in a JWT {@code alg} header
         * @return invalid if the name is not a known {@link JwtSignatureAlgorithm}
         */
        private ValidationResult setSupportedJwtAlgorithm(String str) {
            if (str == null) {
                return ValidationResults.createValid();
            }
            this.jwtSignatureAlgorithm = JwtSignatureAlgorithm.fromValue(str);
            return this.jwtSignatureAlgorithm != null ? ValidationResults.createValid() : ValidationResults.createInvalid("Jwt token with signature algorithm '{}' is not supported.", str);
        }

        /**
         * Looks up the public key for the given key id at the given JWKS URI and
         * stores it in {@link #publicKey}.
         *
         * @param oAuth2TokenKeyServiceWithCache key lookup service
         * @param str  key id
         * @param uri  JWKS endpoint
         * @param str2 zone id, may be null
         * @return invalid if no key is found, if the service call fails
         *         ({@link OAuth2ServiceException}) or if the JWK cannot be turned
         *         into a {@link PublicKey}
         */
        private ValidationResult setPublicKey(OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache, String str, URI uri, String str2) {
            try {
                this.publicKey = oAuth2TokenKeyServiceWithCache.getPublicKey(this.jwtSignatureAlgorithm, str, uri, str2);
                return this.publicKey == null ? ValidationResults.createInvalid("There is no Json Web Token Key with keyId '{}' and type '{}' to prove the identity of the Jwt.", str, this.jwtSignatureAlgorithm.type()) : ValidationResults.createValid();
            } catch (OAuth2ServiceException e) {
                return ValidationResults.createInvalid("Error retrieving Json Web Keys from Identity Service: {}.", e.getMessage());
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e2) {
                return ValidationResults.createInvalid("Error creating PublicKey from Json Web Key received from {}: {}.", uri, e2.getMessage());
            }
        }

        /**
         * Obtains the {@link Signature} engine named by
         * {@code jwtSignatureAlgorithm.javaSignature()} and stores it in
         * {@link #publicSignature}.
         *
         * @return invalid if the JCA provider does not offer that algorithm
         */
        private ValidationResult setPublicSignatureForKeyType() {
            try {
                this.publicSignature = Signature.getInstance(this.jwtSignatureAlgorithm.javaSignature());
                return ValidationResults.createValid();
            } catch (NoSuchAlgorithmException e) {
                return ValidationResults.createInvalid("Jwt token with signature algorithm '{}' can not be verified.", this.jwtSignatureAlgorithm.javaSignature());
            }
        }

        /**
         * Verifies the signature of a compact JWS.
         *
         * <p>The signed input is {@code header + "." + payload} as UTF-8 bytes; the
         * third segment is base64url-decoded and passed to {@link Signature#verify}.
         * Every exception from the JCA calls or from the base64 decoder (e.g.
         * {@link IllegalArgumentException} on malformed input) is mapped to an invalid
         * result, so this method fails closed and never throws.
         *
         * @param str       the raw token value; must have exactly three dot-separated segments
         * @param publicKey key to verify against
         * @param signature uninitialised {@link Signature} engine for the token's algorithm
         * @return valid only if the signature verifies
         */
        static ValidationResult validateTokenSignature(String str, PublicKey publicKey, Signature signature) {
            String[] split = DOT.split(str);
            if (split.length != 3) {
                return ValidationResults.createInvalid("Jwt token does not consist of 'header'.'payload'.'signature'.");
            }
            String str2 = split[0] + "." + split[1];
            try {
                signature.initVerify(publicKey);
                signature.update(str2.getBytes(StandardCharsets.UTF_8));
                return signature.verify(Base64.getUrlDecoder().decode(split[2])) ? ValidationResults.createValid() : ValidationResults.createInvalid("Signature of Jwt Token is not valid: the identity provided by the JSON Web Token Key can not be verified.");
            } catch (Exception e) {
                // Deliberately broad: any failure during verification means "not valid".
                return ValidationResults.createInvalid("Error occurred during Json Web Signature Validation: {}.", e.getMessage());
            }
        }
    }

