package de.samply.auth.client.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import de.samply.common.config.OAuth2Client;
import java.io.Serializable;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/samply/auth/client/jwt/AbstractJwt.class */
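/**
 * Base class for a serialized JWT whose signature is checked against a public key.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The claims are parsed and stored <em>before</em> the signature is checked, so
 *       {@link #getClaimsSet()} and {@link #getSubject()} return claims of tokens whose
 *       signature did not verify. Gate every trust decision on {@link #isValid()}.</li>
 *   <li>Constructing with {@code externalValidation == true} skips signature verification
 *       completely and marks the signature as valid. Only pass {@code true} for a token the
 *       calling application has already verified itself.</li>
 *   <li>HMAC-signed tokens (HS256/384/512) cannot be verified with a public key; without
 *       external validation they are never reported as valid.</li>
 *   <li>The class is {@link Serializable} and {@code signatureValid},
 *       {@code externalValidation} and {@code publicKey} are part of the serialized form.
 *       {@link #isValid()} re-runs verification after deserialization, but it does so with
 *       the key and the flag read from the stream, so instances must only be deserialized
 *       from a trusted source.</li>
 * </ul>
 *
 * <p>Decompiler note: the four constructors were declared {@code protected} in the original
 * class; they are kept {@code public} here so the visible interface does not change.
 */
public abstract class AbstractJwt implements Serializable {
    private static final long serialVersionUID = -6242591976053763039L;
    private static final Logger logger = LoggerFactory.getLogger(AbstractJwt.class);

    /** The compact serialization the instance was created from. */
    private final String serialized;

    /** Result of the last verification run; {@code true} unconditionally under external validation. */
    private boolean signatureValid;

    /** When {@code true}, the caller vouches for the signature and no verification is done. */
    private boolean externalValidation;

    /** Parsed claims; transient, re-parsed lazily by {@link #getClaimsSet()}. */
    private transient JWTClaimsSet claimsSet;

    /** Key used to verify RSA and ECDSA signatures. */
    private PublicKey publicKey;

    /**
     * Creates a token verified against the host public key of the given client configuration.
     *
     * @param oAuth2Client configuration providing the host public key
     * @param str the serialized JWT
     * @throws JwtException if the token cannot be parsed or the key does not fit its algorithm
     */
    public AbstractJwt(OAuth2Client oAuth2Client, String str) throws JwtException {
        this(KeyLoader.loadKey(oAuth2Client.getHostPublicKey()), str, false);
    }

    /**
     * Creates a token using the host public key of the given client configuration.
     *
     * @param oAuth2Client configuration providing the host public key
     * @param str the serialized JWT
     * @param z {@code true} if the caller has verified the signature itself; verification is
     *     then skipped and the signature is reported as valid
     * @throws JwtException if the token cannot be parsed or the key does not fit its algorithm
     */
    public AbstractJwt(OAuth2Client oAuth2Client, String str, boolean z) throws JwtException {
        this(KeyLoader.loadKey(oAuth2Client.getHostPublicKey()), str, z);
    }

    /**
     * Creates a token verified against the given public key.
     *
     * @param publicKey key the signature is verified with
     * @param str the serialized JWT
     * @throws JwtException if the token cannot be parsed or the key does not fit its algorithm
     */
    public AbstractJwt(PublicKey publicKey, String str) throws JwtException {
        this(publicKey, str, false);
    }

    /**
     * Creates a token and immediately parses it and, unless external validation is requested,
     * verifies its signature.
     *
     * @param publicKey key the signature is verified with
     * @param str the serialized JWT
     * @param z {@code true} if the caller has verified the signature itself; verification is
     *     then skipped and the signature is reported as valid
     * @throws JwtException if the token cannot be parsed, the signature cannot be processed, or
     *     the key type does not fit the token's algorithm
     */
    public AbstractJwt(PublicKey publicKey, String str, boolean z) throws JwtException {
        this.signatureValid = false;
        this.serialized = str;
        this.publicKey = publicKey;
        this.externalValidation = z;
        try {
            reloadClaimsSet();
        } catch (ParseException e) {
            throw new JwtParseException(e);
        } catch (JOSEException e2) {
            // The constructors of JwtInvalidSignatureFormatException are not visible here, so the
            // cause is logged instead of chained to keep it available for diagnosis.
            logger.debug("JWT signature could not be processed", e2);
            throw new JwtInvalidSignatureFormatException();
        }
    }

    /**
     * Parses the serialized token, stores its claims and recomputes {@code signatureValid}.
     *
     * @throws ParseException if the string is not a well-formed signed JWT
     * @throws JOSEException if the verifier cannot process the signature
     * @throws JwtKeyMismatchException if the key type and the header algorithm do not belong
     *     together and the algorithm is not an HMAC one
     */
    private void reloadClaimsSet() throws ParseException, JOSEException, JwtKeyMismatchException {
        // Fail closed: any exception below must not leave an earlier (or deserialized) "valid"
        // flag in place.
        this.signatureValid = false;

        // Parse strictly as a signed JWT. The previous code rebuilt a SignedJWT from the parts
        // of whatever JWTParser returned, which relies on those parts having the JWS layout; a
        // token that is not a JWS is now rejected with a ParseException at this point.
        SignedJWT signedJWT = SignedJWT.parse(this.serialized);

        // Claims are stored before verification; they are untrusted until isValid() says otherwise.
        this.claimsSet = signedJWT.getJWTClaimsSet();

        if (this.externalValidation) {
            // The caller vouches for the signature; nothing is verified here.
            this.signatureValid = true;
            return;
        }

        // The algorithm comes from the token header and is therefore attacker-controlled. It is
        // only accepted when it matches the type of the configured key.
        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        boolean rsaAlgorithm = JWSAlgorithm.RS256.equals(algorithm)
                || JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.RS512.equals(algorithm);
        boolean ecAlgorithm = JWSAlgorithm.ES256.equals(algorithm)
                || JWSAlgorithm.ES384.equals(algorithm)
                || JWSAlgorithm.ES512.equals(algorithm);
        boolean hmacAlgorithm = JWSAlgorithm.HS256.equals(algorithm)
                || JWSAlgorithm.HS384.equals(algorithm)
                || JWSAlgorithm.HS512.equals(algorithm);

        if ((this.publicKey instanceof RSAPublicKey) && rsaAlgorithm) {
            this.signatureValid = signedJWT.verify(new RSASSAVerifier((RSAPublicKey) this.publicKey));
        } else if ((this.publicKey instanceof ECPublicKey) && ecAlgorithm) {
            this.signatureValid = signedJWT.verify(new ECDSAVerifier((ECPublicKey) this.publicKey));
        } else if (hmacAlgorithm) {
            // A public key cannot verify an HMAC; signatureValid stays false.
            logger.warn("HMAC signature can't be verified. Verification must be done server-sided. Deal with verification in calling application and pass externalValidation=true to the JWT constructor.");
        } else {
            throw new JwtKeyMismatchException();
        }
    }

    /**
     * Reports whether the token may be trusted right now.
     *
     * <p>The claims are loaded first, so that an instance restored from a serialized form has
     * its signature checked again before the flag is read. A token without claims or without an
     * expiration time is reported as invalid instead of raising a
     * {@link NullPointerException}.
     *
     * @return {@code true} if the signature is valid, the expiration time lies in the future and
     *     the not-before time, when present, lies in the past
     */
    public boolean isValid() {
        JWTClaimsSet claims = getClaimsSet();
        if (claims == null || !this.signatureValid) {
            return false;
        }
        Date now = new Date();
        Date expiration = claims.getExpirationTime();
        if (expiration == null || !now.before(expiration)) {
            return false;
        }
        Date notBefore = claims.getNotBeforeTime();
        return notBefore == null || now.after(notBefore);
    }

    /**
     * Returns the claims of the token, parsing the serialized form again if needed.
     *
     * <p>The claims are returned regardless of the verification result; check
     * {@link #isValid()} before relying on them.
     *
     * @return the claims, or {@code null} if the token could not be reloaded
     */
    public JWTClaimsSet getClaimsSet() {
        if (this.claimsSet == null) {
            try {
                reloadClaimsSet();
            } catch (Exception e) {
                // Best effort by contract (null is returned), but the failure is recorded. The
                // token itself is deliberately not logged.
                logger.warn("JWT claims could not be reloaded", e);
                return null;
            }
        }
        return this.claimsSet;
    }

    /**
     * Returns the compact serialization this instance was created from.
     *
     * @return the serialized JWT
     */
    public String getSerialized() {
        return this.serialized;
    }

    /**
     * Returns the subject claim. The value is unverified unless {@link #isValid()} is true.
     *
     * @return the subject claim
     * @throws NullPointerException if the claims could not be loaded
     */
    public String getSubject() {
        return getClaimsSet().getSubject();
    }

    /**
     * Returns the key used for signature verification.
     *
     * @return the public key
     */
    public PublicKey getPublicKey() {
        return this.publicKey;
    }

    /**
     * Returns the token type of the concrete subclass.
     *
     * @return the token type
     */
    protected abstract String getTokenType();
}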
