package org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnException;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.Constants;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.cache.JWTCache;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.cache.JWTCacheEntry;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.dao.JWTEntry;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.dao.JWTStorageManager;
import org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.internal.JWTServiceComponent;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.jwt.JWKSBasedJWTValidator;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/validator/JWTValidator.class */
public class JWTValidator {
    private static final Log log = LogFactory.getLog(JWTValidator.class);
    public static final String FULLSTOP_DELIMITER = ".";
    public static final String DASH_DELIMITER = "-";
    public static final String KEYSTORE_FILE_EXTENSION = ".jks";
    public static final String RS = "RS";
    public static final String PS = "PS";
    private static final String IDP_ENTITY_ID = "IdPEntityId";
    private static final String PROP_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
    private boolean preventTokenReuse;
    private List<String> validAudiences;
    private String validIssuer;
    private int rejectBeforeInMinutes;
    List<String> mandatoryClaims;
    private JWTCache jwtCache;
    private boolean enableJTICache;
    private JWTStorageManager jwtStorageManager;

    @Deprecated
    public JWTValidator(boolean z, String str, int i, String str2, List<String> list, boolean z2) {
        this.preventTokenReuse = z;
        this.validAudiences = StringUtils.isNotEmpty(str) ? Collections.singletonList(str) : null;
        this.validIssuer = str2;
        this.jwtStorageManager = new JWTStorageManager();
        this.mandatoryClaims = list;
        this.rejectBeforeInMinutes = i;
        this.enableJTICache = z2;
        this.jwtCache = JWTCache.getInstance();
    }

    public JWTValidator(boolean z, List<String> list, int i, String str, List<String> list2, boolean z2) {
        this.preventTokenReuse = z;
        this.validAudiences = list;
        this.validIssuer = str;
        this.jwtStorageManager = new JWTStorageManager();
        this.mandatoryClaims = list2;
        this.rejectBeforeInMinutes = i;
        this.enableJTICache = z2;
        this.jwtCache = JWTCache.getInstance();
    }

    @Deprecated
    public boolean isValidAssertion(SignedJWT signedJWT) throws OAuthClientAuthnException {
        return isValidAssertion(signedJWT, false);
    }

    public boolean isValidAssertion(SignedJWT signedJWT, boolean z) throws OAuthClientAuthnException {
        if (signedJWT == null) {
            return logAndThrowException("No valid JWT assertion found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        }
        try {
            JWTClaimsSet claimSet = getClaimSet(signedJWT);
            if (claimSet == null) {
                throw new OAuthClientAuthnException("Claim set is missing in the JWT assertion", "invalid_request");
            }
            String issuer = claimSet.getIssuer();
            String resolveSubject = resolveSubject(claimSet);
            List<String> audience = claimSet.getAudience();
            Date expirationTime = claimSet.getExpirationTime();
            String jwtid = claimSet.getJWTID();
            Date notBeforeTime = claimSet.getNotBeforeTime();
            Date issueTime = claimSet.getIssueTime();
            long currentTimeMillis = System.currentTimeMillis();
            long timeStampSkewInSeconds = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
            OAuthAppDO oAuthAppDO = getOAuthAppDO(resolveSubject);
            String oauthConsumerKey = oAuthAppDO.getOauthConsumerKey();
            String tenantDomain = oAuthAppDO.getUser().getTenantDomain();
            if (!validateMandatoryFeilds(this.mandatoryClaims, claimSet) || !validateIssuer(issuer, oauthConsumerKey) || !validateSubject(resolveSubject, oauthConsumerKey)) {
                return false;
            }
            List<String> validAudience = getValidAudience(tenantDomain, z);
            long j = 0;
            long j2 = 0;
            if (expirationTime != null) {
                j = expirationTime.getTime();
            }
            if (issueTime != null) {
                j2 = issueTime.getTime();
            }
            return validateJTI(signedJWT, jwtid, currentTimeMillis, timeStampSkewInSeconds, j, j2) && validateAudience(validAudience, audience) && validateJWTWithExpTime(expirationTime, currentTimeMillis, timeStampSkewInSeconds) && validateNotBeforeClaim(currentTimeMillis, timeStampSkewInSeconds, notBeforeTime) && validateAgeOfTheToken(issueTime, currentTimeMillis, timeStampSkewInSeconds) && isValidSignature(oauthConsumerKey, signedJWT, tenantDomain, resolveSubject);
        } catch (IdentityOAuth2Exception e) {
            return logAndThrowException(e.getMessage());
        }
    }

