package org.gcube.io.jsonwebtoken.impl;

import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.Reader;
import java.io.SequenceInputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.util.Collection;
import java.util.Date;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.crypto.SecretKey;
import org.gcube.io.jsonwebtoken.Claims;
import org.gcube.io.jsonwebtoken.ClaimsBuilder;
import org.gcube.io.jsonwebtoken.Clock;
import org.gcube.io.jsonwebtoken.CompressionCodecResolver;
import org.gcube.io.jsonwebtoken.ExpiredJwtException;
import org.gcube.io.jsonwebtoken.Header;
import org.gcube.io.jsonwebtoken.IncorrectClaimException;
import org.gcube.io.jsonwebtoken.Jwe;
import org.gcube.io.jsonwebtoken.JweHeader;
import org.gcube.io.jsonwebtoken.Jws;
import org.gcube.io.jsonwebtoken.JwsHeader;
import org.gcube.io.jsonwebtoken.Jwt;
import org.gcube.io.jsonwebtoken.JwtException;
import org.gcube.io.jsonwebtoken.JwtHandler;
import org.gcube.io.jsonwebtoken.JwtParser;
import org.gcube.io.jsonwebtoken.Jwts;
import org.gcube.io.jsonwebtoken.Locator;
import org.gcube.io.jsonwebtoken.MalformedJwtException;
import org.gcube.io.jsonwebtoken.MissingClaimException;
import org.gcube.io.jsonwebtoken.PrematureJwtException;
import org.gcube.io.jsonwebtoken.ProtectedHeader;
import org.gcube.io.jsonwebtoken.SigningKeyResolver;
import org.gcube.io.jsonwebtoken.UnsupportedJwtException;
import org.gcube.io.jsonwebtoken.impl.io.AbstractParser;
import org.gcube.io.jsonwebtoken.impl.io.BytesInputStream;
import org.gcube.io.jsonwebtoken.impl.io.CharSequenceReader;
import org.gcube.io.jsonwebtoken.impl.io.JsonObjectDeserializer;
import org.gcube.io.jsonwebtoken.impl.io.Streams;
import org.gcube.io.jsonwebtoken.impl.io.UncloseableInputStream;
import org.gcube.io.jsonwebtoken.impl.lang.Bytes;
import org.gcube.io.jsonwebtoken.impl.lang.Function;
import org.gcube.io.jsonwebtoken.impl.lang.RedactedSupplier;
import org.gcube.io.jsonwebtoken.impl.security.DefaultDecryptAeadRequest;
import org.gcube.io.jsonwebtoken.impl.security.DefaultDecryptionKeyRequest;
import org.gcube.io.jsonwebtoken.impl.security.DefaultVerifySecureDigestRequest;
import org.gcube.io.jsonwebtoken.impl.security.LocatingKeyResolver;
import org.gcube.io.jsonwebtoken.impl.security.ProviderKey;
import org.gcube.io.jsonwebtoken.io.CompressionAlgorithm;
import org.gcube.io.jsonwebtoken.io.Decoder;
import org.gcube.io.jsonwebtoken.io.DeserializationException;
import org.gcube.io.jsonwebtoken.io.Deserializer;
import org.gcube.io.jsonwebtoken.lang.Assert;
import org.gcube.io.jsonwebtoken.lang.Collections;
import org.gcube.io.jsonwebtoken.lang.DateFormats;
import org.gcube.io.jsonwebtoken.lang.Objects;
import org.gcube.io.jsonwebtoken.lang.Registry;
import org.gcube.io.jsonwebtoken.lang.Strings;
import org.gcube.io.jsonwebtoken.security.AeadAlgorithm;
import org.gcube.io.jsonwebtoken.security.InvalidKeyException;
import org.gcube.io.jsonwebtoken.security.KeyAlgorithm;
import org.gcube.io.jsonwebtoken.security.SecureDigestAlgorithm;
import org.gcube.io.jsonwebtoken.security.SecurityException;
import org.gcube.io.jsonwebtoken.security.SignatureException;
import org.gcube.io.jsonwebtoken.security.WeakKeyException;

