package org.apereo.cas.client.validation.jwt;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.BadJWEException;
import com.nimbusds.jose.proc.BadJWSException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWEDecryptionKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.text.ParseException;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import javax.crypto.spec.SecretKeySpec;
import org.apereo.cas.client.authentication.AttributePrincipalImpl;
import org.apereo.cas.client.validation.Assertion;
import org.apereo.cas.client.validation.AssertionImpl;
import org.apereo.cas.client.validation.TicketValidationException;
import org.apereo.cas.client.validation.TicketValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/client/validation/jwt/CasJWTTicketValidator.class */
/**
 * {@link TicketValidator} that treats the ticket string as a JWT and validates it through a Nimbus
 * {@link ConfigurableJWTProcessor}. The processor is built lazily on the first {@link #validate}
 * call (or explicitly via {@link #initialize()}) from the configured key material, expected issuer
 * and audience, required claims and maximum clock skew.
 * <p>
 * Keys are supplied as strings: the encryption key is Base64-decoded by default, the signing key
 * is used as raw UTF-8 bytes by default; each is wrapped in a {@link SecretKeySpec} whose
 * algorithm name comes from the corresponding {@code *KeyAlgorithm} property ("AES" by default).
 * <p>
 * Thread-safety: the lazy initialization in {@link #validate} is not guarded; concurrent first
 * calls may each build and install their own processor. Setters are plain field writes.
 * <p>
 * NOTE(review): the key selectors installed by {@code configureKeySelectors} return the configured
 * secret for every header they are asked about, so the nominal algorithms given to the Nimbus
 * selector constructors there do not pin the accepted {@code alg}/{@code enc}; what is ultimately
 * accepted is decided by the Nimbus verifier/decrypter factories for a secret key of this type.
 * Confirm this is intended.
 */
public class CasJWTTicketValidator implements TicketValidator {
    // HMAC signing key, as text; decoded per base64SigningKey.
    private String signingKey;
    // Content-encryption key, as text; decoded per base64EncryptionKey.
    private String encryptionKey;
    // Value the "iss" claim must carry.
    private String expectedIssuer;
    // Value the "aud" claim must carry.
    private String expectedAudience;
    // Whether signingKey is Base64 text (default: false, i.e. raw UTF-8 bytes are used).
    private boolean base64SigningKey;
    // Built by initialize(); null until then.
    private ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    // JCA algorithm name used for the SecretKeySpec wrapping the encryption key.
    private String encryptionKeyAlgorithm = "AES";
    // JCA algorithm name used for the SecretKeySpec wrapping the signing key.
    private String signingKeyAlgorithm = "AES";
    // Comma-separated claim names that must be present; split on "," without trimming.
    private String requiredClaims = "sub,aud,iat,jti,exp,iss";
    // Whether encryptionKey is Base64 text (default: true).
    private boolean base64EncryptionKey = true;
    // Seconds of tolerance applied by the claims verifier to time-based claims.
    private int maxClockSkew = 60;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apereo/cas/client/validation/jwt/CasJWTTicketValidator$CasJWTProcessor.class */
    /**
     * {@link DefaultJWTProcessor} variant that handles nesting in both directions: a signed JWT
     * whose payload is itself an encrypted JWT, and an encrypted JWT whose payload is a signed JWT
     * (content type "JWT"). Both overrides iterate the keys returned by the configured selector and
     * only fail after the last candidate key.
     */
    public static class CasJWTProcessor extends DefaultJWTProcessor<SecurityContext> {
        private CasJWTProcessor() {
        }

