package com.ibm.ws.security.openidconnect.jose4j;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.openidconnect.client.internal.OidcClientConfigImpl;
import com.ibm.ws.security.openidconnect.common.OidcCommonClientRequest;
import com.ibm.ws.security.openidconnect.token.IDTokenValidationFailedException;
import com.ibm.ws.security.openidconnect.token.JWT;
import com.ibm.ws.security.openidconnect.token.JWTTokenValidationFailedException;
import com.ibm.ws.security.openidconnect.token.JsonTokenUtil;
import java.security.InvalidKeyException;
import java.security.Key;
import java.util.Arrays;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.StringTokenizer;
import net.oauth.jsontoken.SystemClock;
import org.joda.time.Instant;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.InvalidJwtSignatureException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;

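/**
 * Validates an OpenID Connect ID token or a propagated JWT with jose4j.
 * <p>
 * {@link #parseJwtWithValidation} first inspects the claims itself (issuer, audience, {@code azp},
 * and the iat/exp window against a skew-adjusted clock), then checks the JWS {@code alg} header
 * against the configured signing algorithm, and only then hands the compact token to a
 * {@code JwtConsumer} that enforces required exp/sub, the expected audience and the signature.
 * No claims are returned until that final step succeeds. If the configured signing algorithm is
 * {@code "none"}, signature verification is switched off and the returned claims are unauthenticated;
 * that setting is therefore only appropriate when the token source is trusted by other means.
 * <p>
 * Instances are not safe for concurrent use: {@link #clock} and {@link #rpSpecifiedSigningAlgorithm}
 * are written during a validation call and read later in the same call.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
/* loaded from: input_file:wlp/lib/com.ibm.ws.security.openidconnect.common_1.0.14.jar:com/ibm/ws/security/openidconnect/jose4j/Jose4jValidator.class */
public class Jose4jValidator {
    private static final TraceComponent tc = Tr.register((Class<?>) Jose4jValidator.class, "OpenIdConnect", "com.ibm.ws.security.openidconnect.common.internal.resources.OidcCommonMessages");

    /** Token type reported by the request for a propagated JWT; any other value takes the ID-token path. */
    private static final String TOKEN_TYPE_JWT = "Json Web Token";
    /** Token type reported by the request for an ID token; selects ID-token message keys and exception type. */
    private static final String TOKEN_TYPE_ID_TOKEN = "ID Token";
    /** Configured signing algorithm value that disables signature verification entirely. */
    private static final String ALG_NONE = "none";
    /** Substring of the InvalidKeyException message jose4j surfaces when no JCE provider accepts the verification key. */
    private static final String NO_PROVIDER_MARKER = "No installed provider";

    private final String clientId;
    private final String issuers;
    private final String signingAlgorithm;
    private final Key key;
    private final long clockSkewInSeconds;
    // Rebuilt by setupClock() at the start of every validation.
    private SystemClock clock;
    // Set by verifySignAlgOnly(): false only when the configured algorithm is "none".
    boolean rpSpecifiedSigningAlgorithm = true;
    OidcCommonClientRequest oidcClientRequest;
    static final long serialVersionUID = 6803824855962033099L;

    /**
     * Creates a validator for one client configuration.
     *
     * @param key the verification key handed to jose4j; unused when {@code signingAlgorithm} is {@code "none"}
     * @param clockSkewInSeconds clock skew passed to {@link #setupClock} and to jose4j's own time checks
     * @param issuers trusted issuer identifier(s); on the propagated-JWT path several may be separated by spaces or commas
     * @param clientId this client's identifier, used as the default expected audience and for {@code azp}
     * @param signingAlgorithm the JWS algorithm the token's {@code alg} header must equal, or {@code "none"} to skip signature verification
     * @param oidcClientRequest per-request configuration, error reporting and message formatting
     */
    public Jose4jValidator(Key key, long clockSkewInSeconds, String issuers, String clientId, String signingAlgorithm, OidcCommonClientRequest oidcClientRequest) {
        this.key = key;
        this.clockSkewInSeconds = clockSkewInSeconds;
        this.issuers = issuers;
        this.clientId = clientId;
        this.signingAlgorithm = signingAlgorithm;
        this.oidcClientRequest = oidcClientRequest;
    }

    /**
     * Validates {@code jwtString} and returns its claims.
     * <p>
     * Order of checks: issuer, audience, {@code azp}, the iat/exp window, the {@code alg} header
     * (see {@link #verifySignAlgOnly}), and finally jose4j processing with required exp and sub,
     * the expected audience and — unless the configured algorithm is {@code "none"} — the signature.
     * Because claims are inspected before the signature, a token with both a bad claim and a bad
     * signature is reported for the claim; nothing is returned until the consumer has accepted it.
     *
     * @param jwtString the compact-serialized token given to jose4j
     * @param jwtContext the pre-parsed context whose claims are checked
     * @param jsonWebSignature the parsed JWS whose {@code alg} header and signature presence are checked
     * @return the claims as produced by the jose4j consumer
     * @throws JWTTokenValidationFailedException if a claim, the algorithm or the signature fails for a propagated JWT
     * @throws IDTokenValidationFailedException for the corresponding failures on an ID token
     * @throws InvalidJwtException for ID-token issuer mismatch and for jose4j failures not translated here
     * @throws Exception for any other failure raised by the request object or jose4j
     */
    @FFDCIgnore({InvalidJwtSignatureException.class, InvalidJwtException.class})
    public JwtClaims parseJwtWithValidation(String jwtString, JwtContext jwtContext, JsonWebSignature jsonWebSignature) throws JWTTokenValidationFailedException, IllegalStateException, Exception {
        setupClock(this.clockSkewInSeconds);
        JwtClaims jwtClaims = jwtContext.getJwtClaims();
        String issuer = jwtClaims.getIssuer();
        List<String> audience = jwtClaims.getAudience();
        boolean audienceAbsent = audience == null || audience.isEmpty();
        // Audience jose4j is told to expect; replaced below when the token names an audience we accept.
        String expectedAudience = this.clientId;

        // A null token type is treated as "not a propagated JWT" and takes the stricter ID-token path.
        if (TOKEN_TYPE_JWT.equalsIgnoreCase(this.oidcClientRequest.getTokenType())) {
            if (!this.oidcClientRequest.disableIssChecking()) {
                checkIssuer(this.clientId, this.issuers, issuer);
            } else if (issuer != null && !issuer.isEmpty()) {
                // Issuer checking is disabled by configuration, so a token that carries iss is rejected as inconsistent.
                throw JWTTokenValidationFailedException.format("PROPAGATION_TOKEN_ISS_CLAIM_NOT_REQUIRED_ERR", new Object[]{"iss", OidcClientConfigImpl.CFG_KEY_DISABLE_ISS_CHECKING}, "CWWKS1781E: The resource server failed the authentication request because the token has the [iss] claim, but the [disableIssChecking] attribute is set to true.");
            }
            String[] configuredAudiences = this.oidcClientRequest.getAudiences();
            if (!audienceAbsent) {
                String acceptedAudience = this.oidcClientRequest.allowedAllAudiences()
                        ? audience.get(0)
                        : jwtAudienceElementCheck(configuredAudiences, audience);
                if (acceptedAudience == null) {
                    throw JWTTokenValidationFailedException.format("OIDC_JWT_VERIFY_AUD_ERR", new Object[]{
                            array2String(audience),
                            this.clientId,
                            configuredAudiences == null ? null : array2String(configuredAudiences)});
                }
                expectedAudience = acceptedAudience;
            } else if (!this.oidcClientRequest.allowedAllAudiences() && configuredAudiences != null) {
                // Audiences are configured but the token has none.
                throw JWTTokenValidationFailedException.format("OIDC_JWT_MISSING_AUD", this.clientId, array2String(configuredAudiences));
            }
        } else {
            if (!JWT.checkIssuer(this.clientId, this.issuers, issuer)) {
                throw new InvalidJwtException(isIdTokenRequest() ? "ID token validation Error[issuer]" : "Json Web Token validation Error[issuer]");
            }
            if (!audienceAbsent && !multipleAudienceElementCheck(this.clientId, audience)) {
                throw IDTokenValidationFailedException.format("OIDC_IDTOKEN_VERIFY_AUD_ERR", array2String(audience), this.clientId);
            }
        }

        // azp, when present, must name this client. A non-string azp surfaces as a ClassCastException to the caller.
        String authorizedParty = (String) jwtClaims.getClaimValue("azp");
        if (authorizedParty != null && !authorizedParty.equals(this.clientId)) {
            throw this.oidcClientRequest.errorCommon(true, tc, new String[]{"OIDC_IDTOKEN_VERIFY_AUD_AZP_ERR", "OIDC_JWT_VERIFY_AUD_AZP_ERR"}, new Object[]{authorizedParty, this.clientId});
        }

        // Validity window [iat, exp]. With only iat the window is open-ended (jose4j still requires exp below);
        // with only exp it starts at the epoch; with neither no window check is done here.
        NumericDate issuedAt = jwtClaims.getIssuedAt();
        NumericDate expirationTime = jwtClaims.getExpirationTime();
        Instant notBefore = null;
        Instant notAfter = null;
        if (issuedAt != null) {
            notBefore = new Instant(issuedAt.getValueInMillis());
            notAfter = expirationTime == null ? new Instant(Long.MAX_VALUE) : new Instant(expirationTime.getValueInMillis());
        } else if (expirationTime != null) {
            notBefore = new Instant(0L);
            notAfter = new Instant(expirationTime.getValueInMillis());
        }
        // An inverted window (iat after exp) is rejected outright; otherwise the skew-aware clock decides.
        if (notBefore != null && (notBefore.isAfter(notAfter) || !this.clock.isCurrentTimeInInterval(notBefore, notAfter))) {
            Object[] messageArgs = {this.clientId, this.clock.now(), notAfter, notBefore};
            this.oidcClientRequest.setRsFailMsg(OidcCommonClientRequest.EXPIRED_TOKEN, Tr.formatMessage(tc, "OIDC_JWT_VERIFY_STATE_ERR", messageArgs));
            throw this.oidcClientRequest.errorCommon(true, tc, "OIDC_JWT_VERIFY_STATE_ERR", messageArgs);
        }

        // Must run before the consumer is configured: it sets rpSpecifiedSigningAlgorithm.
        verifySignAlgOnly(jsonWebSignature);
        JwtConsumerBuilder consumerBuilder = configureConsumer(expectedAudience, issuer, audienceAbsent);
        try {
            return consumerBuilder.build().process(jwtString).getJwtClaims();
        } catch (InvalidJwtSignatureException e) {
            // errorCommon is invoked for its reporting side effect; the failure is rethrown as the token-type-specific exception.
            this.oidcClientRequest.errorCommon(new String[]{"OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR", "OIDC_JWT_SIGNATURE_VERIFY_ERR"}, new Object[]{this.clientId, e.getLocalizedMessage(), this.signingAlgorithm});
            if (isIdTokenRequest()) {
                throw new IDTokenValidationFailedException(e.getMessage(), e);
            }
            throw new JWTTokenValidationFailedException(e.getMessage(), e);
        } catch (InvalidJwtException e) {
            // Only the "no provider accepts this key" case is translated; every other jose4j failure propagates unchanged.
            if (!isMissingProviderFailure(getRootCause(e))) {
                throw e;
            }
            this.oidcClientRequest.errorCommon("JWK_ENDPOINT_MISSING_ERR", new Object[0]);
            if (isIdTokenRequest()) {
                throw new IDTokenValidationFailedException(e.getMessage(), e);
            }
            throw new JWTTokenValidationFailedException(e.getMessage(), e);
        }
    }

    /**
     * Builds the jose4j consumer configuration used for the final validation step.
     *
     * @param expectedAudience the audience value jose4j must find in the token
     * @param issuer the token's own issuer; passed as the expected issuer, so jose4j's issuer check is
     *        satisfied by construction and the real issuer check is the one done earlier by the caller
     * @param audienceAbsent true when the token carries no aud claim, in which case jose4j's default
     *        audience validation is skipped (the caller has already applied the configured policy)
     * @return a builder requiring exp and sub, with the configured skew, and with signature verification
     *         against {@link #key} unless {@link #rpSpecifiedSigningAlgorithm} is false
     */
    private JwtConsumerBuilder configureConsumer(String expectedAudience, String issuer, boolean audienceAbsent) {
        JwtConsumerBuilder consumerBuilder = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                // Narrowing long -> int, as before; a skew that does not fit an int is a misconfiguration.
                .setAllowedClockSkewInSeconds((int) this.clockSkewInSeconds)
                .setExpectedAudience(expectedAudience)
                .setExpectedIssuer(false, issuer)
                .setRequireSubject();
        if (audienceAbsent) {
            consumerBuilder.setSkipDefaultAudienceValidation();
        }
        if (this.rpSpecifiedSigningAlgorithm) {
            consumerBuilder.setVerificationKey(this.key).setRelaxVerificationKeyValidation();
        } else {
            // Configured algorithm is "none": the signature is neither required nor verified.
            consumerBuilder.setDisableRequireSignature().setSkipSignatureVerification();
        }
        return consumerBuilder;
    }

    /** True when the request reports the ID-token type, which selects ID-token message keys and exception type. */
    private boolean isIdTokenRequest() {
        return TOKEN_TYPE_ID_TOKEN.equals(this.oidcClientRequest.getTokenType());
    }

    /**
     * Whether {@code rootCause} is the InvalidKeyException jose4j raises when no installed provider
     * accepts the verification key. Null-safe on both the throwable and its message.
     */
    private static boolean isMissingProviderFailure(Throwable rootCause) {
        if (!(rootCause instanceof InvalidKeyException)) {
            return false;
        }
        String message = rootCause.getMessage();
        return message != null && message.contains(NO_PROVIDER_MARKER);
    }

    /**
     * Picks the token audience this client accepts on the propagated-JWT path.
     * <p>
     * With no configured audiences, the first token audience for which the request's
     * {@code isPreServiceUrl} returns true is accepted. Otherwise the first token audience that
     * appears in the configured list is accepted.
     *
     * @param configuredAudiences audiences from configuration, or {@code null} when none are configured
     * @param tokenAudiences audiences named by the token
     * @return the accepted audience, or {@code null} if none matches
     */
    String jwtAudienceElementCheck(String[] configuredAudiences, List<String> tokenAudiences) {
        if (configuredAudiences == null) {
            for (String tokenAudience : tokenAudiences) {
                if (this.oidcClientRequest.isPreServiceUrl(tokenAudience)) {
                    return tokenAudience;
                }
            }
            return null;
        }
        for (String tokenAudience : tokenAudiences) {
            for (String configuredAudience : configuredAudiences) {
                if (configuredAudience.equals(tokenAudience)) {
                    return tokenAudience;
                }
            }
        }
        return null;
    }

    /**
     * Returns the deepest cause in {@code exc}'s cause chain ({@code exc} itself when it has no cause,
     * {@code null} when {@code exc} is null). Causes already visited are not followed again, so a
     * cyclic cause chain terminates.
     */
    Throwable getRootCause(Exception exc) {
        Set<Throwable> visited = Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>());
        Throwable deepest = null;
        for (Throwable current = exc; current != null && visited.add(current); current = current.getCause()) {
            deepest = current;
        }
        return deepest;
    }

    /**
     * Checks the JWS {@code alg} header against the configured signing algorithm and records whether
     * a signature is expected at all.
     * <p>
     * When the configured algorithm is {@code "none"}, {@link #rpSpecifiedSigningAlgorithm} is cleared
     * and no further check is made; {@link #parseJwtWithValidation} then disables signature
     * verification. Otherwise the token must carry a non-empty signature and an {@code alg} header
     * equal to the configured value. A {@code null} configured algorithm is treated as a mismatch,
     * never as "anything goes".
     *
     * @param jsonWebSignature the parsed JWS
     * @throws JWTTokenValidationFailedException if the signature is missing or the algorithm differs
     */
    public void verifySignAlgOnly(JsonWebSignature jsonWebSignature) throws JWTTokenValidationFailedException {
        String headerAlgorithm = jsonWebSignature.getAlgorithmHeaderValue();
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Signing Algorithm from header: " + headerAlgorithm, new Object[0]);
        }
        this.rpSpecifiedSigningAlgorithm = !ALG_NONE.equals(this.signingAlgorithm);
        if (!this.rpSpecifiedSigningAlgorithm) {
            return;
        }
        if (jsonWebSignature.getEncodedSignature().isEmpty()) {
            throw this.oidcClientRequest.errorCommon(true, tc, new String[]{"OIDC_IDTOKEN_SIGNATURE_VERIFY_MISSING_SIGNATURE_ERR", "OIDC_JWT_SIGNATURE_VERIFY_MISSING_SIGNATURE_ERR"}, new Object[]{this.clientId, this.signingAlgorithm});
        }
        if (this.signingAlgorithm == null || !this.signingAlgorithm.equals(headerAlgorithm)) {
            throw this.oidcClientRequest.errorCommon(true, tc, new String[]{"OIDC_IDTOKEN_SIGNATURE_VERIFY_ERR_ALG_MISMATCH", "OIDC_JWT_SIGNATURE_VERIFY_ERR_ALG_MISMATCH"}, new Object[]{this.clientId, this.signingAlgorithm, headerAlgorithm});
        }
    }

    /**
     * Returns true if any entry of {@code audiences} equals {@code expected} (used on the ID-token path).
     *
     * @param expected the audience that must be present, normally the client id
     * @param audiences the token's audience list
     */
    boolean multipleAudienceElementCheck(String expected, List<String> audiences) {
        for (String candidate : audiences) {
            if (candidate.equals(expected)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Replaces {@link #clock} with the clock {@link JsonTokenUtil} builds for the given skew.
     * NOTE(review): presumably that clock applies the skew in {@code isCurrentTimeInInterval}; confirm in JsonTokenUtil.
     *
     * @param clockSkewInSeconds tolerated skew handed to {@code JsonTokenUtil.getSysClock}
     */
    public void setupClock(long clockSkewInSeconds) {
        this.clock = JsonTokenUtil.getSysClock(clockSkewInSeconds);
    }

    /**
     * Joins the entries with {@code ", "} for error messages. No separator is emitted while the
     * accumulated text is still empty, so leading empty entries vanish; {@code null} entries render as "null".
     */
    String array2String(List<String> list) {
        StringBuilder joined = new StringBuilder();
        for (String element : list) {
            if (joined.length() > 0) {
                joined.append(", ");
            }
            joined.append(element);
        }
        return joined.toString();
    }

    /** Array form of {@link #array2String(List)}; same joining rules. */
    String array2String(String[] strArr) {
        return array2String(Arrays.asList(strArr));
    }

    /**
     * Verifies that {@code tokenIssuer} is one of the trusted issuers on the propagated-JWT path
     * (the ID-token path uses {@code JWT.checkIssuer} instead).
     * <p>
     * {@code trustedIssuers} is accepted either as a whole or as a space- or comma-separated list,
     * compared entry by entry with exact string equality. A {@code null} token issuer never matches.
     *
     * @param clientId this client's identifier, used only in the error message
     * @param trustedIssuers the configured issuerIdentifier value, possibly a list
     * @param tokenIssuer the token's iss claim
     * @return always {@code true}; a mismatch throws instead
     * @throws JWTTokenValidationFailedException if the issuer is missing or not trusted
     */
    protected boolean checkIssuer(String clientId, String trustedIssuers, String tokenIssuer) throws JWTTokenValidationFailedException {
        if (tokenIssuer != null && isTrustedIssuer(trustedIssuers, tokenIssuer)) {
            return true;
        }
        throw JWTTokenValidationFailedException.format("OIDC_JWT_VERIFY_ISSUER_ERR", new Object[]{clientId, tokenIssuer, trustedIssuers, "issuerIdentifier"}, "CWWKS1780E: Validation failed for the token requested by [" + clientId + "] because the (iss) issuer [" + tokenIssuer + "] that is specified in the token does not match any of the trusted issuers [" + trustedIssuers + "] that are specified by the [issuerIdentifier] attribute of the OpenID Connect client configuration.");
    }

    /**
     * True if {@code tokenIssuer} equals {@code trustedIssuers} as a whole or any of its
     * space-/comma-separated entries. {@code tokenIssuer} must be non-null.
     */
    private static boolean isTrustedIssuer(String trustedIssuers, String tokenIssuer) {
        if (tokenIssuer.equals(trustedIssuers)) {
            return true;
        }
        if (trustedIssuers == null) {
            return false;
        }
        StringTokenizer entries = new StringTokenizer(trustedIssuers, " ,");
        while (entries.hasMoreTokens()) {
            String entry = entries.nextToken();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Token:" + entry, new Object[0]);
            }
            if (tokenIssuer.equals(entry)) {
                return true;
            }
        }
        return false;
    }
}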
