package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLEncoder;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/XsuaaJwtSignatureValidator.class */
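/**
 * JWT signature validator that resolves the verification key from a {@code /token_keys}
 * endpoint and, when that is not possible, from the PEM-encoded {@code verificationkey}
 * property of the service configuration.
 *
 * <p>Security note: the {@code kid} header and the app tenant id are read from the token
 * <em>before</em> its signature has been verified, so both are untrusted input in this class.
 * The host of the key endpoint is taken from the service configuration only.
 */
public class XsuaaJwtSignatureValidator extends JwtSignatureValidator {
    /** Name of the configuration property holding the PEM-encoded fallback key. */
    private static final String VERIFICATION_KEY = "verificationkey";

    /* JADX INFO: Access modifiers changed from: package-private */
    public XsuaaJwtSignatureValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration, OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache, OidcConfigurationServiceWithCache oidcConfigurationServiceWithCache) {
        super(oAuth2ServiceConfiguration, oAuth2TokenKeyServiceWithCache, oidcConfigurationServiceWithCache);
    }

    /**
     * Resolves the public key used to verify the signature of {@code token}.
     *
     * <p>The key is requested from the token-keys endpoint first. If that request throws and no
     * {@code verificationkey} property is configured, the exception is propagated unchanged.
     * If the property is configured, the lookup failure is discarded and the configured key is
     * used instead.
     *
     * @param token the token whose signature is to be verified
     * @param jwtSignatureAlgorithm the algorithm passed on to the token-key lookup
     * @return the resolved key; {@code null} if the lookup returned {@code null} and no
     *     {@code verificationkey} is configured
     * @throws OAuth2ServiceException if the lookup failed and no fallback key is configured
     * @throws InvalidKeySpecException if the lookup failed and no fallback key is configured
     * @throws NoSuchAlgorithmException if the lookup failed and no fallback key is configured
     * @throws IllegalArgumentException if the lookup rejected the token and no fallback key is
     *     configured, or if the configured fallback key cannot be parsed
     */
    @Override // com.sap.cloud.security.token.validation.validators.JwtSignatureValidator
    protected PublicKey getPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm) throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException {
        PublicKey resolvedKey = null;
        try {
            resolvedKey = fetchPublicKey(token, jwtSignatureAlgorithm);
        } catch (OAuth2ServiceException | IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            // With a fallback key configured, the lookup failure is deliberately dropped here.
            // NOTE(review): nothing records the failure, so an unreachable or misbehaving key
            // endpoint is invisible to operators whenever verificationkey is set — consider
            // logging it if the parent class exposes a logger.
            if (!this.configuration.hasProperty(VERIFICATION_KEY)) {
                throw e;
            }
        }

        String fallbackPem = this.configuration.hasProperty(VERIFICATION_KEY)
                ? this.configuration.getProperty(VERIFICATION_KEY)
                : null;
        if (resolvedKey == null && fallbackPem != null) {
            try {
                // The fallback key is always parsed as an RS256 key, independent of
                // jwtSignatureAlgorithm.
                resolvedKey = JsonWebKeyImpl.createPublicKeyFromPemEncodedPublicKey(JwtSignatureAlgorithm.RS256, fallbackPem);
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e2) {
                // The original message ended in a logger-style "{}" that was never substituted;
                // append the cause's message instead so the text is complete.
                throw new IllegalArgumentException("Fallback validation key supplied via verificationkey property in service credentials could not be used: " + e2.getMessage(), e2);
            }
        }
        return resolvedKey;
    }

    /**
     * Requests the public key from the token-keys endpoint.
     *
     * <p>In legacy mode the endpoint is {@code <configured url>/token_keys} and the key id is the
     * fixed value {@code legacy-token-key}. Otherwise the endpoint is built from the
     * {@code uaadomain} property plus an optional {@code zid} query parameter, and the key id is
     * the token's {@code kid} header. A location without a scheme is prefixed with
     * {@code https://}.
     *
     * @throws IllegalArgumentException if the token has no {@code kid} header outside legacy
     *     mode, or if the composed location is not a valid URI
     */
    private PublicKey fetchPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm) throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException {
        boolean legacyMode = this.configuration.isLegacyMode();

        String keyId = legacyMode ? "legacy-token-key" : token.getHeaderParameterAsString("kid");
        if (keyId == null) {
            throw new IllegalArgumentException("Token does not contain the mandatory kid header.");
        }

        // Only configuration values contribute to the host and path; the token contributes
        // at most the (encoded) zid query value.
        // NOTE(review): a missing uaadomain property would concatenate as the text "null" if
        // getProperty returns null — confirm that the configuration guarantees the property.
        String keysLocation = legacyMode
                ? this.configuration.getUrl() + "/token_keys"
                : this.configuration.getProperty("uaadomain") + "/token_keys" + composeZidQueryParameter(token);

        URI keysUri = URI.create(keysLocation);
        if (!keysUri.isAbsolute()) {
            keysUri = URI.create("https://" + keysLocation);
        }
        return this.tokenKeyService.getPublicKey(jwtSignatureAlgorithm, keyId, keysUri, Collections.singletonMap("X-zid", token.getAppTid()));
    }

    /**
     * Builds the {@code ?zid=...} query suffix from the token's app tenant id.
     *
     * <p>The tenant id comes from a token whose signature is not yet verified, so it is
     * percent-encoded before being placed in the URL; otherwise characters such as {@code &}
     * or {@code #} could add query parameters or cut the URL short.
     *
     * @return the query suffix, or an empty string if the tenant id is {@code null} or blank
     */
    private String composeZidQueryParameter(Token token) {
        String appTid = token.getAppTid();
        if (appTid == null || appTid.trim().isEmpty()) {
            return "";
        }
        try {
            return "?zid=" + URLEncoder.encode(appTid, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a charset every Java platform is required to support.
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }
}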
