package com.auth0.jwt;

import com.auth0.jwt.internal.com.fasterxml.jackson.databind.JsonNode;
import com.auth0.jwt.internal.com.fasterxml.jackson.databind.ObjectMapper;
import com.auth0.jwt.internal.org.apache.commons.codec.binary.Base64;
import com.auth0.jwt.internal.org.apache.commons.lang3.Validate;
import com.auth0.jwt.internal.org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Iterator;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.postgresql.jdbc.EscapedFunctions;

/* loaded from: input_file:com/auth0/jwt/JWTVerifier.class */
public class JWTVerifier {
    private byte[] secret;
    private PublicKey publicKey;
    private final String audience;
    private final String issuer;
    private final Base64 decoder;
    private final ObjectMapper mapper;

    public JWTVerifier(String str, String str2, String str3) {
        this(str.getBytes(Charset.forName("UTF-8")), str2, str3);
    }

    public JWTVerifier(String str, String str2) {
        this(str, str2, (String) null);
    }

    public JWTVerifier(String str) {
        this(str, (String) null, (String) null);
    }

    public JWTVerifier(byte[] bArr, String str) {
        this(bArr, str, (String) null);
    }

    public JWTVerifier(byte[] bArr) {
        this(bArr, (String) null, (String) null);
    }

    public JWTVerifier(byte[] bArr, String str, String str2) {
        this.decoder = new Base64(true);
        if (bArr == null || bArr.length == 0) {
            throw new IllegalArgumentException("Secret cannot be null or empty");
        }
        this.mapper = new ObjectMapper();
        this.secret = bArr;
        this.audience = str;
        this.issuer = str2;
    }

    public JWTVerifier(PublicKey publicKey, String str, String str2) {
        this.decoder = new Base64(true);
        Validate.notNull(publicKey);
        this.mapper = new ObjectMapper();
        this.publicKey = publicKey;
        this.audience = str;
        this.issuer = str2;
    }

    public JWTVerifier(PublicKey publicKey, String str) {
        this(publicKey, str, (String) null);
    }

    public JWTVerifier(PublicKey publicKey) {
        this(publicKey, (String) null, (String) null);
    }

    public Map<String, Object> verify(String str) throws NoSuchAlgorithmException, InvalidKeyException, IllegalStateException, IOException, SignatureException, JWTVerifyException {
        if (str == null || "".equals(str)) {
            throw new IllegalStateException("token not set");
        }
        String[] split = str.split("\\.");
        if (split.length != 3) {
            throw new IllegalStateException("Wrong number of segments: " + split.length);
        }
        Algorithm algorithm = getAlgorithm(decodeAndParse(split[0]));
        JsonNode decodeAndParse = decodeAndParse(split[1]);
        verifySignature(split, algorithm);
        verifyExpiration(decodeAndParse);
        verifyIssuer(decodeAndParse);
        verifyAudience(decodeAndParse);
        return (Map) this.mapper.treeToValue(decodeAndParse, Map.class);
    }

    void verifySignature(String[] strArr, Algorithm algorithm) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, JWTAlgorithmException, IllegalStateException {
        Validate.notNull(strArr);
        Validate.notNull(algorithm);
        if (strArr.length != 3) {
            throw new IllegalStateException("Wrong number of segments: " + strArr.length);
        }
        switch (algorithm) {
            case HS256:
            case HS384:
            case HS512:
                verifyHmac(algorithm, strArr, this.secret);
                return;
            case RS256:
            case RS384:
            case RS512:
                verifyRs(algorithm, strArr, this.publicKey);
                return;
            default:
                throw new JWTAlgorithmException("Unsupported signing method");
        }
    }

