package org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.ReadOnlyJWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.cache.JWTCache;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.cache.JWTCacheEntry;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.internal.JWTServiceComponent;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.storage.JWTEntry;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.storage.JWTStorageManager;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/validator/JWTValidator.class */
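public class JWTValidator {
    private static final Log log = LogFactory.getLog(JWTValidator.class);
    public static final String FULLSTOP_DELIMITER = ".";
    public static final String DASH_DELIMITER = "-";
    public static final String KEYSTORE_FILE_EXTENSION = ".jks";
    /** Prefix of the JWS algorithm names this validator accepts (RS256/RS384/RS512). */
    public static final String RS = "RS";
    /**
     * Tenant id that is served from the primary key store rather than a per-tenant
     * one. The literal is what the original bytecode compared against; it is expected
     * to equal the platform's super-tenant id constant (confirm against the carbon
     * MultitenantConstants of the target build).
     */
    private static final int SUPER_TENANT_ID = -1234;
    private static final long MILLIS_PER_MINUTE = 60000L;

    /** Maximum accepted age of an assertion (based on {@code iat}); {@code <= 0} disables the check. */
    private int notAcceptBeforeTimeInMins;
    /** Whether the in-memory JTI cache is consulted before the database. */
    private boolean enableJTICache;
    /** When true a JTI may never be presented twice; when false reuse is allowed after the stored expiry. */
    private boolean preventTokenReuse;
    /** Configured audience override; when empty the tenant's token endpoint URL is used. */
    private String validAudience;
    /** Configured issuer override; when empty the issuer must equal the app's consumer key. */
    private String validIssuer;
    private JWTStorageManager jwtStorageManager = new JWTStorageManager();
    private JWTCache jwtCache = JWTCache.getInstance();

    /**
     * Creates a validator with the given replay and audience/issuer settings.
     *
     * @param notAcceptBeforeTimeInMins maximum accepted assertion age in minutes, {@code <= 0} to disable
     * @param preventTokenReuse         reject any JTI that has been seen before
     * @param enableJTICache            consult the JTI cache in addition to the database
     * @param validAudience             expected audience, or empty to derive it from the tenant
     * @param validIssuer               expected issuer, or empty to require the app's consumer key
     */
    public JWTValidator(int notAcceptBeforeTimeInMins, boolean preventTokenReuse, boolean enableJTICache,
                        String validAudience, String validIssuer) {
        this.notAcceptBeforeTimeInMins = notAcceptBeforeTimeInMins;
        this.preventTokenReuse = preventTokenReuse;
        this.enableJTICache = enableJTICache;
        this.validAudience = validAudience;
        this.validIssuer = validIssuer;
    }

    /**
     * Validates a client-assertion JWT (urn:ietf:params:oauth:client-assertion-type:jwt-bearer).
     *
     * <p>Order of checks: mandatory claims, issuer, application lookup, signature, audience,
     * exp/nbf/iat, custom claims and finally the JTI replay check. The signature is verified
     * before any JTI bookkeeping so that an unauthenticated caller cannot populate the replay
     * cache or the JTI table with identifiers from assertions it could not have signed.
     *
     * @param signedJWT the parsed assertion, may be {@code null}
     * @return {@code true} only when every check passes
     * @throws IdentityOAuth2Exception on claim parsing, key store or tenant lookup failures
     */
    public boolean isValidToken(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        if (signedJWT == null) {
            return logAndReturnFalse("No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        }
        ReadOnlyJWTClaimsSet claimSet = getClaimSet(signedJWT);
        if (claimSet == null) {
            return logAndReturnFalse("Claim values are empty in the given JSON Web Token.");
        }
        String issuer = claimSet.getIssuer();
        String subject = resolveSubject(claimSet);
        List<String> audience = claimSet.getAudience();
        Date expirationTime = claimSet.getExpirationTime();
        Date notBeforeTime = claimSet.getNotBeforeTime();
        Date issueTime = claimSet.getIssueTime();
        String jti = claimSet.getJWTID();
        long currentTimeMillis = System.currentTimeMillis();
        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;

        // jti is only mandatory when reuse must be prevented; iat/nbf are optional (RFC 7523).
        if (StringUtils.isEmpty(issuer) || StringUtils.isEmpty(subject) || expirationTime == null
                || audience == null || (this.preventTokenReuse && jti == null)) {
            return logAndReturnFalse("Mandatory fields(Issuer, Subject, Expiration time , JWT ID or Audience) are empty in the given JSON Web Token.");
        }
        if (StringUtils.isNotEmpty(this.validIssuer) && !this.validIssuer.equals(issuer)) {
            return logAndReturnFalse("Invalid Issuer:" + issuer + " in the given JSON Web Token.");
        }
        OAuthAppDO oAuthAppDO = getOAuthAppDO(subject);
        if (oAuthAppDO == null) {
            return logAndReturnFalse("Unable to find OAuth application with provided JWT information with subject:" + subject);
        }
        // Without a configured issuer the assertion must be self-issued by the client (iss == client_id).
        if (StringUtils.isEmpty(this.validIssuer) && !issuer.equals(oAuthAppDO.getOauthConsumerKey())) {
            return logAndReturnFalse("Invalid field Issuer:" + issuer + " in the given JSON Web Token.");
        }
        String tenantDomain = oAuthAppDO.getUser().getTenantDomain();
        if (!isValidSignature(signedJWT, tenantDomain, subject)) {
            return logAndReturnFalse("Signature or Message Authentication invalid for:" + subject);
        }
        if (!validateAudience(getValidAudience(tenantDomain), audience)
                || !validateExpirationTime(expirationTime, currentTimeMillis, timeStampSkewMillis)
                || !checkNotBeforeTime(notBeforeTime, currentTimeMillis, timeStampSkewMillis)
                || !validateAgeOfTheToken(issueTime, currentTimeMillis, timeStampSkewMillis)
                || !validateCustomClaims(claimSet.getCustomClaims())) {
            return false;
        }
        // iat is optional; the previous code dereferenced it unconditionally and threw NPE when absent.
        // NOTE(review): the receipt time is recorded in place of a missing iat — confirm the storage
        // layer does not rely on iat being the claim value.
        long issuedAtMillis = issueTime != null ? issueTime.getTime() : currentTimeMillis;
        // Last step on purpose: the JTI is persisted only for assertions that were otherwise accepted.
        return validateJTI(signedJWT, jti, currentTimeMillis, timeStampSkewMillis, expirationTime.getTime(), issuedAtMillis);
    }

    /**
     * Looks up the OAuth application whose client id equals the assertion subject.
     *
     * @return the application, or {@code null} when the client id is unknown (the error is logged)
     */
    private OAuthAppDO getOAuthAppDO(String clientId) throws IdentityOAuth2Exception {
        try {
            return OAuth2Util.getAppInformationByClientId(clientId);
        } catch (InvalidOAuthClientException e) {
            handleException("Error while retrieving OAuth application with provided JWT information with subject:" + clientId, e);
            return null;
        }
    }

    /**
     * Verifies the JWS signature against the certificate stored under {@code alias} in the
     * tenant's key store.
     *
     * @param signedJWT    the assertion to verify
     * @param tenantDomain tenant whose key store holds the client certificate
     * @param alias        certificate alias (the client id)
     * @return {@code false} when verification fails or throws a {@link JOSEException}
     * @throws IdentityOAuth2Exception when the key store or tenant cannot be resolved
     */
    public boolean isValidSignature(SignedJWT signedJWT, String tenantDomain, String alias) throws IdentityOAuth2Exception {
        try {
            return validateSignature(signedJWT, getCertificate(tenantDomain, alias));
        } catch (JOSEException e) {
            return handleException("Error when verifying signature with error:" + e.getMessage(), e);
        }
    }

    /**
     * Replay check for the {@code jti} claim against the cache (if enabled) and the database,
     * persisting the identifier when it is accepted.
     *
     * @param signedJWT         the assertion
     * @param jti               the JWT id, {@code null} means no replay protection for this token
     * @param currentTimeMillis receipt time
     * @param skewMillis        allowed clock skew
     * @param expMillis         the assertion's expiry, persisted with the id
     * @param iatMillis         the assertion's issue time, persisted with the id
     * @return {@code true} when the id is unseen or its reuse is permitted
     */
    public boolean validateJTI(SignedJWT signedJWT, String jti, long currentTimeMillis, long skewMillis,
                               long expMillis, long iatMillis) throws IdentityOAuth2Exception {
        if (jti == null) {
            return true;
        }
        if (this.enableJTICache) {
            JWTCacheEntry cached = (JWTCacheEntry) this.jwtCache.getValueFromCache(jti);
            if (!validateJTIInCache(jti, signedJWT, cached, currentTimeMillis, skewMillis, this.jwtCache)) {
                return false;
            }
        }
        if (!validateJwtInDataBase(jti, currentTimeMillis, skewMillis)) {
            return false;
        }
        persistJWTID(jti, expMillis, iatMillis);
        return true;
    }

    /**
     * Checks that {@code expectedAudience} occurs in the assertion's {@code aud} list.
     *
     * @param expectedAudience the audience the token endpoint accepts
     * @param audiences        the {@code aud} values of the assertion, must not be {@code null}
     */
    public boolean validateAudience(String expectedAudience, List<String> audiences) throws IdentityOAuth2Exception {
        for (String candidate : audiences) {
            if (StringUtils.equals(expectedAudience, candidate)) {
                return logAndReturnTrue(expectedAudience + " is found in the list of audiences.");
            }
        }
        return logAndReturnFalse("None of the audience values matched the tokenEndpoint Alias:" + expectedAudience);
    }

    /**
     * Resolves the audience the token endpoint expects: the configured override, else the
     * resident IdP's OAuth2 token endpoint URL, else the server's own {@code oauth2/token} URL.
     *
     * @param tenantDomain tenant whose resident IdP is consulted
     */
    public String getValidAudience(String tenantDomain) throws IdentityOAuth2Exception {
        if (StringUtils.isNotEmpty(this.validAudience)) {
            return this.validAudience;
        }
        String tokenEndpointUrl = null;
        try {
            // NOTE(review): if the resident IdP has no "openidconnect" authenticator or no
            // "OAuth2TokenEPUrl" property this chain throws NullPointerException rather than
            // falling back to the server URL — confirm against the IdP management API.
            tokenEndpointUrl = IdentityApplicationManagementUtil.getProperty(
                    IdentityApplicationManagementUtil.getFederatedAuthenticator(
                            IdentityProviderManager.getInstance().getResidentIdP(tenantDomain).getFederatedAuthenticatorConfigs(),
                            "openidconnect").getProperties(),
                    "OAuth2TokenEPUrl").getValue();
        } catch (IdentityProviderManagementException e) {
            handleException("Error while loading OAuth2TokenEPUrl of the resident IDP of tenant:" + tenantDomain, e);
        }
        if (StringUtils.isEmpty(tokenEndpointUrl)) {
            tokenEndpointUrl = IdentityUtil.getServerURL("oauth2/token", true, false);
        }
        return tokenEndpointUrl;
    }

    /** Logs the failure with its cause and yields {@code false}; it never throws despite its signature. */
    private boolean handleException(String message, Exception cause) throws IdentityOAuth2Exception {
        log.error(message, cause);
        return false;
    }

    /** Debug-logs the reason (if debug is enabled) and yields {@code false}. */
    private boolean logAndReturnFalse(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        return false;
    }

    /** Debug-logs the reason (if debug is enabled) and yields {@code true}. */
    private boolean logAndReturnTrue(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        return true;
    }

    /**
     * Extracts the claims set of the assertion.
     *
     * @throws IdentityOAuth2Exception when the payload cannot be parsed
     */
    public ReadOnlyJWTClaimsSet getClaimSet(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        try {
            return signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            log.error("Error when trying to retrieve claimsSet from the JWT.", e);
            throw new IdentityOAuth2Exception("Error when trying to retrieve claimsSet from the JWT.", e);
        }
    }

    /** Returns the {@code sub} claim; subclasses may override to derive the client id differently. */
    public String resolveSubject(ReadOnlyJWTClaimsSet claimsSet) {
        return claimsSet.getSubject();
    }

    /**
     * Loads the certificate stored under {@code alias} from the tenant's key store (the primary
     * key store for the super tenant).
     *
     * @param tenantDomain tenant whose key store is opened
     * @param alias        certificate alias
     * @return the certificate, or {@code null} when the alias is absent
     * @throws IdentityOAuth2Exception when the tenant id or key store cannot be resolved
     */
    public static X509Certificate getCertificate(String tenantDomain, String alias) throws IdentityOAuth2Exception {
        int tenantId;
        try {
            tenantId = JWTServiceComponent.getRealmService().getTenantManager().getTenantId(tenantDomain);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error getting the tenant ID for the tenant domain : " + tenantDomain, e);
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        try {
            if (tenantId == SUPER_TENANT_ID) {
                return (X509Certificate) keyStoreManager.getPrimaryKeyStore().getCertificate(alias);
            }
            return (X509Certificate) keyStoreManager.getKeyStore(generateKSNameFromDomainName(tenantDomain)).getCertificate(alias);
        } catch (KeyStoreException e) {
            String message = "Error instantiating an X509Certificate object for the certificate alias:" + alias + " in tenant:" + tenantDomain;
            log.error(message, e);
            throw new IdentityOAuth2Exception(message, e);
        } catch (Exception e) {
            // KeyStoreManager#getKeyStore declares a bare Exception.
            log.error("Unable to load key store manager for the tenant domain:" + tenantDomain, e2(e));
            throw new IdentityOAuth2Exception("Unable to load key store manager for the tenant domain:" + tenantDomain, e);
        }
    }

    /** Identity helper kept so the log call above reads the same as the original. */
    private static Exception e2(Exception e) {
        return e;
    }

    /**
     * Maps a tenant domain to its key store file name, e.g. {@code foo.com} → {@code foo-com.jks}.
     */
    public static String generateKSNameFromDomainName(String tenantDomain) {
        return tenantDomain.trim().replace(FULLSTOP_DELIMITER, DASH_DELIMITER) + KEYSTORE_FILE_EXTENSION;
    }

    /**
     * Verifies the JWS signature with the RSA public key of {@code certificate}.
     * Only {@code RS*} algorithms are accepted; anything else (including a missing
     * algorithm) is rejected without attempting verification.
     *
     * @return {@code true} when the signature verifies
     * @throws JOSEException when the verifier fails internally
     */
    public boolean validateSignature(SignedJWT signedJWT, X509Certificate certificate) throws JOSEException, IdentityOAuth2Exception {
        ReadOnlyJWSHeader header = signedJWT.getHeader();
        if (certificate == null) {
            return logAndReturnFalse("Unable to locate certificate for JWT " + header.toString());
        }
        String algorithm = header.getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithm)) {
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithm);
        }
        if (!algorithm.startsWith(RS)) {
            return logAndReturnFalse("Signature Algorithm not supported yet : " + algorithm);
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            return logAndReturnFalse("Public key is not an RSA public key.");
        }
        return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
    }

    /**
     * Rejects the assertion when {@code now + skew} is past {@code exp}. Note the skew is applied
     * conservatively here (the token is treated as expired slightly early).
     */
    public boolean validateExpirationTime(Date expirationTime, long currentTimeMillis, long skewMillis) throws IdentityOAuth2Exception {
        long expMillis = expirationTime.getTime();
        if (currentTimeMillis + skewMillis > expMillis) {
            return logAndReturnFalse("JSON Web Token is expired. Expiration Time(ms) : " + expMillis + ". JWT Rejected and validation terminated");
        }
        return logAndReturnTrue("Expiration Time(exp) of JWT was validated successfully.");
    }

    /** Accepts when {@code nbf} is absent or {@code now + skew >= nbf}. */
    public boolean checkNotBeforeTime(Date notBeforeTime, long currentTimeMillis, long skewMillis) throws IdentityOAuth2Exception {
        if (notBeforeTime == null) {
            return true;
        }
        if (currentTimeMillis + skewMillis >= notBeforeTime.getTime()) {
            return true;
        }
        return logAndReturnFalse("NotBeforeTime check is failed. Token is used before the intended time.");
    }

    /**
     * Rejects assertions issued more than {@code notAcceptBeforeTimeInMins} ago. Disabled when
     * {@code iat} is absent or the limit is not positive.
     */
    public boolean validateAgeOfTheToken(Date issueTime, long currentTimeMillis, long skewMillis) throws IdentityOAuth2Exception {
        if (issueTime == null || this.notAcceptBeforeTimeInMins <= 0) {
            return true;
        }
        long iatMillis = issueTime.getTime();
        long maxAgeMillis = MILLIS_PER_MINUTE * this.notAcceptBeforeTimeInMins;
        if ((currentTimeMillis + skewMillis) - iatMillis > maxAgeMillis) {
            return logAndReturnFalse(getTokenTooOldMessage(currentTimeMillis, skewMillis, iatMillis, maxAgeMillis));
        }
        return true;
    }

    private String getTokenTooOldMessage(long currentTimeMillis, long skewMillis, long iatMillis, long maxAgeMillis) {
        return "JSON Web Token is issued before the allowed time. Issued At Time(ms) : " + iatMillis
                + ", Reject before limit(ms) : " + maxAgeMillis + ", TimeStamp Skew : " + skewMillis
                + ", Current Time : " + currentTimeMillis + ". JWT Rejected and validation terminated";
    }

    /**
     * Cache-side replay check. An unseen id is cached; a seen id is rejected when reuse is
     * prevented, otherwise accepted only after the cached assertion's expiry (and re-cached).
     */
    private boolean validateJTIInCache(String jti, SignedJWT signedJWT, JWTCacheEntry cachedEntry,
                                       long currentTimeMillis, long skewMillis, JWTCache cache) throws IdentityOAuth2Exception {
        if (cachedEntry == null) {
            cache.addToCache(jti, new JWTCacheEntry(signedJWT));
            return logAndReturnTrue("JWT id: " + jti + " not found in the cache and the JWT has been validated successfully in cache.");
        }
        if (this.preventTokenReuse) {
            return logAndReturnFalse("JWT Token with jti: " + jti + "Has been replayed");
        }
        long cachedExpMillis;
        try {
            cachedExpMillis = cachedEntry.getJwt().getJWTClaimsSet().getExpirationTime().getTime();
        } catch (ParseException e) {
            return handleException("Unable to parse the cached jwt assertion : " + cachedEntry.getEncodedJWt(), e);
        }
        if (!checkJTIValidityPeriod(jti, cachedExpMillis, currentTimeMillis, skewMillis)) {
            return false;
        }
        cache.addToCache(jti, new JWTCacheEntry(signedJWT));
        return logAndReturnTrue("JWT id: " + jti + " not found in the cache and the JWT has been validated successfully in cache.");
    }

    /**
     * Permits reuse of a previously seen id only once the earlier assertion has expired
     * ({@code now + skew > storedExp}).
     */
    public boolean checkJTIValidityPeriod(String jti, long storedExpMillis, long currentTimeMillis, long skewMillis) throws IdentityOAuth2Exception {
        if (currentTimeMillis + skewMillis > storedExpMillis) {
            return logAndReturnTrue("JWT Token with jti: " + jti + "has been reused after the allowed expiry time:" + storedExpMillis);
        }
        return logAndReturnFalse("JWT Token with jti: " + jti + " Has been replayed before the allowed expiry time:" + storedExpMillis);
    }

    /** Extension hook for deployment-specific claims; accepts everything by default. */
    public boolean validateCustomClaims(Map<String, Object> customClaims) {
        return true;
    }

    /**
     * Database-side replay check, mirroring {@link #validateJTIInCache} but without inserting
     * (insertion happens in {@link #persistJWTID}). A storage failure is logged and rejects the token.
     */
    public boolean validateJwtInDataBase(String jti, long currentTimeMillis, long skewMillis) throws IdentityOAuth2Exception {
        try {
            JWTEntry stored = this.jwtStorageManager.getJwtFromDB(jti);
            if (stored == null) {
                return logAndReturnTrue("JWT id: " + jti + " not found in the Storage the JWT has been validated successfully.");
            }
            if (this.preventTokenReuse) {
                return logAndReturnFalse("JWT Token with jti: " + jti + " has been replayed");
            }
            return checkJTIValidityPeriod(jti, stored.getExp(), currentTimeMillis, skewMillis);
        } catch (IdentityOAuth2Exception e) {
            return handleException("Error while loading jwt with jti: " + jti + " from database", e);
        }
    }

    /** Records the accepted id with its exp/iat; a storage failure is logged but does not fail validation. */
    public void persistJWTID(String jti, long expMillis, long iatMillis) {
        try {
            this.jwtStorageManager.persistJWTIdInDB(jti, expMillis, iatMillis);
        } catch (IdentityOAuth2Exception e) {
            log.error("Error while persisting JWT reference with jti: " + jti, e);
        }
    }
}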
