package com.okta.jwt.impl.jjwt;

import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.impl.DefaultJwt;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtHandlerAdapter;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.UnsupportedJwtException;
import java.time.Duration;
import java.util.Map;

/* loaded from: input_file:com/okta/jwt/impl/jjwt/TokenVerifierSupport.class */
abstract class TokenVerifierSupport {
    private final SigningKeyResolver keyResolver;
    private final String issuer;
    private final Duration leeway;

    /* loaded from: input_file:com/okta/jwt/impl/jjwt/TokenVerifierSupport$OktaJwtHandler.class */
    static class OktaJwtHandler extends JwtHandlerAdapter<Jws<Claims>> {
        private final ClaimsValidator claimsValidator;

        protected OktaJwtHandler(ClaimsValidator claimsValidator) {
            this.claimsValidator = claimsValidator;
        }

        @Override // io.jsonwebtoken.JwtHandlerAdapter, io.jsonwebtoken.JwtHandler
        public Jws<Claims> onClaimsJws(Jws<Claims> jws) {
            String algorithm = jws.getHeader().getAlgorithm();
            if (!SignatureAlgorithm.RS256.getValue().equals(algorithm)) {
                throw new UnsupportedJwtException("JWT Header 'alg' of [" + algorithm + "] is not supported, only RSA25 signatures are supported");
            }
            this.claimsValidator.validateClaims(jws);
            return jws;
        }

        @Override // io.jsonwebtoken.JwtHandlerAdapter, io.jsonwebtoken.JwtHandler
        public /* bridge */ /* synthetic */ Object onClaimsJws(Jws jws) {
            return onClaimsJws((Jws<Claims>) jws);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TokenVerifierSupport(String str, Duration duration, SigningKeyResolver signingKeyResolver) {
        this.issuer = str;
        this.leeway = duration;
        this.keyResolver = signingKeyResolver;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public JwtParser parser() {
        return Jwts.parser().setSigningKeyResolver(this.keyResolver).requireIssuer(this.issuer).setAllowedClockSkewSeconds(this.leeway.getSeconds());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Jwt decode(String str, JwtParser jwtParser, ClaimsValidator claimsValidator) throws JwtVerificationException {
        if (!jwtParser.isSigned(str)) {
            throw new JwtVerificationException("Token did not contain signature");
        }
        try {
            Jws jws = (Jws) jwtParser.parse(str, new OktaJwtHandler(claimsValidator));
            return new DefaultJwt(str, ((Claims) jws.getBody()).getIssuedAt().toInstant(), ((Claims) jws.getBody()).getExpiration().toInstant(), (Map) jws.getBody());
        } catch (JwtException e) {
            throw new JwtVerificationException("Failed to parse token", e);
        }
    }

    SigningKeyResolver getKeyResolver() {
        return this.keyResolver;
    }

    String getIssuer() {
        return this.issuer;
    }

    Duration getLeeway() {
        return this.leeway;
    }
}
