package com.ibm.ws.security.jwt.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.jwt.InvalidClaimException;
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.security.jwt.JwtToken;
import com.ibm.websphere.security.jwt.KeyException;
import com.ibm.websphere.security.jwt.KeyStoreServiceException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.crypto.KeyAlgorithmChecker;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.common.time.TimeUtils;
import com.ibm.ws.security.jwt.config.JwtConsumerConfig;
import com.ibm.ws.security.jwt.config.MpConfigProperties;
import com.ibm.ws.security.jwt.utils.Constants;
import com.ibm.ws.security.jwt.utils.JtiNonceCache;
import com.ibm.ws.security.jwt.utils.JweHelper;
import com.ibm.ws.security.jwt.utils.JwtUtils;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.InvalidJwtSignatureException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.HmacKey;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/jwt/internal/ConsumerUtil.class */
public class ConsumerUtil {
    // Reference to the key-store service used for trust-store lookups; when null,
    // getPublicKeyFromKeystore() fails with JWT_TRUSTSTORE_SERVICE_NOT_AVAILABLE.
    private AtomicServiceReference<KeyStoreService> keyStoreService;
    // Per-instance record of JTIs already seen; consulted when token reuse is disallowed.
    private final JtiNonceCache jtiCache = new JtiNonceCache();
    // Retained from the compiled class; no Serializable declaration is visible in this file.
    static final long serialVersionUID = 2110030139856161571L;
    private static final TraceComponent tc = Tr.register(ConsumerUtil.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");
    private static TimeUtils timeUtils = new TimeUtils("yyyy-MM-dd'T'HH:mm:ssZ");
    // Cache of parsed JwtContexts shared by all instances; created lazily by initializeCache().
    static JwtCache jwtCache = null;
    // Empty property set substituted when a caller passes null MP config properties.
    private static final MpConfigProperties NO_MP_CONFIG_PROPERTIES = new MpConfigProperties();

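    /**
     * Creates a consumer utility backed by the given key-store service reference.
     *
     * @param atomicServiceReference reference used to resolve the {@link KeyStoreService}
     *        for trust-store lookups; may be null, in which case key-store lookups fail
     *        with a {@link KeyException}
     */
    public ConsumerUtil(AtomicServiceReference<KeyStoreService> atomicServiceReference) {
        this.keyStoreService = atomicServiceReference;
    }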

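    /**
     * Parses and, when the configuration requires it, validates a JWT without any
     * MicroProfile JWT configuration properties.
     *
     * @param str compact-serialized token; marked {@code @Sensitive} so trace output
     *        does not print it, matching the other token-handling methods here
     * @param jwtConsumerConfig consumer configuration driving parsing and validation
     * @return the parsed token
     * @throws Exception if the token cannot be parsed, fails validation, or was reused
     */
    public JwtToken parseJwt(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig) throws Exception {
        return parseJwt(str, jwtConsumerConfig, null);
    }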

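    /**
     * Parses and validates a JWT, consulting the shared context cache first.
     * A cache hit skips parsing and validation; entry expiry is the responsibility
     * of {@code JwtCache} (not visible here). The reuse (JTI) check runs on every
     * call, including cache hits, so a replayed token is still rejected.
     *
     * @param str compact-serialized token; marked {@code @Sensitive} so trace output
     *        does not print it, matching the other token-handling methods here
     * @param jwtConsumerConfig consumer configuration driving parsing and validation
     * @param mpConfigProperties MicroProfile JWT properties; null means "none"
     * @return the parsed token
     * @throws Exception if the token cannot be parsed, fails validation, or was reused
     */
    public JwtToken parseJwt(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws Exception {
        JwtContext jwtContext = getJwtContextFromCache(str, jwtConsumerConfig);
        boolean cacheHit = jwtContext != null;
        if (!cacheHit) {
            if (mpConfigProperties == null) {
                mpConfigProperties = NO_MP_CONFIG_PROPERTIES;
            }
            jwtContext = parseJwtAndGetJwtContext(str, jwtConsumerConfig, mpConfigProperties);
        }
        JwtTokenConsumerImpl token = new JwtTokenConsumerImpl(jwtContext);
        checkForReusedJwt(token, jwtConsumerConfig);
        if (!cacheHit) {
            cacheJwtContext(str, jwtContext, jwtConsumerConfig, mpConfigProperties);
        }
        return token;
    }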

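    /**
     * Parses the token and runs signature/claim validation only when the
     * configuration requires it.
     *
     * @param str compact-serialized token; marked {@code @Sensitive} so trace output
     *        does not print it, matching the other token-handling methods here
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties (never null here)
     * @return the parsed (and possibly validated) context
     * @throws Exception on parse or validation failure
     */
    JwtContext parseJwtAndGetJwtContext(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws Exception {
        JwtContext jwtContext = parseJwtWithoutValidation(str, jwtConsumerConfig, mpConfigProperties);
        // Validation is opt-out by configuration; an unvalidated context is still returned.
        if (jwtConsumerConfig.isValidationRequired()) {
            validateJwtContext(jwtContext, jwtConsumerConfig, mpConfigProperties);
        }
        return jwtContext;
    }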

    /**
     * Enforces single-use tokens when the configuration disallows reuse.
     *
     * @param jwtTokenConsumerImpl the parsed token
     * @param jwtConsumerConfig configuration whose token-reuse flag is consulted
     * @throws InvalidTokenException if reuse is disallowed and the JTI was already seen
     */
    void checkForReusedJwt(JwtTokenConsumerImpl jwtTokenConsumerImpl, JwtConsumerConfig jwtConsumerConfig) throws InvalidTokenException {
        boolean reuseAllowed = jwtConsumerConfig.getTokenReuse();
        if (!reuseAllowed) {
            throwExceptionIfJwtReused(jwtTokenConsumerImpl);
        }
    }

    /**
     * Rejects a token whose JTI is already present in the instance's nonce cache.
     *
     * @param jwtTokenConsumerImpl the parsed token
     * @throws InvalidTokenException if the token was submitted before
     */
    void throwExceptionIfJwtReused(JwtTokenConsumerImpl jwtTokenConsumerImpl) throws InvalidTokenException {
        if (!this.jtiCache.contains(jwtTokenConsumerImpl)) {
            return;
        }
        Object issuer = jwtTokenConsumerImpl.getClaims().getIssuer();
        Object jti = jwtTokenConsumerImpl.getClaims().getJwtId();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JWT token can only be submitted once. The issuer is " + issuer + ", and JTI is " + jti, new Object[0]);
        }
        throw new InvalidTokenException(Tr.formatMessage(tc, "JWT_DUP_JTI_ERR", new Object[]{issuer, jti}));
    }

    /**
     * Resolves the verification key for the configured signature algorithm.
     *
     * @param jwtConsumerConfig consumer configuration; null yields a null key
     * @param jwtContext parsed token (used for the kid header with JWK lookups)
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the key, or null if none could be resolved
     * @throws KeyException if key retrieval fails
     */
    Key getSigningKey(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        if (jwtConsumerConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JWT consumer config object is null", new Object[0]);
            }
            return null;
        }
        Key resolved = getSigningKeyBasedOnSignatureAlgorithm(jwtConsumerConfig, jwtContext, mpConfigProperties);
        if (resolved == null && tc.isDebugEnabled()) {
            Tr.debug(tc, "A signing key could not be found", new Object[0]);
        }
        return resolved;
    }

    /**
     * Selects the key source by algorithm family: HS uses the shared secret, RS/ES
     * use a JWK or trust-store public key. For the asymmetric families the key is
     * additionally checked against the algorithm's parameters and dropped if it
     * does not match. Any other (or null) algorithm yields null.
     *
     * @param jwtConsumerConfig consumer configuration (non-null)
     * @param jwtContext parsed token
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the key, or null
     * @throws KeyException if key retrieval fails
     */
    Key getSigningKeyBasedOnSignatureAlgorithm(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        String alg = mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig);
        Key key;
        boolean requiresPublicKeyCheck;
        if (KeyAlgorithmChecker.isHSAlgorithm(alg)) {
            key = getSigningKeyForHS(alg, jwtConsumerConfig);
            requiresPublicKeyCheck = false;
        } else if (KeyAlgorithmChecker.isRSAlgorithm(alg)) {
            key = getSigningKeyForRS(jwtConsumerConfig, jwtContext, mpConfigProperties);
            requiresPublicKeyCheck = true;
        } else if (KeyAlgorithmChecker.isESAlgorithm(alg)) {
            key = getSigningKeyForES(jwtConsumerConfig, jwtContext, mpConfigProperties);
            requiresPublicKeyCheck = true;
        } else {
            key = null;
            requiresPublicKeyCheck = false;
        }
        if (requiresPublicKeyCheck && !KeyAlgorithmChecker.isPublicKeyValidType(key, alg)) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Public key " + key + " does not match the parameters of the " + alg + " algorithm", new Object[0]);
            }
            return null;
        }
        return key;
    }

    /**
     * Builds the HMAC key from the configured shared secret, wrapping any failure
     * in a {@link KeyException} carrying JWT_ERROR_GETTING_SHARED_KEY.
     *
     * @param str the HS algorithm name (used only for diagnostics)
     * @param jwtConsumerConfig consumer configuration holding the shared key
     * @return the HMAC key, or null if the secret bytes could not be obtained
     * @throws KeyException if the shared key is missing or cannot be read
     */
    Key getSigningKeyForHS(String str, JwtConsumerConfig jwtConsumerConfig) throws KeyException {
        Key sharedKey;
        try {
            sharedKey = getSharedSecretKey(jwtConsumerConfig);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "183", this, new Object[]{str, jwtConsumerConfig});
            throw new KeyException(Tr.formatMessage(tc, "JWT_ERROR_GETTING_SHARED_KEY", new Object[]{e.getLocalizedMessage()}), e);
        }
        return sharedKey;
    }

    /**
     * Reads the shared secret from the configuration and turns it into a key.
     *
     * @param jwtConsumerConfig consumer configuration; null yields null
     * @return the HMAC key, or null
     * @throws KeyException if the configured shared key is missing or empty
     */
    Key getSharedSecretKey(JwtConsumerConfig jwtConsumerConfig) throws KeyException {
        if (jwtConsumerConfig == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JWT consumer config object is null", new Object[0]);
            }
            return null;
        }
        return createKeyFromSharedKey(jwtConsumerConfig.getSharedKey());
    }

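    /**
     * Wraps the shared secret's UTF-8 bytes in an {@link HmacKey}.
     *
     * The secret is never handed to FFDC or trace: the previous version passed the
     * raw secret string as an FFDC argument, which would have written HMAC key
     * material into incident logs, and the parameter is now {@code @Sensitive}.
     *
     * @param str the shared secret; must be non-null and non-empty
     * @return the HMAC key, or null if the secret bytes could not be encoded
     * @throws KeyException if the secret is null or empty
     */
    Key createKeyFromSharedKey(@Sensitive String str) throws KeyException {
        if (str == null || str.isEmpty()) {
            throw new KeyException(Tr.formatMessage(tc, "JWT_MISSING_SHARED_KEY", new Object[0]));
        }
        try {
            return new HmacKey(str.getBytes(Constants.UTF_8));
        } catch (UnsupportedEncodingException e) {
            // Best-effort diagnostics only; the secret itself is deliberately omitted.
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "214", this, new Object[0]);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting shared key bytes: " + e.getLocalizedMessage(), new Object[0]);
            }
            return null;
        }
    }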

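    /**
     * Reports whether either MP public-key property (inline key or key location) is set.
     *
     * @param mpConfigProperties MicroProfile JWT properties (non-null)
     * @return true if {@code PUBLIC_KEY} or {@code KEY_LOCATION} is present
     */
    boolean isPublicKeyPropsPresent(MpConfigProperties mpConfigProperties) {
        // Direct boolean expression instead of the redundant "cond ? false : true".
        return mpConfigProperties.get(MpConfigProperties.PUBLIC_KEY) != null
                || mpConfigProperties.get(MpConfigProperties.KEY_LOCATION) != null;
    }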

    /**
     * Resolves an RSA verification key from a JWK endpoint/set or the trust store.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param jwtContext parsed token
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the public key, or null
     * @throws KeyException if retrieval fails
     */
    Key getSigningKeyForRS(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        Key rsaKey = getKeyFromJwkOrTrustStore(jwtConsumerConfig, jwtContext, mpConfigProperties);
        return rsaKey;
    }

    /**
     * Chooses between JWK-based and trust-store-based key lookup. JWK is used when
     * explicitly enabled, or when no trusted alias is configured but an MP
     * public-key property is present.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param jwtContext parsed token
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the public key, or null
     * @throws KeyException if retrieval fails
     */
    Key getKeyFromJwkOrTrustStore(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        boolean noAliasButMpKey = jwtConsumerConfig.getTrustedAlias() == null && isPublicKeyPropsPresent(mpConfigProperties);
        if (jwtConsumerConfig.getJwkEnabled() || noAliasButMpKey) {
            return getKeyForJwkEnabled(jwtConsumerConfig, jwtContext, mpConfigProperties);
        }
        return getKeyForJwkDisabled(jwtConsumerConfig, mpConfigProperties);
    }

    /**
     * Fetches the key via JWK, converting any failure into a {@link KeyException}
     * carrying JWT_ERROR_GETTING_JWK_KEY and the JWK endpoint URL.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param jwtContext parsed token (supplies the kid header)
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the public key, or null
     * @throws KeyException if JWK retrieval fails
     */
    Key getKeyForJwkEnabled(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        Key jwkKey;
        try {
            jwkKey = getJwksKey(jwtConsumerConfig, jwtContext, mpConfigProperties);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "253", this, new Object[]{jwtConsumerConfig, jwtContext, mpConfigProperties});
            throw new KeyException(Tr.formatMessage(tc, "JWT_ERROR_GETTING_JWK_KEY", new Object[]{jwtConsumerConfig.getJwkEndpointUrl(), e.getLocalizedMessage()}), e);
        }
        return jwkKey;
    }

    /**
     * Looks up the public key matching the token's {@code kid} header through a
     * {@link JwKRetriever} built from the configuration.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param jwtContext parsed token whose first JOSE object supplies the kid
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the public key, or null
     * @throws Exception if the token has no JOSE header or retrieval fails
     */
    protected Key getJwksKey(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws Exception {
        JwKRetriever retriever = createJwkRetriever(jwtConsumerConfig, mpConfigProperties);
        String keyId = getJwtHeader(jwtContext).getKeyIdHeaderValue();
        // The second argument (x5t) is intentionally unset; the key is selected by kid only.
        return retriever.getPublicKeyFromJwk(keyId, (String) null, jwtConsumerConfig.getUseSystemPropertiesForHttpClientConnections());
    }

    /**
     * Builds a {@link JwKRetriever}; when either MP public-key property is set the
     * retriever also receives the inline key and key location.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @return a new retriever (never null)
     */
    JwKRetriever createJwkRetriever(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) {
        String alg = mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig);
        String mpPublicKey = mpConfigProperties.get(MpConfigProperties.PUBLIC_KEY);
        String mpKeyLocation = mpConfigProperties.get(MpConfigProperties.KEY_LOCATION);
        boolean mpKeyConfigured = mpPublicKey != null || mpKeyLocation != null;
        if (mpKeyConfigured) {
            return new JwKRetriever(jwtConsumerConfig.getId(), jwtConsumerConfig.getSslRef(), jwtConsumerConfig.getJwkEndpointUrl(), jwtConsumerConfig.getJwkSet(), JwtUtils.getSSLSupportService(), jwtConsumerConfig.isHostNameVerificationEnabled(), (String) null, (String) null, alg, mpPublicKey, mpKeyLocation);
        }
        return new JwKRetriever(jwtConsumerConfig.getId(), jwtConsumerConfig.getSslRef(), jwtConsumerConfig.getJwkEndpointUrl(), jwtConsumerConfig.getJwkSet(), JwtUtils.getSSLSupportService(), jwtConsumerConfig.isHostNameVerificationEnabled(), (String) null, (String) null, alg);
    }

    /**
     * Returns the outermost JOSE object of the parsed token (index 0) after
     * tracing it.
     *
     * @param jwtContext parsed token
     * @return the first JOSE structure
     * @throws Exception if the context carries no JOSE objects
     */
    JsonWebStructure getJwtHeader(JwtContext jwtContext) throws Exception {
        List joseObjects = jwtContext.getJoseObjects();
        boolean missing = joseObjects == null || joseObjects.isEmpty();
        if (missing) {
            throw new Exception("Invalid JsonWebStructure");
        }
        JsonWebStructure outermost = (JsonWebStructure) joseObjects.get(0);
        debugJwtHeader(outermost);
        return outermost;
    }

    /**
     * Debug-traces the JOSE structure and, for a JWS, its algorithm header and
     * encoded signature. Only runs when tracing is enabled.
     *
     * @param jsonWebStructure the structure to describe
     */
    void debugJwtHeader(JsonWebStructure jsonWebStructure) {
        if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
            return;
        }
        Tr.debug(tc, "JsonWebStructure class: " + jsonWebStructure.getClass().getName() + " data:" + jsonWebStructure, new Object[0]);
        if (jsonWebStructure instanceof JsonWebSignature) {
            JsonWebSignature jws = (JsonWebSignature) jsonWebStructure;
            Tr.debug(tc, "JsonWebSignature alg: " + jws.getAlgorithmHeaderValue() + " 3rd:'" + jws.getEncodedSignature() + "'", new Object[0]);
        }
    }

    /**
     * Loads the verification key from the configured trust store alias, wrapping
     * any failure in a {@link KeyException} carrying JWT_ERROR_GETTING_PUBLIC_KEY.
     *
     * @param jwtConsumerConfig consumer configuration (alias and trust-store ref)
     * @param mpConfigProperties MicroProfile JWT properties (algorithm lookup)
     * @return the public key, or null
     * @throws KeyException if the key cannot be loaded
     */
    Key getKeyForJwkDisabled(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws KeyException {
        String alias = jwtConsumerConfig.getTrustedAlias();
        String trustStoreRef = jwtConsumerConfig.getTrustStoreRef();
        Key publicKey;
        try {
            publicKey = getPublicKey(alias, trustStoreRef, mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig));
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "326", this, new Object[]{jwtConsumerConfig, mpConfigProperties});
            throw new KeyException(Tr.formatMessage(tc, "JWT_ERROR_GETTING_PUBLIC_KEY", new Object[]{alias, trustStoreRef, e.getLocalizedMessage()}), e);
        }
        return publicKey;
    }

    /**
     * Fetches a key from the key store and returns it only if it is a
     * {@link PublicKey}; any other key type (e.g. a private key entry) is dropped.
     *
     * @param str trusted alias
     * @param str2 trust-store reference
     * @param str3 configured signature algorithm (for diagnostics)
     * @return the public key, or null
     * @throws KeyStoreServiceException declared for callers; not thrown directly here
     * @throws KeyException if the key-store lookup fails
     */
    Key getPublicKey(String str, String str2, String str3) throws KeyStoreServiceException, KeyException {
        Key fromKeystore = getPublicKeyFromKeystore(str, str2, str3);
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Trusted alias: " + str + ", Truststore: " + str2, new Object[0]);
            Tr.debug(tc, "RSAPublicKey: " + (fromKeystore instanceof RSAPublicKey), new Object[0]);
        }
        // instanceof is false for null, so a missing key also yields null.
        if (!(fromKeystore instanceof PublicKey)) {
            return null;
        }
        return fromKeystore;
    }

    /**
     * Resolves the key-store service and asks it for the key under the alias.
     * A missing service is reported as JWT_TRUSTSTORE_SERVICE_NOT_AVAILABLE and,
     * like every other failure, surfaces as JWT_NULL_SIGNING_KEY_WITH_ERROR.
     *
     * @param str trusted alias
     * @param str2 trust-store reference
     * @param str3 configured signature algorithm (used in the error message)
     * @return the key from the store
     * @throws KeyException if the service is unavailable or the lookup fails
     */
    Key getPublicKeyFromKeystore(String str, String str2, String str3) throws KeyException {
        Key key;
        try {
            if (this.keyStoreService == null) {
                throw new KeyStoreServiceException(Tr.formatMessage(tc, "JWT_TRUSTSTORE_SERVICE_NOT_AVAILABLE", new Object[0]));
            }
            KeyStoreService service = (KeyStoreService) this.keyStoreService.getService();
            key = JwtUtils.getPublicKey(str, str2, service);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "359", this, new Object[]{str, str2, str3});
            throw new KeyException(Tr.formatMessage(tc, "JWT_NULL_SIGNING_KEY_WITH_ERROR", new Object[]{str3, Constants.SIGNING_KEY_X509, e.getLocalizedMessage()}), e);
        }
        return key;
    }

    /**
     * Resolves an EC verification key from a JWK endpoint/set or the trust store.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param jwtContext parsed token
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the public key, or null
     * @throws KeyException if retrieval fails
     */
    Key getSigningKeyForES(JwtConsumerConfig jwtConsumerConfig, JwtContext jwtContext, MpConfigProperties mpConfigProperties) throws KeyException {
        Key ecKey = getKeyFromJwkOrTrustStore(jwtConsumerConfig, jwtContext, mpConfigProperties);
        return ecKey;
    }

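    /**
     * Rejects a null or empty token string, then parses the token without
     * validating signature or claims.
     *
     * @param str compact-serialized token; marked {@code @Sensitive} so trace output
     *        does not print it, matching the other token-handling methods here
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the unvalidated context
     * @throws Exception on a null/empty token or a parse failure
     */
    protected JwtContext parseJwtWithoutValidation(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws Exception {
        if (str == null || str.isEmpty()) {
            // Only a null or empty value reaches the message, so no token content is exposed.
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWT_CONSUMER_NULL_OR_EMPTY_STRING", new Object[]{jwtConsumerConfig.getId(), str}));
        }
        return parseNewJwtWithoutValidation(str, jwtConsumerConfig, mpConfigProperties);
    }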

    /**
     * Determines whether the token is a JWE (reading its protected header if so)
     * and delegates to the format check.
     *
     * @param str compact-serialized token
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @throws InvalidTokenException if the token's form violates the configuration
     */
    void checkJwtFormatAgainstConfigRequirements(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws InvalidTokenException {
        boolean jwe = JweHelper.isJwe(str);
        JwtClaims jweHeader = jwe ? JweHelper.getJweHeaderParams(str) : null;
        checkJwtFormatAgainstConfigRequirements(str, jwtConsumerConfig, mpConfigProperties, jwe, jweHeader);
    }

    /**
     * Enforces the configured token form: a required JWS must be a JWS, a required
     * JWE must be a JWE, and a JWE's header is checked against the configured
     * key-management algorithm.
     *
     * @param str compact-serialized token
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @param z whether the token is a JWE
     * @param jwtClaims the JWE protected header parameters (null when not a JWE)
     * @throws InvalidTokenException on a form or header mismatch
     */
    private void checkJwtFormatAgainstConfigRequirements(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, boolean z, JwtClaims jwtClaims) throws InvalidTokenException {
        boolean jwsRequired = JweHelper.isJwsRequired(jwtConsumerConfig, mpConfigProperties);
        if (jwsRequired && !JweHelper.isJws(str)) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWS_REQUIRED_BUT_TOKEN_NOT_JWS", new Object[]{jwtConsumerConfig.getId()}));
        }
        boolean jweRequired = JweHelper.isJweRequired(jwtConsumerConfig, mpConfigProperties);
        if (jweRequired && !z) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWE_REQUIRED_BUT_TOKEN_NOT_JWE", new Object[]{jwtConsumerConfig.getId()}));
        }
        if (!z) {
            return;
        }
        validateHeaders(jwtConsumerConfig, mpConfigProperties, jwtClaims);
    }

    /**
     * Looks up a previously parsed context for this token and consumer id.
     *
     * @param str compact-serialized token (cache key; not traced)
     * @param jwtConsumerConfig consumer configuration supplying the id
     * @return the cached context, or null on a miss
     */
    JwtContext getJwtContextFromCache(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig) {
        initializeCache();
        Object cached = jwtCache.get(str, jwtConsumerConfig.getId());
        return (JwtContext) cached;
    }

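    /**
     * Lazily creates the shared {@code JwtCache}. The constructor argument 300000L
     * is presumably a lifetime in milliseconds; confirm against JwtCache.
     *
     * {@code jwtCache} is a static field shared by every ConsumerUtil instance, so
     * the guard must lock the class: the previous instance-level
     * {@code synchronized} let two instances race and each install their own cache.
     */
    private static synchronized void initializeCache() {
        if (jwtCache == null) {
            jwtCache = new JwtCache(300000L);
        }
    }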

    /**
     * Stores a parsed context under the token and consumer id, passing the
     * resolved clock skew to the cache.
     *
     * @param str compact-serialized token (cache key; not traced)
     * @param jwtContext context to cache
     * @param jwtConsumerConfig consumer configuration supplying the id and skew
     * @param mpConfigProperties MicroProfile JWT properties (skew fallback)
     */
    void cacheJwtContext(@Sensitive String str, JwtContext jwtContext, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) {
        initializeCache();
        long clockSkew = getClockSkew(jwtConsumerConfig, mpConfigProperties);
        jwtCache.put(str, jwtConsumerConfig.getId(), jwtContext, clockSkew);
    }

    /**
     * Checks the token's form against the configuration, unwraps a JWE to its
     * inner JWS when needed, and parses it with all validators and signature
     * verification disabled. Validation happens later in validateJwtContext.
     *
     * @param str compact-serialized token (not traced)
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @return the unvalidated context
     * @throws InvalidTokenException if the form violates the configuration
     * @throws InvalidJwtException if jose4j cannot parse the token
     */
    JwtContext parseNewJwtWithoutValidation(@Sensitive String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws InvalidTokenException, InvalidJwtException {
        boolean jwe = JweHelper.isJwe(str);
        JwtClaims jweHeader = jwe ? JweHelper.getJweHeaderParams(str) : null;
        checkJwtFormatAgainstConfigRequirements(str, jwtConsumerConfig, mpConfigProperties, jwe, jweHeader);
        String jws = str;
        if (jwe) {
            jws = JweHelper.extractJwsFromJweToken(str, jwtConsumerConfig, mpConfigProperties, jweHeader);
        }
        JwtConsumer consumer = initializeJwtConsumerBuilderWithoutValidation(jwtConsumerConfig).build();
        return consumer.process(jws);
    }

    /**
     * Full validation of a parsed context: claims (issuer, audience, amr, times,
     * header alg), presence of a key for the configured algorithm, and finally
     * signature verification through a jose4j consumer built with that key.
     *
     * NOTE(review): the debug line prints the Key via toString(); for HMAC keys
     * confirm the output does not expose key material.
     *
     * @param jwtContext parsed context
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @throws Exception on any validation failure
     */
    protected void validateJwtContext(JwtContext jwtContext, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws Exception {
        Key verificationKey = getSigningKey(jwtConsumerConfig, jwtContext, mpConfigProperties);
        JwtClaims claims = jwtContext.getJwtClaims();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Key from config: " + verificationKey, new Object[0]);
        }
        validateClaims(claims, jwtContext, jwtConsumerConfig, mpConfigProperties);
        validateSignatureAlgorithmWithKey(jwtConsumerConfig, verificationKey, mpConfigProperties);
        JwtConsumer verifier = initializeJwtConsumerBuilderWithValidation(jwtConsumerConfig, claims, verificationKey).build();
        processJwtContextWithConsumer(verifier, jwtContext);
    }

    /**
     * Checks the JWE header's {@code alg} against the configured key-management
     * algorithm (server config first, then the MP decrypt-key-algorithm property).
     * No configured algorithm means no check.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @param jwtClaims JWE protected header parameters
     * @throws InvalidTokenException if the header alg is missing or differs
     */
    private void validateHeaders(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, JwtClaims jwtClaims) throws InvalidTokenException {
        String expectedAlg = jwtConsumerConfig.getKeyManagementKeyAlgorithm();
        if (expectedAlg == null) {
            expectedAlg = mpConfigProperties.get(MpConfigProperties.DECRYPT_KEY_ALGORITHM);
        }
        if (expectedAlg == null) {
            return;
        }
        String headerAlg = (String) jwtClaims.getClaimValue("alg");
        validateKeyManagementKeyAlgorithm(expectedAlg, headerAlg);
    }

    /**
     * Requires the JWE header algorithm to be present and exactly equal to the
     * configured key-management algorithm.
     *
     * @param str configured (expected) algorithm
     * @param str2 algorithm from the JWE header, may be null
     * @throws InvalidTokenException if missing or mismatched
     */
    void validateKeyManagementKeyAlgorithm(String str, String str2) throws InvalidTokenException {
        if (str2 == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Decrypt key algorithm was not found in the JWE", new Object[0]);
            }
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWE_MISSING_ALG_HEADER", new Object[]{str}));
        }
        boolean matches = str.equals(str2);
        if (!matches) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWE_ALGORITHM_MISMATCH", new Object[]{str2, str}));
        }
    }

    /**
     * Builder for the parse-only pass: every validator, the signature requirement
     * and signature verification are switched off. Contexts produced by this
     * builder must not be trusted until validateJwtContext has run.
     *
     * @param jwtConsumerConfig supplies the clock skew (ms, truncated to whole seconds)
     * @return the configured builder
     */
    JwtConsumerBuilder initializeJwtConsumerBuilderWithoutValidation(JwtConsumerConfig jwtConsumerConfig) {
        int skewSeconds = (int) (jwtConsumerConfig.getClockSkew() / 1000);
        JwtConsumerBuilder builder = new JwtConsumerBuilder();
        builder.setSkipAllValidators();
        builder.setDisableRequireSignature();
        builder.setSkipSignatureVerification();
        builder.setAllowedClockSkewInSeconds(skewSeconds);
        return builder;
    }

    /**
     * Builder for the verification pass: the token's own issuer is set as expected
     * issuer (trust was already established by validateIssuer), default audience
     * validation is skipped (done in validateAudience), an exp claim is required,
     * and the resolved key is used for signature verification with relaxed key
     * type checks.
     *
     * @param jwtConsumerConfig supplies the clock skew (ms, truncated to whole seconds)
     * @param jwtClaims claims whose issuer is echoed into the builder
     * @param key verification key (may be null; see validateSignatureAlgorithmWithKey)
     * @return the configured builder
     * @throws MalformedClaimException if the issuer claim is malformed
     */
    JwtConsumerBuilder initializeJwtConsumerBuilderWithValidation(JwtConsumerConfig jwtConsumerConfig, JwtClaims jwtClaims, Key key) throws MalformedClaimException {
        String issuer = jwtClaims.getIssuer();
        int skewSeconds = (int) (jwtConsumerConfig.getClockSkew() / 1000);
        JwtConsumerBuilder builder = new JwtConsumerBuilder();
        builder.setExpectedIssuer(issuer);
        builder.setSkipDefaultAudienceValidation();
        builder.setRequireExpirationTime();
        builder.setVerificationKey(key);
        builder.setRelaxVerificationKeyValidation();
        builder.setAllowedClockSkewInSeconds(skewSeconds);
        return builder;
    }

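    /**
     * Resolves the allowed clock skew in milliseconds: the server config value if
     * non-negative, otherwise the MP clock-skew property (in seconds) or 0.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties
     * @return skew in milliseconds
     * @throws NumberFormatException if the MP property is present but not a valid long
     */
    private long getClockSkew(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) {
        long clockSkew = jwtConsumerConfig.getClockSkew();
        if (clockSkew >= 0) {
            return clockSkew;
        }
        // A negative config value means "unset": fall back to the MP property.
        String configured = mpConfigProperties.get(MpConfigProperties.CLOCK_SKEW);
        // parseLong avoids the boxing of Long.valueOf(...).longValue(); same parsing rules.
        return configured != null ? Long.parseLong(configured) * 1000 : 0L;
    }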

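    /**
     * Validates issuer, audience, amr, iat/exp (with token age), nbf, and finally
     * that the token's header {@code alg} equals the configured algorithm. This
     * method does not verify the signature; that is done by the jose4j consumer
     * in validateJwtContext.
     *
     * @param jwtClaims parsed claims
     * @param jwtContext parsed context (header access)
     * @param jwtConsumerConfig consumer configuration
     * @param mpConfigProperties MicroProfile JWT properties (fallbacks for issuer,
     *        clock skew, token age, audiences, algorithm)
     * @throws MalformedClaimException if a claim has the wrong type
     * @throws InvalidClaimException if a claim value is not acceptable
     * @throws InvalidTokenException if the header alg is missing or mismatched
     * @throws NumberFormatException if the MP token-age property is not a valid long
     */
    void validateClaims(JwtClaims jwtClaims, JwtContext jwtContext, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws MalformedClaimException, InvalidClaimException, InvalidTokenException {
        String issuer = jwtConsumerConfig.getIssuer();
        if (issuer == null) {
            issuer = mpConfigProperties.get(MpConfigProperties.ISSUER);
        }
        long clockSkew = getClockSkew(jwtConsumerConfig, mpConfigProperties);
        long tokenAge = jwtConsumerConfig.getTokenAge();
        if (tokenAge == 0) {
            // Config value 0 means "unset": fall back to the MP property (seconds).
            String configuredAge = mpConfigProperties.get(MpConfigProperties.TOKEN_AGE);
            if (configuredAge != null) {
                tokenAge = Long.parseLong(configuredAge) * 1000;
            }
        }
        validateIssuer(jwtConsumerConfig.getId(), issuer, jwtClaims.getIssuer());
        validateAudience(jwtConsumerConfig, jwtClaims.getAudience(), mpConfigProperties);
        if (!validateAMRClaim(jwtConsumerConfig.getAMRClaim(), getJwtAMRList(jwtClaims))) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_AMR_CLAIM_NOT_VALID", new Object[]{getJwtAMRList(jwtClaims), jwtConsumerConfig.getId(), jwtConsumerConfig.getAMRClaim()}));
        }
        validateIatAndExp(jwtClaims, clockSkew, tokenAge);
        validateNbf(jwtClaims, clockSkew);
        validateAlgorithm(jwtContext, mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig));
    }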

    /**
     * Fails when a signing algorithm is configured but no key was resolved. A null
     * algorithm or the literal "none" (case-insensitive) tolerates a missing key.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param key resolved verification key, may be null
     * @param mpConfigProperties MicroProfile JWT properties
     * @throws InvalidClaimException if a key is required but absent
     */
    void validateSignatureAlgorithmWithKey(JwtConsumerConfig jwtConsumerConfig, Key key, MpConfigProperties mpConfigProperties) throws InvalidClaimException {
        String alg = mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig);
        if (key != null) {
            return;
        }
        boolean keyRequired = alg != null && !alg.equalsIgnoreCase("none");
        if (keyRequired) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_MISSING_KEY", new Object[]{alg}));
        }
    }

    /**
     * Accepts the token's issuer if the comma-separated trusted list contains it
     * or the ALL_ISSUERS wildcard. Entries are trimmed; empty entries are skipped
     * by the tokenizer.
     *
     * @param str consumer id (for messages)
     * @param str2 comma-separated trusted issuers; must be non-empty
     * @param str3 issuer claim from the token, may be null
     * @return true when trusted (otherwise an exception is thrown)
     * @throws InvalidClaimException if no trusted issuers are configured or none match
     */
    boolean validateIssuer(String str, String str2, String str3) throws InvalidClaimException {
        if (str2 == null || str2.isEmpty()) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_TRUSTED_ISSUERS_NULL", new Object[]{str3, str}));
        }
        StringTokenizer entries = new StringTokenizer(str2, ",");
        while (entries.hasMoreTokens()) {
            String trusted = entries.nextToken().trim();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Trusted issuer: " + trusted, new Object[0]);
            }
            boolean wildcard = Constants.ALL_ISSUERS.equals(trusted);
            if (wildcard || trusted.equals(str3)) {
                return true;
            }
        }
        throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_ISSUER_NOT_TRUSTED", new Object[]{str3, str, str2}));
    }

    /**
     * Validates the token's audiences against the configured ones. When nothing is
     * configured and the config says to ignore an unconfigured aud, the check is
     * skipped entirely.
     *
     * @param jwtConsumerConfig consumer configuration
     * @param list audience claim values from the token, may be null
     * @param mpConfigProperties MicroProfile JWT properties (audience fallback)
     * @throws InvalidClaimException if the audiences are not acceptable
     */
    void validateAudience(JwtConsumerConfig jwtConsumerConfig, List<String> list, MpConfigProperties mpConfigProperties) throws InvalidClaimException {
        List<String> configured = mpConfigProperties.getConfiguredAudiences(jwtConsumerConfig);
        boolean skipCheck = configured == null && jwtConsumerConfig.ignoreAudClaimIfNotConfigured();
        if (skipCheck) {
            return;
        }
        if (!validateAudience(configured, list)) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_AUDIENCE_NOT_TRUSTED", new Object[]{list, jwtConsumerConfig.getId(), configured}));
        }
    }

    /**
     * Audience matching rules: a configured ALL_AUDIENCES wildcard accepts anything;
     * no configured audiences accept only a token with no aud values; otherwise at
     * least one token audience must equal a configured one.
     *
     * @param list configured audiences, may be null
     * @param list2 token audiences, may be null
     * @return true if acceptable
     */
    boolean validateAudience(List<String> list, List<String> list2) {
        if (list != null && list.contains(Constants.ALL_AUDIENCES)) {
            return true;
        }
        if (list == null) {
            return list2 == null || list2.isEmpty();
        }
        if (list2 == null) {
            return false;
        }
        for (String tokenAudience : list2) {
            for (String configured : list) {
                if (configured.equals(tokenAudience)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Validates the iat and exp claims against the current time with clock skew,
     * plus the optional maximum token age. A null claims object is only traced.
     *
     * @param jwtClaims parsed claims, may be null
     * @param j clock skew in milliseconds
     * @param j2 maximum token age in milliseconds (0 or less disables the check)
     * @throws InvalidClaimException if iat/exp are malformed or out of range
     */
    void validateIatAndExp(JwtClaims jwtClaims, long j, long j2) throws InvalidClaimException {
        if (jwtClaims == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing JwtClaims object", new Object[0]);
            }
            return;
        }
        NumericDate issuedAt = getIssuedAtClaim(jwtClaims);
        NumericDate expiration = getExpirationClaim(jwtClaims);
        debugCurrentTimes(j, issuedAt, expiration);
        validateIssuedAtClaim(issuedAt, expiration, j, j2);
        validateExpirationClaim(expiration, j);
    }

    /**
     * Debug-traces the iat/exp values and the skew-adjusted "now" bounds used for
     * comparison. Does nothing unless debug tracing is enabled.
     *
     * @param j clock skew in milliseconds
     * @param numericDate iat claim, may be null
     * @param numericDate2 exp claim, may be null
     */
    void debugCurrentTimes(long j, NumericDate numericDate, NumericDate numericDate2) {
        if (!tc.isDebugEnabled()) {
            return;
        }
        long now = System.currentTimeMillis();
        long skewSeconds = j / 1000;
        NumericDate lowerBound = NumericDate.fromMilliseconds(now - j);
        NumericDate upperBound = NumericDate.fromMilliseconds(now + j);
        Tr.debug(tc, "Checking iat [" + createDateString(numericDate) + "] and exp [" + createDateString(numericDate2) + "]", new Object[0]);
        Tr.debug(tc, "Comparing against current time (minus clock skew of " + skewSeconds + " seconds) [" + createDateString(lowerBound) + "]", new Object[0]);
        Tr.debug(tc, "Comparing against current time (plus clock skew of " + skewSeconds + " seconds) [" + createDateString(upperBound) + "]", new Object[0]);
    }

    /**
     * Requires iat to be no later than now+skew and strictly before exp, then
     * applies the token-age check. Skipped entirely if either claim is absent.
     *
     * @param numericDate iat claim, may be null
     * @param numericDate2 exp claim, may be null
     * @param j clock skew in milliseconds
     * @param j2 maximum token age in milliseconds
     * @throws InvalidClaimException if iat is in the future, not before exp, or too old
     */
    void validateIssuedAtClaim(NumericDate numericDate, NumericDate numericDate2, long j, long j2) throws InvalidClaimException {
        NumericDate latestAcceptable = NumericDate.fromMilliseconds(new Date().getTime() + j);
        boolean bothPresent = numericDate != null && numericDate2 != null;
        if (!bothPresent) {
            return;
        }
        if (numericDate.isAfter(latestAcceptable)) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_IAT_AFTER_CURRENT_TIME", new Object[]{createDateString(numericDate), createDateString(latestAcceptable), Long.valueOf(j / 1000)}));
        }
        if (numericDate.isOnOrAfter(numericDate2)) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_IAT_AFTER_EXP", new Object[]{createDateString(numericDate), createDateString(numericDate2)}));
        }
        checkTokenAge(numericDate, j, j2, latestAcceptable);
    }

    /**
     * Rejects a token whose iat plus the maximum age falls before now-skew. A
     * non-positive age disables the check.
     *
     * Note: {@code numericDate} is mutated in place by adding the age, so the
     * value in the error message is iat+age, not the original iat. The fourth
     * parameter is not used.
     *
     * @param numericDate iat claim (modified)
     * @param j clock skew in milliseconds
     * @param j2 maximum token age in milliseconds
     * @param numericDate2 unused
     * @throws InvalidClaimException if the token is older than allowed
     */
    void checkTokenAge(NumericDate numericDate, long j, long j2, NumericDate numericDate2) throws InvalidClaimException {
        if (j2 <= 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The JWT's token age verification is disabled because the tokenAge attribute and mp.jwt.verify.token.age property are both 0 or less.", new Object[]{Long.valueOf(j2)});
            }
            return;
        }
        long now = new Date().getTime();
        numericDate.addSeconds(j2 / 1000);
        NumericDate earliestAcceptable = NumericDate.fromMilliseconds(now - j);
        boolean tooOld = numericDate.isBefore(earliestAcceptable);
        if (tooOld) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_TOKEN_AGED", new Object[]{createDateString(numericDate), createDateString(earliestAcceptable), Long.valueOf(j / 1000), Long.valueOf(j2 / 1000)}));
        }
    }

    /**
     * Requires exp to be present and strictly after now-skew; a missing or past
     * exp is treated as an expired token.
     *
     * @param numericDate exp claim, may be null
     * @param j clock skew in milliseconds
     * @throws InvalidClaimException if the token is expired or has no exp
     */
    void validateExpirationClaim(NumericDate numericDate, long j) throws InvalidClaimException {
        NumericDate earliestAcceptable = NumericDate.fromMilliseconds(new Date().getTime() - j);
        boolean stillValid = numericDate != null && numericDate.isAfter(earliestAcceptable);
        if (stillValid) {
            return;
        }
        JwtUtils.setJwtSsoValidationPathExiredToken();
        throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_TOKEN_EXPIRED", new Object[]{createDateString(numericDate), createDateString(earliestAcceptable), Long.valueOf(j / 1000)}));
    }

    /**
     * Validates the nbf claim when a claims object is available; a null claims
     * object is only traced.
     *
     * @param jwtClaims parsed claims, may be null
     * @param j clock skew in milliseconds
     * @throws InvalidClaimException if nbf is malformed or still in the future
     */
    void validateNbf(JwtClaims jwtClaims, long j) throws InvalidClaimException {
        if (jwtClaims == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Missing JwtClaims object", new Object[0]);
            }
            return;
        }
        NumericDate notBefore = getNotBeforeClaim(jwtClaims);
        validateNotBeforeClaim(notBefore, j);
    }

    /**
     * Rejects a token whose nbf is on or after now+skew (equality is rejected). A
     * missing nbf passes.
     *
     * @param numericDate nbf claim, may be null
     * @param j clock skew in milliseconds
     * @throws InvalidClaimException if the token is not yet valid
     */
    void validateNotBeforeClaim(NumericDate numericDate, long j) throws InvalidClaimException {
        NumericDate latestAcceptable = NumericDate.fromMilliseconds(new Date().getTime() + j);
        if (numericDate == null) {
            return;
        }
        if (numericDate.isOnOrAfter(latestAcceptable)) {
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_TOKEN_BEFORE_NBF", new Object[]{createDateString(numericDate), createDateString(latestAcceptable), Long.valueOf(j / 1000)}));
        }
    }

    /**
     * Reads the iat claim, reporting a malformed value as JWT_CONSUMER_MALFORMED_CLAIM.
     *
     * @param jwtClaims parsed claims
     * @return the iat value, or null if absent
     * @throws InvalidClaimException if the claim is present but malformed
     */
    NumericDate getIssuedAtClaim(JwtClaims jwtClaims) throws InvalidClaimException {
        NumericDate issuedAt;
        try {
            issuedAt = jwtClaims.getIssuedAt();
        } catch (MalformedClaimException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "795", this, new Object[]{jwtClaims});
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_CONSUMER_MALFORMED_CLAIM", new Object[]{"iat", e.getLocalizedMessage()}), e);
        }
        return issuedAt;
    }

    /**
     * Reads the exp claim, reporting a malformed value as JWT_CONSUMER_MALFORMED_CLAIM.
     *
     * @param jwtClaims parsed claims
     * @return the exp value, or null if absent
     * @throws InvalidClaimException if the claim is present but malformed
     */
    NumericDate getExpirationClaim(JwtClaims jwtClaims) throws InvalidClaimException {
        NumericDate expiration;
        try {
            expiration = jwtClaims.getExpirationTime();
        } catch (MalformedClaimException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "807", this, new Object[]{jwtClaims});
            throw new InvalidClaimException(Tr.formatMessage(tc, "JWT_CONSUMER_MALFORMED_CLAIM", new Object[]{"exp", e.getLocalizedMessage()}), e);
        }
        return expiration;
    }

    /**
     * Reads the "nbf" claim, translating a malformed value into an
     * {@link InvalidClaimException} (with FFDC recorded).
     *
     * @param jwtClaims parsed claims; must not be null
     * @return the "nbf" value, or null if absent
     * @throws InvalidClaimException if the claim is present but not a valid numeric date
     */
    NumericDate getNotBeforeClaim(JwtClaims jwtClaims) throws InvalidClaimException {
        NumericDate notBefore;
        try {
            notBefore = jwtClaims.getNotBefore();
        } catch (MalformedClaimException malformed) {
            FFDCFilter.processException(malformed, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "819", this, new Object[]{jwtClaims});
            String msg = Tr.formatMessage(tc, "JWT_CONSUMER_MALFORMED_CLAIM", new Object[]{"nbf", malformed.getLocalizedMessage()});
            throw new InvalidClaimException(msg, malformed);
        }
        return notBefore;
    }

    /**
     * Checks that the token's "alg" header matches the configured required
     * signature algorithm.
     *
     * @param jwtContext parsed token context; its header supplies the actual "alg"
     * @param str        the required algorithm, or null if none is configured
     * @throws InvalidTokenException if the header is missing or does not match
     */
    void validateAlgorithm(JwtContext jwtContext, String str) throws InvalidTokenException {
        if (str == null) {
            // No required algorithm configured: this check is a no-op.
            // NOTE(review): any restriction on acceptable algorithms (e.g. rejecting
            // "none") must then come from elsewhere, such as the JwtConsumer's own
            // constraints — confirm in the caller.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "No required signature algorithm was specified", new Object[0]);
            }
            return;
        }
        String actualAlg = getAlgorithmFromJwtHeader(jwtContext);
        validateAlgorithm(str, actualAlg);
    }

    /**
     * Requires an exact (case-sensitive) match between the required algorithm
     * and the one found in the token header; fails closed when the header
     * value is absent.
     *
     * @param str  the required algorithm name (non-null)
     * @param str2 the "alg" value taken from the token, or null if unavailable
     * @throws InvalidTokenException if {@code str2} is null or differs from {@code str}
     */
    void validateAlgorithm(String str, String str2) throws InvalidTokenException {
        if (str2 == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Signature algorithm was not found in the JWT", new Object[0]);
            }
            String missing = Tr.formatMessage(tc, "JWT_MISSING_ALG_HEADER", new Object[]{str});
            throw new InvalidTokenException(missing);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "JWT is signed with algorithm: ", new Object[]{str2});
            Tr.debug(tc, "JWT is required to be signed with algorithm: ", new Object[]{str});
        }
        boolean matches = str.equals(str2);
        if (matches) {
            return;
        }
        String mismatch = Tr.formatMessage(tc, "JWT_ALGORITHM_MISMATCH", new Object[]{str2, str});
        throw new InvalidTokenException(mismatch);
    }

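    /**
     * Runs the jose4j consumer over the parsed token context. Signature
     * failures are surfaced as {@link InvalidTokenException}; every other
     * jose4j validation failure is rethrown unchanged.
     *
     * @param jwtConsumer the configured jose4j consumer
     * @param jwtContext  the parsed token context to validate
     * @throws InvalidTokenException if the signature does not verify
     * @throws InvalidJwtException   for any other jose4j validation failure
     */
    void processJwtContextWithConsumer(JwtConsumer jwtConsumer, JwtContext jwtContext) throws InvalidTokenException, InvalidJwtException {
        try {
            jwtConsumer.processContext(jwtContext);
        } catch (InvalidJwtSignatureException e) {
            // This clause must come first: InvalidJwtSignatureException is a subclass of
            // InvalidJwtException, so listing it second makes it unreachable (javac
            // rejects that ordering outright). The FFDC probe ids reflect this order.
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "860", this, new Object[]{jwtConsumer, jwtContext});
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWT_INVALID_SIGNATURE", new Object[]{e.getLocalizedMessage()}), e);
        } catch (InvalidJwtException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "863", this, new Object[]{jwtConsumer, jwtContext});
            // A key problem (wrong key, unusable key material) is worth tracing
            // separately; the exception itself is still propagated unchanged.
            Throwable rootCause = getRootCause(e);
            if (rootCause instanceof InvalidKeyException && tc.isDebugEnabled()) {
                Tr.debug(tc, "JWT validation failed because of an invalid key: ", new Object[]{rootCause.getClass().getName()});
            }
            throw e;
        }
    }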

    /**
     * Extracts the "alg" header value from the token context.
     *
     * Returns null when the context is null or the header cannot be read;
     * with a required algorithm configured, a null result makes
     * {@link #validateAlgorithm(String, String)} reject the token, so this
     * fails closed rather than open.
     *
     * @param jwtContext parsed token context, may be null
     * @return the "alg" header value, or null if it cannot be determined
     */
    String getAlgorithmFromJwtHeader(JwtContext jwtContext) {
        if (jwtContext == null) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JwtContext is null", new Object[0]);
            }
            return null;
        }
        try {
            JsonWebSignature header = getJwtHeader(jwtContext);
            String alg = header.getAlgorithmHeaderValue();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JWT is signed with algorithm: ", new Object[]{alg});
            }
            return alg;
        } catch (Exception headerFailure) {
            // Any failure reading the header is recorded and mapped to "unknown".
            FFDCFilter.processException(headerFailure, "com.ibm.ws.security.jwt.internal.ConsumerUtil", "885", this, new Object[]{jwtContext});
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Failed to obtain JWT header", new Object[0]);
            }
            return null;
        }
    }

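    /**
     * Walks the cause chain and returns its innermost throwable.
     *
     * Guards against cyclic cause chains (possible via {@code initCause}):
     * the walk stops at the first throwable already visited, so a cycle
     * yields the last distinct element instead of looping forever.
     *
     * @param exc the outermost exception; may be null
     * @return the deepest distinct cause, {@code exc} itself if it has none,
     *         or null if {@code exc} is null
     */
    Throwable getRootCause(Exception exc) {
        Throwable deepest = null;
        // Identity-based: Throwable does not override equals, but be explicit.
        java.util.Set<Throwable> visited = Collections.newSetFromMap(new java.util.IdentityHashMap<Throwable, Boolean>());
        for (Throwable cur = exc; cur != null && visited.add(cur); cur = cur.getCause()) {
            deepest = cur;
        }
        return deepest;
    }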

    /**
     * Formats a JWT numeric date (seconds since the epoch) for use in messages.
     *
     * @param numericDate the value to format, may be null
     * @return the formatted date, or null if the input is null
     */
    String createDateString(NumericDate numericDate) {
        if (numericDate == null) {
            return null;
        }
        // NumericDate holds seconds; timeUtils expects milliseconds.
        long epochMillis = numericDate.getValue() * 1000L;
        return timeUtils.createDateString(epochMillis);
    }

    /**
     * Reads the "amr" claim, accepting either a single string or an array of
     * strings (RFC 8176 specifies an array; a bare string is tolerated).
     *
     * @param jwtClaims parsed claims; must not be null
     * @return the "amr" values; for a bare string a one-element list; null if
     *         the claim is absent (as returned by jose4j)
     * @throws MalformedClaimException if the claim is neither a string nor a
     *                                 list of strings
     */
    List<String> getJwtAMRList(JwtClaims jwtClaims) throws MalformedClaimException {
        Object raw = jwtClaims.getClaimValue("amr");
        if (raw == null || raw instanceof List) {
            return jwtClaims.getStringListClaimValue("amr");
        }
        if (raw instanceof String) {
            String single = jwtClaims.getStringClaimValue("amr");
            return Collections.singletonList(single);
        }
        throw new MalformedClaimException("The value of the 'amr' claim is not an array of strings or a single string value.");
    }

    /**
     * Checks the token's "amr" values against the configured requirement.
     *
     * Each entry of {@code list} is a space-separated group of authentication
     * methods. With exactly one group, the token must contain every method in
     * it (extra methods allowed). With several groups, the token's list must
     * equal one group exactly, including order.
     * NOTE(review): the single-group and multi-group cases use different
     * comparisons (containsAll vs. ordered equals) — confirm this is intended.
     *
     * @param list  required groups; null means no requirement (always passes)
     * @param list2 the token's "amr" values; null fails when a requirement exists
     * @return true if the token satisfies the requirement
     */
    boolean validateAMRClaim(List<String> list, List<String> list2) {
        if (list == null) {
            return true;
        }
        if (list2 == null) {
            return false;
        }
        if (list.size() == 1) {
            List<String> required = Arrays.asList(list.get(0).split(" "));
            return list2.containsAll(required);
        }
        for (String group : list) {
            List<String> members = Arrays.asList(group.split(" "));
            if (list2.equals(members)) {
                return true;
            }
        }
        return false;
    }
}
