package com.wso2.openbanking.accelerator.gateway.executor.jws;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.wso2.openbanking.accelerator.common.config.OpenBankingConfigParser;
import com.wso2.openbanking.accelerator.common.exception.OpenBankingException;
import com.wso2.openbanking.accelerator.common.identity.retriever.JWKRetriever;
import com.wso2.openbanking.accelerator.common.identity.retriever.sp.CommonServiceProviderRetriever;
import com.wso2.openbanking.accelerator.common.util.Generated;
import com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor;
import com.wso2.openbanking.accelerator.gateway.executor.exception.OpenBankingExecutorException;
import com.wso2.openbanking.accelerator.gateway.executor.model.OBAPIRequestContext;
import com.wso2.openbanking.accelerator.gateway.executor.model.OBAPIResponseContext;
import com.wso2.openbanking.accelerator.gateway.executor.model.OpenBankingExecutorError;
import com.wso2.openbanking.accelerator.gateway.util.GatewayConstants;
import com.wso2.openbanking.accelerator.gateway.util.GatewayUtils;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:com/wso2/openbanking/accelerator/gateway/executor/jws/JwsRequestSignatureHandlingExecutor.class */
public class JwsRequestSignatureHandlingExecutor implements OpenBankingGatewayExecutor {
    private static final Log log = LogFactory.getLog(JwsRequestSignatureHandlingExecutor.class);
    private static final String B64_CLAIM_KEY = "b64";
    private static final String XML_DECLARATION = "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>\n";
    private static final String DOT_SYMBOL = ".";
    private String xWso2ApiVersion = null;
    private String xWso2ApiType = null;
    private String signatureHeaderName = getSignatureHeaderName();

    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    @Generated(message = "Excluded from code coverage since it is covered by other methods")
    public void preProcessRequest(OBAPIRequestContext oBAPIRequestContext) {
    }

    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    @Generated(message = "Excluded from code coverage since it is covered by other methods")
    public void postProcessRequest(OBAPIRequestContext oBAPIRequestContext) {
        if (oBAPIRequestContext.isError()) {
            return;
        }
        String messageId = oBAPIRequestContext.getMsgInfo().getMessageId();
        log.info(String.format("Executing JwsSignatureHandlingExecutor postProcessRequest for request %s", messageId));
        if (StringUtils.isEmpty(getXWso2ApiVersion())) {
            setXWso2ApiVersion(oBAPIRequestContext.getApiRequestInfo().getVersion());
        }
        if (StringUtils.isEmpty(getXWso2ApiType())) {
            setXWso2ApiType(oBAPIRequestContext.getApiRequestInfo().getContext());
        }
        Map<String, String> headers = oBAPIRequestContext.getMsgInfo().getHeaders();
        if (preProcessValidation(oBAPIRequestContext, headers).booleanValue()) {
            Optional empty = Optional.empty();
            if (!headers.containsKey("Content-Type")) {
                empty = Optional.ofNullable(oBAPIRequestContext.getRequestPayload());
            } else if (headers.get("Content-Type").contains(GatewayConstants.TEXT_XML_CONTENT_TYPE) || headers.get("Content-Type").contains(GatewayConstants.APPLICATION_XML_CONTENT_TYPE)) {
                try {
                    empty = Optional.of(GatewayUtils.getXMLPayloadToSign(oBAPIRequestContext.getMsgInfo().getPayloadHandler().consumeAsString()));
                } catch (Exception e) {
                    GatewayUtils.handleRequestInternalServerError(oBAPIRequestContext, "Internal Server Error, Unable to process Payload", "500");
                }
            } else {
                empty = Optional.ofNullable(oBAPIRequestContext.getRequestPayload());
            }
            if (log.isDebugEnabled()) {
                log.debug(String.format("Request %s is Applicable for JWS Validation", messageId));
            }
            Optional ofNullable = Optional.ofNullable(oBAPIRequestContext.getApiRequestInfo().getConsumerKey());
            String str = headers.get(this.signatureHeaderName);
            Map<String, String> contextProps = oBAPIRequestContext.getContextProps();
            if (StringUtils.isEmpty(str)) {
                log.error("Error occurred in JWS Executor");
                handleJwsSignatureErrors(oBAPIRequestContext, "Empty JWS Signature", "200010");
                return;
            }
            contextProps.put(this.signatureHeaderName, str);
            oBAPIRequestContext.setContextProps(contextProps);
            if (ofNullable.isPresent()) {
                if (!empty.isPresent() || ((String) empty.get()).matches("\"\"")) {
                    if ("POST".equals(oBAPIRequestContext.getMsgInfo().getMessageId()) || "PUT".equals(oBAPIRequestContext.getMsgInfo().getMessageId())) {
                        handleJwsSignatureErrors(oBAPIRequestContext, "Request payload cannot be empty", "200013");
                        return;
                    }
                    return;
                }
                if (log.isDebugEnabled()) {
                    log.debug(String.format("Built ClientID %s for request", ofNullable.get()));
                    log.debug("Payload extracted from request");
                }
                try {
                    if (validateMessageSignature((String) ofNullable.get(), str, oBAPIRequestContext, (String) empty.get())) {
                        return;
                    }
                    log.error("Signature validation failed for the client ID " + ((String) ofNullable.get()));
                    handleJwsSignatureErrors(oBAPIRequestContext, "Invalid JWS Signature", "200010");
                } catch (OpenBankingException | OpenBankingExecutorException e2) {
                    log.error("Unable to validate message signature for the client ID " + ((String) ofNullable.get()), e2);
                    handleJwsSignatureErrors(oBAPIRequestContext, e2.getMessage(), "200010");
                }
            }
        }
    }

