package org.id4me;

import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.BoundedInputStream;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.Hashtable;
import java.util.Properties;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.id4me.Id4meResolver;
import org.id4me.config.Id4meClaimsParameters;
import org.id4me.config.Id4meProperties;
import org.id4me.exceptions.ClientNotRegisteredException;
import org.id4me.exceptions.ClientRegistrationSecretExpiredException;
import org.id4me.exceptions.MandatoryClaimsException;
import org.id4me.exceptions.TokenNotFoundException;
import org.id4me.exceptions.TokenValidationException;
import org.id4me.util.FileReader;
import org.json.JSONArray;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/id4me/Id4meLogon.class */
public class Id4meLogon {
    private static final Logger log = LoggerFactory.getLogger(Id4meLogon.class);
    private static final String UTF_8 = StandardCharsets.UTF_8.name();
    private static final String CONTENT_TYPE = "Content-Type";
    private static final String AUTHORIZATION = "Authorization";
    private int MAX_FETCH_SIZE = 50000;
    private final Id4meIdentityAuthorityStorage2 storage = Id4meIdentityAuthorityStorage2.INSTANCE;
    private Id4meResolver resolver;
    private String clientName;
    private String redirectUri;
    private String[] redirectUris;
    private String logoUri;
    private Path registrationDataPath;
    private final Id4meClaimsConfig claimsConfig;
    private Id4meKeyPairHandler keyPairHandler;
    private boolean fallbackToScopes;

    public Id4meLogon(String str, String str2) throws Exception {
        readPropertiesFile(str);
        this.claimsConfig = readClaimsParametersFile(str2);
        initSSLSocketFactory();
    }

    public Id4meClaimsConfig getClaimsConfig() {
        return this.claimsConfig;
    }

    public Id4meLogon(Id4meProperties id4meProperties, Id4meClaimsParameters id4meClaimsParameters) throws Exception {
        readProperties(id4meProperties);
        this.claimsConfig = new Id4meClaimsConfig(id4meClaimsParameters);
        initSSLSocketFactory();
    }

    public Id4meLogon(Id4meProperties id4meProperties, Id4meClaimsParameters id4meClaimsParameters, String[] strArr) throws Exception {
        readProperties(id4meProperties);
        this.claimsConfig = new Id4meClaimsConfig(id4meClaimsParameters);
        if (strArr != null) {
            for (String str : strArr) {
                this.claimsConfig.addScope(str);
            }
        }
        initSSLSocketFactory();
    }

    private void initSSLSocketFactory() throws NoSuchAlgorithmException, KeyManagementException {
        TrustManager[] trustManagerArr = {new X509TrustManager() { // from class: org.id4me.Id4meLogon.1
            @Override // javax.net.ssl.X509TrustManager
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            }

            @Override // javax.net.ssl.X509TrustManager
            public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            }
        }};
        SSLContext sSLContext = SSLContext.getInstance("SSL");
        sSLContext.init(null, trustManagerArr, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sSLContext.getSocketFactory());
    }

