package io.curity.oauth;

import java.io.StringReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.json.JsonObject;
import javax.json.JsonReaderFactory;

/* loaded from: input_file:io/curity/oauth/AbstractJwtValidator.class */
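/**
 * Base class for validators of compact-serialised, RSA-signed JWTs.
 *
 * <p>A token is accepted only if it has exactly three dot-separated segments, its header names
 * the {@code RS256} algorithm, a verification key is supplied by {@link #getPublicKey(JwtHeader)},
 * the signature verifies, and the {@code aud}, {@code iss}, {@code exp} and {@code iat} claims
 * match the configured audience and issuer and the current time.
 *
 * <p>Decoded headers and bodies are deliberately not cached. Both segments are read before the
 * signature is checked, so a cache keyed on them would grow without bound on unauthenticated
 * input, and a plain {@code HashMap} is not safe if one validator instance is shared by threads.
 */
abstract class AbstractJwtValidator implements JwtValidator {
    private static final Logger _logger = Logger.getLogger(AbstractJwtValidator.class.getName());

    private final JsonReaderFactory _jsonReaderFactory;
    private final String _audience;
    private final String _issuer;

    /**
     * Read-only view of a decoded JWT header.
     *
     * <p>Instances are built from the header segment before the signature is verified, so every
     * value returned here is untrusted input.
     * (The decompiler notes that this type was package-private in the original class file.)
     */
    public class JwtHeader {
        private final JsonObject _jsonObject;

        JwtHeader(JsonObject jsonObject) {
            this._jsonObject = jsonObject;
        }

        /** Returns the {@code alg} header value as read by {@code JsonUtils.getString}. */
        String getAlgorithm() {
            return getString("alg");
        }

        /** Returns the {@code kid} header value as read by {@code JsonUtils.getString}. */
        public String getKeyId() {
            return getString("kid");
        }

        /**
         * Returns the header member called {@code str}, looked up with {@code JsonUtils.getString}.
         *
         * @param str name of the header member
         */
        public String getString(String str) {
            return JsonUtils.getString(this._jsonObject, str);
        }
    }

    /**
     * @param str the issuer every accepted token must carry in {@code iss}
     * @param str2 the audience every accepted token must carry in {@code aud}
     * @param jsonReaderFactory factory used to parse the header and body JSON
     */
    public AbstractJwtValidator(String str, String str2, JsonReaderFactory jsonReaderFactory) {
        this._issuer = str;
        this._audience = str2;
        this._jsonReaderFactory = jsonReaderFactory;
    }

    /**
     * Validates a compact-serialised JWT and returns its claims.
     *
     * <p>The signature is verified before any claim is evaluated. Malformed input (null, wrong
     * number of segments, invalid base64url, unparsable JSON) is reported as
     * {@link InvalidTokenFormatException} rather than as an unchecked exception.
     *
     * @param str the serialised token
     * @return the decoded body wrapped in {@link JsonData}
     * @throws TokenValidationException if the token is malformed, not signed with a recognised
     *     algorithm and known key, or fails a claim check
     */
    @Override // io.curity.oauth.JwtValidator, io.curity.oauth.TokenValidator
    public final JsonData validate(String str) throws TokenValidationException {
        if (str == null) {
            throw new InvalidTokenFormatException();
        }
        // Limit -1 keeps trailing empty segments, so "h.b.s." is rejected instead of being
        // silently treated as the three-segment token "h.b.s".
        String[] parts = str.split("\\.", -1);
        if (parts.length != 3) {
            throw new InvalidTokenFormatException();
        }

        JsonObject body;
        JwtHeader header;
        byte[] signatureBytes;
        try {
            body = decodeJwtBody(parts[1]);
            header = decodeJwtHeader(parts[0]);
            signatureBytes = Base64.getUrlDecoder().decode(parts[2]);
        } catch (RuntimeException e) {
            // Bad base64url or bad JSON in attacker-supplied input is a format error, not a
            // server fault; the token itself is not written to the log.
            _logger.log(Level.INFO, "Could not decode token", (Throwable) e);
            throw new InvalidTokenFormatException();
        }

        validateSignature(header, body, signatureBytes, convertToBytes(parts[0] + "." + parts[1]));

        try {
            long expiresAt = JsonUtils.getLong(body, "exp");
            long issuedAt = JsonUtils.getLong(body, "iat");
            String audience = JsonUtils.getString(body, "aud");
            String issuer = JsonUtils.getString(body, "iss");
            // Explicit checks instead of assert: assertions are normally disabled in production,
            // and when enabled an AssertionError would escape the catch below.
            if (audience == null || audience.isEmpty()) {
                throw new InvalidTokenFormatException("aud claim is not present in JWT");
            }
            if (issuer == null || issuer.isEmpty()) {
                throw new InvalidTokenFormatException("iss claim is not present in JWT");
            }
            if (!audience.equals(this._audience)) {
                throw new InvalidAudienceException(this._audience, audience);
            }
            if (!issuer.equals(this._issuer)) {
                throw new InvalidIssuerException(this._issuer, issuer);
            }
            // Both time checks compare whole seconds and allow no clock-skew margin.
            long nowSeconds = Instant.now().getEpochSecond();
            if (nowSeconds > expiresAt) {
                throw new ExpiredTokenException();
            }
            if (nowSeconds < issuedAt) {
                throw new InvalidIssuanceInstantException();
            }
            return new JsonData(body);
        } catch (Exception e) {
            // NOTE(review): this catch-all also intercepts the audience, issuer, expiry and
            // issuance exceptions thrown just above, so callers only ever see
            // InvalidTokenFormatException from this stage. Kept as found; confirm it is intended.
            _logger.log(Level.INFO, "Could not extract token data", (Throwable) e);
            throw new InvalidTokenFormatException("Failed to extract data from Token");
        }
    }

    /**
     * Checks the header algorithm, resolves the verification key and verifies the signature.
     *
     * @param jwtHeader decoded, still unauthenticated header
     * @param jsonObject decoded body (not used by this method)
     * @param bArr decoded signature bytes
     * @param bArr2 bytes of {@code header + "." + body} exactly as received
     * @throws TokenValidationException if the algorithm is missing or unrecognised, no key is
     *     found, or the signature does not verify
     */
    private void validateSignature(JwtHeader jwtHeader, JsonObject jsonObject, byte[] bArr, byte[] bArr2) throws TokenValidationException {
        String algorithm = jwtHeader.getAlgorithm();
        if (algorithm == null || algorithm.isEmpty()) {
            throw new MissingAlgorithmException();
        }
        if (!canRecognizeAlg(algorithm)) {
            // The value comes from an unverified header: neutralise control characters so it
            // cannot forge or split log lines.
            String printableAlgorithm = algorithm.replaceAll("\\p{Cntrl}", "?");
            _logger.warning(() -> String.format("Requested JsonWebKey using unrecognizable alg: %s", printableAlgorithm));
            throw new UnknownAlgorithmException(algorithm);
        }
        Optional<PublicKey> publicKey = getPublicKey(jwtHeader);
        if (!publicKey.isPresent()) {
            _logger.warning("Received token but could not find matching key");
            throw new UnknownSignatureVerificationKey();
        }
        if (!verifySignature(bArr2, bArr, publicKey.get())) {
            throw new InvalidSignatureException();
        }
    }

    /**
     * Supplies the public key used to verify the token with the given header.
     *
     * <p>This is called before the signature has been verified, so the header is untrusted:
     * implementations should treat its values (such as {@code kid}) only as a lookup into key
     * material they already trust.
     *
     * @param jwtHeader decoded header of the token being validated
     * @return the verification key, or empty if no matching key is known
     */
    protected abstract Optional<PublicKey> getPublicKey(JwtHeader jwtHeader);

    /**
     * Converts the signing input to bytes by keeping the low eight bits of each character.
     *
     * <p>Both segments have already passed base64url decoding when this is called, so the
     * narrowing is lossless for the input it sees.
     */
    private byte[] convertToBytes(String str) {
        byte[] bytes = new byte[str.length()];
        for (int i = 0; i < bytes.length; i++) {
            bytes[i] = (byte) str.charAt(i);
        }
        return bytes;
    }

    /**
     * Verifies an RSASSA-PKCS1-v1_5 / SHA-256 signature.
     *
     * @param bArr the signed bytes
     * @param bArr2 the signature to check
     * @param publicKey the verification key
     * @return {@code true} if the signature is valid; {@code false} if it is wrong or malformed
     * @throws RuntimeException if the algorithm is unavailable or the key cannot be used
     */
    private boolean verifySignature(byte[] bArr, byte[] bArr2, PublicKey publicKey) {
        try {
            // The JCA algorithm is fixed here and never derived from the token header.
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(publicKey);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (java.security.SignatureException e) {
            // Raised for signatures the provider cannot process (for example a wrong length);
            // that is an invalid token, not a server-side failure.
            _logger.log(Level.INFO, "JWT signature could not be processed", (Throwable) e);
            return false;
        } catch (Exception e) {
            throw new RuntimeException("Unable to validate JWT signature", e);
        }
    }

    /** Returns whether {@code str} is the single supported algorithm, {@code RS256}. */
    private boolean canRecognizeAlg(String str) {
        return str.equals("RS256");
    }

    /**
     * Decodes a base64url body segment and parses it as a JSON object.
     *
     * @throws RuntimeException if the segment is not valid base64url or not a JSON object
     */
    private JsonObject decodeJwtBody(String str) {
        String json = new String(Base64.getUrlDecoder().decode(str), StandardCharsets.UTF_8);
        return this._jsonReaderFactory.createReader(new StringReader(json)).readObject();
    }

    /**
     * Decodes a base64url header segment and parses it as a JSON object.
     *
     * <p>JWT segments use the URL-safe alphabet; the basic decoder rejects {@code -} and
     * {@code _}, which made valid headers containing them fail.
     *
     * @throws RuntimeException if the segment is not valid base64url or not a JSON object
     */
    private JwtHeader decodeJwtHeader(String str) {
        String json = new String(Base64.getUrlDecoder().decode(str), StandardCharsets.UTF_8);
        return new JwtHeader(this._jsonReaderFactory.createReader(new StringReader(json)).readObject());
    }
}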
