package org.forgerock.openam.oauth2;

import com.google.common.annotations.VisibleForTesting;
import com.iplanet.sso.SSOException;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.forgerock.http.util.MultiValueMap;
import org.forgerock.jaspi.modules.openid.exceptions.FailedToLoadJWKException;
import org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException;
import org.forgerock.jaspi.modules.openid.helpers.JWKSetParser;
import org.forgerock.jaspi.modules.openid.resolvers.SharedSecretOpenIdResolverImpl;
import org.forgerock.jaspi.modules.openid.resolvers.service.OpenIdResolverService;
import org.forgerock.json.jose.exceptions.JweException;
import org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.json.jose.jwk.JWKSet;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.oauth2.core.ClientType;
import org.forgerock.oauth2.core.OAuth2Jwt;
import org.forgerock.oauth2.core.OAuth2ProviderSettings;
import org.forgerock.oauth2.core.PEMDecoder;
import org.forgerock.oauth2.core.exceptions.ClientAuthenticationFailureFactory;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.oauth2.OAuthProblemException;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.JsonValueBuilder;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openidconnect.Client;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.restlet.Request;

/* loaded from: input_file:org/forgerock/openam/oauth2/OpenAMClientRegistration.class */
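/**
 * OAuth 2.0 / OpenID Connect client registration backed by an {@link AMIdentity} agent profile.
 * <p>
 * Every accessor reads its {@code com.forgerock.openam.oauth2provider.*} attribute from the
 * identity repository on each call; nothing is cached on this object. Repository failures are
 * surfaced through {@code Utils.createException} (or, for {@link #getAttribute(String)}, as an
 * {@link OAuthProblemException}) rather than being swallowed.
 * <p>
 * Security-relevant behaviour lives in {@link #verifyJwtIdentity(OAuth2Jwt)} (client JWT
 * verification), {@link #getIDTokenEncryptionKey()} (ID token encryption key selection) and
 * {@link #getSubValue(String, OAuth2ProviderSettings)} (pairwise subject derivation).
 */
public class OpenAMClientRegistration implements OpenIdConnectClientRegistration {

    /** Regex splitting the {@code value|locale|text} attribute encoding used for names, scopes and claims. */
    private static final String DELIMITER = "\\|";

    /**
     * Orders translation entries most specific first: entries with more fields come first, and
     * among entries with the same number of fields the longer locale tag (e.g. {@code en_GB}
     * before {@code en}) wins. Lengths are small non-negative ints, so subtraction cannot overflow.
     */
    private static final Comparator<? super String[]> I18N_SPECIFICITY_COMPARATOR = new Comparator<String[]>() {
        @Override
        public int compare(String[] left, String[] right) {
            if (left.length == right.length) {
                return right[0].length() - left[0].length();
            }
            return right.length - left.length;
        }
    };

    private final AMIdentity amIdentity;
    private final PEMDecoder pemDecoder;
    private final OpenIdResolverService resolverService;
    /**
     * SHA-256 instance used for pairwise subject derivation. {@link MessageDigest} is not
     * thread-safe; this assumes a registration instance is not shared across threads — TODO confirm
     * against the registration store that creates these objects.
     */
    private final MessageDigest digest;
    private final OAuth2ProviderSettings providerSettings;
    private final Debug logger = Debug.getInstance("OAuth2Provider");
    private final SigningManager signingManager = new SigningManager();

    /**
     * Creates a registration view over an agent identity.
     *
     * @param aMIdentity the client's identity; all attributes are read from it lazily
     * @param pEMDecoder decoder for PEM-encoded keys and certificates stored on the identity
     * @param openIdResolverService cache of per-issuer JWK resolvers used by the jwks_uri path
     * @param oAuth2ProviderSettings provider-level settings (lifetime defaults, translations, hash salt)
     * @param clientAuthenticationFailureFactory used only to report a JVM without SHA-256
     * @throws InvalidClientException if SHA-256 is unavailable, so the failure surfaces at
     *         construction rather than on the first pairwise sub computation
     */
    public OpenAMClientRegistration(AMIdentity aMIdentity, PEMDecoder pEMDecoder, OpenIdResolverService openIdResolverService, OAuth2ProviderSettings oAuth2ProviderSettings, ClientAuthenticationFailureFactory clientAuthenticationFailureFactory) throws InvalidClientException {
        this.amIdentity = aMIdentity;
        this.pemDecoder = pEMDecoder;
        this.resolverService = openIdResolverService;
        this.providerSettings = oAuth2ProviderSettings;
        try {
            this.digest = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw clientAuthenticationFailureFactory.getException("SHA-256 algorithm MessageDigest not available");
        }
    }

    /** @return the registered redirect URIs (may be empty). */
    @Override
    public Set<URI> getRedirectUris() {
        return Utils.getAttributeValuesAsUris(this.amIdentity, "com.forgerock.openam.oauth2provider.redirectionURIs", this.logger);
    }

    /** @return the registered post-logout redirect URIs (may be empty). */
    @Override
    public Set<URI> getPostLogoutRedirectUris() {
        return Utils.getAttributeValuesAsUris(this.amIdentity, "com.forgerock.openam.oauth2provider.postLogoutRedirectURI", this.logger);
    }

    /** @return the response types this client is allowed to request. */
    @Override
    public Set<String> getAllowedResponseTypes() {
        return Utils.getAttributeValuesAsSet(this.amIdentity, "com.forgerock.openam.oauth2provider.responseTypes", this.logger);
    }

    /**
     * @return the client secret stored in the {@code userpassword} attribute. Callers must not
     *         log or echo the returned value.
     */
    @Override
    public String getClientSecret() {
        return Utils.getAttributeValueFromSet(this.amIdentity, "userpassword", this.logger);
    }

    /** @return the client id, which is the identity's name. */
    @Override
    public String getClientId() {
        return this.amIdentity.getName();
    }

    /** @return always {@code "Bearer"}; no other token type is issued. */
    @Override
    public String getAccessTokenType() {
        return "Bearer";
    }

    /**
     * Reads a display-name style attribute and splits each value into its locale/text fields.
     *
     * @param attributeName the attribute to read
     * @return the parsed entries, or {@code null} when the attribute holds no values
     */
    private List<String[]> getDisplayName(String attributeName) {
        try {
            return (List) splitPipeDelimited(Utils.stripAttributeNameFromValue(this.amIdentity.getAttribute(attributeName)), "name").get("name");
        } catch (Exception e) {
            // Name the attribute actually read: this helper also serves "clientName".
            throw Utils.createException(attributeName, e, this.logger);
        }
    }

    /**
     * Splits pipe-delimited attribute values into field arrays.
     *
     * @param values raw attribute values; {@code null} entries are skipped
     * @param key when non-null every split array is stored under this single key; when null the
     *        first field becomes the key and the remaining fields the value
     * @return a multi-map of key to split arrays
     */
    @VisibleForTesting
    MultiValueMap<String, String[]> splitPipeDelimited(Set<String> values, String key) {
        MultiValueMap<String, String[]> result = new MultiValueMap<>(new HashMap());
        for (String value : values) {
            if (value == null) {
                continue;
            }
            // NOTE(review): indexOf() can never equal length(), so the two-field split is dead and
            // every value is split into at most three fields. Kept as-is pending confirmation of intent.
            String[] fields = value.indexOf("|") == value.length() ? value.split(DELIMITER, 2) : value.split(DELIMITER, 3);
            if (key != null) {
                result.add(key, fields);
            } else {
                result.add(fields[0], Arrays.copyOfRange(fields, 1, fields.length));
            }
        }
        return result;
    }

    /**
     * @param locale the requested locale
     * @return the localised client name, falling back from the {@code name} attribute to
     *         {@code clientName}, or {@code null} when neither is set
     */
    @Override
    public String getDisplayName(Locale locale) {
        List<String[]> entries = getDisplayName("com.forgerock.openam.oauth2provider.name");
        if (entries == null || entries.isEmpty()) {
            entries = getDisplayName("com.forgerock.openam.oauth2provider.clientName");
        }
        return findLocaleSpecificString(entries, locale);
    }

    /** @return the parsed description entries, or {@code null} when the attribute is unset. */
    private List<String[]> getDisplayDescription() {
        try {
            return (List) splitPipeDelimited(Utils.stripAttributeNameFromValue(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.description")), "name").get("name");
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.description", e, this.logger);
        }
    }

    /**
     * @param locale the requested locale
     * @return the localised client description, or {@code null} when none is configured
     */
    @Override
    public String getDisplayDescription(Locale locale) {
        return findLocaleSpecificString(getDisplayDescription(), locale);
    }

    /**
     * Picks the entry whose locale tag matches the most specific candidate from
     * {@link #languageStrings(Locale)}. Any entry that is not a {@code [locale, text]} pair is
     * treated as an untagged default and returned when no tag matches.
     *
     * @param entries split attribute entries; may be {@code null}
     * @param locale the requested locale
     * @return the matching text, the last untagged default seen, or {@code null}
     */
    @VisibleForTesting
    String findLocaleSpecificString(Collection<String[]> entries, Locale locale) {
        if (entries == null) {
            return null;
        }
        String fallback = null;
        for (String language : languageStrings(locale)) {
            for (String[] entry : entries) {
                if (entry.length != 2) {
                    fallback = entry[0];
                } else if (entry[0].equalsIgnoreCase(language)) {
                    return entry[1];
                }
            }
        }
        return fallback;
    }

    /** @return raw (possibly pipe-delimited) allowed scope values. */
    private Set<String> getAllowedGrantScopes() {
        try {
            return Utils.stripAttributeNameFromValue(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.scopes"));
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.scopes", e, this.logger);
        }
    }

    /** @return raw (possibly pipe-delimited) claim values. */
    private Set<String> getClaimStrings() {
        try {
            return Utils.stripAttributeNameFromValue(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.claims"));
        } catch (Exception e) {
            // Report the claims attribute, not the scopes attribute, on failure.
            throw Utils.createException("com.forgerock.openam.oauth2provider.claims", e, this.logger);
        }
    }

    /**
     * Expands a locale into lookup candidates from most to least specific, e.g. {@code en_GB_x}
     * yields {@code [en_GB_x, en_GB, en]}. Intermediate tags ending in {@code _} are skipped.
     *
     * @param locale the locale to expand
     * @return candidate locale tags, most specific first
     */
    @VisibleForTesting
    List<String> languageStrings(Locale locale) {
        List<String> candidates = new ArrayList<>();
        String tag = locale.toString();
        for (int underscore = tag.lastIndexOf('_'); underscore > -1; underscore = tag.lastIndexOf('_')) {
            if (!tag.endsWith("_")) {
                candidates.add(tag);
            }
            tag = tag.substring(0, underscore);
        }
        if (!tag.isEmpty()) {
            candidates.add(tag);
        }
        return candidates;
    }

    /**
     * @param locale the requested locale
     * @return scope name to localised description for the client's allowed and default scopes,
     *         with provider-level translations as a fallback
     * @throws ServerException if provider translations cannot be read
     */
    @Override
    public Map<String, String> getScopeDescriptions(Locale locale) throws ServerException {
        Set<String> scopes = new HashSet<>();
        scopes.addAll(getAllowedGrantScopes());
        scopes.addAll(getDefaultGrantScopes());
        return getTranslations(locale, scopes, this.providerSettings.getSupportedScopesWithTranslations());
    }

    /**
     * @param locale the requested locale
     * @return claim name to localised description for the client's claims
     * @throws ServerException if provider translations cannot be read
     */
    @Override
    public Map<String, String> getClaimDescriptions(Locale locale) throws ServerException {
        return getTranslations(locale, new HashSet<>(getClaimStrings()), this.providerSettings.getSupportedClaimsWithTranslations());
    }

    /**
     * Merges client-level and provider-level translations. Client entries win; provider entries
     * fill in keys the client did not mention, and only provider entries fall back to the key
     * itself when no text is available.
     *
     * @param locale the requested locale
     * @param clientValues raw client-level pipe-delimited values
     * @param providerValues raw provider-level pipe-delimited values
     * @return insertion-ordered key to text map
     */
    private Map<String, String> getTranslations(Locale locale, Set<String> clientValues, Set<String> providerValues) {
        Map<String, String> translations = new LinkedHashMap<>();
        Set<String> suppressed = new HashSet<>();
        if (clientValues.isEmpty() && providerValues.isEmpty()) {
            return translations;
        }
        MultiValueMap<String, String[]> clientEntries = splitPipeDelimited(clientValues, null);
        List<String> languages = languageStrings(locale);
        for (Map.Entry entry : clientEntries.entrySet()) {
            setTranslation(languages, (String) entry.getKey(), (List) entry.getValue(), translations, suppressed, false);
        }
        for (Map.Entry entry : splitPipeDelimited(providerValues, null).entrySet()) {
            String key = (String) entry.getKey();
            // A key the client already translated, or explicitly blanked, is not overridden.
            if (!translations.containsKey(key) && !suppressed.contains(key)) {
                setTranslation(languages, key, (List) entry.getValue(), translations, suppressed, true);
            }
        }
        return translations;
    }

    /**
     * Stores the best translation for one key, or records the key as suppressed when the chosen
     * entry is blank.
     *
     * @param languages candidate locale tags, most specific first
     * @param key the scope or claim name
     * @param entries split entries for the key; sorted in place by specificity
     * @param translations output map
     * @param suppressed keys whose chosen entry was blank
     * @param fallbackToKey when true and nothing matches, map the key to itself
     */
    private void setTranslation(List<String> languages, String key, List<String[]> entries, Map<String, String> translations, Set<String> suppressed, boolean fallbackToKey) {
        if (entries == null) {
            return;
        }
        Collections.sort(entries, I18N_SPECIFICITY_COMPARATOR);
        for (String language : languages) {
            for (String[] entry : entries) {
                if (entry.length == 2 && entry[0].equals(language)) {
                    if (StringUtils.isNotBlank(entry[1])) {
                        translations.put(key, entry[1]);
                    } else {
                        suppressed.add(key);
                    }
                    return;
                }
            }
        }
        for (String[] entry : entries) {
            if (entry.length == 1) {
                if (StringUtils.isNotBlank(entry[0])) {
                    translations.put(key, entry[0]);
                } else {
                    suppressed.add(key);
                }
                return;
            }
        }
        if (fallbackToKey) {
            translations.put(key, key);
        }
    }

    /** @return raw (possibly pipe-delimited) default scope values. */
    private Set<String> getDefaultGrantScopes() {
        try {
            return Utils.stripAttributeNameFromValue(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.defaultScopes"));
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.defaultScopes", e, this.logger);
        }
    }

    /** @return the sorted set of default scope names, translations stripped. */
    @Override
    public Set<String> getDefaultScopes() {
        return parseScope(getDefaultGrantScopes());
    }

    /**
     * Reduces {@code scope|locale|text} values to their scope name.
     *
     * @param values raw attribute values
     * @return sorted scope names
     */
    private Set<String> parseScope(Set<String> values) {
        Set<String> names = new TreeSet<>();
        for (String value : values) {
            int pipe = value.indexOf("|");
            names.add(pipe == -1 ? value : value.substring(0, pipe));
        }
        return names;
    }

    /** @return the sorted set of allowed scope names, translations stripped. */
    @Override
    public Set<String> getAllowedScopes() {
        return parseScope(getAllowedGrantScopes());
    }

    /** @return true when the client type attribute is {@code CONFIDENTIAL}. */
    @Override
    public boolean isConfidential() {
        return ClientType.CONFIDENTIAL.equals(getClientType());
    }

    /** @return the client session URI; fails (wrapped) when the attribute is unset. */
    @Override
    public String getClientSessionURI() {
        try {
            return (String) this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.clientSessionURI").iterator().next();
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.clientSessionURI", e, this.logger);
        }
    }

    /**
     * @return {@link ClientType#CONFIDENTIAL} when the attribute equals {@code CONFIDENTIAL}
     *         (case-insensitive); any other value yields {@link ClientType#PUBLIC}. An unset
     *         attribute is reported as a failure rather than defaulted.
     */
    public ClientType getClientType() {
        try {
            String type = (String) this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.clientType").iterator().next();
            return type.equalsIgnoreCase("CONFIDENTIAL") ? ClientType.CONFIDENTIAL : ClientType.PUBLIC;
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.clientType", e, this.logger);
        }
    }

    /** @return authorization code lifetime in milliseconds, client override or provider default. */
    @Override
    public long getAuthorizationCodeLifeTime(OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        return getTokenLifeTime("com.forgerock.openam.oauth2provider.authorizationCodeLifeTime", oAuth2ProviderSettings.getAuthorizationCodeLifetime());
    }

    /** @return access token lifetime in milliseconds, client override or provider default. */
    @Override
    public long getAccessTokenLifeTime(OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        return getTokenLifeTime("com.forgerock.openam.oauth2provider.accessTokenLifeTime", oAuth2ProviderSettings.getAccessTokenLifetime());
    }

    /** @return refresh token lifetime in milliseconds, client override or provider default. */
    @Override
    public long getRefreshTokenLifeTime(OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        return getTokenLifeTime("com.forgerock.openam.oauth2provider.refreshTokenLifeTime", oAuth2ProviderSettings.getRefreshTokenLifetime());
    }

    /** @return ID token lifetime in milliseconds, client override or provider default. */
    @Override
    public long getJwtTokenLifeTime(OAuth2ProviderSettings oAuth2ProviderSettings) throws ServerException {
        return getTokenLifeTime("com.forgerock.openam.oauth2provider.jwtTokenLifeTime", oAuth2ProviderSettings.getOpenIdTokenLifetime());
    }

    /**
     * Resolves a lifetime: the client attribute in seconds when set and non-zero, otherwise the
     * provider default, converted to milliseconds.
     *
     * @param attributeName the client lifetime attribute
     * @param providerDefaultSeconds fallback in seconds
     * @return lifetime in milliseconds
     */
    private long getTokenLifeTime(String attributeName, long providerDefaultSeconds) {
        try {
            Set attribute = this.amIdentity.getAttribute(attributeName);
            long seconds = 0;
            if (attribute != null && !attribute.isEmpty()) {
                seconds = Long.parseLong((String) attribute.iterator().next());
            }
            if (seconds == 0) {
                seconds = providerDefaultSeconds;
            }
            return seconds * 1000;
        } catch (SSOException | IdRepoException | NumberFormatException e) {
            // A malformed lifetime value is reported like any other unreadable attribute.
            throw Utils.createException(attributeName, e, this.logger);
        }
    }

    /** @return the configured {@code id_token_signed_response_alg} name, or {@code null} if unset. */
    @Override
    public String getIDTokenSignedResponseAlgorithm() {
        try {
            Set attribute = this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg");
            return attribute.iterator().hasNext() ? (String) attribute.iterator().next() : null;
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.idTokenSignedResponseAlg", e, this.logger);
        }
    }

    /** @return true only when the attribute is present and parses as {@code true}. */
    @Override
    public boolean isIDTokenEncryptionEnabled() {
        try {
            Set attribute = this.amIdentity.getAttribute("idTokenEncryptionEnabled");
            if (attribute == null || attribute.isEmpty()) {
                return false;
            }
            return Boolean.valueOf((String) attribute.iterator().next()).booleanValue();
        } catch (Exception e) {
            throw Utils.createException("idTokenEncryptionEnabled", e, this.logger);
        }
    }

    /** @return the JWE key-management algorithm name for ID tokens, or {@code null}. */
    @Override
    public String getIDTokenEncryptionResponseAlgorithm() {
        return getAttribute("idTokenEncryptionAlgorithm");
    }

    /** @return the JWE content-encryption method name for ID tokens, or {@code null}. */
    @Override
    public String getIDTokenEncryptionResponseMethod() {
        return getAttribute("idTokenEncryptionMethod");
    }

    /**
     * Selects the key used to encrypt ID tokens for this client, based on the configured JWE
     * algorithm: RSA algorithms use the client's registered public key, AES key-wrap and
     * {@code dir} derive a symmetric key from the client secret.
     *
     * @return the encryption key, or {@code null} when no algorithm (or, for RSA, no key) is configured
     */
    @Override
    public Key getIDTokenEncryptionKey() {
        String algorithmName = getIDTokenEncryptionResponseAlgorithm();
        if (algorithmName == null) {
            return null;
        }
        try {
            JweAlgorithm algorithm = JweAlgorithm.parseAlgorithm(algorithmName);
            switch (algorithm) {
                // RSA1_5 is kept for compatibility; it is padding-oracle prone and OAEP is preferred.
                case RSAES_PKCS1_V1_5:
                case RSA_OAEP:
                case RSA_OAEP_256:
                    return getRSAPublicEncryptionKey();
                case A128KW:
                    return getSymmetricEncryptionKey(128);
                case A192KW:
                    return getSymmetricEncryptionKey(192);
                case A256KW:
                    return getSymmetricEncryptionKey(256);
                case DIRECT:
                    // "dir" uses the content-encryption key directly, so its size is set by the method.
                    return getSymmetricEncryptionKey(EncryptionMethod.parseMethod(getIDTokenEncryptionResponseMethod()).getKeySize());
                default:
                    throw new JweException("Unknown JWE Algorithm: " + algorithm);
            }
        } catch (JweException e) {
            throw Utils.createException("encryption key", e, this.logger);
        }
    }

    /** @return the client's PEM-registered RSA public key, or {@code null} when none is stored. */
    private PublicKey getRSAPublicEncryptionKey() {
        try {
            Set attribute = this.amIdentity.getAttribute("idTokenPublicEncryptionKey");
            if (attribute == null || attribute.isEmpty()) {
                return null;
            }
            return this.pemDecoder.decodeRSAPublicKey((String) attribute.iterator().next());
        } catch (Exception e) {
            throw Utils.createException("idTokenPublicEncryptionKey", e, this.logger);
        }
    }

    /**
     * Derives an AES key from the client secret as the left-most {@code keySize} bits of a
     * SHA-2 hash of the secret (SHA-256 up to 256 bits, SHA-384 up to 384, SHA-512 above).
     * Only confidential clients have a secret strong enough for this to be meaningful.
     *
     * @param keySize key size in bits; at most 512
     * @return the derived AES key
     * @throws JweException if the key size is too large, the client is public, or hashing fails
     * @throws IllegalArgumentException if the client secret is missing
     */
    private SecretKey getSymmetricEncryptionKey(int keySize) {
        if (keySize > 512) {
            throw new JweException("Cannot derive symmetric key for keySize > 512 bits");
        }
        if (!isConfidential()) {
            throw new JweException("Symmetric encryption can only be used by confidential clients");
        }
        String hashAlgorithm;
        if (keySize <= 256) {
            hashAlgorithm = "SHA-256";
        } else if (keySize <= 384) {
            hashAlgorithm = "SHA-384";
        } else {
            hashAlgorithm = "SHA-512";
        }
        String clientSecret = getClientSecret();
        if (StringUtils.isEmpty(clientSecret)) {
            throw new IllegalArgumentException("client secret must not be null.");
        }
        try {
            byte[] hash = MessageDigest.getInstance(hashAlgorithm).digest(clientSecret.getBytes(StandardCharsets.UTF_8));
            return new SecretKeySpec(Arrays.copyOfRange(hash, 0, keySize / 8), "AES");
        } catch (GeneralSecurityException e) {
            throw new JweException(e);
        }
    }

    /** @return the token endpoint auth method, defaulting to {@code client_secret_basic}. */
    @Override
    public String getTokenEndpointAuthMethod() {
        try {
            Set attribute = this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.tokenEndPointAuthMethod");
            if (CollectionUtils.isNotEmpty(attribute)) {
                return (String) attribute.iterator().next();
            }
            return Client.TokenEndpointAuthMethod.CLIENT_SECRET_BASIC.getType();
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.tokenEndPointAuthMethod", e, this.logger);
        }
    }

    /** @return the subject type, defaulting to {@code public}. */
    @Override
    public String getSubjectType() {
        try {
            return (String) CollectionUtils.getFirstItem(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.subjectType"), Client.SubjectType.PUBLIC.getType());
        } catch (Exception e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.subjectType", e, this.logger);
        }
    }

    /**
     * Verifies that a JWT was produced by this client. The verification key source is chosen by
     * the registered {@code id_token_signed_response_alg}: an HMAC algorithm uses the client
     * secret, anything else uses the registered public key location (inline JWKS, jwks_uri or
     * X.509 certificate).
     * <p>
     * The algorithm is read inside the try block so a missing or unknown algorithm name is
     * reported as the same server error as any other key lookup failure instead of escaping as
     * a {@code NullPointerException} / {@code IllegalArgumentException}.
     *
     * @param oAuth2Jwt the JWT to verify
     * @return true if the signature (and, per path, the content) verifies
     */
    @Override
    public boolean verifyJwtIdentity(OAuth2Jwt oAuth2Jwt) {
        try {
            String algorithmName = getIDTokenSignedResponseAlgorithm();
            if (algorithmName == null) {
                throw new IllegalStateException("No id_token_signed_response_alg configured for client " + getClientId());
            }
            if (JwsAlgorithm.valueOf(algorithmName).getAlgorithmType() == JwsAlgorithmType.HMAC) {
                return verifyJwtBySharedSecret(oAuth2Jwt);
            }
            switch (getClientPublicKeySelector()) {
                case JWKS:
                    return byJWKs(oAuth2Jwt);
                case JWKS_URI:
                    return byJWKsURI(oAuth2Jwt);
                default:
                    return byX509Key(oAuth2Jwt);
            }
        } catch (Exception e) {
            throw Utils.createException("Client Bearer Jwt Public key", e, this.logger);
        }
    }

    /** @return true when consent is configured as implied for this client. */
    @Override
    public boolean isConsentImplied() {
        return Boolean.parseBoolean(getAttribute("isConsentImplied"));
    }

    /**
     * Verifies an HMAC-signed JWT against the client secret, then checks content validity and
     * that the JWT is intended for this client id.
     * <p>
     * NOTE(review): the resolver's expected issuer is taken from the JWT's own {@code iss} claim,
     * so the issuer check here is self-referential; the audience check against the client id is
     * the binding to this client. Confirm that callers enforce the expected issuer separately.
     *
     * @param oAuth2Jwt the JWT to verify
     * @return true if signature, content and audience all check out
     */
    private boolean verifyJwtBySharedSecret(OAuth2Jwt oAuth2Jwt) {
        try {
            String issuer = oAuth2Jwt.getSignedJwt().getClaimsSet().getIssuer();
            new SharedSecretOpenIdResolverImpl(issuer, getClientSecret()).validateIdentity(oAuth2Jwt.getSignedJwt());
            return oAuth2Jwt.isContentValid() && oAuth2Jwt.isIntendedForAudience(getClientId());
        } catch (OpenIdConnectVerificationException e) {
            return false;
        }
    }

    /**
     * Verifies a JWT against the client's inline JWK set, selecting the key by the JWT header's
     * {@code kid}. Content validity is checked as well, matching the shared-secret and jwks_uri
     * paths.
     * <p>
     * NOTE(review): an {@code oct} (symmetric) JWK in the set would be used for HMAC verification
     * even though this path is only reached for a non-HMAC configured algorithm; whether
     * {@code isValid} also enforces the JWT's {@code alg} header is not visible here — confirm.
     *
     * @param oAuth2Jwt the JWT to verify
     * @return true if a key with the JWT's {@code kid} exists and the JWT verifies under it
     * @throws OAuthProblemException if no JWK set is registered
     */
    private boolean byJWKs(OAuth2Jwt oAuth2Jwt) throws IdRepoException, SSOException, MalformedURLException, FailedToLoadJWKException {
        String jwkSetJson = (String) CollectionUtils.getFirstItem(this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.jwks"));
        if (jwkSetJson == null) {
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "No Client Bearer JWK set.");
        }
        JWKSet jwkSet = new JWKSet(JsonValueBuilder.toJsonValue(jwkSetJson).get("keys"));
        String keyId = oAuth2Jwt.getSignedJwt().getHeader().getKeyId();
        Key key = (Key) new JWKSetParser(0, 0).jwkSetToMap(jwkSet).get(keyId);
        if (key == null) {
            return false;
        }
        return oAuth2Jwt.isValid(getSigningHandlerForKey(key)) && oAuth2Jwt.isContentValid();
    }

    /**
     * Builds a verification handler for a key taken from a JWK set.
     *
     * @param key an RSA public key, EC public key or symmetric secret key
     * @return the matching handler
     * @throws IllegalArgumentException for any other key type
     */
    private SigningHandler getSigningHandlerForKey(Key key) {
        if (key instanceof RSAPublicKey) {
            return this.signingManager.newRsaSigningHandler(key);
        }
        if (key instanceof ECPublicKey) {
            return this.signingManager.newEcdsaVerificationHandler((ECPublicKey) key);
        }
        if (key instanceof SecretKey) {
            return this.signingManager.newHmacSigningHandler(key.getEncoded());
        }
        throw new IllegalArgumentException("Unsupported verification key type");
    }

    /**
     * Verifies a JWT using keys fetched from the client's registered {@code jwks_uri}, via the
     * shared per-issuer resolver cache.
     * <p>
     * NOTE(review): the resolver cache is keyed by the JWT's {@code iss} claim, not by client id.
     * If a resolver already exists for that issuer string it is used as-is and this client's
     * jwks_uri is never consulted; confirm that {@code iss} is required to equal the client id
     * upstream so one client's JWT cannot be verified against another client's resolver.
     *
     * @param oAuth2Jwt the JWT to verify
     * @return true if the signature verifies and the content is valid
     * @throws OAuthProblemException if no jwks_uri is registered or the resolver cannot be set up
     */
    private boolean byJWKsURI(OAuth2Jwt oAuth2Jwt) throws IdRepoException, SSOException, MalformedURLException {
        Set attribute = this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.jwksURI");
        if (attribute == null || attribute.isEmpty()) {
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "No Client Bearer JWKs_URI set.");
        }
        String jwksUri = (String) attribute.iterator().next();
        String issuer = oAuth2Jwt.getSignedJwt().getClaimsSet().getIssuer();
        try {
            if (this.resolverService.getResolverForIssuer(issuer) == null
                    && !this.resolverService.configureResolverWithJWK(issuer, new URL(jwksUri))) {
                throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "Unable to configure internal JWK resolver service.");
            }
            this.resolverService.getResolverForIssuer(issuer).validateIdentity(oAuth2Jwt.getSignedJwt());
            return oAuth2Jwt.isContentValid();
        } catch (OpenIdConnectVerificationException e) {
            return false;
        }
    }

    /**
     * Verifies a JWT against the public key of the client's registered X.509 certificate. Only
     * RSA verification is attempted; a certificate with a non-RSA key will not verify. Content
     * validity is checked as well, matching the other verification paths.
     *
     * @param oAuth2Jwt the JWT to verify
     * @return true if the signature verifies and the content is valid
     * @throws OAuthProblemException if no certificate is registered
     */
    private boolean byX509Key(OAuth2Jwt oAuth2Jwt) throws IdRepoException, SSOException, CertificateException {
        Set attribute = this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.clientJwtPublicKey");
        if (attribute == null || attribute.isEmpty()) {
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "No Client Bearer Jwt Public key certificate set");
        }
        PublicKey publicKey = this.pemDecoder.decodeX509Certificate((String) attribute.iterator().next()).getPublicKey();
        return oAuth2Jwt.isValid(this.signingManager.newRsaSigningHandler(publicKey)) && oAuth2Jwt.isContentValid();
    }

    /** @return where the client's public key is published (inline JWKS, jwks_uri or X.509). */
    private Client.PublicKeySelector getClientPublicKeySelector() {
        try {
            return Client.PublicKeySelector.fromString((String) this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.publicKeyLocation").iterator().next());
        } catch (IdRepoException | SSOException e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.publicKeyLocation", e, this.logger);
        }
    }

    /** @return the registered {@code sector_identifier_uri}, or {@code null} when unset. */
    @Override
    public URI getSectorIdentifierUri() {
        try {
            Set attribute = this.amIdentity.getAttribute("com.forgerock.openam.oauth2provider.sectorIdentifierURI");
            return attribute.iterator().hasNext() ? new URI((String) attribute.iterator().next()) : null;
        } catch (SSOException | IdRepoException | URISyntaxException e) {
            throw Utils.createException("com.forgerock.openam.oauth2provider.sectorIdentifierURI", e, this.logger);
        }
    }

    /**
     * Computes the {@code sub} value to issue for a user. Public-subject clients receive the
     * local id unchanged; pairwise clients receive a hash bound to the client's sector.
     * <p>
     * The sector is the host of the {@code sector_identifier_uri} when registered. Otherwise it
     * is the host of the redirect URIs, which is only well-defined when there is one redirect
     * URI or all of them share a host; with differing hosts and no sector identifier the
     * registration is incomplete (OIDC Core 8.1) and {@code null} is returned. The original
     * condition tested the opposite and rejected same-host registrations.
     * <p>
     * NOTE(review): a redirect or sector URI without an authority has a {@code null} host, which
     * is hashed as the literal string "null" and would make such clients share a sector —
     * confirm whether authority-less redirect URIs can reach this path.
     *
     * @param localId the user's local identifier
     * @param oAuth2ProviderSettings provides the hash salt
     * @return the sub value, or {@code null} if a pairwise sector cannot be determined
     */
    @Override
    public String getSubValue(String localId, OAuth2ProviderSettings oAuth2ProviderSettings) {
        if (Client.SubjectType.fromString(getSubjectType()) != Client.SubjectType.PAIRWISE) {
            return localId;
        }
        final String host;
        URI sectorIdentifierUri = getSectorIdentifierUri();
        if (sectorIdentifierUri != null) {
            host = sectorIdentifierUri.getHost();
        } else {
            Set<URI> redirectUris = getRedirectUris();
            if (redirectUris.isEmpty()) {
                this.logger.message("Must configure sector identifier uri or a redirect uri to derive a pairwise sub.");
                return null;
            }
            if (redirectUris.size() != 1 && !allRedirectUrisShareHost(redirectUris)) {
                this.logger.message("Must configure sector identifier uri when multiple redirect uris are specified.");
                return null;
            }
            host = redirectUris.iterator().next().getHost();
        }
        return subValueFromHost(host, localId, oAuth2ProviderSettings);
    }

    /**
     * Pairwise sub = Base64(SHA-256(sector_host || local_id || salt)), as in OIDC Core 8.1.
     *
     * @param host the sector identifier host
     * @param localId the user's local identifier
     * @param oAuth2ProviderSettings provides the hash salt
     * @return the encoded hash, or {@code null} if the salt cannot be read
     */
    private String subValueFromHost(String host, String localId, OAuth2ProviderSettings oAuth2ProviderSettings) {
        try {
            byte[] input = (host + localId + oAuth2ProviderSettings.getHashSalt()).getBytes(StandardCharsets.UTF_8);
            return Base64.encode(this.digest.digest(input));
        } catch (ServerException e) {
            this.logger.message("Unable to encrypt the sub value for user.");
            return null;
        }
    }

    /**
     * @param redirectUris a non-empty set of redirect URIs
     * @return true when every URI has the same host as the first (null hosts compare equal to
     *         each other and unequal to any non-null host)
     */
    private boolean allRedirectUrisShareHost(Set<URI> redirectUris) {
        String firstHost = redirectUris.iterator().next().getHost();
        for (URI redirectUri : redirectUris) {
            if (!Objects.equals(firstHost, redirectUri.getHost())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reads the first value of an attribute.
     *
     * @param attributeName the attribute to read
     * @return the first value, or {@code null} when the attribute has none
     * @throws OAuthProblemException if the repository lookup fails
     */
    private String getAttribute(String attributeName) {
        try {
            Set attribute = this.amIdentity.getAttribute(attributeName);
            return attribute.iterator().hasNext() ? (String) attribute.iterator().next() : null;
        } catch (Exception e) {
            this.logger.error("Unable to get {} from repository", new Object[]{attributeName, e});
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "Unable to get " + attributeName + " from repository");
        }
    }
}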