    private void readPropertiesFile(String str) throws Exception {
        Path path = Paths.get(str, new String[0]);
        if (!path.toFile().exists()) {
            throw new Exception("Properties file " + path + " not found!");
        }
        Properties properties = new Properties();
        InputStream newInputStream = Files.newInputStream(path, new OpenOption[0]);
        try {
            properties.load(newInputStream);
            if (newInputStream != null) {
                newInputStream.close();
            }
            if (properties.containsKey("client.max_fetch_size")) {
                try {
                    this.MAX_FETCH_SIZE = Integer.parseInt(properties.getProperty("client.max_fetch_size"));
                } catch (Exception e) {
                    log.error("Error determining MAX_FETCH_SIZE from properties: " + e.getMessage());
                }
            }
            if (!properties.containsKey("client.name")) {
                throw new Exception("property client.name not found in " + path);
            }
            this.clientName = properties.getProperty("client.name");
            if (!properties.containsKey("redirect.uri")) {
                throw new Exception("property redirect.uri not found in " + path);
            }
            this.redirectUri = properties.getProperty("redirect.uri");
            if (properties.containsKey("redirect.uris")) {
                this.redirectUris = properties.getProperty("redirect.uris").split(",");
            } else {
                this.redirectUris = new String[]{this.redirectUri};
            }
            if (properties.containsKey("logo.uri")) {
                this.logoUri = properties.getProperty("logo.uri");
            }
            String property = properties.containsKey("dnssec_root_key") ? properties.getProperty("dnssec_root_key") : properties.containsKey("dnsssec_root_key") ? properties.getProperty("dnsssec_root_key") : ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
            boolean z = true;
            if (properties.containsKey("dnssec_required")) {
                z = Boolean.parseBoolean(properties.getProperty("dnssec_required"));
            }
            String property2 = properties.containsKey("dns.resolver") ? properties.getProperty("dns.resolver") : "127.0.0.1";
            this.resolver = new Id4meResolver(property2, property, z);
            if (properties.containsKey("registration.data.path")) {
                this.registrationDataPath = Paths.get(properties.getProperty("registration.data.path", null), new String[0]);
            } else {
                this.registrationDataPath = Paths.get("./", new String[0]);
            }
            if (properties.containsKey("pub_key") && properties.containsKey("priv_key")) {
                this.keyPairHandler = new Id4meKeyPairHandler(properties.getProperty("pub_key"), properties.getProperty("priv_key"));
            }
            if (properties.containsKey("scopes_fallback")) {
                this.fallbackToScopes = Boolean.parseBoolean(properties.getProperty("scopes_fallback"));
            }
            logProperties(property, property2);
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void readProperties(Id4meProperties id4meProperties) throws Exception {
        if (id4meProperties.getMaxFetchSize() != null) {
            this.MAX_FETCH_SIZE = id4meProperties.getMaxFetchSize().intValue();
        }
        if (id4meProperties.getClientName() == null) {
            throw new Exception("Id4meProperties.clientName not set");
        }
        this.clientName = id4meProperties.getClientName();
        if (id4meProperties.getRedirectURI() == null) {
            throw new Exception("Id4meProperties.redirectURI not set");
        }
        this.redirectUri = id4meProperties.getRedirectURI();
        if (id4meProperties.getRedirectURIs() != null) {
            this.redirectUris = id4meProperties.getRedirectURIs();
        } else {
            this.redirectUris = new String[]{this.redirectUri};
        }
        if (id4meProperties.getLogoURI() != null) {
            this.logoUri = id4meProperties.getLogoURI();
        }
        String dnssecRootKey = id4meProperties.getDnssecRootKey() != null ? id4meProperties.getDnssecRootKey() : ". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5";
        String dnsResolver = id4meProperties.getDnsResolver() != null ? id4meProperties.getDnsResolver() : "127.0.0.1";
        this.resolver = new Id4meResolver(dnsResolver, dnssecRootKey, id4meProperties.isDnssecRequired());
        if (id4meProperties.getRegistrationDataPath() != null) {
            this.registrationDataPath = Paths.get(id4meProperties.getRegistrationDataPath(), new String[0]);
        } else {
            this.registrationDataPath = Paths.get("./", new String[0]);
        }
        if (id4meProperties.getPrivKeyFile() != null && id4meProperties.getPubKeyFile() != null) {
            this.keyPairHandler = new Id4meKeyPairHandler(id4meProperties.getPubKeyFile(), id4meProperties.getPrivKeyFile());
        }
        this.fallbackToScopes = id4meProperties.isFallbackToScopes();
        logProperties(dnssecRootKey, dnsResolver);
    }

    private void logProperties(String str, String str2) {
        log.info("Configured client name:     {}", this.clientName);
        log.info("Configured redirect URI:    {}", this.redirectUri);
        log.info("Configured redirect URIs:    {}", Arrays.toString(this.redirectUris));
        log.info("Configured logo URI:        {}", this.logoUri);
        log.info("Configured DNSSEC root key: {}", str);
        log.info("Configured DNS resolver:    {}", str2);
        log.info("Configured registration data path: {}", this.registrationDataPath);
        if (this.keyPairHandler != null) {
            log.info("Configured keyPairHandler: {}", this.keyPairHandler.toString());
        }
    }

    private static String readFile(String str) throws Exception {
        Path path = Paths.get(str, new String[0]);
        if (Files.exists(path, new LinkOption[0])) {
            return FileReader.readFileToString(path);
        }
        throw new Exception("File not found: " + path);
    }

    private Id4meClaimsConfig readClaimsParametersFile(String str) throws Exception {
        Path path = Paths.get(str, new String[0]);
        if (Files.exists(path, new LinkOption[0])) {
            return Id4meClaimsConfigParser.parseClaimsConfigJSON(readFile(str));
        }
        throw new Exception("Claims configuration file " + path.toAbsolutePath() + " not found!");
    }

    public Id4meSessionData createSessionData(String str, boolean z) throws Exception {
        Id4meSessionData id4meSessionData = new Id4meSessionData();
        id4meSessionData.setId4me(str);
        Id4meResolver.Id4meDnsDataWithLoginHint dataFromDns = this.resolver.getDataFromDns(str);
        Id4meDnsData dnsResponse = dataFromDns.getDnsResponse();
        id4meSessionData.setLoginHint(dataFromDns.getLoginHint());
        id4meSessionData.setIau(dnsResponse.getIau());
        id4meSessionData.setIag(dnsResponse.getIag());
        id4meSessionData.setRedirectUri(URLEncoder.encode(this.redirectUri, UTF_8));
        id4meSessionData.setLogoUri(URLEncoder.encode(this.logoUri, UTF_8));
        log.debug("Creating session data using login hint:   {}", dataFromDns.getLoginHint());
        log.debug("Creating session data using redirect URI: {}", this.redirectUri);
        log.debug("Creating session data using logo URI:     {}", this.logoUri);
        getIauData(id4meSessionData, z);
        return id4meSessionData;
    }