    private void verifyHmac(Algorithm algorithm, String[] strArr, byte[] bArr) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException {
        if (bArr == null || bArr.length == 0) {
            throw new IllegalStateException("Secret cannot be null or empty when using algorithm: " + algorithm.getValue());
        }
        Mac mac = Mac.getInstance(algorithm.getValue());
        mac.init(new SecretKeySpec(bArr, algorithm.getValue()));
        if (!MessageDigest.isEqual(mac.doFinal((strArr[0] + "." + strArr[1]).getBytes()), this.decoder.decode(strArr[2]))) {
            throw new SignatureException("signature verification failed");
        }
    }

    private void verifyRs(Algorithm algorithm, String[] strArr, PublicKey publicKey) throws SignatureException, NoSuchAlgorithmException, InvalidKeyException, JWTAlgorithmException {
        if (publicKey == null) {
            throw new IllegalStateException("PublicKey cannot be null when using algorithm: " + algorithm.getValue());
        }
        if (!verifySignatureWithPublicKey(this.publicKey, (strArr[0] + "." + strArr[1]).getBytes(), new Base64(true).decode(strArr[2]), algorithm)) {
            throw new SignatureException("signature verification failed");
        }
    }

    private boolean verifySignatureWithPublicKey(PublicKey publicKey, byte[] bArr, byte[] bArr2, Algorithm algorithm) throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, JWTAlgorithmException {
        Validate.notNull(publicKey);
        Validate.notNull(bArr);
        Validate.notNull(bArr2);
        Validate.notNull(algorithm);
        try {
            Signature signature = Signature.getInstance(algorithm.getValue(), BouncyCastleProvider.PROVIDER_NAME);
            signature.initVerify(publicKey);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (NoSuchProviderException e) {
            throw new JWTAlgorithmException(e.getMessage(), e.getCause());
        }
    }

    void verifyExpiration(JsonNode jsonNode) throws JWTExpiredException {
        Validate.notNull(jsonNode);
        long asLong = jsonNode.has(EscapedFunctions.EXP) ? jsonNode.get(EscapedFunctions.EXP).asLong(0L) : 0L;
        if (asLong != 0 && System.currentTimeMillis() / 1000 >= asLong) {
            throw new JWTExpiredException("jwt expired", asLong);
        }
    }

    void verifyIssuer(JsonNode jsonNode) throws JWTIssuerException {
        Validate.notNull(jsonNode);
        if (this.issuer == null) {
            return;
        }
        String asText = jsonNode.has("iss") ? jsonNode.get("iss").asText() : null;
        if (asText == null || !this.issuer.equals(asText)) {
            throw new JWTIssuerException("jwt issuer invalid", asText);
        }
    }

    void verifyAudience(JsonNode jsonNode) throws JWTAudienceException {
        Validate.notNull(jsonNode);
        if (this.audience == null) {
            return;
        }
        JsonNode jsonNode2 = jsonNode.get("aud");
        if (jsonNode2 == null) {
            throw new JWTAudienceException("jwt audience invalid", null);
        }
        if (jsonNode2.isArray()) {
            Iterator<JsonNode> it = jsonNode2.iterator();
            while (it.hasNext()) {
                if (this.audience.equals(it.next().textValue())) {
                    return;
                }
            }
        } else if (jsonNode2.isTextual() && this.audience.equals(jsonNode2.textValue())) {
            return;
        }
        throw new JWTAudienceException("jwt audience invalid", jsonNode2);
    }

    Algorithm getAlgorithm(JsonNode jsonNode) throws JWTAlgorithmException {
        Validate.notNull(jsonNode);
        String asText = jsonNode.has("alg") ? jsonNode.get("alg").asText() : null;
        if (jsonNode.get("alg") == null) {
            throw new IllegalStateException("algorithm not set");
        }
        return Algorithm.findByName(asText);
    }

    JsonNode decodeAndParse(String str) throws IOException {
        Validate.notNull(str);
        return (JsonNode) this.mapper.readValue(new String(this.decoder.decode(str), "UTF-8"), JsonNode.class);
    }

    static {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }
}