/* loaded from: input_file:WEB-INF/lib/gcube-jjwt-impl-0.12.6.jar:org/gcube/io/jsonwebtoken/impl/DefaultJwtParser.class */
public class DefaultJwtParser extends AbstractParser<Jwt<?, ?>> implements JwtParser {
    // Separator between the Base64Url segments of a compact JWT.
    static final char SEPARATOR_CHAR = '.';
    // Key-misuse messages: thrown by verifySignature when the resolved key is a PrivateKey, and by the
    // JWE branch of parse when the located key is a PublicKey.
    static final String PRIV_KEY_VERIFY_MSG = "PrivateKeys may not be used to verify digital signatures. PrivateKeys are used to sign, and PublicKeys are used to verify.";
    static final String PUB_KEY_DECRYPT_MSG = "PublicKeys may not be used to decrypt data. PublicKeys are used to encrypt, and PrivateKeys are used to decrypt.";
    // Templates for expected-claim validation failures (see validateExpectedClaims).
    public static final String INCORRECT_EXPECTED_CLAIM_MESSAGE_TEMPLATE = "Expected %s claim to be: %s, but was: %s.";
    public static final String MISSING_EXPECTED_CLAIM_VALUE_MESSAGE_TEMPLATE = "Missing expected '%s' value in '%s' claim %s.";
    // A header without 'alg' is rejected as malformed; which message is used depends on whether the
    // tokenizer produced a JWE or a JWS.
    public static final String MISSING_JWS_ALG_MSG = "JWS header does not contain a required 'alg' (Algorithm) header parameter.  This header parameter is mandatory per the JWS Specification, Section 4.1.1. See https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.1 for more information.";
    public static final String MISSING_JWE_ALG_MSG = "JWE header does not contain a required 'alg' (Algorithm) header parameter.  This header parameter is mandatory per the JWE Specification, Section 4.1.1. See https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.1 for more information.";
    // Used when 'alg' is not "none" but the compact string carries no digest segment.
    // NOTE(review): the JWS variant's text says "compact JWE string" although parse selects it for
    // tokens that are not JWEs; the wording looks like a copy/paste slip in the message.
    public static final String MISSING_JWS_DIGEST_MSG_FMT = "The JWS header references signature algorithm '%s' but the compact JWE string is missing the required signature.";
    public static final String MISSING_JWE_DIGEST_MSG_FMT = "The JWE header references key management algorithm '%s' but the compact JWE string is missing the required AAD authentication tag.";
    // Used for the 'enc' lookup and for the explicit missing-'enc' check in the JWE branch of parse.
    private static final String MISSING_ENC_MSG = "JWE header does not contain a required 'enc' (Encryption Algorithm) header parameter.  This header parameter is mandatory per the JWE Specification, Section 4.1.2. See https://www.rfc-editor.org/rfc/rfc7516.html#section-4.1.2 for more information.";
    // Raised when the JWS header says the payload is not Base64Url-encoded, the compact string has no
    // payload segment, and the caller supplied no detached payload.
    private static final String B64_MISSING_PAYLOAD = "Unable to verify JWS signature: the parser has encountered an Unencoded Payload JWS with detached payload, but the detached payload value required for signature verification has not been provided. If you expect to receive and parse Unencoded Payload JWSs in your application, the overloaded JwtParser.parseSignedContent or JwtParser.parseSignedClaims methods that accept a byte[] or InputStream must be used for these kinds of JWSs. Header: %s";
    // JCA provider passed to ProviderKey.getProvider(...) together with the resolved key; may be null
    // (the constructor does not validate it).
    private final Provider provider;
    // Optional key resolver. When non-null, parse() verifies the JWS signature only AFTER the payload
    // has been decompressed and deserialized, because the resolver is handed the parsed claims.
    // When null, keyLocator is used and verification happens before decompression.
    private final SigningKeyResolver signingKeyResolver;
    // When false, a header whose 'alg' equals "none" (case-insensitively) is rejected in parse().
    private final boolean unsecured;
    // Gates decompression of a payload whose integrity has not yet been verified at that point in parse().
    private final boolean unsecuredDecompression;
    // Header -> algorithm lookups, built in the constructor from the supplied registries.
    private final Function<JwsHeader, SecureDigestAlgorithm<?, ?>> sigAlgs;
    private final Function<JweHeader, AeadAlgorithm> encAlgs;
    private final Function<JweHeader, KeyAlgorithm<?, ?>> keyAlgs;
    private final Function<Header, CompressionAlgorithm> zipAlgs;
    // Locates the JWE decryption key, and the JWS verification key when no SigningKeyResolver is set.
    private final Locator<? extends Key> keyLocator;
    // Stream decoder applied to each compact segment (the constructor's null check names it base64UrlDecoder).
    private final Decoder<InputStream, InputStream> decoder;
    // JSON deserializer used for the protected header and, where applicable, the claims payload.
    private final Deserializer<Map<String, ?>> deserializer;
    // Claims the application requires; each is compared against the parsed claims in validateExpectedClaims.
    private final ClaimsBuilder expectedClaims;
    // Time source for the exp / nbf checks.
    private final Clock clock;
    // Names of 'crit' header parameters the application declares it understands; never null
    // (wrapped with Collections.nullSafe in the constructor).
    private final Set<String> critical;
    // Tolerance applied to the exp / nbf comparisons; only used when greater than zero.
    private final long allowedClockSkewMillis;
    // Shared tokenizer that splits a compact string into its segments.
    private static final JwtTokenizer jwtTokenizer = new JwtTokenizer();
    // Rejection message for 'alg' = none when the parser was not built with unsecured enabled.
    private static final String UNSECURED_DISABLED_MSG_PREFIX = "Unsecured JWSs (those with an " + DefaultHeader.ALGORITHM + " header value of '" + Jwts.SIG.NONE.getId() + "') are disallowed by default as mandated by https://www.rfc-editor.org/rfc/rfc7518.html#section-3.6. If you wish to allow them to be parsed, call the JwtParserBuilder.unsecured() method, but please read the security considerations covered in that method's JavaDoc before doing so. Header: ";
    // 'crit' is only meaningful when integrity protected, so it is refused on unsecured tokens.
    private static final String CRIT_UNSECURED_MSG = "Unsecured JWSs (those with an " + DefaultHeader.ALGORITHM + " header value of '" + Jwts.SIG.NONE.getId() + "') may not use the " + DefaultProtectedHeader.CRIT + " header parameter per https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11 (\"the [crit] Header Parameter MUST be integrity protected; therefore, it MUST occur only within [a] JWS Protected Header)\". Header: %s";
    // A name listed in 'crit' must also be present as a header parameter ...
    private static final String CRIT_MISSING_MSG = "Protected Header " + DefaultProtectedHeader.CRIT + " set references header name '%s', but the header does not contain an associated '%s' header parameter as required by https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11. Header: %s";
    // ... and must be in the set of names the application declared as supported.
    private static final String CRIT_UNSUPPORTED_MSG = "Protected Header " + DefaultProtectedHeader.CRIT + " set references unsupported header name '%s'. Application developers expecting to support a JWT extension using header '%s' in their application code must indicate it is supported by using the JwtParserBuilder.critical method. Header: %s";
    // 'alg' = none is never acceptable on a JWE.
    private static final String JWE_NONE_MSG = "JWEs do not support key management " + DefaultHeader.ALGORITHM + " header value '" + Jwts.SIG.NONE.getId() + "' per https://www.rfc-editor.org/rfc/rfc7518.html#section-4.1";
    // 'alg' = none combined with a non-empty signature segment is contradictory and rejected.
    private static final String JWS_NONE_SIG_MISMATCH_MSG = "The JWS header references signature algorithm '" + Jwts.SIG.NONE.getId() + "' yet the compact JWS string contains a signature. This is not permitted per https://tools.ietf.org/html/rfc7518#section-3.6.";
    // Decompression refusals: both apply when the payload has not been integrity-verified at the
    // point where parse() would decompress it.
    private static final String B64_DECOMPRESSION_MSG = "The JWT header references compression algorithm '%s', but payload decompression for Unencoded JWSs (those with an " + DefaultJwsHeader.B64 + " header value of false) that rely on a SigningKeyResolver are disallowed by default to protect against [Denial of Service attacks](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf).  If you wish to enable Unencoded JWS payload decompression, configure the JwtParserBuilder.keyLocator(Locator) and do not configure a SigningKeyResolver.";
    private static final String UNPROTECTED_DECOMPRESSION_MSG = "The JWT header references compression algorithm '%s', but payload decompression for Unprotected JWTs (those with an " + DefaultHeader.ALGORITHM + " header value of '" + Jwts.SIG.NONE.getId() + "') or Unencoded JWSs (those with a " + DefaultJwsHeader.B64 + " header value of false) that also rely on a SigningKeyResolver are disallowed by default to protect against [Denial of Service attacks](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-pellegrino.pdf).  If you wish to enable Unsecure JWS or Unencoded JWS payload decompression, call the JwtParserBuilder.unsecuredDecompression() method, but please read the security considerations covered in that method's JavaDoc before doing so.";