    public boolean unsubscribeIau(Id4meSessionData id4meSessionData) {
        String iau = id4meSessionData.getIau();
        JSONObject registrationData = id4meSessionData.getIauData().getRegistrationData();
        String string = registrationData.getString("registration_access_token");
        String string2 = registrationData.getString("registration_client_uri");
        String buildAuthHeader = buildAuthHeader(string);
        log.info("Unsubscribing IAU with registrationClientUri: {}", string2);
        try {
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) new URL(string2).openConnection();
            httpsURLConnection.setInstanceFollowRedirects(true);
            httpsURLConnection.setRequestMethod("DELETE");
            httpsURLConnection.setRequestProperty(CONTENT_TYPE, "application/json");
            httpsURLConnection.setRequestProperty(AUTHORIZATION, buildAuthHeader);
            httpsURLConnection.setDoOutput(true);
            DataOutputStream dataOutputStream = new DataOutputStream(httpsURLConnection.getOutputStream());
            try {
                dataOutputStream.writeBytes("{}");
                dataOutputStream.flush();
                dataOutputStream.close();
                int responseCode = httpsURLConnection.getResponseCode();
                log.info("Unsubscribing IAU response code: {}", Integer.valueOf(responseCode));
                if (responseCode < 200 || responseCode >= 300) {
                    return false;
                }
                StringBuilder sb = new StringBuilder();
                BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
                while (true) {
                    try {
                        String readLine = bufferedReader.readLine();
                        if (readLine == null) {
                            bufferedReader.close();
                            log.info("Unsubscribing IAU response: {}", sb);
                            this.storage.removeIauData(this.registrationDataPath, iau);
                            return true;
                        }
                        sb.append(readLine);
                    } finally {
                    }
                }
            } finally {
            }
        } catch (Exception e) {
            log.error("Error unsubscribing IAU", e.getMessage());
            return false;
        }
    }

    private JSONObject fetchJwtsData(Id4meSessionData id4meSessionData) throws Exception {
        return new JSONObject(fetchUrl(id4meSessionData.getIauData().getWellKnown().getString("jwks_uri")));
    }

    public void doDynamicClientRegistration(Id4meSessionData id4meSessionData) throws Exception {
        String iau = id4meSessionData.getIau();
        log.info("Trying dynamic client registration for IAU: {}", iau);
        Id4meIdentityAuthorityData iauData = id4meSessionData.getIauData();
        if (iauData == null) {
            throw new Exception("No iau data found in session for dynamic client registration!");
        }
        JSONObject wellKnown = iauData.getWellKnown();
        if (wellKnown == null) {
            throw new Exception("well-known data not found in session for dynamic client registration!");
        }
        Id4meIdentityAuthorityData saveRegistrationData = this.storage.saveRegistrationData(this.registrationDataPath, iau, getRegistrationData(id4meSessionData));
        saveRegistrationData.setWellKnown(wellKnown);
        id4meSessionData.setIauData(saveRegistrationData);
    }

    public String authorize(Id4meSessionData id4meSessionData) throws UnsupportedEncodingException {
        Id4meIdentityAuthorityData iauData = id4meSessionData.getIauData();
        JSONObject wellKnown = id4meSessionData.getIauData().getWellKnown();
        String str = "";
        String str2 = "&scope=" + this.claimsConfig.getScopesParam();
        if (!wellKnown.has("claims_parameter_supported")) {
            str = "&claims=" + this.claimsConfig.getClaimsParam();
            log.debug("claims_parameter_supported not found in .wellKnown data for " + iauData.getIau() + ", scopes not modified");
        } else if (Boolean.valueOf(wellKnown.getBoolean("claims_parameter_supported")).booleanValue()) {
            log.debug("Claims parameter are supported.");
            str = "&claims=" + this.claimsConfig.getClaimsParam();
        } else {
            log.debug("Claims parameter are not supported.");
            if (this.fallbackToScopes) {
                str2 = "&scope=" + this.claimsConfig.getScopesForClaims();
                log.debug("claims_parameter_supported == false AND fallbackToScops == true, add missing scopes for " + iauData.getIau());
                log.info(iauData.getIau() + ", set new scopeParam: " + str2);
            } else {
                log.debug("Claims parameter not supported for " + iauData.getIau() + ", fallback to scopes == false.");
            }
        }
        String str3 = iauData.getWellKnown().getString("authorization_endpoint") + "?response_type=code" + str + str2 + "&client_id=" + id4meSessionData.getIauData().getClientId() + "&redirect_uri=" + id4meSessionData.getRedirectUri() + "&state=" + id4meSessionData.getState() + "&nonce=" + id4meSessionData.getNonce() + "&login_hint=" + id4meSessionData.getLoginHint();
        log.info("Authorizing: authorize URI: {}", str3);
        return str3;
    }

