package org.wso2.carbon.apimgt.impl.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.util.DateUtils;
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.common.gateway.dto.JWTValidationInfo;
import org.wso2.carbon.apimgt.common.gateway.dto.TokenIssuerDto;
import org.wso2.carbon.apimgt.common.gateway.exception.JWTGeneratorException;
import org.wso2.carbon.apimgt.common.gateway.jwttransformer.DefaultJWTTransformer;
import org.wso2.carbon.apimgt.common.gateway.jwttransformer.JWTTransformer;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.APIManagerConfiguration;
import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.impl.utils.JWTUtil;

/* loaded from: input_file:org/wso2/carbon/apimgt/impl/jwt/JWTValidatorImpl.class */
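public class JWTValidatorImpl implements JWTValidator {

    TokenIssuerDto tokenIssuer;
    private Log log = LogFactory.getLog(JWTValidatorImpl.class);
    JWTTransformer jwtTransformer;
    // Lazily fetched JWKS of the configured issuer; refreshed when a token carries an unknown kid.
    // NOTE(review): plain, non-volatile field written from request threads; no locking is visible here.
    private JWKSet jwkSet;

    /**
     * Validates a signed JWT issued by the configured token issuer.
     * <p>
     * Checks run in this order: signature, certificate binding (holder-of-key), expiry. Claims are only
     * consumed after the signature has been verified. Any failed check yields an invalid result carrying
     * {@code API_AUTH_INVALID_CREDENTIALS}.
     *
     * @param signedJWTInfo the parsed token plus the client certificate presented on the request (if any)
     * @return validation result; {@code isValid()} is false when any check fails
     * @throws APIManagementException if claims cannot be parsed or transformed
     */
    @Override
    public JWTValidationInfo validateToken(SignedJWTInfo signedJWTInfo) throws APIManagementException {
        JWTValidationInfo validationInfo = new JWTValidationInfo();
        try {
            if (!validateSignature(signedJWTInfo.getSignedJWT())) {
                return rejectWithInvalidCredentials(validationInfo);
            }
            JWTClaimsSet claims = signedJWTInfo.getJwtClaimsSet();
            if (!isValidCertificateBoundAccessToken(signedJWTInfo)) {
                return rejectWithInvalidCredentials(validationInfo);
            }
            if (!validateTokenExpiry(claims)) {
                return rejectWithInvalidCredentials(validationInfo);
            }
            validationInfo.setConsumerKey(getConsumerKey(claims));
            validationInfo.setScopes(getScopes(claims));
            validationInfo.setAppToken(getIsAppToken(claims));
            createJWTValidationInfoFromJWT(validationInfo, transformJWTClaims(claims));
            validationInfo.setRawPayload(signedJWTInfo.getToken());
            return validationInfo;
        } catch (ParseException | JWTGeneratorException e) {
            throw new APIManagementException("Error while parsing JWT", e);
        }
    }

    /** Marks the result as invalid with the "invalid credentials" status code and returns it. */
    private static JWTValidationInfo rejectWithInvalidCredentials(JWTValidationInfo validationInfo) {
        validationInfo.setValid(false);
        validationInfo.setValidationCode(APIConstants.KeyValidationStatus.API_AUTH_INVALID_CREDENTIALS);
        return validationInfo;
    }

    /**
     * Holder-of-key (certificate-bound access token) check.
     * <p>
     * When the feature is enabled and the token carries a certificate hash, the request must present a
     * client certificate whose thumbprint equals that hash. Tokens without a hash are not bound and pass.
     * <p>
     * Fix vs. previous behaviour: a bound token (non-empty hash) presented WITHOUT a client certificate
     * was accepted, so the binding could be bypassed by simply not doing mTLS. It is now rejected.
     * Assumes {@code getX509ClientCertificateHash()} is the hash carried by the token and
     * {@code getCertificateThumbprint()} is computed from the presented certificate — confirm in SignedJWTInfo.
     */
    private boolean isValidCertificateBoundAccessToken(SignedJWTInfo signedJWTInfo) {
        if (!isCertificateBoundAccessTokenEnabled()) {
            return true;
        }
        String boundCertificateHash = signedJWTInfo.getX509ClientCertificateHash();
        if (StringUtils.isEmpty(boundCertificateHash)) {
            // Token is not certificate-bound; nothing to compare against.
            return true;
        }
        if (signedJWTInfo.getX509ClientCertificate() == null) {
            log.debug("Certificate bound access token presented without a client certificate");
            return false;
        }
        return boundCertificateHash.equals(signedJWTInfo.getCertificateThumbprint());
    }

    /** Reads the certificate-bound-access-token switch from the API manager configuration (false if absent). */
    private boolean isCertificateBoundAccessTokenEnabled() {
        APIManagerConfiguration configuration =
                ServiceReferenceHolder.getInstance().getAPIManagerConfigurationService().getAPIManagerConfiguration();
        if (configuration == null) {
            return false;
        }
        return Boolean.parseBoolean(configuration.getFirstProperty(APIConstants.ENABLE_CERTIFICATE_BOUND_ACCESS_TOKEN));
    }

    /**
     * Binds this validator to an issuer and selects the claim transformer registered for that issuer,
     * falling back to {@link DefaultJWTTransformer}.
     */
    @Override
    public void loadTokenIssuerConfiguration(TokenIssuerDto tokenIssuerDto) {
        this.tokenIssuer = tokenIssuerDto;
        JWTTransformer registeredTransformer =
                ServiceReferenceHolder.getInstance().getJWTTransformer(this.tokenIssuer.getIssuer());
        this.jwtTransformer = registeredTransformer != null ? registeredTransformer : new DefaultJWTTransformer();
        this.jwtTransformer.loadConfiguration(this.tokenIssuer);
    }

    /**
     * Verifies the JWS signature. Key selection, in order:
     * <ul>
     *   <li>kid present and issuer JWKS enabled with a URL: RSA key with that kid from the (cached) JWKS;
     *       a non-RSA or missing key is rejected;</li>
     *   <li>kid present, JWKS not used, issuer certificate configured: that certificate's public key;</li>
     *   <li>kid present, neither configured: {@code JWTUtil} lookup by kid;</li>
     *   <li>no kid (or the JWKS RSA key yields no public key): the gateway's public certificate alias.</li>
     * </ul>
     * Fix vs. previous behaviour: a ParseException / JOSEException / IOException during verification
     * (JWKS endpoint unreachable, unparsable key set, malformed signature) returned TRUE, i.e. the token
     * was accepted without its signature ever being verified. This now fails closed and returns false.
     *
     * @return true only when the signature verified against the selected key
     */
    protected boolean validateSignature(SignedJWT signedJWT) throws APIManagementException {
        try {
            String keyID = signedJWT.getHeader().getKeyID();
            if (StringUtils.isNotEmpty(keyID)) {
                if (isJwksConfigured()) {
                    RSAKey rsaKey = lookupRsaKey(keyID);
                    if (rsaKey == null) {
                        if (log.isDebugEnabled()) {
                            log.debug("Key Algorithm not supported");
                        }
                        return false;
                    }
                    RSAPublicKey rsaPublicKey = rsaKey.toRSAPublicKey();
                    if (rsaPublicKey != null) {
                        return JWTUtil.verifyTokenSignature(signedJWT, rsaPublicKey);
                    }
                    // No public component in the JWK: fall through to the gateway alias (kept from original).
                } else if (this.tokenIssuer.getCertificate() != null) {
                    log.debug("Retrieve certificate from Token issuer and validating");
                    RSAPublicKey issuerKey = (RSAPublicKey) this.tokenIssuer.getCertificate().getPublicKey();
                    return JWTUtil.verifyTokenSignature(signedJWT, issuerKey);
                } else {
                    return JWTUtil.verifyTokenSignature(signedJWT, keyID);
                }
            }
            return JWTUtil.verifyTokenSignature(signedJWT, APIConstants.GATEWAY_PUBLIC_CERTIFICATE_ALIAS);
        } catch (ParseException | JOSEException | IOException e) {
            // Fail closed: an unverifiable signature is treated as an invalid one.
            log.error("Error while parsing JWT", e);
            return false;
        }
    }

    /** True when the issuer has JWKS lookup enabled and a non-empty JWKS URL. */
    private boolean isJwksConfigured() {
        return this.tokenIssuer.getJwksConfigurationDTO().isEnabled()
                && StringUtils.isNotEmpty(this.tokenIssuer.getJwksConfigurationDTO().getUrl());
    }

    /**
     * Returns the RSA JWK with the given kid from the cached JWKS, fetching the set if not yet cached and
     * re-fetching once if the kid is unknown. Returns null when the kid is still absent or is not an RSA key.
     * <p>
     * NOTE(review): every request carrying an unknown kid triggers a remote JWKS fetch; no back-off or
     * rate limit is visible here, so untrusted tokens can force one outbound request each.
     */
    private RSAKey lookupRsaKey(String keyID) throws IOException, ParseException {
        if (this.jwkSet == null) {
            this.jwkSet = retrieveJWKSet();
        }
        if (this.jwkSet.getKeyByKeyId(keyID) == null) {
            this.jwkSet = retrieveJWKSet();
        }
        Object jwk = this.jwkSet.getKeyByKeyId(keyID);
        return jwk instanceof RSAKey ? (RSAKey) jwk : null;
    }

    /**
     * Expiry check with the OAuth server's configured clock skew.
     * <p>
     * NOTE(review): a token with no {@code exp} claim is accepted (never expires), and {@code nbf} is not
     * checked here. Both are kept as in the original; tighten if the issuer always emits {@code exp}.
     */
    protected boolean validateTokenExpiry(JWTClaimsSet jWTClaimsSet) {
        long skewSeconds = ServiceReferenceHolder.getInstance().getOauthServerConfiguration().getTimeStampSkewInSeconds();
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime == null) {
            return true;
        }
        return DateUtils.isAfter(expirationTime, new Date(), skewSeconds);
    }

    /** Applies the issuer's claim transformer to the verified claims. */
    protected JWTClaimsSet transformJWTClaims(JWTClaimsSet jWTClaimsSet) throws JWTGeneratorException {
        return this.jwtTransformer.transform(jWTClaimsSet);
    }

    /** Consumer key as derived by the issuer's transformer. */
    protected String getConsumerKey(JWTClaimsSet jWTClaimsSet) throws JWTGeneratorException {
        return this.jwtTransformer.getTransformedConsumerKey(jWTClaimsSet);
    }

    /** Scopes as derived by the issuer's transformer. */
    protected List<String> getScopes(JWTClaimsSet jWTClaimsSet) throws JWTGeneratorException {
        return this.jwtTransformer.getTransformedScopes(jWTClaimsSet);
    }

    /** Whether the transformer classifies this as an application token. */
    protected Boolean getIsAppToken(JWTClaimsSet jWTClaimsSet) throws JWTGeneratorException {
        return this.jwtTransformer.getTransformedIsAppTokenType(jWTClaimsSet);
    }

    /** Copies issuer, subject, jti, times and the full claim map into the result and marks it valid. */
    private void createJWTValidationInfoFromJWT(JWTValidationInfo validationInfo, JWTClaimsSet claims)
            throws ParseException {
        validationInfo.setIssuer(claims.getIssuer());
        validationInfo.setValid(true);
        validationInfo.setClaims(new HashMap<>(claims.getClaims()));
        Date expirationTime = claims.getExpirationTime();
        if (expirationTime != null) {
            validationInfo.setExpiryTime(expirationTime.getTime());
        }
        Date issueTime = claims.getIssueTime();
        if (issueTime != null) {
            validationInfo.setIssuedTime(issueTime.getTime());
        }
        validationInfo.setUser(claims.getSubject());
        validationInfo.setJti(claims.getJWTID());
    }

    /** Fetches and parses the issuer's JWKS from its configured URL, caching it in {@link #jwkSet}. */
    private JWKSet retrieveJWKSet() throws IOException, ParseException {
        String jwksUrl = this.tokenIssuer.getJwksConfigurationDTO().getUrl();
        this.jwkSet = JWKSet.parse(JWTUtil.retrieveJWKSConfiguration(jwksUrl));
        return this.jwkSet;
    }
}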
