package org.keycloak;

import java.io.IOException;
import java.security.PublicKey;
import org.jboss.resteasy.jose.jws.JWSInput;
import org.jboss.resteasy.jose.jws.crypto.RSAProvider;
import org.jboss.resteasy.jwt.JsonSerialization;
import org.keycloak.representations.SkeletonKeyToken;

/* loaded from: input_file:WEB-INF/lib/keycloak-core-1.0-alpha-1-12062013.jar:org/keycloak/RSATokenVerifier.class */
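/**
 * Verifies RSA-signed tokens and the claims a resource server depends on.
 *
 * <p>Every failure path ends in a {@link VerificationException}; a token is only
 * returned after its signature, activity, principal and audience have all been
 * checked. Claims are never read before the signature check has passed.
 */
public class RSATokenVerifier {
    /**
     * Verifies a token against the realm key and realm name held by the given metadata.
     *
     * @param str the serialized (wire-format) token
     * @param resourceMetadata supplies the realm public key and the expected realm
     * @return the parsed token, once all checks have passed
     * @throws VerificationException if the metadata is missing or any check fails
     */
    public static SkeletonKeyToken verifyToken(String str, ResourceMetadata resourceMetadata) throws VerificationException {
        if (resourceMetadata == null) {
            throw new VerificationException("Resource metadata was null");
        }
        return verifyToken(str, resourceMetadata.getRealmKey(), resourceMetadata.getRealm());
    }

    /**
     * Verifies the token signature with {@code publicKey}, then checks that the token
     * is active, carries a principal, and names {@code str2} as its audience.
     *
     * @param str the serialized (wire-format) token
     * @param publicKey the realm public key used for signature verification
     * @param str2 the expected realm; compared for exact equality with the token audience
     * @return the parsed token, once all checks have passed
     * @throws VerificationException if an argument is null, the token cannot be parsed,
     *         the signature does not verify, or a claim check fails
     */
    public static SkeletonKeyToken verifyToken(String str, PublicKey publicKey, String str2) throws VerificationException {
        // Reject missing inputs up front so they surface as verification failures
        // instead of a NullPointerException part-way through the checks.
        if (str == null) {
            throw new VerificationException("Token was null");
        }
        if (publicKey == null) {
            throw new VerificationException("Realm public key was null");
        }
        if (str2 == null) {
            throw new VerificationException("Realm was null");
        }

        JWSInput input;
        try {
            input = new JWSInput(str);
        } catch (RuntimeException e) {
            // A malformed token should be reported like any other failed verification,
            // not escape as an unchecked exception from the parser.
            throw new VerificationException(e);
        }

        // NOTE(review): which signature algorithms RSAProvider.verify accepts is not
        // visible here; confirm it rejects tokens whose header names "none" or a
        // non-RSA algorithm.
        boolean signatureValid;
        try {
            signatureValid = RSAProvider.verify(input, publicKey);
        } catch (Exception ignored) {
            // Deliberately fail closed: any error during verification counts as an
            // invalid signature. The cause is not reported to the caller.
            signatureValid = false;
        }
        if (!signatureValid) {
            throw new VerificationException("Token signature not validated");
        }

        // The payload is only deserialized after the signature has been accepted.
        SkeletonKeyToken token;
        try {
            token = (SkeletonKeyToken) JsonSerialization.fromBytes(SkeletonKeyToken.class, input.getContent());
        } catch (IOException e) {
            throw new VerificationException(e);
        }
        if (token == null) {
            // Guard against a payload that deserializes to nothing.
            throw new VerificationException("Token content was empty");
        }
        if (!token.isActive()) {
            throw new VerificationException("Token is not active.");
        }
        if (token.getPrincipal() == null) {
            throw new VerificationException("Token user was null");
        }
        // Audience binding: a validly signed token issued for another realm is refused.
        if (!str2.equals(token.getAudience())) {
            throw new VerificationException("Token audience doesn't match domain");
        }
        return token;
    }
}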
