package io.openliberty.security.common.jwt.jws;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import io.openliberty.security.common.jwt.JwtParsingUtils;
import io.openliberty.security.common.jwt.exceptions.JwtContextMissingJoseObjects;
import io.openliberty.security.common.jwt.exceptions.SignatureAlgorithmNotInAllowedList;
import io.openliberty.security.common.jwt.exceptions.SigningKeyNotSpecifiedException;
import java.security.Key;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;

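@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:io/openliberty/security/common/jwt/jws/JwsSignatureVerifier.class */
/**
 * Verifies the JWS signature of an already-parsed JWT against an algorithm allow-list and an
 * optional verification key.
 *
 * <p>The allow-list is fixed at build time. A single {@code signatureAlgorithm}, when set, takes
 * precedence over the {@code signatureAlgorithmsSupported} list; when neither is configured the
 * verifier accepts {@code RS256} only. The {@code "none"} algorithm is honoured only when it is
 * present in that allow-list, in which case the token is processed <em>unsigned</em>, so it should
 * be allow-listed deliberately.
 *
 * <p>Instances are immutable once built. The list returned by
 * {@link #getSignatureAlgorithmsSupported()} is an unmodifiable snapshot, so neither later writes to
 * the caller's varargs array nor {@code List.set} on the returned list can change which algorithms
 * are accepted.
 */
public class JwsSignatureVerifier {
    private static final TraceComponent tc = Tr.register(JwsSignatureVerifier.class, (String) null, (String) null);

    /** Algorithm accepted when neither a single algorithm nor an allow-list was configured. */
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "RS256";
    /** JWS {@code alg} header value meaning "unsigned"; only honoured when explicitly allow-listed. */
    private static final String ALG_NONE = "none";

    private final Key key;
    private final String signatureAlgorithm;
    private final List<String> signatureAlgorithmsSupported;
    static final long serialVersionUID = -2371047077102890785L;

    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    @TraceOptions
    /* loaded from: input_file:io/openliberty/security/common/jwt/jws/JwsSignatureVerifier$Builder.class */
    /**
     * Collects the verification key and algorithm policy for a {@link JwsSignatureVerifier}.
     * All settings are optional; see {@link JwsSignatureVerifier#getSignatureAlgorithmsSupported()}
     * for how the two algorithm settings combine.
     */
    public static class Builder {
        private Key key = null;
        private String signatureAlgorithm = null;
        private List<String> signatureAlgorithmsSupported = null;
        static final long serialVersionUID = 6951115412487941774L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("io.openliberty.security.common.jwt.jws.JwsSignatureVerifier$Builder", Builder.class, (String) null, (String) null);

        /**
         * Sets the key used to verify the signature. Required for every algorithm other than
         * {@code "none"}; {@link JwsSignatureVerifier#createJwtConsumerBuilderWithConstraints(String)}
         * rejects signed tokens when it is absent.
         *
         * @param key verification key (public key or shared secret), may be {@code null}
         * @return this builder
         */
        public Builder key(Key key) {
            this.key = key;
            return this;
        }

        /**
         * Restricts verification to exactly one algorithm. Overrides
         * {@link #signatureAlgorithmsSupported(String...)} when both are set.
         *
         * @param str JWS {@code alg} name, or {@code null} to clear
         * @return this builder
         */
        public Builder signatureAlgorithm(String str) {
            this.signatureAlgorithm = str;
            return this;
        }

        /**
         * Sets the allow-list of acceptable JWS {@code alg} names. The array is snapshotted when
         * {@link #build()} runs.
         *
         * @param strArr allowed algorithm names; must not be {@code null} (an empty list allows nothing)
         * @return this builder
         */
        public Builder signatureAlgorithmsSupported(String... strArr) {
            this.signatureAlgorithmsSupported = Arrays.asList(strArr);
            return this;
        }

        /** @return a verifier holding an immutable copy of this builder's settings */
        public JwsSignatureVerifier build() {
            return new JwsSignatureVerifier(this);
        }
    }

    private JwsSignatureVerifier(Builder builder) {
        this.key = builder.key;
        this.signatureAlgorithm = builder.signatureAlgorithm;
        // Snapshot the allow-list: the builder only holds an Arrays.asList view over the caller's
        // varargs array, which would otherwise let later writes to that array (or List.set on the
        // list handed out by getSignatureAlgorithmsSupported) change which algorithms are accepted.
        this.signatureAlgorithmsSupported = builder.signatureAlgorithmsSupported == null
                ? null
                : Collections.unmodifiableList(new ArrayList<String>(builder.signatureAlgorithmsSupported));
    }

    /**
     * Returns the JWS algorithms this verifier accepts, in precedence order: the single configured
     * algorithm if set, otherwise the configured allow-list, otherwise {@code RS256}.
     *
     * @return an unmodifiable list of algorithm names; empty only if an empty allow-list was configured
     */
    public List<String> getSignatureAlgorithmsSupported() {
        if (this.signatureAlgorithm != null) {
            return Collections.singletonList(this.signatureAlgorithm);
        }
        if (this.signatureAlgorithmsSupported != null) {
            return this.signatureAlgorithmsSupported;
        }
        return Collections.singletonList(DEFAULT_SIGNATURE_ALGORITHM);
    }

    /**
     * Checks only the JWS {@code alg} header against an allow-list; the signature itself is not
     * verified here. Doing this before any cryptographic work keeps an attacker-chosen {@code alg}
     * from steering which verification path runs.
     *
     * @param jwtContext parsed token whose protected header is inspected
     * @param list allowed algorithm names, compared exactly (case-sensitive)
     * @return the header's {@code alg} value, which is guaranteed to be in {@code list}
     * @throws JwtContextMissingJoseObjects if the context carries no JOSE structure to read the header from
     * @throws SignatureAlgorithmNotInAllowedList if the header value (including an absent header) is not allow-listed
     * @throws NullPointerException if {@code list} is {@code null}
     */
    public static String verifyJwsAlgHeaderOnly(JwtContext jwtContext, List<String> list) throws JwtContextMissingJoseObjects, SignatureAlgorithmNotInAllowedList {
        Objects.requireNonNull(list, "allowed signature algorithms");
        String algorithmHeaderValue = JwtParsingUtils.getJsonWebStructureFromJwtContext(jwtContext).getAlgorithmHeaderValue();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Signing algorithm from header: " + algorithmHeaderValue, new Object[0]);
        }
        // An absent header yields null and is rejected like any other unlisted value.
        if (!list.contains(algorithmHeaderValue)) {
            throw new SignatureAlgorithmNotInAllowedList(algorithmHeaderValue, list);
        }
        return algorithmHeaderValue;
    }

    /**
     * Validates the token's signature under this verifier's policy and returns its claims.
     *
     * <p>Only the algorithm allow-list and the signature are enforced here; the consumer built by
     * {@link #createJwtConsumerBuilderWithConstraints(String)} does not require issuer, audience or
     * expiration claims, so callers must validate those on the returned claims.
     *
     * @param jwtContext parsed token to validate
     * @return the token's claims once the signature (or the allow-listed {@code "none"} case) is accepted
     * @throws JwtContextMissingJoseObjects if the context carries no JOSE structure
     * @throws SignatureAlgorithmNotInAllowedList if the {@code alg} header is not allow-listed
     * @throws SigningKeyNotSpecifiedException if a signed algorithm was selected but no key was configured
     * @throws InvalidJwtException if jose4j rejects the token (bad signature, malformed, ...)
     */
    public JwtClaims validateJwsSignature(JwtContext jwtContext) throws JwtContextMissingJoseObjects, SignatureAlgorithmNotInAllowedList, SigningKeyNotSpecifiedException, InvalidJwtException {
        // The header check runs first so the consumer is only ever built for an allow-listed algorithm.
        String algorithm = verifyJwsAlgHeaderOnly(jwtContext, getSignatureAlgorithmsSupported());
        JwtConsumerBuilder consumerBuilder = createJwtConsumerBuilderWithConstraints(algorithm);
        return consumerBuilder.build().process(jwtContext.getJwt()).getJwtClaims();
    }

    /**
     * Builds a jose4j consumer constrained to this verifier's algorithm allow-list and key.
     *
     * <p>Behaviour worth knowing when auditing: default audience validation is skipped (the caller
     * owns audience checks); for {@code "none"} the consumer is told a signature is neither required
     * nor verified; for every other algorithm the configured key is installed and jose4j's
     * verification-key validation is relaxed, so key-strength minimums are not enforced here.
     *
     * @param str the already allow-listed {@code alg} value the token declares
     * @return a consumer builder ready for {@code build()}
     * @throws SigningKeyNotSpecifiedException if {@code str} is not {@code "none"} and no key was configured
     */
    public JwtConsumerBuilder createJwtConsumerBuilderWithConstraints(String str) throws SigningKeyNotSpecifiedException {
        JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder();
        setJwsAlgorithmConstraints(jwtConsumerBuilder);
        jwtConsumerBuilder.setSkipDefaultAudienceValidation();
        if (ALG_NONE.equals(str)) {
            // Unsigned token: reachable only because "none" was explicitly allow-listed.
            jwtConsumerBuilder.setDisableRequireSignature().setSkipSignatureVerification();
        } else {
            if (this.key == null) {
                throw new SigningKeyNotSpecifiedException(str);
            }
            jwtConsumerBuilder.setVerificationKey(this.key).setRelaxVerificationKeyValidation();
        }
        return jwtConsumerBuilder;
    }

    /**
     * Installs the allow-list as a jose4j whitelist constraint so the consumer itself also rejects
     * any algorithm outside it, independently of {@link #verifyJwsAlgHeaderOnly}.
     */
    private void setJwsAlgorithmConstraints(JwtConsumerBuilder jwtConsumerBuilder) {
        List<String> allowedAlgorithms = getSignatureAlgorithmsSupported();
        jwtConsumerBuilder.setJwsAlgorithmConstraints(
                new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, allowedAlgorithms.toArray(new String[0])));
    }
}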
