package org.wso2.carbon.identity.application.authenticator.google;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException;
import org.wso2.carbon.identity.application.authenticator.google.GoogleErrorConstants;

/* loaded from: input_file:org/wso2/carbon/identity/application/authenticator/google/Utils.class */
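/**
 * Static helpers for validating Google-issued ID tokens (JWTs).
 *
 * <p>Validation verifies the token signature against a remote Google JWK set and then
 * checks the {@code iss}, {@code aud} and (optionally) {@code nonce} claims.
 */
public class Utils {
    /** Values accepted in the {@code iss} claim. */
    private static final List<String> ISSUER = Arrays.asList("https://accounts.google.com", "accounts.google.com");
    /** JWK set used when the token header declares RS256. */
    private static final String JWS_RS256_URI = "https://www.googleapis.com/oauth2/v3/certs";
    /**
     * JWK set used when the token header declares ES256.
     * NOTE(review): the path suggests these are Identity-Aware Proxy keys; confirm that ES256
     * tokens are expected on this login path. If they are not, dropping the ES256 branch
     * narrows the set of keys that can produce an accepted signature.
     */
    private static final String JWS_ES256_URI = "https://www.gstatic.com/iap/verify/public_key-jwk";
    /** Name of the claim that carries the request nonce. */
    public static final String NONCE = "nonce";

    private Utils() {
    }

    /**
     * Verifies the signature of a Google ID token and checks its issuer, audience and nonce.
     *
     * <p>Time-based claims are not checked explicitly here; that is left to whatever claims
     * verifier {@link DefaultJWTProcessor} applies by default.
     * NOTE(review): confirm that the Nimbus version in use rejects tokens that carry no
     * {@code exp} claim; if it does not, require the claim explicitly.
     *
     * @param idToken       serialized JWT received from the client
     * @param audience      expected {@code aud} value (the client id registered for this IdP)
     * @param nonce         nonce bound to the login request; only read when {@code validateNonce} is set
     * @param validateNonce whether the {@code nonce} claim must match {@code nonce}
     * @return {@code true} when the claims are non-empty, the issuer is one of {@link #ISSUER}
     *         and the audience list contains {@code audience}; {@code false} otherwise
     * @throws AuthenticationFailedException if the token cannot be parsed or verified, or if
     *         nonce validation is requested and fails
     */
    public static boolean validateGoogleJWT(String idToken, String audience, String nonce, boolean validateNonce) throws AuthenticationFailedException {
        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWSKeySelector(generateKeySelector(idToken));
        try {
            JWTClaimsSet claims = jwtProcessor.process(idToken, (SecurityContext) null);
            if (claims == null || claims.toJSONObject() == null || claims.toJSONObject().isEmpty()) {
                return false;
            }
            if (validateNonce) {
                Object nonceClaim = claims.getClaim(NONCE);
                // A missing claim must fail outright: String.valueOf(null) is the text "null",
                // which would otherwise match an expected nonce of "null".
                if (StringUtils.isEmpty(nonce) || nonceClaim == null || !nonce.equals(String.valueOf(nonceClaim))) {
                    throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.JWT_NONCE_ERROR.getCode(), GoogleErrorConstants.ErrorMessages.JWT_NONCE_ERROR.getMessage());
                }
            }
            // Fail closed when no expected audience is configured, so an unset client id can
            // never match a token's audience list.
            return StringUtils.isNotEmpty(audience)
                    && ISSUER.contains(claims.getIssuer())
                    && claims.getAudience().contains(audience);
        } catch (ParseException | BadJOSEException | JOSEException e) {
            // Keep the cause so the failing verification step is visible in server logs.
            throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.JWT_PROCESS_ERROR.getCode(), e.getMessage(), e);
        }
    }

    /**
     * Builds the key selector used to verify the token signature.
     *
     * <p>The {@code alg} header is attacker-controlled, so it is only compared against an
     * allowlist (RS256, ES256). The selector is pinned to this class's own algorithm constant
     * and JWK set URL, never to a value taken from the token.
     *
     * <p>NOTE(review): a new {@link RemoteJWKSet} is created on every call, so its key cache
     * is not shared between validations and each presented token appears to cause a JWK
     * download before the signature is checked. Consider holding one instance per URL.
     *
     * @param idToken serialized JWT whose header names the signing algorithm
     * @return a selector that accepts only the allowlisted algorithm and its Google JWK set
     * @throws AuthenticationFailedException if the token is null or unparsable, or its
     *         algorithm is not allowlisted
     */
    private static JWSKeySelector<SecurityContext> generateKeySelector(String idToken) throws AuthenticationFailedException {
        if (idToken == null) {
            // Report an absent token as an authentication failure rather than a NullPointerException.
            throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.JWT_PARSE_ERROR.getCode(), GoogleErrorConstants.ErrorMessages.JWT_PARSE_ERROR.getMessage());
        }
        Object headerAlgorithm;
        try {
            headerAlgorithm = JWTParser.parse(idToken).getHeader().getAlgorithm();
        } catch (ParseException e) {
            throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.JWT_PARSE_ERROR.getCode(), e.getMessage(), e);
        }

        JWSAlgorithm algorithm = null;
        String jwkSetUrl = null;
        if (JWSAlgorithm.RS256.equals(headerAlgorithm)) {
            algorithm = JWSAlgorithm.RS256;
            jwkSetUrl = JWS_RS256_URI;
        } else if (JWSAlgorithm.ES256.equals(headerAlgorithm)) {
            algorithm = JWSAlgorithm.ES256;
            jwkSetUrl = JWS_ES256_URI;
        }
        if (jwkSetUrl == null) {
            // Any other algorithm, including unsigned tokens, is rejected here.
            throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.INVALID_JWK_SOURCE_URL.getCode(), String.format(GoogleErrorConstants.ErrorMessages.INVALID_JWK_SOURCE_URL.getMessage(), jwkSetUrl));
        }
        try {
            return new JWSVerificationKeySelector<>(algorithm, new RemoteJWKSet<>(new URL(jwkSetUrl)));
        } catch (MalformedURLException e) {
            throw new AuthenticationFailedException(GoogleErrorConstants.ErrorMessages.INVALID_JWK_SOURCE_URL.getCode(), String.format(GoogleErrorConstants.ErrorMessages.INVALID_JWK_SOURCE_URL.getMessage(), jwkSetUrl), e);
        }
    }
}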