    /**
     * Creates a validator.
     *
     * @param oAuth2ServiceConfiguration    service configuration (service type, URL, legacy flag,
     *                                      optional {@code verificationkey})
     * @param oAuth2TokenKeyServiceWithCache key lookup service
     * @param oidcConfigurationServiceWithCache OIDC discovery service
     * @throws IllegalArgumentException via {@link Assertions#assertNotNull} if any argument is null
     *         (exception type assumed from the helper's name — confirm)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtSignatureValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration, OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache, OidcConfigurationServiceWithCache oidcConfigurationServiceWithCache) {
        Assertions.assertNotNull(oAuth2ServiceConfiguration, "JwtSignatureValidator requires configuration.");
        Assertions.assertNotNull(oAuth2TokenKeyServiceWithCache, "JwtSignatureValidator requires a tokenKeyService.");
        Assertions.assertNotNull(oidcConfigurationServiceWithCache, "JwtSignatureValidator requires a oidcConfigurationService.");
        this.configuration = oAuth2ServiceConfiguration;
        this.tokenKeyService = oAuth2TokenKeyServiceWithCache;
        this.oidcConfigurationService = oidcConfigurationServiceWithCache;
    }

    /**
     * Validates the token's signature.
     *
     * <p>For the IAS service a token without a zone id is rejected up front. The
     * JWKS URI, algorithm and key id are then derived from the token/configuration
     * and passed to the package-private
     * {@link #validate(String, String, String, String, String, String)}.
     *
     * @param token the token to validate
     * @return invalid if the JWKS URI cannot be determined
     *         ({@link OAuth2ServiceException} or {@link IllegalArgumentException}, the
     *         latter also raised for an unsupported {@code alg} header), otherwise the
     *         signature verification result
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        if (Service.IAS == this.configuration.getService() && token.getZoneId() == null) {
            return ValidationResults.createInvalid("Error occurred during signature validation: OIDC token must provide zone_uuid.");
        }
        try {
            String orRequestJwksUri = getOrRequestJwksUri(token);
            String str = null;
            // The null check is redundant: configuration was already dereferenced above
            // and is asserted non-null in the constructor.
            if (this.configuration != null && this.configuration.hasProperty("verificationkey")) {
                str = this.configuration.getProperty("verificationkey");
            }
            return validate(token.getTokenValue(), getOrDefaultSignatureAlgorithm(token), getOrDefaultKeyId(token), orRequestJwksUri, str, token.getZoneId());
        } catch (OAuth2ServiceException | IllegalArgumentException e) {
            return ValidationResults.createInvalid("Error occurred during jwks uri determination: {}", e.getMessage());
        }
    }

    /**
     * Chooses the key id to look up: the fixed legacy id in legacy mode, else the
     * token's {@code kid} header, else {@link JsonWebKey#DEFAULT_KEY_ID}.
     *
     * @param token the token whose header is consulted
     * @return the key id, never null
     */
    @Nonnull
    private String getOrDefaultKeyId(Token token) {
        return this.configuration.isLegacyMode() ? "legacy-token-key" : token.hasHeaderParameter("kid") ? token.getHeaderParameterAsString("kid") : JsonWebKey.DEFAULT_KEY_ID;
    }