    public void authenticate(Id4meSessionData id4meSessionData, String str) throws Exception {
        JSONObject token = getToken(id4meSessionData, str);
        log.info("Authenticating with token: {}", token);
        if (token.has("token_type") && !token.getString("token_type").equalsIgnoreCase("bearer")) {
            throw new TokenNotFoundException("Bearer token not found in response!");
        }
        String str2 = null;
        if (token.has("id_token")) {
            String string = token.getString("id_token");
            try {
                EncryptedJWT parse = EncryptedJWT.parse(string);
                if (parse.getIV() != null) {
                    if (this.keyPairHandler == null) {
                        throw new Exception("id token seem to be encrypted but no KeyPair found!");
                    }
                    parse.decrypt(new RSADecrypter(this.keyPairHandler.getKeyPair().getPrivate()));
                    string = parse.getPayload().toString();
                }
            } catch (ParseException e) {
                log.debug(e.toString());
            }
            id4meSessionData.setIdToken(string);
            if (0 == 0) {
                str2 = identityHandleFromIdToken(id4meSessionData, string);
            }
        }
        if (token.has("access_token")) {
            String string2 = token.getString("access_token");
            id4meSessionData.setAccessToken(string2);
            if (str2 == null) {
                str2 = identityHandleFromAccessToken(id4meSessionData, string2);
            }
        }
        if (str2 != null) {
            id4meSessionData.setIdentityHandle(str2);
        }
        id4meSessionData.setBearerToken(token);
        id4meSessionData.setUserinfo(id4meSessionData.getAccessTokenUserinfo());
        if (id4meSessionData.getUserinfo() == null) {
            id4meSessionData.setUserinfo(id4meSessionData.getIdTokenUserinfo());
        }
        if (getExpired(token) != null) {
            id4meSessionData.setTokenExpires(getExpired(token));
        }
    }

    public Long getExpired(JSONObject jSONObject) {
        if (!jSONObject.has("expires_in")) {
            return null;
        }
        long j = jSONObject.getLong("expires_in");
        long currentTimeMillis = System.currentTimeMillis() + (j * 1000);
        log.debug("Authenticate: Set token to expire in {} sec", Long.valueOf(j));
        return Long.valueOf(currentTimeMillis);
    }

    public String identityHandleFromAccessToken(Id4meSessionData id4meSessionData, String str) throws Exception {
        log.info("Try to get identity handle from access_token");
        String str2 = null;
        switch (str.split("\\.").length) {
            case 1:
                log.debug("AccessToken contains only a header");
                break;
            case 2:
                log.debug("AccessToken contains header and payload");
                break;
            case 3:
                log.debug("AccessToken contains header, payload and signature");
                SignedJWT signedJWT = (SignedJWT) JWTParser.parse(str);
                validateSignedToken(fetchJwtsData(id4meSessionData), signedJWT);
                JSONObject jSONObject = new JSONObject(signedJWT.getPayload().toString());
                id4meSessionData.setAccessTokenUserinfo(jSONObject);
                if (jSONObject.has("iss") && jSONObject.has("sub")) {
                    str2 = jSONObject.getString("iss") + "#" + jSONObject.getString("sub");
                    break;
                }
                break;
        }
        return str2;
    }

    public String identityHandleFromIdToken(Id4meSessionData id4meSessionData, String str) throws Exception {
        String identityHandle = id4meSessionData.getIdentityHandle();
        switch (str.split("\\.").length) {
            case 1:
                log.info("IdToken contains only a header");
                break;
            case 2:
                log.info("IdToken contains header and payload");
                break;
            case 3:
                log.info("IdToken contains header, payload and signature");
                SignedJWT signedJWT = (SignedJWT) JWTParser.parse(str);
                validateSignedToken(fetchJwtsData(id4meSessionData), signedJWT);
                validateIdTokenPayload(id4meSessionData, signedJWT);
                JSONObject jSONObject = new JSONObject(signedJWT.getPayload().toString());
                id4meSessionData.setIdTokenUserinfo(jSONObject);
                if (jSONObject.has("iss") && jSONObject.has("sub")) {
                    String str2 = jSONObject.getString("iss") + "#" + jSONObject.getString("sub");
                    if (identityHandle != null && !str2.equals(identityHandle)) {
                        throw new Exception("claims sub + iss from access_token and id_token are different!");
                    }
                    identityHandle = str2;
                    break;
                }
                break;
        }
        return identityHandle;
    }

    public JSONObject userinfo(Id4meSessionData id4meSessionData) throws Exception {
        JSONObject userinfo = getUserinfo(id4meSessionData);
        if (userinfo.has("claims")) {
            JSONObject jSONObject = new JSONObject();
            for (String str : JSONObject.getNames(userinfo)) {
                if (!str.equals("claims")) {
                    jSONObject.put(str, userinfo.get(str));
                }
            }
            JSONObject jSONObject2 = userinfo.getJSONObject("claims");
            for (String str2 : JSONObject.getNames(jSONObject2)) {
                jSONObject.put(str2, jSONObject2.get(str2));
            }
            userinfo = jSONObject;
        }
        checkMandatoryClaims(userinfo);
        id4meSessionData.setUserinfo(userinfo);
        id4meSessionData.setState("userinfo");
        return userinfo;
    }

