package com.ibm.ws.security.openidconnect.token;

import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.gson.JsonPrimitive;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.SignatureException;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import org.joda.time.Instant;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.JoseException;

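/**
 * JSON Web Token as used by the OpenID Connect code: builds and serializes a token from a
 * {@link JWSHeader} and a {@link JWTPayload}, and verifies a received token string (signature,
 * issue/expiry window, issuer and audience).
 *
 * <p>Reconstructed from decompiled bytecode (see the "loaded from" marker). The
 * {@code FFDCFilter.processException} calls carrying numeric probe ids look like the ones the
 * build-time FFDC instrumentation injects; they are kept as found.
 *
 * <p>Instances are stateful: {@link #verify(long, Object)} overwrites the key, the clock skew and
 * the parsed header/payload, so an instance should not be shared across threads without external
 * synchronization.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/token/JWT.class */
public class JWT {
    private static final TraceComponent tc = Tr.register(JWT.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.common.internal.resources.OidcCommonMessages");

    /** Name of the JOSE header member carrying the signing algorithm. */
    private static final String ALGORITHM_HEADER = "alg";
    /** Algorithm value meaning "unsigned"; also the default for {@link #signingAlgorithm}. */
    private static final String NONE_ALGORITHM = "none";
    /** Clock skew applied by the no-argument {@link #verify()}. */
    private static final long DEFAULT_CLOCK_SKEW_SECONDS = 180L;
    /** Lifetime given to a generated token whose payload carries no {@code exp}. */
    private static final long DEFAULT_LIFETIME_SECONDS = 3600L;
    /** Kept from the original class; the class does not implement Serializable here. */
    static final long serialVersionUID = -4936895986284158662L;

    private JWSHeader header;
    private JWTPayload payload;

    /** Signing/verification key material; marked sensitive so it is kept out of trace. */
    @Sensitive
    private Object key;
    /** Cache of the compact serialization produced by {@link #createJsonToken()}. */
    private String signedAndSerializedString;
    /** The token string handed in for verification. */
    private String tokenString;
    /** Cache for the unsigned serialization, see {@link #computeBaseString} and {@link #getJWTString()}. */
    private String baseString;
    private long clockSkewInSeconds = 0L;
    private String clientId = null;
    private String issuers = null;
    private String signingAlgorithm = NONE_ALGORITHM;

    /**
     * Creates a token that will be signed with {@code signingKey}.
     *
     * @param jWSHeader  header to serialize
     * @param jWTPayload claims to serialize
     * @param signingKey key material: a {@link Key} for RS256, a String or byte[] for HS256
     *                   (see {@link #getKey(String)})
     */
    public JWT(JWSHeader jWSHeader, JWTPayload jWTPayload, @Sensitive Object signingKey) {
        this.header = jWSHeader;
        this.payload = jWTPayload;
        setKey(signingKey);
    }

    /**
     * Creates a token without key material; only the unsigned serialization
     * ({@link #getJWTString()}) can be produced from it.
     *
     * @param jWSHeader  header to serialize
     * @param jWTPayload claims to serialize
     */
    public JWT(JWSHeader jWSHeader, JWTPayload jWTPayload) {
        this.header = jWSHeader;
        this.payload = jWTPayload;
    }

    /**
     * Wraps a received token string for verification and parses its header right away.
     *
     * @param tokenString      compact-serialized token
     * @param verificationKey  key material used to check the signature
     * @param clientId         the relying party's client id (used for audience checks and messages)
     * @param issuers          accepted issuer(s), a single value or a space/comma separated list
     * @param signingAlgorithm algorithm the relying party expects, or {@code "none"}
     */
    public JWT(String tokenString, @Sensitive Object verificationKey, String clientId, String issuers, String signingAlgorithm) {
        this.tokenString = tokenString;
        setKey(verificationKey);
        this.clientId = clientId;
        this.issuers = issuers;
        this.signingAlgorithm = signingAlgorithm;
        this.header = new JWSHeader();
        initializeHeader();
    }

    /**
     * Wraps a received token string for verification; unlike the keyed constructor this one
     * does not parse the header, so the key must be supplied to {@link #verify(long, Object)}.
     *
     * @param tokenString      compact-serialized token
     * @param clientId         the relying party's client id
     * @param issuers          accepted issuer(s), a single value or a space/comma separated list
     * @param signingAlgorithm algorithm the relying party expects, or {@code "none"}
     */
    public JWT(String tokenString, String clientId, String issuers, String signingAlgorithm) {
        this.tokenString = tokenString;
        this.clientId = clientId;
        this.issuers = issuers;
        this.signingAlgorithm = signingAlgorithm;
    }

    /** @return the client id this token is verified for, may be null */
    public String getClientId() {
        return this.clientId;
    }

    /** @return the header, replaced by {@link #fromJsonToken} during verification */
    public JWSHeader getHeader() {
        return this.header;
    }

    /** @return the payload, replaced by {@link #fromJsonToken} during verification */
    public JWTPayload getPayload() {
        return this.payload;
    }

    /**
     * Serializes header and payload as an unsigned token: {@code base64(header).base64(payload).}
     * with the trailing delimiter standing in front of an empty signature segment.
     */
    protected String createPlainTextJWT() {
        return computeBaseString(createHeader(), createPayload()) + JsonTokenUtil.DELIMITER;
    }

    /**
     * Builds the JSON header for the unsigned serialization: {@code alg} is fixed to "none",
     * then the critical list and every other header value are copied in.
     */
    protected JsonObject createHeader() {
        JsonObject json = new JsonObject();
        json.addProperty(ALGORITHM_HEADER, NONE_ALGORITHM);
        List<String> critical = this.header.getCritical();
        if (critical != null) {
            json.add(HeaderConstants.CRITICAL, handleList(critical));
        }
        for (String name : this.header.keySet()) {
            addClaim(json, name, this.header.get(name));
        }
        return json;
    }

    /**
     * Builds the JSON claim set for the unsigned serialization. {@code iat} defaults to now and
     * {@code exp} to now plus {@link #DEFAULT_LIFETIME_SECONDS} when the payload does not set them.
     */
    protected JsonObject createPayload() {
        JsonObject json = new JsonObject();
        List<String> audience = this.payload.getAudienceAsList();
        if (audience != null) {
            json.add("aud", handleList(audience));
        }
        for (String name : this.payload.keySet()) {
            addClaim(json, name, this.payload.get(name));
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        Number issuedAt = this.payload.getIssuedAtTimeSeconds();
        json.addProperty("iat", issuedAt != null ? issuedAt : Long.valueOf(nowSeconds));
        Number expiration = this.payload.getExpirationTimeSeconds();
        json.addProperty("exp", expiration != null ? expiration : Long.valueOf(nowSeconds + DEFAULT_LIFETIME_SECONDS));
        return json;
    }

    /**
     * Copies one header/claim value into {@code target}. Only lists of strings, strings and
     * numbers are representable; any other value type is skipped, as the original code did.
     */
    @SuppressWarnings("unchecked")
    private void addClaim(JsonObject target, String name, Object value) {
        if (value instanceof List) {
            target.add(name, handleList((List<String>) value));
        } else if (value instanceof String) {
            target.addProperty(name, (String) value);
        } else if (value instanceof Number) {
            target.addProperty(name, (Number) value);
        }
    }

    /**
     * Converts a list of strings into a JSON array.
     *
     * @param list the values, may be null
     * @return the array, or null when {@code list} is null
     */
    protected JsonArray handleList(List<String> list) {
        if (list == null) {
            return null;
        }
        JsonArray array = new JsonArray();
        for (String item : list) {
            array.add(new JsonPrimitive(item));
        }
        return array;
    }

    /**
     * Returns {@code base64(header).base64(payload)}, computing and caching it on first use.
     *
     * @param headerJson  serialized header
     * @param payloadJson serialized claim set
     */
    protected String computeBaseString(JsonObject headerJson, JsonObject payloadJson) {
        if (this.baseString == null || this.baseString.isEmpty()) {
            this.baseString = JsonTokenUtil.toDotFormat(JsonTokenUtil.toBase64(headerJson), JsonTokenUtil.toBase64(payloadJson));
        }
        return this.baseString;
    }

    /** Signs the token and caches the result in {@link #signedAndSerializedString}. */
    protected void createSignedJWT() throws SignatureException, InvalidKeyException {
        createJsonToken();
    }

    /**
     * Builds the intermediate {@link WSJsonToken}, fills in {@code iat}/{@code exp} defaults
     * (now, now + {@link #DEFAULT_LIFETIME_SECONDS}) and signs it.
     *
     * @return the token that was signed
     * @throws SignatureException wrapping any failure of the signing step; the failure is also
     *                            logged under OIDC_IDTOKEN_SIGNATURE_ERR
     */
    protected WSJsonToken createJsonToken() throws SignatureException {
        WSJsonToken token = new WSJsonToken();
        Set<String> headerNames = this.header.keySet();
        if (!headerNames.isEmpty()) {
            JsonObject headerJson = token.getHeader();
            for (String name : headerNames) {
                addClaim(headerJson, name, this.header.get(name));
            }
        }
        Set<String> claimNames = this.payload.keySet();
        if (!claimNames.isEmpty()) {
            JsonObject payloadJson = token.getPayload();
            for (String name : claimNames) {
                addClaim(payloadJson, name, this.payload.get(name));
            }
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        Number issuedAt = this.payload.getIssuedAtTimeSeconds();
        token.setIssuedAt(issuedAt != null ? issuedAt.longValue() : nowSeconds);
        Number expiration = this.payload.getExpirationTimeSeconds();
        token.setExpiration(expiration != null ? expiration.longValue() : nowSeconds + DEFAULT_LIFETIME_SECONDS);
        try {
            this.signedAndSerializedString = serializeAndSign(token);
            return token;
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.token.JWT", "340", this, new Object[0]);
            FFDCFilter.processException(e, getClass().getName(), "createJsonToken", new Object[]{this.header.getAlgorithm()});
            Object[] args = {this.header.getAlgorithm(), messageOrType(e)};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_ERR", args);
            throw new SignatureException(e);
        }
    }

    /**
     * Produces the compact serialization with jose4j, using the token header's {@code alg}
     * (and {@code typ} when present) and the key derived for that algorithm.
     * A header without {@code alg} fails with a NullPointerException, which the caller turns
     * into a SignatureException.
     */
    private String serializeAndSign(WSJsonToken token) throws InvalidKeyException, UnsupportedEncodingException, JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(JsonTokenUtil.toJson(token.getPayload()));
        String algorithm = token.getHeader().get(ALGORITHM_HEADER).getAsString();
        jws.setAlgorithmHeaderValue(algorithm);
        JsonElement type = token.getHeader().get("typ");
        if (type != null) {
            jws.setHeader("typ", type.getAsString());
        }
        jws.setKey(getKey(algorithm));
        return jws.getCompactSerialization();
    }

    /**
     * Returns the signed compact serialization, signing on first use.
     *
     * @throws SignatureException  when signing fails
     * @throws InvalidKeyException declared for compatibility; signing failures surface as
     *                             SignatureException
     */
    public String getSignedJWTString() throws SignatureException, InvalidKeyException {
        if (this.signedAndSerializedString == null) {
            createSignedJWT();
        }
        return this.signedAndSerializedString;
    }

    /**
     * Returns the unsigned serialization ({@code alg} "none"), computing it on first use.
     * Note that {@link #computeBaseString} caches the two-segment form in the same field, so
     * the value depends on which of the two was called first.
     */
    public String getJWTString() {
        if (this.baseString == null) {
            this.baseString = createPlainTextJWT();
        }
        return this.baseString;
    }

    /** Replaces {@link #payload} and {@link #header} with fresh objects filled from {@code token}. */
    protected void fromJsonToken(WSJsonToken token) {
        this.payload = new JWTPayload();
        JsonTokenUtil.fromJsonToken(token, this.payload);
        this.header = new JWSHeader();
        JsonTokenUtil.fromJsonToken(token, this.header);
    }

    /**
     * Checks that now (allowing {@link #clockSkewInSeconds}) lies between the token's
     * {@code iat} and {@code exp}, then checks the issuer.
     *
     * @return the result of {@link #checkIssuer}
     * @throws IllegalStateException            when the token is outside its validity window;
     *                                          OIDC_IDTOKEN_VERIFY_STATE_ERR is logged first
     * @throws IDTokenValidationFailedException when the issuer is not trusted
     */
    protected boolean verifyTokenIssueAndExpTime(WSJsonToken token) throws IDTokenValidationFailedException {
        Instant issuedAt = new Instant(token.getIssuedAt() * 1000);
        Instant expiresAt = new Instant(token.getExpiration() * 1000);
        boolean withinWindow = !issuedAt.isAfter(expiresAt)
                && JsonTokenUtil.isCurrentTimeInInterval(this.clockSkewInSeconds, issuedAt.getMillis(), expiresAt.getMillis());
        if (!withinWindow) {
            Object[] args = {this.clientId, "Token expired", Long.valueOf(System.currentTimeMillis()), expiresAt, issuedAt};
            Tr.error(tc, "OIDC_IDTOKEN_VERIFY_STATE_ERR", args);
            throw new IllegalStateException(Tr.formatMessage(tc, "OIDC_IDTOKEN_VERIFY_STATE_ERR", args));
        }
        return checkIssuer(this.clientId, this.issuers, token.getIssuer());
    }

    /**
     * Checks the token's issuer against the configured one(s).
     *
     * @param clientId       client id, only used in the error message
     * @param trustedIssuers a single issuer or a space/comma separated list; null trusts nothing
     * @param tokenIssuer    the token's {@code iss} value
     * @return true when {@code tokenIssuer} equals {@code trustedIssuers} or one of its entries;
     *         false when {@code tokenIssuer} is null (no error is raised for a missing issuer)
     * @throws IDTokenValidationFailedException when a present issuer is not trusted;
     *                                          OIDC_IDTOKEN_VERIFY_ISSUER_ERR is logged first
     */
    public static boolean checkIssuer(String clientId, String trustedIssuers, String tokenIssuer) throws IDTokenValidationFailedException {
        if (tokenIssuer == null) {
            return false;
        }
        boolean trusted = tokenIssuer.equals(trustedIssuers);
        // A null list used to reach StringTokenizer and fail with a NullPointerException;
        // now it simply leaves the issuer untrusted and reports the proper error below.
        if (!trusted && trustedIssuers != null) {
            StringTokenizer candidates = new StringTokenizer(trustedIssuers, " ,");
            while (!trusted && candidates.hasMoreTokens()) {
                String candidate = candidates.nextToken();
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, "Token:" + candidate, new Object[0]);
                }
                trusted = tokenIssuer.equals(candidate);
            }
        }
        if (!trusted) {
            Tr.error(tc, "OIDC_IDTOKEN_VERIFY_ISSUER_ERR", new Object[]{clientId, tokenIssuer, trustedIssuers});
            throw IDTokenValidationFailedException.format("OIDC_IDTOKEN_VERIFY_ISSUER_ERR", clientId, tokenIssuer, trustedIssuers);
        }
        return true;
    }

    /** Verifies with the key already set and a clock skew of {@link #DEFAULT_CLOCK_SKEW_SECONDS}. */
    public boolean verify() throws IDTokenValidationFailedException {
        return verify(DEFAULT_CLOCK_SKEW_SECONDS);
    }

    /**
     * Verifies only the signature of {@link #tokenString} (the last argument to
     * {@code validateTokenString} is {@code true}, which presumably skips the claim checks;
     * confirm against JsonTokenUtil). The parsed header and payload are stored on this instance.
     *
     * @return true when the signature verifies
     * @throws IDTokenValidationFailedException on algorithm mismatch, invalid signature, invalid
     *                                          key, or any other failure while parsing/verifying
     */
    @FFDCIgnore({InvalidKeyException.class, InvalidJwtException.class, IDTokenValidationFailedException.class})
    public boolean verifySignatureOnly() throws IDTokenValidationFailedException {
        String[] segments = JsonTokenUtil.splitTokenString(this.tokenString);
        try {
            // NOTE(review): no segment-count check precedes this (verify() has one); a token with
            // fewer than two segments is reported through the generic catch below.
            JsonObject headerJson = parseSegment(segments[0]);
            String verifyAlg = resolveVerificationAlgorithm(headerJson);
            fromJsonToken(new WSJsonToken(headerJson, parseSegment(segments[1])));
            JsonTokenUtil.validateTokenString(this.tokenString, verifyAlg, getKey(verifyAlg), this.clockSkewInSeconds, true);
            return true;
        } catch (IDTokenValidationFailedException e) {
            // Already logged where it was detected; do not re-wrap as a generic failure.
            throw e;
        } catch (InvalidJwtException e) {
            Object[] args = {this.clientId, messageOrType(e), this.signingAlgorithm};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR", args);
            throw new IDTokenValidationFailedException("SignatureException Message:" + e.getMessage(), e);
        } catch (InvalidKeyException e) {
            Object[] args = {this.clientId, messageOrType(e), this.signingAlgorithm};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_INVALIDKEY_ERR", args);
            throw new IDTokenValidationFailedException("InvalidKeyException Message:" + e.getMessage(), e);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.token.JWT", "506", this, new Object[0]);
            throw new IDTokenValidationFailedException("Exception Message:" + e.getMessage(), e);
        }
    }

    /**
     * Verifies with the key already set.
     *
     * @param clockSkewSeconds tolerance applied to the {@code iat}/{@code exp} window
     */
    public boolean verify(long clockSkewSeconds) throws IDTokenValidationFailedException {
        return verify(clockSkewSeconds, getKey());
    }

    /**
     * Fully verifies {@link #tokenString}: signature (when one is expected), validity window,
     * issuer and audience. Stores the key and the clock skew on this instance and replaces the
     * parsed header/payload.
     *
     * @param clockSkewSeconds tolerance applied to the {@code iat}/{@code exp} window
     * @param verificationKey  key material (see {@link #getKey(String)}); marked sensitive so it
     *                         stays out of trace and FFDC output
     * @return true when every check passes; false for a token with fewer than two segments or
     *         one whose payload carries no issuer
     * @throws IDTokenValidationFailedException when any check fails
     * @throws IllegalStateException            for an expired unsigned token (the signed path
     *                                          wraps this into IDTokenValidationFailedException)
     */
    @FFDCIgnore({InvalidKeyException.class, IllegalStateException.class})
    public boolean verify(long clockSkewSeconds, @Sensitive Object verificationKey) throws IDTokenValidationFailedException {
        setKey(verificationKey);
        this.clockSkewInSeconds = clockSkewSeconds;
        String[] segments = JsonTokenUtil.splitTokenString(this.tokenString);
        if (segments.length == 2) {
            return verifyUnsignedToken(segments);
        }
        if (segments.length > 2) {
            return verifySignedToken(segments);
        }
        // Fewer than two segments is not a JWT; reported as "not verified", as before.
        return false;
    }

    /**
     * Verifies a two-segment (unsigned) token: rejected outright when a signature is expected,
     * otherwise audience, window and issuer are checked.
     */
    private boolean verifyUnsignedToken(String[] segments) throws IDTokenValidationFailedException {
        if (expectsSignature()) {
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_MISSING_SIGNATURE_ERR", new Object[]{this.clientId, this.signingAlgorithm});
            throw IDTokenValidationFailedException.format("OIDC_IDTOKEN_SIGNATURE_VERIFY_MISSING_SIGNATURE_ERR", this.clientId, this.signingAlgorithm);
        }
        WSJsonToken token = JsonTokenUtil.deserialize(segments, this.tokenString);
        fromJsonToken(token);
        checkAudienceIfPresent();
        return verifyTokenIssueAndExpTime(token);
    }

    /**
     * Verifies a token with a signature segment: signature first, then the validity window
     * (only when both {@code iat} and {@code exp} are positive), issuer and audience.
     */
    @FFDCIgnore({InvalidKeyException.class, IllegalStateException.class, IDTokenValidationFailedException.class})
    private boolean verifySignedToken(String[] segments) throws IDTokenValidationFailedException {
        try {
            String verifyAlg = resolveVerificationAlgorithm(parseSegment(segments[0]));
            JsonTokenUtil.validateTokenString(this.tokenString, verifyAlg, getKey(verifyAlg), this.clockSkewInSeconds, false);
            WSJsonToken token = JsonTokenUtil.deserialize(JsonTokenUtil.splitTokenString(this.tokenString), this.tokenString);
            fromJsonToken(token);
            // NOTE(review): a token carrying no iat/exp at all skips the window check here;
            // whether validateTokenString enforces them is not visible in this class.
            if (token.getExpiration() > 0 && token.getIssuedAt() > 0) {
                verifyTokenIssueAndExpTime(token);
            }
            if (!checkIssuer(this.clientId, this.issuers, token.getIssuer())) {
                return false;
            }
            checkAudienceIfPresent();
            return true;
        } catch (IDTokenValidationFailedException e) {
            // Issuer/audience/algorithm failures are logged where they are detected; re-wrapping
            // them below would mislabel them as signature errors.
            throw e;
        } catch (IllegalStateException e) {
            Throwable root = rootCause(e);
            String rootMessage = root.getMessage();
            WSJsonToken token = JsonTokenUtil.deserialize(segments, this.tokenString);
            Object[] args = {
                    this.clientId,
                    rootMessage == null ? e.getClass().getSimpleName() : rootMessage,
                    Long.valueOf(System.currentTimeMillis()),
                    Long.valueOf(token.getExpiration()),
                    Long.valueOf(token.getIssuedAt())};
            // The message is only consulted when present; the original dereferenced it unconditionally.
            if (rootMessage != null && rootMessage.contains("No installed provider")) {
                Tr.error(tc, "JWK_ENDPOINT_MISSING_ERR", args);
            } else {
                Tr.error(tc, "OIDC_IDTOKEN_VERIFY_STATE_ERR", args);
            }
            throw new IDTokenValidationFailedException("IllegalStateException Message:" + e.getMessage(), e);
        } catch (InvalidKeyException e) {
            Object[] args = {this.clientId, messageOrType(e), this.signingAlgorithm};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_INVALIDKEY_ERR", args);
            throw new IDTokenValidationFailedException("InvalidKeyException Message:" + e.getMessage(), e);
        } catch (InvalidJwtException e) {
            // Key material is deliberately not handed to FFDC.
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.token.JWT", "630", this, new Object[]{Long.valueOf(this.clockSkewInSeconds)});
            Object[] args = {this.clientId, messageOrType(e), this.signingAlgorithm};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR", args);
            throw new IDTokenValidationFailedException("SignatureException Message:" + e.getMessage(), e);
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.token.JWT", "647", this, new Object[]{Long.valueOf(this.clockSkewInSeconds)});
            Object[] args = {this.clientId, messageOrType(e), this.signingAlgorithm};
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR", args);
            // The decompiled form compared a freshly built string with null and so always used the
            // bare (possibly null) message; the class name prefix was clearly intended.
            String message = e.getMessage();
            throw new IDTokenValidationFailedException(e.getClass().getName() + " Message:" + (message == null ? "" : message), e);
        }
    }

    /** Runs the audience check only when the payload carries an {@code aud} claim. */
    private void checkAudienceIfPresent() throws IDTokenValidationFailedException {
        if (this.payload.get("aud") != null) {
            new CheckAudience(this.clientId, this.payload).check();
        }
    }

    /** @return whether the relying party configured an algorithm other than "none" */
    private boolean expectsSignature() {
        return !this.signingAlgorithm.equals(NONE_ALGORITHM);
    }

    /**
     * Decides which algorithm the signature is verified with. When the relying party configured
     * one, the token header must name the same algorithm; otherwise the header's {@code alg} is
     * taken as-is.
     *
     * @throws IDTokenValidationFailedException on mismatch; OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH is logged first
     */
    private String resolveVerificationAlgorithm(JsonObject headerJson) throws IDTokenValidationFailedException {
        String headerAlg = headerJson.get(ALGORITHM_HEADER).getAsString();
        if (!expectsSignature()) {
            // NOTE(review): with no configured algorithm the token itself chooses the verification
            // algorithm; whether JsonTokenUtil.validateTokenString restricts that choice is not
            // visible here — confirm it cannot be steered to "none" or to HMAC with a public key.
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Signing Algorithm from header: " + headerAlg, new Object[0]);
            }
            return headerAlg;
        }
        if (!this.signingAlgorithm.equals(headerAlg)) {
            Tr.error(tc, "OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", new Object[]{this.clientId, this.signingAlgorithm, headerAlg});
            throw IDTokenValidationFailedException.format("OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", this.clientId, this.signingAlgorithm, headerAlg);
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "RP specified Signing Algorithm : " + this.signingAlgorithm, new Object[0]);
        }
        return this.signingAlgorithm;
    }

    /** Base64url-decodes one token segment and parses it as a JSON object. */
    private static JsonObject parseSegment(String segment) {
        return new JsonParser().parse(JsonTokenUtil.fromBase64ToJsonString(segment)).getAsJsonObject();
    }

    /** @return the member as a string, or null when absent */
    private static String stringMember(JsonObject json, String name) {
        JsonElement element = json.get(name);
        return element == null ? null : element.getAsString();
    }

    /** @return the exception's message, or its simple class name when the message is null */
    private static String messageOrType(Throwable t) {
        String message = t.getMessage();
        return message == null ? t.getClass().getSimpleName() : message;
    }

    /** @return the innermost cause of {@code t} ({@code t} itself when it has none) */
    private static Throwable rootCause(Throwable t) {
        Throwable current = t;
        while (current.getCause() != null) {
            current = current.getCause();
        }
        return current;
    }

    /**
     * Fills {@link #header} from the first segment of {@link #tokenString}: {@code alg},
     * {@code kid}, {@code x5t}, the X.509 certificate and the X.509 URL, each only when present.
     */
    private void initializeHeader() {
        JsonObject headerJson = parseSegment(JsonTokenUtil.splitTokenString(this.tokenString)[0]);
        if (this.header == null) {
            this.header = new JWSHeader();
        }
        String algorithm = stringMember(headerJson, ALGORITHM_HEADER);
        if (algorithm != null) {
            this.header.setAlgorithm(algorithm);
        }
        String keyId = stringMember(headerJson, "kid");
        if (keyId != null) {
            this.header.setKeyId(keyId);
        }
        String thumbprint = stringMember(headerJson, "x5t");
        if (thumbprint != null) {
            this.header.setX509Thumbprint(thumbprint);
        }
        String certificate = stringMember(headerJson, HeaderConstants.X509_CERT);
        if (certificate != null) {
            this.header.setX509Certificate(certificate);
        }
        String certificateUrl = stringMember(headerJson, HeaderConstants.X509_URL);
        if (certificateUrl != null) {
            this.header.setX509Url(certificateUrl);
        }
    }

    /**
     * Turns the stored key material into a jose4j key for {@code algorithm}.
     *
     * @return the stored object cast to {@link Key} for RS256, an {@link HmacKey} built from a
     *         String (UTF-8) or byte[] for HS256, and null for every other algorithm
     * @throws InvalidKeyException when HS256 is requested and the material is neither String nor byte[]
     */
    private Key getKey(String algorithm) throws UnsupportedEncodingException, InvalidKeyException {
        Object material = getKey();
        if ("RS256".equals(algorithm)) {
            return (Key) material;
        }
        if ("HS256".equals(algorithm)) {
            byte[] secret;
            if (material instanceof String) {
                secret = ((String) material).getBytes(StandardCharsets.UTF_8);
            } else if (material instanceof byte[]) {
                secret = (byte[]) material;
            } else {
                throw new InvalidKeyException("Not a valid key");
            }
            return new HmacKey(secret);
        }
        // NOTE(review): any other algorithm yields a null key; what validateTokenString/jose4j do
        // with it is not visible here — confirm verification fails closed rather than being skipped.
        return null;
    }

    /** Not implemented in this class; always returns null. */
    public String parseAndVerify(JWT jwt) {
        return null;
    }

    /** Not implemented in this class; always returns null. */
    public Payload createPayloadFromString(String str) {
        return null;
    }

    /** @return the raw key material set on this instance */
    public Object getKey() {
        return this.key;
    }

    /** Replaces the key material used for signing/verification. */
    public void setKey(Object obj) {
        this.key = obj;
    }
}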