    /**
     * Returns the algorithm name used for verification.
     *
     * <p>The token's {@code alg} header is only validated against the known
     * {@link JwtSignatureAlgorithm} values; the returned value is always
     * {@code RS256}. Consequently the header never selects the verification
     * algorithm, which rules out algorithm-confusion via the header but also
     * means any other supported {@code alg} value is still verified as RS256.
     *
     * @param token the token whose header is consulted
     * @return {@code JwtSignatureAlgorithm.RS256.value()}
     * @throws IllegalArgumentException if an {@code alg} header is present but unknown
     */
    @Nonnull
    private String getOrDefaultSignatureAlgorithm(Token token) {
        String headerParameterAsString = token.getHeaderParameterAsString("alg");
        if (token.hasHeaderParameter("alg") && JwtSignatureAlgorithm.fromValue(headerParameterAsString) == null) {
            throw new IllegalArgumentException("Jwt token with signature algorithm '" + headerParameterAsString + "' is not supported.");
        }
        return JwtSignatureAlgorithm.RS256.value();
    }

    /**
     * Determines the JWKS URI to fetch keys from.
     *
     * <ol>
     *   <li>legacy mode: configured URL + {@code /token_keys};</li>
     *   <li>XSUAA: the token's {@code jku} header, taken as-is;</li>
     *   <li>other services: OIDC discovery for the token's {@code iss} claim, using
     *       the discovered {@code jwks_uri};</li>
     *   <li>otherwise an {@link IllegalArgumentException}.</li>
     * </ol>
     *
     * <p>NOTE(review): in cases 2 and 3 the URI origin ({@code jku} header,
     * {@code iss} claim) is read from the token before its signature has been
     * checked, so this method alone does not restrict where keys are fetched from.
     * Confirm that another validator in the chain restricts these values to the
     * trusted identity-provider domain before relying on this one.
     *
     * @param token the token whose header/claims are consulted
     * @return the JWKS URI as a string, never null
     * @throws OAuth2ServiceException   if OIDC discovery fails
     * @throws IllegalArgumentException if neither a usable {@code jku} header nor
     *                                  {@code iss} claim is available
     */
    @Nonnull
    private String getOrRequestJwksUri(Token token) throws OAuth2ServiceException {
        if (this.configuration.isLegacyMode()) {
            return this.configuration.getUrl() + "/token_keys";
        }
        if (this.configuration.getService() == Service.XSUAA && token.hasHeaderParameter("jku")) {
            return token.getHeaderParameterAsString("jku");
        }
        if (this.configuration.getService() != Service.XSUAA && token.hasClaim("iss")) {
            URI jwksUri = this.oidcConfigurationService.getOrRetrieveEndpoints(DefaultOidcConfigurationService.getDiscoveryEndpointUri(token.getClaimAsString("iss"))).getJwksUri();
            if (jwksUri != null) {
                return jwksUri.toString();
            }
        }
        throw new IllegalArgumentException("Token signature can not be validated as jwks uri can not be determined: Token does not provide the required 'jku' header or 'issuer' claim.");
    }

    /**
     * Package-private entry point that verifies a raw token with explicit parameters.
     *
     * @param str  the raw token value (compact JWS); must not be empty
     * @param str2 signature algorithm name; must not be empty
     * @param str3 key id; must not be empty
     * @param str4 JWKS URI as a string; must not be empty and must parse via {@link URI#create}
     * @param str5 optional PEM-encoded fallback public key ({@code verificationkey}); may be null
     * @param str6 optional zone id; may be null
     * @return the result of {@link Validation#validate}
     * @throws IllegalArgumentException if {@code str4} is not a valid URI (from
     *         {@link URI#create}); the {@link Assertions#assertHasText} checks are assumed
     *         to throw the same type — confirm
     */
    ValidationResult validate(String str, String str2, String str3, String str4, @Nullable String str5, @Nullable String str6) {
        Assertions.assertHasText(str, "token must not be null or empty.");
        Assertions.assertHasText(str2, "tokenAlgorithm must not be null or empty.");
        Assertions.assertHasText(str3, "tokenKeyId must not be null or empty.");
        Assertions.assertHasText(str4, "tokenKeysUrl must not be null or empty.");
        return Validation.getInstance().validate(this.tokenKeyService, str, str2, str3, URI.create(str4), str5, str6);
    }
}
