package io.polyglotted.esjwt.impl;

import java.io.IOException;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;

/* loaded from: input_file:io/polyglotted/esjwt/impl/JwtVerifier.class */
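/**
 * Verifies RS256 (RSASSA-PKCS1-v1_5 with SHA-256) signatures on JSON Web Tokens against
 * keys published in a JWKS document.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The JWKS URL must come from trusted configuration, never from the token itself;
 *       whoever controls that document controls which signatures are accepted.</li>
 *   <li>Verification fails closed: a missing key, an unsupported key type or a bad
 *       signature all raise {@link VerificationException}.</li>
 *   <li>Only the signature is checked here. Expiry, issuer and audience checks are not
 *       part of this class.</li>
 * </ul>
 */
public abstract class JwtVerifier {
    static final String RSA = "RSA";
    static final String RSA_ALGO = "SHA256withRSA";

    /** Raised whenever a token cannot be positively verified. */
    public static class VerificationException extends Exception {
        VerificationException(String str) {
            super(str);
        }

        VerificationException(String str, Throwable th) {
            super(str, th);
        }
    }

    /**
     * Verifies the signature of {@code jsonWebToken} with the matching key from the JWKS
     * document at {@code jwksUrl}.
     *
     * @param jwksUrl      location of the JWKS document (trusted configuration)
     * @param jsonWebToken token whose signature is checked
     * @throws VerificationException if the JWKS cannot be fetched, no key matches the token's
     *                               key code, the key is not an RSA key, or the signature
     *                               does not match
     */
    public static void verifyRs256(String jwksUrl, JsonWebToken jsonWebToken) throws VerificationException {
        Map<String, Object> jwk = fetchJwks(jwksUrl).get(jsonWebToken.keyCode());
        if (jwk == null) {
            throw new VerificationException("could not find public key for " + jsonWebToken.keyCode());
        }
        PublicKey publicKey = getPublicKey(
            (String) CommonUtil.deepGet(jwk, "kty"),
            (String) CommonUtil.deepGet(jwk, "n"),
            (String) CommonUtil.deepGet(jwk, "e"));
        // Fail closed: getPublicKey returns null for any non-RSA key type. Treating that as
        // "nothing to verify" would accept the token without checking its signature at all.
        if (publicKey == null) {
            throw new VerificationException("unsupported key type for " + jsonWebToken.keyCode());
        }
        if (!verifySignatureFor(publicKey, jsonWebToken.contentBytes(), jsonWebToken.signatureBytes())) {
            throw new VerificationException("invalid signature");
        }
    }

    /**
     * Checks {@code signatureBytes} over {@code content} with SHA256withRSA.
     *
     * @return {@code true} only when the signature matches
     * @throws VerificationException if the key is unusable, the algorithm is unavailable or
     *                               the signature is malformed
     */
    private static boolean verifySignatureFor(PublicKey publicKey, byte[] content, byte[] signatureBytes)
            throws VerificationException {
        try {
            Signature verifier = Signature.getInstance(RSA_ALGO);
            verifier.initVerify(publicKey);
            verifier.update(content);
            return verifier.verify(signatureBytes);
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new VerificationException("failed signature verify", e);
        }
    }

    /**
     * Builds an RSA public key from the {@code kty}, {@code n} and {@code e} members of a JWK.
     *
     * @param kty      key type from the JWK; anything other than RSA (case-insensitive) is unsupported
     * @param modulus  base64-encoded modulus ({@code n})
     * @param exponent base64-encoded public exponent ({@code e})
     * @return the public key, or {@code null} when {@code kty} is not RSA; callers must treat
     *         {@code null} as a verification failure
     * @throws VerificationException if the modulus or exponent is missing or the key cannot be built
     */
    static PublicKey getPublicKey(String kty, String modulus, String exponent) throws VerificationException {
        if (!RSA.equalsIgnoreCase(kty)) {
            return null;
        }
        // A JWK without n or e would otherwise surface as a NullPointerException from BigInteger.
        if (modulus == null || exponent == null) {
            throw new VerificationException("Unable to generate public key: jwk is missing modulus or exponent");
        }
        try {
            // Signum 1: the decoded bytes are unsigned big-endian magnitudes.
            BigInteger n = new BigInteger(1, Base64.decodeBase64(modulus));
            BigInteger e = new BigInteger(1, Base64.decodeBase64(exponent));
            return KeyFactory.getInstance(RSA).generatePublic(new RSAPublicKeySpec(n, e));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new VerificationException("Unable to generate public key", e);
        }
    }

    /**
     * Downloads the JWKS document and indexes its keys by {@code alg + ":" + kid}.
     *
     * <p>The document is fetched on every call; nothing is cached here.
     *
     * @param jwksUrl location of the JWKS document
     * @return keys in document order, indexed by key code
     * @throws VerificationException if the document cannot be fetched or has no {@code keys} array
     */
    private static Map<String, Map<String, Object>> fetchJwks(String jwksUrl) throws VerificationException {
        Map<String, Map<String, Object>> keysByCode = new LinkedHashMap<>();
        // try-with-resources closes the client on every path, including when the fetch or parse fails.
        try (CloseableHttpClient httpClient = CommonUtil.httpClient()) {
            Object keys = CommonUtil.parseJson(CommonUtil.readFrom(httpClient, new HttpGet(jwksUrl))).get("keys");
            if (!(keys instanceof List)) {
                throw new VerificationException("unable to fetch key from jwks: no keys array in response");
            }
            for (Object entry : (List<?>) keys) {
                if (!(entry instanceof Map)) {
                    continue; // not a JWK object; it cannot match any token
                }
                // Parsed JSON objects have string member names, so the cast is safe for lookups.
                @SuppressWarnings("unchecked")
                Map<String, Object> jwk = (Map<String, Object>) entry;
                keysByCode.put(CommonUtil.deepGet(jwk, "alg") + ":" + CommonUtil.deepGet(jwk, "kid"), jwk);
            }
            return keysByCode;
        } catch (IOException | HttpException e) {
            throw new VerificationException("unable to fetch key from jwks", e);
        }
    }
}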
