package com.funambol.client.controller;

import com.funambol.client.customization.Customization;
import com.funambol.util.Base64;
import com.funambol.util.Log;
import com.funambol.util.StringUtil;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;
import java.util.UUID;

/* loaded from: classes2.dex */
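/**
 * Issues a nonce for an OAuth2 / OpenID Connect request and validates the ID token that
 * comes back: the token must carry an RS256 signature that verifies against the public key
 * configured for its {@code kid}, and its {@code nonce} claim must equal the last nonce
 * handed out by {@link #generateNewNonce()}.
 *
 * <p>Only the signature and the nonce are checked in this class. Issuer, audience and
 * expiry claims are not inspected here, so callers that rely on them must validate them
 * separately.
 *
 * <p>The stored nonce is plain mutable state with no synchronization; use one instance per
 * login attempt or confine it to a single thread.
 */
public class OAuth2NonceValidator {
    private static final String TAG_LOG = "OAuth2NonceValidator";
    private final Customization customization;
    // Last nonce handed out; null until generateNewNonce() has been called.
    private String nonce;

    /* loaded from: classes2.dex */
    /** Thrown when the ID token's nonce claim is missing, unreadable or not the expected one. */
    public static class InvalidNonceException extends Exception {
        public InvalidNonceException(String str) {
            super(str);
        }

        public InvalidNonceException(Throwable th) {
            super(th);
        }
    }

    /* loaded from: classes2.dex */
    /** Thrown when the ID token is empty, unparsable, wrongly signed or signed by an unknown key. */
    public static class InvalidSignatureException extends Exception {
        public InvalidSignatureException(String str) {
            super(str);
        }

        public InvalidSignatureException(Throwable th) {
            super(th);
        }
    }

    /**
     * @param customization source of the trusted signature keys, read through
     *     {@code getOAuth2SignatureValidationKeys()} as a map from key id to encoded public key
     */
    public OAuth2NonceValidator(Customization customization) {
        this.customization = customization;
    }

    /**
     * Checks that the token's {@code nonce} claim equals the nonce stored in this instance.
     *
     * <p>A token is rejected when no nonce has been generated yet, because a non-null claim
     * never equals a null expected value and a null claim is rejected outright.
     *
     * @throws InvalidNonceException if the claim is absent, cannot be read, or differs
     */
    private void validateNonce(SignedJWT signedJWT) throws InvalidNonceException {
        String actualNonce;
        try {
            actualNonce = signedJWT.getPayload().toJSONObject().getAsString("nonce");
        } catch (Exception e) {
            // Payload that is not a JSON object (or any other read failure) counts as a bad nonce.
            Log.error(TAG_LOG, "Failed to validate nonce", e);
            throw new InvalidNonceException(e);
        }
        if (actualNonce == null || !actualNonce.equals(this.nonce)) {
            // NOTE(review): the message puts the expected nonce into the log; consider
            // logging only that a mismatch occurred if logs are shared or uploaded.
            InvalidNonceException mismatch = new InvalidNonceException(
                    "Nonce mismatch. Expected:'" + this.nonce + "' actual:'" + actualNonce + "'");
            Log.error(TAG_LOG, "Failed to validate nonce", mismatch);
            throw mismatch;
        }
    }

    /**
     * Verifies the token's signature with the configured public key named by its {@code kid}.
     *
     * <p>The key is taken only from the application's own configuration, never from the
     * token, and the algorithm is pinned to RS256 before verification so that a token cannot
     * choose how it is checked.
     *
     * @throws InvalidSignatureException if no key is configured for the {@code kid}, the
     *     algorithm is not RS256, the key cannot be decoded, or verification fails
     */
    private void validateSignature(SignedJWT signedJWT) throws InvalidSignatureException {
        try {
            String keyID = signedJWT.getHeader().getKeyID();
            Map<String, String> trustedKeys = this.customization.getOAuth2SignatureValidationKeys();
            // A token without a kid is treated like an unknown kid.
            String encodedKey = (trustedKeys == null || keyID == null) ? null : trustedKeys.get(keyID);
            if (StringUtil.isNullOrEmpty(encodedKey)) {
                throw new InvalidSignatureException("Can't find public key for kid='" + keyID + "'");
            }

            // JWS "alg" values are case-sensitive, so compare exactly; a missing algorithm is rejected too.
            if (signedJWT.getHeader().getAlgorithm() == null
                    || !"RS256".equals(signedJWT.getHeader().getAlgorithm().getName())) {
                throw new InvalidSignatureException("Invalid signature. Token must be signed with RS256 algorithm.");
            }

            // The configured value is a Base64 X.509 SubjectPublicKeyInfo encoding of an RSA key.
            X509EncodedKeySpec keySpec = new X509EncodedKeySpec(Base64.decode(encodedKey));
            RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(keySpec);

            if (!signedJWT.verify(new RSASSAVerifier(publicKey))) {
                throw new InvalidSignatureException("JWT signature verification failed");
            }
        } catch (InvalidSignatureException e) {
            throw e;
        } catch (Exception e) {
            // Key decoding, key-factory and JOSE failures all mean the signature cannot be trusted.
            throw new InvalidSignatureException(e);
        }
    }

    /**
     * Generates a fresh nonce, remembers it as the expected value and returns it.
     *
     * <p>Each call replaces the previous nonce, so a token issued for an earlier nonce no
     * longer validates.
     *
     * @return the nonce to send with the authorization request
     */
    public final String generateNewNonce() {
        this.nonce = generateNewNonceValue();
        return this.nonce;
    }

    /**
     * Produces the nonce value. The default is a random (type 4) UUID, which the JDK
     * generates with a cryptographically strong random number generator.
     *
     * <p>Overrides must keep the value unpredictable and unique per request; a constant or
     * guessable nonce removes the replay protection the nonce check provides.
     */
    protected String generateNewNonceValue() {
        return UUID.randomUUID().toString();
    }

    /**
     * Validates an ID token: parses it, verifies its signature, then checks its nonce.
     *
     * <p>The signature is verified first so that no claim is read from a token whose
     * integrity has not been established.
     *
     * <p>NOTE(review): the stored nonce is kept after a successful validation, so the same
     * token validates again on this instance until {@link #generateNewNonce()} is called.
     * Confirm whether callers need the nonce to be single-use.
     *
     * @param str the compact serialization of the ID token
     * @throws InvalidSignatureException if the token is empty, cannot be parsed, or its
     *     signature is not valid
     * @throws InvalidNonceException if the signature is valid but the nonce is not the
     *     expected one
     */
    public void validateIDToken(String str) throws InvalidNonceException, InvalidSignatureException {
        if (StringUtil.isNullOrEmpty(str)) {
            throw new InvalidSignatureException("Empty token");
        }
        SignedJWT idToken;
        try {
            // m43parse is the name this decompiled tree gives the parser (presumably SignedJWT.parse).
            idToken = SignedJWT.m43parse(str);
        } catch (Exception e) {
            throw new InvalidSignatureException(e);
        }
        if (idToken == null) {
            throw new InvalidSignatureException("Failed to parse id token");
        }
        // Each validator throws its own exception type; they are no longer folded into
        // InvalidSignatureException, so callers can tell a nonce failure from a signature failure.
        validateSignature(idToken);
        validateNonce(idToken);
    }
}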
