package io.cellery.security.extensions.util;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;

/* loaded from: input_file:io/cellery/security/extensions/util/Utils.class */
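/**
 * Static helpers for handling signed JWTs against the resident identity provider.
 *
 * <p>Nothing here checks token lifetime ({@code exp}/{@code nbf}), audience or issuer;
 * {@link #validateSignature} covers the signature only, so callers have to perform those
 * claim checks themselves before trusting a token.
 */
public class Utils {
    private static final Log log = LogFactory.getLog(Utils.class);
    public static final String OPENID_IDP_ENTITY_ID = "IdPEntityId";

    /** Claim names that {@link #getCustomClaims} leaves out of its result. */
    private static final Set<String> FILTERED_CLAIMS;

    /** Exact JWS algorithm names accepted by {@link #validateSignature}. */
    private static final Set<String> SUPPORTED_SIGNATURE_ALGORITHMS;

    static {
        Set<String> filtered = new HashSet<>();
        Collections.addAll(filtered, "iss", "aud", "exp", "nbf", "iat", "jti", "scope", "keytype");
        FILTERED_CLAIMS = Collections.unmodifiableSet(filtered);

        Set<String> algorithms = new HashSet<>();
        Collections.addAll(algorithms, "RS256", "RS384", "RS512");
        SUPPORTED_SIGNATURE_ALGORITHMS = Collections.unmodifiableSet(algorithms);
    }

    private Utils() {
    }

    /**
     * Looks up the resident identity provider of the {@code carbon.super} tenant.
     *
     * @return the resident identity provider
     * @throws IdentityProviderManagementException if the lookup fails
     */
    public static IdentityProvider getCelleryIDP() throws IdentityProviderManagementException {
        return IdentityProviderManager.getInstance().getResidentIdP("carbon.super");
    }

    /**
     * Tells whether a string has the three-part shape of a compact JWS.
     *
     * <p>This only counts {@code '.'} separators. It does not parse, decode or verify the token,
     * so a {@code true} result says nothing about authenticity.
     *
     * @param str candidate token, may be {@code null}
     * @return {@code true} when the string contains exactly two dots
     */
    public static boolean isSignedJWT(String str) {
        return StringUtils.countMatches(str, ".") == 2;
    }

    /**
     * Returns the claims of a JWT minus the entries listed in {@code FILTERED_CLAIMS}.
     *
     * <p>The map is filled with a plain loop rather than {@code Collectors.toMap}, because
     * {@code toMap} throws a {@link NullPointerException} on a {@code null} value and a token
     * may carry a claim whose JSON value is {@code null}. Such claims are kept with a
     * {@code null} value.
     *
     * <p>This method does not verify the token; the values are only as trustworthy as the
     * checks the caller has already run on {@code signedJWT}.
     *
     * @param signedJWT parsed token to read claims from
     * @return a new mutable map of the remaining claim names to their values
     * @throws ParseException if the token payload cannot be read as a claims set
     */
    public static Map<String, Object> getCustomClaims(SignedJWT signedJWT) throws ParseException {
        Map<String, Object> customClaims = new HashMap<>();
        for (Map.Entry<String, Object> claim : signedJWT.getJWTClaimsSet().getClaims().entrySet()) {
            if (!FILTERED_CLAIMS.contains(claim.getKey())) {
                customClaims.put(claim.getKey(), claim.getValue());
            }
        }
        return customClaims;
    }

    /**
     * Verifies the signature of a JWT with the RSA public key from the identity provider's
     * configured certificate.
     *
     * <p>Only the signature is checked. The certificate's validity period is not checked here
     * (no {@code checkValidity()} call), and neither are the token's {@code exp}, {@code nbf},
     * {@code aud} or {@code iss} claims.
     *
     * @param signedJWT token whose signature is to be verified
     * @param identityProvider identity provider holding the verification certificate
     * @return {@code true} if the signature verifies, {@code false} otherwise
     * @throws IdentityOAuth2Exception if an argument is {@code null}, the algorithm is not
     *     accepted, the certificate is missing or does not hold an RSA key, or verification
     *     fails with an error
     */
    public static boolean validateSignature(SignedJWT signedJWT, IdentityProvider identityProvider) throws IdentityOAuth2Exception {
        // Reject missing arguments with the declared exception type instead of an NPE.
        if (signedJWT == null || identityProvider == null) {
            throw new IdentityOAuth2Exception("Error while validating signature of jwt.");
        }
        try {
            X509Certificate certToValidateJwt = getCertToValidateJwt(identityProvider);
            validateSignatureAlgorithm(signedJWT.getHeader().getAlgorithm().getName());
            PublicKey publicKey = certToValidateJwt.getPublicKey();
            if (publicKey instanceof RSAPublicKey) {
                return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
            }
            throw new IdentityOAuth2Exception("Public key is not an RSA public key.");
        } catch (JOSEException | CertificateException e) {
            throw new IdentityOAuth2Exception("Error while validating signature of jwt.", e);
        }
    }

    /**
     * Checks the algorithm named in the token header against a fixed allow-list.
     *
     * <p>An exact, case-sensitive match is used rather than a prefix test, so the header cannot
     * select anything other than RS256, RS384 or RS512. The decision is made here and not left
     * to the verifier implementation.
     *
     * @param str algorithm name taken from the token header
     * @throws IdentityOAuth2Exception if the name is empty or not on the allow-list
     */
    private static void validateSignatureAlgorithm(String str) throws IdentityOAuth2Exception {
        if (StringUtils.isEmpty(str)) {
            throw new IdentityOAuth2Exception("Algorithm must not be null.");
        }
        // NOTE(review): str comes from the unverified token header and is written to the debug
        // log and the exception message as-is; confirm the log layout escapes control characters.
        if (log.isDebugEnabled()) {
            log.debug("Signature Algorithm found in the Token Header: " + str);
        }
        if (!SUPPORTED_SIGNATURE_ALGORITHMS.contains(str)) {
            throw new IdentityOAuth2Exception("Signature validation for algorithm: " + str + " is not supported.");
        }
    }

    /**
     * Decodes the certificate configured on the identity provider.
     *
     * @param identityProvider identity provider to read the certificate from
     * @return the decoded certificate, never {@code null}
     * @throws IdentityOAuth2Exception if decoding yields no certificate
     * @throws CertificateException if the stored certificate cannot be decoded
     */
    private static X509Certificate getCertToValidateJwt(IdentityProvider identityProvider) throws IdentityOAuth2Exception, CertificateException {
        X509Certificate x509Certificate = (X509Certificate) IdentityApplicationManagementUtil.decodeCertificate(identityProvider.getCertificate());
        if (x509Certificate == null) {
            throw new IdentityOAuth2Exception("Unable to locate certificate for Identity Provider: " + identityProvider.getDisplayName());
        }
        return x509Certificate;
    }
}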
