package org.xdi.oxauth.model.token;

import java.io.UnsupportedEncodingException;
import java.security.SignatureException;
import java.util.Calendar;
import java.util.Date;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCode;
import org.xdi.oxauth.model.common.IAuthorizationGrant;
import org.xdi.oxauth.model.config.ClaimMappingConfiguration;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.ECDSAPrivateKey;
import org.xdi.oxauth.model.crypto.signature.RSAPrivateKey;
import org.xdi.oxauth.model.crypto.signature.RSAPublicKey;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.jwe.Jwe;
import org.xdi.oxauth.model.jwe.JweEncrypterImpl;
import org.xdi.oxauth.model.jwk.JSONWebKey;
import org.xdi.oxauth.model.jwk.JSONWebKeySet;
import org.xdi.oxauth.model.jws.ECDSASigner;
import org.xdi.oxauth.model.jws.HMACSigner;
import org.xdi.oxauth.model.jws.RSASigner;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.util.security.StringEncrypter;

/* loaded from: input_file:org/xdi/oxauth/model/token/IdTokenFactory.class */
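/**
 * Builds OpenID Connect ID tokens for an authorization grant, either signed
 * ({@link #generateSignedIdToken}) or encrypted ({@link #generateEncryptedIdToken}).
 *
 * <p>Both methods fill in the same claims: issuer, audience, issued-at/expiry, optional
 * subject, nonce, auth_time, c_hash, at_hash, two server-specific claims and finally any
 * caller-supplied additional claims.
 */
public class IdTokenFactory {

    /**
     * Creates an ID token and signs it with the client's registered
     * {@code id_token_signed_response_alg}, falling back to the server default algorithm.
     *
     * <p>Security-relevant behaviour:
     * <ul>
     *   <li>When the resolved algorithm is {@code NONE} the token is returned <em>without a
     *       signature</em> (header type JWT instead of JWS). Whether that is acceptable for a
     *       given response type is a policy decision this method does not enforce.</li>
     *   <li>HS256/HS384/HS512 tokens are keyed with the client secret.</li>
     *   <li>Entries of {@code map} are applied after the standard claims.</li>
     * </ul>
     *
     * @param iAuthorizationGrant grant supplying the client, user and authentication time;
     *                            its client must not be null
     * @param str                 nonce to echo back; skipped when blank
     * @param authorizationCode   code to bind via {@code c_hash}, or null
     * @param accessToken         access token to bind via {@code at_hash}, or null
     * @param map                 additional claims to add, or null
     * @return the ID token, signed unless the algorithm is {@code NONE}
     * @throws NullPointerException if the grant has no client
     * @throws SignatureException   if signing fails or no private key matches the key id
     */
    public static Jwt generateSignedIdToken(IAuthorizationGrant iAuthorizationGrant, String str, AuthorizationCode authorizationCode, AccessToken accessToken, Map<String, String> map) throws SignatureException, InvalidJwtException, StringEncrypter.EncryptionException {
        // The audience claim (and HMAC signing) cannot be produced without a client, so fail
        // up front with a clear message instead of part-way through claim population.
        if (iAuthorizationGrant.getClient() == null) {
            throw new NullPointerException("iAuthorizationGrant.getClient() must not be null");
        }

        // The client's registered preference wins over the server-wide default.
        SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromName(ConfigurationFactory.getConfiguration().getDefaultSignatureAlgorithm());
        if (iAuthorizationGrant.getClient().getIdTokenSignedResponseAlg() != null) {
            signatureAlgorithm = SignatureAlgorithm.fromName(iAuthorizationGrant.getClient().getIdTokenSignedResponseAlg());
        }

        Jwt jwt = new Jwt();
        jwt.getHeader().setType(signatureAlgorithm == SignatureAlgorithm.NONE ? JwtType.JWT : JwtType.JWS);
        jwt.getHeader().setAlgorithm(signatureAlgorithm);

        // Only asymmetric algorithms carry a key id; HMAC and NONE leave "kid" unset.
        // NOTE(review): if fromName yields null for an unrecognised name this switch throws
        // NullPointerException - confirm fromName's contract.
        switch (signatureAlgorithm) {
            case RS256:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getRs256KeyId());
                break;
            case RS384:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getRs384KeyId());
                break;
            case RS512:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getRs512KeyId());
                break;
            case ES256:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getEs256KeyId());
                break;
            case ES384:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getEs384KeyId());
                break;
            case ES512:
                jwt.getHeader().setKeyId(ConfigurationFactory.getConfiguration().getEs512KeyId());
                break;
            default:
                break;
        }

        jwt.getClaims().setIssuer(ConfigurationFactory.getConfiguration().getIssuer());
        jwt.getClaims().setAudience(iAuthorizationGrant.getClient().getClientId());

        // iat = now, exp = now + configured lifetime (seconds).
        int lifetimeSeconds = ConfigurationFactory.getConfiguration().getIdTokenLifetime();
        Calendar clock = Calendar.getInstance();
        Date issuedAt = clock.getTime();
        clock.add(Calendar.SECOND, lifetimeSeconds);
        jwt.getClaims().setExpirationTime(clock.getTime());
        jwt.getClaims().setIssuedAt(issuedAt);

        if (iAuthorizationGrant.getUserDn() != null) {
            jwt.getClaims().setClaim("sub", iAuthorizationGrant.getUserId());
            jwt.getClaims().setClaim("oxInum", iAuthorizationGrant.getUser().getAttribute(ClaimMappingConfiguration.getClaimByLdap("oxInum")));
        }
        if (StringUtils.isNotBlank(str)) {
            jwt.getClaims().setClaim("nonce", str);
        }
        if (iAuthorizationGrant.getAuthenticationTime() != null) {
            jwt.getClaims().setClaim("auth_time", iAuthorizationGrant.getAuthenticationTime());
        }
        // c_hash / at_hash bind the code and access token to this ID token; the hash is
        // derived with the same algorithm that signs the token.
        if (authorizationCode != null) {
            jwt.getClaims().setClaim("c_hash", authorizationCode.getHash(signatureAlgorithm));
        }
        if (accessToken != null) {
            jwt.getClaims().setClaim("at_hash", accessToken.getHash(signatureAlgorithm));
        }
        jwt.getClaims().setClaim("oxValidationURI", ConfigurationFactory.getConfiguration().getCheckSessionIFrame());
        jwt.getClaims().setClaim("oxOpenIDConnectVersion", ConfigurationFactory.getConfiguration().getOxOpenIdConnectVersion());

        // NOTE(review): these are written last, so a key such as "sub", "aud" or "exp"
        // presumably replaces the value set above - confirm callers only pass vetted names.
        if (map != null) {
            for (Map.Entry<String, String> extraClaim : map.entrySet()) {
                jwt.getClaims().setClaim(extraClaim.getKey(), extraClaim.getValue());
            }
        }

        JSONWebKeySet webKeys = ConfigurationFactory.getWebKeys();
        switch (signatureAlgorithm) {
            case RS256:
            case RS384:
            case RS512: {
                JSONWebKey rsaKey = requireSigningKey(webKeys, jwt);
                jwt = new RSASigner(signatureAlgorithm, new RSAPrivateKey(rsaKey.getPrivateKey().getModulus(), rsaKey.getPrivateKey().getPrivateExponent())).sign(jwt);
                break;
            }
            case ES256:
            case ES384:
            case ES512:
                jwt = new ECDSASigner(signatureAlgorithm, new ECDSAPrivateKey(requireSigningKey(webKeys, jwt).getPrivateKey().getD())).sign(jwt);
                break;
            case HS256:
            case HS384:
            case HS512:
                jwt = new HMACSigner(signatureAlgorithm, iAuthorizationGrant.getClient().getClientSecret()).sign(jwt);
                break;
            default:
                // NONE: nothing is signed; the token leaves this method unsecured.
                break;
        }
        return jwt;
    }

    /**
     * Creates an ID token and encrypts it with the client's registered
     * {@code id_token_encrypted_response_alg} / {@code id_token_encrypted_response_enc}.
     *
     * <p>RSA_OAEP and RSA1_5 encrypt to a public key obtained from the client's
     * {@code jwks_uri}; A128KW and A256KW derive the key from the UTF-8 bytes of the client
     * secret. Any other (or missing) key-management algorithm is rejected, so this method
     * never hands back a token that was not encrypted.
     *
     * @param iAuthorizationGrant grant supplying the client, user and authentication time
     * @param str                 nonce to echo back; skipped when blank
     * @param authorizationCode   code to bind via {@code c_hash}, or null
     * @param accessToken         access token to bind via {@code at_hash}, or null
     * @param map                 additional claims to add, or null
     * @return the encrypted ID token
     * @throws InvalidJweException if the client's public key is unusable, the key-management
     *                             algorithm is unsupported, or encryption fails
     */
    public static Jwe generateEncryptedIdToken(IAuthorizationGrant iAuthorizationGrant, String str, AuthorizationCode authorizationCode, AccessToken accessToken, Map<String, String> map) throws InvalidJweException {
        Jwe jwe = new Jwe();
        KeyEncryptionAlgorithm keyAlgorithm = KeyEncryptionAlgorithm.fromName(iAuthorizationGrant.getClient().getIdTokenEncryptedResponseAlg());
        BlockEncryptionAlgorithm contentAlgorithm = BlockEncryptionAlgorithm.fromName(iAuthorizationGrant.getClient().getIdTokenEncryptedResponseEnc());
        jwe.getHeader().setType(JwtType.JWE);
        jwe.getHeader().setAlgorithm(keyAlgorithm);
        jwe.getHeader().setEncryptionMethod(contentAlgorithm);

        jwe.getClaims().setIssuer(ConfigurationFactory.getConfiguration().getIssuer());
        jwe.getClaims().setAudience(iAuthorizationGrant.getClient().getClientId());

        // iat = now, exp = now + configured lifetime (seconds).
        int lifetimeSeconds = ConfigurationFactory.getConfiguration().getIdTokenLifetime();
        Calendar clock = Calendar.getInstance();
        Date issuedAt = clock.getTime();
        clock.add(Calendar.SECOND, lifetimeSeconds);
        jwe.getClaims().setExpirationTime(clock.getTime());
        jwe.getClaims().setIssuedAt(issuedAt);

        if (iAuthorizationGrant.getUserDn() != null) {
            jwe.getClaims().setClaim("sub", iAuthorizationGrant.getUserId());
            jwe.getClaims().setClaim("oxInum", iAuthorizationGrant.getUser().getAttribute(ClaimMappingConfiguration.getClaimByLdap("oxInum")));
        }
        if (StringUtils.isNotBlank(str)) {
            jwe.getClaims().setClaim("nonce", str);
        }
        if (iAuthorizationGrant.getAuthenticationTime() != null) {
            jwe.getClaims().setClaim("auth_time", iAuthorizationGrant.getAuthenticationTime());
        }
        // NOTE(review): the signed variant passes its signature algorithm to getHash; here
        // null is passed - confirm which digest getHash(null) selects.
        if (authorizationCode != null) {
            jwe.getClaims().setClaim("c_hash", authorizationCode.getHash(null));
        }
        if (accessToken != null) {
            jwe.getClaims().setClaim("at_hash", accessToken.getHash(null));
        }
        jwe.getClaims().setClaim("oxValidationURI", ConfigurationFactory.getConfiguration().getCheckSessionIFrame());
        jwe.getClaims().setClaim("oxOpenIDConnectVersion", ConfigurationFactory.getConfiguration().getOxOpenIdConnectVersion());

        // NOTE(review): these are written last, so a key such as "sub", "aud" or "exp"
        // presumably replaces the value set above - confirm callers only pass vetted names.
        if (map != null) {
            for (Map.Entry<String, String> extraClaim : map.entrySet()) {
                jwe.getClaims().setClaim(extraClaim.getKey(), extraClaim.getValue());
            }
        }

        if (keyAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
            // NOTE(review): the key comes from a URI the client registered; how JwtUtil
            // fetches and validates it (scheme, timeouts, key selection with a null key id)
            // is not visible here - verify.
            RSAPublicKey clientKey = JwtUtil.getPublicKey(iAuthorizationGrant.getClient().getJwksUri(), SignatureAlgorithm.RS256, (String) null);
            // instanceof is false for null, so this rejects a missing key as well.
            if (!(clientKey instanceof RSAPublicKey)) {
                throw new InvalidJweException("The public key is not valid");
            }
            jwe = new JweEncrypterImpl(keyAlgorithm, contentAlgorithm, clientKey).encrypt(jwe);
        } else if (keyAlgorithm == KeyEncryptionAlgorithm.A128KW || keyAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            try {
                jwe = new JweEncrypterImpl(keyAlgorithm, contentAlgorithm, iAuthorizationGrant.getClient().getClientSecret().getBytes("UTF-8")).encrypt(jwe);
            } catch (Exception e) {
                // Every failure on this path (secret decryption, charset lookup, runtime
                // errors, encrypter errors) is reported as InvalidJweException with its cause.
                throw new InvalidJweException(e);
            }
        } else {
            // Fail closed: returning the populated but never-encrypted Jwe would let claims
            // leave a method whose contract is an encrypted token.
            throw new InvalidJweException("Unsupported key encryption algorithm: " + keyAlgorithm);
        }
        return jwe;
    }

    /**
     * Looks up the private signing key named by the token's {@code kid} header.
     *
     * @throws SignatureException if the key set has no such key or the key has no private part
     */
    private static JSONWebKey requireSigningKey(JSONWebKeySet webKeys, Jwt jwt) throws SignatureException {
        String keyId = jwt.getHeader().getClaimAsString("kid");
        JSONWebKey signingKey = webKeys.getKey(keyId);
        if (signingKey == null || signingKey.getPrivateKey() == null) {
            throw new SignatureException("No private signing key available for kid: " + keyId);
        }
        return signingKey;
    }
}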