        /**
         * Verifies a signed JWT and returns its verified claims.
         * <p>
         * NOTE(review): the header {@code typ} is checked with {@code getJWETypeVerifier()}, not
         * {@code getJWSTypeVerifier()}; the verifier installed by
         * {@code CasJWTTicketValidator#initialize()} via {@code setJWSTypeVerifier} is therefore not
         * consulted on this path. Confirm this is intentional before changing it, as it affects
         * which inner signed tokens (with or without {@code typ}) are accepted.
         *
         * @param signedJWT       the signed token to verify
         * @param securityContext optional context passed through to selectors and verifiers
         * @return the verified claims; when the payload is not a JSON object and parses as an
         *         {@link EncryptedJWT}, the claims of that nested encrypted token instead
         * @throws BadJOSEException when no key is selected, no verifier can be created for any
         *                          selected key, the signature fails for the last key, or the
         *                          payload / inner token cannot be parsed
         * @throws JOSEException    on verifier construction or verification errors
         */
        public JWTClaimsSet process(SignedJWT signedJWT, SecurityContext securityContext) throws BadJOSEException, JOSEException {
            getJWETypeVerifier().verify(signedJWT.getHeader().getType(), securityContext);
            List selectJWSKeys = getJWSKeySelector().selectJWSKeys(signedJWT.getHeader(), securityContext);
            if (selectJWSKeys == null || selectJWSKeys.isEmpty()) {
                throw new BadJOSEException("Signed JWT rejected: Another algorithm expected, or no matching key(s) found");
            }
            ListIterator listIterator = selectJWSKeys.listIterator();
            while (listIterator.hasNext()) {
                // A null verifier (factory declined the key/alg combination) is skipped silently;
                // if every key is skipped the method falls through to the final rejection.
                JWSVerifier createJWSVerifier = getJWSVerifierFactory().createJWSVerifier(signedJWT.getHeader(), (Key) listIterator.next());
                if (createJWSVerifier != null) {
                    if (signedJWT.verify(createJWSVerifier)) {
                        try {
                            // Payload that is not a JSON object may be a nested token: if it parses
                            // as an encrypted JWT, delegate to the JWE path; any other result falls
                            // through to getJWTClaimsSet() below.
                            if (signedJWT.getPayload() != null && signedJWT.getPayload().toJSONObject() == null) {
                                try {
                                    JWT parse = JWTParser.parse(signedJWT.getPayload().toString());
                                    if (parse instanceof EncryptedJWT) {
                                        return process((EncryptedJWT) parse, securityContext);
                                    }
                                } catch (ParseException e) {
                                    throw new BadJWSException("Unable to parse inner JWT", e);
                                }
                            }
                            JWTClaimsSet jWTClaimsSet = signedJWT.getJWTClaimsSet();
                            if (getJWTClaimsSetVerifier() != null) {
                                getJWTClaimsSetVerifier().verify(jWTClaimsSet, securityContext);
                            }
                            return jWTClaimsSet;
                        } catch (ParseException e2) {
                            // Only getJWTClaimsSet() can reach here; the inner parse is handled above.
                            throw new BadJWSException("Unable to parse JWT", e2);
                        }
                    }
                    // Signature failed for this key: reject only if it was the last candidate.
                    if (!listIterator.hasNext()) {
                        throw new BadJWSException("Signed JWT rejected: Invalid signature");
                    }
                }
            }
            throw new BadJOSEException("JWS object rejected: No matching verifier(s) found");
        }

        /**
         * Decrypts an encrypted JWT and returns its verified claims.
         * <p>
         * When the JWE {@code cty} header is "JWT" the decrypted payload is expected to be a nested
         * signed JWT, which is then handed to {@link #process(SignedJWT, SecurityContext)}; a payload
         * that is neither a signed JWT nor a JSON object is rejected. Otherwise the claims are read
         * directly from the decrypted payload.
         * <p>
         * Note that the {@code catch (JOSEException)} below also wraps the recursive signed-JWT
         * processing, so a {@link JOSEException} raised while verifying the nested token is
         * reported as "Encrypted JWT rejected" (or, when further keys remain, retried with the
         * next key). With the single-key selectors installed by {@code configureKeySelectors}
         * there is never a further key.
         *
         * @param encryptedJWT    the encrypted token to decrypt
         * @param securityContext optional context passed through to selectors and factories
         * @return the verified claims of the token (or of its nested signed token)
         * @throws BadJOSEException when no key is selected, decryption fails for the last key, no
         *                          decrypter can be created for any key, the nested payload is
         *                          invalid, or the claims cannot be parsed or verified
         * @throws JOSEException    on decrypter construction errors not caught below
         */
        public JWTClaimsSet process(EncryptedJWT encryptedJWT, SecurityContext securityContext) throws BadJOSEException, JOSEException {
            getJWETypeVerifier().verify(encryptedJWT.getHeader().getType(), securityContext);
            List selectJWEKeys = getJWEKeySelector().selectJWEKeys(encryptedJWT.getHeader(), securityContext);
            if (selectJWEKeys == null || selectJWEKeys.isEmpty()) {
                throw new BadJOSEException("Encrypted JWT rejected: Another algorithm expected, or no matching key(s) found");
            }
            ListIterator listIterator = selectJWEKeys.listIterator();
            while (listIterator.hasNext()) {
                // A null decrypter is skipped; if every key is skipped, fall through to rejection.
                JWEDecrypter createJWEDecrypter = getJWEDecrypterFactory().createJWEDecrypter(encryptedJWT.getHeader(), (Key) listIterator.next());
                if (createJWEDecrypter != null) {
                    try {
                        encryptedJWT.decrypt(createJWEDecrypter);
                        if ("JWT".equalsIgnoreCase(encryptedJWT.getHeader().getContentType())) {
                            SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
                            if (signedJWT != null) {
                                // Nested JWS inside the JWE: verify the inner signature.
                                return process(signedJWT, securityContext);
                            }
                            if (encryptedJWT.getPayload().toJSONObject() == null) {
                                throw new BadJWTException("The payload is not a nested signed JWT");
                            }
                            // cty=JWT but the payload is a plain JSON object: read claims directly.
                        }
                        try {
                            JWTClaimsSet jWTClaimsSet = encryptedJWT.getJWTClaimsSet();
                            if (getJWTClaimsSetVerifier() != null) {
                                getJWTClaimsSetVerifier().verify(jWTClaimsSet, securityContext);
                            }
                            return jWTClaimsSet;
                        } catch (ParseException e) {
                            throw new BadJWTException(e.getMessage(), e);
                        }
                    } catch (JOSEException e2) {
                        // Decryption (or nested verification) failed: reject only on the last key.
                        if (!listIterator.hasNext()) {
                            throw new BadJWEException("Encrypted JWT rejected: " + e2.getMessage(), e2);
                        }
                    }
                }
            }
            throw new BadJOSEException("Encrypted JWT rejected: No matching decrypter(s) found");
        }
    }