    private boolean validateMandatoryFeilds(List<String> list, JWTClaimsSet jWTClaimsSet) throws OAuthClientAuthnException {
        for (String str : list) {
            if (jWTClaimsSet.getClaim(str) == null) {
                return logAndThrowException("Mandatory field :" + str + " is missing in the JWT assertion.");
            }
        }
        return true;
    }

    public boolean validateSubject(String str, String str2) throws OAuthClientAuthnException {
        String format = String.format("Invalid Subject '%s' is found in the JWT. It should be equal to the '%s'", str, str2);
        if (str.trim().equals(str2)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug(format);
        }
        throw new OAuthClientAuthnException("Invalid Subject: " + str + " is found in the JWT", "invalid_request");
    }

    private boolean validateIssuer(String str, String str2) throws OAuthClientAuthnException {
        String format = String.format("Invalid issuer '%s' is found in the JWT. It should be equal to the '%s'", str, str2);
        String format2 = String.format("Invalid issuer '%s' is found in the JWT. ", str);
        if (StringUtils.isEmpty(this.validIssuer)) {
            if (str.trim().equals(str2)) {
                return true;
            }
            if (log.isDebugEnabled()) {
                log.debug(format);
            }
            throw new OAuthClientAuthnException(format2, "invalid_request");
        }
        if (this.validIssuer.equals(str)) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug(format);
        }
        throw new OAuthClientAuthnException(format2, "invalid_request");
    }

    private boolean validateAudience(List<String> list, List<String> list2) throws OAuthClientAuthnException {
        Iterator<String> it = list2.iterator();
        while (it.hasNext()) {
            if (list.contains(it.next())) {
                return true;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("None of the audience values matched the expected audience values");
        }
        throw new OAuthClientAuthnException("Failed to match audience values.", "invalid_request");
    }

    private boolean validateJTI(SignedJWT signedJWT, String str, long j, long j2, long j3, long j4) throws OAuthClientAuthnException {
        if ((this.enableJTICache && !validateJTIInCache(str, signedJWT, (JWTCacheEntry) this.jwtCache.getValueFromCache(str), j, j2, this.jwtCache)) || !validateJWTInDataBase(str, j, j2)) {
            return false;
        }
        persistJWTID(str, j3, j4);
        return true;
    }

    private boolean validateJWTInDataBase(String str, long j, long j2) throws OAuthClientAuthnException {
        JWTEntry jwtFromDB = this.jwtStorageManager.getJwtFromDB(str);
        if (jwtFromDB == null) {
            if (!log.isDebugEnabled()) {
                return true;
            }
            log.debug("JWT id: " + str + " not found in the Storage the JWT has been validated successfully.");
            return true;
        }
        if (!this.preventTokenReuse) {
            return checkJTIValidityPeriod(str, jwtFromDB.getExp(), j, j2);
        }
        if (this.jwtStorageManager.isJTIExistsInDB(str)) {
            return logAndThrowException("JWT Token with JTI: " + str + " has been replayed");
        }
        return true;
    }

    private boolean checkJTIValidityPeriod(String str, long j, long j2, long j3) throws OAuthClientAuthnException {
        if (j2 + j3 <= j) {
            return logAndThrowException("JWT Token with jti: " + str + " has been replayed before the allowed expiry time: " + j);
        }
        if (!log.isDebugEnabled()) {
            return true;
        }
        log.debug("JWT Token with jti: " + str + "has been reused after the allowed expiry time: " + j);
        return true;
    }

    private void persistJWTID(String str, long j, long j2) throws OAuthClientAuthnException {
        this.jwtStorageManager.persistJWTIdInDB(str, j, j2);
    }

    private OAuthAppDO getOAuthAppDO(String str) throws OAuthClientAuthnException {
        OAuthAppDO oAuthAppDO = null;
        String format = String.format("Error while retrieving OAuth application with provided JWT information with subject '%s' ", str);
        try {
            oAuthAppDO = OAuth2Util.getAppInformationByClientId(str);
            if (oAuthAppDO == null) {
                logAndThrowException(format);
            }
        } catch (InvalidOAuthClientException e) {
            logAndThrowException(format);
        } catch (IdentityOAuth2Exception e2) {
            logAndThrowException(format);
        }
        return oAuthAppDO;
    }

    private boolean logAndThrowException(String str) throws OAuthClientAuthnException {
        if (log.isDebugEnabled()) {
            log.debug(str);
        }
        throw new OAuthClientAuthnException(str, "invalid_request");
    }

    private boolean validateJWTWithExpTime(Date date, long j, long j2) throws OAuthClientAuthnException {
        if (j + j2 <= date.getTime()) {
            return true;
        }
        String str = "JWT Token is expired. Expired Time: " + date;
        if (log.isDebugEnabled()) {
            log.debug(str);
        }
        throw new OAuthClientAuthnException(str, "invalid_request");
    }

