package com.atlassian.connect.spring.internal.jwt;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.Calendar;
import java.util.Date;
import java.util.Set;

/* loaded from: input_file:com/atlassian/connect/spring/internal/jwt/AbstractJwtReader.class */
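/**
 * Base class for JWT readers that parse a compact JWS string, verify its signature with a
 * fixed {@link JWSVerifier}, and validate the time claims and the query string hash claim.
 *
 * <p>Subclasses choose the single signing algorithm they accept via
 * {@link #getSupportedAlgorithm()}. A token whose header names any other algorithm is rejected
 * before its signature is checked.
 */
public abstract class AbstractJwtReader {
    /** Clock-skew tolerance, in seconds, applied to the 'nbf' and 'exp' comparisons. */
    private static final int TIME_CLAIM_LEEWAY_SECONDS = 30;
    /** Start of the parser's error message when a claim has the wrong JSON type. */
    private static final String UNEXPECTED_TYPE_MESSAGE_PREFIX = "Unexpected type of JSON object member with key ";
    /** Claims that must be numeric; a type error on one of these is reported as an invalid claim. */
    private static final Set<String> NUMERIC_CLAIM_NAMES = Set.of("exp", "iat", "nbf");
    private final JWSVerifier verifier;

    /**
     * Creates a reader that verifies signatures with the given verifier.
     *
     * @param jWSVerifier verifier used for every token passed to {@link #readAndVerify}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractJwtReader(JWSVerifier jWSVerifier) {
        this.verifier = jWSVerifier;
    }

    /**
     * Returns the one signing algorithm this reader accepts.
     *
     * @return the algorithm the JWS header must declare
     */
    protected abstract Algorithm getSupportedAlgorithm();

    /**
     * Verifies the signature of a JWT and validates its claims.
     *
     * <p>Checks performed, in order: header algorithm and signature (see {@code verify}),
     * presence of 'exp' and 'iat', 'exp' strictly after 'nbf' when 'nbf' is present, 'nbf' not
     * more than the leeway in the future, 'exp' not more than the leeway in the past, and
     * finally the query string hash claim.
     *
     * <p>Security notes for callers:
     * <ul>
     *   <li>The query string hash is compared only when {@code str2} is non-null AND the token
     *       carries the claim. A token that omits the claim is accepted even when an expected
     *       hash was supplied, so this method alone does not bind a token to a request. Callers
     *       that need that binding must require the claim themselves.</li>
     *   <li>'iat' must be present but its value is not otherwise checked here.</li>
     * </ul>
     *
     * @param str  the serialized JWT
     * @param str2 the expected query string hash, or {@code null} to skip that comparison
     * @return the verified claims
     * @throws JwtParseException if the token or its claims cannot be parsed
     * @throws JwtVerificationException if the signature, algorithm or a claim is rejected
     */
    public JWTClaimsSet readAndVerify(String str, String str2) throws JwtParseException, JwtVerificationException {
        try {
            // Claims are parsed only from a payload whose signature has already been verified.
            JWTClaimsSet claims = JWTClaimsSet.parse(verify(str).getPayload().toString());
            if (claims.getIssueTime() == null || claims.getExpirationTime() == null) {
                throw new JwtInvalidClaimException("'exp' and 'iat' are required claims. Atlassian JWT does not allow JWTs with unlimited lifetimes.");
            }

            // Build the accepted window [now - leeway, now + leeway] to tolerate clock skew.
            Date now = new Date();
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(now);
            calendar.add(Calendar.SECOND, -TIME_CLAIM_LEEWAY_SECONDS);
            Date earliestAcceptedExpiry = calendar.getTime();
            calendar.setTime(now);
            calendar.add(Calendar.SECOND, TIME_CLAIM_LEEWAY_SECONDS);
            Date latestAcceptedNotBefore = calendar.getTime();

            if (null != claims.getNotBeforeTime()) {
                if (!claims.getExpirationTime().after(claims.getNotBeforeTime())) {
                    throw new JwtInvalidClaimException(String.format("The expiration time must be after the not-before time but exp=%s and nbf=%s", claims.getExpirationTime(), claims.getNotBeforeTime()));
                }
                if (claims.getNotBeforeTime().after(latestAcceptedNotBefore)) {
                    throw new JwtTooEarlyException(claims.getNotBeforeTime(), now, TIME_CLAIM_LEEWAY_SECONDS);
                }
            }
            if (claims.getExpirationTime().before(earliestAcceptedExpiry)) {
                throw new JwtExpiredException(claims.getExpirationTime(), now, TIME_CLAIM_LEEWAY_SECONDS);
            }

            if (str2 == null) {
                return claims;
            }
            Object actualHash = claims.getClaim(HttpRequestCanonicalizer.QUERY_STRING_HASH_CLAIM_NAME);
            // NOTE(review): an absent claim passes here; see the method Javadoc.
            if (actualHash == null || str2.equals(actualHash)) {
                return claims;
            }
            throw new JwtInvalidClaimException(String.format("Expecting claim '%s' to have value '%s' but instead it has the value '%s'", HttpRequestCanonicalizer.QUERY_STRING_HASH_CLAIM_NAME, str2, actualHash));
        } catch (ParseException e) {
            // A ParseException may carry no message; without this guard the handler itself
            // would fail with a NullPointerException and mask the parse error.
            String message = e.getMessage();
            if (message == null || !message.startsWith(UNEXPECTED_TYPE_MESSAGE_PREFIX)) {
                throw new JwtParseException(e);
            }
            // What remains after stripping the prefix and the quotes is the offending claim name.
            String claimName = message.replace(UNEXPECTED_TYPE_MESSAGE_PREFIX, "").replace("\"", "");
            if (NUMERIC_CLAIM_NAMES.contains(claimName)) {
                throw new JwtInvalidClaimException(String.format("Expecting claim '%s' to be numeric but it is a string", claimName), e);
            }
            throw new JwtParseException("Perhaps a claim is of the wrong type (e.g. expecting integer but found string): " + message, e);
        }
    }

    /**
     * Parses the serialized token, enforces the supported algorithm and checks the signature.
     *
     * <p>The header's algorithm is compared with {@link #getSupportedAlgorithm()} before the
     * signature is verified, so the token cannot select the algorithm it is verified with.
     *
     * @param str the serialized JWT
     * @return the parsed object, once its signature has been verified
     * @throws JwtParseException if the string is not a parseable JWS
     * @throws JwtVerificationException if the algorithm differs or the signature does not verify
     */
    private JWSObject verify(String str) throws JwtParseException, JwtVerificationException {
        try {
            JWSObject jws = JWSObject.parse(str);
            JWSAlgorithm declaredAlgorithm = jws.getHeader().getAlgorithm();
            if (!getSupportedAlgorithm().equals(declaredAlgorithm)) {
                throw new JwtInvalidSigningAlgorithmException(String.format("Expected JWT to be signed with '%s' but it was signed with '%s' instead", getSupportedAlgorithm(), declaredAlgorithm));
            }
            if (jws.verify(this.verifier)) {
                return jws;
            }
            // NOTE(review): the raw token is handed to the exception; confirm it does not end
            // up verbatim in logs or in responses.
            throw new JwtSignatureMismatchException(str);
        } catch (ParseException e) {
            throw new JwtParseException(e);
        } catch (JOSEException e2) {
            // The cast presumably selects the Exception overload of the constructor; kept as is.
            throw new JwtSignatureMismatchException((Exception) e2);
        }
    }
}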
