package be.atbash.ee.security.octopus.nimbus.jwt.proc;

import be.atbash.ee.security.octopus.config.JwtSupportConfiguration;
import be.atbash.ee.security.octopus.jwt.InvalidJWTException;
import be.atbash.ee.security.octopus.jwt.JWTValidationConstant;
import be.atbash.ee.security.octopus.jwt.decoder.JWTVerifier;
import be.atbash.ee.security.octopus.keys.selector.AsymmetricPart;
import be.atbash.ee.security.octopus.keys.selector.KeySelector;
import be.atbash.ee.security.octopus.keys.selector.SelectorCriteria;
import be.atbash.ee.security.octopus.nimbus.jose.JOSEException;
import be.atbash.ee.security.octopus.nimbus.jose.JOSEObjectType;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.factories.DefaultJWEDecrypterFactory;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.factories.DefaultJWSVerifierFactory;
import be.atbash.ee.security.octopus.nimbus.jose.proc.BadJOSEException;
import be.atbash.ee.security.octopus.nimbus.jose.proc.JWEDecrypterFactory;
import be.atbash.ee.security.octopus.nimbus.jose.proc.JWSVerifierFactory;
import be.atbash.ee.security.octopus.nimbus.jwt.CommonJWTHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.EncryptedJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.JWT;
import be.atbash.ee.security.octopus.nimbus.jwt.JWTClaimsSet;
import be.atbash.ee.security.octopus.nimbus.jwt.KeyFamilyUtil;
import be.atbash.ee.security.octopus.nimbus.jwt.PlainJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.SignedJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.jwe.JWEDecrypter;
import be.atbash.ee.security.octopus.nimbus.jwt.jwe.JWEHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.jws.JWSVerifier;
import java.security.Key;
import java.text.ParseException;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:be/atbash/ee/security/octopus/nimbus/jwt/proc/DefaultJWTProcessor.class */
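/**
 * Default {@link JWTProcessor}: dispatches a parsed {@link JWT} to the signed, encrypted or
 * plain handling path, selects the verification / decryption key through the configured
 * {@link KeySelector}s and finally runs the configured {@link JWTVerifier} over the claims.
 *
 * <p>On most rejection paths a human-readable reason is stored in the SLF4J {@link MDC} under
 * {@link JWTValidationConstant#JWT_VERIFICATION_FAIL_REASON} before the exception is thrown, so
 * the caller can log why a token was refused.
 *
 * <p>The setters write plain (non-volatile) fields without synchronization: configure an
 * instance completely before sharing it between threads.
 */
public class DefaultJWTProcessor implements JWTProcessor {
    // Logger bound to this class (it was bound to KeySelector.class, which mis-attributed the
    // OCT-KEY-010 error to the selector package).
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultJWTProcessor.class);
    private KeySelector jwsKeySelector;
    private KeySelector jweKeySelector;
    // Header names whose "crit" handling is deferred to the caller; passed through to the verifier factory.
    private Set<String> defCritHeaders;
    private JWSVerifierFactory jwsVerifierFactory = new DefaultJWSVerifierFactory();
    private JWEDecrypterFactory jweDecrypterFactory = new DefaultJWEDecrypterFactory();
    // May be set to null through setJWTClaimsSetVerifier, in which case claims are NOT validated (see verifyClaims).
    private JWTVerifier claimsVerifier = new DefaultJWTClaimsVerifier();
    private final JwtSupportConfiguration jwtSupportConfiguration = JwtSupportConfiguration.getInstance();

    /**
     * Sets the selector used to find the key that verifies a signed JWT.
     *
     * @param keySelector selector consulted first for a PUBLIC, then for a SYMMETRIC key
     */
    @Override
    public void setJWSKeySelector(KeySelector keySelector) {
        this.jwsKeySelector = keySelector;
    }

    /**
     * Sets the selector used to find the key that decrypts an encrypted JWT.
     *
     * @param keySelector selector consulted first for a PRIVATE, then for a SYMMETRIC key
     */
    @Override
    public void setJWEKeySelector(KeySelector keySelector) {
        this.jweKeySelector = keySelector;
    }

    /**
     * Sets the "crit" header names the JWS verifier may leave for the application to handle.
     *
     * @param set deferred critical header names, handed to the {@link JWSVerifierFactory}
     */
    @Override
    public void setDeferredCritHeaders(Set<String> set) {
        this.defCritHeaders = set;
    }

    /**
     * Replaces the factory that builds {@link JWSVerifier}s.
     *
     * @param jWSVerifierFactory the factory; {@code null} makes signed JWTs fail with a {@link JOSEException}
     */
    public void setJWSVerifierFactory(JWSVerifierFactory jWSVerifierFactory) {
        this.jwsVerifierFactory = jWSVerifierFactory;
    }

    /**
     * Replaces the factory that builds {@link JWEDecrypter}s.
     *
     * @param jWEDecrypterFactory the factory; {@code null} makes encrypted JWTs fail with a {@link JOSEException}
     */
    public void setJweDecrypterFactory(JWEDecrypterFactory jWEDecrypterFactory) {
        this.jweDecrypterFactory = jWEDecrypterFactory;
    }

    /**
     * Replaces the claims verifier.
     *
     * @param jWTVerifier the verifier; {@code null} disables claims validation entirely
     */
    public void setJWTClaimsSetVerifier(JWTVerifier jWTVerifier) {
        this.claimsVerifier = jWTVerifier;
    }

    /**
     * Reads the claims set of a JWT, converting a parse failure into a {@link BadJWTException}.
     *
     * @param jwt the (already verified or decrypted) token
     * @return its claims
     * @throws BadJWTException when the payload cannot be parsed as a claims set
     */
    private JWTClaimsSet extractJWTClaimsSet(JWT jwt) {
        try {
            return jwt.getJWTClaimsSet();
        } catch (ParseException e) {
            throw new BadJWTException(e.getMessage(), e);
        }
    }

    /**
     * Runs the configured claims verifier.
     *
     * @param jWSHeader the JWS header, or {@code null} for an encrypted JWT without a nested JWS
     * @param jWTClaimsSet the claims to check
     * @return the same claims when accepted
     * @throws BadJWTException when the verifier rejects the claims
     */
    private JWTClaimsSet verifyClaims(JWSHeader jWSHeader, JWTClaimsSet jWTClaimsSet) {
        // A null verifier means "no claims validation at all" — a deliberate opt-out, not a fallback.
        if (this.claimsVerifier == null || this.claimsVerifier.verify(jWSHeader, jWTClaimsSet)) {
            return jWTClaimsSet;
        }
        throw new BadJWTException("JWT Claims validation failed");
    }

    /**
     * Asks the selector for the key matching the header.
     *
     * @return the selected key, or {@code null} when the selector found none
     */
    private Key selectKeys(KeySelector keySelector, CommonJWTHeader commonJWTHeader, AsymmetricPart asymmetricPart) {
        return keySelector.selectSecretKey(defineKeyCriteria(commonJWTHeader, asymmetricPart));
    }

    /**
     * Builds the key selection criteria from the token header.
     *
     * <p>Everything here ({@code kid}, {@code jku}, PBES2 salt/count, algorithm) comes from the
     * header of a token that has not been verified yet. NOTE(review): the {@link KeySelector}
     * is expected to treat {@code jku} as untrusted (e.g. only honour pre-configured URLs) —
     * confirm in the selector implementation.
     */
    private SelectorCriteria defineKeyCriteria(CommonJWTHeader commonJWTHeader, AsymmetricPart asymmetricPart) {
        String keyID = commonJWTHeader.getKeyID();
        SelectorCriteria.Builder criteria = SelectorCriteria.newBuilder()
                .withId(keyID)
                .withJKU(commonJWTHeader.getJWKURL())
                .withAsymmetricPart(asymmetricPart);
        if (commonJWTHeader instanceof JWEHeader) {
            JWEHeader jWEHeader = (JWEHeader) commonJWTHeader;
            criteria.withPBE2Salt(jWEHeader.getPBES2Salt())
                    .withPBE2Count(jWEHeader.getPBES2Count())
                    .withJWEAlgorithm(jWEHeader.getAlgorithm());
        }
        return criteria.build();
    }

    /**
     * Dispatches on the concrete JWT type.
     *
     * @param jwt a signed, encrypted or plain JWT
     * @return the verified claims
     * @throws JOSEException for any other {@link JWT} implementation
     */
    @Override
    public JWTClaimsSet process(JWT jwt) {
        if (jwt instanceof SignedJWT) {
            return process((SignedJWT) jwt);
        }
        if (jwt instanceof EncryptedJWT) {
            return process((EncryptedJWT) jwt);
        }
        if (jwt instanceof PlainJWT) {
            return process((PlainJWT) jwt);
        }
        throw new JOSEException("Unexpected JWT object type: " + jwt.getClass());
    }

    /**
     * Unsecured ({@code alg=none}) JWTs are always rejected.
     *
     * @throws BadJOSEException always
     */
    private JWTClaimsSet process(PlainJWT plainJWT) {
        throw new BadJOSEException("Unsecured (plain) JWTs are rejected, TODO Implementation needs to be done!!");
    }

    /**
     * Verifies a signed JWT: header type, encoded payload, key selection, signature, then claims.
     *
     * @return the verified claims
     * @throws BadJOSEException  when the header is unacceptable or no key selector is configured
     * @throws JOSEException     when no verifier factory is configured
     * @throws InvalidJWTException when no key / verifier matches or the signature is invalid
     * @throws BadJWTException   when the claims cannot be parsed or are rejected
     */
    private JWTClaimsSet process(SignedJWT signedJWT) {
        JWSHeader header = signedJWT.getHeader();
        JOSEObjectType type = header.getType();
        // "typ" is optional; when present it must be "JWT".
        if (type != null && !type.equals(JOSEObjectType.JWT)) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("The provided token did not specify the correct 'JWT' typ in the header (header = %s)", header.toString()));
            throw new BadJOSEException("JOSE header \"typ\" (type) \"" + type.getType() + "\" not allowed");
        }
        // RFC 7797 unencoded payloads (b64=false) are not supported.
        if (!header.isBase64URLEncodePayload()) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "The provided token has an unencoded payload");
            throw new BadJOSEException("Unencoded payload not allowed");
        }
        if (this.jwsKeySelector == null) {
            throw new BadJOSEException("Signed JWT rejected: No JWS key selector is configured");
        }
        if (this.jwsVerifierFactory == null) {
            throw new JOSEException("No JWS verifier is configured");
        }
        // Prefer an asymmetric public key, fall back to a shared secret.
        Key key = selectKeys(this.jwsKeySelector, header, AsymmetricPart.PUBLIC);
        if (key == null) {
            key = selectKeys(this.jwsKeySelector, header, AsymmetricPart.SYMMETRIC);
        }
        if (key == null) {
            if (LOGGER.isErrorEnabled()) {
                LOGGER.error(String.format("(OCT-KEY-010) No or multiple keys found for criteria :%n %s", defineKeyCriteria(header, AsymmetricPart.PUBLIC)));
            }
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("No key found that matches the information from the header (%s)", header.toString()));
            throw new InvalidJWTException(String.format("No key found for keyId '%s'", header.getKeyID()));
        }
        JWSVerifier verifier = this.jwsVerifierFactory.createJWSVerifier(header, key, this.defCritHeaders);
        if (verifier == null) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("No token verifier found for the header and matching secret key (header = %s, secretKey type = %s)", header.toString(), defineType(key)));
            throw new InvalidJWTException("Signed JWT rejected: Another algorithm expected, or no matching key(s) found");
        }
        if (signedJWT.verify(verifier)) {
            return verifyClaims(header, extractJWTClaimsSet(signedJWT));
        }
        // Only record the generic reason when the verifier did not already store a more specific one.
        // MDC.get is used instead of getCopyOfContextMap().containsKey(...): the copy is null when
        // the MDC is empty, which made this path throw a NullPointerException instead of the
        // InvalidJWTException below.
        if (MDC.get(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON) == null) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Token signature verification failed");
        }
        throw new InvalidJWTException("Signed JWT rejected: Invalid signature");
    }

    /** Human-readable key family of {@code key}, used only in failure reasons. */
    private String defineType(Key key) {
        return KeyFamilyUtil.INSTANCE.determineKeyFamily(key).toString();
    }

    /**
     * Decrypts an encrypted JWT and either verifies the nested signed JWT ({@code cty=JWT}) or,
     * when the configuration does not require a content type, the plain claims of the payload.
     *
     * @return the verified claims
     * @throws BadJOSEException  when no key selector / decrypter matches
     * @throws JOSEException     when no decrypter factory is configured
     * @throws InvalidJWTException when no key matches or {@code cty} is missing but required
     * @throws BadJWEException   when decryption (or anything inside it that raises a JOSEException) fails
     * @throws BadJWTException   when a nested payload is not a signed JWT or the claims are rejected
     */
    private JWTClaimsSet process(EncryptedJWT encryptedJWT) {
        if (this.jweKeySelector == null) {
            throw new BadJOSEException("Encrypted JWT rejected: No JWE key selector is configured");
        }
        if (this.jweDecrypterFactory == null) {
            throw new JOSEException("No JWE decrypter is configured");
        }
        JWEHeader header = encryptedJWT.getHeader();
        // Prefer an asymmetric private key, fall back to a shared secret.
        Key key = selectKeys(this.jweKeySelector, header, AsymmetricPart.PRIVATE);
        if (key == null) {
            key = selectKeys(this.jweKeySelector, header, AsymmetricPart.SYMMETRIC);
        }
        if (key == null) {
            if (LOGGER.isErrorEnabled()) {
                LOGGER.error(String.format("(OCT-KEY-010) No or multiple keys found for criteria :%n %s", defineKeyCriteria(header, AsymmetricPart.PRIVATE)));
            }
            // Same MDC reason as the signed path, so the caller can log why the JWE was refused.
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("No key found that matches the information from the header (%s)", header.toString()));
            throw new InvalidJWTException(String.format("No key found for keyId '%s'", header.getKeyID()));
        }
        JWEDecrypter decrypter = this.jweDecrypterFactory.createJWEDecrypter(header, key);
        if (decrypter == null) {
            throw new BadJOSEException("Encrypted JWT rejected: No matching decrypter(s) found");
        }
        try {
            encryptedJWT.decrypt(decrypter);
            if (!"JWT".equalsIgnoreCase(header.getContentType())) {
                if (this.jwtSupportConfiguration.isContentTypeRequiredForJWE()) {
                    throw new InvalidJWTException("Missing Content Type in the header 'cty=JWT' ");
                }
                // No nested JWS: there is no JWS header to hand to the claims verifier.
                return verifyClaims(null, extractJWTClaimsSet(encryptedJWT));
            }
            SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
            if (signedJWT == null) {
                throw new BadJWTException("The payload is not a nested signed JWT");
            }
            return process(signedJWT);
        } catch (JOSEException e) {
            // NOTE(review): any JOSEException raised by the nested process(SignedJWT) call is
            // re-wrapped here as well, not only decryption failures — presumably intended; confirm.
            throw new BadJWEException("Encrypted JWT rejected: " + e.getMessage(), e);
        }
    }
}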
