package org.springframework.security.oauth2.provider.token.store.jwk;

import java.util.Map;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.JsonParser;
import org.springframework.security.oauth2.common.util.JsonParserFactory;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.0.13.RELEASE.jar:org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.class */
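/**
 * A {@link JwtAccessTokenConverter} that decodes JWTs by verifying their signature against a
 * JWK selected through the token's {@code kid} header. Signing is not supported:
 * {@link #encode} always throws.
 *
 * <p>This listing is decompiler output. The decompiler widened the constructor from
 * package-private and {@link #decode} from protected; both are kept as they appear here.
 */
class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter {
    /** Supplies JWK definitions and signature verifiers, both looked up by key id. */
    private final JwkDefinitionSource jwkDefinitionSource;
    /** Extracts the JOSE header parameters from the compact token string. */
    private final JwtHeaderConverter jwtHeaderConverter = new JwtHeaderConverter();
    /** Parses the JSON claims payload into a map. */
    private final JsonParser jsonParser = JsonParserFactory.create();

    /**
     * Creates a converter that resolves verification keys through the given source.
     *
     * @param jwkDefinitionSource the source queried for the JWK definition and verifier of a {@code kid}
     */
    public JwkVerifyingJwtAccessTokenConverter(JwkDefinitionSource jwkDefinitionSource) {
        this.jwkDefinitionSource = jwkDefinitionSource;
    }

    /**
     * Checks the JOSE header of a JWT, verifies its signature and returns its claims.
     *
     * <p>The {@code kid} and {@code alg} values are read from the token before any signature check,
     * so they are untrusted input. Both are echoed into the exception messages below; a caller
     * that logs or renders those messages should treat them as attacker-influenced text.
     *
     * <p>No expiry, issuer or audience check happens in this method; presumably the caller
     * applies them to the returned claims (confirm against the calling code).
     *
     * @param str the compact-serialized JWT
     * @return the claims as a map, with an {@code Integer} expiry claim widened to {@code Long}
     * @throws InvalidTokenException if {@code kid} or {@code alg} is absent, if no JWK or verifier
     *     is known for the {@code kid}, or if {@code alg} differs from the algorithm registered
     *     for that JWK
     */
    @Override
    public Map<String, Object> decode(String str) {
        Map<String, String> headers = this.jwtHeaderConverter.convert2(str);

        String keyId = headers.get("kid");
        if (keyId == null) {
            throw new InvalidTokenException("Invalid JWT/JWS: kid is a required JOSE Header");
        }
        JwkDefinition jwkDefinition = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyId);
        if (jwkDefinition == null) {
            throw new InvalidTokenException("Invalid JOSE Header kid (" + keyId + ")");
        }

        String algorithm = headers.get("alg");
        if (algorithm == null) {
            throw new InvalidTokenException("Invalid JWT/JWS: alg is a required JOSE Header");
        }
        // The token's alg must equal the algorithm registered for the key, so the token cannot
        // choose how a key is used for verification.
        if (!algorithm.equals(jwkDefinition.getAlgorithm().headerParamValue())) {
            throw new InvalidTokenException("Invalid JOSE Header alg (" + algorithm
                    + ") does not match algorithm associated to JWK with kid (" + keyId + ")");
        }

        // The verifier comes from a second lookup whose contract is not visible in this file.
        // A missing verifier is rejected as an invalid token instead of being handed to
        // verifySignature.
        SignatureVerifier verifier = this.jwkDefinitionSource.getVerifier(keyId);
        if (verifier == null) {
            throw new InvalidTokenException("Invalid JOSE Header kid (" + keyId + ")");
        }

        // The outcome of verifySignature is not inspected here, so rejecting a bad signature
        // relies on that call throwing; its behaviour is defined outside this file.
        Jwt jwt = JwtHelper.decode(str);
        jwt.verifySignature(verifier);

        Map<String, Object> claims = this.jsonParser.parseMap(jwt.getClaims());
        Object expiry = claims.get(AccessTokenConverter.EXP);
        if (expiry instanceof Integer) {
            // Widen the expiry claim to Long; Long.valueOf replaces the deprecated Long constructor.
            claims.put(AccessTokenConverter.EXP, Long.valueOf(((Integer) expiry).longValue()));
        }
        return claims;
    }

    /**
     * Always fails: this converter only verifies tokens and never signs them.
     *
     * @param oAuth2AccessToken the access token (unused)
     * @param oAuth2Authentication the authentication (unused)
     * @return never returns normally
     * @throws JwkException always
     */
    @Override
    protected String encode(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        throw new JwkException("JWT signing (JWS) is not supported.");
    }
}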
