package org.xdi.oxd.server.op;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.inject.Injector;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.util.Date;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xdi.oxauth.client.JwkClient;
import org.xdi.oxauth.client.JwkResponse;
import org.xdi.oxauth.client.OpenIdConfigurationResponse;
import org.xdi.oxauth.model.crypto.PublicKey;
import org.xdi.oxauth.model.crypto.signature.RSAPublicKey;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.jws.RSASigner;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxd.common.Command;
import org.xdi.oxd.common.CommandResponse;
import org.xdi.oxd.common.CoreUtils;
import org.xdi.oxd.common.params.CheckIdTokenParams;
import org.xdi.oxd.common.response.CheckIdTokenResponse;

/* loaded from: input_file:org/xdi/oxd/server/op/CheckIdTokenOperation.class */
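/**
 * Operation behind the {@code check_id_token} command: parses an id_token, resolves the
 * OpenID Provider's discovery document, and reports whether the token is currently valid
 * (not expired, issued by the discovered issuer, RSA-signed with a key published at the
 * provider's jwks_uri) together with its claims and iat/exp timestamps.
 *
 * <p>Note: the {@code aud} claim is not compared against any client id here, so a response
 * with {@code active=true} only proves origin and freshness, not that the token was issued
 * for the caller.
 */
public class CheckIdTokenOperation extends BaseOperation {
    private static final Logger LOG = LoggerFactory.getLogger(CheckIdTokenOperation.class);

    /* JADX INFO: Access modifiers changed from: protected */
    public CheckIdTokenOperation(Command command, Injector injector) {
        super(command, injector);
    }

    /**
     * Executes the command.
     *
     * <p>The discovery document is resolved from {@code discovery_url} when present; a
     * non-empty {@code oxd_id} takes precedence when both are supplied (the explicit URL is
     * still fetched first, as in the original behaviour). Any failure, including an
     * unparsable token or a missing discovery document, is logged and reported as
     * {@link CommandResponse#INTERNAL_ERROR_RESPONSE}.
     *
     * @return an ok response wrapping a {@link CheckIdTokenResponse}, or the internal-error response
     */
    @Override // org.xdi.oxd.server.op.IOperation
    public CommandResponse execute() {
        try {
            CheckIdTokenParams params = (CheckIdTokenParams) asParams(CheckIdTokenParams.class);
            if (params != null) {
                OpenIdConfigurationResponse discovery = null;
                if (!Strings.isNullOrEmpty(params.getDiscoveryUrl())) {
                    discovery = getDiscoveryService().getConnectDiscoveryResponse(params.getDiscoveryUrl());
                }
                if (!Strings.isNullOrEmpty(params.getOxdId())) {
                    discovery = getDiscoveryService().getConnectDiscoveryResponse();
                }
                // The params object carries the raw id_token (see getIdToken()); it is deliberately
                // kept out of the exception message so the token cannot reach the log via LOG.error below.
                Preconditions.checkNotNull(discovery,
                        "Failed to identify discovery response (neither discovery_url nor oxd_id resolved a document)");

                Jwt jwt = Jwt.parse(params.getIdToken());
                Date issuedAt = jwt.getClaims().getClaimAsDate("iat");
                Date expiresAt = jwt.getClaims().getClaimAsDate("exp");

                CheckIdTokenResponse response = new CheckIdTokenResponse();
                response.setActive(isValid(jwt, discovery));
                response.setIssuedAt(toEpochSeconds(issuedAt));
                response.setExpiresAt(toEpochSeconds(expiresAt));
                response.setClaims(jwt.getClaims().toMap());
                return okResponse(response);
            }
        } catch (Throwable th) {
            // Operation boundary: every failure is mapped to INTERNAL_ERROR rather than propagated.
            LOG.error(th.getMessage(), th);
        }
        return CommandResponse.INTERNAL_ERROR_RESPONSE;
    }

    /**
     * Converts a claim date to epoch seconds, using {@code 0} when the claim is absent.
     *
     * @param date the claim value, may be {@code null}
     * @return seconds since the epoch, or {@code 0} if {@code date} is {@code null}
     */
    private static long toEpochSeconds(Date date) {
        return date != null ? date.getTime() / 1000 : 0L;
    }

    /**
     * Checks expiry, issuer and RSA signature of an id_token.
     *
     * <p>Checks are ordered cheapest first so that a token that is expired, from the wrong
     * issuer, or not RSA-signed is rejected before any network call to the jwks_uri. Only
     * RS256/RS384/RS512 are accepted: the {@code alg} header is attacker-controlled, so it
     * must never select an HMAC, EC or "none" verifier for a key that was published as RSA.
     *
     * @param jwt the parsed token
     * @param openIdConfigurationResponse discovery document providing issuer and jwks_uri
     * @return {@code true} only if all checks pass; any exception is logged and yields {@code false}
     */
    public static boolean isValid(Jwt jwt, OpenIdConfigurationResponse openIdConfigurationResponse) {
        try {
            Date expiration = jwt.getClaims().getClaimAsDate("exp");
            Date now = new Date();
            // A missing "exp" previously failed by NPE inside the catch block; reject it explicitly.
            if (expiration == null) {
                LOG.trace("ID Token has no exp claim.");
                return false;
            }
            if (now.after(expiration)) {
                LOG.trace("ID Token is expired. (It is after " + now + ").");
                return false;
            }

            String issuer = jwt.getClaims().getClaimAsString("iss");
            if (issuer == null || !issuer.equals(openIdConfigurationResponse.getIssuer())) {
                LOG.trace("ID Token issuer is invalid. Token issuer: " + issuer + ", discovery issuer: " + openIdConfigurationResponse.getIssuer());
                return false;
            }

            SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(jwt.getHeader().getClaimAsString("alg"));
            if (!isRsaSignature(algorithm)) {
                LOG.trace("ID Token alg is not an accepted RSA signature algorithm: " + algorithm);
                return false;
            }

            String kid = jwt.getHeader().getClaimAsString("kid");
            RSAPublicKey publicKey = getRSAPublicKey(openIdConfigurationResponse.getJwksUri(), kid);
            if (publicKey == null) {
                LOG.trace("No RSA public key found at jwks_uri for kid: " + kid);
                return false;
            }

            boolean signatureValid = new RSASigner(algorithm, publicKey).validate(jwt);
            if (!signatureValid) {
                LOG.trace("ID Token signature is invalid.");
            }
            return signatureValid;
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Whether {@code algorithm} is one of the RSA signature algorithms this operation accepts.
     *
     * @param algorithm parsed {@code alg} header, may be {@code null} for unknown names
     * @return {@code true} for RS256, RS384 or RS512
     */
    private static boolean isRsaSignature(SignatureAlgorithm algorithm) {
        return algorithm == SignatureAlgorithm.RS256
                || algorithm == SignatureAlgorithm.RS384
                || algorithm == SignatureAlgorithm.RS512;
    }

    /**
     * Fetches the JWK set from {@code jwksUri} and returns the RSA public key with the given kid.
     *
     * <p>NOTE(review): the HTTP client comes from {@code CoreUtils.createHttpClientTrustAll()},
     * i.e. TLS certificates of the jwks_uri host are not verified. Because the keys fetched here
     * decide which signatures are trusted, a network attacker able to interpose on that
     * connection could substitute a key set; a certificate-validating client is preferable.
     *
     * @param jwksUri the provider's jwks_uri
     * @param kid key id from the token header
     * @return the matching RSA key, or {@code null} if the fetch failed, the status was not 200,
     *         or the key is missing or not RSA
     * @throws NoSuchAlgorithmException propagated from HTTP client creation
     * @throws KeyManagementException propagated from HTTP client creation
     * @throws KeyStoreException propagated from HTTP client creation
     * @throws UnrecoverableKeyException propagated from HTTP client creation
     */
    public static RSAPublicKey getRSAPublicKey(String jwksUri, String kid) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException {
        JwkClient jwkClient = new JwkClient(jwksUri);
        jwkClient.setExecutor(new ApacheHttpClient4Executor(CoreUtils.createHttpClientTrustAll()));
        JwkResponse jwkResponse = jwkClient.exec();
        if (jwkResponse == null || jwkResponse.getStatus() != 200) {
            return null;
        }
        PublicKey publicKey = jwkResponse.getPublicKey(kid);
        if (publicKey instanceof RSAPublicKey) {
            return (RSAPublicKey) publicKey;
        }
        return null;
    }
}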
