package org.wildfly.security.auth.realm.token.validator;

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.realm.token._private.ElytronMessages;
import org.wildfly.security.x500.cert.acme.Acme;

/* loaded from: input_file:org/wildfly/security/auth/realm/token/validator/JwkManager.class */
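/**
 * Fetches JSON Web Key sets over HTTPS and caches the RSA public keys they contain, indexed by
 * key id ({@code kid}), so that token signatures can be checked against remotely published keys.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only {@link HttpsURLConnection}s are used; a URL with any other scheme yields no keys.</li>
 *   <li>Server authentication relies entirely on the {@link SSLContext} and
 *       {@link HostnameVerifier} supplied to the constructor. A permissive verifier or trust
 *       store lets whoever answers the request choose the keys tokens are verified against.</li>
 *   <li>The URL is fetched as given. Nothing here restricts which hosts may be contacted, so
 *       callers should pass only URLs taken from trusted configuration or checked against an
 *       allow-list.</li>
 * </ul>
 */
class JwkManager {
    // Per-URL key cache. The outer map is guarded by its own monitor; each inner map is a
    // ConcurrentHashMap that is also used as the lock for refreshing that URL.
    // NOTE(review): java.net.URL#equals/hashCode can trigger host name resolution, so every
    // lookup in these two maps may block on DNS (here, while holding the monitor on `keys`).
    // Keying by url.toExternalForm() or by java.net.URI would avoid that; left unchanged
    // because it alters which URLs share a cache entry.
    // NOTE(review): entries are never evicted; the cache grows with the number of distinct URLs.
    private final Map<URL, Map<String, RSAPublicKey>> keys = new LinkedHashMap<>();
    // Time (System.currentTimeMillis) of the last successful fetch for each URL.
    private final Map<URL, Long> timeouts = new ConcurrentHashMap<>();
    private final SSLContext sslContext;
    private final HostnameVerifier hostnameVerifier;
    // Minimum age, in milliseconds, of a cached key set before it is fetched again.
    private final long updateTimeout;
    // Connect and read timeout, in milliseconds, applied to the JWKS request.
    private static final int CONNECTION_TIMEOUT = 2000;

    /**
     * Creates a manager that fetches key sets with the given TLS settings.
     *
     * @param sSLContext       supplies the socket factory (and therefore the trust decisions) for the request
     * @param hostnameVerifier verifier installed on every HTTPS connection
     * @param j                refresh interval in milliseconds for a cached key set
     */
    public JwkManager(SSLContext sSLContext, HostnameVerifier hostnameVerifier, long j) {
        this.sslContext = sSLContext;
        this.hostnameVerifier = hostnameVerifier;
        this.updateTimeout = j;
    }

    /**
     * Looks up the public key with the given key id in the key set published at {@code url},
     * refreshing the cached set first when it is older than the refresh interval.
     *
     * @param str the key id ({@code kid}) to look up
     * @param url location of the JWK set
     * @return the matching key, or {@code null} when the set could not be fetched or holds no such key id
     */
    public PublicKey getPublicKey(String str, URL url) {
        Map<String, RSAPublicKey> cachedKeys = checkRemote(url);
        if (cachedKeys == null) {
            return null;
        }
        RSAPublicKey key = cachedKeys.get(str);
        if (key == null) {
            // NOTE(review): the key id is logged verbatim. If callers take it from a token
            // header before the signature is verified (not visible here), neutralise line
            // breaks before logging to prevent forged log entries.
            ElytronMessages.log.warn("Unknown kid: " + str);
        }
        return key;
    }

    /**
     * Returns the cached key set for {@code url}, fetching it again when no successful fetch is
     * recorded or the last one is at least {@code updateTimeout} milliseconds old.
     *
     * @return the live cache map for the URL, or {@code null} when a refresh was due and failed
     */
    private Map<String, RSAPublicKey> checkRemote(URL url) {
        Assert.checkNotNullParam("url", url);
        Map<String, RSAPublicKey> cached;
        synchronized (this.keys) {
            cached = this.keys.get(url);
            if (cached == null) {
                cached = new ConcurrentHashMap<>();
                this.keys.put(url, cached);
            }
        }
        // The per-URL monitor is held across the network fetch, so concurrent callers for the
        // same URL wait for it. A failed fetch is not recorded in `timeouts`, so every call
        // retries while the endpoint is unavailable.
        synchronized (cached) {
            Long lastUpdate = this.timeouts.get(url);
            long now = System.currentTimeMillis();
            // Subtracting instead of adding avoids long overflow for very large refresh
            // intervals; a URL that was never fetched is always due.
            if (lastUpdate == null || now - lastUpdate >= this.updateTimeout) {
                Map<String, RSAPublicKey> fresh = getJwksFromUrl(url, this.sslContext, this.hostnameVerifier);
                if (fresh == null) {
                    ElytronMessages.log.unableToFetchJwks(url.toString());
                    return null;
                }
                // Readers use the returned map without holding this monitor, so update it in
                // place without ever emptying it: add or replace first, then drop key ids that
                // are no longer published.
                cached.putAll(fresh);
                cached.keySet().retainAll(fresh.keySet());
                this.timeouts.put(url, Long.valueOf(System.currentTimeMillis()));
            }
            return cached;
        }
    }

    /**
     * Downloads and parses the JWK set at {@code url}.
     *
     * <p>Entries without a key id, with a key type other than {@code "RSA"}, or without exponent
     * or modulus are logged and skipped, as are entries whose values cannot be decoded into a
     * key. The member names are the constants referenced from {@code Acme}.
     *
     * @return the parsed keys by key id in document order, or {@code null} when the connection
     *         is not HTTPS, the request fails, or the response has no {@code "keys"} array
     */
    private static Map<String, RSAPublicKey> getJwksFromUrl(URL url, SSLContext sSLContext, HostnameVerifier hostnameVerifier) {
        JsonObject jwkSet = null;
        try {
            URLConnection connection = url.openConnection();
            // Anything other than HTTPS is deliberately not fetched; jwkSet stays null.
            if (connection instanceof HttpsURLConnection) {
                HttpsURLConnection https = (HttpsURLConnection) connection;
                https.setRequestMethod(Acme.GET);
                https.setSSLSocketFactory(sSLContext.getSocketFactory());
                https.setHostnameVerifier(hostnameVerifier);
                https.setConnectTimeout(CONNECTION_TIMEOUT);
                https.setReadTimeout(CONNECTION_TIMEOUT);
                https.connect();
                // Close the reader and the response stream even when parsing fails.
                // NOTE(review): the response size is not bounded, and JSON parsing errors
                // (unchecked javax.json exceptions) propagate to the caller.
                try (InputStream body = https.getInputStream();
                        JsonReader reader = Json.createReader(body)) {
                    jwkSet = reader.readObject();
                }
            }
        } catch (IOException e) {
            ElytronMessages.log.warn("Unable to connect to " + url.toString());
            return null;
        }
        if (jwkSet == null) {
            ElytronMessages.log.warn("No response when fetching jwk set from " + url.toString());
            return null;
        }
        JsonArray jwks = jwkSet.getJsonArray("keys");
        if (jwks == null) {
            ElytronMessages.log.warn("Unable to parse jwks");
            return null;
        }
        Map<String, RSAPublicKey> parsed = new LinkedHashMap<>();
        // JWK "n" and "e" are base64url-encoded unsigned big-endian integers (RFC 7518, 6.3.1).
        // The basic Base64 alphabet rejects '-' and '_', so the URL-safe decoder is required.
        Base64.Decoder decoder = Base64.getUrlDecoder();
        for (int i = 0; i < jwks.size(); i++) {
            JsonObject jwk = jwks.getJsonObject(i);
            String kid = jwk.getString(Acme.KID, null);
            String keyType = jwk.getString(Acme.KEY_TYPE, null);
            String encodedExponent = jwk.getString(Acme.EXPONENT, null);
            String encodedModulus = jwk.getString(Acme.MODULUS, null);
            if (kid == null) {
                ElytronMessages.log.tokenRealmJwkMissingClaim(Acme.KID);
                continue;
            }
            if (!"RSA".equals(keyType)) {
                ElytronMessages.log.tokenRealmJwkMissingClaim(Acme.KEY_TYPE);
                continue;
            }
            if (encodedExponent == null) {
                ElytronMessages.log.tokenRealmJwkMissingClaim(Acme.EXPONENT);
                continue;
            }
            if (encodedModulus == null) {
                ElytronMessages.log.tokenRealmJwkMissingClaim(Acme.MODULUS);
                continue;
            }
            try {
                // Signum 1: the values are unsigned. The one-argument constructor would read
                // a modulus whose top bit is set as a negative number.
                BigInteger modulus = new BigInteger(1, decoder.decode(encodedModulus));
                BigInteger exponent = new BigInteger(1, decoder.decode(encodedExponent));
                RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent);
                parsed.put(kid, (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
                // IllegalArgumentException covers malformed base64url input, so one bad entry
                // is skipped instead of aborting the whole key set.
                ElytronMessages.log.info("Fetched jwk could not be parsed, ignoring...", e);
            }
        }
        return parsed;
    }
}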
