package com.ibm.ws.security.jwt.utils;

import com.ibm.json.java.JSONArray;
import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.ssl.JSSEHelper;
import com.ibm.websphere.ssl.SSLConfigChangeListener;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.jwt.config.JwtConfig;
import com.ibm.ws.security.jwt.config.JwtConfigUtil;
import com.ibm.ws.security.jwt.registry.RegistryClaims;
import com.ibm.ws.security.wim.VMMService;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.ConcurrentServiceReferenceMap;
import com.ibm.wsspi.ssl.SSLSupport;
import java.security.AccessController;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import java.util.TimeZone;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.jose4j.json.JsonUtil;
import org.jose4j.lang.JoseException;

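/**
 * Static helpers shared by the JWT builder and consumer code: configuration
 * attribute names, registered claim names, claim (de)serialisation to and from
 * JSON, splitting of compact-serialised token strings, key-store lookups for the
 * signing / verification keys, and a SecureRandom-backed identifier generator.
 *
 * <p>All state is static. The OSGi service references are handed in through the
 * {@code set*} methods by whichever component owns this bundle; the getters return
 * {@code null} until that has happened.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/jwt/utils/JwtUtils.class */
public class JwtUtils {
    // --- jwtBuilder / jwtConsumer configuration attribute names ---------------
    public static final String CFG_KEY_ID = "id";
    public static final String CFG_KEY_ISSUER = "issuer";
    public static final String CFG_KEY_JWK_ENABLED = "jwkEnabled";
    public static final String CFG_KEY_VALID = "expiry";
    public static final String CFG_KEY_JTI = "jti";
    public static final String CFG_KEY_JTI_CHECK_ENABLED = "jtiCheckEnabled";
    public static final String CFG_KEY_SCOPE = "scope";
    public static final String CFG_KEY_AUDIENCES = "audiences";
    public static final String CFG_KEY_SIGNATURE_ALGORITHM = "signatureAlgorithm";
    public static final String CFG_KEY_CLAIMS = "claims";
    public static final String CFG_KEY_KEYSTORE_REF = "keyStoreRef";
    public static final String CFG_KEY_KEY_ALIAS_NAME = "keyAlias";
    public static final String CFG_KEY_TRUSTSTORE_REF = "trustStoreRef";
    public static final String CFG_KEY_TRUSTED_ALIAS = "trustedAlias";
    public static final String CFG_KEY_SHARED_KEY = "sharedKey";
    public static final String CFG_KEY_JWK_ROTATION_TIME = "jwkRotationTime";
    public static final String CFG_KEY_JWK_SIGNING_KEY_SIZE = "jwkSigningKeySize";
    public static final String CFG_KEY_JWK_ENDPOINT_URL = "jwkEndpointUrl";
    public static final String CFG_KEY_CLOCK_SKEW = "clockSkew";
    public static final String CFG_KEY_VALIDATION_REQUIRED = "validationRequired";
    public static final String CFG_KEY_SSL_REF = "sslRef";
    public static final String CFG_KEY_EXPIRES_IN_SECONDS = "expiresInSeconds";
    public static final String CFG_KEY_USE_SYSPROPS_FOR_HTTPCLIENT_CONNECTONS = "useSystemPropertiesForHttpClientConnections";
    public static final String CFG_KEY_NBF_OFFSET = "nbfOffset";
    public static final String CFG_AMR_CLAIM = "amrValues";
    public static final String CFG_AMR_ATTR = "amrInclude";
    public static final String CFG_KEY_KEY_MANAGEMENT_KEY_ALG = "keyManagementKeyAlgorithm";
    public static final String CFG_KEY_KEY_MANAGEMENT_KEY_ALIAS = "keyManagementKeyAlias";
    public static final String CFG_KEY_CONTENT_ENCRYPTION_ALG = "contentEncryptionAlgorithm";

    // --- SecureRandom provider / algorithm names used by getRandom() ----------
    public static final String JCEPROVIDER_IBM = "IBMJCE";
    public static final String SECRANDOM_SHA1PRNG = "SHA1PRNG";
    public static final String SECRANDOM_IBM = "IBMSecureRandom";

    // --- registered JWT claim names (RFC 7519 section 4.1) --------------------
    public static final String ISSUER = "iss";
    public static final String SUBJECT = "sub";
    public static final String AUDIENCE = "aud";
    public static final String SCOPE = "scope";
    public static final String EXPIRATION = "exp";
    public static final String NOT_BEFORE = "nbf";
    public static final String ISSUED_AT = "iat";
    public static final String ID = "jti";

    // --- internal property names -----------------------------------------------
    public static final String KEY = "signKey";
    public static final String ALG = "signAlg";
    public static final String KS = "KeyStore";
    public static final String KS_ALIAS = "KeyStore_ALIAS";
    public static final String TS = "TrustStore";
    public static final String TS_ALIAS = "TrustStore_ALIAS";
    /** Segment separator of a compact-serialised JWS/JWE. */
    public static final String DELIMITER = ".";
    public static final String KEY_KEYSTORE_SERVICE = "keyStoreService";

    private static AtomicServiceReference<KeyStoreService> keyStoreServiceRef;
    private static AtomicServiceReference<SSLSupport> sslSupportRef;
    static final long serialVersionUID = -4077155797055954876L;
    private static final TraceComponent tc = Tr.register(JwtUtils.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");
    private static final String KEY_VMM_SERVICE = "vmmService";
    private static AtomicServiceReference<VMMService> vmmServiceRef = new AtomicServiceReference<>(KEY_VMM_SERVICE);
    // Written by setKeyStoreService2() but never read in this class; kept so the
    // existing binding method keeps working.
    private static ConcurrentServiceReferenceMap<String, KeyStoreService> keyStoreServiceMapRef = new ConcurrentServiceReferenceMap<>(KEY_KEYSTORE_SERVICE);
    // Per-thread flags for the JWT SSO validation path. NOTE(review): nothing in
    // this class ever calls remove() on them — confirm the caller resets them,
    // otherwise a pooled thread keeps the flag for later, unrelated requests.
    private static ThreadLocal<Boolean> isJwtSsoValidationPath = new ThreadLocal<>();
    private static ThreadLocal<Boolean> isJwtSsoValidationPathExpiredToken = new ThreadLocal<>();

    /** Alphabet for getRandom(int): digits, upper- and lower-case ASCII letters (62 symbols). */
    private static final char[] RANDOM_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray();

    /** Marks the current thread as being inside the JWT SSO validation path. */
    public static void setJwtSsoValidationPath() {
        isJwtSsoValidationPath.set(Boolean.TRUE);
    }

    /**
     * Records that the token being validated on this thread has expired.
     *
     * @return {@code true} if the flag was set, {@code false} (and nothing recorded)
     *         when the thread is not inside the SSO validation path
     */
    public static boolean setJwtSsoValidationPathExiredToken() {
        if (!isTrue(isJwtSsoValidationPath)) {
            return false;
        }
        isJwtSsoValidationPathExpiredToken.set(Boolean.TRUE);
        return true;
    }

    /** @return whether setJwtSsoValidationPathExiredToken() succeeded on this thread */
    public static boolean isJwtSsoValidationExpiredTokenCodePath() {
        return isTrue(isJwtSsoValidationPathExpiredToken);
    }

    /** Unboxes a Boolean ThreadLocal, treating "not set" as {@code false}. */
    private static boolean isTrue(ThreadLocal<Boolean> flag) {
        return Boolean.TRUE.equals(flag.get());
    }

    /**
     * Decodes a Base64 / Base64url string to text.
     *
     * <p>The decoded bytes are interpreted as UTF-8, the encoding JOSE segments
     * use, instead of the platform default charset (the previous behaviour), so
     * the result no longer depends on the JVM's file.encoding. This matches
     * {@link #fromBase64ToJsonString(String)}.
     *
     * @return the decoded text, or {@code null} for a {@code null} input
     */
    public static String decodeFromBase64String(String str) {
        return StringUtils.newStringUtf8(Base64.decodeBase64(str));
    }

    /**
     * Tests whether every byte of {@code str} is a Base64 alphabet character.
     * NOTE(review): commons-codec's check is lenient — it appears to tolerate
     * whitespace and does not enforce padding — so a {@code true} result does not
     * guarantee the value decodes to the intended length; confirm against the
     * codec version in use.
     */
    public static boolean isBase64Encoded(String str) {
        if (isNullEmpty(str)) {
            return false;
        }
        return Base64.isArrayByteBase64(StringUtils.getBytesUtf8(str));
    }

    /** Decodes a Base64 / Base64url segment as UTF-8 text (typically a JSON document). */
    public static String fromBase64ToJsonString(String str) {
        return StringUtils.newStringUtf8(Base64.decodeBase64(str));
    }

    /** @return {@code true} for {@code null} or the empty string */
    public static boolean isNullEmpty(String str) {
        return str == null || str.isEmpty();
    }

    /**
     * Cheap shape check: does the text start and end like a JSON object or array?
     * This does not validate the content; use the parsers for that.
     */
    public static boolean isJson(String str) {
        if (isNullEmpty(str)) {
            return false;
        }
        boolean looksLikeObject = str.startsWith("{") && str.endsWith("}");
        boolean looksLikeArray = str.startsWith("[") && str.endsWith("]");
        return looksLikeObject || looksLikeArray;
    }

    /**
     * Parses {@code str} as a JSON object and returns the value of claim {@code str2}.
     *
     * @return the claim value, or {@code null} if the parser returned no map or the
     *         claim is absent
     * @throws JoseException if {@code str} is not valid JSON
     */
    public static Object claimFromJsonObject(String str, String str2) throws JoseException {
        Map<String, Object> parsed = JsonUtil.parseJson(str);
        return parsed == null ? null : parsed.get(str2);
    }

    /**
     * Parses {@code str} as a JSON object into a synchronized, mutable map.
     *
     * @return a synchronized copy of the parsed claims (empty if the parser returned
     *         no map, rather than failing with a NullPointerException)
     * @throws JoseException if {@code str} is not valid JSON
     */
    public static Map claimsFromJsonObject(String str) throws JoseException {
        Map<String, Object> claims = Collections.synchronizedMap(new HashMap<String, Object>());
        Map<String, Object> parsed = JsonUtil.parseJson(str);
        if (parsed != null) {
            claims.putAll(parsed);
        }
        return claims;
    }

    /**
     * Converts a JSON object into a claims map using the IBM JSON4J parser.
     *
     * <p>Array values are stored as {@link JSONArray} (see {@link #handleJsonArray}),
     * nested objects are converted recursively (so the recursion is as deep as the
     * document), and every other value is stored as its {@code toString()}. A JSON
     * {@code null} value is stored as a Java {@code null} instead of failing with a
     * NullPointerException as it used to.
     *
     * @throws Exception on a parse failure (propagated from the parser)
     */
    public static Map<String, Object> claimsFromJson(String str) throws Exception {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "JSON String =" + str, new Object[0]);
        }
        JSONObject parsed = JSONObject.parse(str);
        HashMap<String, Object> claims = new HashMap<String, Object>();
        for (Object entryObj : parsed.entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) entryObj;
            String name = (String) entry.getKey();
            Object value = entry.getValue();
            if (value == null) {
                claims.put(name, null);
            } else if (isJsonArray(value)) {
                handleJsonArray(value, name, claims);
            } else if (isJsonObject(value)) {
                claims.put(name, claimsFromJson(value.toString()));
            } else {
                claims.put(name, value.toString());
            }
        }
        return claims;
    }

    /**
     * Stores {@code obj} under {@code str} in {@code hashMap}: as a parsed
     * {@link JSONArray} when it is one (an empty array is dropped entirely), and as
     * {@code obj.toString()} when it is not an array or the array parse fails.
     */
    @FFDCIgnore({Exception.class})
    public static void handleJsonArray(Object obj, String str, HashMap<String, Object> hashMap) {
        if (!isJsonArray(obj)) {
            hashMap.put(str, obj.toString());
            return;
        }
        try {
            JSONArray array = JSONArray.parse(obj.toString());
            if (array == null || array.isEmpty()) {
                return;
            }
            hashMap.put(str, array);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "array list of objects, Key : " + str + ", Value: " + array.toString(), new Object[0]);
            }
        } catch (Exception e) {
            // Parse failure is expected for non-array text; fall back to the raw string.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception handling provided object [" + obj.toString() + "]: " + e.getMessage(), new Object[0]);
            }
            hashMap.put(str, obj.toString());
        }
    }

    /** @return whether {@code obj.toString()} parses as a JSON object ({@code false} for {@code null}) */
    @FFDCIgnore({Exception.class})
    static boolean isJsonObject(Object obj) {
        if (obj == null) {
            return false;
        }
        try {
            JSONObject.parse(obj.toString());
            return true;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Value [" + obj + "] is not a valid JSON object: " + e.getMessage(), new Object[0]);
            }
            return false;
        }
    }

    /** @return whether {@code obj.toString()} parses as a JSON array ({@code false} for {@code null}) */
    @FFDCIgnore({Exception.class})
    static boolean isJsonArray(Object obj) {
        if (obj == null) {
            return false;
        }
        try {
            JSONArray.parse(obj.toString());
            return true;
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Value [" + obj + "] is not a valid JSON array: " + e.getMessage(), new Object[0]);
            }
            return false;
        }
    }

    /**
     * Trims every element and drops the ones that are blank.
     *
     * @return the surviving strings, or {@code null} when the input is {@code null},
     *         empty, or contains only blank entries (callers test for {@code null})
     */
    public static List<String> trimIt(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            return null;
        }
        List<String> kept = new ArrayList<String>();
        for (String raw : strArr) {
            String trimmed = trimIt(raw);
            if (trimmed != null) {
                kept.add(trimmed);
            }
        }
        return kept.isEmpty() ? null : kept;
    }

    /** @return {@code str} trimmed, or {@code null} if it is {@code null} or blank */
    public static String trimIt(String str) {
        if (str == null) {
            return null;
        }
        String trimmed = str.trim();
        return trimmed.isEmpty() ? null : trimmed;
    }

    /** Same as {@link #getTheService(String, ConcurrentServiceReferenceMap)}; retained for existing callers. */
    public static JwtConfig getTheAtomicService(String str, ConcurrentServiceReferenceMap<String, JwtConfig> concurrentServiceReferenceMap) {
        return getTheService(str, concurrentServiceReferenceMap);
    }

    /**
     * Finds the registered {@link JwtConfig} whose id equals {@code str}.
     *
     * @return the matching config, or {@code null} when none matches or either
     *         argument is {@code null} (previously a {@code null} id threw NPE)
     */
    public static JwtConfig getTheService(String str, ConcurrentServiceReferenceMap<String, JwtConfig> concurrentServiceReferenceMap) {
        if (str == null || concurrentServiceReferenceMap == null) {
            return null;
        }
        Iterator<JwtConfig> services = concurrentServiceReferenceMap.getServices();
        while (services.hasNext()) {
            JwtConfig candidate = services.next();
            if (str.equals(candidate.getId())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Splits a compact-serialised token on {@link #DELIMITER}.
     *
     * <p>The split is accepted when it has 3 segments (JWS) or 5 segments (JWE),
     * or when the token ends with the delimiter — in that case the trailing empty
     * signature segment is dropped by {@code String.split}, so the array can have
     * any length. This is only a tokenizer; it does not verify anything.
     *
     * @return the segments, or {@code null} for a {@code null} input or an
     *         unsupported segment count
     */
    public static String[] splitTokenString(String str) {
        if (str == null) {
            return null;
        }
        boolean endsWithDelimiter = str.endsWith(DELIMITER);
        String[] segments = str.split(Pattern.quote(DELIMITER));
        if (endsWithDelimiter || segments.length == 3 || segments.length == 5) {
            return segments;
        }
        return null;
    }

    /**
     * Returns the payload segment of a compact-serialised token: segment 1 for a
     * JWS, segment 3 (the ciphertext) for a 5-part JWE.
     *
     * @return the still-encoded segment, or {@code null} if the token does not split
     */
    public static String getPayload(String str) {
        String[] segments = splitTokenString(str);
        if (segments == null) {
            return null;
        }
        return segments.length > 3 ? segments[3] : segments[1];
    }

    /**
     * Builds a random alphanumeric string of length {@code i} from
     * {@link #RANDOM_ALPHABET} using the SecureRandom from {@link #getRandom()}.
     *
     * @return the random string; empty when {@code i <= 0} (a negative length used
     *         to throw from the buffer constructor)
     */
    public static String getRandom(int i) {
        if (i <= 0) {
            return "";
        }
        StringBuilder out = new StringBuilder(i);
        Random random = getRandom();
        for (int n = 0; n < i; n++) {
            out.append(RANDOM_ALPHABET[random.nextInt(RANDOM_ALPHABET.length)]);
        }
        return out.toString();
    }

    /**
     * Obtains a SecureRandom: the IBM one when the IBMJCE provider is installed,
     * otherwise SHA1PRNG; if either lookup fails, the JVM default SecureRandom.
     * Every branch is a SecureRandom, so the result is suitable for identifiers
     * that must be unpredictable.
     */
    @FFDCIgnore({Exception.class})
    static Random getRandom() {
        try {
            if (Security.getProvider(JCEPROVIDER_IBM) != null) {
                return SecureRandom.getInstance(SECRANDOM_IBM);
            }
            return SecureRandom.getInstance(SECRANDOM_SHA1PRNG);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "OLGH24469 - encountered exception : " + e.getMessage() + ", try without algorithm ", new Object[0]);
            }
            return new SecureRandom();
        }
    }

    /**
     * @param j a number of hours
     * @return the epoch-seconds timestamp {@code j} hours from now
     */
    public static long calculate(long j) {
        long nowSeconds = System.currentTimeMillis() / 1000;
        return nowSeconds + j * 60 * 60;
    }

    /** Serialises a claims map to JSON text. */
    public static String toJson(Map<String, Object> map) {
        return JsonUtil.toJson(map);
    }

    public static void setVMMService(AtomicServiceReference<VMMService> atomicServiceReference) {
        vmmServiceRef = atomicServiceReference;
    }

    public static VMMService getVMMService() {
        return vmmServiceRef.getService();
    }

    /** Looks up claim {@code str} for user {@code str2} in the user registry. */
    public static Object fetch(String str, String str2) throws Exception {
        return new RegistryClaims(str2).fetchClaim(str);
    }

    public static void setSSLSupportService(AtomicServiceReference<SSLSupport> atomicServiceReference) {
        sslSupportRef = atomicServiceReference;
    }

    /**
     * @return the bound SSLSupport service, or {@code null} when no reference has been
     *         set yet (previously threw NPE; now consistent with getKeyStoreService())
     */
    public static SSLSupport getSSLSupportService() {
        if (sslSupportRef == null) {
            return null;
        }
        return sslSupportRef.getService();
    }

    public static void setKeyStoreService(AtomicServiceReference<KeyStoreService> atomicServiceReference) {
        keyStoreServiceRef = atomicServiceReference;
    }

    public static void setKeyStoreService2(ConcurrentServiceReferenceMap<String, KeyStoreService> concurrentServiceReferenceMap) {
        keyStoreServiceMapRef = concurrentServiceReferenceMap;
    }

    /** @return the bound KeyStoreService, or {@code null} when no reference has been set */
    public static KeyStoreService getKeyStoreService() {
        if (keyStoreServiceRef == null) {
            return null;
        }
        return keyStoreServiceRef.getService();
    }

    /**
     * Reads property {@code str} (e.g. {@code com.ibm.ssl.keyStoreName}) from the
     * server's default inbound SSL configuration.
     *
     * @return the property value, or {@code null} when SSL support is unavailable,
     *         the properties cannot be read, or the property is absent
     */
    public static String getDefaultKeyStoreName(String str) {
        SSLSupport sslSupport = getSSLSupportService();
        final JSSEHelper jsseHelper = sslSupport == null ? null : sslSupport.getJSSEHelper();
        if (jsseHelper == null) {
            return null;
        }
        final Map<String, Object> connectionInfo = new HashMap<String, Object>();
        connectionInfo.put("com.ibm.ssl.direction", "inbound");
        Properties properties = null;
        try {
            // Privileged: the SSL configuration lookup may run with a security manager active.
            properties = AccessController.doPrivileged(new PrivilegedExceptionAction<Properties>() {
                @Override
                public Properties run() throws Exception {
                    return jsseHelper.getProperties("", connectionInfo, (SSLConfigChangeListener) null, true);
                }
            });
        } catch (PrivilegedActionException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.utils.JwtUtils", "496", (Object) null, new Object[]{str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception getting properties from jssehelper!!!", new Object[0]);
            }
        }
        if (properties == null) {
            return null;
        }
        String value = properties.getProperty(str);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "KeyStore name from default ssl config = " + value, new Object[0]);
        }
        return value;
    }

    /** Same as the three-argument overload, using the bound KeyStoreService. */
    @Sensitive
    public static PrivateKey getPrivateKey(String str, String str2) throws KeyStoreException, CertificateException {
        return getPrivateKey(str, str2, getKeyStoreService());
    }

    /**
     * Loads the signing private key.
     *
     * @param str             key alias; when {@code null} the key store's single /
     *                        default key is requested
     * @param str2            key store name; when {@code null} the default SSL
     *                        configuration's {@code com.ibm.ssl.keyStoreName} is used
     * @param keyStoreService service to read from
     * @return the key, or {@code null} when there is no service or no key store name
     */
    @Sensitive
    public static PrivateKey getPrivateKey(String str, String str2, KeyStoreService keyStoreService) throws KeyStoreException, CertificateException {
        if (keyStoreService == null) {
            return null;
        }
        String keyStoreName = str2 != null ? str2 : getDefaultKeyStoreName("com.ibm.ssl.keyStoreName");
        if (keyStoreName == null) {
            return null;
        }
        if (str != null) {
            return keyStoreService.getPrivateKeyFromKeyStore(keyStoreName, str, (String) null);
        }
        return keyStoreService.getPrivateKeyFromKeyStore(keyStoreName);
    }

    /** Same as the three-argument overload, using the bound KeyStoreService. */
    public static PublicKey getPublicKey(String str, String str2) throws KeyStoreException, CertificateException, InvalidTokenException {
        return getPublicKey(str, str2, getKeyStoreService());
    }

    /**
     * Loads the verification (signer) public key from a trust store.
     *
     * <p>With an alias the certificate is looked up directly. Without one the
     * trusted entries are enumerated: exactly one entry is used as the signer;
     * zero or more than one fall back to the store's default certificate and fail
     * with {@code JWT_SIGNER_CERT_NOT_AVAILABLE} / {@code JWT_SIGNER_CERT_AMBIGUOUS}
     * respectively when there is none.
     *
     * @param str             trusted alias, or {@code null}
     * @param str2            trust store name; when {@code null} the default SSL
     *                        configuration's {@code com.ibm.ssl.trustStoreName} is used
     * @param keyStoreService service to read from
     * @return the public key, or {@code null} when there is no service, no trust
     *         store name, or the aliased certificate is absent
     * @throws InvalidTokenException when no usable signer certificate can be chosen
     */
    public static PublicKey getPublicKey(String str, String str2, KeyStoreService keyStoreService) throws KeyStoreException, CertificateException, InvalidTokenException {
        if (keyStoreService == null) {
            return null;
        }
        String trustStoreName = str2 != null ? str2 : getDefaultKeyStoreName("com.ibm.ssl.trustStoreName");
        if (trustStoreName == null) {
            return null;
        }
        if (str != null) {
            X509Certificate aliased = keyStoreService.getX509CertificateFromKeyStore(trustStoreName, str);
            return aliased == null ? null : aliased.getPublicKey();
        }
        Collection<?> trustedAliases = keyStoreService.getTrustedCertEntriesInKeyStore(trustStoreName);
        if (trustedAliases == null || trustedAliases.isEmpty()) {
            return publicKeyFromDefaultCert(keyStoreService, trustStoreName, "JWT_SIGNER_CERT_NOT_AVAILABLE");
        }
        if (trustedAliases.size() > 1) {
            return publicKeyFromDefaultCert(keyStoreService, trustStoreName, "JWT_SIGNER_CERT_AMBIGUOUS");
        }
        String onlyAlias = (String) trustedAliases.iterator().next();
        X509Certificate cert = keyStoreService.getX509CertificateFromKeyStore(trustStoreName, onlyAlias);
        if (cert == null) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWT_SIGNER_CERT_NOT_AVAILABLE", new Object[0]));
        }
        return cert.getPublicKey();
    }

    /**
     * Public key of the store's default certificate, or an InvalidTokenException
     * built from {@code failureMessageKey} when the store has none.
     */
    private static PublicKey publicKeyFromDefaultCert(KeyStoreService keyStoreService, String trustStoreName, String failureMessageKey) throws KeyStoreException, CertificateException, InvalidTokenException {
        X509Certificate cert = keyStoreService.getX509CertificateFromKeyStore(trustStoreName);
        if (cert == null) {
            throw new InvalidTokenException(Tr.formatMessage(tc, failureMessageKey, new Object[0]));
        }
        return cert.getPublicKey();
    }

    /**
     * Formats an epoch-millisecond timestamp as {@code yyyy-MM-dd'T'HH:mm:ss'Z'} in GMT.
     * A new SimpleDateFormat is built per call on purpose: the class is not
     * thread-safe, so it must not be shared as a static.
     */
    public static String getDate(long j) {
        SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss'Z'");
        formatter.setTimeZone(TimeZone.getTimeZone("GMT"));
        return formatter.format(new Date(j));
    }

    /** Delegates to {@link JwtConfigUtil#processProtectedString(Map, String)}. */
    @Sensitive
    public static String processProtectedString(Map<String, Object> map, String str) {
        return JwtConfigUtil.processProtectedString(map, str);
    }
}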
