package org.springframework.security.oauth2.jwt;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Map;
import java.util.function.Supplier;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-6.4.4.jar:org/springframework/security/oauth2/jwt/X509CertificateThumbprintValidator.class */
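/**
 * Validates the X.509 certificate confirmation of a {@link Jwt}: when the token carries
 * {@code cnf."x5t#S256"}, the claimed thumbprint must equal the SHA-256 thumbprint of the
 * certificate returned by the configured supplier.
 *
 * <p>Security notes for integrators:
 * <ul>
 * <li>A token with no {@code cnf} claim, or with no {@code x5t#S256} member in it, is
 * reported as valid. This validator therefore checks a binding that the token asserts; it
 * does not by itself require tokens to be certificate-bound. A deployment that must reject
 * unbound tokens needs an additional validator for that.</li>
 * <li>When the token is bound and no certificate can be obtained, validation fails
 * ({@code invalid_token}), so a missing certificate never relaxes the check.</li>
 * <li>A {@code cnf} claim or thumbprint member of an unexpected type is rejected with
 * {@code invalid_token} instead of surfacing as a {@link ClassCastException}.</li>
 * </ul>
 */
final class X509CertificateThumbprintValidator implements OAuth2TokenValidator<Jwt> {
    /** Supplier that reads the client certificate from the current servlet request. */
    static final Supplier<X509Certificate> DEFAULT_X509_CERTIFICATE_SUPPLIER = new DefaultX509CertificateSupplier();
    private final Log logger = LogFactory.getLog(getClass());
    private final Supplier<X509Certificate> x509CertificateSupplier;

    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-jose-6.4.4.jar:org/springframework/security/oauth2/jwt/X509CertificateThumbprintValidator$DefaultX509CertificateSupplier.class */
    /**
     * Reads the certificate array stored under the request-scoped attribute
     * {@code jakarta.servlet.request.X509Certificate} and returns its first element.
     *
     * <p>NOTE(review): the attribute is expected to be populated by the servlet container from
     * the TLS handshake. If TLS is terminated in front of the application and the attribute
     * is not set, this returns {@code null} and every certificate-bound token is rejected;
     * confirm how the deployment forwards the client certificate.
     */
    private static final class DefaultX509CertificateSupplier implements Supplier<X509Certificate> {
        private DefaultX509CertificateSupplier() {
        }

        /**
         * @return the first certificate of the current request, or {@code null} when there is
         * no bound request or the attribute is absent or empty
         */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.function.Supplier
        public X509Certificate get() {
            RequestAttributes requestAttributes = RequestContextHolder.getRequestAttributes();
            if (requestAttributes == null) {
                return null;
            }
            X509Certificate[] certificates = (X509Certificate[]) requestAttributes
                    .getAttribute("jakarta.servlet.request.X509Certificate", RequestAttributes.SCOPE_REQUEST);
            if (certificates == null || certificates.length == 0) {
                return null;
            }
            // Index 0 is taken as the certificate presented by the client (the Servlet
            // specification orders this array starting with the client's own certificate).
            return certificates[0];
        }
    }

    /**
     * @param supplier source of the certificate to compare against; must not be {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public X509CertificateThumbprintValidator(Supplier<X509Certificate> supplier) {
        Assert.notNull(supplier, "x509CertificateSupplier cannot be null");
        this.x509CertificateSupplier = supplier;
    }

    /**
     * Checks the {@code cnf."x5t#S256"} confirmation of the given token.
     *
     * @param jwt the token whose confirmation claim is inspected
     * @return success when the token asserts no certificate binding or the thumbprints match;
     * otherwise a failure carrying an {@code invalid_token} error
     */
    @Override // org.springframework.security.oauth2.core.OAuth2TokenValidator
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Object confirmationClaim = jwt.getClaim("cnf");
        if (confirmationClaim == null) {
            // No confirmation claim: the token is not certificate-bound.
            return OAuth2TokenValidatorResult.success();
        }
        if (!(confirmationClaim instanceof Map)) {
            // Fail closed on a malformed claim rather than throwing ClassCastException.
            return failure("The cnf claim must be a JSON object.", null);
        }
        // A missing key, an empty map and an explicit null value all yield null here,
        // which is treated as "no X.509 binding asserted".
        Object claimedThumbprint = ((Map<?, ?>) confirmationClaim).get("x5t#S256");
        if (claimedThumbprint == null) {
            return OAuth2TokenValidatorResult.success();
        }
        if (!(claimedThumbprint instanceof String)) {
            return failure("The x5t#S256 confirmation value must be a string.", null);
        }

        X509Certificate x509Certificate = this.x509CertificateSupplier.get();
        if (x509Certificate == null) {
            return failure("Unable to obtain X509Certificate from current request.", null);
        }

        String actualThumbprint;
        try {
            actualThumbprint = computeSHA256Thumbprint(x509Certificate);
        } catch (Exception e) {
            // Keep the cause in the debug log so encoding/digest failures can be diagnosed.
            return failure("Failed to compute SHA-256 Thumbprint for X509Certificate.", e);
        }

        // Plain equals: with the default supplier both operands come from the caller's own
        // request (token claim and presented certificate), so neither side is a secret.
        if (!actualThumbprint.equals(claimedThumbprint)) {
            return failure("Invalid SHA-256 Thumbprint for X509Certificate.", null);
        }
        return OAuth2TokenValidatorResult.success();
    }

    /** Builds an {@code invalid_token} failure and writes it to the debug log. */
    private OAuth2TokenValidatorResult failure(String description, Throwable cause) {
        OAuth2Error error = new OAuth2Error("invalid_token", description, null);
        if (this.logger.isDebugEnabled()) {
            if (cause != null) {
                this.logger.debug(error.toString(), cause);
            } else {
                this.logger.debug(error.toString());
            }
        }
        return OAuth2TokenValidatorResult.failure(error);
    }

    /**
     * Computes the thumbprint in the form used by the {@code x5t#S256} confirmation member:
     * SHA-256 over the certificate's encoded form, base64url-encoded without padding.
     *
     * @param x509Certificate the certificate to hash
     * @return the unpadded base64url thumbprint
     * @throws Exception if the certificate cannot be encoded or SHA-256 is unavailable
     */
    static String computeSHA256Thumbprint(X509Certificate x509Certificate) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(x509Certificate.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
}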
