package org.wso2.carbon.identity.oauth2.validators.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.text.ParseException;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/validators/jwt/JWKSBasedJWTValidator.class */
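/**
 * {@link JWTValidator} that verifies a JWT's signature against the keys published at a remote
 * JWKS endpoint, optionally enforcing the validity period of the X.509 certificate ({@code x5c})
 * attached to the matching JWK.
 *
 * <p>Thread-safety: {@link #setJWKeySelector(String, String)} reconfigures the shared
 * {@code jwtProcessor} on every validation, so concurrent calls on one instance with different
 * {@code jwks_uri}/{@code alg} values can observe each other's key selector. NOTE(review): whether
 * instances are shared across threads is not visible here — confirm with the registering code.
 */
public class JWKSBasedJWTValidator implements JWTValidator {

    private static final Log log = LogFactory.getLog(JWKSBasedJWTValidator.class);

    /** Config property; when set to {@code false} the x5c expiry/not-before check is skipped. */
    private static final String ENFORCE_CERTIFICATE_VALIDITY =
            "JWTValidatorConfigs.EnforceCertificateExpiryTimeValidity";

    private ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();

    /**
     * Parses {@code jwtString}, enforces the certificate validity policy for the JWK that matches
     * its {@code kid}, and then verifies the signature with keys fetched from {@code jwksUri}.
     *
     * @param jwtString serialized JWT; must be a JWS (signed JWT)
     * @param jwksUri   remote JWKS endpoint the signing key is resolved from
     * @param algorithm expected JWS algorithm name (e.g. {@code RS256})
     * @param opts      optional values copied into the processor's security context; may be null/empty
     * @return {@code true} when validation succeeds; every failure is reported as an exception
     * @throws IdentityOAuth2Exception on parse failure, malformed or unreachable JWKS URI, missing or
     *                                 non-matching key, expired/not-yet-valid certificate, a non-JWS
     *                                 input, or signature verification failure
     */
    @Override
    public boolean validateSignature(String jwtString, String jwksUri, String algorithm, Map<String, Object> opts)
            throws IdentityOAuth2Exception {

        try {
            JWT jwt = JWTParser.parse(jwtString);
            if (!(jwt instanceof SignedJWT)) {
                // Fail closed with the declared exception type: only a JWS can be verified against a
                // JWKS; the previous unchecked cast surfaced this case as a ClassCastException.
                throw new IdentityOAuth2Exception("Provided JWT is not a signed JWT (JWS); signature validation failed.");
            }
            checkCertificateValidity(jwksUri, (SignedJWT) jwt);
            return validateSignature(jwt, jwksUri, algorithm, opts);
        } catch (KeySourceException e) {
            throw new IdentityOAuth2Exception("Error occurred while accessing remote JWKS endpoint: " + jwksUri, e);
        } catch (MalformedURLException e) {
            throw new IdentityOAuth2Exception("Provided jwks_uri: " + jwksUri + " is malformed.", e);
        } catch (CertificateExpiredException e) {
            throw new IdentityOAuth2Exception("X509Certificate has expired.", e);
        } catch (CertificateNotYetValidException e) {
            throw new IdentityOAuth2Exception("X509Certificate is not yet valid.", e);
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error occurred while parsing JWT string.", e);
        } catch (BadJOSEException e) {
            throw new IdentityOAuth2Exception("Signature validation failed for the provided JWT.", e);
        }
    }

    /**
     * Looks up the JWK whose {@code kid} matches the JWS header and, when it carries an {@code x5c}
     * chain, checks that the leaf certificate is currently within its validity period.
     *
     * <p>Skipped entirely when {@value #ENFORCE_CERTIFICATE_VALIDITY} is configured as {@code false}.
     * A JWK without {@code x5c} is accepted without a certificate check (the signature itself is still
     * verified later by the processor); an {@code x5c} that cannot be parsed is likewise skipped but
     * logged at WARN so a misconfigured JWKS is visible.
     *
     * @param jwksUri   remote JWKS endpoint
     * @param signedJWT the JWS whose header {@code kid} selects the key
     * @throws MalformedURLException          if {@code jwksUri} is not a valid URL
     * @throws CertificateNotYetValidException if the certificate's not-before is in the future
     * @throws CertificateExpiredException    if the certificate's not-after has passed
     * @throws KeySourceException             if the JWK set or a matching key cannot be obtained
     * @throws BadJOSEException               if the JWS header has no {@code kid}
     */
    private void checkCertificateValidity(String jwksUri, SignedJWT signedJWT)
            throws MalformedURLException, CertificateNotYetValidException, CertificateExpiredException,
            KeySourceException, BadJOSEException {

        String enforce = IdentityUtil.getProperty(ENFORCE_CERTIFICATE_VALIDITY);
        if (StringUtils.isNotEmpty(enforce) && !Boolean.parseBoolean(enforce)) {
            if (log.isDebugEnabled()) {
                log.debug("Check for the certificate validity is disabled.");
            }
            return;
        }

        RemoteJWKSet<SecurityContext> jwkSource = JWKSourceDataProvider.getInstance().getJWKSource(jwksUri);
        String keyId = Optional.ofNullable(signedJWT.getHeader()).map(JWSHeader::getKeyID).orElse(null);
        if (keyId == null) {
            throw new BadJOSEException("Value of the \"kid\" property in JWS header is null.");
        }
        if (jwkSource == null) {
            throw new KeySourceException("Remote JWK set not found in the JWKS endpoint: " + jwksUri);
        }

        List<JWK> matches = jwkSource.get(
                new JWKSelector(new JWKMatcher.Builder().keyID(keyId).build()), (SecurityContext) null);
        if (matches == null || matches.isEmpty()) {
            throw new KeySourceException("No matching keys found in JWKS endpoint: " + jwksUri);
        }
        if (log.isDebugEnabled()) {
            log.debug("Matching key found in JWKS endpoint: " + jwksUri);
        }

        // NOTE(review): only the first kid match is inspected here; if several keys share a kid the
        // processor's selector (which additionally filters on alg) may verify with a different one.
        JWK jwk = matches.get(0);
        List<Base64> chain = jwk.getX509CertChain();
        if (chain == null || chain.isEmpty()) {
            if (log.isDebugEnabled()) {
                log.debug("x5c parameter is undefined in JWK having the kid: " + keyId);
                log.debug("X509Certificate is null. Hence, certificate expiry date validation is skipped.");
            }
            return;
        }

        // X509CertUtils.parse returns null when the bytes are not a parseable certificate.
        X509Certificate certificate = X509CertUtils.parse(chain.get(0).decode());
        if (certificate == null) {
            log.warn("x5c of JWK with kid: " + keyId + " could not be parsed as an X509Certificate. "
                    + "Certificate expiry date validation is skipped.");
            return;
        }
        certificate.checkValidity();
    }

    /**
     * Verifies the signature of an already-parsed JWT using keys from {@code jwksUri}.
     *
     * <p>The processor dispatches on the concrete JWT type; with the default
     * {@link DefaultJWTProcessor} configuration only a JWS with a matching key verifies — plain
     * (unsecured) and encrypted JWTs are rejected by the processor and surface as
     * {@link IdentityOAuth2Exception}.
     *
     * @param jwt       parsed JWT; must not be null
     * @param jwksUri   remote JWKS endpoint
     * @param algorithm expected JWS algorithm name
     * @param opts      optional values copied into the security context; may be null/empty
     * @return {@code true} when the processor accepts the JWT
     * @throws IdentityOAuth2Exception if the JWT is null, the URI is malformed, or verification fails
     */
    @Override
    public boolean validateSignature(JWT jwt, String jwksUri, String algorithm, Map<String, Object> opts)
            throws IdentityOAuth2Exception {

        if (jwt == null) {
            throw new IdentityOAuth2Exception("Provided JWT is null; signature validation failed.");
        }
        if (log.isDebugEnabled()) {
            log.debug("validating JWT signature using jwks_uri: " + jwksUri + " , for signing algorithm: " + algorithm);
        }
        try {
            setJWKeySelector(jwksUri, algorithm);
            SimpleSecurityContext context = null;
            if (MapUtils.isNotEmpty(opts)) {
                context = new SimpleSecurityContext();
                context.putAll(opts);
            }
            // process(JWT, C) selects the PlainJWT/SignedJWT/EncryptedJWT overload itself.
            this.jwtProcessor.process(jwt, context);
            return true;
        } catch (BadJOSEException e) {
            throw new IdentityOAuth2Exception("Signature validation failed for the provided JWT", e);
        } catch (JOSEException e) {
            throw new IdentityOAuth2Exception("Signature validation failed for the provided JWT.", e);
        } catch (MalformedURLException e) {
            throw new IdentityOAuth2Exception("Provided jwks_uri is malformed.", e);
        }
    }

    /**
     * Installs a key selector that restricts verification to {@code algorithm} and to keys served
     * by {@code jwksUri}. Pinning the algorithm here is what stops a token's own {@code alg}
     * header from choosing the verification method.
     *
     * @param jwksUri   remote JWKS endpoint
     * @param algorithm expected JWS algorithm name
     * @throws MalformedURLException if {@code jwksUri} is not a valid URL
     */
    private void setJWKeySelector(String jwksUri, String algorithm) throws MalformedURLException {

        JWSAlgorithm expectedAlgorithm = JWSAlgorithm.parse(algorithm);
        this.jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                expectedAlgorithm, JWKSourceDataProvider.getInstance().getJWKSource(jwksUri)));
    }
}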