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds a parser from already-resolved configuration. Parameter names are decompiler output;
     * their roles below are taken from the fields they are assigned to.
     *
     * @param provider                 JCA provider used with resolved keys; not validated, may be null
     * @param signingKeyResolver       optional resolver for JWS verification keys; not validated
     * @param z                        stored as {@code unsecured}: whether 'alg' = none tokens are accepted
     * @param z2                       stored as {@code unsecuredDecompression}
     * @param locator                  key locator; must not be null
     * @param clock                    time source for exp / nbf checks; must not be null
     * @param set                      'crit' header names the application supports; null is tolerated
     * @param j                        stored as {@code allowedClockSkewMillis}
     * @param defaultClaims            claims every parsed token is expected to carry
     * @param decoder                  segment decoder; must not be null
     * @param deserializer             JSON deserializer; must not be null
     * @param compressionCodecResolver optional resolver; when non-null it replaces the registry lookup for 'zip'
     * @param registry                 compression algorithms, used only when no resolver is given
     * @param registry2                signature algorithms looked up by the 'alg' header
     * @param registry3                JWE key management algorithms looked up by the 'alg' header
     * @param registry4                JWE content encryption algorithms looked up by the 'enc' header
     */
    public DefaultJwtParser(Provider provider, SigningKeyResolver signingKeyResolver, boolean z, boolean z2, Locator<? extends Key> locator, Clock clock, Set<String> set, long j, DefaultClaims defaultClaims, Decoder<InputStream, InputStream> decoder, Deserializer<Map<String, ?>> deserializer, CompressionCodecResolver compressionCodecResolver, Registry<String, CompressionAlgorithm> registry, Registry<String, SecureDigestAlgorithm<?, ?>> registry2, Registry<String, KeyAlgorithm<?, ?>> registry3, Registry<String, AeadAlgorithm> registry4) {
        // Plain values that are stored without any validation.
        this.provider = provider;
        this.signingKeyResolver = signingKeyResolver;
        this.unsecured = z;
        this.unsecuredDecompression = z2;
        this.allowedClockSkewMillis = j;

        // Checked collaborators, kept in their original relative order so the first failing
        // check (and therefore the exception a caller sees) does not change.
        this.keyLocator = (Locator) Assert.notNull(locator, "Key Locator cannot be null.");
        this.clock = (Clock) Assert.notNull(clock, "Clock cannot be null.");
        this.critical = Collections.nullSafe((Set) set);
        this.expectedClaims = Jwts.claims().add2(defaultClaims);
        this.decoder = (Decoder) Assert.notNull(decoder, "base64UrlDecoder cannot be null.");
        this.deserializer = (Deserializer) Assert.notNull(deserializer, "JSON Deserializer cannot be null.");

        // Header-driven algorithm lookups; the third argument is the message used when the
        // header parameter is absent.
        this.sigAlgs = new IdLocator(DefaultHeader.ALGORITHM, registry2, MISSING_JWS_ALG_MSG);
        this.keyAlgs = new IdLocator(DefaultHeader.ALGORITHM, registry3, MISSING_JWE_ALG_MSG);
        this.encAlgs = new IdLocator(DefaultJweHeader.ENCRYPTION_ALGORITHM, registry4, MISSING_ENC_MSG);
        if (compressionCodecResolver == null) {
            this.zipAlgs = new IdLocator<>(DefaultHeader.COMPRESSION_ALGORITHM, registry, null);
        } else {
            this.zipAlgs = new CompressionCodecLocator(compressionCodecResolver);
        }
    }

    /**
     * Reports whether the compact string is shaped like a signed JWS: it tokenizes, is not a JWE,
     * and has a non-blank digest segment.
     *
     * <p>This is a structural check only. No key is consulted and no signature is verified, so a
     * {@code true} result says nothing about whether the token is authentic.
     *
     * @param charSequence the compact string to inspect; blank or null yields {@code false}
     * @return {@code true} only for a well-formed, non-JWE compact string with a digest segment
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public boolean isSigned(CharSequence charSequence) {
        if (!Strings.hasText(charSequence)) {
            return false;
        }
        try {
            TokenizedJwt tokens = jwtTokenizer.tokenize(new CharSequenceReader(charSequence));
            boolean notEncrypted = !(tokens instanceof TokenizedJwe);
            return notEncrypted && Strings.hasText(tokens.getDigest());
        } catch (MalformedJwtException unparsable) {
            // Anything the tokenizer rejects is simply "not signed".
            return false;
        }
    }

    /**
     * Tells whether the header carries a non-blank content type.
     *
     * @param header the header to inspect; may be null
     * @return {@code false} for a null header, otherwise whether its content type has text
     */
    private static boolean hasContentType(Header header) {
        if (header == null) {
            return false;
        }
        return Strings.hasText(header.getContentType());
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v108, types: [java.io.InputStream] */
    /**
     * Verifies the digest segment of a compact JWS using a key obtained from {@code signingKeyResolver}.
     *
     * <p>NOTE(review): this listing is decompiler output and does not compile as shown. {@code r0} is
     * never declared (JADX reported a type-inference failure), and {@code resolveSigningKey} is
     * declared as {@code InputStream} although it first receives the resolver's result and is later
     * reused for the payload stream. Treat the control flow as indicative and confirm details
     * against the bytecode or the upstream source.
     *
     * @param tokenizedJwt       the tokenized compact string (protected header, payload, digest)
     * @param jwsHeader          the parsed JWS header; drives algorithm lookup and key resolution
     * @param str                the 'alg' value, used only in the "Unsupported signature algorithm" message
     * @param signingKeyResolver resolver for the verification key; must not be null
     * @param claims             parsed claims, or null to resolve the key from the payload bytes instead
     * @param payload            the payload, streamed into the signing input when it is not Base64Url-encoded
     * @return the decoded signature bytes when verification succeeds
     */
    private byte[] verifySignature(TokenizedJwt tokenizedJwt, JwsHeader jwsHeader, String str, SigningKeyResolver signingKeyResolver, Claims claims, Payload payload) {
        SequenceInputStream sequenceInputStream;
        Assert.notNull(signingKeyResolver, "SigningKeyResolver instance cannot be null.");
        try {
            // The algorithm comes from the token's own 'alg' header via the configured registry.
            SecureDigestAlgorithm<?, ?> apply = this.sigAlgs.apply(jwsHeader);
            Assert.stateNotNull(apply, "JWS Signature Algorithm cannot be null.");
            // Resolve by claims when they were parsed, otherwise by raw payload bytes.
            InputStream resolveSigningKey = claims != null ? signingKeyResolver.resolveSigningKey(jwsHeader, claims) : signingKeyResolver.resolveSigningKey(jwsHeader, payload.getBytes());
            if (resolveSigningKey == null) {
                throw new UnsupportedJwtException("Cannot verify JWS signature: unable to locate signature verification key for JWS with header: " + jwsHeader);
            }
            Provider provider = ProviderKey.getProvider(resolveSigningKey, this.provider);
            // NOTE(review): r0 is a decompiler placeholder; presumably the key unwrapped with
            // ProviderKey.getKey(...), as the JWE branch of parse does. Confirm.
            Assert.stateNotNull(r0, "ProviderKey cannot be null.");
            // A private key must never be accepted for verification.
            if (r0 instanceof PrivateKey) {
                throw new InvalidKeyException(PRIV_KEY_VERIFY_MSG);
            }
            byte[] decode = decode(tokenizedJwt.getDigest(), "JWS signature");
            // From here on the variable holds the payload stream (if any) that must be reset afterwards.
            resolveSigningKey = null;
            if (jwsHeader.isPayloadEncoded()) {
                // Signing input is the exact received text: protected header, '.', payload, as US-ASCII.
                CharBuffer allocate = CharBuffer.allocate(tokenizedJwt.getProtected().length() + 1 + tokenizedJwt.getPayload().length());
                allocate.put(Strings.wrap(tokenizedJwt.getProtected()));
                allocate.put('.');
                allocate.put(Strings.wrap(tokenizedJwt.getPayload()));
                allocate.rewind();
                ByteBuffer encode = StandardCharsets.US_ASCII.encode(allocate);
                encode.rewind();
                byte[] bArr = new byte[encode.remaining()];
                encode.get(bArr);
                sequenceInputStream = Streams.of(bArr);
            } else {
                // Unencoded payload: signing input is protected header, '.', then the raw payload bytes.
                ByteBuffer encode2 = StandardCharsets.US_ASCII.encode(Strings.wrap(tokenizedJwt.getProtected()));
                encode2.rewind();
                ByteBuffer allocate2 = ByteBuffer.allocate(encode2.remaining() + 1);
                allocate2.put(encode2);
                // 46 is the ASCII code of '.'
                allocate2.put((byte) 46);
                allocate2.rewind();
                byte[] bArr2 = new byte[allocate2.remaining()];
                allocate2.get(bArr2);
                InputStream of = Streams.of(bArr2);
                resolveSigningKey = payload.toInputStream();
                // Wrapped so that closing the sequence does not close the payload stream.
                sequenceInputStream = new SequenceInputStream(of, new UncloseableInputStream(resolveSigningKey));
            }
            try {
                try {
                    try {
                        if (apply.verify(new DefaultVerifySecureDigestRequest(sequenceInputStream, provider, null, r0, decode))) {
                            return decode;
                        }
                        // Fail closed: a non-matching signature is always an exception, never a return value.
                        throw new SignatureException("JWT signature does not match locally computed signature. JWT validity cannot be asserted and should not be trusted.");
                    } finally {
                        // Rewind the payload stream so the caller can read it again after verification.
                        Streams.reset(resolveSigningKey);
                    }
                } catch (IllegalArgumentException | InvalidKeyException e) {
                    // The key does not fit the algorithm named by the token: reported as an untrusted token.
                    String id = apply.getId();
                    throw new UnsupportedJwtException("The parsed JWT indicates it was signed with the '" + id + "' signature algorithm, but the provided " + r0.getClass().getName() + " key may not be used to verify " + id + " signatures.  Because the specified key reflects a specific and expected algorithm, and the JWT does not reflect this algorithm, it is likely that the JWT was not expected and therefore should not be trusted.  Another possibility is that the parser was provided the incorrect signature verification key, but this cannot be assumed for security reasons.", e);
                }
            } catch (WeakKeyException e2) {
                // NOTE(review): intent appears to be letting weak-key errors through unchanged. If
                // WeakKeyException is a subtype of InvalidKeyException, the inner catch would see it
                // first as nested here; the decompiler may have reordered the handlers. Confirm.
                throw e2;
            }
        } catch (UnsupportedJwtException e3) {
            // NOTE(review): as decompiled this handler spans the whole body, so the "unable to locate
            // signature verification key" and key/algorithm mismatch errors above would also be
            // rewrapped with this message. The try range may be mis-reconstructed. Confirm.
            throw new SignatureException("Unsupported signature algorithm '" + str + "'", e3);
        }
    }

