package org.apereo.cas.ticket;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.util.EncodingUtils;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/ticket/BaseIdTokenSigningAndEncryptionService.class */
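/**
 * Base support for building, signing, encrypting and validating OpenID Connect id tokens.
 *
 * <p>Subclasses supply the signing key through {@link #getSigningKey()}. The issuer given at
 * construction time is the value {@link #validate(String)} expects in the {@code iss} claim.
 *
 * <p>NOTE(review): several jose4j calls used here declare checked exceptions, yet no
 * {@code throws} clause or try/catch appears in this decompiled listing. Presumably the
 * original source rethrows them implicitly; confirm against the original.
 */
public abstract class BaseIdTokenSigningAndEncryptionService implements IdTokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseIdTokenSigningAndEncryptionService.class);
    private final String issuer;

    /**
     * Creates a JWS over the given claims with the {@code none} algorithm and no constraints.
     *
     * <p>The returned object is an <em>unsecured</em> JWS: it carries no signature and gives no
     * integrity protection. It only becomes a signed token once
     * {@link #configureJsonWebSignatureForIdTokenSigning} has replaced the algorithm and key.
     * Callers that serialize the result without that step emit a token any party can alter.
     *
     * @param jwtClaims claims that become the JWS payload (serialized as JSON)
     * @return a JWS configured with algorithm {@code none}
     */
    protected JsonWebSignature createJsonWebSignature(JwtClaims jwtClaims) {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(jwtClaims.toJson());
        // Unsigned default; NO_CONSTRAINTS is what permits "none" to be serialized at all.
        jws.setAlgorithmHeaderValue("none");
        jws.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);
        return jws;
    }

    /**
     * Wraps an id token in a JWE and returns its compact serialization.
     *
     * @param str  value for the JWE {@code alg} header (key-management algorithm)
     * @param str2 value for the JWE {@code enc} header (content-encryption method)
     * @param str3 value for the JWE {@code kid} header
     * @param key  key handed to the JWE for encryption
     * @param str4 payload to encrypt; the content type header is set to {@code JWT}
     * @return the compact JWE serialization
     */
    protected String encryptIdToken(String str, String str2, String str3, Key key, String str4) {
        // NOTE(review): no algorithm constraints are set here, so the alg/enc values are used
        // as supplied; confirm that callers take them from trusted service configuration.
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmHeaderValue(str);
        jwe.setEncryptionMethodHeaderParameter(str2);
        jwe.setKey(key);
        jwe.setKeyIdHeaderValue(str3);
        jwe.setContentTypeHeaderValue("JWT");
        jwe.setPayload(str4);
        return jwe.getCompactSerialization();
    }

    /**
     * Switches a JWS from its unsigned default to a signed configuration.
     *
     * <p>Sets the private key of the given JWK as the signing key, forbids the {@code none}
     * algorithm, copies the key id when one is present, and takes the signing algorithm from
     * {@code getJsonWebKeySigningAlgorithm} for the service.
     *
     * @param oAuthRegisteredService service the id token is issued for
     * @param jsonWebSignature       JWS to configure; modified in place
     * @param publicJsonWebKey       JWK whose private key signs the token
     * @return the same {@code jsonWebSignature} instance
     */
    protected JsonWebSignature configureJsonWebSignatureForIdTokenSigning(OAuthRegisteredService oAuthRegisteredService, JsonWebSignature jsonWebSignature, PublicJsonWebKey publicJsonWebKey) {
        LOGGER.debug("Service [{}] is set to sign id tokens", oAuthRegisteredService);
        // NOTE(review): getPrivateKey() is not checked for null here; a JWK that holds only
        // public material would leave the JWS without a signing key. Confirm upstream checks.
        jsonWebSignature.setKey(publicJsonWebKey.getPrivateKey());
        // DISALLOW_NONE guards against the service's configured algorithm resolving to "none".
        jsonWebSignature.setAlgorithmConstraints(AlgorithmConstraints.DISALLOW_NONE);
        String keyId = publicJsonWebKey.getKeyId();
        if (StringUtils.isNotBlank(keyId)) {
            jsonWebSignature.setKeyIdHeaderValue(keyId);
        }
        LOGGER.debug("Signing id token with key id header value [{}]", jsonWebSignature.getKeyIdHeaderValue());
        jsonWebSignature.setAlgorithmHeaderValue(getJsonWebKeySigningAlgorithm(oAuthRegisteredService));
        LOGGER.debug("Signing id token with algorithm [{}]", jsonWebSignature.getAlgorithmHeaderValue());
        return jsonWebSignature;
    }

    /**
     * Verifies the signature of a serialized id token and checks its issuer and client id.
     *
     * <p>Only the checks visible below are performed: signature, non-blank issuer equal to the
     * configured issuer, and a non-blank client id claim. No expiration, not-before or audience
     * check appears in this method, so callers that rely on those must apply them separately.
     *
     * @param str the serialized, signed id token
     * @return the claims carried by the token
     * @throws IllegalArgumentException if no usable key is available, the signature cannot be
     *     verified, or the issuer / client id checks fail
     */
    @Override
    public JwtClaims validate(String str) {
        PublicJsonWebKey signingKey = getSigningKey();
        if (signingKey == null) {
            throw new IllegalArgumentException("No JSON web key is available to validate the id token signature");
        }
        if (signingKey.getPublicKey() == null) {
            throw new IllegalArgumentException("JSON web key used to validate the id token signature has no associated public key");
        }
        // NOTE(review): which algorithms verifyJwsSignature accepts is not visible from here;
        // confirm that it rejects "none" and algorithms that do not fit the key type.
        byte[] payload = EncodingUtils.verifyJwsSignature(signingKey.getPublicKey(), str);
        if (payload == null) {
            // Presumably the helper signals a failed verification with null (confirm); fail
            // with a clear validation error rather than a NullPointerException in new String.
            throw new IllegalArgumentException("Unable to verify the signature of the id token");
        }
        JwtClaims claims = JwtClaims.parse(new String(payload, StandardCharsets.UTF_8));
        // The full claim set is written at debug level; it may hold user attributes, so keep
        // debug logging for this category off where logs are broadly readable.
        LOGGER.debug("Validated claims as [{}]", claims);
        String tokenIssuer = claims.getIssuer();
        if (StringUtils.isBlank(tokenIssuer)) {
            throw new IllegalArgumentException("Claims do not contain an issuer");
        }
        // NOTE(review): OpenID Connect Core requires the iss claim to match the issuer
        // identifier exactly; this comparison ignores case. Left as-is because existing
        // deployments may depend on it; consider tightening to equals().
        if (!tokenIssuer.equalsIgnoreCase(this.issuer)) {
            throw new IllegalArgumentException("Issuer assigned to claims does not match " + this.issuer);
        }
        if (StringUtils.isBlank(claims.getStringClaimValue(OAuth20Constants.CLIENT_ID))) {
            throw new IllegalArgumentException("Claims do not contain a client id claim");
        }
        return claims;
    }

    /**
     * Supplies the JWK used to sign id tokens; {@link #validate(String)} uses its public key.
     *
     * @return the signing key
     */
    protected abstract PublicJsonWebKey getSigningKey();

    /**
     * Creates the service for the given issuer.
     *
     * @param str issuer identifier that validated tokens must carry in their issuer claim
     */
    @Generated
    public BaseIdTokenSigningAndEncryptionService(String str) {
        this.issuer = str;
    }

    /**
     * Returns the issuer this service was created with.
     *
     * @return the configured issuer
     */
    @Generated
    public String getIssuer() {
        return this.issuer;
    }
}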
