package io.jans.as.server.model.token;

import io.jans.as.common.model.registration.Client;
import io.jans.as.common.util.CommonUtils;
import io.jans.as.model.common.AuthenticationMethod;
import io.jans.as.model.configuration.AppConfiguration;
import io.jans.as.model.crypto.AbstractCryptoProvider;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtType;
import io.jans.as.model.token.ClientAssertionType;
import io.jans.as.server.service.ClientService;
import io.jans.service.cdi.util.CdiUtil;
import io.jans.util.security.StringEncrypter;
import java.util.Date;
import java.util.List;
import java.util.Set;
import org.apache.commons.lang.StringUtils;

/* loaded from: input_file:io/jans/as/server/model/token/ClientAssertion.class */
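/**
 * Parses and verifies a {@code client_assertion} presented for client authentication
 * (RFC 7523 JWT bearer assertion; OIDC {@code client_secret_jwt} / {@code private_key_jwt}).
 *
 * <p>Validation order: assertion type, presence, JWT parse, {@code iss}/{@code sub}
 * consistency with the supplied {@code client_id}, {@code aud} against this server's
 * configured issuer/endpoints, {@code exp}, client lookup, signing-algorithm family
 * against the client's registered authentication methods (so an HMAC-signed assertion
 * cannot authenticate a {@code private_key_jwt} client and vice versa), the client's
 * pinned {@code token_endpoint_auth_signing_alg}, and finally the signature.
 *
 * <p>NOTE(review): no {@code jti} replay check and no clock-skew tolerance or maximum
 * lifetime bound on {@code exp} are applied in this class — confirm whether a caller
 * enforces them.
 */
public class ClientAssertion {
    private Jwt jwt;
    private String clientSecret;

    /**
     * Loads and verifies the assertion; the instance is only constructed if every check passes.
     *
     * @param appConfiguration    server configuration; its issuer and endpoint URLs are the accepted audiences
     * @param abstractCryptoProvider provider used to verify the JWS signature
     * @param str                 the {@code client_id} request parameter, or {@code null} if it was not sent
     * @param clientAssertionType must be {@link ClientAssertionType#JWT_BEARER}
     * @param str2                the compact-serialized assertion JWT
     * @throws InvalidJwtException if any validation step fails; the underlying cause is preserved
     */
    public ClientAssertion(AppConfiguration appConfiguration, AbstractCryptoProvider abstractCryptoProvider, String str, ClientAssertionType clientAssertionType, String str2) throws InvalidJwtException {
        try {
            if (!load(appConfiguration, abstractCryptoProvider, str, clientAssertionType, str2)) {
                throw new InvalidJwtException("Cannot load the JWT");
            }
        } catch (StringEncrypter.EncryptionException e) {
            // The more specific handler must precede the catch-all below, otherwise it is
            // unreachable (the decompiled listing had them reversed).
            throw new InvalidJwtException(e.getMessage(), e);
        } catch (Exception e) {
            throw new InvalidJwtException("Cannot verify the JWT", e);
        }
    }

    /**
     * Returns the {@code sub} claim of the verified assertion, i.e. the authenticated client id.
     */
    public String getSubjectIdentifier() {
        return this.jwt.getClaims().getClaimAsString("sub");
    }

    /**
     * Returns the client's decrypted secret as produced by {@code ClientService.decryptSecret}
     * during verification. Sensitive: must not be logged or echoed to the caller.
     */
    public String getClientSecret() {
        return this.clientSecret;
    }

    /**
     * Runs every validation step; returns {@code true} only when the signature verifies.
     *
     * @throws InvalidJwtException with a step-specific message when a check fails
     * @throws Exception           propagated from parsing, secret decryption or signature verification
     */
    private boolean load(AppConfiguration appConfiguration, AbstractCryptoProvider abstractCryptoProvider, String str, ClientAssertionType clientAssertionType, String str2) throws Exception {
        if (clientAssertionType != ClientAssertionType.JWT_BEARER) {
            throw new InvalidJwtException("Invalid Client Assertion Type");
        }
        if (StringUtils.isBlank(str2)) {
            throw new InvalidJwtException("The Client Assertion is null or empty");
        }
        this.jwt = Jwt.parse(str2);
        if (this.jwt == null || this.jwt.getClaims() == null || this.jwt.getHeader() == null) {
            throw new InvalidJwtException("Cannot parse the JWT");
        }

        String issuer = this.jwt.getClaims().getClaimAsString("iss");
        String subject = this.jwt.getClaims().getClaimAsString("sub");
        List<String> audience = this.jwt.getClaims().getClaimAsStringList("aud");
        Date expiration = this.jwt.getClaims().getClaimAsDate("exp");

        if (!isClientIdConsistent(str, issuer, subject)) {
            throw new InvalidJwtException("Invalid clientId");
        }
        if (!hasAcceptedAudience(appConfiguration, audience)) {
            throw new InvalidJwtException("Invalid audience: " + audience);
        }
        // A missing exp is rejected explicitly instead of surfacing as an NPE wrapped in a generic message.
        if (expiration == null) {
            throw new InvalidJwtException("JWT has no exp claim");
        }
        if (!expiration.after(new Date())) {
            throw new InvalidJwtException("JWT has expired");
        }

        ClientService clientService = (ClientService) CdiUtil.bean(ClientService.class);
        Client client = clientService.getClient(subject);
        if (client == null) {
            throw new InvalidJwtException("Invalid client");
        }

        SignatureAlgorithm signatureAlgorithm = this.jwt.getHeader().getSignatureAlgorithm();
        JwtType jwtType = JwtType.fromString(this.jwt.getHeader().getClaimAsString("typ"));
        if (jwtType == null && signatureAlgorithm != null) {
            // No usable typ header: fall back to the type implied by the algorithm.
            jwtType = signatureAlgorithm.getJwtType();
        }
        if (jwtType == null || !isAlgorithmAllowedForClient(client.getAllAuthenticationMethods(), signatureAlgorithm)) {
            throw new InvalidJwtException("Invalid authentication method");
        }

        // If the client registered a signing algorithm, the assertion must use exactly that one.
        // An unparseable registered value is treated as a mismatch rather than an NPE.
        String registeredAlg = client.getTokenEndpointAuthSigningAlg();
        if (registeredAlg != null) {
            SignatureAlgorithm expected = SignatureAlgorithm.fromString(registeredAlg);
            if (expected == null || !expected.equals(signatureAlgorithm)) {
                throw new InvalidJwtException("Invalid signing algorithm");
            }
        }

        // Decrypt once; the same value is exposed through getClientSecret() and used for HMAC verification.
        this.clientSecret = clientService.decryptSecret(client.getClientSecret());
        boolean verified = abstractCryptoProvider.verifySignature(this.jwt.getSigningInput(), this.jwt.getEncodedSignature(), this.jwt.getHeader().getKeyId(), CommonUtils.getJwks(client), this.clientSecret, signatureAlgorithm);
        if (!verified) {
            throw new InvalidJwtException("Invalid cryptographic segment");
        }
        return true;
    }

    /**
     * {@code iss} and {@code sub} must both be present and equal (both identify the client);
     * when a {@code client_id} parameter was also sent it must be non-blank and equal to them.
     */
    private static boolean isClientIdConsistent(String clientId, String issuer, String subject) {
        if (StringUtils.isBlank(issuer) || StringUtils.isBlank(subject) || !issuer.equals(subject)) {
            return false;
        }
        if (clientId == null) {
            return true;
        }
        return StringUtils.isNotBlank(clientId) && clientId.equals(issuer);
    }

    /**
     * The assertion must be addressed to this server: {@code aud} has to contain the configured
     * issuer or one of the token / PAR / backchannel-authentication endpoints.
     */
    private static boolean hasAcceptedAudience(AppConfiguration appConfiguration, List<String> audience) {
        if (audience == null) {
            return false;
        }
        return containsConfigured(audience, appConfiguration.getIssuer())
                || containsConfigured(audience, appConfiguration.getTokenEndpoint())
                || containsConfigured(audience, appConfiguration.getParEndpoint())
                || containsConfigured(audience, appConfiguration.getBackchannelAuthenticationEndpoint());
    }

    /**
     * Only a non-blank configured value can match, so an unconfigured endpoint (null or "")
     * never lets an {@code aud} of "" or null through.
     */
    private static boolean containsConfigured(List<String> audience, String endpoint) {
        return StringUtils.isNotBlank(endpoint) && audience.contains(endpoint);
    }

    /**
     * Binds the signing-algorithm family to the client's registered authentication method:
     * HMAC only for {@code client_secret_jwt}, RSA/EC only for {@code private_key_jwt}.
     * Anything else (including {@code none} or an unknown family) is rejected.
     */
    private static boolean isAlgorithmAllowedForClient(Set<AuthenticationMethod> methods, SignatureAlgorithm alg) {
        if (methods == null || alg == null || alg.getFamily() == null) {
            return false;
        }
        AlgorithmFamily family = alg.getFamily();
        if (methods.contains(AuthenticationMethod.CLIENT_SECRET_JWT) && AlgorithmFamily.HMAC.equals(family)) {
            return true;
        }
        return methods.contains(AuthenticationMethod.PRIVATE_KEY_JWT)
                && (AlgorithmFamily.RSA.equals(family) || AlgorithmFamily.EC.equals(family));
    }
}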
