package io.gravitee.am.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
import com.nimbusds.jose.jca.JCASupport;
import com.nimbusds.jwt.SignedJWT;
import io.gravitee.am.common.exception.jwt.ExpiredJWTException;
import io.gravitee.am.common.exception.jwt.MalformedJWTException;
import io.gravitee.am.common.exception.jwt.PrematureJWTException;
import io.gravitee.am.common.exception.jwt.SignatureException;
import io.gravitee.am.common.jwt.JWT;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Instant;
import java.util.Map;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/am/jwt/DefaultJWTParser.class */
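/**
 * {@link JWTParser} that verifies a compact JWS with a single, pre-configured key and then
 * checks the {@code exp} and {@code nbf} claims.
 *
 * <p>The verifier family (RSA, EC or HMAC) is fixed by the Java type of the key handed to the
 * constructor, not by anything read from the token. Time-based claims are only evaluated after
 * the signature has been verified.
 *
 * <p>Serialized tokens are bearer credentials, so this class never writes the token string to
 * the log; only the outcome of the validation is logged.
 */
public class DefaultJWTParser implements JWTParser {
    private static final Logger logger = LoggerFactory.getLogger(DefaultJWTParser.class);
    public static final String NO_MATCHING_JWT_PARSER_FOR_KEY = "No matching JWT parser for key : ";
    private final JWSVerifier verifier;

    /**
     * Builds a parser bound to one verification key.
     *
     * @param key an {@link RSAPublicKey}, an {@link ECPublicKey} or a {@link SecretKey}
     * @throws InvalidKeyException if the key is of any other type, or if the underlying verifier
     *     rejects it
     */
    public DefaultJWTParser(Key key) throws InvalidKeyException {
        if (key instanceof PublicKey) {
            this.verifier = createPublicKeyVerifier((PublicKey) key);
            // When the default JCA providers do not offer PS256, route the verifier through
            // BouncyCastle instead.
            if (!JCASupport.isSupported(JWSAlgorithm.PS256)) {
                this.verifier.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
            }
        } else if (key instanceof SecretKey) {
            try {
                this.verifier = new MACVerifier((SecretKey) key);
            } catch (JOSEException e) {
                throw new InvalidKeyException(e);
            }
        } else {
            // A key that is neither public nor secret may well be a private key, and some
            // providers include key material in toString(); report only its type and algorithm.
            throw new InvalidKeyException(NO_MATCHING_JWT_PARSER_FOR_KEY + describeKey(key));
        }
    }

    /** Returns the signature verifier matching the concrete type of {@code publicKey}. */
    private static JWSVerifier createPublicKeyVerifier(PublicKey publicKey) throws InvalidKeyException {
        if (publicKey instanceof RSAPublicKey) {
            return new RSASSAVerifier((RSAPublicKey) publicKey);
        }
        if (publicKey instanceof ECPublicKey) {
            try {
                return new ECDSAVerifier((ECPublicKey) publicKey);
            } catch (JOSEException e) {
                throw new InvalidKeyException(e);
            }
        }
        throw new InvalidKeyException(NO_MATCHING_JWT_PARSER_FOR_KEY + describeKey(publicKey));
    }

    /** Describes a key for error messages without calling its {@code toString()}. */
    private static String describeKey(Key key) {
        if (key == null) {
            return "null";
        }
        return key.getClass().getName() + " (algorithm=" + key.getAlgorithm() + ")";
    }

    /**
     * Parses a serialized JWT, verifies its signature and validates {@code exp} and {@code nbf}
     * against the current time with no clock-skew allowance.
     *
     * @param str the serialized token
     * @return the verified claims
     * @throws MalformedJWTException if the token cannot be parsed
     * @throws SignatureException if the signature does not verify or verification fails
     * @throws ExpiredJWTException if {@code exp} is in the past
     * @throws PrematureJWTException if {@code nbf} is in the future
     */
    @Override
    public JWT parse(String str) {
        try {
            SignedJWT signedJwt = SignedJWT.parse(str);
            if (!signedJwt.verify(this.verifier)) {
                // Turned into a SignatureException by the catch clause below.
                throw new JOSEException("The signature was not verified");
            }
            // Claims are copied out of the payload only after the signature check has passed.
            Map<String, Object> claims = signedJwt.getPayload().toJSONObject().entrySet().stream()
                    .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
            JWT jwt = new JWT(claims);
            Instant now = Instant.now();
            evaluateExp(jwt.getExp(), now, 0L);
            evaluateNbf(jwt.getNbf(), now, 0L);
            return jwt;
        } catch (ParseException e) {
            logger.debug("JWT token is malformed");
            throw new MalformedJWTException("Token is malformed", e);
        } catch (JOSEException e) {
            logger.debug("Verifying JWT token signature has failed");
            throw new SignatureException("Token's signature is invalid", e);
        } catch (ExpiredJWTException e) {
            // Handled before the generic clause so that expiry is reported as such.
            logger.debug("JWT token is expired");
            throw new ExpiredJWTException("Token is expired", e);
        } catch (PrematureJWTException e) {
            // A premature token is correctly signed and becomes usable later: keep it out of logs.
            logger.debug("JWT token must not be accepted (nbf)");
            throw new PrematureJWTException("Token must not be accepted (nbf)", e);
        } catch (Exception e) {
            logger.error("An error occurs while parsing JWT token", e);
            throw e;
        }
    }

    /**
     * Rejects a token whose {@code nbf} instant has not been reached yet.
     *
     * <p>A value of {@code j} that is zero or negative disables the check.
     *
     * @param j the {@code nbf} claim, in seconds since the epoch
     * @param instant the time to compare against
     * @param j2 the clock skew reported in the error message
     * @throws PrematureJWTException if {@code instant} is before {@code nbf}
     */
    public static void evaluateNbf(long j, Instant instant, long j2) {
        if (j <= 0) {
            return;
        }
        Instant notBefore = Instant.ofEpochSecond(j);
        if (instant.isBefore(notBefore)) {
            long differenceMillis = notBefore.toEpochMilli() - instant.toEpochMilli();
            // NOTE(review): j2 is only reported here, it is not applied to the comparison above;
            // confirm whether a non-zero skew is meant to widen the acceptance window.
            throw new PrematureJWTException("JWT must not be accepted before " + notBefore + ". Current time: " + instant + ", a difference of " + differenceMillis + " milliseconds.  Allowed clock skew: " + j2 + " milliseconds.");
        }
    }

    /**
     * Rejects a token whose {@code exp} instant has passed.
     *
     * <p>A value of {@code j} that is zero or negative disables the check, so a token for which
     * the caller passes no positive {@code exp} is treated as never expiring.
     *
     * @param j the {@code exp} claim, in seconds since the epoch
     * @param instant the time to compare against
     * @param j2 the clock skew reported in the error message
     * @throws ExpiredJWTException if {@code instant} is after {@code exp}
     */
    public static void evaluateExp(long j, Instant instant, long j2) {
        if (j <= 0) {
            return;
        }
        Instant expiry = Instant.ofEpochSecond(j);
        if (instant.isAfter(expiry)) {
            long differenceMillis = instant.toEpochMilli() - expiry.toEpochMilli();
            // NOTE(review): j2 is only reported here, it is not applied to the comparison above;
            // confirm whether a non-zero skew is meant to widen the acceptance window.
            throw new ExpiredJWTException("JWT expired at " + expiry + ". Current time: " + instant + ", a difference of " + differenceMillis + " milliseconds.  Allowed clock skew: " + j2 + " milliseconds.");
        }
    }
}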