    /* JADX WARN: Can't rename method to resolve collision */
    /**
     * Parses a compact JWT read from {@code reader}, with no detached payload supplied.
     *
     * @param reader source of the compact string; must not be null
     * @return the parsed JWT
     */
    @Override // org.gcube.io.jsonwebtoken.io.Parser
    public Jwt<?, ?> parse(Reader reader) {
        Assert.notNull(reader, "Reader cannot be null.");
        final Payload noDetachedPayload = Payload.EMPTY;
        return parse(reader, noDetachedPayload);
    }

    /* JADX WARN: Finally extract failed */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v195, types: [byte[]] */
    /**
     * Core parsing routine: tokenizes the compact string, validates the protected header, decrypts a
     * JWE or verifies a JWS, optionally decompresses and deserializes the payload, and finally
     * applies the exp / nbf and expected-claim checks.
     *
     * <p>NOTE(review): this listing is decompiler output and does not compile as shown. {@code r25}
     * is never declared (it holds the decoded JWE initialization vector), and the local {@code bytes}
     * is typed {@code Claims} although it receives {@code payload2.getBytes()}. JADX also reported
     * "Finally extract failed", so try/catch ranges may not match the original; see the note on the
     * final catch block.
     *
     * @param reader  source of the compact string; must not be null
     * @param payload detached payload for Unencoded Payload JWSs, or {@code Payload.EMPTY}
     * @return a DefaultJwe, DefaultJws or DefaultJwt depending on what was parsed
     */
    private Jwt<?, ?> parse(Reader reader, Payload payload) {
        Payload payload2;
        Assert.notNull(reader, "Compact reader cannot be null.");
        Assert.stateNotNull(payload, "internal error: unencodedPayload is null.");
        TokenizedJwt tokenizedJwt = jwtTokenizer.tokenize(reader);
        CharSequence charSequence = tokenizedJwt.getProtected();
        if (!Strings.hasText(charSequence)) {
            throw new MalformedJwtException("Compact JWT strings MUST always have a Base64Url protected header per https://tools.ietf.org/html/rfc7519#section-7.2 (steps 2-4).");
        }
        try {
            Header createHeader = tokenizedJwt.createHeader(deserialize(Streams.of(decode(charSequence, "protected header")), "protected header"));
            String clean = Strings.clean(createHeader.getAlgorithm());
            if (!Strings.hasText(clean)) {
                throw new MalformedJwtException(tokenizedJwt instanceof TokenizedJwe ? MISSING_JWE_ALG_MSG : MISSING_JWS_ALG_MSG);
            }
            // 'alg' = none is matched case-insensitively, so spelling variants get the same treatment.
            boolean equalsIgnoreCase = Jwts.SIG.NONE.getId().equalsIgnoreCase(clean);
            CharSequence digest = tokenizedJwt.getDigest();
            boolean hasText = Strings.hasText(digest);
            if (equalsIgnoreCase) {
                // Unsecured token: never valid for a JWE, refused unless explicitly enabled, and it
                // may carry neither a signature segment nor a 'crit' header.
                if (tokenizedJwt instanceof TokenizedJwe) {
                    throw new MalformedJwtException(JWE_NONE_MSG);
                }
                if (!this.unsecured) {
                    throw new UnsupportedJwtException(UNSECURED_DISABLED_MSG_PREFIX + createHeader);
                }
                if (hasText) {
                    throw new MalformedJwtException(JWS_NONE_SIG_MISMATCH_MSG);
                }
                if (createHeader.containsKey(DefaultProtectedHeader.CRIT.getId())) {
                    throw new MalformedJwtException(String.format(CRIT_UNSECURED_MSG, createHeader));
                }
            } else if (!hasText) {
                // A real algorithm is named but there is no digest segment: reject rather than skip verification.
                throw new MalformedJwtException(String.format(tokenizedJwt instanceof TokenizedJwe ? MISSING_JWE_DIGEST_MSG_FMT : MISSING_JWS_DIGEST_MSG_FMT, clean));
            }
            if (createHeader instanceof ProtectedHeader) {
                // 'crit' handling: every listed name must be present in the header and must be one
                // the application declared as supported.
                Set<String> nullSafe = Collections.nullSafe((Set) ((ProtectedHeader) createHeader).getCritical());
                Set<String> set = this.critical;
                String id = DefaultJwsHeader.B64.getId();
                // Supplying a detached payload implies the caller understands the b64 extension.
                if (!payload.isEmpty() && !this.critical.contains(id)) {
                    set = new LinkedHashSet(Collections.size(this.critical) + 1);
                    set.add(DefaultJwsHeader.B64.getId());
                    set.addAll(this.critical);
                }
                for (String str : nullSafe) {
                    if (!createHeader.containsKey(str)) {
                        throw new MalformedJwtException(String.format(CRIT_MISSING_MSG, str, str, createHeader));
                    }
                    if (!set.contains(str)) {
                        throw new UnsupportedJwtException(String.format(CRIT_UNSUPPORTED_MSG, str, str, createHeader));
                    }
                }
            }
            CharSequence payload3 = tokenizedJwt.getPayload();
            // z: set once the payload's integrity has been established (JWE decrypted, or JWS
            // verified through the key locator).
            boolean z = false;
            // z2: the payload segment is Base64Url-encoded (always true unless a JWS header says otherwise).
            boolean z2 = !(createHeader instanceof JwsHeader) || ((JwsHeader) createHeader).isPayloadEncoded();
            if (z2) {
                payload2 = new Payload(decode(tokenizedJwt.getPayload(), "payload"), createHeader.getContentType());
            } else if (Strings.hasText(payload3)) {
                payload2 = new Payload(payload3, createHeader.getContentType());
            } else {
                // Unencoded and not embedded: the detached payload passed by the caller is required.
                if (payload.isEmpty()) {
                    throw new SignatureException(String.format(B64_MISSING_PAYLOAD, createHeader));
                }
                payload2 = payload;
            }
            if ((tokenizedJwt instanceof TokenizedJwe) && payload2.isEmpty()) {
                throw new MalformedJwtException("Compact JWE strings MUST always contain a payload (ciphertext).");
            }
            byte[] bArr = null;
            if (tokenizedJwt instanceof TokenizedJwe) {
                TokenizedJwe tokenizedJwe = (TokenizedJwe) tokenizedJwt;
                JweHeader jweHeader = (JweHeader) Assert.stateIsInstance(JweHeader.class, createHeader, "Not a JweHeader. ");
                // The encrypted-key segment may be absent; if present it must decode to non-empty bytes.
                byte[] bArr2 = Bytes.EMPTY;
                CharSequence encryptedKey = tokenizedJwe.getEncryptedKey();
                if (Strings.hasText(encryptedKey)) {
                    bArr2 = decode(encryptedKey, "JWE encrypted key");
                    if (Bytes.isEmpty(bArr2)) {
                        throw new MalformedJwtException("Compact JWE string represents an encrypted key, but the key is empty.");
                    }
                }
                CharSequence iv = tokenizedJwe.getIv();
                // r25 (decompiler placeholder): the decoded initialization vector, mandatory for a JWE.
                r25 = Strings.hasText(iv) ? decode(iv, "JWE Initialization Vector") : null;
                if (Bytes.isEmpty(r25)) {
                    throw new MalformedJwtException("Compact JWE strings must always contain an Initialization Vector.");
                }
                // Additional authenticated data is the protected header exactly as received, in US-ASCII.
                ByteBuffer encode = StandardCharsets.US_ASCII.encode(Strings.wrap(charSequence));
                byte[] bArr3 = new byte[encode.remaining()];
                encode.get(bArr3);
                InputStream of = Streams.of(bArr3);
                Assert.hasText(digest, "JWE AAD Authentication Tag cannot be null or empty.");
                bArr = decode(digest, "JWE AAD Authentication Tag");
                if (Bytes.isEmpty(bArr)) {
                    throw new MalformedJwtException("Compact JWE strings must always contain an AAD Authentication Tag.");
                }
                if (!Strings.hasText(jweHeader.getEncryptionAlgorithm())) {
                    throw new MalformedJwtException(MISSING_ENC_MSG);
                }
                AeadAlgorithm apply = this.encAlgs.apply(jweHeader);