    @Generated(message = "Removed from unit test coverage since Common module is required")
    public Boolean preProcessValidation(OBAPIRequestContext oBAPIRequestContext, Map<String, String> map) {
        return Boolean.valueOf((oBAPIRequestContext.isError() || !OpenBankingConfigParser.getInstance().isJwsSignatureValidationEnabled() || "GET".equals(oBAPIRequestContext.getMsgInfo().getHttpMethod()) || "DELETE".equals(oBAPIRequestContext.getMsgInfo().getHttpMethod())) ? false : true);
    }

    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    @Generated(message = "Excluded from code coverage since it is covered by other methods")
    public void preProcessResponse(OBAPIResponseContext oBAPIResponseContext) {
    }

    @Override // com.wso2.openbanking.accelerator.gateway.executor.core.OpenBankingGatewayExecutor
    @Generated(message = "Excluded from code coverage since it is covered by other methods")
    public void postProcessResponse(OBAPIResponseContext oBAPIResponseContext) {
    }

    public boolean validateClaims(OBAPIRequestContext oBAPIRequestContext, JWSHeader jWSHeader, String str, String str2) {
        if (OpenBankingConfigParser.getInstance().getJwsRequestSigningAlgorithms().contains(jWSHeader.getAlgorithm().getName())) {
            return true;
        }
        log.error("The " + jWSHeader.getAlgorithm().getName() + " algorithm is not supported by the Solution");
        handleJwsSignatureErrors(oBAPIRequestContext, "The " + jWSHeader.getAlgorithm().getName() + " algorithm is not supported by the Solution", "200010");
        return true;
    }