    private boolean validateNotBeforeClaim(long j, long j2, Date date) throws OAuthClientAuthnException {
        if (date == null || (j + j2) - date.getTime() > 0) {
            return true;
        }
        if (log.isDebugEnabled()) {
            log.debug("The token is used bfore the nbf claim value.");
        }
        throw new OAuthClientAuthnException("The token is used bfore the nbf claim value.", "invalid_request");
    }

    private boolean isValidSignature(String str, SignedJWT signedJWT, String str2, String str3) throws OAuthClientAuthnException {
        X509Certificate x509Certificate = null;
        String str4 = Constants.DEFAULT_AUDIENCE;
        boolean z = false;
        try {
            x509Certificate = (X509Certificate) OAuth2Util.getX509CertOfOAuthApp(str, str2);
        } catch (IdentityOAuth2Exception e) {
            if (log.isDebugEnabled()) {
                log.debug("Unable to retrieve the certificate for the service provider", e);
            }
        }
        if (x509Certificate == null) {
            try {
                ServiceProviderProperty[] spProperties = OAuth2Util.getServiceProvider(str).getSpProperties();
                int length = spProperties.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    ServiceProviderProperty serviceProviderProperty = spProperties[i];
                    if (Constants.JWKS_URI.equals(serviceProviderProperty.getName())) {
                        str4 = serviceProviderProperty.getValue();
                        break;
                    }
                    i++;
                }
                if (StringUtils.isNotBlank(str4)) {
                    if (log.isDebugEnabled()) {
                        log.debug("Found jwks end point for service provider " + str4);
                    }
                    z = new JWKSBasedJWTValidator().validateSignature(signedJWT.getParsedString(), str4, signedJWT.getHeader().getAlgorithm().getName(), new HashMap());
                }
            } catch (IdentityOAuth2Exception e2) {
                log.error("Error occurred while validating signature using jwks ", e2);
                return false;
            }
        }
        if (StringUtils.isBlank(str4) && x509Certificate == null) {
            x509Certificate = getCertificate(str2, str3);
        }
        if (StringUtils.isBlank(str4) && x509Certificate != null) {
            try {
                z = validateSignature(signedJWT, x509Certificate);
            } catch (JOSEException e3) {
                throw new OAuthClientAuthnException("Error while validating the signature", "invalid_request", e3);
            }
        }
        return z;
    }

    private List<String> getValidAudience(String str, boolean z) throws OAuthClientAuthnException {
        if (this.validAudiences != null && !this.validAudiences.isEmpty()) {
            return this.validAudiences;
        }
        ArrayList arrayList = new ArrayList();
        try {
            Property property = IdentityApplicationManagementUtil.getProperty(IdentityApplicationManagementUtil.getFederatedAuthenticator(IdentityProviderManager.getInstance().getResidentIdP(str).getFederatedAuthenticatorConfigs(), "openidconnect").getProperties(), IDP_ENTITY_ID);
            if (property != null) {
                arrayList.add(property.getValue());
            }
            if (arrayList.size() == 0) {
                arrayList.add(IdentityUtil.getProperty(PROP_ID_TOKEN_ISSUER_ID));
            }
            if (z) {
                arrayList.add(IdentityUtil.getServerURL(Constants.OAUTH2_TOKEN_EP, false, false));
                arrayList.add(IdentityUtil.getServerURL(Constants.OAUTH2_CIBA_EP, false, false));
            }
            return arrayList;
        } catch (IdentityProviderManagementException e) {
            String str2 = "Error while loading OAuth2TokenEPUrl of the resident IDP of tenant: " + str;
            if (log.isDebugEnabled()) {
                log.debug(str2);
            }
            throw new OAuthClientAuthnException(str2, "invalid_request");
        }
    }

    public JWTClaimsSet getClaimSet(SignedJWT signedJWT) throws OAuthClientAuthnException {
        if (signedJWT == null) {
            throw new OAuthClientAuthnException("No Valid Assertion was found for urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "invalid_request");
        }
        try {
            JWTClaimsSet jWTClaimsSet = signedJWT.getJWTClaimsSet();
            if (jWTClaimsSet == null) {
                throw new OAuthClientAuthnException("Claim values are empty in the given JSON Web Token.", "invalid_request");
            }
            return jWTClaimsSet;
        } catch (ParseException e) {
            if (log.isDebugEnabled()) {
                log.debug("Error when trying to retrieve claimsSet from the JWT.");
            }
            throw new OAuthClientAuthnException("Error when trying to retrieve claimsSet from the JWT.", "invalid_request");
        }
    }

