package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.json.JsonObject;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.x509.Certificate;
import com.sap.cloud.security.xsuaa.Assertions;
import javax.annotation.Nullable;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtX5tValidator.class */
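/**
 * Validates that a token is bound to the client certificate of the current request.
 *
 * <p>The token's {@code cnf} (confirmation) claim must carry an {@code x5t#S256} entry, the
 * certificate-thumbprint confirmation method used for certificate-bound access tokens
 * (RFC 8705). That value is compared with the thumbprint of the certificate returned by
 * {@link SecurityContext#getClientCertificate()}. Every failure path yields an invalid
 * {@link ValidationResult}; only an exact string match is accepted.
 *
 * <p>NOTE(review): the check is only as strong as the source of the certificate placed in the
 * {@link SecurityContext}. This class does not show where that certificate comes from; confirm
 * that it is taken from the authenticated TLS session or from a header that only a trusted
 * proxy can set, and never from a value the caller controls.
 */
public class JwtX5tValidator implements Validator<Token> {
    /**
     * Creates the validator.
     *
     * <p>The configuration is only checked for non-null here; it is not stored or read by this
     * class.
     *
     * @param oAuth2ServiceConfiguration the service configuration, must not be null
     */
    public JwtX5tValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        Assertions.assertNotNull(oAuth2ServiceConfiguration, "Service configuration must not be null");
    }

    /**
     * Compares the token's {@code cnf.x5t#S256} thumbprint with the client certificate thumbprint.
     *
     * @param token the token to check, may be null
     * @return a valid result when both thumbprints are equal; an invalid result when the token is
     *     null, the token has no thumbprint confirmation, no client certificate is present in the
     *     {@link SecurityContext}, or the thumbprints differ
     */
    @Override
    public ValidationResult validate(Token token) {
        if (token == null) {
            return ValidationResults.createInvalid("No token passed to validate certificate thumbprint");
        }
        String tokenThumbprint = extractCnfThumbprintFromToken(token);
        if (tokenThumbprint == null) {
            // Fail closed: a token without a confirmation claim is rejected, not treated as unbound.
            return ValidationResults.createInvalid("Token doesn't contain certificate thumbprint confirmation method");
        }
        Certificate clientCertificate = SecurityContext.getClientCertificate();
        if (clientCertificate == null) {
            return ValidationResults.createInvalid("Client certificate missing from SecurityContext");
        }
        String certificateThumbprint = clientCertificate.getThumbprint();
        // Compare from the value already known to be non-null. Whether getThumbprint() can return
        // null is not visible from this class; if it does, the token is rejected as a mismatch
        // instead of failing with a NullPointerException inside the validation chain.
        // NOTE(review): equality is exact, so both sides must use the same encoding of the
        // SHA-256 thumbprint (presumably base64url as in the x5t#S256 claim) - confirm in Certificate.
        if (tokenThumbprint.equals(certificateThumbprint)) {
            return ValidationResults.createValid();
        }
        return ValidationResults.createInvalid("Certificate thumbprint validation failed with Token 'cnf' thumbprint: {} != {}", tokenThumbprint, certificateThumbprint);
    }

    /**
     * Reads the {@code x5t#S256} entry of the token's {@code cnf} claim.
     *
     * @param token the token to read from, must not be null
     * @return the value returned for {@code x5t#S256}, or null when the token has no {@code cnf}
     *     claim
     */
    @Nullable
    private static String extractCnfThumbprintFromToken(Token token) {
        JsonObject confirmationClaim = token.getClaimAsJsonObject("cnf");
        if (confirmationClaim == null) {
            return null;
        }
        return confirmationClaim.getAsString("x5t#S256");
    }
}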