                Assert.stateNotNull(apply, "JWE Encryption Algorithm cannot be null.");
                KeyAlgorithm<?, ?> apply2 = this.keyAlgs.apply(jweHeader);
                Assert.stateNotNull(apply2, "JWE Key Algorithm cannot be null.");
                Key locate = this.keyLocator.locate(jweHeader);
                if (locate == null) {
                    throw new UnsupportedJwtException("Cannot decrypt JWE payload: unable to locate key for JWE with header: " + jweHeader);
                }
                // A public key must never be accepted for decryption.
                if (locate instanceof PublicKey) {
                    throw new InvalidKeyException(PUB_KEY_DECRYPT_MSG);
                }
                SecretKey decryptionKey = apply2.getDecryptionKey(new DefaultDecryptionKeyRequest(bArr2, ProviderKey.getProvider(locate, this.provider), null, jweHeader, apply, ProviderKey.getKey(locate)));
                if (decryptionKey == null) {
                    throw new IllegalStateException("The '" + apply2.getId() + "' JWE key algorithm did not return a decryption key. Unable to perform '" + apply.getId() + "' decryption.");
                }
                InputStream inputStream = payload2.toInputStream();
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(8192);
                apply.decrypt(new DefaultDecryptAeadRequest(inputStream, decryptionKey, of, r25, bArr), byteArrayOutputStream);
                payload2 = new Payload(byteArrayOutputStream.toByteArray(), createHeader.getContentType());
                z = true;
            } else if (hasText && this.signingKeyResolver == null) {
                // No SigningKeyResolver configured: verify now, through the key locator, before the
                // payload is decompressed or deserialized.
                bArr = verifySignature(tokenizedJwt, (JwsHeader) Assert.stateIsInstance(JwsHeader.class, createHeader, "Not a JwsHeader. "), clean, new LocatingKeyResolver(this.keyLocator), null, payload2);
                z = true;
            }
            CompressionAlgorithm apply3 = this.zipAlgs.apply(createHeader);
            if (apply3 != null) {
                // Decompressing data whose integrity is not yet established is restricted: refused
                // outright for unencoded payloads, otherwise allowed only with unsecuredDecompression.
                // This also covers signed tokens when a SigningKeyResolver defers verification.
                if (!z) {
                    if (!z2) {
                        throw new UnsupportedJwtException(String.format(B64_DECOMPRESSION_MSG, apply3.getId()));
                    }
                    if (!this.unsecuredDecompression) {
                        throw new UnsupportedJwtException(String.format(UNPROTECTED_DECOMPRESSION_MSG, apply3.getId()));
                    }
                }
                payload2 = payload2.decompress(apply3);
            }
            DefaultClaims defaultClaims = null;
            // NOTE(review): typed Claims by the decompiler, but this local carries the raw payload bytes.
            Claims bytes = payload2.getBytes();
            if (payload2.isConsumable()) {
                InputStream inputStream2 = null;
                try {
                    inputStream2 = payload2.toInputStream();
                    // Claims parsing is attempted only when the header declares no content type.
                    if (!hasContentType(createHeader)) {
                        Map<String, ?> map = null;
                        try {
                            try {
                                if (!inputStream2.markSupported()) {
                                    inputStream2 = new BufferedInputStream(inputStream2);
                                    // NOTE(review): the read limit passed to mark is 0; whether the later
                                    // reset still succeeds for large payloads should be confirmed.
                                    inputStream2.mark(0);
                                }
                                map = deserialize(new UncloseableInputStream(inputStream2), "claims");
                                Streams.reset(inputStream2);
                            } catch (MalformedJwtException | DeserializationException e) {
                                // Not JSON claims: deliberately ignored, the payload is kept as raw bytes.
                                Streams.reset(inputStream2);
                            }
                            if (map != null) {
                                try {
                                    defaultClaims = new DefaultClaims(map);
                                } catch (Throwable th) {
                                    // Only the message is carried over; the cause is not chained.
                                    throw new MalformedJwtException("Invalid claims: " + th.getMessage());
                                }
                            }
                        } catch (Throwable th2) {
                            Streams.reset(inputStream2);
                            throw th2;
                        }
                    }
                    if (defaultClaims == null) {
                        bytes = Streams.bytes(inputStream2, "Unable to convert payload to byte array.");
                    }
                    Objects.nullSafeClose(inputStream2);
                } catch (Throwable th3) {
                    Objects.nullSafeClose(inputStream2);
                    throw th3;
                }
            }
            // With a SigningKeyResolver the signature is verified only here, after the payload has
            // already been deserialized, because the resolver is given the parsed claims.
            if (hasText && this.signingKeyResolver != null) {
                bArr = verifySignature(tokenizedJwt, (JwsHeader) Assert.stateIsInstance(JwsHeader.class, createHeader, "Not a JwsHeader. "), clean, this.signingKeyResolver, defaultClaims, payload2);
            }
            Claims claims = defaultClaims != null ? defaultClaims : bytes;
            // Result type: JWE when the header is a JweHeader, JWS when a digest was present, plain JWT otherwise.
            DefaultJwt defaultJwe = createHeader instanceof JweHeader ? new DefaultJwe((JweHeader) createHeader, claims, r25, bArr) : hasText ? new DefaultJws((JwsHeader) Assert.isInstanceOf(JwsHeader.class, createHeader, "JwsHeader required."), claims, bArr, digest.toString()) : new DefaultJwt(createHeader, claims);
            boolean z3 = this.allowedClockSkewMillis > 0;
            // Time-based and expected-claim checks apply only to claims payloads, not to byte content.
            if (defaultClaims != null) {
                Date now = this.clock.now();
                long time = now.getTime();
                Date expiration = defaultClaims.getExpiration();
                if (expiration != null) {
                    // Expired when (now - skew) is strictly after exp.
                    if ((z3 ? new Date(time - this.allowedClockSkewMillis) : now).after(expiration)) {
                        throw new ExpiredJwtException(createHeader, defaultClaims, "JWT expired " + (time - expiration.getTime()) + " milliseconds ago at " + DateFormats.formatIso8601(expiration, true) + ". Current time: " + DateFormats.formatIso8601(now, true) + ". Allowed clock skew: " + this.allowedClockSkewMillis + " milliseconds.");
                    }
                }
                Date notBefore = defaultClaims.getNotBefore();
                if (notBefore != null) {
                    // Premature when (now + skew) is strictly before nbf.
                    if ((z3 ? new Date(time + this.allowedClockSkewMillis) : now).before(notBefore)) {
                        throw new PrematureJwtException(createHeader, defaultClaims, "JWT early by " + (notBefore.getTime() - time) + " milliseconds before " + DateFormats.formatIso8601(notBefore, true) + ". Current time: " + DateFormats.formatIso8601(now, true) + ". Allowed clock skew: " + this.allowedClockSkewMillis + " milliseconds.");
                    }
                }
                validateExpectedClaims(createHeader, defaultClaims);
            }
            return defaultJwe;
        } catch (Exception e2) {
            // NOTE(review): as decompiled this handler encloses the whole method body, which would
            // relabel every failure above (expired token, bad signature, unsupported 'crit', ...) as
            // "Invalid protected header". The message suggests it belongs to header creation only;
            // the try range is probably a decompilation artifact. Confirm against the bytecode
            // before relying on exception types from this listing.
            throw new MalformedJwtException("Invalid protected header: " + e2.getMessage(), e2);
        }
    }

