package org.gluu.oxd.server.service;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.inject.Inject;
import java.util.concurrent.TimeUnit;
import org.gluu.oxauth.client.JwkClient;
import org.gluu.oxauth.client.JwkResponse;
import org.gluu.oxauth.model.crypto.PublicKey;
import org.gluu.oxauth.model.crypto.signature.AlgorithmFamily;
import org.gluu.oxauth.model.crypto.signature.ECDSAPublicKey;
import org.gluu.oxauth.model.crypto.signature.RSAPublicKey;
import org.gluu.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.gluu.oxauth.model.jwk.JSONWebKey;
import org.gluu.oxauth.model.jwk.Use;
import org.gluu.oxauth.model.jws.ECDSASigner;
import org.gluu.oxauth.model.jws.RSASigner;
import org.gluu.oxauth.model.jwt.Jwt;
import org.gluu.oxd.server.op.OpClientFactory;
import org.gluu.util.Pair;
import org.jboss.resteasy.client.core.executors.ApacheHttpClient4Executor;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gluu/oxd/server/service/PublicOpKeyService.class */
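public class PublicOpKeyService {
    private static final Logger LOG = LoggerFactory.getLogger(PublicOpKeyService.class);

    /**
     * Public keys of OPs, keyed by (JWK set location, key id). Entries expire after
     * {@code publicOpKeyCacheExpirationInMinutes}; {@link #refetchKey} drops one entry
     * early (e.g. after the OP rotated its keys).
     */
    private final Cache<Pair<String, String>, PublicKey> cache;
    private final HttpService httpService;
    private final OpClientFactory opClientFactory;

    @Inject
    public PublicOpKeyService(ConfigurationService configurationService, HttpService httpService, OpClientFactory opClientFactory) {
        this.cache = CacheBuilder.newBuilder()
                .expireAfterWrite(configurationService.get().getPublicOpKeyCacheExpirationInMinutes(), TimeUnit.MINUTES)
                .build();
        this.httpService = httpService;
        this.opClientFactory = opClientFactory;
    }

    /**
     * Returns the OP public key with the given key id, serving it from the cache when
     * possible and otherwise fetching the OP's JWK set.
     *
     * <p>A freshly fetched key is cached under {@code (jwkSetUrl, keyId)} so that later
     * lookups do not hit the network again until the entry expires.
     *
     * @param jwkSetUrl location handed to {@code OpClientFactory#createJwkClient}
     *                  (the OP's JWK set endpoint)
     * @param keyId     {@code kid} of the wanted key
     * @return the key, or {@code null} when the JWK set could not be retrieved
     *         (no response / non-200 status) or contains no key with that id
     * @throws RuntimeException wrapping any failure while fetching or parsing the JWK set
     */
    public PublicKey getPublicKey(String jwkSetUrl, String keyId) {
        try {
            Pair<String, String> mapKey = new Pair<>(jwkSetUrl, keyId);
            PublicKey cachedKey = cache.getIfPresent(mapKey);
            if (cachedKey != null) {
                LOG.debug("Taken public key from cache, mapKey: " + mapKey);
                return cachedKey;
            }

            JwkResponse jwkResponse = fetchJwkSet(jwkSetUrl);
            if (jwkResponse == null || jwkResponse.getStatus() != 200) {
                return null;
            }
            PublicKey publicKey = jwkResponse.getPublicKey(keyId);
            if (publicKey != null) {
                // Remember the key so the next token carrying this kid is verified offline.
                cache.put(mapKey, publicKey);
            }
            return publicKey;
        } catch (Exception e) {
            LOG.error("Failed to fetch public key.", e);
            throw new RuntimeException("Failed to fetch public key.", e);
        }
    }

    /**
     * Finds the {@code kid} of the published OP key that verifies {@code jwt}, for tokens
     * that carry no {@code kid} header themselves.
     *
     * <p>Every key in the OP's JWK set whose {@code kty} matches the algorithm family
     * (and whose {@code use} matches, when {@code use} is given) is tried in order; the
     * first one whose signature check succeeds is cached under {@code (jwkSetUrl, kid)}
     * and its id returned. Keys that do not verify the token are never cached.
     *
     * @param jwt                the token whose signature is checked against each candidate key
     * @param jwkSetUrl          location handed to {@code OpClientFactory#createJwkClient}
     * @param signatureAlgorithm algorithm the token claims; only RSA and EC families are supported
     * @param use                required key use, or {@code null} to accept any use
     * @return the matching {@code kid}, or {@code null} when no published key verifies the token
     *         or the JWK set could not be retrieved
     * @throws RuntimeException wrapping any failure while fetching the JWK set or validating
     */
    public String getKeyId(Jwt jwt, String jwkSetUrl, SignatureAlgorithm signatureAlgorithm, Use use) {
        try {
            JwkResponse jwkResponse = fetchJwkSet(jwkSetUrl);
            if (jwkResponse != null && jwkResponse.getStatus() == 200) {
                for (JSONWebKey jwk : jwkResponse.getJwks().getKeys()) {
                    if (!matchesFamilyAndUse(jwk, signatureAlgorithm, use)) {
                        continue;
                    }
                    String kid = jwk.getKid();
                    PublicKey candidate = jwkResponse.getPublicKey(kid);
                    if (verifiesSignature(jwt, signatureAlgorithm, candidate)) {
                        cache.put(new Pair<>(jwkSetUrl, kid), candidate);
                        return kid;
                    }
                }
            }
            // String concatenation renders a null `use` as "null" instead of throwing,
            // which matters because `use == null` is an accepted input above.
            LOG.warn("`kid` is missing in `Id_Token`. Unable to find matching key out of the Issuer's published set, algorithm family: " + signatureAlgorithm.getFamily() + ", use: " + use);
            return null;
        } catch (Exception e) {
            LOG.error("`kid` is missing in Id_Token. Error in getting `kid` from keystore.", e);
            throw new RuntimeException("`kid` is missing in Id_Token. Error in getting `kid` from keystore.", e);
        }
    }

    /**
     * Drops the cached entry for {@code (jwkSetUrl, keyId)} and fetches the key again.
     *
     * @param jwkSetUrl location of the OP's JWK set
     * @param keyId     {@code kid} of the key to refresh
     * @return the re-fetched key, or {@code null} as described in {@link #getPublicKey}
     * @throws RuntimeException as described in {@link #getPublicKey}
     */
    public PublicKey refetchKey(String jwkSetUrl, String keyId) {
        cache.invalidate(new Pair<>(jwkSetUrl, keyId));
        return getPublicKey(jwkSetUrl, keyId);
    }

    /** Retrieves the OP's JWK set through the shared HTTP client; may return {@code null}. */
    private JwkResponse fetchJwkSet(String jwkSetUrl) {
        JwkClient jwkClient = opClientFactory.createJwkClient(jwkSetUrl);
        jwkClient.setExecutor(new ApacheHttpClient4Executor(httpService.getHttpClient()));
        return jwkClient.exec();
    }

    /** True when the JWK's {@code kty} equals the algorithm family and its {@code use} is acceptable. */
    private static boolean matchesFamilyAndUse(JSONWebKey jwk, SignatureAlgorithm signatureAlgorithm, Use use) {
        boolean familyMatches = signatureAlgorithm.getFamily().toString().equals(jwk.getKty().toString());
        boolean useMatches = use == null || use == jwk.getUse();
        return familyMatches && useMatches;
    }

    /**
     * Checks the token signature with {@code publicKey}. A key of the wrong concrete type
     * (or an unsupported family) is simply rejected rather than reported as an error.
     */
    private static boolean verifiesSignature(Jwt jwt, SignatureAlgorithm signatureAlgorithm, PublicKey publicKey) {
        String family = signatureAlgorithm.getFamily().toString();
        if (family.equals(AlgorithmFamily.RSA.toString())) {
            return publicKey instanceof RSAPublicKey
                    && new RSASigner(signatureAlgorithm, (RSAPublicKey) publicKey).validate(jwt);
        }
        if (family.equals(AlgorithmFamily.EC.toString())) {
            return publicKey instanceof ECDSAPublicKey
                    && new ECDSASigner(signatureAlgorithm, (ECDSAPublicKey) publicKey).validate(jwt);
        }
        return false;
    }
}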