    private void checkMandatoryClaims(JSONObject jSONObject) throws MandatoryClaimsException {
        for (String str : this.claimsConfig.getEssentialClaims()) {
            if (!jSONObject.has(str)) {
                log.info("Mandatory claim \"{}\" not found in userinfo: {}", str, jSONObject);
                throw new MandatoryClaimsException("Mandatory claim \"" + str + "\" not found!");
            }
        }
    }

    public Id4meSessionData registerClient(String str) throws Exception {
        Id4meSessionData id4meSessionData = new Id4meSessionData();
        Id4meResolver.Id4meDnsDataWithLoginHint dataFromDns = this.resolver.getDataFromDns(str);
        Id4meDnsData dnsResponse = dataFromDns.getDnsResponse();
        id4meSessionData.setLoginHint(dataFromDns.getLoginHint());
        id4meSessionData.setIau(dnsResponse.getIau());
        id4meSessionData.setIag(dnsResponse.getIag());
        id4meSessionData.setRedirectUri(URLEncoder.encode(this.redirectUri, UTF_8));
        id4meSessionData.setLogoUri(URLEncoder.encode(this.logoUri, UTF_8));
        synchronized (this.storage) {
            String iau = id4meSessionData.getIau();
            Id4meIdentityAuthorityData iauData = this.storage.getIauData(this.registrationDataPath, iau);
            JSONObject jSONObject = new JSONObject(fetchUrl("https://" + iau + "/.well-known/openid-configuration"));
            if (iauData == null) {
                Id4meIdentityAuthorityData id4meIdentityAuthorityData = new Id4meIdentityAuthorityData();
                id4meIdentityAuthorityData.setIau(iau);
                id4meIdentityAuthorityData.setWellKnown(jSONObject);
                id4meSessionData.setIauData(id4meIdentityAuthorityData);
                doDynamicClientRegistration(id4meSessionData);
            }
        }
        return id4meSessionData;
    }

    private void getIauData(Id4meSessionData id4meSessionData, boolean z) throws Exception {
        String iau = id4meSessionData.getIau();
        log.info("Retrieving identity authority: {}", iau);
        Id4meIdentityAuthorityData iauData = this.storage.getIauData(this.registrationDataPath, iau);
        synchronized (this.storage) {
            JSONObject jSONObject = new JSONObject(fetchUrl("https://" + iau + "/.well-known/openid-configuration"));
            log.debug(jSONObject.toString(2));
            if (iauData == null) {
                if (!z) {
                    throw new ClientNotRegisteredException("Client is not registered at " + iau);
                }
                Id4meIdentityAuthorityData id4meIdentityAuthorityData = new Id4meIdentityAuthorityData();
                id4meIdentityAuthorityData.setWellKnown(jSONObject);
                id4meSessionData.setIauData(id4meIdentityAuthorityData);
                doDynamicClientRegistration(id4meSessionData);
                return;
            }
            log.info("Identity authority used: {}", iau);
            long j = iauData.getRegistrationData().getLong("client_secret_expires_at");
            if (j != 0) {
                long currentTimeMillis = (j * 1000) - System.currentTimeMillis();
                log.info("client_secret valid for : " + (currentTimeMillis * 0.001d) + " seconds.");
                if (currentTimeMillis < 600000) {
                    if (!z) {
                        throw new ClientRegistrationSecretExpiredException("Client registration secret is is expired at " + iau);
                    }
                    this.storage.removeIauData(this.registrationDataPath, iau);
                    Id4meIdentityAuthorityData id4meIdentityAuthorityData2 = new Id4meIdentityAuthorityData();
                    id4meIdentityAuthorityData2.setWellKnown(jSONObject);
                    id4meSessionData.setIauData(id4meIdentityAuthorityData2);
                    doDynamicClientRegistration(id4meSessionData);
                    return;
                }
            }
            iauData.setWellKnown(jSONObject);
            id4meSessionData.setIauData(iauData);
        }
    }

    private String fetchUrl(String str) throws IOException {
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) new URL(str).openConnection();
        httpsURLConnection.setInstanceFollowRedirects(true);
        log.debug("fetchUrl: " + httpsURLConnection.getResponseCode() + ", " + httpsURLConnection.getResponseMessage());
        BoundedInputStream boundedInputStream = new BoundedInputStream(httpsURLConnection.getInputStream(), this.MAX_FETCH_SIZE);
        StringBuilder sb = new StringBuilder();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(boundedInputStream));
        while (true) {
            try {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    bufferedReader.close();
                    log.debug("Fetched from URL:          {}", str);
                    log.debug("Fetched from URL response: {}", sb);
                    return sb.toString();
                }
                sb.append(readLine);
            } catch (Throwable th) {
                try {
                    bufferedReader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
    }

