package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.SecureString;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwtValidateUtil.class */
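/**
 * Validation and signing helpers for {@link SignedJWT} values used by the JWT realm.
 *
 * <p>{@link #validate} runs the individual checks in a fixed order: header {@code typ}, issuer,
 * audiences, signature algorithm allow-list, the four time claims, and the signature last. Every
 * check throws a plain {@link Exception} whose message names the rejected value and what was
 * allowed; callers are expected to catch {@code Exception}.
 *
 * <p>All methods are stateless static helpers; the class holds only a logger and an immutable
 * header-type verifier, so it is safe to call from any thread.
 */
public class JwtValidateUtil {
    private static final Logger LOGGER = LogManager.getLogger(JwtValidateUtil.class);

    // Accepts a "typ" header of "JWT" and also an absent "typ" (the null entry); any other value is
    // rejected by validateType.
    private static final JOSEObjectTypeVerifier<SecurityContext> JWT_HEADER_TYPE_VERIFIER =
        new DefaultJOSEObjectTypeVerifier<>(JOSEObjectType.JWT, null);

    /**
     * Runs every validation step against {@code signedJWT}, throwing on the first failure.
     *
     * @param signedJWT parsed (but not yet verified) JWT
     * @param allowedIssuer the single issuer value the {@code iss} claim must equal
     * @param allowedAudiences at least one of these must appear in the {@code aud} claim
     * @param allowedClockSkewSeconds tolerance applied to {@code auth_time}, {@code iat},
     *        {@code nbf} and {@code exp}; must be non-negative
     * @param allowedSignatureAlgorithms allow-list of JWS {@code alg} names
     * @param jwks non-empty candidate keys used to verify the signature
     * @throws Exception if any check fails, with a message naming the rejected value
     */
    public static void validate(
        SignedJWT signedJWT,
        String allowedIssuer,
        List<String> allowedAudiences,
        long allowedClockSkewSeconds,
        List<String> allowedSignatureAlgorithms,
        List<JWK> jwks
    ) throws Exception {
        final Date now = new Date();
        if (LOGGER.isDebugEnabled()) {
            final JWSHeader header = signedJWT.getHeader();
            final JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
            // Logged before the signature has been verified, so every value below is still
            // attacker-controlled input; the parameterized log call keeps it out of the format string.
            LOGGER.debug(
                "Validating JWT, now [{}], alg [{}], issuer [{}], audiences [{}], typ [{}], auth_time [{}], iat [{}], nbf [{}], exp [{}], kid [{}], jti [{}]",
                now,
                header.getAlgorithm(),
                claims.getIssuer(),
                claims.getAudience(),
                header.getType(),
                claims.getDateClaim("auth_time"),
                claims.getIssueTime(),
                claims.getNotBeforeTime(),
                claims.getExpirationTime(),
                header.getKeyID(),
                claims.getJWTID()
            );
        }
        validateType(signedJWT);
        validateIssuer(signedJWT, allowedIssuer);
        validateAudiences(signedJWT, allowedAudiences);
        // The algorithm allow-list runs before signature verification so that validateSignature
        // only ever tries an algorithm the realm configuration permits.
        validateSignatureAlgorithm(signedJWT, allowedSignatureAlgorithms);
        validateAuthTime(signedJWT, now, allowedClockSkewSeconds);
        validateIssuedAtTime(signedJWT, now, allowedClockSkewSeconds);
        validateNotBeforeTime(signedJWT, now, allowedClockSkewSeconds);
        validateExpiredTime(signedJWT, now, allowedClockSkewSeconds);
        validateSignature(signedJWT, jwks);
    }

    /**
     * Rejects any {@code typ} header other than {@code JWT} or absent.
     *
     * @throws Exception wrapping the verifier's failure, with the offending type in the message
     */
    public static void validateType(SignedJWT signedJWT) throws Exception {
        final JOSEObjectType type = signedJWT.getHeader().getType();
        try {
            JWT_HEADER_TYPE_VERIFIER.verify(type, null);
        } catch (Exception e) {
            throw new Exception("Invalid JWT type [" + type + "].", e);
        }
    }

    /**
     * Requires the {@code iss} claim to be present and exactly equal to {@code allowedIssuer}.
     *
     * @throws Exception if the claim is missing or differs
     */
    public static void validateIssuer(SignedJWT signedJWT, String allowedIssuer) throws Exception {
        final String issuer = signedJWT.getJWTClaimsSet().getIssuer();
        if (issuer == null || allowedIssuer.equals(issuer) == false) {
            throw new Exception("Rejected issuer [" + issuer + "]. Allowed [" + allowedIssuer + "]");
        }
    }

    /**
     * Requires at least one of {@code allowedAudiences} to appear in the {@code aud} claim.
     * A missing {@code aud} claim is rejected.
     *
     * @throws Exception if there is no overlap between the claim and the allow-list
     */
    public static void validateAudiences(SignedJWT signedJWT, List<String> allowedAudiences) throws Exception {
        final List<String> audiences = signedJWT.getJWTClaimsSet().getAudience();
        if (audiences != null && allowedAudiences.stream().anyMatch(audiences::contains)) {
            return;
        }
        throw new Exception(
            "Rejected audiences [" + (audiences == null ? "null" : String.join(",", audiences)) + "]. Allowed [" + allowedAudiences + "]"
        );
    }

    /**
     * Requires the JWS {@code alg} header to be present and listed by name in
     * {@code allowedAlgorithms}. This is the allow-list that keeps unexpected or downgraded
     * algorithms from reaching signature verification.
     *
     * @throws Exception if the header is missing or not allowed
     */
    public static void validateSignatureAlgorithm(SignedJWT signedJWT, List<String> allowedAlgorithms) throws Exception {
        final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        if (algorithm == null || allowedAlgorithms.contains(algorithm.getName()) == false) {
            throw new Exception("Rejected algorithm [" + algorithm + "]. Allowed [" + String.join(",", allowedAlgorithms) + "]");
        }
    }

    /** Validates the optional {@code auth_time} claim; see {@link #validateAuthTime(Date, Date, long)}. */
    public static void validateAuthTime(SignedJWT signedJWT, Date now, long allowedClockSkewSeconds) throws Exception {
        validateAuthTime(signedJWT.getJWTClaimsSet().getDateClaim("auth_time"), now, allowedClockSkewSeconds);
    }

    /**
     * Rejects an {@code auth_time} that lies more than {@code allowedClockSkewSeconds} in the future.
     * The claim is optional: {@code null} passes.
     *
     * @throws Exception if {@code now} is null, the skew is negative, or the claim is too far ahead
     */
    static void validateAuthTime(Date authTime, Date now, long allowedClockSkewSeconds) throws Exception {
        if (authTime == null) {
            return;
        }
        if (now == null) {
            throw new Exception("Invalid now [null].");
        }
        if (allowedClockSkewSeconds < 0) {
            throw new Exception("Invalid negative allowedClockSkewSeconds [" + allowedClockSkewSeconds + "].");
        }
        final long skewMillis = allowedClockSkewSeconds * 1000L;
        if (authTime.getTime() - skewMillis > now.getTime()) {
            throw new Exception(
                "Invalid auth_time [" + authTime.getTime() + "ms/" + authTime + "] > now [" + now.getTime() + "ms/" + now
                    + "] with skew [" + skewMillis + "ms]."
            );
        }
    }

    /** Validates the required {@code iat} claim; see {@link #validateIssuedAtTime(Date, Date, long)}. */
    public static void validateIssuedAtTime(SignedJWT signedJWT, Date now, long allowedClockSkewSeconds) throws Exception {
        validateIssuedAtTime(signedJWT.getJWTClaimsSet().getIssueTime(), now, allowedClockSkewSeconds);
    }

    /**
     * Rejects a missing {@code iat} and an {@code iat} more than {@code allowedClockSkewSeconds}
     * in the future.
     *
     * @throws Exception if the claim or {@code now} is null, the skew is negative, or the claim is too far ahead
     */
    static void validateIssuedAtTime(Date issuedAt, Date now, long allowedClockSkewSeconds) throws Exception {
        if (issuedAt == null) {
            throw new Exception("Invalid iat [null].");
        }
        if (now == null) {
            throw new Exception("Invalid now [null].");
        }
        if (allowedClockSkewSeconds < 0) {
            throw new Exception("Invalid negative allowedClockSkewSeconds [" + allowedClockSkewSeconds + "].");
        }
        final long skewMillis = allowedClockSkewSeconds * 1000L;
        if (issuedAt.getTime() - skewMillis > now.getTime()) {
            throw new Exception(
                "Invalid iat [" + issuedAt.getTime() + "ms/" + issuedAt + "] > now [" + now.getTime() + "ms/" + now
                    + "] with skew [" + skewMillis + "ms]."
            );
        }
    }

    /** Validates the optional {@code nbf} claim; see {@link #validateNotBeforeTime(Date, Date, long)}. */
    public static void validateNotBeforeTime(SignedJWT signedJWT, Date now, long allowedClockSkewSeconds) throws Exception {
        validateNotBeforeTime(signedJWT.getJWTClaimsSet().getNotBeforeTime(), now, allowedClockSkewSeconds);
    }

    /**
     * Rejects an {@code nbf} more than {@code allowedClockSkewSeconds} in the future.
     * The claim is optional: {@code null} passes.
     *
     * @throws Exception if {@code now} is null, the skew is negative, or the token is not yet valid
     */
    static void validateNotBeforeTime(Date notBefore, Date now, long allowedClockSkewSeconds) throws Exception {
        if (notBefore == null) {
            return;
        }
        if (now == null) {
            throw new Exception("Invalid now [null].");
        }
        if (allowedClockSkewSeconds < 0) {
            throw new Exception("Invalid negative allowedClockSkewSeconds [" + allowedClockSkewSeconds + "].");
        }
        final long skewMillis = allowedClockSkewSeconds * 1000L;
        if (notBefore.getTime() - skewMillis > now.getTime()) {
            throw new Exception(
                "Invalid nbf [" + notBefore.getTime() + "ms/" + notBefore + "] > now [" + now.getTime() + "ms/" + now
                    + "] with skew [" + skewMillis + "ms]."
            );
        }
    }

    /** Validates the required {@code exp} claim; see {@link #validateExpiredTime(Date, Date, long)}. */
    public static void validateExpiredTime(SignedJWT signedJWT, Date now, long allowedClockSkewSeconds) throws Exception {
        validateExpiredTime(signedJWT.getJWTClaimsSet().getExpirationTime(), now, allowedClockSkewSeconds);
    }

    /**
     * Rejects a missing {@code exp} and a token whose {@code exp} is not strictly after
     * {@code now - allowedClockSkewSeconds}. Unlike the other time checks this comparison is
     * inclusive: an {@code exp} exactly equal to the skew-adjusted now is expired.
     *
     * @throws Exception if the claim or {@code now} is null, the skew is negative, or the token has expired
     */
    static void validateExpiredTime(Date expiration, Date now, long allowedClockSkewSeconds) throws Exception {
        if (expiration == null) {
            throw new Exception("Invalid exp [null].");
        }
        if (now == null) {
            throw new Exception("Invalid now [null].");
        }
        if (allowedClockSkewSeconds < 0) {
            throw new Exception("Invalid allowedClockSkewSeconds [" + allowedClockSkewSeconds + "] < 0.");
        }
        final long skewMillis = allowedClockSkewSeconds * 1000L;
        if (now.getTime() - skewMillis >= expiration.getTime()) {
            throw new Exception(
                "Invalid exp [" + expiration.getTime() + "ms/" + expiration + "] < now [" + now.getTime() + "ms/" + now
                    + "] with skew [" + skewMillis + "ms]."
            );
        }
    }

    /**
     * Verifies the JWS signature against the candidate keys, succeeding on the first key that verifies.
     *
     * <p>Candidates are narrowed in three steps before any cryptographic work: a JWK is kept when
     * its {@code kid} matches the header {@code kid} (a missing {@code kid} on either side matches
     * everything), when its {@code alg} matches the header {@code alg} (a JWK without {@code alg}
     * matches everything), and when {@link JwkValidateUtil#isMatch} accepts it for the header
     * algorithm. Because a key without {@code kid} and {@code alg} is tried against every token,
     * callers should pass keys already scoped to this realm.
     *
     * <p>Assumes the header algorithm has already passed {@link #validateSignatureAlgorithm}; a
     * null algorithm here would fail with a {@code NullPointerException}.
     *
     * @param jwks non-empty candidate keys (asserted, not validated)
     * @throws Exception if no candidate key verifies the signature
     */
    public static void validateSignature(SignedJWT signedJWT, List<JWK> jwks) throws Exception {
        assert jwks != null && jwks.isEmpty() == false : "Caller must provide a non-empty JWK list";
        final String keyID = signedJWT.getHeader().getKeyID();
        final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        LOGGER.trace("JWKs [{}], JWT KID [{}], and JWT Algorithm [{}] before filters.", jwks.size(), keyID, algorithm.getName());

        final List<JWK> byKeyId = jwks.stream()
            .filter(jwk -> keyID == null || jwk.getKeyID() == null || keyID.equals(jwk.getKeyID()))
            .toList();
        LOGGER.trace("JWKs [{}] after KID [{}](|null) filter.", byKeyId.size(), keyID);

        final List<JWK> byAlgorithm = byKeyId.stream()
            .filter(jwk -> jwk.getAlgorithm() == null || algorithm.equals(jwk.getAlgorithm()))
            .toList();
        LOGGER.trace("JWKs [{}] after Algorithm [{}](|null) filter.", byAlgorithm.size(), algorithm.getName());

        // JwkValidateUtil.isMatch is defined elsewhere; presumably it checks that the key type and
        // parameters fit the algorithm family — confirm against JwkValidateUtil.
        final List<JWK> candidates = byAlgorithm.stream()
            .filter(jwk -> JwkValidateUtil.isMatch(jwk, algorithm.getName()))
            .toList();
        LOGGER.debug("JWKs [{}] after Algorithm [{}] match filter.", candidates.size(), algorithm);

        for (JWK candidate : candidates) {
            if (signedJWT.verify(createJwsVerifier(candidate))) {
                return;
            }
        }
        throw new Exception("Verify failed using " + candidates.size() + " of " + jwks.size() + " provided JWKs.");
    }

    /**
     * Builds the Nimbus verifier matching the concrete JWK type: RSA, EC, or symmetric (HMAC).
     *
     * @throws JOSEException if the JWK is null or of an unsupported class, or Nimbus rejects the key
     */
    public static JWSVerifier createJwsVerifier(JWK jwk) throws JOSEException {
        if (jwk instanceof RSAKey rsaKey) {
            return new RSASSAVerifier(rsaKey);
        }
        if (jwk instanceof ECKey ecKey) {
            return new ECDSAVerifier(ecKey);
        }
        if (jwk instanceof OctetSequenceKey octKey) {
            return new MACVerifier(octKey);
        }
        throw createExceptionInvalidJwkClass(jwk);
    }

    /**
     * Builds the Nimbus signer matching the concrete JWK type: RSA, EC, or symmetric (HMAC).
     *
     * @throws JOSEException if the JWK is null or of an unsupported class, or Nimbus rejects the key
     */
    public static JWSSigner createJwsSigner(JWK jwk) throws JOSEException {
        if (jwk instanceof RSAKey rsaKey) {
            return new RSASSASigner(rsaKey);
        }
        if (jwk instanceof ECKey ecKey) {
            return new ECDSASigner(ecKey);
        }
        if (jwk instanceof OctetSequenceKey octKey) {
            return new MACSigner(octKey);
        }
        throw createExceptionInvalidJwkClass(jwk);
    }

    /** Shared error for {@link #createJwsVerifier} and {@link #createJwsSigner}; names the supported classes. */
    private static JOSEException createExceptionInvalidJwkClass(JWK jwk) {
        final String actual = jwk == null ? "null" : jwk.getClass().getCanonicalName();
        return new JOSEException(
            "Unsupported JWK class [" + actual + "]. Supported classes are [" + RSAKey.class.getCanonicalName() + ", "
                + ECKey.class.getCanonicalName() + ", " + OctetSequenceKey.class.getCanonicalName() + "]."
        );
    }

    /**
     * Assembles a compact-serialized JWT from an already computed signature.
     *
     * @param header JWS header
     * @param claimsSet payload claims
     * @param signature base64url-encoded signature over {@code header.payload}
     * @return the serialized JWT wrapped in a {@link SecureString}
     */
    public static SecureString buildJwt(JWSHeader header, JWTClaimsSet claimsSet, Base64URL signature) throws Exception {
        final SignedJWT jwt = new SignedJWT(header.toBase64URL(), claimsSet.toPayload().toBase64URL(), signature);
        return new SecureString(jwt.serialize().toCharArray());
    }

    /** Creates an unsigned {@link SignedJWT} from a header and claims, ready for {@link #signJwt}. */
    public static SignedJWT buildUnsignedJwt(JWSHeader header, JWTClaimsSet claimsSet) {
        return new SignedJWT(header, claimsSet);
    }

    /**
     * Verifies {@code signedJWT} with the single key {@code jwk}.
     *
     * @return {@code true} if the signature verifies
     * @throws Exception if the JWK type is unsupported or Nimbus fails to verify
     */
    public static boolean verifyJwt(JWK jwk, SignedJWT signedJWT) throws Exception {
        return signedJWT.verify(createJwsVerifier(jwk));
    }

    /**
     * Signs a copy of {@code signedJWT} with {@code jwk} and returns the compact serialization.
     * The header and claims are copied into a fresh {@link SignedJWT}, so the input instance is not mutated.
     *
     * @throws Exception if the JWK type is unsupported or signing fails
     */
    public static SecureString signJwt(JWK jwk, SignedJWT signedJWT) throws Exception {
        final SignedJWT toSign = new SignedJWT(signedJWT.getHeader(), signedJWT.getJWTClaimsSet());
        toSign.sign(createJwsSigner(jwk));
        return new SecureString(toSign.serialize().toCharArray());
    }
}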
