package org.apache.cxf.rs.security.jose.jwt;

import java.time.Instant;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;

/* loaded from: input_file:lib/cxf-rt-rs-security-jose-3.3.8.jar:org/apache/cxf/rs/security/jose/jwt/JwtUtils.class */
public final class JwtUtils {
    private JwtUtils() {
    }

    public static String claimsToJson(JwtClaims jwtClaims) {
        return claimsToJson(jwtClaims, null);
    }

    public static String claimsToJson(JwtClaims jwtClaims, JsonMapObjectReaderWriter jsonMapObjectReaderWriter) {
        if (jsonMapObjectReaderWriter == null) {
            jsonMapObjectReaderWriter = new JsonMapObjectReaderWriter();
        }
        return jsonMapObjectReaderWriter.toJson(jwtClaims);
    }

    public static JwtClaims jsonToClaims(String str) {
        return new JwtClaims(new JsonMapObjectReaderWriter().fromJson(str));
    }

    public static void validateJwtExpiry(JwtClaims jwtClaims, int i, boolean z) {
        Long expiryTime = jwtClaims.getExpiryTime();
        if (expiryTime == null) {
            if (z) {
                throw new JwtException("The token has expired");
            }
            return;
        }
        Instant now = Instant.now();
        Instant ofEpochMilli = Instant.ofEpochMilli(expiryTime.longValue() * 1000);
        if (i != 0) {
            ofEpochMilli = ofEpochMilli.plusSeconds(i);
        }
        if (ofEpochMilli.isBefore(now)) {
            throw new JwtException("The token has expired");
        }
    }

    public static void validateJwtNotBefore(JwtClaims jwtClaims, int i, boolean z) {
        Long notBefore = jwtClaims.getNotBefore();
        if (notBefore == null) {
            if (z) {
                throw new JwtException("The token cannot be accepted yet");
            }
            return;
        }
        Instant now = Instant.now();
        if (i != 0) {
            now = now.plusSeconds(i);
        }
        if (Instant.ofEpochMilli(notBefore.longValue() * 1000).isAfter(now)) {
            throw new JwtException("The token cannot be accepted yet");
        }
    }

    public static void validateJwtIssuedAt(JwtClaims jwtClaims, int i, int i2, boolean z) {
        Long issuedAt = jwtClaims.getIssuedAt();
        if (issuedAt == null) {
            if (z) {
                throw new JwtException("Invalid issuedAt");
            }
            return;
        }
        Instant ofEpochMilli = Instant.ofEpochMilli(issuedAt.longValue() * 1000);
        Instant now = Instant.now();
        if (i2 != 0) {
            now = now.plusSeconds(i2);
        }
        if (ofEpochMilli.isAfter(now)) {
            throw new JwtException("Invalid issuedAt");
        }
        if (i > 0 && ofEpochMilli.isBefore(now.minusSeconds(i))) {
            throw new JwtException("Invalid issuedAt");
        }
    }

    public static void validateJwtAudienceRestriction(JwtClaims jwtClaims, Message message) {
        String str = (String) message.getContextualProperty(JwtConstants.EXPECTED_CLAIM_AUDIENCE);
        if (str != null) {
            if (!jwtClaims.getAudiences().contains(str)) {
                throw new JwtException("Invalid audience restriction");
            }
        } else {
            if (jwtClaims.getAudiences().isEmpty()) {
                return;
            }
            String str2 = (String) message.getContextualProperty(Message.REQUEST_URL);
            if (str2 == null || !jwtClaims.getAudiences().contains(str2)) {
                throw new JwtException("Invalid audience restriction");
            }
        }
    }

    public static void validateTokenClaims(JwtClaims jwtClaims, int i, int i2, boolean z) {
        validateJwtExpiry(jwtClaims, i2, jwtClaims.getIssuedAt() == null);
        validateJwtNotBefore(jwtClaims, i2, false);
        validateJwtIssuedAt(jwtClaims, i, i2, jwtClaims.getExpiryTime() == null);
        if (z) {
            validateJwtAudienceRestriction(jwtClaims, PhaseInterceptorChain.getCurrentMessage());
        }
    }
}