    @Generated(message = "Excluded from code coverage since method includes accessing jwks_uri")
    private boolean validateMessageSignature(String str, String str2, OBAPIRequestContext oBAPIRequestContext, String str3) throws OpenBankingExecutorException, OpenBankingException {
        RSASSAVerifier eCDSAVerifier;
        boolean verify;
        try {
            RSAKey rSAKey = null;
            ECKey eCKey = null;
            try {
                JWSObject parse = JWSObject.parse(reconstructJws(str2, str3));
                try {
                    String appPropertyFromSPMetaData = new CommonServiceProviderRetriever().getAppPropertyFromSPMetaData(str, "software_id");
                    try {
                        String jwksUrl = getJwksUrl(str);
                        try {
                            JWK retrievePublicKey = retrievePublicKey(getJwkSet(jwksUrl, appPropertyFromSPMetaData), parse);
                            if (retrievePublicKey == null) {
                                log.error("Public key of the signing certificate not found in JWK set");
                                throw new OpenBankingExecutorException("Public key of the signing certificate not found in JWK set");
                            }
                            X509Certificate x509Certificate = (X509Certificate) retrievePublicKey.getParsedX509CertChain().get(0);
                            if (retrievePublicKey.getKeyType().getValue().equals("RSA")) {
                                rSAKey = RSAKey.parse(x509Certificate);
                            } else {
                                if (!retrievePublicKey.getKeyType().getValue().equals("EC")) {
                                    String format = String.format("The kty %s of the Key is not supported", retrievePublicKey.getKeyType().getValue());
                                    log.error(format);
                                    throw new OpenBankingExecutorException(format);
                                }
                                eCKey = ECKey.parse(x509Certificate);
                            }
                            boolean validateClaims = validateClaims(oBAPIRequestContext, parse.getHeader(), appPropertyFromSPMetaData, jwksUrl);
                            try {
                                JWSAlgorithm parse2 = JWSAlgorithm.parse(parse.getHeader().getAlgorithm().getName());
                                HashSet hashSet = new HashSet(Arrays.asList(differedCriticalClaims()));
                                if (JWSAlgorithm.Family.RSA.contains(parse2)) {
                                    eCDSAVerifier = new RSASSAVerifier(rSAKey != null ? rSAKey.toRSAPublicKey() : null, hashSet);
                                } else {
                                    if (!JWSAlgorithm.Family.EC.contains(parse2)) {
                                        String str4 = "The " + parse.getHeader().getAlgorithm().getName() + " algorithm is not supported by the Solution";
                                        log.error(str4);
                                        throw new OpenBankingExecutorException(str4);
                                    }
                                    eCDSAVerifier = new ECDSAVerifier(eCKey != null ? eCKey.toECPublicKey() : null, hashSet);
                                }
                                if (!validateClaims) {
                                    return false;
                                }
                                try {
                                    if (isB64HeaderVerifiable(parse)) {
                                        verify = parse.verify(eCDSAVerifier);
                                    } else {
                                        String[] split = StringUtils.split(str2, DOT_SYMBOL);
                                        JWSHeader parse3 = JWSHeader.parse(new Base64URL(split[0]));
                                        verify = eCDSAVerifier.verify(parse3, getSigningInput(parse3, str3), new Base64URL(split[1]));
                                    }
                                    return verify;
                                } catch (JOSEException e) {
                                    log.error("Unable to verify JWS signature", e);
                                    throw new OpenBankingExecutorException("Unable to verify JWS signature", e);
                                } catch (ParseException e2) {
                                    log.error("Error occurred while parsing the JWS Header", e2);
                                    throw new OpenBankingExecutorException("Error occurred while parsing the JWS Header", e2);
                                }
                            } catch (JOSEException e3) {
                                log.error("Invalid Signing Algorithm", e3);
                                throw new OpenBankingExecutorException("Invalid JWS Signature,signed with invalid algorithm", e3);
                            }
                        } catch (JOSEException e4) {
                            log.error("Certificate not valid", e4);
                            throw new OpenBankingExecutorException("Certificate not valid", e4);
                        }
                    } catch (OpenBankingException e5) {
                        log.error("Unable to validate JWS Signature retrieving public key", e5);
                        throw new OpenBankingExecutorException("Unable to validate JWS Signature retrieving public key", e5);
                    }
                } catch (OpenBankingException e6) {
                    log.error("Error while retrieving the app name", e6);
                    throw new OpenBankingExecutorException("Error while retrieving the app name", e6);
                }
            } catch (ParseException e7) {
                log.error("Unable to parse JWS signature", e7);
                throw new OpenBankingExecutorException("Unable to parse JWS signature", e7);
            }
        } catch (OpenBankingExecutorException e8) {
            log.error("Unable to reconstruct JWS", e8);
            throw new OpenBankingExecutorException("Malformed JWS Signature", e8);
        }
    }

    private String reconstructJws(String str, String str2) throws OpenBankingExecutorException {
        if (StringUtils.isEmpty(str2)) {
            throw new OpenBankingExecutorException("Payload is required for JWS reconstruction");
        }
        String[] split = str.split("\\.");
        if (log.isDebugEnabled()) {
            log.debug(String.format("Found %d parts in JWS for reconstruction", Integer.valueOf(split.length)));
        }
        if (split.length == 3) {
            split[1] = Base64URL.encode(str2).toString();
            return String.join(DOT_SYMBOL, split);
        }
        if (split.length == 5) {
            throw new OpenBankingExecutorException("Not supported for signed and encrypted JWTs.");
        }
        throw new OpenBankingExecutorException("Required number of parts not found in JWS for reconstruction");
    }