    /**
     * Widens an {@code Integer} to a {@code Long} so that integral claim values compare equal
     * regardless of which of the two boxed types carries them. Every other value, including
     * {@code null}, is returned unchanged.
     *
     * @param obj the claim value to normalize; may be null
     * @return a {@code Long} for an {@code Integer} input, otherwise {@code obj} itself
     */
    private static Object normalize(Object obj) {
        return (obj instanceof Integer) ? Long.valueOf(((Integer) obj).longValue()) : obj;
    }

    /**
     * Checks the parsed claims against every claim the parser was configured to expect.
     *
     * <p>Both sides are passed through {@code normalize} first. An expected {@code Date} forces the
     * actual value to be read as a {@code Date}. An expected collection requires each of its elements
     * to be present in the actual value (a single actual value is treated as a one-element set).
     * Any other expected value must be {@code equals} to the actual one.
     *
     * @param header the token header, attached to any exception thrown
     * @param claims the parsed claims to validate
     * @throws MissingClaimException   when an expected claim is absent
     * @throws IncorrectClaimException when an expected claim is present but does not match
     */
    private void validateExpectedClaims(Header header, Claims claims) {
        Claims expected = this.expectedClaims.build();
        for (String claimName : expected.keySet()) {
            Object expectedValue = normalize(expected.get(claimName));
            Object actualValue = normalize(claims.get(claimName));
            boolean expectsMany = expectedValue instanceof Collection;

            if (expectedValue instanceof Date) {
                try {
                    actualValue = claims.get(claimName, Date.class);
                } catch (Exception conversionFailure) {
                    // actualValue still holds the unconverted value here, which is what gets reported.
                    throw new IncorrectClaimException(header, claims, claimName, expectedValue, "JWT Claim '" + claimName + "' was expected to be a Date, but its value cannot be converted to a Date using current heuristics.  Value: " + actualValue);
                }
            }

            if (actualValue == null) {
                String suffix = expectsMany ? "s: " : ": ";
                throw new MissingClaimException(header, claims, claimName, expectedValue, "Missing '" + claimName + "' claim. Expected value" + suffix + expectedValue);
            }

            if (!expectsMany) {
                if (!expectedValue.equals(actualValue)) {
                    throw new IncorrectClaimException(header, claims, claimName, expectedValue, String.format("Expected %s claim to be: %s, but was: %s.", claimName, expectedValue, actualValue));
                }
                continue;
            }

