package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.json.JsonObject;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.x509.Certificate;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtX5tValidator.class */
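public class JwtX5tValidator implements Validator<Token> {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtX5tValidator.class);

    /** Result message used for every rejection; the specific reason is only written to the log. */
    private static final String CERT_VALIDATION_FAILED = "Certificate validation failed";

    private final OAuth2ServiceConfiguration config;

    /**
     * Creates a validator that checks a token's certificate binding ({@code cnf} / {@code x5t#S256})
     * against the client certificate held in {@link SecurityContext}.
     *
     * @param oAuth2ServiceConfiguration configuration whose client id the token audience must equal
     */
    public JwtX5tValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        this.config = oAuth2ServiceConfiguration;
    }

    /**
     * Validates that the token is bound to the caller's client certificate.
     *
     * <p>The token is accepted only when all of the following hold:
     * <ul>
     *   <li>the token carries a {@code cnf} claim with an {@code x5t#S256} thumbprint,</li>
     *   <li>a client certificate is present in {@link SecurityContext},</li>
     *   <li>that certificate's thumbprint equals the token thumbprint, and</li>
     *   <li>the token's audience is exactly one entry equal to the configured client id.</li>
     * </ul>
     * Every other case is rejected with the same generic message; details go to the log.
     *
     * @param token the token to validate; must not be {@code null}
     * @return a valid result when the binding and audience checks pass, otherwise an invalid result
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        String tokenThumbprint = extractCnfThumbprintFromToken(token);
        LOGGER.debug("Token 'cnf' thumbprint: {}", tokenThumbprint);
        if (tokenThumbprint == null) {
            // A token without a certificate binding is rejected, not passed through.
            return ValidationResults.createInvalid(CERT_VALIDATION_FAILED);
        }
        Certificate clientCertificate = SecurityContext.getClientCertificate();
        if (clientCertificate == null) {
            LOGGER.error("Client certificate missing from SecurityContext");
            return ValidationResults.createInvalid(CERT_VALIDATION_FAILED);
        }
        String certificateThumbprint = clientCertificate.getThumbprint();
        // Compare from the token side: tokenThumbprint is known non-null here, so a certificate
        // whose getThumbprint() yields null (if that can happen — not visible here) is reported
        // as a mismatch rather than throwing a NullPointerException.
        if (!tokenThumbprint.equals(certificateThumbprint)) {
            LOGGER.error("Thumbprint validation failed -> x5t from token: \"{}\" != thumbprint from client certificate: \"{}\"", tokenThumbprint, certificateThumbprint);
            return ValidationResults.createInvalid(CERT_VALIDATION_FAILED);
        }
        if (!hasExactAudience(token)) {
            LOGGER.error("Audience validation failed -> \"aud\": {} != \"clientid\": \"{}\"", token.getAudiences(), this.config.getClientId());
            return ValidationResults.createInvalid(CERT_VALIDATION_FAILED);
        }
        return ValidationResults.createValid();
    }

    /**
     * Returns whether the token's audience consists of exactly one entry equal to the configured
     * client id. A token addressed to additional audiences is not accepted.
     */
    private boolean hasExactAudience(Token token) {
        return token.getAudiences().size() == 1 && token.getAudiences().contains(this.config.getClientId());
    }

    /**
     * Reads the {@code x5t#S256} member of the token's {@code cnf} claim.
     *
     * @param token the token to inspect
     * @return the thumbprint string, or {@code null} when the {@code cnf} claim is absent (whether a
     *         missing {@code x5t#S256} member also yields {@code null} depends on
     *         {@link JsonObject#getAsString})
     */
    @Nullable
    private static String extractCnfThumbprintFromToken(Token token) {
        JsonObject cnfClaim = token.getClaimAsJsonObject("cnf");
        if (cnfClaim == null) {
            return null;
        }
        return cnfClaim.getAsString("x5t#S256");
    }
}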
