package org.apache.cxf.rs.security.oidc.rp;

import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.class */
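/**
 * Base class for validating JWT tokens (for example OIDC ID tokens) on the relying-party side.
 *
 * <p>It optionally decrypts a JWE-wrapped token, verifies the JWS signature with either a
 * configured verifier or a key looked up by key id in the provider's JWK set, and checks the
 * subject, audience, issuer and time claims.
 *
 * <p>The configuration fields are plain, non-volatile fields written by the setters; only the
 * key cache is a concurrent map.
 */
public abstract class AbstractTokenValidator {
    private JweDecryptionProvider jweDecryptor;
    private JwsSignatureVerifier jwsVerifier;
    private String issuerId;
    private int issuedAtRange;
    private WebClient jwkSetClient;
    // Provider keys cached by key id. Entries are only ever added in this class, never removed,
    // so a key that the provider has rotated out stays usable for the lifetime of this instance.
    private final ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<>();

    /**
     * Unwraps the compact token and returns the parsed JWT.
     *
     * @param str the compact token; must not be {@code null}
     * @param str2 not used by this method
     * @param str3 passed on to {@link #getTokenValidateSignature(String, String)} as the
     *     preferred key id (may be {@code null})
     * @param z when {@code true} and a decryption provider is available, the token is treated
     *     as JWE only and returned straight after decryption
     * @return the decrypted and/or signature-verified token
     * @throws SecurityException if the token is missing or its signature cannot be verified
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public JwtToken getJwtToken(String str, String str2, String str3, boolean z) {
        if (str == null) {
            throw new SecurityException("ID Token is missing");
        }
        // Use the provider that was actually resolved: the field is null when the provider
        // comes from JweUtils.loadDecryptionProvider rather than from setJweDecryptor.
        JweDecryptionProvider decryptor = getInitializedDecryptionProvider(z);
        if (decryptor != null) {
            if (z) {
                // JWE-only path: no JWS signature is verified here; trust in the token rests
                // on the decryption step alone.
                return new JweJwtCompactConsumer(str).decryptWith(decryptor);
            }
            str = decryptor.decrypt(str).getContentText();
        }
        return getTokenValidateSignature(str, str3);
    }

    /**
     * Checks the subject, audience, issuer and time claims of a token.
     *
     * @param jwtClaims the claims to check
     * @param str the expected audience
     * @param z when {@code true}, a missing audience claim or an unconfigured issuer id is a
     *     failure; when {@code false}, those two checks are skipped if the value is absent
     * @throws SecurityException if the subject is missing or the audience or issuer is
     *     rejected
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateJwtClaims(JwtClaims jwtClaims, String str, boolean z) {
        if (jwtClaims.getSubject() == null) {
            throw new SecurityException("Invalid subject");
        }
        String audience = jwtClaims.getAudience();
        // Compare from the non-null side so that a null expected audience is rejected as an
        // invalid audience instead of failing with a NullPointerException.
        if ((audience == null && z) || (audience != null && !audience.equals(str))) {
            throw new SecurityException("Invalid audience");
        }
        String issuer = jwtClaims.getIssuer();
        // With no issuerId configured and z == false the issuer claim is not checked at all,
        // so deployments that must pin the provider have to call setIssuerId.
        if ((this.issuerId == null && z) || (this.issuerId != null && !this.issuerId.equals(issuer))) {
            throw new SecurityException("Invalid provider");
        }
        // Time-claim checks are delegated; issuedAtRange and z are passed through unchanged.
        JwtUtils.validateJwtTimeClaims(jwtClaims, this.issuedAtRange, z);
    }

    /**
     * Parses a compact JWS token and verifies its signature.
     *
     * <p>A verifier returned by {@link #getInitializedSigVerifier()} takes precedence.
     * Otherwise the key is looked up by key id, first in the local cache and then in the JWK
     * set fetched through the configured client.
     *
     * @param str the compact JWS token
     * @param str2 the key id to use, or {@code null} to take it from the token headers
     * @return the token, once its signature has been verified
     * @throws SecurityException if no verifier or JWK set client is available, the key id is
     *     missing, the key cannot be found, or the signature is invalid
     */
    protected JwtToken getTokenValidateSignature(String str, String str2) {
        JwsJwtCompactConsumer jwsJwtCompactConsumer = new JwsJwtCompactConsumer(str);
        JwtToken jwtToken = jwsJwtCompactConsumer.getJwtToken();
        JwsSignatureVerifier initializedSigVerifier = getInitializedSigVerifier();
        if (initializedSigVerifier != null) {
            return validateToken(jwsJwtCompactConsumer, jwtToken, initializedSigVerifier);
        }
        if (this.jwkSetClient == null) {
            throw new SecurityException("Provider Jwk Set Client is not available");
        }
        // The header key id is read before the signature is verified, so it is untrusted
        // input; it only selects which provider key is tried.
        String keyId = str2 != null ? str2 : jwtToken.getHeaders().getKeyId();
        if (keyId == null) {
            throw new SecurityException("Provider JWK key id is null");
        }
        JsonWebKey jsonWebKey = this.keyMap.get(keyId);
        if (jsonWebKey == null) {
            // Cache miss: every token carrying an unknown key id causes a remote JWK set
            // fetch. No rate limiting or negative caching is visible in this class.
            JsonWebKeys jsonWebKeys = (JsonWebKeys) this.jwkSetClient.get(JsonWebKeys.class);
            // Guard against an empty response so the failure surfaces as the
            // SecurityException below rather than a NullPointerException.
            if (jsonWebKeys != null) {
                jsonWebKey = jsonWebKeys.getKey(keyId);
                this.keyMap.putAll(jsonWebKeys.getKeyIdMap());
            }
        }
        if (jsonWebKey == null) {
            // NOTE(review): keyId may come from the unverified token header; if this message
            // is logged, consider sanitising it first.
            throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not available");
        }
        return validateToken(jwsJwtCompactConsumer, jwtToken, JwsUtils.getSignatureVerifier(jsonWebKey));
    }

    /**
     * Returns the token if its signature verifies with the given verifier.
     *
     * @param jwsJwtCompactConsumer the consumer holding the compact token
     * @param jwtToken the parsed token to return on success
     * @param jwsSignatureVerifier the verifier to check the signature with
     * @return {@code jwtToken} when the signature is valid
     * @throws SecurityException if the signature does not verify
     */
    protected JwtToken validateToken(JwsJwtCompactConsumer jwsJwtCompactConsumer, JwtToken jwtToken, JwsSignatureVerifier jwsSignatureVerifier) {
        if (!jwsJwtCompactConsumer.verifySignatureWith(jwsSignatureVerifier)) {
            throw new SecurityException("Invalid Signature");
        }
        return jwtToken;
    }

    /** Sets the provider used to decrypt JWE-wrapped tokens. */
    public void setJweDecryptor(JweDecryptionProvider jweDecryptionProvider) {
        this.jweDecryptor = jweDecryptionProvider;
    }

    /** Sets the JWS signature verifier; despite the "Jwe" in its name it assigns the JWS verifier. */
    public void setJweVerifier(JwsSignatureVerifier jwsSignatureVerifier) {
        this.jwsVerifier = jwsSignatureVerifier;
    }

    /** Sets the expected issuer; while unset, the issuer check depends on the caller's strictness flag. */
    public void setIssuerId(String str) {
        this.issuerId = str;
    }

    /** Sets the client used to fetch the provider's JWK set when no verifier is configured. */
    public void setJwkSetClient(WebClient webClient) {
        this.jwkSetClient = webClient;
    }

    /** Sets the value passed to the time-claim validation as the issued-at range. */
    public void setIssuedAtRange(int i) {
        this.issuedAtRange = i;
    }

    /**
     * Returns the configured decryption provider, or the one loaded by {@code JweUtils} when
     * none was set.
     *
     * @param z passed through to {@code JweUtils.loadDecryptionProvider}
     * @return the provider; callers treat {@code null} as "no decryption configured"
     */
    protected JweDecryptionProvider getInitializedDecryptionProvider(boolean z) {
        if (this.jweDecryptor != null) {
            return this.jweDecryptor;
        }
        return JweUtils.loadDecryptionProvider(z);
    }

    /**
     * Returns the configured signature verifier, or the one loaded by {@code JwsUtils} when
     * none was set.
     *
     * @return the verifier; callers treat {@code null} as "fall back to the JWK set lookup"
     */
    protected JwsSignatureVerifier getInitializedSigVerifier() {
        if (this.jwsVerifier != null) {
            return this.jwsVerifier;
        }
        // NOTE(review): the meaning of the 'false' argument is not visible here; presumably
        // it marks the verifier as optional. Confirm against JwsUtils.
        return JwsUtils.loadSignatureVerifier(false);
    }
}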
