package com.ibm.ws.security.openidconnect.common.cl;

import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import com.ibm.oauth.core.api.error.OAuthException;
import com.ibm.oauth.core.api.error.oauth20.InvalidGrantException;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.common.Constants;
import com.ibm.ws.security.openidconnect.common.TraceConstants;
import com.ibm.ws.security.openidconnect.token.JWSHeader;
import com.ibm.ws.security.openidconnect.token.JWTPayload;
import com.ibm.ws.security.openidconnect.token.JsonTokenUtil;
import com.ibm.ws.security.openidconnect.token.WSJsonToken;
import java.io.UnsupportedEncodingException;
import java.security.Key;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.keys.HmacKey;

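/**
 * Verifies a compact-serialised JWT ({@code header.payload.signature}) against a
 * configured signing algorithm and key, and lazily exposes the parsed header and
 * payload.
 *
 * <p>What this class enforces itself (everything else is delegated to
 * {@link JsonTokenUtil#validateTokenString}):
 * <ul>
 *   <li>A token's {@code alg} header, when present, must equal the configured
 *       algorithm (case-insensitively) before any cryptographic check runs, so the
 *       token cannot choose its own algorithm. A header without {@code alg} skips
 *       this comparison and relies on the configured algorithm downstream.</li>
 *   <li>A token must carry at least three dot-separated segments before the
 *       signature is checked.</li>
 *   <li>The verification key is selected from {@link #_key} by runtime type and is
 *       never traced ({@code @Sensitive}).</li>
 * </ul>
 * Every failure is reported through {@code Tr.error} and surfaced as an
 * {@link InvalidGrantException} whose cause, where available, is preserved.
 *
 * <p>This class is not thread-safe: the parsed token, header and payload are cached
 * in instance fields without synchronisation.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:com/ibm/ws/security/openidconnect/common/cl/JWTVerifier.class */
public class JWTVerifier {
    /** Raw compact-serialised token; {@code null} when none was supplied. */
    String _tokenString;
    /** Client id, used only in diagnostics and error messages. */
    String _clientId;

    /**
     * Signing key. Accepted runtime types: {@link String} (UTF-8 bytes used as an HMAC
     * key), {@code byte[]} (HMAC key) or {@link Key} (used as-is). Never traced.
     */
    @Sensitive
    Object _key;
    /** Allowed clock skew in seconds, forwarded to {@link JsonTokenUtil#validateTokenString}. */
    long _lSkewSeconds;
    /** Algorithm the token is expected to be signed with (for example RS256 or HS256). */
    String _signAlgorithm;
    /** Token split on '.'; {@code null} until a token string is supplied. */
    String[] _jwtParts;
    /** Deserialised token, created lazily by {@link #initJsonToken()}. */
    WSJsonToken _jsonToken;
    JWSHeader _header;
    JWTPayload _payload;
    // Retained for compatibility even though this class does not implement Serializable.
    static final long serialVersionUID = 2702933660206342049L;
    private static final TraceComponent tc = Tr.register(JWTVerifier.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    /** Algorithms this component knows about (RS256, HS256); populated in the static initialiser. */
    static final List<String> signAlgorithms = new ArrayList<>();
    /** Literal '.' separator of compact serialisation, compiled once. */
    private static final Pattern SEGMENT_SEPARATOR = Pattern.compile("\\.");

    /**
     * Creates a verifier for a specific client, key and algorithm.
     *
     * @param clientId       client id used in error messages
     * @param key            signing key; see {@link #_key} for the accepted runtime types
     * @param signAlgorithm  expected signing algorithm
     * @param tokenString    compact-serialised token, may be {@code null}
     * @param skewSeconds    allowed clock skew in seconds
     * @throws InvalidGrantException if {@code tokenString} is non-null and does not split
     *                               into an acceptable number of segments
     */
    public JWTVerifier(String clientId, @Sensitive Object key, String signAlgorithm, String tokenString, long skewSeconds) throws InvalidGrantException {
        this._clientId = clientId;
        this._key = key;
        this._signAlgorithm = signAlgorithm;
        this._tokenString = tokenString;
        this._lSkewSeconds = skewSeconds;
        if (tokenString != null) {
            // NOTE: splitTokenString is public and non-final, so a subclass override runs here before
            // the subclass constructor body has executed.
            this._jwtParts = splitTokenString(tokenString);
        }
    }

    /**
     * Creates a verifier that can parse a token but has no key, algorithm or client id;
     * suitable for {@link #getJwsHeader()} / {@link #getPayload()} but
     * {@link #verifySignature()} will fail the algorithm comparison unless the token's
     * {@code alg} header is absent.
     *
     * @param tokenString compact-serialised token, may be {@code null}
     * @throws InvalidGrantException if {@code tokenString} is non-null and does not split
     *                               into an acceptable number of segments
     */
    public JWTVerifier(String tokenString) throws InvalidGrantException {
        this._tokenString = tokenString;
        if (tokenString != null) {
            this._jwtParts = splitTokenString(tokenString);
        }
    }

    /**
     * Deserialises the token (without signature verification) and populates
     * {@link #_payload} and {@link #_header} from it.
     */
    void initJsonToken() {
        this._jsonToken = JsonTokenUtil.deserialize(this._jwtParts, this._tokenString);
        this._payload = new JWTPayload();
        JsonTokenUtil.fromJsonToken(this._jsonToken, this._payload);
        this._header = new JWSHeader();
        JsonTokenUtil.fromJsonToken(this._jsonToken, this._header);
    }

    /**
     * Returns the JWS header, parsing the token on first use. The header is parsed
     * without signature verification; callers must not trust its contents before
     * {@link #verifySignature()} has succeeded.
     *
     * @return the parsed header
     */
    public JWSHeader getJwsHeader() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._header;
    }

    /**
     * Returns the unverified {@code alg} header value.
     *
     * @return the {@code alg} claim of the header, or {@code null} when absent
     */
    public String getAlgHeader() {
        return (String) getJwsHeader().get("alg");
    }

    /**
     * Returns the payload, parsing the token on first use. The payload is parsed without
     * signature verification; callers must not trust its claims before
     * {@link #verifySignature()} has succeeded.
     *
     * @return the parsed payload
     */
    public JWTPayload getPayload() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._payload;
    }

    /**
     * Returns the unverified {@code iss} claim.
     *
     * @return the issuer claim, or {@code null} when absent
     */
    public String getIssFromPayload() {
        return (String) getPayload().get("iss");
    }

    /**
     * Returns the deserialised token, creating it on first use.
     *
     * @return the deserialised token
     */
    WSJsonToken getJsonToken() {
        if (this._jsonToken == null) {
            initJsonToken();
        }
        return this._jsonToken;
    }

    /**
     * Verifies the token signature using the configured clock skew.
     *
     * @return {@code true} when the token is valid
     * @throws OAuthException if the token is missing, declares a different algorithm,
     *                        has too few segments, or fails validation
     */
    public boolean verifySignature() throws OAuthException {
        return verifySignature(this._lSkewSeconds);
    }

    /**
     * Verifies the token signature and claims with an explicit clock skew.
     *
     * <p>Order of checks: presence of a token; {@code alg} header (if present) equals the
     * configured algorithm; at least three segments; then key selection and
     * {@link JsonTokenUtil#validateTokenString}. On success the cached header and payload
     * are rebuilt from the verified token.
     *
     * @param skewSeconds allowed clock skew in seconds, forwarded to
     *                    {@link JsonTokenUtil#validateTokenString}
     * @return {@code true} when the token is valid
     * @throws OAuthException if the token is missing, declares a different algorithm,
     *                        has too few segments, or is rejected by the validator
     */
    @FFDCIgnore({InvalidJwtException.class})
    boolean verifySignature(long skewSeconds) throws OAuthException {
        if (this._jwtParts == null) {
            Tr.error(tc, "JWT_JWTTOKEN_NO_TOKEN_ERR", new Object[0]);
            throw formatException("JWT_JWTTOKEN_NO_TOKEN_ERR", null, new Object[0]);
        }
        // The header's declared algorithm must match the configured one before any crypto
        // runs; this blocks a token from selecting its own algorithm. If the header is not a
        // JSON object, Gson's getAsJsonObject() throws an unchecked exception that is not
        // translated here.
        JsonElement algElement = new JsonParser()
                .parse(JsonTokenUtil.fromBase64ToJsonString(this._jwtParts[0]))
                .getAsJsonObject()
                .get("alg");
        String expectedAlg = this._signAlgorithm;
        if (algElement != null) {
            String declaredAlg = algElement.getAsString();
            if (!declaredAlg.equalsIgnoreCase(expectedAlg)) {
                Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", new Object[]{this._clientId, declaredAlg, expectedAlg});
                throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", null, this._clientId, declaredAlg, expectedAlg);
            }
        }
        // A missing 'alg' header falls through: the configured algorithm alone is used downstream.
        if (this._jwtParts.length <= 2) {
            Tr.error(tc, "JWT_JWTTOKEN_SIGNATURE_VERIFY_SEGMENT_ERR", new Object[]{this._clientId, this._signAlgorithm});
            throw formatException("JWT_JWTTOKEN_SIGNATURE_VERIFY_SEGMENT_ERR", null, this._clientId, this._signAlgorithm);
        }
        try {
            // Select the verification key by the runtime type of the configured key. The variable
            // is typed as Key so that all three branches (and the Key pass-through) assign cleanly.
            Key verificationKey = null;
            if (this._key instanceof String) {
                try {
                    verificationKey = new HmacKey(((String) this._key).getBytes(Constants.UTF_8));
                } catch (UnsupportedEncodingException e) {
                    // UTF-8 is always available, so this is effectively unreachable. If it did fire,
                    // verificationKey would remain null and validation would proceed with a null
                    // key -- presumably rejected by validateTokenString; confirm against that helper.
                    FFDCFilter.processException(e, "com.ibm.ws.security.openidconnect.common.cl.JWTVerifier", "164", this, new Object[]{Long.valueOf(skewSeconds)});
                }
            } else if (this._key instanceof byte[]) {
                verificationKey = new HmacKey((byte[]) this._key);
            } else if (this._key instanceof Key) {
                verificationKey = (Key) this._key;
            }
            // Any other key type (including null) reaches the validator as a null key.
            JsonTokenUtil.validateTokenString(this._tokenString, this._signAlgorithm, verificationKey, skewSeconds, false);
            // Rebuild the cached header and payload from the (now verified) token.
            WSJsonToken token = getJsonToken();
            this._payload = new JWTPayload();
            JsonTokenUtil.fromJsonToken(token, this._payload);
            this._header = new JWSHeader();
            JsonTokenUtil.fromJsonToken(token, this._header);
            return true;
        } catch (InvalidJwtException e) {
            // Preserve the validator's message where it has one, otherwise the exception type,
            // and keep the original exception as the cause.
            String reason = e.getMessage() == null ? e.getClass().getSimpleName() : e.getMessage();
            Object[] messageArgs = new Object[]{this._clientId, reason};
            Tr.error(tc, "JWT_JWTTOKEN_ILLEGAL_STATE_ERR", messageArgs);
            throw formatException("JWT_JWTTOKEN_ILLEGAL_STATE_ERR", e, messageArgs);
        }
    }

    /**
     * Splits a compact-serialised token on '.'.
     *
     * <p>Exactly three segments are required unless the string ends with '.', in which case
     * any segment count is accepted (trailing empty segments are dropped by the split, so
     * {@code "a.b."} yields two parts). Such a token may still be rejected by
     * {@link #verifySignature(long)}, which requires more than two segments.
     *
     * @param tokenString compact-serialised token, must not be {@code null}
     * @return the segments
     * @throws InvalidGrantException if the segment count is not acceptable
     */
    public String[] splitTokenString(String tokenString) throws InvalidGrantException {
        boolean endsWithSeparator = tokenString.endsWith(".");
        String[] parts = SEGMENT_SEPARATOR.split(tokenString);
        if (endsWithSeparator || parts.length == 3) {
            return parts;
        }
        Integer segmentCount = Integer.valueOf(parts.length);
        Tr.error(tc, "JWT_JWTTOKEN_BAD_SEGMENTS_ERR", new Object[]{segmentCount});
        throw formatException("JWT_JWTTOKEN_BAD_SEGMENTS_ERR", null, segmentCount);
    }

    /**
     * Builds an {@link InvalidGrantException} from a message key, keeping the cause.
     *
     * @param messageKey  resource-bundle key
     * @param cause       underlying exception, may be {@code null}
     * @param messageArgs message parameters
     * @return the exception to throw
     */
    private InvalidGrantException formatException(String messageKey, Throwable cause, Object... messageArgs) {
        return new InvalidGrantException(Tr.formatMessage(tc, messageKey, messageArgs), cause);
    }

    static {
        signAlgorithms.add(Constants.SIG_ALG_RS256);
        signAlgorithms.add(Constants.SIG_ALG_HS256);
    }
}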