    /**
     * Validates a JWT ticket and maps its claims to an {@link Assertion}.
     * <p>
     * The processor is created on first use (unsynchronized; see class notes). The principal is
     * built from the "sub" claim with the full claim set as attributes. The issue time is passed
     * twice to the {@link AssertionImpl} constructor together with the expiration time and an
     * empty attribute map; presumably valid-from and authentication date — confirm against
     * {@code AssertionImpl}.
     *
     * @param str  the ticket, expected to be a compact-serialized JWT
     * @param str2 the service; not used by this implementation (audience is checked against the
     *             configured expectedAudience instead)
     * @return the assertion derived from the verified claims
     * @throws TicketValidationException wrapping any failure, including processor initialization
     *                                   errors and every JOSE/JWT rejection
     */
    @Override // org.apereo.cas.client.validation.TicketValidator
    public Assertion validate(String str, String str2) throws TicketValidationException {
        try {
            if (this.jwtProcessor == null) {
                initialize();
            }
            JWTClaimsSet process = this.jwtProcessor.process(str, (SecurityContext) null);
            this.logger.debug("Validated claims are {}", process);
            return new AssertionImpl(new AttributePrincipalImpl(process.getSubject(), process.getClaims()), process.getIssueTime(), process.getExpirationTime(), process.getIssueTime(), new HashMap());
        } catch (Exception e) {
            throw new TicketValidationException(e);
        }
    }

    /**
     * Builds and installs the JWT processor from the current property values. Can be called
     * again to rebuild after reconfiguration.
     * <p>
     * Requires signingKey and encryptionKey to be set; otherwise the key decoding below throws a
     * {@link NullPointerException}. A Base64-flagged key that is not valid Base64 throws
     * {@link IllegalArgumentException}. Required claim names are split on "," as-is (no trimming),
     * and {@link Set#of} rejects duplicate names with an {@link IllegalArgumentException}.
     * <p>
     * NOTE(review): the JWS type verifier installed here is not consulted by
     * {@code CasJWTProcessor#process(SignedJWT, SecurityContext)}, which uses the JWE type verifier
     * instead; see the note there.
     */
    public void initialize() {
        this.logger.debug("Initializing JWT processor...");
        this.jwtProcessor = new CasJWTProcessor();
        this.jwtProcessor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier(new JOSEObjectType[]{JOSEObjectType.JWT}));
        // First secret: encryption key (Base64 by default); second: signing key (raw UTF-8 by default).
        configureKeySelectors(this.jwtProcessor, new ImmutableSecret(new SecretKeySpec(this.base64EncryptionKey ? Base64.getDecoder().decode(this.encryptionKey) : this.encryptionKey.getBytes(StandardCharsets.UTF_8), this.encryptionKeyAlgorithm)), new ImmutableSecret(new SecretKeySpec(this.base64SigningKey ? Base64.getDecoder().decode(this.signingKey) : this.signingKey.getBytes(StandardCharsets.UTF_8), this.signingKeyAlgorithm)));
        // Issuer and audience are supplied as exact-match claims; required claims must be present.
        DefaultJWTClaimsVerifier defaultJWTClaimsVerifier = new DefaultJWTClaimsVerifier(new JWTClaimsSet.Builder().issuer(this.expectedIssuer).audience(this.expectedAudience).build(), Set.of((Object[]) this.requiredClaims.split(",")));
        defaultJWTClaimsVerifier.setMaxClockSkew(this.maxClockSkew);
        this.jwtProcessor.setJWTClaimsSetVerifier(defaultJWTClaimsVerifier);
    }

