package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.XsuaaJkuFactory;
import com.sap.cloud.security.token.validation.validators.OAuth2TokenKeyServiceWithCache;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/XsuaaJwtSignatureValidator.class */
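/**
 * {@link JwtSignatureValidator} for tokens issued by XSUAA.
 *
 * <p>The public key used to verify a token signature is fetched from a JWKS endpoint whose URI is
 * derived either from the bound service configuration ({@code url} in legacy mode, otherwise
 * {@code uaadomain}) or, when a custom {@link XsuaaJkuFactory} service provider is present on the
 * classpath, from that factory. If fetching fails and the service credentials carry a
 * {@code verificationkey} property, that PEM-encoded key is used as a fallback.
 */
class XsuaaJwtSignatureValidator extends JwtSignatureValidator {
    public static final Logger LOGGER = LoggerFactory.getLogger(XsuaaJwtSignatureValidator.class);

    /** Service-credentials property that may hold a PEM-encoded fallback verification key. */
    private static final String VERIFICATION_KEY_PROPERTY = "verificationkey";
    /** Key id used instead of the token's {@code kid} header when the configuration is in legacy mode. */
    private static final String LEGACY_KEY_ID = "legacy-token-key";
    /** Path of the XSUAA JWKS endpoint, appended to the configured base URL / domain. */
    private static final String TOKEN_KEYS_PATH = "/token_keys";

    /**
     * {@link XsuaaJkuFactory} providers discovered via {@link ServiceLoader}. Empty when none is on the
     * classpath or loading failed; only the first entry is ever consulted.
     */
    List<XsuaaJkuFactory> jkuFactories;

    /**
     * Creates the validator and discovers custom JKU factories.
     *
     * @param configuration            the bound XSUAA service configuration
     * @param tokenKeyService          cache-backed client for the JWKS endpoint
     * @param oidcConfigurationService cache-backed client for OIDC discovery (passed through to the base class)
     */
    public XsuaaJwtSignatureValidator(OAuth2ServiceConfiguration configuration,
            OAuth2TokenKeyServiceWithCache tokenKeyService,
            OidcConfigurationServiceWithCache oidcConfigurationService) {
        super(configuration, tokenKeyService, oidcConfigurationService);
        this.jkuFactories = loadJkuFactories();
    }

    /**
     * Loads all {@link XsuaaJkuFactory} service providers from the classpath.
     *
     * <p>Discovery is best-effort: any failure, including {@link ServiceConfigurationError} (an
     * {@code Error}, hence listed explicitly), is logged and the providers collected so far are kept.
     *
     * @return the discovered factories, possibly empty; never {@code null}
     */
    private static List<XsuaaJkuFactory> loadJkuFactories() {
        List<XsuaaJkuFactory> factories = new ArrayList<>();
        try {
            ServiceLoader.load(XsuaaJkuFactory.class).forEach(factories::add);
            LOGGER.debug("loaded XsuaaJkuFactory service providers: {}", factories);
        } catch (Exception | ServiceConfigurationError e) {
            LOGGER.warn("Unexpected failure while loading XsuaaJkuFactory service providers: {}", e.getMessage());
        }
        return factories;
    }

    /**
     * Resolves the public key for the given token, falling back to the configured
     * {@code verificationkey} when the key cannot be fetched from XSUAA.
     *
     * <p>NOTE: the fallback is taken for <em>any</em> fetch failure in the caught set, including a
     * transport or service error talking to the JWKS endpoint. A configured {@code verificationkey}
     * therefore acts as the trust anchor whenever the key service is unreachable or rejects the request.
     *
     * @param token                 the token whose signature is being verified
     * @param jwtSignatureAlgorithm the algorithm declared for the token
     * @return the verification key; never {@code null}
     * @throws OAuth2ServiceException   if the key service failed and no usable fallback key is configured
     *                                  (a failed fallback attempt is attached as a suppressed exception)
     * @throws InvalidKeySpecException  if the fetched key material is invalid and no fallback is configured
     * @throws NoSuchAlgorithmException if the algorithm is unsupported and no fallback is configured
     * @throws IllegalArgumentException if the token lacks a {@code kid} header, the JKU is not a valid URI,
     *                                  or the configured fallback key cannot be parsed
     */
    @Override // com.sap.cloud.security.token.validation.validators.JwtSignatureValidator
    protected PublicKey getPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm)
            throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException {
        try {
            return fetchPublicKey(token, jwtSignatureAlgorithm);
        } catch (OAuth2ServiceException | IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            LOGGER.error("Error fetching public key from XSUAA service: {}", e.getMessage());
            if (!this.configuration.hasProperty(VERIFICATION_KEY_PROPERTY)) {
                throw e;
            }
            // The fallback key is always interpreted as an RS256 PEM public key, regardless of the
            // algorithm declared by the token.
            try {
                return JsonWebKeyImpl.createPublicKeyFromPemEncodedPublicKey(
                        JwtSignatureAlgorithm.RS256, this.configuration.getProperty(VERIFICATION_KEY_PROPERTY));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException fallbackFailure) {
                IllegalArgumentException unusableFallbackKey = new IllegalArgumentException(
                        "Fallback validation key supplied via verificationkey property in service credentials could not be used: "
                                + fallbackFailure.getMessage(),
                        fallbackFailure);
                // Keep the service error as the primary cause when there was one; otherwise the
                // unusable fallback key is the most informative failure to report.
                if (e instanceof OAuth2ServiceException) {
                    e.addSuppressed(unusableFallbackKey);
                    throw e;
                }
                throw unusableFallbackKey;
            }
        }
    }

    /**
     * Fetches the public key identified by the token's {@code kid} from the resolved JWKS endpoint.
     *
     * @throws IllegalArgumentException if the token has no {@code kid} header (unless in legacy mode,
     *                                  where a fixed key id is used) or the JKU is not a valid URI
     */
    private PublicKey fetchPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm)
            throws OAuth2ServiceException, InvalidKeySpecException, NoSuchAlgorithmException {
        String keyId = this.configuration.isLegacyMode() ? LEGACY_KEY_ID : token.getHeaderParameterAsString("kid");
        if (keyId == null) {
            throw new IllegalArgumentException("Token does not contain the mandatory kid header.");
        }
        URI jwksUri = resolveJwksUri(token);
        // The app tid travels twice: as the zid query parameter (non-legacy, no custom factory) and as
        // the X-zid request header. A null app tid is permitted here (singletonMap accepts null values).
        return this.tokenKeyService.getPublicKey(
                new OAuth2TokenKeyServiceWithCache.KeyParameters(jwtSignatureAlgorithm, keyId, jwksUri),
                Collections.singletonMap("X-zid", token.getAppTid()));
    }

    /**
     * Determines the JWKS endpoint URI for the token.
     *
     * <p>Without a custom factory the URI is built purely from the trusted service configuration.
     * With a custom {@link XsuaaJkuFactory} the first discovered factory receives the raw token value
     * and its result is used as-is; such a factory must not derive the endpoint from unverified token
     * content, since the key fetched from it is what the signature is checked against.
     *
     * <p>A relative result is forced onto {@code https} by prefixing the scheme.
     *
     * @throws IllegalArgumentException if the resulting string is not a valid URI
     */
    private URI resolveJwksUri(Token token) {
        String jku;
        if (this.jkuFactories.isEmpty()) {
            jku = this.configuration.isLegacyMode()
                    ? this.configuration.getUrl() + TOKEN_KEYS_PATH
                    : this.configuration.getProperty("uaadomain") + TOKEN_KEYS_PATH + composeZidQueryParameter(token);
        } else {
            LOGGER.info("Loaded custom JKU factory");
            jku = this.jkuFactories.get(0).create(token.getTokenValue());
        }
        URI parsed = URI.create(jku);
        return parsed.isAbsolute() ? parsed : URI.create("https://" + jku);
    }

    /**
     * Builds the {@code ?zid=...} query suffix carrying the token's app tid.
     *
     * <p>NOTE(review): the app tid is appended without URL-encoding. Characters that are illegal in a
     * URI query make the later {@code URI.create} call fail with {@link IllegalArgumentException}.
     *
     * @return the query suffix, or an empty string when the token has no (or a blank) app tid
     */
    private String composeZidQueryParameter(Token token) {
        String appTid = token.getAppTid();
        return (appTid == null || appTid.isBlank()) ? "" : "?zid=" + appTid;
    }
}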
