package org.wso2.carbon.identity.oauth2.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.context.PrivilegedCarbonContext;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.central.log.mgt.utils.LoggerUtils;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.organization.management.service.OrganizationManager;
import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementConfigUtil;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.utils.DiagnosticLog;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/util/JWTUtils.class */
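/**
 * Helper routines for parsing, validating and verifying signed JWTs (JWS) used as OAuth2
 * access tokens: structural checks, mandatory-claim checks, issuer-to-IdP resolution,
 * signing-tenant / signer-certificate resolution, time-window checks and signature
 * verification.
 *
 * <p>All methods are static and hold no state of their own; configuration is read from
 * {@link OAuthServerConfiguration}, {@link OrganizationManagementConfigUtil} and the Carbon
 * thread-local context on every call.
 *
 * <p>Every method that rejects a token does so by throwing {@link IdentityOAuth2Exception}
 * (or returning {@code false}); malformed or unexpected claim shapes are rejected the same
 * way rather than escaping as {@link ClassCastException}, {@link NullPointerException} or
 * {@link IndexOutOfBoundsException}, so callers always see a fail-closed, typed outcome.
 */
public class JWTUtils {

    private static final Log log = LogFactory.getLog(JWTUtils.class);
    private static final String DOT_SEPARATOR = ".";
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    private static final String ALGO_PREFIX = "RS";
    private static final String ALGO_PREFIX_PS = "PS";
    private static final String MUTUAL_TLS_ALIASES_ENABLED = "OAuth.MutualTLSAliases.Enabled";

    // Claim / property keys that were previously spelled inline; named once here so the
    // same key is never typed twice.
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final String ORG_ID_CLAIM = "org_id";
    private static final String REALM_CLAIM = "realm";
    private static final String SIGNING_TENANT_KEY = "signing_tenant";
    private static final String TENANT_KEY = "tenant";
    private static final String SUB_ORG_START_LEVEL_PROPERTY = "SubOrganizationStartLevel";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final int DEFAULT_SUB_ORG_START_LEVEL = 1;
    private static final long MILLIS_PER_SECOND = 1000L;
    private static final String NO_IDP_FOR_ISSUER_MSG = "No registered IDP found for the token with issuer name : ";

    /**
     * Parses a compact-serialised JWS string. The result is parsed only, not verified.
     *
     * @param str compact JWS ({@code header.payload.signature})
     * @return the parsed token
     * @throws ParseException if the string is not a well-formed JWS
     */
    public static SignedJWT parseJWT(String str) throws ParseException {

        return SignedJWT.parse(str);
    }

    /**
     * Cheap structural pre-check: a compact JWS consists of exactly three segments, i.e.
     * contains exactly two {@value #DOT_SEPARATOR} separators. {@code null} yields
     * {@code false}.
     *
     * @param str candidate token string (may be {@code null})
     * @return {@code true} if the string has the three-segment shape of a JWS
     */
    public static boolean isJWT(String str) {

        return StringUtils.countMatches(str, DOT_SEPARATOR) == 2;
    }

    /**
     * Extracts the claim set of a parsed token.
     *
     * @param signedJWT parsed token
     * @return the claim set, or empty if the token carries none
     * @throws IdentityOAuth2Exception if the payload cannot be parsed as a claim set
     */
    public static Optional<JWTClaimsSet> getJWTClaimSet(SignedJWT signedJWT) throws IdentityOAuth2Exception {

        try {
            return Optional.ofNullable(signedJWT.getJWTClaimsSet());
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while retrieving claim set from Token.", e);
        }
    }

    /**
     * Checks that the claims this validator relies on are all present: non-empty
     * {@code iss} and {@code sub}, and non-null {@code exp}, {@code aud} and {@code jti}.
     *
     * @param jWTClaimsSet claim set to check (a {@code null} set fails the check)
     * @return {@code true} only if every mandatory claim is present
     */
    public static boolean validateRequiredFields(JWTClaimsSet jWTClaimsSet) {

        boolean allPresent = jWTClaimsSet != null
                && StringUtils.isNotEmpty(jWTClaimsSet.getIssuer())
                && StringUtils.isNotEmpty(resolveSubject(jWTClaimsSet))
                && jWTClaimsSet.getExpirationTime() != null
                && jWTClaimsSet.getAudience() != null
                && jWTClaimsSet.getJWTID() != null;
        if (!allPresent && log.isDebugEnabled()) {
            log.debug("Mandatory fields(Issuer, Subject, Expiration time, jti or Audience) are empty in the given Token.");
        }
        return allPresent;
    }

    /**
     * Returns the subject ({@code sub}) claim. Kept as a separate hook so subject
     * resolution can be overridden in one place.
     *
     * @param jWTClaimsSet claim set
     * @return the {@code sub} claim, possibly {@code null}
     */
    public static String resolveSubject(JWTClaimsSet jWTClaimsSet) {

        return jWTClaimsSet.getSubject();
    }

    /**
     * Resolves the identity provider that is allowed to have issued a token with the given
     * issuer. The token is accepted for the tenant's resident IdP when any of the following
     * holds, checked in this order:
     * <ol>
     *   <li>the issuer equals the resident IdP's OIDC {@code IdPEntityId};</li>
     *   <li>mutual-TLS aliases are enabled and the issuer equals the mTLS token endpoint URL;</li>
     *   <li>organization management is enabled, the tenant's organization is the ancestor
     *       of the token's {@code org_id} at the configured sub-organization start level,
     *       and {@code org_id} equals the organization of the current thread context.</li>
     * </ol>
     * Anything else is rejected. A missing {@code IdPEntityId} property, an unknown
     * organization, or a missing organization context all count as "no match" and are
     * reported through {@link IdentityOAuth2Exception} rather than as runtime exceptions.
     *
     * @param str  issuer claim of the token (untrusted input)
     * @param str2 tenant domain the token is being validated in
     * @param str3 {@code org_id} claim of the token (untrusted input, may be {@code null} or empty)
     * @return the resident identity provider of {@code str2}
     * @throws IdentityOAuth2Exception         if no IdP matches the issuer, or the resident IdP cannot be loaded
     * @throws OrganizationManagementException if organization lookups fail
     */
    public static IdentityProvider getIDPForIssuer(String str, String str2, String str3)
            throws IdentityOAuth2Exception, OrganizationManagementException {

        if (str == null) {
            throw new IdentityOAuth2Exception(NO_IDP_FOR_ISSUER_MSG + str);
        }
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(str2);
            if (str.equals(resolveResidentIssuer(residentIdP))) {
                return residentIdP;
            }
            // With mTLS aliases enabled the resident IdP may also issue under the mTLS token endpoint URL.
            if (Boolean.parseBoolean(IdentityUtil.getProperty(MUTUAL_TLS_ALIASES_ENABLED))
                    && str.equals(OAuth2Util.OAuthURL.getOAuth2MTLSTokenEPUrl())) {
                return residentIdP;
            }
            if (!OAuth2ServiceComponentHolder.getInstance().isOrganizationManagementEnabled()) {
                throw new IdentityOAuth2Exception(NO_IDP_FOR_ISSUER_MSG + str);
            }
            if (!isIssuedWithinOrganizationTree(str2, str3)) {
                throw new IdentityOAuth2Exception(NO_IDP_FOR_ISSUER_MSG + str);
            }
            return residentIdP;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(
                    String.format("Error while getting Resident Identity Provider of '%s' tenant.", str2), e);
        }
    }

    /**
     * Returns the issuer the resident IdP advertises for OIDC ({@code IdPEntityId}), or
     * {@code ""} when the OIDC authenticator or the property is not configured.
     *
     * @param residentIdP resident identity provider
     * @return configured entity id, never {@code null}
     */
    private static String resolveResidentIssuer(IdentityProvider residentIdP) {

        FederatedAuthenticatorConfig oidcConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                residentIdP.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
        if (oidcConfig == null) {
            return "";
        }
        // A missing property used to surface as a NullPointerException; treat it as "not configured".
        Property entityId = IdentityApplicationManagementUtil.getProperty(oidcConfig.getProperties(), OIDC_IDP_ENTITY_ID);
        if (entityId == null || entityId.getValue() == null) {
            return "";
        }
        return entityId.getValue();
    }

    /**
     * Organization-tree check used when the issuer does not match the resident IdP directly:
     * the tenant's own organization must be the ancestor of {@code orgIdClaim} at index
     * {@code getSubOrgStartLevel() - 1}, and {@code orgIdClaim} must equal the organization
     * id of the current thread context.
     *
     * <p>Any missing piece (unresolvable tenant organization, too-short or absent ancestor
     * list, out-of-range start level, no organization in the thread context) yields
     * {@code false}; these used to escape as {@link NullPointerException} /
     * {@link IndexOutOfBoundsException}.
     *
     * @param tenantDomain tenant the token is validated in
     * @param orgIdClaim   {@code org_id} claim from the token (untrusted, may be {@code null})
     * @return {@code true} only if the token's organization is accepted
     * @throws OrganizationManagementException if organization lookups fail
     */
    private static boolean isIssuedWithinOrganizationTree(String tenantDomain, String orgIdClaim)
            throws OrganizationManagementException {

        OrganizationManager organizationManager = OAuth2ServiceComponentHolder.getInstance().getOrganizationManager();
        String tenantOrgId = organizationManager.resolveOrganizationId(tenantDomain);
        List<?> ancestorOrgIds = organizationManager.getAncestorOrganizationIds(orgIdClaim);
        int ancestorIndex = getSubOrgStartLevel() - 1;
        if (tenantOrgId == null || ancestorOrgIds == null
                || ancestorIndex < 0 || ancestorIndex >= ancestorOrgIds.size()) {
            return false;
        }
        String contextOrgId = PrivilegedCarbonContext.getThreadLocalCarbonContext().getOrganizationId();
        // Both conditions are required; a null context organization never matches (fail closed).
        return tenantOrgId.equals(ancestorOrgIds.get(ancestorIndex))
                && contextOrgId != null && contextOrgId.equals(orgIdClaim);
    }

    /**
     * Convenience wrapper around {@link #getIDPForIssuer(String, String, String)} that takes
     * the issuer and {@code org_id} from the claim set. An {@code org_id} claim that is not a
     * string is treated as {@code ""}.
     *
     * @param jWTClaimsSet claim set of the token
     * @param str          tenant domain the token is being validated in
     * @return the resident identity provider allowed to have issued the token
     * @throws IdentityOAuth2Exception         if no IdP matches the issuer
     * @throws OrganizationManagementException if organization lookups fail
     */
    public static IdentityProvider getResidentIDPForIssuer(JWTClaimsSet jWTClaimsSet, String str)
            throws IdentityOAuth2Exception, OrganizationManagementException {

        String orgId;
        try {
            orgId = jWTClaimsSet.getStringClaim(ORG_ID_CLAIM);
        } catch (ParseException e) {
            // Claim present but not a string: fall back to "no organization" and let the issuer checks decide.
            orgId = "";
        }
        return getIDPForIssuer(jWTClaimsSet.getIssuer(), str, orgId);
    }

    /**
     * Reads the configured sub-organization start level, defaulting to
     * {@value #DEFAULT_SUB_ORG_START_LEVEL} when the property is blank.
     *
     * @return the configured level
     * @throws NumberFormatException if the property is set but is not an integer (a
     *                               configuration error, deliberately not masked)
     */
    public static int getSubOrgStartLevel() {

        String property = OrganizationManagementConfigUtil.getProperty(SUB_ORG_START_LEVEL_PROPERTY);
        if (StringUtils.isNotBlank(property)) {
            return Integer.parseInt(property.trim());
        }
        return DEFAULT_SUB_ORG_START_LEVEL;
    }

    /**
     * Determines the tenant whose key signed the token, in this order:
     * {@code realm.signing_tenant} claim, {@code realm.tenant} claim, then (when no access
     * token is supplied) the thread-context tenant, then the authenticated user's tenant
     * unless tokens are signed with the SP key, in which case the OAuth app's tenant.
     *
     * <p>NOTE(review): the tenant names in the {@code realm} claim are read from the token
     * before any signature check. They only select which trusted certificate is used; the
     * signature verification against that certificate is what establishes trust. Confirm the
     * caller also cross-checks the chosen tenant against the issuer.
     *
     * @param jWTClaimsSet  claim set of the token
     * @param accessTokenDO persisted access token, or {@code null} if none is available
     * @return signing tenant domain
     * @throws ParseException          declared for API compatibility
     * @throws IdentityOAuth2Exception if the {@code realm} claim has an unexpected shape or the
     *                                 OAuth app's tenant cannot be resolved
     */
    public static String getSigningTenantDomain(JWTClaimsSet jWTClaimsSet, AccessTokenDO accessTokenDO)
            throws ParseException, IdentityOAuth2Exception {

        Map<?, ?> realm = getRealmClaim(jWTClaimsSet);
        if (MapUtils.isNotEmpty(realm)) {
            String signingTenant = getRealmEntry(realm, SIGNING_TENANT_KEY);
            if (signingTenant != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Getting signing tenant domain from JWT's 'signing_tenant' claim.");
                }
                return signingTenant;
            }
            String tenant = getRealmEntry(realm, TENANT_KEY);
            if (tenant != null) {
                if (log.isDebugEnabled()) {
                    log.debug("Getting signing tenant domain from JWT's 'tenant' claim.");
                }
                return tenant;
            }
        }
        if (accessTokenDO == null) {
            return getTenantDomain();
        }
        if (!OAuthServerConfiguration.getInstance().isJWTSignedWithSPKey()) {
            if (log.isDebugEnabled()) {
                log.debug("Getting signing tenant domain from authenticated user.");
            }
            return accessTokenDO.getAuthzUser().getTenantDomain();
        }
        if (log.isDebugEnabled()) {
            log.debug("Getting signing tenant domain from OAuth app.");
        }
        try {
            return OAuth2Util.getTenantDomainOfOauthApp(accessTokenDO.getConsumerKey());
        } catch (InvalidOAuthClientException e) {
            // Keep the cause; it was previously dropped.
            throw new IdentityOAuth2Exception(
                    "Error while getting tenant domain from OAuth app with consumer key: " + accessTokenDO.getConsumerKey(), e);
        }
    }

    /**
     * Returns the {@code realm} claim as a map, or {@code null} if absent.
     *
     * @param claims claim set
     * @return the realm map or {@code null}
     * @throws IdentityOAuth2Exception if the claim is present but is not a JSON object
     */
    private static Map<?, ?> getRealmClaim(JWTClaimsSet claims) throws IdentityOAuth2Exception {

        Object realm = claims.getClaim(REALM_CLAIM);
        if (realm == null) {
            return null;
        }
        // Previously an unchecked cast to HashMap; any Map implementation is acceptable, anything else is rejected.
        if (!(realm instanceof Map)) {
            throw new IdentityOAuth2Exception("'realm' claim of the token is not a JSON object.");
        }
        return (Map<?, ?>) realm;
    }

    /**
     * Returns a string entry of the {@code realm} map, or {@code null} if the key is absent.
     *
     * @param realm realm map (non-null)
     * @param key   entry key
     * @return the string value or {@code null}
     * @throws IdentityOAuth2Exception if the entry is present but not a string
     */
    private static String getRealmEntry(Map<?, ?> realm, String key) throws IdentityOAuth2Exception {

        Object value = realm.get(key);
        if (value == null) {
            return null;
        }
        if (!(value instanceof String)) {
            throw new IdentityOAuth2Exception("'" + key + "' entry of the 'realm' claim is not a string.");
        }
        return (String) value;
    }

    /**
     * Tenant domain of the current thread context, defaulting to the super tenant when none
     * is set.
     *
     * @return tenant domain, never empty
     */
    private static String getTenantDomain() {

        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
        if (StringUtils.isEmpty(tenantDomain)) {
            return SUPER_TENANT_DOMAIN;
        }
        return tenantDomain;
    }

    /**
     * Configured clock-skew tolerance in milliseconds.
     *
     * @return skew in ms
     */
    private static long getTimeStampSkewMillis() {

        return OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLIS_PER_SECOND;
    }

    /**
     * Rejects a token whose {@code nbf} lies in the future beyond the configured skew.
     * A {@code null} {@code nbf} is accepted, since the claim is optional.
     *
     * @param date {@code nbf} claim, or {@code null}
     * @throws IdentityOAuth2Exception if {@code now + skew < nbf}
     */
    public static void checkNotBeforeTime(Date date) throws IdentityOAuth2Exception {

        if (date == null) {
            return;
        }
        long skewMillis = getTimeStampSkewMillis();
        long notBeforeMillis = date.getTime();
        long nowMillis = System.currentTimeMillis();
        if (nowMillis + skewMillis >= notBeforeMillis) {
            if (log.isDebugEnabled()) {
                log.debug("Not Before Time(nbf) of Token was validated successfully.");
            }
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Token is used before Not_Before_Time., Not Before Time(ms) : " + notBeforeMillis
                    + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + nowMillis
                    + ". Token Rejected and validation terminated.");
        }
        if (LoggerUtils.isDiagnosticLogsEnabled()) {
            LoggerUtils.triggerDiagnosticLogEvent(
                    new DiagnosticLog.DiagnosticLogBuilder("oauth-inbound-service", "validate-jwt-access-token")
                            .inputParam("not before time (ms)", Long.valueOf(notBeforeMillis))
                            .inputParam("timestamp skew (ms)", Long.valueOf(skewMillis))
                            .inputParam("current time (ms)", Long.valueOf(nowMillis))
                            .resultMessage("Token is used before Not_Before_Time.")
                            .logDetailLevel(DiagnosticLog.LogDetailLevel.APPLICATION)
                            .resultStatus(DiagnosticLog.ResultStatus.FAILED));
        }
        throw new IdentityOAuth2Exception("Token is used before Not_Before_Time.");
    }

    /**
     * Looks up the signing certificate of the tenant named in the token's
     * {@code realm.signing_tenant} (or, failing that, {@code realm.tenant}) entry.
     *
     * <p>NOTE(review): the tenant name comes from an unverified claim and only chooses which
     * trusted certificate is returned; the caller's signature check is what establishes trust.
     *
     * @param jWTClaimsSet claim set of the token
     * @return the tenant's certificate, or empty if no tenant is named or no certificate is found
     * @throws IdentityOAuth2Exception if the {@code realm} claim has an unexpected shape or the
     *                                 certificate lookup fails
     */
    public static Optional<X509Certificate> getCertificateFromClaims(JWTClaimsSet jWTClaimsSet)
            throws IdentityOAuth2Exception {

        Map<?, ?> realm = getRealmClaim(jWTClaimsSet);
        if (MapUtils.isEmpty(realm)) {
            return Optional.empty();
        }
        String tenantDomain = getRealmEntry(realm, SIGNING_TENANT_KEY);
        if (tenantDomain == null) {
            tenantDomain = getRealmEntry(realm, TENANT_KEY);
        }
        if (tenantDomain == null) {
            return Optional.empty();
        }
        X509Certificate certificate = (X509Certificate) OAuth2Util.getCertificate(
                tenantDomain, IdentityTenantUtil.getTenantId(tenantDomain));
        return Optional.ofNullable(certificate);
    }

    /**
     * Verifies the token signature with the certificate's RSA public key.
     *
     * <p>Only {@code RS*} and {@code PS*} algorithms are accepted and an RSA verifier is always
     * built from the certificate's public key; any other algorithm name (including symmetric
     * ones) is rejected before a verifier is created, so the public key can never be misused
     * as an HMAC secret.
     *
     * @param signedJWT       parsed token
     * @param x509Certificate certificate whose public key must have signed the token
     * @param str             JWS algorithm name taken from the token header
     * @return {@code true} if the signature verifies
     * @throws IdentityOAuth2Exception if the algorithm is unsupported, no certificate is given,
     *                                 or the key is not an RSA key
     * @throws JOSEException           if the underlying verifier fails
     */
    public static boolean verifySignature(SignedJWT signedJWT, X509Certificate x509Certificate, String str)
            throws IdentityOAuth2Exception, JOSEException {

        boolean rsaFamily = str != null && (str.startsWith(ALGO_PREFIX) || str.startsWith(ALGO_PREFIX_PS));
        if (!rsaFamily) {
            if (log.isDebugEnabled()) {
                log.debug("Signature Algorithm not supported yet: " + str);
            }
            throw new IdentityOAuth2Exception("Could not create a signature verifier for algorithm type: " + str);
        }
        if (x509Certificate == null) {
            throw new IdentityOAuth2Exception("No certificate available to verify the token signature.");
        }
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IdentityOAuth2Exception("Public key is not an RSA public key.");
        }
        JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
        boolean verified = signedJWT.verify(verifier);
        if (log.isDebugEnabled()) {
            log.debug("Signature verified: " + verified);
        }
        return verified;
    }

    /**
     * Reads the JWS algorithm name from the token header.
     *
     * @param signedJWT parsed token
     * @return algorithm name, never empty
     * @throws IdentityOAuth2Exception if the header carries no algorithm
     */
    public static String verifyAlgorithm(SignedJWT signedJWT) throws IdentityOAuth2Exception {

        String algorithmName = signedJWT.getHeader().getAlgorithm() == null
                ? null
                : signedJWT.getHeader().getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithmName)) {
            throw new IdentityOAuth2Exception("Algorithm must not be null.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the Token Header: " + algorithmName);
        }
        return algorithmName;
    }

    /**
     * Decodes the identity provider's configured public certificate.
     *
     * @param identityProvider provider whose certificate to decode
     * @return the decoded certificate, never {@code null}
     * @throws IdentityOAuth2Exception if no certificate is configured or it cannot be decoded
     */
    public static X509Certificate resolveSignerCertificate(IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {

        String tenantDomain = getTenantDomain();
        if (StringUtils.isBlank(identityProvider.getCertificate())) {
            // Without a certificate the signature can never be verified; report it explicitly.
            throw new IdentityOAuth2Exception("No public certificate configured for Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain);
        }
        try {
            return (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
        } catch (CertificateException e) {
            throw new IdentityOAuth2Exception("Error occurred while decoding public certificate of Identity Provider "
                    + identityProvider.getIdentityProviderName() + " for tenant domain " + tenantDomain, e);
        }
    }

    /**
     * Checks the {@code exp} claim against the current time with the configured skew.
     * A {@code null} expiration is treated as expired (fail closed).
     *
     * @param date {@code exp} claim, or {@code null}
     * @return {@code true} if {@code now + skew <= exp}
     */
    public static boolean checkExpirationTime(Date date) {

        if (date == null) {
            if (log.isDebugEnabled()) {
                log.debug("Token has no Expiration Time(exp). Token Rejected and validation terminated.");
            }
            return false;
        }
        long skewMillis = getTimeStampSkewMillis();
        long expiryMillis = date.getTime();
        long nowMillis = System.currentTimeMillis();
        boolean valid = nowMillis + skewMillis <= expiryMillis;
        if (log.isDebugEnabled()) {
            if (valid) {
                log.debug("Expiration Time(exp) of Token was validated successfully.");
            } else {
                log.debug("Token is expired., Expiration Time(ms) : " + expiryMillis
                        + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + nowMillis
                        + ". Token Rejected and validation terminated.");
            }
        }
        return valid;
    }
}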
