package org.xdi.oxauth.model.token;

import java.util.Date;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.jboss.seam.Component;
import org.xdi.oxauth.model.common.AuthenticationMethod;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.crypto.CryptoProviderFactory;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.registration.Client;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.service.ClientService;
import org.xdi.util.security.StringEncrypter;

/* loaded from: input_file:org/xdi/oxauth/model/token/ClientAssertion.class */
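public class ClientAssertion {
    private Jwt jwt;
    private String clientSecret;

    /**
     * Parses and verifies a client assertion (RFC 7523 style JWT) presented to the token endpoint.
     *
     * @param clientId            client_id presented alongside the assertion; when non-null it must be
     *                            non-blank and equal the assertion's {@code iss} claim, when {@code null}
     *                            only the {@code iss}/{@code sub} consistency is checked
     * @param clientAssertionType declared assertion type; only {@link ClientAssertionType#JWT_BEARER}
     *                            is accepted
     * @param clientAssertion     the compact-serialized JWT
     * @throws InvalidJwtException if the assertion cannot be parsed or fails any check. Every failure
     *                             inside {@link #load} is re-wrapped, so the thrown message is generic
     *                             and the precise rejection reason is available as the cause.
     */
    public ClientAssertion(String clientId, ClientAssertionType clientAssertionType, String clientAssertion)
            throws InvalidJwtException {
        try {
            if (!load(clientId, clientAssertionType, clientAssertion)) {
                throw new InvalidJwtException("Cannot load the JWT");
            }
        } catch (StringEncrypter.EncryptionException e) {
            throw new InvalidJwtException(e.getMessage(), e);
        } catch (Exception e) {
            // Also catches the InvalidJwtException thrown by load(): the caller sees a generic
            // message while the specific reason stays on the cause for logging.
            throw new InvalidJwtException("Cannot verify the JWT", e);
        }
    }

    /**
     * Returns the {@code sub} claim of the verified assertion, i.e. the client it identifies.
     *
     * @return the {@code sub} claim as a string
     */
    public String getSubjectIdentifier() {
        return this.jwt.getClaims().getClaimAsString("sub");
    }

    /**
     * Returns the registered secret of the client resolved from the assertion's {@code sub} claim.
     *
     * @return the client secret as stored on the {@link Client}
     */
    public String getClientSecret() {
        return this.clientSecret;
    }

    /**
     * Runs every validation step on the assertion, in order: assertion type, non-empty payload,
     * {@code iss}/{@code sub}/client_id consistency, {@code aud} contains the token endpoint,
     * {@code exp} present and in the future, client exists, signing algorithm family matches the
     * client's authentication method, and finally the signature itself.
     *
     * @param clientId            presented client_id, may be {@code null}
     * @param clientAssertionType declared assertion type
     * @param clientAssertion     compact-serialized JWT
     * @return {@code true} when every check passed
     * @throws InvalidJwtException when any check fails
     * @throws Exception           anything raised by parsing, key lookup or signature verification
     */
    private boolean load(String clientId, ClientAssertionType clientAssertionType, String clientAssertion)
            throws Exception {
        if (clientAssertionType != ClientAssertionType.JWT_BEARER) {
            throw new InvalidJwtException("Invalid Client Assertion Type");
        }
        if (StringUtils.isBlank(clientAssertion)) {
            throw new InvalidJwtException("The Client Assertion is null or empty");
        }
        this.jwt = Jwt.parse(clientAssertion);

        String issuer = this.jwt.getClaims().getClaimAsString("iss");
        String subject = this.jwt.getClaims().getClaimAsString("sub");
        List<String> audience = this.jwt.getClaims().getClaimAsStringList("aud");
        Date expiration = this.jwt.getClaims().getClaimAsDate("exp");

        // iss and sub must both be present and name the same client. A presented client_id must
        // additionally equal iss; a blank-but-non-null client_id is rejected.
        boolean issuerMatchesSubject = StringUtils.isNotBlank(issuer)
                && StringUtils.isNotBlank(subject)
                && issuer.equals(subject);
        boolean clientIdConsistent = clientId == null
                || (StringUtils.isNotBlank(clientId) && clientId.equals(issuer));
        if (!issuerMatchesSubject || !clientIdConsistent) {
            throw new InvalidJwtException("Invalid clientId");
        }

        String tokenEndpoint = ConfigurationFactory.instance().getConfiguration().getTokenEndpoint();
        if (audience == null || !audience.contains(tokenEndpoint)) {
            throw new InvalidJwtException("Invalid audience: " + audience + ", tokenUrl: " + tokenEndpoint);
        }

        // A missing exp used to surface as a NullPointerException on the after() call; an assertion
        // without an expiry must be rejected explicitly rather than by accident.
        if (expiration == null) {
            throw new InvalidJwtException("JWT has no exp claim");
        }
        if (!expiration.after(new Date())) {
            throw new InvalidJwtException("JWT has expired");
        }

        Client client = ((ClientService) Component.getInstance(ClientService.class)).getClient(subject);
        if (client == null) {
            throw new InvalidJwtException("Invalid client");
        }

        // typ is only required to be resolvable, either from the header or from the algorithm;
        // it is not otherwise compared.
        JwtType jwtType = JwtType.fromString(this.jwt.getHeader().getClaimAsString("typ"));
        SignatureAlgorithm algorithm = this.jwt.getHeader().getAlgorithm();
        if (jwtType == null && algorithm != null) {
            jwtType = algorithm.getJwtType();
        }
        AuthenticationMethod authenticationMethod = client.getAuthenticationMethod();
        if (jwtType == null || algorithm == null || algorithm.getFamily() == null
                || !isAlgorithmAllowedFor(authenticationMethod, algorithm)) {
            throw new InvalidJwtException("Invalid authentication method");
        }

        this.clientSecret = client.getClientSecret();

        // Key material is resolved from the header kid against the client's registered JWKS; the
        // client secret is handed over alongside it for the HMAC case.
        String keyId = this.jwt.getHeader().getKeyId();
        boolean signatureValid = CryptoProviderFactory.getCryptoProvider(
                        ConfigurationFactory.instance().getConfiguration(),
                        ConfigurationFactory.instance().getWebKeys())
                .verifySignature(
                        this.jwt.getSigningInput(),
                        this.jwt.getEncodedSignature(),
                        keyId,
                        JwtUtil.getJsonKey(client.getJwksUri(), client.getJwks(), keyId),
                        this.clientSecret,
                        algorithm);
        if (!signatureValid) {
            throw new InvalidJwtException("Invalid cryptographic segment");
        }
        return true;
    }

    /**
     * Whether the client's registered authentication method permits the assertion's signing
     * algorithm: client_secret_jwt requires the HMAC family, private_key_jwt requires RSA or EC.
     * Any other method (or an unknown family) is refused.
     *
     * @param authenticationMethod the client's token-endpoint authentication method
     * @param algorithm            the algorithm from the JWT header; its family must be non-null
     * @return {@code true} when the algorithm family is acceptable for the method
     */
    private static boolean isAlgorithmAllowedFor(AuthenticationMethod authenticationMethod,
                                                 SignatureAlgorithm algorithm) {
        if (authenticationMethod == AuthenticationMethod.CLIENT_SECRET_JWT) {
            return algorithm.getFamily().equals("HMAC");
        }
        if (authenticationMethod == AuthenticationMethod.PRIVATE_KEY_JWT) {
            return algorithm.getFamily().equals("RSA") || algorithm.getFamily().equals("EC");
        }
        return false;
    }
}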
