package org.forgerock.jaspi.modules.openid.resolvers;

import java.net.URL;
import java.security.Key;
import java.util.HashMap;
import java.util.Map;
import org.forgerock.caf.authentication.framework.AuthenticationFramework;
import org.forgerock.jaspi.modules.openid.exceptions.FailedToLoadJWKException;
import org.forgerock.jaspi.modules.openid.exceptions.InvalidSignatureException;
import org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException;
import org.forgerock.jaspi.modules.openid.helpers.JWKSetParser;
import org.forgerock.jaspi.modules.openid.helpers.SimpleHTTPClient;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.SigningManager;

/* loaded from: input_file:org/forgerock/jaspi/modules/openid/resolvers/JWKOpenIdResolverImpl.class */
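/**
 * OpenID Connect resolver that verifies JWS signatures against keys fetched from a JWK set URL.
 *
 * <p>Keys are cached in {@link #keyMap}, indexed by key id. The cache is filled once at
 * construction time and refreshed whenever a token names a key id that is not cached.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The key id comes from the header of a token that has not been verified yet, so a caller
 *       can trigger one fetch of the JWK set per request simply by presenting an unknown (or
 *       absent) key id. This class applies no back-off or rate limit to those refreshes; if the
 *       JWK endpoint is remote, consider throttling upstream.</li>
 *   <li>The scheme of {@link #jwkUrl} is not checked here. The keys fetched from it decide which
 *       signatures are trusted, so the deployment should make sure it is an HTTPS URL.</li>
 * </ul>
 *
 * <p>All access to {@link #keyMap} is guarded by its own monitor.
 */
public class JWKOpenIdResolverImpl extends BaseOpenIdResolver {
    private final SigningManager signingManager;
    private final URL jwkUrl;
    // Key id -> verification key; guarded by synchronized (keyMap).
    private final Map<String, Key> keyMap;
    private final JWKSetParser jwkParser;

    /**
     * Creates a resolver whose {@link JWKSetParser} is built from two integer settings.
     *
     * @param str passed to the {@link BaseOpenIdResolver} constructor (presumably the issuer name; confirm)
     * @param url location of the JWK set
     * @param i first argument of {@code JWKSetParser(int, int)} (presumably a timeout; confirm)
     * @param i2 second argument of {@code JWKSetParser(int, int)} (presumably a timeout; confirm)
     * @throws FailedToLoadJWKException if the initial key load fails
     */
    public JWKOpenIdResolverImpl(String str, URL url, int i, int i2) throws FailedToLoadJWKException {
        super(str);
        this.keyMap = new HashMap<>();
        this.signingManager = new SigningManager();
        this.jwkParser = new JWKSetParser(i, i2);
        this.jwkUrl = url;
        loadInitialKeys();
    }

    /**
     * Creates a resolver whose {@link JWKSetParser} uses the supplied HTTP client.
     *
     * @param str passed to the {@link BaseOpenIdResolver} constructor (presumably the issuer name; confirm)
     * @param url location of the JWK set
     * @param simpleHTTPClient client handed to {@code JWKSetParser(SimpleHTTPClient)}
     * @throws FailedToLoadJWKException if the initial key load fails
     */
    public JWKOpenIdResolverImpl(String str, URL url, SimpleHTTPClient simpleHTTPClient) throws FailedToLoadJWKException {
        super(str);
        this.keyMap = new HashMap<>();
        this.signingManager = new SigningManager();
        this.jwkParser = new JWKSetParser(simpleHTTPClient);
        this.jwkUrl = url;
        loadInitialKeys();
    }

    /**
     * Package-private constructor taking a ready-made parser.
     *
     * @param str passed to the {@link BaseOpenIdResolver} constructor (presumably the issuer name; confirm)
     * @param url location of the JWK set
     * @param jWKSetParser parser used for every key load
     * @throws FailedToLoadJWKException if the initial key load fails
     */
    JWKOpenIdResolverImpl(String str, URL url, JWKSetParser jWKSetParser) throws FailedToLoadJWKException {
        super(str);
        this.keyMap = new HashMap<>();
        this.signingManager = new SigningManager();
        this.jwkParser = jWKSetParser;
        this.jwkUrl = url;
        loadInitialKeys();
    }

    /**
     * Runs the base-class checks and then verifies the token signature.
     *
     * @param signedJwt token to validate
     * @throws OpenIdConnectVerificationException if either step rejects the token
     */
    @Override
    public void validateIdentity(SignedJwt signedJwt) throws OpenIdConnectVerificationException {
        super.validateIdentity(signedJwt);
        verifySignature(signedJwt);
    }

    /**
     * Verifies the token signature with the cached key named by the token's key id, refreshing
     * the cache once if that key id is not present.
     *
     * @param signedJwt token whose signature is checked
     * @throws InvalidSignatureException if no key matches the key id or the signature does not verify
     * @throws FailedToLoadJWKException if a cache refresh was needed and failed
     */
    public void verifySignature(SignedJwt signedJwt) throws InvalidSignatureException, FailedToLoadJWKException {
        // Untrusted at this point: the header is read before any signature check.
        final String keyId = signedJwt.getHeader().getKeyId();
        final Key key;
        synchronized (this.keyMap) {
            if (!this.keyMap.containsKey(keyId)) {
                reloadKeys();
            }
            // Look the key up while still holding the lock, so a refresh running on another
            // thread cannot clear the map between the membership check and the read.
            key = this.keyMap.get(keyId);
        }
        if (key == null || !signedJwt.verify(createSigningHandlerForKey(this.signingManager, key))) {
            AuthenticationFramework.LOG.debug("JWS unable to be verified");
            throw new InvalidSignatureException("JWS unable to be verified");
        }
    }

    /**
     * Performs the first key load, logging and rewrapping a failure.
     *
     * @throws FailedToLoadJWKException if the keys cannot be loaded
     */
    private void loadInitialKeys() throws FailedToLoadJWKException {
        try {
            reloadKeys();
        } catch (FailedToLoadJWKException e) {
            AuthenticationFramework.LOG.debug("Unable to load keys from the JWK over HTTP");
            throw new FailedToLoadJWKException("Unable to load keys from the JWK over HTTP", e);
        }
    }

    /**
     * Replaces the cached keys with the current contents of the JWK set.
     *
     * <p>The new set is fetched before the cache is touched. A failed fetch therefore leaves the
     * previously loaded keys in place instead of emptying the cache, so tokens signed with
     * already-known keys keep verifying while the JWK endpoint is unreachable.
     *
     * @throws FailedToLoadJWKException if the JWK set cannot be fetched or parsed
     */
    private void reloadKeys() throws FailedToLoadJWKException {
        synchronized (this.keyMap) {
            Map<String, Key> fresh = new HashMap<>(this.jwkParser.generateMapFromJWK(this.jwkUrl));
            this.keyMap.clear();
            this.keyMap.putAll(fresh);
        }
    }
}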
