package net.oauth.jsontoken;

import com.google.common.base.Preconditions;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.security.SignatureException;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import net.oauth.jsontoken.crypto.AsciiStringVerifier;
import net.oauth.jsontoken.crypto.SignatureAlgorithm;
import net.oauth.jsontoken.crypto.Verifier;
import net.oauth.jsontoken.discovery.VerifierProviders;
import org.apache.commons.codec.binary.Base64;
import org.joda.time.Instant;

/* loaded from: input_file:net/oauth/jsontoken/JsonTokenParser.class */
public class JsonTokenParser {
    private final Clock clock;
    private final VerifierProviders locators;
    private final Checker[] checkers;

    public JsonTokenParser(VerifierProviders verifierProviders, Checker checker) {
        this(new SystemClock(), verifierProviders, checker);
    }

    public JsonTokenParser(Clock clock, VerifierProviders verifierProviders, Checker... checkerArr) {
        this.clock = (Clock) Preconditions.checkNotNull(clock);
        this.locators = (VerifierProviders) Preconditions.checkNotNull(verifierProviders);
        this.checkers = (Checker[]) Preconditions.checkNotNull(checkerArr);
    }

    public JsonToken verifyAndDeserialize(String str) throws SignatureException {
        String[] split = str.split(Pattern.quote(JsonTokenUtil.DELIMITER));
        if (split.length != 3) {
            throw new IllegalArgumentException("Expected JWT to have 3 segments separated by '.', but it has " + split.length + " segments");
        }
        String str2 = split[0];
        String str3 = split[1];
        byte[] decodeBase64 = Base64.decodeBase64(split[2]);
        JsonParser jsonParser = new JsonParser();
        JsonObject asJsonObject = jsonParser.parse(JsonTokenUtil.fromBase64ToJsonString(str2)).getAsJsonObject();
        JsonObject asJsonObject2 = jsonParser.parse(JsonTokenUtil.fromBase64ToJsonString(str3)).getAsJsonObject();
        JsonElement jsonElement = asJsonObject.get(JsonToken.ALGORITHM_HEADER);
        if (jsonElement == null) {
            throw new SignatureException("JWT header is missing the required 'alg' parameter");
        }
        SignatureAlgorithm fromJsonName = SignatureAlgorithm.getFromJsonName(jsonElement.getAsString());
        JsonElement jsonElement2 = asJsonObject.get(JsonToken.KEY_ID_HEADER);
        String asString = jsonElement2 == null ? null : jsonElement2.getAsString();
        String dotFormat = JsonTokenUtil.toDotFormat(str2, str3);
        JsonToken jsonToken = new JsonToken(asJsonObject2, this.clock);
        List<Verifier> findVerifier = this.locators.getVerifierProvider(fromJsonName).findVerifier(jsonToken.getIssuer(), asString);
        if (findVerifier == null) {
            throw new SignatureException("No valid verifier for issuer: " + jsonToken.getIssuer());
        }
        boolean z = false;
        Iterator<Verifier> it = findVerifier.iterator();
        while (it.hasNext()) {
            try {
                new AsciiStringVerifier(it.next()).verifySignature(dotFormat, decodeBase64);
                z = true;
                break;
            } catch (SignatureException e) {
            }
        }
        if (!z) {
            throw new SignatureException("Signature verification failed for issuer: " + jsonToken.getIssuer());
        }
        Instant now = this.clock.now();
        Instant expiration = jsonToken.getExpiration();
        if (expiration != null && now.isAfter(expiration)) {
            throw new SignatureException("token expired at " + expiration + ", now is " + now);
        }
        Instant issuedAt = jsonToken.getIssuedAt();
        if (issuedAt != null && now.isBefore(issuedAt)) {
            throw new SignatureException("token claims it was issued in the future at " + issuedAt + ", now is " + now);
        }
        for (Checker checker : this.checkers) {
            checker.check(asJsonObject2);
        }
        return jsonToken;
    }
}
