package org.wso2.carbon.identity.oauth2.validators;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/OAuth2JWTTokenValidator.class */
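/**
 * Validates a self-contained JWT access token issued by the resident Identity Provider of the current tenant.
 *
 * <p>What this validator checks, in order (any failure stops validation):
 * <ol>
 *   <li>the token is a three-part compact JWS ({@link #isJWT});</li>
 *   <li>{@code iss}, {@code sub}, {@code exp}, {@code aud} and {@code jti} are all present ({@link #validateRequiredFields});</li>
 *   <li>{@code iss} equals the {@code IdPEntityId} of the resident IdP's OIDC authenticator ({@link #getResidentIDPForIssuer});</li>
 *   <li>the signature verifies with the resident IdP's configured certificate, and the header {@code alg} is an
 *       RSA family ({@code RS*} / {@code PS*}) ({@link #validateSignature});</li>
 *   <li>{@code exp} is in the future and {@code nbf} (if present) is not in the future, each with the configured skew.</li>
 * </ol>
 *
 * <p>NOTE(review): what is <em>not</em> checked here and must be enforced elsewhere if required:
 * the {@code aud} value is only tested for presence, never compared against this server or resource;
 * {@code jti} is required but there is no revocation lookup; the IdP certificate is decoded but its own
 * validity period is not examined. Confirm these are covered by the caller / other validators.
 */
public class OAuth2JWTTokenValidator extends DefaultOAuth2TokenValidator {

    /** Accepted JWS algorithm families: RSASSA-PKCS1-v1_5 ({@code RS*}) and RSASSA-PSS ({@code PS*}). */
    private static final String ALGO_PREFIX = "RS";
    private static final String ALGO_PREFIX_PS = "PS";
    private static final Log log = LogFactory.getLog(OAuth2JWTTokenValidator.class);
    /** Resident IdP OIDC authenticator property whose value must equal the token's {@code iss} claim. */
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    private static final String DOT_SEPARATOR = ".";
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String TOKEN_TYPE_JWT = "JWT";
    private static final long MILLIS_PER_SECOND = 1000L;

    /**
     * Validates the access token carried in the message context.
     *
     * @param oAuth2TokenValidationMessageContext context holding the token to validate
     * @return {@code true} if every check passes; {@code false} if the token is not a JWT, a required claim is
     *         missing, the signature does not verify, or the token is expired
     * @throws IdentityOAuth2Exception if the token cannot be parsed, the claim set is empty, the issuer does not
     *         match the resident IdP, the signer certificate / algorithm cannot be used, or {@code nbf} is in the future
     */
    @Override // org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator, org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator
    public boolean validateAccessToken(OAuth2TokenValidationMessageContext oAuth2TokenValidationMessageContext)
            throws IdentityOAuth2Exception {

        String accessToken = oAuth2TokenValidationMessageContext.getRequestDTO().getAccessToken().getIdentifier();
        // Not a compact JWS at all: report "not valid" rather than failing hard, so the token can be
        // handled by another validator type.
        if (!isJWT(accessToken)) {
            return false;
        }
        try {
            SignedJWT signedJWT = SignedJWT.parse(accessToken);
            JWTClaimsSet claimsSet = signedJWT.getJWTClaimsSet();
            if (claimsSet == null) {
                throw new IdentityOAuth2Exception("Claim values are empty in the given Token.");
            }
            // The required-field check must run first: the steps after it rely on a non-empty iss
            // and a non-null exp.
            if (!validateRequiredFields(claimsSet)) {
                return false;
            }
            IdentityProvider issuerIdP = getResidentIDPForIssuer(claimsSet.getIssuer());
            if (!validateSignature(signedJWT, issuerIdP)) {
                return false;
            }
            if (!checkExpirationTime(claimsSet.getExpirationTime())) {
                return false;
            }
            // An nbf violation is reported by exception, not by a false return (see checkNotBeforeTime).
            checkNotBeforeTime(claimsSet.getNotBeforeTime());
            return true;
        } catch (JOSEException | ParseException e) {
            throw new IdentityOAuth2Exception("Error while validating Token.", e);
        }
    }

    /** @return the token type handled by this validator ({@code "JWT"}) */
    @Override // org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator, org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator
    public String getTokenType() {
        return TOKEN_TYPE_JWT;
    }

    /**
     * Resolves the certificate used to verify the token signature.
     *
     * <p>The key material is taken exclusively from the Identity Provider's configured certificate; the JWS
     * header is deliberately ignored here, so header-supplied parameters such as {@code jku}, {@code x5c} or
     * {@code kid} cannot steer verification to an attacker-chosen key. Subclasses overriding this method
     * should keep that property.
     *
     * @param jWSHeader        the token header (unused by this implementation)
     * @param identityProvider the IdP whose configured certificate is the expected signer
     * @return the decoded X.509 certificate
     * @throws IdentityOAuth2Exception if the configured certificate cannot be decoded
     */
    protected X509Certificate resolveSignerCertificate(JWSHeader jWSHeader, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {

        String tenantDomain = getTenantDomain();
        try {
            return (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
        } catch (CertificateException e) {
            throw new IdentityOAuth2Exception("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain, e);
        }
    }

    /** @return the {@code sub} claim of the token (may be {@code null} if absent) */
    private String resolveSubject(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getSubject();
    }

    /**
     * Returns the resident IdP of the current tenant if, and only if, its OIDC {@code IdPEntityId} equals the
     * token issuer. Tokens from any other issuer are rejected; there is no lookup of federated IdPs.
     *
     * @param str the {@code iss} claim (guaranteed non-empty by {@link #validateRequiredFields})
     * @return the resident Identity Provider
     * @throws IdentityOAuth2Exception if the issuer does not match, or the resident IdP cannot be loaded
     */
    private IdentityProvider getResidentIDPForIssuer(String str) throws IdentityOAuth2Exception {

        String tenantDomain = getTenantDomain();
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
            FederatedAuthenticatorConfig oidcAuthenticator = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                    residentIdP.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
            // With no OIDC authenticator configured the expected issuer is "", which can never match the
            // (non-empty) iss claim, so the token is rejected below.
            String registeredIssuer = "";
            if (oidcAuthenticator != null) {
                // NOTE(review): getProperty(...) is dereferenced unguarded; if it can return null when the
                // IdPEntityId property is absent this would surface as an NPE rather than the exception below — confirm.
                registeredIssuer = IdentityApplicationManagementUtil.getProperty(
                        oidcAuthenticator.getProperties(), OIDC_IDP_ENTITY_ID).getValue();
            }
            if (str.equals(registeredIssuer)) {
                return residentIdP;
            }
            throw new IdentityOAuth2Exception("No Registered IDP found for the token with issuer name : " + str);
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(
                    String.format("Error while getting Resident Identity Provider of '%s' tenant.", tenantDomain), e);
        }
    }

    /**
     * Verifies the JWS signature against the IdP's configured certificate.
     *
     * <p>Only {@code RS*} and {@code PS*} header algorithms are accepted; anything else ({@code none},
     * {@code HS*}, {@code ES*}, ...) is rejected with an exception before any verification is attempted, which
     * also rules out the classic "HMAC with the RSA public key" algorithm-substitution attack.
     *
     * @param signedJWT        the parsed token
     * @param identityProvider the expected signer
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws JOSEException           on a verifier failure
     * @throws IdentityOAuth2Exception if no certificate is available, the algorithm is unsupported, or the
     *                                 certificate's public key is not RSA
     */
    private boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws JOSEException, IdentityOAuth2Exception {

        X509Certificate signerCertificate = resolveSignerCertificate(signedJWT.getHeader(), identityProvider);
        if (signerCertificate == null) {
            throw new IdentityOAuth2Exception("Unable to locate certificate for Identity Provider: "
                    + identityProvider.getDisplayName());
        }
        String algorithmName = signedJWT.getHeader().getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithmName)) {
            throw new IdentityOAuth2Exception("Algorithm must not be null.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the Token Header: " + algorithmName);
        }

        JWSVerifier verifier = null;
        if (algorithmName.startsWith(ALGO_PREFIX) || algorithmName.startsWith(ALGO_PREFIX_PS)) {
            PublicKey publicKey = signerCertificate.getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new IdentityOAuth2Exception("Public key is not an RSA public key.");
            }
            verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
        } else if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet: " + algorithmName);
        }
        if (verifier == null) {
            throw new IdentityOAuth2Exception("Could not create a signature verifier for algorithm type: " + algorithmName);
        }

        boolean verified = signedJWT.verify(verifier);
        if (log.isDebugEnabled()) {
            log.debug("Signature verified: " + verified);
        }
        return verified;
    }

    /**
     * Checks the {@code exp} claim against the current time.
     *
     * <p>The skew is added to the current time, i.e. the token is treated as expired {@code skew} ms
     * <em>before</em> its {@code exp} (fail-closed), not for {@code skew} ms after it.
     *
     * @param date the {@code exp} claim (non-null; guaranteed by {@link #validateRequiredFields})
     * @return {@code true} if the token is still valid, {@code false} if expired
     */
    private boolean checkExpirationTime(Date date) {

        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLIS_PER_SECOND;
        long expirationTimeMillis = date.getTime();
        long currentTimeMillis = System.currentTimeMillis();
        boolean expired = currentTimeMillis + timeStampSkewMillis > expirationTimeMillis;
        if (log.isDebugEnabled()) {
            if (expired) {
                log.debug("Token is expired., Expiration Time(ms) : " + expirationTimeMillis + ", TimeStamp Skew : "
                        + timeStampSkewMillis + ", Current Time : " + currentTimeMillis
                        + ". Token Rejected and validation terminated.");
            } else {
                log.debug("Expiration Time(exp) of Token was validated successfully.");
            }
        }
        return !expired;
    }

    /**
     * Checks the optional {@code nbf} claim. A token is accepted if {@code nbf} is no later than
     * now + skew.
     *
     * @param date the {@code nbf} claim, or {@code null} if absent (then accepted)
     * @return always {@code true} when it returns
     * @throws IdentityOAuth2Exception if the token is used before its {@code nbf}
     */
    private boolean checkNotBeforeTime(Date date) throws IdentityOAuth2Exception {

        if (date == null) {
            return true;
        }
        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLIS_PER_SECOND;
        long notBeforeTimeMillis = date.getTime();
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis + timeStampSkewMillis < notBeforeTimeMillis) {
            if (log.isDebugEnabled()) {
                log.debug("Token is used before Not_Before_Time., Not Before Time(ms) : " + notBeforeTimeMillis
                        + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeMillis
                        + ". Token Rejected and validation terminated.");
            }
            throw new IdentityOAuth2Exception("Token is used before Not_Before_Time.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Not Before Time(nbf) of Token was validated successfully.");
        }
        return true;
    }

    /**
     * Checks that {@code iss}, {@code sub}, {@code exp}, {@code aud} and {@code jti} are present.
     *
     * <p>NOTE(review): presence only — {@code aud} is never compared with the audience this server expects,
     * and {@code jti} is not checked against any revocation store. Confirm those are enforced elsewhere.
     *
     * @param jWTClaimsSet the token claims
     * @return {@code true} if all mandatory claims are present
     */
    private boolean validateRequiredFields(JWTClaimsSet jWTClaimsSet) throws IdentityOAuth2Exception {

        String subject = resolveSubject(jWTClaimsSet);
        List<String> audience = jWTClaimsSet.getAudience();
        String jwtId = jWTClaimsSet.getJWTID();
        boolean complete = !StringUtils.isEmpty(jWTClaimsSet.getIssuer())
                && !StringUtils.isEmpty(subject)
                && jWTClaimsSet.getExpirationTime() != null
                && audience != null
                && jwtId != null;
        if (!complete && log.isDebugEnabled()) {
            log.debug("Mandatory fields(Issuer, Subject, Expiration time, jti or Audience) are empty in the given Token.");
        }
        return complete;
    }

    /**
     * @return the tenant domain of the current thread's Carbon context, defaulting to the super tenant when unset.
     *         The token is validated against this tenant's resident IdP, not one derived from the token itself.
     */
    private String getTenantDomain() {

        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        return StringUtils.isEmpty(tenantDomain) ? SUPER_TENANT_DOMAIN : tenantDomain;
    }

    /**
     * Cheap structural check: a compact JWS has exactly three dot-separated segments. A five-segment
     * JWE or anything else is reported as "not a JWT" and left to other validators.
     */
    private boolean isJWT(String str) {
        return StringUtils.countMatches(str, DOT_SEPARATOR) == 2;
    }
}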
