package org.forgerock.oauth2.core;

import com.google.common.annotations.VisibleForTesting;
import java.util.concurrent.TimeUnit;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.util.time.TimeService;

/* loaded from: input_file:org/forgerock/oauth2/core/OAuth2Jwt.class */
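/**
 * Wrapper around a {@link SignedJwt} used as an OAuth2 assertion, bundling signature
 * verification with time-based and required-claim checks.
 *
 * <p>Parsing (see {@link #create(String)}) does not verify anything: until
 * {@link #isValid(SigningHandler)} has returned {@code true}, values such as
 * {@link #getSubject()} come from an unverified token and must not be trusted.
 *
 * <p>This class only checks that the {@code iss} claim is present. Matching it against an
 * expected issuer is left to the caller, as is the audience check via
 * {@link #isIntendedForAudience(String)}.
 *
 * <p>The signature-result cache is unsynchronised, so an instance is not meant to have
 * {@link #isValid(SigningHandler)} called on it from several threads at once.
 */
public class OAuth2Jwt {
    private static final JwtReconstruction JWT_PARSER = new JwtReconstruction();
    /** Clock-skew tolerance applied to the {@code exp} and {@code nbf} checks (5 minutes, in ms). */
    private static final long SKEW_ALLOWANCE = TimeUnit.MINUTES.toMillis(5);
    /** Upper bound on how far {@code exp} may lie ahead, and {@code iat} behind, "now" (1 day, in ms). */
    private static final long UNREASONABLE_LIFETIME_LIMIT = TimeUnit.DAYS.toMillis(1);
    private final SignedJwt jwt;
    private final TimeService timeService;
    /** Cached outcome of the last signature verification; {@code null} until the first one. */
    private Boolean isSignatureValid;
    /** The handler that produced {@link #isSignatureValid}; the cache is only valid for this handler. */
    private SigningHandler signatureCheckedWith;

    /**
     * Parses a serialised JWT into an {@code OAuth2Jwt} that uses the system clock.
     * No signature or claim validation happens here.
     *
     * @param str the serialised JWT
     * @return the wrapped, still unverified token
     */
    public static OAuth2Jwt create(String str) {
        return new OAuth2Jwt(JWT_PARSER.reconstructJwt(str, SignedJwt.class), TimeService.SYSTEM);
    }

    @VisibleForTesting
    OAuth2Jwt(SignedJwt signedJwt, TimeService timeService) {
        this.jwt = signedJwt;
        this.timeService = timeService;
    }

    /**
     * Verifies the signature with the given handler and then checks the claims.
     *
     * <p>The signature result is cached, but only for the handler instance that produced it.
     * A call with a different handler verifies again, so a result obtained with one key is
     * never reported for another.
     *
     * @param signingHandler the handler used to verify the signature
     * @return {@code true} only if the signature verifies and {@link #isContentValid()} holds
     */
    public boolean isValid(SigningHandler signingHandler) {
        // Identity comparison on purpose: nothing here shows that SigningHandler defines
        // equals(), and re-verifying for an equivalent handler costs time, not correctness.
        if (this.isSignatureValid == null || this.signatureCheckedWith != signingHandler) {
            this.isSignatureValid = Boolean.valueOf(this.jwt.verify(signingHandler));
            this.signatureCheckedWith = signingHandler;
        }
        return this.isSignatureValid.booleanValue() && isContentValid();
    }

    /**
     * Checks the claims without touching the signature: {@code iss}, {@code sub}, {@code aud}
     * and {@code exp} must be present, {@code exp} must be neither passed nor more than a day
     * ahead, {@code nbf} (if present) must have been reached, and {@code iat} (if present)
     * must not be more than a day old.
     *
     * @return {@code true} if every check passes
     */
    public boolean isContentValid() {
        // The presence check stays first: the time checks dereference the exp claim.
        return contains("iss", "sub", "aud", "exp")
                && !isExpiryUnreasonable()
                && !isExpired()
                && !isNowBeforeNbf()
                && !isIssuedAtUnreasonable();
    }

    /** Returns {@code true} if every named claim has a non-null value in the claims set. */
    private boolean contains(String... strArr) {
        for (String str : strArr) {
            if (this.jwt.getClaimsSet().getClaim(str) == null) {
                return false;
            }
        }
        return true;
    }

    /** Returns {@code true} if {@code exp} lies more than {@link #UNREASONABLE_LIFETIME_LIMIT} ahead of now. */
    private boolean isExpiryUnreasonable() {
        return this.jwt.getClaimsSet().getExpirationTime().getTime() > this.timeService.now() + UNREASONABLE_LIFETIME_LIMIT;
    }

    /**
     * Reports whether the token has expired, allowing {@link #SKEW_ALLOWANCE} of clock skew.
     * A token without an {@code exp} claim is reported as expired.
     *
     * @return {@code true} if {@code exp} is absent or at least the skew allowance in the past
     */
    public boolean isExpired() {
        // This method is public and can be reached without isContentValid()'s presence check.
        // Fail closed on a missing exp instead of dereferencing the expiration time
        // (presumably null when the claim is absent; confirm against JwtClaimsSet).
        if (!contains("exp")) {
            return true;
        }
        return this.jwt.getClaimsSet().getExpirationTime().getTime() <= this.timeService.now() - SKEW_ALLOWANCE;
    }

    /** Returns {@code true} if {@code nbf} is present and still more than the skew allowance in the future. */
    private boolean isNowBeforeNbf() {
        return (this.jwt.getClaimsSet().get("nbf").getObject() != null) && this.timeService.now() + SKEW_ALLOWANCE < this.jwt.getClaimsSet().getNotBeforeTime().getTime();
    }

    /**
     * Returns {@code true} if {@code iat} is present and older than {@link #UNREASONABLE_LIFETIME_LIMIT}.
     * An {@code iat} in the future is not rejected here.
     */
    private boolean isIssuedAtUnreasonable() {
        return (this.jwt.getClaimsSet().get("iat").getObject() != null) && this.jwt.getClaimsSet().getIssuedAtTime().getTime() < this.timeService.now() - UNREASONABLE_LIFETIME_LIMIT;
    }

    /**
     * Reports whether the {@code aud} claim lists the given audience.
     *
     * @param str the audience value the caller expects
     * @return {@code true} if {@code aud} is present and contains {@code str}
     */
    public boolean isIntendedForAudience(String str) {
        // Reachable without isContentValid(): a token with no aud claim matches no audience.
        return contains("aud") && this.jwt.getClaimsSet().getAudience().contains(str);
    }

    /**
     * Returns the {@code sub} claim. The value is only trustworthy once
     * {@link #isValid(SigningHandler)} has returned {@code true}.
     */
    public String getSubject() {
        return this.jwt.getClaimsSet().getSubject();
    }

    /** Returns the underlying parsed JWT. */
    public SignedJwt getSignedJwt() {
        return this.jwt;
    }
}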
