package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.model.ServiceProviderProperty;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.RequestObjectException;
import org.wso2.carbon.identity.oauth2.model.OAuth2Parameters;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.jwt.JWKSBasedJWTValidator;
import org.wso2.carbon.identity.openidconnect.model.Constants;
import org.wso2.carbon.identity.openidconnect.model.RequestObject;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/RequestObjectValidatorImpl.class */
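/**
 * Default {@link RequestObjectValidator}.
 * <p>
 * Verifies the signature of an OIDC request object (against the service provider's configured
 * certificate, or its JWKS endpoint when no certificate is configured) and checks the request
 * object's claims against the enclosing authorization request: {@code client_id},
 * {@code response_type}, {@code exp}, and, for signed request objects, {@code iss} and {@code aud}.
 * <p>
 * All decisions fail closed: a missing endpoint, an unsupported algorithm, a non-RSA key or a
 * verification error yields {@code false} (logged at debug level) rather than an exception.
 */
public class RequestObjectValidatorImpl implements RequestObjectValidator {

    /** Resident IdP "openidconnect" authenticator property that names the IdP entity id (token endpoint alias). */
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    /** Server configuration key consulted when the resident IdP has no IdP entity id. */
    private static final String OIDC_ID_TOKEN_ISSUER_ID = "OAuth.OpenIDConnect.IDTokenIssuerID";
    private static final Log log = LogFactory.getLog(RequestObjectValidatorImpl.class);

    /**
     * @param requestObject the parsed request object
     * @return {@code true} when the request object carries a parsed {@link SignedJWT}
     */
    @Override
    public boolean isSigned(RequestObject requestObject) {
        return requestObject.getSignedJWT() != null;
    }

    /**
     * Verifies the request object signature and records the outcome on the request object via
     * {@code setIsSignatureValid}.
     * <p>
     * The service provider's configured certificate is preferred. When none is configured, or
     * its lookup fails (logged at warn level and treated as "not configured"), the signature is
     * verified against the service provider's JWKS endpoint instead; a blank endpoint makes the
     * signature invalid rather than skipping verification.
     *
     * @param requestObject    the signed request object
     * @param oAuth2Parameters the authorization request (supplies client_id and tenant domain)
     * @return {@code true} when the signature verified
     * @throws RequestObjectException if the service provider cannot be loaded or the JWKS based
     *                                verification fails with a server error
     */
    @Override
    public boolean validateSignature(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        SignedJWT signedJWT = requestObject.getSignedJWT();
        String clientId = oAuth2Parameters.getClientId();
        String tenantDomain = oAuth2Parameters.getTenantDomain();

        Certificate certificate = null;
        try {
            certificate = getCertificateForAlias(tenantDomain, clientId);
        } catch (RequestObjectException e) {
            // Not fatal: a failed certificate lookup falls through to the JWKS endpoint below.
            String msg = "Error retrieving public certificate for service provider checking whether a jwks endpoint is configured for the service provider with client_id: " + clientId;
            log.warn(msg);
            if (log.isDebugEnabled()) {
                log.debug(msg, e);
            }
        }

        boolean verified;
        if (certificate == null) {
            if (log.isDebugEnabled()) {
                log.debug("Public certificate not configured for Service Provider with client_id: " + clientId + " of tenantDomain: " + tenantDomain + ". Fetching the jwks endpoint for validating request object");
            }
            verified = isSignatureVerified(signedJWT, getJWKSEndpoint(oAuth2Parameters));
        } else {
            if (log.isDebugEnabled()) {
                log.debug("Public certificate configured for Service Provider with client_id: " + clientId + " of tenantDomain: " + tenantDomain + ". Using public certificate  for validating request object");
            }
            verified = isSignatureVerified(signedJWT, certificate);
        }
        requestObject.setIsSignatureValid(verified);
        return verified;
    }

    /**
     * Resolves the JWKS endpoint configured for the service provider identified by the request's client_id.
     *
     * @param oAuth2Parameters the authorization request (supplies client_id)
     * @return the value of the first {@code Constants.JWKS_URI} service provider property, or {@code ""}
     *         when the service provider has no properties or no such property
     * @throws RequestObjectException wrapping the {@link IdentityOAuth2Exception} raised while loading
     *                                the service provider
     */
    private String getJWKSEndpoint(OAuth2Parameters oAuth2Parameters) throws RequestObjectException {
        String clientId = oAuth2Parameters.getClientId();
        try {
            ServiceProviderProperty[] spProperties = OAuth2Util.getServiceProvider(clientId).getSpProperties();
            if (spProperties == null) {
                return "";
            }
            for (ServiceProviderProperty spProperty : spProperties) {
                if (Constants.JWKS_URI.equals(spProperty.getName())) {
                    String jwksUri = spProperty.getValue();
                    if (log.isDebugEnabled()) {
                        log.debug("Found jwks endpoint " + jwksUri + " for service provider with client id " + clientId);
                    }
                    // First match wins. The previous hand-rolled loop never advanced past a match and
                    // therefore never terminated once a JWKS_URI property was found.
                    return jwksUri;
                }
            }
            return "";
        } catch (IdentityOAuth2Exception e) {
            throw new RequestObjectException("Error while getting the service provider for client ID " + clientId, "server_error", e);
        }
    }

    /**
     * Verifies {@code signedJWT} against the keys published at {@code jwksEndpoint}, using the
     * algorithm named in the JWT header.
     *
     * @param signedJWT    the request object JWT
     * @param jwksEndpoint the service provider's JWKS URI; may be blank
     * @return {@code false} when the endpoint is blank (there is nothing to verify against),
     *         otherwise the {@link JWKSBasedJWTValidator} result
     * @throws RequestObjectException wrapping an {@link IdentityOAuth2Exception} from the validator
     */
    protected boolean isSignatureVerified(SignedJWT signedJWT, String jwksEndpoint) throws RequestObjectException {
        if (StringUtils.isBlank(jwksEndpoint)) {
            return false;
        }
        try {
            String algorithm = signedJWT.getHeader().getAlgorithm().getName();
            return new JWKSBasedJWTValidator().validateSignature(signedJWT.getParsedString(), jwksEndpoint, algorithm, MapUtils.EMPTY_MAP);
        } catch (IdentityOAuth2Exception e) {
            throw new RequestObjectException("Error occurred while validating request object signature using jwks endpoint", "server_error", e);
        }
    }

    /**
     * Validates the request object's claims against the authorization request.
     * <p>
     * {@code client_id} / {@code response_type} mismatches and an expired {@code exp} are reported by
     * throwing; a request object that itself carries {@code request} or {@code request_uri} is rejected
     * with {@code false}; a signed request object must additionally have a matching {@code iss} and
     * an {@code aud} containing the token endpoint alias.
     *
     * @param requestObject    the parsed request object
     * @param oAuth2Parameters the authorization request
     * @return {@code true} when every applicable check passed
     * @throws RequestObjectException on client_id/response_type mismatch, expiry, or a server error
     *                                while resolving the token endpoint alias
     */
    @Override
    public boolean validateRequestObject(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        boolean valid = validateClientIdAndResponseType(requestObject, oAuth2Parameters)
                && checkExpirationTime(requestObject);
        // Nesting is not allowed: a request object must not carry request or request_uri itself.
        if (isParamPresent(requestObject, Constants.REQUEST_URI) || isParamPresent(requestObject, Constants.REQUEST)) {
            return false;
        }
        if (requestObject.isSigned()) {
            // Keep the earlier result. Previously it was overwritten here, so a subclass returning
            // false from validateClientIdAndResponseType was ignored for signed request objects.
            valid = valid
                    && isValidIssuer(requestObject, oAuth2Parameters)
                    && isValidAudience(requestObject, oAuth2Parameters);
        }
        return valid;
    }

    /**
     * Checks that the request object's {@code aud} claim contains the tenant's token endpoint alias.
     *
     * @throws RequestObjectException if the alias cannot be resolved from the resident IdP
     */
    protected boolean isValidAudience(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {
        String tokenEndpointAlias = getTokenEpURL(oAuth2Parameters.getTenantDomain());
        return validateAudience(tokenEndpointAlias, requestObject.getClaimsSet().getAudience());
    }

    /**
     * Enforces the {@code exp} claim. A request object without {@code exp} is accepted as-is.
     * <p>
     * The configured timestamp skew is added to the current time, so the request object is rejected
     * slightly before its nominal expiry rather than tolerated after it.
     *
     * @return {@code true} when not expired
     * @throws RequestObjectException {@code invalid_request} when the request object is expired
     */
    private boolean checkExpirationTime(RequestObject requestObject) throws RequestObjectException {
        Date expirationTime = requestObject.getClaimsSet().getExpirationTime();
        if (expirationTime == null) {
            return true;
        }
        long timeStampSkewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * 1000;
        long expirationTimeMillis = expirationTime.getTime();
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis + timeStampSkewMillis > expirationTimeMillis) {
            logAndReturnFalse("Request Object is expired., Expiration Time(ms) : " + expirationTimeMillis + ", TimeStamp Skew : " + timeStampSkewMillis + ", Current Time : " + currentTimeMillis + ". Token Rejected.");
            throw new RequestObjectException("invalid_request", "Request Object is Expired.");
        }
        return true;
    }

    /**
     * Checks that the {@code client_id} and {@code response_type} claims, where present, equal the
     * corresponding authorization request parameters.
     *
     * @return {@code true} when both match (or are absent from the request object)
     * @throws RequestObjectException {@code invalid_request} naming the mismatched parameter
     */
    protected boolean validateClientIdAndResponseType(RequestObject requestObject, OAuth2Parameters oAuth2Parameters)
            throws RequestObjectException {

        String clientIdClaim = requestObject.getClaimValue("client_id");
        String responseTypeClaim = requestObject.getClaimValue("response_type");
        if (!isValidParameter(oAuth2Parameters.getClientId(), clientIdClaim)) {
            throw new RequestObjectException("invalid_request", "Request Object and Authorization request contains unmatched client_id");
        }
        if (!isValidParameter(oAuth2Parameters.getResponseType(), responseTypeClaim)) {
            throw new RequestObjectException("invalid_request", "Request Object and Authorization request contains unmatched response_type");
        }
        return true;
    }

    /**
     * @param requestValue the value from the authorization request
     * @param claimValue   the value from the request object, possibly {@code null} or empty
     * @return {@code true} when the claim is absent (the request parameter then stands alone) or equals
     *         {@code requestValue}
     */
    protected boolean isValidParameter(String requestValue, String claimValue) {
        return StringUtils.isEmpty(claimValue) || claimValue.equals(requestValue);
    }

    /**
     * Resolves the alias the request object's {@code aud} must contain for {@code tenantDomain}:
     * the {@value #OIDC_IDP_ENTITY_ID} property of the resident IdP's "openidconnect" authenticator,
     * falling back to the {@value #OIDC_ID_TOKEN_ISSUER_ID} server property when that is empty.
     *
     * @return the alias; may be empty or {@code null} when neither source provides a value
     * @throws RequestObjectException {@code server_error} when the resident IdP cannot be loaded
     */
    protected String getTokenEpURL(String tenantDomain) throws RequestObjectException {
        String idpEntityId = "";
        try {
            Property property = IdentityApplicationManagementUtil.getProperty(
                    IdentityApplicationManagementUtil.getFederatedAuthenticator(
                            IdentityProviderManager.getInstance().getResidentIdP(tenantDomain).getFederatedAuthenticatorConfigs(),
                            "openidconnect").getProperties(),
                    OIDC_IDP_ENTITY_ID);
            if (property != null) {
                idpEntityId = property.getValue();
                if (log.isDebugEnabled()) {
                    log.debug("Found IdPEntityID: " + idpEntityId + " for tenantDomain: " + tenantDomain);
                }
            }
            if (StringUtils.isEmpty(idpEntityId)) {
                idpEntityId = IdentityUtil.getProperty(OIDC_ID_TOKEN_ISSUER_ID);
                if (StringUtils.isNotEmpty(idpEntityId) && log.isDebugEnabled()) {
                    log.debug("'IdPEntityID' property was empty for tenantDomain: " + tenantDomain + ". Using OIDC IDToken Issuer value: " + idpEntityId + " as alias to identify Resident IDP.");
                }
            }
            return idpEntityId;
        } catch (IdentityProviderManagementException e) {
            log.error("Error while loading OAuth2TokenEPUrl of the resident IDP of tenant:" + tenantDomain, e);
            throw new RequestObjectException("server_error", "Server Error while validating audience of Request Object.");
        }
    }

    /**
     * @return {@code true} when the {@code iss} claim is non-empty and equals the request's client_id
     */
    protected boolean isValidIssuer(RequestObject requestObject, OAuth2Parameters oAuth2Parameters) {
        String issuer = requestObject.getClaimsSet().getIssuer();
        return StringUtils.isNotEmpty(issuer) && issuer.equals(oAuth2Parameters.getClientId());
    }

    /** @return {@code true} when the request object has a non-empty claim named {@code claimName} */
    private boolean isParamPresent(RequestObject requestObject, String claimName) {
        return StringUtils.isNotEmpty(requestObject.getClaimValue(claimName));
    }

    /**
     * @param tokenEndpointAlias the expected audience value
     * @param audience           the request object's {@code aud} values; {@code null} counts as no match
     * @return {@code true} when any audience value equals the alias, else {@code false} (logged at debug)
     */
    protected boolean validateAudience(String tokenEndpointAlias, List<String> audience) {
        if (audience != null) {
            for (String aud : audience) {
                if (StringUtils.equals(tokenEndpointAlias, aud)) {
                    return true;
                }
            }
        }
        return logAndReturnFalse("None of the audience values matched the tokenEndpoint Alias: " + tokenEndpointAlias);
    }

    /**
     * @deprecated use {@link #getX509CertOfOAuthApp(String, String)}; note that its parameters are in
     *             the opposite order (client_id first).
     */
    @Deprecated
    protected Certificate getCertificateForAlias(String tenantDomain, String clientId) throws RequestObjectException {
        return getX509CertOfOAuthApp(clientId, tenantDomain);
    }

    /**
     * Loads the certificate configured for the OAuth application.
     *
     * @return the application certificate as returned by {@link OAuth2Util#getX509CertOfOAuthApp}
     * @throws RequestObjectException wrapping the lookup failure; the cause's own message is used when
     *                                it has one
     */
    protected Certificate getX509CertOfOAuthApp(String clientId, String tenantDomain) throws RequestObjectException {
        try {
            return OAuth2Util.getX509CertOfOAuthApp(clientId, tenantDomain);
        } catch (IdentityOAuth2Exception e) {
            String message = "Error retrieving application certificate of OAuth app with client_id: " + clientId + " , tenantDomain: " + tenantDomain;
            if (StringUtils.isNotBlank(e.getMessage())) {
                message = e.getMessage();
            }
            // The cast selects the (String, Throwable) constructor, as the original call did.
            throw new RequestObjectException(message, (Throwable) e);
        }
    }

    /**
     * Verifies {@code signedJWT} with the RSA public key of {@code certificate}.
     * <p>
     * Only algorithms whose name starts with {@code Constants.RS} or {@code Constants.PS} are accepted
     * (presumably the RSxxx / PSxxx families); anything else is rejected before the key is consulted, and
     * a non-RSA key or a {@link JOSEException} also yields {@code false}.
     *
     * @return {@code true} only when the signature verifies
     */
    protected boolean isSignatureVerified(SignedJWT signedJWT, Certificate certificate) {
        JWSHeader header = signedJWT.getHeader();
        if (certificate == null) {
            return logAndReturnFalse("Unable to locate certificate for JWT " + header.toString());
        }
        String algorithm = header.getAlgorithm().getName();
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithm);
        }
        if (!algorithm.startsWith(Constants.RS) && !algorithm.startsWith(Constants.PS)) {
            return logAndReturnFalse("Signature Algorithm not supported yet : " + algorithm);
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            return logAndReturnFalse("Public key is not an RSA public key.");
        }
        try {
            return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } catch (JOSEException e) {
            return logAndReturnFalse("Unable to verify the signature of the request object: " + signedJWT.serialize());
        }
    }

    /** Logs {@code message} at debug level (when enabled) and returns {@code false}. */
    private boolean logAndReturnFalse(String message) {
        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        return false;
    }
}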
