package org.wso2.carbon.apimgt.authenticator.oidc.util;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import org.wso2.carbon.apimgt.authenticator.oidc.common.AuthClient;
import org.wso2.carbon.apimgt.authenticator.oidc.common.AuthenticationToken;
import org.wso2.carbon.apimgt.authenticator.oidc.common.ServerConfiguration;

/* loaded from: input_file:org/wso2/carbon/apimgt/authenticator/oidc/util/Util.class */
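/**
 * Helpers used by the OIDC authenticator to verify an ID token's signature against the
 * provider's JWKS, validate its standard claims, and fetch the UserInfo document.
 */
public class Util {
    private static final Log log = LogFactory.getLog(Util.class);

    /** Clock skew tolerated, in milliseconds, when checking the exp, nbf and iat claims. */
    private static final long CLOCK_SKEW_MILLIS = 300000L;

    /** Status the provider's JWKS and UserInfo endpoints are expected to answer with. */
    private static final int HTTP_OK = 200;

    /**
     * Verifies the signature of a signed JWT against the RSA keys published at the provider's
     * JWKS URI. The JWKS document is fetched on every call; nothing is cached here.
     * <p>
     * Only RSA keys carrying a key ID are considered. When the token header names a key ID that
     * is present in the JWKS, only that key is tried; when the header has no key ID (or an
     * unknown one) every usable key is tried in turn.
     *
     * @param signedJWT           the token whose signature is checked
     * @param serverConfiguration provides the JWKS URI
     * @return true if a usable JWKS key verifies the signature, false otherwise
     * @throws IOException    if the JWKS document cannot be fetched or the endpoint does not answer with HTTP 200
     * @throws ParseException if the fetched document is not a valid JWK set
     * @throws JOSEException  if a published RSA key cannot be converted to a public key
     */
    public static boolean verifySignature(SignedJWT signedJWT, ServerConfiguration serverConfiguration) throws IOException, ParseException, JOSEException {
        JWKSet jwkSet = JWKSet.parse(fetch(new HttpGet(serverConfiguration.getJwksUri())));

        Map<String, JWSVerifier> verifiers = new HashMap<String, JWSVerifier>();
        for (JWK jwk : jwkSet.getKeys()) {
            // The type test has to happen before any cast: a JWKS may legitimately mix key types,
            // and casting a non-RSA entry would abort the whole verification.
            if (jwk instanceof RSAKey && jwk.getKeyID() != null) {
                verifiers.put(jwk.getKeyID(), new RSASSAVerifier(((RSAKey) jwk).toRSAPublicKey()));
            }
        }
        if (verifiers.isEmpty()) {
            log.error("JWKS did not contain any RSA key with a key ID; cannot verify token signature");
            return false;
        }

        String keyId = signedJWT.getHeader().getKeyID();
        if (keyId != null && verifiers.containsKey(keyId)) {
            // The token names the key it claims to be signed with; do not let another key vouch for it.
            return verifies(signedJWT, verifiers.get(keyId));
        }
        for (JWSVerifier verifier : verifiers.values()) {
            if (verifies(signedJWT, verifier)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Runs one verifier against the token. A verifier error (for example an algorithm the RSA
     * verifier does not support) is logged and treated as "does not verify" so the remaining
     * keys can still be tried.
     */
    private static boolean verifies(SignedJWT signedJWT, JWSVerifier verifier) {
        try {
            return signedJWT.verify(verifier);
        } catch (JOSEException e) {
            log.error("Failed to validate signature, error was: ", e);
            return false;
        }
    }

    /**
     * Validates the standard ID token claims: header algorithm, iss, exp, nbf, iat, aud and nonce.
     * Every check is run even after the first failure so that all problems are logged; the
     * result is false if any check failed.
     * <p>
     * The algorithm check compares the header against the client's configured algorithm. When no
     * algorithm is configured, a missing algorithm or the unsigned {@code none} algorithm is still
     * rejected; anything else is accepted because there is nothing to pin it to. Time-based
     * checks allow {@link #CLOCK_SKEW_MILLIS} of skew in the lenient direction.
     *
     * @param serverConfiguration provides the expected issuer
     * @param authClient          provides the client ID (expected audience) and the expected algorithm, which may be null
     * @param jwt                 the token whose header algorithm is checked
     * @param str                 the nonce stored in the session, which the token's nonce claim must equal
     * @param jWTClaimsSet        the token's claims
     * @return true if every claim check passed
     * @throws Exception if reading the nonce claim fails (it is not a string)
     */
    public static boolean validateIdClaims(ServerConfiguration serverConfiguration, AuthClient authClient, JWT jwt, String str, JWTClaimsSet jWTClaimsSet) throws Exception {
        boolean valid = true;
        String clientId = authClient.getClientId();
        String clientAlgorithm = authClient.getClientAlgorithm();
        Algorithm algorithm = jwt.getHeader().getAlgorithm();

        // Sample the clock once so all time checks agree with each other.
        long now = System.currentTimeMillis();
        Date latestExpiryStillAccepted = new Date(now - CLOCK_SKEW_MILLIS);
        Date earliestStartStillAccepted = new Date(now + CLOCK_SKEW_MILLIS);

        if (clientAlgorithm != null) {
            Algorithm expectedAlgorithm = new Algorithm(clientAlgorithm);
            if (!expectedAlgorithm.equals(algorithm)) {
                valid = false;
                log.error("Token algorithm " + algorithm + " does not match expected algorithm " + expectedAlgorithm);
            }
        } else if (algorithm == null || Algorithm.NONE.equals(algorithm)) {
            // An unsigned token must never pass as an ID token, even when no algorithm is configured.
            valid = false;
            log.error("Token algorithm " + algorithm + " is not acceptable for an ID token");
        }

        String issuer = jWTClaimsSet.getIssuer();
        if (issuer == null) {
            valid = false;
            log.error("Id Token Issuer is null");
        } else if (!issuer.equals(serverConfiguration.getIssuer())) {
            valid = false;
            log.error("Issuers do not match, expected " + serverConfiguration.getIssuer() + " got " + issuer);
        }

        Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime == null) {
            valid = false;
            log.error("Id Token does not have required expiration claim");
        } else if (latestExpiryStillAccepted.after(expirationTime)) {
            valid = false;
            log.error("Id Token is expired: " + expirationTime);
        }

        Date notBeforeTime = jWTClaimsSet.getNotBeforeTime();
        if (notBeforeTime != null && earliestStartStillAccepted.before(notBeforeTime)) {
            valid = false;
            log.error("Id Token not valid untill: " + notBeforeTime);
        }

        Date issueTime = jWTClaimsSet.getIssueTime();
        if (issueTime == null) {
            valid = false;
            log.error("Id Token does not have required issued-at claim");
        } else if (earliestStartStillAccepted.before(issueTime)) {
            valid = false;
            log.error("Id Token was issued in the future: " + issueTime);
        }

        List<String> audience = jWTClaimsSet.getAudience();
        if (audience == null) {
            valid = false;
            log.error("Id token audience is null");
        } else if (!audience.contains(clientId)) {
            valid = false;
            log.error("Audience does not match, expected " + clientId + " got " + audience);
        }

        String nonce = jWTClaimsSet.getStringClaim("nonce");
        if (nonce == null || "".equals(nonce)) {
            valid = false;
            log.error("ID token did not contain a nonce claim.");
        } else if (!nonce.equals(str)) {
            valid = false;
            log.error("Possible replay attack detected! The comparison of the nonce in the returned ID Token to the session NONCE failed. Expected " + str + " got " + nonce + ".");
        }
        return valid;
    }

    /**
     * Fetches the UserInfo document for the given access token.
     *
     * @param serverConfiguration provides the UserInfo URI
     * @param authenticationToken provides the access token sent as a Bearer Authorization header
     * @return the raw response body, decoded as UTF-8
     * @throws IOException if the request fails or the endpoint does not answer with HTTP 200
     */
    public static String getUserInfo(ServerConfiguration serverConfiguration, AuthenticationToken authenticationToken) throws IOException {
        HttpGet httpGet = new HttpGet(serverConfiguration.getUserInfoUri());
        httpGet.setHeader("Authorization", String.format("Bearer %s", authenticationToken.getAccessTokenValue()));
        return fetch(httpGet);
    }

    /**
     * Executes a GET request and returns the response body decoded as UTF-8, releasing the
     * client's connections afterwards.
     *
     * @param request the prepared request
     * @return the full response body
     * @throws IOException if the request fails, the status is not 200, or the response has no body
     */
    private static String fetch(HttpGet request) throws IOException {
        DefaultHttpClient httpClient = new DefaultHttpClient();
        try {
            HttpResponse response = httpClient.execute(request);
            int status = response.getStatusLine().getStatusCode();
            if (status != HTTP_OK) {
                // An error page must not be mistaken for a JWK set or a UserInfo document.
                throw new IOException("Unexpected HTTP status " + status + " from " + request.getURI());
            }
            HttpEntity entity = response.getEntity();
            if (entity == null) {
                throw new IOException("Empty response body from " + request.getURI());
            }
            return readBody(entity.getContent());
        } finally {
            httpClient.getConnectionManager().shutdown();
        }
    }

    /**
     * Reads a stream to its end as UTF-8 text and closes it.
     *
     * @param in the stream to drain; closed before returning
     * @return the decoded content
     * @throws IOException if reading fails
     */
    private static String readBody(InputStream in) throws IOException {
        // Both endpoints return JSON, which is UTF-8; never depend on the platform default charset.
        InputStreamReader reader = new InputStreamReader(in, "UTF-8");
        try {
            StringBuilder body = new StringBuilder();
            char[] buffer = new char[4096];
            int read;
            while ((read = reader.read(buffer)) != -1) {
                body.append(buffer, 0, read);
            }
            return body.toString();
        } finally {
            reader.close();
        }
    }
}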
