package org.wso2.carbon.identity.oauth2.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.IdentityProviderProperty;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ClientException;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2ServerException;
import org.wso2.carbon.identity.oauth2.validators.jwt.JWKSBasedJWTValidator;
import org.wso2.carbon.identity.openidconnect.model.Constants;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/JWTSignatureValidationUtils.class */
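public class JWTSignatureValidationUtils {

    private static final Log log = LogFactory.getLog(JWTSignatureValidationUtils.class);

    /** Name of the identity-provider property that carries the JWKS endpoint. */
    private static final String JWKS_URI = "jwksUri";
    /** Server configuration property that switches JWKS based validation on. */
    private static final String JWKS_VALIDATION_ENABLE_CONFIG = "JWTValidatorConfigs.Enable";
    /** Server configuration property controlling whether the signing certificate's validity period is enforced. */
    private static final String ENFORCE_CERTIFICATE_VALIDITY =
            "JWTValidatorConfigs.EnforceCertificateExpiryTimeValidity";

    /**
     * Validates the signature of {@code signedJWT} against the trust material configured for
     * {@code identityProvider}.
     * <p>
     * JWKS based validation is used only when it is enabled server-wide AND the identity provider has a
     * {@value #JWKS_URI} property. In every other case the identity provider's configured certificate is used.
     *
     * @param signedJWT        the parsed, signed token
     * @param identityProvider the identity provider the token is expected to be issued by
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws JOSEException           if the underlying verifier fails
     * @throws IdentityOAuth2Exception if no usable certificate or verifier can be built for the token
     */
    public static boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws JOSEException, IdentityOAuth2Exception {

        String jwksUri = getJWKSUri(identityProvider);
        if (isJWKSEnabled() && jwksUri != null) {
            return validateUsingJWKSUri(signedJWT, jwksUri);
        }
        return validateUsingCertificate(signedJWT, identityProvider);
    }

    /**
     * Reads the server-wide switch for JWKS based validation.
     *
     * @return {@code true} only when {@value #JWKS_VALIDATION_ENABLE_CONFIG} parses as {@code true}
     */
    private static boolean isJWKSEnabled() {

        boolean enabled = Boolean.parseBoolean(IdentityUtil.getProperty(JWKS_VALIDATION_ENABLE_CONFIG));
        if (enabled && log.isDebugEnabled()) {
            log.debug("JWKS based JWT validation enabled.");
        }
        return enabled;
    }

    /**
     * Looks up the JWKS endpoint configured on the identity provider.
     * <p>
     * The first property named {@value #JWKS_URI} wins. (The decompiled loop never advanced or broke out
     * once a match was found; a match now ends the search.)
     *
     * @param identityProvider the identity provider whose properties are scanned
     * @return the configured JWKS URI, or {@code null} if the identity provider has none
     */
    private static String getJWKSUri(IdentityProvider identityProvider) {

        IdentityProviderProperty[] idpProperties = identityProvider.getIdpProperties();
        if (!ArrayUtils.isEmpty(idpProperties)) {
            for (IdentityProviderProperty property : idpProperties) {
                if (StringUtils.equals(property.getName(), JWKS_URI)) {
                    String jwksUri = property.getValue();
                    if (log.isDebugEnabled()) {
                        log.debug("JWKS endpoint set for the identity provider : "
                                + identityProvider.getIdentityProviderName() + ", jwks_uri : " + jwksUri);
                    }
                    return jwksUri;
                }
            }
        }
        // Logged once, after the scan, rather than once per non-matching property.
        if (log.isDebugEnabled()) {
            log.debug("JWKS endpoint not specified for the identity provider : "
                    + identityProvider.getIdentityProviderName());
        }
        return null;
    }

    /**
     * Delegates signature validation to the JWKS based validator.
     *
     * @param signedJWT the parsed, signed token
     * @param jwksUri   the JWKS endpoint to fetch the signing keys from
     * @return the validator's verdict
     * @throws IdentityOAuth2Exception propagated from the validator
     */
    private static boolean validateUsingJWKSUri(SignedJWT signedJWT, String jwksUri) throws IdentityOAuth2Exception {

        return new JWKSBasedJWTValidator().validateSignature(signedJWT.getParsedString(), jwksUri,
                signedJWT.getHeader().getAlgorithm().getName(), (Map<String, Object>) null);
    }

    /**
     * Verifies the token signature with the identity provider's configured certificate.
     * <p>
     * Only RS* algorithms are supported on this path; any other {@code alg} value (including {@code none})
     * leaves no verifier and ends in a server exception, so it can never verify successfully.
     *
     * @param signedJWT        the parsed, signed token
     * @param identityProvider the identity provider whose certificate is the trust anchor
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws IdentityOAuth2Exception if the certificate is missing, invalid, or no verifier can be built
     * @throws JOSEException           if the underlying verifier fails
     */
    private static boolean validateUsingCertificate(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception, JOSEException {

        JWSHeader header = signedJWT.getHeader();
        X509Certificate signerCertificate = resolveSignerCertificate(header, identityProvider);
        if (signerCertificate == null) {
            handleClientException("Unable to locate certificate for Identity Provider "
                    + identityProvider.getDisplayName() + "; JWT " + header.toString());
        }
        checkValidity(signerCertificate);

        // The algorithm is taken from the unauthenticated token header. It only selects the verifier
        // type; the key always comes from the identity provider's certificate, never from the token.
        String algorithm = header.getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithm)) {
            handleClientException("Algorithm must not be null.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithm);
        }

        JWSVerifier verifier = null;
        if (algorithm.startsWith(Constants.RS)) {
            PublicKey publicKey = signerCertificate.getPublicKey();
            if (publicKey instanceof RSAPublicKey) {
                verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            } else {
                handleClientException("Public key is not an RSA public key.");
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet : " + algorithm);
        }
        if (verifier == null) {
            handleServerException("Could not create a signature verifier for algorithm type: " + algorithm);
        }
        return signedJWT.verify(verifier);
    }

    /**
     * Enforces the certificate's validity period unless that check is explicitly disabled.
     * <p>
     * The check runs by default: it is skipped only when {@value #ENFORCE_CERTIFICATE_VALIDITY} is set
     * and parses as {@code false}. An unset or empty property means "enforce".
     *
     * @param x509Certificate the signer certificate to check
     * @throws IdentityOAuth2Exception if the certificate has expired or is not yet valid
     */
    private static void checkValidity(X509Certificate x509Certificate) throws IdentityOAuth2Exception {

        String enforce = IdentityUtil.getProperty(ENFORCE_CERTIFICATE_VALIDITY);
        if (StringUtils.isNotEmpty(enforce) && !Boolean.parseBoolean(enforce)) {
            if (log.isDebugEnabled()) {
                log.debug("Check for the certificate validity is disabled.");
            }
            return;
        }
        try {
            x509Certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new IdentityOAuth2Exception("X509Certificate has expired.", e);
        } catch (CertificateNotYetValidException e) {
            throw new IdentityOAuth2Exception("X509Certificate is not yet valid.", e);
        }
    }

    /**
     * Resolves the certificate used to verify the token: the identity provider's configured certificate.
     * <p>
     * {@code jWSHeader} is not consulted here; it is part of the signature so that subclasses can
     * override the resolution strategy.
     *
     * @param jWSHeader        the token header (unused by this implementation)
     * @param identityProvider the identity provider whose certificate is decoded
     * @return the decoded certificate, or {@code null} if the identity provider has none configured
     * @throws IdentityOAuth2Exception if the configured certificate cannot be decoded
     */
    protected static X509Certificate resolveSignerCertificate(JWSHeader jWSHeader, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {

        if (identityProvider.getCertificate() == null) {
            // Nothing to decode; the caller reports a missing certificate as a client error.
            return null;
        }
        X509Certificate x509Certificate = null;
        try {
            x509Certificate = (X509Certificate) IdentityApplicationManagementUtil
                    .decodeCertificate(identityProvider.getCertificate());
        } catch (CertificateException e) {
            handleServerException("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName(), e);
        }
        return x509Certificate;
    }

    /**
     * Logs (at debug level) and throws a client exception. Always throws.
     *
     * @param message the exception message
     * @throws IdentityOAuth2ClientException always
     */
    private static void handleClientException(String message) throws IdentityOAuth2ClientException {

        if (log.isDebugEnabled()) {
            log.debug(message);
        }
        throw new IdentityOAuth2ClientException(message);
    }

    /**
     * Logs (at error level) and throws a server exception. Always throws.
     *
     * @param message the exception message
     * @throws IdentityOAuth2ServerException always
     */
    private static void handleServerException(String message) throws IdentityOAuth2ServerException {

        log.error(message);
        throw new IdentityOAuth2ServerException(message);
    }

    /**
     * Logs (at error level, with the cause) and throws a server exception. Always throws.
     * The cause is kept in the log so that a decoding failure is diagnosable.
     *
     * @param message the exception message
     * @param cause   the underlying failure
     * @throws IdentityOAuth2ServerException always
     */
    private static void handleServerException(String message, Throwable cause) throws IdentityOAuth2ServerException {

        log.error(message, cause);
        throw new IdentityOAuth2ServerException(message);
    }
}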