    private boolean isB64HeaderVerifiable(JWSObject jWSObject) {
        Object customParam = jWSObject.getHeader().getCustomParam(B64_CLAIM_KEY);
        if (customParam != null) {
            return ((Boolean) customParam).booleanValue();
        }
        return true;
    }

    private byte[] getSigningInput(JWSHeader jWSHeader, String str) {
        return (jWSHeader.toBase64URL().toString() + DOT_SYMBOL + str).getBytes(StandardCharsets.UTF_8);
    }

    public void handleJwsSignatureErrors(OBAPIRequestContext oBAPIRequestContext, String str, String str2) {
        setErrorsToRequestContext(oBAPIRequestContext, new OpenBankingExecutorError(str2, "Error occurred while validating JWS Signature", str, "400"));
    }

    public void setErrorsToRequestContext(OBAPIRequestContext oBAPIRequestContext, OpenBankingExecutorError openBankingExecutorError) {
        ArrayList<OpenBankingExecutorError> errors = oBAPIRequestContext.getErrors();
        errors.add(openBankingExecutorError);
        oBAPIRequestContext.setError(true);
        oBAPIRequestContext.setErrors(errors);
    }

    @Generated(message = "Excluded from code coverage since method includes service call")
    private String getJwksUrl(String str) throws OpenBankingException {
        try {
            String appPropertyFromSPMetaData = new CommonServiceProviderRetriever().getAppPropertyFromSPMetaData(str, "jwksURI");
            if (appPropertyFromSPMetaData == null) {
                throw new OpenBankingException("The JWK set URL must not be null");
            }
            return appPropertyFromSPMetaData;
        } catch (OpenBankingException e) {
            log.error("JWKS URL is not found", e);
            throw new OpenBankingException("The JWKS_URI is not found for client ID " + str, e);
        }
    }

    @Generated(message = "Excluded from code coverage since method includes accessing jwks_uri")
    private JWKSet getJwkSet(String str, String str2) throws OpenBankingException {
        try {
            return new JWKRetriever().getJWKSet(new URL(str), str2);
        } catch (MalformedURLException e) {
            log.error("Provided JWKS URL is malformed", e);
            throw new OpenBankingException("The provided JWKS_URI is malformed", e);
        }
    }

    @Generated(message = "Excluded from code coverage since method includes accessing JWKSet")
    private JWK retrievePublicKey(JWKSet jWKSet, JWSObject jWSObject) {
        JWK jwk = null;
        List select = new JWKSelector(new JWKMatcher.Builder().keyID(jWSObject.getHeader().getKeyID()).keyUse(KeyUse.SIGNATURE).keyOperation(KeyOperation.VERIFY).build()).select(jWKSet);
        if (select.isEmpty()) {
            select = new JWKSelector(new JWKMatcher.Builder().keyID(jWSObject.getHeader().getKeyID()).keyUse(KeyUse.SIGNATURE).build()).select(jWKSet);
            if (select.isEmpty()) {
                select = new JWKSelector(new JWKMatcher.Builder().keyID(jWSObject.getHeader().getKeyID()).build()).select(jWKSet);
            }
        }
        if (select.isEmpty()) {
            log.error("No matching KID found to retrieve public key in JWK set");
        } else {
            jwk = (JWK) select.get(0);
        }
        return jwk;
    }

    public String[] differedCriticalClaims() {
        return new String[0];
    }

    public void setXWso2ApiVersion(String str) {
        this.xWso2ApiVersion = str;
    }

    public String getXWso2ApiVersion() {
        return this.xWso2ApiVersion;
    }

    public String getXWso2ApiType() {
        return this.xWso2ApiType;
    }

    public void setXWso2ApiType(String str) {
        this.xWso2ApiType = str;
    }

    public String getSignatureHeaderName() {
        return "x-jws-signature";
    }
}
