package com.ibm.ws.security.openidconnect.client.jose4j.util;

import com.ibm.json.java.JSONObject;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.openidconnect.clients.common.AttributeToSubject;
import com.ibm.ws.security.openidconnect.clients.common.ConvergedClientConfig;
import com.ibm.ws.security.openidconnect.clients.common.JtiNonceCache;
import com.ibm.ws.security.openidconnect.clients.common.OIDCClientAuthenticatorUtil;
import com.ibm.ws.security.openidconnect.clients.common.OidcClientRequest;
import com.ibm.ws.security.openidconnect.clients.common.OidcUtil;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest;
import com.ibm.ws.security.openidconnect.jose4j.Jose4jValidator;
import com.ibm.ws.security.openidconnect.jwk.KeyConstants;
import com.ibm.ws.security.openidconnect.token.JWTTokenValidationFailedException;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.ProviderAuthenticationResult;
import com.ibm.wsspi.ssl.SSLSupport;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.Key;
import java.security.PrivilegedAction;
import java.util.Date;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.HmacKey;

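/**
 * jose4j-backed helper that the OpenID Connect client uses to turn an ID token (or a bare JWT)
 * plus its companion tokens into a {@link ProviderAuthenticationResult}.
 *
 * <p>The flow is the same for both entry points: parse the token <em>without</em> validation to
 * read its header, pick the verification key from the {@link ConvergedClientConfig} (shared
 * secret, configured public key, or a JWK obtained through {@link JwKRetriever}), validate the
 * token through {@link Jose4jValidator}, and finally map the validated claims onto a
 * {@link Subject} with {@link AttributeToSubject}. Every failure path collapses to
 * {@code AuthResult.SEND_401}; details go to the log, not to the caller.
 *
 * <p>Thread-safety: an instance only holds an {@link SSLSupport} reference. The
 * {@link JtiNonceCache} is class-wide, so JTI replay detection in
 * {@link #checkForReusedJwt} spans every instance in the JVM.
 *
 * <p>NOTE(review): this listing is decompiler output. The try/catch scopes in
 * {@link #createResultWithJose4J} and {@link #createResultWithJose4JForJwt} and the
 * {@code JsonWebStructure} typing in {@link #parseJwtWithValidation} were reconstructed so the
 * class compiles; confirm them against the original source.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
public class Jose4jUtil {
    private static final String SIGNATURE_ALG_HS256 = "HS256";
    private static final String SIGNATURE_ALG_RS256 = "RS256";
    private static final String SIGNATURE_ALG_NONE = "none";
    private static final String ID_TOKEN_KEY = "id_token";
    private static final int HTTP_UNAUTHORIZED = 401;
    private static final int HTTP_OK = 200;
    private final SSLSupport sslSupport;
    // Retained from the original class; the class does not implement Serializable here.
    static final long serialVersionUID = -309043300267708408L;
    private static final TraceComponent tc = Tr.register(Jose4jUtil.class, "OPENIDCONNECT", "com.ibm.ws.security.openidconnect.clients.common.resources.OidcClientMessages");
    // Shared across all instances: one replay cache per JVM.
    private static final JtiNonceCache jtiCache = new JtiNonceCache();

    static {
        // Process-wide: jose4j reads this system property when choosing its default algorithm
        // constraints, so with it set "alg":"none" is no longer rejected by default for every
        // jose4j consumer in this JVM, not only this client. The "none" case is still funnelled
        // through getVerifyKey/Jose4jValidator below; whether an unsigned token is ultimately
        // accepted is decided in Jose4jValidator (not visible here -- confirm it pins the
        // configured signatureAlgorithm).
        AccessController.doPrivileged(new PrivilegedAction<String>() {
            @Override
            public String run() {
                return System.setProperty("org.jose4j.jws.default-allow-none", "true");
            }
        });
    }

    /**
     * @param sSLSupport SSL support handed to {@link JwKRetriever} for JWK endpoint calls
     */
    public Jose4jUtil(SSLSupport sSLSupport) {
        this.sslSupport = sSLSupport;
    }

    /** The uniform rejection result used on every failure path. */
    private static ProviderAuthenticationResult unauthorized() {
        return new ProviderAuthenticationResult(AuthResult.SEND_401, HTTP_UNAUTHORIZED);
    }

    /**
     * Builds the authentication result for the authorization-code / implicit flows from a token
     * response.
     *
     * @param str                   value forwarded unchanged to {@link OidcUtil#verifyNonce}
     *                              (presumably the request state -- confirm at the call site)
     * @param map                   token response; read for {@code id_token},
     *                              {@code Constants.ACCESS_TOKEN} and {@code Constants.REFRESH_TOKEN}.
     *                              Must be non-null: {@link #getIdToken} tolerates null but the
     *                              following {@code get} calls do not.
     * @param convergedClientConfig client configuration
     * @param oidcClientRequest     per-request context (token type, custom cache key)
     * @return {@code SUCCESS} carrying the mapped subject and custom properties, or
     *         {@code SEND_401} when the ID token is missing, fails validation, has no subject or
     *         user name, or fails the nonce check
     */
    @FFDCIgnore({Exception.class})
    public ProviderAuthenticationResult createResultWithJose4J(String str, Map<String, String> map, ConvergedClientConfig convergedClientConfig, OidcClientRequest oidcClientRequest) {
        ProviderAuthenticationResult result;
        String idToken = getIdToken(map, convergedClientConfig);
        String accessToken = map.get(Constants.ACCESS_TOKEN);
        String refreshToken = map.get(Constants.REFRESH_TOKEN);
        String clientId = convergedClientConfig.getClientId();
        // NOTE(review): try scope reconstructed -- the decompiled empty try with a fall-through
        // catch assigning the shared result variable implies the whole body was covered.
        try {
            if (idToken == null) {
                Tr.error(tc, "OIDC_CLIENT_IDTOKEN_REQUEST_FAILURE", new Object[]{clientId, convergedClientConfig.getTokenEndpointUrl()});
                return unauthorized();
            }
            // First pass only parses. Its claims are untrusted and are used solely so that
            // parseJwtWithValidation can read the header (kid / x5t) for key selection, plus the
            // debug trace below.
            JwtContext unverified = parseJwtWithoutValidation(idToken);
            JwtClaims claims = parseJwtWithValidation(convergedClientConfig, idToken, unverified, oidcClientRequest);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "post jwtClaims: " + claims + " firstPass jwtClaims=" + unverified.getJwtClaims(), new Object[0]);
            }
            // Only the validated claims feed the token object and, through it, the Subject.
            OidcTokenImplBase idTokenObject = new OidcTokenImplBase(claims, accessToken, refreshToken, clientId, oidcClientRequest.getTokenTypeNoSpace());
            if (idTokenObject.getSubject() == null) {
                return unauthorized();
            }
            AttributeToSubject attributeToSubject = new AttributeToSubject(convergedClientConfig, idTokenObject);
            if (attributeToSubject.checkUserNameForNull()) {
                return unauthorized();
            }
            // Nonce verification is unconditional for the implicit grant and otherwise opt-in.
            boolean implicitFlow = "implicit".equals(convergedClientConfig.getGrantType());
            if (convergedClientConfig.isNonceEnabled() || implicitFlow) {
                String nonce = idTokenObject.getNonce();
                if (!OidcUtil.verifyNonce(oidcClientRequest, nonce, convergedClientConfig, str)) {
                    Tr.error(tc, "OIDC_CLIENT_REQUEST_NONCE_FAILED", new Object[]{clientId, nonce});
                    return unauthorized();
                }
            }
            if (convergedClientConfig.isSocial()) {
                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                    Tr.debug(tc, "social login flow, storing id token in result", new Object[0]);
                }
                Hashtable<String, Object> socialProperties = new Hashtable<>();
                socialProperties.put(ID_TOKEN_KEY, idToken);
                // Hashtable rejects null values: a response without an access token lands in the
                // catch below and becomes a 401 rather than a partial result.
                socialProperties.put(Constants.ACCESS_TOKEN, accessToken);
                socialProperties.put(Constants.ID_TOKEN_OBJECT, idTokenObject);
                // No Subject is built for social login; the caller consumes the raw tokens.
                return new ProviderAuthenticationResult(AuthResult.SUCCESS, HTTP_OK, (String) null, (Subject) null, socialProperties, (String) null);
            }
            Hashtable<String, Object> customProperties = new Hashtable<>();
            if (convergedClientConfig.isIncludeCustomCacheKeyInSubject() || convergedClientConfig.isDisableLtpaCookie()) {
                // These three keys are consumed outside this class (authentication cache /
                // subject assertion -- confirm against the consumer). A null custom cache key
                // value throws here and is reported as a 401 by the catch below.
                customProperties.put("com.ibm.wssi.security.oidc.client.credential.storing.utc.time.milliseconds", Long.valueOf(System.currentTimeMillis()));
                customProperties.put("com.ibm.wsspi.security.cred.cacheKey", oidcClientRequest.getAndSetCustomCacheKeyValue());
                customProperties.put("com.ibm.ws.authentication.internal.assertion", Boolean.TRUE);
            }
            Subject subject = null;
            if (convergedClientConfig.isIncludeIdTokenInSubject()) {
                subject = new Subject();
                subject.getPrivateCredentials().add(idTokenObject);
                // The complete token response travels as custom properties in this mode.
                customProperties.putAll(map);
            } else {
                if (refreshToken != null) {
                    customProperties.put(Constants.REFRESH_TOKEN, refreshToken);
                }
                if (accessToken != null) {
                    customProperties.put(Constants.ACCESS_TOKEN, accessToken);
                }
            }
            customProperties.put(Constants.ID_TOKEN_OBJECT, idTokenObject);
            result = attributeToSubject.doMapping(customProperties, subject);
        } catch (Exception e) {
            // @FFDCIgnore: token rejection is an expected condition at this boundary, so no FFDC
            // is cut. The localized cause is logged; the caller only sees a 401.
            Tr.error(tc, "OIDC_CLIENT_IDTOKEN_VERIFY_ERR", new Object[]{e.getLocalizedMessage(), clientId});
            result = unauthorized();
        }
        return result;
    }

    /**
     * Picks the ID token out of the token response.
     *
     * @return the {@code id_token} entry; when absent and the configuration says to use the
     *         access token as ID token, the {@code Constants.ACCESS_TOKEN} entry; {@code null}
     *         when {@code map} is null or neither is present
     */
    String getIdToken(Map<String, String> map, ConvergedClientConfig convergedClientConfig) {
        if (map == null) {
            return null;
        }
        String idToken = map.get(ID_TOKEN_KEY);
        if (idToken != null) {
            return idToken;
        }
        return useAccessTokenAsIdToken(convergedClientConfig) ? map.get(Constants.ACCESS_TOKEN) : null;
    }

    /** Package-visible seam over the config flag (overridable in tests). */
    boolean useAccessTokenAsIdToken(ConvergedClientConfig convergedClientConfig) {
        return convergedClientConfig.getUseAccessTokenAsIdToken();
    }

    /**
     * Parses a compact JWT without any validation: all claim validators are skipped, a signature
     * is not required, and signature verification is skipped.
     *
     * <p>The returned context is therefore untrusted. It exists so that the header (kid, x5t,
     * alg) can be inspected to choose a verification key before the real validation in
     * {@link #parseJwtWithValidation}.
     *
     * @throws InvalidJwtException when the string is not a parseable JWT
     */
    protected static JwtContext parseJwtWithoutValidation(String str) throws InvalidJwtException {
        return new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build()
                .process(str);
    }

    /**
     * Validates {@code str} with the key selected from the client configuration.
     *
     * @param convergedClientConfig supplies signature algorithm, key material, clock skew, issuer
     *                              and client id for the validator
     * @param str                   the compact-serialized JWT
     * @param jwtContext            result of {@link #parseJwtWithoutValidation(String)} for the
     *                              same string; only the header of its first JOSE object is read
     * @param oidcClientRequest     per-request context; receives the failure message when no key
     *                              can be resolved
     * @return the validated claims
     * @throws JWTTokenValidationFailedException via {@code oidcClientRequest.error} when no
     *                                           verification key could be resolved
     * @throws Exception any jose4j parse failure or validator failure, logged at debug and rethrown
     */
    @FFDCIgnore({Exception.class})
    protected JwtClaims parseJwtWithValidation(ConvergedClientConfig convergedClientConfig, String str, JwtContext jwtContext, OidcClientRequest oidcClientRequest) throws JWTTokenValidationFailedException, IllegalStateException, Exception {
        try {
            List<JsonWebStructure> joseObjects = jwtContext.getJoseObjects();
            if (joseObjects == null || joseObjects.isEmpty()) {
                throw new InvalidJwtException("Invalid JsonWebStructure");
            }
            // Only the outermost JOSE structure is considered; nested layers are not unwrapped here.
            JsonWebStructure jose = joseObjects.get(0);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "JsonWebStructure class: " + jose.getClass().getName() + " data:" + jose, new Object[0]);
                if (jose instanceof JsonWebSignature) {
                    JsonWebSignature jws = (JsonWebSignature) jose;
                    Tr.debug(tc, "JsonWebSignature alg: " + jws.getAlgorithmHeaderValue() + " 3rd:'" + jws.getEncodedSignature() + "'", new Object[0]);
                }
            }
            // kid / x5t come from the unverified header and are therefore attacker-controlled.
            // They only select among keys from configured sources (shared secret, configured
            // public key, or the configured JWK endpoint / JWK set); they never introduce one.
            Key key = null;
            Exception keyLookupFailure = null;
            try {
                key = getVerifyKey(convergedClientConfig, jose.getKeyIdHeaderValue(), jose.getX509CertSha1ThumbprintHeaderValue());
            } catch (Exception e) {
                keyLookupFailure = e; // reported below as part of the "no verifying key" message
            }
            if (key != null) {
                Jose4jValidator validator = new Jose4jValidator(key,
                        convergedClientConfig.getClockSkewInSeconds(),
                        new OIDCClientAuthenticatorUtil().getIssuerIdentifier(convergedClientConfig),
                        convergedClientConfig.getClientId(),
                        convergedClientConfig.getSignatureAlgorithm(),
                        oidcClientRequest);
                return validator.parseJwtWithValidation(str, jwtContext, jose);
            }
            // No key: the message carries the configured algorithm and, if the lookup threw, its
            // localized cause (an empty string otherwise).
            String cause = keyLookupFailure != null ? keyLookupFailure.getLocalizedMessage() : "";
            Object[] messageArgs = {convergedClientConfig.getSignatureAlgorithm(), cause};
            oidcClientRequest.setRsFailMsg(OidcCommonClientRequest.NO_KEY, Tr.formatMessage(tc, "OIDC_CLIENT_NO_VERIFYING_KEY", messageArgs));
            throw oidcClientRequest.error(true, tc, "OIDC_CLIENT_NO_VERIFYING_KEY", messageArgs);
        } catch (Exception e2) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught an unexpected exception.", new Object[]{e2});
            }
            throw e2;
        }
    }

    /**
     * Resolves the key used to verify the token signature, keyed on the configured algorithm.
     *
     * <ul>
     * <li>{@code HS256}: HMAC key built from the configured shared secret.</li>
     * <li>{@code RS256}: the configured public key when neither a JWK endpoint nor a JWK is
     *     configured, otherwise the JWK matched by {@code kid} / {@code x5t} via
     *     {@link JwKRetriever#getPublicKeyFromJwk}.</li>
     * <li>{@code none}: still returns an HMAC key from the shared secret so the caller proceeds
     *     to {@link Jose4jValidator} instead of failing with "no verifying key"; whether an
     *     unsigned token is accepted is decided there, not here.</li>
     * <li>anything else: {@code null}.</li>
     * </ul>
     *
     * @param str  {@code kid} header value, may be null
     * @param str2 {@code x5t} header value, may be null
     * @return the key, or {@code null} for an unsupported algorithm
     * @throws Exception from JWK retrieval; a missing shared secret surfaces as a
     *                   NullPointerException, which the caller folds into the "no key" report
     */
    protected Key getVerifyKey(ConvergedClientConfig convergedClientConfig, String str, String str2) throws Exception {
        String algorithm = convergedClientConfig.getSignatureAlgorithm();
        if (SIGNATURE_ALG_HS256.equals(algorithm) || SIGNATURE_ALG_NONE.equals(algorithm)) {
            return new HmacKey(convergedClientConfig.getSharedKey().getBytes(StandardCharsets.UTF_8));
        }
        if (SIGNATURE_ALG_RS256.equals(algorithm)) {
            boolean noJwkSource = convergedClientConfig.getJwkEndpointUrl() == null && convergedClientConfig.getJsonWebKey() == null;
            if (noJwkSource) {
                return convergedClientConfig.getPublicKey();
            }
            return createJwkRetriever(convergedClientConfig).getPublicKeyFromJwk(str, str2, KeyConstants.sig, convergedClientConfig.getUseSystemPropertiesForHttpClientConnections());
        }
        return null;
    }

    /**
     * Builds a {@link JwKRetriever} for the configured JWK endpoint / JWK set using this
     * instance's {@link SSLSupport}.
     *
     * @return the retriever, or {@code null} when {@code convergedClientConfig} is null
     */
    public JwKRetriever createJwkRetriever(ConvergedClientConfig convergedClientConfig) {
        if (convergedClientConfig == null) {
            return null;
        }
        return new JwKRetriever(convergedClientConfig.getId(),
                convergedClientConfig.getSslRef(),
                convergedClientConfig.getJwkEndpointUrl(),
                convergedClientConfig.getJwkSet(),
                this.sslSupport,
                convergedClientConfig.isHostNameVerificationEnabled(),
                convergedClientConfig.getJwkClientId(),
                convergedClientConfig.getJwkClientSecret());
    }

    /**
     * Maps an already-obtained JSON payload (not a JWT) onto a fresh {@link Subject}.
     *
     * @param jSONObject            claims to map
     * @param convergedClientConfig client configuration
     * @param str                   access token to store under {@code Constants.ACCESS_TOKEN}
     *                              when non-null
     * @return {@code SEND_401} when no user name can be derived, else the mapping result
     */
    protected ProviderAuthenticationResult createProviderAuthenticationResult(JSONObject jSONObject, ConvergedClientConfig convergedClientConfig, String str) {
        AttributeToSubject attributeToSubject = new AttributeToSubject(convergedClientConfig, jSONObject, str);
        if (attributeToSubject.checkUserNameForNull()) {
            return unauthorized();
        }
        Hashtable<String, Object> customProperties = attributeToSubject.handleCustomProperties();
        if (str != null) {
            customProperties.put(Constants.ACCESS_TOKEN, str);
        }
        return attributeToSubject.doMapping(customProperties, new Subject());
    }

    /**
     * Builds the authentication result from a bare JWT presented as the access token
     * (resource-server style), including JTI replay rejection.
     *
     * @param str                   the compact JWT; it is also stored as the access token
     * @param convergedClientConfig client configuration
     * @param oidcClientRequest     per-request context; receives the failure message on error
     * @return {@code SEND_401} when validation fails, the JTI was already seen, or no user name can
     *         be derived; else the mapping result
     */
    @FFDCIgnore({Exception.class})
    public ProviderAuthenticationResult createResultWithJose4JForJwt(String str, ConvergedClientConfig convergedClientConfig, OidcClientRequest oidcClientRequest) {
        ProviderAuthenticationResult result;
        String clientId = convergedClientConfig.getClientId();
        // NOTE(review): try scope reconstructed from decompiler output (see class comment).
        try {
            JwtClaims claims = parseJwtWithValidation(convergedClientConfig, str, parseJwtWithoutValidation(str), oidcClientRequest);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "jwtClaims: " + claims, new Object[0]);
            }
            // The JWT doubles as the access token; there is no refresh token in this flow.
            OidcTokenImplBase jwtToken = new OidcTokenImplBase(claims, str, null, clientId, oidcClientRequest.getTokenTypeNoSpace());
            if (tc.isDebugEnabled()) {
                // OidcTokenImplBase.toString() lands in trace here; check what it exposes before
                // enabling this trace specification outside of debugging.
                Tr.debug(tc, "jwt token(idToken):" + jwtToken.toString(), new Object[0]);
            }
            ProviderAuthenticationResult replayRejection = checkForReusedJwt(convergedClientConfig, jwtToken);
            if (replayRejection != null) {
                return replayRejection;
            }
            AttributeToSubject attributeToSubject = new AttributeToSubject(convergedClientConfig, jwtToken);
            if (attributeToSubject.checkUserNameForNull()) {
                return unauthorized();
            }
            Hashtable<String, Object> customProperties = new Hashtable<>();
            Subject subject = null;
            if (convergedClientConfig.isIncludeIdTokenInSubject()) {
                subject = new Subject();
                subject.getPrivateCredentials().add(jwtToken);
            }
            if (str != null) {
                customProperties.put(Constants.ACCESS_TOKEN, str);
            }
            result = attributeToSubject.doMapping(customProperties, subject);
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Get exception", new Object[]{e});
            }
            // Same text is logged and recorded on the request for the caller's challenge.
            Object[] messageArgs = {e.getLocalizedMessage(), clientId};
            Tr.error(tc, "OIDC_CLIENT_JWT_VERIFY_ERR", messageArgs);
            oidcClientRequest.setRsFailMsg(null, Tr.formatMessage(tc, "OIDC_CLIENT_JWT_VERIFY_ERR", messageArgs));
            result = unauthorized();
        }
        return result;
    }

    /**
     * Rejects a JWT whose JTI has already been seen, unless token reuse is allowed by config.
     *
     * <p>{@code jtiCache.contain} presumably records the JTI on a miss (the name suggests a
     * check-and-insert) -- confirm in {@link JtiNonceCache}.
     *
     * @return {@code null} when the token may proceed, else a {@code SEND_401} result
     */
    ProviderAuthenticationResult checkForReusedJwt(ConvergedClientConfig convergedClientConfig, OidcTokenImplBase oidcTokenImplBase) {
        if (convergedClientConfig.getTokenReuse()) {
            return null;
        }
        if (!jtiCache.contain(oidcTokenImplBase)) {
            return null;
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Jwt token can only be submitted once. The issuer is " + oidcTokenImplBase.getIssuer() + ", and JTI is " + oidcTokenImplBase.getJwtId(), new Object[0]);
        }
        Tr.error(tc, Tr.formatMessage(tc, "JWT_DUP_JTI_ERR", new Object[]{oidcTokenImplBase.getIssuer(), oidcTokenImplBase.getJwtId()}), new Object[0]);
        return unauthorized();
    }
}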