            // Collection case: every expected element has to appear among the actual values.
            Collection required = (Collection) expectedValue;
            Collection present = actualValue instanceof Collection ? (Collection) actualValue : Collections.setOf(actualValue);
            for (Object element : required) {
                if (!Collections.contains(present.iterator(), element)) {
                    throw new IncorrectClaimException(header, claims, claimName, expectedValue, String.format(MISSING_EXPECTED_CLAIM_VALUE_MESSAGE_TEMPLATE, element, claimName, present));
                }
            }
        }
    }

    /**
     * Parses the compact token and passes the resulting {@link Jwt} to the given handler.
     *
     * <p>The token is parsed with {@code Payload.EMPTY}, i.e. without a caller-supplied
     * payload. The handler decides which kinds of token it accepts.
     *
     * @param charSequence the compact token text
     * @param jwtHandler   the handler that receives the parsed token
     * @return whatever the handler returns
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public <T> T parse(CharSequence charSequence, JwtHandler<T> jwtHandler) {
        Jwt<?, ?> parsed = parse(charSequence, Payload.EMPTY);
        return (T) parsed.accept(jwtHandler);
    }

    /**
     * Validates that the token text is non-empty, wraps it in a reader and delegates to the
     * reader-based parse overload.
     *
     * @param charSequence the compact token text; rejected when null or without text
     * @param payload      the payload holder to parse with
     * @return the parsed token
     */
    private Jwt<?, ?> parse(CharSequence charSequence, Payload payload) {
        Assert.hasText(charSequence, "JWT String argument cannot be null or empty.");
        CharSequenceReader tokenReader = new CharSequenceReader(charSequence);
        return parse(tokenReader, payload);
    }

    /**
     * Parses the token and hands it to the {@code Jwt.UNSECURED_CONTENT} handler.
     *
     * <p>NOTE(review): as the handler name indicates, the result is an unsecured JWT, with
     * no signature and no encryption, so nothing authenticates its header or content.
     * Callers should treat both as untrusted data. Whether the parser accepts unsecured
     * tokens at all depends on configuration outside this method.
     *
     * @param charSequence the compact token text
     * @return the unsecured JWT with its byte-array content
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwt<Header, byte[]> parseContentJwt(CharSequence charSequence) {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwt) parsed.accept(Jwt.UNSECURED_CONTENT);
    }

    /**
     * Parses the token and hands it to the {@code Jwt.UNSECURED_CLAIMS} handler.
     *
     * <p>NOTE(review): as the handler name indicates, the result is an unsecured JWT, with
     * no signature and no encryption, so the returned claims are not authenticated.
     * Authorization decisions should not rest on them. Whether the parser accepts unsecured
     * tokens at all depends on configuration outside this method.
     *
     * @param charSequence the compact token text
     * @return the unsecured JWT with its claims
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwt<Header, Claims> parseClaimsJwt(CharSequence charSequence) {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwt) parsed.accept(Jwt.UNSECURED_CLAIMS);
    }

    /**
     * Alias for {@link #parseSignedContent(CharSequence)}.
     *
     * @param charSequence the compact JWS text
     * @return the signed token with its byte-array content
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<byte[]> parseContentJws(CharSequence charSequence) {
        Jws<byte[]> signed = parseSignedContent(charSequence);
        return signed;
    }

    /**
     * Alias for {@link #parseSignedClaims(CharSequence)}.
     *
     * @param charSequence the compact JWS text
     * @return the signed token with its claims
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<Claims> parseClaimsJws(CharSequence charSequence) {
        Jws<Claims> signed = parseSignedClaims(charSequence);
        return signed;
    }

    /**
     * Parses the token and hands it to the {@code Jwt.UNSECURED_CONTENT} handler.
     *
     * <p>NOTE(review): an unsecured JWT has no signature and no encryption, so nothing
     * authenticates its header or content; callers should treat both as untrusted data.
     * Whether the parser accepts unsecured tokens at all depends on configuration outside
     * this method.
     *
     * @param charSequence the compact token text
     * @return the unsecured JWT with its byte-array content
     * @throws JwtException             if parsing fails or the handler rejects the token
     * @throws IllegalArgumentException if the token text is null or empty
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwt<Header, byte[]> parseUnsecuredContent(CharSequence charSequence) throws JwtException, IllegalArgumentException {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwt) parsed.accept(Jwt.UNSECURED_CONTENT);
    }

    /**
     * Parses the token and hands it to the {@code Jwt.UNSECURED_CLAIMS} handler.
     *
     * <p>NOTE(review): an unsecured JWT has no signature and no encryption, so the returned
     * claims are not authenticated; authorization decisions should not rest on them.
     * Whether the parser accepts unsecured tokens at all depends on configuration outside
     * this method.
     *
     * @param charSequence the compact token text
     * @return the unsecured JWT with its claims
     * @throws JwtException             if parsing fails or the handler rejects the token
     * @throws IllegalArgumentException if the token text is null or empty
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwt<Header, Claims> parseUnsecuredClaims(CharSequence charSequence) throws JwtException, IllegalArgumentException {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwt) parsed.accept(Jwt.UNSECURED_CLAIMS);
    }

    /**
     * Parses the token and hands it to the {@code Jws.CONTENT} handler, which yields a
     * signed token with byte-array content.
     *
     * @param charSequence the compact JWS text
     * @return the signed token with its byte-array content
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<byte[]> parseSignedContent(CharSequence charSequence) {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jws) parsed.accept(Jws.CONTENT);
    }

    /**
     * Parses the token together with a caller-supplied payload and hands the result to the
     * {@code Jws.CONTENT} handler.
     *
     * @param charSequence the compact JWS text
     * @param payload      the payload supplied separately from the compact text
     * @return the signed token with its byte-array content
     */
    private Jws<byte[]> parseSignedContent(CharSequence charSequence, Payload payload) {
        Jwt<?, ?> parsed = parse(charSequence, payload);
        return (Jws) parsed.accept(Jws.CONTENT);
    }

    /**
     * Parses the token and hands it to the {@code Jws.CLAIMS} handler, which yields a signed
     * token with a claims payload.
     *
     * @param charSequence the compact JWS text
     * @return the signed token with its claims
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<Claims> parseSignedClaims(CharSequence charSequence) {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jws) parsed.accept(Jws.CLAIMS);
    }

    /**
     * Parses the token together with a caller-supplied payload that must be a claims set,
     * then hands the result to the {@code Jws.CLAIMS} handler.
     *
     * <p>The payload is flagged as claims-expected before parsing. Note that this mutates
     * the {@code payload} argument.
     *
     * @param charSequence the compact JWS text
     * @param payload      the payload supplied separately from the compact text
     * @return the signed token with its claims
     */
    private Jws<Claims> parseSignedClaims(CharSequence charSequence, Payload payload) {
        payload.setClaimsExpected(true);
        Jwt<?, ?> parsed = parse(charSequence, payload);
        return (Jws) parsed.accept(Jws.CLAIMS);
    }