    private JSONObject getRegistrationData(Id4meSessionData id4meSessionData) throws Exception {
        Id4meIdentityAuthorityData iauData = id4meSessionData.getIauData();
        String string = iauData.getWellKnown().getString("registration_endpoint");
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) new URL(string).openConnection();
        httpsURLConnection.setInstanceFollowRedirects(true);
        httpsURLConnection.setRequestMethod("POST");
        httpsURLConnection.setRequestProperty(CONTENT_TYPE, "application/json");
        httpsURLConnection.setDoOutput(true);
        String[] strArr = new String[this.redirectUris.length];
        int i = 0;
        for (String str : this.redirectUris) {
            int i2 = i;
            i++;
            strArr[i2] = URLDecoder.decode(str, UTF_8);
        }
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("redirect_uris", strArr);
        jSONObject.put("client_name", this.clientName);
        if (this.logoUri != null && !"".equals(this.logoUri.trim())) {
            jSONObject.put("logo_uri", this.logoUri);
        }
        jSONObject.put("application_type", "web");
        if (this.keyPairHandler != null && iauData.getWellKnown().getJSONArray("id_token_encryption_alg_values_supported").toList().contains("RSA-OAEP-256")) {
            iauData.getWellKnown().getJSONArray("id_token_encryption_enc_values_supported");
            jSONObject.put("id_token_encrypted_response_alg", "RSA-OAEP-256");
            jSONObject.put("jwks", this.keyPairHandler.generateJwks());
        }
        String jSONObject2 = jSONObject.toString();
        log.info("Registration data request: {}", jSONObject2);
        DataOutputStream dataOutputStream = new DataOutputStream(httpsURLConnection.getOutputStream());
        try {
            dataOutputStream.writeBytes(jSONObject2);
            dataOutputStream.flush();
            dataOutputStream.close();
            int responseCode = httpsURLConnection.getResponseCode();
            log.info("Registration data request response code: {}, message: {}", Integer.valueOf(responseCode), httpsURLConnection.getResponseMessage());
            if (responseCode != 200 && responseCode != 201) {
                throw new Exception("Error " + responseCode + " on url " + string);
            }
            StringBuilder sb = new StringBuilder();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
            while (true) {
                try {
                    String readLine = bufferedReader.readLine();
                    if (readLine == null) {
                        bufferedReader.close();
                        JSONObject jSONObject3 = new JSONObject(sb.toString());
                        log.info("Registration data:\n{}", jSONObject3.toString(2));
                        return jSONObject3;
                    }
                    sb.append(readLine);
                } catch (Throwable th) {
                    try {
                        bufferedReader.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            }
        } catch (Throwable th3) {
            try {
                dataOutputStream.close();
            } catch (Throwable th4) {
                th3.addSuppressed(th4);
            }
            throw th3;
        }
    }

    private JSONObject getToken(Id4meSessionData id4meSessionData, String str) throws Exception {
        String string = id4meSessionData.getIauData().getWellKnown().getString("token_endpoint");
        String str2 = "grant_type=authorization_code&code=" + str + "&redirect_uri=" + id4meSessionData.getRedirectUri() + "&nonce=" + id4meSessionData.getNonce();
        String encodeToString = Base64.getEncoder().encodeToString((id4meSessionData.getIauData().getClientId() + ":" + id4meSessionData.getIauData().getClientSecret()).getBytes(UTF_8));
        URL url = new URL(string);
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
        httpsURLConnection.setInstanceFollowRedirects(true);
        httpsURLConnection.setRequestMethod("POST");
        httpsURLConnection.setRequestProperty(CONTENT_TYPE, "application/x-www-form-urlencoded");
        httpsURLConnection.setRequestProperty(AUTHORIZATION, "Basic " + encodeToString);
        httpsURLConnection.setDoOutput(true);
        log.info("Get token: sending 'POST' request to URL: {} with parameters: {}", url, str2);
        DataOutputStream dataOutputStream = new DataOutputStream(httpsURLConnection.getOutputStream());
        try {
            dataOutputStream.writeBytes(str2);
            dataOutputStream.flush();
            dataOutputStream.close();
            int responseCode = httpsURLConnection.getResponseCode();
            if (responseCode != 200) {
                String responseMessage = httpsURLConnection.getResponseMessage();
                log.warn("Get token: Error response code: {}", Integer.valueOf(responseCode), responseMessage);
                throw new Exception("Error " + responseCode + ", " + responseMessage + " on url " + string);
            }
            StringBuilder sb = new StringBuilder();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpsURLConnection.getInputStream()));
            while (true) {
                try {
                    String readLine = bufferedReader.readLine();
                    if (readLine == null) {
                        bufferedReader.close();
                        log.info("Get token: Response: {}", sb);
                        return new JSONObject(sb.toString());
                    }
                    sb.append(readLine);
                } catch (Throwable th) {
                    try {
                        bufferedReader.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            }
        } catch (Throwable th3) {
            try {
                dataOutputStream.close();
            } catch (Throwable th4) {
                th3.addSuppressed(th4);
            }
            throw th3;
        }
    }

