package org.apache.kerby.kerberos.provider.token;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;

/* loaded from: input_file:org/apache/kerby/kerberos/provider/token/JwtTokenDecoder.class */
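/**
 * Decodes a serialized JWT (plain, signed, or encrypted with an optional nested
 * signed JWT) into an {@link AuthToken}, checking audience and validity window.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>A plain (unsecured) JWT, and an encrypted JWT whose payload is not a signed
 *       JWT, are decoded without any signature check. A non-null result therefore
 *       does not by itself prove authenticity; callers that require a signature
 *       must check {@link #isSigned()} after every decode.</li>
 *   <li>{@link #isSigned()} reflects only the most recent decode on this instance.
 *       The flag is plain instance state written by each decode, so an instance
 *       must not be shared between concurrent decodes.</li>
 * </ul>
 */
public class JwtTokenDecoder implements TokenDecoder {
    // Either an RSAPrivateKey or a byte[] shared secret; see getDecrypter().
    private Object decryptionKey;
    // Either an RSAPublicKey, an ECPublicKey or a byte[] shared secret; see getVerifier().
    private Object verifyKey;
    // Accepted audiences; null means the audience claim is not checked at all.
    private List<String> audiences = null;
    // True only when the most recently decoded token passed signature verification.
    private boolean signed = false;

    /**
     * Decodes a UTF-8 encoded serialized JWT.
     *
     * @param bArr the serialized token bytes
     * @return the decoded token, or {@code null} if a verification step rejected it
     * @throws IOException if the token cannot be parsed, decrypted or verified
     */
    public AuthToken decodeFromBytes(byte[] bArr) throws IOException {
        return decodeFromString(new String(bArr, StandardCharsets.UTF_8));
    }

    /**
     * Parses the serialized JWT and validates it according to its type.
     *
     * @param str the serialized token
     * @return the decoded token, or {@code null} when the signature, audience or
     *         time-window check fails
     * @throws IOException if the token cannot be parsed, decrypted, or its claims read,
     *         or if the parsed object is not a plain, signed or encrypted JWT
     */
    public AuthToken decodeFromString(String str) throws IOException {
        // Reset first: without this a reused decoder keeps reporting isSigned() == true
        // from an earlier signed token while handing back an unsigned one.
        this.signed = false;

        JWT jwt;
        try {
            jwt = JWTParser.parse(str);
        } catch (ParseException e) {
            throw new IOException("Failed to parse JWT token string", e);
        }

        if (jwt instanceof PlainJWT) {
            // No signature exists on this path; signed stays false.
            return verifyToken(jwt) ? toAuthToken(jwt) : null;
        }
        if (jwt instanceof EncryptedJWT) {
            EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
            decryptEncryptedJWT(encryptedJWT);
            SignedJWT nested = encryptedJWT.getPayload().toSignedJWT();
            if (nested == null) {
                // Encrypted-only token: decrypted but never signature-verified.
                return verifyToken(encryptedJWT) ? toAuthToken(encryptedJWT) : null;
            }
            return decodeSigned(nested);
        }
        if (jwt instanceof SignedJWT) {
            return decodeSigned((SignedJWT) jwt);
        }
        throw new IOException("Unexpected JWT type: " + jwt);
    }

    /** Verifies signature and claims of a signed JWT and marks the decode as signed on success. */
    private AuthToken decodeSigned(SignedJWT signedJWT) throws IOException {
        if (!verifySignedJWT(signedJWT) || !verifyToken(signedJWT)) {
            return null;
        }
        AuthToken token = toAuthToken(signedJWT);
        // Set only after the token object exists, so a failure never leaves the flag raised.
        this.signed = true;
        return token;
    }

    /** Wraps the claims of an already validated JWT, translating claim parse errors. */
    private AuthToken toAuthToken(JWT jwt) throws IOException {
        try {
            return new JwtAuthToken(jwt.getJWTClaimsSet());
        } catch (ParseException e) {
            throw new IOException("Failed to get JWT claims set", e);
        }
    }

    /**
     * Decrypts the given JWT in place with the configured decryption key.
     *
     * @param encryptedJWT the token to decrypt
     * @throws IOException if no usable key is configured or decryption fails
     */
    public void decryptEncryptedJWT(EncryptedJWT encryptedJWT) throws IOException {
        try {
            encryptedJWT.decrypt(getDecrypter());
        } catch (JOSEException | KrbException e) {
            throw new IOException("Failed to decrypt the encrypted JWT", e);
        }
    }

    /** Builds the decrypter from the configured key's Java type. */
    private JWEDecrypter getDecrypter() throws JOSEException, KrbException {
        if (this.decryptionKey instanceof RSAPrivateKey) {
            return new RSADecrypter((RSAPrivateKey) this.decryptionKey);
        }
        if (this.decryptionKey instanceof byte[]) {
            return new DirectDecrypter((byte[]) this.decryptionKey);
        }
        // Also reached when no key was set, or a non-RSA PrivateKey was supplied.
        throw new KrbException("An unknown decryption key was specified");
    }

    /**
     * Sets an asymmetric decryption key. Only {@link RSAPrivateKey} instances are
     * usable; any other type is stored but rejected at decrypt time.
     */
    public void setDecryptionKey(PrivateKey privateKey) {
        this.decryptionKey = privateKey;
    }

    /**
     * Sets a symmetric decryption key. The array is copied; {@code null} is stored
     * as an empty array rather than clearing the key.
     */
    public void setDecryptionKey(byte[] bArr) {
        this.decryptionKey = (bArr == null) ? new byte[0] : bArr.clone();
    }

    /**
     * Verifies the signature of the given JWT with the configured verification key.
     *
     * @param signedJWT the token to verify
     * @return {@code true} if the signature is valid
     * @throws IOException if no usable key is configured or verification cannot be performed
     */
    public boolean verifySignedJWT(SignedJWT signedJWT) throws IOException {
        try {
            return signedJWT.verify(getVerifier());
        } catch (JOSEException | KrbException e) {
            throw new IOException("Failed to verify the signed JWT", e);
        }
    }

    /**
     * Builds the verifier from the configured key's Java type. The token header is
     * not consulted here, so the family of acceptable algorithms is fixed by
     * configuration rather than by the sender.
     */
    private JWSVerifier getVerifier() throws JOSEException, KrbException {
        // NOTE(review): relies on the Nimbus verifier rejecting a header algorithm it
        // does not support for this key type - confirm for the library version in use.
        if (this.verifyKey instanceof RSAPublicKey) {
            return new RSASSAVerifier((RSAPublicKey) this.verifyKey);
        }
        if (this.verifyKey instanceof ECPublicKey) {
            return new ECDSAVerifier((ECPublicKey) this.verifyKey);
        }
        if (this.verifyKey instanceof byte[]) {
            return new MACVerifier((byte[]) this.verifyKey);
        }
        // Also reached when no key was set, or an unsupported PublicKey type was supplied.
        throw new KrbException("An unknown verify key was specified");
    }

    /**
     * Sets an asymmetric verification key. Only RSA and EC public keys are usable;
     * any other type is stored but rejected at verify time.
     */
    public void setVerifyKey(PublicKey publicKey) {
        this.verifyKey = publicKey;
    }

    /**
     * Sets a symmetric (HMAC) verification key. The array is copied; {@code null}
     * is stored as an empty array rather than clearing the key.
     */
    public void setVerifyKey(byte[] bArr) {
        this.verifyKey = (bArr == null) ? new byte[0] : bArr.clone();
    }

    /**
     * Sets the audiences this decoder accepts. Passing {@code null} disables the
     * audience check entirely. The list is stored by reference, not copied.
     */
    public void setAudiences(List<String> list) {
        this.audiences = list;
    }

    /** Runs the claim checks shared by every token type: audience, then time window. */
    private boolean verifyToken(JWT jwt) throws IOException {
        return verifyAudiences(jwt) && verifyExpiration(jwt);
    }

    /**
     * Accepts the token when no audiences are configured, or when at least one
     * audience in the token is among the configured ones.
     */
    private boolean verifyAudiences(JWT jwt) throws IOException {
        List<String> tokenAudiences;
        try {
            tokenAudiences = jwt.getJWTClaimsSet().getAudience();
        } catch (ParseException e) {
            throw new IOException("Failed to get JWT claims set", e);
        }
        if (this.audiences == null) {
            // No restriction configured: any audience, or none, is accepted.
            return true;
        }
        if (tokenAudiences == null) {
            // A restriction is configured but the token names no audience: reject
            // instead of failing with a NullPointerException.
            return false;
        }
        for (String candidate : tokenAudiences) {
            if (this.audiences.contains(candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the {@code exp} and {@code nbf} claims against the current time with
     * no clock-skew allowance. Either claim may be absent; a token without
     * {@code exp} is accepted as non-expiring.
     */
    private boolean verifyExpiration(JWT jwt) throws IOException {
        try {
            // One timestamp for both comparisons so they cannot straddle a boundary.
            Date now = new Date();
            Date expirationTime = jwt.getJWTClaimsSet().getExpirationTime();
            if (expirationTime != null && now.after(expirationTime)) {
                return false;
            }
            Date notBeforeTime = jwt.getJWTClaimsSet().getNotBeforeTime();
            return notBeforeTime == null || !now.before(notBeforeTime);
        } catch (ParseException e) {
            throw new IOException("Failed to get JWT claims set", e);
        }
    }

    /**
     * Reports whether the token returned by the most recent decode on this
     * instance passed signature verification.
     */
    public boolean isSigned() {
        return this.signed;
    }
}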
