package org.wso2.carbon.identity.oauth2.grant.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import net.minidev.json.JSONArray;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.IdentityProviderProperty;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.grant.jwt.cache.JWTCache;
import org.wso2.carbon.identity.oauth2.grant.jwt.cache.JWTCacheEntry;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.util.ClaimsUtil;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.jwt.JWKSBasedJWTValidator;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/grant/jwt/JWTBearerGrantHandler.class */
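/**
 * Grant handler for {@code urn:ietf:params:oauth:grant-type:jwt-bearer}.
 *
 * <p>The assertion is read from the {@code JWTConstants.OAUTH_JWT_ASSERTION} request parameter. It is
 * either a signed JWT, or an encrypted JWT (decrypted with the tenant's private key) whose payload is a
 * nested signed JWT or a plain claims set. The issuer is resolved to a registered identity provider, a
 * signature (when present) is verified against that provider's JWKS endpoint or certificate, and the
 * registered claims ({@code aud}, {@code exp}, {@code nbf}, {@code iat}, {@code jti}) are checked before
 * the subject becomes the authorized user.
 *
 * <p>NOTE(review): {@link #tenantDomain} is an instance field written on every {@link #validateGrant}
 * call and read by several helpers; if one handler instance serves concurrent requests this is a data
 * race. Confirm how instances are scoped before relying on it.
 */
public class JWTBearerGrantHandler extends AbstractAuthorizationGrantHandler {

    private static final String OAUTH_SPLIT_AUTHZ_USER_3_WAY = "OAuth.SplitAuthzUser3Way";
    private static final String DEFAULT_IDP_NAME = "default";
    private static final String OIDC_IDP_ENTITY_ID = "IdPEntityId";
    private static final String ERROR_GET_RESIDENT_IDP = "Error while getting Resident Identity Provider of '%s' tenant.";
    private static final String ENFORCE_CERTIFICATE_VALIDITY = "JWTValidatorConfigs.EnforceCertificateExpiryTimeValidity";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String LOCAL_IDP_NAME = "LOCAL";
    private static final String OIDC_AUTHENTICATOR_NAME = "openidconnect";
    private static final String OAUTH2_TOKEN_EP_URL = "OAuth2TokenEPUrl";
    private static final String RSA_ALGORITHM_PREFIX = "RS";
    /** Used when the IAT validity period is not configured or is not a number. */
    private static final int DEFAULT_IAT_VALIDITY_PERIOD_MINUTES = 30;
    private static final long MILLIS_PER_SECOND = 1000L;
    private static final long MILLIS_PER_MINUTE = 60000L;

    private static final Log log = LogFactory.getLog(JWTBearerGrantHandler.class);
    /** Decryption keys keyed by tenant id, filled lazily by {@link #getPrivateKey} and never evicted. */
    private static final Map<Integer, Key> privateKeys = new ConcurrentHashMap<>();

    /** Tenant domain of the request currently being validated (see the class note on thread-safety). */
    private String tenantDomain;
    /** Maximum age of {@code iat}, in minutes, applied when {@link #validateIAT} is true. */
    private int validityPeriod;
    /** Cache of used {@code jti} values; only initialised when {@link #cacheUsedJTI} is true. */
    private JWTCache jwtCache;
    private boolean cacheUsedJTI;
    /** Claim names treated as registered (non-custom) claims; replaceable through configuration. */
    private String[] registeredClaimNames = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"};
    private boolean validateIAT = true;

    /**
     * Reads the handler configuration: the IAT validation switch and validity period, the registered
     * claim names and whether used {@code jti} values are cached.
     *
     * @throws IdentityOAuth2Exception propagated from {@code super.init()}
     */
    @Override
    public void init() throws IdentityOAuth2Exception {
        super.init();
        String iatValidation = IdentityUtil.getProperty(JWTConstants.PROP_ENABLE_IAT_VALIDATION);
        if (StringUtils.isNotBlank(iatValidation)) {
            this.validateIAT = Boolean.parseBoolean(iatValidation);
        }
        if (this.validateIAT) {
            this.validityPeriod = readIatValidityPeriod(IdentityUtil.getProperty(JWTConstants.PROP_IAT_VALIDITY_PERIOD));
        }
        String claimNames = IdentityUtil.getProperty(JWTConstants.PROP_REGISTERED_JWT);
        if (StringUtils.isNotBlank(claimNames)) {
            // Comma-separated list; surrounding whitespace around each name is dropped.
            this.registeredClaimNames = claimNames.split("\\s*,\\s*");
        }
        String jwtCacheEnabled = IdentityUtil.getProperty(JWTConstants.PROP_ENABLE_JWT_CACHE);
        if (StringUtils.isNotBlank(jwtCacheEnabled)) {
            this.cacheUsedJTI = Boolean.parseBoolean(jwtCacheEnabled);
            if (this.cacheUsedJTI) {
                this.jwtCache = JWTCache.getInstance();
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Validate IAT is set to: " + this.validateIAT + " for JWT grant.");
            if (this.validateIAT) {
                log.debug("IAT validity period is set to: " + this.validityPeriod + " minutes for JWT grant.");
            }
            log.debug("Caching JWT is set to: " + this.cacheUsedJTI + " for JWT grant.");
        }
    }

    /**
     * Parses the configured IAT validity period in minutes.
     *
     * @param configured raw property value, possibly blank
     * @return the parsed value, or {@link #DEFAULT_IAT_VALIDITY_PERIOD_MINUTES} (with a warning) when
     *         the value is blank or not an integer
     */
    private static int readIatValidityPeriod(String configured) {
        if (StringUtils.isBlank(configured)) {
            log.warn("Empty value is set for IAT validity period. Using default value: " + DEFAULT_IAT_VALIDITY_PERIOD_MINUTES + " minutes.");
            return DEFAULT_IAT_VALIDITY_PERIOD_MINUTES;
        }
        try {
            return Integer.parseInt(configured);
        } catch (NumberFormatException e) {
            log.warn("Invalid value: " + configured + " is set for IAT validity period. Using default value: " + DEFAULT_IAT_VALIDITY_PERIOD_MINUTES + " minutes.");
            return DEFAULT_IAT_VALIDITY_PERIOD_MINUTES;
        }
    }

    /**
     * Returns the resident identity provider of {@code tenantDomain} when its OIDC entity id equals
     * {@code issuer}.
     *
     * @param tenantDomain tenant whose resident IdP is looked up
     * @param issuer       {@code iss} value of the assertion
     * @return the resident IdP, or {@code null} when its entity id does not match (or is not configured)
     * @throws IdentityOAuth2Exception when the resident IdP cannot be read
     */
    private IdentityProvider getResidentIDPForIssuer(String tenantDomain, String issuer) throws IdentityOAuth2Exception {
        try {
            IdentityProvider residentIdP = IdentityProviderManager.getInstance().getResidentIdP(tenantDomain);
            FederatedAuthenticatorConfig oidcConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                    residentIdP.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
            String entityId = "";
            if (oidcConfig != null) {
                // A missing entity id property used to dereference null; treat it as "not configured".
                Property entityIdProperty = IdentityApplicationManagementUtil.getProperty(oidcConfig.getProperties(), OIDC_IDP_ENTITY_ID);
                if (entityIdProperty != null) {
                    entityId = entityIdProperty.getValue();
                }
            }
            return StringUtils.equals(issuer, entityId) ? residentIdP : null;
        } catch (IdentityProviderManagementException e) {
            throw new IdentityOAuth2Exception(String.format(ERROR_GET_RESIDENT_IDP, tenantDomain), e);
        }
    }

    /**
     * Validates the JWT bearer assertion of the token request and sets the authorized user.
     *
     * <p>Order of checks: decrypt/parse, mandatory claims, issuer → IdP, signature (signed assertions
     * only), audience against the IdP's token endpoint alias, {@code exp}/{@code nbf}/{@code iat},
     * {@code jti} replay (when caching is enabled), custom claims.
     *
     * @param tokReqMsgCtx token request context; its authorized user, scope and expiry property are set
     * @return {@code true} when the assertion is valid (every failure throws)
     * @throws IdentityOAuth2Exception when any check fails
     */
    @Override
    public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
        this.tenantDomain = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (StringUtils.isEmpty(this.tenantDomain)) {
            this.tenantDomain = SUPER_TENANT_DOMAIN;
        }

        SignedJWT signedJWT = null;
        JWTClaimsSet claimsSet = null;
        EncryptedJWT encryptedJWT = getEncryptedJWT(tokReqMsgCtx);
        if (encryptedJWT == null) {
            if (log.isDebugEnabled()) {
                log.debug("The assertion is not encrypted.");
            }
            signedJWT = getSignedJWT(tokReqMsgCtx);
            if (signedJWT == null) {
                handleException("No Valid Assertion was found for urn:ietf:params:oauth:grant-type:jwt-bearer");
            } else {
                claimsSet = getClaimSet(signedJWT);
            }
        } else {
            try {
                encryptedJWT.decrypt(new RSADecrypter(getPrivateKey(this.tenantDomain)));
            } catch (JOSEException e) {
                throw new IdentityOAuth2Exception("Error when decrypting the encrypted JWT." + e.getMessage(), e);
            }
            if (log.isDebugEnabled()) {
                log.debug("The assertion is successfully decrypted.");
            }
            String payload = encryptedJWT.getPayload() == null ? null : encryptedJWT.getPayload().toString();
            if (isEncryptedJWTSigned(payload)) {
                try {
                    signedJWT = SignedJWT.parse(payload);
                } catch (ParseException e) {
                    throw new IdentityOAuth2Exception("Unexpected number of Base64URL parts of the nested JWT payload. Expected number of parts must be three. ", e);
                }
                claimsSet = getClaimSet(signedJWT);
                if (log.isDebugEnabled()) {
                    log.debug("The encrypted JWT is signed. Obtained the claim set of the encrypted JWT.");
                }
            } else {
                // NOTE(review): an encrypted-but-unsigned assertion never reaches validateSignature()
                // below (it is guarded by signedJWT != null); its claims rest on decryption alone.
                // Confirm that this is the intended trust model for the deployment.
                try {
                    claimsSet = encryptedJWT.getJWTClaimsSet();
                } catch (ParseException e) {
                    throw new IdentityOAuth2Exception("Error when trying to retrieve claimsSet from the encrypted JWT." + e.getMessage(), e);
                }
                if (log.isDebugEnabled()) {
                    log.debug("The encrypted JWT is not signed. Obtained the claim set of the encrypted JWT.");
                }
            }
        }
        if (claimsSet == null) {
            handleException("Claim values are empty in the given JSON Web Token");
        }

        String issuer = claimsSet.getIssuer();
        String subject = resolveSubject(claimsSet);
        List<String> audience = claimsSet.getAudience();
        Date expirationTime = claimsSet.getExpirationTime();
        tokReqMsgCtx.addProperty(JWTConstants.EXPIRY_TIME, expirationTime);
        Date notBeforeTime = claimsSet.getNotBeforeTime();
        Date issueTime = claimsSet.getIssueTime();
        String jti = claimsSet.getJWTID();
        Map<String, Object> claims = claimsSet.getClaims();
        long now = System.currentTimeMillis();
        long skewMillis = OAuthServerConfiguration.getInstance().getTimeStampSkewInSeconds() * MILLIS_PER_SECOND;
        if (StringUtils.isEmpty(issuer) || StringUtils.isEmpty(subject) || expirationTime == null || audience == null) {
            handleException("Mandatory fields(Issuer, Subject, Expiration time or Audience) are empty in the given JSON Web Token.");
        }

        IdentityProvider identityProvider = null;
        try {
            identityProvider = resolveIdentityProvider(issuer);
            String tokenEndpointAlias = getTokenEndpointAlias(identityProvider);
            if (signedJWT != null) {
                if (!validateSignature(signedJWT, identityProvider)) {
                    handleException("Signature or Message Authentication invalid.");
                } else if (log.isDebugEnabled()) {
                    log.debug("Signature/MAC validated successfully.");
                }
            }
            setAuthorizedUser(tokReqMsgCtx, identityProvider, subject);
            if (log.isDebugEnabled()) {
                log.debug("Subject(sub) found in JWT: " + subject);
                log.debug(subject + " set as the Authorized User.");
            }
            tokReqMsgCtx.setScope(tokReqMsgCtx.getOauth2AccessTokenReqDTO().getScope());
            if (StringUtils.isEmpty(tokenEndpointAlias)) {
                handleException("Token Endpoint alias of the local Identity Provider has not been configured for " + identityProvider.getIdentityProviderName());
            }
            validateAudience(audience, tokenEndpointAlias);
            validateTimeClaims(expirationTime, notBeforeTime, issueTime, now, skewMillis);
            validateJti(jti, signedJWT, now, skewMillis);
            if (claims == null) {
                if (log.isDebugEnabled()) {
                    log.debug("No custom claims found. Continue validating other claims.");
                }
            } else if (!validateCustomClaims(claims)) {
                handleException("Custom Claims in the JWT were invalid");
            }
            if (log.isDebugEnabled()) {
                log.debug("JWT Token was validated successfully");
            }
            if (this.cacheUsedJTI && jti != null) {
                // For an unsigned encrypted assertion signedJWT is null; checkCachedJTI() handles that entry shape.
                this.jwtCache.addToCache(jti, new JWTCacheEntry(signedJWT));
            }
            if (log.isDebugEnabled()) {
                log.debug("JWT Token was added to the cache successfully");
            }
        } catch (JOSEException e) {
            handleException("Error when verifying signature");
        } catch (IdentityProviderManagementException e) {
            handleException("Error while getting the Federated Identity Provider ");
        }
        if (log.isDebugEnabled()) {
            log.debug("Issuer(iss) of the JWT validated successfully");
        }
        if (OAuth2Util.isOIDCAuthzRequest(tokReqMsgCtx.getScope())) {
            handleCustomClaims(tokReqMsgCtx, claims, identityProvider);
        }
        return true;
    }

    /**
     * Resolves the identity provider registered for {@code issuer} in the current tenant. An IdP named
     * {@value #DEFAULT_IDP_NAME} is replaced by the resident IdP, which must list {@code issuer} as its
     * OIDC entity id.
     *
     * @throws IdentityOAuth2Exception             when no matching IdP is registered
     * @throws IdentityProviderManagementException from the IdP lookup
     */
    private IdentityProvider resolveIdentityProvider(String issuer)
            throws IdentityOAuth2Exception, IdentityProviderManagementException {
        IdentityProvider identityProvider = IdentityProviderManager.getInstance().getIdPByName(issuer, this.tenantDomain);
        if (identityProvider != null && StringUtils.equalsIgnoreCase(identityProvider.getIdentityProviderName(), DEFAULT_IDP_NAME)) {
            identityProvider = getResidentIDPForIssuer(this.tenantDomain, issuer);
        }
        if (identityProvider == null) {
            handleException("No Registered IDP found for the JWT with issuer name : " + issuer);
        }
        return identityProvider;
    }

    /**
     * Requires {@code tokenEndpointAlias} to appear in the assertion's {@code aud} list.
     *
     * @throws IdentityOAuth2Exception when no audience value matches
     */
    private void validateAudience(List<String> audience, String tokenEndpointAlias) throws IdentityOAuth2Exception {
        boolean matched = false;
        for (String aud : audience) {
            if (StringUtils.equals(tokenEndpointAlias, aud)) {
                if (log.isDebugEnabled()) {
                    log.debug(tokenEndpointAlias + " of IDP was found in the list of audiences.");
                }
                matched = true;
                break;
            }
        }
        if (!matched) {
            handleException("None of the audience values matched the tokenEndpoint Alias " + tokenEndpointAlias);
        }
    }

    /**
     * Checks {@code exp} (mandatory), {@code nbf} and {@code iat} (both optional; {@code iat} only when
     * IAT validation is enabled). Each underlying check throws on failure.
     */
    private void validateTimeClaims(Date expirationTime, Date notBeforeTime, Date issueTime, long now, long skewMillis)
            throws IdentityOAuth2Exception {
        if (checkExpirationTime(expirationTime, now, skewMillis) && log.isDebugEnabled()) {
            log.debug("Expiration Time(exp) of JWT was validated successfully.");
        }
        if (notBeforeTime == null) {
            if (log.isDebugEnabled()) {
                log.debug("Not Before Time(nbf) not found in JWT. Continuing Validation");
            }
        } else if (checkNotBeforeTime(notBeforeTime, now, skewMillis) && log.isDebugEnabled()) {
            log.debug("Not Before Time(nbf) of JWT was validated successfully.");
        }
        if (issueTime == null) {
            if (log.isDebugEnabled()) {
                log.debug("Issued At Time(iat) not found in JWT. Continuing Validation");
            }
        } else if (this.validateIAT) {
            if (checkValidityOfTheToken(issueTime, now, skewMillis) && log.isDebugEnabled()) {
                log.debug("Issued At Time(iat) of JWT was validated successfully.");
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Issued At Time (iat) validation is disabled for the JWT.");
        }
    }

    /**
     * Replay check on {@code jti}: when caching is enabled and the id is already cached, the cached
     * entry decides whether this use is a replay (see {@link #checkCachedJTI}).
     *
     * @throws IdentityOAuth2Exception when the id is being replayed
     */
    private void validateJti(String jti, SignedJWT signedJWT, long now, long skewMillis) throws IdentityOAuth2Exception {
        if (!this.cacheUsedJTI || jti == null) {
            if (log.isDebugEnabled()) {
                if (!this.cacheUsedJTI) {
                    log.debug("List of used JSON Web Token IDs are not maintained. Continue Validation");
                }
                if (jti == null) {
                    log.debug("JSON Web Token ID(jti) not found in JWT. Continuing Validation");
                }
            }
            return;
        }
        JWTCacheEntry cacheEntry = (JWTCacheEntry) this.jwtCache.getValueFromCache(jti);
        if (cacheEntry == null) {
            if (log.isDebugEnabled()) {
                log.debug("JWT id: " + jti + " not found in the cache.");
            }
            return;
        }
        if (checkCachedJTI(jti, signedJWT, cacheEntry, now, skewMillis) && log.isDebugEnabled()) {
            log.debug("jti of the JWT has been validated successfully.");
        }
    }

    /**
     * Builds the authorized user from the assertion subject and marks it as a federated user of
     * {@code identityProvider}. With {@code OAuth.SplitAuthzUser3Way} enabled the subject is parsed into
     * user-store, tenant and user name; otherwise it is kept as an opaque subject identifier.
     *
     * @param tokReqMsgCtx     context whose authorized user is set
     * @param identityProvider IdP the assertion was issued by
     * @param subject          {@code sub} claim of the assertion
     */
    protected void setAuthorizedUser(OAuthTokenReqMessageContext tokReqMsgCtx, IdentityProvider identityProvider, String subject) {
        AuthenticatedUser user;
        if (Boolean.parseBoolean(IdentityUtil.getProperty(OAUTH_SPLIT_AUTHZ_USER_3_WAY))) {
            user = OAuth2Util.getUserFromUserName(subject);
            user.setAuthenticatedSubjectIdentifier(subject);
        } else {
            user = AuthenticatedUser.createLocalAuthenticatedUserFromSubjectIdentifier(subject);
        }
        user.setFederatedUser(true);
        user.setFederatedIdPName(identityProvider.getIdentityProviderName());
        tokReqMsgCtx.setAuthorizedUser(user);
    }

    /**
     * Maps the assertion's custom claims through the IdP's claim configuration and attaches the result
     * to the authorized user as user attributes.
     *
     * @param tokReqMsgCtx     context holding the authorized user
     * @param claims           all claims of the assertion; registered ones are filtered out
     * @param identityProvider IdP whose claim mappings apply
     * @throws IdentityOAuth2Exception when the mapping fails
     */
    protected void handleCustomClaims(OAuthTokenReqMessageContext tokReqMsgCtx, Map<String, Object> claims,
                                      IdentityProvider identityProvider) throws IdentityOAuth2Exception {
        try {
            Map<String, String> mappedClaims = ClaimsUtil.handleClaimMapping(identityProvider, getCustomClaims(claims),
                    this.tenantDomain, tokReqMsgCtx);
            AuthenticatedUser authorizedUser = tokReqMsgCtx.getAuthorizedUser();
            if (MapUtils.isNotEmpty(mappedClaims)) {
                authorizedUser.setUserAttributes(FrameworkUtils.buildClaimMappings(mappedClaims));
            }
            tokReqMsgCtx.setAuthorizedUser(authorizedUser);
        } catch (IdentityApplicationManagementException | IdentityException e) {
            throw new IdentityOAuth2Exception("Error while handling custom claim mapping for the tenant domain, " + this.tenantDomain, e);
        }
    }

    /**
     * Issues the token and, when the authorized user carries attributes, caches them against the token.
     *
     * @throws IdentityOAuth2Exception propagated from {@code super.issue()}
     */
    @Override
    public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
        OAuth2AccessTokenRespDTO tokenResponse = super.issue(tokReqMsgCtx);
        // Raw type kept: the attribute map's key type is not imported in this file.
        Map userAttributes = tokReqMsgCtx.getAuthorizedUser().getUserAttributes();
        if (MapUtils.isNotEmpty(userAttributes)) {
            ClaimsUtil.addUserAttributesToCache(tokenResponse, tokReqMsgCtx, userAttributes);
        }
        return tokenResponse;
    }

    /**
     * Selects the non-registered claims and renders each value as a string; JSON arrays are joined with
     * the framework's multi-attribute separator.
     *
     * @param claims all claims of the assertion
     * @return custom claim name → string value (null-valued claims are skipped)
     */
    protected Map<String, String> getCustomClaims(Map<String, Object> claims) {
        Map<String, String> customClaims = new HashMap<>();
        for (Map.Entry<String, Object> entry : claims.entrySet()) {
            String name = entry.getKey();
            Object value = entry.getValue();
            if (ArrayUtils.contains(this.registeredClaimNames, name) || value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                customClaims.put(name, StringUtils.join((Collection<?>) value, FrameworkUtils.getMultiAttributeSeparator()));
            } else {
                customClaims.put(name, value.toString());
            }
        }
        return customClaims;
    }

    /**
     * Extension point: the subject used as the authorized user. Defaults to the {@code sub} claim.
     */
    protected String resolveSubject(JWTClaimsSet claimsSet) {
        return claimsSet.getSubject();
    }

    /**
     * Returns the raw assertion request parameter.
     *
     * @return the first value of the first {@code JWTConstants.OAUTH_JWT_ASSERTION} parameter, or
     *         {@code null} when the parameter list, the parameter or its values are absent
     */
    private static String findAssertion(OAuthTokenReqMessageContext tokReqMsgCtx) {
        RequestParameter[] requestParameters = tokReqMsgCtx.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (requestParameters == null) {
            return null;
        }
        for (RequestParameter parameter : requestParameters) {
            if (JWTConstants.OAUTH_JWT_ASSERTION.equals(parameter.getKey())) {
                String[] values = parameter.getValue();
                // Only the first value is honoured; a value-less parameter counts as no assertion.
                return ArrayUtils.isEmpty(values) ? null : values[0];
            }
        }
        return null;
    }

    /**
     * Parses the assertion as a signed JWT.
     *
     * @return the parsed JWT, or {@code null} when no assertion parameter is present
     * @throws IdentityOAuth2Exception when the assertion is present but not a valid JWS
     */
    private SignedJWT getSignedJWT(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
        String assertion = findAssertion(tokReqMsgCtx);
        if (StringUtils.isEmpty(assertion)) {
            return null;
        }
        try {
            SignedJWT signedJWT = SignedJWT.parse(assertion);
            if (log.isDebugEnabled()) {
                logJWT(signedJWT);
            }
            return signedJWT;
        } catch (ParseException e) {
            throw new IdentityOAuth2Exception("Error while parsing the JWT.", e);
        }
    }

    /**
     * Reads the claims of a signed JWT.
     *
     * @throws IdentityOAuth2Exception when the payload is not a valid claims set
     */
    private JWTClaimsSet getClaimSet(SignedJWT signedJWT) throws IdentityOAuth2Exception {
        JWTClaimsSet claimsSet = null;
        try {
            claimsSet = signedJWT.getJWTClaimsSet();
        } catch (ParseException e) {
            handleException("Error when trying to retrieve claimsSet from the JWT");
        }
        return claimsSet;
    }

    /**
     * Returns the value the assertion's {@code aud} must contain for {@code identityProvider}: the
     * resident IdP's OIDC token endpoint URL for the local IdP, the configured alias otherwise.
     *
     * @return the alias, or {@code null} when it is not configured
     */
    private String getTokenEndpointAlias(IdentityProvider identityProvider) {
        if (!LOCAL_IDP_NAME.equals(identityProvider.getIdentityProviderName())) {
            String alias = identityProvider.getAlias();
            if (log.isDebugEnabled()) {
                log.debug("Token End Point Alias of the Federated IDP: " + alias);
            }
            return alias;
        }
        IdentityProvider residentIdp = identityProvider;
        try {
            residentIdp = IdentityProviderManager.getInstance().getResidentIdP(this.tenantDomain);
        } catch (IdentityProviderManagementException e) {
            // Best effort: fall back to the IdP passed in; a missing alias is reported by the caller.
            if (log.isDebugEnabled()) {
                log.debug("Error while getting Resident IDP :" + e.getMessage());
            }
        }
        FederatedAuthenticatorConfig oidcConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                residentIdp.getFederatedAuthenticatorConfigs(), OIDC_AUTHENTICATOR_NAME);
        Property tokenEndpointUrl = oidcConfig == null
                ? null
                : IdentityApplicationManagementUtil.getProperty(oidcConfig.getProperties(), OAUTH2_TOKEN_EP_URL);
        if (tokenEndpointUrl == null) {
            return null;
        }
        String alias = tokenEndpointUrl.getValue();
        if (log.isDebugEnabled()) {
            log.debug("Token End Point Alias of Resident IDP :" + alias);
        }
        return alias;
    }

    /**
     * Rejects an expired assertion. The skew is added to the current time, so the assertion must remain
     * valid for at least {@code skewMillis} beyond now (a stricter, not more lenient, bound).
     *
     * @return always {@code true}; failure throws
     * @throws IdentityOAuth2Exception when {@code now + skewMillis} is past {@code exp}
     */
    private boolean checkExpirationTime(Date expirationTime, long now, long skewMillis) throws IdentityOAuth2Exception {
        long expiresAt = expirationTime.getTime();
        if (now + skewMillis <= expiresAt) {
            return true;
        }
        handleException("JSON Web Token is expired., Expiration Time(ms) : " + expiresAt + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + now + ". JWT Rejected and validation terminated");
        return true;
    }

    /**
     * Rejects an assertion used before its {@code nbf}, allowing {@code skewMillis} of clock drift.
     *
     * @return always {@code true}; failure throws
     * @throws IdentityOAuth2Exception when {@code now + skewMillis} is before {@code nbf}
     */
    private boolean checkNotBeforeTime(Date notBeforeTime, long now, long skewMillis) throws IdentityOAuth2Exception {
        long validFrom = notBeforeTime.getTime();
        if (now + skewMillis >= validFrom) {
            return true;
        }
        handleException("JSON Web Token is used before Not_Before_Time., Not Before Time(ms) : " + validFrom + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + now + ". JWT Rejected and validation terminated");
        return true;
    }

    /**
     * Rejects an assertion whose {@code iat} is older than {@link #validityPeriod} minutes (plus skew).
     * An {@code iat} in the future yields a negative age and passes this check; only {@code nbf} and
     * {@code exp} bound the future.
     *
     * @return always {@code true}; failure throws
     * @throws IdentityOAuth2Exception when the assertion is too old
     */
    private boolean checkValidityOfTheToken(Date issueTime, long now, long skewMillis) throws IdentityOAuth2Exception {
        long issuedAt = issueTime.getTime();
        long maxAgeMillis = MILLIS_PER_MINUTE * this.validityPeriod;
        if ((now + skewMillis) - issuedAt <= maxAgeMillis) {
            return true;
        }
        handleException("JSON Web Token is issued before the allowed time., Issued At Time(ms) : " + issuedAt + ", Reject before limit(ms) : " + maxAgeMillis + ", TimeStamp Skew : " + skewMillis + ", Current Time : " + now + ". JWT Rejected and validation terminated");
        return true;
    }

    /**
     * Decides whether a {@code jti} already present in the cache may be used again: it may once the
     * cached assertion's {@code exp} (plus skew) has passed, in which case the cache entry is replaced;
     * otherwise the use is a replay and is rejected.
     *
     * @param jti         id being validated
     * @param signedJWT   current assertion; {@code null} for an unsigned encrypted assertion
     * @param cacheEntry  cached entry for {@code jti}
     * @param now         current time in ms
     * @param skewMillis  allowed clock skew in ms
     * @return always {@code true}; failure throws
     * @throws IdentityOAuth2Exception on replay, or when the cached assertion cannot be read
     */
    private boolean checkCachedJTI(String jti, SignedJWT signedJWT, JWTCacheEntry cacheEntry, long now, long skewMillis)
            throws IdentityOAuth2Exception {
        SignedJWT cachedJwt = cacheEntry.getJwt();
        if (cachedJwt == null) {
            // An unsigned encrypted assertion is cached without a JWT, so its expiry cannot be read back;
            // a second use of that id is rejected instead of dereferencing null.
            handleException("JWT id: " + jti + " has already been used by an assertion whose expiry is not available in the cache.");
        }
        try {
            // The cached assertion passed validation, so its exp claim is present.
            Date cachedExpiry = cachedJwt.getJWTClaimsSet().getExpirationTime();
            if (now + skewMillis > cachedExpiry.getTime()) {
                if (log.isDebugEnabled()) {
                    log.debug("JWT Token has been reused after the allowed expiry time : " + cachedExpiry);
                }
                this.jwtCache.addToCache(jti, new JWTCacheEntry(signedJWT));
                if (log.isDebugEnabled()) {
                    log.debug("jti of the JWT has been validated successfully and cache updated");
                }
            } else {
                // The error text (logged at ERROR and returned in the exception) carries the header and
                // payload of the replayed assertion, i.e. whatever claims it contains.
                String replayed = signedJWT == null
                        ? "(unsigned assertion)"
                        : "\n" + signedJWT.getHeader().toJSONObject().toString() + "\n" + signedJWT.getPayload().toJSONObject().toString();
                handleException("JWT Token " + replayed + "\nHas been replayed before the allowed expiry time : " + cachedExpiry);
            }
            return true;
        } catch (ParseException e) {
            handleException("Unable to parse the cached jwt assertion : " + cacheEntry.getEncodedJWt());
            return true;
        }
    }

    /**
     * Debug-logs header, payload and signature of the assertion. The assertion is a bearer credential,
     * so this output is only emitted at DEBUG level.
     */
    private void logJWT(SignedJWT signedJWT) {
        log.debug("JWT Header: " + signedJWT.getHeader().toJSONObject().toString());
        log.debug("JWT Payload: " + signedJWT.getPayload().toJSONObject().toString());
        log.debug("Signature: " + signedJWT.getSignature().toString());
    }

    /**
     * Verifies the assertion signature. When JWKS validation is enabled and the IdP has a
     * {@code JWTConstants.JWKS_URI} property, the JWKS validator is used; otherwise the IdP certificate
     * is checked for validity and its RSA public key verifies the signature. Only algorithms whose name
     * starts with {@code RS} are accepted — anything else (including {@code none}) leaves the verifier
     * unset and is rejected.
     *
     * @return the verification result
     * @throws JOSEException           from the signature verification
     * @throws IdentityOAuth2Exception when no verifier can be built
     */
    private boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider)
            throws JOSEException, IdentityOAuth2Exception {
        boolean jwksValidationEnabled = Boolean.parseBoolean(IdentityUtil.getProperty(JWTConstants.JWKS_VALIDATION_ENABLE_CONFIG));
        if (jwksValidationEnabled && log.isDebugEnabled()) {
            log.debug("JWKS based JWT validation enabled.");
        }
        IdentityProviderProperty jwksProperty = findIdpProperty(identityProvider, JWTConstants.JWKS_URI);
        if (log.isDebugEnabled()) {
            if (jwksProperty != null) {
                log.debug("JWKS endpoint set for the identity provider : " + identityProvider.getIdentityProviderName() + ", jwks_uri : " + jwksProperty.getValue());
            } else {
                log.debug("JWKS endpoint not specified for the identity provider : " + identityProvider.getIdentityProviderName());
            }
        }
        if (jwksValidationEnabled && jwksProperty != null) {
            return new JWKSBasedJWTValidator().validateSignature(signedJWT.getParsedString(), jwksProperty.getValue(),
                    signedJWT.getHeader().getAlgorithm().getName(), (Map) null);
        }

        JWSHeader header = signedJWT.getHeader();
        X509Certificate signerCertificate = resolveSignerCertificate(header, identityProvider);
        if (signerCertificate == null) {
            handleException("Unable to locate certificate for Identity Provider " + identityProvider.getDisplayName() + "; JWT " + header.toString());
        }
        checkValidity(signerCertificate);
        String algorithm = header.getAlgorithm().getName();
        if (StringUtils.isEmpty(algorithm)) {
            handleException("Algorithm must not be null.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the JWT Header: " + algorithm);
        }
        JWSVerifier verifier = null;
        if (algorithm.startsWith(RSA_ALGORITHM_PREFIX)) {
            PublicKey publicKey = signerCertificate.getPublicKey();
            if (publicKey instanceof RSAPublicKey) {
                verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            } else {
                handleException("Public key is not an RSA public key.");
            }
        } else if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm not supported yet : " + algorithm);
        }
        if (verifier == null) {
            handleException("Could not create a signature verifier for algorithm type: " + algorithm);
        }
        return signedJWT.verify(verifier);
    }

    /**
     * Returns the first IdP property named {@code name}, or {@code null} when the IdP has no such property.
     */
    private static IdentityProviderProperty findIdpProperty(IdentityProvider identityProvider, String name) {
        IdentityProviderProperty[] properties = identityProvider.getIdpProperties();
        if (ArrayUtils.isEmpty(properties)) {
            return null;
        }
        for (IdentityProviderProperty property : properties) {
            if (StringUtils.equals(property.getName(), name)) {
                return property;
            }
        }
        return null;
    }

    /**
     * Enforces the certificate validity period unless {@value #ENFORCE_CERTIFICATE_VALIDITY} is
     * explicitly set to {@code false}; an unset property keeps the check on.
     *
     * @throws IdentityOAuth2Exception when the certificate is expired or not yet valid
     */
    private void checkValidity(X509Certificate certificate) throws IdentityOAuth2Exception {
        String enforce = IdentityUtil.getProperty(ENFORCE_CERTIFICATE_VALIDITY);
        if (StringUtils.isNotEmpty(enforce) && !Boolean.parseBoolean(enforce)) {
            if (log.isDebugEnabled()) {
                log.debug("Check for the certificate validity is disabled.");
            }
            return;
        }
        try {
            certificate.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new IdentityOAuth2Exception("X509Certificate has expired.", e);
        } catch (CertificateNotYetValidException e) {
            throw new IdentityOAuth2Exception("X509Certificate is not yet valid.", e);
        }
    }

    /**
     * Extension point: the certificate whose key verifies the assertion. Defaults to the IdP's
     * configured certificate; the JWS header is available for overrides that select by {@code kid}.
     *
     * @return the decoded certificate (assumed X.509 — a non-X.509 certificate would fail the cast)
     * @throws IdentityOAuth2Exception when the configured certificate cannot be decoded
     */
    protected X509Certificate resolveSignerCertificate(JWSHeader header, IdentityProvider identityProvider)
            throws IdentityOAuth2Exception {
        X509Certificate certificate = null;
        try {
            certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
        } catch (CertificateException e) {
            handleException("Error occurred while decoding public certificate of Identity Provider " + identityProvider.getIdentityProviderName() + " for tenant domain " + this.tenantDomain);
        }
        return certificate;
    }

    /**
     * Extension point for additional claim checks. The default accepts every claim set.
     *
     * @return {@code true} when the custom claims are acceptable
     */
    protected boolean validateCustomClaims(Map<String, Object> claims) {
        return true;
    }

    /**
     * Logs {@code message} at ERROR and throws it as an {@link IdentityOAuth2Exception}. Never returns.
     */
    private void handleException(String message) throws IdentityOAuth2Exception {
        log.error(message);
        throw new IdentityOAuth2Exception(message);
    }

    /**
     * Parses the assertion as an encrypted JWT.
     *
     * @return the parsed JWE, or {@code null} when the assertion is absent or is not a JWE (the caller
     *         then tries the signed-JWT form)
     */
    private EncryptedJWT getEncryptedJWT(OAuthTokenReqMessageContext tokReqMsgCtx) {
        String assertion = findAssertion(tokReqMsgCtx);
        if (StringUtils.isEmpty(assertion)) {
            if (log.isDebugEnabled()) {
                log.debug("The assertion is empty.");
            }
            return null;
        }
        try {
            return EncryptedJWT.parse(assertion);
        } catch (ParseException e) {
            // Not an error: a parse failure just means the assertion is not in JWE form.
            if (log.isDebugEnabled()) {
                log.debug("Error while parsing the assertion. The assertion is not encrypted.");
            }
            return null;
        }
    }

    /**
     * Returns the tenant's private key for decrypting assertions, loading it from the tenant key store
     * on first use and caching it in {@link #privateKeys} (no eviction: a rotated key store is not
     * picked up until restart).
     *
     * @param tenantDomain tenant whose key is needed
     * @throws IdentityOAuth2Exception when the registry or key store cannot be read, or the key is not RSA
     */
    private static RSAPrivateKey getPrivateKey(String tenantDomain) throws IdentityOAuth2Exception {
        int tenantId = OAuth2Util.getTenantId(tenantDomain);
        Key privateKey = privateKeys.get(tenantId);
        if (privateKey == null) {
            try {
                IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
                KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
                if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                    try {
                        privateKey = keyStoreManager.getDefaultPrivateKey();
                    } catch (Exception e) {
                        throw new IdentityOAuth2Exception("Error while obtaining private key for super tenant", e);
                    }
                } else {
                    // Tenant key stores are named after the domain with dots replaced by dashes.
                    String keyStoreName = tenantDomain.trim().replace(".", "-") + ".jks";
                    privateKey = keyStoreManager.getPrivateKey(keyStoreName, tenantDomain);
                }
                privateKeys.put(tenantId, privateKey);
            } catch (IdentityException e) {
                throw new IdentityOAuth2Exception("Error occurred while loading registry for tenant " + tenantDomain, e);
            }
        }
        if (!(privateKey instanceof RSAPrivateKey)) {
            throw new IdentityOAuth2Exception("Private key of tenant " + tenantDomain + " is not an RSA private key.");
        }
        return (RSAPrivateKey) privateKey;
    }

    /**
     * Tells whether a decrypted JWE payload is itself a JWS in compact serialization (a nested signed
     * JWT): three dot-separated Base64URL parts with a non-empty signature part. A JSON claims payload
     * contains {@code '{'}, which the Base64URL alphabet does not, so it is never mistaken for a JWS
     * even when its values contain dots.
     */
    private boolean isEncryptedJWTSigned(String payload) {
        if (StringUtils.isEmpty(payload) || payload.indexOf('{') >= 0) {
            return false;
        }
        // split() takes a regex: an unescaped "." matches every character and yields an empty array,
        // which made this check fail for every payload.
        String[] parts = payload.split("\\.");
        return parts.length == 3 && StringUtils.isNotEmpty(parts[2]);
    }
}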