    private JSONObject getUserinfo(Id4meSessionData id4meSessionData) throws Exception {
        String str = "_443._tcp." + id4meSessionData.getIag() + ".";
        Id4meResolver.LookupResponse lookupDane = this.resolver.lookupDane(str);
        if (lookupDane != null) {
            log.info("TLSA lookup response: {} = \"{}\", DNSSEC = {}", new Object[]{str, lookupDane.getData(), Boolean.valueOf(lookupDane.isDnssec())});
        } else {
            log.info("TLSA lookup failed");
        }
        String string = id4meSessionData.getIauData().getWellKnown().getString("userinfo_endpoint");
        log.info("Userinfo endpoint: " + string);
        String fetchUserinfo = fetchUserinfo(string, id4meSessionData.getAccessToken());
        JSONObject jSONObject = fetchUserinfo.trim().indexOf(123) == 0 ? new JSONObject(fetchUserinfo) : getPayloadFromJwt(fetchUserinfo.trim());
        if (jSONObject.has("_claim_sources") && jSONObject.has("_claim_names")) {
            jSONObject = getDistributedClaims(jSONObject);
        }
        if (!jSONObject.has("error")) {
            return jSONObject;
        }
        if (jSONObject.has("error_description")) {
            throw new Exception(jSONObject.getString("error_description"));
        }
        throw new Exception(jSONObject.toString(2));
    }

    private JSONObject fetchAgentJwts(String str) throws Exception {
        return new JSONObject(fetchUrl(new JSONObject(fetchUrl("https://" + str + "/.well-known/openid-configuration")).getString("jwks_uri")));
    }

    private JSONObject getDistributedClaims(JSONObject jSONObject) throws Exception {
        JSONObject jSONObject2 = new JSONObject();
        JSONObject jSONObject3 = jSONObject.getJSONObject("_claim_sources");
        String[] names = JSONObject.getNames(jSONObject3);
        Hashtable hashtable = new Hashtable();
        for (String str : names) {
            String host = new URL(jSONObject3.getJSONObject(str).getString("endpoint")).getHost();
            if (hashtable.containsKey(host)) {
                log.debug(host);
            } else {
                JSONObject fetchAgentJwts = fetchAgentJwts(host);
                hashtable.put(host, fetchAgentJwts);
                log.debug("+" + host);
                log.debug("+" + fetchAgentJwts.toString(2));
            }
        }
        for (String str2 : names) {
            JSONObject jSONObject4 = jSONObject3.getJSONObject(str2);
            String string = jSONObject4.getString("endpoint");
            String string2 = jSONObject4.getString("access_token");
            String host2 = new URL(string).getHost();
            log.debug("Get distributed claims: accessToken: {}", string2);
            log.debug("Get distributed claims: endpoint:    {}", string);
            log.debug("Get distributed claims: host:    {}", host2);
            String fetchUserinfo = fetchUserinfo(string, string2);
            SignedJWT signedJWT = (SignedJWT) JWTParser.parse(fetchUserinfo);
            JSONObject jSONObject5 = (JSONObject) hashtable.get(host2);
            log.debug(signedJWT.toString());
            validateSignedToken(jSONObject5, signedJWT);
            log.debug("Get distributed claims: response:    {}", fetchUserinfo);
            JSONObject jSONObject6 = fetchUserinfo.startsWith("{") ? new JSONObject(fetchUserinfo) : getPayloadFromJwt(fetchUserinfo);
            for (String str3 : JSONObject.getNames(jSONObject6)) {
                jSONObject2.put(str3, jSONObject6.get(str3));
            }
        }
        return jSONObject2;
    }

    public JSONObject getPayloadFromJwt(String str) throws TokenValidationException {
        try {
            if (str.indexOf(46) < 0) {
                throw new TokenValidationException("No payload in token found.");
            }
            String[] split = str.split("\\.");
            String str2 = new String(Base64.getDecoder().decode(split[0]));
            String str3 = new String(Base64.getDecoder().decode(split[1]));
            if (split.length == 3) {
            }
            log.info("Userinfo extracted from token: header:  {}", str2);
            log.info("Userinfo extracted from token: payload: {}", str3);
            return new JSONObject(str3);
        } catch (Exception e) {
            throw new TokenValidationException(e.getMessage());
        }
    }

    private String fetchUserinfo(String str, String str2) throws Exception {
        URL url = new URL(str);
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) url.openConnection();
        httpsURLConnection.setInstanceFollowRedirects(true);
        httpsURLConnection.setRequestMethod("GET");
        String buildAuthHeader = buildAuthHeader(str2);
        httpsURLConnection.setRequestProperty(AUTHORIZATION, buildAuthHeader);
        log.info("Fetch userinfo: URL:         {}", url);
        log.info("Fetch userinfo: authHeader:  {}", buildAuthHeader);
        int responseCode = httpsURLConnection.getResponseCode();
        if (responseCode != 200) {
            throw new Exception("Error " + responseCode + ": " + httpsURLConnection.getResponseMessage() + ", " + str);
        }
        InputStream inputStream = httpsURLConnection.getInputStream();
        StringBuilder sb = new StringBuilder();
        InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
        try {
            BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
            while (true) {
                try {
                    String readLine = bufferedReader.readLine();
                    if (readLine == null) {
                        bufferedReader.close();
                        inputStreamReader.close();
                        log.info("Fetch userinfo: response:    {}", sb);
                        return sb.toString().trim();
                    }
                    sb.append(readLine);
                } finally {
                }
            }
        } catch (Throwable th) {
            try {
                inputStreamReader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private String buildAuthHeader(String str) {
        return "Bearer " + str;
    }

