package net.shibboleth.idp.plugin.oidc.op.security.jwt.claims.impl;

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import javax.annotation.Nonnull;
import net.shibboleth.oidc.jwt.claims.AbstractClaimsValidator;
import net.shibboleth.oidc.jwt.claims.JWTValidationException;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/security/jwt/claims/impl/ChainExpiryClaimsValidator.class */
public class ChainExpiryClaimsValidator extends AbstractClaimsValidator {

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ChainExpiryClaimsValidator.class);

    @Nonnull
    private Duration clockSkew = Duration.ofSeconds(60);

    public void setClockSkew(@Nonnull Duration duration) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.clockSkew = (Duration) Constraint.isNotNull(duration, "Clock skew cannot be null");
    }

    public void doValidate(@Nonnull JWTClaimsSet jWTClaimsSet, @Nonnull ProfileRequestContext profileRequestContext) throws JWTValidationException {
        Instant now = Instant.now();
        try {
            Date dateClaim = jWTClaimsSet.getDateClaim("c_exp");
            if (dateClaim != null && now.isAfter(dateClaim.toInstant().plus((TemporalAmount) this.clockSkew))) {
                throw new JWTValidationException("Expired JWT by the chain expiration");
            }
        } catch (ParseException e) {
            throw new JWTValidationException("Unexpected contents on 'c_exp' claim");
        }
    }
}
