package org.keycloak;

import java.io.IOException;
import java.security.PublicKey;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:WEB-INF/lib/keycloak-core-1.0-beta-4.jar:org/keycloak/RSATokenVerifier.class */
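/**
 * Verifies RSA-signed access tokens and returns the parsed {@link AccessToken}.
 *
 * <p>Checks performed, in order: the token string is parsed as a JWS, its
 * signature is verified against the supplied public key, the claims are
 * deserialized, and the subject, audience and (optionally) the active state
 * are validated. Claims are read only after the signature check has passed.
 *
 * <p>No issuer check is performed in this class; callers that need one must do
 * it themselves.
 */
public class RSATokenVerifier {
    /**
     * Verifies a token with the active-state check enabled.
     *
     * @param str the serialized token
     * @param publicKey the key the token signature is verified against
     * @param str2 the audience value the token is required to carry
     * @return the parsed and validated token
     * @throws VerificationException if any verification step fails
     */
    public static AccessToken verifyToken(String str, PublicKey publicKey, String str2) throws VerificationException {
        return verifyToken(str, publicKey, str2, true);
    }

    /**
     * Verifies a token's signature, subject and audience, and optionally its active state.
     *
     * <p>Every failure is reported as a {@link VerificationException} carrying the
     * message of the step that failed. Rejections raised by the individual checks
     * are no longer re-wrapped as a generic "Couldn't parse token" error, so callers
     * and logs can tell a bad signature from an audience mismatch or an inactive token.
     *
     * @param str the serialized token
     * @param publicKey the key the token signature is verified against
     * @param str2 the audience value the token is required to carry; a {@code null}
     *     value never matches and the token is rejected
     * @param z when {@code true}, the token must report itself active; when
     *     {@code false} that check is skipped entirely, so only pass {@code false}
     *     where accepting an inactive token is intended
     * @return the parsed and validated token
     * @throws VerificationException if parsing, signature verification or any claim check fails
     */
    public static AccessToken verifyToken(String str, PublicKey publicKey, String str2, boolean z) throws VerificationException {
        final JWSInput jWSInput;
        try {
            jWSInput = new JWSInput(str);
        } catch (Exception e) {
            // Malformed or null input: fail closed with a checked exception.
            throw new VerificationException("Couldn't parse token", e);
        }

        // The signature is checked before any claim is deserialized or trusted.
        if (!isPublicKeyValid(jWSInput, publicKey)) {
            throw new VerificationException("Invalid token signature.");
        }

        final AccessToken accessToken;
        try {
            accessToken = (AccessToken) jWSInput.readJsonContent(AccessToken.class);
        } catch (IOException e) {
            throw new VerificationException("Couldn't parse token signature", e);
        } catch (RuntimeException e) {
            // Keep unexpected deserialization failures inside the checked contract.
            throw new VerificationException("Couldn't parse token", e);
        }

        if (accessToken == null || accessToken.getSubject() == null) {
            throw new VerificationException("Token user was null.");
        }
        // Explicit null guard: a missing expected audience is a rejection, not a NullPointerException.
        if (str2 == null || !str2.equals(accessToken.getAudience())) {
            throw new VerificationException("Token audience doesn't match domain.");
        }
        if (z && !accessToken.isActive()) {
            throw new VerificationException("Token is not active.");
        }
        return accessToken;
    }

    /**
     * Verifies the JWS signature against the given public key.
     *
     * <p>Any exception raised by the provider is converted to a
     * {@link VerificationException}, so a provider error cannot be mistaken for
     * a successful verification.
     *
     * <p>NOTE(review): how {@code RSAProvider.verify} selects the signature algorithm
     * is not visible here; confirm it only accepts the expected RSA algorithms.
     *
     * @param jWSInput the parsed token
     * @param publicKey the key to verify against
     * @return the provider's verification result
     * @throws VerificationException if the provider throws while verifying
     */
    private static boolean isPublicKeyValid(JWSInput jWSInput, PublicKey publicKey) throws VerificationException {
        try {
            return RSAProvider.verify(jWSInput, publicKey);
        } catch (Exception e) {
            throw new VerificationException("Token signature not validated.", e);
        }
    }
}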
