package org.forgerock.selfservice.stages.tokenhandlers;

import java.security.KeyPair;
import java.util.Date;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.builders.JwtBuilderFactory;
import org.forgerock.json.jose.exceptions.JwtRuntimeException;
import org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.SignedEncryptedJwt;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.json.resource.BadRequestException;
import org.forgerock.json.resource.InternalServerErrorException;
import org.forgerock.json.resource.ResourceException;
import org.forgerock.selfservice.core.snapshot.SnapshotTokenHandler;
import org.forgerock.selfservice.stages.utils.JsonUtils;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/selfservice/stages/tokenhandlers/JwtTokenHandler.class */
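/**
 * Snapshot token handler that carries self-service state inside a signed and encrypted JWT.
 *
 * <p>The state is stored as the string form of a {@link JsonValue} under the {@code state}
 * claim, together with an {@code exp} claim derived from the configured token lifetime.
 * On the way back in, the signature is verified before the token is decrypted, and the
 * expiry is checked before any claim is handed to the caller.
 */
public final class JwtTokenHandler implements SnapshotTokenHandler {
    /** Name of the claim that holds the serialised snapshot state. */
    private static final String STATE_CLAIM = "state";

    private final JwtBuilderFactory jwtBuilderFactory;
    private final JweAlgorithm jweAlgorithm;
    private final EncryptionMethod jweMethod;
    private final KeyPair jweKeyPair;
    private final JwsAlgorithm jwsAlgorithm;
    private final SigningHandler jwsHandler;
    private final long tokenLifeTimeInSeconds;

    /**
     * Creates a handler bound to one encryption key pair and one signing handler.
     *
     * @param jweAlgorithm     JWE key-management algorithm written to the token header
     * @param encryptionMethod JWE content-encryption method written to the token header
     * @param keyPair          public key encrypts on generation, private key decrypts on validation
     * @param jwsAlgorithm     JWS algorithm used when signing
     * @param signingHandler   handler used both to sign and to verify
     * @param j                token lifetime in seconds; must be greater than zero
     */
    public JwtTokenHandler(JweAlgorithm jweAlgorithm, EncryptionMethod encryptionMethod, KeyPair keyPair, JwsAlgorithm jwsAlgorithm, SigningHandler signingHandler, long j) {
        Reject.ifNull(new Object[]{jweAlgorithm, encryptionMethod, keyPair, jwsAlgorithm, signingHandler});
        Reject.ifFalse(j > 0);
        this.jwtBuilderFactory = new JwtBuilderFactory();
        this.jweAlgorithm = jweAlgorithm;
        this.jweMethod = encryptionMethod;
        this.jweKeyPair = keyPair;
        this.jwsAlgorithm = jwsAlgorithm;
        this.jwsHandler = signingHandler;
        this.tokenLifeTimeInSeconds = j;
    }

    /**
     * Builds a signed, encrypted token that wraps the given state.
     *
     * @param jsonValue the state to embed; must not be null
     * @return the compact serialised token
     * @throws ResourceException as {@link InternalServerErrorException} if the JWT library fails
     */
    public String generate(JsonValue jsonValue) throws ResourceException {
        Reject.ifNull(jsonValue);
        try {
            // NOTE(review): the seconds-to-millis multiplication is unchecked and wraps for
            // lifetimes above Long.MAX_VALUE / 1000; the constructor only enforces > 0.
            Date expiry = new Date(System.currentTimeMillis() + (this.tokenLifeTimeInSeconds * 1000));
            JwtClaimsSet claims = this.jwtBuilderFactory.claims()
                    .claim(STATE_CLAIM, jsonValue.toString())
                    .exp(expiry)
                    .build();
            return this.jwtBuilderFactory.jwe(this.jweKeyPair.getPublic())
                    .headers().alg(this.jweAlgorithm).enc(this.jweMethod).done()
                    .claims(claims)
                    .sign(this.jwsHandler, this.jwsAlgorithm)
                    .build();
        } catch (JwtRuntimeException e) {
            throw new InternalServerErrorException("Error constructing snapshot token", e);
        }
    }

    /**
     * Checks signature, decryptability and expiry of a token without returning its content.
     *
     * @param str the serialised token; must not be null
     * @throws ResourceException {@link BadRequestException} for a bad signature, a missing expiry
     *         or an expired token; {@link InternalServerErrorException} if the JWT library fails
     */
    public void validate(String str) throws ResourceException {
        // Same precondition as validateAndExtractState, so both entry points fail alike on null.
        Reject.ifNull(str);
        try {
            validateAndExtractClaims(str);
        } catch (JwtRuntimeException e) {
            // NOTE(review): if the library raises JwtRuntimeException for a malformed
            // client-supplied token, that is reported as a 500 here; confirm this is intended.
            throw new InternalServerErrorException("Error deconstructing snapshot token", e);
        }
    }

    /**
     * Validates a token and returns the state it carries.
     *
     * @param str the serialised token; must not be null
     * @return the state parsed back from the {@code state} claim
     * @throws ResourceException {@link BadRequestException} for a bad signature, a missing expiry,
     *         an expired token or a missing state claim; {@link InternalServerErrorException}
     *         if the JWT library fails
     */
    public JsonValue validateAndExtractState(String str) throws ResourceException {
        Reject.ifNull(str);
        try {
            Object stateClaim = validateAndExtractClaims(str).getClaim(STATE_CLAIM);
            if (stateClaim == null) {
                // A correctly signed token without state is unusable; reject it explicitly
                // instead of failing with a NullPointerException on toString().
                throw new BadRequestException("Invalid snapshot token");
            }
            return JsonUtils.toJsonValue(stateClaim.toString());
        } catch (JwtRuntimeException e) {
            throw new InternalServerErrorException("Error deconstructing snapshot token", e);
        }
    }

    /**
     * Verifies the signature, decrypts the token and enforces its expiry.
     *
     * @param str the serialised token
     * @return the claims of a token that passed every check
     * @throws ResourceException as {@link BadRequestException} when a check fails
     */
    private JwtClaimsSet validateAndExtractClaims(String str) throws ResourceException {
        // Captured before any parsing so the expiry comparison is not affected by processing time.
        Date date = new Date();
        SignedEncryptedJwt reconstruct = this.jwtBuilderFactory.reconstruct(str, SignedEncryptedJwt.class);
        // Signature first: nothing is decrypted unless the token verifies against our handler.
        if (!reconstruct.verify(this.jwsHandler)) {
            throw new BadRequestException("Invalid snapshot token");
        }
        reconstruct.decrypt(this.jweKeyPair.getPrivate());
        JwtClaimsSet claimsSet = reconstruct.getClaimsSet();
        Date expirationTime = claimsSet.getExpirationTime();
        if (expirationTime == null) {
            // Tokens from generate() always carry exp. One without it must never be accepted
            // as non-expiring, and should be refused cleanly rather than via a null dereference.
            throw new BadRequestException("Invalid snapshot token");
        }
        if (expirationTime.before(date)) {
            throw new BadRequestException("Snapshot token has expired");
        }
        return claimsSet;
    }
}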
