package com.networknt.security;

import ch.qos.logback.core.net.ssl.SSL;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.networknt.config.Config;
import com.networknt.exception.ExpiredTokenException;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.http.cookie.ClientCookie;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.owasp.encoder.Encode;
import org.slf4j.ext.XLogger;
import org.slf4j.ext.XLoggerFactory;

/* loaded from: input_file:com/networknt/security/JwtHelper.class */
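/**
 * Static helpers for issuing and verifying RS256-signed JSON Web Tokens.
 *
 * <p>Configuration is read once, at class initialization, from the {@code security} and
 * {@code jwt} config files. The verification certificates listed under
 * {@code security.jwt.certificate} are loaded into {@link #certMap}, keyed by {@code kid}.
 *
 * <p>Thread-safety: {@link #certMap} is only written by the static initializer, and the
 * claims cache is a Guava {@link Cache}.
 */
public class JwtHelper {
    public static final String KEY = "key";
    public static final String FILENAME = "filename";
    public static final String PASSWORD = "password";
    public static final String KEY_NAME = "keyName";
    public static final String KID = "kid";
    public static final String JWT_CERTIFICATE = "certificate";
    public static final String ENABLE_VERIFY_JWT = "enableVerifyJwt";
    public static final String SECURITY_CONFIG = "security";
    public static final String JWT_CONFIG = "jwt";
    public static final String JwT_CLOCK_SKEW_IN_SECONDS = "clockSkewInSeconds";

    // Compiled once; the Authorization scheme name is matched case-insensitively.
    private static final Pattern BEARER_SCHEME = Pattern.compile("^Bearer$", Pattern.CASE_INSENSITIVE);

    // The initializers below run in textual order and depend on each other; keep the order.
    static final XLogger logger = XLoggerFactory.getXLogger(JwtHelper.class);
    static Map<String, Object> securityConfig = Config.getInstance().getJsonMapConfig(SECURITY_CONFIG);
    @SuppressWarnings("unchecked") // the "jwt" section of security config is a JSON object
    static Map<String, Object> securityJwtConfig = (Map<String, Object>) securityConfig.get(JWT_CONFIG);
    static JwtConfig jwtConfig = (JwtConfig) Config.getInstance().getJsonObjectConfig(JWT_CONFIG, JwtConfig.class);
    static int secondsOfAllowedClockSkew = (Integer) securityJwtConfig.get(JwT_CLOCK_SKEW_IN_SECONDS);
    // Verified claims are cached by the raw token string, for the token lifetime plus 5 minutes.
    static Cache<String, JwtClaims> cache = CacheBuilder.newBuilder().expireAfterWrite(jwtConfig.expiredInMinutes + 5, TimeUnit.MINUTES).build();
    // kid -> verification certificate; a value is null when that certificate failed to load.
    static Map<String, X509Certificate> certMap = new HashMap<>();

    /**
     * Serializes the claims as a compact JWS signed with RSA/SHA-256, using the private key
     * and key id from the {@code jwt} config.
     *
     * @param jwtClaims claims to sign
     * @return the compact serialization of the signed token
     * @throws JoseException if signing fails
     */
    public static String getJwt(JwtClaims jwtClaims) throws JoseException {
        // getPrivateKey returns null when the keystore or alias cannot be read; the null is
        // passed on to jose4j unchanged (presumably rejected at signing time - confirm).
        RSAPrivateKey signingKey = (RSAPrivateKey) getPrivateKey(
                jwtConfig.getKey().getFilename(),
                jwtConfig.getKey().getPassword(),
                jwtConfig.getKey().getKeyName());
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(jwtClaims.toJson());
        jws.setKey(signingKey);
        jws.setKeyIdHeaderValue(jwtConfig.getKey().getKid());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    /**
     * Builds a claims set pre-filled from the {@code jwt} config: issuer, audience, expiry,
     * a generated token id, issued-at of now, not-before two minutes in the past, and the
     * configured version.
     *
     * @return a new claims object the caller can extend before signing
     */
    public static JwtClaims getDefaultJwtClaims() {
        JwtConfig config = (JwtConfig) Config.getInstance().getJsonObjectConfig(JWT_CONFIG, JwtConfig.class);
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(config.getIssuer());
        claims.setAudience(config.getAudience());
        claims.setExpirationTimeMinutesInTheFuture(config.getExpiredInMinutes());
        claims.setGeneratedJwtId();
        claims.setIssuedAtToNow();
        claims.setNotBeforeMinutesInThePast(2.0f);
        // NOTE(review): the claim name comes from an Apache HttpClient cookie constant,
        // presumably a literal that the decompiler folded into this reference - confirm.
        claims.setClaim(ClientCookie.VERSION_ATTR, config.getVersion());
        return claims;
    }

    /**
     * Loads a private key from a keystore on the classpath.
     *
     * <p>The same password is used to open the keystore and to unlock the key entry. Any
     * failure is logged and reported as {@code null} rather than thrown.
     *
     * @param filename classpath resource name of the keystore
     * @param password keystore and key password
     * @param keyName  alias of the key entry
     * @return the private key, or {@code null} if it could not be loaded
     */
    private static PrivateKey getPrivateKey(String filename, String password, String keyName) {
        PrivateKey privateKey = null;
        // try-with-resources closes the keystore stream; a null stream (resource missing) is allowed.
        try (InputStream keyStoreStream = JwtHelper.class.getResourceAsStream(filename)) {
            // NOTE(review): the keystore type is taken from a logback SSL constant, presumably
            // a literal that the decompiler folded into this reference - confirm.
            KeyStore keyStore = KeyStore.getInstance(SSL.DEFAULT_KEYSTORE_TYPE);
            keyStore.load(keyStoreStream, password.toCharArray());
            privateKey = (PrivateKey) keyStore.getKey(keyName, password.toCharArray());
        } catch (Exception e) {
            logger.error("Exception:", e);
        }
        if (privateKey == null) {
            logger.error("Failed to retrieve private key from keystore");
        }
        return privateKey;
    }

    /**
     * Reads an X.509 certificate from a file resolved through {@link Config}.
     *
     * @param str file name of the certificate
     * @return the certificate, or {@code null} if the file is missing or cannot be parsed
     *         (the failure is logged)
     * @throws Exception kept for source compatibility; parsing and I/O failures are caught here
     */
    public static X509Certificate readCertificate(String str) throws Exception {
        X509Certificate certificate = null;
        // The stream is closed on every path, including a parse failure.
        try (InputStream certStream = Config.getInstance().getInputStreamFromFile(str)) {
            if (certStream != null) {
                certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certStream);
            } else {
                logger.info("Certificate " + Encode.forJava(str) + " not found.");
            }
        } catch (Exception e) {
            logger.error("Exception: ", e);
        }
        return certificate;
    }

    /**
     * Extracts the token from an {@code Authorization} header value of the form
     * {@code Bearer <token>}. The scheme name is matched case-insensitively.
     *
     * @param str the raw header value, may be {@code null}
     * @return the token, or {@code null} if the value is not exactly two space-separated
     *         parts with a Bearer scheme
     */
    public static String getJwtFromAuthorization(String str) {
        if (str == null) {
            return null;
        }
        String[] parts = str.split(" ");
        if (parts.length == 2 && BEARER_SCHEME.matcher(parts[0]).matches()) {
            return parts[1];
        }
        return null;
    }

    /**
     * Verifies a compact JWT and returns its claims.
     *
     * <p>A token that was verified before is served from the cache after its expiry is
     * re-checked. Otherwise the token is first parsed WITHOUT signature verification, only to
     * read the {@code kid} header and the expiry; nothing from that first parse is returned.
     * The token is then processed again with the certificate configured for that
     * {@code kid}, and only those verified claims are cached and returned.
     *
     * <p>NOTE(review): audience validation is skipped and no expected issuer or algorithm
     * constraint is set on the verifying consumer here; confirm that callers enforce
     * {@code iss}/{@code aud} where it matters.
     *
     * @param str the compact JWT
     * @return the verified claims
     * @throws InvalidJwtException   if the token is malformed, has no {@code exp}, names a
     *                               {@code kid} with no loaded certificate, or fails verification
     * @throws ExpiredTokenException if the token is past its expiry, allowing for clock skew
     */
    public static JwtClaims verifyJwt(String str) throws InvalidJwtException, ExpiredTokenException {
        JwtClaims cachedClaims = cache.getIfPresent(str);
        if (cachedClaims != null) {
            requireNotExpired(cachedClaims);
            return cachedClaims;
        }

        // Unverified parse: the header and claims are attacker-controlled at this point.
        JwtContext unverified = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build()
                .process(str);
        String kid = unverified.getJoseObjects().get(0).getKeyIdHeaderValue();
        requireNotExpired(unverified.getJwtClaims());

        // An unknown kid, or one whose certificate failed to load, must be a clean rejection;
        // handing a null certificate to the resolver would fail with a NullPointerException.
        X509Certificate certificate = certMap.get(kid);
        if (certificate == null) {
            logger.info("jwt kid does not map to a loaded certificate");
            throw new InvalidJwtException("No verification certificate is configured for the token's kid");
        }

        X509VerificationKeyResolver keyResolver = new X509VerificationKeyResolver(certificate);
        keyResolver.setTryAllOnNoThumbHeader(true);
        JwtClaims verifiedClaims = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(secondsOfAllowedClockSkew)
                .setSkipDefaultAudienceValidation()
                .setVerificationKeyResolver(keyResolver)
                .build()
                .process(str)
                .getJwtClaims();
        cache.put(str, verifiedClaims);
        return verifiedClaims;
    }

    /** Rejects claims whose {@code exp} is missing, malformed, or in the past beyond the allowed skew. */
    private static void requireNotExpired(JwtClaims claims) throws InvalidJwtException, ExpiredTokenException {
        NumericDate expiration;
        try {
            expiration = claims.getExpirationTime();
        } catch (MalformedClaimException e) {
            logger.error("MalformedClaimException:", e);
            throw new InvalidJwtException("MalformedClaimException", e);
        }
        if (expiration == null) {
            // A token without exp would otherwise dereference null on the unverified path.
            throw new InvalidJwtException("JWT has no expiration time (exp) claim");
        }
        if (NumericDate.now().getValue() - secondsOfAllowedClockSkew >= expiration.getValue()) {
            logger.info("jwt token is expired!");
            throw new ExpiredTokenException("Token is expired");
        }
    }

    // Load every configured verification certificate once. A certificate that fails to load
    // is stored as null so that verifyJwt rejects tokens naming that kid.
    static {
        @SuppressWarnings("unchecked") // the "certificate" section maps kid -> certificate file name
        Map<String, Object> certificateFiles = (Map<String, Object>) securityJwtConfig.get(JWT_CERTIFICATE);
        for (Map.Entry<String, Object> entry : certificateFiles.entrySet()) {
            X509Certificate certificate = null;
            try {
                certificate = readCertificate((String) entry.getValue());
            } catch (Exception e) {
                logger.error("Exception:", e);
            }
            certMap.put(entry.getKey(), certificate);
        }
    }
}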
