package org.wso2.carbon.identity.oauth2.util;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.sql.Timestamp;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.json.JSONException;
import org.json.JSONObject;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityConfigParser;
import org.wso2.carbon.identity.core.util.IdentityIOStreamUtils;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.AppInfoCache;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.dao.OAuthConsumerDAO;
import org.wso2.carbon.identity.oauth.dto.ScopeDTO;
import org.wso2.carbon.identity.oauth.event.OAuthEventInterceptor;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor;
import org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor;
import org.wso2.carbon.identity.oauth.user.UserInfoEndpointException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ScopeServerException;
import org.wso2.carbon.identity.oauth2.Oauth2ScopeConstants;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.bean.OAuthClientAuthnContext;
import org.wso2.carbon.identity.oauth2.bean.Scope;
import org.wso2.carbon.identity.oauth2.bean.ScopeBinding;
import org.wso2.carbon.identity.oauth2.config.SpOAuth2ExpiryTimeConfiguration;
import org.wso2.carbon.identity.oauth2.dao.OAuthTokenPersistenceFactory;
import org.wso2.carbon.identity.oauth2.device.constants.Constants;
import org.wso2.carbon.identity.oauth2.dto.OAuth2IntrospectionResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuthRevocationRequestDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.internal.OAuthApplicationMgtListener;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.model.ClientCredentialDO;
import org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinder;
import org.wso2.carbon.identity.oauth2.token.bindings.TokenBinding;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler;
import org.wso2.carbon.identity.openidconnect.OIDCConstants;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;
import org.wso2.carbon.identity.openidconnect.model.RequestedClaim;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.registry.core.session.UserRegistry;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.UserCoreConstants;
import org.wso2.carbon.user.core.util.UserCoreUtil;
import org.wso2.carbon.utils.CarbonUtils;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/OAuth2Util.class */
public class OAuth2Util {
    // String constants exposed to callers; the code that consumes them is mostly outside this excerpt.
    public static final String REMOTE_ACCESS_TOKEN = "REMOTE_ACCESS_TOKEN";
    public static final String JWT_ACCESS_TOKEN = "JWT_ACCESS_TOKEN";
    public static final String ACCESS_TOKEN_DO = "AccessTokenDo";
    public static final String OAUTH2_VALIDATION_MESSAGE_CONTEXT = "OAuth2TokenValidationMessageContext";
    public static final String CONFIG_ELEM_OAUTH = "OAuth";
    public static final String OPENID_CONNECT = "OpenIDConnect";
    public static final String ENABLE_OPENID_CONNECT_AUDIENCES = "EnableAudiences";
    public static final String OPENID_CONNECT_AUDIENCE = "audience";
    public static final String OPENID_CONNECT_AUDIENCE_IDENTITY_CONFIG = "Audience";
    private static final String OPENID_CONNECT_AUDIENCES = "Audiences";
    private static final String DOT_SEPARATER = ".";
    private static final String IDP_ENTITY_ID = "IdPEntityId";
    public static final String DEFAULT_TOKEN_TYPE = "Default";
    // Request parameter and claim names; "nbf", "aud", "iss", "jti", "sub", "exp" and "iat" are the registered JWT claim names.
    public static final String SCOPE = "scope";
    public static final String CLIENT_ID = "client_id";
    public static final String USERNAME = "username";
    public static final String TOKEN_TYPE = "token_type";
    public static final String NBF = "nbf";
    public static final String AUD = "aud";
    public static final String ISS = "iss";
    public static final String JTI = "jti";
    public static final String SUB = "sub";
    public static final String EXP = "exp";
    public static final String IAT = "iat";
    public static final String USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS = "userAccessTokenExpireTime";
    public static final String REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS = "refreshTokenExpireTime";
    public static final String APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS = "applicationAccessTokenExpireTime";
    private static final String INTERNAL_LOGIN_SCOPE = "internal_login";
    private static final String IDENTITY_PATH = "identity";
    public static final String NAME = "name";
    private static final String DISPLAY_NAME = "displayName";
    private static final String DESCRIPTION = "description";
    private static final String PERMISSION = "Permission";
    // NOTE(review): the name suggests a switch that relaxes RSA signer key-strength checks; where it is read
    // is not visible in this excerpt. Confirm it cannot be enabled in a production configuration.
    private static final String ALLOW_WEAK_RSA_SIGNER_KEY = "allow_weak_rsa_signer_key";
    // Signature algorithm labels. "NONE" presumably selects unsigned tokens; verify that any consumer of
    // these labels never accepts it for tokens that must be integrity-protected.
    private static final String NONE = "NONE";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String SHA384_WITH_RSA = "SHA384withRSA";
    private static final String SHA512_WITH_RSA = "SHA512withRSA";
    private static final String SHA256_WITH_HMAC = "SHA256withHMAC";
    private static final String SHA384_WITH_HMAC = "SHA384withHMAC";
    private static final String SHA512_WITH_HMAC = "SHA512withHMAC";
    private static final String SHA256_WITH_EC = "SHA256withEC";
    private static final String SHA384_WITH_EC = "SHA384withEC";
    private static final String SHA512_WITH_EC = "SHA512withEC";
    private static final String SHA256_WITH_PS = "SHA256withPS";
    // Standard JCA message digest names.
    private static final String SHA256 = "SHA-256";
    private static final String SHA384 = "SHA-384";
    private static final String SHA512 = "SHA-512";
    // Client authentication method names as defined by OpenID Connect Core.
    private static final String CLIENT_SECRET_BASIC = "client_secret_basic";
    private static final String CLIENT_SECRET_POST = "client_secret_post";
    private static final String PRIVATE_KEY_JWT = "private_key_jwt";
    private static final Log log = LogFactory.getLog(OAuth2Util.class);
    // The configured skew is in seconds; it is held here in milliseconds.
    private static long timestampSkew = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
    // Per-thread request state. On pooled threads a ThreadLocal value survives the request unless it is
    // removed, so every set*() must be paired with the matching clear*() (which calls remove()).
    private static ThreadLocal<Integer> clientTenantId = new ThreadLocal<>();
    private static ThreadLocal<OAuthTokenReqMessageContext> tokenRequestContext = new ThreadLocal<>();
    private static ThreadLocal<OAuthAuthzReqMessageContext> authzRequestContext = new ThreadLocal<>();
    // Matches one or more of: ASCII letter, digit, '_', '-', '.', '~'. The pattern sets no length bound;
    // presumably the PKCE code_verifier alphabet, in which case the 43-128 character limit of RFC 7636
    // has to be enforced where the pattern is applied (not visible here).
    private static Pattern pkceCodeVerifierPattern = Pattern.compile("[\\w\\-\\._~]+");
    // Process-wide caches keyed by Integer (presumably the tenant id; confirm against the code that fills them).
    // Both maps are constructed as raw ConcurrentHashMap. privateKeys keeps private key objects reachable
    // for the lifetime of the class.
    private static Map<Integer, Certificate> publicCerts = new ConcurrentHashMap();
    private static Map<Integer, Key> privateKeys = new ConcurrentHashMap();

    /* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/OAuth2Util$OAuthURL.class */
    /**
     * Resolves the URLs of the OAuth 1, OAuth 2 and OpenID Connect endpoints.
     *
     * <p>Every getter prefers the value configured in {@link OAuthServerConfiguration}; when that value is
     * blank it falls back to a URL built by {@code IdentityUtil.getServerURL} from a fixed path. The
     * tenant-aware getters additionally prefix the path with {@code /t/<tenantDomain>} for any tenant
     * other than {@code carbon.super}.
     */
    public static class OAuthURL {

        /** Tenant domain for which no {@code /t/...} path prefix is added. */
        private static final String SUPER_TENANT_DOMAIN = "carbon.super";

        /** @return the configured OAuth 1 request-token URL, or the server default when none is configured. */
        public static String getOAuth1RequestTokenUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1RequestTokenUrl(),
                    "oauth/request-token", true, true);
        }

        /** @return the configured OAuth 1 authorize URL, or the server default when none is configured. */
        public static String getOAuth1AuthorizeUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1AuthorizeUrl(),
                    "oauth/authorize-url", true, true);
        }

        /** @return the configured OAuth 1 access-token URL, or the server default when none is configured. */
        public static String getOAuth1AccessTokenUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth1AccessTokenUrl(),
                    "oauth/access-token", true, true);
        }

        /** @return the configured OAuth 2 authorization endpoint URL, or the server default. */
        public static String getOAuth2AuthzEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2AuthzEPUrl(),
                    "oauth2/authorize", true, false);
        }

        /** @return the configured OAuth 2 token endpoint URL, or the server default. */
        public static String getOAuth2TokenEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2TokenEPUrl(),
                    "oauth2/token", true, false);
        }

        /**
         * @param str tenant domain; blank or {@code carbon.super} leaves the URL without a tenant prefix
         * @return the dynamic client registration endpoint URL for that tenant
         * @throws URISyntaxException if the resolved URL cannot be parsed while adding the tenant prefix
         */
        public static String getOAuth2DCREPUrl(String str) throws URISyntaxException {
            String baseUrl = configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2DCREPUrl(),
                    "/api/identity/oauth2/dcr/v1.0/register", true, false);
            return forTenant(baseUrl, str);
        }

        /**
         * @param str tenant domain; blank or {@code carbon.super} leaves the URL without a tenant prefix
         * @return the JWKS endpoint URL for that tenant
         * @throws URISyntaxException if the resolved URL cannot be parsed while adding the tenant prefix
         */
        public static String getOAuth2JWKSPageUrl(String str) throws URISyntaxException {
            String baseUrl = configuredOrDefault(OAuthServerConfiguration.getInstance().getOAuth2JWKSPageUrl(),
                    "/oauth2/jwks", true, false);
            return forTenant(baseUrl, str);
        }

        /** @return the configured WebFinger endpoint URL, or the server default. */
        public static String getOidcWebFingerEPUrl() {
            // NOTE(review): the fallback path reads ".well-know/webfinger", while RFC 7033 registers
            // "/.well-known/webfinger". Kept unchanged here; confirm against the deployed endpoint.
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOidcWebFingerEPUrl(),
                    ".well-know/webfinger", true, false);
        }

        /**
         * @param str tenant domain; blank or {@code carbon.super} leaves the URL without a tenant prefix
         * @return the OIDC discovery endpoint URL for that tenant
         * @throws URISyntaxException if the resolved URL cannot be parsed while adding the tenant prefix
         */
        public static String getOidcDiscoveryEPUrl(String str) throws URISyntaxException {
            String baseUrl = configuredOrDefault(OAuthServerConfiguration.getInstance().getOidcDiscoveryUrl(),
                    "/oauth2/oidcdiscovery", true, false);
            return forTenant(baseUrl, str);
        }

        /** @return the configured UserInfo endpoint URL, or the server default. */
        public static String getOAuth2UserInfoEPUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2UserInfoEPUrl(),
                    "oauth2/userinfo", true, false);
        }

        /** @return the configured OIDC consent page URL, or the server default. */
        public static String getOIDCConsentPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOIDCConsentPageUrl(),
                    "/authenticationendpoint/oauth2_consent.do", false, false);
        }

        /** @return the configured OAuth 2 consent page URL, or the server default. */
        public static String getOAuth2ConsentPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2ConsentPageUrl(),
                    "/authenticationendpoint/oauth2_authz.do", false, false);
        }

        /** @return the configured OAuth 2 error page URL, or the server default. */
        public static String getOAuth2ErrorPageUrl() {
            return configuredOrDefault(OAuthServerConfiguration.getInstance().getOauth2ErrorPageUrl(),
                    "/authenticationendpoint/oauth2_error.do", false, false);
        }

        /**
         * Returns {@code configured} unless it is blank, in which case the server URL for
         * {@code defaultPath} is built. The two flags are handed to {@code IdentityUtil.getServerURL}
         * unchanged, and that call is made only when the fallback is actually needed.
         */
        private static String configuredOrDefault(String configured, String defaultPath,
                                                  boolean addProxyContextPath, boolean addWebContextRoot) {
            if (StringUtils.isBlank(configured)) {
                return IdentityUtil.getServerURL(defaultPath, addProxyContextPath, addWebContextRoot);
            }
            return configured;
        }

        /** Adds the tenant path prefix to {@code url} unless the tenant domain is blank or the super tenant. */
        private static String forTenant(String url, String tenantDomain) throws URISyntaxException {
            boolean noPrefixNeeded = StringUtils.isBlank(tenantDomain) || SUPER_TENANT_DOMAIN.equals(tenantDomain);
            return noPrefixNeeded ? url : getTenantUrl(url, tenantDomain);
        }

        /**
         * Rebuilds {@code str} with {@code /t/<str2>} inserted in front of its path.
         *
         * <p>The tenant domain is concatenated into the path as given. The multi-argument {@link URI}
         * constructor quotes characters that are illegal in a path, but it does not reject {@code '/'}
         * or {@code ".."} segments, so callers must pass a tenant domain that has already been validated.
         */
        private static String getTenantUrl(String str, String str2) throws URISyntaxException {
            URI base = new URI(str);
            String tenantPath = "/t/" + str2 + base.getPath();
            URI tenantUri = new URI(base.getScheme(), base.getUserInfo(), base.getHost(), base.getPort(),
                    tenantPath, base.getQuery(), base.getFragment());
            return tenantUri.toString();
        }
    }

    // Private constructor: the class exposes only static members and is not meant to be instantiated.
    private OAuth2Util() {
    }

    /**
     * Returns the authorization request context held for the current thread.
     *
     * @return the context stored by {@link #setAuthzRequestContext}, or {@code null} if none is set
     */
    public static OAuthAuthzReqMessageContext getAuthzRequestContext() {
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Retreived OAuthAuthzReqMessageContext from threadlocal");
        }
        OAuthAuthzReqMessageContext current = authzRequestContext.get();
        return current;
    }

    /**
     * Stores the authorization request context for the current thread.
     *
     * <p>The value stays attached to the thread until {@link #clearAuthzRequestContext} is called, so the
     * two calls must be paired (typically in a {@code finally}) when threads are pooled.
     *
     * @param oAuthAuthzReqMessageContext context to bind to the current thread
     */
    public static void setAuthzRequestContext(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext) {
        authzRequestContext.set(oAuthAuthzReqMessageContext);
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Added OAuthAuthzReqMessageContext to threadlocal");
        }
    }

    /**
     * Removes the authorization request context from the current thread so it cannot be observed by a
     * later request served on the same thread.
     */
    public static void clearAuthzRequestContext() {
        authzRequestContext.remove();
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Cleared OAuthAuthzReqMessageContext");
        }
    }

    /**
     * Returns the token request context held for the current thread.
     *
     * @return the context stored by {@link #setTokenRequestContext}, or {@code null} if none is set
     */
    public static OAuthTokenReqMessageContext getTokenRequestContext() {
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Retreived OAuthTokenReqMessageContext from threadlocal");
        }
        OAuthTokenReqMessageContext current = tokenRequestContext.get();
        return current;
    }

    /**
     * Stores the token request context for the current thread.
     *
     * <p>The value stays attached to the thread until {@link #clearTokenRequestContext} is called, so the
     * two calls must be paired (typically in a {@code finally}) when threads are pooled.
     *
     * @param oAuthTokenReqMessageContext context to bind to the current thread
     */
    public static void setTokenRequestContext(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        tokenRequestContext.set(oAuthTokenReqMessageContext);
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Added OAuthTokenReqMessageContext to threadlocal");
        }
    }

    /**
     * Removes the token request context from the current thread so it cannot be observed by a later
     * request served on the same thread.
     */
    public static void clearTokenRequestContext() {
        tokenRequestContext.remove();
        final boolean debugOn = log.isDebugEnabled();
        if (debugOn) {
            log.debug("Cleared OAuthTokenReqMessageContext");
        }
    }

    /**
     * Returns the client tenant id recorded for the current thread.
     *
     * @return the stored tenant id, or {@code -1} when nothing has been stored on this thread
     */
    public static int getClientTenatId() {
        Integer stored = clientTenantId.get();
        return stored != null ? stored.intValue() : -1;
    }

    /**
     * Records the client tenant id for the current thread; pair with {@link #clearClientTenantId}.
     *
     * @param i tenant id to store
     */
    public static void setClientTenatId(int i) {
        Integer boxedTenantId = Integer.valueOf(i);
        clientTenantId.set(boxedTenantId);
    }

    /**
     * Removes the client tenant id from the current thread, after which {@link #getClientTenatId}
     * returns {@code -1} again on this thread.
     */
    public static void clearClientTenantId() {
        clientTenantId.remove();
    }

    /**
     * Joins scope values into a single string after sorting them.
     *
     * <p>The array is sorted in place, so the caller's array is reordered as a side effect. The values
     * are joined with {@code Constants.SEPARATED_WITH_SPACE} (presumably a single space; its value is
     * not visible here).
     *
     * @param strArr scope values, may be {@code null}
     * @return the joined scopes, or {@code null} when {@code strArr} is {@code null}
     */
    public static String buildScopeString(String[] strArr) {
        if (strArr != null) {
            Arrays.sort(strArr);
            String joined = StringUtils.join(strArr, Constants.SEPARATED_WITH_SPACE);
            return joined;
        }
        return null;
    }

    /**
     * Splits a scope string into its individual values.
     *
     * <p>The trimmed input is split on every single whitespace character, so a run of consecutive
     * whitespace inside the string produces empty-string entries in the result.
     *
     * @param str scope string, may be {@code null} or blank
     * @return the scope values, or an empty array for a {@code null} or blank input
     */
    public static String[] buildScopeArray(String str) {
        if (StringUtils.isBlank(str)) {
            return new String[0];
        }
        String trimmed = str.trim();
        return trimmed.split("\\s");
    }

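    /**
     * Checks a client id / client secret pair against the registered OAuth application.
     *
     * <p>When client secret hashing is disabled the presented secret is compared with the stored one
     * directly; otherwise the presented secret is first passed through the configured
     * {@link TokenPersistenceProcessor} and the processed value is compared.
     *
     * <p>The comparison uses {@link MessageDigest#isEqual}, whose running time does not depend on where
     * the two values first differ, so a caller cannot learn a secret prefix by timing failed attempts.
     *
     * @param str  client id presented by the caller
     * @param str2 client secret presented by the caller
     * @return {@code true} if an application exists for the client id and the secrets match
     * @throws IdentityOAuthAdminException  as thrown by the application lookup
     * @throws IdentityOAuth2Exception      as thrown by the application lookup or secret processing
     * @throws InvalidOAuthClientException  as thrown by the application lookup
     */
    public static boolean authenticateClient(String str, String str2) throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
        OAuthAppDO appInformationByClientId = getAppInformationByClientId(str);
        if (appInformationByClientId == null) {
            if (log.isDebugEnabled()) {
                log.debug("Cannot find a valid application with the provided client_id: " + str);
            }
            return false;
        }
        boolean hashDisabled = isHashDisabled();
        String storedSecret = appInformationByClientId.getOauthConsumerSecret();
        String presentedSecret = hashDisabled ? str2 : getPersistenceProcessor().getProcessedClientSecret(str2);

        boolean secretsMatch;
        if (storedSecret == null || presentedSecret == null) {
            // Kept from the previous null-safe equality: two nulls compare equal.
            // NOTE(review): confirm that an application without a stored secret is meant to
            // authenticate when no secret is presented.
            secretsMatch = storedSecret == null && presentedSecret == null;
        } else {
            secretsMatch = MessageDigest.isEqual(
                    storedSecret.getBytes(StandardCharsets.UTF_8),
                    presentedSecret.getBytes(StandardCharsets.UTF_8));
        }

        if (!secretsMatch) {
            if (log.isDebugEnabled()) {
                log.debug("Provided the Client ID : " + str + " and Client Secret do not match with the issued credentials.");
            }
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully authenticated the client with client id : " + str);
        }
        return true;
    }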

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v8, types: [org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor] */
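    /**
     * Returns the token persistence processor configured for the server.
     *
     * <p>If the configured processor cannot be obtained, a warning is logged and a
     * {@link PlainTextPersistenceProcessor} is returned instead.
     *
     * <p>NOTE(review): the fallback fails open. A broken configuration silently switches processing to
     * the plain-text processor; whether that leaves tokens and secrets unprotected at rest depends on
     * how callers use the result, so alert on the warning below.
     *
     * @return the configured processor, or a plain-text processor when retrieval fails
     */
    public static TokenPersistenceProcessor getPersistenceProcessor() {
        // Declared as the interface type: the configured processor need not be the plain-text implementation.
        TokenPersistenceProcessor processor;
        try {
            processor = OAuthServerConfiguration.getInstance().getPersistenceProcessor();
        } catch (IdentityOAuth2Exception e) {
            log.warn("Error retrieving TokenPersistenceProcessor configured in OAuth.TokenPersistenceProcessor in identity.xml. Defaulting to PlainTextPersistenceProcessor.");
            if (log.isDebugEnabled()) {
                log.debug("Error retrieving TokenPersistenceProcessor configured in OAuth.TokenPersistenceProcessor in identity.xml. Defaulting to PlainTextPersistenceProcessor.", e);
            }
            processor = new PlainTextPersistenceProcessor();
        }
        return processor;
    }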

    /**
     * @return {@code true} when client secret hashing is switched off in the server configuration
     */
    public static boolean isHashDisabled() {
        boolean hashEnabled = OAuthServerConfiguration.getInstance().isClientSecretHashEnabled();
        return !hashEnabled;
    }

    /**
     * @return {@code true} when client secret hashing is switched on in the server configuration
     */
    public static boolean isHashEnabled() {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        return config.isClientSecretHashEnabled();
    }

    /**
     * Authenticates the client and returns the username associated with the client credentials.
     *
     * <p>After a successful {@link #authenticateClient} call the username is taken from the OAuth cache
     * when a {@code ClientCredentialDO} entry is found, otherwise from {@code OAuthConsumerDAO}. A
     * username read from the DAO is then cached under {@code clientId:username} (username lower-cased
     * when the user store is case-insensitive).
     *
     * <p>NOTE(review): the cache lookup key is built from the client id and a {@code null} username, so
     * it is always {@code "<clientId>:null"} and does not look like it can match the keys written
     * below; confirm whether the cache is ever hit. The cached value is read through
     * {@code getClientSecret()} of a {@code ClientCredentialDO} that was constructed from the username.
     * The username is also written to the debug log.
     *
     * @param str  client id
     * @param str2 client secret
     * @return the username, or {@code null} when authentication fails or no username is found
     */
    public static String getAuthenticatedUsername(String str, String str2) throws IdentityOAuthAdminException, IdentityOAuth2Exception, InvalidOAuthClientException {
        boolean caseSensitiveUsernames = IdentityUtil.isUserStoreInUsernameCaseSensitive((String) null);
        if (!authenticateClient(str, str2)) {
            return null;
        }

        String username = null;
        boolean servedFromCache = false;
        CacheEntry cached = (CacheEntry) OAuthCache.getInstance().getValueFromCache(new OAuthCacheKey(str + ":" + ((String) null)));
        if (cached instanceof ClientCredentialDO) {
            username = ((ClientCredentialDO) cached).getClientSecret();
            servedFromCache = true;
            if (log.isDebugEnabled()) {
                log.debug("Username was available in the cache : " + username);
            }
        }

        if (username == null) {
            username = new OAuthConsumerDAO().getAuthenticatedUsername(str, str2);
            if (log.isDebugEnabled()) {
                log.debug("Username fetch from the database");
            }
        }

        if (username != null && !servedFromCache) {
            String keyUsername = caseSensitiveUsernames ? username : username.toLowerCase();
            OAuthCache.getInstance().addToCache(new OAuthCacheKey(str + ":" + keyUsername), new ClientCredentialDO(username));
            if (log.isDebugEnabled()) {
                log.debug("Caching username : " + username);
            }
        }
        return username;
    }

    /**
     * Builds the cache key for an authorization code as {@code <str>:<str2>}.
     *
     * <p>A {@code null} argument is rendered as the text {@code "null"}.
     *
     * @param str  first key component
     * @param str2 second key component
     * @return the two components joined by a colon
     */
    public static String buildCacheKeyStringForAuthzCode(String str, String str2) {
        StringBuilder key = new StringBuilder();
        key.append(str).append(':').append(str2);
        return key.toString();
    }

    /**
     * Builds a token cache key of the form {@code <str>:<user>:<str2>}.
     *
     * <p>The user component is {@code str3} as given when the user store treats usernames as
     * case-sensitive, otherwise its lower-cased form (default-locale {@code toLowerCase()}).
     *
     * @param str  first key component
     * @param str2 last key component
     * @param str3 username; must not be {@code null} when usernames are case-insensitive
     * @return the assembled key
     */
    @Deprecated
    public static String buildCacheKeyStringForToken(String str, String str2, String str3) {
        boolean caseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(str3);
        String userPart = caseSensitive ? str3 : str3.toLowerCase();
        return str + ":" + userPart + ":" + str2;
    }

    /**
     * Builds a token cache key of the form {@code <str>:<user>:<str2>:<str4>}.
     *
     * <p>The user component is {@code str3} as given when the user store treats usernames as
     * case-sensitive, otherwise its lower-cased form (default-locale {@code toLowerCase()}).
     *
     * @param str  first key component
     * @param str2 third key component
     * @param str3 username; must not be {@code null} when usernames are case-insensitive
     * @param str4 last key component
     * @return the assembled key
     */
    @Deprecated
    public static String buildCacheKeyStringForToken(String str, String str2, String str3, String str4) {
        boolean caseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(str3);
        String userPart = caseSensitive ? str3 : str3.toLowerCase();
        return str + ":" + userPart + ":" + str2 + ":" + str4;
    }

    /**
     * Builds a token cache key of the form {@code <str>:<user>:<str2>:<str4>:<str5>}.
     *
     * <p>The user component is {@code str3} as given when the user store treats usernames as
     * case-sensitive, otherwise its lower-cased form (default-locale {@code toLowerCase()}).
     *
     * @param str  first key component
     * @param str2 third key component
     * @param str3 username; must not be {@code null} when usernames are case-insensitive
     * @param str4 fourth key component
     * @param str5 last key component
     * @return the assembled key
     */
    public static String buildCacheKeyStringForToken(String str, String str2, String str3, String str4, String str5) {
        boolean caseSensitive = IdentityUtil.isUserStoreInUsernameCaseSensitive(str3);
        String userPart = caseSensitive ? str3 : str3.toLowerCase();
        return str + ":" + userPart + ":" + str2 + ":" + str4 + ":" + str5;
    }

    /**
     * Derives a reference for a token binding value as the hex-encoded MD5 digest of that value.
     *
     * <p>NOTE(review): MD5 is not collision resistant. That is acceptable only while the reference
     * serves as a lookup identifier; it should not be relied on as proof that two binding values are
     * identical. Changing the digest would invalidate references already stored, so it is left as is.
     *
     * @param str token binding value, may be blank
     * @return the MD5 hex digest, or {@code null} for a blank input
     */
    public static String getTokenBindingReference(String str) {
        return StringUtils.isBlank(str) ? null : DigestUtils.md5Hex(str);
    }

    /**
     * Checks that an access token record still has time left and rewrites its validity periods to the
     * remaining time.
     *
     * <p>Both remaining times are computed from the access token's issued time. The refresh token's
     * remaining time uses the server-wide refresh token validity period (seconds, converted to
     * milliseconds), not a value read from the record. A remaining time of 1000 ms or less counts as
     * expired.
     *
     * @param accessTokenDO record to check; it is modified in place when still valid
     * @return the same record with updated validity periods, or {@code null} if either the access
     *         token or the refresh token has 1000 ms or less remaining
     */
    public static AccessTokenDO validateAccessTokenDO(AccessTokenDO accessTokenDO) {
        long configuredValidityMillis = accessTokenDO.getValidityPeriodInMillis();
        long issuedAtMillis = accessTokenDO.getIssuedTime().getTime();

        long accessRemainingMillis = getTimeToExpire(issuedAtMillis, configuredValidityMillis);
        if (accessRemainingMillis <= 1000) {
            return null;
        }

        long refreshValidityMillis = OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000;
        long refreshRemainingMillis = getTimeToExpire(issuedAtMillis, refreshValidityMillis);
        if (refreshRemainingMillis <= 1000) {
            return null;
        }

        accessTokenDO.setValidityPeriodInMillis(accessRemainingMillis);
        accessTokenDO.setRefreshTokenValidityPeriodInMillis(refreshRemainingMillis);
        accessTokenDO.setIssuedTime(new Timestamp(issuedAtMillis));
        return accessTokenDO;
    }

    /**
     * @return the access token partitioning flag from the server configuration
     */
    public static boolean checkAccessTokenPartitioningEnabled() {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        return config.isAccessTokenPartitioningEnabled();
    }

    /**
     * @return the username assertion flag from the server configuration
     */
    public static boolean checkUserNameAssertionEnabled() {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        return config.isUserNameAssertionEnabled();
    }

    /**
     * @return the raw access token partitioning domains string from the server configuration; parsed
     *         by {@link #getAvailableUserStoreDomainMappings} as comma-separated {@code a:b} pairs
     */
    public static String getAccessTokenPartitioningDomains() {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        return config.getAccessTokenPartitioningDomains();
    }

    /**
     * Parses the configured partitioning domains into a lookup map.
     *
     * <p>The configuration value is a comma-separated list of {@code first:second} entries. Each entry
     * is stored with the trimmed second part as key and the trimmed first part as value; keys compare
     * case-insensitively.
     *
     * @return the parsed mappings; empty when nothing is configured
     * @throws IdentityOAuth2Exception if an entry does not contain at least two colon-separated parts
     */
    public static Map<String, String> getAvailableUserStoreDomainMappings() throws IdentityOAuth2Exception {
        Map<String, String> mappings = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        String configuredDomains = getAccessTokenPartitioningDomains();
        if (configuredDomains == null) {
            return mappings;
        }
        String[] entries = configuredDomains.split(",");
        for (String entry : entries) {
            String[] parts = entry.trim().split(":");
            if (parts.length < 2) {
                throw new IdentityOAuth2Exception("Domain mapping has not defined correctly");
            }
            String key = parts[1].trim();
            String value = parts[0].trim();
            mappings.put(key, value);
        }
        return mappings;
    }

    /**
     * Translates a user store domain through the configured partitioning mappings.
     *
     * <p>A domain without a mapping is returned unchanged, so the result is not limited to configured
     * values. Callers that place the result in a table name must not pass an unvalidated domain.
     *
     * @param str user store domain, may be {@code null}
     * @return the mapped value when one is configured, otherwise {@code str} itself
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getMappedUserStoreDomain(String str) throws IdentityOAuth2Exception {
        Map<String, String> mappings = getAvailableUserStoreDomainMappings();
        if (str == null || !mappings.containsKey(str)) {
            return str;
        }
        return mappings.get(str);
    }

    /**
     * Returns the table name to use for a given user store domain.
     *
     * <p>When both arguments are non-blank and the domain is not the primary domain, the result is
     * {@code <table>_<mappedDomain>}; otherwise the table name is returned unchanged. The suffix comes
     * from {@link #getMappedUserStoreDomain}, which passes unmapped domains through as given.
     *
     * @param str  base table name
     * @param str2 user store domain
     * @return the possibly suffixed table name
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getPartitionedTableByUserStore(String str, String str2) throws IdentityOAuth2Exception {
        boolean bothPresent = StringUtils.isNotBlank(str) && StringUtils.isNotBlank(str2);
        if (!bothPresent || IdentityUtil.getPrimaryDomainName().equalsIgnoreCase(str2)) {
            return str;
        }
        String suffix = getMappedUserStoreDomain(str2);
        return str + "_" + suffix;
    }

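    /**
     * Rewrites a SQL statement so that it targets the access token tables of a user store partition.
     *
     * <p>When both access token partitioning and username assertion are enabled, whole-word occurrences
     * of {@code IDN_OAUTH2_ACCESS_TOKEN} and {@code IDN_OAUTH2_ACCESS_TOKEN_SCOPE} are replaced with the
     * partitioned table names; otherwise the statement is returned unchanged.
     *
     * <p>The table names are inserted as literal text (via {@code Matcher.quoteReplacement}), so a
     * {@code '$'} or {@code '\'} in a domain name is no longer interpreted as a group reference or
     * escape by {@code replaceAll}.
     *
     * <p>NOTE(review): the table suffix is text concatenated into SQL and cannot be bound as a
     * parameter. {@link #getMappedUserStoreDomain} returns unmapped domains unchanged, and
     * {@link #getTokenPartitionedSqlByToken} derives the domain from the content of the token, so the
     * domain should be checked against the configured mappings (or a strict identifier pattern) before
     * it reaches this method.
     *
     * @param str  SQL statement referring to the unpartitioned table names
     * @param str2 user store domain selecting the partition
     * @return the rewritten statement, or {@code str} when partitioning does not apply
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getTokenPartitionedSqlByUserStore(String str, String str2) throws IdentityOAuth2Exception {
        String str3 = str;
        if (checkAccessTokenPartitioningEnabled() && checkUserNameAssertionEnabled()) {
            String partitionedTableByUserStore = getPartitionedTableByUserStore("IDN_OAUTH2_ACCESS_TOKEN", str2);
            String partitionedTableByUserStore2 = getPartitionedTableByUserStore("IDN_OAUTH2_ACCESS_TOKEN_SCOPE", str2);
            if (log.isDebugEnabled()) {
                log.debug("PartitionedAccessTokenTable: " + partitionedTableByUserStore + " & PartitionedAccessTokenScopeTable: " + partitionedTableByUserStore2 + " for user store domain: " + str2);
            }
            // replaceAll treats '$' and '\' in the replacement specially; quote so the names are literal.
            String tokenTableReplacement = java.util.regex.Matcher.quoteReplacement(partitionedTableByUserStore);
            String scopeTableReplacement = java.util.regex.Matcher.quoteReplacement(partitionedTableByUserStore2);
            str3 = str.replaceAll("\\bIDN_OAUTH2_ACCESS_TOKEN\\b", tokenTableReplacement).replaceAll("\\bIDN_OAUTH2_ACCESS_TOKEN_SCOPE\\b", scopeTableReplacement);
            if (log.isDebugEnabled()) {
                log.debug("Original SQL: " + str);
                log.debug("Partitioned SQL: " + str3);
            }
        }
        return str3;
    }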

    /**
     * Rewrites a SQL statement for the partition that belongs to a user's store domain.
     *
     * <p>The domain is the part of the user id in front of {@code UserCoreConstants.DOMAIN_SEPARATOR};
     * a user id without a separator yields a {@code null} domain. The statement is returned unchanged
     * unless both access token partitioning and username assertion are enabled. The user id is written
     * to the debug log.
     *
     * @param str  SQL statement referring to the unpartitioned table names
     * @param str2 user id, optionally prefixed with a user store domain
     * @return the rewritten statement, or {@code str} when partitioning does not apply
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getTokenPartitionedSqlByUserId(String str, String str2) throws IdentityOAuth2Exception {
        boolean partitioningActive = checkAccessTokenPartitioningEnabled() && checkUserNameAssertionEnabled();
        if (!partitioningActive) {
            return str;
        }
        if (log.isDebugEnabled()) {
            log.debug("Calculating partitioned sql for username: " + str2);
        }
        String userStoreDomain = null;
        if (str2 != null) {
            String[] parts = str2.split(UserCoreConstants.DOMAIN_SEPARATOR);
            if (parts != null && parts.length > 1) {
                userStoreDomain = parts[0];
            }
        }
        return getTokenPartitionedSqlByUserStore(str, userStoreDomain);
    }

    /**
     * Rewrites a SQL statement for the partition of the user encoded in an access token.
     *
     * <p>The user id is extracted from the token with {@link #getUserIdFromAccessToken}; the token is
     * caller-supplied, so the derived domain is untrusted input. The token itself is written to the
     * debug log only when {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it. The statement
     * is returned unchanged unless both access token partitioning and username assertion are enabled.
     *
     * @param str  SQL statement referring to the unpartitioned table names
     * @param str2 access token
     * @return the rewritten statement, or {@code str} when partitioning does not apply
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getTokenPartitionedSqlByToken(String str, String str2) throws IdentityOAuth2Exception {
        boolean partitioningActive = checkAccessTokenPartitioningEnabled() && checkUserNameAssertionEnabled();
        if (!partitioningActive) {
            return str;
        }
        if (log.isDebugEnabled()) {
            boolean tokenMayBeLogged = IdentityUtil.isTokenLoggable("AccessToken");
            if (!tokenMayBeLogged) {
                log.debug("Calculating partitioned sql for token");
            } else {
                log.debug("Calculating partitioned sql for token: " + str2);
            }
        }
        String userId = getUserIdFromAccessToken(str2);
        return getTokenPartitionedSqlByUserId(str, userId);
    }

    /**
     * Returns the mapped user store domain of a domain-qualified user id.
     *
     * @param str user id, optionally prefixed with a user store domain and
     *            {@code UserCoreConstants.DOMAIN_SEPARATOR}
     * @return the mapped domain, or {@code null} when {@code str} is {@code null} or carries no domain
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getUserStoreDomainFromUserId(String str) throws IdentityOAuth2Exception {
        if (str == null) {
            return null;
        }
        String[] parts = str.split(UserCoreConstants.DOMAIN_SEPARATOR);
        if (parts == null || parts.length <= 1) {
            return null;
        }
        return getMappedUserStoreDomain(parts[0]);
    }

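    /**
     * Returns the mapped user store domain of the user encoded in an access token.
     *
     * <p>The token is Base64-decoded as UTF-8 and split on {@code ':'}; the second part is taken as the
     * user id. A token whose decoded form has no second part yields {@code null} instead of failing
     * with an {@code ArrayIndexOutOfBoundsException}, matching {@link #getUserIdFromAccessToken}. The
     * token is caller-supplied, so its decoded content is untrusted.
     *
     * @param str access token; must not be {@code null}
     * @return the mapped domain, or {@code null} when the token carries no domain-qualified user id
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    public static String getUserStoreDomainFromAccessToken(String str) throws IdentityOAuth2Exception {
        String decodedToken = new String(Base64.decodeBase64(str.getBytes(Charsets.UTF_8)), Charsets.UTF_8);
        String[] split = decodedToken.split(":");
        // Guard the index: an opaque or malformed token may decode to text without a ':' separator.
        if (split.length < 2 || split[1] == null) {
            return null;
        }
        return getUserStoreDomainFromUserId(split[1]);
    }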

    /**
     * Returns the access token table for a domain-qualified user id.
     *
     * @param str user id, optionally prefixed with a user store domain and
     *            {@code UserCoreConstants.DOMAIN_SEPARATOR}
     * @return {@code IDN_OAUTH2_ACCESS_TOKEN}, suffixed for the user's domain when the id carries one
     *         and {@link #getPartitionedTableByUserStore} applies a suffix
     * @throws IdentityOAuth2Exception if the configured mappings are malformed
     */
    @Deprecated
    public static String getAccessTokenStoreTableFromUserId(String str) throws IdentityOAuth2Exception {
        final String defaultTable = "IDN_OAUTH2_ACCESS_TOKEN";
        if (str == null) {
            return defaultTable;
        }
        String[] parts = str.split(UserCoreConstants.DOMAIN_SEPARATOR);
        if (parts.length <= 1) {
            return defaultTable;
        }
        return getPartitionedTableByUserStore("IDN_OAUTH2_ACCESS_TOKEN", parts[0]);
    }

    /**
     * Picks the access-token table for a token by first extracting the user id from it.
     *
     * @param str Base64-encoded access token
     * @return table name to use
     * @throws IdentityOAuth2Exception declared by {@code getAccessTokenStoreTableFromUserId}
     */
    @Deprecated
    public static String getAccessTokenStoreTableFromAccessToken(String str) throws IdentityOAuth2Exception {
        final String userId = getUserIdFromAccessToken(str);
        return getAccessTokenStoreTableFromUserId(userId);
    }

    /**
     * Reads the user id from an access token whose Base64-decoded form is colon-separated.
     *
     * <p>The second segment is returned as-is; nothing in this method verifies that the token is
     * genuine, so the result is only as trustworthy as the token passed in.
     *
     * @param str Base64-encoded access token
     * @return the second colon-separated segment, or {@code null} when there is none
     */
    public static String getUserIdFromAccessToken(String str) {
        byte[] decodedBytes = Base64.decodeBase64(str.getBytes(Charsets.UTF_8));
        String[] segments = new String(decodedBytes, Charsets.UTF_8).split(":");
        return (segments != null && segments.length > 1) ? segments[1] : null;
    }

    /**
     * Returns the remaining access-token lifetime, provided the refresh token is also still usable.
     *
     * <p>The access-token value is returned only when it exceeds 1000 ms and the refresh token either
     * has more than 1000 ms left or is reported as non-expiring (negative). In every other case,
     * including a negative access-token value, the result is 0.
     *
     * @param accessTokenDO token to inspect
     * @return remaining milliseconds, or 0
     * @throws IllegalArgumentException when {@code accessTokenDO} is null
     */
    public static long getTokenExpireTimeMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        // Both values are computed up front, as before, so both helpers run on every call.
        final long accessRemaining = getAccessTokenExpireMillis(accessTokenDO);
        final long refreshRemaining = getRefreshTokenExpireTimeMillis(accessTokenDO);
        final boolean accessUsable = accessRemaining > 1000;
        final boolean refreshUsable = refreshRemaining > 1000 || refreshRemaining < 0;
        return (accessUsable && refreshUsable) ? accessRemaining : 0L;
    }

    /**
     * Computes how long the refresh token remains valid.
     *
     * @param accessTokenDO token to inspect
     * @return -1 when the configured validity period is negative (treated as infinite), the
     *         remaining milliseconds when more than 1000 ms are left, otherwise 0
     * @throws IllegalArgumentException when {@code accessTokenDO} is null
     */
    public static long getRefreshTokenExpireTimeMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        final long validityPeriod = accessTokenDO.getRefreshTokenValidityPeriodInMillis();
        if (validityPeriod < 0) {
            if (log.isDebugEnabled()) {
                log.debug("Refresh Token has infinite lifetime");
            }
            return -1L;
        }
        final long issuedAt = accessTokenDO.getRefreshTokenIssuedTime().getTime();
        final long remaining = getTimeToExpire(issuedAt, validityPeriod);
        // Anything at or below one second is reported as already expired.
        return remaining > 1000 ? remaining : 0L;
    }

    /**
     * Computes how long the access token remains valid.
     *
     * @param accessTokenDO token to inspect
     * @return -1 when the configured validity period is negative (treated as infinite), the
     *         remaining milliseconds when more than 1000 ms are left, otherwise 0
     * @throws IllegalArgumentException when {@code accessTokenDO} is null
     */
    public static long getAccessTokenExpireMillis(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            throw new IllegalArgumentException("accessTokenDO is 'NULL'");
        }
        final long validityPeriod = accessTokenDO.getValidityPeriodInMillis();
        if (validityPeriod < 0) {
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable("AccessToken")) {
                    // Only the SHA-256 digest of the token reaches the log, never the token itself.
                    log.debug("Access Token(hashed) : " + DigestUtils.sha256Hex(accessTokenDO.getAccessToken()) + " has infinite lifetime");
                } else {
                    log.debug("Access Token has infinite lifetime");
                }
            }
            return -1L;
        }
        final long remaining = getTimeToExpire(accessTokenDO.getIssuedTime().getTime(), validityPeriod);
        // Anything at or below one second is reported as already expired.
        return remaining > 1000 ? remaining : 0L;
    }

    /**
     * Deprecated alias of {@code getTimeToExpire}.
     *
     * @param j  issue time in epoch milliseconds
     * @param j2 validity period in milliseconds
     * @return the value computed by {@code getTimeToExpire(j, j2)}
     */
    @Deprecated
    public static long calculateValidityInMillis(long j, long j2) {
        final long remaining = getTimeToExpire(j, j2);
        return remaining;
    }

    /**
     * Returns the milliseconds left until {@code j + j2}, measured against the current time reduced
     * by the class-level {@code timestampSkew}. The result is negative once that instant has passed.
     *
     * @param j  issue time in epoch milliseconds
     * @param j2 validity period in milliseconds
     * @return remaining milliseconds, possibly negative
     */
    public static long getTimeToExpire(long j, long j2) {
        final long expiresAt = j + j2;
        final long skewedNow = System.currentTimeMillis() - timestampSkew;
        return expiresAt - skewedNow;
    }

    /**
     * Looks up the tenant id of a tenant domain through the realm service's tenant manager.
     *
     * @param str tenant domain
     * @return tenant id reported by the tenant manager
     * @throws IdentityOAuth2Exception wrapping any {@code UserStoreException} from the lookup
     */
    public static int getTenantId(String str) throws IdentityOAuth2Exception {
        final int tenantId;
        try {
            tenantId = OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager().getTenantId(str);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenant ID from tenant domain : " + str, (Throwable) e);
        }
        return tenantId;
    }

    /**
     * Looks up the tenant domain of a tenant id through the realm service's tenant manager.
     *
     * @param i tenant id
     * @return tenant domain reported by the tenant manager
     * @throws IdentityOAuth2Exception wrapping any {@code UserStoreException} from the lookup
     */
    public static String getTenantDomain(int i) throws IdentityOAuth2Exception {
        final String tenantDomain;
        try {
            tenantDomain = OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager().getDomain(i);
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenant domain from tenant ID : " + i, (Throwable) e);
        }
        return tenantDomain;
    }

    /**
     * Resolves the tenant id for a user name by extracting its tenant domain first.
     *
     * @param str user name, optionally tenant-qualified
     * @return tenant id of the user's tenant domain
     * @throws IdentityOAuth2Exception when the tenant id lookup fails
     */
    public static int getTenantIdFromUserName(String str) throws IdentityOAuth2Exception {
        final String tenantDomain = MultitenantUtils.getTenantDomain(str);
        return getTenantId(tenantDomain);
    }

    /**
     * Returns the MD5 hex digest of the scope string built from the given scopes.
     *
     * @param strArr scopes
     * @return hex-encoded MD5 of {@code buildScopeString(strArr)}
     */
    public static String hashScopes(String[] strArr) {
        // NOTE(review): MD5 is not collision-resistant. This looks like a compact lookup key rather
        // than a security control; confirm before relying on it for anything else.
        final String scopeString = buildScopeString(strArr);
        return DigestUtils.md5Hex(scopeString);
    }

    /**
     * Returns the MD5 hex digest of the normalised form of a scope string.
     *
     * @param str scope string, may be {@code null}
     * @return hex-encoded MD5 of the rebuilt scope string, or {@code null} when {@code str} is null
     */
    public static String hashScopes(String str) {
        if (str == null) {
            return null;
        }
        // The input is split and rebuilt before hashing, so the digest is taken over whatever
        // buildScopeString produces, not over the raw argument.
        final String normalised = buildScopeString(buildScopeArray(str));
        return DigestUtils.md5Hex(normalised);
    }

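    /**
     * Builds an {@code AuthenticatedUser} from a fully qualified user name.
     *
     * <p>The tenant domain, the user name without tenant and user store qualifiers, and the
     * upper-cased user store domain are extracted from {@code str}.
     *
     * @param str user name, optionally qualified with user store domain and tenant domain
     * @return the populated user
     * @throws IllegalArgumentException when {@code str} is blank
     */
    public static AuthenticatedUser getUserFromUserName(String str) throws IllegalArgumentException {
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("Cannot create user from empty user name");
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        String tenantAwareName = MultitenantUtils.getTenantAwareUsername(str);
        String bareUserName = UserCoreUtil.removeDomainFromName(tenantAwareName);
        // Upper-case with a fixed locale: the default-locale variant maps 'i' to a dotted capital
        // under Turkish-style locales, which would make the domain fail later identity comparisons.
        String userStoreDomain = IdentityUtil.extractDomainFromName(str).toUpperCase(java.util.Locale.ROOT);

        AuthenticatedUser authenticatedUser = new AuthenticatedUser();
        authenticatedUser.setUserName(bareUserName);
        authenticatedUser.setTenantDomain(tenantDomain);
        authenticatedUser.setUserStoreDomain(userStoreDomain);
        return authenticatedUser;
    }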

    /**
     * Returns the issuer identifier for ID tokens: the configured OpenID Connect issuer when it is
     * not blank, otherwise the OAuth2 token endpoint URL.
     *
     * @return issuer identifier
     */
    public static String getIDTokenIssuer() {
        final String configuredIssuer = OAuthServerConfiguration.getInstance().getOpenIDConnectIDTokenIssuerIdentifier();
        return StringUtils.isBlank(configuredIssuer) ? OAuthURL.getOAuth2TokenEPUrl() : configuredIssuer;
    }

    /**
     * Tells whether the requested scopes include {@code openid}, i.e. whether this is an OpenID
     * Connect request. The match is exact and case-sensitive.
     *
     * @param set requested scopes
     * @return {@code true} when {@code openid} is among them
     */
    public static boolean isOIDCAuthzRequest(Set<String> set) {
        final boolean hasOpenIdScope = set.contains("openid");
        return hasOpenIdScope;
    }

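    /**
     * Tells whether the requested scopes include {@code openid}, i.e. whether this is an OpenID
     * Connect request. The match is exact and case-sensitive.
     *
     * @param strArr requested scopes; may be {@code null} or contain {@code null} entries
     * @return {@code true} when {@code openid} is among them
     */
    public static boolean isOIDCAuthzRequest(String[] strArr) {
        if (strArr == null) {
            return false;
        }
        for (String scope : strArr) {
            // Constant-first comparison: a null entry in a caller-built scope array is simply
            // "not openid" instead of a NullPointerException.
            if ("openid".equals(scope)) {
                return true;
            }
        }
        return false;
    }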

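    /**
     * Checks a PKCE code verifier against the class-level verifier pattern and the 43..128 character
     * length bounds.
     *
     * @param str code verifier as received from the client; may be {@code null}
     * @return {@code true} when the value matches the pattern and the length bounds
     */
    public static boolean validatePKCECodeVerifier(String str) {
        // The value comes straight from the request. A missing parameter must read as "invalid"
        // rather than surface as a NullPointerException from the matcher.
        if (str == null) {
            return false;
        }
        final int length = str.length();
        return pkceCodeVerifierPattern.matcher(str).matches() && length >= 43 && length <= 128;
    }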

    /**
     * Checks the shape of a PKCE code challenge for the given challenge method.
     *
     * <p>For a missing method or {@code plain}, the challenge must satisfy the code-verifier rules.
     * For {@code S256}, only the trimmed length (exactly 43) is checked here; the character set is
     * not. Any other method is rejected.
     *
     * @param str  code challenge
     * @param str2 code challenge method, may be {@code null}
     * @return {@code true} when the challenge is acceptable for the method
     */
    public static boolean validatePKCECodeChallenge(String str, String str2) {
        if (str2 == null || "plain".equals(str2)) {
            return validatePKCECodeVerifier(str);
        }
        if (!"S256".equals(str2)) {
            return false;
        }
        return str != null && str.trim().length() == 43;
    }

    /**
     * Deprecated alias of {@code validatePKCE}.
     *
     * @param str        stored code challenge
     * @param str2       code verifier sent with the token request
     * @param str3       code challenge method
     * @param oAuthAppDO application the authorization code belongs to
     * @return the result of {@code validatePKCE}
     * @throws IdentityOAuth2Exception when {@code validatePKCE} rejects the request
     */
    @Deprecated
    public static boolean doPKCEValidation(String str, String str2, String str3, OAuthAppDO oAuthAppDO) throws IdentityOAuth2Exception {
        final boolean pkceValid = validatePKCE(str, str2, str3, oAuthAppDO);
        return pkceValid;
    }

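    /**
     * Validates a PKCE code verifier against the code challenge stored with the authorization code.
     *
     * <p>Outcome by case:
     * <ul>
     *   <li>PKCE not mandatory and no stored challenge: accepted without further checks.</li>
     *   <li>No verifier sent: rejected with an exception when PKCE is mandatory or a challenge is
     *       stored; accepted otherwise.</li>
     *   <li>Verifier not matching the verifier rules: exception.</li>
     *   <li>{@code plain}: allowed only when the application enables it; verifier must equal the
     *       challenge.</li>
     *   <li>{@code S256}: Base64URL(SHA-256(verifier)) must equal the challenge.</li>
     *   <li>Any other method: exception.</li>
     * </ul>
     *
     * @param str        stored code challenge, may be {@code null}
     * @param str2       code verifier sent with the token request, may be {@code null}
     * @param str3       code challenge method; blank is treated as {@code plain}
     * @param oAuthAppDO application the authorization code belongs to, may be {@code null}
     * @return {@code true} when the verifier is acceptable
     * @throws IdentityOAuth2Exception when the verifier is missing, malformed or uses a method
     *         the application does not allow
     */
    public static boolean validatePKCE(String str, String str2, String str3, OAuthAppDO oAuthAppDO) throws IdentityOAuth2Exception {
        // Read the application flag once, null-safely. The original dereferenced oAuthAppDO again
        // further down even though the first check explicitly allows it to be null.
        final boolean pkceMandatory = oAuthAppDO != null && oAuthAppDO.isPkceMandatory();
        if (!pkceMandatory && str == null) {
            return true;
        }
        if (str3 == null || str3.trim().length() == 0) {
            str3 = "plain";
        }
        if (str2 == null || str2.trim().length() == 0) {
            if (pkceMandatory) {
                throw new IdentityOAuth2Exception("No PKCE code verifier found.PKCE is mandatory for this oAuth 2.0 application.");
            }
            if (str == null || str.trim().length() == 0) {
                return true;
            }
            throw new IdentityOAuth2Exception("Empty PKCE code_verifier sent. This authorization code requires a PKCE verification to obtain an access token.");
        }
        if (!validatePKCECodeVerifier(str2)) {
            throw new IdentityOAuth2Exception("Code verifier used is not up to RFC 7636 specifications.");
        }
        if ("plain".equals(str3)) {
            // Fail closed when the application is unknown: 'plain' needs an explicit opt-in.
            if (oAuthAppDO != null && oAuthAppDO.isPkceSupportPlain()) {
                // str is null when PKCE is mandatory but no challenge was stored; that is a mismatch,
                // not a NullPointerException. The comparison is constant-time because, for 'plain',
                // the stored challenge is the secret itself.
                return str != null && MessageDigest.isEqual(
                        str.getBytes(StandardCharsets.UTF_8), str2.getBytes(StandardCharsets.UTF_8));
            }
            throw new IdentityOAuth2Exception("This application does not allow 'plain' transformation algorithm.");
        }
        if (!"S256".equals(str3)) {
            throw new IdentityOAuth2Exception("Invalid OAuth2 Token Response. Invalid PKCE Code Challenge Method '" + str3 + "'");
        }
        try {
            byte[] verifierDigest = MessageDigest.getInstance(SHA256).digest(str2.getBytes(StandardCharsets.US_ASCII));
            String computedChallenge = new String(Base64.encodeBase64URLSafe(verifierDigest), StandardCharsets.UTF_8).trim();
            return str != null && MessageDigest.isEqual(
                    computedChallenge.getBytes(StandardCharsets.UTF_8), str.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            // Without a digest the verifier cannot be checked, so the request is rejected.
            if (log.isDebugEnabled()) {
                log.debug("Failed to create SHA256 Message Digest.");
            }
            return false;
        }
    }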

    /**
     * Reports the PKCE flag held by {@code OAuth2ServiceComponentHolder}.
     *
     * @return {@code true} when the holder reports PKCE as enabled
     */
    @Deprecated
    public static boolean isPKCESupportEnabled() {
        final boolean pkceEnabled = OAuth2ServiceComponentHolder.isPkceEnabled();
        return pkceEnabled;
    }

    /**
     * Tells whether a response type belongs to the implicit flow: the ID-token response type,
     * {@code token}, or {@code id_token token}. Matching is exact.
     *
     * @param str response type, may be {@code null}
     * @return {@code true} for an implicit-flow response type
     */
    public static boolean isImplicitResponseType(String str) {
        if (StringUtils.isNotBlank(str) && OIDCConstants.ID_TOKEN.equals(str)) {
            return true;
        }
        return "token".equals(str) || "id_token token".equals(str);
    }

    /**
     * Tells whether a response type belongs to the hybrid flow: {@code code token},
     * {@code code id_token} or {@code code id_token token}. Matching is exact, so the same values in
     * a different order are not recognised.
     *
     * @param str response type, may be {@code null}
     * @return {@code true} for a hybrid-flow response type
     */
    public static boolean isHybridResponseType(String str) {
        if (StringUtils.isNotBlank(str) && "code token".equals(str)) {
            return true;
        }
        return "code id_token".equals(str) || "code id_token token".equals(str);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r6v0, types: [java.lang.Throwable, org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception] */
    /**
     * Stores the scopes read from the OIDC scope configuration file for the given tenant.
     * A failure is logged and not propagated.
     *
     * @param i tenant id
     */
    public static void initiateOIDCScopes(int i) {
        final int tenantId = i;
        try {
            OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO().addScopes(tenantId, loadScopeConfigFile());
        } catch (IdentityOAuth2Exception e) {
            // Best effort: the caller is not told that the scopes were not stored.
            log.error(e.getMessage(), e);
        }
    }

    /**
     * Returns the names of the OIDC scopes stored for a tenant.
     *
     * @param str tenant domain
     * @return scope names; empty when none are stored or when the lookup fails (the failure is
     *         logged, not propagated)
     */
    public static List<String> getOIDCScopes(String str) {
        List<String> scopeNames = new ArrayList<>();
        try {
            List<ScopeDTO> scopes = OAuthTokenPersistenceFactory.getInstance().getScopeClaimMappingDAO().getScopes(OAuthComponentServiceHolder.getInstance().getRealmService().getTenantManager().getTenantId(str));
            if (CollectionUtils.isNotEmpty(scopes)) {
                for (ScopeDTO scope : scopes) {
                    scopeNames.add(scope.getName());
                }
            }
        } catch (UserStoreException | IdentityOAuth2Exception e) {
            // Callers cannot tell "no scopes" from "lookup failed": both return an empty list.
            log.error("Error while retrieving OIDC scopes.", e);
        }
        return scopeNames;
    }

    /**
     * Loads the access-token data object for a token identifier, passing {@code false} as the
     * second argument of {@code getAccessTokenDOFromTokenIdentifier}.
     *
     * @param str access token identifier
     * @return the token data object
     * @throws IdentityOAuth2Exception declared by the two-argument overload
     */
    public static AccessTokenDO getAccessTokenDOfromTokenIdentifier(String str) throws IdentityOAuth2Exception {
        final boolean includeExpired = false;
        return getAccessTokenDOFromTokenIdentifier(str, includeExpired);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [org.wso2.carbon.identity.oauth.cache.OAuthCache] */
    /* JADX WARN: Type inference failed for: r2v1, types: [java.io.Serializable] */
    /**
     * Loads the access-token data object for a token identifier, from the OAuth cache when present
     * and from the access-token DAO otherwise.
     *
     * <p>A token loaded from the DAO is written back to the cache only when {@code isHashDisabled()}
     * is true. The cache key is built from the token identifier as passed in.
     *
     * @param str access token identifier
     * @param z   forwarded to the DAO lookup (presumably "include expired" — confirm against the DAO)
     * @return the token data object, never {@code null}
     * @throws IdentityOAuth2Exception  declared by the persistence calls
     * @throws IllegalArgumentException when neither the cache nor the DAO yields a token
     */
    public static AccessTokenDO getAccessTokenDOFromTokenIdentifier(String str, boolean z) throws IdentityOAuth2Exception {
        // The processed identifier is not used below; the call is kept because it was made before.
        getPersistenceProcessor().getProcessedAccessTokenIdentifier(str);
        OAuthCacheKey cacheKey = new OAuthCacheKey(str);
        CacheEntry cached = (CacheEntry) OAuthCache.getInstance().getValueFromCache(cacheKey);
        // instanceof is false for null, so this also covers a cache miss.
        final boolean cacheHit = cached instanceof AccessTokenDO;
        AccessTokenDO tokenDO = cacheHit
                ? (AccessTokenDO) cached
                : OAuthTokenPersistenceFactory.getInstance().getAccessTokenDAO().getAccessToken(str, z);
        if (tokenDO == null) {
            throw new IllegalArgumentException("Invalid Access Token. Access token is not ACTIVE.");
        }
        // Non-short-circuit '&' retained so isHashDisabled() is evaluated on every call, as before.
        if ((!cacheHit) & isHashDisabled()) {
            OAuthCache.getInstance().addToCache(cacheKey, tokenDO);
            if (log.isDebugEnabled()) {
                log.debug("Access Token Info object was added back to the cache.");
            }
        }
        return tokenDO;
    }

    /**
     * Returns the consumer key (client id) the access token was issued to.
     *
     * @param str access token identifier
     * @return consumer key of the token
     * @throws IdentityOAuth2Exception  declared by the token lookup
     * @throws IllegalArgumentException when the token lookup finds no token
     */
    public static String getClientIdForAccessToken(String str) throws IdentityOAuth2Exception {
        final AccessTokenDO tokenDO = getAccessTokenDOfromTokenIdentifier(str);
        return tokenDO.getConsumerKey();
    }

    /**
     * Creates the registry resource that holds per-service-provider token expiry settings for a
     * tenant when it does not exist yet. A registry failure is logged and not propagated.
     *
     * @param i tenant id
     */
    @Deprecated
    public static void initTokenExpiryTimesOfSps(int i) {
        final String resourcePath = "/identity/config/spTokenExpireTime";
        try {
            UserRegistry registry = OAuth2ServiceComponentHolder.getRegistryService().getConfigSystemRegistry(i);
            boolean alreadyPresent = registry.resourceExists(resourcePath);
            if (!alreadyPresent) {
                registry.put(resourcePath, registry.newResource());
            }
        } catch (RegistryException e) {
            log.error("Error while creating registry collection for :" + resourcePath, e);
        }
    }

    /**
     * Reads the per-service-provider token expiry settings stored in the tenant's config registry.
     *
     * <p>The settings live as a JSON string in a property of {@code /identity/config/spTokenExpireTime}
     * keyed by the consumer key. For each of the three expiry values (user access token, application
     * access token, refresh token) the JSON value is used when present and non-null, otherwise the
     * server-wide validity period (seconds, converted to milliseconds) is applied.
     *
     * <p>Registry and tenant lookup failures are logged and not propagated; the configuration object
     * is returned with whatever fields were set before the failure. A value that is not a valid
     * {@code long} is logged and leaves the corresponding field unset.
     *
     * @param str consumer key of the service provider
     * @param i   tenant id
     * @return the expiry configuration, never {@code null}; fields stay unset when the registry
     *         resource is missing or holds no JSON for the consumer key
     */
    @Deprecated
    public static SpOAuth2ExpiryTimeConfiguration getSpTokenExpiryTimeConfig(String str, int i) {
        SpOAuth2ExpiryTimeConfiguration spOAuth2ExpiryTimeConfiguration = new SpOAuth2ExpiryTimeConfiguration();
        try {
            if (log.isDebugEnabled()) {
                log.debug("SP wise token expiry time feature is applied for tenant id : " + i + "and consumer key : " + str);
            }
            IdentityTenantUtil.initializeRegistry(i, getTenantDomain(i));
            Registry configRegistry = IdentityTenantUtil.getConfigRegistry(i);
            if (configRegistry.resourceExists("/identity/config/spTokenExpireTime")) {
                // Default to an empty JSON object so a missing property falls through without setting anything.
                String str2 = "{}";
                Object obj = configRegistry.get("/identity/config/spTokenExpireTime").getProperties().get(str);
                if ((obj instanceof List) && !((List) obj).isEmpty()) {
                    // Only the first value of the property is considered.
                    str2 = ((List) obj).get(0).toString();
                }
                JSONObject jSONObject = new JSONObject(str2);
                if (jSONObject.length() > 0) {
                    // User access token: explicit value if present, else the server default.
                    if (!jSONObject.has(USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS) || jSONObject.isNull(USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS)) {
                        spOAuth2ExpiryTimeConfiguration.setUserAccessTokenExpiryTime(Long.valueOf(OAuthServerConfiguration.getInstance().getUserAccessTokenValidityPeriodInSeconds() * 1000));
                    } else {
                        try {
                            spOAuth2ExpiryTimeConfiguration.setUserAccessTokenExpiryTime(Long.valueOf(Long.parseLong(jSONObject.get(USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString())));
                            if (log.isDebugEnabled()) {
                                log.debug("The user access token expiry time :" + jSONObject.get(USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString() + "  for application id : " + str);
                            }
                        } catch (NumberFormatException e) {
                            // NOTE(review): the parsed value is not range-checked here; negative or very
                            // large lifetimes are accepted as given.
                            log.error(String.format("Invalid value provided as user access token expiry time for consumer key %s, tenant id : %d. Given value: %s, Expected a long value", str, Integer.valueOf(i), jSONObject.get(USER_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString()), e);
                        }
                    }
                    // Application access token: same rule.
                    if (!jSONObject.has(APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS) || jSONObject.isNull(APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS)) {
                        spOAuth2ExpiryTimeConfiguration.setApplicationAccessTokenExpiryTime(Long.valueOf(OAuthServerConfiguration.getInstance().getApplicationAccessTokenValidityPeriodInSeconds() * 1000));
                    } else {
                        try {
                            spOAuth2ExpiryTimeConfiguration.setApplicationAccessTokenExpiryTime(Long.valueOf(Long.parseLong(jSONObject.get(APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString())));
                            if (log.isDebugEnabled()) {
                                log.debug("The application access token expiry time :" + jSONObject.get(APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString() + "  for application id : " + str);
                            }
                        } catch (NumberFormatException e2) {
                            log.error(String.format("Invalid value provided as application access token expiry time for consumer key %s, tenant id : %d. Given value: %s, Expected a long value ", str, Integer.valueOf(i), jSONObject.get(APPLICATION_ACCESS_TOKEN_EXP_TIME_IN_MILLISECONDS).toString()), e2);
                        }
                    }
                    // Refresh token: same rule.
                    if (!jSONObject.has(REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS) || jSONObject.isNull(REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS)) {
                        spOAuth2ExpiryTimeConfiguration.setRefreshTokenExpiryTime(Long.valueOf(OAuthServerConfiguration.getInstance().getRefreshTokenValidityPeriodInSeconds() * 1000));
                    } else {
                        try {
                            spOAuth2ExpiryTimeConfiguration.setRefreshTokenExpiryTime(Long.valueOf(Long.parseLong(jSONObject.get(REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS).toString())));
                            if (log.isDebugEnabled()) {
                                log.debug("The refresh token expiry time :" + jSONObject.get(REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS).toString() + " for application id : " + str);
                            }
                        } catch (NumberFormatException e3) {
                            log.error(String.format("Invalid value provided as refresh token expiry time for consumer key %s, tenant id : %d. Given value: %s, Expected a long value", str, Integer.valueOf(i), jSONObject.get(REFRESH_TOKEN_EXP_TIME_IN_MILLISECONDS).toString()), e3);
                        }
                    }
                }
            }
        } catch (IdentityException e4) {
            log.error("Error while getting the tenant domain from tenant id : " + i, e4);
        } catch (RegistryException e5) {
            log.error("Error while getting data from the registry.", e5);
        }
        return spOAuth2ExpiryTimeConfiguration;
    }

    /**
     * Builds the ID-token audience list with the client id in first position.
     *
     * <p>The configured custom audiences are taken as the base list. When the client id is already
     * among them it is swapped to index 0, otherwise it is inserted at index 0.
     *
     * @param str        client id
     * @param oAuthAppDO application whose audiences are read
     * @return audience list starting with {@code str}
     */
    public static List<String> getOIDCAudience(String str, OAuthAppDO oAuthAppDO) {
        List<String> audiences = getDefinedCustomOIDCAudiences(oAuthAppDO);
        if (!audiences.contains(str)) {
            audiences.add(0, str);
            return audiences;
        }
        Collections.swap(audiences, audiences.indexOf(str), 0);
        return audiences;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Collects the custom ID-token audiences for an application.
     *
     * <p>When the audience feature is enabled and the application defines audiences, those are
     * returned. Otherwise the audiences configured under {@code <OAuth>/<OpenIDConnect>} in
     * identity.xml are appended to the list, after URL placeholder substitution, skipping blank
     * entries. A missing configuration element is logged as a warning and ends the lookup.
     *
     * @param oAuthAppDO application whose audiences are read
     * @return a mutable list of audiences, possibly empty
     */
    private static List<String> getDefinedCustomOIDCAudiences(OAuthAppDO oAuthAppDO) {
        final String carbonNs = "http://wso2.org/projects/carbon/carbon.xml";
        List<String> audiences = new ArrayList<>();
        if (OAuth2ServiceComponentHolder.isAudienceEnabled()) {
            audiences = getAudienceListFromOAuthAppDO(oAuthAppDO);
            if (CollectionUtils.isNotEmpty(audiences)) {
                if (log.isDebugEnabled()) {
                    log.debug("OIDC Audiences " + audiences + " had been retrieved for the client_id: " + oAuthAppDO.getOauthConsumerKey());
                }
                return audiences;
            }
        }

        OMElement oauthElem = IdentityConfigParser.getInstance().getConfigElement(CONFIG_ELEM_OAUTH);
        if (oauthElem == null) {
            log.warn("Error in OAuth Configuration: <OAuth> configuration element is not available in identity.xml.");
            return audiences;
        }
        OMElement oidcElem = oauthElem.getFirstChildWithName(new QName(carbonNs, "OpenIDConnect"));
        if (oidcElem == null) {
            log.warn("Error in OAuth Configuration: <OpenIDConnect> element is not available in identity.xml.");
            return audiences;
        }
        OMElement audiencesElem = oidcElem.getFirstChildWithName(new QName(carbonNs, OPENID_CONNECT_AUDIENCES));
        if (audiencesElem == null) {
            return audiences;
        }

        Iterator<?> audienceElems = audiencesElem.getChildrenWithName(new QName(carbonNs, OPENID_CONNECT_AUDIENCE_IDENTITY_CONFIG));
        while (audienceElems.hasNext()) {
            OMElement audienceElem = (OMElement) audienceElems.next();
            if (audienceElem == null) {
                continue;
            }
            String audience = IdentityUtil.fillURLPlaceholders(audienceElem.getText());
            if (StringUtils.isNotBlank(audience)) {
                audiences.add(audience);
            }
        }
        return audiences;
    }

    /**
     * Copies the application's audiences into a new mutable list.
     *
     * @param oAuthAppDO application to read
     * @return a fresh list holding the audiences, empty when the application defines none
     */
    private static List<String> getAudienceListFromOAuthAppDO(OAuthAppDO oAuthAppDO) {
        if (oAuthAppDO.getAudiences() == null) {
            return new ArrayList<>();
        }
        // Copy so callers can reorder or extend the list without touching the application object.
        return new ArrayList<>(Arrays.asList(oAuthAppDO.getAudiences()));
    }

    /**
     * Resolves the token issuer for the application registered under a client id.
     *
     * @param str client id
     * @return the token issuer for the application
     * @throws IdentityOAuth2Exception     when the lookup or issuer resolution fails; the original
     *                                     exception is kept as the cause
     * @throws InvalidOAuthClientException declared by the application lookup
     */
    public static OauthTokenIssuer getOAuthTokenIssuerForOAuthApp(String str) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        final OauthTokenIssuer issuer;
        try {
            issuer = getOAuthTokenIssuerForOAuthApp(getAppInformationByClientId(str));
        } catch (IdentityOAuth2Exception e) {
            throw new IdentityOAuth2Exception("Error while retrieving app information for clientId: " + str, (Throwable) e);
        }
        return issuer;
    }

    /**
     * Resolves the token issuer for an application.
     *
     * <p>When the application declares a token type, the issuer registered for that type is used and
     * the default identity token issuer is the fallback when none is found. Without a token type
     * the default issuer is returned directly.
     *
     * @param oAuthAppDO application to resolve the issuer for
     * @return the token issuer
     * @throws IdentityOAuth2Exception declared by the server configuration lookup
     */
    public static OauthTokenIssuer getOAuthTokenIssuerForOAuthApp(OAuthAppDO oAuthAppDO) throws IdentityOAuth2Exception {
        if (oAuthAppDO.getTokenType() == null) {
            OauthTokenIssuer defaultIssuer = OAuthServerConfiguration.getInstance().getIdentityOauthTokenIssuer();
            if (log.isDebugEnabled()) {
                log.debug("Token type is not set for service provider app with client Id: " + oAuthAppDO.getOauthConsumerKey() + ". Hence the default Identity OAuth token issuer will be used. No custom token generator is set.");
            }
            return defaultIssuer;
        }
        OauthTokenIssuer typedIssuer = OAuthServerConfiguration.getInstance().addAndReturnTokenIssuerInstance(oAuthAppDO.getTokenType());
        if (typedIssuer != null) {
            return typedIssuer;
        }
        return OAuthServerConfiguration.getInstance().getIdentityOauthTokenIssuer();
    }

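    /**
     * Reads the scope-to-claim mappings from {@code oidc-scope-config.xml} in the Carbon identity
     * configuration directory.
     *
     * <p>Each child of the document element becomes one scope whose name and display name are the
     * element's {@code id} attribute. A missing file, an unreadable file or malformed XML is logged
     * as a warning; the scopes read up to that point (possibly none) are returned.
     *
     * @return the scopes read from the file, never {@code null}
     */
    private static List<ScopeDTO> loadScopeConfigFile() {
        List<ScopeDTO> scopes = new ArrayList<>();
        String path = Paths.get(CarbonUtils.getCarbonConfigDirPath(), IDENTITY_PATH, "oidc-scope-config.xml").toString();
        File file = new File(path);
        if (!file.exists()) {
            // Nothing to parse. Previously the code went on to open the missing file and then logged
            // a second, misleading warning about an "email config".
            log.warn("OIDC scope-claim Configuration File is not present at: " + path);
            return scopes;
        }
        // try-with-resources closes the stream on every path, including when closing the XML reader
        // itself fails (the hand-written cleanup skipped the stream in that case).
        try (FileInputStream fileInputStream = new FileInputStream(file)) {
            // NOTE(review): the factory runs with its default settings. The file is server-side
            // configuration, but if it can ever be written by a less-trusted party, confirm that
            // DTD processing and external entities are disabled for this parser.
            XMLStreamReader xmlReader = XMLInputFactory.newInstance().createXMLStreamReader(fileInputStream);
            try {
                Iterator<?> scopeElements = new StAXOMBuilder(xmlReader).getDocumentElement().getChildElements();
                while (scopeElements.hasNext()) {
                    OMElement scopeElement = (OMElement) scopeElements.next();
                    String scopeId = scopeElement.getAttributeValue(new QName("id"));
                    ScopeDTO scopeDTO = new ScopeDTO();
                    scopeDTO.setName(scopeId);
                    scopeDTO.setDisplayName(scopeId);
                    scopeDTO.setClaim(loadClaimConfig(scopeElement));
                    scopes.add(scopeDTO);
                }
            } finally {
                // XMLStreamReader is not AutoCloseable; close it before the underlying stream.
                try {
                    xmlReader.close();
                } catch (XMLStreamException e) {
                    log.error("Error while closing XML stream", e);
                }
            }
        } catch (XMLStreamException e) {
            log.warn("Error while loading scope config.", e);
        } catch (IOException e) {
            log.warn("Error while reading OIDC scope config file: " + path, e);
        }
        return scopes;
    }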

    /**
     * Reads the comma-separated claim list of a scope element.
     *
     * <p>The trimmed text of every non-blank {@code Claim} child is appended to one buffer, with no
     * separator between children, and the buffer is then split on commas. With no claim text at all
     * the result is a one-element array holding the empty string.
     *
     * @param oMElement scope element
     * @return claim names as split from the collected text
     */
    private static String[] loadClaimConfig(OMElement oMElement) {
        StringBuilder claimText = new StringBuilder();
        for (Iterator<?> children = oMElement.getChildElements(); children.hasNext(); ) {
            OMElement child = (OMElement) children.next();
            if (!"Claim".equals(child.getLocalName())) {
                continue;
            }
            String text = child.getText();
            if (StringUtils.isNotBlank(text)) {
                claimText.append(text.trim());
            }
        }
        return claimText.toString().split(",");
    }

    /**
     * Loads the application registered under a client id, from the application cache when present
     * and from the DAO otherwise. A DAO result is added to the cache when it is not {@code null}.
     *
     * @param str client id
     * @return the application, as returned by the cache or the DAO
     * @throws IdentityOAuth2Exception     declared by the DAO lookup
     * @throws InvalidOAuthClientException declared by the DAO lookup
     */
    public static OAuthAppDO getAppInformationByClientId(String str) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        OAuthAppDO cachedApp = (OAuthAppDO) AppInfoCache.getInstance().getValueFromCache(str);
        if (cachedApp == null) {
            OAuthAppDO loadedApp = new OAuthAppDAO().getAppInformation(str);
            if (loadedApp != null) {
                AppInfoCache.getInstance().addToCache(str, loadedApp);
            }
            return loadedApp;
        }
        return cachedApp;
    }

    /**
     * Returns the tenant domain of the user who owns the application.
     *
     * @param oAuthAppDO application, may be {@code null}
     * @return the owner's tenant domain, or {@code carbon.super} when the application or its owner
     *         is missing
     */
    public static String getTenantDomainOfOauthApp(OAuthAppDO oAuthAppDO) {
        if (oAuthAppDO == null || oAuthAppDO.getUser() == null) {
            // Falling back to the super tenant means a missing owner is treated as super-tenant owned.
            return "carbon.super";
        }
        return oAuthAppDO.getUser().getTenantDomain();
    }

    /**
     * Returns the tenant domain of the application registered under a client id.
     *
     * @param str client id
     * @return tenant domain of the application's owner, or {@code carbon.super} when unknown
     * @throws IdentityOAuth2Exception     declared by the application lookup
     * @throws InvalidOAuthClientException declared by the application lookup
     */
    public static String getTenantDomainOfOauthApp(String str) throws IdentityOAuth2Exception, InvalidOAuthClientException {
        final OAuthAppDO app = getAppInformationByClientId(str);
        return getTenantDomainOfOauthApp(app);
    }

    /**
     * Maps a configured signature algorithm name to the name of the matching JWS algorithm.
     *
     * @param str configured signature algorithm
     * @return JWS algorithm name
     * @throws IdentityOAuth2Exception when the algorithm is not supported
     */
    @Deprecated
    public static String mapSignatureAlgorithm(String str) throws IdentityOAuth2Exception {
        final JWSAlgorithm jwsAlgorithm = mapSignatureAlgorithmForJWSAlgorithm(str);
        return jwsAlgorithm.getName();
    }

    /**
     * Parses a JWE algorithm name and accepts it only when the parsed algorithm carries a
     * requirement level.
     *
     * @param str JWE algorithm name
     * @return the parsed algorithm
     * @throws IdentityOAuth2Exception when the parsed algorithm has no requirement level
     */
    public static JWEAlgorithm mapEncryptionAlgorithmForJWEAlgorithm(String str) throws IdentityOAuth2Exception {
        final JWEAlgorithm algorithm = JWEAlgorithm.parse(str);
        if (algorithm.getRequirement() == null) {
            throw new IdentityOAuth2Exception("Unsupported Encryption Algorithm: " + str);
        }
        return algorithm;
    }

    /**
     * Parses a JWE encryption method name and accepts it only when the parsed method carries a
     * requirement level.
     *
     * @param str encryption method name
     * @return the parsed encryption method
     * @throws IdentityOAuth2Exception when the parsed method has no requirement level
     */
    public static EncryptionMethod mapEncryptionMethodForJWEAlgorithm(String str) throws IdentityOAuth2Exception {
        final EncryptionMethod method = EncryptionMethod.parse(str);
        if (method.getRequirement() == null) {
            log.error("Unsupported Encryption Method in identity.xml");
            throw new IdentityOAuth2Exception("Unsupported Encryption Method: " + str);
        }
        return method;
    }

    /**
     * Maps a configured signature algorithm name to the matching JWS algorithm.
     *
     * <p>The {@code NONE} value is matched case-insensitively and yields the JWS {@code none}
     * algorithm, i.e. tokens without a signature; every other name is matched exactly.
     *
     * @param str configured signature algorithm
     * @return the JWS algorithm
     * @throws IdentityOAuth2Exception when the name is not one of the supported values
     */
    public static JWSAlgorithm mapSignatureAlgorithmForJWSAlgorithm(String str) throws IdentityOAuth2Exception {
        JWSAlgorithm mapped = null;
        if (NONE.equalsIgnoreCase(str)) {
            // Unsigned tokens: integrity then rests entirely on the channel the token travels over.
            mapped = new JWSAlgorithm(JWSAlgorithm.NONE.getName());
        } else if (SHA256_WITH_RSA.equals(str)) {
            mapped = JWSAlgorithm.RS256;
        } else if (SHA384_WITH_RSA.equals(str)) {
            mapped = JWSAlgorithm.RS384;
        } else if (SHA512_WITH_RSA.equals(str)) {
            mapped = JWSAlgorithm.RS512;
        } else if (SHA256_WITH_HMAC.equals(str)) {
            mapped = JWSAlgorithm.HS256;
        } else if (SHA384_WITH_HMAC.equals(str)) {
            mapped = JWSAlgorithm.HS384;
        } else if (SHA512_WITH_HMAC.equals(str)) {
            mapped = JWSAlgorithm.HS512;
        } else if (SHA256_WITH_EC.equals(str)) {
            mapped = JWSAlgorithm.ES256;
        } else if (SHA384_WITH_EC.equals(str)) {
            mapped = JWSAlgorithm.ES384;
        } else if (SHA512_WITH_EC.equals(str)) {
            mapped = JWSAlgorithm.ES512;
        } else if (SHA256_WITH_PS.equals(str)) {
            mapped = JWSAlgorithm.PS256;
        }
        if (mapped == null) {
            log.error("Unsupported Signature Algorithm in identity.xml");
            throw new IdentityOAuth2Exception("Unsupported Signature Algorithm in identity.xml");
        }
        return mapped;
    }

    /**
     * Reads the flag that enables custom OpenID Connect audiences from the OAuth configuration.
     *
     * @return the parsed flag; {@code false} when the OAuth or OpenIDConnect element is missing
     *         (a warning is logged) or when the flag element is missing or blank
     */
    public static boolean checkAudienceEnabled() {
        final String carbonNs = "http://wso2.org/projects/carbon/carbon.xml";
        OMElement oauthElem = IdentityConfigParser.getInstance().getConfigElement(CONFIG_ELEM_OAUTH);
        if (oauthElem == null) {
            log.warn("Error in OAuth Configuration. OAuth element is not available.");
            return false;
        }
        OMElement oidcElem = oauthElem.getFirstChildWithName(new QName(carbonNs, "OpenIDConnect"));
        if (oidcElem == null) {
            log.warn("Error in OAuth Configuration. OpenID element is not available.");
            return false;
        }
        OMElement flagElem = oidcElem.getFirstChildWithName(new QName(carbonNs, ENABLE_OPENID_CONNECT_AUDIENCES));
        if (flagElem == null) {
            return false;
        }
        String flagText = flagElem.getText();
        // Boolean.parseBoolean is true only for "true" (any case); every other value disables it.
        return StringUtils.isNotBlank(flagText) && Boolean.parseBoolean(flagText);
    }

    /**
     * Builds the user store domain label for a federated user.
     *
     * @param str identity provider name, may be blank
     * @return {@code FEDERATED:<name>} when a name is given, otherwise {@code FEDERATED}
     */
    public static String getFederatedUserDomain(String str) {
        if (IdentityUtil.isNotBlank(str)) {
            return "FEDERATED:" + str;
        }
        return "FEDERATED";
    }

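    /**
     * Verifies the RSA signature of a serialized ID token.
     *
     * <p>The verification key is chosen by tenant: the tenant of the application named by the first
     * audience value when tokens are signed with the service provider's key, otherwise the tenant
     * of the subject. The super tenant uses the default public key; other tenants use the
     * certificate stored under the tenant domain in the tenant key store.
     *
     * <p>Only the signature is checked. Expiry, issuer and audience claims are not evaluated here,
     * and the claims used to pick the key are read before the signature has been verified, so a
     * {@code true} result means "signed by the key of the tenant the token names", nothing more.
     *
     * @param str serialized signed JWT
     * @return {@code true} when the signature verifies; {@code false} on any failure, including a
     *         token that cannot be parsed or a tenant that cannot be resolved
     */
    public static boolean validateIdToken(String str) {
        try {
            // Parse once and reuse; the token was previously parsed up to three times.
            SignedJWT signedJWT = SignedJWT.parse(str);
            JWTClaimsSet claims = signedJWT.getJWTClaimsSet();

            String tenantDomain;
            if (OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey()) {
                List<String> audience = claims.getAudience();
                if (audience == null || audience.isEmpty()) {
                    // Without an audience there is no application to take the key from.
                    if (log.isDebugEnabled()) {
                        log.debug("Id token carries no audience; signature cannot be validated.");
                    }
                    return false;
                }
                tenantDomain = getTenantDomainOfOauthApp(getAppInformationByClientId(audience.get(0)));
            } else {
                tenantDomain = MultitenantUtils.getTenantDomain(claims.getSubject());
            }
            if (StringUtils.isEmpty(tenantDomain)) {
                return false;
            }

            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(IdentityTenantUtil.getTenantId(tenantDomain));
            RSAPublicKey publicKey;
            if ("carbon.super".equals(tenantDomain)) {
                publicKey = (RSAPublicKey) keyStoreManager.getDefaultPublicKey();
            } else {
                String keyStoreName = tenantDomain.trim().replace(".", org.wso2.carbon.identity.openidconnect.model.Constants.DASH_DELIMITER)
                        + org.wso2.carbon.identity.openidconnect.model.Constants.KEYSTORE_FILE_EXTENSION;
                publicKey = (RSAPublicKey) keyStoreManager.getKeyStore(keyStoreName).getCertificate(tenantDomain).getPublicKey();
            }
            return signedJWT.verify(new RSASSAVerifier(publicKey));
        } catch (Exception e) {
            // Any failure means "not valid". The error line stays free of token content; the cause
            // is available at debug level for diagnosis.
            log.error("Error occurred while validating id token signature.");
            if (log.isDebugEnabled()) {
                log.debug("Id token signature validation failed.", e);
            }
            return false;
        }
    }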

    /**
     * Maps a JWS signature algorithm to the digest-name constant of matching strength.
     *
     * <p>RS256/HS256/ES256/PS256 map to {@code SHA256}, RS384/HS384/ES384 to {@code SHA384} and
     * RS512/HS512/ES512 to {@code SHA512}. PS384 and PS512 are not mapped and take the failure
     * path, as does {@code null}.
     *
     * @param algorithm signature algorithm to map
     * @return the matching digest-name constant
     * @throws RuntimeException if the algorithm is not one of those listed; this is unchecked,
     *         so callers that only catch {@code IdentityOAuth2Exception} will not see it
     * @throws IdentityOAuth2Exception declared, but not thrown by this body
     */
    public static String mapDigestAlgorithm(Algorithm algorithm) throws IdentityOAuth2Exception {
        boolean uses256 = JWSAlgorithm.RS256.equals(algorithm)
                || JWSAlgorithm.HS256.equals(algorithm)
                || JWSAlgorithm.ES256.equals(algorithm)
                || JWSAlgorithm.PS256.equals(algorithm);
        if (uses256) {
            return SHA256;
        }
        boolean uses384 = JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.HS384.equals(algorithm)
                || JWSAlgorithm.ES384.equals(algorithm);
        if (uses384) {
            return SHA384;
        }
        boolean uses512 = JWSAlgorithm.RS512.equals(algorithm)
                || JWSAlgorithm.HS512.equals(algorithm)
                || JWSAlgorithm.ES512.equals(algorithm);
        if (uses512) {
            return SHA512;
        }
        throw new RuntimeException("Provided signature algorithm: " + algorithm + " is not supported");
    }

    /**
     * Encrypts a claims set into a JWE for the given client, delegating to the RSA path.
     *
     * @param jWTClaimsSet claims to encrypt
     * @param jWEAlgorithm key-management algorithm; only those accepted by
     *        {@code isRSAAlgorithm} are supported
     * @param encryptionMethod content-encryption method
     * @param str tenant domain of the service provider
     * @param str2 client id of the service provider
     * @return the encrypted JWT
     * @throws RuntimeException (unchecked) if the algorithm is not an accepted RSA algorithm
     * @throws IdentityOAuth2Exception if the RSA encryption path fails
     */
    public static JWT encryptJWT(JWTClaimsSet jWTClaimsSet, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str, String str2) throws IdentityOAuth2Exception {
        if (!isRSAAlgorithm(jWEAlgorithm)) {
            throw new RuntimeException("Provided encryption algorithm: " + jWEAlgorithm + " is not supported");
        }
        return encryptWithRSA(jWTClaimsSet, jWEAlgorithm, encryptionMethod, str, str2);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v20, types: [java.security.cert.Certificate] */
    /**
     * Resolves the client's public certificate and encrypts the claims set with it.
     *
     * <p>If a JWKS URI is configured for the service provider the certificate is taken from
     * there; otherwise the certificate stored on the service provider is used. The thumbprint of
     * the chosen certificate is passed on and ends up as the JWE key id.
     *
     * <p>NOTE(review): the decompiler reported a type-inference failure for the certificate
     * local; {@code getX509CertOfOAuthApp} is declared to return {@code Certificate}, so the
     * {@code X509Certificate} declaration below may not match the original source.
     *
     * @param jWTClaimsSet claims to encrypt
     * @param jWEAlgorithm RSA key-management algorithm
     * @param encryptionMethod content-encryption method
     * @param str tenant domain; a blank value is replaced with {@code "carbon.super"}
     * @param str2 client id of the service provider
     * @return the encrypted JWT
     * @throws IdentityOAuth2Exception if the certificate or its thumbprint cannot be obtained,
     *         or encryption fails
     */
    private static JWT encryptWithRSA(JWTClaimsSet jWTClaimsSet, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str, String str2) throws IdentityOAuth2Exception {
        String tenantDomain = str;
        if (StringUtils.isBlank(tenantDomain)) {
            tenantDomain = "carbon.super";
            if (log.isDebugEnabled()) {
                log.debug("Assigned super tenant domain as signing domain when encrypting id token for client_id: " + str2);
            }
        }

        X509Certificate encryptionCert;
        String keyId;
        String jwksUri = getSPJwksUrl(str2, tenantDomain);
        if (!StringUtils.isBlank(jwksUri)) {
            if (log.isDebugEnabled()) {
                log.debug(String.format("Fetching public keys for the client %s from jwks uri %s", str2, jwksUri));
            }
            encryptionCert = getPublicCertFromJWKS(jwksUri);
            keyId = getJwkThumbPrint(encryptionCert);
        } else {
            if (log.isDebugEnabled()) {
                log.debug(String.format("Jwks uri is not configured for the service provider associated with client_id: %s. Checking for x509 certificate", str2));
            }
            encryptionCert = getX509CertOfOAuthApp(str2, tenantDomain);
            try {
                keyId = getThumbPrint(encryptionCert);
            } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
                throw new IdentityOAuth2Exception("Error occurred while getting the certificate thumbprint for the client_id: " + str2 + " with the tenant domain: " + tenantDomain, e);
            }
        }
        return encryptWithPublicKey(encryptionCert.getPublicKey(), jWTClaimsSet, jWEAlgorithm, encryptionMethod, tenantDomain, str2, keyId);
    }

    /**
     * Builds a JWE header with the given key id and encrypts the claims set with an RSA key.
     *
     * <p>The key is cast to {@code RSAPublicKey}; a non-RSA key fails with an unchecked
     * {@code ClassCastException} rather than an {@code IdentityOAuth2Exception}. The debug
     * message contains the JWE header (algorithm, method, key id) but not the claims.
     *
     * @param key recipient public key, expected to be an RSA public key
     * @param jWTClaimsSet claims to encrypt
     * @param jWEAlgorithm key-management algorithm placed in the header
     * @param encryptionMethod content-encryption method placed in the header
     * @param str tenant domain, used in log and error messages only
     * @param str2 client id, used in the error message only
     * @param str3 key id written to the header
     * @return the encrypted JWT
     * @throws IdentityOAuth2Exception if the JOSE library reports an encryption failure
     */
    private static JWT encryptWithPublicKey(Key key, JWTClaimsSet jWTClaimsSet, JWEAlgorithm jWEAlgorithm, EncryptionMethod encryptionMethod, String str, String str2, String str3) throws IdentityOAuth2Exception {
        JWEHeader.Builder headerBuilder = new JWEHeader.Builder(jWEAlgorithm, encryptionMethod);
        headerBuilder.keyID(str3);
        JWEHeader header = headerBuilder.build();
        try {
            EncryptedJWT jwe = new EncryptedJWT(header, jWTClaimsSet);
            if (log.isDebugEnabled()) {
                log.debug("Encrypting JWT using the algorithm: " + jWEAlgorithm + ", method: " + encryptionMethod + ", tenant: " + str + " & header: " + header.toString());
            }
            RSAEncrypter encrypter = new RSAEncrypter((RSAPublicKey) key);
            jwe.encrypt(encrypter);
            return jwe;
        } catch (JOSEException e) {
            throw new IdentityOAuth2Exception("Error occurred while encrypting JWT for the client_id: " + str2 + " with the tenant domain: " + str, (Throwable) e);
        }
    }

    /**
     * Creates an RSA signer for the given private key.
     *
     * <p>The system property named by {@code ALLOW_WEAK_RSA_SIGNER_KEY} is read on every call
     * and passed to the signer as its weak-key switch. When it is {@code true}, keys shorter
     * than 2048 bits are accepted for signing. The switch is JVM-wide and its use is only
     * reported at debug level, so deployments that must not sign with short keys should check
     * that the property is unset.
     *
     * @param rSAPrivateKey private key to sign with
     * @return a signer bound to the key
     */
    public static JWSSigner createJWSSigner(RSAPrivateKey rSAPrivateKey) {
        final boolean allowWeakKey = Boolean.parseBoolean(System.getProperty(ALLOW_WEAK_RSA_SIGNER_KEY));
        if (allowWeakKey) {
            if (log.isDebugEnabled()) {
                log.debug("System flag 'allow_weak_rsa_signer_key' is  enabled. So weak keys (key length less than 2048)  will be allowed for signing.");
            }
        }
        return new RSASSASigner(rSAPrivateKey, allowWeakKey);
    }

    /**
     * Signs a claims set with the tenant's RSA key.
     *
     * <p>Only RS256, RS384, RS512 and PS256 are accepted. The HMAC algorithms and every other
     * value, including {@code null}, are rejected with the same message.
     *
     * @param jWTClaimsSet claims to sign
     * @param jWSAlgorithm signature algorithm
     * @param str tenant domain whose key is used
     * @return the signed JWT
     * @throws RuntimeException (unchecked) if the algorithm is not one of the accepted four
     * @throws IdentityOAuth2Exception if signing fails
     */
    public static JWT signJWT(JWTClaimsSet jWTClaimsSet, JWSAlgorithm jWSAlgorithm, String str) throws IdentityOAuth2Exception {
        boolean rsaBacked = JWSAlgorithm.RS256.equals(jWSAlgorithm)
                || JWSAlgorithm.RS384.equals(jWSAlgorithm)
                || JWSAlgorithm.RS512.equals(jWSAlgorithm)
                || JWSAlgorithm.PS256.equals(jWSAlgorithm);
        if (!rsaBacked) {
            // HMAC algorithms and anything else share one rejection path.
            throw new RuntimeException("Provided signature algorithm: " + jWSAlgorithm + " is not supported");
        }
        return signJWTWithRSA(jWTClaimsSet, jWSAlgorithm, str);
    }

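    /**
     * Signs a claims set with the RSA private key of the given tenant.
     *
     * <p>The header carries a key id derived from the certificate thumbprint and the algorithm
     * name, and the same thumbprint as the X.509 thumbprint header value.
     *
     * <p>NOTE(review): the thumbprint comes from {@code getThumbPrint}, which digests with the
     * {@code SHA256} constant and Base64-encodes the hex string of the digest. RFC 7515 defines
     * {@code x5t} as the base64url SHA-1 digest of the DER certificate, so relying parties
     * probably cannot recompute this value as a standard thumbprint - confirm that consumers
     * treat it as an opaque identifier before changing it.
     *
     * @param jWTClaimsSet claims to sign
     * @param jWSAlgorithm RSA-based signature algorithm
     * @param str tenant domain; a blank value is replaced with {@code "carbon.super"}
     * @return the signed JWT
     * @throws IdentityOAuth2Exception if the key or thumbprint cannot be obtained or signing fails
     */
    public static JWT signJWTWithRSA(JWTClaimsSet jWTClaimsSet, JWSAlgorithm jWSAlgorithm, String str) throws IdentityOAuth2Exception {
        try {
            if (StringUtils.isBlank(str)) {
                str = "carbon.super";
                if (log.isDebugEnabled()) {
                    log.debug("Assign super tenant domain as signing domain.");
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("Signing JWT using the algorithm: " + jWSAlgorithm + " & key of the tenant: " + str);
            }
            int tenantId = IdentityTenantUtil.getTenantId(str);
            JWSSigner signer = createJWSSigner((RSAPrivateKey) getPrivateKey(str, tenantId));

            // Compute the thumbprint once; it was previously derived twice for the same
            // tenant, and both header fields must describe the same certificate.
            String thumbPrint = getThumbPrint(str, tenantId);

            JWSHeader.Builder headerBuilder = new JWSHeader.Builder(jWSAlgorithm);
            headerBuilder.keyID(getKID(thumbPrint, jWSAlgorithm));
            headerBuilder.x509CertThumbprint(new Base64URL(thumbPrint));

            SignedJWT signedJWT = new SignedJWT(headerBuilder.build(), jWTClaimsSet);
            signedJWT.sign(signer);
            return signedJWT;
        } catch (JOSEException e) {
            throw new IdentityOAuth2Exception("Error occurred while signing JWT", (Throwable) e);
        }
    }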

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v21, types: [java.security.Key] */
    /* JADX WARN: Type inference failed for: r0v25, types: [java.security.Key] */
    /**
     * Returns the signing private key of a tenant, loading and caching it on first use.
     *
     * <p>Keys are cached in {@code privateKeys} by tenant id. Nothing in this method evicts an
     * entry, so a key replaced in the key store is presumably not picked up until the cache is
     * cleared elsewhere or the process restarts - verify when rotating keys.
     *
     * @param str tenant domain; {@code "carbon.super"} uses the default private key, any other
     *        domain uses the tenant key store named after the domain
     * @param i tenant id, also the cache key
     * @return the private key
     * @throws IdentityOAuth2Exception if the registry or the key cannot be loaded
     */
    public static Key getPrivateKey(String str, int i) throws IdentityOAuth2Exception {
        Integer cacheKey = Integer.valueOf(i);
        if (privateKeys.containsKey(cacheKey)) {
            return privateKeys.get(cacheKey);
        }
        try {
            IdentityTenantUtil.initializeRegistry(i, str);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(i);
            Key loadedKey;
            if (!str.equals("carbon.super")) {
                String keyStoreName = str.trim().replace(".", org.wso2.carbon.identity.openidconnect.model.Constants.DASH_DELIMITER) + org.wso2.carbon.identity.openidconnect.model.Constants.KEYSTORE_FILE_EXTENSION;
                loadedKey = keyStoreManager.getPrivateKey(keyStoreName, str);
            } else {
                try {
                    loadedKey = keyStoreManager.getDefaultPrivateKey();
                } catch (Exception e) {
                    throw new IdentityOAuth2Exception("Error while obtaining private key for super tenant", e);
                }
            }
            privateKeys.put(cacheKey, loadedKey);
            return loadedKey;
        } catch (IdentityException e2) {
            throw new IdentityOAuth2Exception("Error occurred while loading registry for tenant " + str, (Throwable) e2);
        }
    }

    /**
     * Builds a key id of the form {@code <thumbprint>_<algorithm>}.
     *
     * @param str certificate thumbprint
     * @param jWSAlgorithm signature algorithm; must not be {@code null}
     * @return the key id
     */
    public static String getKID(String str, JWSAlgorithm jWSAlgorithm) {
        StringBuilder kid = new StringBuilder();
        kid.append(str);
        kid.append("_");
        kid.append(jWSAlgorithm.toString());
        return kid.toString();
    }

    /**
     * Returns the thumbprint of a tenant's certificate.
     *
     * <p>Every failure is wrapped, including the case where no certificate is found for the
     * tenant and the digest step fails on a {@code null} certificate.
     *
     * @param str tenant domain
     * @param i tenant id
     * @return the encoded thumbprint
     * @throws IdentityOAuth2Exception if the certificate cannot be obtained or digested
     */
    public static String getThumbPrint(String str, int i) throws IdentityOAuth2Exception {
        try {
            Certificate tenantCertificate = getCertificate(str, i);
            return getThumbPrint(tenantCertificate);
        } catch (Exception e) {
            throw new IdentityOAuth2Exception("Error in obtaining certificate for tenant " + str, e);
        }
    }

    /**
     * Returns the thumbprint of a certificate, reporting failures against its alias.
     *
     * <p>NOTE(review): the first error message mentions SHA-1, while the digest is created from
     * the {@code SHA256} constant; the message looks stale - confirm the constant's value.
     *
     * @param certificate certificate to digest
     * @param str alias of the certificate, used in error messages only
     * @return the encoded thumbprint
     * @throws IdentityOAuth2Exception if the digest algorithm is unavailable or the certificate
     *         cannot be encoded
     */
    public static String getThumbPrint(Certificate certificate, String str) throws IdentityOAuth2Exception {
        String thumbPrint;
        try {
            thumbPrint = getThumbPrint(certificate);
        } catch (CertificateEncodingException e2) {
            throw new IdentityOAuth2Exception("Error occurred while encoding thumbPrint for alias: " + str, e2);
        } catch (NoSuchAlgorithmException e) {
            throw new IdentityOAuth2Exception("Error in obtaining SHA-1 thumbprint for alias: " + str, e);
        }
        return thumbPrint;
    }

    /**
     * Computes the thumbprint string of a certificate.
     *
     * <p>The encoded certificate is digested with the algorithm named by {@code SHA256}, the
     * digest is rendered as lower-case hex, and the UTF-8 bytes of that hex string are encoded
     * with URL-safe Base64 without line breaks. Because the hex text is encoded rather than the
     * raw digest, the result differs from a standard base64url thumbprint of the same digest.
     *
     * @param certificate certificate to digest; a {@code null} value fails with an unchecked
     *        {@code NullPointerException}
     * @return the encoded thumbprint
     * @throws NoSuchAlgorithmException if the digest algorithm is not available
     * @throws CertificateEncodingException if the certificate cannot be encoded
     */
    private static String getThumbPrint(Certificate certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest digest = MessageDigest.getInstance(SHA256);
        byte[] fingerprint = digest.digest(certificate.getEncoded());
        byte[] hexText = hexify(fingerprint).getBytes(Charsets.UTF_8);
        Base64 urlSafeEncoder = new Base64(0, null, true);
        byte[] encoded = urlSafeEncoder.encode(hexText);
        return new String(encoded, Charsets.UTF_8);
    }

    /**
     * Tells whether a JWE algorithm is one of the RSA key-management algorithms handled here.
     *
     * <p>{@code RSA1_5} (PKCS#1 v1.5 padding) is accepted alongside the OAEP variants. It is the
     * weakest of the three; prefer an OAEP algorithm where the client supports it.
     *
     * @param jWEAlgorithm algorithm to test; {@code null} yields {@code false}
     * @return {@code true} for RSA_OAEP, RSA1_5 and RSA_OAEP_256
     */
    private static boolean isRSAAlgorithm(JWEAlgorithm jWEAlgorithm) {
        if (JWEAlgorithm.RSA_OAEP.equals(jWEAlgorithm)) {
            return true;
        }
        if (JWEAlgorithm.RSA1_5.equals(jWEAlgorithm)) {
            return true;
        }
        return JWEAlgorithm.RSA_OAEP_256.equals(jWEAlgorithm);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v25, types: [java.security.cert.Certificate] */
    /* JADX WARN: Type inference failed for: r0v29, types: [java.security.cert.Certificate] */
    /**
     * Returns the public certificate of a tenant, loading and caching it on first use.
     *
     * <p>Certificates are cached in {@code publicCerts} by tenant id. A certificate that could
     * not be found is not cached and {@code null} is returned, so callers must handle a
     * {@code null} result.
     *
     * @param str tenant domain; {@code "carbon.super"} uses the default primary certificate,
     *        any other domain uses the tenant key store named after the domain
     * @param i tenant id, also the cache key
     * @return the certificate, or {@code null} if the key store has none under the tenant alias
     * @throws Exception if the registry or key store cannot be loaded
     */
    private static Certificate getCertificate(String str, int i) throws Exception {
        Integer cacheKey = Integer.valueOf(i);
        if (publicCerts.containsKey(cacheKey)) {
            return publicCerts.get(cacheKey);
        }
        try {
            IdentityTenantUtil.initializeRegistry(i, str);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(i);
            Certificate loadedCertificate;
            if (!str.equals("carbon.super")) {
                String keyStoreName = str.trim().replace(".", org.wso2.carbon.identity.openidconnect.model.Constants.DASH_DELIMITER) + org.wso2.carbon.identity.openidconnect.model.Constants.KEYSTORE_FILE_EXTENSION;
                loadedCertificate = keyStoreManager.getKeyStore(keyStoreName).getCertificate(str);
            } else {
                loadedCertificate = keyStoreManager.getDefaultPrimaryCertificate();
            }
            if (loadedCertificate != null) {
                publicCerts.put(cacheKey, loadedCertificate);
            }
            return loadedCertificate;
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while loading registry for tenant " + str, (Throwable) e);
        }
    }

    /**
     * Renders a byte array as lower-case hexadecimal, two characters per byte.
     *
     * @param bArr bytes to render; must not be {@code null}
     * @return the hex string, empty for an empty array
     */
    private static String hexify(byte[] bArr) {
        final String digits = "0123456789abcdef";
        StringBuilder hex = new StringBuilder(bArr.length * 2);
        for (byte value : bArr) {
            // High nibble first, then low nibble; the mask drops the sign extension.
            hex.append(digits.charAt((value >> 4) & 0x0F));
            hex.append(digits.charAt(value & 0x0F));
        }
        return hex.toString();
    }

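    /**
     * Extracts the names of claims marked essential under one member of a {@code claims}
     * request parameter.
     *
     * <p>The member is looked up by key. The previous check searched the serialized JSON text
     * for the member name, so a name that appeared anywhere else in the document (for example
     * inside a value or under another member) passed the check and the following object lookup
     * failed with an unchecked JSON exception on client-supplied input.
     *
     * @param str the {@code claims} request parameter as JSON text
     * @param str2 top-level member to inspect
     * @return names of the claims whose {@code essential} entry parses as {@code true}; empty
     *         when the member is absent or is not a JSON object
     */
    public static List<String> getEssentialClaims(String str, String str2) {
        JSONObject claimsRequest = new JSONObject(str);
        List<String> essentialClaims = new ArrayList<>();

        // optJSONObject yields null when the key is missing or its value is not an object.
        JSONObject requestedMember = claimsRequest.optJSONObject(str2);
        if (requestedMember == null) {
            return essentialClaims;
        }

        Iterator<String> claimNames = requestedMember.keys();
        while (claimNames.hasNext()) {
            String claimName = claimNames.next();
            if (requestedMember.isNull(claimName)) {
                // A null value requests the claim as voluntary.
                continue;
            }
            JSONObject claimOptions = new JSONObject(requestedMember.get(claimName).toString());
            if (claimOptions.has(RequestObject.ESSENTIAL)
                    && Boolean.parseBoolean(claimOptions.get(RequestObject.ESSENTIAL).toString())) {
                essentialClaims.add(claimName);
            }
        }
        return essentialClaims;
    }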

    /**
     * Normalizes a user-store domain name to upper case, falling back to the primary domain.
     *
     * <p>NOTE(review): {@code toUpperCase()} without a locale uses the JVM default locale, so
     * the result can differ between hosts (for example under a Turkish locale). Confirm how
     * other comparisons of this value are cased before pinning a locale here.
     *
     * @param str user-store domain name; may be blank
     * @return the upper-cased name, or the primary domain name when {@code str} is blank
     */
    public static String getSanitizedUserStoreDomain(String str) {
        if (StringUtils.isNotBlank(str)) {
            return str.toUpperCase();
        }
        return IdentityUtil.getPrimaryDomainName();
    }

    /**
     * Determines the user-store domain to record for a user.
     *
     * <p>For a federated user that is not mapped to a local account the result is
     * {@code "FEDERATED"} when the IdP id column is enabled, otherwise the federated domain
     * label built from the identity provider name. In every other case the domain derived from
     * the user id is returned.
     *
     * @param authenticatedUser the user; must not be {@code null}
     * @return the user-store domain
     * @throws IllegalArgumentException if {@code authenticatedUser} is {@code null}
     * @throws IdentityOAuth2Exception declared for the domain lookup
     */
    public static String getUserStoreForFederatedUser(AuthenticatedUser authenticatedUser) throws IdentityOAuth2Exception {
        if (authenticatedUser == null) {
            throw new IllegalArgumentException("Authenticated user cannot be null");
        }
        String localDomain = getUserStoreDomainFromUserId(authenticatedUser.toString());
        boolean unmappedFederatedUser = !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal() && authenticatedUser.isFederatedUser();
        if (!unmappedFederatedUser) {
            return localDomain;
        }
        if (OAuth2ServiceComponentHolder.isIDPIdColumnEnabled()) {
            return "FEDERATED";
        }
        return getFederatedUserDomain(authenticatedUser.getFederatedIdPName());
    }

    /**
     * Joins a token and a user identifier as {@code token:user} and Base64-encodes the result.
     *
     * <p>Base64 is an encoding, not protection: anyone holding the returned string can recover
     * both the token and the user identifier, so it needs the same handling as the token.
     *
     * @param authenticatedUser the user; must not be {@code null}
     * @param str the token; must not be blank
     * @return the Base64-encoded {@code token:user} string
     * @throws IllegalArgumentException if the user is {@code null} or the token is blank
     */
    public static String addUsernameToToken(AuthenticatedUser authenticatedUser, String str) {
        if (authenticatedUser == null) {
            throw new IllegalArgumentException("Authenticated user cannot be null");
        }
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("Token cannot be blank");
        }
        String userIdentifier = authenticatedUser.toString();
        boolean unmappedFederatedUser = !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal() && authenticatedUser.isFederatedUser();
        if (unmappedFederatedUser) {
            // Federated users are identified by their IdP domain label and subject identifier.
            userIdentifier = getFederatedUserDomain(authenticatedUser.getFederatedIdPName()) + UserCoreConstants.DOMAIN_SEPARATOR + authenticatedUser.getAuthenticatedSubjectIdentifier();
        }
        String tokenWithUser = str + ":" + userIdentifier;
        return Base64Utils.encode(tokenWithUser.getBytes(Charsets.UTF_8));
    }

    /**
     * Tells whether a string parses as a JSON object.
     *
     * <p>Only {@code JSONException} is handled; any other exception raised by the parser
     * propagates to the caller.
     *
     * @param str text to test
     * @return {@code true} if the text parses as a JSON object, {@code false} if the parser
     *         rejects it
     */
    public static boolean isValidJson(String str) {
        boolean parsed;
        try {
            new JSONObject(str);
            parsed = true;
        } catch (JSONException e) {
            parsed = false;
        }
        return parsed;
    }

    /**
     * Collects the names of essential claims requested under one member.
     *
     * @param str member name used as the map key
     * @param map requested claims grouped by member; must not be {@code null}
     * @return names of the claims flagged essential, empty when the member has no claims
     */
    public static List<String> essentialClaimsFromRequestParam(String str, Map<String, List<RequestedClaim>> map) {
        ArrayList essentialNames = new ArrayList();
        List<RequestedClaim> requested = map.get(str);
        if (!CollectionUtils.isNotEmpty(requested)) {
            return essentialNames;
        }
        Iterator<RequestedClaim> cursor = requested.iterator();
        while (cursor.hasNext()) {
            RequestedClaim claim = cursor.next();
            String claimName = claim.getName();
            if (claim.isEssential()) {
                essentialNames.add(claimName);
            }
        }
        return essentialNames;
    }

    /**
     * Returns the authorized user of an access token with its federated flag refreshed.
     *
     * <p>The user object held by the token is updated in place, not copied.
     *
     * @param accessTokenDO access token data; may be {@code null}
     * @return the token's user, or {@code null} if the token or its user is {@code null}
     */
    public static AuthenticatedUser getAuthenticatedUser(AccessTokenDO accessTokenDO) {
        if (accessTokenDO == null) {
            return null;
        }
        AuthenticatedUser tokenUser = accessTokenDO.getAuthzUser();
        if (tokenUser == null) {
            return null;
        }
        tokenUser.setFederatedUser(isFederatedUser(tokenUser));
        return tokenUser;
    }

    /**
     * Tells whether a user is to be treated as federated.
     *
     * <p>A user counts as federated when its user-store domain starts with {@code "FEDERATED"}
     * or its own federated flag is set, and federated users are not mapped to local accounts.
     *
     * @param authenticatedUser the user; must not be {@code null}
     * @return {@code true} if the user is federated and not mapped to a local account
     */
    public static boolean isFederatedUser(AuthenticatedUser authenticatedUser) {
        boolean markedFederated = StringUtils.startsWith(authenticatedUser.getUserStoreDomain(), "FEDERATED") || authenticatedUser.isFederatedUser();
        if (!markedFederated) {
            return false;
        }
        return !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal();
    }

    /**
     * Looks up the service provider registered for an OAuth client in a given tenant.
     *
     * @param str client id
     * @param str2 tenant domain
     * @return the service provider returned by the application management service
     * @throws IdentityOAuth2Exception if the application management service fails
     */
    public static ServiceProvider getServiceProvider(String str, String str2) throws IdentityOAuth2Exception {
        ServiceProvider serviceProvider;
        try {
            serviceProvider = OAuth2ServiceComponentHolder.getApplicationMgtService().getServiceProviderByClientId(str, OAuthApplicationMgtListener.OAUTH2, str2);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while obtaining the service provider for client_id: " + str + " of tenantDomain: " + str2, (Throwable) e);
        }
        return serviceProvider;
    }

    /**
     * Looks up the service provider registered for an OAuth client, resolving the tenant
     * domain from the client id.
     *
     * @param str client id
     * @return the service provider returned by the application management service
     * @throws IdentityOAuth2Exception if no app exists for the client id or the application
     *         management service fails
     */
    public static ServiceProvider getServiceProvider(String str) throws IdentityOAuth2Exception {
        ApplicationManagementService appMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
        // Kept outside the try so the error message can report it, even when still unresolved.
        String tenantDomain = null;
        try {
            tenantDomain = getTenantDomainOfOauthApp(str);
            ServiceProvider serviceProvider = appMgtService.getServiceProviderByClientId(str, OAuthApplicationMgtListener.OAUTH2, tenantDomain);
            return serviceProvider;
        } catch (InvalidOAuthClientException e2) {
            throw new IdentityOAuth2Exception("Could not find an existing app for clientId: " + str, (Throwable) e2);
        } catch (IdentityApplicationManagementException e) {
            throw new IdentityOAuth2Exception("Error while obtaining the service provider for client_id: " + str + " of tenantDomain: " + tenantDomain, (Throwable) e);
        }
    }

    /**
     * Returns the certificate configured on the service provider of an OAuth client.
     *
     * @param str client id
     * @param str2 tenant domain
     * @return the certificate built from the service provider's PEM content
     * @throws IdentityOAuth2Exception if no certificate is configured, the content cannot be
     *         converted to a certificate, or the service provider lookup fails
     */
    public static Certificate getX509CertOfOAuthApp(String str, String str2) throws IdentityOAuth2Exception {
        try {
            String pemContent = getServiceProvider(str, str2).getCertificateContent();
            if (!StringUtils.isNotBlank(pemContent)) {
                throw new IdentityOAuth2Exception("Public certificate not configured for Service Provider with client_id: " + str + " of tenantDomain: " + str2);
            }
            return IdentityUtil.convertPEMEncodedContentToCertificate(pemContent);
        } catch (CertificateException e) {
            throw new IdentityOAuth2Exception("Error while building X509 cert of oauth app with client_id: " + str + " of tenantDomain: " + str2, e);
        }
    }

    /**
     * Tells whether a token has the shape of a compact signed JWT.
     *
     * <p>This only counts dots. It neither parses nor verifies the token, so it must not be
     * used as a validity check.
     *
     * @param str token identifier
     * @return {@code true} if the string contains exactly two dots
     */
    public static boolean isJWT(String str) {
        int separators = StringUtils.countMatches(str, ".");
        return separators == 2;
    }

    /**
     * Tells whether a token has the shape of a compact encrypted JWT.
     *
     * <p>This only counts dots. It neither parses nor decrypts the token.
     *
     * @param str token identifier
     * @return {@code true} if the string contains exactly four dots
     */
    public static boolean isIDTokenEncrypted(String str) {
        int separators = StringUtils.countMatches(str, ".");
        return separators == 4;
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer] */
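    /**
     * Resolves the token issuer responsible for an access token.
     *
     * <p>A token shaped like a signed or encrypted JWT (judged by dot count only) gets a new
     * {@code JWTTokenIssuer}. Otherwise the issuer configured for the owning OAuth app is
     * returned.
     *
     * <p>The raw token is written to the debug log only when
     * {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it, matching the other token
     * log statements in this class; it was previously logged unconditionally.
     *
     * @param str access token identifier
     * @return the issuer, or {@code null} if no client id could be resolved for the token
     * @throws IdentityOAuth2Exception if the issuer of the resolved app cannot be retrieved
     */
    @Deprecated
    public static OauthTokenIssuer getTokenIssuer(String str) throws IdentityOAuth2Exception {
        if (isJWT(str) || isIDTokenEncrypted(str)) {
            return new JWTTokenIssuer();
        }
        String clientId = null;
        try {
            clientId = getClientIdForAccessToken(str);
            if (clientId != null) {
                return getOAuthTokenIssuerForOAuthApp(clientId);
            }
        } catch (IllegalArgumentException e) {
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable("AccessToken")) {
                    log.debug("Consumer key is not found for token identifier: " + str, e);
                } else {
                    log.debug("Consumer key is not found for the token identifier.", e);
                }
            }
        } catch (InvalidOAuthClientException e2) {
            throw new IdentityOAuth2Exception("Error while retrieving oauth issuer for the app with clientId: " + clientId, (Throwable) e2);
        }
        return null;
    }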

    /**
     * Notifies the OAuth event interceptor, if one is registered, of a token-issue failure.
     *
     * <p>This is best effort: an {@code IdentityOAuth2Exception} from the interceptor is logged
     * as an error, and anything else thrown along the way is logged at debug level only.
     * Nothing is propagated to the caller.
     *
     * @param th the failure being reported
     * @param map additional parameters passed to the interceptor
     */
    public static void triggerOnTokenExceptionListeners(Throwable th, Map<String, Object> map) {
        try {
            OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
            if (interceptor == null) {
                return;
            }
            try {
                interceptor.onTokenIssueException(th, map);
            } catch (IdentityOAuth2Exception e) {
                log.error("Error while invoking OAuthEventInterceptor for onTokenIssueException", e);
            }
        } catch (Throwable unexpected) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while executing oAuthEventInterceptorProxy for onTokenIssueException.", unexpected);
            }
        }
    }

    /**
     * Notifies the OAuth event interceptor, if one is registered, of a failed token validation.
     *
     * <p>The error of the introspection response is passed along under {@code Constants.ERROR}.
     * This is best effort: an {@code IdentityOAuth2Exception} from the interceptor is logged as
     * an error, and anything else thrown inside the notification is logged at debug level only.
     *
     * @param oAuth2TokenValidationRequestDTO the validation request
     * @param oAuth2IntrospectionResponseDTO the response carrying the error; must not be
     *        {@code null}
     */
    public static void triggerOnIntrospectionExceptionListeners(OAuth2TokenValidationRequestDTO oAuth2TokenValidationRequestDTO, OAuth2IntrospectionResponseDTO oAuth2IntrospectionResponseDTO) {
        HashMap params = new HashMap();
        params.put(Constants.ERROR, oAuth2IntrospectionResponseDTO.getError());
        try {
            OAuthEventInterceptor interceptor = OAuthComponentServiceHolder.getInstance().getOAuthEventInterceptorProxy();
            if (interceptor == null) {
                return;
            }
            try {
                interceptor.onTokenValidationException(oAuth2TokenValidationRequestDTO, params);
            } catch (IdentityOAuth2Exception e) {
                log.error("Error while invoking OAuthEventInterceptor for onTokenValidationException", e);
            }
        } catch (Throwable unexpected) {
            if (log.isDebugEnabled()) {
                log.debug("Error occurred while executing oAuthEventInterceptorProxy for onTokenValidationException.", unexpected);
            }
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v11, types: [java.util.List] */
    /**
     * Lists the grant types that have a handler configured on the server.
     *
     * @return a new list of the configured grant type names, empty when none are configured
     */
    public static List<String> getSupportedGrantTypes() {
        Map<String, AuthorizationGrantHandler> grantHandlers = OAuthServerConfiguration.getInstance().getSupportedGrantTypes();
        if (grantHandlers == null || grantHandlers.isEmpty()) {
            return new ArrayList<>();
        }
        return new ArrayList<>(grantHandlers.keySet());
    }

    /**
     * Lists the client authentication methods reported as supported.
     *
     * @return a new mutable list holding {@code CLIENT_SECRET_BASIC} and
     *         {@code CLIENT_SECRET_POST}, in that order
     */
    public static List<String> getSupportedClientAuthenticationMethods() {
        List<String> methods = new ArrayList<>(2);
        for (String method : new String[] {CLIENT_SECRET_BASIC, CLIENT_SECRET_POST}) {
            methods.add(method);
        }
        return methods;
    }

    /**
     * Lists the request-object signing algorithms reported as supported.
     *
     * <p>The list includes {@code none}. A request object sent with that algorithm is unsigned
     * and carries no integrity protection, so clients that require signed request objects
     * depend on that being enforced where the request object is validated, not by this list.
     *
     * @return a new mutable list of algorithm names: RS256, RS384, RS512, PS256 and none
     */
    public static List<String> getRequestObjectSigningAlgValuesSupported() {
        Algorithm[] advertised = {
            JWSAlgorithm.RS256,
            JWSAlgorithm.RS384,
            JWSAlgorithm.RS512,
            JWSAlgorithm.PS256,
            JWSAlgorithm.NONE
        };
        List<String> names = new ArrayList<>(advertised.length);
        for (Algorithm algorithm : advertised) {
            names.add(algorithm.getName());
        }
        return names;
    }

    /**
     * Reports whether the {@code request} parameter is supported.
     *
     * @return always {@code true}
     */
    public static boolean isRequestParameterSupported() {
        return true;
    }

    /**
     * Reports whether the {@code claims} parameter is supported.
     *
     * @return always {@code true}
     */
    public static boolean isClaimsParameterSupported() {
        return true;
    }

    /**
     * Extracts the identity provider name from a federated user-store domain label.
     *
     * <p>The label must start with {@code "FEDERATED"} and split on {@code ':'} into exactly
     * two parts. A label without a name, or one whose name contains a colon, yields
     * {@code null}.
     *
     * @param str user-store domain label; may be {@code null}
     * @return the part after the colon, or {@code null} if the label does not match
     */
    public static String getFederatedIdPFromDomain(String str) {
        if (StringUtils.startsWith(str, "FEDERATED")) {
            String[] parts = str.split(":");
            return parts.length == 2 ? parts[1] : null;
        }
        return null;
    }

    /**
     * Creates an authenticated user from a user name, user-store domain and tenant domain.
     *
     * <p>When the user-store domain starts with {@code "FEDERATED"} and federated users are not
     * mapped to local accounts, the user is flagged as federated and its identity provider name
     * is taken from the domain label; the user-store domain itself is then not set. Whether a
     * user is federated is decided from the domain string alone.
     *
     * @param str user name
     * @param str2 user-store domain
     * @param str3 tenant domain
     * @return the populated user
     */
    @Deprecated
    public static AuthenticatedUser createAuthenticatedUser(String str, String str2, String str3) {
        AuthenticatedUser user = new AuthenticatedUser();
        user.setUserName(str);
        user.setTenantDomain(str3);
        boolean unmappedFederated = StringUtils.startsWith(str2, "FEDERATED") && !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal();
        if (unmappedFederated) {
            if (log.isDebugEnabled()) {
                log.debug("Federated prefix found in domain: " + str2 + " for user: " + str + " in tenant domain: " + str3 + ". Flag user as a federated user.");
            }
            user.setFederatedUser(true);
            user.setFederatedIdPName(getFederatedIdPFromDomain(str2));
            return user;
        }
        user.setUserStoreDomain(str2);
        return user;
    }

    /**
     * Creates an authenticated user from a user name, user-store domain, tenant domain and
     * identity provider name.
     *
     * <p>When the user-store domain starts with {@code "FEDERATED"} and federated users are not
     * mapped to local accounts, the user is flagged as federated. Its identity provider name is
     * {@code str4} when the IdP id column is enabled, otherwise the name parsed from the domain
     * label. In that case the user-store domain itself is not set.
     *
     * @param str user name
     * @param str2 user-store domain
     * @param str3 tenant domain
     * @param str4 identity provider name, used only when the IdP id column is enabled
     * @return the populated user
     */
    public static AuthenticatedUser createAuthenticatedUser(String str, String str2, String str3, String str4) {
        AuthenticatedUser user = new AuthenticatedUser();
        user.setUserName(str);
        user.setTenantDomain(str3);
        boolean unmappedFederated = StringUtils.startsWith(str2, "FEDERATED") && !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal();
        if (!unmappedFederated) {
            user.setUserStoreDomain(str2);
            return user;
        }
        user.setFederatedUser(true);
        String idpName = OAuth2ServiceComponentHolder.isIDPIdColumnEnabled() ? str4 : getFederatedIdPFromDomain(str2);
        user.setFederatedIdPName(idpName);
        if (log.isDebugEnabled()) {
            log.debug("Federated prefix found in domain: " + str2 + " for user: " + str + " in tenant domain: " + str3 + ". Flag user as a federated user. " + user.getFederatedIdPName() + " is set as the authenticated idp.");
        }
        return user;
    }

    /**
     * Returns the ID token issuer configured on the resident identity provider of a tenant.
     *
     * <p>The value is the {@code "IdPEntityId"} property of the {@code "openidconnect"}
     * federated authenticator. None of the intermediate lookups is null-checked here, so a
     * missing authenticator or property presumably surfaces as a {@code NullPointerException}.
     *
     * @param str tenant domain
     * @return the configured issuer value
     * @throws IdentityOAuth2Exception if the resident identity provider cannot be loaded
     */
    public static String getIdTokenIssuer(String str) throws IdentityOAuth2Exception {
        IdentityProvider residentIdp = getResidentIdp(str);
        return IdentityApplicationManagementUtil.getProperty(
                IdentityApplicationManagementUtil.getFederatedAuthenticator(
                        residentIdp.getFederatedAuthenticatorConfigs(), "openidconnect").getProperties(),
                "IdPEntityId").getValue();
    }

    /**
     * Loads the resident identity provider of a tenant.
     *
     * @param str tenant domain
     * @return the resident identity provider
     * @throws IdentityOAuth2Exception if the identity provider manager fails
     */
    private static IdentityProvider getResidentIdp(String str) throws IdentityOAuth2Exception {
        IdentityProvider residentIdp;
        try {
            residentIdp = IdentityProviderManager.getInstance().getResidentIdP(str);
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(String.format("Error while getting Resident Identity Provider of '%s' tenant.", str), (Throwable) e);
        }
        return residentIdp;
    }

    /**
     * Builds a revocation request for a token on behalf of an authenticated client.
     *
     * <p>The consumer key is taken from the client authentication context, so the request is
     * tied to the client that authenticated rather than to a caller-supplied id.
     *
     * @param oAuthClientAuthnContext client authentication context; must not be {@code null}
     * @param str token to revoke
     * @return the populated request
     */
    public static OAuthRevocationRequestDTO buildOAuthRevocationRequest(OAuthClientAuthnContext oAuthClientAuthnContext, String str) {
        OAuthRevocationRequestDTO request = new OAuthRevocationRequestDTO();
        request.setToken(str);
        request.setOauthClientAuthnContext(oAuthClientAuthnContext);
        String consumerKey = oAuthClientAuthnContext.getClientId();
        request.setConsumerKey(consumerKey);
        return request;
    }

    /**
     * Finds the stored access token for a token identifier by trying the configured issuers.
     *
     * <p>The JWT and default issuers are tried first, then the remaining configured issuers.
     *
     * @param str token identifier
     * @param z passed through to the token lookup; when {@code true} a missing token yields
     *        {@code null} instead of an exception
     * @return the access token data, or {@code null} if none was found and {@code z} is
     *         {@code true}
     * @throws IllegalArgumentException if no token was found and {@code z} is {@code false}
     * @throws IdentityOAuth2Exception if a lookup fails
     */
    public static AccessTokenDO findAccessToken(String str, boolean z) throws IdentityOAuth2Exception {
        HashMap remainingIssuers = new HashMap(OAuthServerConfiguration.getInstance().getOauthTokenIssuerMap());
        HashMap defaultIssuers = new HashMap();
        extractDefaultOauthTokenIssuers(remainingIssuers, defaultIssuers);

        AccessTokenDO token = getAccessTokenDOFromMatchingTokenIssuer(str, defaultIssuers, z);
        if (token == null) {
            token = getAccessTokenDOFromMatchingTokenIssuer(str, remainingIssuers, z);
            if (token == null && !z) {
                throw new IllegalArgumentException("Invalid Access Token. ACTIVE access token is not found.");
            }
        }
        return token;
    }

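    /**
     * Tries each issuer in turn and returns the first stored access token that matches.
     *
     * <p>An issuer that persists a token alias is asked for the alias of the identifier first;
     * otherwise the identifier is looked up as is. Failures of a single issuer are logged at
     * debug level and the next issuer is tried. The raw token is included in those messages
     * only when {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it.
     *
     * <p>The per-issuer result is now initialised on every iteration, which the previous
     * shared, uninitialised local did not guarantee after a caught exception. Entries without
     * an issuer are skipped: {@code extractDefaultOauthTokenIssuers} copies its two default
     * keys even when the source map has no value for them.
     *
     * @param str token identifier
     * @param map issuers to try, keyed by name; may be {@code null}
     * @param z passed through to the token lookup
     * @return the first matching access token, or {@code null} if no issuer produced one
     * @throws IdentityOAuth2Exception if a lookup fails
     */
    private static AccessTokenDO getAccessTokenDOFromMatchingTokenIssuer(String str, Map<String, OauthTokenIssuer> map, boolean z) throws IdentityOAuth2Exception {
        if (map == null) {
            return null;
        }
        for (Map.Entry<String, OauthTokenIssuer> entry : map.entrySet()) {
            OauthTokenIssuer issuer = entry.getValue();
            if (issuer == null) {
                continue;
            }
            AccessTokenDO found = null;
            try {
                found = issuer.usePersistedAccessTokenAlias() ? getAccessTokenDOFromTokenIdentifier(issuer.getAccessTokenHash(str), z) : getAccessTokenDOFromTokenIdentifier(str, z);
            } catch (OAuthSystemException e) {
                if (log.isDebugEnabled()) {
                    if (IdentityUtil.isTokenLoggable("AccessToken")) {
                        log.debug("Token issuer: " + entry.getKey() + " was tried and failed to parse the received token: " + str);
                    } else {
                        log.debug("Token issuer: " + entry.getKey() + " was tried and failed to parse the received token.");
                    }
                }
            } catch (IllegalArgumentException e2) {
                if (log.isDebugEnabled()) {
                    if (IdentityUtil.isTokenLoggable("AccessToken")) {
                        log.debug("Token issuer: " + entry.getKey() + " was tried and failed to get the token from database: " + str);
                    } else {
                        log.debug("Token issuer: " + entry.getKey() + " was tried and failed  to get the token from database.");
                    }
                }
            }
            if (found != null) {
                return found;
            }
        }
        return null;
    }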

    /**
     * Moves the JWT and {@code "Default"} issuers from one map to another.
     *
     * <p>Both keys are always written to the target map; if the source map has no value for a
     * key, the target receives a {@code null} value under it.
     *
     * @param map source map; the two entries are removed from it
     * @param map2 target map receiving the two entries
     */
    private static void extractDefaultOauthTokenIssuers(Map<String, OauthTokenIssuer> map, Map<String, OauthTokenIssuer> map2) {
        String[] defaultIssuerTypes = {OAuthServerConfiguration.JWT_TOKEN_TYPE, "Default"};
        for (String issuerType : defaultIssuerTypes) {
            // remove() hands back the value that get() would have returned, or null if absent.
            map2.put(issuerType, map.remove(issuerType));
        }
    }

    /**
     * Returns the stored access token value for the token carried in a validation response.
     *
     * <p>The lookup is made with the "not found is an error" setting, so a token that is not
     * found surfaces as an unchecked {@code IllegalArgumentException} from
     * {@code findAccessToken}, which is not converted here.
     *
     * @param oAuth2TokenValidationResponseDTO validation response holding the context token
     * @return the access token value, or {@code null} if the response has no token string
     * @throws UserInfoEndpointException if the token lookup fails with an OAuth2 exception
     */
    public static String getAccessTokenIdentifier(OAuth2TokenValidationResponseDTO oAuth2TokenValidationResponseDTO) throws UserInfoEndpointException {
        String tokenString = oAuth2TokenValidationResponseDTO.getAuthorizationContextToken().getTokenString();
        if (tokenString == null) {
            return null;
        }
        try {
            AccessTokenDO stored = findAccessToken(tokenString, false);
            return stored != null ? stored.getAccessToken() : null;
        } catch (IdentityOAuth2Exception e) {
            throw new UserInfoEndpointException("Error occurred while obtaining access token.", (Throwable) e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v16, types: [org.wso2.carbon.identity.oauth2.model.AccessTokenDO, java.io.Serializable] */
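    /**
     * Adds a copy of an access token to the OAuth cache under the token's hash.
     *
     * <p>The hash is produced by the token issuer of the owning OAuth app. The cached copy
     * holds the hash in place of the token value; the object passed in is not modified.
     *
     * <p>The raw token and the cache key appear in log and exception messages only when
     * {@code IdentityUtil.isTokenLoggable("AccessToken")} allows it.
     *
     * <p>The issuer is now kept in a local that the error path can name. The decompiled body
     * referenced an object that was always {@code null} there, which would have replaced the
     * real failure with a {@code NullPointerException}.
     *
     * @param accessTokenDO access token to cache
     * @throws IdentityOAuth2Exception if the issuer cannot be resolved or the hash cannot be
     *         computed
     */
    public static void addTokenDOtoCache(AccessTokenDO accessTokenDO) throws IdentityOAuth2Exception {
        OauthTokenIssuer tokenIssuer = null;
        try {
            tokenIssuer = getOAuthTokenIssuerForOAuthApp(accessTokenDO.getConsumerKey());
            String accessTokenHash = tokenIssuer.getAccessTokenHash(accessTokenDO.getAccessToken());
            OAuthCacheKey cacheKey = new OAuthCacheKey(accessTokenHash);
            // Cache a clone so the caller's object keeps the original token value.
            AccessTokenDO cachedCopy = AccessTokenDO.clone(accessTokenDO);
            cachedCopy.setAccessToken(accessTokenHash);
            OAuthCache.getInstance().addToCache(cacheKey, cachedCopy);
            if (log.isDebugEnabled()) {
                if (IdentityUtil.isTokenLoggable("AccessToken")) {
                    log.debug("Access token DO was added to OAuthCache with cache key: " + cacheKey.getCacheKeyString());
                } else {
                    log.debug("Access token DO was added to OAuthCache");
                }
            }
        } catch (InvalidOAuthClientException e) {
            if (!IdentityUtil.isTokenLoggable("AccessToken")) {
                throw new IdentityOAuth2Exception("Error while getting the token issuer", (Throwable) e);
            }
            throw new IdentityOAuth2Exception("Error while getting the token issuer for the token: " + accessTokenDO.getAccessToken(), (Throwable) e);
        } catch (OAuthSystemException e2) {
            // String concatenation tolerates a null issuer, so the original failure is kept.
            String message = "Error while getting the token alias from token issuer: " + tokenIssuer;
            if (!IdentityUtil.isTokenLoggable("AccessToken")) {
                throw new IdentityOAuth2Exception(message, (Throwable) e2);
            }
            throw new IdentityOAuth2Exception(message + " for the token: " + accessTokenDO.getAccessToken(), (Throwable) e2);
        }
    }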

    /**
     * Resolves the identity provider name to record for the given user.
     *
     * <p>Without the IDP_ID column the user's federated IdP name is returned as is. With the
     * column, {@code "LOCAL"} is returned for users that are not federated or when federated
     * users are mapped to local ones; otherwise the federated IdP name is returned.
     *
     * @param authenticatedUser user whose identity provider is resolved
     * @return the identity provider name selected by the rules above
     */
    public static String getAuthenticatedIDP(AuthenticatedUser authenticatedUser) {
        final String idpName;
        final String debugPrefix;
        if (!OAuth2ServiceComponentHolder.isIDPIdColumnEnabled()) {
            idpName = authenticatedUser.getFederatedIdPName();
            debugPrefix = "IDP_ID column is not available. Authenticated IDP is set to:";
        } else if (OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal()
                || !authenticatedUser.isFederatedUser()) {
            idpName = "LOCAL";
            debugPrefix = "IDP_ID column is available. Authenticated IDP is set to:";
        } else {
            idpName = authenticatedUser.getFederatedIdPName();
            debugPrefix = "IDP_ID column is available. User is federated and not mapped to local users. Authenticated IDP is set to:";
        }
        // One debug statement serves all three branches; only the prefix differs.
        if (log.isDebugEnabled()) {
            log.debug(debugPrefix + idpName + " for user:" + authenticatedUser.toString());
        }
        return idpName;
    }

    /**
     * Resolves the user store domain to record for the given user and returns it after
     * passing it through {@code getSanitizedUserStoreDomain}.
     *
     * <p>Federated users that are not mapped to local users get {@code "FEDERATED"} when the
     * IDP_ID column is enabled, and the value of {@code getFederatedUserDomain} for their IdP
     * name when it is not. All other users keep their own user store domain.
     *
     * @param authenticatedUser user whose user store domain is resolved
     * @return the sanitized user store domain
     */
    public static String getUserStoreDomain(AuthenticatedUser authenticatedUser) {
        String rawDomain;
        if (OAuth2ServiceComponentHolder.isIDPIdColumnEnabled()
                && !OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal()
                && authenticatedUser.isFederatedUser()) {
            if (log.isDebugEnabled()) {
                log.debug("IDP_ID column is available. User is federated and not mapped to local users.");
            }
            rawDomain = "FEDERATED";
        } else if (!OAuthServerConfiguration.getInstance().isMapFederatedUsersToLocal()
                && authenticatedUser.isFederatedUser()) {
            // Federated and unmapped, but the first branch did not match: no IDP_ID column.
            if (log.isDebugEnabled()) {
                log.debug("IDP_ID column is not available. User is federated and not mapped to local users.");
            }
            rawDomain = getFederatedUserDomain(authenticatedUser.getFederatedIdPName());
        } else {
            rawDomain = authenticatedUser.getUserStoreDomain();
            if (log.isDebugEnabled()) {
                log.debug(OAuth2ServiceComponentHolder.isIDPIdColumnEnabled()
                        ? "IDP_ID column is available. User is not federated or mapped to local users."
                        : "IDP_ID column is not available. User is not federated or mapped to local users.");
            }
        }
        String result = getSanitizedUserStoreDomain(rawDomain);
        if (log.isDebugEnabled()) {
            log.debug("User domain is set to:" + result + " for user:" + authenticatedUser.toString());
        }
        return result;
    }

    /**
     * Reports whether the IDP_ID column exists in every OAuth2 table that needs it.
     *
     * <p>The authorization code and access token tables are always checked. The access token
     * audit table is checked only when retaining old access tokens is enabled.
     *
     * @return {@code true} if the column is present in all tables that were checked
     */
    public static boolean checkIDPIdColumnAvailable() {
        boolean inAuthzCodeTable = FrameworkUtils.isTableColumnExists("IDN_OAUTH2_AUTHORIZATION_CODE", "IDP_ID");
        boolean inAccessTokenTable = FrameworkUtils.isTableColumnExists("IDN_OAUTH2_ACCESS_TOKEN", "IDP_ID");
        // The audit table counts as satisfied unless old tokens are retained in it.
        boolean inAuditTable = true;
        if (OAuthServerConfiguration.getInstance().useRetainOldAccessTokens()) {
            inAuditTable = FrameworkUtils.isTableColumnExists("IDN_OAUTH2_ACCESS_TOKEN_AUDIT", "IDP_ID");
        } else if (log.isDebugEnabled()) {
            log.debug("Retaining old access tokens in IDN_OAUTH2_ACCESS_TOKEN_AUDIT is disabled, therefore ignoring the availability of IDP_ID column in IDN_OAUTH2_ACCESS_TOKEN_AUDIT table.");
        }
        return inAuthzCodeTable && inAccessTokenTable && inAuditTable;
    }

    /**
     * Registers the scopes from the scope binding configuration for the given tenant, unless
     * {@code hasScopesAlreadyAdded} reports that they are already there.
     *
     * <p>An {@code IdentityOAuth2ScopeException} is logged and not rethrown, so callers get no
     * signal that registration failed.
     *
     * @param i tenant id the scopes are registered for
     */
    public static void initiateOAuthScopePermissionsBindings(int i) {
        try {
            if (hasScopesAlreadyAdded(i)) {
                if (log.isDebugEnabled()) {
                    log.debug("OAuth scopes are already loaded");
                }
                return;
            }
            for (Scope scope : loadOauthScopeBinding()) {
                OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO().addScope(scope, i);
            }
            if (log.isDebugEnabled()) {
                log.debug("OAuth scopes are loaded for the tenant : " + i);
            }
        } catch (IdentityOAuth2ScopeException e) {
            log.error("Error while registering OAuth scopes with permissions bindings", e);
        }
    }

    /**
     * Checks whether the tenant already has the internal login scope with a
     * permission-type binding.
     *
     * @param i tenant id to look the scope up in
     * @return {@code true} if the scope exists and at least one of its bindings has the
     *         permissions binding type, compared ignoring case
     * @throws IdentityOAuth2ScopeServerException if the scope lookup fails
     */
    private static boolean hasScopesAlreadyAdded(int i) throws IdentityOAuth2ScopeServerException {
        Scope loginScope = OAuthTokenPersistenceFactory.getInstance().getOAuthScopeDAO().getScopeByName(INTERNAL_LOGIN_SCOPE, i);
        if (loginScope != null) {
            for (ScopeBinding binding : loginScope.getScopeBindings()) {
                if (Oauth2ScopeConstants.PERMISSIONS_BINDING_TYPE.equalsIgnoreCase(binding.getBindingType())) {
                    return true;
                }
            }
        }
        return false;
    }

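    /**
     * Reads {@code oauth-scope-bindings.xml} from the identity configuration directory and
     * builds one {@code Scope} per child of the document element, each with a single
     * permissions-type binding.
     *
     * <p>A missing file yields an empty list. A parse error is logged as a warning and the
     * scopes read up to that point are returned.
     *
     * <p>Cleanup now runs in one {@code finally} block. The decompiled version repeated it per
     * exit path, and one path left the file stream open when closing the XML reader failed.
     * The file-not-found warning previously mentioned "email config" and now names the scope
     * config.
     *
     * @return the scopes declared in the file, possibly empty; never {@code null}
     */
    private static List<Scope> loadOauthScopeBinding() {
        List<Scope> scopes = new ArrayList<>();
        String path = Paths.get(CarbonUtils.getCarbonConfigDirPath(), IDENTITY_PATH, "oauth-scope-bindings.xml").toString();
        File file = new File(path);
        if (!file.exists()) {
            log.warn("OAuth scope binding File is not present at: " + path);
            return scopes;
        }
        XMLStreamReader reader = null;
        FileInputStream fileStream = null;
        try {
            fileStream = new FileInputStream(file);
            // NOTE(review): the factory runs with its default settings. This file grants permissions
            // to scopes, so if it can ever be written by a less-trusted party, disable DTD and
            // external-entity support on the factory and restrict write access to the file.
            reader = XMLInputFactory.newInstance().createXMLStreamReader(fileStream);
            Iterator<?> scopeElements = new StAXOMBuilder(reader).getDocumentElement().getChildElements();
            while (scopeElements.hasNext()) {
                OMElement scopeElement = (OMElement) scopeElements.next();
                String name = scopeElement.getAttributeValue(new QName(NAME));
                String displayName = scopeElement.getAttributeValue(new QName(DISPLAY_NAME));
                String description = scopeElement.getAttributeValue(new QName(DESCRIPTION));
                List<ScopeBinding> bindings = new ArrayList<>();
                bindings.add(new ScopeBinding(Oauth2ScopeConstants.PERMISSIONS_BINDING_TYPE, loadScopePermissions(scopeElement)));
                scopes.add(new Scope(name, displayName, bindings, description));
            }
        } catch (XMLStreamException | FileNotFoundException e) {
            // Best effort, as before: keep whatever was parsed and let the caller continue.
            log.warn("Error while loading scope config.", e);
        } finally {
            // Closing the XMLStreamReader does not close the underlying stream, so both are closed here.
            if (reader != null) {
                try {
                    reader.close();
                } catch (XMLStreamException e) {
                    log.error("Error while closing XML stream", e);
                }
            }
            if (fileStream != null) {
                IdentityIOStreamUtils.closeInputStream(fileStream);
            }
        }
        return scopes;
    }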

    /**
     * Collects the text of every element named {@code PERMISSION} found two levels below the
     * given scope element, that is, among the children of its children.
     *
     * @param oMElement scope element from the scope binding configuration
     * @return the permission strings in document order; empty if none are present
     */
    private static List<String> loadScopePermissions(OMElement oMElement) {
        List<String> permissions = new ArrayList<>();
        for (Iterator<?> groups = oMElement.getChildElements(); groups.hasNext(); ) {
            OMElement group = (OMElement) groups.next();
            for (Iterator<?> entries = group.getChildElements(); entries.hasNext(); ) {
                OMElement entry = (OMElement) entries.next();
                if (PERMISSION.equals(entry.getLocalName())) {
                    permissions.add(entry.getText());
                }
            }
        }
        return permissions;
    }

    /**
     * Validates a token binding against the current request using the binder registered for
     * the binding type.
     *
     * <p>The check passes without consulting a binder when the request is {@code null}, the
     * binding is {@code null}, or its reference or type is blank. If the binding is populated
     * but no binder is registered for its type, the check fails and a warning is logged.
     *
     * <p>NOTE(review): because a {@code null} request passes, a bound token is accepted on any
     * path that has no request to pass in; callers that must enforce the binding need to
     * reject that case themselves.
     *
     * @param tokenBinding binding stored with the token, may be {@code null}
     * @param httpServletRequest request to validate the binding against, may be {@code null}
     * @return {@code true} if there is nothing to validate or the binder accepts the request
     */
    public static boolean isValidTokenBinding(TokenBinding tokenBinding, HttpServletRequest httpServletRequest) {
        boolean nothingToValidate = httpServletRequest == null
                || tokenBinding == null
                || StringUtils.isBlank(tokenBinding.getBindingReference())
                || StringUtils.isBlank(tokenBinding.getBindingType());
        if (nothingToValidate) {
            return true;
        }
        Optional<TokenBinder> binder = OAuth2ServiceComponentHolder.getInstance().getTokenBinder(tokenBinding.getBindingType());
        if (!binder.isPresent()) {
            log.warn("Token binder with type: " + tokenBinding.getBindingType() + " is not available.");
            return false;
        }
        return binder.get().isValidTokenBinding(httpServletRequest, tokenBinding.getBindingReference());
    }

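    /**
     * Fetches the JWK set at the given URI and returns the first certificate in the X.509
     * chain of the first key whose use is {@code KeyUse.SIGNATURE}.
     *
     * <p>A signature key without an {@code x5c} chain is now reported as an
     * {@code IdentityOAuth2Exception} rather than failing on the chain lookup.
     *
     * @param str JWKS URI to load
     * @return the leading certificate of the selected signing key
     * @throws IdentityOAuth2Exception if the set cannot be fetched or parsed, contains no
     *                                 signature key, or that key carries no certificate chain
     */
    private static X509Certificate getPublicCertFromJWKS(String str) throws IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            log.debug(String.format("Attempting to retrieve public certificate from the Jwks uri: %s.", str));
        }
        try {
            // NOTE(review): the single-argument load passes no connect/read timeout or size limit, and
            // the URI is configuration-supplied. Consider the bounded JWKSet.load overload and
            // validating the scheme and host where the URI is registered.
            JWK signingKey = null;
            for (JWK candidate : JWKSet.load(new URL(str)).getKeys()) {
                if (KeyUse.SIGNATURE == candidate.getKeyUse()) {
                    signingKey = candidate;
                    break;
                }
            }
            if (signingKey == null) {
                throw new IdentityOAuth2Exception(String.format("Failed to retrieve public certificate from jwks uri: %s", str));
            }
            // A JWK may omit x5c altogether, in which case there is no certificate to return.
            List<X509Certificate> chain = signingKey.getParsedX509CertChain();
            if (chain == null || chain.isEmpty()) {
                throw new IdentityOAuth2Exception(String.format("Failed to retrieve public certificate from jwks uri: %s", str));
            }
            X509Certificate signingCertificate = chain.get(0);
            if (log.isDebugEnabled()) {
                log.debug(String.format("Retrieved the public signing certificate successfully from the jwks uri: %s", str));
            }
            return signingCertificate;
        } catch (IOException | ParseException e) {
            throw new IdentityOAuth2Exception(String.format("Failed to retrieve public certificate from jwks uri: %s", str), e);
        }
    }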

    /**
     * Looks up the JWKS URI configured on the service provider resolved from the two
     * arguments.
     *
     * @param str client id, as used in the debug message and passed first to {@code getServiceProvider}
     * @param str2 second argument passed to {@code getServiceProvider}
     * @return the value of the first property named {@code Constants.JWKS_URI}, or
     *         {@code null} if no such property exists
     * @throws IdentityOAuth2Exception if the service provider lookup fails
     */
    private static String getSPJwksUrl(String str, String str2) throws IdentityOAuth2Exception {
        String jwksUri = null;
        for (ServiceProviderProperty property : getServiceProvider(str, str2).getSpProperties()) {
            if (org.wso2.carbon.identity.openidconnect.model.Constants.JWKS_URI.equals(property.getName())) {
                jwksUri = property.getValue();
                break;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug(String.format("Retrieved jwks uri: %s for the service provider associated with client_id: %s", jwksUri, str));
        }
        return jwksUri;
    }

    /**
     * Computes the JWK thumbprint of the RSA key in the given certificate, using the digest
     * named by {@code Constants.SHA1} (the log messages describe it as SHA-1).
     *
     * <p>The certificate is re-parsed from its encoded form before the key is extracted.
     *
     * <p>NOTE(review): SHA-1 is acceptable for a key identifier; confirm that no caller relies
     * on this value for collision resistance.
     *
     * @param certificate certificate holding the RSA public key
     * @return the thumbprint as a Base64URL string
     * @throws IdentityOAuth2Exception if the certificate cannot be encoded or parsed, or the
     *                                 thumbprint cannot be computed
     */
    public static String getJwkThumbPrint(Certificate certificate) throws IdentityOAuth2Exception {
        if (log.isDebugEnabled()) {
            log.debug(String.format("Calculating SHA-1 JWK thumb-print for certificate: %s", certificate.toString()));
        }
        try {
            CertificateFactory factory = CertificateFactory.getInstance(org.wso2.carbon.identity.openidconnect.model.Constants.X509);
            X509Certificate x509 = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
            String thumbprint = RSAKey.parse(x509)
                    .computeThumbprint(org.wso2.carbon.identity.openidconnect.model.Constants.SHA1)
                    .toString();
            if (log.isDebugEnabled()) {
                log.debug(String.format("Calculated SHA-1 JWK thumbprint %s from the certificate", thumbprint));
            }
            return thumbprint;
        } catch (CertificateException | JOSEException e) {
            throw new IdentityOAuth2Exception("Error occurred while generating SHA-1 JWK thumbprint", e);
        }
    }
}