    /**
     * Parses a signed token whose payload is supplied separately as raw bytes rather than
     * carried in the compact text.
     *
     * <p>NOTE(review): the bytes come from the caller, not from the token text. The parse
     * path presumably verifies the signature over these bytes. Confirm in the reader-based
     * parse overload before relying on it.
     *
     * @param charSequence the compact JWS text
     * @param bArr         the unencoded payload bytes; rejected when null or empty
     * @return the signed token with its byte-array content
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<byte[]> parseSignedContent(CharSequence charSequence, byte[] bArr) {
        Assert.notEmpty(bArr, "unencodedPayload argument cannot be null or empty.");
        Payload unencodedPayload = new Payload(bArr, (String) null);
        return parseSignedContent(charSequence, unencodedPayload);
    }

    /**
     * Wraps a caller-supplied payload stream in a {@code Payload}.
     *
     * <p>A {@code BytesInputStream} is converted to a byte array up front. Any other stream
     * is passed to the {@code Payload} as a stream.
     *
     * @param inputStream the unencoded payload stream
     * @return a payload backed by bytes or by the stream itself
     */
    private static Payload payloadFor(InputStream inputStream) {
        if (inputStream instanceof BytesInputStream) {
            byte[] bytes = Streams.bytes(inputStream, "Unable to obtain payload InputStream bytes.");
            return new Payload(bytes, (String) null);
        }
        return new Payload(inputStream, (String) null);
    }

    /**
     * Parses a signed token whose payload is supplied separately as a stream rather than
     * carried in the compact text.
     *
     * @param charSequence the compact JWS text
     * @param inputStream  the unencoded payload stream; must not be null
     * @return the signed token with its byte-array content
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<byte[]> parseSignedContent(CharSequence charSequence, InputStream inputStream) {
        Assert.notNull(inputStream, "unencodedPayload InputStream cannot be null.");
        Payload unencodedPayload = payloadFor(inputStream);
        return parseSignedContent(charSequence, unencodedPayload);
    }

    /**
     * Parses a signed token whose claims payload is supplied separately as raw bytes rather
     * than carried in the compact text.
     *
     * @param charSequence the compact JWS text
     * @param bArr         the unencoded claims bytes; rejected when null or empty
     * @return the signed token with its claims
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<Claims> parseSignedClaims(CharSequence charSequence, byte[] bArr) {
        Assert.notEmpty(bArr, "unencodedPayload argument cannot be null or empty.");
        Payload unencodedPayload = new Payload(bArr, (String) null);
        return parseSignedClaims(charSequence, unencodedPayload);
    }

    /**
     * Parses a signed token whose claims payload is supplied separately as a stream.
     *
     * <p>Unlike the content variant, the stream is always converted to a byte array before
     * parsing. NOTE(review): {@code Streams.bytes} presumably drains the whole stream into
     * memory. When the stream comes from an untrusted source, the caller should bound its
     * size before passing it here.
     *
     * @param charSequence the compact JWS text
     * @param inputStream  the unencoded claims stream; must not be null
     * @return the signed token with its claims
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jws<Claims> parseSignedClaims(CharSequence charSequence, InputStream inputStream) {
        Assert.notNull(inputStream, "unencodedPayload InputStream cannot be null.");
        byte[] claimsBytes = Streams.bytes(inputStream, "Unable to obtain Claims bytes from unencodedPayload InputStream");
        return parseSignedClaims(charSequence, new Payload(claimsBytes, (String) null));
    }

    /**
     * Parses the token and hands it to the {@code Jwe.CONTENT} handler, which yields an
     * encrypted token with byte-array content.
     *
     * @param charSequence the compact JWE text
     * @return the encrypted token with its byte-array content
     * @throws JwtException if parsing fails or the handler rejects the token
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwe<byte[]> parseEncryptedContent(CharSequence charSequence) throws JwtException {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwe) parsed.accept(Jwe.CONTENT);
    }

    /**
     * Parses the token and hands it to the {@code Jwe.CLAIMS} handler, which yields an
     * encrypted token with a claims payload.
     *
     * @param charSequence the compact JWE text
     * @return the encrypted token with its claims
     * @throws JwtException if parsing fails or the handler rejects the token
     */
    @Override // org.gcube.io.jsonwebtoken.JwtParser
    public Jwe<Claims> parseEncryptedClaims(CharSequence charSequence) throws JwtException {
        Jwt<?, ?> parsed = parse(charSequence);
        return (Jwe) parsed.accept(Jwe.CLAIMS);
    }

    /**
     * Base64Url-decodes one segment of the compact token.
     *
     * <p>Any failure, including {@link Error}s because {@link Throwable} is caught, is
     * rethrown as a {@link MalformedJwtException} with the original as its cause. The
     * message names the segment and echoes its raw text, except when the segment is the
     * {@code "payload"}: the payload text is replaced by a redaction marker so that token
     * content does not leak into logs or error responses. Other segments are echoed
     * verbatim, so the message can still contain attacker-chosen text.
     *
     * @param charSequence the Base64Url text of the segment
     * @param str          the segment name used in the error message, e.g. {@code "payload"}
     * @return the decoded bytes
     * @throws MalformedJwtException if the segment cannot be decoded
     */
    protected byte[] decode(CharSequence charSequence, String str) {
        try {
            InputStream decoded = this.decoder.decode(Streams.of(Strings.utf8(charSequence)));
            return Streams.bytes(decoded, "Unable to Base64Url-decode input.");
        } catch (Throwable th) {
            // Never echo the payload segment: it may carry sensitive claims or content.
            String shown = "payload".equals(str) ? RedactedSupplier.REDACTED_VALUE : charSequence.toString();
            throw new MalformedJwtException("Invalid Base64Url " + str + ": " + shown, th);
        }
    }

    /**
     * Reads a JSON object from the stream with the configured deserializer and closes the
     * stream afterwards, whether deserialization succeeds or fails.
     *
     * @param inputStream the stream holding the JSON text; closed by this method
     * @param str         the name of the thing being deserialized, passed to
     *                    {@code JsonObjectDeserializer}
     * @return the deserialized JSON object as a map
     */
    protected Map<String, ?> deserialize(InputStream inputStream, String str) {
        try {
            JsonObjectDeserializer jsonDeserializer = new JsonObjectDeserializer(this.deserializer, str);
            Reader jsonReader = Streams.reader(inputStream);
            return jsonDeserializer.apply(jsonReader);
        } finally {
            Objects.nullSafeClose(inputStream);
        }
    }

    /**
     * Bridge overload that narrows the inherited {@code parse(CharSequence)} result to
     * {@link Jwt}. It only delegates to the superclass implementation.
     *
     * @param charSequence the compact token text
     * @return the parsed token
     */
    @Override // org.gcube.io.jsonwebtoken.impl.io.AbstractParser, org.gcube.io.jsonwebtoken.io.Parser
    public /* bridge */ /* synthetic */ Jwt<?, ?> parse(CharSequence charSequence) throws ExpiredJwtException, MalformedJwtException, SignatureException, SecurityException, IllegalArgumentException {
        Jwt<?, ?> parsed = (Jwt) super.parse(charSequence);
        return parsed;
    }
}
