package org.keycloak;

import java.security.PublicKey;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/RSATokenVerifier.class */
public class RSATokenVerifier {

    /**
     * Verifies an RSA-signed access token with both the "active" and the
     * "Bearer type" checks enabled.
     *
     * @param str       the compact-serialised JWS token string
     * @param publicKey the realm public key used to check the signature
     * @param str2      the expected issuer (realm URL) from the adapter configuration
     * @return the parsed and verified token
     * @throws VerificationException if the signature, issuer, subject, type or
     *                               activity check fails
     */
    public static AccessToken verifyToken(String str, PublicKey publicKey, String str2) throws VerificationException {
        final boolean checkActive = true;
        final boolean checkTokenType = true;
        return verifyToken(str, publicKey, str2, checkActive, checkTokenType);
    }

    /**
     * Verifies an RSA-signed access token.
     *
     * <p>The signature is checked first (see {@link #toAccessToken}); only then
     * are the claims inspected, in this order: subject present, configured
     * realm URL present, issuer equals that URL, optional "Bearer" type check,
     * optional activity check. The first failing check wins, so the exception
     * message identifies the earliest problem found.
     *
     * @param str       the compact-serialised JWS token string
     * @param publicKey the realm public key used to check the signature
     * @param str2      the expected issuer (realm URL); {@code null} is rejected
     * @param z         when {@code true}, reject tokens for which
     *                  {@link AccessToken#isActive()} is {@code false}
     * @param z2        when {@code true}, require the {@code typ} claim to equal
     *                  {@link TokenUtil#TOKEN_TYPE_BEARER} (case-insensitive)
     * @return the parsed and verified token
     * @throws VerificationException if any check fails
     */
    public static AccessToken verifyToken(String str, PublicKey publicKey, String str2, boolean z, boolean z2) throws VerificationException {
        // Signature verification happens inside toAccessToken, before any claim is read.
        AccessToken token = toAccessToken(str, publicKey);

        if (token.getSubject() == null) {
            throw new VerificationException("Token user was null.");
        }
        if (str2 == null) {
            throw new VerificationException("Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!");
        }

        // Exact string comparison: the issuer must match the configured URL byte for byte.
        String issuer = token.getIssuer();
        if (!str2.equals(issuer)) {
            throw new VerificationException("Token audience doesn't match domain. Token issuer is " + issuer + ", but URL from configuration is " + str2);
        }

        if (z2) {
            String type = token.getType();
            boolean isBearer = type != null && type.equalsIgnoreCase(TokenUtil.TOKEN_TYPE_BEARER);
            if (!isBearer) {
                throw new VerificationException("Token type is incorrect. Expected 'Bearer' but was '" + type + "'");
            }
        }

        if (z && !token.isActive()) {
            throw new VerificationException("Token is not active.");
        }
        return token;
    }

    /**
     * Parses a JWS string and returns its payload as an {@link AccessToken}, but
     * only after the signature has been verified against {@code publicKey}.
     *
     * <p>Ordering matters for security: the payload is not deserialised into an
     * {@code AccessToken} until {@link #isPublicKeyValid} has returned
     * {@code true}, so unsigned or tampered content never reaches the JSON mapper.
     *
     * @param str       the compact-serialised JWS token string
     * @param publicKey the key the signature must verify under
     * @return the deserialised payload
     * @throws VerificationException if the token cannot be parsed, its signature
     *                               is invalid, or the payload cannot be read
     */
    public static AccessToken toAccessToken(String str, PublicKey publicKey) throws VerificationException {
        JWSInput input;
        try {
            input = new JWSInput(str);
        } catch (JWSInputException e) {
            throw new VerificationException("Couldn't parse token", e);
        }

        if (!isPublicKeyValid(input, publicKey)) {
            throw new VerificationException("Invalid token signature.");
        }

        try {
            return (AccessToken) input.readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            throw new VerificationException("Couldn't parse token signature", e);
        }
    }

    /**
     * Checks the JWS signature with {@link RSAProvider#verify}.
     *
     * <p>Any failure raised by the provider is wrapped into a
     * {@link VerificationException} so callers only have to handle one type.
     * NOTE(review): whether the provider also pins the JOSE {@code alg} header to
     * an RSA algorithm is decided inside {@code RSAProvider}, not here — confirm there.
     *
     * @param jWSInput  the parsed token
     * @param publicKey the key to verify against
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws VerificationException if the provider throws while verifying
     */
    private static boolean isPublicKeyValid(JWSInput jWSInput, PublicKey publicKey) throws VerificationException {
        boolean verified;
        try {
            verified = RSAProvider.verify(jWSInput, publicKey);
        } catch (Exception e) {
            throw new VerificationException("Token signature not validated.", e);
        }
        return verified;
    }
}