    private void validateSignedToken(JSONObject jSONObject, SignedJWT signedJWT) throws Exception {
        log.debug("Validate signed token:          {}", signedJWT.toString());
        JSONObject jSONObject2 = new JSONObject(signedJWT.getHeader().toString());
        JSONObject jSONObject3 = new JSONObject(signedJWT.getPayload().toString());
        log.debug("Validate token: header:  {}", jSONObject2.toString());
        log.debug("Validate token: payload: {}", jSONObject3.toString());
        String str = null;
        if (jSONObject2.has("kid")) {
            str = jSONObject2.getString("kid");
        }
        if (!jSONObject2.has("alg")) {
            throw new Exception("Field alg missing in token payload!");
        }
        String string = jSONObject2.getString("alg");
        if (!string.equalsIgnoreCase("RS256")) {
            throw new Exception("JWTS signature algorithm mismatch, expected RS256, found " + string);
        }
        validateTokenSignature(jSONObject, signedJWT, str, string);
    }

    private void validateTokenSignature(JSONObject jSONObject, SignedJWT signedJWT, String str, String str2) throws Exception {
        JSONArray jSONArray = jSONObject.getJSONArray("keys");
        if (jSONArray == null || jSONArray.length() <= 0) {
            throw new IllegalArgumentException("Error on validating the token, keys == NULL");
        }
        for (int i = 0; i < jSONArray.length(); i++) {
            JSONObject jSONObject2 = jSONArray.getJSONObject(i);
            String string = jSONObject2.getString("kid");
            log.debug("Validating token signature: kid: {}", string);
            if (str == null || string.equals(str)) {
                String upperCase = str2.toUpperCase();
                boolean z = -1;
                switch (upperCase.hashCode()) {
                    case 78251122:
                        if (upperCase.equals("RS256")) {
                            z = false;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        if (!signedJWT.verify(new RSASSAVerifier((RSAPublicKey) RSAKey.parse(jSONObject2.toString()).toPublicKey()))) {
                            throw new Exception("Error on validating the token signature, kid=RS256, alg=RSA");
                        }
                        log.debug("Validating token signature: token RS256 signature valid");
                        return;
                    default:
                        throw new IllegalArgumentException("Unhandled value for header_alg: " + str2);
                }
            }
        }
        throw new TokenValidationException("No valid public key for token validation found!");
    }

    private void validateStandardClaims(Id4meSessionData id4meSessionData, JSONObject jSONObject) throws Exception {
        log.debug("Validate userinfo standard claims: ", jSONObject.toString());
        if (!jSONObject.has("nonce")) {
            throw new Exception("Field nonce missing!");
        }
        if (!id4meSessionData.getNonce().equals(jSONObject.getString("nonce"))) {
            throw new Exception("Error on validating standard claims, the session nonce != nonce!");
        }
        if (!jSONObject.has("exp")) {
            throw new Exception("Field exp missing!");
        }
        if (!jSONObject.has("iss")) {
            throw new Exception("Field iss missing!");
        }
        if (!id4meSessionData.getIauData().getWellKnown().getString("issuer").equals(jSONObject.getString("iss"))) {
            throw new Exception("Error on validating standard claims, the session iss != iss!");
        }
        if (!jSONObject.has("sub")) {
            throw new Exception("Field sub missing!");
        }
        if (!jSONObject.has("aud")) {
            throw new Exception("Field aud missing!");
        }
        Object obj = jSONObject.get("aud");
        if ((obj instanceof String) && !id4meSessionData.getIauData().getRegistrationData().getString("client_id").equals(obj)) {
            throw new Exception("Error on validating standard claims, the session audience != aud!");
        }
        if (!jSONObject.has("iat")) {
            throw new Exception("Field iat missing!");
        }
    }

    private void validateIdTokenPayload(Id4meSessionData id4meSessionData, SignedJWT signedJWT) throws Exception {
        JSONObject jSONObject = new JSONObject(signedJWT.getPayload().toString());
        log.debug("Validate Id token payload: ", jSONObject.toString());
        validateStandardClaims(id4meSessionData, jSONObject);
        if (jSONObject.has("exp")) {
            long j = jSONObject.getLong("exp");
            if (j != 0) {
                long j2 = j * 1000;
                log.debug("Validate Id token: token expiration threshold: {}", new Date(j2));
                if (System.currentTimeMillis() > j2) {
                    throw new Exception("Token is expired!");
                }
                if (id4meSessionData.getTokenExpires() != 0) {
                    id4meSessionData.setTokenExpires(Long.valueOf(j2));
                }
            }
        }
        id4meSessionData.setStandardClaimsValidated(true);
    }
}
