package org.iplass.mtp.impl.auth.oauth.jwt;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.security.SignatureException;
import java.security.Key;
import java.security.PrivateKey;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import org.iplass.mtp.impl.auth.oauth.util.IdTokenConstants;
import org.iplass.mtp.impl.auth.oauth.util.OAuthConstants;

/* loaded from: input_file:org/iplass/mtp/impl/auth/oauth/jwt/JjwtProcesor.class */
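/**
 * {@link JwtProcessor} implementation backed by the JJWT library.
 *
 * <p>Signs claim sets with the private key of a {@link CertificateKeyPair} and verifies
 * compact JWS strings against keys resolved from the {@code kid} header of the token.
 */
public class JjwtProcesor implements JwtProcessor {
    /** When {@code true}, RS256/RS384/RS512 are replaced by PS256/PS384/PS512 when signing. */
    private boolean useRsaSsaPss;

    /**
     * Reports whether RSASSA-PSS algorithms are substituted for the RSASSA-PKCS1-v1_5 ones.
     *
     * @return the current value of the flag
     */
    public boolean isUseRsaSsaPss() {
        return this.useRsaSsaPss;
    }

    /**
     * Enables or disables substitution of PS256/PS384/PS512 for RS256/RS384/RS512.
     *
     * @param z {@code true} to sign with the RSASSA-PSS variants
     */
    public void setUseRsaSsaPss(boolean z) {
        this.useRsaSsaPss = z;
    }

    /**
     * Builds a signed compact JWS from the given claims.
     *
     * <p>The key pair's key ID is written to the {@code kid} header and the signature
     * algorithm is the one {@link #forSigningKey(PrivateKey)} selects for the private key.
     *
     * @param map claims to put into the token body
     * @param certificateKeyPair key pair supplying the private key and the key ID
     * @return the compact serialization of the signed token
     * @throws InvalidKeyException if JJWT rejects the private key
     */
    @Override
    public String encode(Map<String, Object> map, CertificateKeyPair certificateKeyPair) throws InvalidKeyException {
        try {
            return Jwts.builder()
                    .addClaims(map)
                    .setHeaderParam("kid", certificateKeyPair.getKeyId())
                    .signWith(certificateKeyPair.getPrivateKey(), forSigningKey(certificateKeyPair.getPrivateKey()))
                    .compact();
        } catch (io.jsonwebtoken.security.InvalidKeyException e) {
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /**
     * Selects the signature algorithm for a private key.
     *
     * <p>Starts from JJWT's own choice for the key and, when {@code useRsaSsaPss} is set,
     * maps each RSxxx algorithm to the PSxxx algorithm of the same hash size. Any other
     * algorithm is returned unchanged.
     *
     * @param privateKey key that will be used for signing
     * @return the algorithm to sign with
     */
    private SignatureAlgorithm forSigningKey(PrivateKey privateKey) {
        SignatureAlgorithm preferred = SignatureAlgorithm.forSigningKey(privateKey);
        if (!this.useRsaSsaPss) {
            return preferred;
        }
        if (preferred == SignatureAlgorithm.RS256) {
            return SignatureAlgorithm.PS256;
        }
        if (preferred == SignatureAlgorithm.RS384) {
            return SignatureAlgorithm.PS384;
        }
        if (preferred == SignatureAlgorithm.RS512) {
            return SignatureAlgorithm.PS512;
        }
        return preferred;
    }

    /**
     * Returns the JWA name of the algorithm {@link #encode(Map, CertificateKeyPair)} would use.
     *
     * @param certificateKeyPair key pair whose private key determines the algorithm
     * @return the algorithm name as reported by {@link SignatureAlgorithm#getValue()}
     * @throws InvalidKeyException if JJWT rejects the private key
     */
    @Override
    public String preferredAlgorithm(CertificateKeyPair certificateKeyPair) throws InvalidKeyException {
        try {
            return forSigningKey(certificateKeyPair.getPrivateKey()).getValue();
        } catch (io.jsonwebtoken.security.InvalidKeyException e) {
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /**
     * Checks that the public key of a key pair may verify signatures of the named algorithm.
     *
     * @param str JWA algorithm name, resolved with {@link SignatureAlgorithm#forName(String)}
     * @param certificateKeyPair key pair supplying the public key to check
     * @throws InvalidKeyException if the algorithm name is rejected or the key does not fit it
     */
    @Override
    public void checkValidVerificationKey(String str, CertificateKeyPair certificateKeyPair) throws InvalidKeyException {
        try {
            SignatureAlgorithm.forName(str).assertValidVerificationKey(certificateKeyPair.getPublicKey());
        } catch (SignatureException | io.jsonwebtoken.security.InvalidKeyException e) {
            throw new InvalidKeyException(e.getMessage(), e);
        }
    }

    /**
     * Parses a compact JWS and verifies its signature.
     *
     * <p>The verification key is looked up through {@code function} using the token's
     * {@code kid} header. Before a key is handed to JJWT the resolver rejects a JWK whose
     * {@code use} is not {@code sig}, a token whose algorithm disagrees with the one pinned
     * in the JWK, a missing or {@code none} algorithm, and a key that is not valid for the
     * effective algorithm.
     *
     * @param str compact JWS string to parse
     * @param i allowed clock skew, in minutes
     * @param function maps a key ID to the JWK parameters for that key, or {@code null} if unknown
     * @return the parsed header and claims
     * @throws InvalidKeyException if the resolved key is unusable
     * @throws InvalidJwtException if the token is malformed, unverifiable or otherwise rejected
     */
    @Override
    public Jwt decode(String str, int i, final Function<String, Map<String, Object>> function) throws InvalidKeyException, InvalidJwtException {
        try {
            Jws<Claims> jws = Jwts.parserBuilder()
                    .setSigningKeyResolver(new SigningKeyResolverAdapter() {
                        @Override
                        public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                            String keyId = jwsHeader.getKeyId();
                            Map<String, Object> jwk = function.apply(keyId);
                            if (jwk == null) {
                                throw new InvalidJwtException("JWK is not defined for specific keyId:" + keyId);
                            }

                            // NOTE(review): a non-string "use" or alg value in the JWK surfaces as
                            // ClassCastException rather than one of the declared exceptions.
                            String use = (String) jwk.get("use");
                            if (use != null && !use.equals("sig")) {
                                throw new InvalidKeyException("invalid use parameter:" + use);
                            }

                            // An algorithm pinned in the JWK wins; the header value is only used
                            // when the JWK does not name one. HEAER_ALG is presumably "alg" - confirm.
                            String effectiveAlg = (String) jwk.get(IdTokenConstants.HEAER_ALG);
                            if (effectiveAlg == null) {
                                effectiveAlg = jwsHeader.getAlgorithm();
                            } else {
                                String headerAlg = jwsHeader.getAlgorithm();
                                if (headerAlg != null && !effectiveAlg.equalsIgnoreCase(headerAlg)) {
                                    throw new InvalidJwtException("alg parameter unmatch:" + headerAlg);
                                }
                            }

                            // Unsigned tokens are refused. PROMPT_NONE is presumably the literal
                            // "none" reused from the OAuth prompt parameter - confirm its value.
                            if (effectiveAlg == null || effectiveAlg.equalsIgnoreCase(OAuthConstants.PROMPT_NONE)) {
                                throw new InvalidJwtException("alg parameter unspecified or none specified:" + effectiveAlg);
                            }

                            // Only return a key that is valid for the effective algorithm, so the
                            // token's header cannot pair the key with an unsuitable algorithm family.
                            CertificateKeyPair certificateKeyPair = new CertificateKeyPair(jwk);
                            JjwtProcesor.this.checkValidVerificationKey(effectiveAlg, certificateKeyPair);
                            return certificateKeyPair.getPublicKey();
                        }
                    })
                    .setAllowedClockSkewSeconds(TimeUnit.MINUTES.toSeconds(i))
                    .build()
                    .parseClaimsJws(str);
            return new Jwt(jws.getHeader(), (Map) jws.getBody());
        } catch (io.jsonwebtoken.security.InvalidKeyException e) {
            // Must come before JwtException: JJWT's InvalidKeyException is a JwtException
            // subtype, so the broader handler listed first would make this one unreachable
            // and report key problems as InvalidJwtException.
            throw new InvalidKeyException(e.getMessage(), e);
        } catch (JwtException e) {
            throw new InvalidJwtException(e.getMessage(), e);
        }
    }
}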
