package org.gluu.oxauth.model.token;

import com.google.common.base.Function;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import javax.ejb.Stateless;
import javax.inject.Inject;
import javax.inject.Named;
import org.apache.commons.lang.StringUtils;
import org.gluu.oxauth.model.common.IAuthorizationGrant;
import org.gluu.oxauth.model.config.WebKeysConfiguration;
import org.gluu.oxauth.model.configuration.AppConfiguration;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.gluu.oxauth.model.exception.InvalidJweException;
import org.gluu.oxauth.model.jwe.Jwe;
import org.gluu.oxauth.model.jwe.JweEncrypterImpl;
import org.gluu.oxauth.model.jwk.Algorithm;
import org.gluu.oxauth.model.jwk.JSONWebKeySet;
import org.gluu.oxauth.model.jwk.Use;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxauth.model.jwt.JwtType;
import org.gluu.oxauth.model.registration.Client;
import org.gluu.oxauth.model.util.JwtUtil;
import org.gluu.oxauth.service.ClientService;
import org.gluu.oxauth.service.SectorIdentifierService;
import org.gluu.oxauth.service.ServerCryptoProvider;
import org.json.JSONObject;
import org.slf4j.Logger;

/**
 * Produces, signs and encrypts JSON Web Responses (a {@link Jwt} or a {@link Jwe}) for a registered client.
 * <p>
 * Signing always uses the server-side {@link JwtSigner}. Encryption picks its key material from the
 * {@code alg} value in the JWE header: RSA key wrapping uses a public key taken from the client's
 * published JWKS ({@code jwks_uri}), AES key wrapping uses the client's decrypted secret.
 */
@Stateless
@Named
public class JwrService {

    @Inject
    private Logger log;

    // Server-side key store / crypto backend used for signing and for public-key lookups.
    @Inject
    private AbstractCryptoProvider cryptoProvider;

    @Inject
    private ClientService clientService;

    @Inject
    private AppConfiguration appConfiguration;

    @Inject
    private WebKeysConfiguration webKeysConfiguration;

    @Inject
    private SectorIdentifierService sectorIdentifierService;

    /**
     * Signs or encrypts {@code jsonWebResponse} depending on its concrete type.
     *
     * @param jsonWebResponse a {@link Jwe} to encrypt or a {@link Jwt} to sign
     * @param client          the client the response is issued for
     * @return the same instance after signing/encryption
     * @throws IllegalArgumentException if the response is neither a {@link Jwe} nor a {@link Jwt}
     * @throws Exception                propagated from the signer or encrypter
     */
    public JsonWebResponse encode(JsonWebResponse jsonWebResponse, Client client) throws Exception {
        if (jsonWebResponse instanceof Jwe) {
            return encryptJwe((Jwe) jsonWebResponse, client);
        } else if (jsonWebResponse instanceof Jwt) {
            return signJwt((Jwt) jsonWebResponse, client);
        } else {
            throw new IllegalArgumentException("Unknown Jwr instance.");
        }
    }

    /**
     * Signs {@code jwt} in place with a signer configured for {@code client}.
     *
     * @return the signed {@code jwt} (same instance)
     */
    private Jwt signJwt(Jwt jwt, Client client) throws Exception {
        JwtSigner signer = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client);
        signer.setJwt(jwt);
        signer.sign();
        return jwt;
    }

    /**
     * Encrypts {@code jwe} for {@code client}.
     * <p>
     * The key-wrapping algorithm is read from the JWE header's {@code alg} claim (which
     * {@link #createJwr(Client)} fills from the client's registered
     * {@code id_token_encrypted_response_alg}). RSA wrapping resolves a public key from the
     * client's JWKS; AES wrapping derives the wrapping key from the client secret.
     *
     * @throws IllegalArgumentException if {@code alg} is none of RSA-OAEP, RSA1_5, A128KW or A256KW
     * @throws InvalidJweException      if no usable public key is found in the client's JWKS
     */
    private Jwe encryptJwe(Jwe jwe, Client client) throws Exception {
        if (appConfiguration.getUseNestedJwtDuringEncryption()) {
            // Nested mode: the claims are signed as an inner JWT first and that JWT becomes the JWE payload.
            Jwt inner = JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client).newJwt();
            inner.setClaims(jwe.getClaims());
            jwe.setSignedJWTPayload(signJwt(inner, client));
        }

