package org.glassfish.soteria.mechanisms.openid.controller;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import jakarta.security.enterprise.identitystore.openid.AccessToken;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Map;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;

/* loaded from: input_file:org/glassfish/soteria/mechanisms/openid/controller/AccessTokenClaimsSetVerifier.class */
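/**
 * Checks that an access token matches the {@code at_hash} claim of the ID token it was
 * issued with.
 *
 * <p>The expected value is recomputed locally: the access token is hashed with the SHA-2
 * digest whose size is taken from the ID token's signing algorithm name, the left-most half
 * of the digest is kept, and that half is base64url-encoded. A mismatch means the access
 * token is not the one the ID token was bound to.
 */
public class AccessTokenClaimsSetVerifier extends TokenClaimsSetVerifier {
    private final AccessToken accessToken;
    private final Algorithm idTokenAlgorithm;
    private final Map<String, Object> idTokenClaims;

    /**
     * @param accessToken the access token received together with the ID token
     * @param algorithm the algorithm of the ID token; its name selects the digest
     * @param map the claims of the ID token, looked up for {@code at_hash}
     * @param openIdConfiguration configuration passed through to the superclass
     */
    public AccessTokenClaimsSetVerifier(AccessToken accessToken, Algorithm algorithm, Map<String, Object> map, OpenIdConfiguration openIdConfiguration) {
        super(openIdConfiguration);
        this.accessToken = accessToken;
        this.idTokenAlgorithm = algorithm;
        this.idTokenClaims = map;
    }

    /**
     * Runs {@link #validateAccessToken()}. The claims set argument is not read; the check
     * uses the ID token claims supplied to the constructor.
     *
     * <p>NOTE(review): a hash mismatch surfaces as an unchecked {@link IllegalStateException},
     * not as the declared {@link BadJWTException}, so a caller that only catches
     * {@code BadJWTException} will not see it as a token rejection.
     *
     * @param jWTClaimsSet unused
     * @throws BadJWTException declared by the overridden method; not thrown here
     */
    @Override // org.glassfish.soteria.mechanisms.openid.controller.TokenClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet) throws BadJWTException {
        validateAccessToken();
    }

    /**
     * Recomputes {@code at_hash} from the access token and compares it with the claim.
     *
     * <p>When the ID token carries no {@code at_hash} claim nothing is checked and the
     * method returns normally. OpenID Connect Core makes {@code at_hash} optional in the
     * authorization code flow but required when the access token is returned from the
     * authorization endpoint alongside the ID token; this class has no knowledge of the
     * flow, so a caller that needs the binding must enforce the claim's presence itself.
     *
     * @throws IllegalStateException if the claim is present but does not equal the
     *     recomputed value (including a null or non-string claim value), or if no digest
     *     can be derived from the ID token algorithm
     */
    public void validateAccessToken() {
        if (!this.idTokenClaims.containsKey(OpenIdConstant.ACCESS_TOKEN_HASH)) {
            return;
        }
        MessageDigest messageDigest = getMessageDigest(this.idTokenAlgorithm);
        // Assumes AccessToken.toString() yields the raw token string as received.
        // TODO confirm against the AccessToken implementation in use.
        messageDigest.update(this.accessToken.toString().getBytes(StandardCharsets.US_ASCII));
        byte[] digest = messageDigest.digest();
        // Left-most half of the digest, base64url-encoded.
        String expectedHash = Base64URL.encode(Arrays.copyOf(digest, digest.length / 2)).toString();
        Object claimedHash = this.idTokenClaims.get(OpenIdConstant.ACCESS_TOKEN_HASH);
        // Compare from the computed side: a claim that is present but null (or not a
        // String) is then rejected as a mismatch instead of raising NullPointerException.
        if (!expectedHash.equals(claimedHash)) {
            throw new IllegalStateException("Invalid access token hash (at_hash) value");
        }
    }

    /**
     * Maps the ID token algorithm name to a SHA-2 {@link MessageDigest} by reading the bit
     * size that follows the two-letter family prefix (for example {@code RS256} selects
     * {@code SHA-256}).
     *
     * <p>Only the sizes 256, 384 and 512 are accepted. The digest name is built from a value
     * that originates in the token header, so the suffix is checked against this fixed list
     * rather than passed to the provider lookup unchecked; this keeps a name such as one
     * ending in {@code 1} from selecting SHA-1.
     *
     * @param algorithm the ID token algorithm
     * @return a fresh digest instance
     * @throws IllegalStateException if the algorithm is missing, its name does not end in a
     *     supported size, or the provider has no such digest
     */
    private MessageDigest getMessageDigest(Algorithm algorithm) {
        String name = algorithm == null ? null : algorithm.getName();
        // Fewer than three characters leaves nothing after the two-letter prefix.
        if (name == null || name.length() < 3) {
            throw new IllegalStateException("Cannot derive a hash algorithm for at_hash from ID token algorithm : " + name);
        }
        String bits = name.substring(2);
        if (!"256".equals(bits) && !"384".equals(bits) && !"512".equals(bits)) {
            throw new IllegalStateException("Cannot derive a hash algorithm for at_hash from ID token algorithm : " + name);
        }
        String str = "SHA-" + bits;
        try {
            return MessageDigest.getInstance(str);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("No MessageDigest instance found with the specified algorithm : " + str, e);
        }
    }
}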