    /**
     * Installs key selectors that always return the configured secrets.
     * <p>
     * Both selectors override the key lookup to return the secret unconditionally, without looking
     * at the header passed in. The algorithms given to the constructors (RS256; DIR with
     * A128CBC_HS256) are therefore not enforced by this class: the header {@code alg}/{@code enc}
     * is only constrained by what the processor's verifier and decrypter factories will build for a
     * {@link SecretKeySpec}. NOTE(review): confirm that the Nimbus factories' acceptance for this
     * key type matches the server's configuration.
     *
     * @param configurableJWTProcessor the processor to configure
     * @param immutableSecret          the content-encryption secret, used for JWE decryption
     * @param immutableSecret2         the signing secret, used for JWS verification
     */
    private static void configureKeySelectors(ConfigurableJWTProcessor<SecurityContext> configurableJWTProcessor, final ImmutableSecret<SecurityContext> immutableSecret, final ImmutableSecret<SecurityContext> immutableSecret2) {
        JWSVerificationKeySelector<SecurityContext> jWSVerificationKeySelector = new JWSVerificationKeySelector<SecurityContext>(JWSAlgorithm.RS256, immutableSecret2) { // from class: org.apereo.cas.client.validation.jwt.CasJWTTicketValidator.1
            // Ignores the header: the signing secret is the only candidate, whatever alg is declared.
            public List<Key> selectJWSKeys(JWSHeader jWSHeader, SecurityContext securityContext) {
                return List.of(immutableSecret2.getSecretKey());
            }
        };
        JWEDecryptionKeySelector<SecurityContext> jWEDecryptionKeySelector = new JWEDecryptionKeySelector<SecurityContext>(JWEAlgorithm.DIR, EncryptionMethod.A128CBC_HS256, immutableSecret) { // from class: org.apereo.cas.client.validation.jwt.CasJWTTicketValidator.2
            // Ignores the header: the encryption secret is the only candidate, whatever alg/enc is declared.
            public List<Key> selectJWEKeys(JWEHeader jWEHeader, SecurityContext securityContext) {
                return List.of(immutableSecret.getSecretKey());
            }
        };
        configurableJWTProcessor.setJWSKeySelector(jWSVerificationKeySelector);
        configurableJWTProcessor.setJWEKeySelector(jWEDecryptionKeySelector);
    }

    /** Sets whether the encryption key string is Base64-encoded (default: true). */
    public void setBase64EncryptionKey(boolean z) {
        this.base64EncryptionKey = z;
    }

    /** Sets whether the signing key string is Base64-encoded (default: false). */
    public void setBase64SigningKey(boolean z) {
        this.base64SigningKey = z;
    }

    /** Sets the comma-separated list of claims that must be present; entries are not trimmed. */
    public void setRequiredClaims(String str) {
        this.requiredClaims = str;
    }

    /** Sets the JCA algorithm name for the encryption SecretKeySpec (default: "AES"). */
    public void setEncryptionKeyAlgorithm(String str) {
        this.encryptionKeyAlgorithm = str;
    }

    /** Sets the JCA algorithm name for the signing SecretKeySpec (default: "AES"). */
    public void setSigningKeyAlgorithm(String str) {
        this.signingKeyAlgorithm = str;
    }

    /** Sets the value required in the "aud" claim. */
    public void setExpectedAudience(String str) {
        this.expectedAudience = str;
    }

    /** Sets the value required in the "iss" claim. */
    public void setExpectedIssuer(String str) {
        this.expectedIssuer = str;
    }

    /** Sets the signing key; interpreted per {@link #setBase64SigningKey(boolean)}. */
    public void setSigningKey(String str) {
        this.signingKey = str;
    }

    /** Sets the encryption key; interpreted per {@link #setBase64EncryptionKey(boolean)}. */
    public void setEncryptionKey(String str) {
        this.encryptionKey = str;
    }

    /** Sets the clock skew tolerance in seconds for time-based claims (default: 60). */
    public void setMaxClockSkew(int i) {
        this.maxClockSkew = i;
    }
}
