package com.ebay.api.security.openid.jwt;

import com.ebay.api.security.types.EbayIdToken;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.List;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.json.JSONObject;

/* loaded from: input_file:com/ebay/api/security/openid/jwt/EbayIdTokenValidator.class */
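/**
 * Validates eBay OpenID Connect ID tokens (compact JWS: {@code header.payload.signature}).
 *
 * <p>Checks performed, in order: structural split into three segments, RSA/SHA-256 signature
 * over {@code header + "." + payload} using the certificate selected by the header's
 * {@code kid}, expiry (with a fixed skew allowance), audience membership in the caller's list,
 * and an exact issuer match. No claim is read from the payload before the signature has
 * verified.
 *
 * <p>Not checked here: nonce, issued-at / not-before, or the validity period and trust chain of
 * the signing certificate. Whether {@code IdTokenCertificateHolder} covers the certificate side
 * is not visible from this class; callers that need nonce binding must compare it themselves.
 */
public class EbayIdTokenValidator {
    /** Grace period, in milliseconds, added to the token's expiry to absorb clock skew. */
    private static final int EXPIRY_BUFFER_IN_MS = 300000;

    /** The only issuer value accepted by {@link #validate(String, List)}. */
    private static final String TRUSTED_ISSUER = "oauth.ebay.com";

    /**
     * Single failure type for every rejection path, so callers can treat "token not acceptable"
     * uniformly by catching this one exception.
     */
    public static class JWTExtractException extends RuntimeException {
        /**
         * @param str human-readable rejection reason
         */
        public JWTExtractException(String str) {
            super(str);
        }

        /**
         * @param message human-readable rejection reason
         * @param cause underlying failure, kept for server-side diagnostics
         */
        public JWTExtractException(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * Verifies an ID token and returns its claims.
     *
     * @param str the compact-serialized ID token
     * @param list client ids this application accepts as the token's audience
     * @return the parsed claims of a token that passed every check
     * @throws JWTExtractException if the token is malformed, its signature does not verify, it
     *     has expired, its audience is not in {@code list}, or its issuer is not the trusted one
     */
    public static EbayIdToken validate(String str, List<String> list) {
        if (StringUtils.isEmpty(str)) {
            throw new JWTExtractException("ID token is null or empty");
        }
        if (list == null) {
            // Without an audience allow-list the token cannot be bound to this client; fail
            // closed with the validator's own exception type instead of a NullPointerException.
            throw new JWTExtractException("no trusted client ids supplied for audience validation");
        }
        // limit -1 keeps trailing empty segments, so "h.p.s." is seen as four parts and rejected
        // instead of being silently normalised to three.
        String[] parts = str.split("\\.", -1);
        if (parts.length != 3) {
            throw new JWTExtractException("invalid id token not all parts present");
        }
        if (StringUtils.isEmpty(parts[0]) || StringUtils.isEmpty(parts[1]) || StringUtils.isEmpty(parts[2])) {
            throw new JWTExtractException("invalid id token not all parts present");
        }

        // Signature first: nothing in the payload is trusted (or even parsed) until it verifies.
        String signingInput = parts[0] + "." + parts[1];
        if (!verifySign(parts[2], extractKeyId(parts[0]), signingInput)) {
            throw new JWTExtractException("signature verification failed");
        }

        EbayIdToken payload = extractPayload(parts);
        if (payload == null) {
            // A payload of literal JSON null would otherwise surface as a NullPointerException.
            throw new JWTExtractException("invalid id token payload is empty");
        }

        // 1000L forces long arithmetic; if getExpiresAt() is an int (its type is not visible
        // here) the seconds-to-milliseconds conversion would otherwise overflow.
        DateTime expiry = new DateTime(payload.getExpiresAt() * 1000L + EXPIRY_BUFFER_IN_MS);
        if (DateTime.now().isAfter(expiry)) {
            throw new JWTExtractException("IDToken has expired at: " + expiry);
        }

        // Explicit null check: immutable lists such as List.of(...) throw on contains(null).
        if (payload.getAudience() == null || !list.contains(payload.getAudience())) {
            throw new JWTExtractException("IDToken generated for Client: " + payload.getAudience());
        }

        // Constant-first equals so a token without an issuer claim is rejected, not an NPE.
        if (!TRUSTED_ISSUER.equals(payload.getIssuer())) {
            throw new JWTExtractException("IDToken issued by: " + payload.getIssuer() + " and not trusted by eBay authentication");
        }
        return payload;
    }

    /**
     * Reads the {@code kid} value from the (still unverified) JOSE header.
     *
     * <p>The header is attacker-controlled at this point. Its only use is to select which
     * certificate to verify against; the header's {@code alg} is never consulted.
     *
     * @param encodedHeader base64url-encoded header segment
     * @return the key id as a string
     * @throws JWTExtractException if the header is not a JSON object or carries no {@code kid}
     */
    private static String extractKeyId(String encodedHeader) {
        final JSONObject header;
        try {
            header = new JSONObject(new String(new Base64(true).decode(encodedHeader), StandardCharsets.UTF_8));
        } catch (RuntimeException e) {
            // org.json signals malformed input with an unchecked exception; translate it so that
            // a garbage header is reported like every other rejection.
            throw new JWTExtractException("invalid id token header: not valid JSON", e);
        }
        Object keyId = header.opt("kid");
        if (keyId == null) {
            throw new JWTExtractException("invalid id token header: no key id (kid) present");
        }
        return keyId.toString();
    }

    /**
     * Verifies the token signature with the certificate registered under {@code keyId}.
     *
     * <p>The algorithm is pinned to {@code SHA256withRSA} rather than taken from the token, so a
     * header cannot downgrade or switch the verification algorithm. An unknown key id (no
     * certificate returned) yields {@code false}, i.e. the token is rejected.
     *
     * @param encodedSignature base64url-encoded signature segment
     * @param keyId key id taken from the token header
     * @param signingInput the exact {@code header.payload} text the signature covers
     * @return {@code true} only if a certificate was found and the signature verifies
     * @throws JWTExtractException if the certificate cannot be obtained or the JCA signature
     *     machinery fails
     */
    private static boolean verifySign(String encodedSignature, String keyId, String signingInput) throws JWTExtractException {
        try {
            byte[] signatureBytes = new Base64(true).decode(encodedSignature);
            Certificate certificate = IdTokenCertificateHolder.getCertificate(keyId);
            if (certificate == null) {
                return false;
            }
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(certificate);
            // Explicit charset: the signed bytes must not depend on the JVM's default encoding.
            verifier.update(signingInput.getBytes(StandardCharsets.UTF_8));
            return verifier.verify(signatureBytes);
        } catch (IOException | CertificateException e) {
            throw new JWTExtractException("Exception obtaining certificate: " + e.getMessage(), e);
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new JWTExtractException("Exception creating signature object: " + e.getMessage(), e);
        } catch (SignatureException e) {
            throw new JWTExtractException("Exception verifying signature: " + e.getMessage(), e);
        }
    }

    /**
     * Decodes the payload segment and maps it onto {@link EbayIdToken}.
     *
     * @param segments the three token segments; index 1 is the payload
     * @return the mapped claims (whatever Jackson produces for the decoded JSON)
     * @throws JWTExtractException if the payload cannot be decoded or mapped
     */
    private static EbayIdToken extractPayload(String[] segments) {
        try {
            String json = new String(Base64.decodeBase64(segments[1]), StandardCharsets.UTF_8);
            return (EbayIdToken) new ObjectMapper().readValue(json, EbayIdToken.class);
        } catch (Exception e) {
            // The raw segment is deliberately not echoed: it holds the user's claims, and
            // exception messages routinely end up in logs and error responses. Parser detail
            // stays reachable through the cause for server-side debugging.
            throw new JWTExtractException("Exception converting payload to Token info", e);
        }
    }
}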
