package org.jboss.pnc.buildagent.server;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/* loaded from: input_file:org/jboss/pnc/buildagent/server/KeycloakOfflineTokenVerifier.class */
public class KeycloakOfflineTokenVerifier {
    public static void verify(String str, String str2, String str3, String str4) throws Exception {
        String issuer = parseJwt(str, str2).getPayload().getIssuer();
        if (!issuer.equals(str3 + "/realms/" + str4)) {
            throw new RuntimeException("Token issuer " + issuer + " doesn't match with the configured issuer: " + str3);
        }
    }

    private static Jws<Claims> parseJwt(String str, String str2) throws InvalidKeySpecException, NoSuchAlgorithmException {
        return Jwts.parser().verifyWith(getPublicKeyObject(str2)).build().parseSignedClaims(str);
    }

    private static PublicKey getPublicKeyObject(String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(("-----BEGIN PUBLIC KEY-----" + str + "-----END PUBLIC KEY-----").replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", ""))));
    }
}
