package org.xdi.oxd.server.op;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.util.Date;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xdi.oxauth.client.OpenIdConfigurationResponse;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.jws.RSASigner;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxd.common.ErrorResponseCode;
import org.xdi.oxd.common.ErrorResponseException;
import org.xdi.oxd.server.service.PublicOpKeyService;
import org.xdi.oxd.server.service.StateService;

/* loaded from: input_file:org/xdi/oxd/server/op/Validator.class */
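public class Validator {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) Validator.class);
    private final Jwt idToken;
    private final OpenIdConfigurationResponse discoveryResponse;
    private final PublicOpKeyService keyService;
    // Not final: replaced in checkSignature() when the cached OP key no longer verifies the token
    // and a re-fetched key does. The swap is unsynchronized, so an instance is not thread-safe.
    private RSASigner rsaSigner;

    /**
     * Creates a validator bound to one ID token and the OP discovery document it must agree with.
     *
     * @param jwt                         parsed ID token to validate
     * @param openIdConfigurationResponse OP discovery response; its issuer and JWKS URI are read here
     * @param publicOpKeyService          resolves the OP's RSA public key by JWKS URI and {@code kid}
     * @throws NullPointerException if any argument is null
     */
    public Validator(Jwt jwt, OpenIdConfigurationResponse openIdConfigurationResponse, PublicOpKeyService publicOpKeyService) {
        this.idToken = Preconditions.checkNotNull(jwt, "jwt");
        this.discoveryResponse = Preconditions.checkNotNull(openIdConfigurationResponse, "openIdConfigurationResponse");
        // createRSASigner dereferences the key service; fail with a clear message instead of a bare NPE.
        this.keyService = Preconditions.checkNotNull(publicOpKeyService, "publicOpKeyService");
        this.rsaSigner = createRSASigner(jwt, openIdConfigurationResponse, publicOpKeyService);
    }

    /**
     * Checks that the access token is bound to this ID token (presumably via the {@code at_hash} claim;
     * confirm against {@link RSASigner#validateAccessToken}). A null or empty token is not checked,
     * so flows that carry no access token may pass null.
     *
     * @param accessToken access token issued alongside the ID token, may be null
     * @throws ErrorResponseException with {@code INVALID_ACCESS_TOKEN_BAD_HASH} when the binding fails
     */
    public void validateAccessToken(String accessToken) {
        if (Strings.isNullOrEmpty(accessToken)) {
            return;
        }
        if (!this.rsaSigner.validateAccessToken(accessToken, this.idToken)) {
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ACCESS_TOKEN_BAD_HASH);
        }
    }

    /**
     * Checks that the authorization code is bound to this ID token (presumably via the {@code c_hash}
     * claim; confirm against {@link RSASigner#validateAuthorizationCode}). A null or empty code is not
     * checked.
     *
     * @param code authorization code issued alongside the ID token, may be null
     * @throws ErrorResponseException with {@code INVALID_AUTHORIZATION_CODE_BAD_HASH} when the binding fails
     */
    public void validateAuthorizationCode(String code) {
        if (Strings.isNullOrEmpty(code)) {
            return;
        }
        if (!this.rsaSigner.validateAuthorizationCode(code, this.idToken)) {
            throw new ErrorResponseException(ErrorResponseCode.INVALID_AUTHORIZATION_CODE_BAD_HASH);
        }
    }

    /**
     * Builds an {@link RSASigner} for the token using the algorithm and key id from the token header
     * and the OP key resolved through the key service.
     * <p>
     * NOTE(review): {@code alg} and {@code kid} are taken from the JWT header before the signature has
     * been verified, so they are attacker-controlled input; this is only safe if {@code RSASigner}
     * rejects non-RSA algorithms for the resolved key — confirm in {@code RSASigner}.
     *
     * @param jwt                         token whose header supplies {@code alg} and {@code kid}
     * @param openIdConfigurationResponse discovery response supplying the JWKS URI
     * @param publicOpKeyService          key lookup service
     * @return a signer for the token's declared algorithm and key
     */
    public static RSASigner createRSASigner(Jwt jwt, OpenIdConfigurationResponse openIdConfigurationResponse, PublicOpKeyService publicOpKeyService) {
        SignatureAlgorithm algorithm = SignatureAlgorithm.fromString(jwt.getHeader().getClaimAsString("alg"));
        String kid = jwt.getHeader().getClaimAsString("kid");
        return new RSASigner(algorithm, publicOpKeyService.getRSAPublicKey(openIdConfigurationResponse.getJwksUri(), kid));
    }

    /**
     * Checks the token's {@code nonce} claim against the nonce the state service issued.
     *
     * @param stateService service that knows which nonces are outstanding
     * @throws ErrorResponseException with {@code INVALID_NONCE} when the nonce is not recognised
     */
    public void validateNonce(StateService stateService) {
        String nonceFromToken = this.idToken.getClaims().getClaimAsString("nonce");
        if (!stateService.isNonceValid(nonceFromToken)) {
            throw new ErrorResponseException(ErrorResponseCode.INVALID_NONCE);
        }
    }

    /**
     * Boolean form of {@link #validateIdToken(String)}: any validation failure yields {@code false}
     * and the specific error code is discarded.
     *
     * @param clientId client id the token must be addressed to
     * @return {@code true} when the ID token passes every check
     */
    public boolean isIdTokenValid(String clientId) {
        try {
            validateIdToken(clientId);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    /**
     * Validates the ID token without a nonce check (the nonce is skipped when it is null or empty).
     *
     * @param clientId client id the token must be addressed to
     * @throws ErrorResponseException on any validation failure
     */
    public void validateIdToken(String clientId) {
        validateIdToken(null, clientId);
    }

    /**
     * Validates the ID token: nonce (when given), audience, expiration, issuer and finally the
     * signature, in that order. The first failing check wins.
     *
     * @param nonce    expected nonce, or null/empty to skip the nonce check
     * @param clientId client id that must appear in the {@code aud} claim
     * @throws ErrorResponseException with the code of the failing check; any other exception raised
     *                                while reading claims (e.g. a missing claim) is logged and mapped to
     *                                {@code INVALID_ID_TOKEN_UNKNOWN}
     */
    public void validateIdToken(String nonce, String clientId) {
        try {
            checkNonce(nonce);
            checkAudience(clientId);
            checkExpiration();
            checkIssuer();
            checkSignature();
        } catch (ErrorResponseException e) {
            // Propagate the specific code. Previously the catch-all below also caught these and
            // replaced every specific code with INVALID_ID_TOKEN_UNKNOWN.
            throw e;
        } catch (Exception e) {
            LOG.error(e.getMessage(), (Throwable) e);
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_UNKNOWN);
        }
    }

    /** Nonce check: skipped when no nonce is expected; a token without a nonce claim fails when one is. */
    private void checkNonce(String nonce) {
        if (Strings.isNullOrEmpty(nonce)) {
            return;
        }
        String nonceFromToken = this.idToken.getClaims().getClaimAsString("nonce");
        // NOTE(review): suffix match is inherited from the original code; OIDC calls for an exact
        // match, so confirm whether some OP prefixes the nonce before tightening this to equals().
        if (nonceFromToken == null || !nonceFromToken.endsWith(nonce)) {
            LOG.error("ID Token has invalid nonce. Expected nonce: " + nonce + ", nonce from token is: " + nonceFromToken);
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_NONCE);
        }
    }

    /**
     * Audience check: {@code aud} must name this client, either as a plain string or as a
     * single-element array. The original code threw on both paths of the array branch, so a
     * token whose {@code aud} was {@code ["<client_id>"]} was always rejected.
     * NOTE(review): the case-insensitive comparison is inherited; exact comparison is the safer
     * default for client ids — confirm no OP relies on it before changing.
     */
    private void checkAudience(String clientId) {
        String audienceFromToken = this.idToken.getClaims().getClaimAsString("aud");
        if (clientId.equalsIgnoreCase(audienceFromToken)) {
            return;
        }
        List<String> audienceList = this.idToken.getClaims().getClaimAsStringList("aud");
        if (audienceList != null && audienceList.size() == 1) {
            if (clientId.equalsIgnoreCase(audienceList.get(0))) {
                return;
            }
            LOG.error("ID Token has invalid audience. Expected audience: " + clientId + ", audience from token is: " + audienceList);
        } else {
            LOG.error("ID Token has invalid audience. Expected audience: " + clientId + ", audience from token is: " + audienceFromToken);
        }
        throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_AUDIENCE);
    }

    /** Expiration check against the local clock; no clock-skew allowance. A missing {@code exp} is treated as expired. */
    private void checkExpiration() {
        Date expiration = this.idToken.getClaims().getClaimAsDate("exp");
        Date now = new Date();
        if (expiration == null || now.after(expiration)) {
            LOG.error("ID Token is expired. (It is after " + now + ", exp: " + expiration + ").");
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_EXPIRED);
        }
    }

    /** Issuer check: {@code iss} must equal the issuer from the discovery document exactly. */
    private void checkIssuer() {
        String issuer = this.idToken.getClaims().getClaimAsString("iss");
        String discoveryIssuer = this.discoveryResponse.getIssuer();
        if (issuer == null || !issuer.equals(discoveryIssuer)) {
            LOG.error("ID Token issuer is invalid. Token issuer: " + issuer + ", discovery issuer: " + discoveryIssuer);
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_ISSUER);
        }
    }

    /**
     * Signature check. On failure the OP key for the token's {@code kid} is re-fetched once (to cover
     * key rotation) and the check repeated; the cached signer is replaced only when the retry succeeds.
     */
    private void checkSignature() {
        if (this.rsaSigner.validate(this.idToken)) {
            return;
        }
        String kid = this.idToken.getHeader().getClaimAsString("kid");
        this.keyService.refetchKey(this.discoveryResponse.getJwksUri(), kid);
        RSASigner refreshedSigner = createRSASigner(this.idToken, this.discoveryResponse, this.keyService);
        if (!refreshedSigner.validate(this.idToken)) {
            LOG.error("ID Token signature is invalid.");
            throw new ErrorResponseException(ErrorResponseCode.INVALID_ID_TOKEN_BAD_SIGNATURE);
        }
        this.rsaSigner = refreshedSigner;
    }

    /** @return the ID token this validator was constructed with */
    public Jwt getIdToken() {
        return this.idToken;
    }
}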