        KeyEncryptionAlgorithm keyAlg = KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString("alg"));
        BlockEncryptionAlgorithm contentAlg = jwe.getHeader().getEncryptionMethod();

        boolean rsaWrapping = keyAlg == KeyEncryptionAlgorithm.RSA_OAEP || keyAlg == KeyEncryptionAlgorithm.RSA1_5;
        boolean aesWrapping = keyAlg == KeyEncryptionAlgorithm.A128KW || keyAlg == KeyEncryptionAlgorithm.A256KW;

        if (rsaWrapping) {
            return encryptWithClientPublicKey(jwe, client, keyAlg, contentAlg);
        }
        if (aesWrapping) {
            // The UTF-8 bytes of the decrypted client secret are passed straight in as the wrapping key;
            // NOTE(review): any key-length handling happens inside JweEncrypterImpl — confirm there.
            byte[] wrappingKey = clientService.decryptSecret(client.getClientSecret()).getBytes(StandardCharsets.UTF_8);
            return new JweEncrypterImpl(keyAlg, contentAlg, wrappingKey).encrypt(jwe);
        }
        throw new IllegalArgumentException("Unsupported encryption algorithm: " + keyAlg);
    }

    /**
     * RSA path of {@link #encryptJwe}: fetches the client's JWKS, selects an encryption key for
     * {@code keyAlg}, records its {@code kid} in the header and encrypts with that public key.
     *
     * @throws InvalidJweException if the selected key id does not resolve to a public key
     */
    private Jwe encryptWithClientPublicKey(Jwe jwe, Client client, KeyEncryptionAlgorithm keyAlg,
                                           BlockEncryptionAlgorithm contentAlg) throws Exception {
        JSONObject clientJwks = JwtUtil.getJSONWebKeys(client.getJwksUri());
        String keyId = new ServerCryptoProvider(cryptoProvider).getKeyId(
                JSONWebKeySet.fromJSONObject(clientJwks), Algorithm.fromString(keyAlg.getName()), Use.ENCRYPTION);
        PublicKey publicKey = cryptoProvider.getPublicKey(keyId, clientJwks, (Algorithm) null);
        // The kid is written to the header before the key is validated, so a failed lookup still
        // leaves the header mutated — kept as-is to preserve existing behaviour.
        jwe.getHeader().setKeyId(keyId);
        if (publicKey == null) {
            throw new InvalidJweException("The public key is not valid");
        }
        return new JweEncrypterImpl(keyAlg, contentAlg, publicKey).encrypt(jwe);
    }

    /**
     * Creates an empty response for {@code client}: a plain {@link Jwt} when the client registered no
     * encryption algorithms, otherwise a {@link Jwe} whose header carries the client's registered
     * {@code alg}/{@code enc} values and type {@code JWT}.
     *
     * @return the new response, or {@code null} if creation failed (the failure is logged)
     */
    public JsonWebResponse createJwr(Client client) {
        try {
            boolean encryptionRegistered = client.getIdTokenEncryptedResponseAlg() != null
                    && client.getIdTokenEncryptedResponseEnc() != null;
            if (!encryptionRegistered) {
                return JwtSigner.newJwtSigner(appConfiguration, webKeysConfiguration, client).newJwt();
            }
            Jwe jwe = new Jwe();
            KeyEncryptionAlgorithm keyAlg = KeyEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseAlg());
            BlockEncryptionAlgorithm contentAlg = BlockEncryptionAlgorithm.fromName(client.getIdTokenEncryptedResponseEnc());
            jwe.getHeader().setType(JwtType.JWT);
            jwe.getHeader().setAlgorithm(keyAlg);
            jwe.getHeader().setEncryptionMethod(contentAlg);
            return jwe;
        } catch (Exception e) {
            log.error("Failed to create logout_token.", e);
            return null;
        }
    }

    /**
     * Copies the grant's subject identifier into the response's {@code sub} claim.
     */
    public void setSubjectIdentifier(JsonWebResponse jsonWebResponse, IAuthorizationGrant iAuthorizationGrant) {
        jsonWebResponse.getClaims().setSubjectIdentifier(iAuthorizationGrant.getSub());
    }

    /**
     * Wraps {@code function} so that, after it runs, the {@code sid} claim is set to {@code str}.
     * A {@code null} response is ignored; a {@code null} {@code function} is skipped; an empty
     * {@code str} leaves the claims untouched.
     *
     * @param function optional callback applied to the response first
     * @param str      session id to store in the {@code sid} claim
     * @return a function that always returns {@code null}
     */
    public static Function<JsonWebResponse, Void> wrapWithSidFunction(Function<JsonWebResponse, Void> function, String str) {
        return jwr -> {
            if (jwr != null) {
                if (function != null) {
                    function.apply(jwr);
                }
                if (StringUtils.isNotEmpty(str)) {
                    jwr.setClaim("sid", str);
                }
            }
            return null;
        };
    }
}
