package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.ValidationResults;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.Assertions;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/JwtSignatureValidator.class */
/**
 * Base class for validators that check the JWS signature of a {@link Token}.
 *
 * <p>Subclasses supply the public key ({@link #getPublicKey}); this class
 * resolves the signature algorithm from the token's {@code alg} header and
 * performs the actual verification over the {@code header.payload} part of the
 * compact serialization.
 *
 * <p>NOTE(review): the set of accepted algorithms is whatever
 * {@code JwtSignatureAlgorithm.fromValue} returns non-null for; an {@code alg}
 * value it does not know is rejected here rather than falling back to a default.
 */
abstract class JwtSignatureValidator implements Validator<Token> {
    protected final OAuth2TokenKeyServiceWithCache tokenKeyService;
    protected final OidcConfigurationServiceWithCache oidcConfigurationService;
    protected final OAuth2ServiceConfiguration configuration;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a validator bound to the given service configuration and key/OIDC caches.
     *
     * @param oAuth2ServiceConfiguration       the service configuration, must not be {@code null}
     * @param oAuth2TokenKeyServiceWithCache   the (cached) token key service, must not be {@code null}
     * @param oidcConfigurationServiceWithCache the (cached) OIDC configuration service, must not be {@code null}
     */
    public JwtSignatureValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration, OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache, OidcConfigurationServiceWithCache oidcConfigurationServiceWithCache) {
        // Fail fast on missing collaborators; the messages are part of the observable behaviour.
        Assertions.assertNotNull(oAuth2ServiceConfiguration, "JwtSignatureValidator requires configuration.");
        Assertions.assertNotNull(oAuth2TokenKeyServiceWithCache, "JwtSignatureValidator requires a tokenKeyService.");
        Assertions.assertNotNull(oidcConfigurationServiceWithCache, "JwtSignatureValidator requires a oidcConfigurationService.");
        this.tokenKeyService = oAuth2TokenKeyServiceWithCache;
        this.oidcConfigurationService = oidcConfigurationServiceWithCache;
        this.configuration = oAuth2ServiceConfiguration;
    }

    /**
     * Validates the token's signature.
     *
     * <p>Steps: reject a token without content; pick the signature algorithm from the
     * {@code alg} header (RS256 when the header is absent, invalid when the value is
     * unknown); obtain the public key from the subclass; verify the signature.
     * Every failure is reported as an invalid {@link ValidationResult}, never thrown.
     *
     * @param token the token to validate
     * @return a valid result only if the signature verifies against the resolved key
     */
    @Override // com.sap.cloud.security.token.validation.Validator
    public ValidationResult validate(Token token) {
        if (token.getTokenValue() == null) {
            return ValidationResults.createInvalid("JWT token validation failed because token content was null.");
        }

        // Default when no "alg" header is present.
        JwtSignatureAlgorithm algorithm = JwtSignatureAlgorithm.RS256;
        if (token.hasHeaderParameter("alg")) {
            String algHeader = token.getHeaderParameterAsString("alg");
            algorithm = JwtSignatureAlgorithm.fromValue(algHeader);
            // An algorithm this library does not support is a hard reject, not a fallback.
            if (algorithm == null) {
                return ValidationResults.createInvalid("JWT token validation with signature algorithm '" + algHeader + "' is not supported.");
            }
        }

        try {
            // Key lookup is delegated; presumably it selects the key by kid/alg — see subclasses.
            PublicKey key = getPublicKey(token, algorithm);
            if (key == null) {
                return ValidationResults.createInvalid("Token signature can not be validated because JWKS was empty.");
            }
            return validateSignature(token, key, algorithm);
        } catch (OAuth2ServiceException fetchFailure) {
            return ValidationResults.createInvalid("Token signature can not be validated because JWKS could not be fetched: {}", fetchFailure.getMessage());
        } catch (IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException keyFailure) {
            return ValidationResults.createInvalid("Token signature can not be validated because: {}", keyFailure.getMessage());
        }
    }

    /**
     * Resolves the public key that the given token's signature must verify against.
     *
     * @param token                 the token being validated
     * @param jwtSignatureAlgorithm the algorithm resolved from the token's {@code alg} header
     * @return the public key, or {@code null} if none is available (reported as an empty JWKS)
     * @throws OAuth2ServiceException  if the key material could not be fetched
     * @throws InvalidKeySpecException if the key material could not be turned into a key
     * @throws NoSuchAlgorithmException if the key algorithm is not available in this JVM
     */
    protected abstract PublicKey getPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm) throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException;

    /**
     * Verifies the compact-serialized token ({@code header.payload.signature}) with the given key.
     *
     * <p>The signed input is the literal {@code header.payload} text of the token (no
     * re-encoding), and the signature section is base64url-decoded before verification.
     * Any problem during verification yields an invalid result rather than an exception.
     *
     * @param token                 the token whose value is verified
     * @param publicKey             the key to verify with
     * @param jwtSignatureAlgorithm the algorithm whose JCA signature name is used
     * @return valid if the signature verifies, otherwise an invalid result describing why
     */
    protected ValidationResult validateSignature(Token token, PublicKey publicKey, JwtSignatureAlgorithm jwtSignatureAlgorithm) {
        Signature verifier;
        try {
            verifier = Signature.getInstance(jwtSignatureAlgorithm.javaSignature());
        } catch (NoSuchAlgorithmException missingImpl) {
            return ValidationResults.createInvalid("Token signature can not be validated because implementation of algorithm could not be found: {}", missingImpl.getMessage());
        }

        // Compact JWS serialization: exactly three dot-separated sections.
        String[] sections = token.getTokenValue().split("\\.");
        if (sections.length != 3) {
            return ValidationResults.createInvalid("Jwt token does not consist of three sections: 'header'.'payload'.'signature'.");
        }
        String signedInput = sections[0] + "." + sections[1];
        String encodedSignature = sections[2];

        try {
            verifier.initVerify(publicKey);
            verifier.update(signedInput.getBytes(StandardCharsets.UTF_8));
            byte[] rawSignature = Base64.getUrlDecoder().decode(encodedSignature);
            if (verifier.verify(rawSignature)) {
                return ValidationResults.createValid();
            }
            return ValidationResults.createInvalid("Signature of Jwt Token is not valid: the identity provided by the JSON Web Token Key can not be trusted (Signature: {}).", encodedSignature);
        } catch (Exception verifyFailure) {
            // Covers InvalidKeyException, SignatureException and a malformed base64url signature.
            return ValidationResults.createInvalid("Unexpected Error occurred during Json Web Signature Validation: {}.", verifyFailure.getMessage());
        }
    }
}
