package org.wso2.carbon.apimgt.impl.utils;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import org.apache.commons.io.IOUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.wso2.carbon.apimgt.api.APIManagementException;

/* loaded from: input_file:org/wso2/carbon/apimgt/impl/utils/JWTUtil.class */
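/**
 * Static helpers for fetching a JWKS document over HTTP and for verifying the
 * RSA signature of a {@link SignedJWT}.
 *
 * <p>Both {@code verifyTokenSignature} overloads check the algorithm declared in
 * the token header against a fixed allow-list before any verifier is built. The
 * header is supplied by whoever issued or forged the token, so the allow-list is
 * what keeps an unexpected algorithm from being honoured; keep it explicit.
 */
public class JWTUtil {
    private static final Log log = LogFactory.getLog(JWTUtil.class);

    /**
     * Fetches the document served at {@code str} with an HTTP GET and returns its
     * body as a string.
     *
     * <p>NOTE(review): this method does not restrict the URL's scheme or host, and
     * the body is read fully into memory without a size limit. If the returned
     * document is used as key material for signature checks, callers should make
     * sure the URL comes from trusted configuration and uses {@code https}.
     *
     * @param str absolute URL of the JWKS endpoint
     * @return the response body decoded as UTF-8, or {@code null} when the status
     *         code is not 200 or the response carries no entity
     * @throws IOException if the URL is malformed or the request/read fails
     */
    public static String retrieveJWKSConfiguration(String str) throws IOException {
        URL url = new URL(str);
        // try-with-resources closes the response and then the client on every exit
        // path, including the early null returns.
        try (CloseableHttpClient httpClient = APIUtil.getHttpClient(url.getPort(), url.getProtocol());
             CloseableHttpResponse response = httpClient.execute(new HttpGet(str))) {
            int statusCode = response.getStatusLine().getStatusCode();
            if (statusCode != 200) {
                // The URL is deliberately not logged: it may embed user-info credentials.
                log.warn("JWKS endpoint returned HTTP status " + statusCode);
                return null;
            }
            if (response.getEntity() == null) {
                // A 200 without a body previously failed with a NullPointerException.
                log.warn("JWKS endpoint returned an empty response");
                return null;
            }
            try (InputStream content = response.getEntity().getContent()) {
                // JSON is exchanged as UTF-8; decoding with the platform default
                // charset would make the result depend on the host configuration.
                return IOUtils.toString(content, StandardCharsets.UTF_8);
            }
        }
    }

    /**
     * Verifies the signature of {@code signedJWT} with the given RSA public key.
     *
     * <p>Only RS256, RS384, RS512 and PS256 are accepted; any other header
     * algorithm is rejected before a verifier is created.
     *
     * @param signedJWT    the parsed token to verify
     * @param rSAPublicKey the RSA public key expected to have signed the token
     * @return {@code true} only if the algorithm is allowed and the signature
     *         verifies; {@code false} on an unsupported algorithm or on a
     *         {@link JOSEException} during verification
     */
    public static boolean verifyTokenSignature(SignedJWT signedJWT, RSAPublicKey rSAPublicKey) {
        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        boolean supported = JWSAlgorithm.RS256.equals(algorithm)
                || JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.RS512.equals(algorithm)
                || JWSAlgorithm.PS256.equals(algorithm);
        if (!supported) {
            // This branch is about the token's declared algorithm, not the key type.
            // The header value itself is not logged because it is token-controlled.
            log.error("JWT signature algorithm is not a supported RSA algorithm");
            return false;
        }
        try {
            return signedJWT.verify(new RSASSAVerifier(rSAPublicKey));
        } catch (JOSEException e) {
            // Fail closed: a verification error is treated as an invalid signature.
            log.error("Error while verifying JWT signature", e);
            return false;
        }
    }

    /**
     * Verifies the signature of {@code signedJWT} with the public key of the
     * certificate stored under alias {@code str}.
     *
     * <p>Only RS256, RS384 and RS512 are accepted here. NOTE(review): the
     * key-based overload additionally accepts PS256; confirm whether that
     * difference is intended.
     *
     * <p>Every {@link APIManagementException} raised inside the method, including
     * the validation failures below, is re-thrown wrapped in the "Error retrieving
     * certificate from truststore" exception; the specific reason is in the cause.
     *
     * @param signedJWT the parsed token to verify
     * @param str       alias of the certificate to verify against
     * @return the result of the key-based signature verification
     * @throws APIManagementException if no certificate exists for the alias, the
     *         header algorithm is not allowed, or the certificate's key is not RSA
     */
    public static boolean verifyTokenSignature(SignedJWT signedJWT, String str) throws APIManagementException {
        try {
            Certificate certificate = APIUtil.getCertificateFromParentTrustStore(str);
            if (certificate == null) {
                String message = "Couldn't find a public certificate with alias " + str + " to verify the signature";
                log.error(message);
                throw new APIManagementException(message);
            }

            JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
            boolean supported = JWSAlgorithm.RS256.equals(algorithm)
                    || JWSAlgorithm.RS384.equals(algorithm)
                    || JWSAlgorithm.RS512.equals(algorithm);
            if (!supported) {
                log.error("JWT signature algorithm is not a supported RSA algorithm");
                throw new APIManagementException("JWT signature algorithm is not a supported RSA algorithm");
            }

            // The algorithm check above only inspects the token header. The key type
            // must be checked separately, otherwise a non-RSA certificate under this
            // alias would surface as an unchecked ClassCastException.
            PublicKey publicKey = certificate.getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                log.error("Public key is not RSA");
                throw new APIManagementException("Public key is not RSA");
            }
            return verifyTokenSignature(signedJWT, (RSAPublicKey) publicKey);
        } catch (APIManagementException e) {
            throw new APIManagementException("Error retrieving certificate from truststore ", e);
        }
    }
}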
