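// Resolve the verification algorithm from the token header. The header has not been
// authenticated at this point, so the "alg" value is chosen by whoever built the token.
// NOTE(review): `algorithms` presumably maps JWT "alg" names to JCA Mac names (plus
// "none"); its contents are not visible here, so confirm it lists only intended algorithms.
String algorithm = algorithms.get(jwtHeader.getAlg());
if (algorithm == null)
    // Fail with a clear error instead of the NullPointerException Mac.getInstance(null)
    // would raise. The header value is deliberately not echoed into the message.
    throw new IllegalStateException("unsupported algorithm");
// get JWTClaims JSON object (still untrusted: it is only acted on after the
// signature check below has passed)
JWTClaims jwtClaims = (JWTClaims) decodeAndParse(pieces[1], JWTClaims.class);
// check signature
if ("none".equals(algorithm))
{
    // An unsigned token proves nothing about its origin. If the verifier was given a
    // key it expects signed tokens, so honouring a token-supplied "none" would skip
    // the MAC check entirely. Callers that really want unsigned tokens must leave
    // the key unset.
    if (args.getKey() != null)
        throw new SignatureException("unsigned token rejected: a verification key is configured");
}
else
{
    if (pieces.length != 3)
        throw new IllegalStateException("wrong number of segments: " + pieces.length);
    if (args.getKey() == null)
        throw new IllegalStateException("key not set");
    Mac hmac = Mac.getInstance(algorithm);
    hmac.init(new SecretKeySpec(decoder.decodeBase64(args.getKey()), algorithm));
    // The signing input is "<header>.<payload>" exactly as received. Pin the charset
    // so the bytes fed to the MAC do not depend on the JVM's platform default.
    byte[] signingInput = (pieces[0] + "." + pieces[1]).getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] expectedSig = hmac.doFinal(signingInput);
    byte[] presentedSig = decoder.decodeBase64(pieces[2]);
    // MessageDigest.isEqual compares in constant time; Arrays.equals stops at the
    // first differing byte, which leaks how much of a forged MAC was correct.
    if (!java.security.MessageDigest.isEqual(expectedSig, presentedSig))
        throw new SignatureException("signature verification failed");
}
// additional JWTClaims checks
// exp == 0 is treated as "no expiry claim": such a token never expires here.
long nowSeconds = System.currentTimeMillis() / 1000L;
if (jwtClaims.getExp() != 0 && nowSeconds >= jwtClaims.getExp())
    throw new IllegalStateException("jwt expired");
// Issuer and audience must match the verifier's configuration exactly: both absent,
// or both present and equal. A claim the verifier did not configure is rejected too.
if (!java.util.Objects.equals(args.getIss(), jwtClaims.getIss()))
    throw new IllegalStateException("jwt issuer invalid");
if (!java.util.Objects.equals(args.getAud(), jwtClaims.getAud()))
    throw new IllegalStateException("jwt audience invalid");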
}