    public String resolveSubject(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getSubject();
    }

    private static X509Certificate getCertificate(String str, String str2) throws OAuthClientAuthnException {
        try {
            int tenantId = JWTServiceComponent.getRealmService().getTenantManager().getTenantId(str);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
            try {
                return (X509Certificate) (tenantId != -1234 ? keyStoreManager.getKeyStore(generateKSNameFromDomainName(str)) : keyStoreManager.getPrimaryKeyStore()).getCertificate(str2);
            } catch (KeyStoreException e) {
                String str3 = "Error instantiating an X509Certificate object for the certificate alias: " + str2 + " in tenant:" + str;
                if (log.isDebugEnabled()) {
                    log.debug(str3);
                }
                throw new OAuthClientAuthnException(str3, "invalid_request");
            } catch (Exception e2) {
                String str4 = "Unable to load key store manager for the tenant domain: " + str;
                if (log.isDebugEnabled()) {
                    log.debug(str4);
                }
                throw new OAuthClientAuthnException(str4, "invalid_request");
            }
        } catch (UserStoreException e3) {
            throw new OAuthClientAuthnException("Error getting the tenant ID for the tenant domain : " + str, "invalid_request");
        }
    }

    private static String generateKSNameFromDomainName(String str) {
        return str.trim().replace(FULLSTOP_DELIMITER, DASH_DELIMITER) + KEYSTORE_FILE_EXTENSION;
    }

    private boolean validateSignature(SignedJWT signedJWT, X509Certificate x509Certificate) throws JOSEException, OAuthClientAuthnException {
        JWSHeader header = signedJWT.getHeader();
        if (x509Certificate == null) {
            throw new OAuthClientAuthnException("Unable to locate certificate for JWT " + header.toString(), "invalid_request");
        }
        String name = signedJWT.getHeader().getAlgorithm().getName();
        if (StringUtils.isEmpty(name)) {
            throw new OAuthClientAuthnException("Signature validation failed. No algorithm is found in the JWT header.", "invalid_request");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + name);
        }
        if (name.indexOf(RS) != 0 && name.indexOf(PS) != 0) {
            throw new OAuthClientAuthnException("Signature Algorithm not supported : " + name, "invalid_request");
        }
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        }
        throw new OAuthClientAuthnException("Signature validation failed. Public key is not an RSA public key.", "invalid_request");
    }

    private boolean validateAgeOfTheToken(Date date, long j, long j2) throws OAuthClientAuthnException {
        if (date == null || this.rejectBeforeInMinutes <= 0) {
            return true;
        }
        long time = date.getTime();
        long j3 = 60000 * this.rejectBeforeInMinutes;
        if ((j + j2) - time <= j3) {
            return true;
        }
        String tokenTooOldMessage = getTokenTooOldMessage(j, j2, time, j3);
        if (log.isDebugEnabled()) {
            log.debug(tokenTooOldMessage);
        }
        throw new OAuthClientAuthnException("The jwt is too old to use.", "invalid_request");
    }

    private String getTokenTooOldMessage(long j, long j2, long j3, long j4) {
        return "JSON Web Token is issued before the allowed time. Issued At Time(ms) : " + j3 + ", Reject before limit(ms) : " + j4 + ", TimeStamp Skew : " + j2 + ", Current Time : " + j + ". JWT Rejected and validation terminated";
    }

    private boolean validateJTIInCache(String str, SignedJWT signedJWT, JWTCacheEntry jWTCacheEntry, long j, long j2, JWTCache jWTCache) throws OAuthClientAuthnException {
        if (jWTCacheEntry == null) {
            jWTCache.addToCache(str, new JWTCacheEntry(signedJWT));
        } else {
            if (this.preventTokenReuse) {
                throw new OAuthClientAuthnException("JWT Token with jti: " + str + " has been replayed", "invalid_request");
            }
            try {
                if (!checkJTIValidityPeriod(str, jWTCacheEntry.getJwt().getJWTClaimsSet().getExpirationTime().getTime(), j, j2)) {
                    return false;
                }
                jWTCache.addToCache(str, new JWTCacheEntry(signedJWT));
            } catch (ParseException e) {
                if (log.isDebugEnabled()) {
                    log.debug("Unable to parse the cached jwt assertion : " + jWTCacheEntry.getEncodedJWt());
                }
                throw new OAuthClientAuthnException("JTI validation failed.", "invalid_request");
            }
        }
        if (!log.isDebugEnabled()) {
            return true;
        }
        log.debug("JWT id: " + str + " not found in the cache and the JWT has been validated successfully in cache.");
        return true;
    }
}
