package io.avaje.oauth2.core.jwt;

import io.avaje.json.mapper.JsonMapper;
import io.avaje.oauth2.core.data.AccessToken;
import io.avaje.oauth2.core.data.JsonDataMapper;
import io.avaje.oauth2.core.data.JwtHeader;
import io.avaje.oauth2.core.jwt.JwtVerifier;
import java.net.http.HttpClient;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.function.Supplier;

/* loaded from: input_file:io/avaje/oauth2/core/jwt/DJwtVerifier.class */
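/**
 * Default {@link JwtVerifier}: verifies a JWS signature against a key resolved by {@code kid},
 * then validates the {@code iss}, {@code exp} and {@code iat} claims.
 * <p>
 * Security-relevant properties visible in this class:
 * <ul>
 *   <li>The header {@code alg} is matched against an allow-list built via the builder. {@code none}
 *       and any unregistered algorithm are rejected before any key is fetched.</li>
 *   <li>The signature is verified before the payload is parsed, so claim checks only ever run over
 *       authenticated content.</li>
 *   <li>Not checked here: {@code aud}, {@code nbf}, {@code typ}. A token whose {@code exp} is absent
 *       or non-positive is accepted without an expiry check. Callers needing stricter policy must
 *       enforce it on the returned {@link AccessToken}.</li>
 *   <li>{@code kid} is untrusted input. The configured {@link JwtKeySource} must only hand back keys
 *       that belong to the configured JWKS; it must never treat {@code kid} as a URL or path.</li>
 * </ul>
 */
final class DJwtVerifier implements JwtVerifier {

    /** Allow-list of accepted JOSE {@code alg} names, each bound to a JCA signature algorithm. */
    private final Map<String, AlgorithmVerifier> algorithms;
    /** Resolves the {@code kid} header to the public key used for signature verification. */
    private final JwtKeySource keySource;
    private final JsonDataMapper mapper;
    /** Exact value the {@code iss} claim must carry; {@code null} disables the issuer check. */
    private final String expectedIssuer;
    /** Tolerance applied when comparing {@code exp} and {@code iat} against {@link #clock}. */
    private final Duration clockSkew;
    private final Clock clock;

    /**
     * Binds one JCA {@link Signature} algorithm to a JOSE {@code alg} name.
     * A fresh {@link Signature} instance is obtained for every call because the JCA object is stateful.
     */
    private static final class AlgorithmVerifier {
        private final Supplier<Signature> signatures;

        AlgorithmVerifier(Supplier<Signature> signatures) {
            this.signatures = signatures;
        }

        /**
         * Verifies {@code signature} over {@code content} using {@code publicKey}.
         *
         * @return {@code true} only when the signature verifies; malformed or mismatching signature
         *     bytes yield {@code false} rather than an exception
         * @throws JwtVerifyException if the JCA refuses the key for this algorithm (for example a key
         *     whose type does not match the registered signature algorithm)
         */
        boolean verify(PublicKey publicKey, byte[] content, byte[] signature) {
            try {
                Signature verifier = signatures.get();
                verifier.initVerify(publicKey);
                verifier.update(content);
                return verifier.verify(signature);
            } catch (InvalidKeyException e) {
                throw new JwtVerifyException("Invalid public key", e);
            } catch (SignatureException e) {
                // Malformed or wrong-length signature bytes: treat as "does not verify".
                return false;
            }
        }
    }

    /**
     * Builder for {@link DJwtVerifier}. Fails fast on misconfiguration (null clock/skew, unknown JCA
     * algorithm name) instead of surfacing it later as a per-token verification error.
     */
    private static final class DBuilder implements JwtVerifier.Builder {
        private final Map<String, AlgorithmVerifier> algorithms = new HashMap<>();
        private JwtKeySource keySource;
        private JsonDataMapper mapper;
        private String jwksUri;
        private HttpClient httpClient;
        private JsonMapper simpleMapper;
        private String expectedIssuer;
        private Duration clockSkew = Duration.of(60, ChronoUnit.SECONDS);
        private Clock clock = Clock.systemDefaultZone();

        private DBuilder() {
        }

        @Override
        public JwtVerifier.Builder addRS256() {
            return add("RS256", "SHA256withRSA");
        }

        /**
         * Registers a JOSE {@code alg} name and the JCA algorithm used to verify it.
         *
         * @throws NullPointerException if either name is null
         * @throws JwtVerifyException if {@code jcaAlgorithm} is not available from any installed provider
         */
        @Override
        public JwtVerifier.Builder add(String alg, String jcaAlgorithm) {
            Objects.requireNonNull(alg, "alg is required");
            Objects.requireNonNull(jcaAlgorithm, "jcaAlgorithm is required");
            SignatureSupplier supplier = new SignatureSupplier(jcaAlgorithm);
            // Probe once now so an unknown JCA name fails at configuration time, not on the first token.
            supplier.get();
            algorithms.put(alg, new AlgorithmVerifier(supplier));
            return this;
        }

        @Override
        public JwtVerifier.Builder jwksUri(String jwksUri) {
            this.jwksUri = jwksUri;
            return this;
        }

        @Override
        public JwtVerifier.Builder httpClient(HttpClient httpClient) {
            this.httpClient = httpClient;
            return this;
        }

        @Override
        public JwtVerifier.Builder keySource(JwtKeySource keySource) {
            this.keySource = keySource;
            return this;
        }

        @Override
        public JwtVerifier.Builder jsonMapper(JsonDataMapper mapper) {
            this.mapper = mapper;
            return this;
        }

        /**
         * Sets the exact {@code iss} value tokens must carry. If no {@code jwksUri} has been set yet,
         * it defaults to {@code <issuer>/.well-known/jwks.json}. That default is only a convention
         * (OIDC providers advertise the real location via their openid-configuration), so call
         * {@link #jwksUri(String)} explicitly when the issuer publishes keys elsewhere.
         */
        @Override
        public JwtVerifier.Builder issuer(String issuer) {
            Objects.requireNonNull(issuer, "issuer is required");
            this.expectedIssuer = issuer;
            if (jwksUri == null) {
                // Avoid a double slash when the issuer is given with a trailing "/"; the
                // expectedIssuer itself is kept verbatim because the iss comparison is exact.
                String base = issuer.endsWith("/") ? issuer.substring(0, issuer.length() - 1) : issuer;
                jwksUri = base + "/.well-known/jwks.json";
            }
            return this;
        }

        @Override
        public JwtVerifier.Builder clock(Clock clock) {
            this.clock = Objects.requireNonNull(clock, "clock is required");
            return this;
        }

        /**
         * Sets the tolerance for {@code exp}/{@code iat} checks.
         *
         * @throws IllegalArgumentException if negative (a negative skew would silently tighten or
         *     invert the comparisons)
         */
        @Override
        public JwtVerifier.Builder clockSkew(Duration clockSkew) {
            Objects.requireNonNull(clockSkew, "clockSkew is required");
            if (clockSkew.isNegative()) {
                throw new IllegalArgumentException("clockSkew must not be negative");
            }
            this.clockSkew = clockSkew;
            return this;
        }

        @Override
        public JwtVerifier build() {
            if (mapper == null) {
                if (simpleMapper == null) {
                    simpleMapper = JsonMapper.builder().build();
                }
                mapper = JsonDataMapper.builder().jsonMapper(simpleMapper).build();
            }
            if (keySource == null) {
                Objects.requireNonNull(jwksUri, "jwksUri is required");
                if (httpClient == null) {
                    // NOTE(review): the JDK default client carries no connect timeout; production
                    // deployments should pass a configured client via httpClient().
                    httpClient = HttpClient.newHttpClient();
                }
                keySource = new RemoteKeySetSource(jwksUri, httpClient, mapper).build();
            }
            if (algorithms.isEmpty()) {
                addRS256();
            }
            // Immutable snapshot: later builder mutation cannot widen the verifier's allow-list.
            return new DJwtVerifier(Map.copyOf(algorithms), keySource, mapper, expectedIssuer, clockSkew, clock);
        }
    }

    /** Supplies a new JCA {@link Signature} for a fixed algorithm name on every call. */
    private static final class SignatureSupplier implements Supplier<Signature> {
        private final String jcaAlgorithm;

        SignatureSupplier(String jcaAlgorithm) {
            this.jcaAlgorithm = jcaAlgorithm;
        }

        /** @throws JwtVerifyException if no installed provider implements the algorithm */
        @Override
        public Signature get() {
            try {
                return Signature.getInstance(jcaAlgorithm);
            } catch (NoSuchAlgorithmException e) {
                throw new JwtVerifyException("Unsupported algorithm", e);
            }
        }
    }

    private DJwtVerifier(Map<String, AlgorithmVerifier> algorithms, JwtKeySource keySource, JsonDataMapper mapper,
                         String expectedIssuer, Duration clockSkew, Clock clock) {
        this.algorithms = algorithms;
        this.keySource = keySource;
        this.mapper = mapper;
        this.expectedIssuer = expectedIssuer;
        this.clockSkew = clockSkew;
        this.clock = clock;
    }

    static JwtVerifier.Builder builder() {
        return new DBuilder();
    }

    /**
     * Parses {@code token}, verifies its signature, then validates {@code iss}, {@code exp} and
     * {@code iat}. Audience and not-before are not checked here.
     *
     * @return the parsed claims of a token that passed every check
     * @throws JwtVerifyException if the token is malformed, its signature does not verify, or a
     *     checked claim fails; the original failure is kept as the cause rather than re-labelled
     */
    @Override
    public AccessToken verifyAccessToken(String token) throws JwtVerifyException {
        SignedJwt jwt = SignedJwt.parse(token);
        // Signature first: nothing below runs over an unauthenticated payload.
        verify(jwt);
        try {
            AccessToken accessToken = mapper.readAccessToken(jwt.payload());
            Instant now = Instant.now(clock);
            checkIssuer(accessToken);
            checkExpiry(accessToken, now);
            checkIssuedAt(accessToken, now);
            return accessToken;
        } catch (JwtVerifyException e) {
            // Already a verification failure; do not re-wrap it as a parse error.
            throw e;
        } catch (RuntimeException e) {
            throw new JwtVerifyException("Unable to parse Jwt access token " + e, e);
        }
    }

    /** Rejects the token when an expected issuer is configured and {@code iss} is not exactly equal to it. */
    private void checkIssuer(AccessToken accessToken) {
        if (expectedIssuer != null && !expectedIssuer.equals(accessToken.issuer())) {
            throw new JwtVerifyException("Jwt unexpected issuer");
        }
    }

    /**
     * Rejects the token once {@code now - clockSkew} is past {@code exp}. A non-positive {@code exp}
     * is treated as "no expiry" and accepted.
     */
    private void checkExpiry(AccessToken accessToken, Instant now) {
        long exp = accessToken.expiredAt();
        if (exp <= 0) {
            return;
        }
        Instant expiresAt = Instant.ofEpochSecond(exp);
        if (now.minus(clockSkew).isAfter(expiresAt)) {
            throw new JwtVerifyException("Jwt expired at " + expiresAt);
        }
    }

    /** Rejects a token whose {@code iat} lies more than {@code clockSkew} in the future. */
    private void checkIssuedAt(AccessToken accessToken, Instant now) {
        long iat = accessToken.issuedAt();
        if (iat <= 0) {
            return;
        }
        Instant issuedAt = Instant.ofEpochSecond(iat);
        if (now.plus(clockSkew).isBefore(issuedAt)) {
            throw new JwtVerifyException("Jwt invalid issuedAt " + issuedAt);
        }
    }

    /**
     * Verifies the signature of an already-parsed JWT. No claims are validated here.
     * <p>
     * Order matters: the header {@code alg} is checked against the allow-list before the key is
     * resolved, so an unsupported algorithm can never trigger a (possibly remote) key lookup. The
     * JCA then rejects a resolved key whose type does not match the algorithm.
     *
     * @throws JwtVerifyException if the header cannot be read, the algorithm is not allowed, no key
     *     matches {@code kid}, or the signature does not verify
     */
    @Override
    public void verify(SignedJwt signedJwt) {
        try {
            JwtHeader header = mapper.readJwtHeader(signedJwt.header());
            String alg = header.alg();
            AlgorithmVerifier algorithmVerifier = algorithms.get(alg);
            if (algorithmVerifier == null) {
                throw new JwtVerifyException("Algorithm " + alg + " not supported");
            }
            String kid = header.kid();
            PublicKey key = keySource.key(kid);
            if (key == null) {
                throw new JwtVerifyException("Public key not found for kid " + kid);
            }
            if (!algorithmVerifier.verify(key, signedJwt.contentBytes(), signedJwt.signatureBytes())) {
                throw new JwtVerifyException("Signature verification failed");
            }
        } catch (JwtVerifyException e) {
            // Keep the precise failure (bad signature, unknown kid, ...) instead of calling it a parse error.
            throw e;
        } catch (RuntimeException e) {
            throw new JwtVerifyException("Unable to parse Jwt header " + e, e);
        }
    }
}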
