package com.floragunn.searchguard.jwt;

import com.floragunn.searchsupport.PrivilegedCode;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWEDecrypterFactory;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.SecretJWK;
import com.nimbusds.jose.proc.JWEDecrypterFactory;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import java.text.ParseException;
import java.time.Instant;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;

/* loaded from: input_file:com/floragunn/searchguard/jwt/JwtVerifier.class */
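public class JwtVerifier {
    /**
     * JWE header parameter used to route a token to the Nimbus code path. When the
     * parameter is present in the outer JWE header the token is decrypted and verified
     * with Nimbus; when absent it is handed to the CXF-based {@link CxfBased} verifier.
     * The parameter is read from the (still unverified) protected header, so the sender
     * chooses the code path — both paths still require the configured keys.
     */
    public static final String PRODUCER_CLAIM = "sg_p";
    /** Value presumably written by a Nimbus-based token producer; not read in this class. */
    public static final String PRODUCER_CLAIM_NIMBUS = "n";
    private static final JWEDecrypterFactory JWE_DECRYPTER_FACTORY = new DefaultJWEDecrypterFactory();
    private static final JWSVerifierFactory JWS_VERIFIER_FACTORY = new DefaultJWSVerifierFactory();
    /** Key used to verify the JWS signature (public part of an asymmetric key, or a shared secret). */
    private final JWK signingKey;
    /** Optional key used to decrypt the JWE envelope; when null, tokens are expected to be plain JWS. */
    private final JWK encryptionKey;
    /** Nimbus claims verifier (audience plus exp/nbf, with Nimbus' default clock skew). */
    private final JWTClaimsSetVerifier<SecurityContext> jwtClaimsVerifier;
    private final CxfBased cxfBased;

    /**
     * Verification path built on Apache CXF JOSE, used for tokens whose JWE header does not
     * carry {@link #PRODUCER_CLAIM}. Note that this path validates exp/nbf with zero clock
     * skew, whereas the Nimbus path uses {@link DefaultJWTClaimsVerifier}'s default skew.
     */
    public static class CxfBased {
        private final JwsSignatureVerifier jwsSignatureVerifier;
        private final JweDecryptionProvider jweDecryptionProvider;
        private final String requiredJwtAudience;

        /**
         * @param jwk  signing key, converted to a CXF verifier via NimbusUtils
         * @param jwk2 encryption key, or null when tokens are not encrypted; the content
         *             encryption algorithm is pinned to A256CBC-HS512 on this path
         * @param str  audience value that must appear in the token's "aud" claim
         */
        CxfBased(JWK jwk, JWK jwk2, String str) {
            this.requiredJwtAudience = str;
            this.jwsSignatureVerifier = JwsUtils.getSignatureVerifier(NimbusUtils.convertToCxf(jwk));
            this.jweDecryptionProvider = jwk2 == null
                    ? null
                    : JweUtils.createJweDecryptionProvider(NimbusUtils.convertToCxf(jwk2), ContentAlgorithm.A256CBC_HS512);
        }

        private CxfBased(JwsSignatureVerifier jwsSignatureVerifier, JweDecryptionProvider jweDecryptionProvider, String str) {
            this.jwsSignatureVerifier = jwsSignatureVerifier;
            this.jweDecryptionProvider = jweDecryptionProvider;
            this.requiredJwtAudience = str;
        }

        /** Returns a copy of this verifier that requires a different audience, sharing the crypto providers. */
        CxfBased requiredAudience(String str) {
            return new CxfBased(this.jwsSignatureVerifier, this.jweDecryptionProvider, str);
        }

        /**
         * Decrypts (if configured), verifies the signature and validates the claims of a token.
         *
         * @param str compact JWE (when an encryption key is configured) or compact JWS
         * @return the verified token re-expressed as a Nimbus {@link SignedJWT}, or {@code null}
         *         when the required audience is not present in the token's "aud" claim
         *         (callers must treat {@code null} as a rejected token)
         * @throws JwtException when the token has no claims, the signature does not verify,
         *         or the exp/nbf claims are out of range
         */
        JWT getVerifiedJwt(String str) {
            String compactJws = str;
            if (this.jweDecryptionProvider != null) {
                compactJws = this.jweDecryptionProvider.decrypt(compactJws).getContentText();
            }
            JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(compactJws);
            JwtToken jwtToken = consumer.getJwtToken();
            JwtClaims claims = jwtToken.getClaims();
            // Check for missing claims before touching them (the audience check reads them).
            if (claims == null) {
                throw new JwtException("The JWT does not have any claims");
            }
            // Audience is checked on the not-yet-verified claims; this only decides between
            // "reject with null" and "continue" — nothing is accepted before the signature check.
            if (!validateAudience(claims)) {
                return null;
            }
            // Fail closed: a missing verifier (e.g. an unsupported key type) must never mean
            // "skip signature verification". The Nimbus path also rejects unknown key types.
            if (this.jwsSignatureVerifier == null) {
                throw new JwtException("No JWS signature verifier is configured; refusing to accept an unverified JWT");
            }
            if (!consumer.verifySignatureWith(this.jwsSignatureVerifier)) {
                // NOTE(review): this message echoes the unverified, sender-controlled claims;
                // consider trimming it before it reaches logs.
                throw new JwtException("Invalid JWT signature for token " + claims.asMap());
            }
            validateClaims(jwtToken);
            return (JWT) PrivilegedCode.execute(() -> {
                return new SignedJWT(cxfHeaderToNimbusHeader(jwtToken.getJwsHeaders()), cxfClaimsToNimbusClaims(claims));
            });
        }

        /** Copies a CXF JWS header into a Nimbus header, preserving registered and custom parameters. */
        static JWSHeader cxfHeaderToNimbusHeader(JwsHeaders jwsHeaders) {
            JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.parse(jwsHeaders.getAlgorithm()));
            if (jwsHeaders.getType() != null) {
                builder.type(new JOSEObjectType(jwsHeaders.getType().toString()));
            }
            if (jwsHeaders.getContentType() != null) {
                builder.contentType(jwsHeaders.getContentType());
            }
            if (jwsHeaders.getCritical() != null) {
                builder.criticalParams(new HashSet<>(jwsHeaders.getCritical()));
            }
            if (jwsHeaders.getKeyId() != null) {
                builder.keyID(jwsHeaders.getKeyId());
            }
            // Anything that is not a registered JWS parameter is carried over verbatim.
            for (Map.Entry<String, Object> entry : jwsHeaders.asMap().entrySet()) {
                if (!JWSHeader.getRegisteredParameterNames().contains(entry.getKey())) {
                    builder.customParam(entry.getKey(), entry.getValue());
                }
            }
            return builder.build();
        }

        /** Copies CXF claims into a Nimbus claims set; time claims are converted from epoch seconds. */
        static JWTClaimsSet cxfClaimsToNimbusClaims(JwtClaims jwtClaims) {
            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
            if (jwtClaims.getIssuer() != null) {
                builder.issuer(jwtClaims.getIssuer());
            }
            if (jwtClaims.getSubject() != null) {
                builder.subject(jwtClaims.getSubject());
            }
            if (jwtClaims.getAudience() != null) {
                builder.audience(jwtClaims.getAudience());
            }
            if (jwtClaims.getExpiryTime() != null) {
                builder.expirationTime(secondsToDate(jwtClaims.getExpiryTime()));
            }
            if (jwtClaims.getNotBefore() != null) {
                builder.notBeforeTime(secondsToDate(jwtClaims.getNotBefore()));
            }
            if (jwtClaims.getIssuedAt() != null) {
                builder.issueTime(secondsToDate(jwtClaims.getIssuedAt()));
            }
            if (jwtClaims.getTokenId() != null) {
                builder.jwtID(jwtClaims.getTokenId());
            }
            // Non-registered claims are carried over verbatim.
            for (Map.Entry<String, Object> entry : jwtClaims.asMap().entrySet()) {
                if (!JWTClaimsSet.getRegisteredNames().contains(entry.getKey())) {
                    builder.claim(entry.getKey(), entry.getValue());
                }
            }
            return builder.build();
        }

        /** CXF stores JWT time claims as epoch seconds; Nimbus wants a {@link Date}. */
        private static Date secondsToDate(Long epochSeconds) {
            return Date.from(Instant.ofEpochMilli(epochSeconds.longValue() * 1000));
        }

        /**
         * Validates exp and nbf with zero clock skew; neither claim is required to be present
         * (CXF's {@code validateJwtExpiry}/{@code validateJwtNotBefore} with {@code claimRequired=false}).
         */
        private void validateClaims(JwtToken jwtToken) throws JwtException {
            JwtClaims claims = jwtToken.getClaims();
            if (claims == null) {
                throw new JwtException("The JWT does not have any claims");
            }
            JwtUtils.validateJwtExpiry(claims, 0, false);
            JwtUtils.validateJwtNotBefore(claims, 0, false);
        }

        /**
         * @return true only when a required audience is configured and it is contained in the
         *         token's "aud" values; a missing configured audience rejects every token
         */
        private boolean validateAudience(JwtClaims jwtClaims) throws JwtException {
            if (this.requiredJwtAudience == null) {
                return false;
            }
            for (String audience : jwtClaims.getAudiences()) {
                if (this.requiredJwtAudience.equals(audience)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * @param jwk  signing key (public key or shared secret) used to verify JWS signatures
     * @param jwk2 encryption key used to decrypt JWE tokens, or null for unencrypted tokens
     * @param str  required audience; on the Nimbus path a null value presumably disables the
     *             audience check (Nimbus behaviour, not visible here), on the CXF path it
     *             rejects every token
     */
    public JwtVerifier(JWK jwk, JWK jwk2, String str) {
        this.signingKey = jwk;
        this.encryptionKey = jwk2;
        this.jwtClaimsVerifier = new DefaultJWTClaimsVerifier<>(str, (JWTClaimsSet) null, (Set<String>) null);
        this.cxfBased = new CxfBased(jwk, jwk2, str);
    }

    /**
     * Verifies a token against the audience given at construction time.
     *
     * @return the verified token; may be {@code null} on the CXF path when the audience does not match
     * @throws ParseException  when the compact serialization cannot be parsed
     * @throws JOSEException   when decryption or signature verification fails
     * @throws BadJWTException when the Nimbus claims verifier rejects the claims
     */
    public JWT getVerfiedJwt(String str) throws ParseException, JOSEException, BadJWTException {
        return getVerfiedJwt(str, this.jwtClaimsVerifier, this.cxfBased);
    }

    /**
     * Verifies a token against an explicit audience instead of the configured one.
     *
     * @param str  the compact token
     * @param str2 the audience that must be present in the token
     */
    public JWT getVerfiedJwt(String str, String str2) throws ParseException, JOSEException, BadJWTException {
        return getVerfiedJwt(str, new DefaultJWTClaimsVerifier<>(str2, (JWTClaimsSet) null, (Set<String>) null),
                this.cxfBased.requiredAudience(str2));
    }

    /**
     * Shared verification routine. With an encryption key configured the input must be a JWE;
     * its protected header decides the code path (see {@link #PRODUCER_CLAIM}). Without an
     * encryption key the input is treated as a plain JWS and verified with Nimbus only.
     */
    private JWT getVerfiedJwt(String str, JWTClaimsSetVerifier<SecurityContext> jWTClaimsSetVerifier, CxfBased cxfBased)
            throws ParseException, JOSEException, BadJWTException {
        String compactJws = str;
        if (this.encryptionKey != null) {
            JWEObject jwe = JWEObject.parse(compactJws);
            if (jwe.getHeader().getCustomParam(PRODUCER_CLAIM) == null) {
                return cxfBased.getVerifiedJwt(str);
            }
            jwe.decrypt(decrypter(jwe));
            SignedJWT inner = jwe.getPayload().toSignedJWT();
            // Nimbus yields null when the decrypted payload is not a signed JWT; reject instead of NPE.
            if (inner == null) {
                throw new JOSEException("Decrypted JWE payload is not a signed JWT");
            }
            compactJws = inner.serialize();
        }
        SignedJWT signedJwt = SignedJWT.parse(compactJws);
        // Signature first; claims are only inspected once the token is authenticated.
        if (!signedJwt.verify(verifier(signedJwt))) {
            throw new JOSEException("Invalid JWT signature");
        }
        jWTClaimsSetVerifier.verify(signedJwt.getJWTClaimsSet(), (SecurityContext) null);
        return signedJwt;
    }

    /**
     * Builds a decrypter for the token's header from the configured encryption key. The factory
     * selects the algorithm from the header but binds it to the key type (private key vs secret).
     *
     * @return the decrypter, or {@code null} when no encryption key is configured
     * @throws JOSEException when the header's algorithm is not supported for the key
     */
    JWEDecrypter decrypter(JWEObject jWEObject) throws JOSEException {
        if (this.encryptionKey == null) {
            return null;
        }
        if (this.encryptionKey instanceof AsymmetricJWK) {
            return JWE_DECRYPTER_FACTORY.createJWEDecrypter(jWEObject.getHeader(), this.encryptionKey.toPrivateKey());
        }
        if (this.encryptionKey instanceof SecretJWK) {
            return JWE_DECRYPTER_FACTORY.createJWEDecrypter(jWEObject.getHeader(), this.encryptionKey.toSecretKey());
        }
        throw new RuntimeException("Unknown key type: " + this.encryptionKey);
    }

    /**
     * Builds a signature verifier for the token's header from the configured signing key.
     * An asymmetric key contributes only its public part; a secret key is used for MACs.
     *
     * @throws JOSEException  when the header's algorithm is not supported for the key
     * @throws RuntimeException when the signing key is null or of an unsupported type (fail closed)
     */
    JWSVerifier verifier(SignedJWT signedJWT) throws JOSEException {
        if (this.signingKey instanceof AsymmetricJWK) {
            return JWS_VERIFIER_FACTORY.createJWSVerifier(signedJWT.getHeader(), this.signingKey.toPublicKey());
        }
        if (this.signingKey instanceof SecretJWK) {
            return JWS_VERIFIER_FACTORY.createJWSVerifier(signedJWT.getHeader(), this.signingKey.toSecretKey());
        }
        throw new RuntimeException("Unknown key type: " + this.signingKey);
    }
}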
