package org.gluu.oxd.server.service;

import com.google.common.collect.Lists;
import com.google.inject.Inject;
import io.dropwizard.util.Strings;
import java.security.KeyStoreException;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.List;
import org.gluu.oxauth.model.crypto.AbstractCryptoProvider;
import org.gluu.oxauth.model.crypto.OxAuthCryptoProvider;
import org.gluu.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.jwk.Algorithm;
import org.gluu.oxauth.model.jwk.JSONWebKey;
import org.gluu.oxauth.model.jwk.JSONWebKeySet;
import org.gluu.oxauth.model.jwk.Use;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxd.common.ErrorResponseCode;
import org.gluu.oxd.common.ExpiredObject;
import org.gluu.oxd.common.ExpiredObjectType;
import org.gluu.oxd.server.HttpException;
import org.gluu.oxd.server.OxdServerConfiguration;
import org.gluu.oxd.server.persistence.service.PersistenceService;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gluu/oxd/server/service/KeyGeneratorService.class */
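/**
 * Generates, caches and persists the relying-party JWKS that oxd advertises, and signs JWTs with
 * the matching private keys held in the keystore behind {@link OxAuthCryptoProvider}.
 *
 * The JWKS is kept in three places: the keystore (private keys), the persistence layer (the
 * public JWKS as an {@link ExpiredObject} with a TTL) and an in-memory copy in {@link #keys}.
 * {@link #getKeys()} prefers the in-memory copy, then storage, and only then regenerates.
 */
public class KeyGeneratorService {
    private static final Logger LOG = LoggerFactory.getLogger(KeyGeneratorService.class);

    /** Signature algorithms a key pair is generated for. */
    private static final List<Algorithm> SIGNING_ALGORITHMS = Arrays.asList(
            Algorithm.RS256, Algorithm.RS384, Algorithm.RS512,
            Algorithm.ES256, Algorithm.ES384, Algorithm.ES512,
            Algorithm.PS256, Algorithm.PS384, Algorithm.PS512);

    /**
     * Key-encryption algorithms a key pair is generated for.
     * NOTE(review): RSA1_5 is RSAES-PKCS1-v1_5, which is exposed to Bleichenbacher-style
     * padding-oracle attacks and is discouraged by the JWT BCP (RFC 8725). It is kept only because
     * relying parties may already negotiate it against this JWKS; prefer RSA_OAEP and drop RSA1_5
     * once no client depends on it.
     */
    private static final List<Algorithm> ENCRYPTION_ALGORITHMS = Arrays.asList(Algorithm.RSA1_5, Algorithm.RSA_OAEP);

    /** hasKeysExpired() works at whole-minute granularity. */
    private static final long MILLIS_PER_MINUTE = 60_000L;

    private OxdServerConfiguration configuration;
    private PersistenceService persistenceService;
    private AbstractCryptoProvider cryptoProvider;
    /**
     * In-memory copy of the advertised JWKS. Not synchronised: concurrent first callers of
     * getKeys() may each trigger generation (NOTE(review): confirm whether this service is used
     * from more than one thread before relying on a single set).
     */
    private JSONWebKeySet keys = new JSONWebKeySet();

    /**
     * Opens the keystore-backed crypto provider named in the configuration.
     *
     * @throws RuntimeException wrapping any failure to open the keystore; the service is
     *                          unusable without it
     */
    @Inject
    public KeyGeneratorService(OxdServerConfiguration oxdServerConfiguration, PersistenceService persistenceService) {
        this.configuration = oxdServerConfiguration;
        this.persistenceService = persistenceService;
        try {
            // The keystore password is passed straight through and must never be logged.
            this.cryptoProvider = new OxAuthCryptoProvider(
                    oxdServerConfiguration.getCryptProviderKeyStorePath(),
                    oxdServerConfiguration.getCryptProviderKeyStorePassword(),
                    oxdServerConfiguration.getCryptProviderDnName());
        } catch (Exception e) {
            LOG.error("Failed to create CryptoProvider.", e);
            throw new RuntimeException("Failed to create CryptoProvider.", e);
        }
    }

    /**
     * Generates a fresh JWKS for every supported algorithm, persists it and makes it the
     * in-memory set. A no-op when {@code enable_jwks_generation} is off.
     *
     * @throws RuntimeException if generation or persistence fails, or if no key at all could be
     *                          generated (an empty set would otherwise be persisted and served)
     */
    public void generateKeys() {
        try {
            if (this.configuration.getEnableJwksGeneration().booleanValue()) {
                JSONWebKeySet generated = generateKeys(
                        SIGNING_ALGORITHMS, ENCRYPTION_ALGORITHMS, this.configuration.getJwksExpirationInHours());
                if (generated.getKeys().isEmpty()) {
                    // Every per-algorithm attempt failed (each failure is logged in the overload below).
                    // Persisting an empty set would only make getKeys() re-run generation on every call.
                    throw new IllegalStateException("No JSON web key could be generated.");
                }
                saveKeysInStorage(generated.toString());
                setKeys(generated);
            }
        } catch (Exception e) {
            LOG.error("Failed to generate json web keys.", e);
            throw new RuntimeException("Failed to generate json web keys.", e);
        }
    }

    /**
     * Generates one key per requested algorithm, all sharing a single expiry.
     * A failure for one algorithm is logged and skipped; the remaining algorithms still get keys,
     * so the returned set may be partial (the public caller rejects a fully empty result).
     *
     * @param signingAlgorithms    algorithms to generate {@link Use#SIGNATURE} keys for
     * @param encryptionAlgorithms algorithms to generate {@link Use#ENCRYPTION} keys for
     * @param expirationInHours    lifetime of the whole set, from now
     * @return the generated set (never null, possibly empty)
     */
    private JSONWebKeySet generateKeys(List<Algorithm> signingAlgorithms, List<Algorithm> encryptionAlgorithms,
                                       int expirationInHours) throws Exception {
        LOG.trace("Generating jwks keys...");
        JSONWebKeySet keySet = new JSONWebKeySet();
        // One expiry for the whole set, fixed before generation starts.
        final Long expiresAtMillis = Instant.now().plus(Duration.ofHours(expirationInHours)).toEpochMilli();
        for (Algorithm algorithm : signingAlgorithms) {
            try {
                // Result unused: presumably validates the name before touching the keystore.
                // TODO(review): confirm fromString throws for unknown names; if it returns null this line is a no-op.
                SignatureAlgorithm.fromString(algorithm.name());
                JSONObject key = this.cryptoProvider.generateKey(algorithm, expiresAtMillis, Use.SIGNATURE);
                keySet.getKeys().add(JSONWebKey.fromJSONObject(key));
            } catch (Exception e) {
                LOG.error(e.getMessage(), e);
            }
        }
        for (Algorithm algorithm : encryptionAlgorithms) {
            try {
                // Same validation-by-parse as above; same caveat about a null return.
                KeyEncryptionAlgorithm.fromName(algorithm.getParamName());
                JSONObject key = this.cryptoProvider.generateKey(algorithm, expiresAtMillis, Use.ENCRYPTION);
                keySet.getKeys().add(JSONWebKey.fromJSONObject(key));
            } catch (Exception e) {
                LOG.error(e.getMessage(), e);
            }
        }
        LOG.trace("jwks generated successfully.");
        return keySet;
    }

    /**
     * Signs {@code jwt} in place with the key named by the {@code kid} already in its header.
     *
     * @param jwt                the token to sign; its header must carry the key id to use
     * @param str                passed through as the third argument of cryptoProvider.sign
     *                           (presumably the shared secret for HMAC algorithms — confirm against
     *                           AbstractCryptoProvider); never logged
     * @param signatureAlgorithm algorithm to sign with
     * @return the same {@code jwt} instance with its encoded signature set
     * @throws RuntimeException wrapping any signing failure
     */
    public Jwt sign(Jwt jwt, String str, SignatureAlgorithm signatureAlgorithm) {
        try {
            String signature = this.cryptoProvider.sign(
                    jwt.getSigningInput(), jwt.getHeader().getKeyId(), str, signatureAlgorithm);
            jwt.setEncodedSignature(signature);
            return jwt;
        } catch (Exception e) {
            LOG.error("Failed to sign signingInput.", e);
            throw new RuntimeException("Failed to sign signingInput.", e);
        }
    }

    /**
     * Returns the advertised JWKS: the in-memory set if non-empty, else the persisted set if still
     * valid, else a freshly generated one.
     *
     * NOTE(review): expiry is only enforced when loading from storage (see getKeysFromStorage). Once
     * a non-empty set is in memory it is served until restart or an explicit generateKeys(), so a
     * long-running instance can keep using keys past their advertised exp.
     *
     * @throws HttpException with {@link ErrorResponseCode#JWKS_GENERATION_DISABLE} when generation is disabled
     */
    public JSONWebKeySet getKeys() {
        if (!this.configuration.getEnableJwksGeneration().booleanValue()) {
            LOG.info("Relying party JWKS generation is disabled in running oxd instance. To enable it set `enable_jwks_generation` field to true in `oxd-server.yml`.");
            throw new HttpException(ErrorResponseCode.JWKS_GENERATION_DISABLE);
        }
        if (this.keys != null && !this.keys.getKeys().isEmpty()) {
            return this.keys;
        }
        JSONWebKeySet stored = getKeysFromStorage();
        if (stored == null || stored.getKeys().isEmpty()) {
            generateKeys();
            return this.keys;
        }
        this.keys = stored;
        return this.keys;
    }

    /** Replaces the in-memory set; does not touch storage or the keystore. */
    public void setKeys(JSONWebKeySet jSONWebKeySet) {
        this.keys = jSONWebKeySet;
    }

    /**
     * Picks the key id to sign/encrypt with for {@code algorithm} and {@code use}.
     *
     * If the advertised JWKS names a kid the keystore no longer holds (e.g. the set was loaded from
     * persistence while the keystore file was re-created), the two are out of sync and repeating the
     * same lookup would return the same stale kid; the keys are regenerated and looked up again.
     * A null kid (no key for this algorithm/use) is returned as-is without regenerating, so callers
     * asking for an unsupported algorithm do not trigger a rotation on every call.
     *
     * @return the key id, or null when none matches or the keystore could not be read
     */
    public String getKeyId(Algorithm algorithm, Use use) throws Exception {
        try {
            String kid = this.cryptoProvider.getKeyId(getKeys(), algorithm, use);
            if (kid == null || this.cryptoProvider.getKeys().contains(kid)) {
                return kid;
            }
            LOG.warn("Key id {} from the JWKS is not present in the keystore; regenerating keys.", kid);
            // generateKeys() is a no-op when generation is disabled, but getKeys() above already rejects that case.
            generateKeys();
            return this.cryptoProvider.getKeyId(getKeys(), algorithm, use);
        } catch (KeyStoreException e) {
            LOG.error("Error in keyId generation", e);
            return null;
        }
    }

    /**
     * Persists the JWKS JSON under the fixed {@link ExpiredObjectType#JWKS} key.
     *
     * @param str the serialised JWKS
     */
    public void saveKeysInStorage(String str) {
        // TTL handed to ExpiredObject is hours * 60 — presumably minutes; confirm against ExpiredObject's ctor.
        int ttl = this.configuration.getJwksExpirationInHours() * 60;
        this.persistenceService.createExpiredObject(new ExpiredObject(ExpiredObjectType.JWKS.getValue(), str, ExpiredObjectType.JWKS, ttl));
    }

    /**
     * Loads the persisted JWKS, discarding (and deleting) it when it has expired or cannot be parsed.
     *
     * @return the stored set, or null when there is none, it has expired, or it is unreadable
     */
    public JSONWebKeySet getKeysFromStorage() {
        ExpiredObject stored = this.persistenceService.getExpiredObject(ExpiredObjectType.JWKS.getValue());
        if (stored == null || Strings.isNullOrEmpty(stored.getValue())) {
            return null;
        }
        try {
            // Parsing is inside the try so a corrupted stored value is cleaned up like an expired one
            // instead of propagating a JSONException to every caller of getKeys().
            JSONWebKeySet keySet = JSONWebKeySet.fromJSONObject(new JSONObject(stored.getValue()));
            if (!hasKeysExpired(stored)) {
                return keySet;
            }
            LOG.trace("The keys in storage got expired. Deleting the expired keys from storage.");
            deleteKeysFromStorage();
            return null;
        } catch (Exception e) {
            LOG.error("Error in reading expiry date or deleting expired keys from storage. Trying to delete the keys from storage.", e);
            deleteKeysFromStorage();
            return null;
        }
    }

    /** Removes every persisted JWKS entry. */
    public void deleteKeysFromStorage() {
        this.persistenceService.deleteExpiredObjectsByKey(ExpiredObjectType.JWKS.getValue());
    }

    /**
     * Whether the stored set's expiry has been reached, at whole-minute granularity: a set with less
     * than one full minute left counts as expired. A missing expiry also counts as expired (the
     * original dereferenced it and failed with a NullPointerException).
     */
    public boolean hasKeysExpired(ExpiredObject expiredObject) {
        if (expiredObject.getExp() == null) {
            return true;
        }
        long minutesLeft = (expiredObject.getExp().getTime() - System.currentTimeMillis()) / MILLIS_PER_MINUTE;
        return minutesLeft <= 0;
    }
}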
