package com.networknt.security;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.networknt.client.oauth.OauthHelper;
import com.networknt.client.oauth.SignKeyRequest;
import com.networknt.client.oauth.TokenKeyRequest;
import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.utility.FingerPrintUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.ErrorCodeValidator;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.owasp.encoder.Encode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/security/JwtHelper.class */
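/**
 * Static helpers for extracting and verifying JWT bearer tokens.
 *
 * <p>Verification keys are X.509 certificates looked up by the token's {@code kid} header. They
 * are either preloaded from the {@code security} configuration or fetched through
 * {@link OauthHelper#getKey}. Verified claims can optionally be cached by raw token string.
 *
 * <p>What {@link #verifyJwt(String, boolean, boolean)} checks: the signature against the selected
 * certificate, the presence of {@code exp}, and (unless told to skip it) expiry. It does not
 * validate audience, and no expected issuer is configured here, so callers that depend on
 * {@code aud} or {@code iss} have to inspect the returned claims themselves.
 */
public class JwtHelper {
    public static final String KID = "kid";
    public static final String JWT_CONFIG = "jwt";
    public static final String JWT_CERTIFICATE = "certificate";
    public static final String ENABLE_VERIFY_JWT = "enableVerifyJwt";
    // Lifetime of an entry in the verified-claims cache.
    private static final int CACHE_EXPIRED_IN_MINUTES = 15;
    // Matches the authorization scheme case-insensitively; compiled once instead of per request.
    private static final Pattern BEARER_SCHEME = Pattern.compile("^Bearer$", Pattern.CASE_INSENSITIVE);
    // kid -> verification certificate.
    // NOTE(review): this is a plain HashMap that verifyJwt mutates; if verifyJwt is called from
    // several request threads at once this needs external synchronization - confirm with callers.
    static Map<String, X509Certificate> certMap;
    static List<String> fingerPrints;
    // Raw token string -> claims of a token whose signature has already been verified.
    static Cache<String, JwtClaims> cache;
    static final Logger logger = LoggerFactory.getLogger(JwtHelper.class);
    public static final String SECURITY_CONFIG = "security";
    static Map<String, Object> securityConfig = Config.getInstance().getJsonMapConfig(SECURITY_CONFIG);
    @SuppressWarnings("unchecked") // the "jwt" section of the security config is a nested map
    static Map<String, Object> securityJwtConfig = (Map<String, Object>) securityConfig.get(JWT_CONFIG);
    public static final String JWT_CLOCK_SKEW_IN_SECONDS = "clockSkewInSeconds";
    static int secondsOfAllowedClockSkew = ((Integer) securityJwtConfig.get(JWT_CLOCK_SKEW_IN_SECONDS)).intValue();
    private static final String ENABLE_JWT_CACHE = "enableJwtCache";
    static Boolean enableJwtCache = (Boolean) securityConfig.get(ENABLE_JWT_CACHE);
    private static final String BOOTSTRAP_FROM_KEY_SERVICE = "bootstrapFromKeyService";
    static Boolean bootstrapFromKeyService = (Boolean) securityConfig.get(BOOTSTRAP_FROM_KEY_SERVICE);

    /**
     * Loads an X.509 certificate from a configuration file.
     *
     * @param str name of the certificate file, resolved through {@link Config}
     * @return the parsed certificate, or {@code null} when the file is missing or cannot be parsed;
     *     both cases are only logged, so callers must treat {@code null} as "no usable key"
     * @throws Exception declared for compatibility; failures are logged rather than propagated
     */
    public static X509Certificate readCertificate(String str) throws Exception {
        X509Certificate certificate = null;
        // try-with-resources closes the stream on every path, including a parse failure;
        // a null resource is simply skipped.
        try (InputStream in = Config.getInstance().getInputStreamFromFile(str)) {
            if (in == null) {
                logger.info("Certificate " + Encode.forJava(str) + " not found.");
            } else {
                certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
        } catch (Exception e) {
            // Also reached when close() fails after a successful parse; the certificate is kept.
            logger.error("Exception: ", e);
        }
        return certificate;
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * @param str the header value, expected as {@code "Bearer <token>"} with a single space
     * @return the token part, or {@code null} when the value is {@code null}, does not split into
     *     exactly two space-separated parts, or does not use the Bearer scheme
     */
    public static String getJwtFromAuthorization(String str) {
        if (str == null) {
            return null;
        }
        String[] parts = str.split(" ");
        if (parts.length != 2) {
            return null;
        }
        return BEARER_SCHEME.matcher(parts[0]).matches() ? parts[1] : null;
    }

    /**
     * Verifies a token against the token-key certificates.
     *
     * @deprecated use {@link #verifyJwt(String, boolean, boolean)} and state the key type explicitly
     */
    @Deprecated
    public static JwtClaims verifyJwt(String str, boolean z) throws InvalidJwtException, ExpiredTokenException {
        return verifyJwt(str, z, true);
    }

    /**
     * Verifies the signature of a JWT and returns its claims.
     *
     * @param str the compact serialized JWT
     * @param z when {@code true} the expiry check is skipped and an expired token is accepted
     * @param z2 when {@code true} an unknown key id is resolved with {@link #getCertForToken},
     *     otherwise with {@link #getCertForSign}
     * @return the claims of the verified token
     * @throws InvalidJwtException if the token is malformed, lacks {@code exp}, or fails signature
     *     verification
     * @throws ExpiredTokenException if the token is expired and {@code z} is {@code false}
     * @throws RuntimeException if the certificate for an unknown key id cannot be fetched
     */
    public static JwtClaims verifyJwt(String str, boolean z, boolean z2) throws InvalidJwtException, ExpiredTokenException {
        final boolean cacheEnabled = Boolean.TRUE.equals(enableJwtCache);
        if (cacheEnabled) {
            // A cache hit skips signature verification; the entry is keyed by the raw token only,
            // so it is served regardless of which key type (z2) verified it originally.
            JwtClaims cached = cache.getIfPresent(str);
            if (cached != null) {
                if (z) {
                    return cached;
                }
                try {
                    if (isExpired(cached)) {
                        logger.info("Cached jwt token is expired!");
                        throw new ExpiredTokenException("Token is expired");
                    }
                    return cached;
                } catch (MalformedClaimException e) {
                    // Fail closed: an entry whose expiry cannot be read must not be served.
                    // Drop it and run the full verification below instead.
                    logger.error("MalformedClaimException:", e);
                    cache.invalidate(str);
                }
            }
        }

        // First pass: parse WITHOUT any validation, only to read the kid header and the expiry.
        // Everything obtained here is unauthenticated, attacker-controlled input.
        JwtContext process = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build()
                .process(str);
        JwtClaims unverifiedClaims = process.getJwtClaims();
        String keyIdHeaderValue = process.getJoseObjects().get(0).getKeyIdHeaderValue();
        if (!z) {
            try {
                // A token without exp is not rejected here (previously it caused a
                // NullPointerException); the verifying consumer below requires exp and reports
                // the missing claim as an InvalidJwtException.
                if (isExpired(unverifiedClaims)) {
                    logger.info("jwt token is expired!");
                    throw new ExpiredTokenException("Token is expired");
                }
            } catch (MalformedClaimException e) {
                logger.error("MalformedClaimException:", e);
                throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(18, "Invalid ExpirationTime Format"), e, process);
            }
        }

        // The kid comes from the unverified header. An unknown kid triggers a key lookup through
        // OauthHelper and the result is kept in certMap under that kid.
        X509Certificate certificate = certMap == null ? null : certMap.get(keyIdHeaderValue);
        if (certificate == null) {
            certificate = z2 ? getCertForToken(keyIdHeaderValue) : getCertForSign(keyIdHeaderValue);
            if (certMap == null) {
                certMap = new HashMap<>();
            }
            certMap.put(keyIdHeaderValue, certificate);
        }

        X509VerificationKeyResolver keyResolver = new X509VerificationKeyResolver(certificate);
        keyResolver.setTryAllOnNoThumbHeader(true);
        // Second pass: real signature verification. The ten-year clock skew (315360000 s)
        // effectively switches off the library's own time checks so that expiry can be enforced,
        // or deliberately skipped, by the manual check above. The same skew applies to the
        // library's not-before check, so nbf is effectively not enforced here.
        // Audience validation is skipped and no expected issuer is set.
        JwtClaims verifiedClaims = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(315360000)
                .setSkipDefaultAudienceValidation()
                .setVerificationKeyResolver(keyResolver)
                .build()
                .process(str)
                .getJwtClaims();
        if (cacheEnabled) {
            cache.put(str, verifiedClaims);
        }
        return verifiedClaims;
    }

    /**
     * Tells whether the {@code exp} claim lies in the past, allowing the configured clock skew.
     *
     * @return {@code false} when the claims carry no {@code exp} at all
     * @throws MalformedClaimException if {@code exp} is present but not a numeric date
     */
    private static boolean isExpired(JwtClaims claims) throws MalformedClaimException {
        NumericDate expiry = claims.getExpirationTime();
        return expiry != null
                && NumericDate.now().getValue() - secondsOfAllowedClockSkew >= expiry.getValue();
    }

    /**
     * Fetches the token verification certificate for a key id through {@link OauthHelper}.
     *
     * @param str the key id
     * @return the parsed certificate
     * @throws RuntimeException wrapping any fetch or parse failure
     */
    public static X509Certificate getCertForToken(String str) {
        try {
            String key = OauthHelper.getKey(new TokenKeyRequest(str));
            return parseCertificate(key);
        } catch (Exception e) {
            logger.error("Exception: ", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Fetches the signing verification certificate for a key id through {@link OauthHelper}.
     *
     * @param str the key id
     * @return the parsed certificate
     * @throws RuntimeException wrapping any fetch or parse failure
     */
    public static X509Certificate getCertForSign(String str) {
        try {
            String key = OauthHelper.getKey(new SignKeyRequest(str));
            return parseCertificate(key);
        } catch (Exception e) {
            logger.error("Exception: ", e);
            throw new RuntimeException(e);
        }
    }

    /** Parses the textual certificate returned by the key lookup. */
    private static X509Certificate parseCertificate(String key) throws Exception {
        byte[] encoded = key.getBytes(StandardCharsets.UTF_8);
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(encoded));
    }

    /**
     * Returns the fingerprints of the certificates preloaded from configuration.
     *
     * @return the internal list itself (not a copy); {@code null} when keys are bootstrapped from
     *     the key service
     */
    public static List getFingerPrints() {
        return fingerPrints;
    }

    static {
        if (Boolean.TRUE.equals(enableJwtCache)) {
            cache = Caffeine.newBuilder().expireAfterWrite(CACHE_EXPIRED_IN_MINUTES, TimeUnit.MINUTES).build();
        }
        // Unless bootstrapping from the key service is explicitly enabled, preload the
        // certificates listed under security.jwt.certificate (kid -> file name).
        if (!Boolean.TRUE.equals(bootstrapFromKeyService)) {
            certMap = new HashMap<>();
            fingerPrints = new ArrayList<>();
            @SuppressWarnings("unchecked") // the certificate section maps kid to a file name
            Map<String, Object> certificateFiles = (Map<String, Object>) securityJwtConfig.get(JWT_CERTIFICATE);
            for (Map.Entry<String, Object> entry : certificateFiles.entrySet()) {
                X509Certificate certificate = null;
                try {
                    certificate = readCertificate((String) entry.getValue());
                } catch (Exception e) {
                    logger.error("Exception:", e);
                }
                // A certificate that failed to load is stored as null; verifyJwt treats a null
                // entry like an unknown kid and falls back to the key lookup.
                certMap.put(entry.getKey(), certificate);
                fingerPrints.add(FingerPrintUtil.getCertFingerPrint(certificate));
            }
        }
    }
}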
